rm android udev (builtin)

.gitea/workflows/build.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: DeterminateSystems/flake-checker-action@v12
 
       - name: "Install Cachix ❄️"
-        uses: cachix/cachix-action@v16
+        uses: cachix/cachix-action@v17
         with:
           name: helcel
           authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"

.gitea/workflows/update.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v6
       - name: Install nix
-        uses: DeterminateSystems/nix-installer-action@v21
+        uses: DeterminateSystems/nix-installer-action@v22
         with:
           github-token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
           extra_nix_config: |

.gitignore

@@ -2,3 +2,4 @@ result
 age-key.txt
 .decrypted~common.yaml
 .decrypted*
+.tmp

.sops.yaml

@@ -9,55 +9,57 @@ keys:
     - &avalon age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &valinor age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+    - &gateway age1lqvnzlendlmtwgstzrj4xzrwpatwx56k5az5au78fyg99yecwfzs3s6xn6
+    - &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
 
 creation_rules:
   - path_regex: modules/shared/sops/private/iriy.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *iriy
+          - *iriy
-      pgp:
+        pgp:
-      - *sora
+          - *sora
   - path_regex: modules/shared/sops/private/avalon.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *avalon
+          - *avalon
-      pgp:
+        pgp:
-      - *sora
+          - *sora
   - path_regex: modules/shared/sops/private/valinor.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *valinor
+          - *valinor
-      pgp:
+        pgp:
-      - *sora
+          - *sora
   - path_regex: modules/shared/sops/private/asgard.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *asgard
+          - *asgard
-      pgp:
+        pgp:
-      - *sora
+          - *sora
 
   - path_regex: modules/shared/sops/common.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *valinor
+          - *valinor
-      - *iriy
+          - *iriy
-      - *avalon
+          - *avalon
-      - *asgard
+          - *asgard
-      pgp:
+          - *gateway
-      - *sora
+        pgp:
-  
+          - *sora
+
   - path_regex: modules/shared/sops/mock.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *ci
+          - *ci
-
+          - *sandbox
 
   - path_regex: modules/server/sops/server.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *valinor
+          - *avalon
-      - *iriy
+          - *sandbox
-      - *avalon
+
-      - *asgard
+        pgp:
-      pgp:
+          - *sora
-      - *sora

flake.lock

@@ -1,27 +1,5 @@
 {
   "nodes": {
-    "arion": {
-      "inputs": {
-        "flake-parts": "flake-parts",
-        "haskell-flake": "haskell-flake",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1765839957,
-        "narHash": "sha256-c2k30kehMWLEQpO41OhyDruj1S7RsyBlgx4yHlXKVa4=",
-        "owner": "hercules-ci",
-        "repo": "arion",
-        "rev": "9ff7acc2c00a40ecf24894592ea5019439bb9e13",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "arion",
-        "type": "github"
-      }
-    },
     "base16-schemes": {
       "flake": false,
       "locked": {
@@ -45,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766784396,
+        "lastModified": 1779036909,
-        "narHash": "sha256-rIlgatT0JtwxsEpzq+UrrIJCRfVAXgbYPzose1DmAcM=",
+        "narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "f0c8e1f6feb562b5db09cee9fb566a2f989e6b55",
+        "rev": "56c666e108467d87d13508936aade6d567f2a501",
         "type": "github"
       },
       "original": {
@@ -59,28 +37,23 @@
         "type": "github"
       }
     },
-    "flake-parts": {
+    "flake-compat": {
-      "inputs": {
+      "flake": false,
-        "nixpkgs-lib": [
-          "arion",
-          "nixpkgs"
-        ]
-      },
       "locked": {
-        "lastModified": 1763759067,
+        "lastModified": 1767039857,
-        "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
-        "owner": "hercules-ci",
+        "owner": "edolstra",
-        "repo": "flake-parts",
+        "repo": "flake-compat",
-        "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
-        "owner": "hercules-ci",
+        "owner": "edolstra",
-        "repo": "flake-parts",
+        "repo": "flake-compat",
         "type": "github"
       }
     },
-    "flake-parts_2": {
+    "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
           "nur",
@@ -101,34 +74,39 @@
         "type": "github"
       }
     },
-    "hardware": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1766568855,
+        "lastModified": 1681202837,
-        "narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=",
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
-        "owner": "nixos",
+        "owner": "numtide",
-        "repo": "nixos-hardware",
+        "repo": "flake-utils",
-        "rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
+        "owner": "numtide",
-        "repo": "nixos-hardware",
+        "repo": "flake-utils",
         "type": "github"
       }
     },
-    "haskell-flake": {
+    "hardware": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
       "locked": {
-        "lastModified": 1675296942,
+        "lastModified": 1780065812,
-        "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
+        "narHash": "sha256-SCSLUKBmwlSLGQ8Xbr8PjRFtiHNk0l9ktqkcmqdBkfE=",
-        "owner": "srid",
+        "owner": "nixos",
-        "repo": "haskell-flake",
+        "repo": "nixos-hardware",
-        "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
+        "rev": "b76b5639c0593e0aeb0b5879ad62d4b30596c144",
         "type": "github"
       },
       "original": {
-        "owner": "srid",
+        "owner": "nixos",
-        "ref": "0.1.0",
+        "repo": "nixos-hardware",
-        "repo": "haskell-flake",
         "type": "github"
       }
     },
@@ -139,16 +117,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1763992789,
+        "lastModified": 1779726825,
-        "narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=",
+        "narHash": "sha256-RUkMrREjKDQrA+dA9+xZviGAxM5W1aVdyOr/bSYpHrE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3",
+        "rev": "b179bde238977f7d4454fc770b1a727eaf55111c",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "release-26.05",
         "repo": "home-manager",
         "type": "github"
       }
@@ -174,11 +152,11 @@
     },
     "nixUnstable": {
       "locked": {
-        "lastModified": 1766747458,
+        "lastModified": 1780030872,
-        "narHash": "sha256-m63jjuo/ygo8ztkCziYh5OOIbTSXUDkKbqw3Vuqu4a4=",
+        "narHash": "sha256-u6WU/yd/o8iYQrHX3RAwO1hYa3LkoSL+WNQD0rJfJZQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c633f572eded8c4f3c75b8010129854ed404a6ce",
+        "rev": "e9a7635a57597d9754eccebdfc7045e6c8600e6b",
         "type": "github"
       },
       "original": {
@@ -188,22 +166,40 @@
         "type": "github"
       }
     },
-    "nixpkgs": {
+    "nixos-wsl": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1766687554,
+        "lastModified": 1780169171,
-        "narHash": "sha256-DegN7KD/EtFSKXf2jvqL6lvev6GlfAAatYBcRC8goEo=",
+        "narHash": "sha256-3HBYDfBgZ+ph52HS6Ks/bMMwuh2uONIT72sZ1CtLE/s=",
-        "owner": "nixos",
+        "owner": "nix-community",
-        "repo": "nixpkgs",
+        "repo": "nixos-wsl",
-        "rev": "fd0ca39c92fdb4012ed8d60e1683c26fddadd136",
+        "rev": "998b2821c30b2938637230916904ceb8757c79e8",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
+        "owner": "nix-community",
-        "ref": "nixos-25.05",
+        "repo": "nixos-wsl",
-        "repo": "nixpkgs",
         "type": "github"
       }
     },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1767892417,
+        "narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
+        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
+      }
+    },
     "nixpkgs-lib": {
       "locked": {
         "lastModified": 1697935651,
@@ -221,31 +217,33 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1766651565,
+        "lastModified": 1780203844,
-        "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=",
+        "narHash": "sha256-K5sT4jTpGs15ADhviMKNBH38REpPf5Q6mM1+N6cArVE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539",
+        "rev": "b51242d7d43689db2f3be91bd05d5b24fbb469c4",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-26.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nur": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1766799124,
+        "lastModified": 1780265777,
-        "narHash": "sha256-f4OZ0VXNGm9/H70SJH/QT5tazHXUBpA5Em5nIXXpg1o=",
+        "narHash": "sha256-t/KORFHEv8Jn2vFmVfv4Zffekv+MUogI2KgtxuCcEmQ=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "b11954b861525ba70debefc3748790dcecd6c0f6",
+        "rev": "39917b7f68263188707925ffe26c9df6ef4e7d64",
         "type": "github"
       },
       "original": {
@@ -256,15 +254,16 @@
     },
     "root": {
       "inputs": {
-        "arion": "arion",
         "darwin": "darwin",
         "hardware": "hardware",
         "home-manager": "home-manager",
         "nix-colors": "nix-colors",
         "nixUnstable": "nixUnstable",
-        "nixpkgs": "nixpkgs",
+        "nixos-wsl": "nixos-wsl",
+        "nixpkgs": "nixpkgs_2",
         "nur": "nur",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "vscode-server": "vscode-server"
       }
     },
     "sops-nix": {
@@ -274,11 +273,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766289575,
+        "lastModified": 1777944972,
-        "narHash": "sha256-BOKCwOQQIP4p9z8DasT5r+qjri3x7sPCOq+FTjY8Z+o=",
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "9836912e37aef546029e48c8749834735a6b9dad",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
         "type": "github"
       },
       "original": {
@@ -286,6 +285,42 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "vscode-server": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1770124655,
+        "narHash": "sha256-yHmd2B13EtBUPLJ+x0EaBwNkQr9LTne1arLVxT6hSnY=",
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "rev": "92ce71c3ba5a94f854e02d57b14af4997ab54ef0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -3,12 +3,15 @@
   inputs = {
     # Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable"
     nixUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-26.05";
     hardware.url = "github:nixos/nixos-hardware";
-    nur.url = "github:nix-community/nur";
+    nur = {
+      url = "github:nix-community/nur";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-25.05";
+      url = "github:nix-community/home-manager/release-26.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -17,39 +20,45 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    # hyprland = {
-    #   url = "github:hyprwm/Hyprland";
-    #   inputs.nixpkgs.follows = "nixpkgs";
-    # };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nix-colors.url = "github:misterio77/nix-colors";
+    nixos-wsl = {
+      url = "github:nix-community/nixos-wsl";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
-    arion.url = "github:hercules-ci/arion";
+    vscode-server = {
-    arion.inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:nix-community/nixos-vscode-server";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
   };
 
   outputs = inputs:
-    let gen = import ./generator.nix { inherit inputs; };
+    let
+      lib = inputs.nixpkgs.lib;
+      gen = import ./generator.nix { inherit inputs; };
+      systemsDir = ./systems;
+      systemNames = lib.attrNames (lib.filterAttrs
+        (name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix"))
+        (builtins.readDir systemsDir));
+      hostsByType = systemType:
+        lib.filter
+          (host: (import (systemsDir + "/${host}/cfg.nix")).syscfg.type == systemType)
+          systemNames;
+      generateHosts = systemType:
+        builtins.listToAttrs (map
+          (host: lib.nameValuePair host (gen.generate { inherit host; }))
+          (hostsByType systemType));
     in {
       devShells = import ./shells { inherit inputs; };
 
-      nixosConfigurations = {
+      nixosConfigurations = generateHosts "nixos";
-        valinor = gen.generate { host = "valinor"; };
+      darwinConfigurations = generateHosts "macos";
-        iriy = gen.generate { host = "iriy"; };
+      homeConfigurations = generateHosts "home";
-        efir = gen.generate { host = "efir"; };
-        avalon = gen.generate { host = "avalon"; };
-        ci = gen.generate { host = "ci"; };
-        sandbox = gen.generate { host = "sandbox"; };
-      };
-      darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
-      homeConfigurations = {
-        yomi = gen.generate { host = "example"; };
-        example = gen.generate { host = "example"; };
-      };
     };
 
   # ===== Unsupported/NotImplemented ======

generator.nix

@@ -5,7 +5,7 @@
       nameValuePair = name: value: { inherit name value; };
     in ({
       "nixos" = inputs.nixpkgs.lib.nixosSystem {
-        system = syscfg.syscfg.system;
+        system = "x86_64-linux";
         specialArgs = { inherit inputs; };
         modules = [
           ./modules/shared/syscfg
@@ -13,9 +13,12 @@
           ./modules/nixos
           syscfg
           ./systems/${host}
-          inputs.arion.nixosModules.arion
           inputs.sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.home-manager
+
+          inputs.nixos-wsl.nixosModules.wsl
+          inputs.vscode-server.nixosModules.default
+
           {
             home-manager.useGlobalPkgs = true;
             home-manager.useUserPackages = true;
@@ -29,7 +32,6 @@
                   syscfg
                   { usercfg = userConfig; }
                   inputs.nix-colors.homeManagerModule
-                  # inputs.hyprland.homeManagerModules.default
                   inputs.sops-nix.homeManagerModules.sops
                 ];
               }) syscfg.syscfg.users);
@@ -38,7 +40,7 @@
       };
 
       "macos" = inputs.darwin.lib.darwinSystem {
-        system = syscfg.system;
+        system = "x86_64-darwin";
         modules = [
           ./modules/shared/syscfg
           ./modules/shared/sops

modules/home/cli/git/default.nix

@@ -1,15 +1,17 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
 
   programs.git = {
     enable = true;
-    userEmail = "${config.usercfg.git.email}";
+    signing = lib.mkIf (config.usercfg.git.key != null) {
-    userName = "${config.usercfg.git.username}";
+      key = config.usercfg.git.key;
-    signing = {
-      key = "${config.usercfg.git.key}";
       signByDefault = true;
     };
     ignores = [ "*result*" ".direnv" "node_modules" ];
-    extraConfig = { core.hooksPath = "./.dev/hooks"; };
+    settings = {
+      core.hooksPath = "./.dev/hooks"; 
+      user.email = "${config.usercfg.git.email}";
+      user.name = "${config.usercfg.git.username}";
+    };
   };
 
   home.packages = with pkgs; [ tig ];

modules/home/cli/neofetch/config.jsonc

@@ -0,0 +1,147 @@
+{
+    "$schema": "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json",
+    "logo": {
+        "type": "builtin", // Logo type: auto, builtin, small, file, etc.
+        // "source": "arch",
+        "width": 10,
+        "height": 10,
+        "padding": {
+            "top": 3,
+            "left": 2,
+            "right": 2
+        },
+        "color": {
+            "1": "blue",
+            "2": "white",
+            "3": "cyan"
+        }
+    },
+    "display": { /* Display settings */},
+    "modules": [
+        "break",
+        {
+            "type": "custom",
+            "format": "\u001b[90m┌──────────────────────Hardware──────────────────────┐"
+        },
+        {
+            "type": "host",
+            "key": "󰌢  PC",
+            "keyColor": "green",
+            "format": "{2}"
+        },
+        {
+            "type": "cpu",
+            "key": "│ ├󱛠 ",
+            "keyColor": "green",
+            "format": "{1} | {4} @{6}"
+        },
+        {
+            "type": "gpu",
+            "key": "│ ├󰍹 ",
+            "keyColor": "green",
+            "format": "{2} | {7}"
+        },
+        {
+            "type": "memory",
+            "key": "│ ├󰑭 ",
+            "keyColor": "green",
+            "format": "{2}"
+        },
+        // {
+        //     "type": "disk",
+        //     "key": "└ └󰋊 ",
+        //     "keyColor": "green"
+        // },
+        {
+            "type": "custom",
+            "format": "\u001b[90m└────────────────────────────────────────────────────┘"
+        },
+        "break",
+        {
+            "type": "custom",
+            "format": "\u001b[90m┌──────────────────────Software──────────────────────┐"
+        },
+        {
+            "type": "os",
+            "key": "  OS",
+            "keyColor": "yellow",
+            "format": " {2} {8}"
+        },
+        {
+            "type": "kernel",
+            "key": "│ ├󰌽 ",
+            "keyColor": "yellow",
+            "format": "{1} {2}"
+        },
+        {
+            "type": "bios",
+            "key": "│ ├󰖡 ",
+            "keyColor": "yellow"
+        },
+        {
+            "type": "packages",
+            "key": "│ ├󰏗 ",
+            "keyColor": "yellow"
+        },
+        {
+            "type": "de",
+            "key": "󰧨  DE",
+            "keyColor": "blue",
+            "format": "{2} | {3}"
+        },
+        {
+            "type": "lm",
+            "key": "│ ├󰍁 ",
+            "keyColor": "blue",
+            "format": "{1} {2} {3}"
+        },
+        {
+            "type": "wm",
+            "key": "│ ├󱂬 ",
+            "keyColor": "blue",
+            "format": "{2} {5}"
+        },
+        {
+            "type": "custom",
+            "format": "\u001b[90m└────────────────────────────────────────────────────┘"
+        },
+        "break",
+        {
+            "type": "custom",
+            "format": "\u001b[90m┌──────────────────────Age───────────────────────────┐"
+        },
+        {
+            "type": "command",
+            "key": "  ›  OS Age  ",
+            "keyColor": "magenta",
+            "text": "birth_install=$(stat -c %W /); current=$(date +%s); time_progression=$((current - birth_install)); days_difference=$((time_progression / 86400)); echo $days_difference days"
+        },
+        {
+            "type": "command",
+            "key": "  ›  Update  ",
+            "keyColor": "magenta",
+            "text": "nixos-rebuild list-generations | awk '$NF == \"True\" {print $2, $3}' | xargs -I {} date -d \"{}\" +\"%s\" | awk '{diff=systime()-$1; printf \"%d days, %d hours, %d mins\\n\", diff/86400, (diff%86400)/3600, (diff%3600)/60}'"
+        },
+        {
+            "type": "uptime",
+            "key": "  ›  Uptime  ",
+            "keyColor": "magenta"
+        },
+        {
+            "type": "custom",
+            "format": "\u001b[90m└────────────────────────────────────────────────────┘"
+        },
+        {
+            "type": "colors",
+            "paddingLeft": 2,
+            "block": {
+                "width": 3,
+                "range": [
+                    0,
+                    15
+                ]
+            } //,
+            //"symbol": "circle"
+        },
+    ]
+}

modules/home/cli/neofetch/default.nix

@@ -1,4 +1,5 @@
 { pkgs, config, ... }: {
-  home.packages = with pkgs; [ neofetch ];
+  home.packages = with pkgs; [ fastfetch ];
   xdg.configFile."neofetch/config.conf".source = ./config.conf;
+  xdg.configFile."fastfetch/config.jsonc".source = ./config.jsonc;
 }

modules/home/cli/zsh/default.nix

@@ -9,6 +9,8 @@ in {
       "sudo" = "sudo ";
       "devsh" =
         "nix develop --profile /tmp/devsh-env ${nixflake_url}#devsh -c zsh";
+      "cdevsh" =
+        "nix develop --profile /tmp/devsh-env -c zsh";
       "nixb" = "(sudo nixos-rebuild switch --flake ${nixflake_url})";
       "nixgc" = "sudo nix-collect-garbage -d && nix-collect-garbage -d";
       "ssh" = "TERM=xterm-256color  ${pkgs.openssh}/bin/ssh";

modules/home/gui/apps/develop/default.nix

@@ -2,6 +2,6 @@
   imports = [ ./vscodium ];
 
   config = lib.mkIf (config.syscfg.make.develop) {
-    home.packages = with pkgs; [ blender godot_4 openscad-unstable bambu-studio pandoc];
+    home.packages = with pkgs; [ blender godot_4 openscad-unstable orca-slicer pandoc claude-code];
   };
 }

modules/home/gui/apps/develop/vscodium/default.nix

@@ -12,6 +12,7 @@
           ms-python.vscode-pylance
           ms-vscode.cpptools
           dbaeumer.vscode-eslint
+          continue.continue 
         ];
       #};
     };

modules/home/gui/apps/pipewire/default.nix

@@ -25,6 +25,20 @@
                 }
             }
         }
+        {   name = "libpipewire-module-loopback"
+            args = {
+                node.description = "Virtual Loopback"
+                audio.position = [ FL FR ]
+                capture.props = {
+                    media.class = "Audio/Sink"
+                    node.name = "vloopback_sink"
+                }
+                playback.props = {
+                    media.class = "Audio/Source"
+                    node.name = "vloopback_source"
+                }
+            }
+        }
       ]
     '';
   };

modules/home/gui/games/default.nix

@@ -9,11 +9,11 @@
       #games
       # steam
       gamemode
-      gamescope
+      #gamescope
-      mangohud
+      #mangohud
       prismlauncher
       openttd-jgrpp
-      bottles
+      #bottles
       lutris
       unstable.umu-launcher
       # wine

modules/home/gui/games/wow.nix

@@ -5,6 +5,7 @@
     home.packages = with pkgs;
       [
         # custom.simc
+        unstable.instawow
       ];
 
     # templates buggy currently
@@ -18,64 +19,5 @@
               "wago_addons": null
             }
         }'';
-
-# curse:master-plan
-# curse:raretrackercore-rt
-# curse:raretrackerdragonflight-rtd
-# curse:raretrackermaw-rtmw
-# curse:raretrackermechagon-rtm
-# curse:raretrackerthewarwithin-rtww
-# curse:raretrackertimelessisle-rtti
-# curse:raretrackeruldum-rtu
-# curse:raretrackervale-rtv
-# curse:raretrackerworldbosses-rtwb
-# curse:raretrackerzerethmortis-rtz
-# curse:venture-plan
-# curse:war-plan
-# github:nevcairiel/bartender4
-# github:cidan/betterbags
-# github:bigwigsmods/bigwigs
-# github:bigwigsmods/bigwigs_battleforazeroth
-# github:bigwigsmods/bigwigs_burningcrusade
-# github:bigwigsmods/bigwigs_cataclysm
-# github:bigwigsmods/bigwigs_classic
-# github:bigwigsmods/bigwigs_dragonflight
-# github:bigwigsmods/bigwigs_legion
-# github:bigwigsmods/bigwigs_mistsofpandaria
-# github:bigwigsmods/bigwigs_shadowlands
-# github:bigwigsmods/bigwigs_warlordsofdraenor
-# github:bigwigsmods/bigwigs_wrathofthelichking
-# github:nezroy/demodal
-# github:curseforge-mirror/details
-# github:edusperoni/details_elitism
-# github:curseforge-mirror/elitismhelper
-# github:michaelnpsp/grid2
-# github:jods-gh/groupfinderrio
-# github:nevcairiel/handynotes
-# github:hekili/hekili
-# github:thekrowi/krowi_achievementfilter
-# github:bigwigsmods/littlewigs
-# github:nnoggie/mythicdungeontools
-# github:tullamods/omnicc
-# github:tercioo/plater-nameplates
-# github:curseforge-mirror/quest_completist
-# github:raiderio/raiderio-addon
-# github:wowrarity/rarity
-# github:nevcairiel/shadowedunitframes
-# github:simulationcraft/simc-addon
-# github:curseforge-mirror/tomcats
-# github:weakauras/weakauras2
-# github:kemayo/wow-handynotes-battleforazerothtreasures
-# github:kemayo/wow-handynotes-dragonflight
-# github:kemayo/wow-handynotes-legiontreasures
-# github:kemayo/wow-handynotes-longforgottenhippogryph
-# github:kemayo/wow-handynotes-lostandfound
-# github:kemayo/wow-handynotes-secretfish
-# github:kemayo/wow-handynotes-shadowlandstreasures
-# github:kemayo/wow-handynotes-stygia
-# github:kemayo/wow-handynotes-treasurehunter
-# github:kemayo/wow-handynotes-warwithin
-# wowi:7032-tomtom
-
   };
 }

modules/home/gui/theme/default.nix

@@ -1,6 +1,5 @@
 { lib, config, pkgs, ... }:
 let
-  colorVariant = " black";
   gtkThemeFromScheme = import ./gtk-theme-gen.nix { inherit pkgs config; };
   wallpaperGen = import ./wallpaper-gen.nix { inherit pkgs config; };
 in {

modules/home/wayland/hyprland/config.nix

@@ -89,9 +89,7 @@
             new_status = master
         }
 
-        gestures {
+        gesture = 3, vertical, workspace
-            workspace_swipe = off
-        }
                         
         exec-once = eww open bar
         #exec-once = waybar

modules/home/xdg/default.nix

@@ -7,7 +7,7 @@
   xdg.userDirs.documents = "${config.home.homeDirectory}/desktop";
   xdg.userDirs.download = "${config.home.homeDirectory}/downloads";
   xdg.userDirs.extraConfig = {
-    XDG_MISC_DIR = "${config.home.homeDirectory}/misc";
+    MISC = "${config.home.homeDirectory}/misc";
   };
   xdg.userDirs.music = "${config.home.homeDirectory}/media/music";
   xdg.userDirs.pictures = "${config.home.homeDirectory}/media/photo";
@@ -15,5 +15,5 @@
   xdg.userDirs.templates = "${config.home.homeDirectory}/media/template";
   xdg.userDirs.videos = "${config.home.homeDirectory}/media/video";
   xdg.userDirs.createDirectories = true;
-
+  xdg.userDirs.setSessionVariables = true;
 }

modules/nixos/system/default.nix

@@ -1,3 +1,11 @@
 { ... }: {
   imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ];
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=512M
+    SystemMaxFileSize=64M
+    MaxRetentionSec=1month
+    RateLimitIntervalSec=30s
+    RateLimitBurst=10000
+  '';
 }

modules/nixos/system/hw/boot/default.nix

@@ -9,7 +9,7 @@ in {
       };
       efi = {
         canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot/efi";
+        efiSysMountPoint = "/boot";
       };
     };
   };

modules/nixos/system/hw/default.nix

@@ -1 +1 @@
-{ ... }: { imports = [ ./base ./boot ./fs ./graphics ./power ./udev ./virt ]; }
+{ ... }: { imports = [ ./base ./boot ./fs ./graphics ./power ./udev ./virt ./wsl ]; }

modules/nixos/system/hw/power/default.nix

@@ -15,16 +15,15 @@
     # suspend to RAM (deep) rather than `s2idle`
     boot.kernelParams = [ "mem_sleep_default=deep" ];
     # suspend-then-hibernate
-    systemd.sleep.extraConfig = ''
+    systemd.sleep.settings.Sleep = {
-      HibernateDelaySec=30m
+      HibernateDelaySec = "30m";
-      SuspendState=mem
+      SuspendState = "mem";
-    '';
+    };
 
-    services.logind.lidSwitch = "suspend-then-hibernate";
+    services.logind.settings.Login.HandleLidSwitch = "suspend-then-hibernate";
     # Hibernate on power button pressed
-    services.logind.powerKey = "hibernate";
+    services.logind.settings.Login.HandlePowerKey = "hibernate";
-    services.logind.powerKeyLongPress = "poweroff";
+    services.logind.settings.Login.HandlePowerKeyLongPress = "poweroff";
-
 
     systemd.user.services.battery_monitor = {
       wants = [ "display-manager.service" ];

modules/nixos/system/hw/udev/default.nix

@@ -1,8 +1,8 @@
-{ ... }: {
+{ pkgs, ... }: {
   systemd.services.systemd-udevd.restartIfChanged = false;
 
   services.udev = {
-    packages = [ ];
+    packages = with pkgs; [ ];
     extraRules = ''
       SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0127", GROUP="plugdev", TAG+="uaccess"
       SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0118", GROUP="plugdev", TAG+="uaccess"

modules/nixos/system/hw/virt/default.nix

@@ -11,11 +11,13 @@
         dockerSocket.enable = true;
         dockerCompat = true;
         defaultNetwork.settings = {
-          dnsname.enable = true;
+          #dnsname.enable = true;
-          internal = true;
+          dns_enabled = true;
-          name = "internal";
+          #internal = true;
+          #name = "internal";
         };
       };
     };
+    virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
   };
 }

modules/nixos/system/hw/wsl/default.nix

@@ -0,0 +1,13 @@
+{ lib, config, pkgs, ... }: {
+    config = lib.mkIf (config.syscfg.extra.wsl) {
+    wsl.enable = true;
+    wsl.defaultUser = config.syscfg.defaultUser;
+    wsl.extraBin = with pkgs; [
+        { src = "${coreutils}/bin/uname"; }
+        { src = "${coreutils}/bin/dirname"; }
+        { src = "${coreutils}/bin/readlink"; }
+    ];
+    
+    wsl.wslConf.network.generateHosts = false;
+    };
+}

modules/nixos/system/network/base/default.nix

@@ -1,9 +1,30 @@
-{ config, ... }: {
+{ lib, config, ... }: {
   networking = {
     hostName = config.syscfg.hostname;
     useDHCP = true;
     nameservers = [ "1.1.1.1" "9.9.9.9" ];
 
-    firewall = { enable = true; };
+    extraHosts = ''
+      ${lib.concatStringsSep "\n" config.syscfg.extra.hosts}
+    '';
+
+    proxy = lib.mkIf (config.syscfg.extra.proxy.domain != "") {
+      default = "http://${config.syscfg.extra.proxy.domain}:${config.syscfg.extra.proxy.port or "8080"}";
+      noProxy = "${config.syscfg.extra.proxy.noProxy}";
+    };
+
+
+    firewall = { 
+      enable = true;
+      allowedUDPPorts = 
+        (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++ 
+        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
+        [ ];
+
+      allowedTCPPorts = 
+        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
+        (if (config.syscfg.server != false) then [ 5432 6379 8181 ] else [ ]) ++ 
+        [ ];
+    };
   };
 }

modules/nixos/system/network/wireguard/default.nix

@@ -1,4 +1,12 @@
-{ config, lib, ... }: {
+{ config, lib, pkgs, ... }: let
+
+  isValidPeer = p: 
+    (p ? syscfg.net.wg.enable) && 
+    (p.syscfg.net.wg.enable == true) && 
+    (p.syscfg.net.wg.pubkey != config.syscfg.net.wg.pubkey);
+  activePeers = builtins.filter isValidPeer config.syscfg.peers;
+in
+{
   config = lib.mkIf (config.syscfg.net.wg.enable) {
     networking.wireguard = {
       enable = true;
@@ -9,14 +17,26 @@
             config.sops.secrets."${config.syscfg.hostname}_wg_priv".path;
           listenPort = 1515;
           mtu = 1340;
-          peers = [{
+          peers = 
-            allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
+            if (config.syscfg.server ? wireguard && config.syscfg.server.wireguard) then
-            endpoint = "vpn.helcel.net:1515";
+              map (p: {
-            publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+                name = p.syscfg.hostname;
-            persistentKeepalive = 30;
+                publicKey = p.syscfg.net.wg.pubkey;
-          }];
+                allowedIPs = [ p.syscfg.net.wg.ip4 p.syscfg.net.wg.ip6 ];
+              }) activePeers
+            else
+              [{
+                allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
+                endpoint = "vpn.helcel.net:1515";
+                publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+                persistentKeepalive = 30;
+              }];
         };
       };
     };
+    systemd.services."wireguard-wg0" = {
+      after = [ "network-online.target" "nss-lookup.target" ];
+      wants = [ "network-online.target" "nss-lookup.target" ];
+    };
   };
 }

modules/nixos/system/nix/default.nix

@@ -37,5 +37,12 @@
       ];
     };
   };
+  programs.nix-ld = {
+    enable = true;
+    libraries = with pkgs; [
+      libx11 libxcb libxi libxext libxkbfile xcbutilcursor
+      libpng libdrm libpulseaudio nss nspr expat libbsd
+    ];
+  };
   system.stateVersion = "24.11";
 }

modules/nixos/tools/debug/default.nix

@@ -1,12 +1,9 @@
 { pkgs, config, lib, ... }: {
 
   config = lib.mkIf (config.syscfg.make.develop) {
-    programs.adb.enable = true;
+
-    services.udev.packages = [
-      pkgs.android-udev-rules
-    ];
     programs.wireshark.enable = true;
 
-    environment.systemPackages = with pkgs; [ wget dconf wireshark ];
+    environment.systemPackages = with pkgs; [ wget dconf wireshark mtr android-tools ];
   };
 }

modules/nixos/tools/develop/default.nix

@@ -6,7 +6,15 @@ let
     includeEmulator = false;
   };
 in {
+
+  imports = [ ./ollama ];
   config = lib.mkIf (config.syscfg.make.develop) {
+
+    services.vscode-server = lib.mkIf (config.syscfg.extra.wsl) {
+      enable = true;
+      enableFHS = true;
+    };
+
     environment.systemPackages = with pkgs;
       [
         # android-tools

modules/nixos/tools/develop/ollama/default.nix

@@ -0,0 +1,15 @@
+{ lib, config, pkgs, ... }: 
+let 
+ ollamaPkg = pkgs.ollama-vulkan;
+in{
+
+  config = lib.mkIf (config.syscfg.make.develop) {
+    services.ollama = {
+        enable = true;
+        package = ollamaPkg;
+        loadModels = [ ];
+        syncModels = true;
+    };
+    environment.systemPackages = with pkgs; [ ollamaPkg ];
+  };
+}

modules/server/containers/apps/.template.nix

@@ -0,0 +1,54 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let
+  version = "latest";
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "EXAMPLE";
+    tag = "0.0.0";
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "echo 1" ];
+      ExposedPorts = {  };
+    };
+  }; 
+  settings = pkgs.writeText "settings.yaml" ...;
+  templateData = builder.mkData { name = "template"; dir = "template"; vars = {
+      _ARGUMENT = "template";
+    };
+  };
+in {
+  requires = {
+    secrets = [ ];
+    databases = [ ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config}/example/";
+      mode = "0444";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        # imageStream = image;
+        image = "....:${version}";
+        port = 8080;
+        secret = name;
+        extraEnv = { };
+        overrides = {
+          cmd = [ ];
+          volumes = [ ];
+         };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."EXAMPLE".path;
+      script = pkgs.writeShellScript "setup" ''
+        ...
+      '';
+    };
+  };
+}

modules/server/containers/apps/.todo.md

@@ -0,0 +1,8 @@
+# Missing
+
+RSS: TTRSS / FreshRSS
+Monitoring: Telegraf + InfluxDB
+https://github.com/tarampampam/error-pages ?
+kavita + mylar ? kapowarr ?
+
+- Transmission Cfg and API/Token handling

modules/server/containers/apps/authentik.nix

@@ -0,0 +1,139 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "2026.2.2";
+  serverCfg = config.syscfg.server;
+  mediaCfg = config.syscfg.media;
+  authentikBackground = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
+  logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
+  logoIcoFileName = builtins.baseNameOf (toString mediaCfg.logo.ico);
+  backgroundFileName = builtins.baseNameOf (toString authentikBackground);
+  logoSvgMount = "/media/custom/${logoSvgFileName}";
+  logoIcoMount = "/media/custom/${logoIcoFileName}";
+  backgroundMount = "/media/custom/${backgroundFileName}";
+  authentikData = builder.mkData { 
+    name = "authentik"; dir = "authentik"; vars = {
+      AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
+      COOKIE_DOMAIN = "${serverCfg.domain}";
+      AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
+      AUTHENTIK_BRANDING_TITLE = if containerCfg.extra ? name then containerCfg.extra.name else "authentik";
+      AUTHENTIK_BRANDING_LOGO = "custom/${logoSvgFileName}";
+      AUTHENTIK_BRANDING_FAVICON = "custom/${logoIcoFileName}";
+      AUTHENTIK_BRANDING_BACKGROUND = "custom/${backgroundFileName}";
+    } 
+    // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?freshrss then { FRESHRSS_DOMAIN = "${serverCfg.containers.freshrss.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?homepage then { HOMEPAGE_DOMAIN = "${serverCfg.containers.homepage.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
+  };
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config}/authentik";
+      owner = "1000:1000";
+      dirs = ["media" "templates"];
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "ghcr.io/goauthentik/server:${version}";
+        port = 9000;
+        secret = name;
+        extraEnv = {
+          AUTHENTIK_REDIS__HOST = builder.host;
+          AUTHENTIK_POSTGRESQL__HOST = builder.host;
+          AUTHENTIK_POSTGRESQL__USER = "authentik_user";
+          AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
+          AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
+          AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+          AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+        } // lib.optionalAttrs (serverCfg.mail.server != null) {
+          AUTHENTIK_EMAIL__HOST = serverCfg.mail.server;
+          AUTHENTIK_EMAIL__PORT = "587";
+          AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
+          AUTHENTIK_EMAIL__USE_TLS = "true";
+          AUTHENTIK_EMAIL__USE_SSL = "false";
+          AUTHENTIK_EMAIL__TIMEOUT = "10";
+          AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
+        };
+        overrides = {
+          environmentFiles =  [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
+        
+          cmd = [ "server" ];
+          volumes = [
+            "${serverCfg.path.config}/authentik/media:/media"
+            "${serverCfg.path.config}/authentik/templates:/templates"
+            "${authentikData}:/blueprints/custom:ro"
+            "${mediaCfg.logo.svg}:${logoSvgMount}:ro"
+            "${mediaCfg.logo.ico}:${logoIcoMount}:ro"
+            "${authentikBackground}:${backgroundMount}:ro"
+          ];
+        };
+      };
+
+      worker = builder.mkContainer {
+        image = "ghcr.io/goauthentik/server:${version}";
+        secret = name;
+        extraEnv = {
+          AUTHENTIK_REDIS__HOST = builder.host;
+          AUTHENTIK_POSTGRESQL__HOST = builder.host;
+          AUTHENTIK_POSTGRESQL__USER = "authentik_user";
+          AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
+          AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
+          AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+          AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+        };
+        overrides = {
+          cmd = [ "worker" ];
+          volumes = [
+            "${serverCfg.path.config}/authentik/media:/media"
+            "${serverCfg.path.config}/authentik/templates:/templates"
+            "${authentikData}:/blueprints/custom:ro"
+            "${mediaCfg.logo.svg}:${logoSvgMount}:ro"
+            "${mediaCfg.logo.ico}:${logoIcoMount}:ro"
+            "${authentikBackground}:${backgroundMount}:ro"
+          ];
+        };
+      };
+
+      ldap = builder.mkContainer {
+        image = "ghcr.io/goauthentik/ldap:${version}";
+        secret = name;
+        extraEnv = {
+          AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}"; 
+          AUTHENTIK_INSECURE = "false"; 
+        };
+      };
+    };
+
+    setup = {
+      trigger = "worker";
+      script = pkgs.writeShellScript "setup" ''
+        # Define the command wrapper
+        AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
+
+        $AK apply_blueprint /blueprints/custom/authentik.yaml
+        $AK apply_blueprint /blueprints/custom/branding.yaml
+        $AK apply_blueprint /blueprints/custom/traefik.yaml
+        $AK apply_blueprint /blueprints/custom/ldap.yaml
+
+        ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
+        ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
+        ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
+        ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
+        ${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
+        ${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
+
+        echo "Completed Authentik Setup"
+      '';
+    };
+  };
+}

modules/server/containers/apps/calibre.nix

@@ -0,0 +1,42 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let
+  version = "latest";
+  serverCfg = config.syscfg.server;
+in {
+  runtime = {
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "crocodilestick/calibre-web-automated:${version}";
+        port = 8083;
+      #   secret = name;
+        extraEnv = {
+          CWA_PORT_OVERRIDE = "8083";
+
+          PUID = "1000";
+          PGID = "1000";
+          #HARDCOVER_TOKEN= ....
+          TRUSTED_PROXY_COUNT= "1";
+        };
+          extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`)";
+          "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik) then "authentik" else "";
+          "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+          "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+          "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.book}:/calibre-library"
+            "${serverCfg.path.download}/book:/cwa-book-ingest"
+          ];
+        };
+      };
+    };
+  };
+
+  # curl 'https://books.test.helcel.net/admin/ajaxconfig' \
+  # -X POST 
+  # -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'
+  # --data-raw 'csrf_token=${CSRF_TOKEN}&config_certfile=&config_keyfile=&config_updatechannel=0&config_trustedhosts=&config_log_level=20&config_logfile=%2Fdev%2Fstdout&config_access_logfile=%2Fconfig%2Faccess.log&config_embed_metadata=on&config_uploading=on&config_upload_formats=m4b%2Cacsm%2Cdoc%2Cpdf%2Cmp3%2Codt%2Ccbr%2Crtf%2Clit%2Cprc%2Cm4a%2Cdjv%2Cfb2%2Copus%2Cdocx%2Cazw3%2Cepub%2Cdjvu%2Cwav%2Ccb7%2Ccbz%2Cmp4%2Ckfx-zip%2Cmobi%2Ccbt%2Cogg%2Ckfx%2Ckepub%2Ctxt%2Cazw%2Chtml%2Cflac&config_external_port=8083&config_goodreads_api_key=&config_hardcover_token=&config_use_https=on&config_reverse_proxy_login_header_name=&config_login_type=1&config_ldap_provider_url=sso.test.helcel.net&config_ldap_port=389&config_ldap_encryption=0&config_ldap_cacert_path=&config_ldap_cert_path=&config_ldap_key_path=&config_ldap_authentication=2&config_ldap_serv_username=cn%3Dldap-service%2Cou%3Dusers%2C%24%7BLDAP_DC_DOMAIN%7D&config_ldap_serv_password_e=%24DEFAULT_LDAP_PASSWORD&config_ldap_dn=%24%7BLDAP_DC_DOMAIN%7D&config_ldap_user_object=(memberOf%3Dcn%3Dcloud%2Cou%3Dgroups%2C%24%7BLDAP_DC_DOMAIN%7D)&config_ldap_openldap=on&config_ldap_auto_create_users=on&config_ldap_group_object_filter=(memberOf%3Dcn%3Dcloud%2Cou%3Dgroups%2C%24%7BLDAP_DC_DOMAIN%7D)&config_ldap_group_name=cloud&config_ldap_group_members_field=memberUid&ldap_import_user_filter=0&config_ldap_member_user_object=&config_generic_oauth_metadata_url=&config_generic_oauth_server_url=&config_generic_oauth_auth_url=&config_generic_oauth_token_url=&config_generic_oauth_userinfo_url=&config_generic_oauth_scope=email+openid+profile&config_oauth_redirect_host=&config_generic_oauth_client_id=&config_generic_oauth_client_secret=&config_generic_oauth_username_mapper=preferred_username&config_generic_oauth_email_mapper=email&config_generic_oauth_admin_group=admin&config_generic_oauth_login_button=OpenID+Connect&config_1_oauth_client_id=&config_1_oauth_client_secret=&config_2_oauth_client_id=&config_2_oauth_client_secret=&config_binariesdir=%2Fusr%2Fbin&config_calibre=&config_kepubifypath=%2Fusr%2Fbin%2Fkepubify&config_rarfile_location=%2Fusr%2Fbin%2Funrar&config_enable_oauth_group_admin_management=on&config_ratelimiter=on&config_limiter_uri=&config_limiter_options=&config_check_extensions=on&config_session=1&config_password_policy=on&config_password_min_length=8&config_password_number=on&config_password_lower=on&config_password_upper=on&config_password_character=on&config_password_special=on'
+}

modules/server/containers/apps/collabora.nix

@@ -0,0 +1,37 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+version = "latest";
+serverCfg = config.syscfg.server;
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "collabora/code:${version}";
+        port = 9980;
+        secret = name;
+        extraEnv = {
+          "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
+          "server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
+          "username" = "collabora_user";
+          "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
+          "VIRTUAL_PORT" = "9980";
+          "VIRTUAL_PROTO" = "http";
+          "DONT_GEN_SSL_CERT" = "true";
+          "RESOLVE_TO_PROXY_IP" = "true";
+          "extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
+          "dictionaries" = "en fr de jp no";
+        };
+        
+        overrides = {
+          volumes = [
+            "${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
+            "${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
+          ];
+        };
+      };
+    };
+  };
+}

modules/server/containers/apps/ethercalc.nix

@@ -0,0 +1,42 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  ethercalc_exe = pkgs.ethercalc;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "ethercalc";
+    tag = ethercalc_exe.version;
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
+      ExposedPorts = { "8080/tcp" = {}; };
+    };
+  };
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.data}/ethercalc/";
+      mode = "0666";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 8080;
+        secret = name;
+        extraEnv = {
+          ETHERCALC_PORT = "8080";
+          #CONNECT TO REDIS
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.data}/ethercalc:/data"
+          ];
+         };
+      };
+    };
+  };
+}

modules/server/containers/apps/etherpad.nix

@@ -0,0 +1,129 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  etherpad_exe = pkgs.etherpad-lite;
+  settings = pkgs.writeText"settings.json" (builtins.toJSON {
+    title= "\${TITLE:Etherpad}";
+    showRecentPads = "\${SHOW_RECENT_PADS:true}";
+    favicon = "\${FAVICON:null}";
+    publicURL = "\${PUBLIC_URL:null}";
+    skinName = "\${SKIN_NAME:colibris}";
+    skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
+    ip = "\${IP:0.0.0.0}";
+    port = "\${PORT:9001}";
+    showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
+    enableMetrics = "\${ENABLE_METRICS:true}";
+    updates.tier = "off";
+    cleanup.enabled = false;
+    gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
+    authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
+    enableDarkMode = "\${ENABLE_DARK_MODE:true}";
+    enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
+    dbType = "\${DB_TYPE:dirty}";
+    dbSettings = {
+      host =       "\${DB_HOST:undefined}";
+      port =       "\${DB_PORT:undefined}";
+      database =   "\${DB_NAME:undefined}";
+      user =       "\${DB_USER:undefined}";
+      password =   "\${DB_PASS:undefined}";
+      charset =    "\${DB_CHARSET:undefined}";
+      filename =   "\${DB_FILENAME:var/dirty.db}";
+      collection = "\${DB_COLLECTION:undefined}";
+      url =        "\${DB_URL:undefined}";
+    };
+    defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
+    padOptions = {
+      noColors =         "\${PAD_OPTIONS_NO_COLORS:false}";
+      showControls =     "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
+      showChat =         "\${PAD_OPTIONS_SHOW_CHAT:true}";
+      showLineNumbers =  "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
+      useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
+      userName =         "\${PAD_OPTIONS_USER_NAME:null}";
+      userColor =        "\${PAD_OPTIONS_USER_COLOR:null}";
+      rtl =              "\${PAD_OPTIONS_RTL:false}";
+      alwaysShowChat =   "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
+      chatAndUsers =     "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
+      lang =             "\${PAD_OPTIONS_LANG:null}";
+      fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
+      enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
+    };
+
+    requireSession = "\${REQUIRE_SESSION:false}";
+    editOnly = "\${EDIT_ONLY:false}";
+    minify = "\${MINIFY:true}";
+    requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
+    requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
+    trustProxy = "\${TRUST_PROXY:true}";
+    ep_headerauth.username_header = "X-authentik-username";
+    users.admin = {
+      password = "\${ADMIN_PASSWORD:null}";
+      is_admin = true;
+    };
+    socketTransportProtocols = ["websocket" "polling"];
+    socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
+    indentationOnNewLine = true;
+
+    loglevel = "\${LOGLEVEL:INFO}";
+    lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
+  });
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "etherpad";
+    tag = etherpad_exe.version;
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
+      ExposedPorts = { "8080/tcp" = {}; };
+    };
+  };
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config}/etherpad/";
+      mode = "0444";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 8080;
+        secret = name;
+        extraEnv = {
+          TITLE = "Pad";
+          PORT ="8080";
+          DB_TYPE = "postgres";
+          DB_HOST = builder.host;
+          DB_NAME = "etherpad_db";
+          DB_USER = "etherpad_user";
+          TRUST_PROXY = "true";
+          DB_CHARSET = "utf8mb4";
+          DEFAULT_PAD_TEXT = "";
+          PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
+          PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
+          SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+        };
+        overrides = {
+          cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
+          volumes = [
+            "${settings}:/etc/etherpad/settings.json"
+            "${serverCfg.path.config}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
+          ];
+         };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."ETHERPAD".path;
+      script = pkgs.writeShellScript "setup" ''
+        echo "$APIKEY" > ${serverCfg.path.config}/etherpad/APIKEY.txt
+        chmod 444 ${serverCfg.path.config}/etherpad/APIKEY.txt
+      '';
+    };
+  };
+}

modules/server/containers/apps/favicon.nix

@@ -0,0 +1,301 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let
+  serverCfg = config.syscfg.server;
+  mediaCfg = config.syscfg.media;
+  port = 8080;
+  cacheControl = containerCfg.extra.cacheControl or "public, max-age=86400";
+  priority = toString (containerCfg.extra.priority or 1000);
+  logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
+  logoSvgMount = "/assets/${logoSvgFileName}";
+  configFile = pkgs.writeText "favicon-config.json" (builtins.toJSON {
+    inherit cacheControl;
+    mappings = containerCfg.extra.mappings or {};
+    default = containerCfg.extra.default or null;
+    logoScale = containerCfg.extra.logoScale or 0.72;
+  });
+  pythonEnv = pkgs.python3.withPackages (ps: with ps; [
+    cairosvg
+    pillow
+  ]);
+  serverScript = pkgs.writeText "favicon-server.py" ''
+    import base64
+    import hashlib
+    from io import BytesIO
+    import json
+    import os
+    import re
+    from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+    from pathlib import Path
+    from urllib.parse import urlsplit
+
+    import cairosvg
+    from PIL import Image
+
+
+    CONFIG_PATH = os.environ.get("FAVICON_CONFIG", "/config/config.json")
+    LOGO_PATH = os.environ.get("FAVICON_LOGO", "/assets/logo.svg")
+    CACHE_DIR = Path(os.environ.get("FAVICON_CACHE_DIR", "/cache"))
+    LISTEN_HOST = os.environ.get("FAVICON_LISTEN_HOST", "0.0.0.0")
+    LISTEN_PORT = int(os.environ.get("FAVICON_PORT", "8080"))
+    DEFAULT_CACHE_CONTROL = "public, max-age=86400"
+    PATH_PATTERN = re.compile(
+        r"(?i)(?:^|/)(?:"
+        r"favicon(?:-[0-9]+x[0-9]+)?\.(?:ico|png|svg)"
+        r"|apple-touch-icon(?:-precomposed)?\.png"
+        r"|android-chrome-(?:192x192|512x512)\.png"
+        r"|mstile-150x150\.png"
+        r")$"
+    )
+
+
+    with open(CONFIG_PATH, "r", encoding="utf-8") as fh:
+        APP_CONFIG = json.load(fh)
+    with open(LOGO_PATH, "rb") as fh:
+        LOGO_BYTES = fh.read()
+    LOGO_DATA_URI = "data:image/svg+xml;base64," + base64.b64encode(LOGO_BYTES).decode("ascii")
+
+
+    def _normalize_host(host):
+        return (host or "").split(":", 1)[0].strip().lower()
+
+
+    def _pick_profile(host):
+        mappings = APP_CONFIG.get("mappings", {})
+        exact = mappings.get(host)
+        if exact is not None:
+            return exact
+
+        wildcard_matches = []
+        for pattern, profile in mappings.items():
+            if pattern.startswith("*.") and host.endswith(pattern[1:].lower()):
+                wildcard_matches.append((pattern.count("."), profile))
+
+        if wildcard_matches:
+            wildcard_matches.sort(key=lambda item: item[0], reverse=True)
+            return wildcard_matches[0][1]
+
+        return APP_CONFIG.get("default")
+
+
+    def _color(value, fallback):
+        return value if isinstance(value, str) and value else fallback
+
+
+    def _badge_text(profile):
+        badge = profile.get("icon") or profile.get("label") or profile.get("text") or ""
+        badge = str(badge).strip()
+        if not badge:
+            return ""
+        return badge[:3].upper()
+
+
+    def _logo_scale():
+        scale = APP_CONFIG.get("logoScale", 0.72)
+        try:
+            scale = float(scale)
+        except (TypeError, ValueError):
+            return 0.72
+        return max(0.2, min(0.9, scale))
+
+
+    def _render_svg(profile):
+        bg = _color(profile.get("background"), "#111827")
+        fg = _color(profile.get("foreground"), "#f8fafc")
+        accent = _color(profile.get("accent"), "#38bdf8")
+        badge = _badge_text(profile)
+
+        canvas = 256
+        panel = 188
+        panel_offset = (canvas - panel) // 2
+        logo_size = int(canvas * _logo_scale())
+        logo_offset = (canvas - logo_size) // 2
+        badge_svg = ""
+        if badge:
+            badge_svg = f"""
+              <g>
+                <circle cx="196" cy="60" r="34" fill="{accent}" />
+                <text x="196" y="72"
+                  font-family="DejaVu Sans, sans-serif"
+                  font-size="34"
+                  font-weight="700"
+                  text-anchor="middle"
+                  fill="{fg}">{badge}</text>
+              </g>
+            """
+
+        return f"""<svg xmlns="http://www.w3.org/2000/svg" width="{canvas}" height="{canvas}" viewBox="0 0 {canvas} {canvas}">
+          <defs>
+            <radialGradient id="glow" cx="84%" cy="16%" r="75%">
+              <stop offset="0%" stop-color="{accent}" stop-opacity="0.34" />
+              <stop offset="100%" stop-color="{accent}" stop-opacity="0" />
+            </radialGradient>
+          </defs>
+          <rect width="{canvas}" height="{canvas}" rx="56" fill="{bg}" />
+          <rect width="{canvas}" height="{canvas}" rx="56" fill="url(#glow)" />
+          <rect x="{panel_offset}" y="{panel_offset}" width="{panel}" height="{panel}" rx="44" fill="#ffffff" fill-opacity="0.08" stroke="{accent}" stroke-opacity="0.6" stroke-width="6" />
+          <rect x="42" y="214" width="172" height="10" rx="5" fill="{accent}" fill-opacity="0.9" />
+          <image href="{LOGO_DATA_URI}" x="{logo_offset}" y="{logo_offset}" width="{logo_size}" height="{logo_size}" preserveAspectRatio="xMidYMid meet" />
+          {badge_svg}
+        </svg>"""
+
+
+    def _target_spec(path):
+        name = Path(path).name.lower()
+        if name.endswith(".svg"):
+            return ("svg", None)
+        if name.endswith(".ico"):
+            return ("ico", 64)
+
+        known_sizes = {
+            "apple-touch-icon.png": 180,
+            "apple-touch-icon-precomposed.png": 180,
+            "android-chrome-192x192.png": 192,
+            "android-chrome-512x512.png": 512,
+            "mstile-150x150.png": 150,
+            "favicon.png": 256,
+        }
+        if name in known_sizes:
+            return ("png", known_sizes[name])
+
+        match = re.search(r"([0-9]{2,4})x([0-9]{2,4})", name)
+        if match:
+            return ("png", int(match.group(1)))
+        return ("png", 256)
+
+
+    def _cache_key(host, spec, profile):
+        payload = json.dumps(
+            {"host": host, "spec": spec, "profile": profile, "logo": hashlib.sha256(LOGO_BYTES).hexdigest()},
+            sort_keys=True,
+        ).encode("utf-8")
+        return hashlib.sha256(payload).hexdigest()
+
+
+    def _mime(ext):
+        return {
+            "svg": "image/svg+xml",
+            "png": "image/png",
+            "ico": "image/x-icon",
+        }[ext]
+
+
+    def _generate_asset(host, profile, path):
+        spec = _target_spec(path)
+        cache_name = f"{_cache_key(host, spec, profile)}.{spec[0]}"
+        target = CACHE_DIR / cache_name
+        if target.exists():
+            return target, _mime(spec[0])
+
+        CACHE_DIR.mkdir(parents=True, exist_ok=True)
+        svg = _render_svg(profile).encode("utf-8")
+        if spec[0] == "svg":
+            target.write_bytes(svg)
+            return target, _mime("svg")
+
+        png_bytes = cairosvg.svg2png(bytestring=svg, output_width=spec[1], output_height=spec[1])
+        if spec[0] == "png":
+            target.write_bytes(png_bytes)
+            return target, _mime("png")
+
+        image = Image.open(BytesIO(png_bytes))
+        image.save(target, format="ICO", sizes=[(64, 64), (48, 48), (32, 32), (16, 16)])
+        image.close()
+        return target, _mime("ico")
+
+
+    class Handler(BaseHTTPRequestHandler):
+        server_version = "favicon-router/1.0"
+
+        def _serve(self, include_body):
+            path = urlsplit(self.path).path
+            if not PATH_PATTERN.search(path):
+                self.send_error(404)
+                return
+
+            host = _normalize_host(self.headers.get("Host", ""))
+            profile = _pick_profile(host)
+            if not profile:
+                self.send_error(404, "No favicon mapping for host")
+                return
+
+            asset_path, content_type = _generate_asset(host, profile, path)
+            payload = asset_path.read_bytes()
+            self.send_response(200)
+            self.send_header("Content-Type", content_type)
+            self.send_header("Content-Length", str(len(payload)))
+            self.send_header("Cache-Control", APP_CONFIG.get("cacheControl", DEFAULT_CACHE_CONTROL))
+            self.end_headers()
+            if include_body:
+                self.wfile.write(payload)
+
+        def do_GET(self):
+            self._serve(include_body=True)
+
+        def do_HEAD(self):
+            self._serve(include_body=False)
+
+        def log_message(self, fmt, *args):
+            print("%s - - [%s] %s" % (self.address_string(), self.log_date_time_string(), fmt % args))
+
+
+    if __name__ == "__main__":
+        httpd = ThreadingHTTPServer((LISTEN_HOST, LISTEN_PORT), Handler)
+        httpd.serve_forever()
+  '';
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "favicon";
+    tag = "1";
+    contents = [
+      pythonEnv
+      pkgs.fontconfig
+      pkgs.dejavu_fonts
+      pkgs.cacert
+      pkgs.tzdata
+    ];
+    config = {
+      Entrypoint = [ "${pythonEnv}/bin/python3" serverScript ];
+      ExposedPorts = { "${toString port}/tcp" = { }; };
+      WorkingDir = "/";
+    };
+  };
+in {
+  runtime = {
+    paths = [
+      {
+        path = "${serverCfg.path.config}/favicon";
+        mode = "0755";
+        dirs = [ "cache" ];
+      }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        imageStream = image;
+        port = port;
+        extraEnv = {
+          FAVICON_CONFIG = "/config/config.json";
+          FAVICON_LOGO = logoSvgMount;
+          FAVICON_CACHE_DIR = "/cache";
+          FAVICON_PORT = toString port;
+          FONTCONFIG_FILE = "${pkgs.fontconfig.out}/etc/fonts/fonts.conf";
+          FONTCONFIG_PATH = "${pkgs.fontconfig.out}/etc/fonts";
+        };
+        extraLabels = {
+          "traefik.enable" = "true";
+          "traefik.http.routers.${name}.entrypoints" = "web-secure";
+          "traefik.http.routers.${name}.rule" = "HostRegexp(`{host:.+}`) && PathRegexp(`^/(?:.*\\/)?(?:favicon(?:-[0-9]+x[0-9]+)?\\.(?:ico|png|svg)|apple-touch-icon(?:-precomposed)?\\.png|android-chrome-(?:192x192|512x512)\\.png|mstile-150x150\\.png)$`)";
+          "traefik.http.routers.${name}.priority" = priority;
+          "traefik.http.routers.${name}.tls" = "true";
+          "traefik.http.services.${name}.loadbalancer.server.port" = toString port;
+        };
+        overrides = {
+          volumes = [
+            "${configFile}:/config/config.json:ro"
+            "${serverCfg.path.config}/favicon/cache:/cache"
+            "${mediaCfg.logo.svg}:${logoSvgMount}:ro"
+          ];
+        };
+      };
+    };
+  };
+}

modules/server/containers/apps/freshrss.nix

@@ -0,0 +1,61 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let
+  version = "latest";
+  serverCfg = config.syscfg.server;
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [
+      {
+        path = "${serverCfg.path.config}/freshrss";
+        owner = "1000:1000";
+        mode = "0755";
+      }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "ghcr.io/freshrss/freshrss:${version}";
+        port = 80;
+        
+        extraEnv = {
+          CRON_MIN = "5,35";
+          TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
+          LISTEN = "80";
+          OIDC_ENABLED = "1";
+          OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
+          OIDC_REMOTE_USER_CLAIM = "preferred_username";
+          OIDC_CLIENT_ID = "freshrss";
+          OIDC_SCOPES = "openid profile";
+          OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
+        };
+
+        overrides = {
+          environmentFiles =  [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path ];
+          volumes = ["${serverCfg.path.config}/freshrss:/var/www/FreshRSS/data"];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server"; # Triggers atomic environment verification on main controller
+      envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path];
+      script = pkgs.writeShellScript "setup-freshrss" ''
+
+        RSS="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data freshrss-server"
+        $RSS ./cli/prepare.php
+        $RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \
+          --title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss_user --db-password $DB_PASSWORD --db-base freshrss_db
+        $RSS ./cli/create-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL
+        $RSS ./cli/reconfigure.php
+        # $RSS ./cli/access-permissions.sh
+        
+      '';
+    };
+  };
+}

modules/server/containers/apps/frigate.nix

@@ -0,0 +1,96 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  
+  # Ensure the package is available (Nixpkgs includes frigate)
+  frigatePkg = pkgs.frigate;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "frigate";
+    tag = frigatePkg.version;
+    contents = [ 
+      pkgs.bashInteractive 
+      frigatePkg
+      pkgs.ffmpeg # Explicitly included for video stream processing
+    ];
+    config = {
+      Entrypoint = [ "${frigatePkg}/bin/frigate" ];
+      Cmd = [ "start" ];
+      ExposedPorts = {
+        "5000/tcp" = {}; # Web UI / API
+        "8554/tcp" = {}; # RTSP Feeds
+        "8555/tcp" = {}; # WebRTC
+      };
+      Env = [
+        "FRIGATE_RTSP_PASSWORD=secret" # Base fallback, overridden by envFile/sops
+      ];
+    };
+  };
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+    paths = [
+      {
+        path = "${serverCfg.path.config}/frigate/";
+        mode = "0755";
+      }
+      {
+        path = "/var/lib/frigate/storage/";
+        mode = "0755"; # Dedicated path for heavy video recordings and media
+      }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 5000;
+        secret = name;
+        extraEnv = {
+          PLUS_API_KEY = ""; # Optional: For Frigate Plus users
+        };
+        overrides = {
+          cmd = [ ];
+          volumes = [
+            "${serverCfg.path.config}/frigate:/config"
+            "/var/lib/frigate/storage:/media/frigate"
+            "/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
+            "/dev/dri:/dev/dri"         # Passes Intel/AMD GPU for hardware video decoding
+          ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."FRIGATE_ENV".path;
+      script = pkgs.writeShellScript "setup-frigate" ''
+        mkdir -p "${serverCfg.path.config}/frigate"
+        mkdir -p "/var/lib/frigate/storage"
+        
+        # Bootstrap a standard configuration layout if missing
+        if [ ! -f "${serverCfg.path.config}/frigate/config.yml" ]; then
+          cat <<EOF > "${serverCfg.path.config}/frigate/config.yml"
+mqtt:
+  enabled: False # Set to True and define host if connecting to Home Assistant
+
+database:
+  path: /config/frigate.db
+
+cameras:
+  dummy_camera: # Replace with your actual RTSP stream details
+    enabled: false
+    ffmpeg:
+      inputs:
+        - path: rtsp://127.0.0.1:554/live
+          roles:
+            - detect
+    detect:
+      enabled: false
+EOF
+        fi
+      '';
+    };
+  };
+}

modules/server/containers/apps/gitea.nix

@@ -0,0 +1,146 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "latest";
+  serverCfg = config.syscfg.server;
+
+  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.data}/gitea";
+      owner = "1000:1000";
+      dirs = ["data" "runner"];
+      mode = "0755";
+    }];
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "gitea/gitea:${version}";
+        port = 8080;
+        secret = name;
+        
+        extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
+          GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
+          GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
+          GITEA__repository__DISABLE_STARS = "true";
+          GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
+          # GITEA__ui__THEMES = "";
+          # GITEA__ui__DEFAULT_THEME = "";
+
+          # GITEA__security__SECRET_KEY = "SECRET_ENV";
+          # GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
+          # GITEA__database__PASSWD = "SECRET_ENV";
+          # GITEA__mailer__PASSWD="SECRET_ENV";
+
+          GITEA__database__DB_TYPE = "postgres"; 
+          GITEA__database__HOST = builder.host;
+          GITEA__database__NAME = "gitea_db";
+          GITEA__database__USER = "gitea_user";
+
+
+          GITEA__mailer__ENABLED = "true";
+          GITEA__mailer__FROM = "";
+          GITEA__mailer__PROTOCOL = "smtps";
+          GITEA__mailer__SMTP_ADDR = "";
+          GITEA__mailer__SMTP_PORT = "";
+          GITEA__mailer__USER= "";
+
+          GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
+          GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
+          GITEA__server__PROTOCOL = "http";
+          GITEA__server__HTTP_PORT = "8080";
+          GITEA__server__LFS_START_SERVER = "true";
+          GITEA__security__INSTALL_LOCK = "true";
+
+        } // ( if serverCfg.containers?authentik then {
+          GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
+          GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
+          GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
+          GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
+          GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
+          GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
+          GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
+          GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
+          GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
+          GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
+          GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
+          GITEA__security__RREVERSE_PROXY_LIMIT = "1";
+          GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
+        } else {});
+        extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
+          "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik && containerCfg.extra?proxyauth) then "authentik" else "";
+          "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+          "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+          "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+        };
+
+        overrides = {
+          volumes = [
+            "${serverCfg.path.data}/gitea/data:/data"
+          ];
+          ports = [ "2222:22" ]; 
+        };
+      };
+
+      runner = builder.mkContainer {
+        image = "gitea/act_runner:${version}";
+        secret = name;
+        extraEnv = { 
+          CONFIG_FILE="/data/config.yml";
+          GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
+          GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
+        };
+
+        overrides = {
+          volumes = [
+            "${serverCfg.path.data}/gitea/runner:/data"
+            "/var/run/podman/podman.sock:/var/run/docker.sock"
+          ];
+          # ports = [ "8088:8088" ]; 
+        };
+      };
+    };
+
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."CUSTOM".path;
+      script = pkgs.writeShellScript "setup" ''
+        # Define the command wrapper
+        GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
+        GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
+
+        $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
+
+        touch ${serverCfg.path.data}/gitea/data-runner/config.yml
+
+        RUNNER_TOKEN=$($GT actions generate-runner-token)
+        $GTR register \
+          --instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
+          --token "$RUNNER_TOKEN" \
+          --name "Runner" \
+          --labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
+          --no-interactive
+
+
+        ${lib.optionalString (serverCfg.containers ? authentik) ''
+        $GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
+            --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
+            --user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
+            --user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
+            --admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
+            --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
+            --synchronize-users
+        ''}
+
+        echo "Completed Gitea Setup"
+      '';
+    };
+  };
+}

modules/server/containers/apps/handbrake.nix

@@ -0,0 +1,48 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  version = "latest";
+in {
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config}/handbrake";
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        authentik = true;
+        tmpfs = true;
+        subdomain = containerCfg.subdomain;
+        subpath = containerCfg.subpath;
+        image = "ghcr.io/jlesage/handbrake:${version}";
+        port = 5800;
+        
+        extraEnv = {
+          USER_ID = "1000";
+          GROUP_ID = "1000";
+          AUTOMATED_CONVERSION_PRESET = "Custom/AV1 MKV 1080p30";
+          AUTOMATED_CONVERSION_FORMAT = "mkv";
+          AUTOMATED_CONVERSION_OUTPUT_SUBDIR = "SAME_AS_SRC";
+        };
+        
+        overrides = {
+          volumes = [
+            "${serverCfg.path.config}/handbrake:/config:rw"
+            "${serverCfg.path.dlComplete}:/watch:rw"
+            "${serverCfg.path.dlConverted}:/output:rw"
+          ];
+         };
+      };
+    };
+
+    
+    setup = {
+      trigger = "server";
+      script = pkgs.writeShellScript "setup" ''
+          mkdir -p ${serverCfg.path.data}/handbrake/{watch,output}
+
+      '';
+    };
+  };
+}

modules/server/containers/apps/homeassistant.nix

@@ -0,0 +1,102 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "latest";
+  serverCfg = config.syscfg.server;
+  
+in {
+  runtime = {
+    vm = {
+      portForward = [ 8123 ];
+      cfg = {cfg,...}: {
+        services.home-assistant = {
+          enable = true;
+          openFirewall = true;
+          
+          extraComponents = [
+            "matter" "thread" "cast" "zha"
+            "default_config" "met" "esphome" "radio_browser"
+            "telegram_bot" "swiss_public_transport" "nextcloud" "jellyfin" 
+          ]  ++ (if containerCfg.extra ? components then containerCfg.extra.components else []);
+          
+
+          extraPackages = pp: with pp; [
+              python-telegram gtts
+          ];
+          lovelaceConfig = {};
+
+          config = {
+            homeassistant = {
+              name = "Home";
+              latitude = "${if containerCfg.extra ? latitude then toString containerCfg.extra.latitude else toString 0}";
+              longitude = "${if containerCfg.extra ? longitude then toString containerCfg.extra.longitude else toString 0}";
+              elevation = "${if containerCfg.extra ? elevation then toString containerCfg.extra.elevation else toString 0}";
+              unit_system = "metric";
+              time_zone = config.time.timeZone;
+            };
+            lovelace = { mode = "yaml"; };
+            customLovelaceModules = [];
+            
+            # default_config = {};
+            http = {
+              use_x_forwarded_for = true;
+              trusted_proxies = [ "10.0.0.0/8" "127.0.0.1" ];
+            };
+          };
+        };
+      };
+    };
+
+    containers = {
+      dummy = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "alpine:latest";
+        extraLabels = {
+          "traefik.http.services.${containerCfg.subdomain}.loadbalancer.server.url" = "http://${builder.hostIp}:8123";
+        };
+        overrides = {cmd = [ "sleep" "infinity" ];};
+      };
+    };
+
+    setup = {
+      trigger = "dummy";
+      envFile = config.sops.secrets."CUSTOM".path;
+      script = pkgs.writeShellScript "setup" ''
+
+    HASS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+    until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/manifest.json")" =~ (200|301|302) ]]; do
+      sleep 5
+    done
+    sleep 5
+
+    ONBOARDING_STATUS=$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/api/onboarding" 2>/dev/null || echo "000")
+
+    if [ "$ONBOARDING_STATUS" = "200" ]; then
+      AUTH_CODE=$( ${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/api/onboarding/users" \
+        -H "Content-Type: application/json" \
+        -d '{"client_id":"'"$HASS_URL"'","name":"'"$DEFAULT_ADMIN_USERNAME"'","username":"'"$DEFAULT_ADMIN_USERNAME"'","password":"'"$DEFAULT_ADMIN_PASSWORD"'","language":"en"}' \
+        | ${pkgs.jq}/bin/jq -r '.auth_code' )
+
+      ACCESS_TOKEN=$(${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/auth/token" \
+          -H "Content-Type: application/x-www-form-urlencoded" \
+          -d "grant_type=authorization_code&code=$AUTH_CODE&client_id=$HASS_URL" \
+      | ${pkgs.jq}/bin/jq -r '.access_token' )    
+
+      ${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/core_config" \
+          -H "Authorization: Bearer $ACCESS_TOKEN" \
+          -H "Content-Type: application/json" \
+          -d '{"time_zone":"${config.time.timeZone}"}' > /dev/null 2>&1 || true
+      # We can configure many more things above !
+
+      ${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/analytics" \
+          -H "Authorization: Bearer $ACCESS_TOKEN" \
+          -H "Content-Type: application/json" -d '{}' > /dev/null 2>&1 || true
+
+      ${pkgs.curl} -s -X POST "$HA_URL/api/onboarding/integration" \
+          -H "Authorization: Bearer $ACCESS_TOKEN" \
+          -H "Content-Type: application/json" \
+          -d '{"client_id":"'"$HASS_URL"'","redirect_uri":"'"$HASS_URL"'/?auth_callback=1"}' > /dev/null 2>&1 || true
+    fi
+      '';
+    };
+  };
+}

modules/server/containers/apps/homepage.nix

@@ -0,0 +1,291 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+    version = "latest";
+    serverCfg = config.syscfg.server;
+    mediaCfg = config.syscfg.media;
+    backgroundImage = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
+    backgroundFileName = builtins.baseNameOf (toString backgroundImage);
+    backgroundMount = "/app/public/media/${backgroundFileName}";
+
+    settings = pkgs.writers.writeYAML "settings.yaml" {
+        title = "My Self-Hosted Dashboard";
+        description = "";
+        startUrl = "https://${containerCfg.subdomain}.${serverCfg.domain}";
+        background = {
+            image = "/media/${backgroundFileName}";
+            blur = "sm"; #sm, md, xl,... 
+            # saturate = "";
+            # brightness = "";
+            # opacity = "";
+        };
+        cardBlur = "xs"; #xs, md, ...
+        # favicon = ""; 
+        theme = "dark";
+        color = "slate";
+        pwa = {
+
+        };
+        layout = {
+            Admin = {
+                style = "grid";
+                columns = 1;
+            };
+        };
+        providers = {
+            finnhub = "{{HOMEPAGE_VAR_FINNHUB}}";
+        };
+        headerStyle = "clean";
+        hideVersion = true;
+        disableUpdateCheck = true;
+        showStats = false;
+        statusStyle = "dot";
+        hideErrors = true;
+    };
+    widgets = pkgs.writers.writeYAML "widgets.yaml" [
+        {openmeteo = {
+            latitude = "47.3769";
+            longitude = "8.5417";
+            timezone = "Europe/Zurich";
+            units = "metric";
+            cache = "15";
+        };}
+        {search = {
+            provider = "custom";
+            focus = true;
+            showSearchSuggestions = true;
+            target = "_blank";
+          } // (lib.optionalAttrs (serverCfg.containers?searxng) {
+            url = "https://${serverCfg.containers.searxng.subdomain}.${serverCfg.domain}/search?q=";
+            suggestionUrl = "https://${serverCfg.containers.searxng.subdomain}.${serverCfg.domain}/autocompleter?q=";
+          });
+        }
+        {stocks = {
+            provider = "finnhub";
+            color = true;
+            cache = 15;
+            watchlist = containerCfg.extra.stocks or [];
+            
+        };}
+    ];
+
+    bookmarks = pkgs.writers.writeYAML "bookmarks.yaml" [
+        
+    ];
+    services = pkgs.writers.writeYAML "services.yaml" [
+        {Media = lib.flatten [
+            (lib.optional (serverCfg.containers?jellyfin) { 
+                Jellyfin={
+                    icon = "jellyfin.png";
+                    href = "https://${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";
+                    widget = {
+                        type="jellyfin";
+                        url = "http://jellyfin-server:8096";
+                        key = "{{HOMEPAGE_VAR_JELLYFIN_API}}";
+                    };
+                };
+            })
+            (lib.optional (serverCfg.containers?invidious) { 
+                Invidious={
+                    icon = "invidious.png";
+                    href = "https://${serverCfg.containers.invidious.subdomain}.${serverCfg.domain}";
+                };
+            })
+            (lib.optional (serverCfg.containers?miniflux) { 
+                Miniflux={
+                    icon = "miniflux.png";
+                    href = "https://${serverCfg.containers.miniflux.subdomain}.${serverCfg.domain}";
+                    widget = {
+                        type="miniflux";
+                        url = "http://miniflux-server";
+                        key = "{{HOMEPAGE_VAR_MINIFLUX_API}}";
+                    };
+                };
+            })
+        ];}
+        {Cloud = lib.flatten [
+            (lib.optional (serverCfg.containers?nextcloud) { 
+                Nextcloud={
+                    icon = "nextcloud.png";
+                    href = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
+                    widget = {
+                        type="nextcloud";
+                        url = "http://nextcloud-server:80";
+                        key = "{{HOMEPAGE_VAR_NEXTCLOUD_API}}";
+                    };
+                };
+            })
+            (lib.optional (serverCfg.containers?ethercalc) { 
+                Ethercalc={
+                    icon = "ethercalc.png";
+                    href = "https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}";
+                };
+            })
+            (lib.optional (serverCfg.containers?etherpad) { 
+                Etherpad={
+                    icon = "etherpad.png";
+                    href = "https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}";
+                };
+            })
+            (lib.optional (serverCfg.containers?immich) { 
+                immich={
+                    icon = "immich.png";
+                    href = "https://${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";
+                    widget = {
+                        type="immich";
+                        url = "http://immich-server:80";
+                        key = "{{HOMEPAGE_VAR_IMMICH_API}}";
+                        version = "2";
+                    };
+                };
+            })
+        ];}
+        {Dev = lib.flatten [
+            (lib.optional (serverCfg.containers?gitea) { 
+                Gitea={
+                    icon = "gitea.png";
+                    href = "https://${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";
+                    # widget = {
+                    #     type="gitea";
+                    #     url = "http://gitea-server:8080";
+                    #     key = "{{HOMEPAGE_VAR_GITEA_API}}";
+                    # };
+                };
+            })
+        ];}
+         {Admin = #lib.flatten [
+            #({permissions.groups = ["admin"];})
+            #({services = 
+            lib.flatten [
+            (lib.optional (serverCfg.containers?traefik) { 
+                Traefik={
+                    icon = "traefik.png";
+                    href = "https://${serverCfg.containers.traefik.subdomain}.${serverCfg.domain}";
+                    widget = {
+                        type = "traefik";
+                        url = "http://traefik-server:8080";
+                    };
+                };
+            })
+            (lib.optional (serverCfg.containers?authentik) { 
+                Authentik={
+                    icon = "authentik.png";
+                    href = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}";
+                    widget = {
+                        type = "authentik";
+                        url = "http://authentik-server:9000";
+                        key = "{{HOMEPAGE_VAR_AUTHENTIK_API}}";
+                        version = "2";
+                    };
+                };
+            })
+            (lib.optional (serverCfg.containers?umami) { 
+                Umami={
+                    icon = "umami.png";
+                    href = "https://${serverCfg.containers.umami.subdomain}.${serverCfg.domain}";
+                };
+            })
+            (lib.optional (serverCfg.containers?influx) { 
+                Influx={
+                    icon = "influx.png";
+                    href = "https://${serverCfg.containers.influx.subdomain}.${serverCfg.domain}";
+                };
+            })
+            (lib.optional (serverCfg.containers?handbrake) { 
+                Handbrake={
+                    icon = "handbrake.png";
+                    href = "https://${serverCfg.containers.handbrake.subdomain}.${serverCfg.domain}";
+                };
+            })
+            (lib.optional (serverCfg.containers?transmission) { 
+                Transmission={
+                    icon = "transmission.png";
+                    href = "https://${serverCfg.containers.transmission.subdomain}.${serverCfg.domain}/transmission";
+                    widget = {
+                        type = "transmission";
+                        url = "http://transmission-server:9091";
+                        rpcUrl = "/transmission/"; 
+                    };
+                };
+            })
+            (lib.optional (serverCfg.containers?servarr) (
+            let 
+                modules = serverCfg.containers.servarr.extra.modules or ["prowlarr" "sonarr" "radarr" "flaresolverr" ];
+            in
+            (lib.optional (builtins.elem "sonarr" modules) {
+                Sonarr={
+                    icon = "sonarr.png";
+                    href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/sonarr";
+                    widget = {
+                        type = "sonarr";
+                        url = "http://servarr-sonarr:8989";
+                        key = "{{HOMEPAGE_VAR_SONARR_API}}";
+                         
+                    };
+                };
+            }) ++ (lib.optional (builtins.elem "radarr" modules) {
+                Radarr={
+                    icon = "radarr.png";
+                    href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/radarr";
+                    widget = {
+                        type = "radarr";
+                        url = "http://servarr-radarr:8989";
+                        key = "{{HOMEPAGE_VAR_RADARR_API}}";
+                         
+                    };
+                };
+            }) ++ (lib.optional (builtins.elem "lidarr" modules) {
+                Lidarr={
+                    icon = "lidarr.png";
+                    href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/lidarr";
+                    widget = {
+                        type = "lidarr";
+                        url = "http://servarr-lidarr:8989";
+                        key = "{{HOMEPAGE_VAR_LIDARR_API}}";
+                         
+                    };
+                };
+            }) ++ (lib.optional (builtins.elem "prowlarr" modules) {
+                Prowlarr={
+                    icon = "prowlarr.png";
+                    href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/prowlarr";
+                    widget = {
+                        type = "prowlarr";
+                        url = "http://servarr-prowlarr:8989";
+                        key = "{{HOMEPAGE_VAR_PROWLARR_API}}";
+                         
+                    };
+                };
+            })
+                # Bazarr
+
+            ))
+        ];}#)];}
+    ];
+in {
+    runtime = {
+      containers = {
+        server = builder.mkContainer {
+          subdomain = containerCfg.subdomain;
+          image = "ghcr.io/gethomepage/homepage:${version}";
+          port = 3000;
+          extraEnv = { 
+              HOMEPAGE_VAR_TITLE="${serverCfg.domain}";
+              HOMEPAGE_ALLOWED_HOSTS = "${containerCfg.subdomain}.${serverCfg.domain},${builder.host}";
+          };
+          extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}.service" = "${containerCfg.subdomain}";
+          };
+          overrides = {
+              environmentFiles =  [ config.sops.secrets."CUSTOM".path ];
+              volumes = [ 
+                  "${settings}:/app/config/settings.yaml:ro"
+                  "${services}:/app/config/services.yaml:ro"
+                  "${widgets}:/app/config/widgets.yaml:ro"
+                  "${bookmarks}:/app/config/bookmarks.yaml:ro"
+                  "${backgroundImage}:${backgroundMount}:ro"
+              ];
+          };
+      };
+      };
+    };
+}

modules/server/containers/apps/immich.nix

@@ -0,0 +1,104 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  version = "v2";
+  serverCfg = config.syscfg.server;
+
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config}/immich";
+      dirs = ["cache"];
+      mode = "0750";
+    }{
+      path = "${serverCfg.path.data}/immich/";
+      dirs = ["upload" "thumbs" "encoded-video" "backups"];
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "ghcr.io/immich-app/immich-server:${version}";
+        port = 2283;
+        secret = name;
+        extraEnv = {
+          DB_HOSTNAME = builder.host;
+          REDIS_HOSTNAME = builder.host;
+          DB_USERNAME = "immich_user";
+          DB_DATABASE_NAME = "immich_db";
+          IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
+          IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
+          # IMMICH_ALLOW_SETUP = "false";
+          # IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.photo}:/data/upload"
+            "${serverCfg.path.data}/immich/backups:/data/backups"
+            "${serverCfg.path.config}/immich/thumbs:/data/thumbs"
+            "${serverCfg.path.config}/immich/encoded-video:/data/encoded-video"
+          ];
+        };
+      };
+
+      ml = builder.mkContainer {
+        image = "ghcr.io/immich-app/immich-machine-learning:${version}";
+        port = 3003;
+        overrides = {
+          volumes = [
+            "${serverCfg.path.config}/immich/cache:/cache"
+          ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."CUSTOM".path;
+      script = pkgs.writeShellScript "setup" ''
+          PSQL="${pkgs.postgresql}/bin/psql -U postgres"
+          $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
+          $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
+
+          IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+          until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
+            sleep 5
+          done
+          ${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
+            -H "Content-Type: application/json" -H "Accept: application/json" \
+            -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
+
+          IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
+          -H "Content-Type: application/json" \
+          -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
+          | ${pkgs.jq}/bin/jq -r '.accessToken')        
+
+          ${lib.optionalString (serverCfg.containers ? authentik) ''
+          ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
+          ${pkgs.jq}/bin/jq '.oauth.enabled = true | 
+                            .oauth.autoRegister = true |
+                            .oauth.autoLaunch = true |
+                            .oauth.signingAlgorithm = "RS256" |
+                            .oauth.profileSigningAlgorithm = "RS256" |
+                            .oauth.clientId = "immich" | 
+                            .oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" | 
+                            .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" | 
+                            .oauth.scope = "openid profile email" |
+                            .oauth.buttonText = "Login with SSO"' | \
+          ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
+          ''}
+
+          ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
+          ${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
+                            .storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
+          ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
+          
+      '';
+    };
+  };
+}

modules/server/containers/apps/influx.nix

@@ -0,0 +1,78 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  version = "latest";
+
+
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config}/influxdb/";
+      owner = "1500:1500";
+      mode = "0700"; 
+    }{
+      path = "${serverCfg.path.data}/influxdb/";
+      owner = "1500:1500";
+      mode = "0700"; 
+    }];
+
+    containers = {
+      # db = builder.mkContainer {
+      #   subdomain = containerCfg.subdomain;
+      #   image = "influxdata/influxdb:3.0";
+      #   port = 8181;
+      #   secret = name;
+      #   extraEnv = {
+      #     INFLUXD_DB_PATH = "/db";
+      #     INFLUXD_CONFIG_PATH = "/config";
+      #   };
+      #   overrides = {
+      #     volumes = [
+      #       "${serverCfg.path.data}/influxdb:/db:rw"
+      #       "${serverCfg.path.config}/influxdb:/config:ro"
+      #     ];
+      #   };
+      # };
+
+      server = builder.mkContainer {
+        tmpfs = true;
+        subdomain = containerCfg.subdomain;
+        image = "influxdata/influxdb3-ui:${version}";
+        port = 8080;
+        secret = name;
+        extraEnv = {
+          SESSION_SECRET_KEY = "7b0024c13ae770000f797c201e2f210b9932a689c04d34de04379faa44e88e97";
+          DATABASE_URL = "/db/sqlite.db"; 
+        };
+        overrides = {
+          ports = [ "8080:8080" ];
+          cmd = [ "--mode=admin" ]; 
+          volumes = [
+            "${serverCfg.path.data}/influxdb:/db:rw"
+            "${serverCfg.path.config}/influxdb/:/app-root/config:ro"
+          ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      script = pkgs.writeShellScript "setup" ''
+        cat > ${serverCfg.path.config}/influxdb/config.json << 'EOF'
+{
+  "DEFAULT_INFLUX_SERVER": "http://${builder.host}:8181",
+  "DEFAULT_INFLUX_DATABASE": "main",
+  "DEFAULT_API_TOKEN": "$INFLUXDB3_TOKEN",
+  "DEFAULT_SERVER_NAME": "${serverCfg.domain}"
+}
+EOF
+      chmod -R 755 ${serverCfg.path.config}/influxdb
+      '';
+    };
+  };
+}

modules/server/containers/apps/invidious.nix

@@ -0,0 +1,83 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+
+  patchedInvidious = pkgs.invidious.overrideAttrs (oldAttrs: {
+    postPatch = (oldAttrs.postPatch or "") + ''
+      cp ${../data/invidious/login.cr} src/invidious/routes/login.cr
+    '';
+  });
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.invidious.name;
+    tag = pkgs.invidious.version;
+
+    contents = [ pkgs.cacert patchedInvidious ];
+    config = {
+      Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
+      ExposedPorts = { "3000/tcp" = {}; };
+      Env = [ 
+        "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+        "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      ];
+    };
+  };
+
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config}/invidious";
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 3000;
+        secret = name;
+        extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
+          "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
+          "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+          "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+          "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+        };
+        extraEnv = {
+          INVIDIOUS_CONFIG_FILE = "/data/config.yml";
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.config}/invidious:/data:ro"
+          ];
+        };
+      };
+
+      companion = builder.mkContainer {
+        image = "quay.io/invidious/invidious-companion:latest";
+        port = 8282;
+        secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
+        extraOptions = [
+          "--cap-drop=all"
+          "--security-opt=no-new-privileges"
+        ];
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
+      script = pkgs.writeShellScript "setup" ''
+        export DB_HOST=${builder.host}
+        export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
+
+        ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.path.config}/invidious/config.yml"
+      '';
+    };
+  };
+}

modules/server/containers/apps/jellyfin.nix

@@ -0,0 +1,175 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let
+  serverCfg = config.syscfg.server;
+  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
+  nss = pkgs.dockerTools.fakeNss.override {
+    extraPasswdLines = [
+      "jellyfin:x:1000:1000:Jellyfin Daemon:/config/data:/bin/false"
+    ];
+    extraGroupLines = [
+      "jellyfin:x:1000:"
+    ];
+  };
+  image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
+    name = pkgs.jellyfin.name;
+    tag = pkgs.jellyfin.version;  
+    contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
+    config = {
+      User = "jellyfin:jellyfin"; 
+      Entrypoint = [ "${pkgs.jellyfin}/bin/jellyfin" ];
+      ExposedPorts = { "8096/tcp" = { }; };
+      Env = [ 
+        "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+        "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      ];
+    };
+  };
+in {
+  runtime = {
+    paths = [
+      {
+        path = "${serverCfg.path.config}/jellyfin/";
+        owner = "1000:1000";
+        mode = "0755";
+      }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        tmpfs = true;
+        subdomain = containerCfg.subdomain;
+        imageStream = image;
+        port = 8096;
+        extraEnv = {
+          HOME = "/config/data";
+          DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
+          JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
+          JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
+        };
+        overrides = {
+          cmd = [
+          "--datadir" "/config/data"
+          "--cachedir" "/config/cache"
+          "--configdir" "/config/config"
+          "--logdir" "/config/log" 
+          ];
+          volumes = [
+            "${serverCfg.path.film}:/media:ro" 
+            "${serverCfg.path.config}/jellyfin:/config"
+          ];
+          # If you have an Intel/AMD GPU for transcoding, add the device:
+          devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = config.sops.secrets."CUSTOM".path;
+      script = pkgs.writeShellScript "setup" ''
+        JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+        until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
+          sleep 5
+        done
+        echo "Jellyfin is up. Sleeping for 20 seconds..."
+        sleep 20
+        WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
+          ${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
+        if [ "$WIZARD_COMPLETE" = "false" ]; then
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
+            -H "Content-Type: application/json" \
+            -d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
+            echo "ERROR: Failed to set startup configuration."
+            exit 1
+          fi
+          
+          if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
+            echo "ERROR: Failed to get base user."
+            exit 1
+          fi
+
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
+            -H 'accept: */*' -H "Content-Type: application/json" \
+            -d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
+            echo "ERROR: Failed to set admin user."
+            exit 1
+          fi
+
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
+            -H "Content-Type: application/json" \
+            -d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
+            echo "ERROR: Failed to configure remote access."
+            exit 1
+          fi
+
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
+            echo "ERROR: Failed to complete wizard."
+            exit 1
+          fi
+          echo "Jellyfin initialization successfully completed!"
+        fi
+
+        ${lib.optionalString (serverCfg.containers ? authentik) ''
+        JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
+          -H "Content-Type: application/json" \
+          -H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
+          -d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
+          | ${pkgs.jq}/bin/jq -r '.AccessToken')
+
+        # Verify we got a token
+        if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
+            echo "ERROR: Authentication failed."
+            exit 1
+        fi
+        if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+            "$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
+          echo "LDAP Plugin is already installed. Skipping setup."
+        else
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
+              -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+              -H "Content-Length: 0"; then
+            echo "ERROR: LDAP Plugin Setup Failed."
+            exit 1
+          fi
+
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
+              -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+              -H "Content-Length: 0"; then
+            echo "ERROR: Server failed to accept restart command."
+            exit 1
+          fi
+          sleep 1-
+          until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
+            sleep 5
+          done
+          echo "Jellyfin is up. Sleeping for 20 seconds..."
+          sleep 20
+        fi
+
+        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
+            -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+            -H "Content-Type: application/json" -H 'accept: */*' \
+            -d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
+            "LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
+            "LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
+            "LdapSearchAttributes":"uid, cn, mail, displayName",
+            "LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
+            "EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
+            "EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
+            "LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
+            "EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
+          echo "ERROR: LDAP Plugin Setup Failed."
+          exit 1
+        fi
+        ''}
+
+        ${pkgs.sqlite}/bin/sqlite3 ${serverCfg.path.config}/jellyfin/data/data/jellyfin.db <<EOF
+INSERT OR IGNORE INTO ApiKeys (Id, AccessToken, Name, DateCreated, DateLastActivity) 
+VALUES ( 1, "$HOMEPAGE_VAR_JELLYFIN_API", 'Home', strftime('%Y-%m-%d %H:%M:%S', 'now'), strftime('%Y-%m-%d %H:%M:%S', 'now'));
+EOF
+        echo "Completed Setup"
+
+      '';
+    };
+  };
+}

modules/server/containers/apps/nextcloud.nix

@@ -0,0 +1,213 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  version = "31";
+  serverCfg = config.syscfg.server;
+  mediaCfg = config.syscfg.media;
+  backgroundImage = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
+  backgroundFileName = builtins.baseNameOf (toString backgroundImage);
+  logoPngFileName = builtins.baseNameOf (toString mediaCfg.logo.png);
+  logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
+  logoIcoFileName = builtins.baseNameOf (toString mediaCfg.logo.ico);
+  logoPngMount = "/var/www/html/theming/${logoPngFileName}";
+  logoSvgMount = "/var/www/html/theming/${logoSvgFileName}";
+  logoIcoMount = "/var/www/html/theming/${logoIcoFileName}";
+  backgroundMount = "/var/www/html/theming/${backgroundFileName}";
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config}/nextcloud";
+      owner = "33:33";
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        tmpfs = true;
+        subdomain = containerCfg.subdomain;
+        image = "nextcloud:${version}";
+        port = 80;
+        secret = name;
+        extraEnv = {
+          REDIS_HOST = builder.host;
+          POSTGRES_HOST = builder.host;
+          POSTGRES_USER = "nextcloud_user";
+          POSTGRES_DB = "nextcloud_db";
+          AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+          NEXTCLOUD_TRUSTED_DOMAINS = "${containerCfg.subdomain}.${serverCfg.domain} nextcloud-server";
+          # SMTP_HOST = serverCfg.mail.server;
+          # SMTP_NAME = "mail_user";
+          # SMTP_PASSWORD = "mail_password";
+          # MAIL_FROM_ADDRESS = "${containerCfg.subdomain}@${serverCfg.domain}";
+          # MAIL_DOMAIN = serverCfg.mail.domain;
+          TRUSTED_PROXIES = "10.10.0.0/16 192.168.0.0/16";
+          NEXTCLOUD_DATA_DIR = "/var/www/html/data";
+        };
+        extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
+          "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
+          "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
+          "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
+          "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
+          "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
+        };
+        overrides = {
+          ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
+          volumes = [
+            "${serverCfg.path.config}/nextcloud:/var/www/html"
+            "${serverCfg.path.cloud}:/var/www/html/data"
+            "${mediaCfg.logo.png}:${logoPngMount}:ro"
+            "${mediaCfg.logo.svg}:${logoSvgMount}:ro"
+            "${mediaCfg.logo.ico}:${logoIcoMount}:ro"
+            "${backgroundImage}:${backgroundMount}:ro"
+          ];
+        };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ"
+
+      echo "Waiting for Nextcloud container to start..."
+      until $OCC status > /dev/null 2>&1; do
+        sleep 2
+      done
+
+      INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
+      if [ -z "$INSTALLED" ]; then
+        echo "Running first-time setup..."
+        
+        $OCC maintenance:install \
+          --admin-user "$DEFAULT_ADMIN_USERNAME" \
+          --admin-pass "$DEFAULT_ADMIN_PASSWORD"
+      fi
+      if [ -z "$INSTALLED" ] || [ -f "/tmp/force-nextcloud-setup" ]; then
+        rm -f "/tmp/force-nextcloud-setup"
+        echo "Applying Settings..."
+        
+        $OCC config:system:set default_phone_region --value="CH"
+        $OCC config:system:set overwriteprotocol --value="https"
+        $OCC config:app:set core backgroundjobs_mode --value="cron"
+        $OCC config:system:set maintenance_window_start --type=integer --value=1
+        $OCC config:system:set default_language --value="en"
+        $OCC config:system:set default_locale --value="en_CH"
+
+        echo "Applying Apps..."
+        $OCC app:disable activity || true
+        $OCC app:disable app_api || true
+        $OCC app:disable comments || true
+        $OCC app:disable firstrunwizard || true
+        $OCC config:system:set show_first_run_wizard --type=bool --value=false
+        $OCC app:disable nextcloud_announcements || true
+        $OCC app:disable oauth2 || true
+        $OCC app:disable recommendations || true
+        $OCC app:disable sharebymail || true
+        $OCC app:disable support || true
+        $OCC app:disable survey_client || true
+        $OCC app:disable updatenotification || true
+        $OCC app:disable user_status || true
+
+        $OCC app:install calendar || true
+        $OCC app:install contacts || true
+        $OCC app:install camerarawpreviews || true
+        $OCC app:install cospend || true
+        $OCC app:install deck || true
+        $OCC app:install files_markdown || true
+        $OCC app:install forms || true
+        $OCC app:install groupfolders || true
+        $OCC app:install ownpad || true
+        $OCC app:install previewgenerator || true
+        $OCC app:install richdocuments || true
+        ${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
+        # $OCC app:install side_menu || true 
+        $OCC app:install spreed || true
+        $OCC app:install teamfolders || true
+        ${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
+
+        echo "Applying Apps Settings..."
+        $OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
+        $OCC config:app:set cospend allow_federation --value="yes"
+        
+        ${lib.optionalString (serverCfg.containers ? ethercalc) ''
+        $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
+        $OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? etherpad) ''
+        $OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
+        $OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? collabora) ''
+        $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}/"
+        $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}"
+        $OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? authentik) ''
+        $OCC saml:config:set 1 --general-idp0_display_name="authentik"
+        $OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
+        $OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}"
+        $OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/sso/binding/redirect/"
+        $OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/slo/binding/redirect/"
+        AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
+        $OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT" 
+
+        $OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
+        $OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+        $OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
+
+        $OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
+        $OCC group:add cloud || true
+        $OCC group:adduser admin $DEFAULT_ADMIN_USERNAME
+        $OCC config:app:set user_saml general-group_provisioning --value="0"
+        $OCC config:app:set user_saml general-require_provisioning_groups --value="1"
+        ''}
+        # configure side_menu ...
+        FOLDERS=$($OCC teamfolders:list --format=json)
+        ${builtins.concatStringsSep "\n" (map (name: ''
+          if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
+              $OCC teamfolders:create "${name}"
+          fi
+        '') containerCfg.extra.teamFolders or [])}
+        SERVERS=$($OCC federation:list-servers --format=json)
+        ${builtins.concatStringsSep "\n" (map (domain: ''
+          if ! echo "$SERVERS" | grep -q "${domain}"; then
+            $OCC federation:add-server "https://${domain}"
+          fi
+        '') containerCfg.extra.federatedServers or [])}
+        $OCC config:app:set systemtags allow_user_creating --value="no"
+        
+      else
+          echo "Nextcloud is already installed. Skipping setup."
+      fi
+
+      echo "Applying Theme..."
+      $OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
+      ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
+      ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
+      $OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
+      $OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
+      $OCC theming:config logo "${logoPngMount}"
+      $OCC theming:config logoheader "${logoSvgMount}"
+      $OCC theming:config favicon "${logoIcoMount}"
+      $OCC theming:config background "${backgroundMount}"
+
+      $OCC config:app:set serverinfo token --value="$HOMEPAGE_VAR_NEXTCLOUD_API"
+
+      echo "Maintenance..."
+      $OCC app:update --all
+      $OCC maintenance:repair --include-expensive --no-interaction
+      $OCC db:add-missing-indices --no-interaction
+
+      echo "Completed Setup"
+      '';
+    };
+
+    cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
+  };
+}

modules/server/containers/apps/openhab.nix

@@ -0,0 +1,77 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  version = "5.1.4"; 
+
+in {
+  runtime = {
+    paths = [
+      { path="${serverCfg.path.config}/openhab/conf";  owner="1000:1000"; mode = "0755"; }
+      { path="${serverCfg.path.config}/openhab/userdata";  owner="1000:1000"; mode = "0755"; }
+      { path="${serverCfg.path.config}/openhab/addons";  owner="1000:1000"; mode = "0755"; }
+    ];
+
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "openhab/openhab:${version}";
+        port = 8080; 
+        extraEnv = { 
+          USER_ID = "1000";
+          GROUP_ID = "1000";
+          CRYPTO_POLICY = "unlimited";
+          OPENHAB_HTTP_PORT = "8080";
+        };
+        extraOptions = [
+          "--network=host"
+          "--cap-add=NET_ADMIN"
+          "--cap-add=NET_RAW"
+          "--no-healthcheck"
+        ];
+        overrides = {
+          volumes = [ 
+            "${serverCfg.path.config}/openhab/conf:/openhab/conf"
+            "${serverCfg.path.config}/openhab/userdata:/openhab/userdata"
+            "${serverCfg.path.config}/openhab/addons:/opt/openhab/addons"
+            "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro"
+          ];
+         };
+      };
+    };
+
+    setup = {
+      trigger = "server";
+      envFile = [ config.sops.secrets."CUSTOM".path ];
+      script = pkgs.writeShellScript "setup" ''
+        # Pre-generate openHAB directories on the host
+        OHAB="${pkgs.podman}/bin/podman --events-backend=none exec openhab-server /openhab/runtime/bin/client -u openhab -p habopen"
+        sleep 20
+        exit 0
+        $OHAB openhab:users add $DEFAULT_ADMIN_USERNAME $DEFAULT_ADMIN_PASSWORD administrator 
+        $OHAB feature:list
+        $OHAB openhab:addons install persistance-mapdb
+        $OHAB openhab:addons install persistance-influxdb
+
+        $OHAB openhab:addons install ui-basic
+        $OHAB openhab:addons install automation-jsscripting
+
+        $OHAB openhab:addons install binding-telegram
+        $OHAB openhab:addons install binding-matter
+        $OHAB openhab:addons install binding-mqtt
+        $OHAB openhab:addons install binding-bluetooth
+        $OHAB openhab:addons install binding-zigbee
+        $OHAB openhab:addons install binding-chromecast
+        $OHAB openhab:addons install binding-astro
+        $OHAB openhab:addons install binding-meteoblue
+        $OHAB openhab:addons install binding-publictransportswitzerland
+
+        #IF APPLE DEVICE: HomeKit (siri/apple bridge)
+        #IF UBIQUITY NET: Unifi + UnifiProtect (net/cam bridge)
+        #IF YAMAHA+EPSON: EpsonProjector + Yamaha (projector and sound)
+        #IF BAMBULAB DEVICE: BambuLab (notify print state)
+        #IF GARDENA DEVICE: Gardena (smart watering)
+        #Extra: AndroidTV/Jellyfin (Bind with lights + more)
+      '';
+    };
+  };
+}

modules/server/containers/apps/searxng.nix

@@ -0,0 +1,87 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  version= "latest";
+  serverCfg = config.syscfg.server;
+  settings = pkgs.writeText"settings.yml" (pkgs.lib.generators.toYAML {}{
+    use_default_settings = true;
+    brand = {
+        issue_url = "";
+        docs_url = "";
+        public_instances = "";
+        wiki_url = "";
+        custom = {
+            links = {
+                "Home" = "https://${serverCfg.domain}";
+                # "Status" = "https://status.${serverCfg.domain}";
+            };
+        };
+        pwa_colors = {
+            theme_color_light = "${serverCfg.colorScheme.palette.base0C}";
+            background_color_light = "${serverCfg.colorScheme.palette.base07}";
+            theme_color_dark = "${serverCfg.colorScheme.palette.base0C}";
+            background_color_dark = "${serverCfg.colorScheme.palette.base02}";
+            theme_color_black = "${serverCfg.colorScheme.palette.base0C}";
+            background_color_black = "${serverCfg.colorScheme.palette.base01}";
+        };
+    };
+    general = {
+        debug = false;
+        instance_name = if containerCfg.extra ? instanceName then containerCfg.extra.instanceName else "SearXNG";
+        privacypolicy_url = false;
+        donation_url = false;
+        contact_url = false;
+        enable_metrics = false;
+    };
+    search = {
+        safe_search = 0;
+        autocomplete = if containerCfg.extra ? autocomplete then containerCfg.extra.autocomplete else "";
+        languages = [ "all" "en" "en-US" "ja" "de-CH" "fr-CH" "nb" ];
+    };
+    server = {
+        # secret_key = ""; SET BY ENV VAR
+    };
+    ui = {
+        default_locale = if containerCfg.extra ? defaultLocale then containerCfg.extra.defaultLocale else "en";
+        # query_in_title = "true";
+        #default_theme = "custom";
+        custom_css = "footer { display: none !important; }";
+    };
+    # categories_as_tabs = {
+    #     general = {};
+    #     images ={};
+    #     videos = {};
+    #     news = {};
+    #     files = {};
+    # };
+    plugins = {
+        "searx.plugins.infinite_scroll.SXNGPlugin".active = true;
+        "searx.plugins.tracker_url_remover.SXNGPlugin".active = true;
+    };
+  });
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "searxng/searxng:${version}";
+        port = 8080;
+        secret = name;
+        extraEnv = { 
+          SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
+          SEARXNG_PORT = "8080";
+          SEARXNG_BIND_ADDRESS = "[::]";
+          SEARXNG_PUBLIC_INSTANCE = "false";
+          SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
+          #SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
+        };
+        overrides = {
+          volumes = [ 
+              "${settings}:/etc/searxng/settings.yml"
+          ];
+         };
+      };
+    };
+  };
+}

modules/server/containers/apps/selfmark.nix

@@ -0,0 +1,90 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let
+  version = "latest";
+  serverCfg = config.syscfg.server;
+in {
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config}/selfmark/";
+      mode = "0444";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        authentik = true;
+        subdomain = containerCfg.subdomain;
+        subpath = containerCfg.subpath;
+        image = "ghcr.io/calibrain/shelfmark:${version}";
+        port = 8080;
+        
+        extraEnv = {
+          # HARDCOVER_API_KEY = ""; #FROM SOPS
+          # AA_DONATOR_KEY = ""; #FROM SOPS
+          # PROWLARR_API_KEY = ""; #FROM SOPS
+
+          FLASK_PORT = "8080";
+          PUID = "1000";
+          PGID = "1000";
+          USING_TOR = "false";
+          ONBOARDING = "false";
+          SUPPORTED_FORMATS = "epub,mobi,azw3,fb2,djvu,cbz,cbr,pdf";
+          SUPPORTED_AUDIOBOOK_FORMATS = "mp3, m4b";
+          BOOK_LANGUAGE = "en,fr"; # ,de,jp";
+          SEARCH_MODE = "universal";
+          AA_DEFAULT_SORT = "relevance";
+          METADATA_PROVIDER = "openlibrary";
+          INGEST_DIR = "/books";
+          BOOKS_OUTPUT_MODE = "/output";
+          FILE_ORGANIZATION = "organize";
+          TEMPLATE_RENAME = "{Author} - {Title} ({Year})";
+          TEMPLATE_ORGANIZE = "{Author}/{Title} ({Year})";
+          HARDLINK_TORRENTS = "false";
+          FILE_ORGANIZATION_AUDIOBOOK = "organize";
+          TEMPLATE_RENAME_AUDIOBOOK = "{Author} - {Title}";
+          TEMPLATE_ORGANIZE_AUDIOBOOK = "{Author}/{Title} ({Year})";
+
+          HARDCOVER_ENABLED = "true";
+          HARDCOVER_DEFAULT_SORT = "relevance";
+          OPENLIBRARY_ENABLED = "true";
+          OPENLIBRARY_DEFAULT_SORT = "relevance";
+          DIRECT_DOWNLOAD_ENABLED = "true";
+
+          USE_CF_BYPASS = "true";
+          AA_BASE_URL = "auto";
+          AA_MIRROR_URLS = "https://annas-archive.gl,https://annas-archive.pk,https://annas-archive.gd,";
+          LIBGEN_MIRROR_URLS = "https://libgen.li,https://libgen.vg,https://libgen.la,https://libgen.bz,https://libgen.gl";
+          ZLIB_MIRROR_URLS = "https://z-lib.sk,https://z-library.gs,https://z-lib.fm,https://z-lib.gd,https://z-lib.gl";
+          # WELIB_MIRROR_URLS = "https://welib.org"; #avoid
+        } // lib.optionalAttrs(containerCfg.subpath != null) {
+          BASE_PATH = "/${containerCfg.subpath}";
+          URL_BASE = "/${containerCfg.subpath}";
+        } // lib.optionalAttrs(serverCfg.containers?calibre) {
+          CALIBRE_WEB_URL = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}";
+        } // lib.optionalAttrs(serverCfg.containers?authentik) {
+          AUTH_METHOD = "proxy";
+          PROXY_AUTH_USER_HEADER = "X-authentik-username";
+          PROXY_AUTH_ADMIN_GROUP_HEADER = "X-authentik-groups";
+          PROXY_AUTH_ADMIN_GROUP_NAME = "admin";
+        } // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "prowlarr" serverCfg.containers.servarr.extra.modules) ({
+          PROWLARR_ENABLED = "true";
+          PROWLARR_URL = "http://servarr-prowlarr:8989";
+        } // lib.optionalAttrs(serverCfg.containers?transmission) {
+          PROWLARR_TORRENT_CLIENT = "transmission";
+          TRANSMISSION_URL = "http://transmission-server:9091";
+        }) // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "flaresolverr" serverCfg.containers.servarr.extra.modules) {
+          USING_EXTERNAL_BYPASSER = "true";
+          EXT_BYPASSER_URL = "http://servarr-flaresolverr:8191";
+          EXT_BYPASSER_PATH = "/v1";
+          EXT_BYPASSER_TIMEOUT = "60000";
+        };
+        overrides = {
+          volumes = [
+            "${serverCfg.path.dlComplete}:/books:rw"
+            "${serverCfg.path.book}:/output:rw"
+            "${serverCfg.path.config}/selfmark:/config:rw"
+           ];
+         };
+      };
+    };
+  };
+}

modules/server/containers/apps/suwayomi.nix

@@ -0,0 +1,53 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let
+  version = "stable"; 
+  serverCfg = config.syscfg.server;
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    containers = {
+      server = builder.mkContainer {
+        subdomain = containerCfg.subdomain;
+        image = "ghcr.io/suwayomi/suwayomi-server:${version}";
+        port = 4567;
+        secret = name;
+
+        extraEnv = {
+          BIND_PORT = "4567";
+          AUTH_MODE = "ui_login";
+          WEB_UI_ENABLED = "true";
+          WEB_UI_FLAVOR = "WebUI";
+          # AUTO_DOWNLOAD_CHAPTERS = true;
+          # AUTO_DOWNLOAD_EXCLUDE_UNREAD = true;
+          # AUTO_DOWNLOAD_NEW_CHAPTERS_LIMIT = 0;
+          # AUTO_DOWNLOAD_IGNORE_REUPLOADS = false;
+          # DOWNLOAD_CONVERSIONS = {};
+          # SERVE_CONVERSIONS = {};
+          # MAX_SOURCES_IN_PARALLEL = 6;
+          # UPDATE_EXCLUDE_UNREAD = true;
+          # UPDATE_EXCLUDE_STARTED = true;
+          # UPDATE_EXCLUDE_COMPLETED = true;
+          # UPDATE_INTERVAL = 12; #Hours
+          # UPDATE_MANGA_INFO = false;
+          DATABASE_TYPE = "POSTGRESQL";
+          DATABASE_URL = "postgresql://${builder.host}/suwayomi_db";
+          DATABASE_USERNAME = "suwayomi_user";
+          FLARESOLVERR_ENABLED = lib.boolToString (builtins.elem "flaresolverr" (((config.syscfg.server.containers.servarr or {}).extra or {}).modules or []));
+          FLARESOLVERR_URL = "http://servarr-flaresolverr:8191";
+          EXTENSION_REPOS = "[\"https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json\"]"; #https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json
+        };
+
+        overrides = {
+          volumes = [
+            "${serverCfg.path.manga}:/home/suwayomi/.local/share/Tachidesk/downloads"
+            # "${serverCfg.path.config}/suwayomi:/home/suwayomi/.local/share/Tachidesk"
+          ];
+        };
+      };
+    };
+  };
+}

modules/server/containers/apps/traefik.nix

@@ -0,0 +1,89 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "traefik";
+    tag = pkgs.traefik.version;
+    contents = with pkgs;[ cacert tzdata ];
+    config = {
+      Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
+      WorkingDir = "/";
+    };
+  };
+in {
+  requires.secrets = [ name ];
+
+  runtime = {
+    paths = [{
+      path="${serverCfg.path.config}/traefik";
+      owner = "1000:1000";
+      mode = "0755";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        imageStream = image;
+        subdomain = containerCfg.subdomain;
+        port = 8080;
+        secret = name;
+        extraLabels = {
+          "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
+          "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
+                  
+          "traefik.http.routers.${containerCfg.subdomain}.middlewares" =  if serverCfg.containers?authentik then "authentik" else "";
+        } // (if serverCfg.containers?authentik then {
+          "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
+          "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
+          "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
+          "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
+        } else {}) // (if serverCfg.containers?umami then {
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
+        } else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then {
+          "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
+          "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}";
+          "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}";
+        } else {});
+        extraEnv = { };
+        overrides = {
+          cmd = [ 
+            "--api"
+            "--log.level=INFO"
+            "--providers.docker=true"
+            "--global.checknewversion=false"
+            "--global.sendanonymoususage=false"
+            "--api.insecure=true"
+            "--api.dashboard=true"
+            "--providers.docker.exposedByDefault=false"
+            "--entrypoints.web.address=:80"
+            "--entrypoints.web-secure.address=:443"
+            "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
+            "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+            "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
+            "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
+          ] ++ (if serverCfg.containers ? umami  then [
+            "--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
+            "--experimental.plugins.umami-feeder.version=v1.4.1"
+            "--entrypoints.web-secure.http.middlewares=umami-global@docker"
+          ] else []) ++ (if containerCfg.extra ? provider then [
+            "--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}"
+            "--certificatesresolvers.default.acme.dnschallenge=true"
+            "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
+            "--certificatesresolvers.default.acme.storage=/custom/acme.json"
+          ] else []) ++ (if serverCfg.domain != "localhost" then [
+            "--certificatesresolvers.default.acme.httpchallenge=false"
+            "--certificatesresolvers.default.acme.tlschallenge=true"
+          ] else []);
+          ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
+          volumes = [
+            "/var/run/podman/podman.sock:/var/run/docker.sock"
+            # "${serverCfg.path.config}/traefik/access.log:/etc/traefik/access.log"
+            "${serverCfg.path.config}/traefik:/custom"
+          ];
+        };
+      };
+    };
+  };
+}

modules/server/containers/apps/transmission.nix

@@ -0,0 +1,59 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.transmission_4.name;
+    tag = pkgs.transmission_4.version;
+    contents = [ pkgs.cacert ];
+    config = {
+        Cmd = [ "${pkgs.transmission_4}/bin/transmission-daemon" "--foreground" "--config-dir" "/config" ];
+        ExposedPorts = {
+            "9091/tcp" = {};
+            "51413/tcp" = {}; "51413/udp" = {};
+        };
+    };
+  };
+in {
+  runtime = {
+    paths = [{
+        path = "${serverCfg.path.config}/transmission";
+        owner = "1000:1000";
+        mode = "0755";
+      }];
+
+    containers = {
+      server = builder.mkContainer {
+        authentik = true;
+        subdomain = containerCfg.subdomain;
+        subpath = containerCfg.subpath;
+        imageStream = image;
+        port = 9091;
+        
+        extraEnv = {
+          PUID = "1000";
+          PGID = "1000";
+          WHITELIST = "";# 127.0.0.1,::1,10.*";
+          # HOST_WHITELIST = "traefik-server,authentik-server,authentik-worker";
+        };
+
+        overrides = {
+          volumes = [
+            "${serverCfg.path.dlComplete}:/downloads/complete"
+            "${serverCfg.path.dlIncomplete}:/downloads/incomplete"
+            "${serverCfg.path.config}/transmission:/config"
+          ];
+        };
+      };
+    };
+
+
+    setup = {
+      trigger = "server";
+      envFile = [ config.sops.secrets."CUSTOM".path ];
+      script = pkgs.writeShellScript "setup" ''
+
+        ${pkgs.gettext}/bin/envsubst < "${../data/transmission/settings.json}" > "${serverCfg.path.config}/transmission/config/settings.json"
+      '';
+    };
+  };
+}

modules/server/containers/apps/trmnl.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/umami.nix

@@ -0,0 +1,54 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  
+  # Umami image built from nixpkgs
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.umami.name;
+    tag = pkgs.umami.version;
+    contents = with pkgs; [ cacert openssl ];
+    config = {
+      # Umami in nixpkgs typically provides a binary or script to start the server
+      Entrypoint = [ "${pkgs.umami}/bin/umami-server" ];
+      ExposedPorts = { "3000/tcp" = {}; };
+      Env = [ "NODE_ENV=production" ];
+    };
+  };
+in {
+  requires = {
+    secrets = [ name ];
+    databases = [ name ];
+  };
+
+  runtime = {
+    paths = [{
+      path = "${serverCfg.path.config}/umami/";
+      mode = "0444";
+    }];
+
+    containers = {
+      server = builder.mkContainer {
+        authentik = true;
+        tmpfs = true;
+        subdomain = containerCfg.subdomain;
+        image = "${pkgs.umami.name}:${pkgs.umami.version}"; 
+        imageStream = image;
+        port = 3000;
+        secret = name;
+        extraEnv = {
+          PORT = "3000";
+          # HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
+          DATABASE_TYPE = "postgresql";
+          REDIS_URL = "redis://${builder.host}";
+          CLIENT_IP_HEADER = "X-Forwarded-For";
+          BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
+          # DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
+
+        };
+        overrides = {
+          cmd = [ "start" ]; # Specific command for the umami binary
+         };
+      };
+    };
+  };
+}

modules/server/containers/builder.nix

@@ -0,0 +1,129 @@
+{ config, lib, pkgs, serverCfg }:
+let 
+  mkRouterName = { subdomain, subpath ? null }:
+    if subpath != null
+    then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
+    else subdomain;
+  getOr = attrs: path: default: lib.attrByPath path default attrs;
+  mkTmpfsOption = size: "--tmpfs=/tmp:rw,noexec,nosuid,size=${size}";
+  mkAuthentikLabels =
+    { subdomain
+    , subpath ? null
+    , routerName ? mkRouterName { inherit subdomain subpath; }
+    , middleware ? "authentik"
+    }:
+    lib.optionalAttrs (serverCfg.containers ? authentik) {
+      "traefik.http.routers.${routerName}.middlewares" = middleware;
+    };
+  contBuilder =
+    { image ? null, imageStream ? null, imageFile ? null
+    , secret ? null
+    , subdomain ? null, subpath?null, port ? null
+    , authentik ? false
+    , tmpfs ? false
+    , tmpfsSize ? "512m"
+    , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
+    , overrides ? { }
+    }:
+    let 
+      routerName = mkRouterName { inherit subdomain subpath; };
+      base = {
+      image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}" 
+              else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
+      imageStream = imageStream;
+      imageFile = imageFile;
+
+      environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
+      environment = {
+        TZ = config.time.timeZone;
+      } // extraEnv;
+
+      labels = (if subdomain!=null then ({
+        "traefik.enable" = "true";
+        "traefik.http.routers.${routerName}.entrypoints" = "web-secure";
+        "traefik.http.routers.${routerName}.rule" = if subpath != null 
+          then "Host(`${subdomain}.${serverCfg.domain}`) && PathPrefix(`/${subpath}`)"
+          else "Host(`${subdomain}.${serverCfg.domain}`)";
+        "traefik.http.routers.${routerName}.tls" = "true";
+      } // lib.optionalAttrs (port!=null) {
+        "traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
+      }) else {
+        "traefik.enable" = "false";
+      })
+      // lib.optionalAttrs authentik (mkAuthentikLabels { inherit subdomain subpath routerName; })
+      // extraLabels;
+
+      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+      ]
+      ++ lib.optional tmpfs (mkTmpfsOption tmpfsSize)
+      ++ extraOptions;
+    };
+    in lib.recursiveUpdate base overrides;
+  vmBuilder = { name, vm }: ((import "${pkgs.path}/nixos/lib/eval-config.nix" {
+      system = "x86_64-linux";
+      modules = [ vm.cfg
+        ({ config, lib, modulesPath, ... }: {
+        imports = [
+          "${modulesPath}/profiles/qemu-guest.nix"
+          "${modulesPath}/virtualisation/qemu-vm.nix"
+        ];
+        networking.hostName = name;
+        networking.useDHCP = true; 
+        networking.firewall.enable = false;
+        services.qemuGuest.enable = true;
+        system.stateVersion = "26.05"; 
+        virtualisation = {
+          memorySize = vm.memory or 2048;
+          cores = vm.cores or 2;
+          forwardPorts = let
+            parsePortString = port: {
+              from = "host";
+              host.port = port;
+              guest.port = port;
+            };
+          in if (vm ? portForward && vm.portForward != null) then map parsePortString vm.portForward else [];
+        };})
+      ];
+    }).config.system.build.vm);
+in {
+  mkContainer = contBuilder;
+  mkVm = vmBuilder;
+  mkApp = name: app:
+    {
+      inherit name;
+      requires = {
+        secrets = getOr app [ "requires" "secrets" ] [ ];
+        databases = getOr app [ "requires" "databases" ] [ ];
+      };
+      exports = {
+        authentik = {
+          blueprints = getOr app [ "exports" "authentik" "blueprints" ] [ ];
+        };
+      };
+      runtime = {
+        paths = getOr app [ "runtime" "paths" ] [ ];
+        containers = getOr app [ "runtime" "containers" ] { };
+        vm = getOr app [ "runtime" "vm" ] null;
+        cron = getOr app [ "runtime" "cron" ] [ ];
+        setup = {
+          trigger = "";
+          script = null;
+          envFile = [ ];
+        } // getOr app [ "runtime" "setup" ] { };
+      };
+    };
+  mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
+    mkdir -p $out
+    cp -r ${./data + "/${dir}"}/. $out/
+    find $out -type f | while read file; do
+      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
+        substituteInPlace "$file" --replace "@${n}@" "${toString v}"
+      '') vars)}
+    done
+  '';
+  host = "host.containers.internal"; 
+  hostIp =  if (config.virtualisation.podman.defaultNetwork.settings ? subnets) 
+    then (builtins.elemAt config.virtualisation.podman.defaultNetwork.settings.subnets 0).gateway
+    else "10.88.0.1"; 
+}

modules/server/containers/data/authentik/authentik.yaml

@@ -0,0 +1,70 @@
+version: 1
+metadata:
+  name: "Initial User Setup"
+  labels:
+    blueprint-type: core
+entries:
+  # Optionally, disable the default enrollment flow entirely
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "default-source-enrollment"
+    attrs:
+      designation: "enrollment"
+      enabled: false
+  # --- GROUPS ---
+  - model: authentik_core.group
+    identifiers:
+      name: "admin"
+    attrs:
+      is_superuser: true
+
+  - model: authentik_core.group
+    identifiers:
+      name: "cloud"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "dev"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "flix"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "family"
+    attrs:
+      is_superuser: false
+
+  # --- ADMIN USERS ---
+  - model: authentik_core.user
+    identifiers:
+      username: !Env DEFAULT_ADMIN_USERNAME
+    attrs:
+      name: !Env DEFAULT_ADMIN_USERNAME
+      email: !Env DEFAULT_ADMIN_EMAIL
+      password: !Env DEFAULT_ADMIN_PASSWORD
+      path: "users"
+      groups:
+        - !Find [authentik_core.group, [name, "admin"]]
+
+  # Disable the Initial Setup Flow
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "initial-setup"
+    attrs:
+      authentication: "require_superuser"
+      enabled: false
+
+  # Disable the default 'akadmin' if it exists
+  - model: authentik_core.user
+    identifiers:
+      username: "akadmin"
+    attrs:
+      is_active: false

modules/server/containers/data/authentik/branding.yaml

@@ -0,0 +1,13 @@
+version: 1
+metadata:
+  name: "Branding Setup"
+entries:
+  - model: authentik_brands.brand
+    identifiers:
+      domain: "@AUTHENTIK_DOMAIN@"
+    attrs:
+      domain: "@AUTHENTIK_DOMAIN@"
+      branding_title: "@AUTHENTIK_BRANDING_TITLE@"
+      branding_logo: "@AUTHENTIK_BRANDING_LOGO@"
+      branding_favicon: "@AUTHENTIK_BRANDING_FAVICON@"
+      branding_default_flow_background: "@AUTHENTIK_BRANDING_BACKGROUND@"

modules/server/containers/data/authentik/freshrss.yaml

@@ -0,0 +1,58 @@
+version: 1
+metadata:
+  name: "FreshRSS OAuth2 Provisioning"
+  labels:
+    app: freshrss
+entries:
+  - model: authentik_providers_oauth2.oauth2provider
+    identifiers:
+      name: "FreshRSS Provider"
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      authentication_flow:
+        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      client_type: "confidential"
+      client_id: "freshrss"
+
+      client_secret: !Env FRESHRSS_OAUTH_SECRET
+      access_code_validity: "minutes=5"
+      token_validity: "days=30"
+      signing_key:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+      redirect_uris:
+        - url: "https://@FRESHRSS_DOMAIN@.*"
+          matching_mode: "regex"
+      property_mappings:
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'openid'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'email'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'profile'"],
+          ]
+
+  - model: authentik_core.application
+    identifiers:
+      slug: "freshrss"
+    attrs:
+      name: "FreshRSS"
+      launch_url: "@FRESHRSS_DOMAIN@"
+      provider:
+        !Find [
+          authentik_providers_oauth2.oauth2provider,
+          [name, "FreshRSS Provider"],
+        ]

modules/server/containers/data/authentik/gitea.yaml

@@ -0,0 +1,11 @@
+version: 1
+metadata:
+  name: gitea-ldap-setup
+entries:
+  - model: authentik_core.application
+    id: gitea-app
+    identifiers:
+      slug: gitea
+    attrs:
+      name: Gitea
+      launch_url: "@GITEA_DOMAIN@"

modules/server/containers/data/authentik/homepage.yaml

@@ -0,0 +1,108 @@
+version: 1
+metadata:
+  name: "Homepage Dashboard - OIDC Provisioning"
+  labels:
+    app: homepage
+
+entries:
+  - model: authentik_providers_oauth2.scopemapping
+    identifiers:
+      name: "Homepage Custom Scope: Groups"
+    attrs:
+      scope_name: "groups"
+      description: "Pass user groups array to Homepage for conditional element rendering"
+      expression: |
+        return {
+            "groups": [group.name for group in request.user.ak_groups.all()]
+        }
+  # 1. Create the OAuth2/OIDC Provider
+  - model: authentik_providers_oauth2.oauth2provider
+    identifiers:
+      name: "Homepage Provider"
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      authentication_flow:
+        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      client_type: "confidential"
+      client_id: "homepage"
+      client_secret: !Env HOMEPAGE_VAR_OAUTH_SECRET
+      access_code_validity: "minutes=5"
+      token_validity: "days=30"
+      redirect_uris:
+        - url: "https://@HOMEPAGE_DOMAIN@/login"
+          matching_mode: "regex"
+      signing_key:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+      property_mappings:
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'openid'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'email'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'profile'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "Homepage Custom Scope: Groups"],
+          ]
+
+  # 2. Create the Application and link it to the Provider
+  - model: authentik_core.application
+    identifiers:
+      slug: homepage
+    attrs:
+      name: "Homepage"
+      launch_url: "@HOMEPAGE_DOMAIN@"
+      provider:
+        !Find [
+          authentik_providers_oauth2.oauth2provider,
+          [name, Homepage Provider],
+        ]
+      open_in_new_tab: false
+
+  # 3. Provision the static API token linked to the user account
+  - model: authentik_rbac.role
+    state: present
+    identifiers:
+      name: homepage-viewer
+    attrs:
+      permissions:
+        - authentik_core.view_user
+        - authentik_events.view_event
+
+  - model: authentik_core.user
+    state: present
+    identifiers:
+      username: homepage-svc
+    attrs:
+      roles:
+        - !Find [authentik_rbac.role, [name, "homepage-viewer"]]
+      name: Homepage Service Account
+      path: goauthentik.io/service-accounts
+      is_active: true
+      attributes:
+        goauthentik.io/user/service-account: true
+
+  - model: authentik_core.token
+    state: present
+    identifiers:
+      identifier: homepage-token
+    attrs:
+      key: !Env HOMEPAGE_VAR_AUTHENTIK_API
+      user: !Find [authentik_core.user, [username, "homepage-svc"]]
+      intent: api
+      expiring: false

modules/server/containers/data/authentik/immich.yaml

@@ -0,0 +1,62 @@
+version: 1
+metadata:
+  name: "Immich OAuth2 Provisioning"
+  labels:
+    app: immich
+entries:
+  - model: authentik_providers_oauth2.oauth2provider
+    identifiers:
+      name: "Immich Provider"
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      authentication_flow:
+        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      client_type: "confidential"
+      client_id: "immich"
+
+      client_secret: !Env IMMICH_OAUTH_SECRET
+      access_code_validity: "minutes=5"
+      token_validity: "days=30"
+      signing_key:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+      redirect_uris:
+        - url: "app.immich:///oauth-callback"
+          matching_mode: "strict"
+        - url: "https://@IMMICH_DOMAIN@/auth/login"
+          matching_mode: "regex"
+        - url: "https://@IMMICH_DOMAIN@/user-settings"
+          matching_mode: "regex"
+      property_mappings:
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'openid'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'email'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'profile'"],
+          ]
+
+  - model: authentik_core.application
+    identifiers:
+      slug: "immich"
+    attrs:
+      name: "Immich"
+      launch_url: "@IMMICH_DOMAIN@"
+      provider:
+        !Find [
+          authentik_providers_oauth2.oauth2provider,
+          [name, "Immich Provider"],
+        ]

modules/server/containers/data/authentik/jellyfin.yaml

@@ -0,0 +1,11 @@
+version: 1
+metadata:
+  name: jellyfin-ldap-setup
+entries:
+  - model: authentik_core.application
+    id: jellyfin-app
+    identifiers:
+      slug: jellyfin
+    attrs:
+      name: Jellyfin
+      launch_url: "@JELLYFIN_DOMAIN@"

modules/server/containers/data/authentik/ldap.yaml

@@ -0,0 +1,79 @@
+version: 1
+metadata:
+  name: Pre-configured LDAP Outpost
+entries:
+  - model: authentik_providers_ldap.ldapprovider
+    identifiers:
+      name: ldap-provider
+    attrs:
+      base_dn: "@AUTHENTIK_LDAP_DC_DOMAIN@"
+      search_group: null
+      authorization_flow:
+        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+
+  - model: authentik_core.user
+    state: present
+    identifiers:
+      username: "ldap-service"
+    attrs:
+      name: "LDAP Bind Service Account"
+      type: "service_account"
+      path: "goauthentik.io"
+      is_active: true
+      password: !Env DEFAULT_LDAP_PASSWORD
+      attributes:
+        ak_recovery_immutable: true
+
+  - model: authentik_core.token
+    identifiers:
+      identifier: ldap-outpost-static-token
+    attrs:
+      intent: api
+      expiring: false
+      key: !Env AUTHENTIK_TOKEN
+      user: !Find [authentik_core.user, [username, "ldap-service"]]
+
+  - model: authentik_outposts.outpost
+    identifiers:
+      name: LDAP Outpost
+    attrs:
+      type: ldap
+      providers:
+        - !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
+      token:
+        !Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
+      config:
+        log_level: info
+        authentik_host: https://sso.test.helcel.net/
+        refresh_interval: minutes=5
+        authentik_host_insecure: false
+
+  - model: authentik_rbac.role
+    state: present
+    identifiers:
+      name: "LDAP Search Role"
+    attrs:
+      permissions:
+        - "authentik_providers_ldap.search_full_directory"
+
+  - model: authentik_core.group
+    state: present
+    identifiers:
+      name: "LDAP Search Group"
+    attrs:
+      users:
+        - !Find [authentik_core.user, [username, "ldap-service"]]
+      roles:
+        - !Find [authentik_rbac.role, [name, "LDAP Search Role"]]
+
+  - model: authentik_core.application
+    id: ldap-placeholder
+    identifiers:
+      slug: ldap
+    attrs:
+      name: ldap
+      group: _
+      provider:
+        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]

modules/server/containers/data/authentik/nextcloud.yaml

@@ -0,0 +1,58 @@
+version: 1
+metadata:
+  name: nextcloud-saml-setup
+entries:
+  - model: authentik_providers_saml.samlprovider
+    identifiers:
+      name: Nextcloud SAML
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-explicit-consent],
+        ]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+
+      acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
+      audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
+      issuer: https://@AUTHENTIK_DOMAIN@
+      sp_binding: post
+      property_mappings:
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: Name"],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: Email"],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: Groups"],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: Username"],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: User ID"],
+          ]
+
+      signing_kp:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+      sign_assertion: true
+      sign_response: false
+
+  - model: authentik_core.application
+    identifiers:
+      slug: nextcloud
+    attrs:
+      name: Nextcloud
+      provider:
+        !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
+      launch_url: "@NEXTCLOUD_DOMAIN@"

modules/server/containers/data/authentik/traefik.yaml

@@ -0,0 +1,46 @@
+version: 1
+metadata:
+  name: domain-wide-proxy-setup
+entries:
+  # 1. The Provider
+  - model: authentik_providers_proxy.proxyprovider
+    identifiers:
+      name: Domain Wide Proxy
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+
+      external_host: https://@AUTHENTIK_DOMAIN@
+      cookie_domain: "@COOKIE_DOMAIN@"
+
+      mode: forward_domain
+      intercept_header_auth: true
+
+  # 2. The Application (Required to link the provider)
+  - model: authentik_core.application
+    identifiers:
+      slug: authentik-proxy
+    attrs:
+      name: "Domain Auth Provider"
+      group: _
+      provider:
+        !Find [
+          authentik_providers_proxy.proxyprovider,
+          [name, Domain Wide Proxy],
+        ]
+
+  # 3. Add to Outpost
+  - model: authentik_outposts.outpost
+    identifiers:
+      name: authentik Embedded Outpost
+    attrs:
+      providers:
+        - !Find [
+            authentik_providers_proxy.proxyprovider,
+            [name, Domain Wide Proxy],
+          ]

modules/server/containers/data/invidious/config.yml

@@ -0,0 +1,137 @@
+db:
+    user: invidious_user
+    password: $DB_PASSWORD
+    host: $DB_HOST
+    port: 5432
+    dbname: invidious_db
+
+check_tables: true
+invidious_companion:
+    - private_url: "http://invidious-companion:8282/companion"
+
+invidious_companion_key: $SERVER_SECRET_KEY
+port: 3000
+
+external_port: 443
+host_binding: 0.0.0.0
+domain: $INVIDIOUS_DOMAIN
+https_only: false
+#hsts: true
+
+## Accepted values: true, false, dash, livestreams, downloads, local
+#disable_proxy: false
+# use_innertube_for_captions: false
+
+# -----------------------------
+#  Features
+# -----------------------------
+
+popular_enabled: false
+statistics_enabled: true
+registration_enabled: true
+login_enabled: true
+captcha_enabled: false
+admins: ["$DEFAULT_ADMIN_EMAIL"]
+enable_user_notifications: false
+
+# -----------------------------
+#  Background jobs
+# -----------------------------
+
+channel_threads: 1
+#channel_refresh_interval: 30m
+
+full_refresh: false
+feed_threads: 1
+
+jobs:
+    clear_expired_items:
+        enable: true
+    refresh_channels:
+        enable: true
+    refresh_feeds:
+        enable: true
+
+# -----------------------------
+#  Miscellaneous
+# -----------------------------
+
+#banner:
+# use_pubsub_feeds: true
+
+hmac_key: $HMAC_KEY
+#dmca_content:
+#cache_annotations: false
+#modified_source_code_url: ""
+#playlist_length_limit: 500
+
+#########################################
+#
+#  Default user preferences
+#
+#########################################
+
+default_user_preferences:
+    # -----------------------------
+    #  Internationalization
+    # -----------------------------
+
+    #locale: en-US
+    #region: US
+    ## Top 3 preferred languages for video captions.
+    #captions: ["", "", ""]
+
+    # -----------------------------
+    #  Interface
+    # -----------------------------
+
+    dark_mode: "auto"
+    #thin_mode: false
+    feed_menu: ["Subscriptions", "Playlists"]
+    default_home: Subscriptions
+    #max_results: 40
+    #annotations: false
+    #annotations_subscribed: false
+    #comments: ["youtube", ""]
+    #player_style: invidious
+    #related_videos: true
+
+    # -----------------------------
+    #  Video player behavior
+    # -----------------------------
+
+    #preload: true
+    #autoplay: false
+    #continue: false
+    #continue_autoplay: true
+    #listen: false
+    #video_loop: false
+
+    # -----------------------------
+    #  Video playback settings
+    # -----------------------------
+
+    #quality: dash
+    #quality_dash: auto
+    #speed: 1.0
+    #volume: 100
+    #vr_mode: true
+    save_player_pos: true
+
+    # -----------------------------
+    #  Subscription feed
+    # -----------------------------
+
+    #latest_only: false
+    #notifications_only: false
+    unseen_only: true
+    #sort: published
+
+    # -----------------------------
+    #  Miscellaneous
+    # -----------------------------
+
+    #local: false
+    show_nick: false
+    #automatic_instance_redirect: false
+    #extend_desc: false

modules/server/containers/data/invidious/login.cr

@@ -0,0 +1,101 @@
+{% skip_file if flag?(:api_only) %}
+
+module Invidious::Routes::Login
+    def self.login_page(env)
+        locale = env.get("preferences").as(Preferences).locale
+
+        user = env.get? "user"
+        referer = get_referer(env, "/feed/subscriptions")
+        return env.redirect referer if user
+        return error_template(400, "Login has been disabled by administrator.") if !CONFIG.login_enabled
+        
+
+        if forwarded_user = env.request.headers["X-authentik-email"]? 
+            begin
+                email = forwarded_user.try &.downcase.byte_slice(0, 254)
+                
+                return error_template(401, "User ID is a required field") if email.nil? || email.empty?
+                
+                user = Invidious::Database::Users.select(email: email)
+                if user
+                    sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
+                    Invidious::Database::SessionIDs.insert(sid, email)
+                    env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
+
+                    if env.request.cookies["PREFS"]?
+                        cookie = env.request.cookies["PREFS"]
+                        cookie.expires = Time.utc(1990, 1, 1)
+                        env.response.cookies << cookie
+                    end
+                else
+                    return error_template(400, "Registration has been disabled by administrator.") if !CONFIG.registration_enabled
+
+                    sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
+                    user, sid = create_user(sid, email, "")
+
+                    if language_header = env.request.headers["Accept-Language"]?
+                        if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
+                            user.preferences.locale = language.header
+                        end
+                    end
+
+                    Invidious::Database::Users.insert(user)
+                    Invidious::Database::SessionIDs.insert(sid, email)
+
+                    view_name = "subscriptions_#{sha256(user.email)}"
+                    PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}")
+                    env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
+
+                    if env.request.cookies["PREFS"]?
+                        user.preferences = env.get("preferences").as(Preferences)
+                        Invidious::Database::Users.update_preferences(user)
+
+                        cookie = env.request.cookies["PREFS"]
+                        cookie.expires = Time.utc(1990, 1, 1)
+                        env.response.cookies << cookie
+                    end
+                end
+
+                return env.redirect referer
+            rescue ex
+                return error_template(500, "Authentication error: #{ex.message}")
+            end
+        end
+        env.redirect referer
+    end
+
+    def self.login(env)
+        referer = get_referer(env, "/feed/subscriptions")
+        env.redirect referer
+        return error_template(403, "Login post is not supported.")
+    end
+
+    def self.signout(env)
+        locale = env.get("preferences").as(Preferences).locale
+
+        user = env.get? "user"
+        sid = env.get? "sid"
+        referer = get_referer(env)
+
+        return env.redirect referer if !user
+
+        user = user.as(User)
+        sid = sid.as(String)
+        token = env.params.body["csrf_token"]?
+
+        begin
+            validate_request(token, sid, env.request, HMAC_KEY, locale)
+        rescue ex
+            return error_template(400, ex)
+        end
+
+        Invidious::Database::SessionIDs.delete(sid: sid)
+
+        env.request.cookies.each do |cookie|
+            cookie.expires = Time.utc(1990, 1, 1)
+            env.response.cookies << cookie
+        end
+
+        env.redirect referer
+    end
+end

modules/server/containers/data/transmission/settings.json

@@ -0,0 +1,70 @@
+{
+    "alt-speed-down": 50,
+    "alt-speed-enabled": false,
+    "alt-speed-time-begin": 540,
+    "alt-speed-time-day": 127,
+    "alt-speed-time-enabled": false,
+    "alt-speed-time-end": 1020,
+    "alt-speed-up": 50,
+    "bind-address-ipv4": "0.0.0.0",
+    "bind-address-ipv6": "::",
+    "blocklist-enabled": false,
+    "blocklist-url": "http://www.example.com/blocklist",
+    "cache-size-mb": 4,
+    "dht-enabled": true,
+    "download-dir": "/downloads/complete",
+    "download-queue-enabled": true,
+    "download-queue-size": 5,
+    "encryption": 1,
+    "idle-seeding-limit": 30,
+    "idle-seeding-limit-enabled": false,
+    "incomplete-dir": "/downloads/incomplete",
+    "incomplete-dir-enabled": true,
+    "lpd-enabled": false,
+    "message-level": 2,
+    "peer-congestion-algorithm": "",
+    "peer-id-ttl-hours": 6,
+    "peer-limit-global": 200,
+    "peer-limit-per-torrent": 50,
+    "peer-port": 51413,
+    "peer-port-random-high": 65535,
+    "peer-port-random-low": 49152,
+    "peer-port-random-on-start": false,
+    "peer-socket-tos": "default",
+    "pex-enabled": true,
+    "port-forwarding-enabled": true,
+    "preallocation": 1,
+    "prefetch-enabled": 1,
+    "queue-stalled-enabled": true,
+    "queue-stalled-minutes": 30,
+    "ratio-limit": 2,
+    "ratio-limit-enabled": false,
+    "rename-partial-files": true,
+    "rpc-authentication-required": false,
+    "rpc-bind-address": "0.0.0.0",
+    "rpc-enabled": true,
+    "rpc-password": "$TRANSMISSION_RPC_PASSWORD",
+    "rpc-port": 9091,
+    "rpc-url": "/transmission/",
+    "rpc-username": "",
+    "rpc-host-whitelist": "127.0.0.1",
+    "rpc-host-whitelist-enabled": false,
+    "rpc-whitelist": "127.0.0.1",
+    "rpc-whitelist-enabled": false,
+    "scrape-paused-torrents-enabled": true,
+    "script-torrent-done-enabled": false,
+    "script-torrent-done-filename": "",
+    "seed-queue-enabled": false,
+    "seed-queue-size": 10,
+    "speed-limit-down": 100,
+    "speed-limit-down-enabled": false,
+    "speed-limit-up": 100,
+    "speed-limit-up-enabled": false,
+    "start-added-torrents": true,
+    "trash-original-torrent-files": false,
+    "umask": 2,
+    "upload-slots-per-torrent": 14,
+    "utp-enabled": false,
+    "watch-dir": "/watch",
+    "watch-dir-enabled": true
+}

modules/server/containers/default.nix

@@ -0,0 +1,107 @@
+{ config, pkgs, lib, ... }:
+let
+  serverCfg = config.syscfg.server;
+  builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
+  loadApp = name: containerCfg:
+    builder.mkApp name ((import (./apps + "/${name}.nix")) {
+      inherit config pkgs lib containerCfg builder name;
+    });
+  loadedContainers = lib.mapAttrs loadApp serverCfg.containers;
+  appsList = builtins.attrValues loadedContainers;
+  concatRuntimeLists = field: lib.concatMap (app: app.runtime.${field}) appsList;
+  mkNamedUnits = mkUnit: items: lib.listToAttrs (map mkUnit items);
+  mergedContainers = lib.concatMapAttrs (appName: app:
+    lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.runtime.containers
+  ) loadedContainers;
+  allPathConfigs = map (path: {
+    inherit path;
+    mode = "0755";
+  }) (lib.unique (builtins.attrValues serverCfg.path)) ++ concatRuntimeLists "paths";
+  allSetupConfigs = map (app: ({ name = app.name; envFile = ""; } // app.runtime.setup)) appsList;
+  allCronsConfigs = concatRuntimeLists "cron";
+  allVMConfigs = builtins.filter (app: app.runtime.vm != null) appsList;
+  mkPathSetup = cfg:
+    let
+      effectiveCfg = {
+        owner = "root:root";
+        mode = "0400";
+        dirs = [];
+      } // cfg;
+    in ''
+      ${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
+      ${lib.concatMapStringsSep "\n" (dir: "${pkgs.coreutils}/bin/mkdir -p ${effectiveCfg.path}/${lib.escapeShellArg dir}") effectiveCfg.dirs}
+      ${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
+      ${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
+    '';
+in {
+  config = lib.mkMerge [{
+    syscfg.server.loadedContainers = loadedContainers;
+  } (lib.mkIf (loadedContainers != {}) {
+      virtualisation.oci-containers = {
+        backend = "podman";
+        containers = mergedContainers;
+      };
+      system.activationScripts.container-setup-dirs = {
+        deps = [ "users" "groups" ];
+        text = lib.concatStringsSep "\n" (map mkPathSetup allPathConfigs);
+      };
+
+      systemd.services = {
+        podman-gc = {
+          description = "Podman garbage collection";
+          serviceConfig.Type = "oneshot";
+          script = ''
+            ${pkgs.podman}/bin/podman container prune -f
+            ${pkgs.podman}/bin/podman image prune -f
+          '';
+          startAt = "weekly";
+        };
+      } 
+      // mkNamedUnits (e: {
+        name = "${e.name}-vm";
+        value = {
+          description = "Isolated NixOS Guest VM for ${e.name}";
+          after = [ "network-online.target" ];
+          wants = [ "network-online.target" ];
+          wantedBy = [ "multi-user.target" ];
+          environment = {
+            QEMU_VM_REG_SND = "0";
+            NIX_DISK_IMAGE = "/media/data/kvm/${e.name}-guest.qcw2";
+          };
+          serviceConfig = {
+            Type = "simple";
+            Restart = "always";
+            RestartSec = "10s";
+            ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /media/data/kvm";
+            ExecStart = ''
+              ${builder.mkVm { name = e.name; vm = e.runtime.vm; }}/bin/run-${e.name}-vm -nographic
+            '';
+          };
+        };
+      }) allVMConfigs
+       // mkNamedUnits (e: {
+        name = "${e.name}-setup";
+       value = {
+          description = "Run ${e.name} setup";
+          after = [ "podman-${e.name}-${e.trigger}.service" ];
+          wants = [ "podman-${e.name}-${e.trigger}.service" ];
+          partOf = [ "podman-${e.name}-${e.trigger}.service" ];
+          wantedBy = [ "multi-user.target" ];
+          restartTriggers = [ e.script ];
+          serviceConfig = {
+            Type = "oneshot";
+            TimeoutStartSec = "360s";
+            EnvironmentFile = e.envFile;
+            ExecStart = e.script;
+            RemainAfterExit = true;
+            User = "root";
+          };
+        };
+      }) allSetupConfigs;
+
+      services.cron = {
+        enable = true;
+        systemCronJobs = allCronsConfigs;
+      };
+  })];
+}

modules/server/database/default.nix

@@ -0,0 +1,100 @@
+
+{ config, lib, pkgs, ... }:
+let
+
+  listNames = config.syscfg.server.db;
+  containerNames = lib.concatMap (app: app.requires.databases) (builtins.attrValues config.syscfg.server.loadedContainers);
+  allApps = lib.unique (listNames ++ containerNames);
+in {
+  config = lib.mkIf ( builtins.length allApps > 0) {
+    services.postgresql = {
+      enable = true;
+      enableTCPIP = true;
+      extensions = ps: with ps; [ vectorchord pgvector ];
+      settings = {
+        listen_addresses = lib.mkForce "*"; 
+        shared_preload_libraries = "vchord";
+      };
+      authentication = pkgs.lib.mkOverride 10 ''
+         # TYPE  DATABASE        USER            ADDRESS                 METHOD
+         local   all             all                                     trust
+         host    all             all             127.0.0.1/32            trust
+         host    all             all             ::1/128                 trust
+         host    all             all             10.0.0.0/8              scram-sha-256
+         host    all             all             169.254.0.0/16          scram-sha-256
+      '';
+      ensureDatabases = map (name: "${name}_db") allApps;
+      ensureUsers = map (name: { name = "${name}_user"; }) allApps;
+    };
+    services.postgresqlBackup = {
+      enable = true;
+      location = "/var/lib/postgresql/backups";
+      startAt = "*-*-* 04:00:00"; # Runs every day at 4 AM
+      backupAll = true; # Backs up all databases and roles
+    };
+
+    services.redis.servers."main" = {
+      enable = true;
+      port = 6379;
+      bind = "*";
+      settings.protected-mode = "no";
+    };
+    
+    systemd.services.influxdb3 = {
+      description = "InfluxDB 3 Time Series Database Engine";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+        INFLUXDB3_NODE_IDENTIFIER_PREFIX = "node0";
+        INFLUXDB3_OBJECT_STORE = "file";
+        INFLUXDB3_DATA_DIR = "${config.syscfg.server.path.data}/influxdb";
+        INFLUXDB3_DB_DIR = "${config.syscfg.server.path.data}/influxdb";
+        INFLUXDB3_ENABLE_INTERNAL_DB = "true";
+      };
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.influxdb3}/bin/influxdb3 serve"; #--admin-token-file=/run/secrets/admin-token
+        Restart = "on-failure";
+        StateDirectory = "influxdb3";
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+      };
+    };
+
+#   admin-token.json=  {
+#   "token": "$INFLUXDB_TOKEN",
+#   "name": "admin",
+#   "description": "Admin token for automated deployment"
+# }
+
+
+    systemd.services.postgresql-init = {
+      description = "Custom Postgres Setup (Ownership & Passwords)";
+      after = [ "postgresql.service" ];
+      wantedBy = [ "multi-user.target" ];
+      
+      serviceConfig = {
+        Type = "oneshot";
+        User = "postgres";
+        RemainAfterExit = true;
+      };
+
+      script = ''
+        ${pkgs.coreutils}/bin/sleep 20
+        PSQL="${pkgs.postgresql}/bin/psql"
+        ${lib.concatMapStringsSep "\n" (name: ''
+          $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
+          
+          if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
+            PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
+            if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
+                echo "✅ Successfully set password for ${name}_user"
+            else
+                echo "❌ FAILED to set password for ${name}_user"
+            fi
+          fi
+        '') allApps}
+      '';
+    };
+  };
+}

modules/server/default.nix

@@ -1,15 +1,3 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:{
-let
+  imports = [ ./containers ./database ./nftables ./openssh ./sops ];
-in {
-  imports = [ ./sops ];
-  environment.systemPackages = with pkgs; [ arion ];
-  virtualisation.arion = {
-    backend = "podman-socket";
-    projects = {
-      cloud.settings = import ./docker/cloud.nix { inherit config pkgs lib; };
-      authentik.settings =
-        import ./docker/authentik.nix { inherit config pkgs lib; };
-    };
-  };
-
 }

modules/server/docker/authentik.nix

@@ -1,104 +0,0 @@
-{ config, pkgs, lib, ... }:
-let serverCfg = config.syscfg.server;
-in {
-  project.name = "authentik";
-
-  networks = {
-    internal = {
-      name = lib.mkForce "internal";
-      internal = true;
-    };
-    external = {
-      name = lib.mkForce "external";
-      internal = false;
-    };
-  };
-
-  services = {
-
-    auth_postgresql.service = {
-      image = "postgres:14-alpine";
-      container_name = "auth_postgresql";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ ];
-      environment = {
-        POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
-        POSTGRES_USER = "authentik";
-        POSTGRES_DB = "authentik";
-      };
-    };
-
-    auth_redis.service = {
-      image = "redis:alpine";
-      container_name = "auth_redis";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ ];
-      environment = { };
-      labels = { "traefik.enable" = "false"; };
-    };
-
-    auth_server.service = {
-      image = "ghcr.io/goauthentik/server:latest";
-      container_name = "auth_server";
-      restart = "unless-stopped";
-      networks = [ "internal" "external" ];
-      volumes = [
-        "${serverCfg.dataPath}/authentik/media:/media"
-        "${serverCfg.dataPath}/authentik/templates:/templates"
-      ];
-      environment = {
-        "AUTHENTIK_REDIS__HOST" = "auth_redis";
-        "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
-        "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
-        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
-        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
-        "AUTHENTIK_EMAIL__PORT" = "587";
-        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
-        "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
-        "AUTHENTIK_EMAIL__USE_TLS" = "true";
-        "AUTHENTIK_EMAIL__USE_SSL" = "false";
-        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
-        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.sso.entrypoints" = "web-secure";
-        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.sso.tls" = "true";
-        "traefik.http.services.sso.loadbalancer.server.port" = "9000";
-        "traefik.docker.network" = "external";
-      };
-      command = "server";
-      ports = [
-        "9999:9000" # host:container
-      ];
-    };
-
-    auth_worker.service = {
-      image = "ghcr.io/goauthentik/server:latest";
-      container_name = "auth_worker";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [
-        "${serverCfg.dataPath}/authentik/media:/media"
-        "${serverCfg.dataPath}/authentik/templates:/templates"
-        "/var/run/docker.sock:/var/run/docker.sock"
-      ];
-      environment = {
-        "AUTHENTIK_REDIS__HOST" = "auth_redis";
-        "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
-        "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
-        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
-      };
-      labels = { "traefik.enable" = "false"; };
-      command = "worker";
-      user = "root";
-    };
-  };
-}

modules/server/docker/cloud.nix

@@ -1,152 +0,0 @@
-{ config, pkgs, lib, ... }:
-let serverCfg = config.syscfg.server;
-in {
-  project.name = "cloud";
-
-  networks = {
-    internal = {
-      name = lib.mkForce "internal";
-      internal = true;
-    };
-    external = {
-      name = lib.mkForce "external";
-      internal = false;
-    };
-  };
-
-  services = {
-
-    cloud_nextcloud.service = {
-      image = "nextcloud:27";
-      container_name = "cloud";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [
-        "${serverCfg.configPath}/data/nextcloud:/var/www/html"
-        "${serverCfg.dataPath}/data/music:/media/music"
-        "${serverCfg.dataPath}/data/video:/media/video"
-        "${serverCfg.dataPath}/data/photo:/media/photo"
-      ];
-      tmpfs = [ "/tmp" ];
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.nextcloud.entrypoints" = "web-secure";
-        "traefik.http.routers.nextcloud.rule" =
-          "Host(`cloud.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.nextcloud.tls" = "true";
-        "traefik.http.routers.nextcloud.middlewares" =
-          "sts_headers,nextcloud-caldav";
-
-        "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
-          "true";
-        "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
-          "^https://(.*)/.well-known/(card|cal)dav";
-        "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
-          "https://$\${1}/remote.php/dav/";
-        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
-        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
-          "true";
-      };
-    };
-
-    cloud_office.service = {
-      image = "collabora/code:latest";
-      container_name = "cloud_office";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [ ];
-      environment = {
-        username = "COLLABORA_USER";
-        password = "COLLABORA_PASSWORD";
-        aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
-        server_name = "office.${serverCfg.hostDomain}";
-        VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
-        VIRTUAL_PORT = "9980";
-        VIRTUAL_PROTO = "http";
-        DONT_GEN_SSL_CERT = "true";
-        RESOLVE_TO_PROXY_IP = "true";
-        NETWORK_ACCESS = "internal";
-        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
-        dictionaries = "en fr de jp";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.collabora.entrypoints" = "web-secure";
-        "traefik.http.routers.collabora.rule" =
-          "Host(`office.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.collabora.tls" = "true";
-      };
-    };
-
-    cloud_etherpad.service = {
-      image = "etherpad/etherpad:latest";
-      container_name = "etherpad";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [
-        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
-        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
-      ];
-      environment = {
-        NODE_ENV = "production";
-        TITLE = "Helcel-Pad";
-        DB_TYPE = "mysql";
-        DB_HOST = serverCfg.dbHost;
-        DB_PORT = serverCfg.dbPort;
-        DB_NAME = "etherpad";
-        DB_USER = "ETHERPAD_DB_USER";
-        DB_PASS = "ETHERPAD_DB_PASSWORD";
-        DB_CHARSET = "utf8mb4";
-        DEFAULT_PAD_TEXT = "P A D";
-        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
-        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
-        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
-        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.etherpad.entrypoints" = "web-secure";
-        "traefik.http.routers.etherpad.rule" =
-          "Host(`pad.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.etherpad.tls" = "true";
-      };
-    };
-
-    cloud_ethercalc.service = {
-      image = "audreyt/ethercalc:latest";
-      container_name = "ethercalc";
-      restart = "unless-stopped";
-      networks = [ "external" "internal" ];
-      volumes = [
-        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
-        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
-      ];
-      environment = {
-        NODE_ENV = "production";
-        TITLE = "Helcel-Calc";
-        REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
-        REDIS_PORT_6379_TCP_PORT = "6379";
-        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
-        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.ethercalc.entrypoints" = "web-secure";
-        "traefik.http.routers.ethercalc.rule" =
-          "Host(`calc.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.ethercalc.tls" = "true";
-      };
-    };
-
-    cloud_redis.service = {
-      image = "redis:latest";
-      container_name = "ethercalc-redis";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
-      environment = { };
-      labels = { "traefik.enable" = "false"; };
-    };
-
-  };
-}

modules/server/docker/sample.nix

@@ -1,30 +0,0 @@
-{ config, pkgs, lib, ... }:
-let serverCfg = config.syscfg.server;
-in {
-  project.name = "name";
-
-  networks = {
-    internal = {
-      name = lib.mkForce "internal";
-      internal = true;
-    };
-    external = {
-      name = lib.mkForce "external";
-      internal = false;
-    };
-  };
-
-  services = {
-
-    NAME.service = {
-      image = "NAME:latest";
-      container_name = "NAME";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ ];
-      environment = { };
-      labels = { "traefik.enable" = "false"; };
-    };
-
-  };
-}

modules/server/docker/traefik.nix

@@ -1,81 +0,0 @@
-{ config, pkgs, ... }: {
-  project.name = "traefik";
-
-  networks = {
-    internal = {
-      name = lib.mkForce "internal";
-      internal = true;
-    };
-    external = {
-      name = lib.mkForce "external";
-      internal = false;
-    };
-  };
-
-  services = {
-
-    traefik.service = {
-      image = "traefik:latest";
-      container_name = "traefik";
-      restart = "unless-stopped";
-      networks = [ "internal" "external" ];
-      command = [
-        "--api"
-        "--providers.docker=true"
-        "--entrypoints.web.address=:80"
-        "--entrypoints.web-secure.address=:443"
-      ];
-      port = [ "443" "80" ];
-      volumes = [
-        "/var/run/docker.sock:/var/run/docker.sock:ro"
-        "${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
-        "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
-        "${serverCfg.configPath}/traefik/acme.json:/acme.json"
-      ];
-      environment = {
-        "INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
-      };
-      labels = { "traefik.enable" = "false"; };
-    };
-
-    matomo.service = {
-      image = "matomo:latest";
-      container_name = "matomo";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [
-        "/etc/localtime:/etc/localtime:ro"
-        "${serverCfg.configPath}/matomo:/var/www/html/config:rw"
-        "${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
-      ];
-      environment = { };
-      labels = {
-        "traefik.http.routers.matomo.rule" =
-          "Host(`matomo.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.matomo.entrypoints" = "web-secure";
-        "traefik.http.routers.matomo.tls" = "true";
-      };
-    };
-
-    searx.service = {
-      image = "searxng/searxng:latest";
-      container_name = "searx";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [ "/etc/localtime:/etc/localtime:ro" ];
-      environment = {
-        "BASE_URL" = "https://searx.${serverCfg.hostDomain}";
-        "AUTOCOMPLETE" = "true";
-        "INSTANCE_NAME" = "searx${serverCfg.shortName}";
-      };
-      labels = {
-        "traefik.http.routers.matomo.rule" =
-          "Host(`searx.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.matomo.entrypoints" = "web-secure";
-        "traefik.http.routers.matomo.tls" = "true";
-      };
-    };
-
-  };
-}
-

modules/server/nftables/default.nix

@@ -0,0 +1,41 @@
+{ config, lib, ... }:
+let
+ cfg = config.syscfg.server;
+in {
+  config = lib.mkIf (cfg.ipfw.enable) {
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+    };
+
+    networking.nftables.enable = true;
+    networking.nftables.ruleset = ''
+      table inet nat {
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept;
+          
+          ${lib.concatMapStringsSep "\n" (rule:
+            let
+              srcInt = builtins.elemAt rule 0;
+              dstAddr4 = builtins.elemAt rule 1;
+              dstAddr6 = builtins.elemAt rule 2;
+              srcPort = toString (builtins.elemAt rule 3);
+              dstPort = toString (builtins.elemAt rule 4);
+            in ''
+                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
+                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
+
+                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
+                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
+            ''
+          ) cfg.ipfw.ports}
+        }
+        
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
+        }
+      }
+    '';
+  };
+}

modules/server/openssh/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, ... }: 
+let
+  allUsers = lib.concatMap (peer: if peer.syscfg ? users then peer.syscfg.users else []) config.syscfg.peers;
+  groupedUsers = lib.groupBy (u: u.username) allUsers;
+  allowedUsernames = map (u: u.username) config.syscfg.users;
+  activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers;
+in {
+  config = lib.mkIf (config.syscfg.server.openssh) {
+    services.openssh = {
+        enable = true;
+        ports = [ 422 ];
+        settings = {
+        #Banner = "";
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+        ClientAliveInterval = 60;
+        ClientAliveCountMax = 3;
+        TCPKeepAlive = true;
+        };
+    };
+    users.users = lib.mapAttrs (name: userList: {
+        openssh.authorizedKeys.keys = lib.unique (
+        lib.concatMap (u: if u ? pubssh then [ u.pubssh ] else []) userList
+        );
+    }) activeUsers;
+    };
+}

modules/server/sops/default.nix

@@ -1,20 +1,16 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }:
-  sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
+let
-  sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
+  listNames = config.syscfg.server.db;
-    mode = "0400";
+  containerNames = lib.concatMap (app: app.requires.secrets) (builtins.attrValues config.syscfg.server.loadedContainers);
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
+  allApps = lib.unique (listNames ++ containerNames);
-    group = config.users.users.${config.syscfg.defaultUser}.group;
+in{
-  };
+    sops.secrets = {
-  sops.secrets."iriy_ssh_pub" = {
+      CUSTOM = { 
-    mode = "0444";
+        mode = "0444";
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
+        sopsFile = ./server.yaml; 
-    group = config.users.users.${config.syscfg.defaultUser}.group;
+      };
-  };
+    } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
-  sops.secrets."valinor_ssh_pub" = {
+      mode = "0444";
-    mode = "0444";
+      sopsFile = ./server.yaml;
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
+    }));
-    group = config.users.users.${config.syscfg.defaultUser}.group;
-  };
-  sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
-  sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
 }

modules/server/sops/example.server.yaml

@@ -0,0 +1,48 @@
+CUSTOM: |
+  DEFAULT_ADMIN_USERNAME=...
+  DEFAULT_ADMIN_PASSWORD=...
+  DEFAULT_ADMIN_EMAIL=...
+  DEFAULT_LDAP_PASSWORD=...
+TRAEFIK: |
+  INFOMANIAK_ACCESS_TOKEN=...
+AUTHENTIK: |
+  DB_PASSWORD=...
+  POSTGRES_PASSWORD=...
+  AUTHENTIK_SECRET_KEY=...
+  AUTHENTIK_EMAIL__PASSWORD=...
+  AUTHENTIK_TOKEN=...
+NEXTCLOUD: |
+  DB_PASSWORD=...
+  POSTGRES_PASSWORD=...
+COLLABORA: |
+  password=...
+ETHERPAD: |
+  DB_PASSWORD=...
+  DB_PASS=...
+  ADMIN_PASSWORD=...
+  APIKEY=...
+ETHERCALC: |
+  ETHERCALC_KEY=...
+GITEA: |
+  DB_PASSWORD=...
+  GITEA__database__PASSWD=...
+  GITEA__security__SECRET_KEY=...
+  GITEA__security__INTERNAL_TOKEN=...
+SEARXNG: |
+  SEARXNG_SECRET=...
+UMAMI: |
+  DB_PASSWORD=...
+  DATABASE_URL=postgresql://username:mypassword@localhost:5432/mydb
+  APP_SECRET=...
+IMMICH: |
+  DB_URL = "postgresql://immich_user:...@localhost:5432/immich_db";
+SERVARR: |
+  SONARR__AUTH__APIKEY=...
+  RADARR__AUTH__APIKEY=...
+FRESHRSS: |
+    DB_PASSWORD=...
+SUWAYOMI: |
+    DATABASE_PASSWORD=...
+    DB_PASSWORD=...
+CALIBRE: |
+    DB_PASSWORD=...

modules/server/sops/server.yaml

@@ -1,68 +1,63 @@
-INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
+CUSTOM: ENC[AES256_GCM,data:UdxcMBZVmWKoikP713KcpuiMH0OJbR+CFvJ9Os4lTfLkVb0PMOCftprLKIdVbb39Ov4O1F4cpWbVD5ypCj5PPBygQM8ce1bDNRa/M7E3VPPwZw5ZtXtkgGlPwPpuHeoVC1K8XxltxpuqdQtSNUPsDg4rYnsEaXTnpJ3YTWHliM7W1oU8okEgxdtQFvjcHFhNTTSNKHfMHd3CyOABf1J0FX55uqgXydCBbeHnge9Rbiue4FjIdewvpZatVy6mhi0ILGEEL6XAObkFrWrv9rLWM/ymd6Lb5I+xAkmYTJ7AaYfaokTey/NJ1cJ5KBftQBgQ5Wo11kfRuNrGGRZROT59vGIEaO/QUiiKndsSGE5XpRylAkHNV8SEHg2PWeI8fz/n2zVRT6Gmy+xXQTbvEhRm+LQ2hMNXVEzUq47tsPL2OXcWgNZKrhz95Ct2/OegPI7/HTdMmD3Wbqs3FlrkOMrL1W3GKCzUfV69cmXFy8llXBMyEk7Vf/+2CjOmeDuvjlFKF4Jkip/rVGB5rTB4xPToS5tCz2qksggaRXidd4lSCyI+CxZN9NdL8klMSJ0bhawxltt3xMBO7egF4KDHmxJTBvohp4HBHZXy3pJ9AXQX2aYzC+L9cjSkvto7qyuC5rD/HgX8n4YiHFR8ua72bickgZ2JKpNawVDRWdDFNyVBCQbhZfkZzyCECQ1AfNUn969TQsTzP91vEk+F2QzmoE6hYEVJ8PRg2p89TeevcTuH70qVBMT2TAtLAlkZ4gQegByo4vvjtSGlFzHy5idKTxjHM/HTLkRImCXRBj663PU7e/zse+bCzk6DfhM4JsNt8mZRRPU1cYqnzgfjz5O+IP50BUYYgmsoQhNKH22E3tUaXihvddNusfnxdq5RFgwcGTcfIVUSB3c98Q1yf2Ft896dzl9OLcRj6tsAUId2e3iJ13FhZEpm5Y+zc5CSAdOuEAya0j5FRYopMUkKJ8uC/CRXTFuSIAo4kw9/Dc05Td/IsLGVQKnL9oyWzj7p1V4J0hLc37ELF5/TShFmkCL99m50XXctupVoLOVP35O36QzFcduw8knNF9iNqrK42tTS8Jt1ZY3BR4L5Nm1TM9rMO6afGy18b1fag5Zk7pByTzGwLped7ST2qf3R3KtbK3CWXbojpnQhYHYnDVaXT0JCPhdqSRIXV+f7hFEH6AwvyCkoahBO19oL6/YizqJe51pKQqWudzVjqDhSt9Z9NsqLRfCIL+cl63LSjQjhyBXKTtxJbqqkYP6uGLULAE89WUzjP5D1oE8EspHmcpirfDyjLa6JJyLWBMGbFDAzHeOJT3AXmGXNvEYsHk28DrJ+LsWFH8MDUPFCXz2Acj8M0B1Kv8822/Xir4xw2AlnS2Y0mL6i8evQ7S2/wg0C9G/nscLZfNeFOvph+sZhQd3/5osgit38TwWPCvg6ulu9nzDjAjI8vAZ3PG/d1PgeJzoWLDmE1EDxqDlR/UFq,iv:0bnj/W2ys7bNJKfAfUmgsiXeyHdiqhRAeB3qDGU2Is0=,tag:oiZMxOk4ABhzguaZbRQZxg==,type:str]
+TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
+AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
+NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
+COLLABORA: ENC[AES256_GCM,data:cLGEziks5dyxTF1jugfpQE0l0nSkDP7MpROzCxCM94jv49sguA+d/SnY1olE8ZP9iCBnlvbMZyNR7uYo88B92Pmv8wVWfeuhHiHFIXh5aaOxntpt80UMg3Jy,iv:gmFG7C893QPuZ4rEqllAlUpNIXMcGsf9+/QCPLhWLTM=,tag:WpKHCUk6zhQRfFX2d6OPbQ==,type:str]
+ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
+ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWNWhDQlTc0ImJoK6efr2uyp3sVu3o+KlCNvUGhDOJ1you6socyTgRP0q7oLPC+Ln+bFP8gWG8v2nyEFY=,iv:YqvVjBFG/WZg1l4aMAiioOruWZ9zcTMr74DVW+1+2DQ=,tag:ePBXd4ddipJtxhFE1amfMg==,type:str]
+GITEA: ENC[AES256_GCM,data:TGsye52g8DVOk51o1dWfF6x3m6BFPe0MtUbOayxYejaYSZ4cDCfx02EPAhiL3FJGLfidZt7+WpjhVqJvFeCvJ1OXdYMQyuL3akPBCmEjmBgBhJvEjVtVgV3aNMS21gy3o0RG/MXDXOLpjHeaXn3G/XWKsv5bw+gg94bDirOguLC5eaFxddn5/UGFvfwXzDmkoNmc9zufGvVpUkRy8rju/TjOz4Q5GZk1gXWtJWdkTGhuVYVBDDHIQq9DBS0qXi8tP3FvY8prOi/c5ZbyyZjTOgNpWB9uU4HkHz4aUTMFIrPFwUeWmNMIdyUmarSQ7tDDdhBfIiLhb94jaMATHq+PfwwpCcmiTfBEG3OS/3SXPMWg6jhfUxvxsKNT2HQca31B9IRqlitaio3r6KEPBTYh2nWtFO9d5Is7TUWkGsOaV+0JSiNPNh5uD7kNyBxsKUKcND7JXMxW/TZOqARY64x6IwDrbcypsyMW5i+4Er1/0HCvZ7FBH1XkTul8vBGF5ZGD/tYp/m6Ld26GKYkj967eYIwlNFcOMGNue5PyJfFCq0qWbLWO9dFA9c2e9r81DCD8y/0S3Ts7X7TkXVGShm7JoMqb8dzg9i6CoNlmbPAM5GwoNV3ftQugvqEGMk5UIvf05YsgSNvq4UJbhsT4bZqpV0plnxYD5TswCGF/XQ3nwwFTudmf1OLcgYwM2NckbVui128o1Rw=,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str]
+SEARXNG: ENC[AES256_GCM,data:gtKhEmMemzLRl4c3cYhMAQ+5vUth1IhWQeLvW1YtaG5TbhQHBR4PDREQOlGt+tlfGQrft+FeNhMSN/SKOp8gmScVWa+9qmltzxRGRpLm3m/VuBZvOlGdeUcKAX8zEH6A,iv:B2UEtjTRIjT6W+tH2gtcl6XMvZNgbvZUXTiBePGOu24=,tag:SHIF6eaWBLwy9RrEy1N9kg==,type:str]
+UMAMI: ENC[AES256_GCM,data:onB/uXLajaRLmeQMGNHFsjREzPih9ha+cogGRw+nRomERSRrbBv+6gCqEr8F3Dcm818JB4jGRYKoIYG8Jl6gMDaz5QQiA4qAnbG19LuzVeVUgz4NGEgXBULoT/0sQacnyAPIfPEp+ESWRQH81nO6Qcs+rICpS2Xfeye5hb+8rSAxmLpY991AJ3+avGyMwPcpfNCkixWt68KuG5ZN/IGDksM/sSLGgyMisClbEdhigq4mwibOxpiWjcKk/17xYgY6Xz93h/yloHKZIZZpnyA+85YC6oNWgCPhkGIAVu3dGshp10a0nk1A2INm6vxNPbfUjYLkt3zDAPZtoBRCqUs+43Eh62hYgajgWCQJhjJkDgF4Y1ifGfDerIXs/cDpIKLt2+7VqM6/ouqIDPJ7khSAr+8bcHU4CKDtsDagob5PpCG4ABt44cg9cGw=,iv:HD450JZuWn2+V0pvOsDHy9oVAanFMf1el9LA1z0PULY=,tag:p7Vl7dtM8UdAUNgmdG+7cg==,type:str]
+IMMICH: ENC[AES256_GCM,data:1y78yeawkRjUXLWPyFdMB5HCDQhb1PoxEMfHmKSZfv0CWloOrQWT735dlH+W9yC6ljZjqVD9Fwq/9GqqKQMTFMCpr8wVRwSHEuqmaG3UgKzbLA3aWZ1SIB0AiJi+eUunzHj2vikUJx9dMRjC+iNXrsVWh2HqMrOyFCWetZoIfxNiAgsgNKPgYYsHLv6OAZs9XT7V3veqe0zc0nyw7ghWSXne/yNhQESyyGlMAdagrJRNimvXIp/AoAUKl2WUJm2MBl7lb6K1YeJ1XW8OjAHzV8isBiUwU8ZD81VJog0fgTGjbUa+HO7jEo+9YwmDIMx3f5z9N4A=,iv:pboITW2rr7+w8VNZM6uYMMEFZ1S/JtqjNOVthpYJ2tQ=,tag:0dgrJ191sB4MLJHMoQBlCg==,type:str]
+INVIDIOUS: ENC[AES256_GCM,data:ZfgU5UFMmG9Cx9UaR0xnKr9VPebG3kut0difTFZmoqOSs+stG6YJfV82OOhj1RQLVJlPr/scydYy1+3LytwvP1BT7tLe0jII7XupbkL0w3n79KBaiIzAPdicqLxeqjKH45I0NjHra4djdnO2Ff4T8CTiFDlPn1rMuiw=,iv:UaDmOKJ4bFPGCaIePLXkWot9E6sTu2nhaVs83sI38G0=,tag:spTjxWEmLfPc8BZl2GglBA==,type:str]
+SERVARR: ENC[AES256_GCM,data:757WdthmToCGr2boph7iW1ycs3tQyGgD3lhYOcX/X3hjs9dLLPCWGI2zt5axp72IGJ/sVYEop2rqsRLxdPn3VIyQLvQ+3MYdo8Z/yOuMy7DAlnITQQQUI2ylZKHVmFAt39/xBpwsVjh3m/hBQvn/LbCDtR2s4qa+8fQDfeZXksTtnf7YZbVygTF7jWZ+0oVvkvNO1ZUejvP+uHL+jHwgMEwQnR22hOYWEKZ1s7PI+EZHujqyOhnwXB4jRG+XD7R4N6AhC5Z+nmkFpy3ffszCJ0/H,iv:NrNbkL6GWN4r+uzxNYrhoECD1APbRsRBcMBbVHD3DwM=,tag:YK1O50wV+lHAQa6TX9huUw==,type:str]
+INFLUX: ENC[AES256_GCM,data:woaZ/8zWRFtuO6U3HQ==,iv:iLo33tykE6oQW2jUNVGtR/JwrZbs9Fe1fFQ5/LnvaRY=,tag:6UDOU0JJgR7eyQ0hL8j5Qw==,type:str]
+FRESHRSS: ENC[AES256_GCM,data:M5C76yVyi0Uw28FWj+IvQJbP1hdxxBGWfp30egjlv8Eu4tSZjHyfni+OLwgziDeQQyvRbn2OHwKtztEu4N2C7iU0UaotB0jCOc2BKuwfSWrxWfmkTDrY1YBfbGgLWEKQ1ddafI/Dn99n4HFbGpMZ8Fbe+sRKKGgpAPj9bMkUjoP3eXw4HUWhu84b6LWu3x8DwArhNDOkHJnDL+Rlif7hILg7+eI/IUB0XakKCMIKHZn9djk4yjgXMQGF5EFRlPVWgQ==,iv:2Kb916TksnVhby/GORx9nzir6A7GiRNL9S0wrbc8yDQ=,tag:v2Nhj61qd4f/YV1HcF0v5Q==,type:str]
+SUWAYOMI: ENC[AES256_GCM,data:xVzuIWdEZLeFtkVew/Jbt0U+ouOjA+U/flhSAsWHPQHWgp7+6uvdBYIxcyQ+firHAu9qcAO/HahDgnr0lhcQx/n5XgEhCchiGxCNBcAi/AD+FE9/PgSJf2DvjCp0ckCWvPChGsy+TD8uNi1bg0lqSrbDExRS28f3FVPrbrJJ1vj/V9Gk4PABg/UcdvycgCpf266aFMMzNuPJGyaRuQEnyFNvQgs53R7t9D9hC9GSc4MkEGt7g0GeX1MTRTzjjISgCdzZxjUiJGSuFTBemQggcWOAJNdYFq1vuh5X3zBvlF+zz75g3cin9S58CQ==,iv:/zlNBdu5SuzC8+t4zOYVga3hLWnxlNUALi6BS4MjNog=,tag:DfeC0X7uX9/qhltFl2D2hg==,type:str]
+CALIBRE: ENC[AES256_GCM,data:Uxz/5H4q/ugmW49a6oIQsG450w+SS1H58gOMXDVX/JQ8OCGxWQ8DRNmSGBZLgGsJ9UA1rxYRS4+pDuDL+iQsNVOmZzFRAuWJwUhEiF72B/Ah0IyXpnPIups8S2Nq,iv:rK274zWuvguY/DPHXxG174j+Ne11SB7ZCQLxO6Tvvg4=,tag:7wJyt94jRvRCZxgHWotzVA==,type:str]
+SELFMARK: ENC[AES256_GCM,data:YDCfMay/SxmJxQcVPvXJe7h/BGjOjVZLU4eJ3+t6z4EDqUueNzmBPWtF1hrNJCC2XlZFlD+PmCyoo8tzuPiig4Uxwf4Gos15Skddx8Jt4/PKjR3AW0z0U8kAtXmByBAAa/nLEVwTkyRybYTXcd36SlqyTrbVfDLkIQW0yiqp93Fh40gWTV3u/gz2ZeLit12o3LNnm7Zne7y8w7iAO2vm2L5h2W8R+9B8oW1MSweclKgDlMieNh+pmxexnNdvGX5jAgaOM2xSUC8Z/PcgSCAYwNVe0CYsHPypES/miS3XrVs4E/YIaMGaTi7lTS+zxy9x8F17O/MVHoy7yuzjQYBZ1w+PmMOYv+Wc1mVJswAHMfvZE6EUFL/P7Qy2T+c19cowphZTuuGZMaIqjeWfn4ZHPlVhWEdamk3dhyqA2I2g1X5cANP1FV73FJC/3gTqKXkkp9wcWqN59gAHmUzn2D5Mhmvx2UkTbyUyNxR71VdpSN4szYifmEdp56KQVpjrw4dSst97sWCzI6nrDn4P9J3TrTpCFJM2PSbyF23NIVuPCx2pdqTdjCr1IX+9v1qLKOcbIZq/S3ldQ6E2PZnvIA6faoE5SO5uy8qUwct54Jc+p6WTNFRMzfbFs31xVgiiR3Y5HsTc3Ee2ePhu1ggvCa8o4CW9zqO5jqFX38C8n0jYhc31AlVui0hswECHBgDqFQ3pZS10Fx4heYjnfJRTB8OrE0/lf0QYgMqLcWJyxJqwutoa5uaQxiq1QV3beyj8Yv0/kSEqrWvItvZaM2MCkmBjxDtfBqx1zIZ3Lm2xYJmOLB/SgYYWi+0d9yS2Dhe8mpOr2/xMsgdUUz2YbCX5YfA=,iv:nohcihzxdZORTKrrYnupqts4REcyioqlfFhQOM9K/H8=,tag:2sPes1v7LfvIj0hC/tKClw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZk1VY3NEZmRkS0J6dU03
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rzc3ak4vRVZiNWxNZEN3
-            OUtETWpHL2hLN09kRytNUEhmVnA5WW9yVXlNCmZaZnQ2YUlMMmlrZ2dEZDVFMHA5
+            N21rSjZqUm9XVWF5TUxNTXVybEMzNCtod0NnClNjODB6VWhzU1VHeVdlZ3hEaE5D
-            OUpqOTJJbHVVREtpSFUyaDJDbXltaTgKLS0tIFY0ZkF3Ym5oeHViN3J4eW4vSVYz
+            MW9WWWYvYmt5TmNzMzNudDhLSW12RnMKLS0tIDdjc2ZOK3QxaTFJMFdpTHFzcklr
-            QkhuU0NLWElyVXpZd2ZpOHhwam04R28KFuaI35e8pB25M2dlP19gApso12ZYJ3ld
+            clZnQXpPbWs5aXZJeUlxOWhJNmIrOFkKZfZ19Y4yfCJi1GrxLsv76JyBmuxW/glF
-            BpMnp97ShX0I8bZRIYxSHpSrB/J+tt1V4pfGdJq7uWZM7XacPy666A==
+            BCJCvmdSSOJx5JW26Y3Y3LwiIuL8yboKR+8ZAwU2fG5OQfs+2czFdQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
+        - recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZXNjRzJsdFpTdDZhSkRB
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cEpsb2gvbDJ0aG5BRWNS
-            eW1qSStnZHN5Tzh3bFA1azZIRk42V1RzSTJJCi9MV0k5ZXNQOWJFYnlXdnB3azBL
+            WXgydFo3ZkF3SmVIU1EvaHVjb3RvK3BxVDJrCis2ME9zUEVGQURFdmJXS2lTSklk
-            NzNldkFLWlEyT01MeWlFU3RKODU4dWcKLS0tIFJXL1ZsNDgydTgxVGRMYWxyQTNT
+            V3ZONHpTZVJqMUxOVkd5ZDlqVTRNdzgKLS0tIGwwR0k1Vll6bEdmZVZvVktzMTRN
-            K1M0TDd1eGd1V3pOcjl1M1VrdDUvbG8KpsWlrr14MOh/8mG+rXpswPPFE3VnpKGt
+            S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
-            03DWUII3+MMEWLJPLxkNJ9BzCm4Kl1QNHSbJ7Ex6df0b7nB6Ed6Hvw==
+            d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+    lastmodified: "2026-06-02T17:28:48Z"
-          enc: |
+    mac: ENC[AES256_GCM,data:vJbMJ/VsetyhQHEQH6eBLp9MA5OMkARSkXW73nWNtJ3wSA/EWJgyb4LGj316W2zdwlE/KatSdzrQgITNCkpIwIdzSLrl+4xDP1qW0F7eJFR9fpEqvj0pfH9Sszh7izOEiHaMwMJo0rw5d6sMTFyDcuOOAn9Q/mzc5zd/VX6AmtA=,iv:ZR2nPyZMu3Rb1GXNvuRxazox7FB2fWobFexSwhVuYQQ=,tag:xoJZ2xMkWRC86G2w5291fg==,type:str]
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5U1VjTjlIMTdLRFQ5R1Av
-            SVBLMFZtV3ppK2VXWjdYelNGTGFOZUJaMndBCjYyZ0IveXFiVDlSUEtNOXk2L3g3
-            UmFIRE1GMEs2QVhUcFJkTHpCWmhhbG8KLS0tIG94NStMUnFZRTRsK2w4cDd4Rms5
-            M1MwTEtJNEFDdjRLVFRseThxNGJUQ0kKKN7QX9qUojNQBknbInaXslaKsAAhEj5y
-            QMXAU6TxlHMv+wZy2RQwMe/zE7RP24TypnX894iV0usTHujyxvfk3w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUHFYMWdVczRPdEFSbFR5
-            VmcxeEU4YWxwRTlDUkRkNVY0dFh5cjVUNjNnCkRSblNaS214dkdrd3JnNE5rZnR3
-            S0JVeXova1h2VnB2ODY0SUYxZm45TjAKLS0tIFN1QXFyTkt3SmV0UVhGMlMxTmpN
-            VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq
-            VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T16:05:46Z"
-    mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str]
     pgp:
-        - created_at: "2024-05-08T15:46:52Z"
+        - created_at: "2026-05-05T23:46:27Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA6R3Y9nD7qMBAQ//bYK5gdxv8fNvG6P4GrD27gQRQXhLGF2+hS54sqEqjeN8
+            hQIMA6R3Y9nD7qMBAQ/+JdTDmQhL1+iX7yeyGs1kt9yQeMYkJ+bQD3LqlQVh6Xea
-            NZpHVbNNRR3AggOkT7QY1JO8bOhWscefH1vvBmBuODzh5Fw42t4zNPEDjWZEetxa
+            yPIdcMBjAf1CNlkJKeJ4QK3f8rsZkxHmUFVDz7yCXctsp81hNBMZ0sauBM50OU4W
-            rClbLEvo7Kz8UKCNb9JIeYx7cr8sPWCmg4GvV1wGjhjr+u5ovuheORnHl+qoLsqv
+            gQsDailZHgG5qCqKx91qSyVLtzVy4zcoTXy8TWLrSwztCt9qqX9LFZTKyZzNTiHW
-            P12PV7VzwC52v92GWiu9LRJqfqZra5GjUXGVXzBcZ9i6CnUDejzssWjhO/fmzKum
+            DHYSwaJdTteXY89pZjPAQ6UtIdoVWaVfvCgaSZAxr3K8IJmobvMhhk/Fgm3CoE6Y
-            GbGIi9sf3RmVYsUASDgRBmVAZC3KF7RLi0L6WY0etRocAaWSAgnU1lZ04E8ZtLjk
+            mfQd4lQhoqxrn2M/FKc30vg0yKVsiW3qlfnJCVHCxYUtQLVs3cF05lmj7CYy+0Mu
-            DlCtIpreJ1H0Ym+5EXB94PG0KZjayxKc20YDQ+yYwwSmiCVaUCLlYX2BOoncUYFF
+            7eZlfVj84hCLmd4ccOITkrOTqcBKWKQ5EpE8DGvWlLPEZt407MjaphEJ7dYhkfr/
-            MxVgWYwn14R5jyGbh4NyiBxPGHvIUx5RCIo70pMgS6W5ALZYTcNDLF82mj1xTOTy
+            x4HrahZoeVbYX2Va0++picut+cE/NL9F/QMfqP4QhdHQhe74FlQcxpGDtcUIQep5
-            bcuaa7FCuXJif457LCe5TcAa5WYDgKX8pUKzFRhWIckcGwgFCUB0Z7+L9L7F0yt/
+            8MvbEAhUpGL4sErg6afmIapxXi3euIXcBDYPatgoAlsH7E8rUTX1Sd4VOgV89kEJ
-            YZd71cY0Lxlwi61CnWgZZMx2FFpHyBCEmF1A180KUtB1jSkS/AVmlM2z9I0QsR62
+            pkl4OOwcaiF+brqtDiTGZf5l6AOugiYTp2Rtq9KMcGEGEmXFLcFKVjNEkZIxNxt3
-            fTFIaqimPMjUzbuTs0QjUXf8OJZo0/cwo9XeGyCBtJTg7cLdsOFouqfvXhvkdCrR
+            EtrXrNmOCVJm71yOn2ruD9n2EXzFULfeyOhup7eYVfynkEWYlCQNHeaqMy2q656m
-            xCLE2Ke5jwmoPKs1t+YpwMMzB57j/rluZCgiz45w7YDXKf4gEp2ra9siFiC/y9PS
+            LWVd89AUzWLcsmY8naWpfekU9K//hLHxRLBzqfouYXJ+Ji/HOvfRj7NZBg6UtgfS
-            XgEPymUiDZY0w9S5oGr94cNc6LQId16Zgt1vWHLzgg8QZqkxLTBjUXXc7aoCISQp
+            XgFOJg3EaLAZEyvEZKWpnWlf3gBTRK3ffaLzs+eddSgzYUutzlOYUZb7v3iEdjta
-            AwUE62KJucVvWjB3kcgDbNvaDWWC5O48zUavmzkmmP1sqKf0gO/XG52PDG/DF3Y=
+            4Ik4F1M+kOGieyVxxLHOHMrOn09+WMmFIiPpBtCIcZmtwOzXNdhbZdFWNx5qPhU=
-            =cs0r
+            =wXdG
             -----END PGP MESSAGE-----
           fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.12.1

modules/shared/colors/default.nix

@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ ... }: {
   imports = [ ./sorahiro.nix ];
 
   colorScheme.palette.border-radius = "#8";

modules/shared/colors/sorahiro.nix

@@ -1,4 +1,4 @@
-{ nix-colors, ... }: 
+{ ... }: 
 let use_pastelle = true;
 in{
   # usage:  a = "#${config.colorScheme.palette.base00}";