Merge pull request 'Lock file maintenance' (#278 ) from renovate/lock-file-maintenance into main

Lock file maintenance
Merge pull request 'Lock file maintenance' (#277 ) from renovate/lock-file-maintenance into main
2026-05-24 04:07:46 +02:00 · 2026-05-24 02:07:43 +00:00 · 2026-05-23 04:04:16 +02:00 · 2026-05-23 02:04:14 +00:00 · 2026-05-17 04:04:25 +02:00 · 2026-05-17 02:04:18 +00:00
44 changed files with 452 additions and 1298 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,3 @@ result
 age-key.txt
 .decrypted~common.yaml
 .decrypted*
-.tmp
--- a/flake.lock
+++ b/flake.lock
@@ -45,11 +45,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777780666,
-        "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
+        "lastModified": 1779036909,
+        "narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
+        "rev": "56c666e108467d87d13508936aade6d567f2a501",
        "type": "github"
      },
      "original": {
@@ -103,11 +103,11 @@
    },
    "hardware": {
      "locked": {
-        "lastModified": 1778143761,
-        "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
+        "lastModified": 1779258371,
+        "narHash": "sha256-j1iZsLy6oFApqR1oiDmHhvkwxXqcNi0aoSJj643LuwU=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
+        "rev": "c97bc4d15bd3473dd095e8e8ba57330ab1943a77",
        "type": "github"
      },
      "original": {
@@ -139,11 +139,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777851538,
-        "narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
+        "lastModified": 1779506708,
+        "narHash": "sha256-QOD/CNm196nCJRheux/URi4/HE66fthdOMqCJoPP1Y0=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
+        "rev": "3ee51fbdac8c8bdfe1e7e1fcaba6520a563f394f",
        "type": "github"
      },
      "original": {
@@ -174,11 +174,11 @@
    },
    "nixUnstable": {
      "locked": {
-        "lastModified": 1778274207,
-        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
+        "lastModified": 1779536132,
+        "narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
+        "rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456",
        "type": "github"
      },
      "original": {
@@ -190,11 +190,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1778003029,
-        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
+        "lastModified": 1779102034,
+        "narHash": "sha256-vZJZjLo513IeI8hjzHFc6TDezUd4uCE2Eq4SNO3DNNg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
+        "rev": "687f05a9184cad4eaf905c48b63649e3a86f5433",
        "type": "github"
      },
      "original": {
@@ -221,11 +221,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1777954456,
-        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "lastModified": 1779508470,
+        "narHash": "sha256-Ap9KJX+5xHIn3bPIpfNgT6MEXdAECECwo4/rmlQD74M=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "rev": "29916453413845e54a65b8a1cf996842300cd299",
        "type": "github"
      },
      "original": {
@@ -241,11 +241,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1778376280,
-        "narHash": "sha256-pL2F2FF2FN7zWr5o/vG7GiYOSjp+DUNyPIYqNaLQFFs=",
+        "lastModified": 1779586422,
+        "narHash": "sha256-gQkg/IFgLNmcfm8/IzlkxzRQche90YB+6ziTTuXcjSM=",
        "owner": "nix-community",
        "repo": "nur",
-        "rev": "828688994167eb57628c98fd1d7e1223b079cda1",
+        "rev": "72d24686031cfcc123c1511836df64e6fde27453",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -17,11 +17,19 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    # hyprland = {
+    #   url = "github:hyprwm/Hyprland";
+    #   inputs.nixpkgs.follows = "nixpkgs";
+    # };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-colors.url = "github:misterio77/nix-colors";
+
+    arion.url = "github:hercules-ci/arion";
+    arion.inputs.nixpkgs.follows = "nixpkgs";
+
  };

  outputs = inputs:
--- a/generator.nix
+++ b/generator.nix
@@ -13,6 +13,7 @@
          ./modules/nixos
          syscfg
          ./systems/${host}
+          inputs.arion.nixosModules.arion
          inputs.sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.home-manager
          {
--- a/modules/nixos/system/hw/virt/default.nix
+++ b/modules/nixos/system/hw/virt/default.nix
@@ -18,6 +18,5 @@
        };
      };
    };
-    virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
  };
 }
--- a/modules/nixos/system/network/base/default.nix
+++ b/modules/nixos/system/network/base/default.nix
@@ -7,13 +7,11 @@
    firewall = { 
      enable = true;
      allowedUDPPorts = 
-        (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++ 
-        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
+        (if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++ 
        [ ];

      allowedTCPPorts = 
-        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
-        (if (config.syscfg.server != false) then [ 5432 6379 ] else [ ]) ++ 
+        (if config.syscfg.server ? web       then [ 80 443 22 ] else [ ]) ++ 
        [ ];
    };
  };
--- a/modules/server/containers/apps/.todo.md
+++ b/modules/server/containers/apps/.todo.md
@@ -1,4 +0,0 @@
-# Missing
-
-RSS: TTRSS / FreshRSS
-Monitoring: Telegraf + InfluxDB
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -1,92 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  version = "2026.2.2";
-  serverCfg = config.syscfg.server;
-  authentikData = builder.mkData { 
-    name = "authentik"; dir = "authentik"; vars = {
-      NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
-      AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
-      COOKIE_DOMAIN = "${serverCfg.hostDomain}";
-    };
-  };
-in {
-  paths = [{
-    path="${serverCfg.configPath}/authentik/media";
-    owner = "1000:1000";
-    mode = "0755";
-  }{
-    path="${serverCfg.configPath}/authentik/templates";
-    owner = "1000:1000";
-    mode = "0755";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "ghcr.io/goauthentik/server:${version}";
-      port = 9000;
-      ip = containerCfg.ip;
-      secret = name;
-      extraEnv = {
-        "AUTHENTIK_REDIS__HOST" = builder.host;
-        "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
-        "AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
-        "AUTHENTIK_EMAIL__PORT" = "587";
-        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
-        "AUTHENTIK_EMAIL__USE_TLS" = "true";
-        "AUTHENTIK_EMAIL__USE_SSL" = "false";
-        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
-        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
-        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
-        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
-      };
-      overrides = {
-        cmd = [ "server" ];
-        ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:9000" ] else [];
-        volumes = [
-          "${serverCfg.configPath}/authentik/media:/media"
-          "${serverCfg.configPath}/authentik/templates:/templates"
-          "${authentikData}:/blueprints/custom:ro"
-        ];
-      };
-    };
-
-    worker = builder.mkContainer {
-      image = "ghcr.io/goauthentik/server:${version}";
-      secret = "authentik";
-      extraEnv = {
-        "AUTHENTIK_REDIS__HOST" = builder.host;
-        "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
-        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
-        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
-      };
-      overrides = {
-        cmd = [ "worker" ];
-        volumes = [
-          "${serverCfg.configPath}/authentik/media:/media"
-          "${serverCfg.configPath}/authentik/templates:/templates"
-          "${authentikData}:/blueprints/custom:ro"
-        ];
-      };
-    };
-  };
-
-
-  setup = {
-    trigger = "worker";
-    script = pkgs.writeShellScript "setup" ''
-      # Define the command wrapper
-      AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"
-
-      $AK apply_blueprint /blueprints/custom/authentik.yaml
-      $AK apply_blueprint /blueprints/custom/traefik.yaml
-      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
-
-      echo "Completed Authentik Setup"
-      '';
-  };
-}
--- a/modules/server/containers/apps/collabora.nix
+++ b/modules/server/containers/apps/collabora.nix
@@ -1,34 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-version = "latest";
-serverCfg = config.syscfg.server;
-in {
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "collabora/code:${version}";
-      port = 9980;
-      ip = containerCfg.ip;
-      secret = name;
-      extraEnv = {
-        "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";
-        "server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
-        "username" = "collabora_user";
-        "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
-        "VIRTUAL_PORT" = "9980";
-        "VIRTUAL_PROTO" = "http";
-        "DONT_GEN_SSL_CERT" = "true";
-        "RESOLVE_TO_PROXY_IP" = "true";
-        "extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
-        "dictionaries" = "en fr de jp no";
-      };
-      
-      overrides = {
-        volumes = [
-          "${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
-          "${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
-        ];
-      };
-    };
-  };
-}
--- a/modules/server/containers/apps/ethercalc.nix
+++ b/modules/server/containers/apps/ethercalc.nix
@@ -1,39 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  serverCfg = config.syscfg.server;
-  ethercalc_exe = pkgs.ethercalc;
-
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = "ethercalc";
-    tag = ethercalc_exe.version;
-    contents = [ pkgs.bashInteractive ];
-    config = {
-      Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
-      ExposedPorts = { "8080/tcp" = {}; };
-    };
-  };
-in {
-  paths = [{
-    path="${serverCfg.dataPath}/ethercalc/";
-    mode = "0666";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 8080;
-      ip = containerCfg.ip;
-      secret = name;
-      extraEnv = {
-        ETHERCALC_PORT = "8080";
-        #CONNECT TO REDIS
-      };
-      overrides = {
-        volumes = [
-          "${serverCfg.dataPath}/ethercalc:/data"
-        ];
-       };
-    };
-  };
-}
--- a/modules/server/containers/apps/etherpad.nix
+++ b/modules/server/containers/apps/etherpad.nix
@@ -1,123 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  serverCfg = config.syscfg.server;
-  etherpad_exe = pkgs.etherpad-lite;
-  settings = pkgs.writeText"settings.json" (builtins.toJSON {
-    title= "\${TITLE:Etherpad}";
-    showRecentPads = "\${SHOW_RECENT_PADS:true}";
-    favicon = "\${FAVICON:null}";
-    publicURL = "\${PUBLIC_URL:null}";
-    skinName = "\${SKIN_NAME:colibris}";
-    skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
-    ip = "\${IP:0.0.0.0}";
-    port = "\${PORT:9001}";
-    showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
-    enableMetrics = "\${ENABLE_METRICS:true}";
-    updates.tier = "off";
-    cleanup.enabled = false;
-    gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
-    authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
-    enableDarkMode = "\${ENABLE_DARK_MODE:true}";
-    enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
-    dbType = "\${DB_TYPE:dirty}";
-    dbSettings = {
-      host =       "\${DB_HOST:undefined}";
-      port =       "\${DB_PORT:undefined}";
-      database =   "\${DB_NAME:undefined}";
-      user =       "\${DB_USER:undefined}";
-      password =   "\${DB_PASS:undefined}";
-      charset =    "\${DB_CHARSET:undefined}";
-      filename =   "\${DB_FILENAME:var/dirty.db}";
-      collection = "\${DB_COLLECTION:undefined}";
-      url =        "\${DB_URL:undefined}";
-    };
-    defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
-    padOptions = {
-      noColors =         "\${PAD_OPTIONS_NO_COLORS:false}";
-      showControls =     "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
-      showChat =         "\${PAD_OPTIONS_SHOW_CHAT:true}";
-      showLineNumbers =  "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
-      useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
-      userName =         "\${PAD_OPTIONS_USER_NAME:null}";
-      userColor =        "\${PAD_OPTIONS_USER_COLOR:null}";
-      rtl =              "\${PAD_OPTIONS_RTL:false}";
-      alwaysShowChat =   "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
-      chatAndUsers =     "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
-      lang =             "\${PAD_OPTIONS_LANG:null}";
-      fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
-      enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
-    };
-
-    requireSession = "\${REQUIRE_SESSION:false}";
-    editOnly = "\${EDIT_ONLY:false}";
-    minify = "\${MINIFY:true}";
-    requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
-    requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
-    trustProxy = "\${TRUST_PROXY:true}";
-    ep_headerauth.username_header = "X-authentik-username";
-    users.admin = {
-      password = "\${ADMIN_PASSWORD:null}";
-      is_admin = true;
-    };
-    socketTransportProtocols = ["websocket" "polling"];
-    socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
-    indentationOnNewLine = true;
-
-    loglevel = "\${LOGLEVEL:INFO}";
-    lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
-  });
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = "etherpad";
-    tag = etherpad_exe.version;
-    contents = [ pkgs.bashInteractive ];
-    config = {
-      Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
-      ExposedPorts = { "8080/tcp" = {}; };
-    };
-  };
-in {
-  paths = [{
-    path="${serverCfg.configPath}/etherpad/";
-    mode = "0444";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 8080;
-      ip = containerCfg.ip;
-      secret = name;
-      extraEnv = {
-        TITLE = "Pad";
-        PORT ="8080";
-        DB_TYPE = "postgres";
-        DB_HOST = builder.host;
-        DB_NAME = "etherpad_db";
-        DB_USER = "etherpad_user";
-        TRUST_PROXY = "true";
-        DB_CHARSET = "utf8mb4";
-        DEFAULT_PAD_TEXT = "";
-        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
-        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
-        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
-      };
-      overrides = {
-        cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
-        volumes = [
-          "${settings}:/etc/etherpad/settings.json"
-          "${serverCfg.configPath}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
-        ];
-       };
-    };
-  };
-
-  setup = {
-    trigger = "server";
-    envFile = config.sops.secrets."ETHERPAD".path;
-    script = pkgs.writeShellScript "setup" ''
-      echo "$APIKEY" > ${serverCfg.configPath}/etherpad/APIKEY.txt
-      chmod 444 ${serverCfg.configPath}/etherpad/APIKEY.txt
-    '';
-  };
-}
--- a/modules/server/containers/apps/frigate.nix
+++ b/modules/server/containers/apps/frigate.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/apps/gitea.nix
+++ b/modules/server/containers/apps/gitea.nix
@@ -1,130 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  version = "latest";
-  serverCfg = config.syscfg.server;
-in {
-    
-  paths = [{
-    path="${serverCfg.dataPath}/gitea/data";
-    owner = "1000:1000";
-    mode = "0755";
-  }{
-    path="${serverCfg.dataPath}/gitea/data-runner";
-    owner = "1000:1000";
-    mode = "0755";
-  }];
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "gitea/gitea:${version}";
-      port = 8080;
-      ip = containerCfg.ip;
-      secret = name;
-      
-      extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
-        GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
-        GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
-        GITEA__repository__DISABLE_STARS = "true";
-        GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
-        # GITEA__ui__THEMES = "";
-        # GITEA__ui__DEFAULT_THEME = "";
-
-        # GITEA__security__SECRET_KEY = "SECRET_ENV";
-        # GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
-        # GITEA__database__PASSWD = "SECRET_ENV";
-        # GITEA__mailer__PASSWD="SECRET_ENV";
-
-        GITEA__database__DB_TYPE = "postgres"; 
-        GITEA__database__HOST = builder.host;
-        GITEA__database__NAME = "gitea_db";
-        GITEA__database__USER = "gitea_user";
-
-
-        GITEA__mailer__ENABLED = "true";
-        GITEA__mailer__FROM = "";
-        GITEA__mailer__PROTOCOL = "smtps";
-        GITEA__mailer__SMTP_ADDR = "";
-        GITEA__mailer__SMTP_PORT = "";
-        GITEA__mailer__USER= "";
-
-        GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
-        GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.hostDomain}/";
-        GITEA__server__PROTOCOL = "http";
-        GITEA__server__HTTP_PORT = "8080";
-        GITEA__server__LFS_START_SERVER = "true";
-        GITEA__security__INSTALL_LOCK = "true";
-
-      } // ( if serverCfg.containers?authentik then {
-        GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
-        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
-        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
-        GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
-        GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
-        GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
-        GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
-        GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/outpost.goauthentik.io/sign_out";
-        GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
-        GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
-        GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
-        GITEA__security__RREVERSE_PROXY_LIMIT = "1";
-        GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
-      } else {});
-      extraLabels = {
-        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.hostDomain}`) && Path(`/user/login`) ";
-        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
-        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
-        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
-        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
-      };
-
-      overrides = {
-        volumes = [
-          "${serverCfg.dataPath}/gitea/data:/data"
-        ];
-        ports = [ "2222:22" ]; 
-      };
-    };
-
-    runner = builder.mkContainer {
-      image = "gitea/act_runner:${version}";
-      secret = name;
-      extraEnv = { 
-        CONFIG_FILE="/data/config.yml";
-        GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
-        GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
-      };
-
-      overrides = {
-        volumes = [
-          "${serverCfg.dataPath}/gitea/data-runner:/data"
-          "/var/run/podman/podman.sock:/var/run/docker.sock"
-        ];
-        # ports = [ "8088:8088" ]; 
-      };
-    };
-  };
-
-
-  setup = {
-    trigger = "server";
-    envFile = config.sops.secrets."CUSTOM".path;
-    script = pkgs.writeShellScript "setup" ''
-      # Define the command wrapper
-      GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
-      GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
-
-      $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
-
-      RUNNER_TOKEN=$($GT actions generate-runner-token)
-      $GTR register \
-        --instance "https://${containerCfg.subdomain}.${serverCfg.hostDomain}" \
-        --token "$RUNNER_TOKEN" \
-        --name "Runner" \
-        --labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
-        --no-interactive
-
-
-      echo "Completed Gitea Setup"
-      '';
-  };
-}
--- a/modules/server/containers/apps/handbrake.nix
+++ b/modules/server/containers/apps/handbrake.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/apps/homeassistant.nix
+++ b/modules/server/containers/apps/homeassistant.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/apps/invidious.nix
+++ b/modules/server/containers/apps/invidious.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/apps/jellyfin.nix
+++ b/modules/server/containers/apps/jellyfin.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/apps/nextcloud.nix
+++ b/modules/server/containers/apps/nextcloud.nix
@@ -1,198 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-version = "31";
-serverCfg = config.syscfg.server;
-in {
-  paths = [{
-    path="${serverCfg.dataPath}/nextcloud/www";
-    owner = "33:33";
-    mode = "0755";
-  }{
-    path="${serverCfg.dataPath}/nextcloud/data";
-    owner = "33:33";
-    mode = "0755";
-    backup = true;
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "nextcloud:${version}";
-      port = 80;
-      ip = containerCfg.ip;
-      secret = name;
-      extraEnv = {
-        REDIS_HOST = builder.host;
-        POSTGRES_HOST = builder.host;
-        POSTGRES_USER = "nextcloud_user";
-        POSTGRES_DB = "nextcloud_db";
-        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
-        "NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
-        "SMTP_HOST" = serverCfg.mailServer;
-        "SMTP_NAME" = "mail_user";
-        "SMTP_PASSWORD" = "mail_password";
-        "MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.hostDomain}";
-        "MAIL_DOMAIN" = serverCfg.mailDomain;
-        "TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
-      };
-      extraLabels = {
-        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
-        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
-        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
-        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
-        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
-        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
-      };
-      extraOptions = [
-        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
-      ];
-      overrides = {
-        ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
-        volumes = [
-          "${serverCfg.dataPath}/nextcloud/www:/var/www/html"
-          "${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
-        ];
-      };
-    };
-  };
-
-  setup = {
-    trigger = "server";
-    script = pkgs.writeShellScript "setup" ''
-      # Define the command wrapper
-      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u www-data nextcloud-server php occ"
-
-      echo "Waiting for Nextcloud container to start..."
-      until $OCC status > /dev/null 2>&1; do
-        sleep 2
-      done
-
-      INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
-      if [ -z "$INSTALLED" ]; then
-        echo "Running first-time setup..."
-        
-        $OCC maintenance:install \
-          --admin-user "$DEFAULT_ADMIN_USERNAME" \
-          --admin-pass "$DEFAULT_ADMIN_PASSWORD"
-      fi
-      if [ -z "$INSTALLED" ] || [ -f "/tmp/force-nextcloud-setup" ]; then
-        rm -f "/tmp/force-nextcloud-setup"
-        echo "Applying Settings..."
-        
-        $OCC config:system:set default_phone_region --value="CH"
-        $OCC config:system:set overwriteprotocol --value="https"
-        $OCC config:app:set core backgroundjobs_mode --value="cron"
-        $OCC config:system:set maintenance_window_start --type=integer --value=1
-        $OCC config:system:set default_language --value="en"
-        $OCC config:system:set default_locale --value="en_CH"
-
-        echo "Applying Apps..."
-        $OCC app:disable activity || true
-        $OCC app:disable app_api || true
-        $OCC app:disable comments || true
-        $OCC app:disable firstrunwizard || true
-        $OCC config:system:set show_first_run_wizard --type=bool --value=false
-        $OCC app:disable nextcloud_announcements || true
-        $OCC app:disable oauth2 || true
-        $OCC app:disable recommendations || true
-        $OCC app:disable sharebymail || true
-        $OCC app:disable support || true
-        $OCC app:disable survey_client || true
-        $OCC app:disable updatenotification || true
-        $OCC app:disable user_status || true
-
-        $OCC app:install calendar || true
-        $OCC app:install calendar || true
-        $OCC app:install contacts || true
-        $OCC app:install camerarawpreviews || true
-        $OCC app:install cospend || true
-        $OCC app:install deck || true
-        $OCC app:install files_markdown || true
-        $OCC app:install forms || true
-        $OCC app:install groupfolders || true
-        $OCC app:install ownpad || true
-        $OCC app:install previewgenerator || true
-        $OCC app:install richdocuments || true
-        ${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
-        # $OCC app:install side_menu || true 
-        $OCC app:install spreed || true
-        $OCC app:install teamfolders || true
-        ${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
-
-        echo "Applying Apps Settings..."
-        $OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
-        $OCC config:app:set cospend allow_federation --value="yes"
-        
-        ${lib.optionalString (serverCfg.containers ? ethercalc) ''
-        $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
-        $OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}"
-        ''}
-        ${lib.optionalString (serverCfg.containers ? etherpad) ''
-        $OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
-        $OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.hostDomain}"
-        ''}
-        ${lib.optionalString (serverCfg.containers ? collabora) ''
-        $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/"
-        $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}"
-        $OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
-        ''}
-        ${lib.optionalString (serverCfg.containers ? authentik) ''
-        $OCC saml:config:set 1 --general-idp0_display_name="authentik"
-        $OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
-        $OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}"
-        $OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/sso/binding/redirect/"
-        $OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/slo/binding/redirect/"
-        AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
-        $OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT" 
-
-        $OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
-        $OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-        $OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
-
-        $OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
-        $OCC group:add admin || true
-        $OCC group:add cloud || true
-        $OCC config:app:set user_saml general-group_provisioning --value="0"
-        $OCC config:app:set user_saml general-require_provisioning_groups --value="1"
-        ''}
-        # configure side_menu ...
-        FOLDERS=$($OCC teamfolders:list --format=json)
-        ${builtins.concatStringsSep "\n" (map (name: ''
-          if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
-              $OCC teamfolders:create "${name}"
-          fi
-        '') containerCfg.extra.teamFolders or [])}
-        SERVERS=$($OCC federation:list-servers --format=json)
-        ${builtins.concatStringsSep "\n" (map (domain: ''
-          if ! echo "$SERVERS" | grep -q "${domain}"; then
-            $OCC federation:add-server "https://${domain}"
-          fi
-        '') containerCfg.extra.federatedServers or [])}
-        $OCC config:app:set systemtags allow_user_creating --value="no"
-        
-        echo "Applying Theme..."
-        $OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.hostDomain}"
-        ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
-        ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
-        $OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
-        $OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
-
-        #$OCC theming:config logo {serverCfg.colorScheme.logo}
-        #$OCC theming:config logoheader {serverCfg.colorScheme.logo}
-        #$OCC theming:config background {serverCfg.colorScheme.bg}
-            
-      else
-          echo "Nextcloud is already installed. Skipping setup."
-      fi
-
-      echo "Maintenance..."
-      $OCC app:update --all
-      $OCC maintenance:repair --include-expensive --no-interaction
-      $OCC db:add-missing-indices --no-interaction
-
-      echo "Completed Setup"
-    '';
-  };
-
-  cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
-}
--- a/modules/server/containers/apps/searxng.nix
+++ b/modules/server/containers/apps/searxng.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/apps/servarr.nix
+++ b/modules/server/containers/apps/servarr.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/apps/traefik.nix
+++ b/modules/server/containers/apps/traefik.nix
@@ -1,77 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  serverCfg = config.syscfg.server;
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = "traefik";
-    tag = pkgs.traefik.version;
-    contents = with pkgs;[ cacert tzdata ];
-    config = {
-      Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
-      WorkingDir = "/";
-    };
-  };
-in {
-  paths = [{
-    path="${serverCfg.configPath}/traefik";
-    owner = "1000:1000";
-    mode = "0755";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      imageStream = image;
-      subdomain = containerCfg.subdomain;
-      ip = containerCfg.ip;
-      port = 8080;
-      secret = name;
-      extraLabels = {
-        "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
-        "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
-                
-        "traefik.http.routers.${containerCfg.subdomain}.middlewares" =  if serverCfg.containers?authentik then "authentik" else "";
-        "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
-        "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
-        "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
-        "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
-      } // (if containerCfg.extra ? provider || serverCfg.hostDomain != "localhost" then {
-        "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
-        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.hostDomain}";
-        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.hostDomain}";
-      } else {});
-      extraEnv = { };
-      overrides = {
-        cmd = [ 
-          "--api"
-          "--log.level=INFO"
-          "--providers.docker=true"
-          "--global.checknewversion=false"
-          "--global.sendanonymoususage=false"
-          "--api.insecure=true"
-          "--api.dashboard=true"
-          "--providers.docker.exposedByDefault=false"
-          "--entrypoints.web.address=:80"
-          "--entrypoints.web-secure.address=:443"
-          "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
-          "--entrypoints.web.http.redirections.entrypoint.scheme=https"
-          "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
-          "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
-        ] ++ (if containerCfg.extra ? provider then [
-          "--certificatesresolvers.default.acme.email=acme@${serverCfg.hostDomain}"
-          "--certificatesresolvers.default.acme.dnschallenge=true"
-          "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
-          "--certificatesresolvers.default.acme.storage=/custom/acme.json"
-        ] else (if serverCfg.hostDomain != "localhost" then [
-          "--certificatesresolvers.default.acme.httpchallenge=false"
-          "--certificatesresolvers.default.acme.tlschallenge=true"
-        ] else [ ]));
-        ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
-        volumes = [
-          "/var/run/podman/podman.sock:/var/run/docker.sock"
-          # "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
-          "${serverCfg.configPath}/traefik:/custom"
-        ];
-      };
-    };
-  };
-}
-
--- a/modules/server/containers/apps/transmission.nix
+++ b/modules/server/containers/apps/transmission.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/apps/trmnl.nix
+++ b/modules/server/containers/apps/trmnl.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/apps/umami.nix
+++ b/modules/server/containers/apps/umami.nix
@@ -1,3 +0,0 @@
-{...}:{
-    
-}
--- a/modules/server/containers/builder.nix
+++ b/modules/server/containers/builder.nix
@@ -1,46 +0,0 @@
-{ config, lib, pkgs, serverCfg }:
-let 
-  builder =
-  { image ? null, imageStream ? null
-  , secret ? null
-  , subdomain ? null, ip ? null, port ? 0
-  , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
-  , overrides ? { }
-  }:
-  let base = {
-    image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}" 
-            else image;
-    imageStream = imageStream;
-
-    environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
-    environment = {} // extraEnv;
-
-    labels = (if subdomain!=null then ({
-      "traefik.enable" = "true";
-      "traefik.http.routers.${subdomain}.entrypoints" = "web-secure";
-      "traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)";
-      "traefik.http.routers.${subdomain}.tls" = "true";
-    } // lib.optionalAttrs (port!=null) {
-      "traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port;
-    }) else {
-      "traefik.enable" = "false";
-    }) // extraLabels;
-
-    extraOptions = extraOptions ++ [
-      "--add-host=host.containers.internal:host-gateway"
-    ] ++ lib.optional (ip!=null) "--ip=${ip}";
-  };
-  in lib.recursiveUpdate base overrides;
-in {
-  mkContainer = builder;
-  mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
-    mkdir -p $out
-    cp -r ${./data + "/${dir}"}/. $out/
-    find $out -type f | while read file; do
-      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
-        substituteInPlace "$file" --replace "@${n}@" "${toString v}"
-      '') vars)}
-    done
-  '';
-  host = "host.containers.internal"; 
-}
--- a/modules/server/containers/data/authentik/authentik.yaml
+++ b/modules/server/containers/data/authentik/authentik.yaml
@@ -1,70 +0,0 @@
-version: 1
-metadata:
-  name: "Initial User Setup"
-  labels:
-    blueprint-type: core
-entries:
-  # Optionally, disable the default enrollment flow entirely
-  - model: authentik_flows.flow
-    identifiers:
-      slug: "default-source-enrollment"
-    attrs:
-      designation: "enrollment"
-      enabled: false
-  # --- GROUPS ---
-  - model: authentik_core.group
-    identifiers:
-      name: "admin"
-    attrs:
-      is_superuser: true
-
-  - model: authentik_core.group
-    identifiers:
-      name: "cloud"
-    attrs:
-      is_superuser: false
-
-  - model: authentik_core.group
-    identifiers:
-      name: "dev"
-    attrs:
-      is_superuser: false
-
-  - model: authentik_core.group
-    identifiers:
-      name: "flix"
-    attrs:
-      is_superuser: false
-
-  - model: authentik_core.group
-    identifiers:
-      name: "family"
-    attrs:
-      is_superuser: false
-
-  # --- ADMIN USERS ---
-  - model: authentik_core.user
-    identifiers:
-      username: !Env DEFAULT_ADMIN_USERNAME
-    attrs:
-      name: !Env DEFAULT_ADMIN_USERNAME
-      email: !Env DEFAULT_ADMIN_EMAIL
-      password: !Env DEFAULT_ADMIN_PASSWORD
-      path: "users"
-      groups:
-        - !Find [authentik_core.group, [name, "admin"]]
-
-  # Disable the Initial Setup Flow
-  - model: authentik_flows.flow
-    identifiers:
-      slug: "initial-setup"
-    attrs:
-      authentication: "require_superuser"
-      enabled: false
-
-  # Disable the default 'akadmin' if it exists
-  - model: authentik_core.user
-    identifiers:
-      username: "akadmin"
-    attrs:
-      is_active: false
--- a/modules/server/containers/data/authentik/nextcloud.yaml
+++ b/modules/server/containers/data/authentik/nextcloud.yaml
@@ -1,88 +0,0 @@
-version: 1
-metadata:
-  name: nextcloud-saml-setup
-entries:
-  # 1. Create the SAML Provider
-  - model: authentik_providers_saml.samlprovider
-    identifiers:
-      name: Nextcloud SAML
-    attrs:
-      authorization_flow:
-        !Find [
-          authentik_flows.flow,
-          [slug, default-provider-authorization-explicit-consent],
-        ]
-      invalidation_flow:
-        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-
-      # Adjust these URLs to match your Nextcloud domain
-      acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
-      audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
-      issuer: https://@AUTHENTIK_DOMAIN@
-      sp_binding: post
-      # Map the attributes for Name, Email, and Groups
-      property_mappings:
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: Name"],
-          ]
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: Email"],
-          ]
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: Groups"],
-          ]
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: Username"],
-          ]
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: User ID"],
-          ]
-
-        # - !Find [
-        #     authentik_providers_saml.samlpropertymapping,
-        #     [managed, "goauthentik.io/providers/saml/ms-name"],
-        #   ]
-        # - !Find [
-        #     authentik_providers_saml.samlpropertymapping,
-        #     [managed, "goauthentik.io/providers/saml/ms-email"],
-        #   ]
-        # - !Find [
-        #     authentik_providers_saml.samlpropertymapping,
-        #     [managed, "goauthentik.io/providers/saml/ms-groups"],
-        #   ]
-
-        # - !Find [
-        #     authentik_core.propertymapping,
-        #     [managed, goauthentik.io/providers/saml/ms-name],
-        #   ]
-        # - !Find [
-        #     authentik_core.propertymapping,
-        #     [managed, goauthentik.io/providers/saml/ms-email],
-        #   ]
-        # - !Find [
-        #     authentik_core.propertymapping,
-        #     [managed, goauthentik.io/providers/saml/ms-groups],
-        #   ]
-      # Select your signing certificate (default is usually self-signed)
-      signing_kp:
-        !Find [
-          authentik_crypto.certificatekeypair,
-          [name, "authentik Self-signed Certificate"],
-        ]
-      sign_assertion: true
-      sign_response: false
-
-  # 2. Create the Application
-  - model: authentik_core.application
-    identifiers:
-      slug: nextcloud
-    attrs:
-      name: Nextcloud
-      provider:
-        !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
-      group: "Cloud Services"
--- a/modules/server/containers/data/authentik/traefik.yaml
+++ b/modules/server/containers/data/authentik/traefik.yaml
@@ -1,45 +0,0 @@
-version: 1
-metadata:
-  name: domain-wide-proxy-setup
-entries:
-  # 1. The Provider
-  - model: authentik_providers_proxy.proxyprovider
-    identifiers:
-      name: Domain Wide Proxy
-    attrs:
-      authorization_flow:
-        !Find [
-          authentik_flows.flow,
-          [slug, default-provider-authorization-implicit-consent],
-        ]
-      invalidation_flow:
-        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-
-      external_host: https://@AUTHENTIK_DOMAIN@
-      cookie_domain: "@COOKIE_DOMAIN@"
-
-      mode: forward_domain
-      intercept_header_auth: true
-
-  # 2. The Application (Required to link the provider)
-  - model: authentik_core.application
-    identifiers:
-      slug: authentik-proxy
-    attrs:
-      name: "Domain Auth Provider"
-      provider:
-        !Find [
-          authentik_providers_proxy.proxyprovider,
-          [name, Domain Wide Proxy],
-        ]
-
-  # 3. Add to Outpost
-  - model: authentik_outposts.outpost
-    identifiers:
-      name: authentik Embedded Outpost
-    attrs:
-      providers:
-        - !Find [
-            authentik_providers_proxy.proxyprovider,
-            [name, Domain Wide Proxy],
-          ]
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -1,23 +1,14 @@
 { config, pkgs, lib, ... }:
 let
-  serverCfg = config.syscfg.server;
-  builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
-  enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers;
+  cfg = config.syscfg.server.containers;
+  enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
  containerSetsList = lib.mapAttrsToList (name: containerCfg:
-  let apps = import (./apps + "/${name}.nix") {inherit config pkgs lib containerCfg builder name;};
-  in{
-    name = name;
-    containers = lib.mapAttrs' (cName: cValue: 
-      lib.nameValuePair "${name}-${cName}" cValue
-    ) apps.containers;
-    paths = apps.paths or [];
-    setup = apps.setup or null;
-    cron = apps.cron or [];
-  }
-) enabledConfigs;
+    import (./defs + "/${name}.nix") {
+      inherit config pkgs lib  containerCfg;
+    }
+  ) enabledConfigs;
  mergedContainers = lib.attrsets.mergeAttrsList  (lib.map(e: e.containers) containerSetsList);
-  allPathConfigs = lib.flatten (lib.map (e: e.paths) containerSetsList);
-  allCronsConfigs = lib.flatten (lib.map (e: e.cron or []) containerSetsList);
+  allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
 in
 {
  config = lib.mkIf ( enabledConfigs != {} ) {
@@ -26,56 +17,24 @@ in
      backend = "podman";
      containers = mergedContainers;
    };
+
+    systemd.services.podman-gc = {
+      description = "Podman garbage collection";
+      serviceConfig.Type = "oneshot";
+      script = ''
+        ${pkgs.podman}/bin/podman container prune -f
+        ${pkgs.podman}/bin/podman image prune -f
+      '';
+      startAt = "weekly";
+    };
    
    system.activationScripts.container-setup-dirs = {
      deps = [ "users" "groups" ];
-      text = lib.concatStringsSep "\n" (map (cfg:
-      let
-        effectiveCfg = {
-          owner = "root:root";
-          mode = "0400";
-        } // cfg;
-      in ''
-        ${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
-        ${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
-        ${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
+      text = lib.concatStringsSep "\n" (map (cfg: ''
+        mkdir -p "${cfg.path}"
+        chown ${cfg.owner} "${cfg.path}"
+        chmod ${cfg.mode} "${cfg.path}"
      '') allPathConfigs);
    };
-
-    systemd.services = {
-      podman-gc = {
-        description = "Podman garbage collection";
-        serviceConfig.Type = "oneshot";
-        script = ''
-          ${pkgs.podman}/bin/podman container prune -f
-          ${pkgs.podman}/bin/podman image prune -f
-        '';
-        startAt = "weekly";
-      };
-    } // lib.listToAttrs (lib.concatMap (containerSet: 
-      if containerSet.setup != null then [{
-        name = "${containerSet.name}-setup";
-        value = {
-          description = "Run ${containerSet.name} setup";
-          after = [ "podman-${containerSet.name}-${containerSet.setup.trigger}.service" ];
-          wants = [ "podman-${containerSet.name}-${containerSet.setup.trigger}.service" ];
-          wantedBy = [ "multi-user.target" ];
-          serviceConfig = {
-            Type = "oneshot";
-            TimeoutStartSec = "360s";
-            EnvironmentFile = if (containerSet.setup ? envFile) then containerSet.setup.envFile else [ ];
-            ExecStart = "${containerSet.setup.script}";
-            RemainAfterExit = true;
-            User = "root";
-          };
-        };
-      }] else []
-    ) containerSetsList);
-
-    services.cron = {
-      enable = true;
-      systemCronJobs = allCronsConfigs;
-    };
-
  };
 }
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -0,0 +1,84 @@
+{ config, containerCfg, pkgs, lib, ... }:
+let 
+serverCfg = config.syscfg.server;
+in {
+  paths = [{
+    path="${serverCfg.dataPath}/authentik/media";
+    owner = "1000:1000";
+    mode = "0755";
+  }{
+    path="${serverCfg.dataPath}/authentik/templates";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+
+  containers = {
+
+    auth_server = {
+      image = "ghcr.io/goauthentik/server:latest";
+      hostname = "auth_server";
+      volumes = [
+        "${serverCfg.dataPath}/authentik/media:/media"
+        "${serverCfg.dataPath}/authentik/templates:/templates"
+      ];
+      environmentFiles = [
+        config.sops.secrets."AUTHENTIK".path
+      ];
+      environment = {
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
+        "AUTHENTIK_EMAIL__PORT" = "587";
+        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
+        "AUTHENTIK_EMAIL__USE_TLS" = "true";
+        "AUTHENTIK_EMAIL__USE_SSL" = "false";
+        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
+        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.sso.entrypoints" = "web-secure";
+        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.sso.tls" = "true";
+        "traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
+      };
+      cmd = [ "server" ];
+      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+        "--replace"
+        "--rm"
+        "--ip=${containerCfg.ip}"
+      ];
+      ports = [
+        "9999:${toString containerCfg.port}"
+      ];
+    };
+
+    auth_worker = {
+      image = "ghcr.io/goauthentik/server:latest";
+      hostname = "auth_worker";
+      volumes = [
+        "${serverCfg.dataPath}/authentik/media:/media"
+        "${serverCfg.dataPath}/authentik/templates:/templates"
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+      environmentFiles = [
+        config.sops.secrets."AUTHENTIK".path
+      ];
+      environment = {
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+      };
+      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+        "--replace"
+        "--rm"
+      ];
+      cmd = [ "worker" ];
+    };
+  };
+}
--- a/modules/server/containers/defs/cloud.nix
+++ b/modules/server/containers/defs/cloud.nix
@@ -0,0 +1,152 @@
+{ config, pkgs, lib, ... }:
+let serverCfg = config.syscfg.server;
+in {
+  project.name = "cloud";
+
+  networks = {
+    internal = {
+      name = lib.mkForce "internal";
+      internal = true;
+    };
+    external = {
+      name = lib.mkForce "external";
+      internal = false;
+    };
+  };
+
+  services = {
+
+    cloud_nextcloud.service = {
+      image = "nextcloud:27";
+      container_name = "cloud";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [
+        "${serverCfg.configPath}/data/nextcloud:/var/www/html"
+        "${serverCfg.dataPath}/data/music:/media/music"
+        "${serverCfg.dataPath}/data/video:/media/video"
+        "${serverCfg.dataPath}/data/photo:/media/photo"
+      ];
+      tmpfs = [ "/tmp" ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.nextcloud.entrypoints" = "web-secure";
+        "traefik.http.routers.nextcloud.rule" =
+          "Host(`cloud.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.nextcloud.tls" = "true";
+        "traefik.http.routers.nextcloud.middlewares" =
+          "sts_headers,nextcloud-caldav";
+
+        "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
+          "true";
+        "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
+          "^https://(.*)/.well-known/(card|cal)dav";
+        "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
+          "https://$\${1}/remote.php/dav/";
+        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
+        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
+          "true";
+      };
+    };
+
+    cloud_office.service = {
+      image = "collabora/code:latest";
+      container_name = "cloud_office";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [ ];
+      environment = {
+        username = "COLLABORA_USER";
+        password = "COLLABORA_PASSWORD";
+        aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
+        server_name = "office.${serverCfg.hostDomain}";
+        VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
+        VIRTUAL_PORT = "9980";
+        VIRTUAL_PROTO = "http";
+        DONT_GEN_SSL_CERT = "true";
+        RESOLVE_TO_PROXY_IP = "true";
+        NETWORK_ACCESS = "internal";
+        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
+        dictionaries = "en fr de jp";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.collabora.entrypoints" = "web-secure";
+        "traefik.http.routers.collabora.rule" =
+          "Host(`office.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.collabora.tls" = "true";
+      };
+    };
+
+    cloud_etherpad.service = {
+      image = "etherpad/etherpad:latest";
+      container_name = "etherpad";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [
+        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
+        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
+      ];
+      environment = {
+        NODE_ENV = "production";
+        TITLE = "Helcel-Pad";
+        DB_TYPE = "mysql";
+        DB_HOST = serverCfg.dbHost;
+        DB_PORT = serverCfg.dbPort;
+        DB_NAME = "etherpad";
+        DB_USER = "ETHERPAD_DB_USER";
+        DB_PASS = "ETHERPAD_DB_PASSWORD";
+        DB_CHARSET = "utf8mb4";
+        DEFAULT_PAD_TEXT = "P A D";
+        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
+        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
+        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
+        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.etherpad.entrypoints" = "web-secure";
+        "traefik.http.routers.etherpad.rule" =
+          "Host(`pad.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.etherpad.tls" = "true";
+      };
+    };
+
+    cloud_ethercalc.service = {
+      image = "audreyt/ethercalc:latest";
+      container_name = "ethercalc";
+      restart = "unless-stopped";
+      networks = [ "external" "internal" ];
+      volumes = [
+        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
+        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
+      ];
+      environment = {
+        NODE_ENV = "production";
+        TITLE = "Helcel-Calc";
+        REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
+        REDIS_PORT_6379_TCP_PORT = "6379";
+        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
+        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.ethercalc.entrypoints" = "web-secure";
+        "traefik.http.routers.ethercalc.rule" =
+          "Host(`calc.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.ethercalc.tls" = "true";
+      };
+    };
+
+    cloud_redis.service = {
+      image = "redis:latest";
+      container_name = "ethercalc-redis";
+      restart = "unless-stopped";
+      networks = [ "internal" ];
+      volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
+      environment = { };
+      labels = { "traefik.enable" = "false"; };
+    };
+
+  };
+}
--- a/modules/server/containers/defs/sample.nix
+++ b/modules/server/containers/defs/sample.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+let serverCfg = config.syscfg.server;
+in {
+  project.name = "name";
+
+  networks = {
+    internal = {
+      name = lib.mkForce "internal";
+      internal = true;
+    };
+    external = {
+      name = lib.mkForce "external";
+      internal = false;
+    };
+  };
+
+  services = {
+
+    NAME.service = {
+      image = "NAME:latest";
+      container_name = "NAME";
+      restart = "unless-stopped";
+      networks = [ "internal" ];
+      volumes = [ ];
+      environment = { };
+      labels = { "traefik.enable" = "false"; };
+    };
+
+  };
+}
--- a/modules/server/containers/defs/traefik.nix
+++ b/modules/server/containers/defs/traefik.nix
@@ -0,0 +1,81 @@
+{ config, pkgs, ... }: {
+  project.name = "traefik";
+
+  networks = {
+    internal = {
+      name = lib.mkForce "internal";
+      internal = true;
+    };
+    external = {
+      name = lib.mkForce "external";
+      internal = false;
+    };
+  };
+
+  services = {
+
+    traefik.service = {
+      image = "traefik:latest";
+      container_name = "traefik";
+      restart = "unless-stopped";
+      networks = [ "internal" "external" ];
+      command = [
+        "--api"
+        "--providers.docker=true"
+        "--entrypoints.web.address=:80"
+        "--entrypoints.web-secure.address=:443"
+      ];
+      port = [ "443" "80" ];
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock:ro"
+        "${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
+        "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
+        "${serverCfg.configPath}/traefik/acme.json:/acme.json"
+      ];
+      environment = {
+        "INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
+      };
+      labels = { "traefik.enable" = "false"; };
+    };
+
+    matomo.service = {
+      image = "matomo:latest";
+      container_name = "matomo";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [
+        "/etc/localtime:/etc/localtime:ro"
+        "${serverCfg.configPath}/matomo:/var/www/html/config:rw"
+        "${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
+      ];
+      environment = { };
+      labels = {
+        "traefik.http.routers.matomo.rule" =
+          "Host(`matomo.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.matomo.entrypoints" = "web-secure";
+        "traefik.http.routers.matomo.tls" = "true";
+      };
+    };
+
+    searx.service = {
+      image = "searxng/searxng:latest";
+      container_name = "searx";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [ "/etc/localtime:/etc/localtime:ro" ];
+      environment = {
+        "BASE_URL" = "https://searx.${serverCfg.hostDomain}";
+        "AUTOCOMPLETE" = "true";
+        "INSTANCE_NAME" = "searx${serverCfg.shortName}";
+      };
+      labels = {
+        "traefik.http.routers.matomo.rule" =
+          "Host(`searx.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.matomo.entrypoints" = "web-secure";
+        "traefik.http.routers.matomo.tls" = "true";
+      };
+    };
+
+  };
+}
+
--- a/modules/server/database/default.nix
+++ b/modules/server/database/default.nix
@@ -62,6 +62,7 @@ in {
          
          if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
            PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
+            echo $PASS
            if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
                echo "✅ Successfully set password for ${name}_user"
            else
--- a/modules/server/nftables/default.nix
+++ b/modules/server/nftables/default.nix
@@ -1,8 +1,7 @@
-{ config, lib, ... }:
-let
- cfg = config.syscfg.server;
-in {
-  config = lib.mkIf (cfg.ipfw.enable) {
+
+
+{ config, lib, ... }:{
+  config = lib.mkIf (config.syscfg.server.nftables.enable) {
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
@@ -10,6 +9,13 @@ in {

    networking.nftables.enable = true;
    networking.nftables.ruleset = ''
+      table inet filter {
+        chain input {
+          type filter hook input priority filter; policy accept;
+          tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
+          
+        }
+      }
      table inet nat {
        chain prerouting {
          type nat hook prerouting priority dstnat; policy accept;
@@ -28,12 +34,12 @@ in {
                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
            ''
-          ) cfg.ipfw.ports}
+          ) config.syscfg.server.nftables.ports}
        }
        
        chain postrouting {
          type nat hook postrouting priority srcnat; policy accept;
-          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
+          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
        }
      }
    '';
--- a/modules/server/nginx/default.nix
+++ b/modules/server/nginx/default.nix
@@ -1,130 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.syscfg.server;
-  containers = cfg.containers; 
-  faviconOverride = {
-    " ~* /favicon\.(ico|png|svg|jpg)$" = {
-      extraConfig = ''
-        add_header Content-Type image/svg+xml;
-        return 200 '<svg xmlns="http://www.w3.org/2000/svg" id="Layer_1" data-name="Layer 1" viewBox="0 0 50 50"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M30.83,5A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,28.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/></svg>';
-      '';
-      # proxyPass = "http://127.0.0.1:9000";
-    };
-  };
-  # Function to convert your container config into an NGINX vhost
-  mkVhost = container: {
-    forceSSL = true;
-    # quic = true;
-    # http3 = true;
-    useACMEHost = "${cfg.hostDomain}";
-    locations = faviconOverride // {
-      "/" = {
-        proxyPass = "http://${container.ip}:${toString container.port}";
-        proxyWebsockets = true; # Recommended for modern apps
-      };
-    };
-  };
-  
-in {
-  config = lib.mkIf ( config.syscfg.server.web) {
-    security.acme = {
-      acceptTerms = true;
-      defaults.email = "admin@domain.org";
-
-      certs."${cfg.hostDomain}" = {
-        domain = "*.${cfg.hostDomain}";
-        extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
-        dnsProvider = "infomaniak";
-        credentialsFile = config.sops.secrets."INFOMANIAK_API_KEY".path; # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...)
-        group = "nginx"; 
-      };
-    };
-
-    services.nginx = {
-      enable = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      recommendedGzipSettings = true;
-
-      # appendHttpConfig = ''
-      #   add_header Alt-Svc 'h3=":443"; ma=86400';
-      # '';
-      commonHttpConfig = ''
-        proxy_buffer_size 32k;
-        proxy_buffers 8 16k;
-        proxy_busy_buffers_size 48k;
-      '';
-
-      virtualHosts = {
-        "_" = {
-          default = true;
-          forceSSL = true;
-          # quic = true;
-          # http3 = true;
-          useACMEHost = "${cfg.hostDomain}";
-          
-          locations = {
-            "/" = {
-              extraConfig = ''
-              return 404;
-              '';
-            };
-          };
-        };
-        "sec.${cfg.hostDomain}" = {
-          forceSSL = true;
-          useACMEHost = "${cfg.hostDomain}";
-          
-          locations = {
-            "/" = {
-              proxyWebsockets = true;
-              proxyPass= "http://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}";
-
-              extraConfig = ''
-                auth_request     /outpost.goauthentik.io/auth/nginx;
-                error_page       401 = @goauthentik_proxy_signin;
-                auth_request_set $auth_cookie $upstream_http_set_cookie;
-                add_header       Set-Cookie $auth_cookie;
-                
-                auth_request_set $authentik_username $upstream_http_x_authentik_username;
-                auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
-                auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
-                auth_request_set $authentik_email $upstream_http_x_authentik_email;
-                auth_request_set $authentik_name $upstream_http_x_authentik_name;
-                auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
-
-                proxy_set_header X-authentik-username $authentik_username;
-                proxy_set_header X-authentik-groups $authentik_groups;
-                proxy_set_header X-authentik-entitlements $authentik_entitlements;
-                proxy_set_header X-authentik-email $authentik_email;
-                proxy_set_header X-authentik-name $authentik_name;
-                proxy_set_header X-authentik-uid $authentik_uid;
-              '';
-            };
-
-            "/outpost.goauthentik.io" = {
-              proxyWebsockets = true;
-              proxyPass = "http://${config.syscfg.server.containers.authentik.ip}:${toString config.syscfg.server.containers.authentik.port}/outpost.goauthentik.io";
-              extraConfig = ''
-                proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
-                add_header              Set-Cookie $auth_cookie;
-                auth_request_set        $auth_cookie $upstream_http_set_cookie;
-                proxy_pass_request_body off;
-                proxy_set_header        Content-Length "";
-              '';
-            };
-          };
-          extraConfig = ''
-            location @goauthentik_proxy_signin {
-                internal;
-                add_header Set-Cookie $auth_cookie;
-                return 302 https://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
-            }
-          '';
-        };
-      } //lib.mapAttrs' (name: v: 
-        lib.nameValuePair "${v.subdomain}.${cfg.hostDomain}" (mkVhost v)
-      ) containers;
-    };
-  };
-}
--- a/modules/server/sops/default.nix
+++ b/modules/server/sops/default.nix
@@ -1,17 +1,16 @@
 { config, lib, pkgs, ... }:
 let
-  listNames = config.syscfg.server.db;
+ listNames = config.syscfg.server.db;
  containerNames = lib.mapAttrsToList (name: cfg: name) 
-    (lib.filterAttrs (name: cfg: ((cfg.db or false) || (cfg.sops or false))) config.syscfg.server.containers);
+    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
  allApps = lib.unique (listNames ++ containerNames);
 in{
+  config = lib.mkIf (config.syscfg.server.sops) {
    sops.secrets = {
-      CUSTOM = { 
-        mode = "0444";
-        sopsFile = ./server.yaml; 
-      };
-    } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
-      mode = "0444";
+      INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
+    } // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
+      owner = "postgres";
      sopsFile = ./server.yaml;
    }));
+  };
 }
--- a/modules/server/sops/example.server.yaml
+++ b/modules/server/sops/example.server.yaml
@@ -1,28 +0,0 @@
-CUSTOM: |
-  DEFAULT_ADMIN_USERNAME=...
-  DEFAULT_ADMIN_PASSWORD=...
-  DEFAULT_ADMIN_EMAIL=...
-TRAEFIK: |
-  INFOMANIAK_ACCESS_TOKEN=...
-AUTHENTIK: |
-  DB_PASSWORD=...
-  POSTGRES_PASSWORD=...
-  AUTHENTIK_SECRET_KEY=...
-  AUTHENTIK_EMAIL__PASSWORD=...
-NEXTCLOUD: |
-  DB_PASSWORD=...
-  POSTGRES_PASSWORD=...
-COLLABORA: |
-  password=...
-ETHERPAD: |
-  DB_PASSWORD=...
-  DB_PASS=...
-  ADMIN_PASSWORD=...
-  APIKEY=...
-ETHERCALC: |
-  ETHERCALC_KEY=...
-GITEA: |
-  DB_PASSWORD=...
-  GITEA__database__PASSWD=...
-  GITEA__security__SECRET_KEY=...
-  GITEA__security__INTERNAL_TOKEN=...
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
@@ -1,11 +1,5 @@
-CUSTOM: ENC[AES256_GCM,data:OVhE99dmudlV31Re2/fyFurXnRSM3RjbdVDxYp6oF4kazaseISlI4QjgIyyUNEAjeAST17Prv/t5GdyTUvoUICoVKmhQdRv5xFeB7ngTCdi7XoYW1r6HIXwz9wOf/UvPWLafSxSM,iv:/ikpvHH5sLZpTnNABUFjZoVLS+tBZSUYIUxxdXMCCcc=,tag:mS9uW33M355KErY1rQtvqQ==,type:str]
-TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
-AUTHENTIK: ENC[AES256_GCM,data:dZ+Kf85ZjaZ82coYNeNOXe5zfD2M9rEeOB6jDNoaKmo3jMABhnha+iBvYJTI2NltkGzymPJQI+JV8F6GdT1l6cqcR8p0nNjQjS1BMk0rR7n8RCp6MazUTJuIjbEq6zEUrA4SXquw5gZDEp4FLo010PhoLaLinHg8OoqzjDsTxdcKevbQWmZeefDBrwXWpz6BlkRIQA3KazVb0w7l1jDTIkozUIWbvtvtk5ccGjzx3b+wCC36QYFcHHtPvFZwMDHzFPVBd90hWc/BwFfvCExONmH0S7GLFTp7I5NsBnWpT0AHUHHc5PlSR2dUy9H2DZ3IkORdNVzOaqESbYKymuWTQBDQuyI9IJdt4Cac0CV9i6p8rFXL6fQyQKZ9djHX8orpyCUeJXqFs8I6et+IzpTeZcmdv/76Q9tomBBi4k4PRMXpeff8Bn02bOSb7RSaj5NVeWxIhZkh3sEXUeva5/yrAYT30mrLpbwzWoCaKrPCPLIcFxvNrYxPUo6kVVz1jSlBurvcKefbreJGqA==,iv:Hj7aBfDLSqRBzueN8b9F9TutpjMESFloqrnirSmnH9U=,tag:1ikt1JvuhIZCx68nh/VzMA==,type:str]
-NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
-COLLABORA: ENC[AES256_GCM,data:cLGEziks5dyxTF1jugfpQE0l0nSkDP7MpROzCxCM94jv49sguA+d/SnY1olE8ZP9iCBnlvbMZyNR7uYo88B92Pmv8wVWfeuhHiHFIXh5aaOxntpt80UMg3Jy,iv:gmFG7C893QPuZ4rEqllAlUpNIXMcGsf9+/QCPLhWLTM=,tag:WpKHCUk6zhQRfFX2d6OPbQ==,type:str]
-ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
-ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWNWhDQlTc0ImJoK6efr2uyp3sVu3o+KlCNvUGhDOJ1you6socyTgRP0q7oLPC+Ln+bFP8gWG8v2nyEFY=,iv:YqvVjBFG/WZg1l4aMAiioOruWZ9zcTMr74DVW+1+2DQ=,tag:ePBXd4ddipJtxhFE1amfMg==,type:str]
-GITEA: ENC[AES256_GCM,data:TGsye52g8DVOk51o1dWfF6x3m6BFPe0MtUbOayxYejaYSZ4cDCfx02EPAhiL3FJGLfidZt7+WpjhVqJvFeCvJ1OXdYMQyuL3akPBCmEjmBgBhJvEjVtVgV3aNMS21gy3o0RG/MXDXOLpjHeaXn3G/XWKsv5bw+gg94bDirOguLC5eaFxddn5/UGFvfwXzDmkoNmc9zufGvVpUkRy8rju/TjOz4Q5GZk1gXWtJWdkTGhuVYVBDDHIQq9DBS0qXi8tP3FvY8prOi/c5ZbyyZjTOgNpWB9uU4HkHz4aUTMFIrPFwUeWmNMIdyUmarSQ7tDDdhBfIiLhb94jaMATHq+PfwwpCcmiTfBEG3OS/3SXPMWg6jhfUxvxsKNT2HQca31B9IRqlitaio3r6KEPBTYh2nWtFO9d5Is7TUWkGsOaV+0JSiNPNh5uD7kNyBxsKUKcND7JXMxW/TZOqARY64x6IwDrbcypsyMW5i+4Er1/0HCvZ7FBH1XkTul8vBGF5ZGD/tYp/m6Ld26GKYkj967eYIwlNFcOMGNue5PyJfFCq0qWbLWO9dFA9c2e9r81DCD8y/0S3Ts7X7TkXVGShm7JoMqb8dzg9i6CoNlmbPAM5GwoNV3ftQugvqEGMk5UIvf05YsgSNvq4UJbhsT4bZqpV0plnxYD5TswCGF/XQ3nwwFTudmf1OLcgYwM2NckbVui128o1Rw=,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str]
+INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
+AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str]
 sops:
    age:
        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
@@ -26,8 +20,8 @@ sops:
            S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
            d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-11T22:33:41Z"
-    mac: ENC[AES256_GCM,data:276HHpEW56HOvKKbNPM79QrEBYDM590bOLfsgssSb79jm+LzrgLlYk2QImmXArADWby4Ai4jBPL4EahNm+a3aBazMEbwAu+EorvORE2P12W5C1ztskx5XUI3yDKY96jlZvmpXsqefa2pOQc1USk8ai/Obd5MLK06kMr2w3a7P9s=,iv:NJoe1lvw1hrWNL79Ux065UkSEDEEc0+NqlqB4tk3mAw=,tag:YTjIvEP1BO69Pa0qispMLQ==,type:str]
+    lastmodified: "2026-05-06T01:10:20Z"
+    mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str]
    pgp:
        - created_at: "2026-05-05T23:46:27Z"
          enc: |-
--- a/modules/shared/colors/default.nix
+++ b/modules/shared/colors/default.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{ config, ... }: {
  imports = [ ./sorahiro.nix ];

  colorScheme.palette.border-radius = "#8";
--- a/modules/shared/colors/sorahiro.nix
+++ b/modules/shared/colors/sorahiro.nix
@@ -1,4 +1,4 @@
-{ ... }: 
+{ nix-colors, ... }: 
 let use_pastelle = true;
 in{
  # usage:  a = "#${config.colorScheme.palette.base00}";
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -82,9 +82,18 @@ let
  };
  serverOpt = with lib; {
    hostDomain = mkOption { type = types.str; };
+    shortName = mkOption { type = types.str; };
    mailDomain = mkOption { type = types.str; };
    mailServer = mkOption { type = types.str; };

+    dbHost = mkOption {
+      type = types.str;
+      default = "localhost";
+    };
+    dbPort = mkOption {
+      type = types.str;
+      default = "3306";
+    };
    configPath = mkOption {
      type = types.str;
      default = "/media/config";
@@ -93,32 +102,22 @@ let
      type = types.str;
      default = "/media/data";
    };
-
-    colorScheme = mkOption {
-      #type = types.submodule {
-      #  options = {
-      #    slug = mkOption { type = types.str; };
-       #   name = mkOption { type = types.str; };
-       #   palette = mkOption { 
-            type = types.attrs; #default = {};# };
-        #};
-     # };
-      default = (lib.evalModules { modules =[ { freeformType = with lib.types; attrsOf anything; } ../colors ];}).config.colorScheme ;
-    };
    containers  = mkOption {
      type = types.attrsOf (types.submodule {
        options = {
          enable = mkOption { type = types.bool;default = false; };
          db = mkOption { type = types.bool;default = false; };
-          sops = mkOption { type = types.bool;default = false; };
-          ip = mkOption { type = types.nullOr types.str; default = null;};
-          subdomain = mkOption { type = types.nullOr types.str; default=null;};
-          port = mkOption { type = types.nullOr types.port; default = null; };
-          extra = mkOption { type = types.attrs; default = {}; };
+          ip = mkOption { type = types.str; };
+          port = mkOption { type = types.port; };
+          extraParam = mkOption { type = types.str; default = ""; };
        };
      });
      default = {};
    };
+    sops = mkOption {
+      type = types.bool;
+      default = false;
+    };
    openssh = mkOption {
      type = types.bool;
      default = false;
@@ -131,7 +130,7 @@ let
      type = types.bool;
      default = false;
    };
-    ipfw = {
+    nftables = {
      enable = mkOption {
        type = types.bool;
        default = false;
--- a/systems/gateway/cfg.nix
+++ b/systems/gateway/cfg.nix
@@ -29,7 +29,7 @@
      openssh = true;
      wireguard = true;
      web = true;
-      ipfw = {
+      nftables = {
        enable = true;
        ifs = ["ens3" "wg0" ];
        ports = [
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -21,44 +21,22 @@
    server = {
      openssh = true;
      web = true;
+      sops = true;

      hostDomain = "test.helcel.net";
+      shortName = "testcel";
      mailDomain = "test@helcel";
      mailServer = "infomaniak.ch";
+
+      dbHost = "localhost";
      
      containers = {
-
-        traefik = {
-          enable = true;
-          sops = true;
-          subdomain = "traefik";
-          extra={provider="infomaniak";};
-        };
+        #cloud = {enable = true;};
        authentik = {
          enable = true;
          db = true;
-          subdomain = "sso";
-          port = 9000;
-        };
-        nextcloud = {
-          enable = true;
-          db = true;
-          subdomain = "cloud";
-        };
-        collabora = {
-          enable = true;
-          sops = true;
-          subdomain = "office";
-        };
-        etherpad = {
-          enable = true;
-          db = true;
-          subdomain = "pad";
-        };
-        gitea = {
-          enable = true;
-          db = true;
-          subdomain = "git";
+          ip = "10.88.0.125";
+          port = 9000 ;
        };
      };
    };
Author	SHA1	Message	Date
bot	fc0e449a99	Merge pull request 'Lock file maintenance' (#278 ) from renovate/lock-file-maintenance into main	2026-05-24 04:07:46 +02:00
Renovate Bot	123d04f12d	Lock file maintenance	2026-05-24 02:07:43 +00:00
bot	489a9f2d5c	Merge pull request 'Lock file maintenance' (#277 ) from renovate/lock-file-maintenance into main	2026-05-23 04:04:16 +02:00
Renovate Bot	f8446664dc	Lock file maintenance	2026-05-23 02:04:14 +00:00
bot	0f38465422	Merge pull request 'Lock file maintenance' (#276 ) from renovate/lock-file-maintenance into main	2026-05-17 04:04:25 +02:00
Renovate Bot	b0cdf80594	Lock file maintenance	2026-05-17 02:04:18 +00:00
bot	c7bec63eaa	Merge pull request 'Lock file maintenance' (#275 ) from renovate/lock-file-maintenance into main	2026-05-16 04:04:49 +02:00
Renovate Bot	e9c0a2827a	Lock file maintenance	2026-05-16 02:04:47 +00:00
bot	7b620b260c	Merge pull request 'Lock file maintenance' (#274 ) from renovate/lock-file-maintenance into main	2026-05-10 04:06:54 +02:00
Renovate Bot	1f8df0ca67	Lock file maintenance	2026-05-10 02:06:42 +00:00
bot	317b4fdbfa	Merge pull request 'Lock file maintenance' (#273 ) from renovate/lock-file-maintenance into main	2026-05-09 04:04:40 +02:00
Renovate Bot	dea9bca8f3	Lock file maintenance	2026-05-09 02:04:36 +00:00