Lock file maintenance

.gitea/workflows/build.yml

@@ -12,17 +12,17 @@ jobs:
   build-nixos:
     runs-on: ubuntu-latest
     steps: 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
       
       - name: "Install Nix ❄️"
-        uses: cachix/install-nix-action@v31
+        uses: cachix/install-nix-action@v27
 
     #  - uses: DeterminateSystems/nix-installer-action@v4
-      - uses: DeterminateSystems/magic-nix-cache-action@v13
-      - uses: DeterminateSystems/flake-checker-action@v12
+      - uses: DeterminateSystems/magic-nix-cache-action@v8
+      - uses: DeterminateSystems/flake-checker-action@v9
 
       - name: "Install Cachix ❄️"
-        uses: cachix/cachix-action@v17
+        uses: cachix/cachix-action@v15
         with:
           name: helcel
           authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"

.gitea/workflows/update.yml

@@ -13,15 +13,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - name: Install nix
-        uses: DeterminateSystems/nix-installer-action@v22
+        uses: DeterminateSystems/nix-installer-action@v14
         with:
           github-token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
           extra_nix_config: |
             experimental-features = nix-command flakes            
       - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@v28
+        uses: DeterminateSystems/update-flake-lock@v24
         with:
           token: ${{ secrets.GT_TOKEN_FOR_UPDATES }}
           pr-title: "[chore] Update flake.lock"

.gitignore

@@ -2,4 +2,3 @@ result
 age-key.txt
 .decrypted~common.yaml
 .decrypted*
-.tmp

.sops.yaml

@@ -9,57 +9,55 @@ keys:
     - &avalon age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &valinor age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-    - &gateway age1lqvnzlendlmtwgstzrj4xzrwpatwx56k5az5au78fyg99yecwfzs3s6xn6
-    - &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
 
 creation_rules:
   - path_regex: modules/shared/sops/private/iriy.[a-z]+
     key_groups:
-      - age:
-          - *iriy
-        pgp:
-          - *sora
+    - age:
+      - *iriy
+      pgp:
+      - *sora
   - path_regex: modules/shared/sops/private/avalon.[a-z]+
     key_groups:
-      - age:
-          - *avalon
-        pgp:
-          - *sora
+    - age:
+      - *avalon
+      pgp:
+      - *sora
   - path_regex: modules/shared/sops/private/valinor.[a-z]+
     key_groups:
-      - age:
-          - *valinor
-        pgp:
-          - *sora
+    - age:
+      - *valinor
+      pgp:
+      - *sora
   - path_regex: modules/shared/sops/private/asgard.[a-z]+
     key_groups:
-      - age:
-          - *asgard
-        pgp:
-          - *sora
+    - age:
+      - *asgard
+      pgp:
+      - *sora
 
   - path_regex: modules/shared/sops/common.[a-z]+
     key_groups:
-      - age:
-          - *valinor
-          - *iriy
-          - *avalon
-          - *asgard
-          - *gateway
-        pgp:
-          - *sora
+    - age:
+      - *valinor
+      - *iriy
+      - *avalon
+      - *asgard
+      pgp:
+      - *sora
   
   - path_regex: modules/shared/sops/mock.[a-z]+
     key_groups:
-      - age:
-          - *ci
-          - *sandbox
+    - age:
+      - *ci
+
 
   - path_regex: modules/server/sops/server.[a-z]+
     key_groups:
-      - age:
-          - *avalon
-          - *sandbox
-
-        pgp:
-          - *sora
+    - age:
+      - *valinor
+      - *iriy
+      - *avalon
+      - *asgard
+      pgp:
+      - *sora

flake.lock

@@ -1,19 +1,53 @@
 {
   "nodes": {
+    "aquamarine": {
+      "inputs": {
+        "hyprutils": [
+          "hyprland",
+          "hyprutils"
+        ],
+        "hyprwayland-scanner": [
+          "hyprland",
+          "hyprwayland-scanner"
+        ],
+        "nixpkgs": [
+          "hyprland",
+          "nixpkgs"
+        ],
+        "systems": [
+          "hyprland",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726665257,
+        "narHash": "sha256-rEzEZtd3iyVo5RJ1OGujOlnywNf3gsrOnjAn1NLciD4=",
+        "owner": "hyprwm",
+        "repo": "aquamarine",
+        "rev": "752d0fbd141fabb5a1e7f865199b80e6e76f8d8e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hyprwm",
+        "repo": "aquamarine",
+        "type": "github"
+      }
+    },
     "arion": {
       "inputs": {
         "flake-parts": "flake-parts",
         "haskell-flake": "haskell-flake",
+        "hercules-ci-effects": "hercules-ci-effects",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1770259557,
-        "narHash": "sha256-EvZ09k9+mzXAngPzU2K7oLLUDlKoT1numb4bDb3Gtl4=",
+        "lastModified": 1722825873,
+        "narHash": "sha256-bFNXkD+s9NuidZePiJAjjFUnsMOwXb7hEZ4JEDdSALw=",
         "owner": "hercules-ci",
         "repo": "arion",
-        "rev": "9b24cf65c72cb0e9616e437d55e1ac8e5c6bc715",
+        "rev": "90bc85532767c785245f5c1e29ebfecb941cf8c9",
         "type": "github"
       },
       "original": {
@@ -45,11 +79,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777780666,
-        "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
+        "lastModified": 1727003835,
+        "narHash": "sha256-Cfllbt/ADfO8oxbT984MhPHR6FJBaglsr1SxtDGbpec=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
+        "rev": "bd7d1e3912d40f799c5c0f7e5820ec950f1e0b3d",
         "type": "github"
       },
       "original": {
@@ -67,11 +101,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769996383,
-        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
+        "lastModified": 1722555600,
+        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
+        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
         "type": "github"
       },
       "original": {
@@ -83,31 +117,31 @@
     "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": [
-          "nur",
+          "arion",
+          "hercules-ci-effects",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1733312601,
-        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "lastModified": 1712014858,
+        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
         "type": "github"
       },
       "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
+        "id": "flake-parts",
+        "type": "indirect"
       }
     },
     "hardware": {
       "locked": {
-        "lastModified": 1778143761,
-        "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
+        "lastModified": 1727040444,
+        "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
+        "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac",
         "type": "github"
       },
       "original": {
@@ -132,6 +166,28 @@
         "type": "github"
       }
     },
+    "hercules-ci-effects": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "arion",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1719226092,
+        "narHash": "sha256-YNkUMcCUCpnULp40g+svYsaH1RbSEj6s4WdZY/SHe38=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "rev": "11e4b8dc112e2f485d7c97e1cee77f9958f498f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -139,20 +195,183 @@
         ]
       },
       "locked": {
-        "lastModified": 1777851538,
-        "narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
+        "lastModified": 1727111745,
+        "narHash": "sha256-EYLvFRoTPWtD+3uDg2wwQvlz88OrIr3zld+jFE5gDcY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
+        "rev": "21c021862fa696c8199934e2153214ab57150cb6",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
     },
+    "hyprcursor": {
+      "inputs": {
+        "hyprlang": [
+          "hyprland",
+          "hyprlang"
+        ],
+        "nixpkgs": [
+          "hyprland",
+          "nixpkgs"
+        ],
+        "systems": [
+          "hyprland",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722623071,
+        "narHash": "sha256-sLADpVgebpCBFXkA1FlCXtvEPu1tdEsTfqK1hfeHySE=",
+        "owner": "hyprwm",
+        "repo": "hyprcursor",
+        "rev": "912d56025f03d41b1ad29510c423757b4379eb1c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hyprwm",
+        "repo": "hyprcursor",
+        "type": "github"
+      }
+    },
+    "hyprland": {
+      "inputs": {
+        "aquamarine": "aquamarine",
+        "hyprcursor": "hyprcursor",
+        "hyprlang": "hyprlang",
+        "hyprutils": "hyprutils",
+        "hyprwayland-scanner": "hyprwayland-scanner",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems",
+        "xdph": "xdph"
+      },
+      "locked": {
+        "lastModified": 1727135369,
+        "narHash": "sha256-//NqvBEEKKKHHSEBmN8tn7ZHFFNLDdjEamNFev2h6L8=",
+        "ref": "refs/heads/main",
+        "rev": "d279d7c4c6fe27c1944d8e9b51c4730612c8a9ae",
+        "revCount": 5251,
+        "submodules": true,
+        "type": "git",
+        "url": "https://github.com/hyprwm/Hyprland"
+      },
+      "original": {
+        "submodules": true,
+        "type": "git",
+        "url": "https://github.com/hyprwm/Hyprland"
+      }
+    },
+    "hyprland-protocols": {
+      "inputs": {
+        "nixpkgs": [
+          "hyprland",
+          "xdph",
+          "nixpkgs"
+        ],
+        "systems": [
+          "hyprland",
+          "xdph",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1721326555,
+        "narHash": "sha256-zCu4R0CSHEactW9JqYki26gy8h9f6rHmSwj4XJmlHgg=",
+        "owner": "hyprwm",
+        "repo": "hyprland-protocols",
+        "rev": "5a11232266bf1a1f5952d5b179c3f4b2facaaa84",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hyprwm",
+        "repo": "hyprland-protocols",
+        "type": "github"
+      }
+    },
+    "hyprlang": {
+      "inputs": {
+        "hyprutils": [
+          "hyprland",
+          "hyprutils"
+        ],
+        "nixpkgs": [
+          "hyprland",
+          "nixpkgs"
+        ],
+        "systems": [
+          "hyprland",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725997860,
+        "narHash": "sha256-d/rZ/fHR5l1n7PeyLw0StWMNLXVU9c4HFyfskw568so=",
+        "owner": "hyprwm",
+        "repo": "hyprlang",
+        "rev": "dfeb5811dd6485490cce18d6cc1e38a055eea876",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hyprwm",
+        "repo": "hyprlang",
+        "type": "github"
+      }
+    },
+    "hyprutils": {
+      "inputs": {
+        "nixpkgs": [
+          "hyprland",
+          "nixpkgs"
+        ],
+        "systems": [
+          "hyprland",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726874949,
+        "narHash": "sha256-PNnIpwGqpTvMU3N2r0wMQwK1E+t4Bb5fbJwblQvr+80=",
+        "owner": "hyprwm",
+        "repo": "hyprutils",
+        "rev": "d97af4f6bd068c03a518b597675e598f57ea2291",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hyprwm",
+        "repo": "hyprutils",
+        "type": "github"
+      }
+    },
+    "hyprwayland-scanner": {
+      "inputs": {
+        "nixpkgs": [
+          "hyprland",
+          "nixpkgs"
+        ],
+        "systems": [
+          "hyprland",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726840673,
+        "narHash": "sha256-HIPEXyRRVZoqD6U+lFS1B0tsIU7p83FaB9m7KT/x6mQ=",
+        "owner": "hyprwm",
+        "repo": "hyprwayland-scanner",
+        "rev": "b68dab23fc922eae99306988133ee80a40b39ca5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hyprwm",
+        "repo": "hyprwayland-scanner",
+        "type": "github"
+      }
+    },
     "nix-colors": {
       "inputs": {
         "base16-schemes": "base16-schemes",
@@ -172,34 +391,34 @@
         "type": "github"
       }
     },
-    "nixUnstable": {
+    "nixMaster": {
       "locked": {
-        "lastModified": 1778274207,
-        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
+        "lastModified": 1727135852,
+        "narHash": "sha256-MddIcGJ9qbAFjj1WV5yQ2t7JsSE+c/nXmPJ5JgrwSSo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
+        "rev": "ee35dc7c19dd00e4a122e36b24603687f6d04359",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixpkgs-unstable",
+        "ref": "master",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1778003029,
-        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
+        "lastModified": 1726937504,
+        "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
+        "rev": "9357f4f23713673f310988025d9dc261c20e70c6",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-25.11",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -219,33 +438,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1777954456,
-        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nur": {
-      "inputs": {
-        "flake-parts": "flake-parts_2",
-        "nixpkgs": "nixpkgs_2"
-      },
       "locked": {
-        "lastModified": 1778376280,
-        "narHash": "sha256-pL2F2FF2FN7zWr5o/vG7GiYOSjp+DUNyPIYqNaLQFFs=",
+        "lastModified": 1727128777,
+        "narHash": "sha256-K2Auk4ZPRasHvMmFDHhGtt6L/JShaeS5+hqYU1O2Uq8=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "828688994167eb57628c98fd1d7e1223b079cda1",
+        "rev": "e868e9fd6c65c5e8ed4a5a5da4caed283b8f2219",
         "type": "github"
       },
       "original": {
@@ -260,25 +459,30 @@
         "darwin": "darwin",
         "hardware": "hardware",
         "home-manager": "home-manager",
+        "hyprland": "hyprland",
         "nix-colors": "nix-colors",
-        "nixUnstable": "nixUnstable",
+        "nixMaster": "nixMaster",
         "nixpkgs": "nixpkgs",
         "nur": "nur",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "umu": "umu"
       }
     },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1777944972,
-        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
+        "lastModified": 1726524647,
+        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
+        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
         "type": "github"
       },
       "original": {
@@ -286,6 +490,83 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "type": "github"
+      }
+    },
+    "umu": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "dir": "packaging/nix",
+        "lastModified": 1727047270,
+        "narHash": "sha256-7g+h/FZUWPpZ+UsTtb6aqbTY7znCqwxOk98Ilo9N6ZU=",
+        "ref": "refs/heads/main",
+        "rev": "3e71418d937f054e04ff9173f18e57756c1fd9d6",
+        "revCount": 728,
+        "submodules": true,
+        "type": "git",
+        "url": "https://github.com/Open-Wine-Components/umu-launcher/?dir=packaging/nix"
+      },
+      "original": {
+        "dir": "packaging/nix",
+        "submodules": true,
+        "type": "git",
+        "url": "https://github.com/Open-Wine-Components/umu-launcher/?dir=packaging/nix"
+      }
+    },
+    "xdph": {
+      "inputs": {
+        "hyprland-protocols": "hyprland-protocols",
+        "hyprlang": [
+          "hyprland",
+          "hyprlang"
+        ],
+        "hyprutils": [
+          "hyprland",
+          "hyprutils"
+        ],
+        "hyprwayland-scanner": [
+          "hyprland",
+          "hyprwayland-scanner"
+        ],
+        "nixpkgs": [
+          "hyprland",
+          "nixpkgs"
+        ],
+        "systems": [
+          "hyprland",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1727109343,
+        "narHash": "sha256-1PFckA8Im7wMSl26okwOKqBZeCFLD3LvZZFaxswDhbY=",
+        "owner": "hyprwm",
+        "repo": "xdg-desktop-portal-hyprland",
+        "rev": "4adb6c4c41ee5014bfe608123bfeddb26e5f5cea",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hyprwm",
+        "repo": "xdg-desktop-portal-hyprland",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,14 +1,14 @@
 {
   description = "SoraFlake";
   inputs = {
-    # Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable"
-    nixUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
+# Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable"
+    nixMaster.url = "github:nixos/nixpkgs/master";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     hardware.url = "github:nixos/nixos-hardware";
     nur.url = "github:nix-community/nur";
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-25.11";
+      url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -17,11 +17,24 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    hyprland = {
+      url = "git+https://github.com/hyprwm/Hyprland?submodules=1";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    umu= {
+      url = "git+https://github.com/Open-Wine-Components/umu-launcher/?dir=packaging\/nix&submodules=1";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs-stable.follows = "nixpkgs";
     };
     nix-colors.url = "github:misterio77/nix-colors";
+
+    arion.url = "github:hercules-ci/arion";
+    arion.inputs.nixpkgs.follows = "nixpkgs";
+
   };
 
   outputs = inputs:
@@ -36,7 +49,6 @@
         avalon = gen.generate { host = "avalon"; };
         ci = gen.generate { host = "ci"; };
         sandbox = gen.generate { host = "sandbox"; };
-        gateway = gen.generate { host = "gateway"; };
       };
       darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
       homeConfigurations = {

generator.nix

@@ -13,6 +13,7 @@
           ./modules/nixos
           syscfg
           ./systems/${host}
+          inputs.arion.nixosModules.arion
           inputs.sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.home-manager
           {
@@ -28,8 +29,7 @@
                   syscfg
                   { usercfg = userConfig; }
                   inputs.nix-colors.homeManagerModule
-                  # inputs.hyprland.homeManagerModules.default
-                  inputs.sops-nix.homeManagerModules.sops
+                  inputs.hyprland.homeManagerModules.default
                 ];
               }) syscfg.syscfg.users);
           }
@@ -53,7 +53,7 @@
               nameValuePair userConfig.username {
                 imports = [
                   inputs.nix-colors.homeManagerModule
-                  inputs.sops-nix.homeManagerModules.sops
+                  inputs.hyprland.homeManagerModules
                 ];
               }) syscfg.syscfg.users);
           }

modules/home/base/default.nix

@@ -1,6 +1,5 @@
 { lib, config, ... }: {
 
-  #environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath;
   systemd.user.startServices = "sd-switch";
   programs.home-manager.enable = true;
 
@@ -8,14 +7,6 @@
     username = "${config.usercfg.username}";
     homeDirectory = "/home/${config.usercfg.username}";
 
-    stateVersion = "24.11";
+    stateVersion = "23.11";
   };
-
-
-  #SOPS
-  # sops.defaultSopsFile = ./sops/${config.usercfg.username}.yaml;
-  # sops.age.keyFile = "/var/lib/sops-nix/age-key.txt";
-  # sops.age.generateKey = true;
-  # sops.secrets."github_user_key" = { };
-  # sops.secrets."curse_forge_key" = { };
 }

modules/home/base/sops/sora.yaml

@@ -1,69 +0,0 @@
-curse_forge_key: ENC[AES256_GCM,data:PhhwPhUys/WDzXb40iFlrUcwFEJVzi49vDlm5Hpc7IUwbBiQI1Zvi6115THMvarnGESDyouPfoZP0wha,iv:x//EzR4QwdD0UxqV97yUepc39DopoqiDT21unpF9R2E=,tag:5jM1EibWo0wI+PS70+kb/Q==,type:str]
-github_user_key: ENC[AES256_GCM,data:RvBsQjWGd2qRCvBzcpMv8FIXGY/GiPd9o0x2Oq+NlbXxR2NMqNBNLw==,iv:99AcmOWFft7XQAn7YrGjZuCvz0M5wUkYeInsWwyeUFM=,tag:wkw2YQGi9j/8XtOFd8KhdQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraWFDRFUxQ2l5OWV1OXNK
-            UExEbWZkM0kzVk1rZG4yY3pBLzdMVWVJS0UwCnhlWFJ5T2lZUXJyNkg1ejQxaU1t
-            L3F2RUhldTY3N2xXL0hwczNKRzNjcncKLS0tIEkycHoxcDBGNyt2V3RDY29wNGVp
-            TGg5Rk05VkRsaXM1Q0NxMmtMajRORDAKqjFldiAYJKjmnkeDkwanjYvhL6645DZ5
-            dVXExjqO/DG733ge8HFyKzpfpkzRymV1giUwxBdII1dd0mJ2ncINeA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UkRjblIvYStZUzQyRHA1
-            ZGVXeHhrN0kyVkxZdms5U3gwVFlPMW12MVJjCjRkVURpZXBzb0tYenB4dGxKamh6
-            VXVBMmo1Ujkvd2VTRExyWE5MbVJaclUKLS0tIDVhRkYzZmEzUG00Q2IwOWZUMVVt
-            ODVIbytpcjN1cVMyaG1qVVdkRmtaMzQKNsvD9DpK/raDBob+IcuNk72tQDts36kJ
-            QhtoLy8MvUymi49PdEWrgyf68w5XwRO/U4iINhR0qzm0glg/XcyHjA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJc3hKWkk3ckNOY2UyTVhG
-            MmtLaEd0K04yaGxiOUoxMXkzOEFnYis4VkhnCktDRFM2bS8vb05OWDdwa0RwRlNO
-            cmlZemtxVGZ6S0tNTDV1cmE1N0pVWnMKLS0tIE9EZllycHJpcEY2R1pwOFhOZEU3
-            L01IcytDd3BPb0VOTW9DQ2lUdUVJS0kKiD+C+3mK1b/eIwCEFanFgYGLNk3JNPQ7
-            i1UqzbHVxSd0q/YVwdKAcj0jA6EezGm275tgq7IVsy2sHkvRMaEDtQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweVU3TkxFZzRnd2I2clN2
-            ZTlTWmhwQkhVc1hnOXFvZVVDSWpHMVh1TGtrCkc3M1pUTnZCMHpvYXB5ZVhreGxa
-            ZVY2cG5Ja2ltL3k2Q1VEalc5TTNFMXcKLS0tIGd5UWl0RGVXT211Zm51dlB6WFZ1
-            STRtTVpVTCtVZ1FUNENqWFFVNTNuaVUKN6HRiZjTdENeif8dJ29urBxPXDaosjjY
-            InN4Ko6YUaGfvB1DTrKIzrxOpsHS+XjisoGfT71tJwwEOoREklEO/A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-23T18:05:22Z"
-    mac: ENC[AES256_GCM,data:YSi2xIwz50VxUDL3QzGVUwRWUgZhvudSLCKgwIbWm8gkuAJ/V2sVRhJNVQJ1YvLO44ob5hmrgR4wSnOdAbS7FrpbLcJuoYBjVUTDjy+j6otnIDxEcYeciHhZ1pV/OiydBmJC+lZ4+SRdWdokL2HaXRKgc9QT9e/MdAbFIzI1x90=,iv:8rj8yEqHTMgoGu31RVskYizmROB/5I0ajZJ/EcmlVfE=,tag:PILFCyXY8sXYGxCEHS7qCg==,type:str]
-    pgp:
-        - created_at: "2023-04-20T10:20:17Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            wcFMA6R3Y9nD7qMBAQ/8CVWQaYKfOzvPIllZyyWpUjHRLLXaR8MNJ8U5WI/tdwdN
-            9UScDYJFuYRW7Q9s4Mt961kBGpaHqe9MUZBxUDlYX59+EN3FbO/eMQ5OqI05ESmL
-            TvZB4+S9C5o73nuypSDNvYz+Lgq6DO25ZPhXdtPhx2DE4G31/wft/LpxhjalIjI8
-            MU0Dv22R4qC+glJbe4GIF2IJ8XoxnnzjiGeSqiyv0QIBM0SzOtA5sKwNohWBnW7g
-            7vxOTm5+kyzG0dDjt3tFApgPDaA1wjofzhRuuveF52VBsuIA2opFdpqkyICvK6rn
-            NB5kUaPlY6A0m+n0oHSfY5wm/AnHNE4Oob/ifumAaB0EAJVUTRauI5M8SeJF0ya1
-            U0IQ9N2lb7Y6q4pqHywIa6fnylsqCfxInAYKMuslRq8f9t/qakb4/MYcnPrwpzjw
-            73/naiNoJmG6NVTkM52qTtOqZAmsaQd5cigTuPW2Z2CJq1yLZEVGSSd1DUGUjBDK
-            nQGucpVVVpD+ifrIPz+Iqwy+5NoZZm/Oa9pKJGFzqXinnDNZaqtgpmTw9QxcSeaP
-            VvGZG9CDd89MtAm1VQyuqi1bQ2faq3G0xNrLl7xUsfmjx4ofW+JXR87OzvGfLPhu
-            Sjl3kS9j5/MEBRBg3n9gNkgSu5Sy3ilhckY3yjTgAT9Gw2giDhCiUXi1/7KrGprS
-            UQHPCSsjyWsyuYVa3lAP/WPdVclc4WOdfYcetUCXBVP7LQr0bq+IG+2J0nnY3mDt
-            Va5k4sP1qu6Ecrs2JioQ1V2H+VmcrRykBWnMXl1tDSWKMA==
-            =pS8X
-            -----END PGP MESSAGE-----
-          fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2

modules/home/cli/git/default.nix

@@ -1,17 +1,15 @@
-{ config, lib, pkgs, ... }: {
+{ config, pkgs, ... }: {
 
   programs.git = {
     enable = true;
-    signing = lib.mkIf (config.usercfg.git.key != null) {
-      key = config.usercfg.git.key;
+    userEmail = "${config.usercfg.git.email}";
+    userName = "${config.usercfg.git.username}";
+    signing = {
+      key = "${config.usercfg.git.key}";
       signByDefault = true;
     };
     ignores = [ "*result*" ".direnv" "node_modules" ];
-    settings = {
-      core.hooksPath = "./.dev/hooks"; 
-      user.email = "${config.usercfg.git.email}";
-      user.name = "${config.usercfg.git.username}";
-    };
+    extraConfig = { core.hooksPath = "./.dev/hooks"; };
   };
 
   home.packages = with pkgs; [ tig ];

modules/home/cli/other/default.nix

@@ -12,7 +12,7 @@
     cbonsai
     pipes-rs
     cmatrix
-    #cava
+    cava
     sl
   ];
 }

modules/home/cli/zsh/default.nix

@@ -9,14 +9,12 @@ in {
       "sudo" = "sudo ";
       "devsh" =
         "nix develop --profile /tmp/devsh-env ${nixflake_url}#devsh -c zsh";
-      "cdevsh" =
-        "nix develop --profile /tmp/devsh-env -c zsh";
       "nixb" = "(sudo nixos-rebuild switch --flake ${nixflake_url})";
       "nixgc" = "sudo nix-collect-garbage -d && nix-collect-garbage -d";
       "ssh" = "TERM=xterm-256color  ${pkgs.openssh}/bin/ssh";
       "top" = "btop";
     };
-    initContent = ''
+    initExtra = ''
       sopsu() {nix-shell -p sops --run "sops updatekeys $1";}
       sopsn() {nix-shell -p sops --run "sops $1";}
     '';

modules/home/gui/apps/develop/default.nix

@@ -2,6 +2,6 @@
   imports = [ ./vscodium ];
 
   config = lib.mkIf (config.syscfg.make.develop) {
-    home.packages = with pkgs; [ blender godot_4 openscad-unstable orca-slicer pandoc claude-code];
+    home.packages = with pkgs; [ blender godot_4 ];
   };
 }

modules/home/gui/apps/develop/vscodium/default.nix

@@ -4,17 +4,14 @@
     programs.vscode = {
       enable = true;
       package = pkgs.vscodium;
-      #profiles.default = {
-        profiles.default.extensions = with pkgs.vscode-extensions; [
-          bbenoist.nix
-          esbenp.prettier-vscode
-          golang.go
-          ms-python.vscode-pylance
-          ms-vscode.cpptools
-          dbaeumer.vscode-eslint
-          continue.continue 
-        ];
-      #};
+      extensions = with pkgs.vscode-extensions; [
+        bbenoist.nix
+        esbenp.prettier-vscode
+        golang.go
+        ms-python.vscode-pylance
+        ms-vscode.cpptools
+        dbaeumer.vscode-eslint
+      ];
     };
   };
 }

modules/home/gui/apps/pipewire/default.nix

@@ -25,20 +25,6 @@
                 }
             }
         }
-        {   name = "libpipewire-module-loopback"
-            args = {
-                node.description = "Virtual Loopback"
-                audio.position = [ FL FR ]
-                capture.props = {
-                    media.class = "Audio/Sink"
-                    node.name = "vloopback_sink"
-                }
-                playback.props = {
-                    media.class = "Audio/Source"
-                    node.name = "vloopback_source"
-                }
-            }
-        }
       ]
     '';
   };

modules/home/gui/base/default.nix

@@ -10,11 +10,10 @@
       xfce.tumbler
 
       telegram-desktop
-      discord-canary
+      discord
       pavucontrol
       keepassxc
       nextcloud-client
-
       gramps
     ];
   };

modules/home/gui/games/default.nix

@@ -1,22 +1,23 @@
 { inputs, lib, config, pkgs, ... }: {
 
-  imports = [ ./openttd.nix ./wow.nix ];
+  imports = [ ./openttd.nix ];
 
   config = lib.mkIf (config.syscfg.make.game) {
 
     home.packages = with pkgs; [
+      # custom.simc
 
       #games
-      # steam
+      steam
       gamemode
-      #gamescope
-      #mangohud
+      gamescope
+      mangohud
       prismlauncher
       openttd-jgrpp
-      #bottles
+      bottles
       lutris
-      unstable.umu-launcher
-      # wine
+      inputs.umu.packages.${pkgs.system}.umu
+      wine
     ];
   };
 

modules/home/gui/games/wow.nix

@@ -1,23 +0,0 @@
-{ pkgs, lib, config, sops, ... }: {
-
-  config = lib.mkIf (config.syscfg.make.game) {
-
-    home.packages = with pkgs;
-      [
-        # custom.simc
-        unstable.instawow
-      ];
-
-    # templates buggy currently
-    #xdg.configFile."instawow/config.json" = ''${config.sops.templates."instawow_config.json".path}'';
-    sops.templates."instawow_config.json".content = ''
-       {
-            "auto_update_check": true,
-            "access_tokens": {
-              "cfcore": "${config.sops.placeholder.curse_forge_key}",
-              "github": "${config.sops.placeholder.github_user_key}",
-              "wago_addons": null
-            }
-        }'';
-  };
-}

modules/home/gui/theme/gtk-theme-gen.nix

@@ -11,8 +11,8 @@ in pkgs.stdenv.mkDerivation rec {
   src = pkgs.fetchFromGitHub {
     owner = "vinceliuice";
     repo = "Orchis-theme";
-    rev = "5b73376721cf307101e22d7031c1f4b1344d1f63";
-    sha256 = "sha256-+2/CsgJ+rdDpCp+r5B/zys3PtFgtnu+ohTEUOtJNd1Y=";
+    rev = "be8b0aff92ed0741174b74c2ee10c74b15be0474";
+    sha256 = "sha256-m7xh/1uIDh2BM0hTPA5QymXQt6yV7mM7Ivg5VaF2PvM=";
   };
 
   nativeBuildInputs = with pkgs; [ gtk3 sassc ];
@@ -22,43 +22,43 @@ in pkgs.stdenv.mkDerivation rec {
   preInstall = ''
     mkdir -p $out/share/themes
     cat > src/_sass/_color-palette-${scheme.slug}.scss << 'EOF'
-      $red-light: #${scheme.palette.low0F};
-      $red-dark: #${scheme.palette.high0F};
+      $red-light: #${scheme.palette.base0F};
+      $red-dark: #${scheme.palette.base0F};
 
-      $pink-light: #${scheme.palette.low0E};
-      $pink-dark: #${scheme.palette.high0E};
+      $pink-light: #${scheme.palette.base0E};
+      $pink-dark: #${scheme.palette.base0E};
 
-      $purple-light: #${scheme.palette.low0D};
-      $purple-dark: #${scheme.palette.high0D};
+      $purple-light: #${scheme.palette.base0D};
+      $purple-dark: #${scheme.palette.base0D};
 
-      $blue-light: #${scheme.palette.low0C};
-      $blue-dark: #${scheme.palette.high0C};
+      $blue-light: #${scheme.palette.base0C};
+      $blue-dark: #${scheme.palette.base0C};
 
-      $teal-light: #${scheme.palette.low0B};
-      $teal-dark: #${scheme.palette.high0B};
+      $teal-light: #${scheme.palette.base0B};
+      $teal-dark: #${scheme.palette.base0B};
 
-      $green-light: #${scheme.palette.low0A};
-      $green-dark: #${scheme.palette.high0A};
-      $sea-light: #${scheme.palette.alt_low0B};
-      $sea-dark: #${scheme.palette.alt_high0B};
+      $green-light: #${scheme.palette.base0A};
+      $green-dark: #${scheme.palette.base0A};
+      $sea-light: #${scheme.palette.base0B};
+      $sea-dark: #${scheme.palette.base0B};
 
-      $yellow-light: #${scheme.palette.low09};
-      $yellow-dark: #${scheme.palette.low09};
+      $yellow-light: #${scheme.palette.base09};
+      $yellow-dark: #${scheme.palette.base09};
 
-      $orange-light: #${scheme.palette.low08};
-      $orange-dark: #${scheme.palette.high08};
+      $orange-light: #${scheme.palette.base08};
+      $orange-dark: #${scheme.palette.base08};
 
       $grey-050: #${scheme.palette.base07};
       $grey-100: #${scheme.palette.base07};
-      $grey-150: #${scheme.palette.base06};
+      $grey-150: #${scheme.palette.base07};
       $grey-200: #${scheme.palette.base06};
-      $grey-250: #${scheme.palette.base05};
+      $grey-250: #${scheme.palette.base06};
       $grey-300: #${scheme.palette.base05};
-      $grey-350: #${scheme.palette.base04};
+      $grey-350: #${scheme.palette.base05};
       $grey-400: #${scheme.palette.base04};
-      $grey-450: #${scheme.palette.base03};
+      $grey-450: #${scheme.palette.base04};
       $grey-500: #${scheme.palette.base03};
-      $grey-550: #${scheme.palette.base02};
+      $grey-550: #${scheme.palette.base03};
       $grey-600: #${scheme.palette.base02};
       $grey-650: #${scheme.palette.base02};
       $grey-700: #${scheme.palette.base01};

modules/home/wayland/apps/eww/bar/eww.yuck

@@ -48,7 +48,7 @@
 
 
 (defwindow bar
-    :monitor 1
+    :monitor 0
     :geometry (geometry
       :x "0%"
       :y "0%"

modules/home/wayland/apps/eww/bar/windows/calendar.yuck

@@ -1,5 +1,5 @@
 (defwindow calendar
-  :monitor 1
+  :monitor 0
   :geometry (geometry
     :x "0%"
     :y "0%"

modules/home/wayland/apps/eww/bar/windows/powermenu.yuck

@@ -34,7 +34,7 @@
 )
 
 (defwindow powermenu
-    :monitor 1
+    :monitor 0
     :stacking "overlay"
     :geometry (geometry 
                     :anchor "center"

modules/home/wayland/apps/eww/bar/windows/radio.yuck

@@ -2,7 +2,7 @@
 (defvar radio_rev false)
 
 (defwindow radio
-  :monitor 1
+  :monitor 0
   :geometry (geometry
     :x "0%"
     :y "0%"

modules/home/wayland/apps/eww/bar/windows/sys.yuck

@@ -129,7 +129,7 @@
 )
 
 (defwindow sys
-  :monitor 1
+  :monitor 0
   :stacking "overlay"
   :geometry (geometry
     :x "0%"

modules/home/wayland/apps/kanshi/default.nix

@@ -7,52 +7,43 @@
       settings = [
         {
           profile.name = "tower_0";
-          profile.outputs = [
-            {
-              criteria = "AOC 24E1W1 GNSKCHA086899";
-              mode = "1920x1080@60.000";
-              position = "0,0";
-              status = "enable";
-              scale = 1.0;
-              adaptiveSync = true;
-            }
-            {
-              criteria = "AOC 24E1W1 GNSKBHA080346";
-              mode = "1920x1080@60.000";
-              position = "1920,0";
-              status = "enable";
-              scale = 1.0;
-              adaptiveSync = true;
-            }
-          ];
+          profile.outputs = [{
+            criteria = "CEX CX133 0x00000001";
+            mode = "1920x1200@59.972";
+            position = "0,0";
+            scale = 1.0;
+            status = "enable";
+          }];
         }
         {
           profile.name = "tower_1";
+          profile.outputs = [{
+            criteria = "AOC 16G3 1DDP7HA000348";
+            mode = "1920x1080@144.000";
+            position = "0,0";
+            status = "enable";
+            scale = 1.0;
+            adaptiveSync = true;
+          }];
+        }
+        {
+          profile.name = "tower_2";
           profile.outputs = [
             {
-              criteria = "AOC 24E1W1 GNSKCHA086899";
-              mode = "1920x1080@60.000";
-              position = "0,0";
-              status = "enable";
-              scale = 1.0;
-              adaptiveSync = true;
-            }
-            {
-              criteria = "AOC 24E1W1 GNSKBHA080346";
-              mode = "1920x1080@60.000";
-              position = "0,0";
-              status = "enable";
-              scale = 1.0;
-              adaptiveSync = true;
-            }
-            {
-              criteria = "LG UNKNOWN_TBD";
+              criteria = "AOC 16G3 1DDP7HA000348";
               mode = "1920x1080@144.000";
               position = "0,0";
               status = "enable";
               scale = 1.0;
               adaptiveSync = true;
             }
+            {
+              criteria = "CEX CX133 0x00000001";
+              mode = "1920x1200@59.972";
+              position = "0,1080";
+              scale = 1.0;
+              status = "enable";
+            }
           ];
         }
         {

modules/home/wayland/apps/waylock/default.nix

@@ -5,8 +5,6 @@
 
     xdg.configFile."swaylock/config".text = ''
       screenshots
-      grace-no-mouse
-      grace-no-touch
       grace=5
       effect-pixelate=5
       fade-in=0.2

modules/home/wayland/base/default.nix

@@ -17,12 +17,8 @@ in {
       dbus-hyprland-environment
       wayland
 
-      hyprpicker
-      
-      hyprshot
+      grim
       slurp
-      satty
-
       swappy
       cliphist
       wl-clipboard
@@ -46,8 +42,6 @@ in {
           [ "discord-402572971681644545.desktop" ];
         "x-scheme-handler/discord-696343075731144724" =
           [ "discord-696343075731144724.desktop" ];
-        "x-scheme-handler/tg" = [ "org.telegram.desktop.desktop" ];
-        "x-scheme-handler/tonsite" = [ "org.telegram.desktop.desktop" ];
         "x-scheme-handler/http" = [ "firefox.desktop" ];
         "x-scheme-handler/https" = [ "firefox.desktop" ];
         "x-scheme-handler/chrome" = [ "firefox.desktop" ];

modules/home/wayland/hyprland/config.nix

@@ -6,7 +6,7 @@
       xwayland.enable = true;
       extraConfig = ''
         monitor=,preferred,auto,auto
-        env=bitdepth,10
+
         input {
             kb_layout = us, ru
             kb_variant = intl, phonetic
@@ -61,10 +61,10 @@
             fullscreen_opacity = 1.0
                                       
             # shadow
-            # drop_shadow = no
-            # shadow_range = 60
-            # shadow_offset = 0 5
-            # shadow_render_power = 4
+            drop_shadow = no
+            shadow_range = 60
+            shadow_offset = 0 5
+            shadow_render_power = 4
             #col.shadow = rgba(00000099)
         }
                         
@@ -89,7 +89,9 @@
             new_status = master
         }
 
-        gesture = 3, vertical, workspace
+        gestures {
+            workspace_swipe = off
+        }
                         
         exec-once = eww open bar
         #exec-once = waybar
@@ -164,7 +166,7 @@
         bind = SUPER SHIFT,D,exec, ~/.config/hypr/themes/apatheia/eww/launch_bar 
 
         bind = SUPER, V, exec, cliphist list | wofi -dmenu | cliphist decode | wl-copy
-        bind = , PRINT, exec, hyprshot -m region --raw | satty --filename - --early-exit --action-on-enter save-to-clipboard --copy-command 'wl-copy'
+        bind =  , Print, exec, grim -g "$(slurp -d)" - | swappy -f -
 
         bind = SUPER, L, exec, swaylock 
 

modules/home/xorg/bspwm/config.nix

@@ -110,7 +110,7 @@
       telegram-desktop &
       nextcloud &
       jellyfin-mpv-shim &
-      #flameshot &
+      flameshot &
 
       sleep 2
 
@@ -265,7 +265,7 @@
 
       # Screenshots
       Print
-      	hyprshot -m region
+      	flameshot gui
 
       # Lock Desktop
       super + l

modules/home/xorg/bspwm/default.nix

@@ -5,7 +5,7 @@
   config = lib.mkIf (config.usercfg.wm == "X11") {
     xsession.windowManager.bspwm = { enable = true; };
     services.sxhkd = { enable = true; };
-    home.packages = with pkgs; [ xrandr arandr hyprshot xtrlock i3lock ];
+    home.packages = with pkgs; [ xrandr arandr flameshot xtrlock i3lock ];
 
   };
 }

modules/nixos/gui/audio/default.nix

@@ -3,8 +3,8 @@ let cfg = config.syscfg.make.gui;
 in {
   config = lib.mkIf cfg {
     # sound.enable = true;
+    hardware.pulseaudio.enable = false;
     security.rtkit.enable = true;
-    services.pulseaudio.enable = false; #25.05 change to services
     services.pipewire = {
       enable = true;
       alsa.enable = true;

modules/nixos/gui/games/default.nix

@@ -5,9 +5,6 @@ in {
     programs.steam = {
       enable = true;
       remotePlay.openFirewall = true;
-      extraCompatPackages = with pkgs;  [proton-ge-bin];
     };
-    programs.gamemode.enable = true;
-
   };
 }

modules/nixos/system/default.nix

@@ -1,9 +1,3 @@
 { ... }: {
   imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ];
-
-  # services.journald.extraConfig = ''
-  #   LineMax=128K
-  #   SystemMaxUse=512M
-  #   SystemMaxFileSize=128M
-  # '';
 }

modules/nixos/system/hw/boot/default.nix

@@ -9,7 +9,7 @@ in {
       };
       efi = {
         canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
+        efiSysMountPoint = "/boot/efi";
       };
     };
   };

modules/nixos/system/hw/power/default.nix

@@ -7,24 +7,9 @@
         STOP_CHARGE_THRESH_BAT0 = 90;
         CPU_SCALING_GOVERNOR_ON_AC = "performance";
         CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
-        MEM_SLEEP_ON_BAT = "deep";
       };
     };
 
-    powerManagement.enable = true;
-    # suspend to RAM (deep) rather than `s2idle`
-    boot.kernelParams = [ "mem_sleep_default=deep" ];
-    # suspend-then-hibernate
-    systemd.sleep.extraConfig = ''
-      HibernateDelaySec=30m
-      SuspendState=mem
-    '';
-
-    services.logind.settings.Login.HandleLidSwitch = "suspend-then-hibernate";
-    # Hibernate on power button pressed
-    services.logind.settings.Login.HandlePowerKey = "hibernate";
-    services.logind.settings.Login.HandlePowerKeyLongPress = "poweroff";
-
     systemd.user.services.battery_monitor = {
       wants = [ "display-manager.service" ];
       wantedBy = [ "graphical-session.target" ];

modules/nixos/system/hw/virt/default.nix

@@ -11,13 +11,11 @@
         dockerSocket.enable = true;
         dockerCompat = true;
         defaultNetwork.settings = {
-          #dnsname.enable = true;
-          dns_enabled = true;
-          #internal = true;
-          #name = "internal";
+          dnsname.enable = true;
+          internal = true;
+          name = "internal";
         };
       };
     };
-    virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
   };
 }

modules/nixos/system/network/base/default.nix

@@ -4,17 +4,6 @@
     useDHCP = true;
     nameservers = [ "1.1.1.1" "9.9.9.9" ];
 
-    firewall = { 
-      enable = true;
-      allowedUDPPorts = 
-        (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++ 
-        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
-        [ ];
-
-      allowedTCPPorts = 
-        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
-        (if (config.syscfg.server != false) then [ 5432 6379 ] else [ ]) ++ 
-        [ ];
-    };
+    firewall = { enable = true; };
   };
 }

modules/nixos/system/network/wireguard/default.nix

@@ -1,12 +1,4 @@
-{ config, lib, pkgs, ... }: let
-
-  isValidPeer = p: 
-    (p ? syscfg.net.wg.enable) && 
-    (p.syscfg.net.wg.enable == true) && 
-    (p.syscfg.net.wg.pubkey != config.syscfg.net.wg.pubkey);
-  activePeers = builtins.filter isValidPeer config.syscfg.peers;
-in
-{
+{ config, lib, ... }: {
   config = lib.mkIf (config.syscfg.net.wg.enable) {
     networking.wireguard = {
       enable = true;
@@ -17,26 +9,14 @@ in
             config.sops.secrets."${config.syscfg.hostname}_wg_priv".path;
           listenPort = 1515;
           mtu = 1340;
-          peers = 
-            if (config.syscfg.server ? wireguard && config.syscfg.server.wireguard) then
-              map (p: {
-                name = p.syscfg.hostname;
-                publicKey = p.syscfg.net.wg.pubkey;
-                allowedIPs = [ p.syscfg.net.wg.ip4 p.syscfg.net.wg.ip6 ];
-              }) activePeers
-            else
-              [{
-                allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
-                endpoint = "vpn.helcel.net:1515";
-                publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
-                persistentKeepalive = 30;
-              }];
+          peers = [{
+            allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
+            endpoint = "vpn.helcel.net:1515";
+            publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+            persistentKeepalive = 30;
+          }];
         };
       };
     };
-    systemd.services."wireguard-wg0" = {
-      after = [ "network-online.target" "nss-lookup.target" ];
-      wants = [ "network-online.target" "nss-lookup.target" ];
-    };
   };
 }

modules/nixos/system/nix/default.nix

@@ -10,7 +10,7 @@
   };
   nixpkgs.overlays = import ../../../../overlays { inherit inputs pkgs; };
   nix = {
-    package = pkgs.nixVersions.stable;
+    package = pkgs.nixFlakes;
     extraOptions = ''
       experimental-features = nix-command flakes
       warn-dirty = false
@@ -37,5 +37,5 @@
       ];
     };
   };
-  system.stateVersion = "24.11";
+  system.stateVersion = "24.05";
 }

modules/nixos/tools/debug/default.nix

@@ -2,9 +2,6 @@
 
   config = lib.mkIf (config.syscfg.make.develop) {
     programs.adb.enable = true;
-    # services.udev.packages = [
-    #   pkgs.android-udev-rules
-    # ];
     programs.wireshark.enable = true;
 
     environment.systemPackages = with pkgs; [ wget dconf wireshark ];

modules/nixos/tools/default.nix

@@ -1,64 +1,64 @@
-{ pkgs, ... }: {
-  imports = [ ./debug ./develop ];
+{ pkgs,... }: { 
+    imports = [ ./debug ./develop ];
 
-  # services.telegraf = {
-  #     enable = true;
-  #     extraConfig = {
-  #         agent = {
-  #             interval = "10s";
-  #             round_interval = true;
-  #             metric_batch_size = 1000;
-  #             metric_buffer_limit = 10000;
-  #             collection_jitter = "0s";
-  #             flush_interval = "10s";
-  #             flush_jitter = "0s";
-  #             precision = "";
-  #             hostname = "valinor";
-  #             omit_hostname = false;
-  #         };
+    # services.telegraf = {
+    #     enable = true;
+    #     extraConfig = {
+    #         agent = {
+    #             interval = "10s";
+    #             round_interval = true;
+    #             metric_batch_size = 1000;
+    #             metric_buffer_limit = 10000;
+    #             collection_jitter = "0s";
+    #             flush_interval = "10s";
+    #             flush_jitter = "0s";
+    #             precision = "";
+    #             hostname = "valinor";
+    #             omit_hostname = false;
+    #         };
 
-  #         inputs.cpu = {
-  #             percpu = true;
-  #             totalcpu = true;
-  #             collect_cpu_time = false;
-  #             report_active = false;
-  #         };
+    #         inputs.cpu = {
+    #             percpu = true;
+    #             totalcpu = true;
+    #             collect_cpu_time = false;
+    #             report_active = false;
+    #         };
 
-  #         inputs.mem = {};
-  #         inputs.swap = {};
-  #         inputs.system = {};
-  #         inputs.disk = {
-  #             ignore_fs = ["tmpfs" "devtmpfs" "devfs"];
-  #         };
+    #         inputs.mem = {};
+    #         inputs.swap = {};
+    #         inputs.system = {};
+    #         inputs.disk = {
+    #             ignore_fs = ["tmpfs" "devtmpfs" "devfs"];
+    #         };
 
-  #         inputs.net = {};
-  #         inputs.netstat = {};
+    #         inputs.net = {};
+    #         inputs.netstat = {};
 
-  #         inputs.ping = {
-  #             urls = ["8.8.8.8" "8.8.4.4"];
-  #             count = 4;
-  #             interval = "60s";
-  #             binary = "${pkgs.iputils.out}/bin/ping";
-  #         };
+    #         inputs.ping = {
+    #             urls = ["8.8.8.8" "8.8.4.4"];
+    #             count = 4;
+    #             interval = "60s";
+    #             binary = "${pkgs.iputils.out}/bin/ping";
+    #         };
 
-  #         inputs.internet_speed = {
-  #             interval = "2m";
-  #         };
+    #         inputs.internet_speed = {
+    #             interval = "2m";
+    #         };
             
-  #         inputs.net_response = {
-  #             protocol = "tcp";
-  #             address = "google.com:80";
-  #             timeout = "5s";
-  #             read_timeout = "5s";
-  #             interval = "30s";
-  #         };
+    #         inputs.net_response = {
+    #             protocol = "tcp";
+    #             address = "google.com:80";
+    #             timeout = "5s";
+    #             read_timeout = "5s";
+    #             interval = "30s";
+    #         };
 
-  #         outputs.influxdb_v2 = {
-  #             urls = [""];
-  #             token = "";
-  #             organization = "";
-  #             bucket = "";
-  #         };
-  #     };
-  # };
-}
+    #         outputs.influxdb_v2 = {
+    #             urls = [""];
+    #             token = "";
+    #             organization = "";
+    #             bucket = "";
+    #         };
+    #     };
+    # };
+ }

modules/nixos/tools/develop/default.nix

@@ -6,13 +6,10 @@ let
     includeEmulator = false;
   };
 in {
-
-  imports = [ ./ollama ];
   config = lib.mkIf (config.syscfg.make.develop) {
-    environment.systemPackages = with pkgs;
-      [
-        # android-tools
-        unstable.androidStudioPackages.canary
-      ];
+    environment.systemPackages = with pkgs; [
+      android-tools
+      androidStudioPackages.canary
+    ];
   };
 }

modules/nixos/tools/develop/ollama/default.nix

@@ -1,16 +0,0 @@
-{ lib, config, pkgs, ... }: 
-let 
- ollamaPkg = pkgs.ollama-rocm;
-in{
-
-  config = lib.mkIf (config.syscfg.make.develop) {
-    services.ollama = {
-        enable = true;
-        package = ollamaPkg;
-        acceleration = "rocm"; 
-        loadModels = [ "deepseek-v2:lite" "qwen2.5-coder:7b" "qwen2.5-coder:1.5b" ];
-        syncModels = true;
-    };
-    environment.systemPackages = with pkgs; [ ollamaPkg ];
-  };
-}

modules/nixos/users/default.nix

@@ -22,7 +22,6 @@ in {
           "docker"
           "podman"
           "wireshark"
-          "gamemode"
         ];
       }) config.syscfg.users);
   };

modules/server/containers/apps/.template.nix

@@ -1,46 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  serverCfg = config.syscfg.server;
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = "EXAMPLE";
-    tag = "0.0.0";
-    contents = [ pkgs.bashInteractive ];
-    config = {
-      Entrypoint = [ "echo 1" ];
-      ExposedPorts = {  };
-    };
-  };
-  templateData = builder.mkData { name = "template"; dir = "template"; vars = {
-      _ARGUMENT = "template";
-    };
-  };
-in {
-  sops = false;
-  db = false;
-  paths = [{
-    path="${serverCfg.configPath}/example/";
-    mode = "0444";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 8080;
-      secret = name;
-      extraEnv = { };
-      overrides = {
-        cmd = [ ];
-        volumes = [ ];
-       };
-    };
-  };
-
-  setup = {
-    trigger = "server";
-    envFile = config.sops.secrets."EXAMPLE".path;
-    script = pkgs.writeShellScript "setup" ''
-      ...
-    '';
-  };
-}

modules/server/containers/apps/.todo.md

@@ -1,7 +0,0 @@
-# Missing
-
-RSS: TTRSS / FreshRSS
-Monitoring: Telegraf + InfluxDB
-https://github.com/tarampampam/error-pages ?
-
-- Transmission Cfg and API/Token handling

modules/server/containers/apps/authentik.nix

@@ -1,111 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  version = "2026.2.2";
-  serverCfg = config.syscfg.server;
-  authentikData = builder.mkData { 
-    name = "authentik"; dir = "authentik"; vars = {
-      AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
-      COOKIE_DOMAIN = "${serverCfg.domain}";
-      AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
-    } 
-    // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
-    // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
-    // (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
-    // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
-  };
-in {
-  sops = true;
-  db = true;
-  paths = [{
-    path="${serverCfg.configPath}/authentik/media";
-    owner = "1000:1000";
-    mode = "0755";
-  }{
-    path="${serverCfg.configPath}/authentik/templates";
-    owner = "1000:1000";
-    mode = "0755";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "ghcr.io/goauthentik/server:${version}";
-      port = 9000;
-      secret = name;
-      extraEnv = {
-        AUTHENTIK_REDIS__HOST = builder.host;
-        AUTHENTIK_POSTGRESQL__HOST = builder.host;
-        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
-        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
-        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
-        AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
-        AUTHENTIK_EMAIL__PORT = "587";
-        AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
-        AUTHENTIK_EMAIL__USE_TLS = "true";
-        AUTHENTIK_EMAIL__USE_SSL = "false";
-        AUTHENTIK_EMAIL__TIMEOUT = "10";
-        AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
-        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
-        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
-      };
-      overrides = {
-        cmd = [ "server" ];
-        volumes = [
-          "${serverCfg.configPath}/authentik/media:/media"
-          "${serverCfg.configPath}/authentik/templates:/templates"
-          "${authentikData}:/blueprints/custom:ro"
-        ];
-      };
-    };
-
-    worker = builder.mkContainer {
-      image = "ghcr.io/goauthentik/server:${version}";
-      secret = name;
-      extraEnv = {
-        AUTHENTIK_REDIS__HOST = builder.host;
-        AUTHENTIK_POSTGRESQL__HOST = builder.host;
-        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
-        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
-        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
-        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
-        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
-      };
-      overrides = {
-        cmd = [ "worker" ];
-        volumes = [
-          "${serverCfg.configPath}/authentik/media:/media"
-          "${serverCfg.configPath}/authentik/templates:/templates"
-          "${authentikData}:/blueprints/custom:ro"
-        ];
-      };
-    };
-
-    ldap = builder.mkContainer {
-      image = "ghcr.io/goauthentik/ldap:${version}";
-      secret = name;
-      extraEnv = {
-        AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}"; 
-        AUTHENTIK_INSECURE = "false"; 
-      };
-    };
-  };
-
-  setup = {
-    trigger = "worker";
-    script = pkgs.writeShellScript "setup" ''
-      # Define the command wrapper
-      AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
-
-      $AK apply_blueprint /blueprints/custom/authentik.yaml
-      $AK apply_blueprint /blueprints/custom/traefik.yaml
-      $AK apply_blueprint /blueprints/custom/ldap.yaml
-
-      ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
-      ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
-      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
-      ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
-
-      echo "Completed Authentik Setup"
-      '';
-  };
-}

modules/server/containers/apps/collabora.nix

@@ -1,34 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-version = "latest";
-serverCfg = config.syscfg.server;
-in {
-  sops = true;
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "collabora/code:${version}";
-      port = 9980;
-      secret = name;
-      extraEnv = {
-        "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
-        "server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
-        "username" = "collabora_user";
-        "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
-        "VIRTUAL_PORT" = "9980";
-        "VIRTUAL_PROTO" = "http";
-        "DONT_GEN_SSL_CERT" = "true";
-        "RESOLVE_TO_PROXY_IP" = "true";
-        "extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
-        "dictionaries" = "en fr de jp no";
-      };
-      
-      overrides = {
-        volumes = [
-          "${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
-          "${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
-        ];
-      };
-    };
-  };
-}

modules/server/containers/apps/ethercalc.nix

@@ -1,39 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  serverCfg = config.syscfg.server;
-  ethercalc_exe = pkgs.ethercalc;
-
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = "ethercalc";
-    tag = ethercalc_exe.version;
-    contents = [ pkgs.bashInteractive ];
-    config = {
-      Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
-      ExposedPorts = { "8080/tcp" = {}; };
-    };
-  };
-in {
-  sops = true;
-  paths = [{
-    path="${serverCfg.dataPath}/ethercalc/";
-    mode = "0666";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 8080;
-      secret = name;
-      extraEnv = {
-        ETHERCALC_PORT = "8080";
-        #CONNECT TO REDIS
-      };
-      overrides = {
-        volumes = [
-          "${serverCfg.dataPath}/ethercalc:/data"
-        ];
-       };
-    };
-  };
-}

modules/server/containers/apps/etherpad.nix

@@ -1,124 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  serverCfg = config.syscfg.server;
-  etherpad_exe = pkgs.etherpad-lite;
-  settings = pkgs.writeText"settings.json" (builtins.toJSON {
-    title= "\${TITLE:Etherpad}";
-    showRecentPads = "\${SHOW_RECENT_PADS:true}";
-    favicon = "\${FAVICON:null}";
-    publicURL = "\${PUBLIC_URL:null}";
-    skinName = "\${SKIN_NAME:colibris}";
-    skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
-    ip = "\${IP:0.0.0.0}";
-    port = "\${PORT:9001}";
-    showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
-    enableMetrics = "\${ENABLE_METRICS:true}";
-    updates.tier = "off";
-    cleanup.enabled = false;
-    gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
-    authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
-    enableDarkMode = "\${ENABLE_DARK_MODE:true}";
-    enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
-    dbType = "\${DB_TYPE:dirty}";
-    dbSettings = {
-      host =       "\${DB_HOST:undefined}";
-      port =       "\${DB_PORT:undefined}";
-      database =   "\${DB_NAME:undefined}";
-      user =       "\${DB_USER:undefined}";
-      password =   "\${DB_PASS:undefined}";
-      charset =    "\${DB_CHARSET:undefined}";
-      filename =   "\${DB_FILENAME:var/dirty.db}";
-      collection = "\${DB_COLLECTION:undefined}";
-      url =        "\${DB_URL:undefined}";
-    };
-    defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
-    padOptions = {
-      noColors =         "\${PAD_OPTIONS_NO_COLORS:false}";
-      showControls =     "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
-      showChat =         "\${PAD_OPTIONS_SHOW_CHAT:true}";
-      showLineNumbers =  "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
-      useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
-      userName =         "\${PAD_OPTIONS_USER_NAME:null}";
-      userColor =        "\${PAD_OPTIONS_USER_COLOR:null}";
-      rtl =              "\${PAD_OPTIONS_RTL:false}";
-      alwaysShowChat =   "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
-      chatAndUsers =     "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
-      lang =             "\${PAD_OPTIONS_LANG:null}";
-      fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
-      enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
-    };
-
-    requireSession = "\${REQUIRE_SESSION:false}";
-    editOnly = "\${EDIT_ONLY:false}";
-    minify = "\${MINIFY:true}";
-    requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
-    requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
-    trustProxy = "\${TRUST_PROXY:true}";
-    ep_headerauth.username_header = "X-authentik-username";
-    users.admin = {
-      password = "\${ADMIN_PASSWORD:null}";
-      is_admin = true;
-    };
-    socketTransportProtocols = ["websocket" "polling"];
-    socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
-    indentationOnNewLine = true;
-
-    loglevel = "\${LOGLEVEL:INFO}";
-    lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
-  });
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = "etherpad";
-    tag = etherpad_exe.version;
-    contents = [ pkgs.bashInteractive ];
-    config = {
-      Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
-      ExposedPorts = { "8080/tcp" = {}; };
-    };
-  };
-in {
-  sops = true;
-  db = true;
-  paths = [{
-    path="${serverCfg.configPath}/etherpad/";
-    mode = "0444";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 8080;
-      secret = name;
-      extraEnv = {
-        TITLE = "Pad";
-        PORT ="8080";
-        DB_TYPE = "postgres";
-        DB_HOST = builder.host;
-        DB_NAME = "etherpad_db";
-        DB_USER = "etherpad_user";
-        TRUST_PROXY = "true";
-        DB_CHARSET = "utf8mb4";
-        DEFAULT_PAD_TEXT = "";
-        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
-        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
-        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
-      };
-      overrides = {
-        cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
-        volumes = [
-          "${settings}:/etc/etherpad/settings.json"
-          "${serverCfg.configPath}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
-        ];
-       };
-    };
-  };
-
-  setup = {
-    trigger = "server";
-    envFile = config.sops.secrets."ETHERPAD".path;
-    script = pkgs.writeShellScript "setup" ''
-      echo "$APIKEY" > ${serverCfg.configPath}/etherpad/APIKEY.txt
-      chmod 444 ${serverCfg.configPath}/etherpad/APIKEY.txt
-    '';
-  };
-}

modules/server/containers/apps/frigate.nix

@@ -1,95 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  serverCfg = config.syscfg.server;
-  
-  # Ensure the package is available (Nixpkgs includes frigate)
-  frigatePkg = pkgs.frigate;
-
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = "frigate";
-    tag = frigatePkg.version;
-    contents = [ 
-      pkgs.bashInteractive 
-      frigatePkg
-      pkgs.ffmpeg # Explicitly included for video stream processing
-    ];
-    config = {
-      Entrypoint = [ "${frigatePkg}/bin/frigate" ];
-      Cmd = [ "start" ];
-      ExposedPorts = {
-        "5000/tcp" = {}; # Web UI / API
-        "8554/tcp" = {}; # RTSP Feeds
-        "8555/tcp" = {}; # WebRTC
-      };
-      Env = [
-        "FRIGATE_RTSP_PASSWORD=secret" # Base fallback, overridden by envFile/sops
-      ];
-    };
-  };
-in {
-  sops = true; # Enabled to safeguard sensitive camera RTSP stream credentials
-  db = false;  # Internal SQLite is used by default in Frigate
-
-  paths = [
-    {
-      path = "${serverCfg.configPath}/frigate/";
-      mode = "0755";
-    }
-    {
-      path = "/var/lib/frigate/storage/";
-      mode = "0755"; # Dedicated path for heavy video recordings and media
-    }
-  ];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 5000;
-      secret = name;
-      extraEnv = {
-        PLUS_API_KEY = ""; # Optional: For Frigate Plus users
-      };
-      overrides = {
-        cmd = [ ];
-        volumes = [
-          "${serverCfg.configPath}/frigate:/config"
-          "/var/lib/frigate/storage:/media/frigate"
-          "/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
-          "/dev/dri:/dev/dri"         # Passes Intel/AMD GPU for hardware video decoding
-        ];
-      };
-    };
-  };
-
-  setup = {
-    trigger = "server";
-    envFile = config.sops.secrets."FRIGATE_ENV".path;
-    script = pkgs.writeShellScript "setup-frigate" ''
-      mkdir -p "${serverCfg.configPath}/frigate"
-      mkdir -p "/var/lib/frigate/storage"
-      
-      # Bootstrap a standard configuration layout if missing
-      if [ ! -f "${serverCfg.configPath}/frigate/config.yml" ]; then
-        cat <<EOF > "${serverCfg.configPath}/frigate/config.yml"
-mqtt:
-  enabled: False # Set to True and define host if connecting to Home Assistant
-
-database:
-  path: /config/frigate.db
-
-cameras:
-  dummy_camera: # Replace with your actual RTSP stream details
-    enabled: false
-    ffmpeg:
-      inputs:
-        - path: rtsp://127.0.0.1:554/live
-          roles:
-            - detect
-    detect:
-      enabled: false
-EOF
-      fi
-    '';
-  };
-}

modules/server/containers/apps/gitea.nix

@@ -1,145 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  version = "latest";
-  serverCfg = config.syscfg.server;
-
-  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
-in {
-  sops = true;
-  db = true;
-  paths = [{
-    path="${serverCfg.dataPath}/gitea/data";
-    owner = "1000:1000";
-    mode = "0755";
-  }{
-    path="${serverCfg.dataPath}/gitea/data-runner";
-    owner = "1000:1000";
-    mode = "0755";
-  }];
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "gitea/gitea:${version}";
-      port = 8080;
-      secret = name;
-      
-      extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
-        GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
-        GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
-        GITEA__repository__DISABLE_STARS = "true";
-        GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
-        # GITEA__ui__THEMES = "";
-        # GITEA__ui__DEFAULT_THEME = "";
-
-        # GITEA__security__SECRET_KEY = "SECRET_ENV";
-        # GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
-        # GITEA__database__PASSWD = "SECRET_ENV";
-        # GITEA__mailer__PASSWD="SECRET_ENV";
-
-        GITEA__database__DB_TYPE = "postgres"; 
-        GITEA__database__HOST = builder.host;
-        GITEA__database__NAME = "gitea_db";
-        GITEA__database__USER = "gitea_user";
-
-
-        GITEA__mailer__ENABLED = "true";
-        GITEA__mailer__FROM = "";
-        GITEA__mailer__PROTOCOL = "smtps";
-        GITEA__mailer__SMTP_ADDR = "";
-        GITEA__mailer__SMTP_PORT = "";
-        GITEA__mailer__USER= "";
-
-        GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
-        GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
-        GITEA__server__PROTOCOL = "http";
-        GITEA__server__HTTP_PORT = "8080";
-        GITEA__server__LFS_START_SERVER = "true";
-        GITEA__security__INSTALL_LOCK = "true";
-
-      } // ( if serverCfg.containers?authentik then {
-        GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
-        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
-        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
-        GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
-        GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
-        GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
-        GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
-        GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
-        GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
-        GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
-        GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
-        GITEA__security__RREVERSE_PROXY_LIMIT = "1";
-        GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
-      } else {});
-      extraLabels = {
-        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
-        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
-        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
-        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
-        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
-      };
-
-      overrides = {
-        volumes = [
-          "${serverCfg.dataPath}/gitea/data:/data"
-        ];
-        ports = [ "2222:22" ]; 
-      };
-    };
-
-    runner = builder.mkContainer {
-      image = "gitea/act_runner:${version}";
-      secret = name;
-      extraEnv = { 
-        CONFIG_FILE="/data/config.yml";
-        GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
-        GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
-      };
-
-      overrides = {
-        volumes = [
-          "${serverCfg.dataPath}/gitea/data-runner:/data"
-          "/var/run/podman/podman.sock:/var/run/docker.sock"
-        ];
-        # ports = [ "8088:8088" ]; 
-      };
-    };
-  };
-
-
-  setup = {
-    trigger = "server";
-    envFile = config.sops.secrets."CUSTOM".path;
-    script = pkgs.writeShellScript "setup" ''
-      # Define the command wrapper
-      GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
-      GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
-
-      $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
-
-      touch ${serverCfg.dataPath}/gitea/data-runner/config.yml
-
-      RUNNER_TOKEN=$($GT actions generate-runner-token)
-      $GTR register \
-        --instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
-        --token "$RUNNER_TOKEN" \
-        --name "Runner" \
-        --labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
-        --no-interactive
-
-
-      ${lib.optionalString (serverCfg.containers ? authentik) ''
-      $GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
-          --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
-          --user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
-          --user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
-          --admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
-          --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
-          --synchronize-users
-      ''}
-
-
-      echo "Completed Gitea Setup"
-      '';
-  };
-}

modules/server/containers/apps/handbrake.nix

@@ -1,3 +0,0 @@
-{...}:{
-    
-}

modules/server/containers/apps/homeassistant.nix

@@ -1,43 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  serverCfg = config.syscfg.server;
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = pkgs.home-assistant.name;
-    tag = pkgs.home-assistant.version;
-    contents = [  ];
-    config = {
-      Entrypoint = [ "${pkgs.home-assistant}/bin/hass" ];
-      ExposedPorts = {
-        "8123/tcp" = {};
-      };
-    };
-  };
-in {
-  sops = true;
-  db = false;
-  
-  paths = [{
-    path = "${serverCfg.configPath}/homeassistant/";
-    mode = "0755"; 
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 8123;
-      secret = name;
-      extraEnv = {
-        TZ = config.time.timeZone or "UTC";
-      };
-      overrides = {
-        cmd = [ "--config" "/config" ];
-        volumes = [
-          "${serverCfg.configPath}/homeassistant/:/config"
-          "/run/dbus:/run/dbus:ro" # Required for Bluetooth/mDNS service discovery
-        ];
-      };
-    };
-  };
-
-}

modules/server/containers/apps/immich.nix

@@ -1,97 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  version = "v2";
-  serverCfg = config.syscfg.server;
-
-in {
-  sops = true;
-  db = true;
-
-  paths = [{
-    path = "${serverCfg.configPath}/immich/cache";
-    mode = "0750";
-  }{
-    path = "${serverCfg.dataPath}/immich/";
-    mode = "0755";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "ghcr.io/immich-app/immich-server:${version}";
-      port = 2283;
-      secret = name;
-      extraEnv = {
-        DB_HOSTNAME = builder.host;
-        REDIS_HOSTNAME = builder.host;
-        DB_USERNAME = "immich_user";
-        DB_DATABASE_NAME = "immich_db";
-        IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
-        IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
-        # IMMICH_ALLOW_SETUP = "false";
-        # IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
-      };
-      overrides = {
-        volumes = [
-          "${serverCfg.dataPath}/immich:/data"
-        ];
-      };
-    };
-
-    ml = builder.mkContainer {
-      image = "ghcr.io/immich-app/immich-machine-learning:${version}";
-      port = 3003;
-      overrides = {
-        volumes = [
-          "${serverCfg.configPath}/immich/cache:/cache"
-        ];
-      };
-    };
-  };
-
-  setup = {
-    trigger = "server";
-    envFile = config.sops.secrets."CUSTOM".path;
-    script = pkgs.writeShellScript "setup" ''
-        PSQL="${pkgs.postgresql}/bin/psql -U postgres"
-        $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
-        $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
-
-        mkdir -p ${serverCfg.dataPath}/immich/{upload,library,thumbs,encoded-video,profile,backups}
-
-        IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
-        until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
-          sleep 5
-        done
-        ${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
-          -H "Content-Type: application/json" -H "Accept: application/json" \
-          -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
-
-        IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
-        -H "Content-Type: application/json" \
-        -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
-        | ${pkgs.jq}/bin/jq -r '.accessToken')        
-
-        ${lib.optionalString (serverCfg.containers ? authentik) ''
-        ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
-        ${pkgs.jq}/bin/jq '.oauth.enabled = true | 
-                          .oauth.autoRegister = true |
-                          .oauth.autoLaunch = true |
-                          .oauth.signingAlgorithm = "RS256" |
-                          .oauth.profileSigningAlgorithm = "RS256" |
-                          .oauth.clientId = "immich" | 
-                          .oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" | 
-                          .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" | 
-                          .oauth.scope = "openid profile email" |
-                          .oauth.buttonText = "Login with SSO"' | \
-        ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
-        ''}
-
-        ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
-        ${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
-                          .storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
-        ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
-        
-    '';
-  };
-}

modules/server/containers/apps/influx.nix

@@ -1,45 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  serverCfg = config.syscfg.server;
-  influxPkg = pkgs.influxdb2;
-
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = influxPkg.name;
-    tag = influxPkg.version;
-    contents = [ ];
-    config = {
-      Entrypoint = [ "${influxPkg}/bin/influxd" ];
-      ExposedPorts = {
-        "8086/tcp" = {}; # Combined Engine and UI port
-      };
-    };
-  };
-in {
-  sops = true; # Highly recommended for initial admin passwords and setup tokens
-  db = false;  # Using InfluxDB directly as the primary database
-  
-  paths = [{
-    path = "${serverCfg.configPath}/influxdb/";
-    mode = "0700"; # Strict database permissions
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 8086;
-      secret = name;
-      extraEnv = {
-        INFLUXD_CONFIG_PATH = "var/lib/influxdb2/config";
-        INFLUXD_BOLT_PATH = "/var/lib/influxdb2/influxdb.bolt";
-        INFLUXD_ENGINE_PATH = "/var/lib/influxdb2/engine";
-      };
-      overrides = {
-        volumes = [
-          "${serverCfg.configPath}/influxdb/:/var/lib/influxdb2"
-        ];
-      };
-    };
-  };
-
-}

modules/server/containers/apps/invidious.nix

@@ -1,78 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  serverCfg = config.syscfg.server;
-
-  patchedInvidious = pkgs.invidious.overrideAttrs (oldAttrs: {
-    postPatch = (oldAttrs.postPatch or "") + ''
-      cp ${../data/invidious/login.cr} src/invidious/routes/login.cr
-    '';
-  });
-
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = pkgs.invidious.name;
-    tag = pkgs.invidious.version;
-
-    contents = [ pkgs.cacert patchedInvidious ];
-    config = {
-      Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
-      ExposedPorts = { "3000/tcp" = {}; };
-      Env = [ 
-        "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-        "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-      ];
-    };
-  };
-
-in {
-  sops = true;
-  db = true;
-  paths = [{
-    path="${serverCfg.configPath}/invidious";
-    mode = "0755";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 3000;
-      secret = name;
-      extraLabels = {
-        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
-        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
-        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
-        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
-        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
-      };
-      extraEnv = {
-        INVIDIOUS_CONFIG_FILE = "/data/config.yml";
-      };
-      overrides = {
-        volumes = [
-          "${serverCfg.configPath}/invidious:/data:ro"
-        ];
-      };
-    };
-
-    companion = builder.mkContainer {
-      image = "quay.io/invidious/invidious-companion:latest";
-      port = 8282;
-      secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
-      extraOptions = [
-        "--cap-drop=all"
-        "--security-opt=no-new-privileges"
-      ];
-    };
-  };
-
-  setup = {
-    trigger = "server";
-    envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
-    script = pkgs.writeShellScript "setup" ''
-      export DB_HOST=${builder.host}
-      export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
-
-      ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.configPath}/invidious/config.yml"
-    '';
-  };
-}

modules/server/containers/apps/jellyfin.nix

@@ -1,177 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let
-  serverCfg = config.syscfg.server;
-  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
-  nss = pkgs.dockerTools.fakeNss.override {
-    extraPasswdLines = [
-      "jellyfin:x:1000:1000:Jellyfin Daemon:/config/data:/bin/false"
-    ];
-    extraGroupLines = [
-      "jellyfin:x:1000:"
-    ];
-  };
-  image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
-    name = pkgs.jellyfin.name;
-    tag = pkgs.jellyfin.version;  
-    contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
-    config = {
-      User = "jellyfin:jellyfin"; 
-      Entrypoint = [ "${pkgs.jellyfin}/bin/jellyfin" ];
-      ExposedPorts = { "8096/tcp" = { }; };
-      Env = [ 
-        "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-        "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-      ];
-    };
-  };
-in {
-  paths = [
-    {
-      path = "${serverCfg.dataPath}/media/";
-      owner = "1000:1000";
-      mode = "0755";
-    }
-    {
-      path = "${serverCfg.configPath}/jellyfin/";
-      owner = "1000:1000";
-      mode = "0755";
-    }
-  ];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 8096;
-      extraEnv = {
-        HOME = "/config/data";
-        DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
-        JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
-        JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
-      };
-      extraOptions = [
-        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
-      ];
-      overrides = {
-        cmd = [
-        "--datadir" "/config/data"
-        "--cachedir" "/config/cache"
-        "--configdir" "/config/config"
-        "--logdir" "/config/log" 
-        ];
-        volumes = [
-          "${serverCfg.dataPath}/media:/media:ro" 
-          "${serverCfg.configPath}/jellyfin:/config"
-        ];
-        # If you have an Intel/AMD GPU for transcoding, add the device:
-        devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
-      };
-    };
-  };
-
-  setup = {
-    trigger = "server";
-    envFile = config.sops.secrets."CUSTOM".path;
-    script = pkgs.writeShellScript "setup" ''
-      JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
-      until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
-        sleep 5
-      done
-      echo "Jellyfin is up. Sleeping for 20 seconds..."
-      sleep 20
-      WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
-        ${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
-      if [ "$WIZARD_COMPLETE" = "false" ]; then
-        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
-          -H "Content-Type: application/json" \
-          -d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
-          echo "ERROR: Failed to set startup configuration."
-          exit 1
-        fi
-        
-        if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
-          echo "ERROR: Failed to get base user."
-          exit 1
-        fi
-
-        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
-          -H 'accept: */*' -H "Content-Type: application/json" \
-          -d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
-          echo "ERROR: Failed to set admin user."
-          exit 1
-        fi
-
-        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
-          -H "Content-Type: application/json" \
-          -d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
-          echo "ERROR: Failed to configure remote access."
-          exit 1
-        fi
-
-        if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
-          echo "ERROR: Failed to complete wizard."
-          exit 1
-        fi
-        echo "Jellyfin initialization successfully completed!"
-      fi
-
-      ${lib.optionalString (serverCfg.containers ? authentik) ''
-      JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
-        -H "Content-Type: application/json" \
-        -H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
-        -d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
-        | ${pkgs.jq}/bin/jq -r '.AccessToken')
-
-      # Verify we got a token
-      if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
-          echo "ERROR: Authentication failed."
-          exit 1
-      fi
-      if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-          "$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
-        echo "LDAP Plugin is already installed. Skipping setup."
-      else
-        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
-            -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-            -H "Content-Length: 0"; then
-          echo "ERROR: LDAP Plugin Setup Failed."
-          exit 1
-        fi
-
-        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
-            -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-            -H "Content-Length: 0"; then
-          echo "ERROR: Server failed to accept restart command."
-          exit 1
-        fi
-        sleep 1-
-        until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
-          sleep 5
-        done
-        echo "Jellyfin is up. Sleeping for 20 seconds..."
-        sleep 20
-      fi
-
-      if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
-          -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-          -H "Content-Type: application/json" -H 'accept: */*' \
-          -d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
-          "LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
-          "LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
-          "LdapSearchAttributes":"uid, cn, mail, displayName",
-          "LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
-          "EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
-          "EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
-          "LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
-          "EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
-        echo "ERROR: LDAP Plugin Setup Failed."
-        exit 1
-      fi
-      ''}
-
-      echo "Completed Setup"
-
-    '';
-  };
-
-}

modules/server/containers/apps/nextcloud.nix

@@ -1,199 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-version = "31";
-serverCfg = config.syscfg.server;
-in {
-  sops = true;
-  db = true;
-  paths = [{
-    path="${serverCfg.dataPath}/nextcloud/www";
-    owner = "33:33";
-    mode = "0755";
-  }{
-    path="${serverCfg.dataPath}/nextcloud/data";
-    owner = "33:33";
-    mode = "0755";
-    backup = true;
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "nextcloud:${version}";
-      port = 80;
-      secret = name;
-      extraEnv = {
-        REDIS_HOST = builder.host;
-        POSTGRES_HOST = builder.host;
-        POSTGRES_USER = "nextcloud_user";
-        POSTGRES_DB = "nextcloud_db";
-        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
-        "NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.domain}";
-        "SMTP_HOST" = serverCfg.mailServer;
-        "SMTP_NAME" = "mail_user";
-        "SMTP_PASSWORD" = "mail_password";
-        "MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.domain}";
-        "MAIL_DOMAIN" = serverCfg.mailDomain;
-        "TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
-      };
-      extraLabels = {
-        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
-        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
-        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
-        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
-        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
-        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
-      };
-      extraOptions = [
-        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
-      ];
-      overrides = {
-        ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
-        volumes = [
-          "${serverCfg.dataPath}/nextcloud/www:/var/www/html"
-          "${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
-        ];
-      };
-    };
-  };
-
-  setup = {
-    trigger = "server";
-    script = pkgs.writeShellScript "setup" ''
-      # Define the command wrapper
-      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ"
-
-      echo "Waiting for Nextcloud container to start..."
-      until $OCC status > /dev/null 2>&1; do
-        sleep 2
-      done
-
-      INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
-      if [ -z "$INSTALLED" ]; then
-        echo "Running first-time setup..."
-        
-        $OCC maintenance:install \
-          --admin-user "$DEFAULT_ADMIN_USERNAME" \
-          --admin-pass "$DEFAULT_ADMIN_PASSWORD"
-      fi
-      if [ -z "$INSTALLED" ] || [ -f "/tmp/force-nextcloud-setup" ]; then
-        rm -f "/tmp/force-nextcloud-setup"
-        echo "Applying Settings..."
-        
-        $OCC config:system:set default_phone_region --value="CH"
-        $OCC config:system:set overwriteprotocol --value="https"
-        $OCC config:app:set core backgroundjobs_mode --value="cron"
-        $OCC config:system:set maintenance_window_start --type=integer --value=1
-        $OCC config:system:set default_language --value="en"
-        $OCC config:system:set default_locale --value="en_CH"
-
-        echo "Applying Apps..."
-        $OCC app:disable activity || true
-        $OCC app:disable app_api || true
-        $OCC app:disable comments || true
-        $OCC app:disable firstrunwizard || true
-        $OCC config:system:set show_first_run_wizard --type=bool --value=false
-        $OCC app:disable nextcloud_announcements || true
-        $OCC app:disable oauth2 || true
-        $OCC app:disable recommendations || true
-        $OCC app:disable sharebymail || true
-        $OCC app:disable support || true
-        $OCC app:disable survey_client || true
-        $OCC app:disable updatenotification || true
-        $OCC app:disable user_status || true
-
-        $OCC app:install calendar || true
-        $OCC app:install calendar || true
-        $OCC app:install contacts || true
-        $OCC app:install camerarawpreviews || true
-        $OCC app:install cospend || true
-        $OCC app:install deck || true
-        $OCC app:install files_markdown || true
-        $OCC app:install forms || true
-        $OCC app:install groupfolders || true
-        $OCC app:install ownpad || true
-        $OCC app:install previewgenerator || true
-        $OCC app:install richdocuments || true
-        ${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
-        # $OCC app:install side_menu || true 
-        $OCC app:install spreed || true
-        $OCC app:install teamfolders || true
-        ${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
-
-        echo "Applying Apps Settings..."
-        $OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
-        $OCC config:app:set cospend allow_federation --value="yes"
-        
-        ${lib.optionalString (serverCfg.containers ? ethercalc) ''
-        $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
-        $OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}"
-        ''}
-        ${lib.optionalString (serverCfg.containers ? etherpad) ''
-        $OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
-        $OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}"
-        ''}
-        ${lib.optionalString (serverCfg.containers ? collabora) ''
-        $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}/"
-        $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}"
-        $OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
-        ''}
-        ${lib.optionalString (serverCfg.containers ? authentik) ''
-        $OCC saml:config:set 1 --general-idp0_display_name="authentik"
-        $OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
-        $OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}"
-        $OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/sso/binding/redirect/"
-        $OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/slo/binding/redirect/"
-        AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
-        $OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT" 
-
-        $OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
-        $OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-        $OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
-
-        $OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
-        $OCC group:add admin || true
-        $OCC group:add cloud || true
-        $OCC config:app:set user_saml general-group_provisioning --value="0"
-        $OCC config:app:set user_saml general-require_provisioning_groups --value="1"
-        ''}
-        # configure side_menu ...
-        FOLDERS=$($OCC teamfolders:list --format=json)
-        ${builtins.concatStringsSep "\n" (map (name: ''
-          if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
-              $OCC teamfolders:create "${name}"
-          fi
-        '') containerCfg.extra.teamFolders or [])}
-        SERVERS=$($OCC federation:list-servers --format=json)
-        ${builtins.concatStringsSep "\n" (map (domain: ''
-          if ! echo "$SERVERS" | grep -q "${domain}"; then
-            $OCC federation:add-server "https://${domain}"
-          fi
-        '') containerCfg.extra.federatedServers or [])}
-        $OCC config:app:set systemtags allow_user_creating --value="no"
-        
-        echo "Applying Theme..."
-        $OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
-        ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
-        ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
-        $OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
-        $OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
-
-        #$OCC theming:config logo {serverCfg.colorScheme.logo}
-        #$OCC theming:config logoheader {serverCfg.colorScheme.logo}
-        #$OCC theming:config background {serverCfg.colorScheme.bg}
-            
-      else
-          echo "Nextcloud is already installed. Skipping setup."
-      fi
-
-      echo "Maintenance..."
-      $OCC app:update --all
-      $OCC maintenance:repair --include-expensive --no-interaction
-      $OCC db:add-missing-indices --no-interaction
-
-      echo "Completed Setup"
-    '';
-  };
-
-  cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
-}

modules/server/containers/apps/searxng.nix

@@ -1,92 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  version= "latest";
-  serverCfg = config.syscfg.server;
-  settings = pkgs.writeText"settings.yml" (pkgs.lib.generators.toYAML {}{
-    use_default_settings = true;
-    brand = {
-        issue_url = "";
-        docs_url = "";
-        public_instances = "";
-        wiki_url = "";
-        custom = {
-            links = {
-                "Home" = "https://${serverCfg.domain}";
-                # "Status" = "https://status.${serverCfg.domain}";
-            };
-        };
-        pwa_colors = {
-            theme_color_light = "${serverCfg.colorScheme.palette.base0C}";
-            background_color_light = "${serverCfg.colorScheme.palette.base07}";
-            theme_color_dark = "${serverCfg.colorScheme.palette.base0C}";
-            background_color_dark = "${serverCfg.colorScheme.palette.base02}";
-            theme_color_black = "${serverCfg.colorScheme.palette.base0C}";
-            background_color_black = "${serverCfg.colorScheme.palette.base01}";
-        };
-    };
-    general = {
-        debug = false;
-        instance_name = if containerCfg.extra ? instanceName then containerCfg.extra.instanceName else "SearXNG";
-        privacypolicy_url = false;
-        donation_url = false;
-        contact_url = false;
-        enable_metrics = false;
-    };
-    search = {
-        safe_search = 0;
-        autocomplete = if containerCfg.extra ? autocomplete then containerCfg.extra.autocomplete else "";
-        languages = [ "all" "en" "en-US" "ja" "de-CH" "fr-CH" "nb" ];
-    };
-    server = {
-        # secret_key = ""; SET BY ENV VAR
-    };
-    ui = {
-        default_locale = if containerCfg.extra ? defaultLocale then containerCfg.extra.defaultLocale else "en";
-        # query_in_title = "true";
-        #default_theme = "custom";
-        custom_css = "footer { display: none !important; }";
-    };
-    # categories_as_tabs = {
-    #     general = {};
-    #     images ={};
-    #     videos = {};
-    #     news = {};
-    #     files = {};
-    # };
-    plugins = {
-        "searx.plugins.infinite_scroll.SXNGPlugin".active = true;
-        "searx.plugins.tracker_url_remover.SXNGPlugin".active = true;
-    };
-  });
-in {
-   sops = true;
-#   paths = [{
-#     path="${serverCfg.dataPath}/searxng/";
-#     mode = "0444";
-#   }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "searxng/searxng:${version}";
-      port = 8080;
-      secret = name;
-      extraEnv = { 
-        SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
-        SEARXNG_PORT = "8080";
-        SEARXNG_BIND_ADDRESS = "[::]";
-        SEARXNG_PUBLIC_INSTANCE = "false";
-        SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
-        #SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
-      };
-      overrides = {
-        cmd = [ ];
-        volumes = [ 
-            "${settings}:/etc/searxng/settings.yml"
-            # "/path/to/your/logo.png:/usr/local/searxng/searx/static/themes/simple/img/searxng.png
-            # "${serverCfg.dataPath}/searxng:/var/cache/searxng/"
-        ];
-       };
-    };
-  };
-}

modules/server/containers/apps/servarr.nix

@@ -1,83 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  serverCfg = config.syscfg.server;
-
-  mkServarrImage = appName: appPkg: binaryPath: pkgs.dockerTools.streamLayeredImage {
-    name = appPkg.name;
-    tag = appPkg.version;
-    contents = with pkgs; [ cacert openssl ];
-    config = {
-      Cmd = [ "${appPkg}/${binaryPath}" "-nobrowser" "-data=/config" ];
-      Env = [ "DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1" "HOME=/tmp" ];
-    };
-  };
-
-  images = {
-    prowlarr = mkServarrImage "prowlarr" pkgs.prowlarr "bin/Prowlarr";
-    radarr   = mkServarrImage "radarr"   pkgs.radarr   "bin/Radarr";
-    sonarr   = mkServarrImage "sonarr"   pkgs.sonarr   "bin/Sonarr";
-    bazarr   = mkServarrImage  "bazarr"   pkgs.bazarr   "bin/bazarr";
-    lidarr   = mkServarrImage "lidarr"   pkgs.lidarr   "bin/Lidarr";
-    readarr  = mkServarrImage "readarr"  pkgs.readarr  "bin/Readarr";
-  };
-
-  sharedVolumes = [
-    "${serverCfg.dataPath}/media:/media" # Fast hardlinking requires a single shared root
-    "${serverCfg.configPath}/servarr:/config-root"
-  ];
-in {
-  sops = true;
-  paths = [
-    { path = "${serverCfg.dataPath}/media/"; mode = "0755"; }
-    { path = "${serverCfg.configPath}/servarr/prowlarr"; mode = "0755"; }
-    { path = "${serverCfg.configPath}/servarr/radarr";   mode = "0755"; }
-    { path = "${serverCfg.configPath}/servarr/sonarr";   mode = "0755"; }
-  ];
-
-  containers = {
-    prowlarr = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      subpath = "prowlarr";
-      imageStream = images.prowlarr;
-      port = 9696;
-      secret = name;
-      extraOptions = [
-        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
-      ];
-      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/prowlarr:/config" ];
-    };
-
-    radarr = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      subpath = "radarr";
-      imageStream = images.radarr;
-      port = 7878;
-      secret = name;
-      extraOptions = [
-        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
-      ];
-      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/radarr:/config" ];
-    };
-
-    sonarr = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      subpath = "sonarr";
-      imageStream = images.sonarr;
-      port = 8989;
-      secret = name;
-      extraOptions = [
-        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
-      ];
-      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/sonarr:/config" ];
-    };
-  };
-
-#   setup = {
-#     trigger = "prowlarr"; # Triggers atomic environment verification on main controller
-#     envFile = config.sops.secrets."SERVARR".path;
-#     script = pkgs.writeShellScript "setup-servarr" ''
-#       echo "Validating multi-container path permission nodes..."
-#     #   mkdir -p ${serverCfg.configPath}/servarr/{prowlarr,radarr,sonarr}
-#     '';
-#   };
-}

modules/server/containers/apps/traefik.nix

@@ -1,87 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  serverCfg = config.syscfg.server;
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = "traefik";
-    tag = pkgs.traefik.version;
-    contents = with pkgs;[ cacert tzdata ];
-    config = {
-      Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
-      WorkingDir = "/";
-    };
-  };
-in {
-  sops = true;
-  paths = [{
-    path="${serverCfg.configPath}/traefik";
-    owner = "1000:1000";
-    mode = "0755";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      imageStream = image;
-      subdomain = containerCfg.subdomain;
-      port = 8080;
-      secret = name;
-      extraLabels = {
-        "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
-        "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
-                
-        "traefik.http.routers.${containerCfg.subdomain}.middlewares" =  if serverCfg.containers?authentik then "authentik" else "";
-      } // (if serverCfg.containers?authentik then {
-        "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
-        "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
-        "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
-        "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
-      } else {}) // (if serverCfg.containers?umami then {
-        "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
-        "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
-        "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
-        "traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
-      } else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then {
-        "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
-        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}";
-        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}";
-      } else {});
-      extraEnv = { };
-      overrides = {
-        cmd = [ 
-          "--api"
-          "--log.level=INFO"
-          "--providers.docker=true"
-          "--global.checknewversion=false"
-          "--global.sendanonymoususage=false"
-          "--api.insecure=true"
-          "--api.dashboard=true"
-          "--providers.docker.exposedByDefault=false"
-          "--entrypoints.web.address=:80"
-          "--entrypoints.web-secure.address=:443"
-          "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
-          "--entrypoints.web.http.redirections.entrypoint.scheme=https"
-          "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
-          "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
-        ] ++ (if serverCfg.containers ? umami  then [
-          "--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
-          "--experimental.plugins.umami-feeder.version=v1.4.1"
-          "--entrypoints.web-secure.http.middlewares=umami-global@docker"
-        ] else []) ++ (if containerCfg.extra ? provider then [
-          "--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}"
-          "--certificatesresolvers.default.acme.dnschallenge=true"
-          "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
-          "--certificatesresolvers.default.acme.storage=/custom/acme.json"
-        ] else []) ++ (if serverCfg.domain != "localhost" then [
-          "--certificatesresolvers.default.acme.httpchallenge=false"
-          "--certificatesresolvers.default.acme.tlschallenge=true"
-        ] else []);
-        ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
-        volumes = [
-          "/var/run/podman/podman.sock:/var/run/docker.sock"
-          # "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
-          "${serverCfg.configPath}/traefik:/custom"
-        ];
-      };
-    };
-  };
-}
-

modules/server/containers/apps/transmission.nix

@@ -1,57 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name, ... }:
-let 
-  serverCfg = config.syscfg.server;
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = pkgs.transmission_4.name;
-    tag = pkgs.transmission_4.version;
-    contents = [ pkgs.cacert ];
-    config = {
-        Cmd = [ "${pkgs.transmission_4}/bin/transmission-daemon" "--foreground" "--config-dir" "/config" ];
-        ExposedPorts = {
-            "9091/tcp" = {};
-            "51413/tcp" = {}; "51413/udp" = {};
-        };
-    };
-  };
-in {
-  paths = [{
-      path = "${serverCfg.dataPath}/transmission/complete";
-      owner = "1000:1000";
-      mode = "0755";
-    }{
-      path = "${serverCfg.dataPath}/transmission/incomplete";
-      owner = "1000:1000";
-      mode = "0755";
-    }{
-      path = "${serverCfg.dataPath}/transmission/config";
-      owner = "1000:1000";
-      mode = "0755";
-    }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      imageStream = image;
-      port = 9091;
-      
-      extraEnv = {
-        PUID = "1000";
-        PGID = "1000";
-        TZ = "Europe/Zurich";
-      };
-      extraLabels = { } // (if serverCfg.containers ? authentik then {
-        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
-      } else {});
-
-      overrides = {
-        cmd = [ ];
-        volumes = [
-          "${serverCfg.dataPath}/transmission/complete:/downloads/complete"
-          "${serverCfg.dataPath}/transmission/incomplete:/downloads/incomplete"
-          "${serverCfg.dataPath}/transmission/config:/config"
-        ];
-      };
-    };
-  };
-
-}

modules/server/containers/apps/trmnl.nix

@@ -1,3 +0,0 @@
-{...}:{
-    
-}

modules/server/containers/apps/umami.nix

@@ -1,54 +0,0 @@
-{ config, containerCfg, pkgs, lib, builder, name,... }:
-let 
-  serverCfg = config.syscfg.server;
-  
-  # Umami image built from nixpkgs
-  image = pkgs.dockerTools.streamLayeredImage {
-    name = pkgs.umami.name;
-    tag = pkgs.umami.version;
-    contents = with pkgs; [ cacert openssl ];
-    config = {
-      # Umami in nixpkgs typically provides a binary or script to start the server
-      Entrypoint = [ "${pkgs.umami}/bin/umami-server" ];
-      ExposedPorts = { "3000/tcp" = {}; };
-      Env = [ "NODE_ENV=production" ];
-    };
-  };
-in {
-  sops = true;
-  db = true;
-  paths = [{
-    path = "${serverCfg.configPath}/umami/";
-    mode = "0444";
-  }];
-
-  containers = {
-    server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
-      image = "${pkgs.umami.name}:${pkgs.umami.version}"; 
-      imageStream = image;
-      port = 3000;
-      secret = name;
-      extraEnv = {
-        PORT = "3000";
-        # HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
-        DATABASE_TYPE = "postgresql";
-        REDIS_URL = "redis://${builder.host}";
-        CLIENT_IP_HEADER = "X-Forwarded-For";
-        BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
-        # DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
-
-      };
-      extraLabels = { } // ( if serverCfg.containers?authentik then {
-        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
-      } else {});
-      extraOptions = [
-        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
-      ];
-      overrides = {
-        cmd = [ "start" ]; # Specific command for the umami binary
-       };
-    };
-  };
-
-}

modules/server/containers/builder.nix

@@ -1,53 +0,0 @@
-{ config, lib, pkgs, serverCfg }:
-let 
-  builder =
-  { image ? null, imageStream ? null, imageFile ? null
-  , secret ? null
-  , subdomain ? null, subpath?null, port ? 0
-  , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
-  , overrides ? { }
-  }:
-  let 
-    routerName = if subpath != null 
-                 then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}" 
-                 else subdomain;
-    base = {
-    image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}" 
-            else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
-    imageStream = imageStream;
-    imageFile = imageFile;
-
-    environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
-    environment = {} // extraEnv;
-
-    labels = (if subdomain!=null then ({
-      "traefik.enable" = "true";
-      "traefik.http.routers.${routerName}.entrypoints" = "web-secure";
-      "traefik.http.routers.${routerName}.rule" = if subpath != null 
-        then "Host(`${subdomain}.${serverCfg.domain}`) && PathPrefix(`/${subpath}`)"
-        else "Host(`${subdomain}.${serverCfg.domain}`)";
-      "traefik.http.routers.${routerName}.tls" = "true";
-    } // lib.optionalAttrs (port!=null) {
-      "traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
-    }) else {
-      "traefik.enable" = "false";
-    }) // extraLabels;
-
-    extraOptions = extraOptions ++ [
-      "--add-host=host.containers.internal:host-gateway"
-    ];
-  };
-  in lib.recursiveUpdate base overrides;
-in {
-  mkContainer = builder;
-  mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
-    mkdir -p $out
-    cp -r ${./data + "/${dir}"}/. $out/
-    find $out -type f | while read file; do
-      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
-        substituteInPlace "$file" --replace "@${n}@" "${toString v}"
-      '') vars)}
-    done
-  '';
-  host = "host.containers.internal"; 
-}

modules/server/containers/data/authentik/authentik.yaml

@@ -1,70 +0,0 @@
-version: 1
-metadata:
-  name: "Initial User Setup"
-  labels:
-    blueprint-type: core
-entries:
-  # Optionally, disable the default enrollment flow entirely
-  - model: authentik_flows.flow
-    identifiers:
-      slug: "default-source-enrollment"
-    attrs:
-      designation: "enrollment"
-      enabled: false
-  # --- GROUPS ---
-  - model: authentik_core.group
-    identifiers:
-      name: "admin"
-    attrs:
-      is_superuser: true
-
-  - model: authentik_core.group
-    identifiers:
-      name: "cloud"
-    attrs:
-      is_superuser: false
-
-  - model: authentik_core.group
-    identifiers:
-      name: "dev"
-    attrs:
-      is_superuser: false
-
-  - model: authentik_core.group
-    identifiers:
-      name: "flix"
-    attrs:
-      is_superuser: false
-
-  - model: authentik_core.group
-    identifiers:
-      name: "family"
-    attrs:
-      is_superuser: false
-
-  # --- ADMIN USERS ---
-  - model: authentik_core.user
-    identifiers:
-      username: !Env DEFAULT_ADMIN_USERNAME
-    attrs:
-      name: !Env DEFAULT_ADMIN_USERNAME
-      email: !Env DEFAULT_ADMIN_EMAIL
-      password: !Env DEFAULT_ADMIN_PASSWORD
-      path: "users"
-      groups:
-        - !Find [authentik_core.group, [name, "admin"]]
-
-  # Disable the Initial Setup Flow
-  - model: authentik_flows.flow
-    identifiers:
-      slug: "initial-setup"
-    attrs:
-      authentication: "require_superuser"
-      enabled: false
-
-  # Disable the default 'akadmin' if it exists
-  - model: authentik_core.user
-    identifiers:
-      username: "akadmin"
-    attrs:
-      is_active: false

modules/server/containers/data/authentik/gitea.yaml

@@ -1,11 +0,0 @@
-version: 1
-metadata:
-  name: gitea-ldap-setup
-entries:
-  - model: authentik_core.application
-    id: gitea-app
-    identifiers:
-      slug: gitea
-    attrs:
-      name: Gitea
-      launch_url: "@GITEA_DOMAIN@"

modules/server/containers/data/authentik/immich.yaml

@@ -1,62 +0,0 @@
-version: 1
-metadata:
-  name: "Immich OAuth2 Provisioning"
-  labels:
-    app: immich
-entries:
-  - model: authentik_providers_oauth2.oauth2provider
-    identifiers:
-      name: "Immich Provider"
-    attrs:
-      authorization_flow:
-        !Find [
-          authentik_flows.flow,
-          [slug, default-provider-authorization-implicit-consent],
-        ]
-      authentication_flow:
-        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-      invalidation_flow:
-        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-      client_type: "confidential"
-      client_id: "immich"
-
-      client_secret: !Env IMMICH_OAUTH_SECRET
-      access_code_validity: "minutes=5"
-      token_validity: "days=30"
-      signing_key:
-        !Find [
-          authentik_crypto.certificatekeypair,
-          [name, "authentik Self-signed Certificate"],
-        ]
-      redirect_uris:
-        - url: "app.immich:///oauth-callback"
-          matching_mode: "strict"
-        - url: "https://@IMMICH_DOMAIN@/auth/login"
-          matching_mode: "regex"
-        - url: "https://@IMMICH_DOMAIN@/user-settings"
-          matching_mode: "regex"
-      property_mappings:
-        - !Find [
-            authentik_providers_oauth2.scopemapping,
-            [name, "authentik default OAuth Mapping: OpenID 'openid'"],
-          ]
-        - !Find [
-            authentik_providers_oauth2.scopemapping,
-            [name, "authentik default OAuth Mapping: OpenID 'email'"],
-          ]
-        - !Find [
-            authentik_providers_oauth2.scopemapping,
-            [name, "authentik default OAuth Mapping: OpenID 'profile'"],
-          ]
-
-  - model: authentik_core.application
-    identifiers:
-      slug: "immich"
-    attrs:
-      name: "Immich"
-      launch_url: "@IMMICH_DOMAIN@"
-      provider:
-        !Find [
-          authentik_providers_oauth2.oauth2provider,
-          [name, "Immich Provider"],
-        ]

modules/server/containers/data/authentik/jellyfin.yaml

@@ -1,11 +0,0 @@
-version: 1
-metadata:
-  name: jellyfin-ldap-setup
-entries:
-  - model: authentik_core.application
-    id: jellyfin-app
-    identifiers:
-      slug: jellyfin
-    attrs:
-      name: Jellyfin
-      launch_url: "@JELLYFIN_DOMAIN@"

modules/server/containers/data/authentik/ldap.yaml

@@ -1,78 +0,0 @@
-version: 1
-metadata:
-  name: Pre-configured LDAP Outpost
-entries:
-  - model: authentik_providers_ldap.ldapprovider
-    identifiers:
-      name: ldap-provider
-    attrs:
-      base_dn: "@AUTHENTIK_LDAP_DC_DOMAIN@"
-      search_group: null
-      authorization_flow:
-        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-      invalidation_flow:
-        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-
-  - model: authentik_core.user
-    state: present
-    identifiers:
-      username: "ldap-service"
-    attrs:
-      name: "LDAP Bind Service Account"
-      type: "service_account"
-      path: "goauthentik.io"
-      is_active: true
-      password: !Env DEFAULT_LDAP_PASSWORD
-      attributes:
-        ak_recovery_immutable: true
-
-  - model: authentik_core.token
-    identifiers:
-      identifier: ldap-outpost-static-token
-    attrs:
-      intent: api
-      key: !Env AUTHENTIK_TOKEN
-      user: !Find [authentik_core.user, [username, "ldap-service"]]
-
-  - model: authentik_outposts.outpost
-    identifiers:
-      name: LDAP Outpost
-    attrs:
-      type: ldap
-      providers:
-        - !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
-      token:
-        !Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
-      config:
-        log_level: info
-        authentik_host: https://sso.test.helcel.net/
-        refresh_interval: minutes=5
-        authentik_host_insecure: false
-
-  - model: authentik_rbac.role
-    state: present
-    identifiers:
-      name: "LDAP Search Role"
-    attrs:
-      permissions:
-        - "authentik_providers_ldap.search_full_directory"
-
-  - model: authentik_core.group
-    state: present
-    identifiers:
-      name: "LDAP Search Group"
-    attrs:
-      users:
-        - !Find [authentik_core.user, [username, "ldap-service"]]
-      roles:
-        - !Find [authentik_rbac.role, [name, "LDAP Search Role"]]
-
-  - model: authentik_core.application
-    id: ldap-placeholder
-    identifiers:
-      slug: ldap
-    attrs:
-      name: ldap
-      group: _
-      provider:
-        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]

modules/server/containers/data/authentik/nextcloud.yaml

@@ -1,58 +0,0 @@
-version: 1
-metadata:
-  name: nextcloud-saml-setup
-entries:
-  - model: authentik_providers_saml.samlprovider
-    identifiers:
-      name: Nextcloud SAML
-    attrs:
-      authorization_flow:
-        !Find [
-          authentik_flows.flow,
-          [slug, default-provider-authorization-explicit-consent],
-        ]
-      invalidation_flow:
-        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-
-      acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
-      audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
-      issuer: https://@AUTHENTIK_DOMAIN@
-      sp_binding: post
-      property_mappings:
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: Name"],
-          ]
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: Email"],
-          ]
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: Groups"],
-          ]
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: Username"],
-          ]
-        - !Find [
-            authentik_core.propertymapping,
-            [name, "authentik default SAML Mapping: User ID"],
-          ]
-
-      signing_kp:
-        !Find [
-          authentik_crypto.certificatekeypair,
-          [name, "authentik Self-signed Certificate"],
-        ]
-      sign_assertion: true
-      sign_response: false
-
-  - model: authentik_core.application
-    identifiers:
-      slug: nextcloud
-    attrs:
-      name: Nextcloud
-      provider:
-        !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
-      launch_url: "@NEXTCLOUD_DOMAIN@"

modules/server/containers/data/authentik/traefik.yaml

@@ -1,46 +0,0 @@
-version: 1
-metadata:
-  name: domain-wide-proxy-setup
-entries:
-  # 1. The Provider
-  - model: authentik_providers_proxy.proxyprovider
-    identifiers:
-      name: Domain Wide Proxy
-    attrs:
-      authorization_flow:
-        !Find [
-          authentik_flows.flow,
-          [slug, default-provider-authorization-implicit-consent],
-        ]
-      invalidation_flow:
-        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-
-      external_host: https://@AUTHENTIK_DOMAIN@
-      cookie_domain: "@COOKIE_DOMAIN@"
-
-      mode: forward_domain
-      intercept_header_auth: true
-
-  # 2. The Application (Required to link the provider)
-  - model: authentik_core.application
-    identifiers:
-      slug: authentik-proxy
-    attrs:
-      name: "Domain Auth Provider"
-      group: _
-      provider:
-        !Find [
-          authentik_providers_proxy.proxyprovider,
-          [name, Domain Wide Proxy],
-        ]
-
-  # 3. Add to Outpost
-  - model: authentik_outposts.outpost
-    identifiers:
-      name: authentik Embedded Outpost
-    attrs:
-      providers:
-        - !Find [
-            authentik_providers_proxy.proxyprovider,
-            [name, Domain Wide Proxy],
-          ]

modules/server/containers/data/invidious/config.yml

@@ -1,137 +0,0 @@
-db:
-    user: invidious_user
-    password: $DB_PASSWORD
-    host: $DB_HOST
-    port: 5432
-    dbname: invidious_db
-
-check_tables: true
-invidious_companion:
-    - private_url: "http://immich-companion:8282/companion"
-
-invidious_companion_key: $SERVER_SECRET_KEY
-port: 3000
-
-external_port: 443
-host_binding: 0.0.0.0
-domain: $INVIDIOUS_DOMAIN
-https_only: false
-#hsts: true
-
-## Accepted values: true, false, dash, livestreams, downloads, local
-#disable_proxy: false
-# use_innertube_for_captions: false
-
-# -----------------------------
-#  Features
-# -----------------------------
-
-popular_enabled: false
-statistics_enabled: true
-registration_enabled: true
-login_enabled: true
-captcha_enabled: false
-admins: ["$DEFAULT_ADMIN_EMAIL"]
-enable_user_notifications: false
-
-# -----------------------------
-#  Background jobs
-# -----------------------------
-
-channel_threads: 1
-#channel_refresh_interval: 30m
-
-full_refresh: false
-feed_threads: 1
-
-jobs:
-    clear_expired_items:
-        enable: true
-    refresh_channels:
-        enable: true
-    refresh_feeds:
-        enable: true
-
-# -----------------------------
-#  Miscellaneous
-# -----------------------------
-
-#banner:
-# use_pubsub_feeds: true
-
-hmac_key: $HMAC_KEY
-#dmca_content:
-#cache_annotations: false
-#modified_source_code_url: ""
-#playlist_length_limit: 500
-
-#########################################
-#
-#  Default user preferences
-#
-#########################################
-
-default_user_preferences:
-    # -----------------------------
-    #  Internationalization
-    # -----------------------------
-
-    #locale: en-US
-    #region: US
-    ## Top 3 preferred languages for video captions.
-    #captions: ["", "", ""]
-
-    # -----------------------------
-    #  Interface
-    # -----------------------------
-
-    dark_mode: "auto"
-    #thin_mode: false
-    feed_menu: ["Subscriptions", "Playlists"]
-    default_home: Subscriptions
-    #max_results: 40
-    #annotations: false
-    #annotations_subscribed: false
-    #comments: ["youtube", ""]
-    #player_style: invidious
-    #related_videos: true
-
-    # -----------------------------
-    #  Video player behavior
-    # -----------------------------
-
-    #preload: true
-    #autoplay: false
-    #continue: false
-    #continue_autoplay: true
-    #listen: false
-    #video_loop: false
-
-    # -----------------------------
-    #  Video playback settings
-    # -----------------------------
-
-    #quality: dash
-    #quality_dash: auto
-    #speed: 1.0
-    #volume: 100
-    #vr_mode: true
-    save_player_pos: true
-
-    # -----------------------------
-    #  Subscription feed
-    # -----------------------------
-
-    #latest_only: false
-    #notifications_only: false
-    unseen_only: true
-    #sort: published
-
-    # -----------------------------
-    #  Miscellaneous
-    # -----------------------------
-
-    #local: false
-    show_nick: false
-    #automatic_instance_redirect: false
-    #extend_desc: false

modules/server/containers/data/invidious/login.cr

@@ -1,101 +0,0 @@
-{% skip_file if flag?(:api_only) %}
-
-module Invidious::Routes::Login
-    def self.login_page(env)
-        locale = env.get("preferences").as(Preferences).locale
-
-        user = env.get? "user"
-        referer = get_referer(env, "/feed/subscriptions")
-        return env.redirect referer if user
-        return error_template(400, "Login has been disabled by administrator.") if !CONFIG.login_enabled
-        
-
-        if forwarded_user = env.request.headers["X-authentik-email"]? 
-            begin
-                email = forwarded_user.try &.downcase.byte_slice(0, 254)
-                
-                return error_template(401, "User ID is a required field") if email.nil? || email.empty?
-                
-                user = Invidious::Database::Users.select(email: email)
-                if user
-                    sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
-                    Invidious::Database::SessionIDs.insert(sid, email)
-                    env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
-
-                    if env.request.cookies["PREFS"]?
-                        cookie = env.request.cookies["PREFS"]
-                        cookie.expires = Time.utc(1990, 1, 1)
-                        env.response.cookies << cookie
-                    end
-                else
-                    return error_template(400, "Registration has been disabled by administrator.") if !CONFIG.registration_enabled
-
-                    sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
-                    user, sid = create_user(sid, email, "")
-
-                    if language_header = env.request.headers["Accept-Language"]?
-                        if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
-                            user.preferences.locale = language.header
-                        end
-                    end
-
-                    Invidious::Database::Users.insert(user)
-                    Invidious::Database::SessionIDs.insert(sid, email)
-
-                    view_name = "subscriptions_#{sha256(user.email)}"
-                    PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}")
-                    env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
-
-                    if env.request.cookies["PREFS"]?
-                        user.preferences = env.get("preferences").as(Preferences)
-                        Invidious::Database::Users.update_preferences(user)
-
-                        cookie = env.request.cookies["PREFS"]
-                        cookie.expires = Time.utc(1990, 1, 1)
-                        env.response.cookies << cookie
-                    end
-                end
-
-                return env.redirect referer
-            rescue ex
-                return error_template(500, "Authentication error: #{ex.message}")
-            end
-        end
-        env.redirect referer
-    end
-
-    def self.login(env)
-        referer = get_referer(env, "/feed/subscriptions")
-        env.redirect referer
-        return error_template(403, "Login post is not supported.")
-    end
-
-    def self.signout(env)
-        locale = env.get("preferences").as(Preferences).locale
-
-        user = env.get? "user"
-        sid = env.get? "sid"
-        referer = get_referer(env)
-
-        return env.redirect referer if !user
-
-        user = user.as(User)
-        sid = sid.as(String)
-        token = env.params.body["csrf_token"]?
-
-        begin
-            validate_request(token, sid, env.request, HMAC_KEY, locale)
-        rescue ex
-            return error_template(400, ex)
-        end
-
-        Invidious::Database::SessionIDs.delete(sid: sid)
-
-        env.request.cookies.each do |cookie|
-            cookie.expires = Time.utc(1990, 1, 1)
-            env.response.cookies << cookie
-        end
-
-        env.redirect referer
-    end
-end

modules/server/containers/default.nix

@@ -1,75 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  serverCfg = config.syscfg.server;
-  builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
-
-in{
-  config = lib.mkMerge [{
-    syscfg.server.loadedContainers = lib.mapAttrs (name: containerCfg:
-      (import (./apps + "/${name}.nix")) { inherit config pkgs lib containerCfg builder name; }
-    ) config.syscfg.server.containers;
-  } (lib.mkIf ( serverCfg.containers != {} ) (
-    let
-      appsList = builtins.attrValues config.syscfg.server.loadedContainers;
-      mergedContainers = lib.concatMapAttrs (appName: app:
-        lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.containers
-      ) config.syscfg.server.loadedContainers;
-      allPathConfigs  = lib.concatMap (app: app.paths) appsList;
-      allSetupConfigs = lib.concatMap (app: if app.setup?script then [({name = app.name; envFile="";} // app.setup)] else []) appsList;
-      allCronsConfigs = lib.concatMap (app: app.cron) appsList;
-    in{
-      virtualisation.oci-containers = {
-        backend = "podman";
-        containers = mergedContainers;
-      };
-      system.activationScripts.container-setup-dirs = {
-        deps = [ "users" "groups" ];
-        text = lib.concatStringsSep "\n" (map (cfg:
-        let
-          effectiveCfg = {
-            owner = "root:root";
-            mode = "0400";
-          } // cfg;
-        in ''
-          ${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
-          ${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
-          ${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
-        '') allPathConfigs);
-      };
-
-      systemd.services = {
-        podman-gc = {
-          description = "Podman garbage collection";
-          serviceConfig.Type = "oneshot";
-          script = ''
-            ${pkgs.podman}/bin/podman container prune -f
-            ${pkgs.podman}/bin/podman image prune -f
-          '';
-          startAt = "weekly";
-        };
-      } // lib.listToAttrs (lib.concatMap (e: [{
-        name = "${e.name}-setup";
-        value = {
-          description = "Run ${e.name} setup";
-          after = [ "podman-${e.name}-${e.trigger}.service" ];
-          wants = [ "podman-${e.name}-${e.trigger}.service" ];
-          wantedBy = [ "multi-user.target" ];
-          serviceConfig = {
-            Type = "oneshot";
-            TimeoutStartSec = "360s";
-            EnvironmentFile = e.envFile;
-            ExecStart = e.script;
-            RemainAfterExit = true;
-            User = "root";
-          };
-        };
-      }]) allSetupConfigs );
-
-      services.cron = {
-        enable = true;
-        systemCronJobs = allCronsConfigs;
-      };
-
-  }))];
-
-}

modules/server/database/default.nix

@@ -1,73 +0,0 @@
-
-{ config, lib, pkgs, ... }:
-let
-
-  listNames = config.syscfg.server.db;
-  containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.db) config.syscfg.server.loadedContainers);
-  allApps = lib.unique (listNames ++ containerNames);
-in {
-  config = lib.mkIf ( builtins.length allApps > 0) {
-    services.postgresql = {
-      enable = true;
-      enableTCPIP = true;
-      extensions = ps: with ps; [ vectorchord pgvector ];
-      settings = {
-        listen_addresses = lib.mkForce "*"; 
-        shared_preload_libraries = "vchord";
-      };
-      authentication = pkgs.lib.mkOverride 10 ''
-         # TYPE  DATABASE        USER            ADDRESS                 METHOD
-         local   all             all                                     trust
-         host    all             all             127.0.0.1/32            trust
-         host    all             all             ::1/128                 trust
-         host    all             all             10.0.0.0/8              scram-sha-256
-         host    all             all             169.254.0.0/16          scram-sha-256
-      '';
-      ensureDatabases = map (name: "${name}_db") allApps;
-      ensureUsers = map (name: { name = "${name}_user"; }) allApps;
-    };
-    services.postgresqlBackup = {
-      enable = true;
-      location = "/var/lib/postgresql/backups";
-      startAt = "*-*-* 04:00:00"; # Runs every day at 4 AM
-      backupAll = true; # Backs up all databases and roles
-    };
-
-    services.redis.servers."main" = {
-      enable = true;
-      port = 6379;
-      bind = "*";
-      settings.protected-mode = "no";
-    };
-
-
-    systemd.services.postgresql-init = {
-      description = "Custom Postgres Setup (Ownership & Passwords)";
-      after = [ "postgresql.service" ];
-      wantedBy = [ "multi-user.target" ];
-      
-      serviceConfig = {
-        Type = "oneshot";
-        User = "postgres";
-        RemainAfterExit = true;
-      };
-
-      script = ''
-        ${pkgs.coreutils}/bin/sleep 20
-        PSQL="${pkgs.postgresql}/bin/psql"
-        ${lib.concatMapStringsSep "\n" (name: ''
-          $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
-          
-          if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
-            PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
-            if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
-                echo "✅ Successfully set password for ${name}_user"
-            else
-                echo "❌ FAILED to set password for ${name}_user"
-            fi
-          fi
-        '') allApps}
-      '';
-    };
-  };
-}

modules/server/default.nix

@@ -1,3 +1,15 @@
-{ config, pkgs, lib, ... }:{
-  imports = [ ./containers ./database ./nftables ./openssh ./sops ];
+{ config, pkgs, lib, ... }:
+let
+in {
+  imports = [ ./sops ];
+  environment.systemPackages = with pkgs; [ arion ];
+  virtualisation.arion = {
+    backend = "podman-socket";
+    projects = {
+      cloud.settings = import ./docker/cloud.nix { inherit config pkgs lib; };
+      authentik.settings =
+        import ./docker/authentik.nix { inherit config pkgs lib; };
+    };
+  };
+
 }

modules/server/docker/authentik.nix

@@ -0,0 +1,104 @@
+{ config, pkgs, lib, ... }:
+let serverCfg = config.syscfg.server;
+in {
+  project.name = "authentik";
+
+  networks = {
+    internal = {
+      name = lib.mkForce "internal";
+      internal = true;
+    };
+    external = {
+      name = lib.mkForce "external";
+      internal = false;
+    };
+  };
+
+  services = {
+
+    auth_postgresql.service = {
+      image = "postgres:14-alpine";
+      container_name = "auth_postgresql";
+      restart = "unless-stopped";
+      networks = [ "internal" ];
+      volumes = [ ];
+      environment = {
+        POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
+        POSTGRES_USER = "authentik";
+        POSTGRES_DB = "authentik";
+      };
+    };
+
+    auth_redis.service = {
+      image = "redis:alpine";
+      container_name = "auth_redis";
+      restart = "unless-stopped";
+      networks = [ "internal" ];
+      volumes = [ ];
+      environment = { };
+      labels = { "traefik.enable" = "false"; };
+    };
+
+    auth_server.service = {
+      image = "ghcr.io/goauthentik/server:latest";
+      container_name = "auth_server";
+      restart = "unless-stopped";
+      networks = [ "internal" "external" ];
+      volumes = [
+        "${serverCfg.dataPath}/authentik/media:/media"
+        "${serverCfg.dataPath}/authentik/templates:/templates"
+      ];
+      environment = {
+        "AUTHENTIK_REDIS__HOST" = "auth_redis";
+        "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
+        "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
+        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
+        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
+        "AUTHENTIK_EMAIL__PORT" = "587";
+        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
+        "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
+        "AUTHENTIK_EMAIL__USE_TLS" = "true";
+        "AUTHENTIK_EMAIL__USE_SSL" = "false";
+        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
+        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.sso.entrypoints" = "web-secure";
+        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.sso.tls" = "true";
+        "traefik.http.services.sso.loadbalancer.server.port" = "9000";
+        "traefik.docker.network" = "external";
+      };
+      command = "server";
+      ports = [
+        "9999:9000" # host:container
+      ];
+    };
+
+    auth_worker.service = {
+      image = "ghcr.io/goauthentik/server:latest";
+      container_name = "auth_worker";
+      restart = "unless-stopped";
+      networks = [ "internal" ];
+      volumes = [
+        "${serverCfg.dataPath}/authentik/media:/media"
+        "${serverCfg.dataPath}/authentik/templates:/templates"
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+      environment = {
+        "AUTHENTIK_REDIS__HOST" = "auth_redis";
+        "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
+        "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
+        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
+      };
+      labels = { "traefik.enable" = "false"; };
+      command = "worker";
+      user = "root";
+    };
+  };
+}

modules/server/docker/cloud.nix

@@ -0,0 +1,152 @@
+{ config, pkgs, lib, ... }:
+let serverCfg = config.syscfg.server;
+in {
+  project.name = "cloud";
+
+  networks = {
+    internal = {
+      name = lib.mkForce "internal";
+      internal = true;
+    };
+    external = {
+      name = lib.mkForce "external";
+      internal = false;
+    };
+  };
+
+  services = {
+
+    cloud_nextcloud.service = {
+      image = "nextcloud:27";
+      container_name = "cloud";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [
+        "${serverCfg.configPath}/data/nextcloud:/var/www/html"
+        "${serverCfg.dataPath}/data/music:/media/music"
+        "${serverCfg.dataPath}/data/video:/media/video"
+        "${serverCfg.dataPath}/data/photo:/media/photo"
+      ];
+      tmpfs = [ "/tmp" ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.nextcloud.entrypoints" = "web-secure";
+        "traefik.http.routers.nextcloud.rule" =
+          "Host(`cloud.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.nextcloud.tls" = "true";
+        "traefik.http.routers.nextcloud.middlewares" =
+          "sts_headers,nextcloud-caldav";
+
+        "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
+          "true";
+        "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
+          "^https://(.*)/.well-known/(card|cal)dav";
+        "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
+          "https://$\${1}/remote.php/dav/";
+        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
+        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
+          "true";
+      };
+    };
+
+    cloud_office.service = {
+      image = "collabora/code:latest";
+      container_name = "cloud_office";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [ ];
+      environment = {
+        username = "COLLABORA_USER";
+        password = "COLLABORA_PASSWORD";
+        aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
+        server_name = "office.${serverCfg.hostDomain}";
+        VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
+        VIRTUAL_PORT = "9980";
+        VIRTUAL_PROTO = "http";
+        DONT_GEN_SSL_CERT = "true";
+        RESOLVE_TO_PROXY_IP = "true";
+        NETWORK_ACCESS = "internal";
+        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
+        dictionaries = "en fr de jp";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.collabora.entrypoints" = "web-secure";
+        "traefik.http.routers.collabora.rule" =
+          "Host(`office.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.collabora.tls" = "true";
+      };
+    };
+
+    cloud_etherpad.service = {
+      image = "etherpad/etherpad:latest";
+      container_name = "etherpad";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [
+        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
+        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
+      ];
+      environment = {
+        NODE_ENV = "production";
+        TITLE = "Helcel-Pad";
+        DB_TYPE = "mysql";
+        DB_HOST = serverCfg.dbHost;
+        DB_PORT = serverCfg.dbPort;
+        DB_NAME = "etherpad";
+        DB_USER = "ETHERPAD_DB_USER";
+        DB_PASS = "ETHERPAD_DB_PASSWORD";
+        DB_CHARSET = "utf8mb4";
+        DEFAULT_PAD_TEXT = "P A D";
+        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
+        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
+        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
+        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.etherpad.entrypoints" = "web-secure";
+        "traefik.http.routers.etherpad.rule" =
+          "Host(`pad.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.etherpad.tls" = "true";
+      };
+    };
+
+    cloud_ethercalc.service = {
+      image = "audreyt/ethercalc:latest";
+      container_name = "ethercalc";
+      restart = "unless-stopped";
+      networks = [ "external" "internal" ];
+      volumes = [
+        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
+        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
+      ];
+      environment = {
+        NODE_ENV = "production";
+        TITLE = "Helcel-Calc";
+        REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
+        REDIS_PORT_6379_TCP_PORT = "6379";
+        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
+        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.ethercalc.entrypoints" = "web-secure";
+        "traefik.http.routers.ethercalc.rule" =
+          "Host(`calc.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.ethercalc.tls" = "true";
+      };
+    };
+
+    cloud_redis.service = {
+      image = "redis:latest";
+      container_name = "ethercalc-redis";
+      restart = "unless-stopped";
+      networks = [ "internal" ];
+      volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
+      environment = { };
+      labels = { "traefik.enable" = "false"; };
+    };
+
+  };
+}

modules/server/docker/sample.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+let serverCfg = config.syscfg.server;
+in {
+  project.name = "name";
+
+  networks = {
+    internal = {
+      name = lib.mkForce "internal";
+      internal = true;
+    };
+    external = {
+      name = lib.mkForce "external";
+      internal = false;
+    };
+  };
+
+  services = {
+
+    NAME.service = {
+      image = "NAME:latest";
+      container_name = "NAME";
+      restart = "unless-stopped";
+      networks = [ "internal" ];
+      volumes = [ ];
+      environment = { };
+      labels = { "traefik.enable" = "false"; };
+    };
+
+  };
+}

modules/server/docker/traefik.nix

@@ -0,0 +1,81 @@
+{ config, pkgs, ... }: {
+  project.name = "traefik";
+
+  networks = {
+    internal = {
+      name = lib.mkForce "internal";
+      internal = true;
+    };
+    external = {
+      name = lib.mkForce "external";
+      internal = false;
+    };
+  };
+
+  services = {
+
+    traefik.service = {
+      image = "traefik:latest";
+      container_name = "traefik";
+      restart = "unless-stopped";
+      networks = [ "internal" "external" ];
+      command = [
+        "--api"
+        "--providers.docker=true"
+        "--entrypoints.web.address=:80"
+        "--entrypoints.web-secure.address=:443"
+      ];
+      port = [ "443" "80" ];
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock:ro"
+        "${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
+        "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
+        "${serverCfg.configPath}/traefik/acme.json:/acme.json"
+      ];
+      environment = {
+        "INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
+      };
+      labels = { "traefik.enable" = "false"; };
+    };
+
+    matomo.service = {
+      image = "matomo:latest";
+      container_name = "matomo";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [
+        "/etc/localtime:/etc/localtime:ro"
+        "${serverCfg.configPath}/matomo:/var/www/html/config:rw"
+        "${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
+      ];
+      environment = { };
+      labels = {
+        "traefik.http.routers.matomo.rule" =
+          "Host(`matomo.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.matomo.entrypoints" = "web-secure";
+        "traefik.http.routers.matomo.tls" = "true";
+      };
+    };
+
+    searx.service = {
+      image = "searxng/searxng:latest";
+      container_name = "searx";
+      restart = "unless-stopped";
+      networks = [ "external" ];
+      volumes = [ "/etc/localtime:/etc/localtime:ro" ];
+      environment = {
+        "BASE_URL" = "https://searx.${serverCfg.hostDomain}";
+        "AUTOCOMPLETE" = "true";
+        "INSTANCE_NAME" = "searx${serverCfg.shortName}";
+      };
+      labels = {
+        "traefik.http.routers.matomo.rule" =
+          "Host(`searx.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.matomo.entrypoints" = "web-secure";
+        "traefik.http.routers.matomo.tls" = "true";
+      };
+    };
+
+  };
+}
+

modules/server/nftables/default.nix

@@ -1,41 +0,0 @@
-{ config, lib, ... }:
-let
- cfg = config.syscfg.server;
-in {
-  config = lib.mkIf (cfg.ipfw.enable) {
-    boot.kernel.sysctl = {
-      "net.ipv4.ip_forward" = 1;
-      "net.ipv6.conf.all.forwarding" = 1;
-    };
-
-    networking.nftables.enable = true;
-    networking.nftables.ruleset = ''
-      table inet nat {
-        chain prerouting {
-          type nat hook prerouting priority dstnat; policy accept;
-          
-          ${lib.concatMapStringsSep "\n" (rule:
-            let
-              srcInt = builtins.elemAt rule 0;
-              dstAddr4 = builtins.elemAt rule 1;
-              dstAddr6 = builtins.elemAt rule 2;
-              srcPort = toString (builtins.elemAt rule 3);
-              dstPort = toString (builtins.elemAt rule 4);
-            in ''
-                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
-                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
-
-                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
-                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
-            ''
-          ) cfg.ipfw.ports}
-        }
-        
-        chain postrouting {
-          type nat hook postrouting priority srcnat; policy accept;
-          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
-        }
-      }
-    '';
-  };
-}

modules/server/openssh/default.nix

@@ -1,27 +0,0 @@
-{ config, lib, ... }: 
-let
-  allUsers = lib.concatMap (peer: if peer.syscfg ? users then peer.syscfg.users else []) config.syscfg.peers;
-  groupedUsers = lib.groupBy (u: u.username) allUsers;
-  allowedUsernames = map (u: u.username) config.syscfg.users;
-  activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers;
-in {
-  config = lib.mkIf (config.syscfg.server.openssh) {
-    services.openssh = {
-        enable = true;
-        ports = [ 422 ];
-        banner = "";
-        settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "no";
-        ClientAliveInterval = 60;
-        ClientAliveCountMax = 3;
-        TCPKeepAlive = true;
-        };
-    };
-    users.users = lib.mapAttrs (name: userList: {
-        openssh.authorizedKeys.keys = lib.unique (
-        lib.concatMap (u: if u ? pubssh then [ u.pubssh ] else []) userList
-        );
-    }) activeUsers;
-    };
-}

modules/server/sops/default.nix

@@ -1,16 +1,10 @@
-{ config, lib, pkgs, ... }:
-let
-  listNames = config.syscfg.server.db;
-  containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.sops) config.syscfg.server.loadedContainers);
-  allApps = lib.unique (listNames ++ containerNames);
-in{
-    sops.secrets = {
-      CUSTOM = { 
-        mode = "0444";
-        sopsFile = ./server.yaml; 
-      };
-    } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
-      mode = "0444";
-      sopsFile = ./server.yaml;
-    }));
+{ config, pkgs, ... }: {
+  sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
+  sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
+    mode = "0400";
+    owner = config.users.users.${config.syscfg.defaultUser}.name;
+    group = config.users.users.${config.syscfg.defaultUser}.group;
+  };
+  sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
+  sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
 }

modules/server/sops/example.server.yaml

@@ -1,38 +0,0 @@
-CUSTOM: |
-  DEFAULT_ADMIN_USERNAME=...
-  DEFAULT_ADMIN_PASSWORD=...
-  DEFAULT_ADMIN_EMAIL=...
-  DEFAULT_LDAP_PASSWORD=...
-TRAEFIK: |
-  INFOMANIAK_ACCESS_TOKEN=...
-AUTHENTIK: |
-  DB_PASSWORD=...
-  POSTGRES_PASSWORD=...
-  AUTHENTIK_SECRET_KEY=...
-  AUTHENTIK_EMAIL__PASSWORD=...
-  AUTHENTIK_TOKEN=...
-NEXTCLOUD: |
-  DB_PASSWORD=...
-  POSTGRES_PASSWORD=...
-COLLABORA: |
-  password=...
-ETHERPAD: |
-  DB_PASSWORD=...
-  DB_PASS=...
-  ADMIN_PASSWORD=...
-  APIKEY=...
-ETHERCALC: |
-  ETHERCALC_KEY=...
-GITEA: |
-  DB_PASSWORD=...
-  GITEA__database__PASSWD=...
-  GITEA__security__SECRET_KEY=...
-  GITEA__security__INTERNAL_TOKEN=...
-SEARXNG: |
-  SEARXNG_SECRET=...
-UMAMI: |
-  DB_PASSWORD=...
-  DATABASE_URL=postgresql://username:mypassword@localhost:5432/mydb
-  APP_SECRET=...
-IMMICH: |
-  DB_URL = "postgresql://immich_user:...@localhost:5432/immich_db";

modules/server/sops/server.yaml

@@ -1,58 +1,68 @@
-CUSTOM: ENC[AES256_GCM,data:8+973kGKWFbxGHTSnc+UDKC1Q5KKiTeESY68XHX2e2BVw7zpl2oYLPYv7wQ3JA2u6q5rFXrokNvh3ti6JcvQ/302APloPrw6YfC8RofjX7h+WVS9cBaND+AlliQqf+vGWI0VQoEFmJKogxbliIN9nGiL9FLa1QJHRJb1X4P76daakh1+P1eJlE4pgPvblPygDezabC/Pa2k3qCaGAvyOOyZYFNj5ttufmB0FlNQZMVLLuyA3xe92z6I/zbFPBY9RNa10v1+Wm5GRdD8JZHsJfPD1bLqH61mt/ZtczVY7fXnX9n3vbYYGaHiF/ylunydXgmAsDXjSWKwq5r7TCDnQR5lPqDpNtbLpnD+aY22e8AOSRlKLOhVUH2CU3B3Ry8pIYbVZz983DHgMoymd8ZISoHE+,iv:8/DRKfCYp+IG/UgxxxN2PgFjdd24Rc4wNpcVHP9KsAo=,tag:/ikcKONeiE5BWVLYoaWaCw==,type:str]
-TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
-AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
-NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
-COLLABORA: ENC[AES256_GCM,data:cLGEziks5dyxTF1jugfpQE0l0nSkDP7MpROzCxCM94jv49sguA+d/SnY1olE8ZP9iCBnlvbMZyNR7uYo88B92Pmv8wVWfeuhHiHFIXh5aaOxntpt80UMg3Jy,iv:gmFG7C893QPuZ4rEqllAlUpNIXMcGsf9+/QCPLhWLTM=,tag:WpKHCUk6zhQRfFX2d6OPbQ==,type:str]
-ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
-ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWNWhDQlTc0ImJoK6efr2uyp3sVu3o+KlCNvUGhDOJ1you6socyTgRP0q7oLPC+Ln+bFP8gWG8v2nyEFY=,iv:YqvVjBFG/WZg1l4aMAiioOruWZ9zcTMr74DVW+1+2DQ=,tag:ePBXd4ddipJtxhFE1amfMg==,type:str]
-GITEA: ENC[AES256_GCM,data:TGsye52g8DVOk51o1dWfF6x3m6BFPe0MtUbOayxYejaYSZ4cDCfx02EPAhiL3FJGLfidZt7+WpjhVqJvFeCvJ1OXdYMQyuL3akPBCmEjmBgBhJvEjVtVgV3aNMS21gy3o0RG/MXDXOLpjHeaXn3G/XWKsv5bw+gg94bDirOguLC5eaFxddn5/UGFvfwXzDmkoNmc9zufGvVpUkRy8rju/TjOz4Q5GZk1gXWtJWdkTGhuVYVBDDHIQq9DBS0qXi8tP3FvY8prOi/c5ZbyyZjTOgNpWB9uU4HkHz4aUTMFIrPFwUeWmNMIdyUmarSQ7tDDdhBfIiLhb94jaMATHq+PfwwpCcmiTfBEG3OS/3SXPMWg6jhfUxvxsKNT2HQca31B9IRqlitaio3r6KEPBTYh2nWtFO9d5Is7TUWkGsOaV+0JSiNPNh5uD7kNyBxsKUKcND7JXMxW/TZOqARY64x6IwDrbcypsyMW5i+4Er1/0HCvZ7FBH1XkTul8vBGF5ZGD/tYp/m6Ld26GKYkj967eYIwlNFcOMGNue5PyJfFCq0qWbLWO9dFA9c2e9r81DCD8y/0S3Ts7X7TkXVGShm7JoMqb8dzg9i6CoNlmbPAM5GwoNV3ftQugvqEGMk5UIvf05YsgSNvq4UJbhsT4bZqpV0plnxYD5TswCGF/XQ3nwwFTudmf1OLcgYwM2NckbVui128o1Rw=,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str]
-SEARXNG: ENC[AES256_GCM,data:gtKhEmMemzLRl4c3cYhMAQ+5vUth1IhWQeLvW1YtaG5TbhQHBR4PDREQOlGt+tlfGQrft+FeNhMSN/SKOp8gmScVWa+9qmltzxRGRpLm3m/VuBZvOlGdeUcKAX8zEH6A,iv:B2UEtjTRIjT6W+tH2gtcl6XMvZNgbvZUXTiBePGOu24=,tag:SHIF6eaWBLwy9RrEy1N9kg==,type:str]
-UMAMI: ENC[AES256_GCM,data:onB/uXLajaRLmeQMGNHFsjREzPih9ha+cogGRw+nRomERSRrbBv+6gCqEr8F3Dcm818JB4jGRYKoIYG8Jl6gMDaz5QQiA4qAnbG19LuzVeVUgz4NGEgXBULoT/0sQacnyAPIfPEp+ESWRQH81nO6Qcs+rICpS2Xfeye5hb+8rSAxmLpY991AJ3+avGyMwPcpfNCkixWt68KuG5ZN/IGDksM/sSLGgyMisClbEdhigq4mwibOxpiWjcKk/17xYgY6Xz93h/yloHKZIZZpnyA+85YC6oNWgCPhkGIAVu3dGshp10a0nk1A2INm6vxNPbfUjYLkt3zDAPZtoBRCqUs+43Eh62hYgajgWCQJhjJkDgF4Y1ifGfDerIXs/cDpIKLt2+7VqM6/ouqIDPJ7khSAr+8bcHU4CKDtsDagob5PpCG4ABt44cg9cGw=,iv:HD450JZuWn2+V0pvOsDHy9oVAanFMf1el9LA1z0PULY=,tag:p7Vl7dtM8UdAUNgmdG+7cg==,type:str]
-IMMICH: ENC[AES256_GCM,data:1y78yeawkRjUXLWPyFdMB5HCDQhb1PoxEMfHmKSZfv0CWloOrQWT735dlH+W9yC6ljZjqVD9Fwq/9GqqKQMTFMCpr8wVRwSHEuqmaG3UgKzbLA3aWZ1SIB0AiJi+eUunzHj2vikUJx9dMRjC+iNXrsVWh2HqMrOyFCWetZoIfxNiAgsgNKPgYYsHLv6OAZs9XT7V3veqe0zc0nyw7ghWSXne/yNhQESyyGlMAdagrJRNimvXIp/AoAUKl2WUJm2MBl7lb6K1YeJ1XW8OjAHzV8isBiUwU8ZD81VJog0fgTGjbUa+HO7jEo+9YwmDIMx3f5z9N4A=,iv:pboITW2rr7+w8VNZM6uYMMEFZ1S/JtqjNOVthpYJ2tQ=,tag:0dgrJ191sB4MLJHMoQBlCg==,type:str]
-INVIDIOUS: ENC[AES256_GCM,data:ZfgU5UFMmG9Cx9UaR0xnKr9VPebG3kut0difTFZmoqOSs+stG6YJfV82OOhj1RQLVJlPr/scydYy1+3LytwvP1BT7tLe0jII7XupbkL0w3n79KBaiIzAPdicqLxeqjKH45I0NjHra4djdnO2Ff4T8CTiFDlPn1rMuiw=,iv:UaDmOKJ4bFPGCaIePLXkWot9E6sTu2nhaVs83sI38G0=,tag:spTjxWEmLfPc8BZl2GglBA==,type:str]
-SERVARR: ENC[AES256_GCM,data:fukF7bejebMU7yp48fix,iv:CZkLyO8N8BqSk+0KDcMDrz1pbwaNH7Pg+NvNebdIdYM=,tag:AOMvnZOE0H6QDCmkPg3Kyw==,type:str]
+INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
         - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rzc3ak4vRVZiNWxNZEN3
-            N21rSjZqUm9XVWF5TUxNTXVybEMzNCtod0NnClNjODB6VWhzU1VHeVdlZ3hEaE5D
-            MW9WWWYvYmt5TmNzMzNudDhLSW12RnMKLS0tIDdjc2ZOK3QxaTFJMFdpTHFzcklr
-            clZnQXpPbWs5aXZJeUlxOWhJNmIrOFkKZfZ19Y4yfCJi1GrxLsv76JyBmuxW/glF
-            BCJCvmdSSOJx5JW26Y3Y3LwiIuL8yboKR+8ZAwU2fG5OQfs+2czFdQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZk1VY3NEZmRkS0J6dU03
+            OUtETWpHL2hLN09kRytNUEhmVnA5WW9yVXlNCmZaZnQ2YUlMMmlrZ2dEZDVFMHA5
+            OUpqOTJJbHVVREtpSFUyaDJDbXltaTgKLS0tIFY0ZkF3Ym5oeHViN3J4eW4vSVYz
+            QkhuU0NLWElyVXpZd2ZpOHhwam04R28KFuaI35e8pB25M2dlP19gApso12ZYJ3ld
+            BpMnp97ShX0I8bZRIYxSHpSrB/J+tt1V4pfGdJq7uWZM7XacPy666A==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
+        - recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cEpsb2gvbDJ0aG5BRWNS
-            WXgydFo3ZkF3SmVIU1EvaHVjb3RvK3BxVDJrCis2ME9zUEVGQURFdmJXS2lTSklk
-            V3ZONHpTZVJqMUxOVkd5ZDlqVTRNdzgKLS0tIGwwR0k1Vll6bEdmZVZvVktzMTRN
-            S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
-            d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZXNjRzJsdFpTdDZhSkRB
+            eW1qSStnZHN5Tzh3bFA1azZIRk42V1RzSTJJCi9MV0k5ZXNQOWJFYnlXdnB3azBL
+            NzNldkFLWlEyT01MeWlFU3RKODU4dWcKLS0tIFJXL1ZsNDgydTgxVGRMYWxyQTNT
+            K1M0TDd1eGd1V3pOcjl1M1VrdDUvbG8KpsWlrr14MOh/8mG+rXpswPPFE3VnpKGt
+            03DWUII3+MMEWLJPLxkNJ9BzCm4Kl1QNHSbJ7Ex6df0b7nB6Ed6Hvw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-15T14:26:21Z"
-    mac: ENC[AES256_GCM,data:fIG4gFNzgbyfkn1ofd23c45MzCCExrga47y9/2vtuzRU5xXmB9A9uA80JQHCoRTdu/2NlJIrGyOKoZK4RENo75s8s2ZK+HzcTNGWyZptLjrRBIiBQJyDHDaAE34Ghdm96m8YwOyBsnanbgz8LhR8gyIDxSMEcqx+OQcOHqPGd20=,iv:fa7ToxI8mWqc5NqPjITqzxLvtTNodj7yohLkP51b058=,tag:DhXrHxqFON5zjI3uNclnxw==,type:str]
+        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5U1VjTjlIMTdLRFQ5R1Av
+            SVBLMFZtV3ppK2VXWjdYelNGTGFOZUJaMndBCjYyZ0IveXFiVDlSUEtNOXk2L3g3
+            UmFIRE1GMEs2QVhUcFJkTHpCWmhhbG8KLS0tIG94NStMUnFZRTRsK2w4cDd4Rms5
+            M1MwTEtJNEFDdjRLVFRseThxNGJUQ0kKKN7QX9qUojNQBknbInaXslaKsAAhEj5y
+            QMXAU6TxlHMv+wZy2RQwMe/zE7RP24TypnX894iV0usTHujyxvfk3w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUHFYMWdVczRPdEFSbFR5
+            VmcxeEU4YWxwRTlDUkRkNVY0dFh5cjVUNjNnCkRSblNaS214dkdrd3JnNE5rZnR3
+            S0JVeXova1h2VnB2ODY0SUYxZm45TjAKLS0tIFN1QXFyTkt3SmV0UVhGMlMxTmpN
+            VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq
+            VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-08T16:05:46Z"
+    mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str]
     pgp:
-        - created_at: "2026-05-05T23:46:27Z"
+        - created_at: "2024-05-08T15:46:52Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA6R3Y9nD7qMBAQ/+JdTDmQhL1+iX7yeyGs1kt9yQeMYkJ+bQD3LqlQVh6Xea
-            yPIdcMBjAf1CNlkJKeJ4QK3f8rsZkxHmUFVDz7yCXctsp81hNBMZ0sauBM50OU4W
-            gQsDailZHgG5qCqKx91qSyVLtzVy4zcoTXy8TWLrSwztCt9qqX9LFZTKyZzNTiHW
-            DHYSwaJdTteXY89pZjPAQ6UtIdoVWaVfvCgaSZAxr3K8IJmobvMhhk/Fgm3CoE6Y
-            mfQd4lQhoqxrn2M/FKc30vg0yKVsiW3qlfnJCVHCxYUtQLVs3cF05lmj7CYy+0Mu
-            7eZlfVj84hCLmd4ccOITkrOTqcBKWKQ5EpE8DGvWlLPEZt407MjaphEJ7dYhkfr/
-            x4HrahZoeVbYX2Va0++picut+cE/NL9F/QMfqP4QhdHQhe74FlQcxpGDtcUIQep5
-            8MvbEAhUpGL4sErg6afmIapxXi3euIXcBDYPatgoAlsH7E8rUTX1Sd4VOgV89kEJ
-            pkl4OOwcaiF+brqtDiTGZf5l6AOugiYTp2Rtq9KMcGEGEmXFLcFKVjNEkZIxNxt3
-            EtrXrNmOCVJm71yOn2ruD9n2EXzFULfeyOhup7eYVfynkEWYlCQNHeaqMy2q656m
-            LWVd89AUzWLcsmY8naWpfekU9K//hLHxRLBzqfouYXJ+Ji/HOvfRj7NZBg6UtgfS
-            XgFOJg3EaLAZEyvEZKWpnWlf3gBTRK3ffaLzs+eddSgzYUutzlOYUZb7v3iEdjta
-            4Ik4F1M+kOGieyVxxLHOHMrOn09+WMmFIiPpBtCIcZmtwOzXNdhbZdFWNx5qPhU=
-            =wXdG
+            hQIMA6R3Y9nD7qMBAQ//bYK5gdxv8fNvG6P4GrD27gQRQXhLGF2+hS54sqEqjeN8
+            NZpHVbNNRR3AggOkT7QY1JO8bOhWscefH1vvBmBuODzh5Fw42t4zNPEDjWZEetxa
+            rClbLEvo7Kz8UKCNb9JIeYx7cr8sPWCmg4GvV1wGjhjr+u5ovuheORnHl+qoLsqv
+            P12PV7VzwC52v92GWiu9LRJqfqZra5GjUXGVXzBcZ9i6CnUDejzssWjhO/fmzKum
+            GbGIi9sf3RmVYsUASDgRBmVAZC3KF7RLi0L6WY0etRocAaWSAgnU1lZ04E8ZtLjk
+            DlCtIpreJ1H0Ym+5EXB94PG0KZjayxKc20YDQ+yYwwSmiCVaUCLlYX2BOoncUYFF
+            MxVgWYwn14R5jyGbh4NyiBxPGHvIUx5RCIo70pMgS6W5ALZYTcNDLF82mj1xTOTy
+            bcuaa7FCuXJif457LCe5TcAa5WYDgKX8pUKzFRhWIckcGwgFCUB0Z7+L9L7F0yt/
+            YZd71cY0Lxlwi61CnWgZZMx2FFpHyBCEmF1A180KUtB1jSkS/AVmlM2z9I0QsR62
+            fTFIaqimPMjUzbuTs0QjUXf8OJZo0/cwo9XeGyCBtJTg7cLdsOFouqfvXhvkdCrR
+            xCLE2Ke5jwmoPKs1t+YpwMMzB57j/rluZCgiz45w7YDXKf4gEp2ra9siFiC/y9PS
+            XgEPymUiDZY0w9S5oGr94cNc6LQId16Zgt1vWHLzgg8QZqkxLTBjUXXc7aoCISQp
+            AwUE62KJucVvWjB3kcgDbNvaDWWC5O48zUavmzkmmP1sqKf0gO/XG52PDG/DF3Y=
+            =cs0r
             -----END PGP MESSAGE-----
           fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
     unencrypted_suffix: _unencrypted
-    version: 3.12.1
+    version: 3.8.1

modules/shared/colors/default.nix

@@ -1,5 +1,5 @@
-{ ... }: {
-  imports = [ ./sorahiro.nix ];
+{ config, ... }: {
+  imports = [ ./sorahiro_soft.nix ];
 
   colorScheme.palette.border-radius = "#8";
   colorScheme.palette.border-width = "#2";

modules/shared/colors/sorahiro.nix

@@ -1,67 +0,0 @@
-{ ... }: 
-let use_pastelle = true;
-in{
-  # usage:  a = "#${config.colorScheme.palette.base00}";
-
-  colorScheme = {
-    slug = "sorahiro";
-    name = "sorahiro";
-    author = "Soraefir @ Helcel";
-    variant = "dark";
-    palette = rec {
-      # Format: Name, Pantone, RAL
-      base00 = "#000000"; # Black / 419C / 9005
-      base01 = "#060a0f"; # Rich Black / 532C / 9005
-      base02 = "#212c38"; # Yankees Blue / 433C / 5011
-      base03 = "#3f5268"; # Police Blue  / 432C / 5000
-      base04 = "#617b9a"; # Slate Gray  / 5415C / 5014
-      base05 = "#90a7c1"; # Pewter Blue / 535C / 5024
-      base06 = "#c9d3df"; # Columbia Blue / 538C / 7047
-      base07 = "#fcfcfc"; # Lotion / 663C / 9016
-      alt00 = "#000000"; # Black / 419C / 9005
-      alt01 = "#0c0906"; # Vampire Black  / 419C / 9005
-      alt02 = "#312920"; # Pine Tree / 440C / 6022
-      alt03 = "#5b4e3e"; # Olive Drab Camouflage / 411C / 7013
-      alt04 = "#887660"; # Shadow / 404C / 7002
-      alt05 = "#b8a083"; # Pale Taupe / 480C / 1019
-      alt06 = "#e1cfb9"; # Desert Sand / 482C / 1015
-      alt07 = "#fcfcfc"; # Lotion / 663C / 9016
-
-      base08 = if use_pastelle then low08 else high08;
-      base09 = if use_pastelle then low09 else high09;
-      base0A = if use_pastelle then low0A else high0A;
-      base0B = if use_pastelle then low0B else high0B;
-      base0C = if use_pastelle then low0C else high0C;
-      base0D = if use_pastelle then low0D else high0D;
-      base0E = if use_pastelle then low0E else high0E;
-      base0F = if use_pastelle then low0F else high0F;
-
-      high08 = "#f09732"; # Deep Saffron / 804C / 1033
-      high09 = "#f2d831"; # Dandelion / 114C / 1016
-      high0A = "#98f12f"; # Green Lizard  / 375C / 6038
-      high0B = "#34f4f0"; # Fluorescent Blue  / 3252C / 6027
-      high0C = "#3193f5"; # Brilliant Azure / 2727C / 5015
-      high0D = "#c156f6"; # Blue-Violet / 2592C / 4006
-      high0E = "#f62ac0"; # Royal Pink / 807C / 4010
-      high0F = "#f42060"; # Deep Carmine Pink / 1925C / 3018
-      alt_high08 = "#f66824"; # Orange-Red / 165C / 2008
-      alt_high0B = "#41f3a4"; # Eucalyptus / 3395C / 6037
-      alt_high0C = "#2abef8"; # Spiro Disco Ball / 298C / 5012
-      alt_high0D = "#837ff5"; # Violets Are Blue / 814C / 4005
-
-      low08 = "#ffac56"; # Rajah  / 150C / 1017
-      low09 = "#feea74"; # Shandy  / 127C / 1016
-      low0A = "#bffe8a"; # Menthol  / 374C / 6018
-      low0B = "#4cfefa"; # Electric Blue / 3252C / 6027
-      low0C = "#62acfd"; # Blue Jeans / 279C / 5012
-      low0D = "#9b9bfd"; # Maximum Blue Purple  / 2715C / 4005
-      low0E = "#fe9bda"; # Lavender Rose / 223C / 4003
-      low0F = "#fc8999"; # Tulip / 1775C / 3014
-      alt_low08 = "#fe946a"; # Atomic Tangerine / 811C / 1034
-      alt_low0B = "#87febf"; # Aquamarine / 353C / 6019
-      alt_low0C = "#38c3fd"; # Picton Blue / 298C / 5012
-      alt_low0D = "#dca2ff"; # Mauve / 2572C / 4005
-
-    };
-  };
-}

modules/shared/colors/sorahiro_hard.nix

@@ -0,0 +1,29 @@
+{ nix-colors, ... }: {
+  # usage:  a = "#${config.colorScheme.palette.base00}";
+
+  colorScheme = {
+    slug = "sorahiro-hard";
+    name = "sorahiro-hard";
+    author = "Soraefir @ Helcel";
+    variant = "dark";
+    palette = {
+      # Format: Name, Pantone, RAL
+      base00 = "#030B12"; # Rich Black / 6C / 000-15-00
+      base01 = "#0C1D2E"; # Maastricht Blue / 5395C / 270-20-15
+      base02 = "#203A53"; # Japanese Indigo / 534C / 260-20-20
+      base03 = "#425F7C"; # Deep Space Sparkle / 7699C / 260-40-20
+      base04 = "#93A9BE"; # Pewter Blue / 535C / 260-70-15
+      base05 = "#B6C5D5"; # Pastel Blue / 5445C / 260-80-10
+      base06 = "#D6DFE8"; # Gainsboro / 642C / 260-90-05
+      base07 = "#F0F3F7"; # White / 656C / 290-92-05
+      base08 = "#F59331"; # Deep Saffron / 715C / 070-70-70
+      base09 = "#F5F531"; # Maximum Yellow / 394C / 100-80-80
+      base0A = "#93F531"; # French Lime / 7488C / 120-70-75
+      base0B = "#31F593"; # Eucalyptus / 3385C / 160-70-50
+      base0C = "#3193F5"; # Brilliant Azure / 2727C / 280-50-40
+      baseOD = "#9331F5"; # Blue-Violet / 7442C / 300-40-45
+      base0E = "#F53193"; # Royal Pink / 232C / 350-50-50
+      base0F = "#F53131"; # Deep Carmine Pink / 1788C / 040-50-70
+    };
+  };
+}

modules/shared/colors/sorahiro_soft.nix

@@ -0,0 +1,29 @@
+{ nix-colors, ... }: {
+  # usage:  a = "#${config.colorScheme.palette.base00}";
+
+  colorScheme = {
+    slug = "sorahiro-soft";
+    name = "sorahiro-soft";
+    author = "Soraefir @ Helcel";
+    variant = "dark";
+    palette = {
+      # Format: Name, Pantone, RAL
+      base00 = "#030B12"; # Rich Black / 6C / 000-15-00
+      base01 = "#0C1D2E"; # Maastricht Blue / 5395C / 270-20-15
+      base02 = "#203A53"; # Japanese Indigo / 534C / 260-20-20
+      base03 = "#425F7C"; # Deep Space Sparkle / 7699C / 260-40-20
+      base04 = "#93A9BE"; # Pewter Blue / 535C / 260-70-15
+      base05 = "#B6C5D5"; # Pastel Blue / 5445C / 260-80-10
+      base06 = "#D6DFE8"; # Gainsboro / 642C / 260-90-05
+      base07 = "#F0F3F7"; # White / 656C / 290-92-05
+      base08 = "#F5B97D"; # Mellow Apricot / 156C / 070-80-40
+      base09 = "#F5F57D"; # Sunny / 393C / 100-90-50
+      base0A = "#B9F57D"; # Yellow-Green / 373C / 120-80-60
+      base0B = "#7DF5B9"; # Aquamarine / 3375C / 150-80-40
+      base0C = "#7DB9F5"; # Light Azure / 278C / 250-70-30
+      base0D = "#B97DF5"; # Lavender / 2572C / 310-60-35
+      base0E = "#F57DB9"; # Persian Pink / 211C / 350-60-45
+      base0F = "#F57D7D"; # Light Coral / 170C / 030-60-50
+    };
+  };
+}

modules/shared/sops/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 let
   isCI = builtins.elem config.syscfg.hostname [ "ci" "sandbox" ];
   keyFilePath = (if isCI then
@@ -14,15 +14,19 @@ in {
   sops.age.keyFile = keyFilePath;
   sops.age.generateKey = true;
 
-  sops.secrets = lib.mkMerge [
-  {
-    wifi = { };
-    "${config.syscfg.hostname}_ssh_priv" = {
-      mode = "0400";
-      owner = config.users.users.${config.syscfg.defaultUser}.name;
-      group = config.users.users.${config.syscfg.defaultUser}.group;
-    };
-    "${config.syscfg.hostname}_wg_priv" = { };
-  }
-];
+  sops.secrets.wifi = { };
+
+  sops.secrets."${config.syscfg.hostname}_ssh_priv" = {
+    mode = "0400";
+    owner = config.users.users.${config.syscfg.defaultUser}.name;
+    group = config.users.users.${config.syscfg.defaultUser}.group;
+  };
+  sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
+    mode = "0400";
+    owner = config.users.users.${config.syscfg.defaultUser}.name;
+    group = config.users.users.${config.syscfg.defaultUser}.group;
+  };
+  sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
+  sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
+
 }

modules/shared/sops/mock.yaml

@@ -1,34 +1,30 @@
-ci_ssh_priv: ENC[AES256_GCM,data:OuWZVS+ul8ERoQHEH8Gq6GdHWY5E3spR0uRu7akTVHrr6vYPWZHdV/8fjqKvfHd+dAeymWXe2Li7NXfXQM+y4OH36r1z9DLstwD4ufUmoHZ/MIO6qlsugzYhMw==,iv:NbLyzilDIH5cT3SC0SLaOn0alxXSIyZ/4Tr1zSBjIjI=,tag:uOzoai0Rq6UthSkWHhw8Hg==,type:str]
-ci_ssh_pub: ENC[AES256_GCM,data:Lu2Ec+HylJzt/IMu1b8AKgGsjpZT7X628pjOYQ==,iv:VZOA/Q9zmbMnf9DsXN90er+tSnJ+syg3QabDuDal92Q=,tag:lef6MRtvgyntMrxphatqmg==,type:str]
-ci_wg_priv: ENC[AES256_GCM,data:IoCn7jrahiJBhKxPuGyexg==,iv:uHbrAq/mSQ6TtMqGhJez3d13u9ZK1S92w49ntXvbA3g=,tag:QrZghdiQbmC9pcjKtIuKug==,type:str]
-ci_wg_pub: ENC[AES256_GCM,data:FB+DBkwDizA3C/s1TCkn,iv:GD3xmJEyD9yZaV72GubGCBi8BW74zmSr2hOl123g0mM=,tag:v189CtpJV7OX0sB9OJaWLA==,type:str]
-sandbox_ssh_priv: ENC[AES256_GCM,data:Wj/M/0VEfY7Ruix7nwi09obpX+w6G+gfGK4ZFTKkbpEEM2JyFnRHhWYQiBvBQOXahTGQ+zAnibCNcHSTCBa66XjMhtY865Hs6FovVCfgx0awTZcns26w5vqJdg==,iv:2NbVjpKTyyiY4rtC/A6s2nABo5p0VAWtzC6b6TrHkvI=,tag:CVi4i9MNi/cU64cn9s0DRA==,type:str]
-sandbox_ssh_pub: ENC[AES256_GCM,data:xbcGusta4qBO0hfmks+VCpN8N4dd/qGkGNREACVKxuSF,iv:/QMFyKaa3nOq1GrLNydq+Q8kS52fK6wsB3MioZN/qVM=,tag:WTZ2wlfBMmANw6EEWl5jew==,type:str]
-sandbox_wg_priv: ENC[AES256_GCM,data:4trdnPhgjlUChATnNx9o3Q==,iv:3efDzVFVCqv6yCNgBEXfQ19oh2bZLPO8my33uBgviW0=,tag:Io1obSodHW/RWWIg8VS8Zg==,type:str]
-sandbox_wg_pub: ENC[AES256_GCM,data:7L4SJdDMi5DZHpLfR6cs,iv:UULKRJvU0lktwmKGcIP/sRAZb0j2e0iL40o3DkSv/+U=,tag:irsolwnnfOjhYfiyanjxjw==,type:str]
-PGP_KEY: ENC[AES256_GCM,data:lwwHWksY+ea8D3z9,iv:/tOEukP7LiNhhdSw870vPeUGhN2lse2v1pZ5fJQglc0=,tag:225sf9GjXc8/NZgcXJIxZA==,type:str]
-wifi: ENC[AES256_GCM,data:Z+pbGAekk26GD3zg4TXVacP4Nrh93HPEMNcT0I1YaA==,iv:oiWZvnKvWmF/6cRZpCLsuf1uPJig6toNla5uT3t2kyM=,tag:iS3sq8JZsNUby9pSxYPw5g==,type:str]
+ci_ssh_priv: ENC[AES256_GCM,data:3Fd7HtFzD+0Pm0qnmaNeivSrEJnH6A3CzLrSyYD4J1rpdHCYdFB2hbZAB5HF3yeCMlyqnApGHxi+9jN8FI54SzwqJQAgSZvKrkBhrs4JIQxPU0ZhOQHvneWYnA==,iv:NbLyzilDIH5cT3SC0SLaOn0alxXSIyZ/4Tr1zSBjIjI=,tag:xGfI8QRlkj4OZDVuV21Kcg==,type:str]
+ci_ssh_pub: ENC[AES256_GCM,data:6BVY3GS9lMLR/dYNxyldcBJe1DrjG/yHjqfCIw==,iv:VZOA/Q9zmbMnf9DsXN90er+tSnJ+syg3QabDuDal92Q=,tag:+xwHADgq22cV5ai9xd6ceQ==,type:str]
+ci_wg_priv: ENC[AES256_GCM,data:uA4eiEhQbbhLkrTyhRX4Tg==,iv:uHbrAq/mSQ6TtMqGhJez3d13u9ZK1S92w49ntXvbA3g=,tag:KwjiYrnuQxrydVKKV4xN4A==,type:str]
+ci_wg_pub: ENC[AES256_GCM,data:MBIdTEkyJBvbTtYrQYS8,iv:GD3xmJEyD9yZaV72GubGCBi8BW74zmSr2hOl123g0mM=,tag:ekUniuYPCSxwlmB1yUbo4w==,type:str]
+sandbox_ssh_priv: ENC[AES256_GCM,data:OG5ZsSQFEbUKLXtHF9MAHWYwnxBM0EyVyj54sPs9XEsFaRXq3WDa+ANnpVqBLtw6cPodLQHyJ5tY/Hr1rdINNGyLPEz/Zm3K7vz6iXUeThAKDhYaCH4vccFFtQ==,iv:2NbVjpKTyyiY4rtC/A6s2nABo5p0VAWtzC6b6TrHkvI=,tag:sO+SUMws8HncC9dmeiJPSg==,type:str]
+sandbox_ssh_pub: ENC[AES256_GCM,data:6bwJAmLuN0dhC8OiBW8qL2Ejt70a2ar02YTAqimnhcez,iv:/QMFyKaa3nOq1GrLNydq+Q8kS52fK6wsB3MioZN/qVM=,tag:XxcTX/REbHl5MKtRecjM2g==,type:str]
+sandbox_wg_priv: ENC[AES256_GCM,data:8d+WCtyGoEH3/4q1DZImUw==,iv:3efDzVFVCqv6yCNgBEXfQ19oh2bZLPO8my33uBgviW0=,tag:+WNPB7b6tVTzDlSVziDO2w==,type:str]
+sandbox_wg_pub: ENC[AES256_GCM,data:rpxkijFKzyKx3uhEa/+j,iv:UULKRJvU0lktwmKGcIP/sRAZb0j2e0iL40o3DkSv/+U=,tag:OWHbfFPbTY6l3Bu/og78Bg==,type:str]
+PGP_KEY: ENC[AES256_GCM,data:IVhL/l0JSPcefX1z,iv:/tOEukP7LiNhhdSw870vPeUGhN2lse2v1pZ5fJQglc0=,tag:++NUJeRhsDE9eRsbKu8Ldw==,type:str]
+wifi: ENC[AES256_GCM,data:SV3yNB/0dBqggh0kOKU98Nodd0VS4K8kTqg7aLyeAg==,iv:w4nspNxswHl2CZ7diPUzupzotfjskzp91NIq4f0v0UM=,tag:7nUHijRlEgyliWn2ZuZo/Q==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
         - recipient: age13qv9dn9806paqgpjwmmkwtdzvv4qpv0ulksq0epnn8ufaxeug5zskyas3z
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbHNVZjRzQi9ram1xNHk3
-            d3pTTStiMjBLZHgwL0cvUGRwRFFzWi9HS2dvCkQ0ZU5UK1owS0N5MHhxOXV1cGVy
-            RnFQbGlhVy9tSVZKYXBqbzZjZU9nd3cKLS0tIDdXdm1qVTYvdS9sQ0Z0aExpTzB1
-            WkNsWVpqaHRSWkl6YXVrN0NoemhiS1EKoDRocdztTLQ5LMwHdlszTFHy+rm+y4RE
-            f97a6Z2J87ZfObRbaap5adVD7qk/tTYHGshT/8G1JxjctsxRgdfsmA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZd0c5ZjZCb0Z6ZXlKaFph
+            S25LcnFaM3NueUdxOEkwQWRVYjZwNEx1TnpVCkJ1RnJsV2IwNWd5RVJBU2pOUnRa
+            UEcrdDVHUnZ3Zng4UVNWZjNhSzRmRGcKLS0tIEpMMGJCZmkrcnFwWjM4ZVF6VmJN
+            aFplU05pYXpPQWZRY202bVhFd3pHdHcKfauUQhzuUwpoaSlky+PlsOTrVQjyCSxi
+            NYlJ7ScbxzJsqTqJbZnD+lbSdWK2XVKXy1Vn4hR0C0WF7g2Y7CU7tg==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSHBpZGg0TlVtMFhjY2Ry
-            NzUrd1pPZFZNdFdLSUxrUUROaVNCTzdGR0hrCkVGUmpGemtFSDErRDArS0Y0WGZu
-            YkYzL2NGMTlnNW1NdStHOGpRN3A1VXcKLS0tIGs0MDIxTmpzSGtRWHZESFhNWXlS
-            Y3N0a2VPUHdoRlpUZ3BPVXROdDRHekEK2YN9ZgCaBPt/8kAkZNgsHp61SYqiFFXX
-            2lF0R1GNmYWm6T0YVCp/2ZN3z4GC+monctg1zoo5QsHfhIOpqIVoTA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-06T13:37:03Z"
-    mac: ENC[AES256_GCM,data:uI9yG3/jGNGn6yoN9W+9K/AUeSowe4Mb9vhh38pwkuKab9zXTFidCWyh1e0TEOsIHrhfK2GPc2fHwc309/la+CoiNxAIYtC4xmoCYxSGrDgbsZEONrusy9AEKpRCO8CqLYyLYaAG9sLqFyIz3GyEnS/j98V3LeemhFtS17J1VHI=,iv:x/7caaKnggoyEaCx5sf+zzSE+3d7atv+o9B1O3QX0Uc=,tag:Tzfs+ACx+4A6kxAZtVQ3KQ==,type:str]
+    lastmodified: "2024-04-14T21:03:55Z"
+    mac: ENC[AES256_GCM,data:W9kM3AaHcZcqVtT4qRpMRYKgmA9pBikAPhdKiPR/Y+0MSjY4c9LPeTBeS1vZzUaTgRHmNh/ns6I9SBO36Hio5qI6m/pjNdr9GfFbBpbnY+5mer6YTitq47TVySC9v+BRkES4A34h1Ky5yvJSDlz2kJfO/WVWllaQd0dxq8rgAU8=,iv:cRxgGKhD6KqXKpK4E12lWIIj99hBFSmGzSIv9LmYEyg=,tag:QXcswnB7GavGrBy1dFpQlQ==,type:str]
+    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.8.1

modules/shared/syscfg/default.nix

@@ -1,13 +1,102 @@
 { inputs, lib, ... }:
 let
-  systemsDir = ../../../systems;
-  systemNames = lib.attrNames (lib.filterAttrs 
-    (name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix")) 
-    (builtins.readDir systemsDir));
+  userOpt = with lib; {
+    username = mkOption { type = types.str; };
+    wm = mkOption {
+      type = types.enum [ "Wayland" "X11" "-" ];
+      default = "-";
+    };
+    git = {
+      username = mkOption { type = types.str; };
+      email = mkOption { type = types.str; };
+      key = mkOption { type = types.str; };
+    };
+  };
+  netOpt = with lib; {
+    ble = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+    wlp = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      nif = mkOption {
+        type = types.str;
+        default = "";
+      };
+    };
+    wg = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      ip4 = mkOption {
+        type = types.str;
+        default = "";
+      };
+      ip6 = mkOption {
+        type = types.str;
+        default = "";
+      };
+    };
+  };
+  makeOpt = with lib; {
+    cli = mkOption {
+      type = types.bool;
+      default = true;
+    };
+    gui = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    virt = mkOption {
+      type = types.bool;
+      default = true;
+    };
+    power = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    game = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    develop = mkOption {
+      type = types.bool;
+      default = false;
+    };
+  };
+  serverOpt = with lib; {
+    hostDomain = mkOption { type = types.str; };
+    shortName = mkOption { type = types.str; };
+    mailDomain = mkOption { type = types.str; };
+    mailServer = mkOption { type = types.str; };
 
+    dbHost = mkOption {
+      type = types.str;
+      default = "localhost";
+    };
+    dbPort = mkOption {
+      type = types.str;
+      default = "3306";
+    };
 
+    configPath = mkOption {
+      type = types.str;
+      default = "/media/config";
+    };
+    dataPath = mkOption {
+      type = types.str;
+      default = "/media/data";
+    };
+
+  };
 in with lib; {
-  options.usercfg = import ./user.nix  {inherit lib;};
+  options.usercfg = userOpt;
   options.syscfg = {
     hostname = mkOption { type = types.str; };
     type = mkOption {
@@ -19,18 +108,18 @@ in with lib; {
       default = "x86_64-linux";
     };
     defaultUser = mkOption { type = types.str; };
-    make = import ./make.nix {inherit lib;};
-    net = import ./net.nix  {inherit lib;};
+    make = makeOpt;
+    net = netOpt;
     users = mkOption {
-      type = types.listOf (types.submodule { options = import ./user.nix  {inherit lib;}; });
+      type = types.listOf (types.submodule { options = userOpt; });
       default = [ ];
     };
-    peers = mkOption {
-      default = map (name: import (systemsDir + "/${name}/cfg.nix")) systemNames;
-    };
     server = mkOption {
-      type = types.oneOf [ types.bool (types.submodule { options = import ./server.nix {inherit lib;}; }) ];
-      default = false;
+      type = types.oneOf [
+        (types.attrs)
+        (types.submodule { options = serverOpt; })
+      ];
+      default = { };
     };
   };
 }

modules/shared/syscfg/make.nix

@@ -1,9 +0,0 @@
-{ lib,... }:
-with lib; {
-    cli = mkOption { type = types.bool; default = true; };
-    gui = mkOption { type = types.bool; default = false; };
-    virt = mkOption { type = types.bool; default = false; };
-    power = mkOption { type = types.bool; default = false; };
-    game = mkOption { type = types.bool; default = false; };
-    develop = mkOption { type = types.bool; default = false; };
-}

modules/shared/syscfg/net.nix

@@ -1,14 +0,0 @@
-{ lib,... }:
-with lib; {
-    ble.enable = mkOption { type = types.bool; default = false; };
-    wlp = {
-        enable = mkOption { type = types.bool; default = false; };
-        nif = mkOption { type = types.str; default = ""; };
-    };
-    wg = {
-        enable = mkOption { type = types.bool; default = false; };
-        ip4 = mkOption { type = types.str; default = ""; };
-        ip6 = mkOption { type = types.str; default = ""; };
-        pubkey = mkOption { type = types.str; default = ""; };
-    };
-}

modules/shared/syscfg/server.nix

@@ -1,92 +0,0 @@
-{ lib,... }:
-let
-
-in with lib; {
-    domain = mkOption { type = types.str; };
-    mailDomain = mkOption { type = types.str; };
-    mailServer = mkOption { type = types.str; };
-
-    configPath = mkOption {
-      type = types.str;
-      default = "/media/config";
-    };
-    dataPath = mkOption {
-      type = types.str;
-      default = "/media/data";
-    };
-
-    colorScheme = mkOption {
-      type = types.attrs;
-      default = (lib.evalModules { modules =[ { freeformType = with lib.types; attrsOf anything; } ../colors ];}).config.colorScheme ;
-    };
-    loadedContainers = lib.mkOption {
-      readOnly = true;
-       type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
-        options = {
-          name = lib.mkOption {type = lib.types.str; default = name;};
-          sops = lib.mkOption {type = lib.types.bool; default = false;};
-          db = lib.mkOption {type = lib.types.bool; default = false;};
-
-          paths = lib.mkOption {type = lib.types.listOf lib.types.attrs; default = [ ];};
-          containers = lib.mkOption {type = lib.types.attrsOf lib.types.attrs; default = { };};
-          cron = lib.mkOption {type = lib.types.listOf lib.types.str; default = [ ];};
-
-          setup = {
-            trigger = lib.mkOption {type = lib.types.str; default = "";};
-            script = lib.mkOption {type = lib.types.nullOr lib.types.package; default = null;};
-            envFile = lib.mkOption {type = with lib.types; coercedTo str (x: [x]) (listOf str); default = [];};
-          };
-        };
-       }));
-        
-    };
-    containers  = mkOption {
-      type = types.attrsOf (types.submodule {
-        options = {
-          subdomain = mkOption { type = types.nullOr types.str; default=null;};
-          subpath = mkOption { type = types.nullOr types.str; default=null;};
-          port = mkOption { type = types.nullOr types.port; default = null; };
-          extra = mkOption { type = types.attrs; default = {}; };
-        };
-      });
-      default = {};
-    };
-    openssh = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    wireguard = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    web = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    ipfw = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      ifs = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-      };
-      ports = mkOption {
-        type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
-        default = [];
-        description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
-        example = [
-          [ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
-          [ "ens3" "10.10.1.2" "IPV6" 80 80 ]
-          [ "ens3" "10.10.1.2" "IPV6" 443 443 ]
-        ];
-      };
-    };
-
-    db = mkOption {
-      type = types.listOf (types.str);
-      default = [ ];
-    };
-
-}

modules/shared/syscfg/user.nix

@@ -1,14 +0,0 @@
-{ lib,... }:
-with lib; {
-    username = mkOption { type = types.str; };
-    pubssh = mkOption { type = types.str; default=""; };
-    wm = mkOption {
-        type = types.enum [ "Wayland" "X11" "-" ];
-        default = "-";
-    };
-    git = {
-        username = mkOption { type = types.str; default = "Anonymous";};
-        email = mkOption { type = types.str; default = "anonymous@domain"; };
-        key = mkOption { type = types.nullOr types.str; default=null; };
-    };
-}