Update modules/server/sops/example.server.yaml

Add modules/server/containers/data/authentik/ldap.yaml
Update modules/server/containers/apps/servarr.nix
2026-05-13 17:32:12 +02:00 · 2026-05-13 17:31:46 +02:00 · 2026-05-13 17:31:29 +02:00 · 2026-05-13 17:31:19 +02:00 · 2026-05-13 17:31:07 +02:00 · 2026-05-13 17:30:57 +02:00
53 changed files with 2218 additions and 620 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ result
 age-key.txt
 .decrypted~common.yaml
 .decrypted*
+.tmp
--- a/flake.lock
+++ b/flake.lock
@@ -45,11 +45,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775037210,
-        "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=",
+        "lastModified": 1777780666,
+        "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "06648f4902343228ce2de79f291dd5a58ee12146",
+        "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
        "type": "github"
      },
      "original": {
@@ -103,11 +103,11 @@
    },
    "hardware": {
      "locked": {
-        "lastModified": 1776983936,
-        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
+        "lastModified": 1778143761,
+        "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
        "type": "github"
      },
      "original": {
@@ -139,11 +139,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777771528,
-        "narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=",
+        "lastModified": 1777851538,
+        "narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51",
+        "rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
        "type": "github"
      },
      "original": {
@@ -174,11 +174,11 @@
    },
    "nixUnstable": {
      "locked": {
-        "lastModified": 1777641297,
-        "narHash": "sha256-WNGcmeOZ8Tr9dq6ztCspYbzWFswr2mPebM9LpsfGxPk=",
+        "lastModified": 1778274207,
+        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0",
+        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
        "type": "github"
      },
      "original": {
@@ -190,11 +190,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1777428379,
-        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
+        "lastModified": 1778003029,
+        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "755f5aa91337890c432639c60b6064bb7fe67769",
+        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
        "type": "github"
      },
      "original": {
@@ -221,11 +221,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1777578337,
-        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
+        "lastModified": 1777954456,
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
        "type": "github"
      },
      "original": {
@@ -241,11 +241,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1777763626,
-        "narHash": "sha256-UFwZDbdMezNnxZwikhDR4EWiCPUiEmPXHmqLOrcG34g=",
+        "lastModified": 1778376280,
+        "narHash": "sha256-pL2F2FF2FN7zWr5o/vG7GiYOSjp+DUNyPIYqNaLQFFs=",
        "owner": "nix-community",
        "repo": "nur",
-        "rev": "3873764e5896bd6da6cf0df17172849ea51ac5eb",
+        "rev": "828688994167eb57628c98fd1d7e1223b079cda1",
        "type": "github"
      },
      "original": {
@@ -274,11 +274,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777338324,
-        "narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=",
+        "lastModified": 1777944972,
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -17,19 +17,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    # hyprland = {
-    #   url = "github:hyprwm/Hyprland";
-    #   inputs.nixpkgs.follows = "nixpkgs";
-    # };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-colors.url = "github:misterio77/nix-colors";
-
-    arion.url = "github:hercules-ci/arion";
-    arion.inputs.nixpkgs.follows = "nixpkgs";
-
  };

  outputs = inputs:
--- a/generator.nix
+++ b/generator.nix
@@ -13,7 +13,6 @@
          ./modules/nixos
          syscfg
          ./systems/${host}
-          inputs.arion.nixosModules.arion
          inputs.sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.home-manager
          {
--- a/modules/nixos/system/hw/virt/default.nix
+++ b/modules/nixos/system/hw/virt/default.nix
@@ -18,5 +18,6 @@
        };
      };
    };
+    virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
  };
 }
--- a/modules/nixos/system/network/base/default.nix
+++ b/modules/nixos/system/network/base/default.nix
@@ -7,11 +7,13 @@
    firewall = { 
      enable = true;
      allowedUDPPorts = 
-        (if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++ 
+        (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++ 
+        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
        [ ];

      allowedTCPPorts = 
-        (if config.syscfg.server ? web       then [ 80 443 22 ] else [ ]) ++ 
+        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
+        (if (config.syscfg.server != false) then [ 5432 6379 ] else [ ]) ++ 
        [ ];
    };
  };
--- a/modules/server/containers/apps/.template.nix
+++ b/modules/server/containers/apps/.template.nix
@@ -0,0 +1,46 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "EXAMPLE";
+    tag = "0.0.0";
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "echo 1" ];
+      ExposedPorts = {  };
+    };
+  };
+  templateData = builder.mkData { name = "template"; dir = "template"; vars = {
+      _ARGUMENT = "template";
+    };
+  };
+in {
+  sops = false;
+  db = false;
+  paths = [{
+    path="${serverCfg.configPath}/example/";
+    mode = "0444";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8080;
+      secret = name;
+      extraEnv = { };
+      overrides = {
+        cmd = [ ];
+        volumes = [ ];
+       };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."EXAMPLE".path;
+    script = pkgs.writeShellScript "setup" ''
+      ...
+    '';
+  };
+}
--- a/modules/server/containers/apps/.todo.md
+++ b/modules/server/containers/apps/.todo.md
@@ -0,0 +1,8 @@
+# Missing
+
+RSS: TTRSS / FreshRSS
+Monitoring: Telegraf + InfluxDB
+https://github.com/tarampampam/error-pages ?
+
+- JellyFin external mkData for config (system.xml)
+- Transmission Cfg and API/Token handling
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -0,0 +1,109 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "2026.2.2";
+  serverCfg = config.syscfg.server;
+  authentikData = builder.mkData { 
+    name = "authentik"; dir = "authentik"; vars = {
+      NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
+      AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
+      COOKIE_DOMAIN = "${serverCfg.hostDomain}";
+      AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
+    };
+  };
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path="${serverCfg.configPath}/authentik/media";
+    owner = "1000:1000";
+    mode = "0755";
+  }{
+    path="${serverCfg.configPath}/authentik/templates";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "ghcr.io/goauthentik/server:${version}";
+      port = 9000;
+      secret = name;
+      extraEnv = {
+        AUTHENTIK_REDIS__HOST = builder.host;
+        AUTHENTIK_POSTGRESQL__HOST = builder.host;
+        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
+        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
+        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
+        AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
+        AUTHENTIK_EMAIL__PORT = "587";
+        AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.hostDomain}";
+        AUTHENTIK_EMAIL__USE_TLS = "true";
+        AUTHENTIK_EMAIL__USE_SSL = "false";
+        AUTHENTIK_EMAIL__TIMEOUT = "10";
+        AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.hostDomain}";
+        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+      };
+      overrides = {
+        cmd = [ "server" ];
+        ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:9000" ] else [];
+        volumes = [
+          "${serverCfg.configPath}/authentik/media:/media"
+          "${serverCfg.configPath}/authentik/templates:/templates"
+          "${authentikData}:/blueprints/custom:ro"
+        ];
+      };
+    };
+
+    worker = builder.mkContainer {
+      image = "ghcr.io/goauthentik/server:${version}";
+      secret = "authentik";
+      extraEnv = {
+        AUTHENTIK_REDIS__HOST = builder.host;
+        AUTHENTIK_POSTGRESQL__HOST = builder.host;
+        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
+        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
+        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
+        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+      };
+      overrides = {
+        cmd = [ "worker" ];
+        volumes = [
+          "${serverCfg.configPath}/authentik/media:/media"
+          "${serverCfg.configPath}/authentik/templates:/templates"
+          "${authentikData}:/blueprints/custom:ro"
+        ];
+      };
+    };
+
+    ldap = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "ghcr.io/goauthentik/ldap:${version}";
+      secret = name;
+      extraEnv = {
+        "AUTHENTIK_HOST" = "http://${builder.host}:9000"; 
+        "AUTHENTIK_INSECURE" = "false"; 
+      };
+      overrides = {
+        ports = [ "389:3389" "636:6636" ];
+      };
+    };
+  };
+
+  setup = {
+    trigger = "worker";
+    script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"
+
+      $AK apply_blueprint /blueprints/custom/authentik.yaml
+      $AK apply_blueprint /blueprints/custom/traefik.yaml
+      $AK apply_blueprint /blueprints/custom/ldap.yaml
+      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
+
+      echo "Completed Authentik Setup"
+      '';
+  };
+}
--- a/modules/server/containers/apps/collabora.nix
+++ b/modules/server/containers/apps/collabora.nix
@@ -0,0 +1,34 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+version = "latest";
+serverCfg = config.syscfg.server;
+in {
+  sops = true;
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "collabora/code:${version}";
+      port = 9980;
+      secret = name;
+      extraEnv = {
+        "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";
+        "server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
+        "username" = "collabora_user";
+        "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
+        "VIRTUAL_PORT" = "9980";
+        "VIRTUAL_PROTO" = "http";
+        "DONT_GEN_SSL_CERT" = "true";
+        "RESOLVE_TO_PROXY_IP" = "true";
+        "extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
+        "dictionaries" = "en fr de jp no";
+      };
+      
+      overrides = {
+        volumes = [
+          "${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
+          "${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
+        ];
+      };
+    };
+  };
+}
--- a/modules/server/containers/apps/ethercalc.nix
+++ b/modules/server/containers/apps/ethercalc.nix
@@ -0,0 +1,39 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  ethercalc_exe = pkgs.ethercalc;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "ethercalc";
+    tag = ethercalc_exe.version;
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
+      ExposedPorts = { "8080/tcp" = {}; };
+    };
+  };
+in {
+  sops = true;
+  paths = [{
+    path="${serverCfg.dataPath}/ethercalc/";
+    mode = "0666";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8080;
+      secret = name;
+      extraEnv = {
+        ETHERCALC_PORT = "8080";
+        #CONNECT TO REDIS
+      };
+      overrides = {
+        volumes = [
+          "${serverCfg.dataPath}/ethercalc:/data"
+        ];
+       };
+    };
+  };
+}
--- a/modules/server/containers/apps/etherpad.nix
+++ b/modules/server/containers/apps/etherpad.nix
@@ -0,0 +1,124 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  etherpad_exe = pkgs.etherpad-lite;
+  settings = pkgs.writeText"settings.json" (builtins.toJSON {
+    title= "\${TITLE:Etherpad}";
+    showRecentPads = "\${SHOW_RECENT_PADS:true}";
+    favicon = "\${FAVICON:null}";
+    publicURL = "\${PUBLIC_URL:null}";
+    skinName = "\${SKIN_NAME:colibris}";
+    skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
+    ip = "\${IP:0.0.0.0}";
+    port = "\${PORT:9001}";
+    showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
+    enableMetrics = "\${ENABLE_METRICS:true}";
+    updates.tier = "off";
+    cleanup.enabled = false;
+    gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
+    authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
+    enableDarkMode = "\${ENABLE_DARK_MODE:true}";
+    enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
+    dbType = "\${DB_TYPE:dirty}";
+    dbSettings = {
+      host =       "\${DB_HOST:undefined}";
+      port =       "\${DB_PORT:undefined}";
+      database =   "\${DB_NAME:undefined}";
+      user =       "\${DB_USER:undefined}";
+      password =   "\${DB_PASS:undefined}";
+      charset =    "\${DB_CHARSET:undefined}";
+      filename =   "\${DB_FILENAME:var/dirty.db}";
+      collection = "\${DB_COLLECTION:undefined}";
+      url =        "\${DB_URL:undefined}";
+    };
+    defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
+    padOptions = {
+      noColors =         "\${PAD_OPTIONS_NO_COLORS:false}";
+      showControls =     "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
+      showChat =         "\${PAD_OPTIONS_SHOW_CHAT:true}";
+      showLineNumbers =  "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
+      useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
+      userName =         "\${PAD_OPTIONS_USER_NAME:null}";
+      userColor =        "\${PAD_OPTIONS_USER_COLOR:null}";
+      rtl =              "\${PAD_OPTIONS_RTL:false}";
+      alwaysShowChat =   "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
+      chatAndUsers =     "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
+      lang =             "\${PAD_OPTIONS_LANG:null}";
+      fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
+      enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
+    };
+
+    requireSession = "\${REQUIRE_SESSION:false}";
+    editOnly = "\${EDIT_ONLY:false}";
+    minify = "\${MINIFY:true}";
+    requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
+    requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
+    trustProxy = "\${TRUST_PROXY:true}";
+    ep_headerauth.username_header = "X-authentik-username";
+    users.admin = {
+      password = "\${ADMIN_PASSWORD:null}";
+      is_admin = true;
+    };
+    socketTransportProtocols = ["websocket" "polling"];
+    socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
+    indentationOnNewLine = true;
+
+    loglevel = "\${LOGLEVEL:INFO}";
+    lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
+  });
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "etherpad";
+    tag = etherpad_exe.version;
+    contents = [ pkgs.bashInteractive ];
+    config = {
+      Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
+      ExposedPorts = { "8080/tcp" = {}; };
+    };
+  };
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path="${serverCfg.configPath}/etherpad/";
+    mode = "0444";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8080;
+      secret = name;
+      extraEnv = {
+        TITLE = "Pad";
+        PORT ="8080";
+        DB_TYPE = "postgres";
+        DB_HOST = builder.host;
+        DB_NAME = "etherpad_db";
+        DB_USER = "etherpad_user";
+        TRUST_PROXY = "true";
+        DB_CHARSET = "utf8mb4";
+        DEFAULT_PAD_TEXT = "";
+        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
+        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
+        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+      };
+      overrides = {
+        cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
+        volumes = [
+          "${settings}:/etc/etherpad/settings.json"
+          "${serverCfg.configPath}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
+        ];
+       };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."ETHERPAD".path;
+    script = pkgs.writeShellScript "setup" ''
+      echo "$APIKEY" > ${serverCfg.configPath}/etherpad/APIKEY.txt
+      chmod 444 ${serverCfg.configPath}/etherpad/APIKEY.txt
+    '';
+  };
+}
--- a/modules/server/containers/apps/frigate.nix
+++ b/modules/server/containers/apps/frigate.nix
@@ -0,0 +1,95 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  
+  # Ensure the package is available (Nixpkgs includes frigate)
+  frigatePkg = pkgs.frigate;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "frigate";
+    tag = frigatePkg.version;
+    contents = [ 
+      pkgs.bashInteractive 
+      frigatePkg
+      pkgs.ffmpeg # Explicitly included for video stream processing
+    ];
+    config = {
+      Entrypoint = [ "${frigatePkg}/bin/frigate" ];
+      Cmd = [ "start" ];
+      ExposedPorts = {
+        "5000/tcp" = {}; # Web UI / API
+        "8554/tcp" = {}; # RTSP Feeds
+        "8555/tcp" = {}; # WebRTC
+      };
+      Env = [
+        "FRIGATE_RTSP_PASSWORD=secret" # Base fallback, overridden by envFile/sops
+      ];
+    };
+  };
+in {
+  sops = true; # Enabled to safeguard sensitive camera RTSP stream credentials
+  db = false;  # Internal SQLite is used by default in Frigate
+
+  paths = [
+    {
+      path = "${serverCfg.configPath}/frigate/";
+      mode = "0755";
+    }
+    {
+      path = "/var/lib/frigate/storage/";
+      mode = "0755"; # Dedicated path for heavy video recordings and media
+    }
+  ];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 5000;
+      secret = name;
+      extraEnv = {
+        PLUS_API_KEY = ""; # Optional: For Frigate Plus users
+      };
+      overrides = {
+        cmd = [ ];
+        volumes = [
+          "${serverCfg.configPath}/frigate:/config"
+          "/var/lib/frigate/storage:/media/frigate"
+          "/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
+          "/dev/dri:/dev/dri"         # Passes Intel/AMD GPU for hardware video decoding
+        ];
+      };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."FRIGATE_ENV".path;
+    script = pkgs.writeShellScript "setup-frigate" ''
+      mkdir -p "${serverCfg.configPath}/frigate"
+      mkdir -p "/var/lib/frigate/storage"
+      
+      # Bootstrap a standard configuration layout if missing
+      if [ ! -f "${serverCfg.configPath}/frigate/config.yml" ]; then
+        cat <<EOF > "${serverCfg.configPath}/frigate/config.yml"
+mqtt:
+  enabled: False # Set to True and define host if connecting to Home Assistant
+
+database:
+  path: /config/frigate.db
+
+cameras:
+  dummy_camera: # Replace with your actual RTSP stream details
+    enabled: false
+    ffmpeg:
+      inputs:
+        - path: rtsp://127.0.0.1:554/live
+          roles:
+            - detect
+    detect:
+      enabled: false
+EOF
+      fi
+    '';
+  };
+}
--- a/modules/server/containers/apps/gitea.nix
+++ b/modules/server/containers/apps/gitea.nix
@@ -0,0 +1,130 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "latest";
+  serverCfg = config.syscfg.server;
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path="${serverCfg.dataPath}/gitea/data";
+    owner = "1000:1000";
+    mode = "0755";
+  }{
+    path="${serverCfg.dataPath}/gitea/data-runner";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "gitea/gitea:${version}";
+      port = 8080;
+      secret = name;
+      
+      extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
+        GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
+        GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
+        GITEA__repository__DISABLE_STARS = "true";
+        GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
+        # GITEA__ui__THEMES = "";
+        # GITEA__ui__DEFAULT_THEME = "";
+
+        # GITEA__security__SECRET_KEY = "SECRET_ENV";
+        # GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
+        # GITEA__database__PASSWD = "SECRET_ENV";
+        # GITEA__mailer__PASSWD="SECRET_ENV";
+
+        GITEA__database__DB_TYPE = "postgres"; 
+        GITEA__database__HOST = builder.host;
+        GITEA__database__NAME = "gitea_db";
+        GITEA__database__USER = "gitea_user";
+
+
+        GITEA__mailer__ENABLED = "true";
+        GITEA__mailer__FROM = "";
+        GITEA__mailer__PROTOCOL = "smtps";
+        GITEA__mailer__SMTP_ADDR = "";
+        GITEA__mailer__SMTP_PORT = "";
+        GITEA__mailer__USER= "";
+
+        GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
+        GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.hostDomain}/";
+        GITEA__server__PROTOCOL = "http";
+        GITEA__server__HTTP_PORT = "8080";
+        GITEA__server__LFS_START_SERVER = "true";
+        GITEA__security__INSTALL_LOCK = "true";
+
+      } // ( if serverCfg.containers?authentik then {
+        GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
+        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
+        GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
+        GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/outpost.goauthentik.io/sign_out";
+        GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
+        GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
+        GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
+        GITEA__security__RREVERSE_PROXY_LIMIT = "1";
+        GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
+      } else {});
+      extraLabels = {
+        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.hostDomain}`) && Path(`/user/login`) ";
+        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
+        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+      };
+
+      overrides = {
+        volumes = [
+          "${serverCfg.dataPath}/gitea/data:/data"
+        ];
+        ports = [ "2222:22" ]; 
+      };
+    };
+
+    runner = builder.mkContainer {
+      image = "gitea/act_runner:${version}";
+      secret = name;
+      extraEnv = { 
+        CONFIG_FILE="/data/config.yml";
+        GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
+        GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
+      };
+
+      overrides = {
+        volumes = [
+          "${serverCfg.dataPath}/gitea/data-runner:/data"
+          "/var/run/podman/podman.sock:/var/run/docker.sock"
+        ];
+        # ports = [ "8088:8088" ]; 
+      };
+    };
+  };
+
+
+  setup = {
+    trigger = "server";
+    envFile = config.sops.secrets."CUSTOM".path;
+    script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
+      GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
+
+      $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
+
+      RUNNER_TOKEN=$($GT actions generate-runner-token)
+      $GTR register \
+        --instance "https://${containerCfg.subdomain}.${serverCfg.hostDomain}" \
+        --token "$RUNNER_TOKEN" \
+        --name "Runner" \
+        --labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
+        --no-interactive
+
+
+      echo "Completed Gitea Setup"
+      '';
+  };
+}
--- a/modules/server/containers/apps/handbrake.nix
+++ b/modules/server/containers/apps/handbrake.nix
@@ -0,0 +1,3 @@
+{...}:{
+    
+}
--- a/modules/server/containers/apps/homeassistant.nix
+++ b/modules/server/containers/apps/homeassistant.nix
@@ -0,0 +1,43 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.home-assistant.name;
+    tag = pkgs.home-assistant.version;
+    contents = [  ];
+    config = {
+      Entrypoint = [ "${pkgs.home-assistant}/bin/hass" ];
+      ExposedPorts = {
+        "8123/tcp" = {};
+      };
+    };
+  };
+in {
+  sops = true;
+  db = false;
+  
+  paths = [{
+    path = "${serverCfg.configPath}/homeassistant/";
+    mode = "0755"; 
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8123;
+      secret = name;
+      extraEnv = {
+        TZ = config.time.timeZone or "UTC";
+      };
+      overrides = {
+        cmd = [ "--config" "/config" ];
+        volumes = [
+          "${serverCfg.configPath}/homeassistant/:/config"
+          "/run/dbus:/run/dbus:ro" # Required for Bluetooth/mDNS service discovery
+        ];
+      };
+    };
+  };
+
+}
--- a/modules/server/containers/apps/immich.nix
+++ b/modules/server/containers/apps/immich.nix
@@ -0,0 +1,57 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+
+  immichServerImage = pkgs.dockerTools.pullImage {
+    imageName = "ghcr.io/immich-app/immich-server";
+    imageDigest = "sha256:d5cb251d7c3bcbb8e5bb974c8de53f3e1f0efcb71e21bde1b66df872a0a2df3d";
+    sha256 = "0000000000000000000000000000000000000000000000000000";
+  };
+  immichMachineLearningImage = pkgs.dockerTools.pullImage {
+    imageName = "ghcr.io/immich-app/immich-machine-learning";
+    imageDigest = "sha256:4a25fdcd11c13bc33e8b4e7eef118bc23dbd4df012012ec6d7fb1eeef872ad4d";
+    sha256 = "0000000000000000000000000000000000000000000000000000";
+  };
+
+in {
+  sops = false;
+  db = true;
+
+  paths = [{
+    path = "${serverCfg.configPath}/immich/cache";
+    mode = "0750";
+  }{
+    path = "${serverCfg.dataPath}/immich/";
+    mode = "0750";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = immichServerImage;
+      port = 2283;
+      secret = name;
+      extraEnv = {
+        DB_URL = "postgresql://immich_user:\${DB_PASS}@${builder.host}/immich_db";
+        IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
+        REDIS_HOSTNAME = builder.host;
+      };
+      overrides = {
+        volumes = [
+          "${serverCfg.dataPath}/immich:/usr/src/upload"
+        ];
+      };
+    };
+
+    immich-ml = builder.mkContainer {
+      imageStream = immichMachineLearningImage;
+      port = 3003;
+      overrides = {
+        volumes = [
+          "${serverCfg.configPath}/immich/cache:/cache"
+        ];
+      };
+    };
+  };
+
+}
--- a/modules/server/containers/apps/influx.nix
+++ b/modules/server/containers/apps/influx.nix
@@ -0,0 +1,45 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  influxPkg = pkgs.influxdb2;
+
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = influxPkg.name;
+    tag = influxPkg.version;
+    contents = [ ];
+    config = {
+      Entrypoint = [ "${influxPkg}/bin/influxd" ];
+      ExposedPorts = {
+        "8086/tcp" = {}; # Combined Engine and UI port
+      };
+    };
+  };
+in {
+  sops = true; # Highly recommended for initial admin passwords and setup tokens
+  db = false;  # Using InfluxDB directly as the primary database
+  
+  paths = [{
+    path = "${serverCfg.configPath}/influxdb/";
+    mode = "0700"; # Strict database permissions
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8086;
+      secret = name;
+      extraEnv = {
+        INFLUXD_CONFIG_PATH = "var/lib/influxdb2/config";
+        INFLUXD_BOLT_PATH = "/var/lib/influxdb2/influxdb.bolt";
+        INFLUXD_ENGINE_PATH = "/var/lib/influxdb2/engine";
+      };
+      overrides = {
+        volumes = [
+          "${serverCfg.configPath}/influxdb/:/var/lib/influxdb2"
+        ];
+      };
+    };
+  };
+
+}
--- a/modules/server/containers/apps/invidious.nix
+++ b/modules/server/containers/apps/invidious.nix
@@ -0,0 +1,47 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+
+  invidiousImage = pkgs.dockerTools.pullImage {
+    imageName = "quay.io/invidious/invidious";
+    imageDigest = "sha256:7b5cfca1b369cbb87a6c983a54d588cb375ff60c6d71b3e1f0e2f59265f2a1b9"; # Pin tag digest
+    sha256 = lib.fakeSha256; 
+  };
+  companionImage = pkgs.dockerTools.pullImage {
+    imageName = "quay.io/invidious/inv-sig-helper";
+    imageDigest = "sha256:2d150b07b1406b3a0c25a5f1e8e25d6b46efbb12dbfde6125026bc9812a647ad";
+    sha256 = lib.fakeSha256;
+  };
+
+in {
+  sops = true;
+  db = true;
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = invidiousImage;
+      port = 3000;
+      secret = name;
+      extraEnv = {
+        INVIDIOUS_DATABASE_URL = "postgres://invidious_user:\${DB_PASS}@${builder.host}/invidious_db";
+        INVIDIOUS_HMAC_KEY = "\${HMAC_KEY}";
+        INVIDIOUS_COMPANION_URL = "http://invidious-companion:12999";
+        INVIDIOUS_PO_TOKEN = "\${PO_TOKEN}";
+        INVIDIOUS_VISITOR_DATA = "\${VISITOR_DATA}";
+        INVIDIOUS_PORT = "3000";
+        INVIDIOUS_COMPANION_KEY = "\${INVIDIOUS_KEY}";
+        INVIDIOUS_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
+        #registration_enabled: false
+      };
+    };
+
+    companion = builder.mkContainer {
+      imageStream = companionImage;
+      port = 12999;
+      overrides = {
+        cmd = [ "--tcp" "0.0.0.0:12999" ];
+      };
+    };
+  };
+}
--- a/modules/server/containers/apps/jellyfin.nix
+++ b/modules/server/containers/apps/jellyfin.nix
@@ -0,0 +1,68 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
+    name = pkgs.jellyfin.name;
+    tag = pkgs.jellyfin.version;
+    contents = [
+      pkgs.cacert
+    ];
+    config = {
+      Entrypoint = [ "${pkgs.jellyfin}/bin/jellyfin" ];
+      ExposedPorts = { "8096/tcp" = { }; };
+    };
+  };
+
+in {
+  paths = [
+    {
+      path = "${serverCfg.dataPath}/media/";
+      mode = "0755";
+    }
+    {
+      path = "${serverCfg.configPath}/jellyfin/";
+      mode = "0755";
+    }
+  ];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      # imageFile = image;
+      port = 8096;
+    #   secret = name;
+      extraEnv = {
+        DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
+        # JELLYFIN_WEB_DIR = "${pkgs.jellyfin-web}/share/jellyfin-web";
+        JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
+      };
+      extraOptions = [
+        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
+      ];
+      overrides = {
+        cmd = [
+        "--datadir" "/config/data"
+        "--cachedir" "/config/cache"
+        "--configdir" "/config/config"
+        "--logdir" "/config/log" 
+        ];
+        volumes = [
+          "${serverCfg.dataPath}/media:/media:ro" 
+          "${serverCfg.configPath}/jellyfin:/config"
+        ];
+        # If you have an Intel/AMD GPU for transcoding, add the device:
+        devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
+      };
+    };
+  };
+
+
+
+    #LDAP_DC_DOMAIN = "dc=ldap,dc=helcel,dc=net"
+  #HOST=...
+  #LDAP_BIND_USER=ldap-sa
+  #LDAP_BIND_PASSWORD=...
+  #LDAP_GROUP=flix
+  #LDAP_ADMIN=admin
+}
--- a/modules/server/containers/apps/nextcloud.nix
+++ b/modules/server/containers/apps/nextcloud.nix
@@ -0,0 +1,199 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+version = "31";
+serverCfg = config.syscfg.server;
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path="${serverCfg.dataPath}/nextcloud/www";
+    owner = "33:33";
+    mode = "0755";
+  }{
+    path="${serverCfg.dataPath}/nextcloud/data";
+    owner = "33:33";
+    mode = "0755";
+    backup = true;
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "nextcloud:${version}";
+      port = 80;
+      secret = name;
+      extraEnv = {
+        REDIS_HOST = builder.host;
+        POSTGRES_HOST = builder.host;
+        POSTGRES_USER = "nextcloud_user";
+        POSTGRES_DB = "nextcloud_db";
+        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
+        "NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
+        "SMTP_HOST" = serverCfg.mailServer;
+        "SMTP_NAME" = "mail_user";
+        "SMTP_PASSWORD" = "mail_password";
+        "MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.hostDomain}";
+        "MAIL_DOMAIN" = serverCfg.mailDomain;
+        "TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
+      };
+      extraLabels = {
+        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
+        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
+        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
+        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
+        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
+        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
+      };
+      extraOptions = [
+        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
+      ];
+      overrides = {
+        ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
+        volumes = [
+          "${serverCfg.dataPath}/nextcloud/www:/var/www/html"
+          "${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
+        ];
+      };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u www-data nextcloud-server php occ"
+
+      echo "Waiting for Nextcloud container to start..."
+      until $OCC status > /dev/null 2>&1; do
+        sleep 2
+      done
+
+      INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
+      if [ -z "$INSTALLED" ]; then
+        echo "Running first-time setup..."
+        
+        $OCC maintenance:install \
+          --admin-user "$DEFAULT_ADMIN_USERNAME" \
+          --admin-pass "$DEFAULT_ADMIN_PASSWORD"
+      fi
+      if [ -z "$INSTALLED" ] || [ -f "/tmp/force-nextcloud-setup" ]; then
+        rm -f "/tmp/force-nextcloud-setup"
+        echo "Applying Settings..."
+        
+        $OCC config:system:set default_phone_region --value="CH"
+        $OCC config:system:set overwriteprotocol --value="https"
+        $OCC config:app:set core backgroundjobs_mode --value="cron"
+        $OCC config:system:set maintenance_window_start --type=integer --value=1
+        $OCC config:system:set default_language --value="en"
+        $OCC config:system:set default_locale --value="en_CH"
+
+        echo "Applying Apps..."
+        $OCC app:disable activity || true
+        $OCC app:disable app_api || true
+        $OCC app:disable comments || true
+        $OCC app:disable firstrunwizard || true
+        $OCC config:system:set show_first_run_wizard --type=bool --value=false
+        $OCC app:disable nextcloud_announcements || true
+        $OCC app:disable oauth2 || true
+        $OCC app:disable recommendations || true
+        $OCC app:disable sharebymail || true
+        $OCC app:disable support || true
+        $OCC app:disable survey_client || true
+        $OCC app:disable updatenotification || true
+        $OCC app:disable user_status || true
+
+        $OCC app:install calendar || true
+        $OCC app:install calendar || true
+        $OCC app:install contacts || true
+        $OCC app:install camerarawpreviews || true
+        $OCC app:install cospend || true
+        $OCC app:install deck || true
+        $OCC app:install files_markdown || true
+        $OCC app:install forms || true
+        $OCC app:install groupfolders || true
+        $OCC app:install ownpad || true
+        $OCC app:install previewgenerator || true
+        $OCC app:install richdocuments || true
+        ${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
+        # $OCC app:install side_menu || true 
+        $OCC app:install spreed || true
+        $OCC app:install teamfolders || true
+        ${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
+
+        echo "Applying Apps Settings..."
+        $OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
+        $OCC config:app:set cospend allow_federation --value="yes"
+        
+        ${lib.optionalString (serverCfg.containers ? ethercalc) ''
+        $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
+        $OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? etherpad) ''
+        $OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
+        $OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.hostDomain}"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? collabora) ''
+        $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/"
+        $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}"
+        $OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
+        ''}
+        ${lib.optionalString (serverCfg.containers ? authentik) ''
+        $OCC saml:config:set 1 --general-idp0_display_name="authentik"
+        $OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
+        $OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}"
+        $OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/sso/binding/redirect/"
+        $OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/slo/binding/redirect/"
+        AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
+        $OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT" 
+
+        $OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
+        $OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+        $OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
+
+        $OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
+        $OCC group:add admin || true
+        $OCC group:add cloud || true
+        $OCC config:app:set user_saml general-group_provisioning --value="0"
+        $OCC config:app:set user_saml general-require_provisioning_groups --value="1"
+        ''}
+        # configure side_menu ...
+        FOLDERS=$($OCC teamfolders:list --format=json)
+        ${builtins.concatStringsSep "\n" (map (name: ''
+          if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
+              $OCC teamfolders:create "${name}"
+          fi
+        '') containerCfg.extra.teamFolders or [])}
+        SERVERS=$($OCC federation:list-servers --format=json)
+        ${builtins.concatStringsSep "\n" (map (domain: ''
+          if ! echo "$SERVERS" | grep -q "${domain}"; then
+            $OCC federation:add-server "https://${domain}"
+          fi
+        '') containerCfg.extra.federatedServers or [])}
+        $OCC config:app:set systemtags allow_user_creating --value="no"
+        
+        echo "Applying Theme..."
+        $OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.hostDomain}"
+        ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
+        ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
+        $OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
+        $OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
+
+        #$OCC theming:config logo {serverCfg.colorScheme.logo}
+        #$OCC theming:config logoheader {serverCfg.colorScheme.logo}
+        #$OCC theming:config background {serverCfg.colorScheme.bg}
+            
+      else
+          echo "Nextcloud is already installed. Skipping setup."
+      fi
+
+      echo "Maintenance..."
+      $OCC app:update --all
+      $OCC maintenance:repair --include-expensive --no-interaction
+      $OCC db:add-missing-indices --no-interaction
+
+      echo "Completed Setup"
+    '';
+  };
+
+  cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
+}
--- a/modules/server/containers/apps/searxng.nix
+++ b/modules/server/containers/apps/searxng.nix
@@ -0,0 +1,92 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  version= "latest";
+  serverCfg = config.syscfg.server;
+  settings = pkgs.writeText"settings.yml" (pkgs.lib.generators.toYAML {}{
+    use_default_settings = true;
+    brand = {
+        issue_url = "";
+        docs_url = "";
+        public_instances = "";
+        wiki_url = "";
+        custom = {
+            links = {
+                "Home" = "https://${serverCfg.hostDomain}";
+                # "Status" = "https://status.${serverCfg.hostDomain}";
+            };
+        };
+        pwa_colors = {
+            theme_color_light = "${serverCfg.colorScheme.palette.base0C}";
+            background_color_light = "${serverCfg.colorScheme.palette.base07}";
+            theme_color_dark = "${serverCfg.colorScheme.palette.base0C}";
+            background_color_dark = "${serverCfg.colorScheme.palette.base02}";
+            theme_color_black = "${serverCfg.colorScheme.palette.base0C}";
+            background_color_black = "${serverCfg.colorScheme.palette.base01}";
+        };
+    };
+    general = {
+        debug = false;
+        instance_name = if containerCfg.extra ? instanceName then containerCfg.extra.instanceName else "SearXNG";
+        privacypolicy_url = false;
+        donation_url = false;
+        contact_url = false;
+        enable_metrics = false;
+    };
+    search = {
+        safe_search = 0;
+        autocomplete = if containerCfg.extra ? autocomplete then containerCfg.extra.autocomplete else "";
+        languages = [ "all" "en" "en-US" "ja" "de-CH" "fr-CH" "nb" ];
+    };
+    server = {
+        # secret_key = ""; SET BY ENV VAR
+    };
+    ui = {
+        default_locale = if containerCfg.extra ? defaultLocale then containerCfg.extra.defaultLocale else "en";
+        # query_in_title = "true";
+        #default_theme = "custom";
+        custom_css = "footer { display: none !important; }";
+    };
+    # categories_as_tabs = {
+    #     general = {};
+    #     images ={};
+    #     videos = {};
+    #     news = {};
+    #     files = {};
+    # };
+    plugins = {
+        "searx.plugins.infinite_scroll.SXNGPlugin".active = true;
+        "searx.plugins.tracker_url_remover.SXNGPlugin".active = true;
+    };
+  });
+in {
+   sops = true;
+#   paths = [{
+#     path="${serverCfg.dataPath}/searxng/";
+#     mode = "0444";
+#   }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "searxng/searxng:${version}";
+      port = 8080;
+      secret = name;
+      extraEnv = { 
+        SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
+        SEARXNG_PORT = "8080";
+        SEARXNG_BIND_ADDRESS = "[::]";
+        SEARXNG_PUBLIC_INSTANCE = "false";
+        SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
+        #SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
+      };
+      overrides = {
+        cmd = [ ];
+        volumes = [ 
+            "${settings}:/etc/searxng/settings.yml"
+            # "/path/to/your/logo.png:/usr/local/searxng/searx/static/themes/simple/img/searxng.png
+            # "${serverCfg.dataPath}/searxng:/var/cache/searxng/"
+        ];
+       };
+    };
+  };
+}
--- a/modules/server/containers/apps/servarr.nix
+++ b/modules/server/containers/apps/servarr.nix
@@ -0,0 +1,83 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+
+  mkServarrImage = appName: appPkg: binaryPath: pkgs.dockerTools.streamLayeredImage {
+    name = appPkg.name;
+    tag = appPkg.version;
+    contents = with pkgs; [ cacert openssl ];
+    config = {
+      Cmd = [ "${appPkg}/${binaryPath}" "-nobrowser" "-data=/config" ];
+      Env = [ "DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1" "HOME=/tmp" ];
+    };
+  };
+
+  images = {
+    prowlarr = mkServarrImage "prowlarr" pkgs.prowlarr "bin/Prowlarr";
+    radarr   = mkServarrImage "radarr"   pkgs.radarr   "bin/Radarr";
+    sonarr   = mkServarrImage "sonarr"   pkgs.sonarr   "bin/Sonarr";
+    bazarr   = mkServarrImage  "bazarr"   pkgs.bazarr   "bin/bazarr";
+    lidarr   = mkServarrImage "lidarr"   pkgs.lidarr   "bin/Lidarr";
+    readarr  = mkServarrImage "readarr"  pkgs.readarr  "bin/Readarr";
+  };
+
+  sharedVolumes = [
+    "${serverCfg.dataPath}/media:/media" # Fast hardlinking requires a single shared root
+    "${serverCfg.configPath}/servarr:/config-root"
+  ];
+in {
+  sops = true;
+  paths = [
+    { path = "${serverCfg.dataPath}/media/"; mode = "0755"; }
+    { path = "${serverCfg.configPath}/servarr/prowlarr"; mode = "0755"; }
+    { path = "${serverCfg.configPath}/servarr/radarr";   mode = "0755"; }
+    { path = "${serverCfg.configPath}/servarr/sonarr";   mode = "0755"; }
+  ];
+
+  containers = {
+    prowlarr = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      subpath = "prowlarr";
+      imageStream = images.prowlarr;
+      port = 9696;
+      secret = name;
+      extraOptions = [
+        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
+      ];
+      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/prowlarr:/config" ];
+    };
+
+    radarr = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      subpath = "radarr";
+      imageStream = images.radarr;
+      port = 7878;
+      secret = name;
+      extraOptions = [
+        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
+      ];
+      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/radarr:/config" ];
+    };
+
+    sonarr = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      subpath = "sonarr";
+      imageStream = images.sonarr;
+      port = 8989;
+      secret = name;
+      extraOptions = [
+        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
+      ];
+      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/sonarr:/config" ];
+    };
+  };
+
+#   setup = {
+#     trigger = "prowlarr"; # Triggers atomic environment verification on main controller
+#     envFile = config.sops.secrets."SERVARR".path;
+#     script = pkgs.writeShellScript "setup-servarr" ''
+#       echo "Validating multi-container path permission nodes..."
+#     #   mkdir -p ${serverCfg.configPath}/servarr/{prowlarr,radarr,sonarr}
+#     '';
+#   };
+}
--- a/modules/server/containers/apps/traefik.nix
+++ b/modules/server/containers/apps/traefik.nix
@@ -0,0 +1,81 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "traefik";
+    tag = pkgs.traefik.version;
+    contents = with pkgs;[ cacert tzdata ];
+    config = {
+      Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
+      WorkingDir = "/";
+    };
+  };
+in {
+  sops = true;
+  paths = [{
+    path="${serverCfg.configPath}/traefik";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      imageStream = image;
+      subdomain = containerCfg.subdomain;
+      port = 8080;
+      secret = name;
+      extraLabels = {
+        "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
+        "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
+                
+        "traefik.http.routers.${containerCfg.subdomain}.middlewares" =  if serverCfg.containers?authentik then "authentik" else "";
+        "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
+        "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
+        "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
+        "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
+      } // (if containerCfg.extra ? provider || serverCfg.hostDomain != "localhost" then {
+        "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
+        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.hostDomain}";
+        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.hostDomain}";
+      } else {});
+      extraEnv = { };
+      overrides = {
+        cmd = [ 
+          "--api"
+          "--log.level=INFO"
+          "--providers.docker=true"
+          "--global.checknewversion=false"
+          "--global.sendanonymoususage=false"
+          "--api.insecure=true"
+          "--api.dashboard=true"
+          "--providers.docker.exposedByDefault=false"
+          "--entrypoints.web.address=:80"
+          "--entrypoints.web-secure.address=:443"
+          "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
+          "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+          "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
+          "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
+        ] ++ (if serverCfg.containers ? umami  then [
+          "--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
+          "--experimental.plugins.umami-feeder.version=v1.4.1"
+          "--entrypoints.web-secure.http.middlewares=umami-global@docker"
+        ] else []) ++ (if containerCfg.extra ? provider then [
+          "--certificatesresolvers.default.acme.email=acme@${serverCfg.hostDomain}"
+          "--certificatesresolvers.default.acme.dnschallenge=true"
+          "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
+          "--certificatesresolvers.default.acme.storage=/custom/acme.json"
+        ] else []) ++ (if serverCfg.hostDomain != "localhost" then [
+          "--certificatesresolvers.default.acme.httpchallenge=false"
+          "--certificatesresolvers.default.acme.tlschallenge=true"
+        ] else []);
+        ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
+        volumes = [
+          "/var/run/podman/podman.sock:/var/run/docker.sock"
+          # "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
+          "${serverCfg.configPath}/traefik:/custom"
+        ];
+      };
+    };
+  };
+}
+
--- a/modules/server/containers/apps/transmission.nix
+++ b/modules/server/containers/apps/transmission.nix
@@ -0,0 +1,57 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  serverCfg = config.syscfg.server;
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.transmission_4.name;
+    tag = pkgs.transmission_4.version;
+    contents = [ pkgs.cacert ];
+    config = {
+        Cmd = [ "${pkgs.transmission_4}/bin/transmission-daemon" "--foreground" "--config-dir" "/config" ];
+        ExposedPorts = {
+            "9091/tcp" = {};
+            "51413/tcp" = {}; "51413/udp" = {};
+        };
+    };
+  };
+in {
+  paths = [{
+      path = "${serverCfg.dataPath}/transmission/complete";
+      owner = "1000:1000";
+      mode = "0755";
+    }{
+      path = "${serverCfg.dataPath}/transmission/incomplete";
+      owner = "1000:1000";
+      mode = "0755";
+    }{
+      path = "${serverCfg.dataPath}/transmission/config";
+      owner = "1000:1000";
+      mode = "0755";
+    }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 9091;
+      
+      extraEnv = {
+        PUID = "1000";
+        PGID = "1000";
+        TZ = "Europe/Zurich";
+      };
+      extraLabels = { } // (if serverCfg.containers ? authentik then {
+        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
+      } else {});
+
+      overrides = {
+        cmd = [ ];
+        volumes = [
+          "${serverCfg.dataPath}/transmission/complete:/downloads/complete"
+          "${serverCfg.dataPath}/transmission/incomplete:/downloads/incomplete"
+          "${serverCfg.dataPath}/transmission/config:/config"
+        ];
+      };
+    };
+  };
+
+}
--- a/modules/server/containers/apps/trmnl.nix
+++ b/modules/server/containers/apps/trmnl.nix
@@ -0,0 +1,3 @@
+{...}:{
+    
+}
--- a/modules/server/containers/apps/umami.nix
+++ b/modules/server/containers/apps/umami.nix
@@ -0,0 +1,59 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  
+  # Umami image built from nixpkgs
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = pkgs.umami.name;
+    tag = pkgs.umami.version;
+    contents = with pkgs; [ cacert openssl ];
+    config = {
+      # Umami in nixpkgs typically provides a binary or script to start the server
+      Entrypoint = [ "${pkgs.umami}/bin/umami-server" ];
+      ExposedPorts = { "3000/tcp" = {}; };
+      Env = [ "NODE_ENV=production" ];
+    };
+  };
+in {
+  sops = true;
+  db = true;
+  paths = [{
+    path = "${serverCfg.configPath}/umami/";
+    mode = "0444";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "${pkgs.umami.name}:${pkgs.umami.version}"; 
+      imageStream = image;
+      port = 3000;
+      secret = name;
+      extraEnv = {
+        PORT = "3000";
+        # HOSTNAME = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
+        DATABASE_TYPE = "postgresql";
+        REDIS_URL = "redis://${builder.host}";
+        CLIENT_IP_HEADER = "X-Forwarded-For";
+        BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
+        # DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
+
+      };
+      extraLabels = { 
+        "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
+        "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
+        "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
+        "traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
+      } // ( if serverCfg.containers?authentik then {
+        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
+      } else {});
+      extraOptions = [
+        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
+      ];
+      overrides = {
+        cmd = [ "start" ]; # Specific command for the umami binary
+       };
+    };
+  };
+
+}
--- a/modules/server/containers/builder.nix
+++ b/modules/server/containers/builder.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, serverCfg }:
+let 
+  builder =
+  { image ? null, imageStream ? null, imageFile ? null
+  , secret ? null
+  , subdomain ? null, subpath?null, port ? 0
+  , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
+  , overrides ? { }
+  }:
+  let 
+    routerName = if subpath != null 
+                 then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}" 
+                 else subdomain;
+    base = {
+    image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}" 
+            else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
+    imageStream = imageStream;
+    imageFile = imageFile;
+
+    environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
+    environment = {} // extraEnv;
+
+    labels = (if subdomain!=null then ({
+      "traefik.enable" = "true";
+      "traefik.http.routers.${routerName}.entrypoints" = "web-secure";
+      "traefik.http.routers.${routerName}.rule" = if subpath != null 
+        then "Host(`${subdomain}.${serverCfg.hostDomain}`) && PathPrefix(`/${subpath}`)"
+        else "Host(`${subdomain}.${serverCfg.hostDomain}`)";
+      "traefik.http.routers.${routerName}.tls" = "true";
+    } // lib.optionalAttrs (port!=null) {
+      "traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
+    }) else {
+      "traefik.enable" = "false";
+    }) // extraLabels;
+
+    extraOptions = extraOptions ++ [
+      "--add-host=host.containers.internal:host-gateway"
+    ];
+  };
+  in lib.recursiveUpdate base overrides;
+in {
+  mkContainer = builder;
+  mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
+    mkdir -p $out
+    cp -r ${./data + "/${dir}"}/. $out/
+    find $out -type f | while read file; do
+      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
+        substituteInPlace "$file" --replace "@${n}@" "${toString v}"
+      '') vars)}
+    done
+  '';
+  host = "host.containers.internal"; 
+}
--- a/modules/server/containers/data/authentik/authentik.yaml
+++ b/modules/server/containers/data/authentik/authentik.yaml
@@ -0,0 +1,70 @@
+version: 1
+metadata:
+  name: "Initial User Setup"
+  labels:
+    blueprint-type: core
+entries:
+  # Optionally, disable the default enrollment flow entirely
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "default-source-enrollment"
+    attrs:
+      designation: "enrollment"
+      enabled: false
+  # --- GROUPS ---
+  - model: authentik_core.group
+    identifiers:
+      name: "admin"
+    attrs:
+      is_superuser: true
+
+  - model: authentik_core.group
+    identifiers:
+      name: "cloud"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "dev"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "flix"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "family"
+    attrs:
+      is_superuser: false
+
+  # --- ADMIN USERS ---
+  - model: authentik_core.user
+    identifiers:
+      username: !Env DEFAULT_ADMIN_USERNAME
+    attrs:
+      name: !Env DEFAULT_ADMIN_USERNAME
+      email: !Env DEFAULT_ADMIN_EMAIL
+      password: !Env DEFAULT_ADMIN_PASSWORD
+      path: "users"
+      groups:
+        - !Find [authentik_core.group, [name, "admin"]]
+
+  # Disable the Initial Setup Flow
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "initial-setup"
+    attrs:
+      authentication: "require_superuser"
+      enabled: false
+
+  # Disable the default 'akadmin' if it exists
+  - model: authentik_core.user
+    identifiers:
+      username: "akadmin"
+    attrs:
+      is_active: false
--- a/modules/server/containers/data/authentik/ldap.yaml
+++ b/modules/server/containers/data/authentik/ldap.yaml
@@ -0,0 +1,41 @@
+version: 1
+metadata:
+  name: Pre-configured LDAP Outpost
+entries:
+  # 1. Define the LDAP Provider
+  - model: authentik_providers_ldap.ldapprovider
+    identifiers:
+      name: ldap-provider
+    attrs:
+      base_dn: "DC=ldap,@AUTHENTIK_LDAP_DC_DOMAIN@"
+      search_group: null
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+
+  # 2. Define the Token with a static Key
+  - model: authentik_core.token
+    identifiers:
+      identifier: ldap-outpost-static-token
+    attrs:
+      intent: api
+      # MANDATORY: Explicitly set your long, secure pre-shared token here
+      key: !Env AUTHENTIK_LDAP
+      user: 1 # Assigns to default akadmin user
+
+  # 3. Define the Outpost linking the Provider and the Token
+  - model: authentik_outposts.outpost
+    identifiers:
+      name: LDAP Outpost
+    attrs:
+      type: ldap
+      providers:
+        - !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
+      token:
+        !Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
+      config:
+        log_level: info
--- a/modules/server/containers/data/authentik/nextcloud.yaml
+++ b/modules/server/containers/data/authentik/nextcloud.yaml
@@ -0,0 +1,88 @@
+version: 1
+metadata:
+  name: nextcloud-saml-setup
+entries:
+  # 1. Create the SAML Provider
+  - model: authentik_providers_saml.samlprovider
+    identifiers:
+      name: Nextcloud SAML
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-explicit-consent],
+        ]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+
+      # Adjust these URLs to match your Nextcloud domain
+      acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
+      audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
+      issuer: https://@AUTHENTIK_DOMAIN@
+      sp_binding: post
+      # Map the attributes for Name, Email, and Groups
+      property_mappings:
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: Name"],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: Email"],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: Groups"],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: Username"],
+          ]
+        - !Find [
+            authentik_core.propertymapping,
+            [name, "authentik default SAML Mapping: User ID"],
+          ]
+
+        # - !Find [
+        #     authentik_providers_saml.samlpropertymapping,
+        #     [managed, "goauthentik.io/providers/saml/ms-name"],
+        #   ]
+        # - !Find [
+        #     authentik_providers_saml.samlpropertymapping,
+        #     [managed, "goauthentik.io/providers/saml/ms-email"],
+        #   ]
+        # - !Find [
+        #     authentik_providers_saml.samlpropertymapping,
+        #     [managed, "goauthentik.io/providers/saml/ms-groups"],
+        #   ]
+
+        # - !Find [
+        #     authentik_core.propertymapping,
+        #     [managed, goauthentik.io/providers/saml/ms-name],
+        #   ]
+        # - !Find [
+        #     authentik_core.propertymapping,
+        #     [managed, goauthentik.io/providers/saml/ms-email],
+        #   ]
+        # - !Find [
+        #     authentik_core.propertymapping,
+        #     [managed, goauthentik.io/providers/saml/ms-groups],
+        #   ]
+      # Select your signing certificate (default is usually self-signed)
+      signing_kp:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+      sign_assertion: true
+      sign_response: false
+
+  # 2. Create the Application
+  - model: authentik_core.application
+    identifiers:
+      slug: nextcloud
+    attrs:
+      name: Nextcloud
+      provider:
+        !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
+      group: "Cloud Services"
--- a/modules/server/containers/data/authentik/traefik.yaml
+++ b/modules/server/containers/data/authentik/traefik.yaml
@@ -0,0 +1,45 @@
+version: 1
+metadata:
+  name: domain-wide-proxy-setup
+entries:
+  # 1. The Provider
+  - model: authentik_providers_proxy.proxyprovider
+    identifiers:
+      name: Domain Wide Proxy
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+
+      external_host: https://@AUTHENTIK_DOMAIN@
+      cookie_domain: "@COOKIE_DOMAIN@"
+
+      mode: forward_domain
+      intercept_header_auth: true
+
+  # 2. The Application (Required to link the provider)
+  - model: authentik_core.application
+    identifiers:
+      slug: authentik-proxy
+    attrs:
+      name: "Domain Auth Provider"
+      provider:
+        !Find [
+          authentik_providers_proxy.proxyprovider,
+          [name, Domain Wide Proxy],
+        ]
+
+  # 3. Add to Outpost
+  - model: authentik_outposts.outpost
+    identifiers:
+      name: authentik Embedded Outpost
+    attrs:
+      providers:
+        - !Find [
+            authentik_providers_proxy.proxyprovider,
+            [name, Domain Wide Proxy],
+          ]
--- a/modules/server/containers/data/jellyfin/LDAP-Auth.xml
+++ b/modules/server/containers/data/jellyfin/LDAP-Auth.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <LdapUsers />
+  <LdapServer>@HOST@</LdapServer>
+  <LdapPort>389</LdapPort>
+  <UseSsl>false</UseSsl>
+  <UseStartTls>false</UseStartTls>
+  <SkipSslVerify>true</SkipSslVerify>
+  <LdapBindUser>cn=@LDAP_BIND_USER@,ou=users,@LDAP_DC_DOMAIN@</LdapBindUser>
+  <LdapBindPassword>@LDAP_BIND_PASSWORD@</LdapBindPassword>
+  <LdapBaseDn>@LDAP_DC_DOMAIN@</LdapBaseDn>
+  <LdapSearchFilter>(memberOf=cn=@LDAP_GROUP@,ou=groups,@LDAP_DC_DOMAIN@)</LdapSearchFilter>
+  <LdapAdminBaseDn />
+  <LdapAdminFilter>(memberOf=cn=@LDAP_ADMIN@,ou=groups,@LDAP_DC_DOMAIN@)</LdapAdminFilter>
+  <EnableLdapAdminFilterMemberUid>false</EnableLdapAdminFilterMemberUid>
+  <LdapSearchAttributes>uid, cn, mail, displayName</LdapSearchAttributes>
+  <LdapClientCertPath />
+  <LdapClientKeyPath />
+  <LdapRootCaPath />
+  <CreateUsersFromLdap>true</CreateUsersFromLdap>
+  <AllowPassChange>false</AllowPassChange>
+  <LdapUidAttribute>uid</LdapUidAttribute>
+  <LdapUsernameAttribute>cn</LdapUsernameAttribute>
+  <LdapPasswordAttribute>userPassword</LdapPasswordAttribute>
+  <EnableLdapProfileImageSync>false</EnableLdapProfileImageSync>
+  <LdapProfileImageAttribute>jpegphoto</LdapProfileImageAttribute>
+  <EnableAllFolders>true</EnableAllFolders>
+  <EnabledFolders />
+  <PasswordResetUrl />
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -1,40 +1,75 @@
 { config, pkgs, lib, ... }:
 let
-  cfg = config.syscfg.server.containers;
-  enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
-  containerSetsList = lib.mapAttrsToList (name: containerCfg:
-    import (./defs + "/${name}.nix") {
-      inherit config pkgs lib  containerCfg;
-    }
-  ) enabledConfigs;
-  mergedContainers = lib.attrsets.mergeAttrsList  (lib.map(e: e.containers) containerSetsList);
-  allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
-in
-{
-  config = lib.mkIf ( enabledConfigs != {} ) {
+  serverCfg = config.syscfg.server;
+  builder = import ./builder.nix { inherit config lib pkgs serverCfg; };

-    virtualisation.oci-containers = {
-      backend = "podman";
-      containers = mergedContainers;
-    };
+in{
+  config = lib.mkMerge [{
+    syscfg.server.loadedContainers = lib.mapAttrs (name: containerCfg:
+      (import (./apps + "/${name}.nix")) { inherit config pkgs lib containerCfg builder name; }
+    ) config.syscfg.server.containers;
+  } (lib.mkIf ( serverCfg.containers != {} ) (
+    let
+      appsList = builtins.attrValues config.syscfg.server.loadedContainers;
+      mergedContainers = lib.concatMapAttrs (appName: app:
+        lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.containers
+      ) config.syscfg.server.loadedContainers;
+      allPathConfigs  = lib.concatMap (app: app.paths) appsList;
+      allSetupConfigs = lib.concatMap (app: if app.setup?script then [({name = app.name; envFile="";} // app.setup)] else []) appsList;
+      allCronsConfigs = lib.concatMap (app: app.cron) appsList;
+    in{
+      virtualisation.oci-containers = {
+        backend = "podman";
+        containers = mergedContainers;
+      };
+      system.activationScripts.container-setup-dirs = {
+        deps = [ "users" "groups" ];
+        text = lib.concatStringsSep "\n" (map (cfg:
+        let
+          effectiveCfg = {
+            owner = "root:root";
+            mode = "0400";
+          } // cfg;
+        in ''
+          ${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
+          ${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
+          ${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
+        '') allPathConfigs);
+      };

-    systemd.services.podman-gc = {
-      description = "Podman garbage collection";
-      serviceConfig.Type = "oneshot";
-      script = ''
-        ${pkgs.podman}/bin/podman container prune -f
-        ${pkgs.podman}/bin/podman image prune -f
-      '';
-      startAt = "weekly";
-    };
+      systemd.services = {
+        podman-gc = {
+          description = "Podman garbage collection";
+          serviceConfig.Type = "oneshot";
+          script = ''
+            ${pkgs.podman}/bin/podman container prune -f
+            ${pkgs.podman}/bin/podman image prune -f
+          '';
+          startAt = "weekly";
+        };
+      } // lib.listToAttrs (lib.concatMap (e: [{
+        name = "${e.name}-setup";
+        value = {
+          description = "Run ${e.name} setup";
+          after = [ "podman-${e.name}-${e.trigger}.service" ];
+          wants = [ "podman-${e.name}-${e.trigger}.service" ];
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            TimeoutStartSec = "360s";
+            EnvironmentFile = e.envFile;
+            ExecStart = e.script;
+            RemainAfterExit = true;
+            User = "root";
+          };
+        };
+      }]) allSetupConfigs );
+
+      services.cron = {
+        enable = true;
+        systemCronJobs = allCronsConfigs;
+      };
+
+  }))];

-    system.activationScripts.container-setup-dirs = {
-      deps = [ "users" "groups" ];
-      text = lib.concatStringsSep "\n" (map (cfg: ''
-        mkdir -p "${cfg.path}"
-        chown ${cfg.owner} "${cfg.path}"
-        chmod ${cfg.mode} "${cfg.path}"
-      '') allPathConfigs);
-    };
-  };
 }
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -1,84 +0,0 @@
-{ config, containerCfg, pkgs, lib, ... }:
-let 
-serverCfg = config.syscfg.server;
-in {
-  paths = [{
-    path="${serverCfg.dataPath}/authentik/media";
-    owner = "1000:1000";
-    mode = "0755";
-  }{
-    path="${serverCfg.dataPath}/authentik/templates";
-    owner = "1000:1000";
-    mode = "0755";
-  }];
-
-  containers = {
-
-    auth_server = {
-      image = "ghcr.io/goauthentik/server:latest";
-      hostname = "auth_server";
-      volumes = [
-        "${serverCfg.dataPath}/authentik/media:/media"
-        "${serverCfg.dataPath}/authentik/templates:/templates"
-      ];
-      environmentFiles = [
-        config.sops.secrets."AUTHENTIK".path
-      ];
-      environment = {
-        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
-        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
-        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
-        "AUTHENTIK_EMAIL__PORT" = "587";
-        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
-        "AUTHENTIK_EMAIL__USE_TLS" = "true";
-        "AUTHENTIK_EMAIL__USE_SSL" = "false";
-        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
-        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.sso.entrypoints" = "web-secure";
-        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.sso.tls" = "true";
-        "traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
-      };
-      cmd = [ "server" ];
-      extraOptions = [
-        "--add-host=host.containers.internal:host-gateway"
-        "--replace"
-        "--rm"
-        "--ip=${containerCfg.ip}"
-      ];
-      ports = [
-        "9999:${toString containerCfg.port}"
-      ];
-    };
-
-    auth_worker = {
-      image = "ghcr.io/goauthentik/server:latest";
-      hostname = "auth_worker";
-      volumes = [
-        "${serverCfg.dataPath}/authentik/media:/media"
-        "${serverCfg.dataPath}/authentik/templates:/templates"
-        "/var/run/docker.sock:/var/run/docker.sock"
-      ];
-      environmentFiles = [
-        config.sops.secrets."AUTHENTIK".path
-      ];
-      environment = {
-        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
-        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
-      };
-      extraOptions = [
-        "--add-host=host.containers.internal:host-gateway"
-        "--replace"
-        "--rm"
-      ];
-      cmd = [ "worker" ];
-    };
-  };
-}
--- a/modules/server/containers/defs/cloud.nix
+++ b/modules/server/containers/defs/cloud.nix
@@ -1,152 +0,0 @@
-{ config, pkgs, lib, ... }:
-let serverCfg = config.syscfg.server;
-in {
-  project.name = "cloud";
-
-  networks = {
-    internal = {
-      name = lib.mkForce "internal";
-      internal = true;
-    };
-    external = {
-      name = lib.mkForce "external";
-      internal = false;
-    };
-  };
-
-  services = {
-
-    cloud_nextcloud.service = {
-      image = "nextcloud:27";
-      container_name = "cloud";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [
-        "${serverCfg.configPath}/data/nextcloud:/var/www/html"
-        "${serverCfg.dataPath}/data/music:/media/music"
-        "${serverCfg.dataPath}/data/video:/media/video"
-        "${serverCfg.dataPath}/data/photo:/media/photo"
-      ];
-      tmpfs = [ "/tmp" ];
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.nextcloud.entrypoints" = "web-secure";
-        "traefik.http.routers.nextcloud.rule" =
-          "Host(`cloud.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.nextcloud.tls" = "true";
-        "traefik.http.routers.nextcloud.middlewares" =
-          "sts_headers,nextcloud-caldav";
-
-        "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
-          "true";
-        "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
-          "^https://(.*)/.well-known/(card|cal)dav";
-        "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
-          "https://$\${1}/remote.php/dav/";
-        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
-        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
-          "true";
-      };
-    };
-
-    cloud_office.service = {
-      image = "collabora/code:latest";
-      container_name = "cloud_office";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [ ];
-      environment = {
-        username = "COLLABORA_USER";
-        password = "COLLABORA_PASSWORD";
-        aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
-        server_name = "office.${serverCfg.hostDomain}";
-        VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
-        VIRTUAL_PORT = "9980";
-        VIRTUAL_PROTO = "http";
-        DONT_GEN_SSL_CERT = "true";
-        RESOLVE_TO_PROXY_IP = "true";
-        NETWORK_ACCESS = "internal";
-        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
-        dictionaries = "en fr de jp";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.collabora.entrypoints" = "web-secure";
-        "traefik.http.routers.collabora.rule" =
-          "Host(`office.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.collabora.tls" = "true";
-      };
-    };
-
-    cloud_etherpad.service = {
-      image = "etherpad/etherpad:latest";
-      container_name = "etherpad";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [
-        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
-        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
-      ];
-      environment = {
-        NODE_ENV = "production";
-        TITLE = "Helcel-Pad";
-        DB_TYPE = "mysql";
-        DB_HOST = serverCfg.dbHost;
-        DB_PORT = serverCfg.dbPort;
-        DB_NAME = "etherpad";
-        DB_USER = "ETHERPAD_DB_USER";
-        DB_PASS = "ETHERPAD_DB_PASSWORD";
-        DB_CHARSET = "utf8mb4";
-        DEFAULT_PAD_TEXT = "P A D";
-        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
-        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
-        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
-        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.etherpad.entrypoints" = "web-secure";
-        "traefik.http.routers.etherpad.rule" =
-          "Host(`pad.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.etherpad.tls" = "true";
-      };
-    };
-
-    cloud_ethercalc.service = {
-      image = "audreyt/ethercalc:latest";
-      container_name = "ethercalc";
-      restart = "unless-stopped";
-      networks = [ "external" "internal" ];
-      volumes = [
-        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
-        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
-      ];
-      environment = {
-        NODE_ENV = "production";
-        TITLE = "Helcel-Calc";
-        REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
-        REDIS_PORT_6379_TCP_PORT = "6379";
-        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
-        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.ethercalc.entrypoints" = "web-secure";
-        "traefik.http.routers.ethercalc.rule" =
-          "Host(`calc.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.ethercalc.tls" = "true";
-      };
-    };
-
-    cloud_redis.service = {
-      image = "redis:latest";
-      container_name = "ethercalc-redis";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
-      environment = { };
-      labels = { "traefik.enable" = "false"; };
-    };
-
-  };
-}
--- a/modules/server/containers/defs/sample.nix
+++ b/modules/server/containers/defs/sample.nix
@@ -1,30 +0,0 @@
-{ config, pkgs, lib, ... }:
-let serverCfg = config.syscfg.server;
-in {
-  project.name = "name";
-
-  networks = {
-    internal = {
-      name = lib.mkForce "internal";
-      internal = true;
-    };
-    external = {
-      name = lib.mkForce "external";
-      internal = false;
-    };
-  };
-
-  services = {
-
-    NAME.service = {
-      image = "NAME:latest";
-      container_name = "NAME";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ ];
-      environment = { };
-      labels = { "traefik.enable" = "false"; };
-    };
-
-  };
-}
--- a/modules/server/containers/defs/traefik.nix
+++ b/modules/server/containers/defs/traefik.nix
@@ -1,81 +0,0 @@
-{ config, pkgs, ... }: {
-  project.name = "traefik";
-
-  networks = {
-    internal = {
-      name = lib.mkForce "internal";
-      internal = true;
-    };
-    external = {
-      name = lib.mkForce "external";
-      internal = false;
-    };
-  };
-
-  services = {
-
-    traefik.service = {
-      image = "traefik:latest";
-      container_name = "traefik";
-      restart = "unless-stopped";
-      networks = [ "internal" "external" ];
-      command = [
-        "--api"
-        "--providers.docker=true"
-        "--entrypoints.web.address=:80"
-        "--entrypoints.web-secure.address=:443"
-      ];
-      port = [ "443" "80" ];
-      volumes = [
-        "/var/run/docker.sock:/var/run/docker.sock:ro"
-        "${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
-        "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
-        "${serverCfg.configPath}/traefik/acme.json:/acme.json"
-      ];
-      environment = {
-        "INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
-      };
-      labels = { "traefik.enable" = "false"; };
-    };
-
-    matomo.service = {
-      image = "matomo:latest";
-      container_name = "matomo";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [
-        "/etc/localtime:/etc/localtime:ro"
-        "${serverCfg.configPath}/matomo:/var/www/html/config:rw"
-        "${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
-      ];
-      environment = { };
-      labels = {
-        "traefik.http.routers.matomo.rule" =
-          "Host(`matomo.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.matomo.entrypoints" = "web-secure";
-        "traefik.http.routers.matomo.tls" = "true";
-      };
-    };
-
-    searx.service = {
-      image = "searxng/searxng:latest";
-      container_name = "searx";
-      restart = "unless-stopped";
-      networks = [ "external" ];
-      volumes = [ "/etc/localtime:/etc/localtime:ro" ];
-      environment = {
-        "BASE_URL" = "https://searx.${serverCfg.hostDomain}";
-        "AUTOCOMPLETE" = "true";
-        "INSTANCE_NAME" = "searx${serverCfg.shortName}";
-      };
-      labels = {
-        "traefik.http.routers.matomo.rule" =
-          "Host(`searx.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.matomo.entrypoints" = "web-secure";
-        "traefik.http.routers.matomo.tls" = "true";
-      };
-    };
-
-  };
-}
-
--- a/modules/server/database/default.nix
+++ b/modules/server/database/default.nix
@@ -1,14 +1,10 @@

 { config, lib, pkgs, ... }:
 let
+
  listNames = config.syscfg.server.db;
-
-  containerNames = lib.mapAttrsToList 
-    (name: cfg: name) 
-    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
-
+  containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.db) config.syscfg.server.loadedContainers);
  allApps = lib.unique (listNames ++ containerNames);
-
 in {
  config = lib.mkIf ( builtins.length allApps > 0) {
    services.postgresql = {
@@ -62,7 +58,6 @@ in {
          
          if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
            PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
-            echo $PASS
            if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
                echo "✅ Successfully set password for ${name}_user"
            else
--- a/modules/server/nftables/default.nix
+++ b/modules/server/nftables/default.nix
@@ -1,7 +1,8 @@
-
-
-{ config, lib, ... }:{
-  config = lib.mkIf (config.syscfg.server.nftables.enable) {
+{ config, lib, ... }:
+let
+ cfg = config.syscfg.server;
+in {
+  config = lib.mkIf (cfg.ipfw.enable) {
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
@@ -9,13 +10,6 @@

    networking.nftables.enable = true;
    networking.nftables.ruleset = ''
-      table inet filter {
-        chain input {
-          type filter hook input priority filter; policy accept;
-          tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
-          
-        }
-      }
      table inet nat {
        chain prerouting {
          type nat hook prerouting priority dstnat; policy accept;
@@ -34,12 +28,12 @@
                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
            ''
-          ) config.syscfg.server.nftables.ports}
+          ) cfg.ipfw.ports}
        }
        
        chain postrouting {
          type nat hook postrouting priority srcnat; policy accept;
-          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
+          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
        }
      }
    '';
--- a/modules/server/nginx/default.nix
+++ b/modules/server/nginx/default.nix
@@ -0,0 +1,130 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.syscfg.server;
+  containers = cfg.containers; 
+  faviconOverride = {
+    " ~* /favicon\.(ico|png|svg|jpg)$" = {
+      extraConfig = ''
+        add_header Content-Type image/svg+xml;
+        return 200 '<svg xmlns="http://www.w3.org/2000/svg" id="Layer_1" data-name="Layer 1" viewBox="0 0 50 50"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M30.83,5A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,28.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/></svg>';
+      '';
+      # proxyPass = "http://127.0.0.1:9000";
+    };
+  };
+  # Function to convert your container config into an NGINX vhost
+  mkVhost = container: {
+    forceSSL = true;
+    # quic = true;
+    # http3 = true;
+    useACMEHost = "${cfg.hostDomain}";
+    locations = faviconOverride // {
+      "/" = {
+        proxyPass = "http://${container.ip}:${toString container.port}";
+        proxyWebsockets = true; # Recommended for modern apps
+      };
+    };
+  };
+  
+in {
+  config = lib.mkIf ( config.syscfg.server.web) {
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "admin@domain.org";
+
+      certs."${cfg.hostDomain}" = {
+        domain = "*.${cfg.hostDomain}";
+        extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
+        dnsProvider = "infomaniak";
+        credentialsFile = config.sops.secrets."INFOMANIAK_API_KEY".path; # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...)
+        group = "nginx"; 
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+
+      # appendHttpConfig = ''
+      #   add_header Alt-Svc 'h3=":443"; ma=86400';
+      # '';
+      commonHttpConfig = ''
+        proxy_buffer_size 32k;
+        proxy_buffers 8 16k;
+        proxy_busy_buffers_size 48k;
+      '';
+
+      virtualHosts = {
+        "_" = {
+          default = true;
+          forceSSL = true;
+          # quic = true;
+          # http3 = true;
+          useACMEHost = "${cfg.hostDomain}";
+          
+          locations = {
+            "/" = {
+              extraConfig = ''
+              return 404;
+              '';
+            };
+          };
+        };
+        "sec.${cfg.hostDomain}" = {
+          forceSSL = true;
+          useACMEHost = "${cfg.hostDomain}";
+          
+          locations = {
+            "/" = {
+              proxyWebsockets = true;
+              proxyPass= "http://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}";
+
+              extraConfig = ''
+                auth_request     /outpost.goauthentik.io/auth/nginx;
+                error_page       401 = @goauthentik_proxy_signin;
+                auth_request_set $auth_cookie $upstream_http_set_cookie;
+                add_header       Set-Cookie $auth_cookie;
+                
+                auth_request_set $authentik_username $upstream_http_x_authentik_username;
+                auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+                auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+                auth_request_set $authentik_email $upstream_http_x_authentik_email;
+                auth_request_set $authentik_name $upstream_http_x_authentik_name;
+                auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+                proxy_set_header X-authentik-username $authentik_username;
+                proxy_set_header X-authentik-groups $authentik_groups;
+                proxy_set_header X-authentik-entitlements $authentik_entitlements;
+                proxy_set_header X-authentik-email $authentik_email;
+                proxy_set_header X-authentik-name $authentik_name;
+                proxy_set_header X-authentik-uid $authentik_uid;
+              '';
+            };
+
+            "/outpost.goauthentik.io" = {
+              proxyWebsockets = true;
+              proxyPass = "http://${config.syscfg.server.containers.authentik.ip}:${toString config.syscfg.server.containers.authentik.port}/outpost.goauthentik.io";
+              extraConfig = ''
+                proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
+                add_header              Set-Cookie $auth_cookie;
+                auth_request_set        $auth_cookie $upstream_http_set_cookie;
+                proxy_pass_request_body off;
+                proxy_set_header        Content-Length "";
+              '';
+            };
+          };
+          extraConfig = ''
+            location @goauthentik_proxy_signin {
+                internal;
+                add_header Set-Cookie $auth_cookie;
+                return 302 https://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+            }
+          '';
+        };
+      } //lib.mapAttrs' (name: v: 
+        lib.nameValuePair "${v.subdomain}.${cfg.hostDomain}" (mkVhost v)
+      ) containers;
+    };
+  };
+}
--- a/modules/server/sops/default.nix
+++ b/modules/server/sops/default.nix
@@ -1,16 +1,16 @@
 { config, lib, pkgs, ... }:
 let
- listNames = config.syscfg.server.db;
-  containerNames = lib.mapAttrsToList (name: cfg: name) 
-    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
+  listNames = config.syscfg.server.db;
+  containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.sops) config.syscfg.server.loadedContainers);
  allApps = lib.unique (listNames ++ containerNames);
 in{
-  config = lib.mkIf (config.syscfg.server.sops) {
    sops.secrets = {
-      INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
-    } // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
-      owner = "postgres";
+      CUSTOM = { 
+        mode = "0444";
+        sopsFile = ./server.yaml; 
+      };
+    } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
+      mode = "0444";
      sopsFile = ./server.yaml;
    }));
-  };
 }
--- a/modules/server/sops/example.server.yaml
+++ b/modules/server/sops/example.server.yaml
@@ -0,0 +1,35 @@
+CUSTOM: |
+  DEFAULT_ADMIN_USERNAME=...
+  DEFAULT_ADMIN_PASSWORD=...
+  DEFAULT_ADMIN_EMAIL=...
+TRAEFIK: |
+  INFOMANIAK_ACCESS_TOKEN=...
+AUTHENTIK: |
+  DB_PASSWORD=...
+  POSTGRES_PASSWORD=...
+  AUTHENTIK_SECRET_KEY=...
+  AUTHENTIK_EMAIL__PASSWORD=...
+  AUTHENTIK_TOKEN=...
+NEXTCLOUD: |
+  DB_PASSWORD=...
+  POSTGRES_PASSWORD=...
+COLLABORA: |
+  password=...
+ETHERPAD: |
+  DB_PASSWORD=...
+  DB_PASS=...
+  ADMIN_PASSWORD=...
+  APIKEY=...
+ETHERCALC: |
+  ETHERCALC_KEY=...
+GITEA: |
+  DB_PASSWORD=...
+  GITEA__database__PASSWD=...
+  GITEA__security__SECRET_KEY=...
+  GITEA__security__INTERNAL_TOKEN=...
+SEARXNG: |
+  SEARXNG_SECRET=...
+UMAMI: |
+  DB_PASSWORD=...
+  DATABASE_URL=postgresql://username:mypassword@localhost:5432/mydb
+  APP_SECRET=...
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
@@ -1,5 +1,14 @@
-INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
-AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str]
+CUSTOM: ENC[AES256_GCM,data:OVhE99dmudlV31Re2/fyFurXnRSM3RjbdVDxYp6oF4kazaseISlI4QjgIyyUNEAjeAST17Prv/t5GdyTUvoUICoVKmhQdRv5xFeB7ngTCdi7XoYW1r6HIXwz9wOf/UvPWLafSxSM,iv:/ikpvHH5sLZpTnNABUFjZoVLS+tBZSUYIUxxdXMCCcc=,tag:mS9uW33M355KErY1rQtvqQ==,type:str]
+TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
+AUTHENTIK: ENC[AES256_GCM,data:dZ+Kf85ZjaZ82coYNeNOXe5zfD2M9rEeOB6jDNoaKmo3jMABhnha+iBvYJTI2NltkGzymPJQI+JV8F6GdT1l6cqcR8p0nNjQjS1BMk0rR7n8RCp6MazUTJuIjbEq6zEUrA4SXquw5gZDEp4FLo010PhoLaLinHg8OoqzjDsTxdcKevbQWmZeefDBrwXWpz6BlkRIQA3KazVb0w7l1jDTIkozUIWbvtvtk5ccGjzx3b+wCC36QYFcHHtPvFZwMDHzFPVBd90hWc/BwFfvCExONmH0S7GLFTp7I5NsBnWpT0AHUHHc5PlSR2dUy9H2DZ3IkORdNVzOaqESbYKymuWTQBDQuyI9IJdt4Cac0CV9i6p8rFXL6fQyQKZ9djHX8orpyCUeJXqFs8I6et+IzpTeZcmdv/76Q9tomBBi4k4PRMXpeff8Bn02bOSb7RSaj5NVeWxIhZkh3sEXUeva5/yrAYT30mrLpbwzWoCaKrPCPLIcFxvNrYxPUo6kVVz1jSlBurvcKefbreJGqA==,iv:Hj7aBfDLSqRBzueN8b9F9TutpjMESFloqrnirSmnH9U=,tag:1ikt1JvuhIZCx68nh/VzMA==,type:str]
+NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
+COLLABORA: ENC[AES256_GCM,data:cLGEziks5dyxTF1jugfpQE0l0nSkDP7MpROzCxCM94jv49sguA+d/SnY1olE8ZP9iCBnlvbMZyNR7uYo88B92Pmv8wVWfeuhHiHFIXh5aaOxntpt80UMg3Jy,iv:gmFG7C893QPuZ4rEqllAlUpNIXMcGsf9+/QCPLhWLTM=,tag:WpKHCUk6zhQRfFX2d6OPbQ==,type:str]
+ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
+ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWNWhDQlTc0ImJoK6efr2uyp3sVu3o+KlCNvUGhDOJ1you6socyTgRP0q7oLPC+Ln+bFP8gWG8v2nyEFY=,iv:YqvVjBFG/WZg1l4aMAiioOruWZ9zcTMr74DVW+1+2DQ=,tag:ePBXd4ddipJtxhFE1amfMg==,type:str]
+GITEA: ENC[AES256_GCM,data:TGsye52g8DVOk51o1dWfF6x3m6BFPe0MtUbOayxYejaYSZ4cDCfx02EPAhiL3FJGLfidZt7+WpjhVqJvFeCvJ1OXdYMQyuL3akPBCmEjmBgBhJvEjVtVgV3aNMS21gy3o0RG/MXDXOLpjHeaXn3G/XWKsv5bw+gg94bDirOguLC5eaFxddn5/UGFvfwXzDmkoNmc9zufGvVpUkRy8rju/TjOz4Q5GZk1gXWtJWdkTGhuVYVBDDHIQq9DBS0qXi8tP3FvY8prOi/c5ZbyyZjTOgNpWB9uU4HkHz4aUTMFIrPFwUeWmNMIdyUmarSQ7tDDdhBfIiLhb94jaMATHq+PfwwpCcmiTfBEG3OS/3SXPMWg6jhfUxvxsKNT2HQca31B9IRqlitaio3r6KEPBTYh2nWtFO9d5Is7TUWkGsOaV+0JSiNPNh5uD7kNyBxsKUKcND7JXMxW/TZOqARY64x6IwDrbcypsyMW5i+4Er1/0HCvZ7FBH1XkTul8vBGF5ZGD/tYp/m6Ld26GKYkj967eYIwlNFcOMGNue5PyJfFCq0qWbLWO9dFA9c2e9r81DCD8y/0S3Ts7X7TkXVGShm7JoMqb8dzg9i6CoNlmbPAM5GwoNV3ftQugvqEGMk5UIvf05YsgSNvq4UJbhsT4bZqpV0plnxYD5TswCGF/XQ3nwwFTudmf1OLcgYwM2NckbVui128o1Rw=,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str]
+SEARXNG: ENC[AES256_GCM,data:gtKhEmMemzLRl4c3cYhMAQ+5vUth1IhWQeLvW1YtaG5TbhQHBR4PDREQOlGt+tlfGQrft+FeNhMSN/SKOp8gmScVWa+9qmltzxRGRpLm3m/VuBZvOlGdeUcKAX8zEH6A,iv:B2UEtjTRIjT6W+tH2gtcl6XMvZNgbvZUXTiBePGOu24=,tag:SHIF6eaWBLwy9RrEy1N9kg==,type:str]
+UMAMI: ENC[AES256_GCM,data:l1eMel/8PlzDjnEbpgjXceu7l8zFnl6NPYihrzAJPoSl7fE794FfkmrEhm2tf+kI1HgpDnOVpAP847k3NFGWRtiIYwjHl2NFlw0UorMutzja7uBP5oktmjVZZs3SaZFSQaWMHPCP9b2+LiMVAZqhERHF5y4A4mwP+q5CUVTgLGnDaBFBX7hwV2KRCARNYtxHkA80cxxUx1yJD50WCqjhCl1to2jx6bE+eupZvKk6U0GmC4MiMHkCzpWdzdtLsLHP5yMxbXUCdDUKmMDWSrOTJULYSsE8R/dZH2DOwwkhS23tXY4ckSbOmruGTEbhbBk+LADBdk9ijD9oaa4gVnF6Vqoib0esUCt/9EJAizgTro7eFGgCcYH2dl2doPJq372ZioSoYD6jiSdrUyCUmKs4xGEocnvy8W/CVG4=,iv:4pM3CsuO+1jfFQ7b1S9PHjdlIpVXvDVurMswmwz9ZrU=,tag:a8hyyFJHyqmAjsURJcNt3Q==,type:str]
+SERVARR: ENC[AES256_GCM,data:fukF7bejebMU7yp48fix,iv:CZkLyO8N8BqSk+0KDcMDrz1pbwaNH7Pg+NvNebdIdYM=,tag:AOMvnZOE0H6QDCmkPg3Kyw==,type:str]
 sops:
    age:
        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
@@ -20,8 +29,8 @@ sops:
            S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
            d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-06T01:10:20Z"
-    mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str]
+    lastmodified: "2026-05-12T23:00:07Z"
+    mac: ENC[AES256_GCM,data:g2Hbt81av0W6osMC3RcVPPkEPlrIeM4chlbQ1P+FrvxIQGWXvQlypnoYPLLBtfuXgUkASFJGQRM9dyUSvSwJczk3/HBoReZigyJRLNb5sfpF+YFHqplkX5hPDQ8iJDCWjpuIWiU0gH+hphm+V0nwB5o6iqeEkeZv8iIurEL/Des=,iv:hF4zb0fjonge/QmLpiOyghAMBAersVsWrOtk9oKPqbo=,tag:fusPQtNmQXS8u4/VB/L9SQ==,type:str]
    pgp:
        - created_at: "2026-05-05T23:46:27Z"
          enc: |-
--- a/modules/shared/colors/default.nix
+++ b/modules/shared/colors/default.nix
@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ ... }: {
  imports = [ ./sorahiro.nix ];

  colorScheme.palette.border-radius = "#8";
--- a/modules/shared/colors/sorahiro.nix
+++ b/modules/shared/colors/sorahiro.nix
@@ -1,4 +1,4 @@
-{ nix-colors, ... }: 
+{ ... }: 
 let use_pastelle = true;
 in{
  # usage:  a = "#${config.colorScheme.palette.base00}";
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -5,160 +5,9 @@ let
    (name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix")) 
    (builtins.readDir systemsDir));

-  userOpt = with lib; {
-    username = mkOption { type = types.str; };
-    pubssh = mkOption { type = types.str; default=""; };
-    wm = mkOption {
-      type = types.enum [ "Wayland" "X11" "-" ];
-      default = "-";
-    };
-    git = {
-      username = mkOption { type = types.str; default = "Anonymous";};
-      email = mkOption { type = types.str; default = "anonymous@domain"; };
-      key = mkOption { type = types.nullOr types.str; default=null; };
-    };
-  };
-  netOpt = with lib; {
-    ble = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-      };
-    };
-    wlp = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      nif = mkOption {
-        type = types.str;
-        default = "";
-      };
-    };
-    wg = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      ip4 = mkOption {
-        type = types.str;
-        default = "";
-      };
-      ip6 = mkOption {
-        type = types.str;
-        default = "";
-      };
-      pubkey = mkOption {
-        type = types.str;
-        default = "";
-      };
-    };
-  };
-  makeOpt = with lib; {
-    cli = mkOption {
-      type = types.bool;
-      default = true;
-    };
-    gui = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    virt = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    power = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    game = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    develop = mkOption {
-      type = types.bool;
-      default = false;
-    };
-  };
-  serverOpt = with lib; {
-    hostDomain = mkOption { type = types.str; };
-    shortName = mkOption { type = types.str; };
-    mailDomain = mkOption { type = types.str; };
-    mailServer = mkOption { type = types.str; };

-    dbHost = mkOption {
-      type = types.str;
-      default = "localhost";
-    };
-    dbPort = mkOption {
-      type = types.str;
-      default = "3306";
-    };
-    configPath = mkOption {
-      type = types.str;
-      default = "/media/config";
-    };
-    dataPath = mkOption {
-      type = types.str;
-      default = "/media/data";
-    };
-    containers  = mkOption {
-      type = types.attrsOf (types.submodule {
-        options = {
-          enable = mkOption { type = types.bool;default = false; };
-          db = mkOption { type = types.bool;default = false; };
-          ip = mkOption { type = types.str; };
-          port = mkOption { type = types.port; };
-          extraParam = mkOption { type = types.str; default = ""; };
-        };
-      });
-      default = {};
-    };
-    sops = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    openssh = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    wireguard = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    web = mkOption {
-      type = types.bool;
-      default = false;
-    };
-    nftables = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      ifs = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-      };
-      ports = mkOption {
-        type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
-        default = [];
-        description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
-        example = [
-          [ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
-          [ "ens3" "10.10.1.2" "IPV6" 80 80 ]
-          [ "ens3" "10.10.1.2" "IPV6" 443 443 ]
-        ];
-      };
-    };
-
-    db = mkOption {
-      type = types.listOf (types.str);
-      default = [ ];
-    };
-
-  };
 in with lib; {
-  options.usercfg = userOpt;
+  options.usercfg = import ./user.nix  {inherit lib;};
  options.syscfg = {
    hostname = mkOption { type = types.str; };
    type = mkOption {
@@ -170,20 +19,17 @@ in with lib; {
      default = "x86_64-linux";
    };
    defaultUser = mkOption { type = types.str; };
-    make = makeOpt;
-    net = netOpt;
+    make = import ./make.nix {inherit lib;};
+    net = import ./net.nix  {inherit lib;};
    users = mkOption {
-      type = types.listOf (types.submodule { options = userOpt; });
+      type = types.listOf (types.submodule { options = import ./user.nix  {inherit lib;}; });
      default = [ ];
    };
    peers = mkOption {
      default = map (name: import (systemsDir + "/${name}/cfg.nix")) systemNames;
    };
    server = mkOption {
-      type = types.oneOf [
-        types.bool
-        (types.submodule { options = serverOpt; })
-      ];
+      type = types.oneOf [ types.bool (types.submodule { options = import ./server.nix {inherit lib;}; }) ];
      default = false;
    };
  };
--- a/modules/shared/syscfg/make.nix
+++ b/modules/shared/syscfg/make.nix
@@ -0,0 +1,9 @@
+{ lib,... }:
+with lib; {
+    cli = mkOption { type = types.bool; default = true; };
+    gui = mkOption { type = types.bool; default = false; };
+    virt = mkOption { type = types.bool; default = false; };
+    power = mkOption { type = types.bool; default = false; };
+    game = mkOption { type = types.bool; default = false; };
+    develop = mkOption { type = types.bool; default = false; };
+}
--- a/modules/shared/syscfg/net.nix
+++ b/modules/shared/syscfg/net.nix
@@ -0,0 +1,14 @@
+{ lib,... }:
+with lib; {
+    ble.enable = mkOption { type = types.bool; default = false; };
+    wlp = {
+        enable = mkOption { type = types.bool; default = false; };
+        nif = mkOption { type = types.str; default = ""; };
+    };
+    wg = {
+        enable = mkOption { type = types.bool; default = false; };
+        ip4 = mkOption { type = types.str; default = ""; };
+        ip6 = mkOption { type = types.str; default = ""; };
+        pubkey = mkOption { type = types.str; default = ""; };
+    };
+}
--- a/modules/shared/syscfg/server.nix
+++ b/modules/shared/syscfg/server.nix
@@ -0,0 +1,92 @@
+{ lib,... }:
+let
+
+in with lib; {
+    hostDomain = mkOption { type = types.str; };
+    mailDomain = mkOption { type = types.str; };
+    mailServer = mkOption { type = types.str; };
+
+    configPath = mkOption {
+      type = types.str;
+      default = "/media/config";
+    };
+    dataPath = mkOption {
+      type = types.str;
+      default = "/media/data";
+    };
+
+    colorScheme = mkOption {
+      type = types.attrs;
+      default = (lib.evalModules { modules =[ { freeformType = with lib.types; attrsOf anything; } ../colors ];}).config.colorScheme ;
+    };
+    loadedContainers = lib.mkOption {
+      readOnly = true;
+       type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
+        options = {
+          name = lib.mkOption {type = lib.types.str; default = name;};
+          sops = lib.mkOption {type = lib.types.bool; default = false;};
+          db = lib.mkOption {type = lib.types.bool; default = false;};
+
+          paths = lib.mkOption {type = lib.types.listOf lib.types.attrs; default = [ ];};
+          containers = lib.mkOption {type = lib.types.attrsOf lib.types.attrs; default = { };};
+          cron = lib.mkOption {type = lib.types.listOf lib.types.str; default = [ ];};
+
+          setup = {
+            trigger = lib.mkOption {type = lib.types.str; default = "";};
+            script = lib.mkOption {type = lib.types.nullOr lib.types.package; default = null;};
+            envFile = lib.mkOption {type = lib.types.nullOr lib.types.str; default = null;};
+          };
+        };
+       }));
+        
+    };
+    containers  = mkOption {
+      type = types.attrsOf (types.submodule {
+        options = {
+          subdomain = mkOption { type = types.nullOr types.str; default=null;};
+          subpath = mkOption { type = types.nullOr types.str; default=null;};
+          port = mkOption { type = types.nullOr types.port; default = null; };
+          extra = mkOption { type = types.attrs; default = {}; };
+        };
+      });
+      default = {};
+    };
+    openssh = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    wireguard = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    web = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    ipfw = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      ifs = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+      };
+      ports = mkOption {
+        type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
+        default = [];
+        description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
+        example = [
+          [ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
+          [ "ens3" "10.10.1.2" "IPV6" 80 80 ]
+          [ "ens3" "10.10.1.2" "IPV6" 443 443 ]
+        ];
+      };
+    };
+
+    db = mkOption {
+      type = types.listOf (types.str);
+      default = [ ];
+    };
+
+}
--- a/modules/shared/syscfg/user.nix
+++ b/modules/shared/syscfg/user.nix
@@ -0,0 +1,14 @@
+{ lib,... }:
+with lib; {
+    username = mkOption { type = types.str; };
+    pubssh = mkOption { type = types.str; default=""; };
+    wm = mkOption {
+        type = types.enum [ "Wayland" "X11" "-" ];
+        default = "-";
+    };
+    git = {
+        username = mkOption { type = types.str; default = "Anonymous";};
+        email = mkOption { type = types.str; default = "anonymous@domain"; };
+        key = mkOption { type = types.nullOr types.str; default=null; };
+    };
+}
--- a/systems/gateway/cfg.nix
+++ b/systems/gateway/cfg.nix
@@ -29,7 +29,7 @@
      openssh = true;
      wireguard = true;
      web = true;
-      nftables = {
+      ipfw = {
        enable = true;
        ifs = ["ens3" "wg0" ];
        ports = [
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -21,22 +21,51 @@
    server = {
      openssh = true;
      web = true;
-      sops = true;

      hostDomain = "test.helcel.net";
-      shortName = "testcel";
      mailDomain = "test@helcel";
      mailServer = "infomaniak.ch";
      
-      dbHost = "localhost";
-      
      containers = {
-        #cloud = {enable = true;};
+
+        traefik = {
+          subdomain = "traefik";
+          extra={provider="infomaniak";};
+        };
        authentik = {
-          enable = true;
-          db = true;
-          ip = "10.88.0.125";
-          port = 9000 ;
+          subdomain = "sso";
+          port = 9000;
+        };
+        nextcloud = {
+          subdomain = "cloud";
+        };
+        collabora = {
+          subdomain = "office";
+        };
+        etherpad = {
+          subdomain = "pad";
+        };
+        ethercalc = {
+          subdomain = "pad";
+        };
+        gitea = {
+          subdomain = "git";
+        };
+        searxng = {
+          subdomain = "searx";
+        };
+        jellyfin = {
+          subdomain = "flix";
+        };
+        transmission = {
+          subdomain = "rflix";
+          subpath = "p2p";
+        };
+        # servarr = {
+        #   subdomain = "arr";
+        # };
+        umami = {
+          subdomain = "umami";
        };
      };
    };
Author	SHA1	Message	Date
sora-ext	7cfd1bb245	Update modules/server/sops/example.server.yaml	2026-05-13 17:32:12 +02:00
sora-ext	85a6517609	Add modules/server/containers/data/authentik/ldap.yaml	2026-05-13 17:31:46 +02:00
sora-ext	d55756f8f8	Update modules/server/containers/apps/servarr.nix	2026-05-13 17:31:29 +02:00
sora-ext	18beb41cd8	Update modules/server/containers/apps/jellyfin.nix	2026-05-13 17:31:19 +02:00
sora-ext	78f01cf111	Update modules/server/containers/apps/invidious.nix	2026-05-13 17:31:07 +02:00
sora-ext	c582d89715	Add modules/server/containers/apps/influx.nix	2026-05-13 17:30:57 +02:00
sora-ext	4270b15f9d	Update modules/server/containers/apps/immich.nix	2026-05-13 17:30:43 +02:00
sora-ext	a62bc660c5	Update modules/server/containers/apps/homeassistant.nix	2026-05-13 17:30:33 +02:00
sora-ext	973fd78c1b	Update modules/server/containers/apps/frigate.nix	2026-05-13 17:30:24 +02:00
sora-ext	7e62883e66	Update modules/server/containers/apps/authentik.nix	2026-05-13 17:30:10 +02:00
sora-ext	feccc2c3e0	Update modules/server/containers/apps/.template.nix	2026-05-13 17:30:00 +02:00
sora-ext	0b02de0957	Update modules/server/containers/default.nix	2026-05-13 17:29:49 +02:00
sora-ext	721838df2b	Update modules/server/containers/builder.nix	2026-05-13 17:29:33 +02:00
soraefir	8c800ad0d3	Jellyfin LDAP	2026-05-13 01:56:45 +02:00
soraefir	f7af832d8e	fix jellyfin media path	2026-05-13 01:31:15 +02:00
soraefir	6ddf4a07cc	fix umami db	2026-05-13 01:00:14 +02:00
soraefir	0df674647c	sops	2026-05-13 00:50:22 +02:00
soraefir	7bead6b3ac	fix umami	2026-05-13 00:41:36 +02:00
soraefir	f0befa87be	test	2026-05-12 22:52:25 +02:00
soraefir	6d665ee59c	add sops to servarr	2026-05-12 21:28:24 +02:00
soraefir	befe46c085	sops	2026-05-12 21:26:46 +02:00
soraefir	ba6d057600	Fix	2026-05-12 21:26:07 +02:00
soraefir	db5230bd69	typo	2026-05-12 21:25:01 +02:00
soraefir	e1a80bb7ce	Add new modules	2026-05-12 21:24:02 +02:00
sora-ext	7d95ba04a9	Add modules/shared/syscfg/user.nix	2026-05-12 18:02:13 +02:00
sora-ext	9169205357	Add modules/shared/syscfg/make.nix	2026-05-12 18:02:01 +02:00
sora-ext	74721f6b09	Add modules/shared/syscfg/net.nix	2026-05-12 18:01:52 +02:00
sora-ext	668c0107f9	Add modules/shared/syscfg/server.nix	2026-05-12 18:01:44 +02:00
sora-ext	331291c54d	Update modules/shared/syscfg/default.nix	2026-05-12 18:01:33 +02:00
sora-ext	d10f53e485	Add modules/server/containers/apps/immich.nix	2026-05-12 17:47:01 +02:00
sora-ext	82aea8268f	Update modules/shared/syscfg/default.nix	2026-05-12 17:46:23 +02:00
sora-ext	050eaedca2	Update modules/server/sops/example.server.yaml	2026-05-12 17:46:11 +02:00
sora-ext	be9cb270aa	Update modules/server/sops/default.nix	2026-05-12 17:45:59 +02:00
sora-ext	a5e0e96b52	Update modules/server/database/default.nix	2026-05-12 17:45:49 +02:00
sora-ext	4366232f18	Update modules/server/containers/apps/umami.nix	2026-05-12 17:45:34 +02:00
sora-ext	4398b1d888	Update modules/server/containers/apps/transmission.nix	2026-05-12 17:45:25 +02:00
sora-ext	c4b5c47aa4	Update modules/server/containers/apps/traefik.nix	2026-05-12 17:45:16 +02:00
sora-ext	ff64e6c231	Update modules/server/containers/apps/servarr.nix	2026-05-12 17:45:07 +02:00
sora-ext	e7d656141a	Update modules/server/containers/apps/searxng.nix	2026-05-12 17:44:59 +02:00
sora-ext	cf3c2428fb	Update modules/server/containers/apps/nextcloud.nix	2026-05-12 17:44:50 +02:00
sora-ext	a2dc050b1c	Update modules/server/containers/apps/jellyfin.nix	2026-05-12 17:44:41 +02:00
sora-ext	8bf332caf2	Update modules/server/containers/apps/gitea.nix	2026-05-12 17:44:25 +02:00
sora-ext	20d3786547	Update modules/server/containers/apps/etherpad.nix	2026-05-12 17:44:18 +02:00
sora-ext	79422c180a	Update modules/server/containers/apps/ethercalc.nix	2026-05-12 17:44:11 +02:00
sora-ext	65fc9c6df2	Update modules/server/containers/apps/collabora.nix	2026-05-12 17:44:03 +02:00
sora-ext	a59cbd13a3	Update modules/server/containers/apps/authentik.nix	2026-05-12 17:43:55 +02:00
sora-ext	5f04ef7ae5	Update modules/server/containers/apps/.todo.md	2026-05-12 17:43:48 +02:00
sora-ext	0aff508cda	Add modules/server/containers/apps/.template.nix	2026-05-12 17:43:40 +02:00
sora-ext	30df106b94	Update modules/server/containers/default.nix	2026-05-12 17:43:28 +02:00
sora-ext	3abdb6d637	Update modules/server/containers/builder.nix	2026-05-12 17:43:18 +02:00
soraefir	cd4c727255	gitea runner	2026-05-12 01:06:14 +02:00
soraefir	26cb095014	Fix	2026-05-12 00:55:55 +02:00
soraefir	2a9113e07d	fix calc	2026-05-12 00:50:25 +02:00
soraefir	42a170283d	add sops	2026-05-12 00:45:07 +02:00
soraefir	3d4cdaf6e9	new stuff	2026-05-12 00:42:09 +02:00
soraefir	21d959b592	fix script admin	2026-05-11 23:00:07 +02:00
soraefir	0895d67489	fix gitea script	2026-05-11 22:57:43 +02:00
soraefir	86f1fc116c	Fix gitea script	2026-05-11 22:55:03 +02:00
soraefir	b82033f857	gitea adminify	2026-05-11 22:45:34 +02:00
soraefir	fbe8399886	Fix	2026-05-11 22:11:26 +02:00
soraefir	036f1117be	fix mkdir	2026-05-11 22:05:38 +02:00
soraefir	b3eb1de9e6	fix	2026-05-11 22:02:16 +02:00
soraefir	91c2928a56	Fix	2026-05-11 21:53:49 +02:00
soraefir	89ffc75db2	Fix sops APIKEY	2026-05-11 21:49:20 +02:00
soraefir	63fc0bde6e	Fix port	2026-05-11 21:29:16 +02:00
soraefir	bc765ea0c6	Fix cloud port	2026-05-11 20:35:14 +02:00
soraefir	df236d4ec7	sh	2026-05-11 20:18:14 +02:00
soraefir	2f24725df4	add sh	2026-05-11 20:16:37 +02:00
soraefir	4708753085	Gitea	2026-05-11 19:22:06 +02:00
soraefir	370416edba	Fix sops	2026-05-11 19:04:16 +02:00
soraefir	ee1dec3d44	rm port	2026-05-11 18:50:36 +02:00
sora-ext	b748db9550	Add modules/server/containers/apps/.todo.md	2026-05-11 18:47:46 +02:00
sora-ext	78381d15ff	Update modules/server/containers/apps/authentik.nix	2026-05-11 18:47:46 +02:00
sora-ext	037d75af2a	Update modules/server/containers/apps/collabora.nix	2026-05-11 18:47:46 +02:00
sora-ext	9e9338d136	Add modules/server/containers/apps/ethercalc.nix	2026-05-11 18:47:46 +02:00
sora-ext	cd19d8ac06	Update modules/server/containers/apps/etherpad.nix	2026-05-11 18:47:46 +02:00
sora-ext	6dda5f6bd5	Add modules/server/containers/apps/frigate.nix	2026-05-11 18:47:46 +02:00
sora-ext	836b890fab	Add modules/server/containers/apps/gitea.nix	2026-05-11 18:47:46 +02:00
sora-ext	40ed44aa52	Add modules/server/containers/apps/handbrake.nix	2026-05-11 18:47:46 +02:00
sora-ext	2fcbf6adb3	Add modules/server/containers/apps/homeassistant.nix	2026-05-11 18:47:46 +02:00
sora-ext	f3fbf159b4	Add modules/server/containers/apps/invidious.nix	2026-05-11 18:47:46 +02:00
sora-ext	f3b8feb50d	Update modules/server/containers/apps/nextcloud.nix	2026-05-11 18:47:46 +02:00
sora-ext	f6f51597cd	Add modules/server/containers/apps/jellyfin.nix	2026-05-11 18:47:46 +02:00
sora-ext	5c7b5fcbfe	Add modules/server/containers/apps/searxng.nix	2026-05-11 18:47:46 +02:00
sora-ext	07b6868d27	Add modules/server/containers/apps/servarr.nix	2026-05-11 18:47:46 +02:00
sora-ext	870b13ef36	Update modules/server/containers/apps/traefik.nix	2026-05-11 18:47:46 +02:00
sora-ext	4b8c8bdc51	Add modules/server/containers/apps/transmission.nix	2026-05-11 18:47:46 +02:00
sora-ext	c24628b574	Add modules/server/containers/apps/trmnl.nix	2026-05-11 18:47:46 +02:00
sora-ext	c1fb77a89f	Add modules/server/containers/apps/umami.nix	2026-05-11 18:47:46 +02:00
sora-ext	94012aa44c	Update modules/shared/sops/default.nix	2026-05-11 18:47:46 +02:00
sora-ext	5ff282e65c	Update modules/shared/syscfg/default.nix	2026-05-11 18:47:46 +02:00
Renovate Bot	0bedb71d07	Lock file maintenance	2026-05-11 18:47:46 +02:00
Renovate Bot	47cbbc56cb	Lock file maintenance	2026-05-11 18:47:46 +02:00
sora	e116efd45c	Update modules/server/containers/apps/etherpad.nix	2026-05-11 03:03:52 +02:00
soraefir	ff498d15a3	fix	2026-05-11 02:51:27 +02:00
soraefir	90c596270f	Fix	2026-05-11 02:49:57 +02:00
soraefir	458a9091d4	fix	2026-05-11 02:32:08 +02:00
soraefir	123d18d1e8	fix	2026-05-11 02:29:11 +02:00
soraefir	f05f7b0147	fix	2026-05-11 02:23:54 +02:00
soraefir	a41390dcee	Fix key	2026-05-11 02:19:31 +02:00
soraefir	29478e2aed	Fix api	2026-05-11 02:11:15 +02:00
soraefir	82b422883e	Fix api	2026-05-11 01:56:11 +02:00
soraefir	4151e50a42	fix	2026-05-11 01:36:08 +02:00
soraefir	5afaf859b9	fix	2026-05-11 00:55:20 +02:00
soraefir	0cd20319fe	fix script	2026-05-11 00:54:02 +02:00
soraefir	468cd34fca	fix	2026-05-11 00:46:52 +02:00
soraefir	882d36ff83	typo	2026-05-11 00:45:43 +02:00
soraefir	dc2682c829	fix	2026-05-11 00:44:26 +02:00
soraefir	f354a99d56	test new setup script	2026-05-11 00:42:34 +02:00
soraefir	bf1fbea959	chmod and fix	2026-05-11 00:38:02 +02:00
soraefir	31addeda66	Opt dir	2026-05-11 00:33:38 +02:00
soraefir	d0ca9761d7	fix	2026-05-11 00:24:31 +02:00
soraefir	bbbb5831a8	etherpad api	2026-05-11 00:15:54 +02:00
soraefir	46f4b5288b	Admin	2026-05-10 22:39:33 +02:00
soraefir	8293df4974	Fix	2026-05-10 22:36:43 +02:00
soraefir	08866273cc	fix	2026-05-10 22:31:31 +02:00
soraefir	e2772e51d9	Fix group	2026-05-10 22:27:29 +02:00
soraefir	6bf856b702	WIP	2026-05-10 22:21:02 +02:00
soraefir	93199b4359	tmp fix	2026-05-10 22:11:53 +02:00
soraefir	d3ffacf4ca	Fix admin	2026-05-10 22:08:03 +02:00
soraefir	ac0e28b5ab	fix authentic flow	2026-05-10 22:02:11 +02:00
soraefir	e76f53d887	test template	2026-05-10 21:47:49 +02:00
soraefir	f67e142f53	fix envfile	2026-05-10 21:43:48 +02:00
soraefir	8165bf6935	Add force exec	2026-05-10 21:40:49 +02:00
soraefir	09539b5866	Add user setup script	2026-05-10 21:39:12 +02:00
soraefir	1b2a724a26	Fix idp & co, add base ak setup	2026-05-10 20:42:19 +02:00
soraefir	e6e6e4af49	Fix saml url	2026-05-10 19:56:05 +02:00
soraefir	e999a5bf2c	Fix	2026-05-10 19:49:32 +02:00
soraefir	a57818e37e	Fix db	2026-05-10 19:43:19 +02:00
soraefir	0e61b2fad4	saml name	2026-05-10 19:41:58 +02:00
soraefir	9016657699	import cert	2026-05-10 19:34:46 +02:00
soraefir	5462434558	Fix	2026-05-10 19:19:15 +02:00
soraefir	aa36fa812c	Foix blueprint	2026-05-10 19:14:37 +02:00
soraefir	f5f28968c6	test blueprint fix	2026-05-10 18:58:13 +02:00
soraefir	4c2ef6e264	Fix blueprints	2026-05-10 18:51:58 +02:00
soraefir	fa808f3eb2	Fix nix mkdata	2026-05-10 18:44:58 +02:00
soraefir	7bc9ae1f2d	Fix mkData	2026-05-10 18:42:03 +02:00
soraefir	e53be27e96	Fix	2026-05-10 18:36:20 +02:00
soraefir	88ab6e2007	typo	2026-05-10 18:34:23 +02:00
soraefir	864e698272	fix	2026-05-10 18:33:22 +02:00
soraefir	8961706503	fix	2026-05-10 18:31:56 +02:00
soraefir	c637fea0d0	Add authentik blueprints	2026-05-10 18:29:53 +02:00
soraefir	9813e7d49a	Longer timeout	2026-05-10 12:29:46 +02:00
soraefir	ea6db4b9bf	fix	2026-05-10 12:26:34 +02:00
soraefir	2eff0969e0	fix	2026-05-10 12:21:46 +02:00
soraefir	cf5648122d	fix	2026-05-10 12:21:01 +02:00
soraefir	b10e7a5a93	fix	2026-05-10 12:04:03 +02:00
soraefir	882a43b705	cfg	2026-05-10 12:03:05 +02:00
soraefir	e9868a2513	fix	2026-05-10 12:02:02 +02:00
soraefir	43a0f903b0	Fix	2026-05-10 12:01:28 +02:00
soraefir	1b76ec20b4	fix	2026-05-10 11:59:37 +02:00
soraefir	6a7fcf6152	fix	2026-05-10 11:58:29 +02:00
soraefir	b6bc6dd138	dbg	2026-05-10 11:57:59 +02:00
soraefir	90f8387192	tmp ignore	2026-05-10 11:56:13 +02:00
soraefir	25604d6c14	test	2026-05-10 11:55:53 +02:00
soraefir	51d60de5c0	fix	2026-05-10 11:54:37 +02:00
soraefir	5e8cd65785	fix	2026-05-10 11:52:32 +02:00
soraefir	fa5845808b	fix	2026-05-10 11:50:34 +02:00
soraefir	28c17d9bb6	colors	2026-05-10 11:49:18 +02:00
soraefir	89d2f9a48e	typo2	2026-05-10 11:42:53 +02:00
soraefir	e58d323ea0	typo	2026-05-10 11:41:59 +02:00
soraefir	7465b6b24c	script omprovement	2026-05-10 11:38:19 +02:00
soraefir	59c6b68501	Add cron	2026-05-09 19:40:22 +02:00
soraefir	9273387170	Script improvements	2026-05-09 19:35:05 +02:00
soraefir	55a08673f0	fix caldav	2026-05-09 19:25:06 +02:00
soraefir	5dbb95603d	silence script verbosity	2026-05-09 19:20:35 +02:00
soraefir	d60f8dd56f	improve script	2026-05-09 19:18:27 +02:00
soraefir	7d35cb319f	Fix	2026-05-09 19:12:36 +02:00
soraefir	8d4caac83b	group for nextcloud	2026-05-09 18:47:38 +02:00
soraefir	ad2b492b51	Fix service	2026-05-09 18:42:22 +02:00
soraefir	4b68accf2f	fix nextcloud	2026-05-09 17:52:39 +02:00
soraefir	0d9c8a2974	fix	2026-05-09 17:51:06 +02:00
soraefir	63d2dddd1e	setup scripts	2026-05-09 17:50:23 +02:00
soraefir	55d678df19	bump nextcloud	2026-05-09 13:33:56 +02:00
soraefir	88a4ab069e	registries	2026-05-09 13:28:48 +02:00
soraefir	c54ed4a712	Admin user	2026-05-09 12:54:13 +02:00
soraefir	3db4517a3b	temps	2026-05-09 12:43:16 +02:00
soraefir	f3dfe561ad	add plugin	2026-05-09 12:38:04 +02:00
soraefir	b58da2b2e1	port fix	2026-05-09 12:12:42 +02:00
soraefir	28fa63919f	Fix env	2026-05-09 12:09:27 +02:00
soraefir	cb7e29bfe0	container settings	2026-05-09 11:58:38 +02:00
soraefir	ea58be6fdc	fix typo	2026-05-09 11:57:21 +02:00
soraefir	da51e61c05	escape	2026-05-09 11:56:42 +02:00
soraefir	1ca61b70d2	fix env	2026-05-09 11:53:29 +02:00
soraefir	eafafe876f	postgres	2026-05-09 11:03:58 +02:00
soraefir	21adca1fbc	tmp perm	2026-05-09 10:50:25 +02:00
soraefir	57efc58bc2	Fix user etherpad	2026-05-09 10:46:04 +02:00
soraefir	cd5deea849	etherpad	2026-05-09 10:45:16 +02:00
soraefir	9f5f8751e5	fix ddos	2026-05-09 10:32:18 +02:00
soraefir	f02adc6d93	fix	2026-05-09 10:24:13 +02:00
soraefir	b2f6d8cc9e	Fix	2026-05-09 10:19:21 +02:00
soraefir	c18ac097fa	test	2026-05-09 10:17:27 +02:00
soraefir	1fc9017e7e	fix	2026-05-09 10:12:01 +02:00
soraefir	8ff90e54b8	fix	2026-05-09 10:11:21 +02:00
soraefir	fba3a24f16	custom image	2026-05-09 10:09:51 +02:00
soraefir	fcb97828f4	test custom img	2026-05-09 10:04:47 +02:00
soraefir	e04382742f	cleanup traefik	2026-05-09 10:03:09 +02:00
soraefir	48b40d819b	fix typo	2026-05-09 09:56:28 +02:00
soraefir	8b75968f11	fix tls	2026-05-09 09:55:30 +02:00
soraefir	dda8409329	cert	2026-05-09 09:46:18 +02:00
soraefir	9a0b5171b1	fix dns	2026-05-09 09:42:33 +02:00
soraefir	9abb5b2f26	logs	2026-05-09 09:35:41 +02:00
soraefir	8362599b54	traefik	2026-05-09 09:34:07 +02:00
soraefir	c1b9c12281	fix	2026-05-09 09:26:40 +02:00
soraefir	e4dcb0bd39	api port	2026-05-09 00:20:27 +02:00
soraefir	a31991c507	typo	2026-05-08 23:58:53 +02:00
soraefir	e1651cba2a	traefik docker	2026-05-08 23:57:19 +02:00
soraefir	bb5ecbba73	acme	2026-05-08 23:54:20 +02:00
soraefir	0c79617647	test acme	2026-05-08 23:48:37 +02:00
soraefir	a3bc8b80c5	fix acme	2026-05-08 23:39:48 +02:00
soraefir	55fcf8b71a	fix	2026-05-08 23:32:25 +02:00
soraefir	5aabd9acce	Fix	2026-05-08 23:31:56 +02:00
soraefir	e652c12bf2	fix traefik	2026-05-08 23:30:04 +02:00
soraefir	4c684cf9b1	Fix portfw traefik	2026-05-08 23:18:43 +02:00
soraefir	0c60bbbaa8	rm deprecated	2026-05-08 23:14:51 +02:00
soraefir	097334b483	fix statfs	2026-05-08 23:10:52 +02:00
soraefir	bfd099d201	container registry	2026-05-08 23:05:25 +02:00
soraefir	1fe6e43046	sops	2026-05-08 22:56:05 +02:00
soraefir	23b8ad480e	fix subdomain	2026-05-08 22:55:21 +02:00
soraefir	3d1fc2a2c9	traefik	2026-05-08 22:53:41 +02:00
soraefir	aacca16eb2	fix tmpfs	2026-05-08 21:05:08 +02:00
soraefir	5de459c347	fix nulls	2026-05-08 21:01:46 +02:00
soraefir	d898116ff4	fix nulls	2026-05-08 20:59:40 +02:00
soraefir	e2b688c836	fix sops	2026-05-08 20:54:54 +02:00
soraefir	b5d57bf9c8	test	2026-05-08 20:52:08 +02:00
soraefir	236f9dbdc3	Sops	2026-05-08 20:50:13 +02:00
soraefir	9696ca9a6d	ipfw	2026-05-08 20:47:00 +02:00
soraefir	df523c48e5	rename and fix	2026-05-08 20:46:23 +02:00
soraefir	4d398d5596	sops	2026-05-08 20:36:26 +02:00
soraefir	5045291097	sops	2026-05-08 20:35:43 +02:00
soraefir	2dc1632a40	sops	2026-05-08 20:32:37 +02:00
soraefir	744a2b8563	Secrets	2026-05-08 20:31:12 +02:00
soraefir	b722d349af	fix cloud	2026-05-08 20:28:22 +02:00
soraefir	7438905618	WIP	2026-05-08 20:25:51 +02:00
soraefir	908c144c73	add cloud	2026-05-08 20:25:14 +02:00
soraefir	6d353df19f	fix collabora	2026-05-08 20:23:40 +02:00
soraefir	7194d91b1c	WIP	2026-05-08 20:22:04 +02:00
soraefir	d3c301db36	Fix	2026-05-08 02:52:56 +02:00
soraefir	135d48d78c	test	2026-05-08 02:47:19 +02:00
soraefir	d4292cd46d	test	2026-05-08 02:45:33 +02:00
soraefir	4a4d3e3604	typo	2026-05-08 02:37:06 +02:00
soraefir	d076538901	test	2026-05-08 02:35:32 +02:00
soraefir	8fedaf18cd	firewall?	2026-05-08 02:20:28 +02:00
soraefir	4c1f9f0e78	nft	2026-05-08 02:17:10 +02:00
soraefir	1a8eb085df	fix db ?	2026-05-08 02:13:44 +02:00
soraefir	8a619d9fc6	env	2026-05-08 02:00:10 +02:00
soraefir	a76f920297	Fix	2026-05-08 01:58:37 +02:00
soraefir	fe93cb708e	accept podman traffic	2026-05-08 01:49:31 +02:00
soraefir	cb29056296	Sops	2026-05-08 01:37:57 +02:00
soraefir	4bc68eeeaf	more fix	2026-05-08 01:34:17 +02:00
soraefir	9cf9937cb7	wg nft	2026-05-08 01:26:53 +02:00
soraefir	593514c100	fix ssh	2026-05-08 01:21:56 +02:00
soraefir	6ad9a0b34c	Env	2026-05-08 01:19:04 +02:00
soraefir	65e3568072	Db	2026-05-08 01:18:02 +02:00
soraefir	c55b06cca9	fix nft	2026-05-08 01:15:56 +02:00
soraefir	40dba4b959	Fix nftable	2026-05-08 01:15:27 +02:00
soraefir	bc8a9d42f9	Fix nftable	2026-05-08 01:09:51 +02:00
soraefir	cd5a1aeed4	temp fix	2026-05-08 01:08:59 +02:00
soraefir	0f2081486d	Wops	2026-05-08 01:08:07 +02:00
soraefir	1c022d7642	Fix secret	2026-05-08 00:53:00 +02:00
soraefir	379f6befb3	fix	2026-05-08 00:44:13 +02:00
soraefir	868d2ce116	fix	2026-05-08 00:29:12 +02:00
soraefir	94fdfa2b33	Test acme	2026-05-08 00:17:46 +02:00
soraefir	a73ad174ea	Fix	2026-05-08 00:14:41 +02:00
soraefir	fba5a79ce6	Fix parenthesis	2026-05-08 00:12:17 +02:00
soraefir	e8c9fc52fb	Update	2026-05-08 00:06:21 +02:00
soraefir	8092bac6b7	nginx	2026-05-07 00:03:43 +02:00
soraefir	7d80478e83	more fixes authentik	2026-05-06 23:47:09 +02:00
soraefir	2cab462db5	Fix authentik worker	2026-05-06 23:45:21 +02:00
soraefir	0bb796fbe8	Fix cfg	2026-05-06 23:42:29 +02:00
soraefir	1f2cc94a0a	Fix builder	2026-05-06 23:39:28 +02:00
soraefir	3caf507905	Fix attempt	2026-05-06 23:35:03 +02:00
soraefir	27a5566ac6	Rename file	2026-05-06 23:31:12 +02:00
soraefir	b439888fa8	Fix naming	2026-05-06 23:30:08 +02:00
soraefir	093497367a	container builder	2026-05-06 23:28:49 +02:00
soraefir	1c0cfd1afe	change podman building	2026-05-06 22:59:11 +02:00