Update modules/server/containers/apps/etherpad.nix

fix
Fix
2026-05-11 03:03:52 +02:00 · 2026-05-11 02:51:27 +02:00 · 2026-05-11 02:49:57 +02:00 · 2026-05-11 02:32:08 +02:00 · 2026-05-11 02:29:11 +02:00 · 2026-05-11 02:23:54 +02:00
30 changed files with 1042 additions and 429 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ result
 age-key.txt
 .decrypted~common.yaml
 .decrypted*
 .tmp
--- a/flake.nix
+++ b/flake.nix
@@ -17,19 +17,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # hyprland = {
    #   url = "github:hyprwm/Hyprland";
    #   inputs.nixpkgs.follows = "nixpkgs";
    # };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-colors.url = "github:misterio77/nix-colors";
    arion.url = "github:hercules-ci/arion";
    arion.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = inputs:
--- a/generator.nix
+++ b/generator.nix
@@ -13,7 +13,6 @@
          ./modules/nixos
          syscfg
          ./systems/${host}
          inputs.arion.nixosModules.arion
          inputs.sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.home-manager
          {
--- a/modules/nixos/system/hw/virt/default.nix
+++ b/modules/nixos/system/hw/virt/default.nix
@@ -18,5 +18,6 @@
        };
      };
    };
    virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
  };
 }
--- a/modules/nixos/system/network/base/default.nix
+++ b/modules/nixos/system/network/base/default.nix
@@ -7,11 +7,13 @@
    firewall = { 
      enable = true;
      allowedUDPPorts = 
-        (if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++ 
+        (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++ 
        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
        [ ];
      allowedTCPPorts = 
-        (if config.syscfg.server ? web       then [ 80 443 22 ] else [ ]) ++ 
+        (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ 
        (if (config.syscfg.server != false) then [ 5432 6379 ] else [ ]) ++ 
        [ ];
    };
  };
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -0,0 +1,94 @@
 { config, containerCfg, pkgs, lib, builder, name, ... }:
 let 
  version = "2026.2.2";
  serverCfg = config.syscfg.server;
  authentikData = builder.mkData { 
    name = "authentik"; dir = "authentik"; vars = {
      NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
      AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
      COOKIE_DOMAIN = "${serverCfg.hostDomain}";
    };
  };
 in {
  paths = [{
    path="${serverCfg.configPath}/authentik/media";
    owner = "1000:1000";
    mode = "0755";
  }{
    path="${serverCfg.configPath}/authentik/templates";
    owner = "1000:1000";
    mode = "0755";
  }];
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "ghcr.io/goauthentik/server:${version}";
      port = containerCfg.port;
      ip = containerCfg.ip;
      secret = name;
      extraEnv = {
        "AUTHENTIK_REDIS__HOST" = builder.host;
        "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
        "AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
        "AUTHENTIK_EMAIL__PORT" = "587";
        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
        "AUTHENTIK_EMAIL__USE_TLS" = "true";
        "AUTHENTIK_EMAIL__USE_SSL" = "false";
        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
      };
      overrides = {
        cmd = [ "server" ];
        ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
        volumes = [
          "${serverCfg.configPath}/authentik/media:/media"
          "${serverCfg.configPath}/authentik/templates:/templates"
          "${authentikData}:/blueprints/custom:ro"
        ];
      };
    };
    worker = builder.mkContainer {
      image = "ghcr.io/goauthentik/server:${version}";
      secret = "authentik";
      extraEnv = {
        "AUTHENTIK_REDIS__HOST" = builder.host;
        "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
      };
      # extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
      overrides = {
        cmd = [ "worker" ];
        volumes = [
          "${serverCfg.configPath}/authentik/media:/media"
          "${serverCfg.configPath}/authentik/templates:/templates"
          "${authentikData}:/blueprints/custom:ro"
          # "/var/run/podman/podman.sock:/var/run/docker.sock" #PODMAN GROUP FOR SOCKET ACCESS
        ];
      };
    };
  };
  setup = {
    trigger = "worker";
    script = pkgs.writeShellScript "setup" ''
      # Define the command wrapper
      AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"
      $AK apply_blueprint /blueprints/custom/authentik.yaml
      $AK apply_blueprint /blueprints/custom/traefik.yaml
      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
      echo "Completed Authentik Setup"
      '';
  };
 }
--- a/modules/server/containers/apps/collabora.nix
+++ b/modules/server/containers/apps/collabora.nix
@@ -0,0 +1,33 @@
 { config, containerCfg, pkgs, lib, builder, name, ... }:
 let 
 version = "latest";
 serverCfg = config.syscfg.server;
 in {
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "collabora/code:${version}";
      port = containerCfg.port;
      ip = containerCfg.ip;
      secret = name;
      extraEnv = {
        "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";
        "server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
        "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
        "VIRTUAL_PORT" = "${toString containerCfg.port}";
        "VIRTUAL_PROTO" = "http";
        "DONT_GEN_SSL_CERT" = "true";
        "RESOLVE_TO_PROXY_IP" = "true";
        "extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
        "dictionaries" = "en fr de jp no";
      };
      overrides = {
        volumes = [
          "${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
          "${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
        ];
      };
    };
  };
 }
--- a/modules/server/containers/apps/etherpad.nix
+++ b/modules/server/containers/apps/etherpad.nix
@@ -0,0 +1,115 @@
 { config, containerCfg, pkgs, lib, builder, name,... }:
 let 
  serverCfg = config.syscfg.server;
  etherpad_exe = pkgs.etherpad-lite;
  settings = pkgs.writeText"settings.json" (builtins.toJSON {
    title= "\${TITLE:Etherpad}";
    showRecentPads = "\${SHOW_RECENT_PADS:true}";
    favicon = "\${FAVICON:null}";
    publicURL = "\${PUBLIC_URL:null}";
    skinName = "\${SKIN_NAME:colibris}";
    skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
    ip = "\${IP:0.0.0.0}";
    port = "\${PORT:9001}";
    showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
    enableMetrics = "\${ENABLE_METRICS:true}";
    updates.tier = "off";
    cleanup.enabled = false;
    gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
    authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
    enableDarkMode = "\${ENABLE_DARK_MODE:true}";
    enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
    dbType = "\${DB_TYPE:dirty}";
    dbSettings = {
      host =       "\${DB_HOST:undefined}";
      port =       "\${DB_PORT:undefined}";
      database =   "\${DB_NAME:undefined}";
      user =       "\${DB_USER:undefined}";
      password =   "\${DB_PASS:undefined}";
      charset =    "\${DB_CHARSET:undefined}";
      filename =   "\${DB_FILENAME:var/dirty.db}";
      collection = "\${DB_COLLECTION:undefined}";
      url =        "\${DB_URL:undefined}";
    };
    defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
    padOptions = {
      noColors =         "\${PAD_OPTIONS_NO_COLORS:false}";
      showControls =     "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
      showChat =         "\${PAD_OPTIONS_SHOW_CHAT:true}";
      showLineNumbers =  "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
      useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
      userName =         "\${PAD_OPTIONS_USER_NAME:null}";
      userColor =        "\${PAD_OPTIONS_USER_COLOR:null}";
      rtl =              "\${PAD_OPTIONS_RTL:false}";
      alwaysShowChat =   "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
      chatAndUsers =     "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
      lang =             "\${PAD_OPTIONS_LANG:null}";
      fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
      enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
    };
    requireSession = "\${REQUIRE_SESSION:false}";
    editOnly = "\${EDIT_ONLY:false}";
    minify = "\${MINIFY:true}";
    requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
    requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
    trustProxy = "\${TRUST_PROXY:true}";
    ep_headerauth.username_header = "X-authentik-username";
    users.admin = {
      password = "\${ADMIN_PASSWORD:null}";
      is_admin = true;
    };
    socketTransportProtocols = ["websocket" "polling"];
    socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
    indentationOnNewLine = true;
    loglevel = "\${LOGLEVEL:INFO}";
    lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
  });
  image = pkgs.dockerTools.streamLayeredImage {
    name = "etherpad";
    tag = etherpad_exe.version;
    config = {
      Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
      ExposedPorts = { "${toString containerCfg.port}/tcp" = {}; };
      Env = [
        "NODE_ENV=production"
      ];
    };
  };
 in {
  paths = [];
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      imageStream = image;
      port = containerCfg.port;
      ip = containerCfg.ip;
      secret = name;
      extraEnv = {
        TITLE = "Pad";
        PORT = toString containerCfg.port;
        DB_TYPE = "postgres";
        DB_HOST = builder.host;
        DB_NAME = "etherpad_db";
        DB_USER = "etherpad_user";
        TRUST_PROXY = "true";
        DB_CHARSET = "utf8mb4";
        DEFAULT_PAD_TEXT = "";
        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
      };
      overrides = {
        cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "$APIKEY"];
        volumes = [
          "${settings}:/etc/etherpad/settings.json"
        ];
       };
    };
  };
 }
--- a/modules/server/containers/apps/nextcloud.nix
+++ b/modules/server/containers/apps/nextcloud.nix
@@ -0,0 +1,198 @@
 { config, containerCfg, pkgs, lib, builder, name,... }:
 let 
 version = "31";
 serverCfg = config.syscfg.server;
 in {
  paths = [{
    path="${serverCfg.dataPath}/nextcloud/www";
    owner = "33:33";
    mode = "0755";
  }{
    path="${serverCfg.dataPath}/nextcloud/data";
    owner = "33:33";
    mode = "0755";
    backup = true;
  }];
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "nextcloud:${version}";
      port = containerCfg.port;
      ip = containerCfg.ip;
      secret = name;
      extraEnv = {
        REDIS_HOST = builder.host;
        POSTGRES_HOST = builder.host;
        POSTGRES_USER = "nextcloud_user";
        POSTGRES_DB = "nextcloud_db";
        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
        "NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
        "SMTP_HOST" = serverCfg.mailServer;
        "SMTP_NAME" = "mail_user";
        "SMTP_PASSWORD" = "mail_password";
        "MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.hostDomain}";
        "MAIL_DOMAIN" = serverCfg.mailDomain;
        "TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
      };
      extraLabels = {
        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
      };
      extraOptions = [
        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
      ];
      overrides = {
        ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
        volumes = [
          "${serverCfg.dataPath}/nextcloud/www:/var/www/html"
          "${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
        ];
      };
    };
  };
  setup = {
    trigger = "server";
    script = pkgs.writeShellScript "setup" ''
      # Define the command wrapper
      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u www-data nextcloud-server php occ"
      echo "Waiting for Nextcloud container to start..."
      until $OCC status > /dev/null 2>&1; do
        sleep 2
      done
      INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
      if [ -z "$INSTALLED" ]; then
        echo "Running first-time setup..."
        $OCC maintenance:install \
          --admin-user "$DEFAULT_ADMIN_USERNAME" \
          --admin-pass "$DEFAULT_ADMIN_PASSWORD"
      fi
      if [ -z "$INSTALLED" ] || [ -f "/tmp/force-nextcloud-setup" ]; then
        rm -f "/tmp/force-nextcloud-setup"
        echo "Applying Settings..."
        $OCC config:system:set default_phone_region --value="CH"
        $OCC config:system:set overwriteprotocol --value="https"
        $OCC config:app:set core backgroundjobs_mode --value="cron"
        $OCC config:system:set maintenance_window_start --type=integer --value=1
        $OCC config:system:set default_language --value="en"
        $OCC config:system:set default_locale --value="en_CH"
        echo "Applying Apps..."
        $OCC app:disable activity || true
        $OCC app:disable app_api || true
        $OCC app:disable comments || true
        $OCC app:disable firstrunwizard || true
        $OCC config:system:set show_first_run_wizard --type=bool --value=false
        $OCC app:disable nextcloud_announcements || true
        $OCC app:disable oauth2 || true
        $OCC app:disable recommendations || true
        $OCC app:disable sharebymail || true
        $OCC app:disable support || true
        $OCC app:disable survey_client || true
        $OCC app:disable updatenotification || true
        $OCC app:disable user_status || true
        $OCC app:install calendar || true
        $OCC app:install calendar || true
        $OCC app:install contacts || true
        $OCC app:install camerarawpreviews || true
        $OCC app:install cospend || true
        $OCC app:install deck || true
        $OCC app:install files_markdown || true
        $OCC app:install forms || true
        $OCC app:install groupfolders || true
        $OCC app:install ownpad || true
        $OCC app:install previewgenerator || true
        $OCC app:install richdocuments || true
        ${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
        # $OCC app:install side_menu || true 
        $OCC app:install spreed || true
        $OCC app:install teamfolders || true
        ${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
        echo "Applying Apps Settings..."
        $OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
        $OCC config:app:set cospend allow_federation --value="yes"
        ${lib.optionalString (serverCfg.containers ? ethercalc) ''
        $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
        $OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}"
        ''}
        ${lib.optionalString (serverCfg.containers ? etherpad) ''
        $OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
        $OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.hostDomain}"
        ''}
        ${lib.optionalString (serverCfg.containers ? collabora) ''
        $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/"
        $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}"
        $OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
        ''}
        ${lib.optionalString (serverCfg.containers ? authentik) ''
        $OCC saml:config:set 1 --general-idp0_display_name="authentik"
        $OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
        $OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}"
        $OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/sso/binding/redirect/"
        $OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/slo/binding/redirect/"
        AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
        $OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT" 
        $OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
        $OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        $OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
        $OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
        $OCC group:add admin || true
        $OCC group:add cloud || true
        $OCC config:app:set user_saml general-group_provisioning --value="0"
        $OCC config:app:set user_saml general-require_provisioning_groups --value="1"
        ''}
        # configure side_menu ...
        FOLDERS=$($OCC teamfolders:list --format=json)
        ${builtins.concatStringsSep "\n" (map (name: ''
          if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
              $OCC teamfolders:create "${name}"
          fi
        '') containerCfg.extra.teamFolders or [])}
        SERVERS=$($OCC federation:list-servers --format=json)
        ${builtins.concatStringsSep "\n" (map (domain: ''
          if ! echo "$SERVERS" | grep -q "${domain}"; then
            $OCC federation:add-server "https://${domain}"
          fi
        '') containerCfg.extra.federatedServers or [])}
        $OCC config:app:set systemtags allow_user_creating --value="no"
        echo "Applying Theme..."
        $OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.hostDomain}"
        ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
        ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
        $OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
        $OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
        #$OCC theming:config logo {serverCfg.colorScheme.logo}
        #$OCC theming:config logoheader {serverCfg.colorScheme.logo}
        #$OCC theming:config background {serverCfg.colorScheme.bg}
      else
          echo "Nextcloud is already installed. Skipping setup."
      fi
      echo "Maintenance..."
      $OCC app:update --all
      $OCC maintenance:repair --include-expensive --no-interaction
      $OCC db:add-missing-indices --no-interaction
      echo "Completed Setup"
    '';
  };
  cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
 }
--- a/modules/server/containers/apps/traefik.nix
+++ b/modules/server/containers/apps/traefik.nix
@@ -0,0 +1,75 @@
 { config, containerCfg, pkgs, lib, builder, name,... }:
 let 
  serverCfg = config.syscfg.server;
  image = pkgs.dockerTools.streamLayeredImage {
    name = "traefik";
    tag = pkgs.traefik.version;
    contents = with pkgs;[ cacert tzdata ];
    config = {
      Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
      WorkingDir = "/";
    };
  };
 in {
  paths = [{
    path="${serverCfg.configPath}/traefik";
    owner = "1000:1000";
    mode = "0755";
  }];
  containers = {
    server = builder.mkContainer {
      imageStream = image;
      subdomain = containerCfg.subdomain;
      ip = containerCfg.ip;
      port = 8080;
      secret = name;
      extraLabels = {
        "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
        "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
        "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.hostDomain}";
        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.hostDomain}";
        "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
        "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
        "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
        "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
      };
      extraEnv = { };
      overrides = {
        cmd = [ 
          "--api"
          "--log.level=INFO"
          "--providers.docker=true"
          "--global.checknewversion=false"
          "--global.sendanonymoususage=false"
          "--api.insecure=true"
          "--api.dashboard=true"
          "--providers.docker.exposedByDefault=false"
          "--entrypoints.web.address=:80"
          "--entrypoints.web-secure.address=:443"
          "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
          "--entrypoints.web.http.redirections.entrypoint.scheme=https"
          "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
          "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
          "--certificatesresolvers.default.acme.email=acme@${serverCfg.hostDomain}"
          "--certificatesresolvers.default.acme.tlschallenge=false"
          "--certificatesresolvers.default.acme.httpchallenge=false"
          "--certificatesresolvers.default.acme.dnschallenge=true"
          "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
          "--certificatesresolvers.default.acme.storage=/custom/acme.json"
        ];
        ports = [ "443:443" "80:80" ];
        volumes = [
          "/var/run/podman/podman.sock:/var/run/docker.sock"
          # "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
          "${serverCfg.configPath}/traefik:/custom"
        ];
      };
    };
  };
 }
--- a/modules/server/containers/builder.nix
+++ b/modules/server/containers/builder.nix
@@ -0,0 +1,46 @@
 { config, lib, pkgs, serverCfg }:
 let 
  builder =
  { image ? null, imageStream ? null
  , secret ? null
  , subdomain ? null, ip ? null, port ? 0
  , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
  , overrides ? { }
  }:
  let base = {
    image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}" 
            else image;
    imageStream = imageStream;
    environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
    environment = {} // extraEnv;
    labels = (if subdomain!=null then ({
      "traefik.enable" = "true";
      "traefik.http.routers.${subdomain}.entrypoints" = "web-secure";
      "traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)";
      "traefik.http.routers.${subdomain}.tls" = "true";
    } // lib.optionalAttrs (port!=null) {
      "traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port;
    }) else {
      "traefik.enable" = "false";
    }) // extraLabels;
    extraOptions = extraOptions ++ [
      "--add-host=host.containers.internal:host-gateway"
    ] ++ lib.optional (ip!=null) "--ip=${ip}";
  };
  in lib.recursiveUpdate base overrides;
 in {
  mkContainer = builder;
  mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
    mkdir -p $out
    cp -r ${./data + "/${dir}"}/. $out/
    find $out -type f | while read file; do
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
        substituteInPlace "$file" --replace "@${n}@" "${toString v}"
      '') vars)}
    done
  '';
  host = "host.containers.internal"; 
 }
--- a/modules/server/containers/data/authentik/authentik.yaml
+++ b/modules/server/containers/data/authentik/authentik.yaml
@@ -0,0 +1,71 @@
 version: 1
 metadata:
  name: "Initial User Setup"
  labels:
    blueprint-type: core
 entries:
  # Optionally, disable the default enrollment flow entirely
  - model: authentik_flows.flow
    identifiers:
      slug: "default-source-enrollment"
    attrs:
      designation: "enrollment"
      enabled: false
  # --- GROUPS ---
  - model: authentik_core.group
    state: present
    identifiers:
      name: "admin"
    attrs:
      is_superuser: true
  - model: authentik_core.group
    identifiers:
      name: "cloud"
    attrs:
      is_superuser: false
  - model: authentik_core.group
    identifiers:
      name: "dev"
    attrs:
      is_superuser: false
  - model: authentik_core.group
    identifiers:
      name: "flix"
    attrs:
      is_superuser: false
  - model: authentik_core.group
    identifiers:
      name: "family"
    attrs:
      is_superuser: false
  # --- ADMIN USERS ---
  - model: authentik_core.user
    identifiers:
      username: !Env DEFAULT_ADMIN_USERNAME
    attrs:
      name: !Env DEFAULT_ADMIN_USERNAME
      email: !Env DEFAULT_ADMIN_EMAIL
      password: !Env DEFAULT_ADMIN_PASSWORD
      path: "users"
      groups:
        - !Find [authentik_core.group, [name, "admin"]]
  # Disable the Initial Setup Flow
  - model: authentik_flows.flow
    identifiers:
      slug: "initial-setup"
    attrs:
      authentication: "require_superuser"
      enabled: false
  # Disable the default 'akadmin' if it exists
  - model: authentik_core.user
    identifiers:
      username: "akadmin"
    attrs:
      is_active: false
--- a/modules/server/containers/data/authentik/nextcloud.yaml
+++ b/modules/server/containers/data/authentik/nextcloud.yaml
@@ -0,0 +1,88 @@
 version: 1
 metadata:
  name: nextcloud-saml-setup
 entries:
  # 1. Create the SAML Provider
  - model: authentik_providers_saml.samlprovider
    identifiers:
      name: Nextcloud SAML
    attrs:
      authorization_flow:
        !Find [
          authentik_flows.flow,
          [slug, default-provider-authorization-explicit-consent],
        ]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      # Adjust these URLs to match your Nextcloud domain
      acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
      audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
      issuer: https://@AUTHENTIK_DOMAIN@
      sp_binding: post
      # Map the attributes for Name, Email, and Groups
      property_mappings:
        - !Find [
            authentik_core.propertymapping,
            [name, "authentik default SAML Mapping: Name"],
          ]
        - !Find [
            authentik_core.propertymapping,
            [name, "authentik default SAML Mapping: Email"],
          ]
        - !Find [
            authentik_core.propertymapping,
            [name, "authentik default SAML Mapping: Groups"],
          ]
        - !Find [
            authentik_core.propertymapping,
            [name, "authentik default SAML Mapping: Username"],
          ]
        - !Find [
            authentik_core.propertymapping,
            [name, "authentik default SAML Mapping: User ID"],
          ]
        # - !Find [
        #     authentik_providers_saml.samlpropertymapping,
        #     [managed, "goauthentik.io/providers/saml/ms-name"],
        #   ]
        # - !Find [
        #     authentik_providers_saml.samlpropertymapping,
        #     [managed, "goauthentik.io/providers/saml/ms-email"],
        #   ]
        # - !Find [
        #     authentik_providers_saml.samlpropertymapping,
        #     [managed, "goauthentik.io/providers/saml/ms-groups"],
        #   ]
        # - !Find [
        #     authentik_core.propertymapping,
        #     [managed, goauthentik.io/providers/saml/ms-name],
        #   ]
        # - !Find [
        #     authentik_core.propertymapping,
        #     [managed, goauthentik.io/providers/saml/ms-email],
        #   ]
        # - !Find [
        #     authentik_core.propertymapping,
        #     [managed, goauthentik.io/providers/saml/ms-groups],
        #   ]
      # Select your signing certificate (default is usually self-signed)
      signing_kp:
        !Find [
          authentik_crypto.certificatekeypair,
          [name, "authentik Self-signed Certificate"],
        ]
      sign_assertion: true
      sign_response: false
  # 2. Create the Application
  - model: authentik_core.application
    identifiers:
      slug: nextcloud
    attrs:
      name: Nextcloud
      provider:
        !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
      group: "Cloud Services"
--- a/modules/server/containers/data/authentik/traefik.yaml
+++ b/modules/server/containers/data/authentik/traefik.yaml
@@ -0,0 +1,45 @@
 version: 1
 metadata:
  name: domain-wide-proxy-setup
 entries:
  # 1. The Provider
  - model: authentik_providers_proxy.proxyprovider
    identifiers:
      name: Domain Wide Proxy
    attrs:
      authorization_flow:
        !Find [
          authentik_flows.flow,
          [slug, default-provider-authorization-implicit-consent],
        ]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      external_host: https://@AUTHENTIK_DOMAIN@
      cookie_domain: "@COOKIE_DOMAIN@"
      mode: forward_domain
      intercept_header_auth: true
  # 2. The Application (Required to link the provider)
  - model: authentik_core.application
    identifiers:
      slug: authentik-proxy
    attrs:
      name: "Domain Auth Provider"
      provider:
        !Find [
          authentik_providers_proxy.proxyprovider,
          [name, Domain Wide Proxy],
        ]
  # 3. Add to Outpost
  - model: authentik_outposts.outpost
    identifiers:
      name: authentik Embedded Outpost
    attrs:
      providers:
        - !Find [
            authentik_providers_proxy.proxyprovider,
            [name, Domain Wide Proxy],
          ]
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -1,14 +1,23 @@
 { config, pkgs, lib, ... }:
 let
-  cfg = config.syscfg.server.containers;
+  serverCfg = config.syscfg.server;
-  enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
+  builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
  enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers;
  containerSetsList = lib.mapAttrsToList (name: containerCfg:
-    import (./defs + "/${name}.nix") {
+  let apps = import (./apps + "/${name}.nix") {inherit config pkgs lib containerCfg builder name;};
-      inherit config pkgs lib  containerCfg;
+  in{
-    }
+    name = name;
-  ) enabledConfigs;
+    containers = lib.mapAttrs' (cName: cValue: 
      lib.nameValuePair "${name}-${cName}" cValue
    ) apps.containers;
    paths = apps.paths or [];
    setup = apps.setup or null;
    cron = apps.cron or [];
  }
 ) enabledConfigs;
  mergedContainers = lib.attrsets.mergeAttrsList  (lib.map(e: e.containers) containerSetsList);
-  allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
+  allPathConfigs = lib.flatten (lib.map (e: e.paths) containerSetsList);
  allCronsConfigs = lib.flatten (lib.map (e: e.cron or []) containerSetsList);
 in
 {
  config = lib.mkIf ( enabledConfigs != {} ) {
@@ -17,24 +26,50 @@ in
      backend = "podman";
      containers = mergedContainers;
    };
    systemd.services.podman-gc = {
      description = "Podman garbage collection";
      serviceConfig.Type = "oneshot";
      script = ''
        ${pkgs.podman}/bin/podman container prune -f
        ${pkgs.podman}/bin/podman image prune -f
      '';
      startAt = "weekly";
    };
    system.activationScripts.container-setup-dirs = {
      deps = [ "users" "groups" ];
      text = lib.concatStringsSep "\n" (map (cfg: ''
-        mkdir -p "${cfg.path}"
+        ${pkgs.coreutils}/bin/mkdir -p "${cfg.path}"
-        chown ${cfg.owner} "${cfg.path}"
+        ${pkgs.coreutils}/bin/chown ${cfg.owner} "${cfg.path}"
-        chmod ${cfg.mode} "${cfg.path}"
+        ${pkgs.coreutils}/bin/chmod ${cfg.mode} "${cfg.path}"
      '') allPathConfigs);
    };
    systemd.services = {
      podman-gc = {
        description = "Podman garbage collection";
        serviceConfig.Type = "oneshot";
        script = ''
          ${pkgs.podman}/bin/podman container prune -f
          ${pkgs.podman}/bin/podman image prune -f
        '';
        startAt = "weekly";
      };
    } // lib.listToAttrs (lib.concatMap (containerSet: 
      if containerSet.setup != null then [{
        name = "${containerSet.name}-setup";
        value = {
          description = "Run ${containerSet.name} setup";
          after = [ "podman-${containerSet.name}-${containerSet.setup.trigger}.service" ];
          wants = [ "podman-${containerSet.name}-${containerSet.setup.trigger}.service" ];
          wantedBy = [ "multi-user.target" ];
          serviceConfig = {
            Type = "oneshot";
            TimeoutStartSec = "360s";
            EnvironmentFile = if (containerSet.setup ? envFile) then containerSet.setup.envFile else [ ];
            ExecStart = "${containerSet.setup.script}";
            RemainAfterExit = true;
            User = "root";
          };
        };
      }] else []
    ) containerSetsList);
    services.cron = {
      enable = true;
      systemCronJobs = allCronsConfigs;
    };
  };
 }
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -1,84 +0,0 @@
 { config, containerCfg, pkgs, lib, ... }:
 let 
 serverCfg = config.syscfg.server;
 in {
  paths = [{
    path="${serverCfg.dataPath}/authentik/media";
    owner = "1000:1000";
    mode = "0755";
  }{
    path="${serverCfg.dataPath}/authentik/templates";
    owner = "1000:1000";
    mode = "0755";
  }];
  containers = {
    auth_server = {
      image = "ghcr.io/goauthentik/server:latest";
      hostname = "auth_server";
      volumes = [
        "${serverCfg.dataPath}/authentik/media:/media"
        "${serverCfg.dataPath}/authentik/templates:/templates"
      ];
      environmentFiles = [
        config.sops.secrets."AUTHENTIK".path
      ];
      environment = {
        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
        "AUTHENTIK_EMAIL__PORT" = "587";
        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
        "AUTHENTIK_EMAIL__USE_TLS" = "true";
        "AUTHENTIK_EMAIL__USE_SSL" = "false";
        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
      };
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.sso.entrypoints" = "web-secure";
        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
        "traefik.http.routers.sso.tls" = "true";
        "traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
      };
      cmd = [ "server" ];
      extraOptions = [
        "--add-host=host.containers.internal:host-gateway"
        "--replace"
        "--rm"
        "--ip=${containerCfg.ip}"
      ];
      ports = [
        "9999:${toString containerCfg.port}"
      ];
    };
    auth_worker = {
      image = "ghcr.io/goauthentik/server:latest";
      hostname = "auth_worker";
      volumes = [
        "${serverCfg.dataPath}/authentik/media:/media"
        "${serverCfg.dataPath}/authentik/templates:/templates"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environmentFiles = [
        config.sops.secrets."AUTHENTIK".path
      ];
      environment = {
        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
      };
      extraOptions = [
        "--add-host=host.containers.internal:host-gateway"
        "--replace"
        "--rm"
      ];
      cmd = [ "worker" ];
    };
  };
 }
--- a/modules/server/containers/defs/cloud.nix
+++ b/modules/server/containers/defs/cloud.nix
@@ -1,152 +0,0 @@
 { config, pkgs, lib, ... }:
 let serverCfg = config.syscfg.server;
 in {
  project.name = "cloud";
  networks = {
    internal = {
      name = lib.mkForce "internal";
      internal = true;
    };
    external = {
      name = lib.mkForce "external";
      internal = false;
    };
  };
  services = {
    cloud_nextcloud.service = {
      image = "nextcloud:27";
      container_name = "cloud";
      restart = "unless-stopped";
      networks = [ "external" ];
      volumes = [
        "${serverCfg.configPath}/data/nextcloud:/var/www/html"
        "${serverCfg.dataPath}/data/music:/media/music"
        "${serverCfg.dataPath}/data/video:/media/video"
        "${serverCfg.dataPath}/data/photo:/media/photo"
      ];
      tmpfs = [ "/tmp" ];
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.nextcloud.entrypoints" = "web-secure";
        "traefik.http.routers.nextcloud.rule" =
          "Host(`cloud.${serverCfg.hostDomain}`)";
        "traefik.http.routers.nextcloud.tls" = "true";
        "traefik.http.routers.nextcloud.middlewares" =
          "sts_headers,nextcloud-caldav";
        "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
          "true";
        "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
          "^https://(.*)/.well-known/(card|cal)dav";
        "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
          "https://$\${1}/remote.php/dav/";
        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
          "true";
      };
    };
    cloud_office.service = {
      image = "collabora/code:latest";
      container_name = "cloud_office";
      restart = "unless-stopped";
      networks = [ "external" ];
      volumes = [ ];
      environment = {
        username = "COLLABORA_USER";
        password = "COLLABORA_PASSWORD";
        aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
        server_name = "office.${serverCfg.hostDomain}";
        VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
        VIRTUAL_PORT = "9980";
        VIRTUAL_PROTO = "http";
        DONT_GEN_SSL_CERT = "true";
        RESOLVE_TO_PROXY_IP = "true";
        NETWORK_ACCESS = "internal";
        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
        dictionaries = "en fr de jp";
      };
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.collabora.entrypoints" = "web-secure";
        "traefik.http.routers.collabora.rule" =
          "Host(`office.${serverCfg.hostDomain}`)";
        "traefik.http.routers.collabora.tls" = "true";
      };
    };
    cloud_etherpad.service = {
      image = "etherpad/etherpad:latest";
      container_name = "etherpad";
      restart = "unless-stopped";
      networks = [ "external" ];
      volumes = [
        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
      ];
      environment = {
        NODE_ENV = "production";
        TITLE = "Helcel-Pad";
        DB_TYPE = "mysql";
        DB_HOST = serverCfg.dbHost;
        DB_PORT = serverCfg.dbPort;
        DB_NAME = "etherpad";
        DB_USER = "ETHERPAD_DB_USER";
        DB_PASS = "ETHERPAD_DB_PASSWORD";
        DB_CHARSET = "utf8mb4";
        DEFAULT_PAD_TEXT = "P A D";
        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
      };
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.etherpad.entrypoints" = "web-secure";
        "traefik.http.routers.etherpad.rule" =
          "Host(`pad.${serverCfg.hostDomain}`)";
        "traefik.http.routers.etherpad.tls" = "true";
      };
    };
    cloud_ethercalc.service = {
      image = "audreyt/ethercalc:latest";
      container_name = "ethercalc";
      restart = "unless-stopped";
      networks = [ "external" "internal" ];
      volumes = [
        "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
        "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
      ];
      environment = {
        NODE_ENV = "production";
        TITLE = "Helcel-Calc";
        REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
        REDIS_PORT_6379_TCP_PORT = "6379";
        ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
      };
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.ethercalc.entrypoints" = "web-secure";
        "traefik.http.routers.ethercalc.rule" =
          "Host(`calc.${serverCfg.hostDomain}`)";
        "traefik.http.routers.ethercalc.tls" = "true";
      };
    };
    cloud_redis.service = {
      image = "redis:latest";
      container_name = "ethercalc-redis";
      restart = "unless-stopped";
      networks = [ "internal" ];
      volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
      environment = { };
      labels = { "traefik.enable" = "false"; };
    };
  };
 }
--- a/modules/server/containers/defs/sample.nix
+++ b/modules/server/containers/defs/sample.nix
@@ -1,30 +0,0 @@
 { config, pkgs, lib, ... }:
 let serverCfg = config.syscfg.server;
 in {
  project.name = "name";
  networks = {
    internal = {
      name = lib.mkForce "internal";
      internal = true;
    };
    external = {
      name = lib.mkForce "external";
      internal = false;
    };
  };
  services = {
    NAME.service = {
      image = "NAME:latest";
      container_name = "NAME";
      restart = "unless-stopped";
      networks = [ "internal" ];
      volumes = [ ];
      environment = { };
      labels = { "traefik.enable" = "false"; };
    };
  };
 }
--- a/modules/server/containers/defs/traefik.nix
+++ b/modules/server/containers/defs/traefik.nix
@@ -1,81 +0,0 @@
 { config, pkgs, ... }: {
  project.name = "traefik";
  networks = {
    internal = {
      name = lib.mkForce "internal";
      internal = true;
    };
    external = {
      name = lib.mkForce "external";
      internal = false;
    };
  };
  services = {
    traefik.service = {
      image = "traefik:latest";
      container_name = "traefik";
      restart = "unless-stopped";
      networks = [ "internal" "external" ];
      command = [
        "--api"
        "--providers.docker=true"
        "--entrypoints.web.address=:80"
        "--entrypoints.web-secure.address=:443"
      ];
      port = [ "443" "80" ];
      volumes = [
        "/var/run/docker.sock:/var/run/docker.sock:ro"
        "${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
        "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
        "${serverCfg.configPath}/traefik/acme.json:/acme.json"
      ];
      environment = {
        "INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
      };
      labels = { "traefik.enable" = "false"; };
    };
    matomo.service = {
      image = "matomo:latest";
      container_name = "matomo";
      restart = "unless-stopped";
      networks = [ "external" ];
      volumes = [
        "/etc/localtime:/etc/localtime:ro"
        "${serverCfg.configPath}/matomo:/var/www/html/config:rw"
        "${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
      ];
      environment = { };
      labels = {
        "traefik.http.routers.matomo.rule" =
          "Host(`matomo.${serverCfg.hostDomain}`)";
        "traefik.http.routers.matomo.entrypoints" = "web-secure";
        "traefik.http.routers.matomo.tls" = "true";
      };
    };
    searx.service = {
      image = "searxng/searxng:latest";
      container_name = "searx";
      restart = "unless-stopped";
      networks = [ "external" ];
      volumes = [ "/etc/localtime:/etc/localtime:ro" ];
      environment = {
        "BASE_URL" = "https://searx.${serverCfg.hostDomain}";
        "AUTOCOMPLETE" = "true";
        "INSTANCE_NAME" = "searx${serverCfg.shortName}";
      };
      labels = {
        "traefik.http.routers.matomo.rule" =
          "Host(`searx.${serverCfg.hostDomain}`)";
        "traefik.http.routers.matomo.entrypoints" = "web-secure";
        "traefik.http.routers.matomo.tls" = "true";
      };
    };
  };
 }
--- a/modules/server/database/default.nix
+++ b/modules/server/database/default.nix
@@ -62,7 +62,6 @@ in {
          if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
            PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
            echo $PASS
            if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
                echo "✅ Successfully set password for ${name}_user"
            else
--- a/modules/server/nftables/default.nix
+++ b/modules/server/nftables/default.nix
@@ -1,7 +1,8 @@
-
+{ config, lib, ... }:
-
+let
-{ config, lib, ... }:{
+ cfg = config.syscfg.server;
-  config = lib.mkIf (config.syscfg.server.nftables.enable) {
+in {
  config = lib.mkIf (cfg.ipfw.enable) {
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
@@ -9,13 +10,6 @@
    networking.nftables.enable = true;
    networking.nftables.ruleset = ''
      table inet filter {
        chain input {
          type filter hook input priority filter; policy accept;
          tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
        }
      }
      table inet nat {
        chain prerouting {
          type nat hook prerouting priority dstnat; policy accept;
@@ -34,12 +28,12 @@
                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
            ''
-          ) config.syscfg.server.nftables.ports}
+          ) cfg.ipfw.ports}
        }
        chain postrouting {
          type nat hook postrouting priority srcnat; policy accept;
-          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
+          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
        }
      }
    '';
--- a/modules/server/nginx/default.nix
+++ b/modules/server/nginx/default.nix
@@ -0,0 +1,130 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.syscfg.server;
  containers = cfg.containers; 
  faviconOverride = {
    " ~* /favicon\.(ico|png|svg|jpg)$" = {
      extraConfig = ''
        add_header Content-Type image/svg+xml;
        return 200 '<svg xmlns="http://www.w3.org/2000/svg" id="Layer_1" data-name="Layer 1" viewBox="0 0 50 50"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M30.83,5A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,28.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/></svg>';
      '';
      # proxyPass = "http://127.0.0.1:9000";
    };
  };
  # Function to convert your container config into an NGINX vhost
  mkVhost = container: {
    forceSSL = true;
    # quic = true;
    # http3 = true;
    useACMEHost = "${cfg.hostDomain}";
    locations = faviconOverride // {
      "/" = {
        proxyPass = "http://${container.ip}:${toString container.port}";
        proxyWebsockets = true; # Recommended for modern apps
      };
    };
  };
 in {
  config = lib.mkIf ( config.syscfg.server.web) {
    security.acme = {
      acceptTerms = true;
      defaults.email = "admin@domain.org";
      certs."${cfg.hostDomain}" = {
        domain = "*.${cfg.hostDomain}";
        extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
        dnsProvider = "infomaniak";
        credentialsFile = config.sops.secrets."INFOMANIAK_API_KEY".path; # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...)
        group = "nginx"; 
      };
    };
    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      # appendHttpConfig = ''
      #   add_header Alt-Svc 'h3=":443"; ma=86400';
      # '';
      commonHttpConfig = ''
        proxy_buffer_size 32k;
        proxy_buffers 8 16k;
        proxy_busy_buffers_size 48k;
      '';
      virtualHosts = {
        "_" = {
          default = true;
          forceSSL = true;
          # quic = true;
          # http3 = true;
          useACMEHost = "${cfg.hostDomain}";
          locations = {
            "/" = {
              extraConfig = ''
              return 404;
              '';
            };
          };
        };
        "sec.${cfg.hostDomain}" = {
          forceSSL = true;
          useACMEHost = "${cfg.hostDomain}";
          locations = {
            "/" = {
              proxyWebsockets = true;
              proxyPass= "http://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}";
              extraConfig = ''
                auth_request     /outpost.goauthentik.io/auth/nginx;
                error_page       401 = @goauthentik_proxy_signin;
                auth_request_set $auth_cookie $upstream_http_set_cookie;
                add_header       Set-Cookie $auth_cookie;
                auth_request_set $authentik_username $upstream_http_x_authentik_username;
                auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
                auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
                auth_request_set $authentik_email $upstream_http_x_authentik_email;
                auth_request_set $authentik_name $upstream_http_x_authentik_name;
                auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
                proxy_set_header X-authentik-username $authentik_username;
                proxy_set_header X-authentik-groups $authentik_groups;
                proxy_set_header X-authentik-entitlements $authentik_entitlements;
                proxy_set_header X-authentik-email $authentik_email;
                proxy_set_header X-authentik-name $authentik_name;
                proxy_set_header X-authentik-uid $authentik_uid;
              '';
            };
            "/outpost.goauthentik.io" = {
              proxyWebsockets = true;
              proxyPass = "http://${config.syscfg.server.containers.authentik.ip}:${toString config.syscfg.server.containers.authentik.port}/outpost.goauthentik.io";
              extraConfig = ''
                proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
                add_header              Set-Cookie $auth_cookie;
                auth_request_set        $auth_cookie $upstream_http_set_cookie;
                proxy_pass_request_body off;
                proxy_set_header        Content-Length "";
              '';
            };
          };
          extraConfig = ''
            location @goauthentik_proxy_signin {
                internal;
                add_header Set-Cookie $auth_cookie;
                return 302 https://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
            }
          '';
        };
      } //lib.mapAttrs' (name: v: 
        lib.nameValuePair "${v.subdomain}.${cfg.hostDomain}" (mkVhost v)
      ) containers;
    };
  };
 }
--- a/modules/server/sops/default.nix
+++ b/modules/server/sops/default.nix
@@ -1,16 +1,18 @@
 { config, lib, pkgs, ... }:
 let
- listNames = config.syscfg.server.db;
+  listNames = config.syscfg.server.db;
  containerNames = lib.mapAttrsToList (name: cfg: name) 
-    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
+    (lib.filterAttrs (name: cfg: ((cfg.db or false) || (cfg.sops or false))) config.syscfg.server.containers);
  allApps = lib.unique (listNames ++ containerNames);
 in{
  config = lib.mkIf (config.syscfg.server.sops) {
    sops.secrets = {
-      INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
+      CUSTOM = { 
-    } // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
+        mode = "0644";
        sopsFile = ./server.yaml; 
      };
    } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
      owner = "postgres";
      mode = "0644";
      sopsFile = ./server.yaml;
    }));
  };
 }
--- a/modules/server/sops/example.server.yaml
+++ b/modules/server/sops/example.server.yaml
@@ -0,0 +1,13 @@
 INFOMANIAK_API_KEY: abc
 AUTHENTIK: |
  DB_PASSWORD=abc
  AUTHENTIK_POSTGRESQL__PASSWORD=abc
  AUTHENTIK_POSTGRESQL__SSLMODE=disable
  AUTHENTIK_SECRET_KEY=abc
 NEXTCLOUD: |
  DB_PASSWORD=abc
  POSTGRES_PASSWORD=abc
 ETHERPAD: |
  DB_PASSWORD=abc
  ETHERPAD_DB_PASSWORD=abc
  ETHERPAD_ADMIN_PASSWORD=abc
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
@@ -1,5 +1,9 @@
-INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
+CUSTOM: ENC[AES256_GCM,data:OVhE99dmudlV31Re2/fyFurXnRSM3RjbdVDxYp6oF4kazaseISlI4QjgIyyUNEAjeAST17Prv/t5GdyTUvoUICoVKmhQdRv5xFeB7ngTCdi7XoYW1r6HIXwz9wOf/UvPWLafSxSM,iv:/ikpvHH5sLZpTnNABUFjZoVLS+tBZSUYIUxxdXMCCcc=,tag:mS9uW33M355KErY1rQtvqQ==,type:str]
-AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str]
+TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
 AUTHENTIK: ENC[AES256_GCM,data:dZ+Kf85ZjaZ82coYNeNOXe5zfD2M9rEeOB6jDNoaKmo3jMABhnha+iBvYJTI2NltkGzymPJQI+JV8F6GdT1l6cqcR8p0nNjQjS1BMk0rR7n8RCp6MazUTJuIjbEq6zEUrA4SXquw5gZDEp4FLo010PhoLaLinHg8OoqzjDsTxdcKevbQWmZeefDBrwXWpz6BlkRIQA3KazVb0w7l1jDTIkozUIWbvtvtk5ccGjzx3b+wCC36QYFcHHtPvFZwMDHzFPVBd90hWc/BwFfvCExONmH0S7GLFTp7I5NsBnWpT0AHUHHc5PlSR2dUy9H2DZ3IkORdNVzOaqESbYKymuWTQBDQuyI9IJdt4Cac0CV9i6p8rFXL6fQyQKZ9djHX8orpyCUeJXqFs8I6et+IzpTeZcmdv/76Q9tomBBi4k4PRMXpeff8Bn02bOSb7RSaj5NVeWxIhZkh3sEXUeva5/yrAYT30mrLpbwzWoCaKrPCPLIcFxvNrYxPUo6kVVz1jSlBurvcKefbreJGqA==,iv:Hj7aBfDLSqRBzueN8b9F9TutpjMESFloqrnirSmnH9U=,tag:1ikt1JvuhIZCx68nh/VzMA==,type:str]
 NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
 COLLABORA: ENC[AES256_GCM,data:tY4LLma/7Ut9J/6C3GRyjRn30CAP76hT573++cLqGj7/BSb8uEkU0sJ/CUmSEJvxLqnoFgjc+XWe+NJSiNMWKYfnHvf1DglMntkJB+BgvnbYvHAYOHOAJO6Jp7YhrYvXdy+HoT4DNaQbcDhYuYI=,iv:uPxznygpX6gtmJ7dZ/WrbxyuMjup0wtbBPS7xYinrwI=,tag:rdqrSIokAbkRzP4FLxqYLw==,type:str]
 ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
 sops:
    age:
        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
@@ -20,8 +24,8 @@ sops:
            S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
            d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-06T01:10:20Z"
+    lastmodified: "2026-05-10T22:53:56Z"
-    mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str]
+    mac: ENC[AES256_GCM,data:YwOf2cqWxR3HDtmk8AX0rT+3qjvaKjx8wgbNfh+itSEvaDNy5CjeSyn7PSUSMD9VKmn4hvzNqSgTirL0kYEY0O+q3XZT+2yKRcaSQPkEMiRujWUxiw7OXavZrrySSeb2Cg0t3MIeafyf5Dd7n4jDydn+IsfI7VZ8pn5KBYKtpu8=,iv:Y6DK1J6TmfqrM/5c67iFUBPFixZcpwKVvQ5+P/AV77s=,tag:ewPPSGIe61uqvzDxGymdTg==,type:str]
    pgp:
        - created_at: "2026-05-05T23:46:27Z"
          enc: |-
--- a/modules/shared/colors/default.nix
+++ b/modules/shared/colors/default.nix
@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ ... }: {
  imports = [ ./sorahiro.nix ];
  colorScheme.palette.border-radius = "#8";
--- a/modules/shared/colors/sorahiro.nix
+++ b/modules/shared/colors/sorahiro.nix
@@ -1,4 +1,4 @@
-{ nix-colors, ... }: 
+{ ... }: 
 let use_pastelle = true;
 in{
  # usage:  a = "#${config.colorScheme.palette.base00}";
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -82,18 +82,9 @@ let
  };
  serverOpt = with lib; {
    hostDomain = mkOption { type = types.str; };
    shortName = mkOption { type = types.str; };
    mailDomain = mkOption { type = types.str; };
    mailServer = mkOption { type = types.str; };
    dbHost = mkOption {
      type = types.str;
      default = "localhost";
    };
    dbPort = mkOption {
      type = types.str;
      default = "3306";
    };
    configPath = mkOption {
      type = types.str;
      default = "/media/config";
@@ -102,22 +93,33 @@ let
      type = types.str;
      default = "/media/data";
    };
    colorScheme = mkOption {
      #type = types.submodule {
      #  options = {
      #    slug = mkOption { type = types.str; };
       #   name = mkOption { type = types.str; };
       #   palette = mkOption { 
            type = types.attrs; #default = {};# };
        #};
     # };
      default = (lib.evalModules { modules =[ { freeformType = with lib.types; attrsOf anything; } ../colors ];}).config.colorScheme ;
    };
    containers  = mkOption {
      type = types.attrsOf (types.submodule {
        options = {
          enable = mkOption { type = types.bool;default = false; };
          db = mkOption { type = types.bool;default = false; };
-          ip = mkOption { type = types.str; };
+          sops = mkOption { type = types.bool;default = false; };
-          port = mkOption { type = types.port; };
+          ip = mkOption { type = types.nullOr types.str; default = null;};
-          extraParam = mkOption { type = types.str; default = ""; };
+          subdomain = mkOption { type = types.nullOr types.str; default=null;};
          port = mkOption { type = types.nullOr types.port; default = null; };
          pubPort = mkOption { type = types.nullOr types.port; default = null; };
          extra = mkOption { type = types.attrs; default = {}; };
        };
      });
      default = {};
    };
    sops = mkOption {
      type = types.bool;
      default = false;
    };
    openssh = mkOption {
      type = types.bool;
      default = false;
@@ -130,7 +132,7 @@ let
      type = types.bool;
      default = false;
    };
-    nftables = {
+    ipfw = {
      enable = mkOption {
        type = types.bool;
        default = false;
--- a/systems/gateway/cfg.nix
+++ b/systems/gateway/cfg.nix
@@ -29,7 +29,7 @@
      openssh = true;
      wireguard = true;
      web = true;
-      nftables = {
+      ipfw = {
        enable = true;
        ifs = ["ens3" "wg0" ];
        ports = [
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -21,22 +21,43 @@
    server = {
      openssh = true;
      web = true;
      sops = true;
      hostDomain = "test.helcel.net";
      shortName = "testcel";
      mailDomain = "test@helcel";
      mailServer = "infomaniak.ch";
      dbHost = "localhost";
      containers = {
-        #cloud = {enable = true;};
+
        traefik = {
          enable = true;
          sops = true;
          subdomain = "traefik";
          extra={provider="infomaniak";};
        };
        authentik = {
          enable = true;
          db = true;
-          ip = "10.88.0.125";
+          subdomain = "sso";
-          port = 9000 ;
+          port = 9000;
          pubPort = 9999;
        };
        nextcloud = {
          enable = true;
          db = true;
          subdomain = "cloud";
          port = 80;
        };
        collabora = {
          enable = true;
          sops = true;
          subdomain = "office";
          port = 9980;
        };
        etherpad = {
          enable = true;
          db = true;
          subdomain = "pad";
          port = 8080;
        };
      };
    };
Author	SHA1	Message	Date
sora	e116efd45c	Update modules/server/containers/apps/etherpad.nix	2026-05-11 03:03:52 +02:00
soraefir	ff498d15a3	fix	2026-05-11 02:51:27 +02:00
soraefir	90c596270f	Fix	2026-05-11 02:49:57 +02:00
soraefir	458a9091d4	fix	2026-05-11 02:32:08 +02:00
soraefir	123d18d1e8	fix	2026-05-11 02:29:11 +02:00
soraefir	f05f7b0147	fix	2026-05-11 02:23:54 +02:00
soraefir	a41390dcee	Fix key	2026-05-11 02:19:31 +02:00
soraefir	29478e2aed	Fix api	2026-05-11 02:11:15 +02:00
soraefir	82b422883e	Fix api	2026-05-11 01:56:11 +02:00
soraefir	4151e50a42	fix	2026-05-11 01:36:08 +02:00
soraefir	5afaf859b9	fix	2026-05-11 00:55:20 +02:00
soraefir	0cd20319fe	fix script	2026-05-11 00:54:02 +02:00
soraefir	468cd34fca	fix	2026-05-11 00:46:52 +02:00
soraefir	882d36ff83	typo	2026-05-11 00:45:43 +02:00
soraefir	dc2682c829	fix	2026-05-11 00:44:26 +02:00
soraefir	f354a99d56	test new setup script	2026-05-11 00:42:34 +02:00
soraefir	bf1fbea959	chmod and fix	2026-05-11 00:38:02 +02:00
soraefir	31addeda66	Opt dir	2026-05-11 00:33:38 +02:00
soraefir	d0ca9761d7	fix	2026-05-11 00:24:31 +02:00
soraefir	bbbb5831a8	etherpad api	2026-05-11 00:15:54 +02:00
soraefir	46f4b5288b	Admin	2026-05-10 22:39:33 +02:00
soraefir	8293df4974	Fix	2026-05-10 22:36:43 +02:00
soraefir	08866273cc	fix	2026-05-10 22:31:31 +02:00
soraefir	e2772e51d9	Fix group	2026-05-10 22:27:29 +02:00
soraefir	6bf856b702	WIP	2026-05-10 22:21:02 +02:00
soraefir	93199b4359	tmp fix	2026-05-10 22:11:53 +02:00
soraefir	d3ffacf4ca	Fix admin	2026-05-10 22:08:03 +02:00
soraefir	ac0e28b5ab	fix authentic flow	2026-05-10 22:02:11 +02:00
soraefir	e76f53d887	test template	2026-05-10 21:47:49 +02:00
soraefir	f67e142f53	fix envfile	2026-05-10 21:43:48 +02:00
soraefir	8165bf6935	Add force exec	2026-05-10 21:40:49 +02:00
soraefir	09539b5866	Add user setup script	2026-05-10 21:39:12 +02:00
soraefir	1b2a724a26	Fix idp & co, add base ak setup	2026-05-10 20:42:19 +02:00
soraefir	e6e6e4af49	Fix saml url	2026-05-10 19:56:05 +02:00
soraefir	e999a5bf2c	Fix	2026-05-10 19:49:32 +02:00
soraefir	a57818e37e	Fix db	2026-05-10 19:43:19 +02:00
soraefir	0e61b2fad4	saml name	2026-05-10 19:41:58 +02:00
soraefir	9016657699	import cert	2026-05-10 19:34:46 +02:00
soraefir	5462434558	Fix	2026-05-10 19:19:15 +02:00
soraefir	aa36fa812c	Foix blueprint	2026-05-10 19:14:37 +02:00
soraefir	f5f28968c6	test blueprint fix	2026-05-10 18:58:13 +02:00
soraefir	4c2ef6e264	Fix blueprints	2026-05-10 18:51:58 +02:00
soraefir	fa808f3eb2	Fix nix mkdata	2026-05-10 18:44:58 +02:00
soraefir	7bc9ae1f2d	Fix mkData	2026-05-10 18:42:03 +02:00
soraefir	e53be27e96	Fix	2026-05-10 18:36:20 +02:00
soraefir	88ab6e2007	typo	2026-05-10 18:34:23 +02:00
soraefir	864e698272	fix	2026-05-10 18:33:22 +02:00
soraefir	8961706503	fix	2026-05-10 18:31:56 +02:00
soraefir	c637fea0d0	Add authentik blueprints	2026-05-10 18:29:53 +02:00
soraefir	9813e7d49a	Longer timeout	2026-05-10 12:29:46 +02:00
soraefir	ea6db4b9bf	fix	2026-05-10 12:26:34 +02:00
soraefir	2eff0969e0	fix	2026-05-10 12:21:46 +02:00
soraefir	cf5648122d	fix	2026-05-10 12:21:01 +02:00
soraefir	b10e7a5a93	fix	2026-05-10 12:04:03 +02:00
soraefir	882a43b705	cfg	2026-05-10 12:03:05 +02:00
soraefir	e9868a2513	fix	2026-05-10 12:02:02 +02:00
soraefir	43a0f903b0	Fix	2026-05-10 12:01:28 +02:00
soraefir	1b76ec20b4	fix	2026-05-10 11:59:37 +02:00
soraefir	6a7fcf6152	fix	2026-05-10 11:58:29 +02:00
soraefir	b6bc6dd138	dbg	2026-05-10 11:57:59 +02:00
soraefir	90f8387192	tmp ignore	2026-05-10 11:56:13 +02:00
soraefir	25604d6c14	test	2026-05-10 11:55:53 +02:00
soraefir	51d60de5c0	fix	2026-05-10 11:54:37 +02:00
soraefir	5e8cd65785	fix	2026-05-10 11:52:32 +02:00
soraefir	fa5845808b	fix	2026-05-10 11:50:34 +02:00
soraefir	28c17d9bb6	colors	2026-05-10 11:49:18 +02:00
soraefir	89d2f9a48e	typo2	2026-05-10 11:42:53 +02:00
soraefir	e58d323ea0	typo	2026-05-10 11:41:59 +02:00
soraefir	7465b6b24c	script omprovement	2026-05-10 11:38:19 +02:00
soraefir	59c6b68501	Add cron	2026-05-09 19:40:22 +02:00
soraefir	9273387170	Script improvements	2026-05-09 19:35:05 +02:00
soraefir	55a08673f0	fix caldav	2026-05-09 19:25:06 +02:00
soraefir	5dbb95603d	silence script verbosity	2026-05-09 19:20:35 +02:00
soraefir	d60f8dd56f	improve script	2026-05-09 19:18:27 +02:00
soraefir	7d35cb319f	Fix	2026-05-09 19:12:36 +02:00
soraefir	8d4caac83b	group for nextcloud	2026-05-09 18:47:38 +02:00
soraefir	ad2b492b51	Fix service	2026-05-09 18:42:22 +02:00
soraefir	4b68accf2f	fix nextcloud	2026-05-09 17:52:39 +02:00
soraefir	0d9c8a2974	fix	2026-05-09 17:51:06 +02:00
soraefir	63d2dddd1e	setup scripts	2026-05-09 17:50:23 +02:00
soraefir	55d678df19	bump nextcloud	2026-05-09 13:33:56 +02:00
soraefir	88a4ab069e	registries	2026-05-09 13:28:48 +02:00
soraefir	c54ed4a712	Admin user	2026-05-09 12:54:13 +02:00
soraefir	3db4517a3b	temps	2026-05-09 12:43:16 +02:00
soraefir	f3dfe561ad	add plugin	2026-05-09 12:38:04 +02:00
soraefir	b58da2b2e1	port fix	2026-05-09 12:12:42 +02:00
soraefir	28fa63919f	Fix env	2026-05-09 12:09:27 +02:00
soraefir	cb7e29bfe0	container settings	2026-05-09 11:58:38 +02:00
soraefir	ea58be6fdc	fix typo	2026-05-09 11:57:21 +02:00
soraefir	da51e61c05	escape	2026-05-09 11:56:42 +02:00
soraefir	1ca61b70d2	fix env	2026-05-09 11:53:29 +02:00
soraefir	eafafe876f	postgres	2026-05-09 11:03:58 +02:00
soraefir	21adca1fbc	tmp perm	2026-05-09 10:50:25 +02:00
soraefir	57efc58bc2	Fix user etherpad	2026-05-09 10:46:04 +02:00
soraefir	cd5deea849	etherpad	2026-05-09 10:45:16 +02:00
soraefir	9f5f8751e5	fix ddos	2026-05-09 10:32:18 +02:00
soraefir	f02adc6d93	fix	2026-05-09 10:24:13 +02:00
soraefir	b2f6d8cc9e	Fix	2026-05-09 10:19:21 +02:00
soraefir	c18ac097fa	test	2026-05-09 10:17:27 +02:00
soraefir	1fc9017e7e	fix	2026-05-09 10:12:01 +02:00
soraefir	8ff90e54b8	fix	2026-05-09 10:11:21 +02:00
soraefir	fba3a24f16	custom image	2026-05-09 10:09:51 +02:00
soraefir	fcb97828f4	test custom img	2026-05-09 10:04:47 +02:00
soraefir	e04382742f	cleanup traefik	2026-05-09 10:03:09 +02:00
soraefir	48b40d819b	fix typo	2026-05-09 09:56:28 +02:00
soraefir	8b75968f11	fix tls	2026-05-09 09:55:30 +02:00
soraefir	dda8409329	cert	2026-05-09 09:46:18 +02:00
soraefir	9a0b5171b1	fix dns	2026-05-09 09:42:33 +02:00
soraefir	9abb5b2f26	logs	2026-05-09 09:35:41 +02:00
soraefir	8362599b54	traefik	2026-05-09 09:34:07 +02:00
soraefir	c1b9c12281	fix	2026-05-09 09:26:40 +02:00
soraefir	e4dcb0bd39	api port	2026-05-09 00:20:27 +02:00
soraefir	a31991c507	typo	2026-05-08 23:58:53 +02:00
soraefir	e1651cba2a	traefik docker	2026-05-08 23:57:19 +02:00
soraefir	bb5ecbba73	acme	2026-05-08 23:54:20 +02:00
soraefir	0c79617647	test acme	2026-05-08 23:48:37 +02:00
soraefir	a3bc8b80c5	fix acme	2026-05-08 23:39:48 +02:00
soraefir	55fcf8b71a	fix	2026-05-08 23:32:25 +02:00
soraefir	5aabd9acce	Fix	2026-05-08 23:31:56 +02:00
soraefir	e652c12bf2	fix traefik	2026-05-08 23:30:04 +02:00
soraefir	4c684cf9b1	Fix portfw traefik	2026-05-08 23:18:43 +02:00
soraefir	0c60bbbaa8	rm deprecated	2026-05-08 23:14:51 +02:00
soraefir	097334b483	fix statfs	2026-05-08 23:10:52 +02:00
soraefir	bfd099d201	container registry	2026-05-08 23:05:25 +02:00
soraefir	1fe6e43046	sops	2026-05-08 22:56:05 +02:00
soraefir	23b8ad480e	fix subdomain	2026-05-08 22:55:21 +02:00
soraefir	3d1fc2a2c9	traefik	2026-05-08 22:53:41 +02:00
soraefir	aacca16eb2	fix tmpfs	2026-05-08 21:05:08 +02:00
soraefir	5de459c347	fix nulls	2026-05-08 21:01:46 +02:00
soraefir	d898116ff4	fix nulls	2026-05-08 20:59:40 +02:00
soraefir	e2b688c836	fix sops	2026-05-08 20:54:54 +02:00
soraefir	b5d57bf9c8	test	2026-05-08 20:52:08 +02:00
soraefir	236f9dbdc3	Sops	2026-05-08 20:50:13 +02:00
soraefir	9696ca9a6d	ipfw	2026-05-08 20:47:00 +02:00
soraefir	df523c48e5	rename and fix	2026-05-08 20:46:23 +02:00
soraefir	4d398d5596	sops	2026-05-08 20:36:26 +02:00
soraefir	5045291097	sops	2026-05-08 20:35:43 +02:00
soraefir	2dc1632a40	sops	2026-05-08 20:32:37 +02:00
soraefir	744a2b8563	Secrets	2026-05-08 20:31:12 +02:00
soraefir	b722d349af	fix cloud	2026-05-08 20:28:22 +02:00
soraefir	7438905618	WIP	2026-05-08 20:25:51 +02:00
soraefir	908c144c73	add cloud	2026-05-08 20:25:14 +02:00
soraefir	6d353df19f	fix collabora	2026-05-08 20:23:40 +02:00
soraefir	7194d91b1c	WIP	2026-05-08 20:22:04 +02:00
soraefir	d3c301db36	Fix	2026-05-08 02:52:56 +02:00
soraefir	135d48d78c	test	2026-05-08 02:47:19 +02:00
soraefir	d4292cd46d	test	2026-05-08 02:45:33 +02:00
soraefir	4a4d3e3604	typo	2026-05-08 02:37:06 +02:00
soraefir	d076538901	test	2026-05-08 02:35:32 +02:00
soraefir	8fedaf18cd	firewall?	2026-05-08 02:20:28 +02:00
soraefir	4c1f9f0e78	nft	2026-05-08 02:17:10 +02:00
soraefir	1a8eb085df	fix db ?	2026-05-08 02:13:44 +02:00
soraefir	8a619d9fc6	env	2026-05-08 02:00:10 +02:00
soraefir	a76f920297	Fix	2026-05-08 01:58:37 +02:00
soraefir	fe93cb708e	accept podman traffic	2026-05-08 01:49:31 +02:00
soraefir	cb29056296	Sops	2026-05-08 01:37:57 +02:00
soraefir	4bc68eeeaf	more fix	2026-05-08 01:34:17 +02:00
soraefir	9cf9937cb7	wg nft	2026-05-08 01:26:53 +02:00
soraefir	593514c100	fix ssh	2026-05-08 01:21:56 +02:00
soraefir	6ad9a0b34c	Env	2026-05-08 01:19:04 +02:00
soraefir	65e3568072	Db	2026-05-08 01:18:02 +02:00
soraefir	c55b06cca9	fix nft	2026-05-08 01:15:56 +02:00
soraefir	40dba4b959	Fix nftable	2026-05-08 01:15:27 +02:00
soraefir	bc8a9d42f9	Fix nftable	2026-05-08 01:09:51 +02:00
soraefir	cd5a1aeed4	temp fix	2026-05-08 01:08:59 +02:00
soraefir	0f2081486d	Wops	2026-05-08 01:08:07 +02:00
soraefir	1c022d7642	Fix secret	2026-05-08 00:53:00 +02:00
soraefir	379f6befb3	fix	2026-05-08 00:44:13 +02:00
soraefir	868d2ce116	fix	2026-05-08 00:29:12 +02:00
soraefir	94fdfa2b33	Test acme	2026-05-08 00:17:46 +02:00
soraefir	a73ad174ea	Fix	2026-05-08 00:14:41 +02:00
soraefir	fba5a79ce6	Fix parenthesis	2026-05-08 00:12:17 +02:00
soraefir	e8c9fc52fb	Update	2026-05-08 00:06:21 +02:00
soraefir	8092bac6b7	nginx	2026-05-07 00:03:43 +02:00
soraefir	7d80478e83	more fixes authentik	2026-05-06 23:47:09 +02:00
soraefir	2cab462db5	Fix authentik worker	2026-05-06 23:45:21 +02:00
soraefir	0bb796fbe8	Fix cfg	2026-05-06 23:42:29 +02:00
soraefir	1f2cc94a0a	Fix builder	2026-05-06 23:39:28 +02:00
soraefir	3caf507905	Fix attempt	2026-05-06 23:35:03 +02:00
soraefir	27a5566ac6	Rename file	2026-05-06 23:31:12 +02:00
soraefir	b439888fa8	Fix naming	2026-05-06 23:30:08 +02:00
soraefir	093497367a	container builder	2026-05-06 23:28:49 +02:00
soraefir	1c0cfd1afe	change podman building	2026-05-06 22:59:11 +02:00