Merge branch 'main' of ssh://git.ghoscht.com:2222/ghoscht/nix-config

flake.lock

@@ -137,11 +137,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1727359191,
+        "lastModified": 1729281548,
-        "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=",
+        "narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700",
+        "rev": "a6a3179ddf396dfc28a078e2f169354d0c137125",
         "type": "github"
       },
       "original": {
@@ -159,11 +159,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1727409802,
+        "lastModified": 1729321532,
-        "narHash": "sha256-bTdztNxJL+dAcQ1yCtXy2upnvPt1FWerbRvzg3quhbU=",
+        "narHash": "sha256-3/d/mbLQhrkE1qK2Ut/mrMElE6fP9t6ITJoRQ6F+D7o=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "7964499d31675bc17b042f5ba46abe6bc2ea79af",
+        "rev": "70087c8c6e491dcc0bbff459073b480b1a72ac1c",
         "type": "gitlab"
       },
       "original": {
@@ -340,11 +340,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1725688145,
+        "lastModified": 1728804768,
-        "narHash": "sha256-WCdR85Psl7yfl1/gDruytzZcDUtj+V3GBxwb0kMWbts=",
+        "narHash": "sha256-WG8KWmT72SA1XrmixxJwI1RRWrT9D97kkYSE5OfOJdg=",
         "owner": "GermanBread",
         "repo": "declarative-flatpak",
-        "rev": "1cd36d4068cdeb3fa3fb815f8c9bfbc1217f445d",
+        "rev": "42cc2c4d97a03889d551cc82c43a0b124fd403f6",
         "type": "github"
       },
       "original": {
@@ -378,11 +378,11 @@
     },
     "hardware": {
       "locked": {
-        "lastModified": 1727040444,
+        "lastModified": 1728729581,
-        "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=",
+        "narHash": "sha256-oazkQ/z7r43YkDLLQdMg8oIB3CwWNb+2ZrYOxtLEWTQ=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac",
+        "rev": "a8dd1b21995964b115b1e3ec639dd6ce24ab9806",
         "type": "github"
       },
       "original": {
@@ -778,11 +778,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1725762081,
+        "lastModified": 1728156290,
-        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
+        "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
+        "rev": "17ae88b569bb15590549ff478bab6494dde4a907",
         "type": "github"
       },
       "original": {
@@ -794,11 +794,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1727122398,
+        "lastModified": 1729070438,
-        "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=",
+        "narHash": "sha256-KOTTUfPkugH52avUvXGxvWy8ibKKj4genodIYUED+Kc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093",
+        "rev": "5785b6bb5eaae44e627d541023034e1601455827",
         "type": "github"
       },
       "original": {
@@ -906,11 +906,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1724316499,
+        "lastModified": 1727907660,
-        "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
+        "narHash": "sha256-QftbyPoieM5M50WKUMzQmWtBWib/ZJbHo7mhj5riQec=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
+        "rev": "5966581aa04be7eff830b9e1457d56dc70a0b798",
         "type": "github"
       },
       "original": {
@@ -954,11 +954,11 @@
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1727264057,
+        "lastModified": 1729181673,
-        "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=",
+        "narHash": "sha256-LDiPhQ3l+fBjRATNtnuDZsBS7hqoBtPkKBkhpoBHv3I=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "759537f06e6999e141588ff1c9be7f3a5c060106",
+        "rev": "4eb33fe664af7b41a4c446f87d20c9a0a6321fa3",
         "type": "github"
       },
       "original": {
@@ -1002,11 +1002,11 @@
     },
     "nixpkgs_9": {
       "locked": {
-        "lastModified": 1725534445,
+        "lastModified": 1728093190,
-        "narHash": "sha256-Yd0FK9SkWy+ZPuNqUgmVPXokxDgMJoGuNpMEtkfcf84=",
+        "narHash": "sha256-CAZF2NRuHmqTtRTNAruWpHA43Gg2UvuCNEIzabP0l6M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9bb1e7571aadf31ddb4af77fc64b2d59580f9a39",
+        "rev": "e2f08f4d8b3ecb5cf5c9fd9cb2d53bb3c71807da",
         "type": "github"
       },
       "original": {
@@ -1082,11 +1082,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1727423009,
+        "lastModified": 1728345710,
-        "narHash": "sha256-+4B/dQm2EnORIk0k2wV3aHGaE0WXTBjColXjj7qWh10=",
+        "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "127a96f49ddc377be6ba76964411bab11ae27803",
+        "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
         "type": "github"
       },
       "original": {
@@ -1229,11 +1229,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1726560853,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {

hosts/adalbert/default.nix

@@ -67,6 +67,10 @@
   services.udev.packages = [inputs.heliox-cli.packages.x86_64-linux.default];
   environment.systemPackages = [inputs.heliox-cli.packages.x86_64-linux.default];
 
+  # Personalausweis reader
+  programs.ausweisapp.enable = true;
+  programs.ausweisapp.openFirewall = true; # also sets firewall entry
+
   programs.nix-ld.enable = true;
 
   # services.xserver.displayManager.sddm.enable = true;

hosts/franz/arion/git/arion-compose.nix

@@ -15,6 +15,7 @@
       useHostStore = true;
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
         "traefik.docker.network" = "dmz";
 
         "traefik.http.services.forgejo.loadbalancer.server.port" = "3000";
@@ -30,12 +31,6 @@
         "traefik.http.routers.forgejo-external.entrypoints" = "websecure-external";
         "traefik.http.routers.forgejo-external.tls" = "true";
         "traefik.http.routers.forgejo-external.tls.certresolver" = "letsencrypt";
-
-        "diun.enable" = "true";
-        "diun.watch_repo" = "true";
-        "diun.sort_tags" = "semver";
-        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
-        "diun.exclude_tags" = "\\b\\d{4,}\\b";
       };
       volumes = [
         "/storage/dataset/docker/git/forgejo_data:/data"

hosts/franz/arion/infrastructure/arion-compose.nix

@@ -12,7 +12,7 @@
 
   services = {
     traefik.service = {
-      image = "traefik:v3.1.4";
+      image = "traefik:3.1.4";
       container_name = "traefik";
       useHostStore = true;
       ports = [
@@ -24,6 +24,8 @@
       ];
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
+
         "traefik.http.routers.dashboard.rule" = "Host(`traefik.ghoscht.com`)";
         "traefik.http.routers.dashboard.entrypoints" = "websecure";
         "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
@@ -35,11 +37,6 @@
 
         "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme" = "https";
         "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto" = "https";
-
-        "diun.enable" = "true";
-        "diun.watch_repo" = "true";
-        "diun.sort_tags" = "semver";
-        "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
       };
       volumes = [
         "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
@@ -74,8 +71,6 @@
       ];
       labels = {
         "diun.enable" = "true";
-        "diun.watch_repo" = "true";
-        "diun.sort_tags" = "semver";
         "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
       };
       depends_on = [
@@ -140,7 +135,6 @@
       image = "crazymax/diun:4.28";
       container_name = "diun";
       restart = "always";
-      command = "serve";
       volumes = [
         "/storage/dataset/docker/infrastructure/diun_data:/data"
         "/var/run/docker.sock:/var/run/docker.sock"
@@ -155,6 +149,9 @@
         DIUN_WATCH_RUNONSTARTUP = "true";
         DIUN_PROVIDERS_DOCKER = "true";
 
+        DIUN_DEFAULTS_SORTTAGS = "semver";
+        DIUN_DEFAULTS_INCLUDETAGS = "^\\d+\\.\\d+\\.\\d+$$";
+        DIUN_DEFAULTS_WATCHREPO = "true";
         DIUN_DEFAULTS_MAXTAGS = 1;
         DIUN_DEFAULTS_NOTIFYON = "new";
 

hosts/franz/arion/media/arion-compose.nix

@@ -16,6 +16,8 @@
       ];
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
+
         "traefik.http.routers.jellyfin.entrypoints" = "websecure";
         "traefik.http.routers.jellyfin.rule" = "Host(`jellyfin.ghoscht.com`)";
         "traefik.http.services.jellyfin.loadbalancer.server.port" = "8096";
@@ -23,11 +25,7 @@
         "traefik.http.routers.jellyfin.tls" = "true";
         "traefik.http.routers.jellyfin.tls.certresolver" = "letsencrypt";
 
-        "diun.enable" = "true";
+        "diun.exclude_tags" = "\\d{4,}";
-        "diun.watch_repo" = "true";
-        "diun.sort_tags" = "semver";
-        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
-        "diun.exclude_tags" = "\\b\\d{4,}\\b";
       };
       volumes = [
         "/storage/dataset/docker/media/jellyfin_data:/config"
@@ -50,6 +48,7 @@
       container_name = "navidrome";
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
         "traefik.docker.network" = "dmz";
 
         "traefik.http.services.navidrome.loadbalancer.server.port" = "4533";
@@ -65,12 +64,6 @@
         "traefik.http.routers.navidrome-external.entrypoints" = "websecure-external";
         "traefik.http.routers.navidrome-external.tls" = "true";
         "traefik.http.routers.navidrome-external.tls.certresolver" = "letsencrypt";
-
-        "diun.enable" = "true";
-        "diun.watch_repo" = "true";
-        "diun.sort_tags" = "semver";
-        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
-        "diun.exclude_tags" = "\\b\\d{4,}\\b";
       };
       volumes = [
         "/storage/dataset/docker/media/navidrome_data:/data"
@@ -157,6 +150,8 @@
       container_name = "prowlarr";
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
+
         "traefik.http.routers.prowlarr.entrypoints" = "websecure";
         "traefik.http.routers.prowlarr.rule" = "Host(`prowlarr.ghoscht.com`)";
         "traefik.http.services.prowlarr.loadbalancer.server.port" = "9696";
@@ -164,11 +159,6 @@
         "traefik.http.routers.prowlarr.tls" = "true";
         "traefik.http.routers.prowlarr.tls.certresolver" = "letsencrypt";
         "traefik.http.routers.prowlarr.middlewares" = "authentik@file";
-
-        "diun.enable" = "true";
-        "diun.watch_repo" = "true";
-        "diun.sort_tags" = "semver";
-        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
       };
       volumes = [
         "/storage/dataset/docker/media/prowlarr_data:/config"
@@ -189,6 +179,8 @@
       container_name = "sonarr";
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
+
         "traefik.http.routers.sonarr.entrypoints" = "websecure";
         "traefik.http.routers.sonarr.rule" = "Host(`sonarr.ghoscht.com`)";
         "traefik.http.services.sonarr.loadbalancer.server.port" = "8989";
@@ -196,10 +188,6 @@
         "traefik.http.routers.sonarr.tls" = "true";
         "traefik.http.routers.sonarr.tls.certresolver" = "letsencrypt";
         "traefik.http.routers.sonarr.middlewares" = "authentik@file";
-
-        "diun.enable" = "true";
-        "diun.watch_repo" = "true";
-        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
       };
       volumes = [
         "/storage/dataset/docker/media/sonarr_data:/config"
@@ -222,6 +210,8 @@
       container_name = "radarr";
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
+
         "traefik.http.routers.radarr.entrypoints" = "websecure";
         "traefik.http.routers.radarr.rule" = "Host(`radarr.ghoscht.com`)";
         "traefik.http.services.radarr.loadbalancer.server.port" = "7878";
@@ -229,10 +219,6 @@
         "traefik.http.routers.radarr.tls" = "true";
         "traefik.http.routers.radarr.tls.certresolver" = "letsencrypt";
         "traefik.http.routers.radarr.middlewares" = "authentik@file";
-
-        "diun.enable" = "true";
-        "diun.watch_repo" = "true";
-        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
       };
       volumes = [
         "/storage/dataset/docker/media/radarr_data:/config"
@@ -251,10 +237,12 @@
       restart = "always";
     };
     lidarr.service = {
-      image = "linuxserver/lidarr:2.4.3";
+      image = "linuxserver/lidarr:2.5.3";
       container_name = "lidarr";
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
+
         "traefik.http.routers.lidarr.entrypoints" = "websecure";
         "traefik.http.routers.lidarr.rule" = "Host(`lidarr.ghoscht.com`)";
         "traefik.http.services.lidarr.loadbalancer.server.port" = "8686";
@@ -263,6 +251,8 @@
         "traefik.http.routers.lidarr.tls" = "true";
         "traefik.http.routers.lidarr.tls.certresolver" = "letsencrypt";
         "traefik.http.routers.lidarr.middlewares" = "authentik@file";
+
+        "diun.exclude_tags" = "\\d{4,}";
       };
       volumes = [
         "/storage/dataset/docker/media/lidarr_data:/config"
@@ -335,6 +325,8 @@
       container_name = "autobrr";
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
+
         "traefik.http.routers.autobrr.entrypoints" = "websecure";
         "traefik.http.routers.autobrr.rule" = "Host(`autobrr.ghoscht.com`)";
         "traefik.http.services.autobrr.loadbalancer.server.port" = "7474";
@@ -342,8 +334,6 @@
         "traefik.http.routers.autobrr.tls" = "true";
         "traefik.http.routers.autobrr.tls.certresolver" = "letsencrypt";
 
-        "diun.enable" = "true";
-        "diun.watch_repo" = "true";
         "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
       };
       volumes = [

hosts/franz/arion/passwords/arion-compose.nix

@@ -12,6 +12,7 @@
       container_name = "vaultwarden";
       labels = {
         "traefik.enable" = "true";
+        "diun.enable" = "true";
         "traefik.docker.network" = "dmz";
 
         "traefik.http.services.vaultwarden.loadbalancer.server.port" = "80";
@@ -27,12 +28,6 @@
         "traefik.http.routers.vaultwarden-external.entrypoints" = "websecure-external";
         "traefik.http.routers.vaultwarden-external.tls" = "true";
         "traefik.http.routers.vaultwarden-external.tls.certresolver" = "letsencrypt";
-
-        "diun.enable" = "true";
-        "diun.watch_repo" = "true";
-        "diun.sort_tags" = "semver";
-        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
-        "diun.exclude_tags" = "\\b\\d{4,}\\b";
       };
       volumes = [
         "/storage/dataset/docker/passwords/vaultwarden_data/:/data"

hosts/franz/restic.nix

@@ -64,8 +64,11 @@ in {
       version: 2
       global:
         forget:
-          keep-weekly: 7
+          keep-last: 5
+          keep-weekly: 1
           keep-monthly: 12
+          keep-yearly: 7
+          keep-within: '14d'
 
       extras:
         default_hooks: &default_hooks
@@ -81,6 +84,7 @@ in {
           to:
             - zfs
             - eustachius
+          forget: prune
           cron: '0 4 * * 0' # Every Sunday at 4:00
           hooks:
             <<: *default_hooks
@@ -94,6 +98,7 @@ in {
             - zfs
             - ssd
             - eustachius
+          forget: prune
           cron: '0 4 * * 0' # Every Sunday at 4:00
           hooks:
             <<: *default_hooks
@@ -106,6 +111,7 @@ in {
           to:
             - zfs
             - eustachius
+          forget: prune
           cron: '0 4 * * 0' # Every Sunday at 4:00
           hooks:
             <<: *default_hooks
@@ -157,6 +163,7 @@ in {
           to:
             - zfs
             - eustachius
+          forget: prune
           cron: '0 4 * * 0' # Every Sunday at 4:00
           hooks:
             <<: *default_hooks
@@ -182,6 +189,7 @@ in {
           to:
             - zfs
             - eustachius
+          forget: prune
           cron: '0 4 * * 0' # Every Sunday at 4:00
           hooks:
             <<: *default_hooks
@@ -204,6 +212,7 @@ in {
           from: /storage/dataset/docker/headscale
           to:
             - zfs
+          forget: prune
           cron: '55 3 * * *' # Every Day at 3:55
           hooks:
             <<: *default_hooks
@@ -217,6 +226,7 @@ in {
             - zfs
             - ssd
             - eustachius
+          forget: prune
           cron: '55 3 * * *' # Every Day at 3:55
           hooks:
             <<: *default_hooks
@@ -230,6 +240,7 @@ in {
             - zfs
             - ssd
             - eustachius
+          forget: prune
           cron: '55 3 * * *' # Every Day at 3:55
           hooks:
             <<: *default_hooks
@@ -243,6 +254,7 @@ in {
             - zfs
             - ssd
             - eustachius
+          forget: prune
           cron: '55 3 * * *' # Every Day at 3:55
           hooks:
             <<: *default_hooks
@@ -256,6 +268,7 @@ in {
             - zfs
             - ssd
             - eustachius
+          forget: prune
           cron: '55 3 * * *' # Every Day at 3:55
           hooks:
             <<: *default_hooks