flake.lock: Update

authentik: 2024.8.1->2024.8.2
traefik: v3.1.2->v3.1.3
navidrome: 0.52.0->0.53.1

.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &franz age1uauvjwfvg8u0zkn58ematurcptf43gz6vx44nwkq3xcnmwq95psqna9psw
+creation_rules:
+  - path_regex: secrets/franz.yaml$
+    key_groups:
+      - age:
+          - *franz

README.md

@@ -0,0 +1,20 @@
+# Nix-Config
+
+## Installation
+
+The NixOS installer image comes with password SSH auth disabled. Simply allowing the public Git keys is a nice workaround.
+```sh
+sudo systemctl start sshd
+mkdir ~/.ssh; curl https://git.ghoscht.com/ghoscht.keys > ~/.ssh/authorized_keys
+```
+
+The specific config from "hosts" can be installed using the following command. Limiting the download speed is optional, but can come in handy.
+```sh
+sudo nixos-install --option download-speed 4000 --flake .#<CONFIG_NAME_HERE>
+```
+
+## RPi Image generation
+```sh
+nix build .#nixosConfigurations.eustachius.config.system.build.sdImage
+sudo dd if=./result/sd-image/<IMAGE_NAME>.img of=/dev/<DEVICE_NAME> bs=1M status=progress
+```

disko/btrfs-swap.nix

@@ -0,0 +1,74 @@
+{device ? throw "Set this to your disk device, e.g. /dev/sda", ...}: {
+  disko.devices = {
+    disk.main = {
+      inherit device;
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = ["umask=0077"];
+            };
+          };
+          swap = {
+            size = "4G";
+            content = {
+              type = "swap";
+              resumeDevice = true;
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "root_vg";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      root_vg = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "btrfs";
+              extraArgs = ["-f"];
+
+              subvolumes = {
+                "/root" = {
+                  mountpoint = "/";
+                };
+
+                "/home" = {
+                  mountOptions = ["compress=zstd"];
+                  mountpoint = "/home";
+                };
+
+                "/nix" = {
+                  mountOptions = ["subvol=nix" "compress=zstd" "noatime"];
+                  mountpoint = "/nix";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

flake.nix

@@ -3,21 +3,23 @@
 
   inputs = {
     # Nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
     # You can access packages and modules from different nixpkgs revs
     # at the same time. Here's an working example:
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     # Also see the 'unstable-packages' overlay at 'overlays/default.nix'.
 
     # Home manager
-    home-manager.url = "github:nix-community/home-manager/release-23.11";
+    home-manager.url = "github:nix-community/home-manager/release-24.05";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
     hardware.url = "github:nixos/nixos-hardware";
-    nh = {
-      url = "github:viperml/nh";
+
+    disko = {
+      url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
     nix-colors.url = "github:misterio77/nix-colors";
     firefox-addons = {
       url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@@ -28,13 +30,17 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     xremap.url = "github:xremap/nix-flake";
+    flatpaks.url = "github:GermanBread/declarative-flatpak/stable-v3";
+    heliox-cli.url = "git+https://git.ghoscht.com/heliox/cli?ref=custom-dimming";
+    picokontroller.url = "git+https://git.ghoscht.com/ghoscht/picoKontroller";
+    sops-nix.url = "github:Mic92/sops-nix";
+    arion.url = "github:hercules-ci/arion";
   };
 
   outputs = {
     self,
     nixpkgs,
     home-manager,
-    arkenfox,
     ...
   } @ inputs: let
     inherit (self) outputs;
@@ -76,12 +82,43 @@
           ./hosts/adalbert
         ];
       };
+      ludwig = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs outputs vars;};
+        modules = [
+          ./hosts/ludwig
+        ];
+      };
+      leopold = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs outputs vars;};
+        modules = [
+          ./hosts/leopold
+        ];
+      };
+      franz = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs outputs vars;};
+        modules = [
+          ./hosts/franz
+        ];
+      };
+      # build with nix build .#nixosConfigurations.eustachius.config.system.build.sdImage
+      eustachius = nixpkgs.lib.nixosSystem {
+        system = "aarch64-linux";
+        modules = [
+          "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix"
+          ./hosts/eustachius
+
+          # extra config for sdImage generator
+          {
+            sdImage.compressImage = false;
+          }
+        ];
+      };
     };
 
     # Standalone home-manager configuration entrypoint
     # Available through 'home-manager --flake .#your-username@your-hostname'
     homeConfigurations = {
-      "ghoscht@adalbert" = home-manager.lib.homeManagerConfiguration {
+      "${vars.user}@adalbert" = home-manager.lib.homeManagerConfiguration {
         pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
         extraSpecialArgs = {inherit inputs outputs vars;};
         modules = [
@@ -89,5 +126,26 @@
         ];
       };
     };
+    "${vars.user}@ludwig" = home-manager.lib.homeManagerConfiguration {
+      pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
+      extraSpecialArgs = {inherit inputs outputs vars;};
+      modules = [
+        ./home/ludwig.nix
+      ];
+    };
+    "${vars.user}@franz" = home-manager.lib.homeManagerConfiguration {
+      pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
+      extraSpecialArgs = {inherit inputs outputs vars;};
+      modules = [
+        ./home/franz.nix
+      ];
+    };
+    # "${vars.user}@eustachius" = home-manager.lib.homeManagerConfiguration {
+    #   pkgs = nixpkgs.legacyPackages.aarch64-linux; # Home-manager requires 'pkgs' instance
+    #   extraSpecialArgs = {inherit inputs outputs vars;};
+    #   modules = [
+    #     ./home/eustachius.nix
+    #   ];
+    # };
   };
 }

home/adalbert.nix

@@ -1,6 +1,7 @@
 {
   inputs,
   outputs,
+  pkgs,
   ...
 }: let
 in {
@@ -9,38 +10,22 @@ in {
     ./features/desktop/awesome
     ./features/games
     ./features/coding
+    ./features/desktop/common/3d-printing.nix
     inputs.nix-colors.homeManagerModules.default
   ];
 
   colorScheme = inputs.nix-colors.colorSchemes.catppuccin-mocha;
-  # wallpaper = outputs.wallpapers.cyberpunk-city-red;
-  #
-  # #  ------   -----   ------
-  # # | DP-3 | | DP-1| | DP-2 |
-  # #  ------   -----   ------
-  # monitors = [
-  #   {
-  #     name = "DP-3";
-  #     width = 1920;
-  #     height = 1080;
-  #     x = 0;
-  #     workspace = "3";
-  #     enabled = false;
-  #   }
-  #   {
-  #     name = "DP-1";
-  #     width = 2560;
-  #     height = 1080;
-  #     x = 1920;
-  #     workspace = "1";
-  #     primary = true;
-  #   }
-  #   {
-  #     name = "DP-2";
-  #     width = 1920;
-  #     height = 1080;
-  #     x = 4480;
-  #     workspace = "2";
-  #   }
-  # ];
+
+  home.packages = [
+    inputs.picokontroller.packages.x86_64-linux.default
+    # pkgs.citrix_workspace
+  ];
+  nixpkgs = {
+    config = {
+      permittedInsecurePackages = [
+        "electron-25.9.0"
+        "nix-2.15.3"
+      ];
+    };
+  };
 }

home/features/cli/default.nix

@@ -20,10 +20,18 @@
     httpie # Better curl
     diffsitter # Better diff
     jq # JSON pretty printer and manipulator
-    timer # To help with my ADHD paralysis
+    timer # Nice looking timer
     lazydocker # Docker TUI
-    neofetch
-    tldr # nice & short manual snippets
+    neofetch # Unixporn stuff
+    tldr # Nice & short manual snippets
+    ntfy-sh # Push notifications to other devices
+    ipinfo # IP geolocation
+    ranger # TUI file manager
+    trickle # cli network limiter
+    du-dust # disk usage visualizer
+    lftp # FTP client
+    unar # unarchive files like rar, zip, tar
+    glow # fancy markdown viewer
 
     nvd # Differ
     nix-output-monitor

home/features/cli/fish.nix

@@ -7,11 +7,13 @@
   inherit (lib) mkIf;
   hasPackage = pname: lib.any (p: p ? pname && p.pname == pname) config.home.packages;
   hasRipgrep = hasPackage "ripgrep";
+  hasLftp = hasPackage "lftp";
   hasExa = hasPackage "eza";
   hasLazygit = config.programs.lazygit.enable;
   hasLazydocker = hasPackage "lazydocker";
   hasNixYourShell = hasPackage "nix-your-shell";
   hasShellColor = config.programs.shellcolor.enable;
+  hasWezterm = config.programs.wezterm.enable;
   shellcolor = "${pkgs.shellcolord}/bin/shellcolor";
 in {
   programs.fish = {
@@ -44,15 +46,29 @@ in {
         name = "autopair";
         src = pkgs.fishPlugins.autopair.src;
       }
+      {
+        name = "puffer";
+        src = pkgs.fishPlugins.puffer.src;
+      }
+      {
+        name = "z";
+        src = pkgs.fishPlugins.z.src;
+      }
     ];
     shellAliases = {
       lzg = mkIf hasLazygit "lazygit";
       lzd = mkIf hasLazydocker "lazydocker";
       batt = ''upower -i /org/freedesktop/UPower/devices/battery_BAT0 | grep -e "percentage" -e "state"'';
-      hx = "~/Documents/heliox-cli/target/debug/heliox-cli --mode";
       slp = "systemctl suspend";
       sdn = "shutdown 0";
       nrs = "nh os switch ~/.setup";
+
+      ls = mkIf hasExa "eza";
+      ll = mkIf hasExa "eza -l";
+      la = mkIf hasExa "eza -la";
+      exa = mkIf hasExa "eza";
+
+      imgcat = mkIf hasWezterm "wezterm imgcat";
     };
     shellAbbrs = rec {
       jqless = "jq -C | less -r";
@@ -65,8 +81,16 @@ in {
       nbn = "nix build nixpkgs#";
       nf = "nix flake";
 
-      ls = mkIf hasExa "eza";
-      exa = mkIf hasExa "eza";
+      glk = "gpg --list-keys --with-keygrip";
+      gssh = "gpg --export-ssh-key";
+      gnk = "gpg --full-generate-key --expert";
+      gek = "gpg --edit-key --expert";
+
+      udmount = "udisksctl mount -b";
+      udumount = "udisksctl unmount -b";
+
+      fftp = mkIf hasLftp "lftp -u ghoscht, sftp://192.168.178.35";
+      arss = "sudo autorestic exec -av -- snapshots";
     };
     functions = {
       # Disable greeting

home/features/cli/git.nix

@@ -1,6 +1,6 @@
 {pkgs, ...}: {
   #Prefer IPv4 for ssh
-  home.file.".ssh/config".text = "AddressFamily inet";
+  # home.file.".ssh/config".text = "AddressFamily inet";
 
   programs.git = {
     enable = true;
@@ -12,6 +12,7 @@
       commit.gpgsign = true;
       user.signingkey = "0x2C2C1C62A5388E82";
       init.defaultBranch = "main";
+      pull.rebase = false; # merge by default
     };
     lfs.enable = true;
     aliases = {

home/features/cli/gpg.nix

@@ -11,7 +11,7 @@
     enableSshSupport = true;
     enableFishIntegration = true;
     enableZshIntegration = true;
-    pinentryFlavor = "gnome3";
+    pinentryPackage = pkgs.pinentry-gnome3;
   };
 
   # Prevent clobbering SSH_AUTH_SOCK

home/features/coding/default.nix

@@ -3,5 +3,6 @@
     ./nvim
     ./vscode.nix
     ./intellij.nix
+    ./tmux.nix
   ];
 }

home/features/coding/nvim/default.nix

@@ -7,6 +7,39 @@
 }: let
   vars = import ../../../../vars.nix;
   colors = config.colorScheme.colors;
+  stableExtraPkgs = with pkgs; [
+    # LSP
+    lua-language-server
+    pkgs.nodePackages.typescript-language-server
+
+    # Formatters
+    stylua # lua
+    black # pyton
+    alejandra # nix
+    clang-tools_16 # c/c++
+    rustfmt
+    yamlfmt
+    prettierd
+    vscode-langservers-extracted
+
+    # Linters
+    ruff # python
+    nodePackages.jsonlint # json
+    nodePackages.eslint_d # javascript
+
+    # Tools
+    xclip
+    wl-clipboard
+    fzf
+    gcc
+
+    # idk?
+    lua
+  ];
+  unstableExtraPkgs = with pkgs.unstable; [
+    # LSP
+    nixd
+  ];
 in {
   home.sessionVariables.EDITOR = "nvim";
 
@@ -17,29 +50,7 @@ in {
     vimAlias = true;
     vimdiffAlias = true;
 
-    extraPackages = with pkgs; [
-      # LSP
-      lua-language-server
-      lua
-      rnix-lsp # nix
-
-      # Formatters
-      stylua # lua
-      black # pyton
-      alejandra # nix
-      clang-tools_16 # c/c++
-
-      # Linters
-      ruff # python
-      nodePackages.jsonlint # json
-      nodePackages.eslint_d # javascript
-
-      # Tools
-      xclip
-      wl-clipboard
-      fzf
-      gcc
-    ];
+    extraPackages = stableExtraPkgs ++ unstableExtraPkgs;
 
     plugins = with pkgs.vimPlugins; [
       {
@@ -69,6 +80,7 @@ in {
         type = "lua";
       }
 
+      cmp-path
       nvim-cmp
       {
         plugin = nvim-cmp;
@@ -92,7 +104,29 @@ in {
       friendly-snippets
 
       {
-        plugin = nvim-treesitter.withAllGrammars;
+        plugin = nvim-treesitter.withPlugins (p: [
+          p.vim
+          p.bash
+          p.lua
+          p.python
+          p.json
+          p.java
+          p.rust
+          p.cpp
+          p.c
+          p.css
+          p.csv
+          p.dockerfile
+          p.diff
+          p.gitignore
+          p.git_config
+          p.gitattributes
+          p.make
+          p.yaml
+          p.toml
+          p.typescript
+          p.xml
+        ]);
         config = builtins.readFile ./plugin/treesitter.lua;
         type = "lua";
       }
@@ -100,7 +134,7 @@ in {
       vim-nix
 
       {
-        plugin = nvim-base16;
+        plugin = base16-nvim;
         config = ''
           require('base16-colorscheme').setup({
             base00 = '#${colors.base00}', base01 = '#${colors.base01}', base02 = '#${colors.base02}', base03 = '#${colors.base03}',
@@ -122,6 +156,7 @@ in {
       nui-nvim
       {
         plugin = neo-tree-nvim;
+        config = builtins.readFile ./plugin/neo-tree.lua;
         type = "lua";
       }
 
@@ -151,7 +186,43 @@ in {
         config = builtins.readFile ./plugin/none-ls.lua;
         type = "lua";
       }
+
+      {
+        plugin = nvim-autopairs;
+        config = "require('nvim-autopairs').setup()";
+        type = "lua";
+      }
+
+      barbar-nvim
+
+      {
+        plugin = nvim-surround;
+        config = "require('nvim-surround').setup({})";
+        type = "lua";
+      }
+
+      vim-be-good
+
+      rainbow-delimiters-nvim
+
+      rustaceanvim
+
+      {
+        plugin = vim-tmux-navigator;
+        config = builtins.readFile ./plugin/vim-tmux-navigator.lua;
+        type = "lua";
+      }
+
+      {
+        plugin = nvim-ts-autotag;
+        config = "require('nvim-ts-autotag').setup({})";
+        type = "lua";
+      }
     ];
+
+    extraLuaConfig = ''
+      ${builtins.readFile ./options.lua}
+    '';
   };
 
   xdg.desktopEntries = {

home/features/coding/nvim/options.lua

@@ -1,9 +1,11 @@
+vim.keymap.set("", "<Space>", "<Nop>")
+vim.keymap.set("", "<C-Space>", "<Nop>")
 vim.g.mapleader = " "
 vim.g.maplocalleader = " "
 
 vim.o.clipboard = "unnamedplus"
 
-vim.o.number = true
+-- vim.o.number = true
 vim.o.relativenumber = true
 
 vim.o.signcolumn = "yes"
@@ -16,3 +18,8 @@ vim.o.updatetime = 300
 vim.o.termguicolors = true
 
 vim.o.mouse = "a"
+
+-- disable empty line ~
+vim.o.fillchars = "eob: "
+
+vim.o.undofile = true

home/features/coding/nvim/plugin/cmp.lua

@@ -42,5 +42,6 @@ cmp.setup({
 	sources = {
 		{ name = "nvim_lsp" },
 		{ name = "luasnip" },
+		{ name = "path" },
 	},
 })

home/features/coding/nvim/plugin/lsp.lua

@@ -39,7 +39,29 @@ require("lspconfig").lua_ls.setup({
 	},
 })
 
-require("lspconfig").rnix.setup({
+require("lspconfig").nixd.setup({
 	on_attach = on_attach,
 	capabilities = capabilities,
 })
+
+require("lspconfig").tsserver.setup({
+	on_attach = on_attach,
+	capabilities = capabilities,
+})
+
+require("lspconfig").eslint.setup({
+	settings = {
+		packageManager = "yarn",
+	},
+	on_attach = function(client, bufnr)
+		vim.api.nvim_create_autocmd("BufWritePre", {
+			buffer = bufnr,
+			command = "EslintFixAll",
+		})
+		vim.api.nvim_create_autocmd("BufWritePost", {
+			callback = function()
+				vim.lsp.buf.format()
+			end,
+		})
+	end,
+})

home/features/coding/nvim/plugin/neo-tree.lua

@@ -0,0 +1,19 @@
+require("neo-tree").setup({
+	close_if_last_window = true, -- Close Neo-tree if it is the last window left in the tab
+	hide_root_node = true, -- Hide the root node
+	filesystem = {
+		filtered_items = {
+			visible = false,
+			hide_dotfiles = false,
+			hide_gitignored = false,
+			hide_by_name = {
+				".git",
+				".DS_Store",
+				"thumbs.db",
+			},
+			show_hidden_count = false,
+		},
+	},
+})
+
+vim.keymap.set("n", "<C-n>", "<Cmd>Neotree toggle<CR>")

home/features/coding/nvim/plugin/none-ls.lua

@@ -7,14 +7,24 @@ local opts = {
 		null_ls.builtins.formatting.stylua,
 		-- Python
 		null_ls.builtins.formatting.black,
-		null_ls.builtins.diagnostics.ruff,
+		-- null_ls.builtins.diagnostics.ruff,
 		-- Javascript
-		null_ls.builtins.diagnostics.eslint_d,
-		null_ls.builtins.diagnostics.jsonlint,
+		-- null_ls.builtins.diagnostics.eslint_d,
+		-- null_ls.builtins.diagnostics.jsonlint,
 		-- C/C++
 		null_ls.builtins.formatting.clang_format,
 		-- Nix
 		null_ls.builtins.formatting.alejandra,
+		-- Rust
+		-- null_ls.builtins.formatting.rustfmt,
+		-- YAML
+		null_ls.builtins.formatting.yamlfmt,
+		-- Typescript
+		null_ls.builtins.formatting.prettier.with({
+			condition = function(utils)
+				return utils.has_file({ ".prettierrc.js" })
+			end,
+		}),
 	},
 	on_attach = function(client, bufnr)
 		if client.supports_method("textDocument/formatting") then

home/features/coding/nvim/plugin/vim-tmux-navigator.lua

@@ -0,0 +1,5 @@
+-- Navigate vim panes better
+vim.keymap.set("n", "<c-k>", ":wincmd k<CR>")
+vim.keymap.set("n", "<c-j>", ":wincmd j<CR>")
+vim.keymap.set("n", "<c-h>", ":wincmd h<CR>")
+vim.keymap.set("n", "<c-l>", ":wincmd l<CR>")

home/features/coding/tmux.nix

@@ -0,0 +1,46 @@
+{pkgs, ...}: {
+  home.packages = [pkgs.tmuxinator-fzf-start];
+  programs.tmux = {
+    enable = true;
+    keyMode = "vi";
+    customPaneNavigationAndResize = true;
+    mouse = true;
+    tmuxinator.enable = true;
+    shortcut = "Space";
+    extraConfig = ''
+      bind % split-window -h -c "#{pane_current_path}"
+      bind '"' split-window -v -c "#{pane_current_path}"
+      set -sg escape-time 0
+    '';
+    plugins = with pkgs; [
+      tmuxPlugins.vim-tmux-navigator
+      {
+        plugin = tmuxPlugins.catppuccin;
+        extraConfig = ''
+          set -g status-position top
+
+          set-option -sa terminal-features ',xterm-256color:RGB'
+
+          set -g @catppuccin_window_left_separator ""
+          set -g @catppuccin_window_right_separator " "
+          set -g @catppuccin_window_middle_separator " █"
+          set -g @catppuccin_window_number_position "right"
+
+          set -g @catppuccin_window_default_fill "number"
+          set -g @catppuccin_window_default_text "#W"
+
+          set -g @catppuccin_window_current_fill "number"
+          set -g @catppuccin_window_current_text "#W"
+
+          set -g @catppuccin_status_modules_right "directory session"
+          set -g @catppuccin_status_left_separator  " "
+          set -g @catppuccin_status_right_separator ""
+          set -g @catppuccin_status_fill "icon"
+          set -g @catppuccin_status_connect_separator "no"
+
+          set -g @catppuccin_directory_text "#{pane_current_path}"
+        '';
+      }
+    ];
+  };
+}

home/features/desktop/awesome/default.nix

@@ -1,6 +1,7 @@
 {pkgs, ...}: {
   imports = [
     ../common
+    ./zathura.nix
   ];
 
   home = {
@@ -30,6 +31,7 @@
       flameshot
       xclip
       brightnessctl
+      feh
     ];
   };
 }

home/features/desktop/awesome/zathura.nix

@@ -0,0 +1,47 @@
+{pkgs, ...}: {
+  programs.zathura = {
+    enable = true;
+    options = {
+      selection-clipboard = "clipboard";
+      statusbar-home-tilde = true;
+
+      default-fg = "#CDD6F4";
+      default-bg = "#1E1E2E";
+
+      completion-bg = "#313244";
+      completion-fg = "#CDD6F4";
+      completion-highlight-bg = "#575268";
+      completion-highlight-fg = "#CDD6F4";
+      completion-group-bg = "#313244";
+      completion-group-fg = "#89B4FA";
+
+      statusbar-fg = "#CDD6F4";
+      statusbar-bg = "#313244";
+
+      notification-bg = "#313244";
+      notification-fg = "#CDD6F4";
+      notification-error-bg = "#313244";
+      notification-error-fg = "#F38BA8";
+      notification-warning-bg = "#313244";
+      notification-warning-fg = "#FAE3B0";
+
+      inputbar-fg = "#CDD6F4";
+      inputbar-bg = "#313244";
+
+      recolor-lightcolor = "#1E1E2E";
+      recolor-darkcolor = "#CDD6F4";
+
+      index-fg = "#CDD6F4";
+      index-bg = "#1E1E2E";
+      index-active-fg = "#CDD6F4";
+      index-active-bg = "#313244";
+
+      render-loading-bg = "#1E1E2E";
+      render-loading-fg = "#CDD6F4";
+
+      highlight-color = "#575268";
+      highlight-fg = "#F5C2E7";
+      highlight-active-color = "#F5C2E7";
+    };
+  };
+}

home/features/desktop/common/3d-printing.nix

@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+  home.packages = with pkgs; [freecad cura];
+}

home/features/desktop/common/default.nix

@@ -1,8 +1,29 @@
-{
+{pkgs, ...}: {
   imports = [
+    ./theming.nix
     ./firefox.nix
     ./alacritty.nix
+    ./wezterm.nix
     ./font.nix
     ./playerctl.nix
+    ./easyeffects.nix
+    ./nextcloud.nix
+    ./flatpak.nix
+    ./notes.nix
+    ./fcitx5.nix
   ];
+
+  home.packages = with pkgs;
+    [
+      jellyfin-media-player # watch shows & movies from jellyfin with hardware decoding
+      # feishin-appimage # self-packaged feishin while electron build fails
+      signal-desktop # secure messenger
+      webcord-vencord # more "privacy friendly" discord client
+      anki
+      calibre
+
+      rofi-audio-switcher # Script to switch default audio sinks/sources
+      mpv # Video player
+    ]
+    ++ (with pkgs.unstable; [feishin]);
 }

home/features/desktop/common/easyeffects.nix

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+  # services.easyeffects.enable = true;
+  xdg.configFile."easyeffects/output/Beyerdynamic_DT990_Oratory.json" = {
+    source = ../../../../rsc/config/easyeffects/Beyerdynamic_DT990_Oratory.json;
+  };
+  home.packages = with pkgs; [easyeffects];
+}

home/features/desktop/common/fcitx5.nix

@@ -0,0 +1,6 @@
+{pkgs, ...}: {
+  xdg.configFile."fcitx5" = {
+    source = ../../../../rsc/config/fcitx5;
+    recursive = true;
+  };
+}

home/features/desktop/common/firefox.nix

@@ -5,6 +5,8 @@
   ...
 }: {
   imports = [inputs.arkenfox.hmModules.default];
+  home.file.".mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json".source = "${pkgs.plasma5Packages.plasma-browser-integration}/lib/mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json";
+
   programs.firefox = {
     enable = true;
 
@@ -20,6 +22,7 @@
         darkreader
         tabliss
         consent-o-matic
+        # bypass-paywalls-clean
       ];
 
       search.engines = {
@@ -116,59 +119,69 @@
       search.default = "Searx";
 
       settings = {
+        "media.hardwaremediakeys.enabled" = false;
         "dom.security.https_only_mode" = true;
-        "browser.download.panel.shown" = true;
+        "browser.download.panel.shown" = false;
+        "browser.toolbars.bookmarks.visibility" = "always";
         "signon.rememberSignons" = false;
         "browser.formfill.enable" = false;
         "signon. prefillForms" = false;
         "browser.shell.checkDefaultBrowser" = false;
-        "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+        # "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
         "browser.uiCustomization.state" = ''{"placements":{"widget-overflow-fixed-list":[],"unified-extensions-area":["addon_darkreader_org-browser-action","plasma-browser-integration_kde_org-browser-action","_506e023c-7f2b-40a3-8066-bc5deb40aebe_-browser-action","_testpilot-containers-browser-action","7esoorv3_alefvanoon_anonaddy_me-browser-action","_a6c4a591-f1b2-4f03-b3ff-767e5bedf4e7_-browser-action","gdpr_cavi_au_dk-browser-action","firefoxcolor_mozilla_com-browser-action","firefox-translations-addon_mozilla_org-browser-action"],"nav-bar":["back-button","forward-button","stop-reload-button","urlbar-container","downloads-button","unified-extensions-button","ublock0_raymondhill_net-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action"],"toolbar-menubar":["menubar-items"],"TabsToolbar":["tabbrowser-tabs","new-tab-button","alltabs-button"],"PersonalToolbar":["personal-bookmarks"]},"seen":["save-to-pocket-button","developer-button","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","addon_darkreader_org-browser-action","ublock0_raymondhill_net-browser-action","plasma-browser-integration_kde_org-browser-action","_506e023c-7f2b-40a3-8066-bc5deb40aebe_-browser-action","_testpilot-containers-browser-action","7esoorv3_alefvanoon_anonaddy_me-browser-action","_a6c4a591-f1b2-4f03-b3ff-767e5bedf4e7_-browser-action","gdpr_cavi_au_dk-browser-action","firefoxcolor_mozilla_com-browser-action","firefox-translations-addon_mozilla_org-browser-action"],"dirtyAreaCache":["nav-bar","PersonalToolbar","toolbar-menubar","TabsToolbar","unified-extensions-area"],"currentVersion":20,"newElementCount":4}'';
       };
       arkenfox = {
         enable = true;
-    "0000".enable = true;
-    "0100" = {
-      enable = true;
-      # Allow setting homepage
-      "0102"."browser.startup.page".value = 1;
-    };
-    "0200" = {
-      enable = true;
-    };
-    "0300".enable = true;
-    # We keep safebrowsing
-    "0400".enable = false;
-    "0600" = {
-      enable = true;
-      "0610"."browser.send_pings".enable = true;
-    };
-    "0700" = {
-      enable = true;
-      # Disable DNS over HTTPS
-      "0710"."network.trr.mode".value = 5;
-    };
-    # "0800" = {
-    #   enable = true;
-    #   # Keep using url bar as search bar
-    #   "0801"."keyword.enabled".value = true;
-    # };
-    "0900".enable = true;
-    "1000" = {
-      enable = true;
-      # Enable disk cache for performance reasons
-      "1001"."browser.cache.disk.enable".enable = true;
-      "1001"."browser.cache.disk.enable".value = true;
-    };
-    "1200".enable = true;
-    # I don't use container tabs
-    "1700".enable = false;
-    "2600" = {
-      enable = true;
-      # The recent documents feature is useful
-      "2653".enable = false;
-    };
-    "2700".enable = true;
+        "0000".enable = true;
+        "0100" = {
+          enable = true;
+          # Allow setting homepage
+          "0102"."browser.startup.page".value = 1;
+        };
+        "0200" = {
+          enable = true;
+        };
+        "0300".enable = true;
+        # We keep safebrowsing
+        "0400".enable = false;
+        "0600" = {
+          enable = true;
+          "0610"."browser.send_pings".enable = true;
+        };
+        "0700" = {
+          enable = true;
+          # Disable DNS over HTTPS
+          "0710"."network.trr.mode".value = 5;
+        };
+        # "0800" = {
+        #   enable = true;
+        #   # Keep using url bar as search bar
+        #   "0801"."keyword.enabled".value = true;
+        # };
+        "0900".enable = true;
+        "1000" = {
+          enable = true;
+          # Enable disk cache for performance reasons
+          "1001"."browser.cache.disk.enable".enable = true;
+          "1001"."browser.cache.disk.enable".value = true;
+        };
+        "1200".enable = true;
+        # I don't use container tabs
+        "1700".enable = false;
+        "2600" = {
+          enable = true;
+          # useDownloadDir
+          "2651".enable = false;
+          # always_ask_before_handling_new_types
+          "2654".enable = false;
+        };
+        "2700".enable = true;
+        "2800" = {
+          "2812".enable = true;
+        };
+        "5000" = {
+          "5008".enable = true;
+        };
       };
     };
   };

home/features/desktop/common/flatpak.nix

@@ -0,0 +1,32 @@
+{
+  inputs,
+  pkgs,
+  vars,
+  ...
+}: {
+  imports = [inputs.flatpaks.homeManagerModules.default];
+  services.flatpak = {
+    remotes.flathub = "https://flathub.org/repo/flathub.flatpakrepo";
+    packages = [
+      "flathub:app/us.zoom.Zoom//stable"
+      "flathub:app/com.discordapp.Discord//stable"
+      "flathub:app/md.obsidian.Obsidian//stable"
+    ];
+    overrides = {
+      global = {
+        filesystems = [
+          "~/.local/share/icons"
+        ];
+        environment = {
+          "MOZ_ENABLE_WAYLAND" = 1;
+        };
+      };
+      "md.obsidian.Obsidian" = {
+        sockets = [
+          "wayland"
+          "system-bus"
+        ];
+      };
+    };
+  };
+}

home/features/desktop/common/nextcloud.nix

@@ -0,0 +1,3 @@
+{
+  services.nextcloud-client.enable = true;
+}

home/features/desktop/common/notes.nix

@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+  home.packages = with pkgs; [
+    xournalpp
+  ];
+}

home/features/desktop/common/theming.nix

@@ -0,0 +1,33 @@
+{pkgs, ...}: {
+  home.pointerCursor = {
+    package = pkgs.bibata-cursors;
+    name = "Bibata-Modern-Ice";
+    size = 25;
+    x11.enable = true;
+    gtk.enable = true;
+  };
+
+  # gtk.cursorTheme.package = pkgs.bibata-cursors;
+  # gtk.cursorTheme.name = "Bibata-Modern-Ice";
+  # home.file.".icons/bibata".source = "${pkgs.bibata-cursors}/share/icons/Bibata-Modern-Classic";
+  # xdg.dataFile."icons/bibata".source = "${pkgs.bibata-cursors}/share/icons/Bibata-Modern-Classic";
+  gtk = {
+    enable = true;
+    theme.package = pkgs.adw-gtk3;
+    theme.name = "adw-gtk3-dark";
+    iconTheme.package = pkgs.papirus-icon-theme;
+    iconTheme.name = "Papirus";
+  };
+
+  qt = {
+    enable = true;
+    platformTheme = "gtk";
+    style.package = with pkgs; [adwaita-qt adwaita-qt6];
+    style.name = "adwaita-dark";
+  };
+
+  home.packages = with pkgs; [
+    libsForQt5.qt5.qtquickcontrols2
+    libsForQt5.qt5.qtgraphicaleffects
+  ];
+}

home/features/desktop/common/wezterm.nix

@@ -0,0 +1,55 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  programs.wezterm = {
+    enable = true;
+    colorSchemes = {
+      "${config.colorscheme.slug}" = with config.colorScheme; {
+        foreground = "#${colors.base05}";
+        background = "#${colors.base00}";
+
+        ansi = [
+          "#${colors.base00}"
+          "#${colors.base08}"
+          "#${colors.base0B}"
+          "#${colors.base0A}"
+          "#${colors.base0D}"
+          "#${colors.base0E}"
+          "#${colors.base0C}"
+          "#${colors.base05}"
+        ];
+        brights = [
+          "#${colors.base03}"
+          "#${colors.base08}"
+          "#${colors.base0B}"
+          "#${colors.base0A}"
+          "#${colors.base0D}"
+          "#${colors.base0E}"
+          "#${colors.base0C}"
+          "#${colors.base07}"
+        ];
+        cursor_fg = "#${colors.base00}";
+        cursor_bg = "#${colors.base05}";
+        selection_fg = "#${colors.base00}";
+        selection_bg = "#${colors.base05}";
+      };
+    };
+    extraConfig = ''
+      return {
+        warn_about_missing_glyphs=false,
+        font = wezterm.font("${config.fontProfiles.monospace.family}"),
+        font_size = 12.0,
+        window_background_opacity = 0.83,
+        color_scheme = "${config.colorscheme.slug}",
+        hide_tab_bar_if_only_one_tab = true,
+        window_close_confirmation = "NeverPrompt",
+        use_ime = true,
+        set_environment_variables = {
+          TERM = 'wezterm',
+        },
+      }
+    '';
+  };
+}

home/features/desktop/gnome/default.nix

@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+  imports = [
+    ../common
+  ];
+}

home/features/games/default.nix

@@ -1,5 +1,12 @@
 {pkgs, ...}: {
-  imports = [
-    # ./steam.nix
+  home.packages = with pkgs; [
+    protonup-rs
+    heroic
+    (lutris.override {
+      extraLibraries = pkgs: [
+        wine
+        wineWowPackages.stable
+      ];
+    })
   ];
 }

home/features/games/steam.nix

@@ -1,31 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}: let
-  steam-with-pkgs = pkgs.steam.override {
-    extraPkgs = pkgs:
-      with pkgs; [
-        xorg.libXcursor
-        xorg.libXi
-        xorg.libXinerama
-        xorg.libXScrnSaver
-        libpng
-        libpulseaudio
-        libvorbis
-        stdenv.cc.cc.lib
-        libkrb5
-        keyutils
-        gamescope
-        mangohud
-      ];
-  };
-in {
-  home.packages = with pkgs; [
-    steam-with-pkgs
-    gamescope
-    mangohud
-    protontricks
-  ];
-}

home/features/general/xdg-dirs.nix

@@ -0,0 +1,14 @@
+{
+  xdg.userDirs = {
+    enable = true;
+    createDirectories = true;
+    desktop = "/home/ghoscht/Uni";
+    download = "/home/ghoscht/Downloads";
+    documents = "/home/ghoscht/Documents";
+    music = null;
+    pictures = "/home/ghoscht/Pictures";
+    publicShare = null;
+    templates = null;
+    videos = null;
+  };
+}

home/franz.nix

@@ -0,0 +1,27 @@
+{
+  inputs,
+  outputs,
+  ...
+}: let
+in {
+  imports = [
+    ./global
+    ./features/coding/nvim
+    ./features/coding/tmux.nix
+    inputs.nix-colors.homeManagerModules.default
+  ];
+
+  colorScheme = inputs.nix-colors.colorSchemes.catppuccin-mocha;
+
+  home.file.".docker" = {
+    source = ../rsc/docker/franz;
+    recursive = true;
+  };
+  nixpkgs = {
+    config = {
+      permittedInsecurePackages = [
+        "nix-2.15.3"
+      ];
+    };
+  };
+}

home/global/default.nix

@@ -20,6 +20,7 @@
 
       # You can also split up your configuration and import pieces of it here:
       ../features/cli
+      ../features/general/xdg-dirs.nix
     ]
     ++ (builtins.attrValues outputs.homeManagerModules);
 

home/ludwig.nix

@@ -0,0 +1,27 @@
+{
+  pkgs,
+  inputs,
+  outputs,
+  ...
+}: let
+in {
+  imports = [
+    ./global
+    ./features/desktop/awesome
+    ./features/desktop/gnome
+    ./features/coding
+    inputs.nix-colors.homeManagerModules.default
+  ];
+
+  home.packages = with pkgs; [nextcloud-client];
+
+  colorScheme = inputs.nix-colors.colorSchemes.catppuccin-mocha;
+  nixpkgs = {
+    config = {
+      permittedInsecurePackages = [
+        "electron-25.9.0"
+        "nix-2.15.3"
+      ];
+    };
+  };
+}

hosts/adalbert/default.nix

@@ -3,9 +3,6 @@
 {
   inputs,
   outputs,
-  lib,
-  config,
-  pkgs,
   ...
 }: {
   # You can import other NixOS modules here
@@ -32,9 +29,11 @@
     ../common/optional/kde-connect.nix
     ../common/optional/gnome-keyring.nix
     ../common/optional/adb.nix
+    ../common/optional/docker.nix
     ../common/optional/gaming/gamemode.nix
     ../common/optional/gaming/steam.nix
-    ../common/optional/gaming/vr.nix
+    ../common/optional/desktop/japanese.nix
+    ../common/optional/udisks.nix
   ];
 
   nixpkgs = {
@@ -65,13 +64,29 @@
 
   networking.hostName = "adalbert";
 
+  services.udev.packages = [inputs.heliox-cli.packages.x86_64-linux.default];
+  environment.systemPackages = [inputs.heliox-cli.packages.x86_64-linux.default];
+
+  programs.nix-ld.enable = true;
+
+  # services.xserver.displayManager.sddm.enable = true;
+  services.xserver.displayManager.gdm.enable = true;
+
   # Force disable Nvidia PRIME, needed by nix-hardware
   hardware.nvidia.prime.offload.enable = false;
 
+  programs.coolercontrol = {
+    enable = true;
+    nvidiaSupport = true;
+  };
+  boot.binfmt.emulatedSystems = [
+    "aarch64-linux"
+    "riscv64-linux"
+  ];
+
   programs = {
     adb.enable = true;
     dconf.enable = true;
-    kdeconnect.enable = true;
   };
 
   hardware = {

hosts/adalbert/hardware-configuration.nix

@@ -18,17 +18,17 @@
   boot.extraModulePackages = [];
 
   fileSystems."/" = {
-    device = "/dev/disk/by-uuid/f9ba57fb-0b82-47e0-8189-7bbebc530e2b";
+    device = "/dev/disk/by-uuid/e92a5e85-52ce-4627-be79-5c07a99e2d1b";
     fsType = "ext4";
   };
 
   fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/BCF2-51D4";
+    device = "/dev/disk/by-uuid/348E-AC69";
     fsType = "vfat";
   };
 
   swapDevices = [
-    {device = "/dev/disk/by-uuid/4834fbc3-3feb-4b93-b11f-8b9bd054c5c1";}
+    {device = "/dev/disk/by-uuid/ae322cab-c083-4644-80ff-9122498d54e8";}
   ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

hosts/common/global/default.nix

@@ -2,7 +2,6 @@
 {
   inputs,
   outputs,
-  config,
   ...
 }: {
   imports =
@@ -12,8 +11,8 @@
       ./fish.nix
       ./locale.nix
       ./nix.nix
-      ./podman.nix
       ./power-button.nix
+      ./documentation.nix
     ]
     ++ (builtins.attrValues outputs.nixosModules);
 
@@ -26,8 +25,8 @@
     };
   };
 
-  # Fix for qt6 plugins
-  environment.profileRelativeSessionVariables = {
-    QT_PLUGIN_PATH = ["/lib/qt-6/plugins"];
-  };
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  boot.supportedFilesystems = ["ntfs"];
 }

hosts/common/global/documentation.nix

@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [man-pages man-pages-posix];
+  documentation.dev.enable = true;
+  documentation.man = {
+    # In order to enable to mandoc man-db has to be disabled.
+    man-db.enable = false;
+    mandoc.enable = true;
+  };
+}

hosts/common/optional/desktop/flatpak.nix

@@ -9,4 +9,6 @@
 
   # Create folder where all fonts are linked to /run/current-system/sw/share/X11/fonts
   fonts.fontDir.enable = true;
+
+  xdg.portal.enable = true;
 }

hosts/common/optional/desktop/global.nix

@@ -4,15 +4,13 @@
   pkgs,
   ...
 }: {
-  imports = [./pipewire.nix ../printing.nix ./flatpak.nix ./xdg.nix ./xremap.nix];
-
-  # Enable networking
-  networking.networkmanager.enable = true;
+  imports = [./pipewire.nix ../printing.nix ./flatpak.nix ./xremap.nix];
 
   # Enable for GTK
   programs.dconf.enable = true;
 
-  services.xserver = {
-    displayManager.sddm.enable = true;
+  # Fix for qt6 plugins
+  environment.profileRelativeSessionVariables = {
+    QT_PLUGIN_PATH = ["/lib/qt-6/plugins"];
   };
 }

hosts/common/optional/desktop/gnome.nix

@@ -11,6 +11,41 @@
       desktopManager.gnome = {
         enable = true;
       };
+      libinput.enable = true;
+      modules = [pkgs.xf86_input_wacom];
+      wacom.enable = true;
     };
+    udev.packages = with pkgs; [
+      gnome.gnome-settings-daemon
+    ];
+  };
+
+  environment = {
+    systemPackages = with pkgs; [
+      # System-Wide Packages
+      gnome.adwaita-icon-theme
+      gnome.dconf-editor
+      gnome.gnome-tweaks
+      gnomeExtensions.kimpanel
+      gnomeExtensions.vitals
+      gnomeExtensions.tray-icons-reloaded
+    ];
+    gnome.excludePackages =
+      (with pkgs; [
+        # Ignored Packages
+        gnome-tour
+      ])
+      ++ (with pkgs.gnome; [
+        atomix
+        epiphany
+        geary
+        gedit
+        gnome-characters
+        gnome-contacts
+        gnome-initial-setup
+        hitori
+        iagno
+        tali
+      ]);
   };
 }

hosts/common/optional/desktop/japanese.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}: {
+  i18n.inputMethod = {
+    enabled = "fcitx5";
+    fcitx5.addons = with pkgs; [
+      fcitx5-mozc
+      fcitx5-gtk
+    ];
+  };
+  fonts.packages = with pkgs; [
+    noto-fonts-cjk-sans
+  ];
+}

hosts/common/optional/desktop/pipewire.nix

@@ -1,4 +1,4 @@
-{
+{pkgs, ...}: {
   security.rtkit.enable = true;
   hardware.pulseaudio.enable = false;
   services.pipewire = {
@@ -8,4 +8,6 @@
     pulse.enable = true;
     jack.enable = true;
   };
+
+  environment.systemPackages = with pkgs; [pavucontrol pulseaudio qpwgraph];
 }

hosts/common/optional/desktop/plasma.nix

@@ -0,0 +1,15 @@
+{pkgs, ...}: {
+  imports = [./global.nix ./x11.nix];
+
+  services.xserver.desktopManager.plasma5.enable = true;
+  environment.plasma5.excludePackages = with pkgs.libsForQt5; [
+    elisa
+    gwenview
+    okular
+    oxygen
+    khelpcenter
+    konsole
+    plasma-browser-integration
+    print-manager
+  ];
+}

hosts/common/optional/desktop/xremap.nix

@@ -1,21 +1,63 @@
 {
   pkgs,
   inputs,
+  lib,
   ...
 }: {
   imports = [
     inputs.xremap.nixosModules.default
   ];
 
+  hardware.uinput.enable = true;
+  users.groups.uinput.members = ["ghoscht"];
+  users.groups.input.members = ["ghoscht"];
+
+  systemd.user.services.set-xhost = {
+    description = "Run a one-shot command upon user login";
+    path = [pkgs.xorg.xhost];
+    wantedBy = ["default.target"];
+    script = "xhost +SI:localuser:root";
+    environment.DISPLAY = ":0"; # NOTE: This is hardcoded for this flake
+  };
+
   services.xremap = {
     withX11 = true;
+    watch = true;
+    debug = false;
+    userName = "ghoscht";
+    serviceMode = "user";
     config = {
       keymap = [
         {
-          name = "main remaps";
+          name = "Global";
           remap = {
-            super-e = {
-              launch = ["firefox"];
+            "CapsLock" = "Esc";
+            "Esc" = "CapsLock";
+            super-x = {
+              launch = ["${lib.getExe pkgs.wezterm}"];
+            };
+            # super-space = {
+            #   launch = ["${lib.getExe pkgs.rofi}" "-i" "-show" "drun" "-show-icons"];
+            # };
+            # super-control-l = {
+            #   launch = ["${lib.getExe pkgs.firefox}"];
+            # };
+            # super-control-shift-l = {
+            #   launch = ["${lib.getExe pkgs.firefox}" "--private-window"];
+            # };
+          };
+        }
+        {
+          name = "Music";
+          remap = {
+            "KEY_PLAYPAUSE" = {
+              launch = ["${lib.getExe pkgs.playerctl}" "play-pause"];
+            };
+            "KEY_NEXTSONG" = {
+              launch = ["${lib.getExe pkgs.playerctl}" "next"];
+            };
+            "KEY_PREVIOUSSONG" = {
+              launch = ["${lib.getExe pkgs.playerctl}" "previous"];
             };
           };
         }

hosts/common/optional/gaming/steam.nix

@@ -1,18 +1,17 @@
-{pkgs, ...}: {
-  environment.systemPackages = with pkgs.unstable; [
-    heroic # Game Launcher
-    lutris # Game Launcher
-    steam # Game Launcher
-  ];
-
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
   programs = {
     steam = {
       enable = true;
-      remotePlay.openFirewall = true;
-      gamescopeSession.enable = false;
     };
-    # Steam: Right-click game - Properties - Launch options: gamemoderun %command%
-    # Lutris: General Preferences - Enable Feral GameMode
-    #                             - Global options - Add Environment Variables: LD_PRELOAD=/nix/store/*-gamemode-*-lib/lib/libgamemodeauto.so
+  };
+
+  xdg.mime = {
+    defaultApplications."x-scheme-handler/steam" = "steam.desktop";
+    addedAssociations."x-scheme-handler/steam" = "steam.desktop";
   };
 }

hosts/common/optional/gaming/vr.nix

@@ -1,6 +0,0 @@
-{
-  programs.alvr = {
-    enable = true;
-    openFirewall = true;
-  };
-}

hosts/common/optional/gnome-keyring.nix

@@ -2,11 +2,10 @@
   config,
   lib,
   pkgs,
-  vars,
   ...
 }: let
 in {
-  security.pam.services.${vars.user}.enableGnomeKeyring = true;
+  security.pam.services.sddm.enableGnomeKeyring = true;
   services.gnome.gnome-keyring.enable = true;
   programs.seahorse.enable = true;
 }

hosts/common/optional/quietboot.nix

@@ -1,33 +0,0 @@
-{
-  pkgs,
-  config,
-  ...
-}: {
-  console = {
-    useXkbConfig = true;
-    earlySetup = false;
-  };
-
-  boot = {
-    plymouth = {
-      enable = true;
-      theme = "spinner-monochrome";
-      themePackages = [
-        (pkgs.plymouth-spinner-monochrome.override {
-          inherit (config.boot.plymouth) logo;
-        })
-      ];
-    };
-    loader.timeout = 0;
-    kernelParams = [
-      "quiet"
-      "loglevel=3"
-      "systemd.show_status=auto"
-      "udev.log_level=3"
-      "rd.udev.log_level=3"
-      "vt.global_cursor_default=0"
-    ];
-    consoleLogLevel = 0;
-    initrd.verbose = false;
-  };
-}

hosts/common/optional/systemd-boot.nix

@@ -3,6 +3,7 @@
     systemd-boot = {
       enable = true;
       consoleMode = "max";
+      configurationLimit = 42;
     };
     efi.canTouchEfiVariables = true;
   };

hosts/common/optional/udisks.nix

@@ -0,0 +1,3 @@
+{
+  services.udisks2.enable = true;
+}

hosts/common/optional/vsftpd.nix

@@ -0,0 +1,7 @@
+{
+  services.vsftpd = {
+    enable = true;
+    writeEnable = true;
+    localUsers = true;
+  };
+}

hosts/eustachius/default.nix

@@ -0,0 +1,117 @@
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  vars = import ../../vars.nix;
+in {
+  imports = [../common/global/locale.nix];
+  # NixOS wants to enable GRUB by default
+  boot.loader.grub.enable = false;
+  # Enables the generation of /boot/extlinux/extlinux.conf
+  boot.loader.generic-extlinux-compatible.enable = true;
+
+  # !!! Set to specific linux kernel version
+  boot.kernelPackages = pkgs.linuxPackages;
+
+  # Disable ZFS on kernel 6
+  boot.supportedFilesystems = lib.mkForce [
+    "vfat"
+    "xfs"
+    "cifs"
+    "ntfs"
+  ];
+
+  # !!! Needed for the virtual console to work on the RPi 3, as the default of 16M doesn't seem to be enough.
+  # If X.org behaves weirdly (I only saw the cursor) then try increasing this to 256M.
+  # On a Raspberry Pi 4 with 4 GB, you should either disable this parameter or increase to at least 64M if you want the USB ports to work.
+  boot.kernelParams = ["cma=256M"];
+
+  # File systems configuration for using the installer's partition layout
+  fileSystems = {
+    # Prior to 19.09, the boot partition was hosted on the smaller first partition
+    # Starting with 19.09, the /boot folder is on the main bigger partition.
+    # The following is to be used only with older images.
+    /*
+    "/boot" = {
+    device = "/dev/disk/by-label/NIXOS_BOOT";
+    fsType = "vfat";
+    };
+    */
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+  };
+
+  # !!! Adding a swap file is optional, but strongly recommended!
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 1024;
+    }
+  ];
+
+  # systemPackages
+  environment.systemPackages = with pkgs; [
+    neovim
+    curl
+    wget
+  ];
+
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+  };
+
+  services.restic.server = {
+    enable = true;
+    dataDir = "/mnt/backups";
+    extraFlags = ["--no-auth"];
+  };
+
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "server";
+  };
+
+  virtualisation.docker.enable = true;
+
+  networking.firewall.enable = false;
+
+  # Networking
+  networking.useDHCP = true;
+
+  # forwarding
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.forwarding" = true;
+    "net.ipv6.conf.all.forwarding" = true;
+    "net.ipv4.tcp_ecn" = true;
+  };
+
+  # put your own configuration here, for example ssh keys:
+  users.mutableUsers = true;
+  users.users.nixos = {
+    isNormalUser = true;
+    password = "changeme";
+    extraGroups = ["wheel" "docker"];
+    openssh.authorizedKeys.keys = [
+      #Adalbert
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJd6Gut34abkwlZ4tZVBO4Qt7CkIpPm/Z8R6JCisjnYy openpgp:0xBD0CFCA0"
+
+      #Ludwig
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlRsnLqm6Ap3yKEEhtFiWavo72df/X5Il1ZCmENUqev openpgp:0xDE189CA5"
+
+      #Franz
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIINCjLoirHMos7c9lRatWtSYAk68xbUGc8vPU0wFxIzj openpgp:0x7430326E"
+    ];
+  };
+  users.users.admin = {
+    isNormalUser = true;
+    extraGroups = ["wheel"]; # Enable ‘sudo’ for the user.
+    hashedPassword = "blablabla"; # generate with `mkpasswd`
+  };
+  nix.settings.trusted-users = ["admin" "ghoscht" "nixos"];
+
+  system.stateVersion = "23.11";
+}

hosts/franz/README.md

@@ -0,0 +1,7 @@
+# Franz
+
+## Drive Formatting
+
+```sh
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ../../disko/btrfs-swap.nix --arg device '"/dev/nvme0n1"'
+```

hosts/franz/arion/auth/arion-compose.nix

@@ -0,0 +1,131 @@
+let
+  authentikImage = "ghcr.io/goauthentik/server:2024.8.2";
+in {
+  project.name = "auth";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+  networks.internal = {};
+
+  services = {
+    authentik.service = {
+      image = authentikImage;
+      container_name = "authentik";
+      labels = {
+        "traefik.enable" = "true";
+
+        "traefik.http.services.authentik.loadbalancer.server.port" = "9000";
+        "traefik.http.routers.authentik.service" = "authentik";
+        "traefik.http.routers.authentik.rule" = "Host(`auth.ghoscht.com`)";
+        "traefik.http.routers.authentik.entrypoints" = "websecure";
+        "traefik.http.routers.authentik.tls" = "true";
+        "traefik.http.routers.authentik.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.authentik-external.loadbalancer.server.port" = "9000";
+        "traefik.http.routers.authentik-external.service" = "authentik-external";
+        "traefik.http.routers.authentik-external.rule" = "Host(`auth.ghoscht.com`)";
+        "traefik.http.routers.authentik-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.authentik-external.tls" = "true";
+        "traefik.http.routers.authentik-external.tls.certresolver" = "letsencrypt";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
+      };
+      command = "server";
+      environment = {
+        AUTHENTIK_REDIS__HOST = "redis";
+        AUTHENTIK_POSTGRESQL__HOST = "postgres";
+        AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/auth/authentik.env"
+      ];
+      restart = "always";
+      depends_on = {
+        redis = {condition = "service_healthy";};
+        postgres = {condition = "service_healthy";};
+      };
+      volumes = [
+        "/storage/dataset/docker/auth/authentik_media:/media"
+        "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
+      ];
+      networks = [
+        "dmz"
+        "internal"
+      ];
+    };
+    worker.service = {
+      image = authentikImage;
+      command = "worker";
+      environment = {
+        AUTHENTIK_REDIS__HOST = "redis";
+        AUTHENTIK_POSTGRESQL__HOST = "postgres";
+        AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/auth/authentik.env"
+      ];
+      depends_on = {
+        redis = {condition = "service_healthy";};
+        postgres = {condition = "service_healthy";};
+      };
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/storage/dataset/docker/auth/authentik_media:/media"
+        "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
+      ];
+      restart = "always";
+      user = "root";
+      networks = [
+        "internal"
+      ];
+    };
+    redis.service = {
+      image = "redis:7.2.4";
+      command = "--save 60 1 --loglevel warning";
+      healthcheck = {
+        test = [
+          "CMD-SHELL"
+          "redis-cli ping | grep PONG"
+        ];
+        start_period = "20s";
+        interval = "30s";
+        retries = 5;
+        timeout = "5s";
+      };
+      restart = "always";
+      volumes = [
+        "/storage/dataset/docker/auth/redis_data:/data"
+      ];
+      networks = [
+        "internal"
+      ];
+    };
+    postgres.service = {
+      image = "postgres:12.18";
+      restart = "always";
+      env_file = [
+        "/home/ghoscht/.docker/auth/postgres.env"
+      ];
+      volumes = [
+        "/storage/dataset/docker/auth/postgres_data:/var/lib/postgresql/data"
+      ];
+      healthcheck = {
+        test = [
+          "CMD-SHELL"
+          "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
+        ];
+        start_period = "20s";
+        interval = "30s";
+        retries = 5;
+        timeout = "5s";
+      };
+      networks = [
+        "internal"
+      ];
+    };
+  };
+}

hosts/franz/arion/auth/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/auth/default.nix

@@ -0,0 +1,45 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.auth.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."auth/postgres_db" = {
+    owner = vars.user;
+  };
+  sops.secrets."auth/postgres_user" = {
+    owner = vars.user;
+  };
+  sops.secrets."auth/postgres_pw" = {
+    owner = vars.user;
+  };
+  sops.secrets."auth/authentik_secret_key" = {
+    owner = vars.user;
+  };
+
+  sops.templates."auth-postgres.env" = {
+    path = "/home/${vars.user}/.docker/auth/postgres.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      POSTGRES_PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
+      POSTGRES_USER="${config.sops.placeholder."auth/postgres_user"}"
+      POSTGRES_DB="${config.sops.placeholder."auth/postgres_db"}"
+    '';
+  };
+
+  sops.templates."auth-authentik.env" = {
+    path = "/home/${vars.user}/.docker/auth/authentik.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      AUTHENTIK_POSTGRESQL__PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
+      AUTHENTIK_POSTGRESQL__USER="${config.sops.placeholder."auth/postgres_user"}"
+      AUTHENTIK_POSTGRESQL__NAME="${config.sops.placeholder."auth/postgres_db"}"
+      AUTHENTIK_SECRET_KEY="${config.sops.placeholder."auth/authentik_secret_key"}"
+    '';
+  };
+}

hosts/franz/arion/dashboard/arion-compose.nix

@@ -0,0 +1,42 @@
+{pkgs, ...}: {
+  project.name = "dashboard";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    homarr.service = {
+      image = "ghcr.io/ajnart/homarr:0.15.3";
+      container_name = "homarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.homarr.entrypoints" = "websecure";
+        "traefik.http.routers.homarr.rule" = "Host(`dashboard.ghoscht.com`)";
+        "traefik.http.routers.homarr.tls" = "true";
+        "traefik.http.routers.homarr.tls.certresolver" = "letsencrypt";
+      };
+      environment = {
+        AUTH_PROVIDER = "oidc";
+        AUTH_OIDC_URI = "https://auth.ghoscht.com/application/o/homarr";
+        AUTH_OIDC_CLIENT_NAME = "authentik";
+        NEXTAUTH_URL = "https://dashboard.ghoscht.com";
+        AUTH_OIDC_ADMIN_GROUP = "Homarr Admins";
+        AUTH_OIDC_OWNER_GROUP = "Homarr Admins";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/dashboard/homarr.env"
+      ];
+      volumes = [
+        "/storage/dataset/docker/dashboard/homarr_data:/data"
+        "/storage/dataset/docker/dashboard/homarr_config:/app/data/configs"
+        "/storage/dataset/docker/dashboard/homarr_icons:/app/public/imgs"
+      ];
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}

hosts/franz/arion/dashboard/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/dashboard/default.nix

@@ -0,0 +1,24 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.dashboard.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+  sops.secrets."homarr/oidc_client_id" = {
+    owner = vars.user;
+  };
+  sops.secrets."homarr/oidc_client_secret" = {
+    owner = vars.user;
+  };
+  sops.templates."homarr.env" = {
+    path = "/home/${vars.user}/.docker/dashboard/homarr.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      AUTH_OIDC_CLIENT_SECRET="${config.sops.placeholder."homarr/oidc_client_secret"}"
+      AUTH_OIDC_CLIENT_ID="${config.sops.placeholder."homarr/oidc_client_id"}"
+    '';
+  };
+}

hosts/franz/arion/default.nix

@@ -0,0 +1,51 @@
+{
+  inputs,
+  pkgs,
+  config,
+  ...
+}: {
+  imports = [
+    inputs.arion.nixosModules.arion
+    ./dns
+    ./infrastructure
+    ./nextcloud
+    ./push
+    ./git
+    ./passwords
+    ./media
+    ./dashboard
+    ./smarthome
+    ./signal
+    ./feed
+    ./matrix
+    ./headscale
+    ./auth
+    ./minio
+    ./stats
+    ./wiki
+  ];
+
+  environment.systemPackages = with pkgs; [arion];
+
+  virtualisation.arion.backend = "docker";
+
+  systemd.services.init-dmz-bridge-network = {
+    description = "Create the network bridge dmz for the Docker stack.";
+    after = ["network.target"];
+    wantedBy = ["multi-user.target"];
+
+    serviceConfig.Type = "oneshot";
+    script = let
+      dockercli = "${config.virtualisation.docker.package}/bin/docker";
+    in ''
+      # Put a true at the end to prevent getting non-zero return code, which will
+      # crash the whole service.
+      check=$(${dockercli} network ls | grep "dmz" || true)
+      if [ -z "$check" ]; then
+        ${dockercli} network create dmz
+      else
+        echo "dmz already exists in docker"
+      fi
+    '';
+  };
+}

hosts/franz/arion/dns/arion-compose.nix

@@ -0,0 +1,76 @@
+{pkgs, ...}: {
+  project.name = "dns";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  networks.dns = {
+    name = "dns";
+    driver = "bridge";
+    ipam.config = [
+      {
+        subnet = "172.28.1.0/24";
+        ip_range = "172.28.1.5/30";
+        gateway = "172.28.1.1";
+      }
+    ];
+  };
+
+  services = {
+    pihole.service = {
+      image = "pihole/pihole:2024.03.1";
+      container_name = "pihole";
+      hostname = "pihole";
+      environment = {
+        IPv6 = "True";
+        TZ = "Europe/Berlin";
+        SKIPGRAVITYONBOOT = 1;
+        VIRTUAL_HOST = "pihole.ghoscht.com";
+      };
+      volumes = [
+        "/storage/dataset/docker/dns/pihole_data:/etc/pihole"
+        "/storage/dataset/docker/dns/pihole_dnsmasq:/etc/dnsmasq.d"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.pihole.entrypoints" = "websecure";
+        "traefik.http.routers.pihole.rule" = "Host(`pihole.ghoscht.com`)";
+        "traefik.http.services.pihole.loadbalancer.server.port" = "80";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.pihole.tls" = "true";
+        "traefik.http.routers.pihole.tls.certresolver" = "letsencrypt";
+      };
+      restart = "always";
+      networks = {
+        dmz = {};
+        dns = {
+          ipv4_address = "172.28.1.6";
+        };
+      };
+      capabilities = {
+        NET_ADMIN = true;
+      };
+      ports = [
+        "8420:80"
+        "53:53/tcp"
+        "53:53/udp"
+      ];
+    };
+    unbound.service = {
+      image = "mvance/unbound:1.19.3";
+      container_name = "unbound";
+      useHostStore = true;
+      volumes = [
+        "/storage/dataset/docker/dns/unbound_data:/opt/unbound/etc/unbound"
+      ];
+      restart = "always";
+      networks = {
+        dns = {
+          ipv4_address = "172.28.1.5";
+        };
+      };
+    };
+  };
+}

hosts/franz/arion/dns/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/dns/default.nix

@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  virtualisation.arion = {
+    projects.dns.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  # Fix containers not being able to use pihole as dns
+  networking.resolvconf.useLocalResolver = true;
+  networking.firewall.allowedTCPPorts = [80 443];
+}

hosts/franz/arion/feed/arion-compose.nix

@@ -0,0 +1,46 @@
+{pkgs, ...}: {
+  project.name = "feed";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  networks.transport = {};
+
+  services = {
+    ttrss.service = {
+      image = "wangqiru/ttrss:latest-2024-02-28";
+      container_name = "ttrss";
+      ports = [
+        "181:80"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        DB_HOST = "feed-db";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/feed/ttrss.env"
+      ];
+      restart = "always";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+    feed-db.service = {
+      image = "postgres:13-alpine";
+      volumes = [
+        "/storage/dataset/docker/feed/ttrss_db:/var/lib/postgresql/data"
+      ];
+      env_file = [
+        "/home/ghoscht/.docker/feed/ttrss.env"
+      ];
+      restart = "always";
+      networks = [
+        "transport"
+      ];
+    };
+  };
+}

hosts/franz/arion/feed/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/feed/default.nix

@@ -0,0 +1,22 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.feed.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."ttrss/db_password" = {
+    owner = vars.user;
+  };
+
+  sops.templates."ttrss.env" = {
+    path = "/home/${vars.user}/.docker/feed/ttrss.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      DB_PASS="${config.sops.placeholder."ttrss/db_password"}"
+    '';
+  };
+}

hosts/franz/arion/git/arion-compose.nix

@@ -0,0 +1,76 @@
+{pkgs, ...}: {
+  project.name = "git";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  networks.transport = {};
+
+  services = {
+    forgejo.service = {
+      image = "codeberg.org/forgejo/forgejo:8.0.3";
+      container_name = "forgejo";
+      useHostStore = true;
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.docker.network" = "dmz";
+
+        "traefik.http.services.forgejo.loadbalancer.server.port" = "3000";
+        "traefik.http.routers.forgejo.service" = "forgejo";
+        "traefik.http.routers.forgejo.entrypoints" = "websecure";
+        "traefik.http.routers.forgejo.rule" = "Host(`git.ghoscht.com`)";
+        "traefik.http.routers.forgejo.tls" = "true";
+        "traefik.http.routers.forgejo.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.forgejo-external.loadbalancer.server.port" = "3000";
+        "traefik.http.routers.forgejo-external.service" = "forgejo-external";
+        "traefik.http.routers.forgejo-external.rule" = "Host(`git.ghoscht.com`)";
+        "traefik.http.routers.forgejo-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.forgejo-external.tls" = "true";
+        "traefik.http.routers.forgejo-external.tls.certresolver" = "letsencrypt";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.sort_tags" = "semver";
+        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
+        "diun.exclude_tags" = "\\b\\d{4,}\\b";
+      };
+      volumes = [
+        "/storage/dataset/docker/git/forgejo_data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      ports = [
+        "2222:22"
+      ];
+      environment = {
+        USER_UID = 1000;
+        USER_GID = 1000;
+        GITEA__database__DB_TYPE = "postgres";
+        GITEA__database__HOST = "git-db:5432";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/git/forgejo.env"
+      ];
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+    git-db.service = {
+      image = "postgres:15.3-bullseye";
+      env_file = [
+        "/home/ghoscht/.docker/git/forgejo-db.env"
+      ];
+      volumes = [
+        "/storage/dataset/docker/git/forgejo_db:/var/lib/postgresql/data"
+      ];
+      restart = "unless-stopped";
+      networks = [
+        "transport"
+      ];
+    };
+  };
+}

hosts/franz/arion/git/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/git/default.nix

@@ -0,0 +1,41 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.git.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."forgejo/db_password" = {
+    owner = vars.user;
+  };
+  sops.secrets."forgejo/db_user" = {
+    owner = vars.user;
+  };
+  sops.secrets."forgejo/db_database" = {
+    owner = vars.user;
+  };
+
+  sops.templates."forgejo.env" = {
+    path = "/home/${vars.user}/.docker/git/forgejo.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      GITEA__database__NAME="${config.sops.placeholder."forgejo/db_database"}"
+      GITEA__database__USER="${config.sops.placeholder."forgejo/db_user"}"
+      GITEA__database__PASSWD="${config.sops.placeholder."forgejo/db_password"}"
+    '';
+  };
+
+  sops.templates."forgejo-db.env" = {
+    path = "/home/${vars.user}/.docker/git/forgejo-db.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      POSTGRES_DB="${config.sops.placeholder."forgejo/db_database"}"
+      POSTGRES_USER="${config.sops.placeholder."forgejo/db_user"}"
+      POSTGRES_PASSWORD="${config.sops.placeholder."forgejo/db_password"}"
+    '';
+  };
+}

hosts/franz/arion/headscale/arion-compose.nix

@@ -0,0 +1,56 @@
+{pkgs, ...}: {
+  project.name = "headscale";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    headscale.service = {
+      image = "headscale/headscale:0.22.3-debug";
+      container_name = "headscale";
+      restart = "always";
+      command = "headscale serve";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.services.headscale.loadbalancer.server.port" = "8080";
+        "traefik.http.routers.headscale.service" = "headscale";
+        "traefik.http.routers.headscale.entrypoints" = "websecure";
+        "traefik.http.routers.headscale.rule" = "Host(`headscale.ghoscht.com`)";
+        "traefik.http.routers.headscale.tls" = "true";
+        "traefik.http.routers.headscale.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.headscale-external.loadbalancer.server.port" = "8080";
+        "traefik.http.routers.headscale-external.service" = "headscale-external";
+        "traefik.http.routers.headscale-external.rule" = "Host(`headscale.ghoscht.com`)";
+        "traefik.http.routers.headscale-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.headscale-external.tls" = "true";
+        "traefik.http.routers.headscale-external.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/storage/dataset/docker/headscale/headscale_config:/etc/headscale"
+        "/storage/dataset/docker/headscale/headscale_data:/var/lib/headscale"
+      ];
+      networks = [
+        "dmz"
+      ];
+    };
+    headscale-ui.service = {
+      image = "ghcr.io/gurucomputing/headscale-ui:2024.02.24-beta1";
+      container_name = "headscale-ui";
+      restart = "always";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.headscale-ui.entrypoints" = "websecure";
+        "traefik.http.routers.headscale-ui.rule" = "PathPrefix(`/web`)&&Host(`headscale.ghoscht.com`)";
+        "traefik.http.services.headscale-ui.loadbalancer.server.port" = "80";
+        "traefik.http.routers.headscale-ui.tls" = "true";
+        "traefik.http.routers.headscale-ui.tls.certresolver" = "letsencrypt";
+      };
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}

hosts/franz/arion/headscale/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/headscale/default.nix

@@ -0,0 +1,15 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  # Tailscale client for exit node/routes
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "server";
+  };
+
+  virtualisation.arion = {
+    projects.headscale.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}

hosts/franz/arion/infrastructure/arion-compose.nix

@@ -0,0 +1,172 @@
+{pkgs, ...}: {
+  project.name = "infrastructure";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  docker-compose.volumes = {
+    traefik-logs = null;
+  };
+
+  services = {
+    traefik.service = {
+      image = "traefik:v3.1.3";
+      container_name = "traefik";
+      useHostStore = true;
+      ports = [
+        "80:80"
+        "81:81"
+        "443:443"
+        "444:444"
+        "8421:8080"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.dashboard.rule" = "Host(`traefik.ghoscht.com`)";
+        "traefik.http.routers.dashboard.entrypoints" = "websecure";
+        "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
+        "traefik.http.routers.dashboard.tls" = "true";
+        "traefik.http.routers.dashboard.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.routers.dashboard.tls.domains[0].main" = "ghoscht.com";
+        "traefik.http.routers.dashboard.tls.domains[0].sans" = "*.ghoscht.com";
+
+        "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme" = "https";
+        "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto" = "https";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.sort_tags" = "semver";
+        "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
+        "/home/ghoscht/.docker/infrastructure/traefik_config/conf:/conf:ro"
+        "/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json"
+        "/var/run/docker.sock:/var/run/docker.sock:ro"
+        "traefik-logs:/var/log/traefik"
+      ];
+      env_file = [
+        "/home/ghoscht/.docker/infrastructure/traefik.env"
+      ];
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+    crowdsec.service = {
+      image = "crowdsecurity/crowdsec:v1.6.3";
+      container_name = "crowdsec";
+      environment = {
+        GID = "1000";
+        COLLECTIONS = "crowdsecurity/linux crowdsecurity/traefik firix/authentik LePresidente/gitea Dominic-Wagner/vaultwarden";
+      };
+      volumes = [
+        "/storage/dataset/docker/infrastructure/crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml"
+        "/storage/dataset/docker/infrastructure/crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml"
+        "/storage/dataset/docker/infrastructure/crowdsec_config/ntfy.yaml:/etc/crowdsec/notifications/ntfy.yaml"
+        "/storage/dataset/docker/infrastructure/crowdsec_db:/var/lib/crowdsec/data/"
+        "/storage/dataset/docker/infrastructure/crowdsec_data:/etc/crowdsec/"
+        "traefik-logs:/var/log/traefik/:ro"
+        "/var/run/docker.sock:/var/run/docker.sock:ro"
+      ];
+      labels = {
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.sort_tags" = "semver";
+        "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
+      };
+      depends_on = [
+        "traefik"
+      ];
+      networks = [
+        "dmz"
+      ];
+      restart = "always";
+    };
+    bouncer-traefik.service = {
+      image = "fbonalair/traefik-crowdsec-bouncer:0.5.0";
+      environment = {
+        CROWDSEC_AGENT_HOST = "crowdsec:8080";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/infrastructure/traefik-bouncer.env"
+      ];
+      depends_on = [
+        "crowdsec"
+      ];
+      networks = [
+        "dmz"
+      ];
+      restart = "always";
+    };
+    scrutiny.service = {
+      image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
+      container_name = "scrutiny";
+      restart = "always";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.scrutiny.entrypoints" = "websecure";
+        "traefik.http.routers.scrutiny.rule" = "Host(`scrutiny.ghoscht.com`)";
+        "traefik.http.services.scrutiny.loadbalancer.server.port" = "8080";
+        "traefik.http.routers.scrutiny.tls" = "true";
+        "traefik.http.routers.scrutiny.tls.certresolver" = "letsencrypt";
+      };
+      capabilities = {
+        SYS_RAWIO = true;
+        SYS_ADMIN = true; #enables nvme support
+      };
+      volumes = [
+        "/run/udev:/run/udev:ro"
+        "/storage/dataset/docker/infrastructure/scrutiny_data:/opt/scrutiny/config"
+        "/storage/dataset/docker/infrastructure/scrutiny_influxdb_data:/opt/scrutiny/influxdb"
+      ];
+      devices = [
+        "/dev/nvme0"
+        "/dev/sda"
+        "/dev/sdb"
+        "/dev/sdc"
+        "/dev/sdd"
+        "/dev/sde"
+        "/dev/sdf"
+      ];
+      networks = [
+        "dmz"
+      ];
+    };
+    diun.service = {
+      image = "crazymax/diun:4.28";
+      container_name = "diun";
+      restart = "always";
+      command = "serve";
+      volumes = [
+        "/storage/dataset/docker/infrastructure/diun_data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+      environment = {
+        TZ = "Europe/Berlin";
+        LOG_LEVEL = "info";
+        #Only when setting workers=1 sorting can be actually observed
+        DIUN_WATCH_WORKERS = "20";
+        DIUN_WATCH_SCHEDULE = "0 */6 * * *";
+        DIUN_WATCH_JITTER = "30s";
+        DIUN_WATCH_RUNONSTARTUP = "true";
+        DIUN_PROVIDERS_DOCKER = "true";
+
+        DIUN_DEFAULTS_MAXTAGS = 1;
+        DIUN_DEFAULTS_NOTIFYON = "new";
+
+        DIUN_NOTIF_NTFY_ENDPOINT = "http://ntfy";
+        DIUN_NOTIF_NTFY_TOPIC = "docker-updates";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/infrastructure/diun.env"
+      ];
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}

hosts/franz/arion/infrastructure/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/infrastructure/default.nix

@@ -0,0 +1,132 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.infrastructure.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."cloudflared/tunnel_token" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."traefik/acme_email" = {
+    owner = vars.user;
+  };
+  sops.secrets."traefik/cloudflare_email" = {
+    owner = vars.user;
+  };
+  sops.secrets."traefik/cloudflare_api_key" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."crowdsec/traefik_bouncer_api_key" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."diun/ntfy_access_token" = {
+    owner = vars.user;
+  };
+
+  sops.templates."cloudflared.env" = {
+    path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
+    '';
+  };
+
+  sops.templates."traefik.env" = {
+    path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
+      CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
+    '';
+  };
+
+  sops.templates."traefik-bouncer.env" = {
+    path = "/home/${vars.user}/.docker/infrastructure/traefik-bouncer.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      CROWDSEC_BOUNCER_API_KEY="${config.sops.placeholder."crowdsec/traefik_bouncer_api_key"}"
+    '';
+  };
+
+  sops.templates."traefik.yml" = {
+    path = "/home/${vars.user}/.docker/infrastructure/traefik_config/traefik.yml";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      api:
+        dashboard: true
+        debug: true
+        insecure: true
+      entryPoints:
+        web:
+          address: ":80"
+          http:
+            redirections:
+              entrypoint:
+                to: websecure
+                scheme: https
+        websecure:
+          address: ":443"
+        web-external:
+          address: ":81"
+          http:
+            redirections:
+              entrypoint:
+                to: websecure-external
+                scheme: https
+            middlewares:
+              - crowdsec-bouncer@file
+        websecure-external:
+          address: ":444"
+          http:
+            middlewares:
+              - crowdsec-bouncer@file
+      providers:
+        docker:
+          watch: true
+          exposedByDefault: false
+          network: dmz
+        file:
+          watch: true
+          directory: /conf/
+      certificatesResolvers:
+        letsencrypt:
+          acme:
+            email: ${config.sops.placeholder."traefik/acme_email"}
+            storage: acme.json
+            dnsChallenge:
+              provider: cloudflare
+              resolvers:
+                - "1.1.1.1:53"
+                - "1.0.0.1:53"
+      log:
+        level: "INFO"
+        filePath: "/var/log/traefik/traefik.log"
+      accessLog:
+        filePath: "/var/log/traefik/access.log"
+    '';
+  };
+  sops.templates."diun.env" = {
+    path = "/home/${vars.user}/.docker/infrastructure/diun.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      DIUN_NOTIF_NTFY_TOKEN="${config.sops.placeholder."diun/ntfy_access_token"}"
+    '';
+  };
+  services.cron = {
+    enable = true;
+    systemCronJobs = [
+      "0 * * * *      root    . /etc/profile; docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade >> /var/log/crowdsec-update.log"
+    ];
+  };
+}

hosts/franz/arion/matrix/arion-compose.nix

@@ -0,0 +1,113 @@
+{pkgs, ...}: {
+  project.name = "matrix";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  networks.transport = {};
+
+  services = {
+    synapse.service = {
+      image = "matrixdotorg/synapse:v1.113.0";
+      container_name = "synapse";
+      labels = {
+        "traefik.enable" = "true";
+
+        "traefik.http.services.synapse.loadbalancer.server.port" = "8008";
+        "traefik.http.routers.synapse.service" = "synapse";
+        "traefik.http.routers.synapse.entrypoints" = "websecure";
+        "traefik.http.routers.synapse.rule" = "Host(`synapse.ghoscht.com`)";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.synapse.tls" = "true";
+        "traefik.http.routers.synapse.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.synapse-external.loadbalancer.server.port" = "8008";
+        "traefik.http.routers.synapse-external.service" = "synapse-external";
+        "traefik.http.routers.synapse-external.rule" = "Host(`synapse.ghoscht.com`)";
+        "traefik.http.routers.synapse-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.synapse-external.tls" = "true";
+        "traefik.http.routers.synapse-external.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/storage/dataset/docker/matrix/synapse_data:/data"
+      ];
+      env_file = [
+        "/home/ghoscht/.docker/matrix/synapse.env"
+      ];
+      environment = {
+        UID = "1000";
+        GID = "1000";
+        TZ = "Europe/Berlin";
+      };
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+    postgres.service = {
+      image = "postgres:14";
+      env_file = [
+        "/home/ghoscht/.docker/matrix/synapse.env"
+      ];
+      volumes = [
+        "/storage/dataset/docker/matrix/synapse_db:/var/lib/postgresql/data"
+      ];
+      restart = "unless-stopped";
+      networks = [
+        "transport"
+      ];
+    };
+    matrix-nginx.service = {
+      container_name = "matrix-nginx";
+      image = "nginx:1.25.4";
+      volumes = [
+        "/storage/dataset/docker/matrix/nginx_data/matrix.conf:/etc/nginx/conf.d/matrix.conf"
+        "/storage/dataset/docker/matrix/nginx_data/www:/var/www/"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+
+        "traefik.http.services.matrix.loadbalancer.server.port" = "80";
+        "traefik.http.routers.matrix.service" = "matrix";
+        "traefik.http.routers.matrix.entrypoints" = "websecure";
+        "traefik.http.routers.matrix.rule" = "Host(`matrix.ghoscht.com`)";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.matrix.tls" = "true";
+        "traefik.http.routers.matrix.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.matrix-external.loadbalancer.server.port" = "80";
+        "traefik.http.routers.matrix-external.service" = "matrix-external";
+        "traefik.http.routers.matrix-external.rule" = "Host(`matrix.ghoscht.com`)";
+        "traefik.http.routers.matrix-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.matrix-external.tls" = "true";
+        "traefik.http.routers.matrix-external.tls.certresolver" = "letsencrypt";
+      };
+      restart = "unless-stopped";
+      networks = [
+        "transport"
+        "dmz"
+      ];
+    };
+    element.service = {
+      image = "vectorim/element-web:v1.11.64";
+      volumes = [
+        "/storage/dataset/docker/matrix/element_data/element-config.json:/app/config.json"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.element.entrypoints" = "websecure";
+        "traefik.http.routers.element.rule" = "Host(`chat.ghoscht.com`)";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.element.tls" = "true";
+        "traefik.http.routers.element.tls.certresolver" = "letsencrypt";
+      };
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}

hosts/franz/arion/matrix/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/matrix/default.nix

@@ -0,0 +1,30 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  # virtualisation.arion = {
+  #   projects.matrix.settings = {
+  #     imports = [./arion-compose.nix];
+  #   };
+  # };
+
+  sops.secrets."matrix/postgres_password" = {
+    owner = vars.user;
+  };
+  sops.secrets."matrix/postgres_database" = {
+    owner = vars.user;
+  };
+  sops.secrets."matrix/postgres_user" = {
+    owner = vars.user;
+  };
+
+  sops.templates."synapse.env" = {
+    path = "/home/${vars.user}/.docker/matrix/synapse.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      POSTGRES_DB="${config.sops.placeholder."matrix/postgres_database"}"
+      POSTGRES_USER="${config.sops.placeholder."matrix/postgres_user"}"
+      POSTGRES_PASSWORD="${config.sops.placeholder."matrix/postgres_password"}"
+    '';
+  };
+}

hosts/franz/arion/media/arion-compose.nix

@@ -0,0 +1,458 @@
+{pkgs, ...}: {
+  project.name = "media";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+  networks.internal = {};
+
+  services = {
+    jellyfin.service = {
+      image = "linuxserver/jellyfin:10.9.10";
+      container_name = "jellyfin";
+      ports = [
+        "8096:8096"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.jellyfin.entrypoints" = "websecure";
+        "traefik.http.routers.jellyfin.rule" = "Host(`jellyfin.ghoscht.com`)";
+        "traefik.http.services.jellyfin.loadbalancer.server.port" = "8096";
+        "traefik.http.services.jellyfin.loadbalancer.passHostHeader" = "true";
+        "traefik.http.routers.jellyfin.tls" = "true";
+        "traefik.http.routers.jellyfin.tls.certresolver" = "letsencrypt";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.sort_tags" = "semver";
+        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
+        "diun.exclude_tags" = "\\b\\d{4,}\\b";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/jellyfin_data:/config"
+        "/storage/dataset/data/media/tv:/tv"
+        "/storage/dataset/data/media/anime:/anime"
+        "/storage/dataset/data/media/movies:/movies"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+    navidrome.service = {
+      image = "deluan/navidrome:0.53.1";
+      container_name = "navidrome";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.docker.network" = "dmz";
+
+        "traefik.http.services.navidrome.loadbalancer.server.port" = "4533";
+        "traefik.http.routers.navidrome.service" = "navidrome";
+        "traefik.http.routers.navidrome.entrypoints" = "websecure";
+        "traefik.http.routers.navidrome.rule" = "Host(`music.ghoscht.com`)";
+        "traefik.http.routers.navidrome.tls" = "true";
+        "traefik.http.routers.navidrome.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.navidrome-external.loadbalancer.server.port" = "4533";
+        "traefik.http.routers.navidrome-external.service" = "navidrome-external";
+        "traefik.http.routers.navidrome-external.rule" = "Host(`music.ghoscht.com`)";
+        "traefik.http.routers.navidrome-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.navidrome-external.tls" = "true";
+        "traefik.http.routers.navidrome-external.tls.certresolver" = "letsencrypt";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.sort_tags" = "semver";
+        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
+        "diun.exclude_tags" = "\\b\\d{4,}\\b";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/navidrome_data:/data"
+        "/storage/dataset/data/media/music:/music"
+      ];
+      environment = {
+        ND_SESSIONTIMEOUT = "336h";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/media/navidrome.env"
+      ];
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+    kavita.service = {
+      image = "jvmilazz0/kavita:0.8.1";
+      container_name = "kavita";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.kavita.entrypoints" = "websecure";
+        "traefik.http.routers.kavita.rule" = "Host(`kavita.ghoscht.com`)";
+        "traefik.http.services.kavita.loadbalancer.server.port" = "5000";
+        "traefik.http.routers.kavita.tls" = "true";
+        "traefik.http.routers.kavita.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/kavita_data:/kavita/config"
+        "/storage/dataset/data/media/manga:/manga"
+        "/storage/dataset/data/media/comics:/comics"
+      ];
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+    vpn.service = {
+      image = "haugene/transmission-openvpn:5.3.1";
+      container_name = "transmission";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.transmission.entrypoints" = "websecure";
+        "traefik.http.routers.transmission.rule" = "Host(`transmission.ghoscht.com`)";
+        "traefik.http.services.transmission.loadbalancer.server.port" = "9091";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.transmission.tls" = "true";
+        "traefik.http.routers.transmission.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.transmission.middlewares" = "authentik@file";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/transmission_data:/config"
+        "/storage/dataset/data/:/data"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+        OPENVPN_PROVIDER = "WINDSCRIBE";
+        OPENVPN_CONFIG = "Amsterdam-Tulip-udp";
+        OVPN_PROTOCOL = "udp";
+        OPENVPN_OPTS = "--reneg-sec 0 --verb 4";
+        LOCAL_NETWORK = "192.168.0.0/16";
+        TRANSMISSION_DOWNLOAD_DIR = "/data/torrents";
+        TRANSMISSION_INCOMPLETE_DIR = "/data/torrents/incomplete";
+        TRANSMISSION_WEB_UI = "flood-for-transmission";
+        WEBPROXY_ENABLED = "true";
+      };
+      ports = ["8118:8118"];
+      env_file = [
+        "/home/ghoscht/.docker/media/windscribe.env"
+      ];
+      capabilities = {
+        NET_ADMIN = true;
+      };
+      restart = "always";
+      networks = [
+        "dmz"
+        "internal"
+      ];
+    };
+    prowlarr.service = {
+      image = "linuxserver/prowlarr:1.21.2";
+      container_name = "prowlarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.prowlarr.entrypoints" = "websecure";
+        "traefik.http.routers.prowlarr.rule" = "Host(`prowlarr.ghoscht.com`)";
+        "traefik.http.services.prowlarr.loadbalancer.server.port" = "9696";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.prowlarr.tls" = "true";
+        "traefik.http.routers.prowlarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.prowlarr.middlewares" = "authentik@file";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/prowlarr_data:/config"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+      };
+      restart = "always";
+    };
+    sonarr.service = {
+      image = "linuxserver/sonarr:4.0.9";
+      container_name = "sonarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.sonarr.entrypoints" = "websecure";
+        "traefik.http.routers.sonarr.rule" = "Host(`sonarr.ghoscht.com`)";
+        "traefik.http.services.sonarr.loadbalancer.server.port" = "8989";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.sonarr.tls" = "true";
+        "traefik.http.routers.sonarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.sonarr.middlewares" = "authentik@file";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/sonarr_data:/config"
+        "/storage/dataset/data/:/data"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+    radarr.service = {
+      image = "linuxserver/radarr:5.9.1";
+      container_name = "radarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.radarr.entrypoints" = "websecure";
+        "traefik.http.routers.radarr.rule" = "Host(`radarr.ghoscht.com`)";
+        "traefik.http.services.radarr.loadbalancer.server.port" = "7878";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.radarr.tls" = "true";
+        "traefik.http.routers.radarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.radarr.middlewares" = "authentik@file";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/radarr_data:/config"
+        "/storage/dataset/data/:/data"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+    lidarr.service = {
+      image = "linuxserver/lidarr:2.4.3";
+      container_name = "lidarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.lidarr.entrypoints" = "websecure";
+        "traefik.http.routers.lidarr.rule" = "Host(`lidarr.ghoscht.com`)";
+        "traefik.http.services.lidarr.loadbalancer.server.port" = "8686";
+        "traefik.http.routers.lidarr.service" = "lidarr";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.lidarr.tls" = "true";
+        "traefik.http.routers.lidarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.lidarr.middlewares" = "authentik@file";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/lidarr_data:/config"
+        "/storage/dataset/docker/media/lidarr_addons/custom-services.d:/custom-services.d"
+        "/storage/dataset/docker/media/lidarr_addons/custom-cont-init.d:/custom-cont-init.d"
+        "/storage/dataset/data/:/data"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+    bazarr.service = {
+      image = "hotio/bazarr:release-1.4.3";
+      container_name = "bazarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.bazarr.entrypoints" = "websecure";
+        "traefik.http.routers.bazarr.rule" = "Host(`bazarr.ghoscht.com`)";
+        "traefik.http.services.bazarr.loadbalancer.server.port" = "6767";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.bazarr.tls" = "true";
+        "traefik.http.routers.bazarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.bazarr.middlewares" = "authentik@file";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/bazarr_data:/config"
+        "/storage/dataset/data/:/data"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      networks = ["dmz"];
+      restart = "always";
+    };
+    jellyseerr.service = {
+      image = "fallenbagel/jellyseerr:1.7.0";
+      container_name = "jellyseerr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.jellyseerr.entrypoints" = "websecure";
+        "traefik.http.routers.jellyseerr.rule" = "Host(`jellyseerr.ghoscht.com`)";
+        "traefik.http.services.jellyseerr.loadbalancer.server.port" = "5055";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.jellyseerr.tls" = "true";
+        "traefik.http.routers.jellyseerr.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/jellyseerr_data:/app/config"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      networks = ["dmz"];
+      restart = "always";
+    };
+    autobrr.service = {
+      image = "ghcr.io/autobrr/autobrr:v1.46.0";
+      container_name = "autobrr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.autobrr.entrypoints" = "websecure";
+        "traefik.http.routers.autobrr.rule" = "Host(`autobrr.ghoscht.com`)";
+        "traefik.http.services.autobrr.loadbalancer.server.port" = "7474";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.autobrr.tls" = "true";
+        "traefik.http.routers.autobrr.tls.certresolver" = "letsencrypt";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
+      };
+      volumes = [
+        "/storage/dataset/docker/media/autobrr_data:/config"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+        sonarr = {condition = "service_started";};
+        radarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+    deemix.service = {
+      image = "finniedj/deemix:latest";
+      container_name = "deemix";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.deemix.entrypoints" = "websecure";
+        "traefik.http.routers.deemix.rule" = "Host(`deemix.ghoscht.com`)";
+        "traefik.http.services.deemix.loadbalancer.server.port" = "6595";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.deemix.tls" = "true";
+        "traefik.http.routers.deemix.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/storage/dataset/data/deemix:/downloads"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        UMASK_SET = 022;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+      };
+      restart = "always";
+    };
+    unpackerr.service = {
+      image = "golift/unpackerr:0.13";
+      container_name = "unpackerr";
+      volumes = [
+        "/storage/dataset/data/:/data"
+      ];
+      user = "1000:1000";
+      env_file = [
+        "/home/ghoscht/.docker/media/unpackerr.env"
+      ];
+      environment = {
+        TZ = "Europe/Berlin";
+        # General config
+        UN_DEBUG = "false";
+        UN_INTERVAL = "2m";
+        UN_START_DELAY = "1m";
+        UN_RETRY_DELAY = "5m";
+        UN_MAX_RETRIES = 3;
+        UN_PARALLEL = 1;
+        UN_FILE_MODE = 0644;
+        UN_DIR_MODE = 0755;
+        # Sonarr Config
+        UN_SONARR_0_URL = "http://transmission:8989";
+        UN_SONARR_0_PATHS_0 = "/data/torrents/tv";
+        UN_SONARR_0_PROTOCOLS = "torrent";
+        UN_SONARR_0_TIMEOUT = "10s";
+        UN_SONARR_0_DELETE_ORIG = "false";
+        UN_SONARR_0_DELETE_DELAY = "5m";
+        # Radarr Config
+        UN_RADARR_0_URL = "http://transmission:7878";
+        UN_RADARR_0_PATHS_0 = "/data/torrents/movies";
+        UN_RADARR_0_PROTOCOLS = "torrent";
+        UN_RADARR_0_TIMEOUT = "10s";
+        UN_RADARR_0_DELETE_ORIG = "false";
+        UN_RADARR_0_DELETE_DELAY = "5m";
+        # Lidarr Config
+        UN_LIDARR_0_URL = "http://transmission:8686";
+        UN_LIDARR_0_PATHS_0 = "/data/torrents/music";
+        UN_LIDARR_0_PROTOCOLS = "torrent";
+        UN_LIDARR_0_TIMEOUT = "10s";
+        UN_LIDARR_0_DELETE_ORIG = "false";
+        UN_LIDARR_0_DELETE_DELAY = "5m";
+      };
+      networks = ["dmz"];
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+        sonarr = {condition = "service_started";};
+        radarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+    port-refresh.service = {
+      image = "ghoscht/windscribe-ephemeral-port:latest";
+      container_name = "port-refresh";
+      volumes = [
+        "/storage/dataset/docker/media/port-refresh_config/config.yml:/config/config.yaml"
+      ];
+      networks = [
+        "internal"
+      ];
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+      };
+    };
+  };
+}

hosts/franz/arion/media/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/media/default.nix

@@ -0,0 +1,73 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.media.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."navidrome/spotify_id" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."navidrome/spotify_secret" = {
+    owner = vars.user;
+  };
+  sops.secrets."navidrome/lastfm_api_key" = {
+    owner = vars.user;
+  };
+  sops.secrets."navidrome/lastfm_api_secret" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."windscribe/openvpn_username" = {
+    owner = vars.user;
+  };
+  sops.secrets."windscribe/openvpn_password" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."unpackerr/sonarr_api_key" = {
+    owner = vars.user;
+  };
+  sops.secrets."unpackerr/radarr_api_key" = {
+    owner = vars.user;
+  };
+  sops.secrets."unpackerr/lidarr_api_key" = {
+    owner = vars.user;
+  };
+
+  sops.templates."navidrome.env" = {
+    path = "/home/${vars.user}/.docker/media/navidrome.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      ND_SPOTIFY_ID="${config.sops.placeholder."navidrome/spotify_id"}"
+      ND_SPOTIFY_SECRET="${config.sops.placeholder."navidrome/spotify_secret"}"
+      ND_LASTFM_APIKEY="${config.sops.placeholder."navidrome/lastfm_api_key"}"
+      ND_LASTFM_SECRET="${config.sops.placeholder."navidrome/lastfm_api_secret"}"
+    '';
+  };
+
+  sops.templates."windscribe.env" = {
+    path = "/home/${vars.user}/.docker/media/windscribe.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      OPENVPN_USERNAME="${config.sops.placeholder."windscribe/openvpn_username"}"
+      OPENVPN_PASSWORD="${config.sops.placeholder."windscribe/openvpn_password"}"
+    '';
+  };
+
+  sops.templates."unpackerr.env" = {
+    path = "/home/${vars.user}/.docker/media/unpackerr.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      UN_SONARR_0_API_KEY="${config.sops.placeholder."unpackerr/sonarr_api_key"}"
+      UN_RADARR_0_API_KEY="${config.sops.placeholder."unpackerr/lidarr_api_key"}"
+      UN_LIDARR_0_API_KEY="${config.sops.placeholder."unpackerr/radarr_api_key"}"
+    '';
+  };
+}

hosts/franz/arion/minio/arion-compose.nix

@@ -0,0 +1,48 @@
+{
+  project.name = "minio";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    minio.service = {
+      image = "bitnami/minio:2024.5.10";
+      container_name = "minio";
+      labels = {
+        "traefik.enable" = "true";
+
+        # API
+        "traefik.http.routers.minio.rule" = "Host(`files.ghoscht.com`)";
+        "traefik.http.routers.minio.service" = "minio";
+        "traefik.http.routers.minio.entrypoints" = "websecure";
+        "traefik.http.services.minio.loadbalancer.server.port" = "9000";
+        "traefik.http.routers.minio.tls" = "true";
+        "traefik.http.routers.minio.tls.certresolver" = "letsencrypt";
+
+        # Dashboard
+        "traefik.http.routers.minio-dash.rule" = "Host(`minio.ghoscht.com`)";
+        "traefik.http.routers.minio-dash.service" = "minio-dash";
+        "traefik.http.routers.minio-dash.entrypoints" = "websecure";
+        "traefik.http.services.minio-dash.loadbalancer.server.port" = "9001";
+        "traefik.http.routers.minio-dash.tls" = "true";
+        "traefik.http.routers.minio-dash.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/storage/dataset/docker/minio/minio_data:/data"
+      ];
+      environment = {
+        MINIO_DATA_DIR = "/data";
+        MINIO_BROWSER_REDIRECT_URL = "https://minio.ghoscht.com";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/minio/minio.env"
+      ];
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}

hosts/franz/arion/minio/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/minio/default.nix

@@ -0,0 +1,25 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.minio.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+  sops.secrets."minio/root_user" = {
+    owner = vars.user;
+  };
+  sops.secrets."minio/root_password" = {
+    owner = vars.user;
+  };
+
+  sops.templates."minio.env" = {
+    path = "/home/${vars.user}/.docker/minio/minio.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      MINIO_ROOT_USER="${config.sops.placeholder."minio/root_user"}"
+      MINIO_ROOT_PASSWORD="${config.sops.placeholder."minio/root_password"}"
+    '';
+  };
+}

hosts/franz/arion/nextcloud/arion-compose.nix

@@ -0,0 +1,60 @@
+{pkgs, ...}: {
+  project.name = "nextcloud";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  networks.transport = {};
+
+  services = {
+    nextcloud.service = {
+      image = "nextcloud:28.0.4";
+      container_name = "nextcloud";
+      useHostStore = true;
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.nextcloud.entrypoints" = "websecure";
+        "traefik.http.routers.nextcloud.rule" = "Host(`nextcloud.ghoscht.com`)";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.nextcloud.tls" = "true";
+        "traefik.http.routers.nextcloud.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/storage/dataset/docker/nextcloud/nextcloud_data:/var/www/html"
+      ];
+      hostname = "nextcloud.ghoscht.com";
+      environment = {
+        REDIS_HOST = "nextcloud-redis";
+        REDIS_PORT = 6379;
+      };
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+    nextcloud-db.service = {
+      image = "mariadb:11.4.1-rc-jammy";
+      env_file = [
+        "/home/ghoscht/.docker/nextcloud/nextcloud.env"
+      ];
+      volumes = [
+        "/storage/dataset/docker/nextcloud/nextcloud_db:/var/lib/mysql"
+      ];
+      restart = "unless-stopped";
+      command = "--transaction-isolation=READ-COMMITTED --binlog-format=ROW";
+      networks = [
+        "transport"
+      ];
+    };
+    nextcloud-redis.service = {
+      image = "redis:alpine3.19";
+      restart = "unless-stopped";
+      networks = [
+        "transport"
+      ];
+    };
+  };
+}

hosts/franz/arion/nextcloud/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/nextcloud/default.nix

@@ -0,0 +1,41 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.nextcloud.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  services.cron = {
+    enable = true;
+    systemCronJobs = [
+      "*/5 * * * *      root    . /etc/profile; docker exec -u www-data nextcloud php /var/www/html/cron.php"
+    ];
+  };
+
+  sops.secrets."nextcloud/mysql_root_password" = {
+    owner = vars.user;
+  };
+  sops.secrets."nextcloud/mysql_password" = {
+    owner = vars.user;
+  };
+  sops.secrets."nextcloud/mysql_database" = {
+    owner = vars.user;
+  };
+  sops.secrets."nextcloud/mysql_user" = {
+    owner = vars.user;
+  };
+
+  sops.templates."nextcloud.env" = {
+    path = "/home/${vars.user}/.docker/nextcloud/nextcloud.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
+      MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
+      MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
+      MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
+    '';
+  };
+}

hosts/franz/arion/passwords/arion-compose.nix

@@ -0,0 +1,49 @@
+{pkgs, ...}: {
+  project.name = "passwords";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    vaultwarden.service = {
+      image = "vaultwarden/server:1.32.0";
+      container_name = "vaultwarden";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.docker.network" = "dmz";
+
+        "traefik.http.services.vaultwarden.loadbalancer.server.port" = "80";
+        "traefik.http.routers.vaultwarden.service" = "vaultwarden";
+        "traefik.http.routers.vaultwarden.entrypoints" = "websecure";
+        "traefik.http.routers.vaultwarden.rule" = "Host(`vault.ghoscht.com`)";
+        "traefik.http.routers.vaultwarden.tls" = "true";
+        "traefik.http.routers.vaultwarden.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.vaultwarden-external.loadbalancer.server.port" = "80";
+        "traefik.http.routers.vaultwarden-external.service" = "vaultwarden-external";
+        "traefik.http.routers.vaultwarden-external.rule" = "Host(`vault.ghoscht.com`)";
+        "traefik.http.routers.vaultwarden-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.vaultwarden-external.tls" = "true";
+        "traefik.http.routers.vaultwarden-external.tls.certresolver" = "letsencrypt";
+
+        "diun.enable" = "true";
+        "diun.watch_repo" = "true";
+        "diun.sort_tags" = "semver";
+        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
+        "diun.exclude_tags" = "\\b\\d{4,}\\b";
+      };
+      volumes = [
+        "/storage/dataset/docker/passwords/vaultwarden_data/:/data"
+      ];
+      environment = {
+        DOMAIN = "http://vaultwarden.ghoscht.com";
+      };
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}

hosts/franz/arion/passwords/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/passwords/default.nix

@@ -0,0 +1,8 @@
+{config, ...}: let
+in {
+  virtualisation.arion = {
+    projects.password.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}

hosts/franz/arion/push/arion-compose.nix

@@ -0,0 +1,46 @@
+{pkgs, ...}: {
+  project.name = "push";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    ntfy.service = {
+      image = "binwiederhier/ntfy:v2.10.0";
+      container_name = "ntfy";
+      user = "1000:1000";
+      command = "serve";
+      useHostStore = true;
+      labels = {
+        "traefik.enable" = "true";
+
+        "traefik.http.routers.ntfy.service" = "ntfy";
+        "traefik.http.services.ntfy.loadbalancer.server.port" = "80";
+        "traefik.http.routers.ntfy.entrypoints" = "websecure";
+        "traefik.http.routers.ntfy.rule" = "Host(`push.ghoscht.com`)";
+        "traefik.http.routers.ntfy.tls" = "true";
+        "traefik.http.routers.ntfy.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.routers.ntfy-external.service" = "ntfy-external";
+        "traefik.http.services.ntfy-external.loadbalancer.server.port" = "80";
+        "traefik.http.routers.ntfy-external.rule" = "Host(`push.ghoscht.com`)";
+        "traefik.http.routers.ntfy-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.ntfy-external.tls" = "true";
+        "traefik.http.routers.ntfy-external.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/push/ntfy_data/server.yml:/etc/ntfy/server.yml"
+        "/storage/dataset/docker/push/ntfy_data:/etc/ntfy/data"
+      ];
+      environment = {
+        TZ = "Europe/Berlin";
+      };
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}

hosts/franz/arion/push/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/push/default.nix

@@ -0,0 +1,7 @@
+{
+  virtualisation.arion = {
+    projects.push.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}

hosts/franz/arion/signal/arion-compose.nix

@@ -0,0 +1,50 @@
+{pkgs, ...}: {
+  project.name = "signal";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    mollysocket.service = {
+      image = "ghcr.io/mollyim/mollysocket:1.3.0";
+      container_name = "mollysocket";
+      useHostStore = true;
+      ports = [
+        "8020:8020"
+      ];
+      command = "server";
+      working_dir = "/data";
+      labels = {
+        "traefik.enable" = "true";
+
+        "traefik.http.routers.mollysocket.rule" = "Host(`signal.ghoscht.com`)";
+        "traefik.http.routers.mollysocket.service" = "mollysocket";
+        "traefik.http.routers.mollysocket.entrypoints" = "websecure";
+        "traefik.http.services.mollysocket.loadbalancer.server.port" = "8020";
+        "traefik.http.routers.mollysocket.tls" = "true";
+        "traefik.http.routers.mollysocket.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.mollysocket-external.loadbalancer.server.port" = "8020";
+        "traefik.http.routers.mollysocket-external.service" = "mollysocket-external";
+        "traefik.http.routers.mollysocket-external.rule" = "Host(`signal.ghoscht.com`)";
+        "traefik.http.routers.mollysocket-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.mollysocket-external.tls" = "true";
+        "traefik.http.routers.mollysocket-external.tls.certresolver" = "letsencrypt";
+      };
+      environment = {
+        MOLLY_DB = "/data/mollysocket.db";
+        MOLLY_ALLOWED_ENDPOINTS = "[\"https://push.ghoscht.com\",\"*\"]";
+        MOLLY_ALLOWED_UUIDS = "[\"*\"]";
+        MOLLY_HOST = "0.0.0.0";
+        MOLLY_PORT = 8020;
+        RUST_LOG = "info";
+      };
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}