Merge branch 'main' of ssh://git.ghoscht.com:2222/ghoscht/nix-config

flake.lock: Update
Flake lock file updates: • Updated input 'arion': 'github:hercules-ci/arion/94d092fffd5cfd4f09b8988aca1b857a9d37c4d6' (2024-10-20) → 'github:hercules-ci/arion/38ea1d87421f1695743d5eca90b0c37ef3123fbb' (2024-11-05) • Updated input 'arion/flake-parts': 'github:hercules-ci/flake-parts/8471fe90ad337a8074e957b69ca4d0089218391d' (2024-08-01) → 'github:hercules-ci/flake-parts/506278e768c2a08bec68eb62932193e341f55c90' (2024-11-01) • Updated input 'arion/hercules-ci-effects': 'github:hercules-ci/hercules-ci-effects/11e4b8dc112e2f485d7c97e1cee77f9958f498f5' (2024-06-24) → 'github:hercules-ci/hercules-ci-effects/d70658494391994c7b32e8fe5610dae76737e4df' (2024-10-29) • Updated input 'arion/nixpkgs': 'github:NixOS/nixpkgs/d04953086551086b44b6f3c6b7eeb26294f207da' (2024-08-02) → 'github:NixOS/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d' (2024-11-02) • Updated input 'disko': 'github:nix-community/disko/3979285062d6781525cded0f6c4ff92e71376b55' (2024-10-29) → 'github:nix-community/disko/5e40e02978e3bd63c2a6a9fa6fa8ba0e310e747f' (2024-11-08) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/178c79df993216cc9be02630d6cf42868b29f9c2?dir=pkgs/firefox-addons' (2024-11-03) → 'gitlab:rycee/nur-expressions/674763b3eb6f0bdfa1f987984711bd3f33efc7bf?dir=pkgs/firefox-addons' (2024-11-08) • Updated input 'hardware': 'github:nixos/nixos-hardware/f6e0cd5c47d150c4718199084e5764f968f1b560' (2024-11-02) → 'github:nixos/nixos-hardware/e1cc1f6483393634aee94514186d21a4871e78d7' (2024-11-06) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/080166c15633801df010977d9d7474b4a6c549d7' (2024-10-30) → 'github:nixos/nixpkgs/dba414932936fde69f0606b4f1d87c5bc0003ede' (2024-11-06) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d' (2024-11-02) → 'github:nixos/nixpkgs/4aa36568d413aca0ea84a1684d2d46f55dbabad7' (2024-11-05) • Updated input 'sops-nix': 'github:Mic92/sops-nix/e9b5eef9b51cdf966c76143e13a9476725b2f760' (2024-11-03) → 'github:Mic92/sops-nix/60e1bce1999f126e3b16ef45f89f72f0c3f8d16f' (2024-11-08)
2024-11-08 21:44:28 +01:00 · 2024-11-08 21:05:16 +01:00 · 2024-11-08 20:47:35 +01:00 · 2024-11-08 15:49:51 +01:00 · 2024-11-05 20:35:34 +01:00 · 2024-11-05 20:35:10 +01:00
220 changed files with 10256 additions and 1702 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
 keys:
  - &franz age1uauvjwfvg8u0zkn58ematurcptf43gz6vx44nwkq3xcnmwq95psqna9psw
 creation_rules:
  - path_regex: secrets/franz.yaml$
    key_groups:
      - age:
          - *franz
--- a/README.md
+++ b/README.md
@ -0,0 +1,20 @@
 # Nix-Config
 ## Installation
 The NixOS installer image comes with password SSH auth disabled. Simply allowing the public Git keys is a nice workaround.
 ```sh
 sudo systemctl start sshd
 mkdir ~/.ssh; curl https://git.ghoscht.com/ghoscht.keys > ~/.ssh/authorized_keys
 ```
 The specific config from "hosts" can be installed using the following command. Limiting the download speed is optional, but can come in handy.
 ```sh
 sudo nixos-install --option download-speed 4000 --flake .#<CONFIG_NAME_HERE>
 ```
 ## RPi Image generation
 ```sh
 nix build .#nixosConfigurations.eustachius.config.system.build.sdImage
 sudo dd if=./result/sd-image/<IMAGE_NAME>.img of=/dev/<DEVICE_NAME> bs=1M status=progress
 ```
--- a/disko/btrfs-swap.nix
+++ b/disko/btrfs-swap.nix
@ -0,0 +1,74 @@
 {device ? throw "Set this to your disk device, e.g. /dev/sda", ...}: {
  disko.devices = {
    disk.main = {
      inherit device;
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = ["umask=0077"];
            };
          };
          swap = {
            size = "4G";
            content = {
              type = "swap";
              resumeDevice = true;
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "lvm_pv";
              vg = "root_vg";
            };
          };
        };
      };
    };
    lvm_vg = {
      root_vg = {
        type = "lvm_vg";
        lvs = {
          root = {
            size = "100%FREE";
            content = {
              type = "btrfs";
              extraArgs = ["-f"];
              subvolumes = {
                "/root" = {
                  mountpoint = "/";
                };
                "/home" = {
                  mountOptions = ["compress=zstd"];
                  mountpoint = "/home";
                };
                "/nix" = {
                  mountOptions = ["subvol=nix" "compress=zstd" "noatime"];
                  mountpoint = "/nix";
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -3,21 +3,23 @@
  inputs = {
    # Nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
    # You can access packages and modules from different nixpkgs revs
    # at the same time. Here's an working example:
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    # Also see the 'unstable-packages' overlay at 'overlays/default.nix'.
    # Home manager
-    home-manager.url = "github:nix-community/home-manager/release-23.11";
+    home-manager.url = "github:nix-community/home-manager/release-24.05";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    hardware.url = "github:nixos/nixos-hardware";
-    nh = {
+
-      url = "github:viperml/nh";
+    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-colors.url = "github:misterio77/nix-colors";
    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@ -28,13 +30,17 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    xremap.url = "github:xremap/nix-flake";
    flatpaks.url = "github:GermanBread/declarative-flatpak/stable-v3";
    heliox-cli.url = "git+https://git.ghoscht.com/heliox/cli?ref=custom-dimming";
    picokontroller.url = "git+https://git.ghoscht.com/ghoscht/picoKontroller";
    sops-nix.url = "github:Mic92/sops-nix";
    arion.url = "github:hercules-ci/arion";
  };
  outputs = {
    self,
    nixpkgs,
    home-manager,
    arkenfox,
    ...
  } @ inputs: let
    inherit (self) outputs;
@ -76,12 +82,43 @@
          ./hosts/adalbert
        ];
      };
      ludwig = nixpkgs.lib.nixosSystem {
        specialArgs = {inherit inputs outputs vars;};
        modules = [
          ./hosts/ludwig
        ];
      };
      leopold = nixpkgs.lib.nixosSystem {
        specialArgs = {inherit inputs outputs vars;};
        modules = [
          ./hosts/leopold
        ];
      };
      franz = nixpkgs.lib.nixosSystem {
        specialArgs = {inherit inputs outputs vars;};
        modules = [
          ./hosts/franz
        ];
      };
      # build with nix build .#nixosConfigurations.eustachius.config.system.build.sdImage
      eustachius = nixpkgs.lib.nixosSystem {
        system = "aarch64-linux";
        modules = [
          "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix"
          ./hosts/eustachius
          # extra config for sdImage generator
          {
            sdImage.compressImage = false;
          }
        ];
      };
    };
    # Standalone home-manager configuration entrypoint
    # Available through 'home-manager --flake .#your-username@your-hostname'
    homeConfigurations = {
-      "ghoscht@adalbert" = home-manager.lib.homeManagerConfiguration {
+      "${vars.user}@adalbert" = home-manager.lib.homeManagerConfiguration {
        pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
        extraSpecialArgs = {inherit inputs outputs vars;};
        modules = [
@ -89,5 +126,26 @@
        ];
      };
    };
    "${vars.user}@ludwig" = home-manager.lib.homeManagerConfiguration {
      pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
      extraSpecialArgs = {inherit inputs outputs vars;};
      modules = [
        ./home/ludwig.nix
      ];
    };
    "${vars.user}@franz" = home-manager.lib.homeManagerConfiguration {
      pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
      extraSpecialArgs = {inherit inputs outputs vars;};
      modules = [
        ./home/franz.nix
      ];
    };
    # "${vars.user}@eustachius" = home-manager.lib.homeManagerConfiguration {
    #   pkgs = nixpkgs.legacyPackages.aarch64-linux; # Home-manager requires 'pkgs' instance
    #   extraSpecialArgs = {inherit inputs outputs vars;};
    #   modules = [
    #     ./home/eustachius.nix
    #   ];
    # };
  };
 }
--- a/home/adalbert.nix
+++ b/home/adalbert.nix
@ -1,6 +1,7 @@
 {
  inputs,
  outputs,
  pkgs,
  ...
 }: let
 in {
@ -9,38 +10,22 @@ in {
    ./features/desktop/awesome
    ./features/games
    ./features/coding
    ./features/desktop/common/3d-printing.nix
    inputs.nix-colors.homeManagerModules.default
  ];
  colorScheme = inputs.nix-colors.colorSchemes.catppuccin-mocha;
-  # wallpaper = outputs.wallpapers.cyberpunk-city-red;
+
-  #
+  home.packages = [
-  # #  ------   -----   ------
+    inputs.picokontroller.packages.x86_64-linux.default
-  # # | DP-3 | | DP-1| | DP-2 |
+    # pkgs.citrix_workspace
-  # #  ------   -----   ------
+  ];
-  # monitors = [
+  nixpkgs = {
-  #   {
+    config = {
-  #     name = "DP-3";
+      permittedInsecurePackages = [
-  #     width = 1920;
+        "electron-25.9.0"
-  #     height = 1080;
+        "nix-2.15.3"
-  #     x = 0;
+      ];
-  #     workspace = "3";
+    };
-  #     enabled = false;
+  };
  #   }
  #   {
  #     name = "DP-1";
  #     width = 2560;
  #     height = 1080;
  #     x = 1920;
  #     workspace = "1";
  #     primary = true;
  #   }
  #   {
  #     name = "DP-2";
  #     width = 1920;
  #     height = 1080;
  #     x = 4480;
  #     workspace = "2";
  #   }
  # ];
 }
--- a/home/features/cli/default.nix
+++ b/home/features/cli/default.nix
@ -20,10 +20,18 @@
    httpie # Better curl
    diffsitter # Better diff
    jq # JSON pretty printer and manipulator
-    timer # To help with my ADHD paralysis
+    timer # Nice looking timer
    lazydocker # Docker TUI
-    neofetch
+    neofetch # Unixporn stuff
-    tldr # nice & short manual snippets
+    tldr # Nice & short manual snippets
    ntfy-sh # Push notifications to other devices
    ipinfo # IP geolocation
    ranger # TUI file manager
    trickle # cli network limiter
    du-dust # disk usage visualizer
    lftp # FTP client
    unar # unarchive files like rar, zip, tar
    glow # fancy markdown viewer
    nvd # Differ
    nix-output-monitor
--- a/home/features/cli/fish.nix
+++ b/home/features/cli/fish.nix
@ -7,11 +7,13 @@
  inherit (lib) mkIf;
  hasPackage = pname: lib.any (p: p ? pname && p.pname == pname) config.home.packages;
  hasRipgrep = hasPackage "ripgrep";
  hasLftp = hasPackage "lftp";
  hasExa = hasPackage "eza";
  hasLazygit = config.programs.lazygit.enable;
  hasLazydocker = hasPackage "lazydocker";
  hasNixYourShell = hasPackage "nix-your-shell";
  hasShellColor = config.programs.shellcolor.enable;
  hasWezterm = config.programs.wezterm.enable;
  shellcolor = "${pkgs.shellcolord}/bin/shellcolor";
 in {
  programs.fish = {
@ -44,15 +46,29 @@ in {
        name = "autopair";
        src = pkgs.fishPlugins.autopair.src;
      }
      {
        name = "puffer";
        src = pkgs.fishPlugins.puffer.src;
      }
      {
        name = "z";
        src = pkgs.fishPlugins.z.src;
      }
    ];
    shellAliases = {
      lzg = mkIf hasLazygit "lazygit";
      lzd = mkIf hasLazydocker "lazydocker";
      batt = ''upower -i /org/freedesktop/UPower/devices/battery_BAT0 | grep -e "percentage" -e "state"'';
      hx = "~/Documents/heliox-cli/target/debug/heliox-cli --mode";
      slp = "systemctl suspend";
      sdn = "shutdown 0";
      nrs = "nh os switch ~/.setup";
      ls = mkIf hasExa "eza";
      ll = mkIf hasExa "eza -l";
      la = mkIf hasExa "eza -la";
      exa = mkIf hasExa "eza";
      imgcat = mkIf hasWezterm "wezterm imgcat";
    };
    shellAbbrs = rec {
      jqless = "jq -C | less -r";
@ -65,8 +81,16 @@ in {
      nbn = "nix build nixpkgs#";
      nf = "nix flake";
-      ls = mkIf hasExa "eza";
+      glk = "gpg --list-keys --with-keygrip";
-      exa = mkIf hasExa "eza";
+      gssh = "gpg --export-ssh-key";
      gnk = "gpg --full-generate-key --expert";
      gek = "gpg --edit-key --expert";
      udmount = "udisksctl mount -b";
      udumount = "udisksctl unmount -b";
      fftp = mkIf hasLftp "lftp -u ghoscht, sftp://192.168.178.35";
      arss = "sudo autorestic exec -av -- snapshots";
    };
    functions = {
      # Disable greeting
--- a/home/features/cli/git.nix
+++ b/home/features/cli/git.nix
@ -1,6 +1,6 @@
 {pkgs, ...}: {
  #Prefer IPv4 for ssh
-  home.file.".ssh/config".text = "AddressFamily inet";
+  # home.file.".ssh/config".text = "AddressFamily inet";
  programs.git = {
    enable = true;
@ -12,6 +12,7 @@
      commit.gpgsign = true;
      user.signingkey = "0x2C2C1C62A5388E82";
      init.defaultBranch = "main";
      pull.rebase = false; # merge by default
    };
    lfs.enable = true;
    aliases = {
--- a/home/features/cli/gpg.nix
+++ b/home/features/cli/gpg.nix
@ -11,7 +11,7 @@
    enableSshSupport = true;
    enableFishIntegration = true;
    enableZshIntegration = true;
-    pinentryFlavor = "gnome3";
+    pinentryPackage = pkgs.pinentry-gnome3;
  };
  # Prevent clobbering SSH_AUTH_SOCK
--- a/home/features/coding/default.nix
+++ b/home/features/coding/default.nix
@ -3,5 +3,6 @@
    ./nvim
    ./vscode.nix
    ./intellij.nix
    ./tmux.nix
  ];
 }
--- a/home/features/coding/intellij.nix
+++ b/home/features/coding/intellij.nix
@ -1,5 +1,9 @@
 {pkgs, ...}: {
-  home.packages = with pkgs.unstable; [
+  home.packages = [
-    (jetbrains.plugins.addPlugins jetbrains.idea-ultimate ["ideavim"])
+    (pkgs.unstable.jetbrains.plugins.addPlugins pkgs.unstable.jetbrains.idea-ultimate ["ideavim"])
  ];
  home.sessionVariables = {
    JAVA_HOME = "${pkgs.openjdk17}/lib/openjdk";
    LD_LIBRARY_PATH = "${pkgs.libGL}/lib:${pkgs.gtk3}/lib:${pkgs.glib.out}/lib:${pkgs.xorg.libXtst}/lib";
  };
 }
--- a/home/features/coding/nvim/default.nix
+++ b/home/features/coding/nvim/default.nix
@ -7,27 +7,20 @@
 }: let
  vars = import ../../../../vars.nix;
  colors = config.colorScheme.colors;
-in {
+  stableExtraPkgs = with pkgs; [
  home.sessionVariables.EDITOR = "nvim";
  programs.neovim = {
    enable = true;
    viAlias = true;
    vimAlias = true;
    vimdiffAlias = true;
    extraPackages = with pkgs; [
    # LSP
    lua-language-server
-      lua
+    pkgs.nodePackages.typescript-language-server
      rnix-lsp # nix
    # Formatters
    stylua # lua
    black # pyton
    alejandra # nix
    clang-tools_16 # c/c++
    rustfmt
    yamlfmt
    prettierd
    vscode-langservers-extracted
    # Linters
    ruff # python
@ -39,7 +32,25 @@ in {
    wl-clipboard
    fzf
    gcc
    # idk?
    lua
  ];
  unstableExtraPkgs = with pkgs.unstable; [
    # LSP
    nixd
  ];
 in {
  home.sessionVariables.EDITOR = "nvim";
  programs.neovim = {
    enable = true;
    viAlias = true;
    vimAlias = true;
    vimdiffAlias = true;
    extraPackages = stableExtraPkgs ++ unstableExtraPkgs;
    plugins = with pkgs.vimPlugins; [
      {
@ -69,6 +80,7 @@ in {
        type = "lua";
      }
      cmp-path
      nvim-cmp
      {
        plugin = nvim-cmp;
@ -92,7 +104,29 @@ in {
      friendly-snippets
      {
-        plugin = nvim-treesitter.withAllGrammars;
+        plugin = nvim-treesitter.withPlugins (p: [
          p.vim
          p.bash
          p.lua
          p.python
          p.json
          p.java
          p.rust
          p.cpp
          p.c
          p.css
          p.csv
          p.dockerfile
          p.diff
          p.gitignore
          p.git_config
          p.gitattributes
          p.make
          p.yaml
          p.toml
          p.typescript
          p.xml
        ]);
        config = builtins.readFile ./plugin/treesitter.lua;
        type = "lua";
      }
@ -100,7 +134,7 @@ in {
      vim-nix
      {
-        plugin = nvim-base16;
+        plugin = base16-nvim;
        config = ''
          require('base16-colorscheme').setup({
            base00 = '#${colors.base00}', base01 = '#${colors.base01}', base02 = '#${colors.base02}', base03 = '#${colors.base03}',
@ -122,6 +156,7 @@ in {
      nui-nvim
      {
        plugin = neo-tree-nvim;
        config = builtins.readFile ./plugin/neo-tree.lua;
        type = "lua";
      }
@ -151,7 +186,43 @@ in {
        config = builtins.readFile ./plugin/none-ls.lua;
        type = "lua";
      }
      {
        plugin = nvim-autopairs;
        config = "require('nvim-autopairs').setup()";
        type = "lua";
      }
      barbar-nvim
      {
        plugin = nvim-surround;
        config = "require('nvim-surround').setup({})";
        type = "lua";
      }
      vim-be-good
      rainbow-delimiters-nvim
      rustaceanvim
      {
        plugin = vim-tmux-navigator;
        config = builtins.readFile ./plugin/vim-tmux-navigator.lua;
        type = "lua";
      }
      {
        plugin = nvim-ts-autotag;
        config = "require('nvim-ts-autotag').setup({})";
        type = "lua";
      }
    ];
    extraLuaConfig = ''
      ${builtins.readFile ./options.lua}
    '';
  };
  xdg.desktopEntries = {
--- a/home/features/coding/nvim/options.lua
+++ b/home/features/coding/nvim/options.lua
@ -1,9 +1,11 @@
 vim.keymap.set("", "<Space>", "<Nop>")
 vim.keymap.set("", "<C-Space>", "<Nop>")
 vim.g.mapleader = " "
 vim.g.maplocalleader = " "
 vim.o.clipboard = "unnamedplus"
-vim.o.number = true
+-- vim.o.number = true
 vim.o.relativenumber = true
 vim.o.signcolumn = "yes"
@ -16,3 +18,8 @@ vim.o.updatetime = 300
 vim.o.termguicolors = true
 vim.o.mouse = "a"
 -- disable empty line ~
 vim.o.fillchars = "eob: "
 vim.o.undofile = true
--- a/home/features/coding/nvim/plugin/barbar.lua
+++ b/home/features/coding/nvim/plugin/barbar.lua
--- a/home/features/coding/nvim/plugin/cmp.lua
+++ b/home/features/coding/nvim/plugin/cmp.lua
@ -42,5 +42,6 @@ cmp.setup({
 	sources = {
 		{ name = "nvim_lsp" },
 		{ name = "luasnip" },
 		{ name = "path" },
 	},
 })
--- a/home/features/coding/nvim/plugin/lsp.lua
+++ b/home/features/coding/nvim/plugin/lsp.lua
@ -39,7 +39,29 @@ require("lspconfig").lua_ls.setup({
 	},
 })
-require("lspconfig").rnix.setup({
+require("lspconfig").nixd.setup({
 	on_attach = on_attach,
 	capabilities = capabilities,
 })
 require("lspconfig").tsserver.setup({
 	on_attach = on_attach,
 	capabilities = capabilities,
 })
 require("lspconfig").eslint.setup({
 	settings = {
 		packageManager = "yarn",
 	},
 	on_attach = function(client, bufnr)
 		vim.api.nvim_create_autocmd("BufWritePre", {
 			buffer = bufnr,
 			command = "EslintFixAll",
 		})
 		vim.api.nvim_create_autocmd("BufWritePost", {
 			callback = function()
 				vim.lsp.buf.format()
 			end,
 		})
 	end,
 })
--- a/home/features/coding/nvim/plugin/neo-tree.lua
+++ b/home/features/coding/nvim/plugin/neo-tree.lua
@ -0,0 +1,19 @@
 require("neo-tree").setup({
 	close_if_last_window = true, -- Close Neo-tree if it is the last window left in the tab
 	hide_root_node = true, -- Hide the root node
 	filesystem = {
 		filtered_items = {
 			visible = false,
 			hide_dotfiles = false,
 			hide_gitignored = false,
 			hide_by_name = {
 				".git",
 				".DS_Store",
 				"thumbs.db",
 			},
 			show_hidden_count = false,
 		},
 	},
 })
 vim.keymap.set("n", "<C-n>", "<Cmd>Neotree toggle<CR>")
--- a/home/features/coding/nvim/plugin/none-ls.lua
+++ b/home/features/coding/nvim/plugin/none-ls.lua
@ -7,14 +7,24 @@ local opts = {
 		null_ls.builtins.formatting.stylua,
 		-- Python
 		null_ls.builtins.formatting.black,
-		null_ls.builtins.diagnostics.ruff,
+		-- null_ls.builtins.diagnostics.ruff,
 		-- Javascript
-		null_ls.builtins.diagnostics.eslint_d,
+		-- null_ls.builtins.diagnostics.eslint_d,
-		null_ls.builtins.diagnostics.jsonlint,
+		-- null_ls.builtins.diagnostics.jsonlint,
 		-- C/C++
 		null_ls.builtins.formatting.clang_format,
 		-- Nix
 		null_ls.builtins.formatting.alejandra,
 		-- Rust
 		-- null_ls.builtins.formatting.rustfmt,
 		-- YAML
 		null_ls.builtins.formatting.yamlfmt,
 		-- Typescript
 		null_ls.builtins.formatting.prettier.with({
 			condition = function(utils)
 				return utils.has_file({ ".prettierrc.js" })
 			end,
 		}),
 	},
 	on_attach = function(client, bufnr)
 		if client.supports_method("textDocument/formatting") then
--- a/home/features/coding/nvim/plugin/vim-tmux-navigator.lua
+++ b/home/features/coding/nvim/plugin/vim-tmux-navigator.lua
@ -0,0 +1,5 @@
 -- Navigate vim panes better
 vim.keymap.set("n", "<c-k>", ":wincmd k<CR>")
 vim.keymap.set("n", "<c-j>", ":wincmd j<CR>")
 vim.keymap.set("n", "<c-h>", ":wincmd h<CR>")
 vim.keymap.set("n", "<c-l>", ":wincmd l<CR>")
--- a/home/features/coding/tmux.nix
+++ b/home/features/coding/tmux.nix
@ -0,0 +1,46 @@
 {pkgs, ...}: {
  home.packages = [pkgs.tmuxinator-fzf-start];
  programs.tmux = {
    enable = true;
    keyMode = "vi";
    customPaneNavigationAndResize = true;
    mouse = true;
    tmuxinator.enable = true;
    shortcut = "Space";
    extraConfig = ''
      bind % split-window -h -c "#{pane_current_path}"
      bind '"' split-window -v -c "#{pane_current_path}"
      set -sg escape-time 0
    '';
    plugins = with pkgs; [
      tmuxPlugins.vim-tmux-navigator
      {
        plugin = tmuxPlugins.catppuccin;
        extraConfig = ''
          set -g status-position top
          set-option -sa terminal-features ',xterm-256color:RGB'
          set -g @catppuccin_window_left_separator ""
          set -g @catppuccin_window_right_separator " "
          set -g @catppuccin_window_middle_separator " █"
          set -g @catppuccin_window_number_position "right"
          set -g @catppuccin_window_default_fill "number"
          set -g @catppuccin_window_default_text "#W"
          set -g @catppuccin_window_current_fill "number"
          set -g @catppuccin_window_current_text "#W"
          set -g @catppuccin_status_modules_right "directory session"
          set -g @catppuccin_status_left_separator  " "
          set -g @catppuccin_status_right_separator ""
          set -g @catppuccin_status_fill "icon"
          set -g @catppuccin_status_connect_separator "no"
          set -g @catppuccin_directory_text "#{pane_current_path}"
        '';
      }
    ];
  };
 }
--- a/home/features/desktop/awesome/default.nix
+++ b/home/features/desktop/awesome/default.nix
@ -1,6 +1,7 @@
 {pkgs, ...}: {
  imports = [
    ../common
    ./zathura.nix
  ];
  home = {
@ -30,6 +31,7 @@
      flameshot
      xclip
      brightnessctl
      feh
    ];
  };
 }
--- a/home/features/desktop/awesome/zathura.nix
+++ b/home/features/desktop/awesome/zathura.nix
@ -0,0 +1,47 @@
 {pkgs, ...}: {
  programs.zathura = {
    enable = true;
    options = {
      selection-clipboard = "clipboard";
      statusbar-home-tilde = true;
      default-fg = "#CDD6F4";
      default-bg = "#1E1E2E";
      completion-bg = "#313244";
      completion-fg = "#CDD6F4";
      completion-highlight-bg = "#575268";
      completion-highlight-fg = "#CDD6F4";
      completion-group-bg = "#313244";
      completion-group-fg = "#89B4FA";
      statusbar-fg = "#CDD6F4";
      statusbar-bg = "#313244";
      notification-bg = "#313244";
      notification-fg = "#CDD6F4";
      notification-error-bg = "#313244";
      notification-error-fg = "#F38BA8";
      notification-warning-bg = "#313244";
      notification-warning-fg = "#FAE3B0";
      inputbar-fg = "#CDD6F4";
      inputbar-bg = "#313244";
      recolor-lightcolor = "#1E1E2E";
      recolor-darkcolor = "#CDD6F4";
      index-fg = "#CDD6F4";
      index-bg = "#1E1E2E";
      index-active-fg = "#CDD6F4";
      index-active-bg = "#313244";
      render-loading-bg = "#1E1E2E";
      render-loading-fg = "#CDD6F4";
      highlight-color = "#575268";
      highlight-fg = "#F5C2E7";
      highlight-active-color = "#F5C2E7";
    };
  };
 }
--- a/home/features/desktop/common/3d-printing.nix
+++ b/home/features/desktop/common/3d-printing.nix
@ -0,0 +1,3 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [freecad cura];
 }
--- a/home/features/desktop/common/default.nix
+++ b/home/features/desktop/common/default.nix
@ -1,8 +1,29 @@
-{
+{pkgs, ...}: {
  imports = [
    ./theming.nix
    ./firefox.nix
    ./alacritty.nix
    ./wezterm.nix
    ./font.nix
    ./playerctl.nix
    ./easyeffects.nix
    ./nextcloud.nix
    ./flatpak.nix
    ./notes.nix
    ./fcitx5.nix
  ];
  home.packages = with pkgs;
    [
      jellyfin-media-player # watch shows & movies from jellyfin with hardware decoding
      # feishin-appimage # self-packaged feishin while electron build fails
      signal-desktop # secure messenger
      webcord-vencord # more "privacy friendly" discord client
      anki
      calibre
      rofi-audio-switcher # Script to switch default audio sinks/sources
      mpv # Video player
    ]
    ++ (with pkgs.unstable; [feishin]);
 }
--- a/home/features/desktop/common/easyeffects.nix
+++ b/home/features/desktop/common/easyeffects.nix
@ -0,0 +1,7 @@
 {pkgs, ...}: {
  # services.easyeffects.enable = true;
  xdg.configFile."easyeffects/output/Beyerdynamic_DT990_Oratory.json" = {
    source = ../../../../rsc/config/easyeffects/Beyerdynamic_DT990_Oratory.json;
  };
  home.packages = with pkgs; [easyeffects];
 }
--- a/home/features/desktop/common/fcitx5.nix
+++ b/home/features/desktop/common/fcitx5.nix
@ -0,0 +1,107 @@
 {pkgs, ...}: {
  # xdg.configFile."fcitx5" = {
  #   source = ../../../../rsc/config/fcitx5;
  #   recursive = true;
  # };
  xdg.configFile = {
    "fcitx5/config" = {
      force = true;
      text = ''
        [Hotkey]
        # Enumerate when press trigger key repeatedly
        EnumerateWithTriggerKeys=True
        # Temporally switch between first and current Input Method
        AltTriggerKeys=
        # Enumerate Input Method Forward
        EnumerateForwardKeys=
        # Enumerate Input Method Backward
        EnumerateBackwardKeys=
        # Skip first input method while enumerating
        EnumerateSkipFirst=False
        # Enumerate Input Method Group Forward
        EnumerateGroupForwardKeys=
        # Enumerate Input Method Group Backward
        EnumerateGroupBackwardKeys=
        # Activate Input Method
        ActivateKeys=
        # Deactivate Input Method
        DeactivateKeys=
        # Default Previous page
        PrevPage=
        # Default Next page
        NextPage=
        # Default Previous Candidate
        PrevCandidate=
        # Default Next Candidate
        NextCandidate=
        # Toggle embedded preedit
        TogglePreedit=
        [Hotkey/TriggerKeys]
        0=Control+Alt+space
        [Behavior]
        # Active By Default
        ActiveByDefault=False
        # Share Input State
        ShareInputState=No
        # Show preedit in application
        PreeditEnabledByDefault=True
        # Show Input Method Information when switch input method
        ShowInputMethodInformation=True
        # Show Input Method Information when changing focus
        showInputMethodInformationWhenFocusIn=False
        # Show compact input method information
        CompactInputMethodInformation=True
        # Show first input method information
        ShowFirstInputMethodInformation=True
        # Default page size
        DefaultPageSize=5
        # Override Xkb Option
        OverrideXkbOption=False
        # Custom Xkb Option
        CustomXkbOption=
        # Force Enabled Addons
        EnabledAddons=
        # Force Disabled Addons
        DisabledAddons=
        # Preload input method to be used by default
        PreloadInputMethod=True
        # Allow input method in the password field
        AllowInputMethodForPassword=False
        # Show preedit text when typing password
        ShowPreeditForPassword=False
        # Interval of saving user data in minutes
        AutoSavePeriod=30
      '';
    };
    "fcitx5/profile" = {
      force = true;
      text = ''
        [Groups/0]
        # Group Name
        Name="Group 1"
        # Layout
        Default Layout=de
        # Default Input Method
        DefaultIM=mozc
        [Groups/0/Items/0]
        # Name
        Name=keyboard-de
        # Layout
        Layout=
        [Groups/0/Items/1]
        # Name
        Name=mozc
        # Layout
        Layout=
        [GroupOrder]
        0="Group 1"
      '';
    };
  };
 }
--- a/home/features/desktop/common/firefox.nix
+++ b/home/features/desktop/common/firefox.nix
@ -5,12 +5,14 @@
  ...
 }: {
  imports = [inputs.arkenfox.hmModules.default];
  home.file.".mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json".source = "${pkgs.plasma5Packages.plasma-browser-integration}/lib/mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json";
  programs.firefox = {
    enable = true;
    arkenfox = {
      enable = true;
-      version = "119.0";
+      version = "128.0";
    };
    profiles.Default = {
@ -20,6 +22,7 @@
        darkreader
        tabliss
        consent-o-matic
        # bypass-paywalls-clean
      ];
      search.engines = {
@ -116,13 +119,15 @@
      search.default = "Searx";
      settings = {
        "media.hardwaremediakeys.enabled" = false;
        "dom.security.https_only_mode" = true;
-        "browser.download.panel.shown" = true;
+        "browser.download.panel.shown" = false;
        "browser.toolbars.bookmarks.visibility" = "always";
        "signon.rememberSignons" = false;
        "browser.formfill.enable" = false;
        "signon. prefillForms" = false;
        "browser.shell.checkDefaultBrowser" = false;
-        "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+        # "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
        "browser.uiCustomization.state" = ''{"placements":{"widget-overflow-fixed-list":[],"unified-extensions-area":["addon_darkreader_org-browser-action","plasma-browser-integration_kde_org-browser-action","_506e023c-7f2b-40a3-8066-bc5deb40aebe_-browser-action","_testpilot-containers-browser-action","7esoorv3_alefvanoon_anonaddy_me-browser-action","_a6c4a591-f1b2-4f03-b3ff-767e5bedf4e7_-browser-action","gdpr_cavi_au_dk-browser-action","firefoxcolor_mozilla_com-browser-action","firefox-translations-addon_mozilla_org-browser-action"],"nav-bar":["back-button","forward-button","stop-reload-button","urlbar-container","downloads-button","unified-extensions-button","ublock0_raymondhill_net-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action"],"toolbar-menubar":["menubar-items"],"TabsToolbar":["tabbrowser-tabs","new-tab-button","alltabs-button"],"PersonalToolbar":["personal-bookmarks"]},"seen":["save-to-pocket-button","developer-button","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","addon_darkreader_org-browser-action","ublock0_raymondhill_net-browser-action","plasma-browser-integration_kde_org-browser-action","_506e023c-7f2b-40a3-8066-bc5deb40aebe_-browser-action","_testpilot-containers-browser-action","7esoorv3_alefvanoon_anonaddy_me-browser-action","_a6c4a591-f1b2-4f03-b3ff-767e5bedf4e7_-browser-action","gdpr_cavi_au_dk-browser-action","firefoxcolor_mozilla_com-browser-action","firefox-translations-addon_mozilla_org-browser-action"],"dirtyAreaCache":["nav-bar","PersonalToolbar","toolbar-menubar","TabsToolbar","unified-extensions-area"],"currentVersion":20,"newElementCount":4}'';
      };
      arkenfox = {
@ -165,10 +170,18 @@
        "1700".enable = false;
        "2600" = {
          enable = true;
-      # The recent documents feature is useful
+          # useDownloadDir
-      "2653".enable = false;
+          "2651".enable = false;
          # always_ask_before_handling_new_types
          "2654".enable = false;
        };
        "2700".enable = true;
        "2800" = {
          "2812".enable = true;
        };
        "5000" = {
          "5008".enable = true;
        };
      };
    };
  };
--- a/home/features/desktop/common/flatpak.nix
+++ b/home/features/desktop/common/flatpak.nix
@ -0,0 +1,33 @@
 {inputs, ...}: {
  imports = [inputs.flatpaks.homeManagerModules.default];
  services.flatpak = {
    remotes.flathub = "https://flathub.org/repo/flathub.flatpakrepo";
    packages = [
      "flathub:app/us.zoom.Zoom//stable"
      "flathub:app/com.discordapp.Discord//stable"
      "flathub:app/md.obsidian.Obsidian//stable"
      "flathub:app/com.github.iwalton3.jellyfin-media-player//stable"
    ];
    overrides = {
      global = {
        filesystems = [
          "~/.local/share/icons"
        ];
        environment = {
          "MOZ_ENABLE_WAYLAND" = 1;
        };
      };
      "md.obsidian.Obsidian" = {
        sockets = [
          "wayland"
          "system-bus"
        ];
      };
      "com.github.iwalton3.jellyfin-media-player" = {
        environment = {
          QT_XCB_GL_INTEGRATION = "xcb_egl";
        };
      };
    };
  };
 }
--- a/home/features/desktop/common/nextcloud.nix
+++ b/home/features/desktop/common/nextcloud.nix
@ -0,0 +1,3 @@
 {
  services.nextcloud-client.enable = true;
 }
--- a/home/features/desktop/common/notes.nix
+++ b/home/features/desktop/common/notes.nix
@ -0,0 +1,5 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [
    xournalpp
  ];
 }
--- a/home/features/desktop/common/theming.nix
+++ b/home/features/desktop/common/theming.nix
@ -0,0 +1,33 @@
 {pkgs, ...}: {
  home.pointerCursor = {
    package = pkgs.bibata-cursors;
    name = "Bibata-Modern-Ice";
    size = 25;
    x11.enable = true;
    gtk.enable = true;
  };
  # gtk.cursorTheme.package = pkgs.bibata-cursors;
  # gtk.cursorTheme.name = "Bibata-Modern-Ice";
  # home.file.".icons/bibata".source = "${pkgs.bibata-cursors}/share/icons/Bibata-Modern-Classic";
  # xdg.dataFile."icons/bibata".source = "${pkgs.bibata-cursors}/share/icons/Bibata-Modern-Classic";
  gtk = {
    enable = true;
    theme.package = pkgs.adw-gtk3;
    theme.name = "adw-gtk3-dark";
    iconTheme.package = pkgs.papirus-icon-theme;
    iconTheme.name = "Papirus";
  };
  qt = {
    enable = true;
    platformTheme.name = "gtk";
    style.package = with pkgs; [adwaita-qt adwaita-qt6];
    style.name = "adwaita-dark";
  };
  home.packages = with pkgs; [
    libsForQt5.qt5.qtquickcontrols2
    libsForQt5.qt5.qtgraphicaleffects
  ];
 }
--- a/home/features/desktop/common/wezterm.nix
+++ b/home/features/desktop/common/wezterm.nix
@ -0,0 +1,55 @@
 {
  pkgs,
  config,
  ...
 }: {
  programs.wezterm = {
    enable = true;
    colorSchemes = {
      "${config.colorscheme.slug}" = with config.colorScheme; {
        foreground = "#${colors.base05}";
        background = "#${colors.base00}";
        ansi = [
          "#${colors.base00}"
          "#${colors.base08}"
          "#${colors.base0B}"
          "#${colors.base0A}"
          "#${colors.base0D}"
          "#${colors.base0E}"
          "#${colors.base0C}"
          "#${colors.base05}"
        ];
        brights = [
          "#${colors.base03}"
          "#${colors.base08}"
          "#${colors.base0B}"
          "#${colors.base0A}"
          "#${colors.base0D}"
          "#${colors.base0E}"
          "#${colors.base0C}"
          "#${colors.base07}"
        ];
        cursor_fg = "#${colors.base00}";
        cursor_bg = "#${colors.base05}";
        selection_fg = "#${colors.base00}";
        selection_bg = "#${colors.base05}";
      };
    };
    extraConfig = ''
      return {
        warn_about_missing_glyphs=false,
        font = wezterm.font("${config.fontProfiles.monospace.family}"),
        font_size = 12.0,
        window_background_opacity = 0.83,
        color_scheme = "${config.colorscheme.slug}",
        hide_tab_bar_if_only_one_tab = true,
        window_close_confirmation = "NeverPrompt",
        use_ime = true,
        set_environment_variables = {
          TERM = 'wezterm',
        },
      }
    '';
  };
 }
--- a/home/features/desktop/gnome/default.nix
+++ b/home/features/desktop/gnome/default.nix
@ -0,0 +1,5 @@
 {pkgs, ...}: {
  imports = [
    ../common
  ];
 }
--- a/home/features/games/default.nix
+++ b/home/features/games/default.nix
@ -1,5 +1,12 @@
 {pkgs, ...}: {
-  imports = [
+  home.packages = with pkgs; [
-    # ./steam.nix
+    protonup-rs
    heroic
    (lutris.override {
      extraLibraries = pkgs: [
        wine
        wineWowPackages.stable
      ];
    })
  ];
 }
--- a/home/features/games/steam.nix
+++ b/home/features/games/steam.nix
@ -1,31 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }: let
  steam-with-pkgs = pkgs.steam.override {
    extraPkgs = pkgs:
      with pkgs; [
        xorg.libXcursor
        xorg.libXi
        xorg.libXinerama
        xorg.libXScrnSaver
        libpng
        libpulseaudio
        libvorbis
        stdenv.cc.cc.lib
        libkrb5
        keyutils
        gamescope
        mangohud
      ];
  };
 in {
  home.packages = with pkgs; [
    steam-with-pkgs
    gamescope
    mangohud
    protontricks
  ];
 }
--- a/home/features/general/xdg-dirs.nix
+++ b/home/features/general/xdg-dirs.nix
@ -0,0 +1,14 @@
 {
  xdg.userDirs = {
    enable = true;
    createDirectories = true;
    desktop = "/home/ghoscht/Uni";
    download = "/home/ghoscht/Downloads";
    documents = "/home/ghoscht/Documents";
    music = null;
    pictures = "/home/ghoscht/Pictures";
    publicShare = null;
    templates = null;
    videos = null;
  };
 }
--- a/home/franz.nix
+++ b/home/franz.nix
@ -0,0 +1,27 @@
 {
  inputs,
  outputs,
  ...
 }: let
 in {
  imports = [
    ./global
    ./features/coding/nvim
    ./features/coding/tmux.nix
    inputs.nix-colors.homeManagerModules.default
  ];
  colorScheme = inputs.nix-colors.colorSchemes.catppuccin-mocha;
  home.file.".docker" = {
    source = ../rsc/docker/franz;
    recursive = true;
  };
  nixpkgs = {
    config = {
      permittedInsecurePackages = [
        "nix-2.15.3"
      ];
    };
  };
 }
--- a/home/global/default.nix
+++ b/home/global/default.nix
@ -20,6 +20,7 @@
      # You can also split up your configuration and import pieces of it here:
      ../features/cli
      ../features/general/xdg-dirs.nix
    ]
    ++ (builtins.attrValues outputs.homeManagerModules);
--- a/home/ludwig.nix
+++ b/home/ludwig.nix
@ -0,0 +1,27 @@
 {
  pkgs,
  inputs,
  outputs,
  ...
 }: let
 in {
  imports = [
    ./global
    ./features/desktop/awesome
    ./features/desktop/gnome
    ./features/coding
    inputs.nix-colors.homeManagerModules.default
  ];
  home.packages = with pkgs; [nextcloud-client];
  colorScheme = inputs.nix-colors.colorSchemes.catppuccin-mocha;
  nixpkgs = {
    config = {
      permittedInsecurePackages = [
        "electron-25.9.0"
        "nix-2.15.3"
      ];
    };
  };
 }
--- a/hosts/adalbert/default.nix
+++ b/hosts/adalbert/default.nix
@ -3,8 +3,6 @@
 {
  inputs,
  outputs,
  lib,
  config,
  pkgs,
  ...
 }: {
@ -14,8 +12,8 @@
    # outputs.nixosModules.example
    # Or modules from other flakes (such as nixos-hardware):
-    inputs.hardware.nixosModules.common-cpu-amd
+    inputs.hardware.nixosModules.common-cpu-amd-pstate
-    inputs.hardware.nixosModules.common-gpu-nvidia
+    inputs.hardware.nixosModules.common-gpu-nvidia-nonprime
    inputs.hardware.nixosModules.common-pc-ssd
    # You can also split up your configuration and import pieces of it here:
@ -32,9 +30,11 @@
    ../common/optional/kde-connect.nix
    ../common/optional/gnome-keyring.nix
    ../common/optional/adb.nix
    ../common/optional/docker.nix
    ../common/optional/gaming/gamemode.nix
    ../common/optional/gaming/steam.nix
-    ../common/optional/gaming/vr.nix
+    ../common/optional/desktop/japanese.nix
    ../common/optional/udisks.nix
  ];
  nixpkgs = {
@ -60,18 +60,40 @@
      # Disable if you don't want unfree packages
      allowUnfree = true;
      firefox.enablePlasmaBrowserIntegration = true;
      segger-jlink.acceptLicense = true;
      permittedInsecurePackages = ["segger-jlink-qt4-794l"];
    };
  };
  networking.hostName = "adalbert";
  services.udev.packages = [inputs.heliox-cli.packages.x86_64-linux.default pkgs.segger-jlink];
  environment.systemPackages = [inputs.heliox-cli.packages.x86_64-linux.default];
  # Personalausweis reader
  programs.ausweisapp.enable = true;
  programs.ausweisapp.openFirewall = true; # also sets firewall entry
  programs.nix-ld.enable = true;
  # services.xserver.displayManager.sddm.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  # Force disable Nvidia PRIME, needed by nix-hardware
-  hardware.nvidia.prime.offload.enable = false;
+  # hardware.nvidia.prime.offload.enable = false;
  programs.coolercontrol = {
    enable = true;
    nvidiaSupport = true;
  };
  boot.binfmt.emulatedSystems = [
    "aarch64-linux"
    "riscv64-linux"
  ];
  programs = {
    adb.enable = true;
    dconf.enable = true;
    kdeconnect.enable = true;
  };
  hardware = {
--- a/hosts/adalbert/hardware-configuration.nix
+++ b/hosts/adalbert/hardware-configuration.nix
@ -18,17 +18,17 @@
  boot.extraModulePackages = [];
  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/f9ba57fb-0b82-47e0-8189-7bbebc530e2b";
+    device = "/dev/disk/by-uuid/e92a5e85-52ce-4627-be79-5c07a99e2d1b";
    fsType = "ext4";
  };
  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/BCF2-51D4";
+    device = "/dev/disk/by-uuid/348E-AC69";
    fsType = "vfat";
  };
  swapDevices = [
-    {device = "/dev/disk/by-uuid/4834fbc3-3feb-4b93-b11f-8b9bd054c5c1";}
+    {device = "/dev/disk/by-uuid/ae322cab-c083-4644-80ff-9122498d54e8";}
  ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
--- a/hosts/common/global/default.nix
+++ b/hosts/common/global/default.nix
@ -2,7 +2,6 @@
 {
  inputs,
  outputs,
  config,
  ...
 }: {
  imports =
@ -12,8 +11,8 @@
      ./fish.nix
      ./locale.nix
      ./nix.nix
      ./podman.nix
      ./power-button.nix
      ./documentation.nix
    ]
    ++ (builtins.attrValues outputs.nixosModules);
@ -26,8 +25,8 @@
    };
  };
-  # Fix for qt6 plugins
+  # Enable networking
-  environment.profileRelativeSessionVariables = {
+  networking.networkmanager.enable = true;
-    QT_PLUGIN_PATH = ["/lib/qt-6/plugins"];
+
-  };
+  boot.supportedFilesystems = ["ntfs"];
 }
--- a/hosts/common/global/documentation.nix
+++ b/hosts/common/global/documentation.nix
@ -0,0 +1,9 @@
 {pkgs, ...}: {
  environment.systemPackages = with pkgs; [man-pages man-pages-posix];
  documentation.dev.enable = true;
  documentation.man = {
    # In order to enable to mandoc man-db has to be disabled.
    man-db.enable = false;
    mandoc.enable = true;
  };
 }
--- a/hosts/common/optional/desktop/flatpak.nix
+++ b/hosts/common/optional/desktop/flatpak.nix
@ -9,4 +9,6 @@
  # Create folder where all fonts are linked to /run/current-system/sw/share/X11/fonts
  fonts.fontDir.enable = true;
  xdg.portal.enable = true;
 }
--- a/hosts/common/optional/desktop/global.nix
+++ b/hosts/common/optional/desktop/global.nix
@ -4,15 +4,13 @@
  pkgs,
  ...
 }: {
-  imports = [./pipewire.nix ../printing.nix ./flatpak.nix ./xdg.nix ./xremap.nix];
+  imports = [./pipewire.nix ../printing.nix ./flatpak.nix ./xremap.nix];
  # Enable networking
  networking.networkmanager.enable = true;
  # Enable for GTK
  programs.dconf.enable = true;
-  services.xserver = {
+  # Fix for qt6 plugins
-    displayManager.sddm.enable = true;
+  environment.profileRelativeSessionVariables = {
    QT_PLUGIN_PATH = ["/lib/qt-6/plugins"];
  };
 }
--- a/hosts/common/optional/desktop/gnome.nix
+++ b/hosts/common/optional/desktop/gnome.nix
@ -11,6 +11,41 @@
      desktopManager.gnome = {
        enable = true;
      };
      libinput.enable = true;
      modules = [pkgs.xf86_input_wacom];
      wacom.enable = true;
    };
    udev.packages = with pkgs; [
      gnome.gnome-settings-daemon
    ];
  };
  environment = {
    systemPackages = with pkgs; [
      # System-Wide Packages
      gnome.adwaita-icon-theme
      gnome.dconf-editor
      gnome.gnome-tweaks
      gnomeExtensions.kimpanel
      gnomeExtensions.vitals
      gnomeExtensions.tray-icons-reloaded
    ];
    gnome.excludePackages =
      (with pkgs; [
        # Ignored Packages
        gnome-tour
        gedit
      ])
      ++ (with pkgs.gnome; [
        atomix
        epiphany
        geary
        gnome-characters
        gnome-contacts
        gnome-initial-setup
        hitori
        iagno
        tali
      ]);
  };
 }
--- a/hosts/common/optional/desktop/japanese.nix
+++ b/hosts/common/optional/desktop/japanese.nix
@ -0,0 +1,13 @@
 {pkgs, ...}: {
  i18n.inputMethod = {
    enabled = "fcitx5";
    fcitx5.addons = with pkgs; [
      fcitx5-mozc
      fcitx5-gtk
    ];
    fcitx5.waylandFrontend = true;
  };
  fonts.packages = with pkgs; [
    noto-fonts-cjk-sans
  ];
 }
--- a/hosts/common/optional/desktop/pipewire.nix
+++ b/hosts/common/optional/desktop/pipewire.nix
@ -1,4 +1,4 @@
-{
+{pkgs, ...}: {
  security.rtkit.enable = true;
  hardware.pulseaudio.enable = false;
  services.pipewire = {
@ -8,4 +8,6 @@
    pulse.enable = true;
    jack.enable = true;
  };
  environment.systemPackages = with pkgs; [pavucontrol pulseaudio qpwgraph];
 }
--- a/hosts/common/optional/desktop/plasma.nix
+++ b/hosts/common/optional/desktop/plasma.nix
@ -0,0 +1,15 @@
 {pkgs, ...}: {
  imports = [./global.nix ./x11.nix];
  services.xserver.desktopManager.plasma5.enable = true;
  environment.plasma5.excludePackages = with pkgs.libsForQt5; [
    elisa
    gwenview
    okular
    oxygen
    khelpcenter
    konsole
    plasma-browser-integration
    print-manager
  ];
 }
--- a/hosts/common/optional/desktop/xremap.nix
+++ b/hosts/common/optional/desktop/xremap.nix
@ -1,21 +1,63 @@
 {
  pkgs,
  inputs,
  lib,
  ...
 }: {
  imports = [
    inputs.xremap.nixosModules.default
  ];
  hardware.uinput.enable = true;
  users.groups.uinput.members = ["ghoscht"];
  users.groups.input.members = ["ghoscht"];
  systemd.user.services.set-xhost = {
    description = "Run a one-shot command upon user login";
    path = [pkgs.xorg.xhost];
    wantedBy = ["default.target"];
    script = "xhost +SI:localuser:root";
    environment.DISPLAY = ":0"; # NOTE: This is hardcoded for this flake
  };
  services.xremap = {
    withX11 = true;
    watch = true;
    debug = false;
    userName = "ghoscht";
    serviceMode = "user";
    config = {
      keymap = [
        {
-          name = "main remaps";
+          name = "Global";
          remap = {
-            super-e = {
+            "CapsLock" = "Esc";
-              launch = ["firefox"];
+            "Esc" = "CapsLock";
            super-x = {
              launch = ["${lib.getExe pkgs.wezterm}"];
            };
            # super-space = {
            #   launch = ["${lib.getExe pkgs.rofi}" "-i" "-show" "drun" "-show-icons"];
            # };
            # super-control-l = {
            #   launch = ["${lib.getExe pkgs.firefox}"];
            # };
            # super-control-shift-l = {
            #   launch = ["${lib.getExe pkgs.firefox}" "--private-window"];
            # };
          };
        }
        {
          name = "Music";
          remap = {
            "KEY_PLAYPAUSE" = {
              launch = ["${lib.getExe pkgs.playerctl}" "play-pause"];
            };
            "KEY_NEXTSONG" = {
              launch = ["${lib.getExe pkgs.playerctl}" "next"];
            };
            "KEY_PREVIOUSSONG" = {
              launch = ["${lib.getExe pkgs.playerctl}" "previous"];
            };
          };
        }
--- a/hosts/common/optional/docker.nix
+++ b/hosts/common/optional/docker.nix
@ -1,5 +1,13 @@
 {
  virtualisation.docker = {
    enable = true;
    daemon.settings = {
      "default-address-pools" = [
        {
          "base" = "172.29.0.0/16";
          "size" = 24;
        }
      ];
    };
  };
 }
--- a/hosts/common/optional/gaming/steam.nix
+++ b/hosts/common/optional/gaming/steam.nix
@ -1,18 +1,17 @@
-{pkgs, ...}: {
+{
-  environment.systemPackages = with pkgs.unstable; [
+  config,
-    heroic # Game Launcher
+  lib,
-    lutris # Game Launcher
+  pkgs,
-    steam # Game Launcher
+  ...
-  ];
+}: {
  programs = {
    steam = {
      enable = true;
      remotePlay.openFirewall = true;
      gamescopeSession.enable = false;
    };
-    # Steam: Right-click game - Properties - Launch options: gamemoderun %command%
+  };
-    # Lutris: General Preferences - Enable Feral GameMode
+
-    #                             - Global options - Add Environment Variables: LD_PRELOAD=/nix/store/*-gamemode-*-lib/lib/libgamemodeauto.so
+  xdg.mime = {
    defaultApplications."x-scheme-handler/steam" = "steam.desktop";
    addedAssociations."x-scheme-handler/steam" = "steam.desktop";
  };
 }
--- a/hosts/common/optional/gaming/vr.nix
+++ b/hosts/common/optional/gaming/vr.nix
@ -1,6 +0,0 @@
 {
  programs.alvr = {
    enable = true;
    openFirewall = true;
  };
 }
--- a/hosts/common/optional/gnome-keyring.nix
+++ b/hosts/common/optional/gnome-keyring.nix
@ -2,11 +2,10 @@
  config,
  lib,
  pkgs,
  vars,
  ...
 }: let
 in {
-  security.pam.services.${vars.user}.enableGnomeKeyring = true;
+  security.pam.services.sddm.enableGnomeKeyring = true;
  services.gnome.gnome-keyring.enable = true;
  programs.seahorse.enable = true;
 }
--- a/hosts/common/optional/quietboot.nix
+++ b/hosts/common/optional/quietboot.nix
@ -1,33 +0,0 @@
 {
  pkgs,
  config,
  ...
 }: {
  console = {
    useXkbConfig = true;
    earlySetup = false;
  };
  boot = {
    plymouth = {
      enable = true;
      theme = "spinner-monochrome";
      themePackages = [
        (pkgs.plymouth-spinner-monochrome.override {
          inherit (config.boot.plymouth) logo;
        })
      ];
    };
    loader.timeout = 0;
    kernelParams = [
      "quiet"
      "loglevel=3"
      "systemd.show_status=auto"
      "udev.log_level=3"
      "rd.udev.log_level=3"
      "vt.global_cursor_default=0"
    ];
    consoleLogLevel = 0;
    initrd.verbose = false;
  };
 }
--- a/hosts/common/optional/systemd-boot.nix
+++ b/hosts/common/optional/systemd-boot.nix
@ -3,6 +3,7 @@
    systemd-boot = {
      enable = true;
      consoleMode = "max";
      configurationLimit = 42;
    };
    efi.canTouchEfiVariables = true;
  };
--- a/hosts/common/optional/udisks.nix
+++ b/hosts/common/optional/udisks.nix
@ -0,0 +1,3 @@
 {
  services.udisks2.enable = true;
 }
--- a/hosts/common/optional/vsftpd.nix
+++ b/hosts/common/optional/vsftpd.nix
@ -0,0 +1,7 @@
 {
  services.vsftpd = {
    enable = true;
    writeEnable = true;
    localUsers = true;
  };
 }
--- a/hosts/eustachius/default.nix
+++ b/hosts/eustachius/default.nix
@ -0,0 +1,117 @@
 {
  pkgs,
  lib,
  ...
 }: let
  vars = import ../../vars.nix;
 in {
  imports = [../common/global/locale.nix];
  # NixOS wants to enable GRUB by default
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;
  # !!! Set to specific linux kernel version
  boot.kernelPackages = pkgs.linuxPackages;
  # Disable ZFS on kernel 6
  boot.supportedFilesystems = lib.mkForce [
    "vfat"
    "xfs"
    "cifs"
    "ntfs"
  ];
  # !!! Needed for the virtual console to work on the RPi 3, as the default of 16M doesn't seem to be enough.
  # If X.org behaves weirdly (I only saw the cursor) then try increasing this to 256M.
  # On a Raspberry Pi 4 with 4 GB, you should either disable this parameter or increase to at least 64M if you want the USB ports to work.
  boot.kernelParams = ["cma=256M"];
  # File systems configuration for using the installer's partition layout
  fileSystems = {
    # Prior to 19.09, the boot partition was hosted on the smaller first partition
    # Starting with 19.09, the /boot folder is on the main bigger partition.
    # The following is to be used only with older images.
    /*
    "/boot" = {
    device = "/dev/disk/by-label/NIXOS_BOOT";
    fsType = "vfat";
    };
    */
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };
  # !!! Adding a swap file is optional, but strongly recommended!
  swapDevices = [
    {
      device = "/swapfile";
      size = 1024;
    }
  ];
  # systemPackages
  environment.systemPackages = with pkgs; [
    neovim
    curl
    wget
  ];
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "yes";
  };
  services.restic.server = {
    enable = true;
    dataDir = "/mnt/backups";
    extraFlags = ["--no-auth"];
  };
  services.tailscale = {
    enable = true;
    useRoutingFeatures = "server";
  };
  virtualisation.docker.enable = true;
  networking.firewall.enable = false;
  # Networking
  networking.useDHCP = true;
  # forwarding
  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = true;
    "net.ipv4.tcp_ecn" = true;
  };
  # put your own configuration here, for example ssh keys:
  users.mutableUsers = true;
  users.users.nixos = {
    isNormalUser = true;
    password = "changeme";
    extraGroups = ["wheel" "docker"];
    openssh.authorizedKeys.keys = [
      #Adalbert
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJd6Gut34abkwlZ4tZVBO4Qt7CkIpPm/Z8R6JCisjnYy openpgp:0xBD0CFCA0"
      #Ludwig
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlRsnLqm6Ap3yKEEhtFiWavo72df/X5Il1ZCmENUqev openpgp:0xDE189CA5"
      #Franz
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIINCjLoirHMos7c9lRatWtSYAk68xbUGc8vPU0wFxIzj openpgp:0x7430326E"
    ];
  };
  users.users.admin = {
    isNormalUser = true;
    extraGroups = ["wheel"]; # Enable ‘sudo’ for the user.
    hashedPassword = "blablabla"; # generate with `mkpasswd`
  };
  nix.settings.trusted-users = ["admin" "ghoscht" "nixos"];
  system.stateVersion = "23.11";
 }
--- a/hosts/franz/README.md
+++ b/hosts/franz/README.md
@ -0,0 +1,7 @@
 # Franz
 ## Drive Formatting
 ```sh
 sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ../../disko/btrfs-swap.nix --arg device '"/dev/nvme0n1"'
 ```
--- a/hosts/franz/arion/auth/arion-compose.nix
+++ b/hosts/franz/arion/auth/arion-compose.nix
@ -0,0 +1,131 @@
 let
  authentikImage = "ghcr.io/goauthentik/server:2024.8.2";
 in {
  project.name = "auth";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  networks.internal = {};
  services = {
    authentik.service = {
      image = authentikImage;
      container_name = "authentik";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.services.authentik.loadbalancer.server.port" = "9000";
        "traefik.http.routers.authentik.service" = "authentik";
        "traefik.http.routers.authentik.rule" = "Host(`auth.ghoscht.com`)";
        "traefik.http.routers.authentik.entrypoints" = "websecure";
        "traefik.http.routers.authentik.tls" = "true";
        "traefik.http.routers.authentik.tls.certresolver" = "letsencrypt";
        "traefik.http.services.authentik-external.loadbalancer.server.port" = "9000";
        "traefik.http.routers.authentik-external.service" = "authentik-external";
        "traefik.http.routers.authentik-external.rule" = "Host(`auth.ghoscht.com`)";
        "traefik.http.routers.authentik-external.entrypoints" = "websecure-external";
        "traefik.http.routers.authentik-external.tls" = "true";
        "traefik.http.routers.authentik-external.tls.certresolver" = "letsencrypt";
        "diun.enable" = "true";
        "diun.watch_repo" = "true";
        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
      };
      command = "server";
      environment = {
        AUTHENTIK_REDIS__HOST = "redis";
        AUTHENTIK_POSTGRESQL__HOST = "postgres";
        AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
      };
      env_file = [
        "/home/ghoscht/.docker/auth/authentik.env"
      ];
      restart = "always";
      depends_on = {
        redis = {condition = "service_healthy";};
        postgres = {condition = "service_healthy";};
      };
      volumes = [
        "/storage/dataset/docker/auth/authentik_media:/media"
        "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
      ];
      networks = [
        "dmz"
        "internal"
      ];
    };
    worker.service = {
      image = authentikImage;
      command = "worker";
      environment = {
        AUTHENTIK_REDIS__HOST = "redis";
        AUTHENTIK_POSTGRESQL__HOST = "postgres";
        AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
      };
      env_file = [
        "/home/ghoscht/.docker/auth/authentik.env"
      ];
      depends_on = {
        redis = {condition = "service_healthy";};
        postgres = {condition = "service_healthy";};
      };
      volumes = [
        "/var/run/docker.sock:/var/run/docker.sock"
        "/storage/dataset/docker/auth/authentik_media:/media"
        "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
      ];
      restart = "always";
      user = "root";
      networks = [
        "internal"
      ];
    };
    redis.service = {
      image = "redis:7.2.4";
      command = "--save 60 1 --loglevel warning";
      healthcheck = {
        test = [
          "CMD-SHELL"
          "redis-cli ping | grep PONG"
        ];
        start_period = "20s";
        interval = "30s";
        retries = 5;
        timeout = "5s";
      };
      restart = "always";
      volumes = [
        "/storage/dataset/docker/auth/redis_data:/data"
      ];
      networks = [
        "internal"
      ];
    };
    postgres.service = {
      image = "postgres:12.18";
      restart = "always";
      env_file = [
        "/home/ghoscht/.docker/auth/postgres.env"
      ];
      volumes = [
        "/storage/dataset/docker/auth/postgres_data:/var/lib/postgresql/data"
      ];
      healthcheck = {
        test = [
          "CMD-SHELL"
          "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
        ];
        start_period = "20s";
        interval = "30s";
        retries = 5;
        timeout = "5s";
      };
      networks = [
        "internal"
      ];
    };
  };
 }
--- a/hosts/franz/arion/auth/arion-pkgs.nix
+++ b/hosts/franz/arion/auth/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/auth/default.nix
+++ b/hosts/franz/arion/auth/default.nix
@ -0,0 +1,45 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  virtualisation.arion = {
    projects.auth.settings = {
      imports = [./arion-compose.nix];
    };
  };
  sops.secrets."auth/postgres_db" = {
    owner = vars.user;
  };
  sops.secrets."auth/postgres_user" = {
    owner = vars.user;
  };
  sops.secrets."auth/postgres_pw" = {
    owner = vars.user;
  };
  sops.secrets."auth/authentik_secret_key" = {
    owner = vars.user;
  };
  sops.templates."auth-postgres.env" = {
    path = "/home/${vars.user}/.docker/auth/postgres.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      POSTGRES_PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
      POSTGRES_USER="${config.sops.placeholder."auth/postgres_user"}"
      POSTGRES_DB="${config.sops.placeholder."auth/postgres_db"}"
    '';
  };
  sops.templates."auth-authentik.env" = {
    path = "/home/${vars.user}/.docker/auth/authentik.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      AUTHENTIK_POSTGRESQL__PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
      AUTHENTIK_POSTGRESQL__USER="${config.sops.placeholder."auth/postgres_user"}"
      AUTHENTIK_POSTGRESQL__NAME="${config.sops.placeholder."auth/postgres_db"}"
      AUTHENTIK_SECRET_KEY="${config.sops.placeholder."auth/authentik_secret_key"}"
    '';
  };
 }
--- a/hosts/franz/arion/dashboard/arion-compose.nix
+++ b/hosts/franz/arion/dashboard/arion-compose.nix
@ -0,0 +1,42 @@
 {pkgs, ...}: {
  project.name = "dashboard";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  services = {
    homarr.service = {
      image = "ghcr.io/ajnart/homarr:0.15.3";
      container_name = "homarr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.homarr.entrypoints" = "websecure";
        "traefik.http.routers.homarr.rule" = "Host(`dashboard.ghoscht.com`)";
        "traefik.http.routers.homarr.tls" = "true";
        "traefik.http.routers.homarr.tls.certresolver" = "letsencrypt";
      };
      environment = {
        AUTH_PROVIDER = "oidc";
        AUTH_OIDC_URI = "https://auth.ghoscht.com/application/o/homarr";
        AUTH_OIDC_CLIENT_NAME = "authentik";
        NEXTAUTH_URL = "https://dashboard.ghoscht.com";
        AUTH_OIDC_ADMIN_GROUP = "Homarr Admins";
        AUTH_OIDC_OWNER_GROUP = "Homarr Admins";
      };
      env_file = [
        "/home/ghoscht/.docker/dashboard/homarr.env"
      ];
      volumes = [
        "/storage/dataset/docker/dashboard/homarr_data:/data"
        "/storage/dataset/docker/dashboard/homarr_config:/app/data/configs"
        "/storage/dataset/docker/dashboard/homarr_icons:/app/public/imgs"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
  };
 }
--- a/hosts/franz/arion/dashboard/arion-pkgs.nix
+++ b/hosts/franz/arion/dashboard/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/dashboard/default.nix
+++ b/hosts/franz/arion/dashboard/default.nix
@ -0,0 +1,24 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  virtualisation.arion = {
    projects.dashboard.settings = {
      imports = [./arion-compose.nix];
    };
  };
  sops.secrets."homarr/oidc_client_id" = {
    owner = vars.user;
  };
  sops.secrets."homarr/oidc_client_secret" = {
    owner = vars.user;
  };
  sops.templates."homarr.env" = {
    path = "/home/${vars.user}/.docker/dashboard/homarr.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      AUTH_OIDC_CLIENT_SECRET="${config.sops.placeholder."homarr/oidc_client_secret"}"
      AUTH_OIDC_CLIENT_ID="${config.sops.placeholder."homarr/oidc_client_id"}"
    '';
  };
 }
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@ -0,0 +1,51 @@
 {
  inputs,
  pkgs,
  config,
  ...
 }: {
  imports = [
    inputs.arion.nixosModules.arion
    ./dns
    ./infrastructure
    ./nextcloud
    ./push
    ./git
    ./passwords
    ./media
    ./dashboard
    ./smarthome
    ./signal
    ./feed
    ./matrix
    ./headscale
    ./auth
    ./minio
    ./stats
    ./wiki
  ];
  environment.systemPackages = with pkgs; [arion];
  virtualisation.arion.backend = "docker";
  systemd.services.init-dmz-bridge-network = {
    description = "Create the network bridge dmz for the Docker stack.";
    after = ["network.target"];
    wantedBy = ["multi-user.target"];
    serviceConfig.Type = "oneshot";
    script = let
      dockercli = "${config.virtualisation.docker.package}/bin/docker";
    in ''
      # Put a true at the end to prevent getting non-zero return code, which will
      # crash the whole service.
      check=$(${dockercli} network ls | grep "dmz" || true)
      if [ -z "$check" ]; then
        ${dockercli} network create dmz
      else
        echo "dmz already exists in docker"
      fi
    '';
  };
 }
--- a/hosts/franz/arion/dns/arion-compose.nix
+++ b/hosts/franz/arion/dns/arion-compose.nix
@ -0,0 +1,76 @@
 {pkgs, ...}: {
  project.name = "dns";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  networks.dns = {
    name = "dns";
    driver = "bridge";
    ipam.config = [
      {
        subnet = "172.28.1.0/24";
        ip_range = "172.28.1.5/30";
        gateway = "172.28.1.1";
      }
    ];
  };
  services = {
    pihole.service = {
      image = "pihole/pihole:2024.03.1";
      container_name = "pihole";
      hostname = "pihole";
      environment = {
        IPv6 = "True";
        TZ = "Europe/Berlin";
        SKIPGRAVITYONBOOT = 1;
        VIRTUAL_HOST = "pihole.ghoscht.com";
      };
      volumes = [
        "/storage/dataset/docker/dns/pihole_data:/etc/pihole"
        "/storage/dataset/docker/dns/pihole_dnsmasq:/etc/dnsmasq.d"
      ];
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.pihole.entrypoints" = "websecure";
        "traefik.http.routers.pihole.rule" = "Host(`pihole.ghoscht.com`)";
        "traefik.http.services.pihole.loadbalancer.server.port" = "80";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.pihole.tls" = "true";
        "traefik.http.routers.pihole.tls.certresolver" = "letsencrypt";
      };
      restart = "always";
      networks = {
        dmz = {};
        dns = {
          ipv4_address = "172.28.1.6";
        };
      };
      capabilities = {
        NET_ADMIN = true;
      };
      ports = [
        "8420:80"
        "53:53/tcp"
        "53:53/udp"
      ];
    };
    unbound.service = {
      image = "mvance/unbound:1.19.3";
      container_name = "unbound";
      useHostStore = true;
      volumes = [
        "/storage/dataset/docker/dns/unbound_data:/opt/unbound/etc/unbound"
      ];
      restart = "always";
      networks = {
        dns = {
          ipv4_address = "172.28.1.5";
        };
      };
    };
  };
 }
--- a/hosts/franz/arion/dns/arion-pkgs.nix
+++ b/hosts/franz/arion/dns/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/dns/default.nix
+++ b/hosts/franz/arion/dns/default.nix
@ -0,0 +1,11 @@
 {pkgs, ...}: {
  virtualisation.arion = {
    projects.dns.settings = {
      imports = [./arion-compose.nix];
    };
  };
  # Fix containers not being able to use pihole as dns
  networking.resolvconf.useLocalResolver = true;
  networking.firewall.allowedTCPPorts = [80 443];
 }
--- a/hosts/franz/arion/feed/arion-compose.nix
+++ b/hosts/franz/arion/feed/arion-compose.nix
@ -0,0 +1,46 @@
 {pkgs, ...}: {
  project.name = "feed";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  networks.transport = {};
  services = {
    ttrss.service = {
      image = "wangqiru/ttrss:latest-2024-02-28";
      container_name = "ttrss";
      ports = [
        "181:80"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        DB_HOST = "feed-db";
      };
      env_file = [
        "/home/ghoscht/.docker/feed/ttrss.env"
      ];
      restart = "always";
      networks = [
        "dmz"
        "transport"
      ];
    };
    feed-db.service = {
      image = "postgres:13-alpine";
      volumes = [
        "/storage/dataset/docker/feed/ttrss_db:/var/lib/postgresql/data"
      ];
      env_file = [
        "/home/ghoscht/.docker/feed/ttrss.env"
      ];
      restart = "always";
      networks = [
        "transport"
      ];
    };
  };
 }
--- a/hosts/franz/arion/feed/arion-pkgs.nix
+++ b/hosts/franz/arion/feed/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/feed/default.nix
+++ b/hosts/franz/arion/feed/default.nix
@ -0,0 +1,22 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  virtualisation.arion = {
    projects.feed.settings = {
      imports = [./arion-compose.nix];
    };
  };
  sops.secrets."ttrss/db_password" = {
    owner = vars.user;
  };
  sops.templates."ttrss.env" = {
    path = "/home/${vars.user}/.docker/feed/ttrss.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      DB_PASS="${config.sops.placeholder."ttrss/db_password"}"
    '';
  };
 }
--- a/hosts/franz/arion/git/arion-compose.nix
+++ b/hosts/franz/arion/git/arion-compose.nix
@ -0,0 +1,71 @@
 {pkgs, ...}: {
  project.name = "git";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  networks.transport = {};
  services = {
    forgejo.service = {
      image = "codeberg.org/forgejo/forgejo:8.0.3";
      container_name = "forgejo";
      useHostStore = true;
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.docker.network" = "dmz";
        "traefik.http.services.forgejo.loadbalancer.server.port" = "3000";
        "traefik.http.routers.forgejo.service" = "forgejo";
        "traefik.http.routers.forgejo.entrypoints" = "websecure";
        "traefik.http.routers.forgejo.rule" = "Host(`git.ghoscht.com`)";
        "traefik.http.routers.forgejo.tls" = "true";
        "traefik.http.routers.forgejo.tls.certresolver" = "letsencrypt";
        "traefik.http.services.forgejo-external.loadbalancer.server.port" = "3000";
        "traefik.http.routers.forgejo-external.service" = "forgejo-external";
        "traefik.http.routers.forgejo-external.rule" = "Host(`git.ghoscht.com`)";
        "traefik.http.routers.forgejo-external.entrypoints" = "websecure-external";
        "traefik.http.routers.forgejo-external.tls" = "true";
        "traefik.http.routers.forgejo-external.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/git/forgejo_data:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      ports = [
        "2222:22"
      ];
      environment = {
        USER_UID = 1000;
        USER_GID = 1000;
        GITEA__database__DB_TYPE = "postgres";
        GITEA__database__HOST = "git-db:5432";
      };
      env_file = [
        "/home/ghoscht/.docker/git/forgejo.env"
      ];
      restart = "unless-stopped";
      networks = [
        "dmz"
        "transport"
      ];
    };
    git-db.service = {
      image = "postgres:15.3-bullseye";
      env_file = [
        "/home/ghoscht/.docker/git/forgejo-db.env"
      ];
      volumes = [
        "/storage/dataset/docker/git/forgejo_db:/var/lib/postgresql/data"
      ];
      restart = "unless-stopped";
      networks = [
        "transport"
      ];
    };
  };
 }
--- a/hosts/franz/arion/git/arion-pkgs.nix
+++ b/hosts/franz/arion/git/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/git/default.nix
+++ b/hosts/franz/arion/git/default.nix
@ -0,0 +1,41 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  virtualisation.arion = {
    projects.git.settings = {
      imports = [./arion-compose.nix];
    };
  };
  sops.secrets."forgejo/db_password" = {
    owner = vars.user;
  };
  sops.secrets."forgejo/db_user" = {
    owner = vars.user;
  };
  sops.secrets."forgejo/db_database" = {
    owner = vars.user;
  };
  sops.templates."forgejo.env" = {
    path = "/home/${vars.user}/.docker/git/forgejo.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      GITEA__database__NAME="${config.sops.placeholder."forgejo/db_database"}"
      GITEA__database__USER="${config.sops.placeholder."forgejo/db_user"}"
      GITEA__database__PASSWD="${config.sops.placeholder."forgejo/db_password"}"
    '';
  };
  sops.templates."forgejo-db.env" = {
    path = "/home/${vars.user}/.docker/git/forgejo-db.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      POSTGRES_DB="${config.sops.placeholder."forgejo/db_database"}"
      POSTGRES_USER="${config.sops.placeholder."forgejo/db_user"}"
      POSTGRES_PASSWORD="${config.sops.placeholder."forgejo/db_password"}"
    '';
  };
 }
--- a/hosts/franz/arion/headscale/arion-compose.nix
+++ b/hosts/franz/arion/headscale/arion-compose.nix
@ -0,0 +1,56 @@
 {pkgs, ...}: {
  project.name = "headscale";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  services = {
    headscale.service = {
      image = "headscale/headscale:0.22.3-debug";
      container_name = "headscale";
      restart = "always";
      command = "headscale serve";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.services.headscale.loadbalancer.server.port" = "8080";
        "traefik.http.routers.headscale.service" = "headscale";
        "traefik.http.routers.headscale.entrypoints" = "websecure";
        "traefik.http.routers.headscale.rule" = "Host(`headscale.ghoscht.com`)";
        "traefik.http.routers.headscale.tls" = "true";
        "traefik.http.routers.headscale.tls.certresolver" = "letsencrypt";
        "traefik.http.services.headscale-external.loadbalancer.server.port" = "8080";
        "traefik.http.routers.headscale-external.service" = "headscale-external";
        "traefik.http.routers.headscale-external.rule" = "Host(`headscale.ghoscht.com`)";
        "traefik.http.routers.headscale-external.entrypoints" = "websecure-external";
        "traefik.http.routers.headscale-external.tls" = "true";
        "traefik.http.routers.headscale-external.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/headscale/headscale_config:/etc/headscale"
        "/storage/dataset/docker/headscale/headscale_data:/var/lib/headscale"
      ];
      networks = [
        "dmz"
      ];
    };
    headscale-ui.service = {
      image = "ghcr.io/gurucomputing/headscale-ui:2024.02.24-beta1";
      container_name = "headscale-ui";
      restart = "always";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.headscale-ui.entrypoints" = "websecure";
        "traefik.http.routers.headscale-ui.rule" = "PathPrefix(`/web`)&&Host(`headscale.ghoscht.com`)";
        "traefik.http.services.headscale-ui.loadbalancer.server.port" = "80";
        "traefik.http.routers.headscale-ui.tls" = "true";
        "traefik.http.routers.headscale-ui.tls.certresolver" = "letsencrypt";
      };
      networks = [
        "dmz"
      ];
    };
  };
 }
--- a/hosts/franz/arion/headscale/arion-pkgs.nix
+++ b/hosts/franz/arion/headscale/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/headscale/default.nix
+++ b/hosts/franz/arion/headscale/default.nix
@ -0,0 +1,15 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  # Tailscale client for exit node/routes
  services.tailscale = {
    enable = true;
    useRoutingFeatures = "server";
  };
  virtualisation.arion = {
    projects.headscale.settings = {
      imports = [./arion-compose.nix];
    };
  };
 }
--- a/hosts/franz/arion/infrastructure/arion-compose.nix
+++ b/hosts/franz/arion/infrastructure/arion-compose.nix
@ -0,0 +1,169 @@
 {pkgs, ...}: {
  project.name = "infrastructure";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  docker-compose.volumes = {
    traefik-logs = null;
  };
  services = {
    traefik.service = {
      image = "traefik:3.1.4";
      container_name = "traefik";
      useHostStore = true;
      ports = [
        "80:80"
        "81:81"
        "443:443"
        "444:444"
        "8421:8080"
      ];
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.http.routers.dashboard.rule" = "Host(`traefik.ghoscht.com`)";
        "traefik.http.routers.dashboard.entrypoints" = "websecure";
        "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
        "traefik.http.routers.dashboard.tls" = "true";
        "traefik.http.routers.dashboard.tls.certresolver" = "letsencrypt";
        "traefik.http.routers.dashboard.tls.domains[0].main" = "ghoscht.com";
        "traefik.http.routers.dashboard.tls.domains[0].sans" = "*.ghoscht.com";
        "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme" = "https";
        "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto" = "https";
      };
      volumes = [
        "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
        "/home/ghoscht/.docker/infrastructure/traefik_config/conf:/conf:ro"
        "/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json"
        "/var/run/docker.sock:/var/run/docker.sock:ro"
        "traefik-logs:/var/log/traefik"
      ];
      env_file = [
        "/home/ghoscht/.docker/infrastructure/traefik.env"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    crowdsec.service = {
      image = "crowdsecurity/crowdsec:v1.6.3";
      container_name = "crowdsec";
      environment = {
        GID = "1000";
        COLLECTIONS = "crowdsecurity/linux crowdsecurity/traefik firix/authentik LePresidente/gitea Dominic-Wagner/vaultwarden";
      };
      volumes = [
        "/storage/dataset/docker/infrastructure/crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml"
        "/storage/dataset/docker/infrastructure/crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml"
        "/storage/dataset/docker/infrastructure/crowdsec_config/ntfy.yaml:/etc/crowdsec/notifications/ntfy.yaml"
        "/storage/dataset/docker/infrastructure/crowdsec_db:/var/lib/crowdsec/data/"
        "/storage/dataset/docker/infrastructure/crowdsec_data:/etc/crowdsec/"
        "traefik-logs:/var/log/traefik/:ro"
        "/var/run/docker.sock:/var/run/docker.sock:ro"
      ];
      labels = {
        "diun.enable" = "true";
        "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
      };
      depends_on = [
        "traefik"
      ];
      networks = [
        "dmz"
      ];
      restart = "always";
    };
    bouncer-traefik.service = {
      image = "fbonalair/traefik-crowdsec-bouncer:0.5.0";
      environment = {
        CROWDSEC_AGENT_HOST = "crowdsec:8080";
      };
      env_file = [
        "/home/ghoscht/.docker/infrastructure/traefik-bouncer.env"
      ];
      depends_on = [
        "crowdsec"
      ];
      networks = [
        "dmz"
      ];
      restart = "always";
    };
    scrutiny.service = {
      image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
      container_name = "scrutiny";
      restart = "always";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.scrutiny.entrypoints" = "websecure";
        "traefik.http.routers.scrutiny.rule" = "Host(`scrutiny.ghoscht.com`)";
        "traefik.http.services.scrutiny.loadbalancer.server.port" = "8080";
        "traefik.http.routers.scrutiny.tls" = "true";
        "traefik.http.routers.scrutiny.tls.certresolver" = "letsencrypt";
      };
      capabilities = {
        SYS_RAWIO = true;
        SYS_ADMIN = true; #enables nvme support
      };
      volumes = [
        "/run/udev:/run/udev:ro"
        "/storage/dataset/docker/infrastructure/scrutiny_data:/opt/scrutiny/config"
        "/storage/dataset/docker/infrastructure/scrutiny_influxdb_data:/opt/scrutiny/influxdb"
      ];
      devices = [
        "/dev/nvme0"
        "/dev/sda"
        "/dev/sdb"
        "/dev/sdc"
        "/dev/sdd"
        "/dev/sde"
        "/dev/sdf"
      ];
      networks = [
        "dmz"
      ];
    };
    diun.service = {
      image = "crazymax/diun:4.28";
      container_name = "diun";
      restart = "always";
      volumes = [
        "/storage/dataset/docker/infrastructure/diun_data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        TZ = "Europe/Berlin";
        LOG_LEVEL = "info";
        #Only when setting workers=1 sorting can be actually observed
        DIUN_WATCH_WORKERS = "20";
        DIUN_WATCH_SCHEDULE = "0 */6 * * *";
        DIUN_WATCH_JITTER = "30s";
        DIUN_WATCH_RUNONSTARTUP = "true";
        DIUN_PROVIDERS_DOCKER = "true";
        DIUN_DEFAULTS_SORTTAGS = "semver";
        DIUN_DEFAULTS_INCLUDETAGS = "^\\d+\\.\\d+\\.\\d+$$";
        DIUN_DEFAULTS_WATCHREPO = "true";
        DIUN_DEFAULTS_MAXTAGS = 1;
        DIUN_DEFAULTS_NOTIFYON = "new";
        DIUN_NOTIF_NTFY_ENDPOINT = "http://ntfy";
        DIUN_NOTIF_NTFY_TOPIC = "docker-updates";
      };
      env_file = [
        "/home/ghoscht/.docker/infrastructure/diun.env"
      ];
      networks = [
        "dmz"
      ];
    };
  };
 }
--- a/hosts/franz/arion/infrastructure/arion-pkgs.nix
+++ b/hosts/franz/arion/infrastructure/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/infrastructure/default.nix
+++ b/hosts/franz/arion/infrastructure/default.nix
@ -0,0 +1,132 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  virtualisation.arion = {
    projects.infrastructure.settings = {
      imports = [./arion-compose.nix];
    };
  };
  sops.secrets."cloudflared/tunnel_token" = {
    owner = vars.user;
  };
  sops.secrets."traefik/acme_email" = {
    owner = vars.user;
  };
  sops.secrets."traefik/cloudflare_email" = {
    owner = vars.user;
  };
  sops.secrets."traefik/cloudflare_api_key" = {
    owner = vars.user;
  };
  sops.secrets."crowdsec/traefik_bouncer_api_key" = {
    owner = vars.user;
  };
  sops.secrets."diun/ntfy_access_token" = {
    owner = vars.user;
  };
  sops.templates."cloudflared.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
    '';
  };
  sops.templates."traefik.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
      CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
    '';
  };
  sops.templates."traefik-bouncer.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/traefik-bouncer.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      CROWDSEC_BOUNCER_API_KEY="${config.sops.placeholder."crowdsec/traefik_bouncer_api_key"}"
    '';
  };
  sops.templates."traefik.yml" = {
    path = "/home/${vars.user}/.docker/infrastructure/traefik_config/traefik.yml";
    owner = vars.user;
    mode = "0775";
    content = ''
      api:
        dashboard: true
        debug: true
        insecure: true
      entryPoints:
        web:
          address: ":80"
          http:
            redirections:
              entrypoint:
                to: websecure
                scheme: https
        websecure:
          address: ":443"
        web-external:
          address: ":81"
          http:
            redirections:
              entrypoint:
                to: websecure-external
                scheme: https
            middlewares:
              - crowdsec-bouncer@file
        websecure-external:
          address: ":444"
          http:
            middlewares:
              - crowdsec-bouncer@file
      providers:
        docker:
          watch: true
          exposedByDefault: false
          network: dmz
        file:
          watch: true
          directory: /conf/
      certificatesResolvers:
        letsencrypt:
          acme:
            email: ${config.sops.placeholder."traefik/acme_email"}
            storage: acme.json
            dnsChallenge:
              provider: cloudflare
              resolvers:
                - "1.1.1.1:53"
                - "1.0.0.1:53"
      log:
        level: "INFO"
        filePath: "/var/log/traefik/traefik.log"
      accessLog:
        filePath: "/var/log/traefik/access.log"
    '';
  };
  sops.templates."diun.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/diun.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      DIUN_NOTIF_NTFY_TOKEN="${config.sops.placeholder."diun/ntfy_access_token"}"
    '';
  };
  services.cron = {
    enable = true;
    systemCronJobs = [
      "0 * * * *      root    . /etc/profile; docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade >> /var/log/crowdsec-update.log"
    ];
  };
 }
--- a/hosts/franz/arion/matrix/arion-compose.nix
+++ b/hosts/franz/arion/matrix/arion-compose.nix
@ -0,0 +1,113 @@
 {pkgs, ...}: {
  project.name = "matrix";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  networks.transport = {};
  services = {
    synapse.service = {
      image = "matrixdotorg/synapse:v1.113.0";
      container_name = "synapse";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.services.synapse.loadbalancer.server.port" = "8008";
        "traefik.http.routers.synapse.service" = "synapse";
        "traefik.http.routers.synapse.entrypoints" = "websecure";
        "traefik.http.routers.synapse.rule" = "Host(`synapse.ghoscht.com`)";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.synapse.tls" = "true";
        "traefik.http.routers.synapse.tls.certresolver" = "letsencrypt";
        "traefik.http.services.synapse-external.loadbalancer.server.port" = "8008";
        "traefik.http.routers.synapse-external.service" = "synapse-external";
        "traefik.http.routers.synapse-external.rule" = "Host(`synapse.ghoscht.com`)";
        "traefik.http.routers.synapse-external.entrypoints" = "websecure-external";
        "traefik.http.routers.synapse-external.tls" = "true";
        "traefik.http.routers.synapse-external.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/matrix/synapse_data:/data"
      ];
      env_file = [
        "/home/ghoscht/.docker/matrix/synapse.env"
      ];
      environment = {
        UID = "1000";
        GID = "1000";
        TZ = "Europe/Berlin";
      };
      restart = "unless-stopped";
      networks = [
        "dmz"
        "transport"
      ];
    };
    postgres.service = {
      image = "postgres:14";
      env_file = [
        "/home/ghoscht/.docker/matrix/synapse.env"
      ];
      volumes = [
        "/storage/dataset/docker/matrix/synapse_db:/var/lib/postgresql/data"
      ];
      restart = "unless-stopped";
      networks = [
        "transport"
      ];
    };
    matrix-nginx.service = {
      container_name = "matrix-nginx";
      image = "nginx:1.25.4";
      volumes = [
        "/storage/dataset/docker/matrix/nginx_data/matrix.conf:/etc/nginx/conf.d/matrix.conf"
        "/storage/dataset/docker/matrix/nginx_data/www:/var/www/"
      ];
      labels = {
        "traefik.enable" = "true";
        "traefik.http.services.matrix.loadbalancer.server.port" = "80";
        "traefik.http.routers.matrix.service" = "matrix";
        "traefik.http.routers.matrix.entrypoints" = "websecure";
        "traefik.http.routers.matrix.rule" = "Host(`matrix.ghoscht.com`)";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.matrix.tls" = "true";
        "traefik.http.routers.matrix.tls.certresolver" = "letsencrypt";
        "traefik.http.services.matrix-external.loadbalancer.server.port" = "80";
        "traefik.http.routers.matrix-external.service" = "matrix-external";
        "traefik.http.routers.matrix-external.rule" = "Host(`matrix.ghoscht.com`)";
        "traefik.http.routers.matrix-external.entrypoints" = "websecure-external";
        "traefik.http.routers.matrix-external.tls" = "true";
        "traefik.http.routers.matrix-external.tls.certresolver" = "letsencrypt";
      };
      restart = "unless-stopped";
      networks = [
        "transport"
        "dmz"
      ];
    };
    element.service = {
      image = "vectorim/element-web:v1.11.64";
      volumes = [
        "/storage/dataset/docker/matrix/element_data/element-config.json:/app/config.json"
      ];
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.element.entrypoints" = "websecure";
        "traefik.http.routers.element.rule" = "Host(`chat.ghoscht.com`)";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.element.tls" = "true";
        "traefik.http.routers.element.tls.certresolver" = "letsencrypt";
      };
      restart = "unless-stopped";
      networks = [
        "dmz"
      ];
    };
  };
 }
--- a/hosts/franz/arion/matrix/arion-pkgs.nix
+++ b/hosts/franz/arion/matrix/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/matrix/default.nix
+++ b/hosts/franz/arion/matrix/default.nix
@ -0,0 +1,30 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  # virtualisation.arion = {
  #   projects.matrix.settings = {
  #     imports = [./arion-compose.nix];
  #   };
  # };
  sops.secrets."matrix/postgres_password" = {
    owner = vars.user;
  };
  sops.secrets."matrix/postgres_database" = {
    owner = vars.user;
  };
  sops.secrets."matrix/postgres_user" = {
    owner = vars.user;
  };
  sops.templates."synapse.env" = {
    path = "/home/${vars.user}/.docker/matrix/synapse.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      POSTGRES_DB="${config.sops.placeholder."matrix/postgres_database"}"
      POSTGRES_USER="${config.sops.placeholder."matrix/postgres_user"}"
      POSTGRES_PASSWORD="${config.sops.placeholder."matrix/postgres_password"}"
    '';
  };
 }
--- a/hosts/franz/arion/media/arion-compose.nix
+++ b/hosts/franz/arion/media/arion-compose.nix
@ -0,0 +1,449 @@
 {pkgs, ...}: {
  project.name = "media";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  networks.internal = {};
  services = {
    jellyfin.service = {
      image = "linuxserver/jellyfin:10.9.10";
      container_name = "jellyfin";
      ports = [
        "8096:8096"
      ];
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.http.routers.jellyfin.entrypoints" = "websecure";
        "traefik.http.routers.jellyfin.rule" = "Host(`jellyfin.ghoscht.com`)";
        "traefik.http.services.jellyfin.loadbalancer.server.port" = "8096";
        "traefik.http.services.jellyfin.loadbalancer.passHostHeader" = "true";
        "traefik.http.routers.jellyfin.tls" = "true";
        "traefik.http.routers.jellyfin.tls.certresolver" = "letsencrypt";
        "diun.exclude_tags" = "\\d{4,}";
      };
      volumes = [
        "/storage/dataset/docker/media/jellyfin_data:/config"
        "/storage/dataset/data/media/tv:/tv"
        "/storage/dataset/data/media/anime:/anime"
        "/storage/dataset/data/media/movies:/movies"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    navidrome.service = {
      image = "deluan/navidrome:0.53.1";
      container_name = "navidrome";
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.docker.network" = "dmz";
        "traefik.http.services.navidrome.loadbalancer.server.port" = "4533";
        "traefik.http.routers.navidrome.service" = "navidrome";
        "traefik.http.routers.navidrome.entrypoints" = "websecure";
        "traefik.http.routers.navidrome.rule" = "Host(`music.ghoscht.com`)";
        "traefik.http.routers.navidrome.tls" = "true";
        "traefik.http.routers.navidrome.tls.certresolver" = "letsencrypt";
        "traefik.http.services.navidrome-external.loadbalancer.server.port" = "4533";
        "traefik.http.routers.navidrome-external.service" = "navidrome-external";
        "traefik.http.routers.navidrome-external.rule" = "Host(`music.ghoscht.com`)";
        "traefik.http.routers.navidrome-external.entrypoints" = "websecure-external";
        "traefik.http.routers.navidrome-external.tls" = "true";
        "traefik.http.routers.navidrome-external.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/navidrome_data:/data"
        "/storage/dataset/data/media/music:/music"
      ];
      environment = {
        ND_SESSIONTIMEOUT = "336h";
      };
      env_file = [
        "/home/ghoscht/.docker/media/navidrome.env"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    kavita.service = {
      image = "jvmilazz0/kavita:0.8.1";
      container_name = "kavita";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.kavita.entrypoints" = "websecure";
        "traefik.http.routers.kavita.rule" = "Host(`kavita.ghoscht.com`)";
        "traefik.http.services.kavita.loadbalancer.server.port" = "5000";
        "traefik.http.routers.kavita.tls" = "true";
        "traefik.http.routers.kavita.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/kavita_data:/kavita/config"
        "/storage/dataset/data/media/manga:/manga"
        "/storage/dataset/data/media/comics:/comics"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    vpn.service = {
      image = "haugene/transmission-openvpn:5.3.1";
      container_name = "transmission";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.transmission.entrypoints" = "websecure";
        "traefik.http.routers.transmission.rule" = "Host(`transmission.ghoscht.com`)";
        "traefik.http.services.transmission.loadbalancer.server.port" = "9091";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.transmission.tls" = "true";
        "traefik.http.routers.transmission.tls.certresolver" = "letsencrypt";
        "traefik.http.routers.transmission.middlewares" = "authentik@file";
      };
      volumes = [
        "/storage/dataset/docker/media/transmission_data:/config"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
        OPENVPN_PROVIDER = "WINDSCRIBE";
        OPENVPN_CONFIG = "Amsterdam-Tulip-udp";
        OVPN_PROTOCOL = "udp";
        OPENVPN_OPTS = "--reneg-sec 0 --verb 4";
        LOCAL_NETWORK = "192.168.0.0/16";
        TRANSMISSION_DOWNLOAD_DIR = "/data/torrents";
        TRANSMISSION_INCOMPLETE_DIR = "/data/torrents/incomplete";
        TRANSMISSION_WEB_UI = "flood-for-transmission";
        WEBPROXY_ENABLED = "true";
      };
      ports = ["8118:8118"];
      env_file = [
        "/home/ghoscht/.docker/media/windscribe.env"
      ];
      capabilities = {
        NET_ADMIN = true;
      };
      restart = "always";
      networks = [
        "dmz"
        "internal"
      ];
    };
    prowlarr.service = {
      image = "linuxserver/prowlarr:1.23.1";
      container_name = "prowlarr";
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.http.routers.prowlarr.entrypoints" = "websecure";
        "traefik.http.routers.prowlarr.rule" = "Host(`prowlarr.ghoscht.com`)";
        "traefik.http.services.prowlarr.loadbalancer.server.port" = "9696";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.prowlarr.tls" = "true";
        "traefik.http.routers.prowlarr.tls.certresolver" = "letsencrypt";
        "traefik.http.routers.prowlarr.middlewares" = "authentik@file";
      };
      volumes = [
        "/storage/dataset/docker/media/prowlarr_data:/config"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
      };
      restart = "always";
    };
    sonarr.service = {
      image = "linuxserver/sonarr:4.0.9";
      container_name = "sonarr";
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.http.routers.sonarr.entrypoints" = "websecure";
        "traefik.http.routers.sonarr.rule" = "Host(`sonarr.ghoscht.com`)";
        "traefik.http.services.sonarr.loadbalancer.server.port" = "8989";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.sonarr.tls" = "true";
        "traefik.http.routers.sonarr.tls.certresolver" = "letsencrypt";
        "traefik.http.routers.sonarr.middlewares" = "authentik@file";
      };
      volumes = [
        "/storage/dataset/docker/media/sonarr_data:/config"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
      };
      restart = "always";
    };
    radarr.service = {
      image = "linuxserver/radarr:5.9.1";
      container_name = "radarr";
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.http.routers.radarr.entrypoints" = "websecure";
        "traefik.http.routers.radarr.rule" = "Host(`radarr.ghoscht.com`)";
        "traefik.http.services.radarr.loadbalancer.server.port" = "7878";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.radarr.tls" = "true";
        "traefik.http.routers.radarr.tls.certresolver" = "letsencrypt";
        "traefik.http.routers.radarr.middlewares" = "authentik@file";
      };
      volumes = [
        "/storage/dataset/docker/media/radarr_data:/config"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
      };
      restart = "always";
    };
    lidarr.service = {
      image = "linuxserver/lidarr:2.5.3";
      container_name = "lidarr";
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.http.routers.lidarr.entrypoints" = "websecure";
        "traefik.http.routers.lidarr.rule" = "Host(`lidarr.ghoscht.com`)";
        "traefik.http.services.lidarr.loadbalancer.server.port" = "8686";
        "traefik.http.routers.lidarr.service" = "lidarr";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.lidarr.tls" = "true";
        "traefik.http.routers.lidarr.tls.certresolver" = "letsencrypt";
        "traefik.http.routers.lidarr.middlewares" = "authentik@file";
        "diun.exclude_tags" = "\\d{4,}";
      };
      volumes = [
        "/storage/dataset/docker/media/lidarr_data:/config"
        "/storage/dataset/docker/media/lidarr_addons/custom-services.d:/custom-services.d"
        "/storage/dataset/docker/media/lidarr_addons/custom-cont-init.d:/custom-cont-init.d"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
      };
      restart = "always";
    };
    bazarr.service = {
      image = "hotio/bazarr:release-1.4.3";
      container_name = "bazarr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.bazarr.entrypoints" = "websecure";
        "traefik.http.routers.bazarr.rule" = "Host(`bazarr.ghoscht.com`)";
        "traefik.http.services.bazarr.loadbalancer.server.port" = "6767";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.bazarr.tls" = "true";
        "traefik.http.routers.bazarr.tls.certresolver" = "letsencrypt";
        "traefik.http.routers.bazarr.middlewares" = "authentik@file";
      };
      volumes = [
        "/storage/dataset/docker/media/bazarr_data:/config"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      networks = ["dmz"];
      restart = "always";
    };
    jellyseerr.service = {
      image = "fallenbagel/jellyseerr:1.7.0";
      container_name = "jellyseerr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.jellyseerr.entrypoints" = "websecure";
        "traefik.http.routers.jellyseerr.rule" = "Host(`jellyseerr.ghoscht.com`)";
        "traefik.http.services.jellyseerr.loadbalancer.server.port" = "5055";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.jellyseerr.tls" = "true";
        "traefik.http.routers.jellyseerr.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/jellyseerr_data:/app/config"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      networks = ["dmz"];
      restart = "always";
    };
    autobrr.service = {
      image = "ghcr.io/autobrr/autobrr:v1.46.0";
      container_name = "autobrr";
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.http.routers.autobrr.entrypoints" = "websecure";
        "traefik.http.routers.autobrr.rule" = "Host(`autobrr.ghoscht.com`)";
        "traefik.http.services.autobrr.loadbalancer.server.port" = "7474";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.autobrr.tls" = "true";
        "traefik.http.routers.autobrr.tls.certresolver" = "letsencrypt";
        "diun.include_tags" = "^v\\d+\\.\\d+\\.\\d+$$";
      };
      volumes = [
        "/storage/dataset/docker/media/autobrr_data:/config"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
        sonarr = {condition = "service_started";};
        radarr = {condition = "service_started";};
      };
      restart = "always";
    };
    deemix.service = {
      image = "finniedj/deemix:latest";
      container_name = "deemix";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.deemix.entrypoints" = "websecure";
        "traefik.http.routers.deemix.rule" = "Host(`deemix.ghoscht.com`)";
        "traefik.http.services.deemix.loadbalancer.server.port" = "6595";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.deemix.tls" = "true";
        "traefik.http.routers.deemix.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/data/deemix:/downloads"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        UMASK_SET = 022;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
      };
      restart = "always";
    };
    unpackerr.service = {
      image = "golift/unpackerr:0.13";
      container_name = "unpackerr";
      volumes = [
        "/storage/dataset/data/:/data"
      ];
      user = "1000:1000";
      env_file = [
        "/home/ghoscht/.docker/media/unpackerr.env"
      ];
      environment = {
        TZ = "Europe/Berlin";
        # General config
        UN_DEBUG = "false";
        UN_INTERVAL = "2m";
        UN_START_DELAY = "1m";
        UN_RETRY_DELAY = "5m";
        UN_MAX_RETRIES = 3;
        UN_PARALLEL = 1;
        UN_FILE_MODE = 0644;
        UN_DIR_MODE = 0755;
        # Sonarr Config
        UN_SONARR_0_URL = "http://transmission:8989";
        UN_SONARR_0_PATHS_0 = "/data/torrents/tv";
        UN_SONARR_0_PROTOCOLS = "torrent";
        UN_SONARR_0_TIMEOUT = "10s";
        UN_SONARR_0_DELETE_ORIG = "false";
        UN_SONARR_0_DELETE_DELAY = "5m";
        # Radarr Config
        UN_RADARR_0_URL = "http://transmission:7878";
        UN_RADARR_0_PATHS_0 = "/data/torrents/movies";
        UN_RADARR_0_PROTOCOLS = "torrent";
        UN_RADARR_0_TIMEOUT = "10s";
        UN_RADARR_0_DELETE_ORIG = "false";
        UN_RADARR_0_DELETE_DELAY = "5m";
        # Lidarr Config
        UN_LIDARR_0_URL = "http://transmission:8686";
        UN_LIDARR_0_PATHS_0 = "/data/torrents/music";
        UN_LIDARR_0_PROTOCOLS = "torrent";
        UN_LIDARR_0_TIMEOUT = "10s";
        UN_LIDARR_0_DELETE_ORIG = "false";
        UN_LIDARR_0_DELETE_DELAY = "5m";
      };
      networks = ["dmz"];
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
        sonarr = {condition = "service_started";};
        radarr = {condition = "service_started";};
      };
      restart = "always";
    };
    port-refresh.service = {
      image = "ghoscht/windscribe-ephemeral-port:latest";
      container_name = "port-refresh";
      volumes = [
        "/storage/dataset/docker/media/port-refresh_config/config.yml:/config/config.yaml"
      ];
      networks = [
        "internal"
      ];
      depends_on = {
        vpn = {condition = "service_healthy";};
      };
    };
  };
 }
--- a/hosts/franz/arion/media/arion-pkgs.nix
+++ b/hosts/franz/arion/media/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/media/default.nix
+++ b/hosts/franz/arion/media/default.nix
@ -0,0 +1,73 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  virtualisation.arion = {
    projects.media.settings = {
      imports = [./arion-compose.nix];
    };
  };
  sops.secrets."navidrome/spotify_id" = {
    owner = vars.user;
  };
  sops.secrets."navidrome/spotify_secret" = {
    owner = vars.user;
  };
  sops.secrets."navidrome/lastfm_api_key" = {
    owner = vars.user;
  };
  sops.secrets."navidrome/lastfm_api_secret" = {
    owner = vars.user;
  };
  sops.secrets."windscribe/openvpn_username" = {
    owner = vars.user;
  };
  sops.secrets."windscribe/openvpn_password" = {
    owner = vars.user;
  };
  sops.secrets."unpackerr/sonarr_api_key" = {
    owner = vars.user;
  };
  sops.secrets."unpackerr/radarr_api_key" = {
    owner = vars.user;
  };
  sops.secrets."unpackerr/lidarr_api_key" = {
    owner = vars.user;
  };
  sops.templates."navidrome.env" = {
    path = "/home/${vars.user}/.docker/media/navidrome.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      ND_SPOTIFY_ID="${config.sops.placeholder."navidrome/spotify_id"}"
      ND_SPOTIFY_SECRET="${config.sops.placeholder."navidrome/spotify_secret"}"
      ND_LASTFM_APIKEY="${config.sops.placeholder."navidrome/lastfm_api_key"}"
      ND_LASTFM_SECRET="${config.sops.placeholder."navidrome/lastfm_api_secret"}"
    '';
  };
  sops.templates."windscribe.env" = {
    path = "/home/${vars.user}/.docker/media/windscribe.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      OPENVPN_USERNAME="${config.sops.placeholder."windscribe/openvpn_username"}"
      OPENVPN_PASSWORD="${config.sops.placeholder."windscribe/openvpn_password"}"
    '';
  };
  sops.templates."unpackerr.env" = {
    path = "/home/${vars.user}/.docker/media/unpackerr.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      UN_SONARR_0_API_KEY="${config.sops.placeholder."unpackerr/sonarr_api_key"}"
      UN_LIDARR_0_API_KEY="${config.sops.placeholder."unpackerr/lidarr_api_key"}"
      UN_RADARR_0_API_KEY="${config.sops.placeholder."unpackerr/radarr_api_key"}"
    '';
  };
 }
--- a/hosts/franz/arion/minio/arion-compose.nix
+++ b/hosts/franz/arion/minio/arion-compose.nix
@ -0,0 +1,48 @@
 {
  project.name = "minio";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  services = {
    minio.service = {
      image = "bitnami/minio:2024.5.10";
      container_name = "minio";
      labels = {
        "traefik.enable" = "true";
        # API
        "traefik.http.routers.minio.rule" = "Host(`files.ghoscht.com`)";
        "traefik.http.routers.minio.service" = "minio";
        "traefik.http.routers.minio.entrypoints" = "websecure";
        "traefik.http.services.minio.loadbalancer.server.port" = "9000";
        "traefik.http.routers.minio.tls" = "true";
        "traefik.http.routers.minio.tls.certresolver" = "letsencrypt";
        # Dashboard
        "traefik.http.routers.minio-dash.rule" = "Host(`minio.ghoscht.com`)";
        "traefik.http.routers.minio-dash.service" = "minio-dash";
        "traefik.http.routers.minio-dash.entrypoints" = "websecure";
        "traefik.http.services.minio-dash.loadbalancer.server.port" = "9001";
        "traefik.http.routers.minio-dash.tls" = "true";
        "traefik.http.routers.minio-dash.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/minio/minio_data:/data"
      ];
      environment = {
        MINIO_DATA_DIR = "/data";
        MINIO_BROWSER_REDIRECT_URL = "https://minio.ghoscht.com";
      };
      env_file = [
        "/home/ghoscht/.docker/minio/minio.env"
      ];
      restart = "unless-stopped";
      networks = [
        "dmz"
      ];
    };
  };
 }
--- a/hosts/franz/arion/minio/arion-pkgs.nix
+++ b/hosts/franz/arion/minio/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/minio/default.nix
+++ b/hosts/franz/arion/minio/default.nix
@ -0,0 +1,25 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  virtualisation.arion = {
    projects.minio.settings = {
      imports = [./arion-compose.nix];
    };
  };
  sops.secrets."minio/root_user" = {
    owner = vars.user;
  };
  sops.secrets."minio/root_password" = {
    owner = vars.user;
  };
  sops.templates."minio.env" = {
    path = "/home/${vars.user}/.docker/minio/minio.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      MINIO_ROOT_USER="${config.sops.placeholder."minio/root_user"}"
      MINIO_ROOT_PASSWORD="${config.sops.placeholder."minio/root_password"}"
    '';
  };
 }
--- a/hosts/franz/arion/nextcloud/arion-compose.nix
+++ b/hosts/franz/arion/nextcloud/arion-compose.nix
@ -0,0 +1,60 @@
 {pkgs, ...}: {
  project.name = "nextcloud";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  networks.transport = {};
  services = {
    nextcloud.service = {
      image = "nextcloud:28.0.4";
      container_name = "nextcloud";
      useHostStore = true;
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.nextcloud.entrypoints" = "websecure";
        "traefik.http.routers.nextcloud.rule" = "Host(`nextcloud.ghoscht.com`)";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.nextcloud.tls" = "true";
        "traefik.http.routers.nextcloud.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/nextcloud/nextcloud_data:/var/www/html"
      ];
      hostname = "nextcloud.ghoscht.com";
      environment = {
        REDIS_HOST = "nextcloud-redis";
        REDIS_PORT = 6379;
      };
      restart = "unless-stopped";
      networks = [
        "dmz"
        "transport"
      ];
    };
    nextcloud-db.service = {
      image = "mariadb:11.4.1-rc-jammy";
      env_file = [
        "/home/ghoscht/.docker/nextcloud/nextcloud.env"
      ];
      volumes = [
        "/storage/dataset/docker/nextcloud/nextcloud_db:/var/lib/mysql"
      ];
      restart = "unless-stopped";
      command = "--transaction-isolation=READ-COMMITTED --binlog-format=ROW";
      networks = [
        "transport"
      ];
    };
    nextcloud-redis.service = {
      image = "redis:alpine3.19";
      restart = "unless-stopped";
      networks = [
        "transport"
      ];
    };
  };
 }
--- a/hosts/franz/arion/nextcloud/arion-pkgs.nix
+++ b/hosts/franz/arion/nextcloud/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/nextcloud/default.nix
+++ b/hosts/franz/arion/nextcloud/default.nix
@ -0,0 +1,41 @@
 {config, ...}: let
  vars = import ../../../../vars.nix;
 in {
  virtualisation.arion = {
    projects.nextcloud.settings = {
      imports = [./arion-compose.nix];
    };
  };
  services.cron = {
    enable = true;
    systemCronJobs = [
      "*/5 * * * *      root    . /etc/profile; docker exec -u www-data nextcloud php /var/www/html/cron.php"
    ];
  };
  sops.secrets."nextcloud/mysql_root_password" = {
    owner = vars.user;
  };
  sops.secrets."nextcloud/mysql_password" = {
    owner = vars.user;
  };
  sops.secrets."nextcloud/mysql_database" = {
    owner = vars.user;
  };
  sops.secrets."nextcloud/mysql_user" = {
    owner = vars.user;
  };
  sops.templates."nextcloud.env" = {
    path = "/home/${vars.user}/.docker/nextcloud/nextcloud.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
      MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
      MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
      MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
    '';
  };
 }
--- a/hosts/franz/arion/passwords/arion-compose.nix
+++ b/hosts/franz/arion/passwords/arion-compose.nix
@ -0,0 +1,44 @@
 {pkgs, ...}: {
  project.name = "passwords";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  services = {
    vaultwarden.service = {
      image = "vaultwarden/server:1.32.0";
      container_name = "vaultwarden";
      labels = {
        "traefik.enable" = "true";
        "diun.enable" = "true";
        "traefik.docker.network" = "dmz";
        "traefik.http.services.vaultwarden.loadbalancer.server.port" = "80";
        "traefik.http.routers.vaultwarden.service" = "vaultwarden";
        "traefik.http.routers.vaultwarden.entrypoints" = "websecure";
        "traefik.http.routers.vaultwarden.rule" = "Host(`vault.ghoscht.com`)";
        "traefik.http.routers.vaultwarden.tls" = "true";
        "traefik.http.routers.vaultwarden.tls.certresolver" = "letsencrypt";
        "traefik.http.services.vaultwarden-external.loadbalancer.server.port" = "80";
        "traefik.http.routers.vaultwarden-external.service" = "vaultwarden-external";
        "traefik.http.routers.vaultwarden-external.rule" = "Host(`vault.ghoscht.com`)";
        "traefik.http.routers.vaultwarden-external.entrypoints" = "websecure-external";
        "traefik.http.routers.vaultwarden-external.tls" = "true";
        "traefik.http.routers.vaultwarden-external.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/passwords/vaultwarden_data/:/data"
      ];
      environment = {
        DOMAIN = "http://vaultwarden.ghoscht.com";
      };
      restart = "always";
      networks = [
        "dmz"
      ];
    };
  };
 }
--- a/hosts/franz/arion/passwords/arion-pkgs.nix
+++ b/hosts/franz/arion/passwords/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/hosts/franz/arion/passwords/default.nix
+++ b/hosts/franz/arion/passwords/default.nix
@ -0,0 +1,8 @@
 {config, ...}: let
 in {
  virtualisation.arion = {
    projects.password.settings = {
      imports = [./arion-compose.nix];
    };
  };
 }
--- a/hosts/franz/arion/push/arion-compose.nix
+++ b/hosts/franz/arion/push/arion-compose.nix
@ -0,0 +1,46 @@
 {pkgs, ...}: {
  project.name = "push";
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  services = {
    ntfy.service = {
      image = "binwiederhier/ntfy:v2.10.0";
      container_name = "ntfy";
      user = "1000:1000";
      command = "serve";
      useHostStore = true;
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.ntfy.service" = "ntfy";
        "traefik.http.services.ntfy.loadbalancer.server.port" = "80";
        "traefik.http.routers.ntfy.entrypoints" = "websecure";
        "traefik.http.routers.ntfy.rule" = "Host(`push.ghoscht.com`)";
        "traefik.http.routers.ntfy.tls" = "true";
        "traefik.http.routers.ntfy.tls.certresolver" = "letsencrypt";
        "traefik.http.routers.ntfy-external.service" = "ntfy-external";
        "traefik.http.services.ntfy-external.loadbalancer.server.port" = "80";
        "traefik.http.routers.ntfy-external.rule" = "Host(`push.ghoscht.com`)";
        "traefik.http.routers.ntfy-external.entrypoints" = "websecure-external";
        "traefik.http.routers.ntfy-external.tls" = "true";
        "traefik.http.routers.ntfy-external.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/home/ghoscht/.docker/push/ntfy_data/server.yml:/etc/ntfy/server.yml"
        "/storage/dataset/docker/push/ntfy_data:/etc/ntfy/data"
      ];
      environment = {
        TZ = "Europe/Berlin";
      };
      restart = "always";
      networks = [
        "dmz"
      ];
    };
  };
 }
--- a/hosts/franz/arion/push/arion-pkgs.nix
+++ b/hosts/franz/arion/push/arion-pkgs.nix
@ -0,0 +1,6 @@
 # Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
 import <nixpkgs> {
  # We specify the architecture explicitly. Use a Linux remote builder when
  # calling arion from other platforms.
  system = "x86_64-linux";
 }
--- a/Show more
+++ b/Show more