start refactoring shared code into modules, update the lock, do some other minor fixes

README.md

@@ -58,6 +58,10 @@ I have made a few commands for post installation (and for an iso installer to us
 
 ## Technical details
 
+### Project structure
+
+The project is set up to 
+
 ### [Home manager](https://github.com/nix-community/home-manager)
 Home manager is imported as a module within the global configuration, it is therefor not needed to build home-manager packages separately in this configuration. On multi user systems it might be useful to pull the home-manager configurations from separate repos for different users, so you don't have to give your users access to the global configuration.
 

flake.lock

@@ -89,11 +89,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1772153824,
+        "lastModified": 1773146250,
-        "narHash": "sha256-T65qXmlcD9qFpPTi+mOXsn4dIkO2N8Ls67nqmuzepv0=",
+        "narHash": "sha256-azzOjRqTxAqByzRP87jUUsmfOQ85i7h/YkrgTX0jZgg=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "4b0f5b7bf7b3eeb484d49524f3c9791864ab9362",
+        "rev": "0fa0d06dd3cd09f37f76d19b389d7ff947dfd7e8",
         "type": "github"
       },
       "original": {
@@ -139,11 +139,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772420042,
+        "lastModified": 1773025010,
-        "narHash": "sha256-naZz40TUFMa0E0CutvwWsSPhgD5JldyTUDEgP9ADpfU=",
+        "narHash": "sha256-khlHllTsovXgT2GZ0WxT4+RvuMjNeR5OW0UYeEHPYQo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5af7af10f14706e4095bd6bc0d9373eb097283c6",
+        "rev": "7b9f7f88ab3b339f8142dc246445abb3c370d3d3",
         "type": "github"
       },
       "original": {
@@ -306,11 +306,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769939035,
+        "lastModified": 1772893680,
-        "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
+        "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "a8ca480175326551d6c4121498316261cbb5b260",
+        "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9",
         "type": "github"
       },
       "original": {
@@ -389,11 +389,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772633327,
+        "lastModified": 1773286336,
-        "narHash": "sha256-jl+DJB2DUx7EbWLRng+6HNWW/1/VQOnf0NsQB4PlA7I=",
+        "narHash": "sha256-+yFtmhOHterllxWmV6YbdevTXpJdGS0mS0UmJ0k9fh0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "5a75730e6f21ee624cbf86f4915c6e7489c74acc",
+        "rev": "7d06e0cefe6e4a1e85b2b3274dcb0b3da242a557",
         "type": "github"
       },
       "original": {
@@ -409,11 +409,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1772517207,
+        "lastModified": 1773237643,
-        "narHash": "sha256-qxHfxqbigqBTn//U4leIS5he22Wp1GS0+zmwGV7Pozs=",
+        "narHash": "sha256-L1/RhR9gBGon3+vUwt8LxFnkwBqZMNdQTHnjwGodjtw=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "7ca1501c2d80900b5967baea4d42581f84b388dd",
+        "rev": "cff48bb8dad9d56abd761825d02b892c543a1f38",
         "type": "github"
       },
       "original": {
@@ -472,11 +472,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772341813,
+        "lastModified": 1772945408,
-        "narHash": "sha256-/PQ0ubBCMj/MVCWEI/XMStn55a8dIKsvztj4ZVLvUrQ=",
+        "narHash": "sha256-PMt48sEQ8cgCeljQ9I/32uoBq/8t8y+7W/nAZhf72TQ=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "a2051ff239ce2e8a0148fa7a152903d9a78e854f",
+        "rev": "1c1d8ea87b047788fd7567adf531418c5da321ec",
         "type": "github"
       },
       "original": {
@@ -523,11 +523,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1771969195,
+        "lastModified": 1772972630,
-        "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=",
+        "narHash": "sha256-mUJxsNOrBMNOUJzN0pfdVJ1r2pxeqm9gI/yIKXzVVbk=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e",
+        "rev": "3966ce987e1a9a164205ac8259a5fe8a64528f72",
         "type": "github"
       },
       "original": {
@@ -539,11 +539,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1771848320,
+        "lastModified": 1772773019,
-        "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
+        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2fc6539b481e1d2569f25f8799236694180c0993",
+        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
         "type": "github"
       },
       "original": {
@@ -555,11 +555,11 @@
     },
     "nixpkgs-edge": {
       "locked": {
-        "lastModified": 1772650872,
+        "lastModified": 1773321471,
-        "narHash": "sha256-3ntx/EmA6eaMLYX0nGXCXm75YdCbyfEO2eJopgZuKrk=",
+        "narHash": "sha256-H8Rxavz5NavZFNEBRR5nUdGtwipp5R+uE0i7sZ9RAek=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "468dfc97e8f0b074cba09361bceeacdd87893060",
+        "rev": "eea6fb66b4f4a7abe59b10be3875cd87fba366f5",
         "type": "github"
       },
       "original": {
@@ -570,11 +570,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1772542754,
+        "lastModified": 1773122722,
-        "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=",
+        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4",
+        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
         "type": "github"
       },
       "original": {
@@ -618,11 +618,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1772542754,
+        "lastModified": 1773122722,
-        "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=",
+        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4",
+        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
         "type": "github"
       },
       "original": {
@@ -634,11 +634,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1770650459,
+        "lastModified": 1773046814,
-        "narHash": "sha256-hGeOnueXorzwDD1V9ldZr+y+zad4SNyqMnQsa/mIlvI=",
+        "narHash": "sha256-3CEw64UyzEk5QjfbcXNIl4TfmIpa2oY+duuo6aiawcU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fff0554c67696d76a0cdd9cfe14403fbdbf1f378",
+        "rev": "0c6c0dd2469abaa216599bb19bbf77a328af6564",
         "type": "github"
       },
       "original": {
@@ -650,11 +650,11 @@
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1772173633,
+        "lastModified": 1772736753,
-        "narHash": "sha256-MOH58F4AIbCkh6qlQcwMycyk5SWvsqnS/TCfnqDlpj4=",
+        "narHash": "sha256-au/m3+EuBLoSzWUCb64a/MZq6QUtOV8oC0D9tY2scPQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c0f3d81a7ddbc2b1332be0d8481a672b4f6004d6",
+        "rev": "917fec990948658ef1ccd07cef2a1ef060786846",
         "type": "github"
       },
       "original": {
@@ -855,11 +855,11 @@
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1772636567,
+        "lastModified": 1773319868,
-        "narHash": "sha256-1QlCWLQ5mhkbViPhOxkaW7ifp+IEiYFg7KgMDK0Uvm4=",
+        "narHash": "sha256-r9pCiDafaa7CEUjYpz5976svX7KGsDV8MI0Yh8K5WXg=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "e1afec5b08a82092271376b4fc909c91de89e260",
+        "rev": "86579c67151f83e1ca6e8101a6ab8adfe8e78484",
         "type": "gitlab"
       },
       "original": {
@@ -874,11 +874,11 @@
         "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1772495394,
+        "lastModified": 1773096132,
-        "narHash": "sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw=",
+        "narHash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "1d9b98a29a45abe9c4d3174bd36de9f28755e3ff",
+        "rev": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784",
         "type": "github"
       },
       "original": {
@@ -1053,11 +1053,11 @@
         "rust-overlay": "rust-overlay_2"
       },
       "locked": {
-        "lastModified": 1771148613,
+        "lastModified": 1773119656,
-        "narHash": "sha256-nLzdw8jskekSRrunxBDCA0NCHr/2aJjcXqZ1Fcqm5eY=",
+        "narHash": "sha256-AE6SthrvDyUU70myW7wAq4mzQbtmK5Spng7Y/OdCdhI=",
         "owner": "dj95",
         "repo": "zjstatus",
-        "rev": "7a039f56da80681408454d6e175fde3f54b9e592",
+        "rev": "e80d508ffbff6ab6b39a481ae9986109d3c313ac",
         "type": "github"
       },
       "original": {

home-manager/desktop/package-configs/plasma-desktop/default.nix

@@ -16,10 +16,10 @@
       WantedBy = ["default.target"];
     };
     Service = {
-      Type = "OneShot";
+      Type = "oneshot";
       ExecStart = "${pkgs.writeShellScript "set-kde-connect-commands" ''
         #!/run/current-system/sw/bin/bash
-        find ${config.home.homeDirectory}/.config/kdeconnect/ -type d -name 'kdeconnect_runcommand' -execdir mkdir -p {}/config \; -execdir cp ${builtins.toPath ./kde-connect-commands} {}/config \;
+        find ${config.home.homeDirectory}/.config/kdeconnect/ -type d -name 'kdeconnect_runcommand' -execdir mkdir -p {}/config \; -execdir cp -rf ${builtins.toPath ./kde-connect-commands} {}/config \; -execdir chmod --recursive +rwx {}/config/ \;
       ''}";
       RemainAfterExit = true;
     };
@@ -309,7 +309,13 @@
       "services/services.services.org.kde.spectacle.desktop"."_launch" = "Print";
     };
     configFile = {
-      kwinrc.Plugins.rememberwindowpositionsEnabled = true;
+      kwinrc = {
+        Plugins.rememberwindowpositionsEnabled = true;
+        Script-rememberwindowpositions = {
+          restoreType = 3;
+          whitelist = "org.mozilla.firefox\nfirefox\nlibrewolf\nkonsole\nvesktop\nsignal-dekstop\nthunderbird";
+        };
+      };
     };
   };
 }

home-manager/hosts/GLaDOS/lillian.nix

@@ -39,6 +39,25 @@
     # enableSessionWide = true;
   };
 
+  programs.plasma.configFile.kwinrc = {
+    "Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
+    "Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
+    "Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
+    "Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
+    "Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
+    "Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
+    "Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
+    "Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
+    "Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
+    "Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
+    "Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
+    "Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
+    "Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
+    "Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
+    "Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
+    "Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
+  };
+
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
   home.stateVersion = "26.05";
 }

modules/nixos/preservation/default.nix

@@ -0,0 +1,208 @@
+{ lib, config, ...}:
+let cfg = config.preservationSetup; in {
+  options = {
+    preservationSetup.enable = lib.mkEnableOption "Enable setup of preservation of files in /persistent";
+    global.desktop = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = "Whether or not we should make desktop preservation files.";
+          };
+          global.server = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = "Whether or not we should make server preservation files.";
+          };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    preservation = {
+    # the module doesn't do anything unless it is enabled
+    enable = true;
+
+    preserveAt."/persistent" = {
+      # preserve system directories
+      directories = [
+        #Shared
+        "/var/lib/sbctl"
+        "/var/lib/bluetooth"
+        "/var/lib/fprint"
+        "/var/lib/fwupd"
+        "/var/lib/libvirt"
+        "/var/lib/tpm2-tss"
+        "/var/lib/tpm2-udev-trigger"
+        "/var/lib/power-profiles-daemon"
+        "/var/lib/systemd/coredump"
+        "/var/lib/systemd/rfkill"
+        "/var/lib/systemd/timers"
+        "/var/log"
+        {
+          directory = "/var/lib/nixos";
+          inInitrd = true;
+        }
+        {
+          directory = "/var/secrets";
+          inInitrd = true;
+        }
+      ] ++ lib.mkIf (cfg.desktop == true) [
+        #Desktop
+        "/var/lib/decky-loader"
+        "/var/lib/flatpak"
+      ] ++ lib.mkIf (cfg.server == true) [
+        #Server
+        "/var/lib/continuwuity"
+        "/var/lib/dhcpcd"
+        "/var/lib/docker"
+        "/var/lib/dovecot"
+        "/var/lib/forgejo"
+        "/var/lib/gotosocial"
+        "/var/lib/grafana"
+        "/var/lib/jellyfin"
+        "/var/lib/media"
+        "/var/lib/mollysocket"
+        "/var/lib/private"
+        "/var/lib/mysql"
+        "/var/lib/nextcloud"
+        "/var/lib/onlyoffice"
+        "/var/lib/postfix"
+        "/var/lib/postgresql"
+        "/var/lib/prometheus2"
+        "/var/lib/rabbitmq"
+        "/var/lib/redis-nextcloud"
+        "/var/lib/redis-rspamd"
+        "/var/lib/secrets"
+        "/var/lib/writefreely"
+        "/var/db"
+        "/var/dkim"
+        "/var/secrets"
+        "/var/sieve"
+        "/var/vmail"
+        "/var/mysql"
+      ];
+
+      # preserve system files
+      files = [
+        {
+          file = "/etc/machine-id";
+          inInitrd = true;
+          how = "symlink";
+        }
+        "/var/lib/usbguard/rules.conf"
+
+        # creates a symlink on the volatile root
+        # creates an empty directory on the persistent volume, i.e. /persistent/var/lib/systemd
+        # does not create an empty file at the symlink's target (would require `createLinkTarget = true`)
+        {
+          file = "/var/lib/systemd/random-seed";
+          how = "symlink";
+          inInitrd = true;
+          configureParent = true;
+        }
+        "/var/lib/systemd/tpm2-srk-public-key.pem"
+        "/var/lib/systemd/tpm2-srk-public-key.tpm2b_public"
+      ];
+
+      # preserve user-specific files, implies ownership
+      users = {
+        lillian = {
+          commonMountOptions = [
+            "x-gvfs-hide"
+          ];
+          directories = [
+            {
+              directory = ".ssh";
+              mode = "0700";
+            }
+          ] ++ lib.mkIf (cfg.desktop == true) [
+          #Desktop
+            ".local/state/wireplumber"
+            ".local/share/direnv"
+            ".local/state/nix"
+            ".local/state/comma"
+            ".local/state/home-manager"
+            ".local/share/PrismLauncher"
+            ".local/share/qBittorrent"
+            ".local/share/kwalletd"
+            ".local/share/kwin" #TODO: add the window script via nix instead of saving it imperatively and keeping it
+            ".local/share/lutris"
+            ".local/share/Nextcloud"
+            ".local/share/Steam"
+            ".local/share/zoxide"
+            ".local/share/flatpak"
+            ".local/share/applications"
+            ".local/share/firefoxpwa/"
+            ".local/share/zoxide"
+            ".mozilla"
+            ".steam"
+            ".zsh"
+            ".pki"
+            ".tldrc"
+            ".thunderbird"
+            "Code"
+            "Writing"
+            "Games"
+            ".config/kdeconnect"
+            ".config/Nextcloud"
+            ".config/noisetorch"
+            ".config/qBittorrent"
+            ".config/r2modman"
+            ".config/r2modmanPlus-local"
+            ".config/Ryujinx"
+            ".config/Signal"
+            ".config/sops"
+            ".config/vesktop"
+            ".config/kde.org"
+          ];
+          #Shared
+          files = [
+            ".z"
+            ".zsh_history"
+          ];
+        };
+        root = {
+          # specify user home when it is not `/home/${user}`
+          home = "/root";
+          directories = [
+            {
+              directory = ".ssh";
+              mode = "0700";
+            }
+          ];
+        };
+      };
+    };
+  };
+  systemd.services.systemd-machine-id-commit = {
+    unitConfig.ConditionPathIsMountPoint = [
+      ""
+      "/persistent/etc/machine-id"
+    ];
+    serviceConfig.ExecStart = [
+      ""
+      "systemd-machine-id-setup --commit --root /persistent"
+    ];
+  };
+  systemd.tmpfiles.settings.preservation = {
+    "/home/lillian/.config".d = {
+      user = "lillian";
+      group = "users";
+      mode = "0755";
+    };
+    "/home/lillian/.local".d = {
+      user = "lillian";
+      group = "users";
+      mode = "0755";
+    };
+    "/home/lillian/.local/share".d = {
+      user = "lillian";
+      group = "users";
+      mode = "0755";
+    };
+    "/home/lillian/.local/state".d = {
+      user = "lillian";
+      group = "users";
+      mode = "0755";
+    };
+  };
+  };
+}

modules/nixos/shared-packages/default.nix

@@ -0,0 +1,159 @@
+{
+  outputs,
+  pkgs,
+  pkgs-edge,
+  lib,
+  config,
+  ...
+}:
+let cfg = config.sharedPackages; in {
+  options = {
+    sharedPackages.enable = lib.mkEnableOption "Whether or not to install shared packages and settings";
+    global.desktopPackages = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = "Whether or not to install shared desktop packages and settings.";
+          };
+          global.serverPackages = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = "Whether or not to install shared server packages and settings.";
+          };
+  };
+
+  config = lib.mkIf cfg.enable {
+  imports = [] ++ lib.mkIf (cfg.desktopPackages == true) [
+    ./desktop-settings
+  ] ++ lib.mkIf (cfg.serverPackages == true) [
+    ./server-settings
+  ];
+  nixpkgs = {
+    # You can add overlays here
+    overlays = [
+      # Add overlays your own flake exports (from overlays and pkgs dir):
+      outputs.overlays.additions
+      outputs.overlays.modifications
+    ];
+  };
+
+  environment.systemPackages =
+    (with pkgs; [
+      # Custom tools
+      rebuild
+      rebuild-no-inhibit
+      install-nix
+      install-nix-no-inhibit
+      update
+      upgrade
+      simple-completion-language-server
+
+      # System tools
+      age
+      alejandra
+      e2fsprogs
+      # uutils-findutils
+      git
+      git-filter-repo
+      pre-commit
+      helix
+      home-manager
+      htop
+      just
+      killall
+      oh-my-zsh
+      rsync
+      tre-command
+      wget
+      zsh
+      tldr
+      nmap
+      knot-dns
+      libressl
+      nettools
+      starship
+
+      # System libraries
+    ] ++ lib.mkIf (cfg.desktop == true) [
+      # Custom tools
+      dvd
+      dvt
+      servo
+      restart
+
+      # System tools
+      aha
+      ttf-ms-win10
+      wineWow64Packages.stable
+      bottles
+      tpm2-abrmd
+      jdk21_headless
+      #bcachefs-tools
+      clinfo
+      direnv
+      exfat
+      exfatprogs
+      gamemode
+      git-filter-repo
+      gnupg
+      pciutils
+      podman
+      podman-compose
+      python3Minimal
+      sbctl
+      tpm2-tools
+      tpm2-tss
+      virtualgl
+      vulkan-tools
+      # waydroid
+      waypipe
+      wayland-utils
+      yubikey-personalization
+      zsh
+
+      # KDE/QT
+      kdePackages.plasma-desktop
+      kdePackages.plasma-wayland-protocols
+      kdePackages.libplasma
+      kdePackages.plasma-integration
+      kdePackages.plasma-activities
+      kdePackages.plasma-workspace
+      kdePackages.discover
+      kdePackages.filelight
+      kdePackages.kcalc
+      kdePackages.kdepim-addons
+      kdePackages.kirigami
+      kdePackages.kdeconnect-kde
+      kdePackages.konsole
+      # kdePackages.krunner-ssh
+      # kdePackages.krunner-symbols
+      kdePackages.packagekit-qt
+      kdePackages.plasma-pa
+      kdePackages.sddm-kcm
+      kdePackages.dolphin-plugins
+      kdePackages.qtstyleplugin-kvantum
+      kdePackages.krdc
+      kdePackages.krfb
+      kdePackages.kate
+      kdePackages.qrca
+      libportal-qt5
+      libportal
+
+      # User tools
+      freetube
+      noisetorch
+      qjackctl
+      wireplumber
+      intiface-central
+      #rustdesk
+    ]
+
+    )
+    ++ (with pkgs-edge; [
+      # list of latest packages from nixpkgs master
+      # Can be used to install latest version of some packages
+    ] ++ lib.mkIf (cfg.desktop == true) [
+      kdePackages.plasma-vault
+    ]
+    );
+};
+}

modules/nixos/shared-packages/desktop-settings/default.nix

@@ -0,0 +1,144 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  imports = [
+    ./firefox
+  ];
+  services.udev.extraRules =  ''
+    KERNEL=="hidraw*", ATTRS{idVendor}=="057e", MODE="0660", TAG+="uaccess"
+    KERNEL=="hidraw*", KERNELS=="*057e:*", MODE="0660", TAG+="uaccess"
+    KERNEL=="hidraw*", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
+    KERNEL=="hidraw*", KERNELS=="*2DC8:*", MODE="0660", TAG+="uaccess"
+    KERNEL=="hidraw*", ATTRS{idProduct}=="6012", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
+    KERNEL=="hidraw*", KERNELS=="*2DC8:6012*", MODE="0660", TAG+="uaccess"
+  '';
+
+  fonts.packages =  [pkgs.ttf-ms-win10];
+
+  programs = {
+    # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
+    command-not-found.enable = lib.mkForce false;
+    # nix-index.enable = true;
+    nix-index-database.comma.enable = true;
+
+    direnv = {
+      enable = true;
+    };
+
+    # steam = {
+    #   enable = true;
+    #   remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+    #   dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+    #   extest.enable = true;
+    # };
+    kdeconnect.enable = true;
+
+    noisetorch = {
+      enable = true;
+    };
+  };
+
+  xdg.portal.enable = true;
+
+  # Enable networking
+  networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+  services = {
+    # Enable the X11 windowing system.
+    xserver.enable = true;
+
+    # Enable the KDE Plasma Desktop Environment.
+    # displayManager.sddm = {
+    #   enable = true;
+    #   wayland.enable = true;
+    # };
+    displayManager.defaultSession = lib.mkDefault "plasma";
+    desktopManager.plasma6.enable = true;
+    desktopManager.plasma6.notoPackage = pkgs.atkinson-hyperlegible;
+
+    # Enable flatpak support
+    flatpak.enable = true;
+    packagekit.enable = true;
+
+    # Configure keymap in X11
+    xserver.xkb = {
+      layout = "us";
+      variant = "";
+      options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
+    };
+
+    # Enable CUPS to print documents.
+    printing.enable = true;
+
+    # Enable fwupd daemon and user space client
+    fwupd.enable = true;
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+      wireplumber.enable = true;
+    };
+
+    avahi = {
+      nssmdns4 = true;
+      enable = true;
+      ipv4 = true;
+      ipv6 = true;
+      publish = {
+        enable = true;
+        addresses = true;
+        workstation = true;
+      };
+    };
+  };
+  hardware = {
+    graphics.enable32Bit = true;
+
+    # Enable bluetooth hardware
+    bluetooth.enable = true;
+  };
+  security.rtkit.enable = true;
+
+  services.pulseaudio.enable = false;
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+  };
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+    tctiEnvironment.enable = true;
+  }; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  users.users.lillian.extraGroups = ["tss"];
+  boot = {
+    # tss group has access to TPM devices
+    bootspec.enable = true;
+    binfmt.emulatedSystems = ["aarch64-linux"];
+    #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+    #boot.supportedFilesystems = ["bcachefs"];
+    extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
+    kernelModules = [
+      # Virtual Camera
+      "v4l2loopback"
+      # Virtual Microphone, built-in
+      "snd-aloop"
+    ];
+
+    # Set initial kernel module settings
+    extraModprobeConfig = ''
+      # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
+      # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
+      # https://github.com/umlaeute/v4l2loopback
+      options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
+    '';
+    loader.systemd-boot.configurationLimit = 3;
+    loader.efi.canTouchEfiVariables = true;
+};
+}

modules/nixos/shared-packages/desktop-settings/firefox/default.nix

@@ -0,0 +1,182 @@
+{pkgs, ...}: {
+  programs.firefox = {
+    enable = true;
+    package = pkgs.librewolf;
+    policies = {
+      DisableTelemetry = true;
+      DisableFirefoxStudies = true;
+      DisablePocket = true;
+      DisableFirefoxAccounts = true;
+      DisableAccounts = true;
+      DisableProfileImport = true;
+      OverrideFirstRunPage = "";
+      OverridePostUpdatePage = "";
+      DontCheckDefaultBrowser = true;
+      DisplayBookmarksToolbar = "newtab";
+      ManualAppUpdateOnly = true;
+      OfferToSaveLogins = false;
+      PasswordManagerEnabled = false;
+      DownloadDirectory = "\${home}/Downloads";
+      EnableTrackingProtection = {
+        Value = true;
+        Cryptomining = true;
+        Fingerprinting = true;
+      };
+      ExtensionSettings = {
+        # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+        # Catppuccin Macchiato - Mauve theme:
+        "{55750c61-e5f3-4d9a-898d-0643b3093678}" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/catppuccin-macchiato-mauve/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Sideberry:
+        #"{3c078156-979c-498b-8990-85f7987dd929}" = {
+        #  install_url = "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi";
+        #  installation_mode = "force_installed";
+        #};
+        # Privacy Badger:
+        "jid1-MnnxcxisBPnSXQ@jetpack" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Bitwarden:
+        "{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Libredirect:
+        "7esoorv3@alefvanoon.anonaddy.me" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # DarkReader:
+        "addon@darkreader.org" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # SimpleLogin:
+        "addon@simplelogin" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/simplelogin/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Cookie Auto Delete:
+        "CookieAutoDelete@kennydo.com" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/cookie-autodelete/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Don't fuck with paste:
+        "DontFuckWithPaste@raim.ist" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/don-t-fuck-with-paste/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Firefox pwas:
+        "firefoxpwa@filips.si" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/pwas-for-firefox/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Consent o matic:
+        "gdpr@cavi.au.dk" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Mailvelope:
+        "jid1-AQqSMBYb0a8ADg@jetpack" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/mailvelope/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # KDE connect:
+        "kde-connect@0xc0dedbad.com" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/kde-connect/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Plasma browser integration:
+        "plasma-browser-integration@kde.org" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Shinigami eyes:
+        "shinigamieyes@shinigamieyes" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/shinigami-eyes/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # uBlock Origin:
+        "uBlock0@raymondhill.net" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # uBlock Scope:
+        "uBO-Scope@raymondhill.net" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ubo-scope/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Wayback machine:
+        "wayback_machine@mozilla.org" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/file/4047136/wayback_machine_new-3.2.xpi";
+          installation_mode = "force_installed";
+        };
+        # Tree Style Tabs
+        # "treestyletab@piro.sakura.ne.jp" = {
+        #   install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi";
+        #   installation_mode = "force_installed";
+        # };
+        # Adaptive Tab Bar Colour
+        "ATBC@EasonWong" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi";
+          installation_mode = "force_installed";
+        };
+      };
+      FirefoxHome = {
+        Search = true;
+        TopSites = false;
+        SponsoredTopSites = false;
+        Highlights = false;
+        Pocket = false;
+        SponsoredPocket = false;
+        Snippets = false;
+      };
+      FirefoxSuggest = {
+        WebSuggestions = false;
+        SponsoredSuggestions = false;
+        ImproveSuggest = false;
+      };
+      Preferences = {
+        "browser.compactmode.show" = true;
+        "browser.uidensity" = 0;
+        # "browser.newtabpage.activity-stream.feeds.topsites" = false;
+        "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+        "browser.newtabpage.activity-stream.showSponsored" = false;
+        "browser.newtabpage.activity-stream.system.showSponsored" = false;
+        "font.name.serif.x-western" = "Crimson";
+        "font.name.sans-serif.x-western" = "Atkinson Hyperlegible";
+        "font.name.monospace.x-western" = "FiraCode Nerd Font";
+        "font.size.variable.x-western" = 14;
+        "floorp.browser.sidebar.useIconProvider" = "duckduckgo";
+        "floorp.browser.tabbar.settings" = 2;
+        "floorp.browser.tabs.verticaltab" = true;
+        "floorp.tabbar.style" = 2;
+        "floorp.browser.user.interface" = 8;
+        "signon.rememberSignons" = true;
+        "browser.ml.chat.enabled" = false;
+        "browser.ml.chat.shortcuts" = false;
+      };
+      # TODO: switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks
+      # Bookmarks = [
+      #   {
+      #     Title = "NixOS wiki";
+      #     Placement = "toolbar";
+      #     URL = "https://nixos.wiki/";
+      #   }
+      #   {
+      #     Title = "NixOS options";
+      #     Placement = "toolbar";
+      #     URL = "https://nixos.org/manual/nixos/stable/options";
+      #   }
+      #   {
+      #     Title = "NixOS home-manager options";
+      #     Placement = "toolbar";
+      #     URL = "https://nix-community.github.io/home-manager/options.xhtml";
+      #   }
+      # ];
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/akkoma/default.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets."releaseCookie".mode = "0440";
+  sops.secrets."releaseCookie".owner = config.users.users.akkoma.name;
+
+  users.groups.akkoma = {};
+
+  users.users = {
+    akkoma = {
+      isSystemUser = true;
+      group = "akkoma";
+    };
+  };
+
+  services.akkoma = {
+    enable = true;
+    package = pkgs.akkoma;
+    extraPackages = with pkgs; [ffmpeg exiftool imagemagick];
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+      serverName = "akkoma.gladtherescake.eu";
+    };
+    #dist.cookie._secret = config.sops.secrets."releaseCookie".path;
+    config = {
+      ":pleroma".":instance" = {
+        name = "GLaDTheresCake Akkoma";
+        email = "akkoma@gladtherescake.eu";
+        notify_email = "no-reply@akkoma.gladtherescake.eu";
+        emails.mailer = {
+          enabled = true;
+          adapter = "Swoosh.Adapters.Sendmail";
+          cmd_path = "sendmail";
+          cmd_args = "-N delay,failure,success";
+          qmail = true;
+        };
+        description = "Lillian's Akkoma server!";
+        languages = ["en" "nl"];
+        registrations_open = true;
+        max_pinned_statuses = 10;
+        cleanup_attachments = true;
+      };
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/aria2/container.nix

@@ -0,0 +1,101 @@
+{config, ...}: {
+  users.users.aria2.group = "aria2";
+  users.groups.aria2 = {};
+  users.users.aria2.isSystemUser = true;
+
+  sops.secrets."wg-private".mode = "0440";
+  sops.secrets."wg-private".owner = config.users.users.aria2.name;
+  containers.aria2 = {
+    forwardPorts = [
+      {
+        containerPort = 6969;
+        hostPort = 6969;
+        protocol = "udp";
+      }
+    ];
+    bindMounts = {
+      "/var/lib/media" = {
+        hostPath = "/var/lib/media";
+        isReadOnly = false;
+      };
+      "/var/lib/wg/private-key" = {
+        hostPath = config.sops.secrets."wg-private".path;
+        isReadOnly = true;
+      };
+    };
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.100.10";
+    localAddress = "192.168.100.11";
+    hostAddress6 = "fc00::1";
+    localAddress6 = "fc00::2";
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      system.stateVersion = "unstable";
+      networking.firewall.allowedTCPPorts = [6969];
+      networking.firewall.allowedUDPPorts = [6969 51820];
+      users.users = {
+        aria2.extraGroups = ["jellyfin" "nextcloud"];
+      };
+      services.aria2 = {
+        enable = true;
+        downloadDir = "/var/lib/media";
+        rpcListenPort = 6969;
+      };
+      networking.wg-quick.interfaces = {
+        wg0 = {
+          postUp = ''
+            # Mark packets on the wg0 interface
+            wg set wg0 fwmark 51820
+
+            # Forbid anything else which doesn't go through wireguard VPN on
+            # ipV4 and ipV6
+            ${pkgs.iptables}/bin/iptables -A OUTPUT \
+              ! -d 192.168.0.0/16 \
+              ! -o wg0 \
+              -m mark ! --mark $(wg show wg0 fwmark) \
+              -m addrtype ! --dst-type LOCAL \
+              -j REJECT
+            ${pkgs.iptables}/bin/ip6tables -A OUTPUT \
+              ! -o wg0 \
+              -m mark ! --mark $(wg show wg0 fwmark) \
+              -m addrtype ! --dst-type LOCAL \
+              -j REJECT
+            ${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \
+              --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \
+              -j ACCEPT
+          '';
+          postDown = ''
+            ${pkgs.iptables}/bin/iptables -D OUTPUT \
+              ! -o wg0 \
+              -m mark ! --mark $(wg show wg0 fwmark) \
+              -m addrtype ! --dst-type LOCAL \
+              -j REJECT
+            ${pkgs.iptables}/bin/ip6tables -D OUTPUT \
+              ! -o wg0 -m mark \
+              ! --mark $(wg show wg0 fwmark) \
+              -m addrtype ! --dst-type LOCAL \
+              -j REJECT
+          '';
+
+          address = ["10.2.0.2/32"];
+          dns = ["10.2.0.1"];
+          privateKeyFile = "/var/lib/wg/private-key";
+
+          peers = [
+            {
+              publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo=";
+              allowedIPs = ["0.0.0.0/0"];
+              endpoint = "185.159.158.182:51820";
+              persistentKeepalive = 25;
+            }
+          ];
+        };
+      };
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/aria2/default.nix

@@ -0,0 +1,15 @@
+{config, ...}: {
+  users.users.aria2.group = "aria2";
+  users.groups.aria2 = {};
+  users.users.aria2.isSystemUser = true;
+
+  sops.secrets."rpcSecret".mode = "0440";
+  sops.secrets."rpcSecret".owner = config.users.users.aria2.name;
+
+  services.aria2 = {
+    enable = true;
+    downloadDir = "/var/lib/media";
+    rpcListenPort = 6969;
+    rpcSecretFile = config.sops.secrets."rpcSecret".path;
+  };
+}

modules/nixos/shared-packages/server-settings/caddy/default.nix

@@ -0,0 +1,56 @@
+{config, ...}: {
+  services.phpfpm.pools.nextcloud.settings = {
+    "listen.owner" = config.services.caddy.user;
+    "listen.group" = config.services.caddy.group;
+  };
+
+  users.users.caddy.extraGroups = ["nextcloud"];
+
+  services.caddy = {
+    enable = true;
+
+    # Setup Nextcloud virtual host to listen on ports
+    virtualHosts = {
+      "${config.services.nextcloud.hostName}" = {
+        useACMEHost = "${config.services.nextcloud.hostName}";
+        extraConfig = ''
+           redir /.well-known/carddav /remote.php/dav 301
+           redir /.well-known/caldav /remote.php/dav 301
+           redir /.well-known/webfinger /index.php/.well-known/webfinger 301
+           redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
+
+           encode gzip
+           reverse_proxy localhost:9000
+           header Strict-Transport-Security max-age=31536000;
+           @forbidden {
+            path /.htaccess
+            path /data/*
+            path /config/*
+            path /db_structure
+            path /.xml
+            path /README
+            path /3rdparty/*
+            path /lib/*
+            path /templates/*
+            path /occ
+            path /console.php
+          }
+          handle @forbidden {
+            respond 404
+          }
+
+          handle {
+          	root * /var/www/html
+          	php_fastcgi 127.0.0.1:9000 {
+          		# Tells nextcloud to remove /index.php from URLs in links
+          		env front_controller_active true
+          	}
+          	file_server
+          }
+        '';
+      };
+      "onlyoffice.gladtherescake.eu" = {
+      };
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/cinny/default.nix

@@ -0,0 +1,17 @@
+{pkgs, ...}: {
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "cinny.gladtherescake.eu" = {
+        root = "${pkgs.cinny}";
+        ## Force HTTP redirect to HTTPS
+        forceSSL = true;
+        ## LetsEncrypt
+        enableACME = true;
+        locations."/" = {
+          index = "index.html";
+        };
+      };
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/conduit/default.nix

@@ -0,0 +1,153 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  # You'll need to edit these values
+  # The hostname that will appear in your user and room IDs
+  server_name = "matrix.gladtherescake.eu";
+
+  # An admin email for TLS certificate notifications
+  admin_email = "letsencrypt@gladtherescake.eu";
+
+  # These ones you can leave alone
+
+  # Build a dervation that stores the content of `${server_name}/.well-known/matrix/server`
+  well_known_server = pkgs.writeText "well-known-matrix-server" ''
+    {
+      "m.server": "${server_name}"
+    }
+  '';
+
+  # Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
+  well_known_client = pkgs.writeText "well-known-matrix-client" ''
+    {
+      "m.homeserver": {
+        "base_url": "https://${server_name}"
+      }
+    }
+  '';
+in {
+  # Configure continuwuity itself
+  services.matrix-continuwuity = {
+    enable = true;
+
+    settings.global = {
+      inherit server_name;
+      allow_registration = false;
+      # emergency_password = "testpassword";
+      turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"];
+      turn_secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT";
+      well_known = {
+        server = "matrix.gladtherescake.eu:443";
+        client = "https://matrix.gladtherescake.eu";
+      };
+    };
+  };
+
+  # Configure automated TLS acquisition/renewal
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = admin_email;
+    };
+  };
+
+  # ACME data must be readable by the NGINX user
+  users.users.nginx.extraGroups = [
+    "acme"
+  ];
+
+  # Configure NGINX as a reverse proxy
+  services.nginx = {
+    enable = true;
+
+    virtualHosts = {
+      "${server_name}" = {
+        forceSSL = true;
+        enableACME = true;
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+
+        locations."/_matrix/" = {
+          proxyPass = "http://backend_continuwuity";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffering off;
+          '';
+        };
+        locations."=/.well-known/matrix/server" = {
+          # Use the contents of the derivation built previously
+          alias = "${well_known_server}";
+
+          extraConfig = ''
+            # Set the header since by default NGINX thinks it's just bytes
+            default_type application/json;
+          '';
+        };
+
+        locations."=/.well-known/matrix/client" = {
+          # Use the contents of the derivation built previously
+          alias = "${well_known_client}";
+          return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${server_name}\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://${server_name}\"}}'";
+
+          extraConfig = ''
+            # Set the header since by default NGINX thinks it's just bytes
+            default_type application/json;
+
+            # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
+            add_header Access-Control-Allow-Origin "*";
+          '';
+        };
+        locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {
+          proxyPass = "http://matrix.gladtherescake.eu/client/unstable/org.matrix.msc3575/sync";
+          proxyWebsockets = true;
+          recommendedProxySettings = false;
+          return = "200 '{\"contacts\": [{\"matrix_id\": \"@admin:server.name\", \"email_address\": \"admin@server.name\", \"role\": \"m.role.admin\"}]}'";
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffering off;
+          '';
+        };
+
+        extraConfig = ''
+          merge_slashes off;
+        '';
+      };
+    };
+
+    upstreams = {
+      "backend_continuwuity" = {
+        servers = {
+          "[::1]:${toString config.services.matrix-continuwuity.settings.global.port}" = {};
+        };
+      };
+    };
+  };
+
+  # Open firewall ports for HTTP, HTTPS, and Matrix federation
+  networking.firewall.allowedTCPPorts = [80 443 8448];
+  networking.firewall.allowedUDPPorts = [80 443 8448];
+}

modules/nixos/shared-packages/server-settings/coturn/default.nix

@@ -0,0 +1,44 @@
+{config, ...}: {
+  sops.secrets."coturn-auth-secret".mode = "0440";
+  sops.secrets."coturn-auth-secret".owner = config.users.users.turnserver.name;
+  users.users.nginx.extraGroups = ["turnserver"];
+  services.coturn = {
+    enable = true;
+    use-auth-secret = true;
+    static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+    realm = "turn.gladtherescake.eu";
+    relay-ips = [
+      "62.171.160.195"
+      "2a02:c207:2063:2448::1"
+    ];
+    extraConfig = "
+      cipher-list=\"HIGH\"
+      no-loopback-peers
+      no-multicast-peers
+    ";
+    secure-stun = true;
+    cert = "/var/lib/acme/turn.gladtherescake.eu/fullchain.pem";
+    pkey = "/var/lib/acme/turn.gladtherescake.eu/key.pem";
+    min-port = 49152;
+    max-port = 49999;
+  };
+
+  # setup certs
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "turn.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+      };
+    };
+  };
+
+  # share certs with coturn and restart on renewal
+  security.acme.certs = {
+    "turn.gladtherescake.eu" = {
+      group = "turnserver";
+      postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/dashboard/default.nix

@@ -0,0 +1,8 @@
+{...}: {
+  imports = [
+    ./grafana
+    #./loki
+    ./prometheus
+    ./telegraf
+  ];
+}

modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix

@@ -0,0 +1,44 @@
+{config, ...}: {
+  # grafana configuration
+  services.grafana = {
+    enable = true;
+    settings.server = {
+      domain = "grafana.lillianviolet.dev";
+      http_port = 2342;
+      http_addr = "127.0.0.1";
+    };
+    provision = {
+      datasources.settings = {
+        apiVersion = 1;
+        datasources = [
+          {
+            name = "Prometheus";
+            type = "prometheus";
+            access = "proxy";
+            url = "http://localhost:${toString config.services.prometheus.port}";
+            isDefault = true;
+          }
+          {
+            name = "Loki";
+            type = "loki";
+            access = "proxy";
+            url = "http://localhost:3100";
+            isDefault = true;
+          }
+        ];
+      };
+    };
+  };
+
+  # nginx reverse proxy
+  services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
+    ## Force HTTP redirect to HTTPS
+    forceSSL = true;
+    ## LetsEncrypt
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
+      proxyWebsockets = true;
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix

@@ -0,0 +1,6 @@
+{...}: {
+  services.loki = {
+    enable = true;
+    configFile = ./loki.yaml;
+  };
+}

modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml

@@ -0,0 +1,40 @@
+# Enables authentication through the X-Scope-OrgID header, which must be present
+# if true. If false, the OrgID will always be set to "fake".
+auth_enabled: false
+
+server:
+  http_listen_address: "0.0.0.0"
+  http_listen_port: 3100
+
+ingester:
+  lifecycler:
+    address: "127.0.0.1"
+    ring:
+      kvstore:
+        store: inmemory
+      replication_factor: 1
+    final_sleep: 0s
+  chunk_idle_period: 5m
+  chunk_retain_period: 30s
+
+schema_config:
+  configs:
+  - from: 2020-05-15
+    store: boltdb
+    object_store: filesystem
+    schema: v11
+    index:
+      prefix: index_
+      period: 168h
+
+storage_config:
+  boltdb:
+    directory: /tmp/loki/index
+
+  filesystem:
+    directory: /tmp/loki/chunks
+
+limits_config:
+  enforce_metric_name: false
+  reject_old_samples: true
+  reject_old_samples_max_age: 168h

modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix

@@ -0,0 +1,34 @@
+{config, ...}: {
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    # Export the current system metrics
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = ["systemd"];
+        port = 9002;
+      };
+    };
+    scrapeConfigs = [
+      # Scrape the current system
+      {
+        job_name = "GrafanaService system";
+        static_configs = [
+          {
+            targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
+          }
+        ];
+      }
+      # Scrape the Loki service
+      {
+        job_name = "Loki service";
+        static_configs = [
+          {
+            targets = ["127.0.0.1:3100"];
+          }
+        ];
+      }
+    ];
+  };
+}

modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix

@@ -0,0 +1,49 @@
+{config, ...}: {
+  sops.secrets."grafana-telegraf-key".mode = "0440";
+  sops.secrets."grafana-telegraf-key".owner = config.users.users.telegraf.name;
+  services.telegraf = {
+    enable = true;
+    extraConfig = {
+      agent = {
+        interval = "10s";
+        round_interval = true;
+        metric_batch_size = 1000;
+        metric_buffer_limit = 10000;
+        collection_jitter = "0s";
+        flush_interval = "10s";
+        flush_jitter = "0s";
+        precision = "";
+        debug = false;
+        quiet = false;
+        logfile = "";
+        hostname = "queen";
+        omit_hostname = false;
+      };
+      inputs = {
+        cpu = {
+          percpu = true;
+          totalcpu = true;
+          collect_cpu_time = false;
+          report_active = false;
+          core_tags = false;
+        };
+        disk = {
+          ignore_fs = ["tmpfs" "devtmpfs" "devfs" "overlay" "aufs" "squashfs"];
+        };
+        diskio = {};
+        kernel = {};
+        mem = {};
+        system = {};
+      };
+      outputs = {
+        websocket = {
+          url = "ws://localhost:${toString config.services.prometheus.port}/api/live/push/telegraf";
+          data_format = "influx";
+          headers = {
+            Authorisation = "Bearer glsa_lqpcKV34Pp0d7eIhKN79E2HTwzWWwN4m_fe64e398";
+          };
+        };
+      };
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/default.nix

@@ -0,0 +1,19 @@
+{...}: {
+  imports = [
+    ./conduit
+    ./forgejo
+    ./gotosocial
+    ./mail-server
+    ./nextcloud
+    # ./phanpy
+    ./postgres
+    ./roundcube
+    ./coturn
+    # ./dashboard
+    #./cinny
+    #./firefox-sync
+    ./writefreely
+    ./mollysocket
+    ./jellyfin
+  ];
+}

modules/nixos/shared-packages/server-settings/firefox-sync/default.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  port = 5126;
+in {
+  sops.secrets."sync-secrets".mode = "0440";
+  sops.secrets."sync-secrets".owner = config.users.users.firefox-syncserver.name;
+
+  users.groups.firefox-syncserver = {};
+  users.users.firefox-syncserver = {
+    isSystemUser = true;
+    group = "firefox-syncserver";
+    extraGroups = [config.users.groups.keys.name];
+  };
+
+  services.mysql.package = pkgs.mariadb;
+  services.firefox-syncserver = {
+    enable = true;
+    secrets = config.sops.secrets."sync-secrets".path;
+    singleNode = {
+      enable = true;
+      hostname = "sync.gladtherescake.eu";
+      url = "http://localhost:${toString port}";
+      enableNginx = true;
+      enableTLS = true;
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/forgejo/default.nix

@@ -0,0 +1,71 @@
+{pkgs, ...}: {
+  imports = [];
+
+  #sops.secrets."mailpassunhash".mode = "0440";
+  #sops.secrets."mailpassunhash".owner = config.users.users.virtualMail.name;
+
+  services.forgejo = {
+    enable = true;
+    #TODO: different mail passwords for different services
+    #mailerPasswordFile = config.sops.secrets."mailpassunhash".path;
+    database = {
+      type = "postgres";
+    };
+    settings = {
+      "cron.sync_external_users" = {
+        RUN_AT_START = true;
+        SCHEDULE = "@every 24h";
+        UPDATE_EXISTING = true;
+      };
+      mailer = {
+        ENABLED = true;
+        PROTOCOL = "sendmail";
+        FROM = "no-reply@git.lillianviolet.dev";
+        SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+        SENDMAIL_ARGS = "-bs";
+      };
+      repository = {
+        ENABLE_PUSH_CREATE_USER = true;
+      };
+      federation = {
+        ENABLED = true;
+      };
+      other = {
+        SHOW_FOOTER_VERSION = false;
+      };
+      service.DISABLE_REGISTRATION = true;
+      server = {
+        DOMAIN = "git.lillianviolet.dev";
+        ROOT_URL = "https://git.lillianviolet.dev/";
+        HTTP_PORT = 3218;
+      };
+      "markup.jupyter" = {
+        ENABLED = true;
+        FILE_EXTENSIONS = ".ipynb";
+        RENDER_COMMAND = "${pkgs.jupyter}/bin/jupyter nbconvert --stdout --to html --template full";
+        IS_INPUT_FILE = true;
+        RENDER_CONTENT_MODE = "no-sanitizer";
+      };
+      "markup.sanitizer.jupyter0" = {
+        ELEMENT = "div";
+        ALLOW_ATTR = "class";
+        REGEXP = "";
+      };
+      "markup.sanitizer.jupyter0.img" = {
+        ALLOW_DATA_URI_IMAGES = true;
+      };
+    };
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "git.lillianviolet.dev" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:3218";
+        };
+      };
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/gotosocial/default.nix

@@ -0,0 +1,43 @@
+{pkgs, ...}: {
+  users.users.gotosocial.extraGroups = ["virtualMail"];
+
+  services.nginx = {
+    virtualHosts = {
+      "social.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:4257";
+        };
+      };
+    };
+  };
+
+  services.gotosocial = {
+    enable = true;
+    package = pkgs.gotosocial;
+    setupPostgresqlDB = true;
+    settings = {
+      application-name = "gotosocial";
+      host = "social.gladtherescake.eu";
+      bind-address = "localhost";
+      port = 4257;
+      protocol = "https";
+      storage-local-base-path = "/var/lib/gotosocial/storage";
+      instance-languages = ["en-gb" "nl"];
+      media-image-max-size = 41943040;
+      media-video-max-size = 209715200;
+      media-description-max-chars = 2000;
+      #smtp-host = "localhost";
+      #smtp-port = 587;
+      #smtp-username = "no-reply@social.gladtherescake.eu";
+      #smtp-password = config.sops.secrets."mailpassunhash".path;
+      #smtp-from = "no-reply@social.gladtherescake.eu";
+    };
+  };
+
+  systemd.services."gotosocial" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+}

modules/nixos/shared-packages/server-settings/jellyfin/default.nix

@@ -0,0 +1,20 @@
+{...}: {
+  services.nginx = {
+    virtualHosts = {
+      "video.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:8096";
+          proxyWebsockets = true; # needed if you need to use WebSocket
+        };
+      };
+    };
+  };
+
+  services.jellyfin = {
+    enable = true;
+    user = "nextcloud";
+    group = "nextcloud";
+  };
+}

modules/nixos/shared-packages/server-settings/mail-server/default.nix

@@ -0,0 +1,108 @@
+{config, ...}: {
+  sops.secrets."mailpass".mode = "0440";
+  sops.secrets."mailpass".owner = config.users.users.virtualMail.name;
+
+  #Fix for the dovecot update
+  # services.dovecot2.sieve.extensions = ["fileinto"];
+
+  mailserver = {
+    stateVersion = 3;
+    enable = true;
+    enableImap = true;
+    enableSubmission = true;
+    fqdn = "mail.gladtherescake.eu";
+    domains = [
+      "nextcloud.gladtherescake.eu"
+      "akkoma.gladtherescake.eu"
+      "social.gladtherescake.eu"
+      "gladtherescake.eu"
+      "lillianviolet.dev"
+      "git.lillianviolet.dev"
+    ];
+
+    loginAccounts = {
+      "me@gladtherescake.eu" = {
+        hashedPasswordFile = config.sops.secrets."mailpass".path;
+        aliases = [
+          "@gladtherescake.eu"
+        ];
+        catchAll = [
+          "gladtherescake.eu"
+        ];
+      };
+      "no-reply@nextcloud.gladtherescake.eu" = {
+        hashedPasswordFile = config.sops.secrets."mailpass".path;
+      };
+      "no-reply@akkoma.gladtherescake.eu" = {
+        hashedPasswordFile = config.sops.secrets."mailpass".path;
+      };
+      "no-reply@social.gladtherescake.eu" = {
+        hashedPasswordFile = config.sops.secrets."mailpass".path;
+      };
+      "info@lillianviolet.dev" = {
+        hashedPasswordFile = config.sops.secrets."mailpass".path;
+        aliases = [
+          "@lillianviolet.dev"
+        ];
+        catchAll = [
+          "lillianviolet.dev"
+        ];
+      };
+      "no-reply@git.lillianviolet.dev" = {
+        hashedPasswordFile = config.sops.secrets."mailpass".path;
+      };
+    };
+
+    mailboxes = {
+      All = {
+        auto = "subscribe";
+        specialUse = "All";
+      };
+      Archive = {
+        auto = "subscribe";
+        specialUse = "Archive";
+      };
+      Drafts = {
+        auto = "subscribe";
+        specialUse = "Drafts";
+      };
+      Junk = {
+        auto = "subscribe";
+        specialUse = "Junk";
+      };
+      Sent = {
+        auto = "subscribe";
+        specialUse = "Sent";
+      };
+      Trash = {
+        auto = "no";
+        specialUse = "Trash";
+      };
+    };
+
+    rejectRecipients = [
+      "no-reply@nextcloud.gladtherescake.eu"
+      "no-reply@akkoma.gladtherescake.eu"
+      "no-reply@social.gladtherescake.eu"
+      "no-reply@git.lillianviolet.dev"
+      "ongebonden@gladtherescake.eu"
+      "teluyep_canoja_52868396@gladtherescake.eu"
+      "me.belsimpel@gladtherescake.eu"
+      "me.tele2@gladtherescake.eu"
+      "me+tele2@gladtherescake.eu"
+      "me.archiveorg@gladtherescake.eu"
+    ];
+    x509.useACMEHost = config.mailserver.fqdn;
+  };
+  security.acme.certs.${config.mailserver.fqdn} = {
+    webroot = "/var/lib/acme/acme-challenge/";
+    extraDomainNames = [
+      "imap.lillianviolet.dev"
+      "mail.lillianviolet.dev"
+      "pop3.lillianviolet.dev"
+      "lillianviolet.dev"
+      "gladtherescake.eu"
+      "mail.gladtherescake.eu"
+    ];
+  };
+}

modules/nixos/shared-packages/server-settings/mollysocket/default.nix

@@ -0,0 +1,25 @@
+{config, ...}: {
+  sops.secrets."mollysocket-vapid-key".mode = "0440";
+
+  services.mollysocket = {
+    enable = true;
+    environmentFile = config.sops.secrets."mollysocket-vapid-key".path;
+    settings = {
+      port = 4381;
+      allowed_endpoints = ["https://molly.gladtherescake.eu" "https://nextcloud.gladtherescake.eu"];
+      allowed_uuids = ["db639f29-b7e7-431a-9c75-bcdcb87b6bdf"];
+      webserver = true;
+    };
+  };
+  services.nginx = {
+    virtualHosts = {
+      "molly.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:4381";
+        };
+      };
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/nextcloud/default.nix

@@ -0,0 +1,126 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets."nextcloudadmin".mode = "0440";
+  sops.secrets."nextcloudadmin".owner = config.users.users.nextcloud.name;
+  sops.secrets."nextclouddb".mode = "0440";
+  sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name;
+  # sops.secrets."local.json".mode = "0440";
+  # sops.secrets."local.json".owner = config.users.users.onlyoffice.name;
+
+  users.users = {
+    # nextcloud.extraGroups = [config.users.groups.keys.name config.users.users.onlyoffice.name];
+    nextcloud.extraGroups = [config.users.groups.keys.name];
+    #aria2.extraGroups = ["nextcloud"];
+    # onlyoffice.extraGroups = [config.users.users.nextcloud.name];
+  };
+
+  # Enable Nginx
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    # Setup Nextcloud virtual host to listen on ports
+    virtualHosts = {
+      "nextcloud.gladtherescake.eu" = {
+        ## Force HTTP redirect to HTTPS
+        forceSSL = true;
+        ## LetsEncrypt
+        enableACME = true;
+      };
+      "onlyoffice.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+      };
+    };
+  };
+
+  # Actual Nextcloud Config
+  services.nextcloud = {
+    enable = true;
+    hostName = "nextcloud.gladtherescake.eu";
+
+    package = pkgs.nextcloud33;
+
+    # Use HTTPS for links
+    https = true;
+
+    # Auto-update Nextcloud Apps
+    autoUpdateApps.enable = true;
+    # Set what time makes sense for you
+    autoUpdateApps.startAt = "05:00:00";
+    configureRedis = true;
+    maxUploadSize = "16G";
+
+    #Increase opcache string buffer
+    phpOptions."opcache.interned_strings_buffer" = "23";
+    # Further forces Nextcloud to use HTTPS
+    settings = {
+      overwriteprotocol = "https";
+      default_phone_region = "NL";
+      maintenance_window_start = 3;
+      log_type = "file";
+    };
+    appstoreEnable = true;
+    extraAppsEnable = true;
+    #extraApps = with config.services.nextcloud.package.packages.apps; {
+    # List of apps we want to install and are already packaged in
+    # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+    # inherit calendar contacts deck forms notes onlyoffice polls twofactor_nextcloud_notification unsplash;
+    #};
+
+    config = {
+      # Nextcloud PostegreSQL database configuration, recommended over using SQLite
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+      dbname = "nextcloud";
+      dbpassFile = config.sops.secrets."nextclouddb".path;
+
+      adminpassFile = config.sops.secrets."nextcloudadmin".path;
+      adminuser = "GLaDTheresCake";
+    };
+  };
+
+  # services.onlyoffice = {
+  #   port = 16783;
+  #   enable = true;
+  #   hostname = "onlyoffice.gladtherescake.eu";
+  #   #postgresHost = "/run/postgesql";
+  #   #postgresUser = "onlyoffice";
+  #   #postgresName = "onlyoffice";
+  #   #jwtSecretFile = config.sops.secrets."local.json".path;
+  # };
+
+  # services.rabbitmq = {
+  #   enable = true;
+  # };
+
+  systemd.services."sops-nix.service" = {
+    before = [
+      "nextcloud-setup.service"
+      "postgresql.service"
+      "onlyoffice-converter.service"
+      "onlyoffice-docservice.service"
+      "nginx.service"
+      "phpfpm-nextcloud.service"
+      "redis-nextcloud.service"
+    ];
+  };
+
+  # Ensure that postgres is running before running the setup
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+}

modules/nixos/shared-packages/server-settings/ombi/default.nix

@@ -0,0 +1,55 @@
+{...}: {
+  users.users = {
+    ombi.extraGroups = ["radarr" "sonarr" "aria2" "nextcloud"];
+  };
+  services.ombi = {
+    enable = true;
+    port = 2368;
+  };
+
+  users.users = {
+    radarr.extraGroups = ["aria2" "nextcloud"];
+    sonarr.extraGroups = ["aria2" "nextcloud"];
+  };
+
+  services = {
+    #uses port 7878
+    radarr.enable = true;
+    #uses port 8989
+    sonarr.enable = true;
+    prowlarr.enable = true;
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "ombi.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:2368";
+        };
+      };
+      "radarr.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:7878";
+        };
+      };
+      "sonarr.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:8989";
+        };
+      };
+      "prowlarr.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:9696";
+        };
+      };
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/phanpy/default.nix

@@ -0,0 +1,17 @@
+{pkgs, ...}: {
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "phanpy.gladtherescake.eu" = {
+        root = "${pkgs.phanpy}";
+        ## Force HTTP redirect to HTTPS
+        forceSSL = true;
+        ## LetsEncrypt
+        enableACME = true;
+        locations."/" = {
+          index = "index.html";
+        };
+      };
+    };
+  };
+}

modules/nixos/shared-packages/server-settings/postgres/default.nix

@@ -0,0 +1,38 @@
+{pkgs, ...}: {
+  services.postgresql = {
+    # https://nixos.org/manual/nixos/stable/#module-postgresql
+    package = pkgs.postgresql_16;
+    enable = true;
+
+    # Ensure the database, user, and ownership is set
+    ensureDatabases = [
+      "nextcloud"
+      "onlyoffice"
+      "akkoma"
+      "gotosocial"
+      "gitea"
+    ];
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "onlyoffice";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "akkoma";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "gotosocial";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "gitea";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+}

modules/nixos/shared-packages/server-settings/postgres/upgrade.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = [
+    (let
+      # XXX specify the postgresql package you'd like to upgrade to.
+      # Do not forget to list the extensions you need.
+      newPostgres = pkgs.postgresql_16.withPackages (pp: [
+        # pp.plv8
+      ]);
+    in
+      pkgs.writeScriptBin "upgrade-pg-cluster" ''
+        set -eux
+        # XXX it's perhaps advisable to stop all services that depend on postgresql
+        systemctl stop postgresql
+
+        export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
+
+        export NEWBIN="${newPostgres}/bin"
+
+        export OLDDATA="${config.services.postgresql.dataDir}"
+        export OLDBIN="${config.services.postgresql.package}/bin"
+
+        install -d -m 0700 -o postgres -g postgres "$NEWDATA"
+        cd "$NEWDATA"
+        sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
+
+        sudo -u postgres $NEWBIN/pg_upgrade \
+          --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
+          --old-bindir $OLDBIN --new-bindir $NEWBIN \
+          "$@"
+      '')
+  ];
+}

modules/nixos/shared-packages/server-settings/roundcube/default.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  # TODO: Figure out how to create packages for some plugins for roundcube!
+  # https://packagist.org/search/?query=roundcube
+  # https://discourse.nixos.org/t/roundcube-with-plugins/28292/7
+  services.roundcube = {
+    enable = true;
+    package = pkgs.roundcube.withPlugins (
+      plugins: [
+        plugins.contextmenu
+        plugins.carddav
+        plugins.custom_from
+        plugins.persistent_login
+        plugins.thunderbird_labels
+      ]
+    );
+    plugins = [
+      "contextmenu"
+      "carddav"
+      "custom_from"
+      "persistent_login"
+      "thunderbird_labels"
+    ];
+
+    # this is the url of the vhost, not necessarily the same as the fqdn of
+    # the mailserver
+    hostName = "webmail.lillianviolet.dev";
+    extraConfig = ''
+      # starttls needed for authentication, so the fqdn required to match
+      # the certificate
+      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+      $config['smtp_user'] = "%u";
+      $config['smtp_pass'] = "%p";
+    '';
+  };
+}

modules/nixos/shared-packages/server-settings/writefreely/default.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets."writefreely".mode = "0440";
+  sops.secrets."writefreely".owner = config.users.users.writefreely.name;
+  sops.secrets."writefreelymysql".mode = "0440";
+  sops.secrets."writefreelymysql".owner = config.users.users.writefreely.name;
+  services.writefreely = {
+    enable = true;
+    host = "writefreely.gladtherescake.eu";
+    nginx.enable = true;
+    nginx.forceSSL = true;
+    acme.enable = true;
+    # database = {
+    #   type = "mysql";
+    #   createLocally = true;
+    #   passwordFile = config.sops.secrets."writefreelymysql".path;
+    # };
+    admin = {
+      initialPasswordFile = config.sops.secrets."writefreely".path;
+      name = "GLaDTheresCake";
+    };
+    settings = {
+      app = {
+        min_username_len = 2;
+        max_blogs = 100;
+        default_visibility = "public";
+        federation = true;
+        local_timeline = true;
+      };
+      server.port = 1212;
+    };
+  };
+  systemd.services.writefreely = {
+    path = [pkgs.libressl];
+  };
+}

modules/nixos/sops/default.nix

@@ -0,0 +1,44 @@
+{ lib, config, ...}:
+let cfg = config.sopsSetup; in {
+  options = {
+    sopsSetup.enable = lib.mkEnableOption "Enable Module";
+    global.desktop= lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = "Whether or not to install shared desktop secrets.";
+          };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sops = {
+    age.keyFile = "/var/secrets/keys.txt";
+    secrets."lillian-password".neededForUsers = true;
+
+    defaultSopsFile = ../hosts/${config.networking.hostName}/secrets/sops.yaml;
+
+    secrets."wg-private-key".mode = "0440";
+    secrets."wg-private-key".owner = config.users.users.root.name;
+
+    secrets."ssh-private-key" = {
+      mode = "0600";
+      owner = config.users.users.lillian.name;
+      path = "/home/lillian/.ssh/id_ed25519";
+    };
+  };
+  secrets."nextcloud-password" = lib.mkIf (cfg.desktop == true) {
+      mode = "0600";
+      owner = config.users.users.lillian.name;
+      path = "/home/lillian/.netrc";
+    };
+    secrets."prod.keys" = lib.mkIf (cfg.desktop == true) {
+      mode = "0600";
+      owner = config.users.users.lillian.name;
+      path = "/home/lillian/.config/Ryujinx/system/prod.keys";
+    };
+    secrets."title.keys" = lib.mkIf (cfg.desktop == true) {
+      mode = "0600";
+      owner = config.users.users.lillian.name;
+      path = "/home/lillian/.config/Ryujinx/system/title.keys";
+    };
+  };
+}

modules/nixos/stylix/default.nix

@@ -0,0 +1,60 @@
+  { lib, config, pkgs, ...}:
+let cfg = config.stylixSetup; in {
+  options = {
+    stylixSetup.enable = lib.mkEnableOption "Enable Module";
+  };
+  config = lib.mkIf cfg.enable {
+  stylix = {
+    # targets.qt.platform = lib.mkForce "kde";
+    enable = true;
+    # targets.qt.platform = "kde6";
+    autoEnable = true;
+    base16Scheme = {
+      scheme = "Catppuccin Macchiato Mauve";
+      author = "https://github.com/catppuccin/catppuccin";
+      base00 = "24273a";
+      base01 = "1e2030";
+      base02 = "363a4f";
+      base03 = "494d64";
+      base04 = "5b6078";
+      base05 = "cad3f5";
+      base06 = "f4dbd6";
+      base07 = "b7bdf8";
+      base08 = "ed8796";
+      base09 = "f5a97f";
+      base0A = "eed49f";
+      base0B = "a6da95";
+      base0C = "8bd5ca";
+      base0D = "c6a0f6";
+      base0E = "8aadf4";
+      base0F = "f0c6c6";
+    };
+    image = ./background.jpg;
+    cursor.package = pkgs.catppuccin-cursors.macchiatoMauve;
+    cursor.name = "catppuccin-macchiato-mauve-cursors";
+    cursor.size = 24;
+    homeManagerIntegration.followSystem = true;
+    fonts = {
+      serif = {
+        package = pkgs.atkinson-hyperlegible;
+        name = "Atkinson Hyperlegible Next";
+      };
+
+      monospace = {
+        package = pkgs.atkinson-hyperlegible-mono;
+        name = "Atkinson Hyperlegbile Mono";
+      };
+
+      sansSerif = {
+        package = pkgs.atkinson-hyperlegible;
+        name = "Atkinson Hyperlegible Next";
+      };
+
+      emoji = {
+        package = pkgs.noto-fonts-emoji-blob-bin;
+        name = "Blobmoji";
+      };
+    };
+  };
+  };
+}

nixos/desktop/default.nix

@@ -57,6 +57,7 @@
       direnv
       exfat
       exfatprogs
+      gamemode
       git-filter-repo
       gnupg
       pciutils

nixos/shared/default.nix

@@ -77,6 +77,7 @@
         rm -f /home/lillian/.config/gtk-3.0/gtk.css.backup
         rm -f /home/lillian/.config/gtk-4.0/settings.ini.backup
         rm -f /home/lillian/.config/gtk-4.0/gtk.css.backup
+        rm -r /home/lillian/.gtkrc-2.0.backup
       '';
     };
   };

nixos/shared/packages/package-configs/default.nix

@@ -0,0 +1,5 @@
+{...}: {
+  imports = [
+    ./firefox
+  ];
+}

nixos/shared/packages/package-configs/firefox/default.nix

@@ -0,0 +1,182 @@
+{pkgs, ...}: {
+  programs.firefox = {
+    enable = true;
+    package = pkgs.librewolf;
+    policies = {
+      DisableTelemetry = true;
+      DisableFirefoxStudies = true;
+      DisablePocket = true;
+      DisableFirefoxAccounts = true;
+      DisableAccounts = true;
+      DisableProfileImport = true;
+      OverrideFirstRunPage = "";
+      OverridePostUpdatePage = "";
+      DontCheckDefaultBrowser = true;
+      DisplayBookmarksToolbar = "newtab";
+      ManualAppUpdateOnly = true;
+      OfferToSaveLogins = false;
+      PasswordManagerEnabled = false;
+      DownloadDirectory = "\${home}/Downloads";
+      EnableTrackingProtection = {
+        Value = true;
+        Cryptomining = true;
+        Fingerprinting = true;
+      };
+      ExtensionSettings = {
+        # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+        # Catppuccin Macchiato - Mauve theme:
+        "{55750c61-e5f3-4d9a-898d-0643b3093678}" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/catppuccin-macchiato-mauve/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Sideberry:
+        #"{3c078156-979c-498b-8990-85f7987dd929}" = {
+        #  install_url = "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi";
+        #  installation_mode = "force_installed";
+        #};
+        # Privacy Badger:
+        "jid1-MnnxcxisBPnSXQ@jetpack" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Bitwarden:
+        "{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Libredirect:
+        "7esoorv3@alefvanoon.anonaddy.me" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # DarkReader:
+        "addon@darkreader.org" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # SimpleLogin:
+        "addon@simplelogin" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/simplelogin/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Cookie Auto Delete:
+        "CookieAutoDelete@kennydo.com" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/cookie-autodelete/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Don't fuck with paste:
+        "DontFuckWithPaste@raim.ist" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/don-t-fuck-with-paste/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Firefox pwas:
+        "firefoxpwa@filips.si" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/pwas-for-firefox/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Consent o matic:
+        "gdpr@cavi.au.dk" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Mailvelope:
+        "jid1-AQqSMBYb0a8ADg@jetpack" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/mailvelope/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # KDE connect:
+        "kde-connect@0xc0dedbad.com" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/kde-connect/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Plasma browser integration:
+        "plasma-browser-integration@kde.org" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Shinigami eyes:
+        "shinigamieyes@shinigamieyes" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/shinigami-eyes/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # uBlock Origin:
+        "uBlock0@raymondhill.net" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # uBlock Scope:
+        "uBO-Scope@raymondhill.net" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ubo-scope/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Wayback machine:
+        "wayback_machine@mozilla.org" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/file/4047136/wayback_machine_new-3.2.xpi";
+          installation_mode = "force_installed";
+        };
+        # Tree Style Tabs
+        # "treestyletab@piro.sakura.ne.jp" = {
+        #   install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi";
+        #   installation_mode = "force_installed";
+        # };
+        # Adaptive Tab Bar Colour
+        "ATBC@EasonWong" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi";
+          installation_mode = "force_installed";
+        };
+      };
+      FirefoxHome = {
+        Search = true;
+        TopSites = false;
+        SponsoredTopSites = false;
+        Highlights = false;
+        Pocket = false;
+        SponsoredPocket = false;
+        Snippets = false;
+      };
+      FirefoxSuggest = {
+        WebSuggestions = false;
+        SponsoredSuggestions = false;
+        ImproveSuggest = false;
+      };
+      Preferences = {
+        "browser.compactmode.show" = true;
+        "browser.uidensity" = 0;
+        # "browser.newtabpage.activity-stream.feeds.topsites" = false;
+        "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+        "browser.newtabpage.activity-stream.showSponsored" = false;
+        "browser.newtabpage.activity-stream.system.showSponsored" = false;
+        "font.name.serif.x-western" = "Crimson";
+        "font.name.sans-serif.x-western" = "Atkinson Hyperlegible";
+        "font.name.monospace.x-western" = "FiraCode Nerd Font";
+        "font.size.variable.x-western" = 14;
+        "floorp.browser.sidebar.useIconProvider" = "duckduckgo";
+        "floorp.browser.tabbar.settings" = 2;
+        "floorp.browser.tabs.verticaltab" = true;
+        "floorp.tabbar.style" = 2;
+        "floorp.browser.user.interface" = 8;
+        "signon.rememberSignons" = true;
+        "browser.ml.chat.enabled" = false;
+        "browser.ml.chat.shortcuts" = false;
+      };
+      # TODO: switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks
+      # Bookmarks = [
+      #   {
+      #     Title = "NixOS wiki";
+      #     Placement = "toolbar";
+      #     URL = "https://nixos.wiki/";
+      #   }
+      #   {
+      #     Title = "NixOS options";
+      #     Placement = "toolbar";
+      #     URL = "https://nixos.org/manual/nixos/stable/options";
+      #   }
+      #   {
+      #     Title = "NixOS home-manager options";
+      #     Placement = "toolbar";
+      #     URL = "https://nix-community.github.io/home-manager/options.xhtml";
+      #   }
+      # ];
+    };
+  };
+}

nixos/shared/preservation.nix

@@ -120,6 +120,7 @@
             ".thunderbird"
             "Code"
             "Writing"
+            "Games"
             ".config/kdeconnect"
             ".config/Nextcloud"
             ".config/noisetorch"