lots of stuff

.gitignore

@@ -0,0 +1,2 @@
+result
+.direnv

.sops.yaml

@@ -12,3 +12,13 @@ creation_rules:
         - *xun
         - *nixdesk
         - *hopper
+  - path_regex: secrets/nixdesk
+    key_groups:
+      - age:
+        - *xun
+        - *nixdesk
+  - path_regex: secrets/hopper
+    key_groups:
+      - age:
+        - *xun
+        - *hopper

Justfile

@@ -1,6 +1,16 @@
-remote OPERATION HOST:
+hostname := `hostname`
-  nixos-rebuild \
+
-  --flake .#{{HOST}} \
+local OPERATION:
-  --target-host xun@{{HOST}} \
+  sudo nixos-rebuild \
-  --use-remote-sudo \
+  --flake .#{{hostname}} \
+  {{OPERATION}}
+
+
+remote OPERATION HOST HOSTNAME *FLAGS:
+  nixos-rebuild \
+  --fast \
+  --flake .#{{HOST}} \
+  --target-host xun@{{HOSTNAME}} \
+  --use-remote-sudo \
+  {{FLAGS}} \
   {{OPERATION}}

flake.lock

@@ -9,11 +9,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1706647585,
+        "lastModified": 1708452844,
-        "narHash": "sha256-HwAWgXIUn0a2FIS5Mye0sAZj1BZ4++YKWzIPM7coFjs=",
+        "narHash": "sha256-zlmcdVoD/7M15OrEJFjJ19s84cudaOd66DTyso0ERic=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "9343a32ef3fc2d3be2f3c5266a09c63cc5019438",
+        "rev": "a32606b39b9b56062efdef8f001d1e88f7647f59",
         "type": "gitlab"
       },
       "original": {
@@ -60,11 +60,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1706569497,
+        "lastModified": 1706830856,
-        "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=",
+        "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "60c614008eed1d0383d21daac177a3e036192ed8",
+        "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
         "type": "github"
       },
       "original": {
@@ -122,11 +122,11 @@
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
       "locked": {
-        "lastModified": 1704982712,
+        "lastModified": 1706830856,
-        "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
+        "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "07f6395285469419cf9d078f59b5b49993198c00",
+        "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
         "type": "github"
       },
       "original": {
@@ -188,11 +188,11 @@
     },
     "hardware": {
       "locked": {
-        "lastModified": 1706182238,
+        "lastModified": 1708091350,
-        "narHash": "sha256-Ti7CerGydU7xyrP/ow85lHsOpf+XMx98kQnPoQCSi1g=",
+        "narHash": "sha256-o28BJYi68qqvHipT7V2jkWxDiMS1LF9nxUsou+eFUPQ=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "f84eaffc35d1a655e84749228cde19922fcf55f1",
+        "rev": "106d3fec43bcea19cb2e061ca02531d54b542ce3",
         "type": "github"
       },
       "original": {
@@ -231,11 +231,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706473109,
+        "lastModified": 1708451036,
-        "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=",
+        "narHash": "sha256-tgZ38NummEdnXvxj4D0StHBzXgceAw8CptytHljH790=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d634c3abafa454551f2083b054cd95c3f287be61",
+        "rev": "517601b37c6d495274454f63c5a483c8e3ca6be1",
         "type": "github"
       },
       "original": {
@@ -321,11 +321,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706714349,
+        "lastModified": 1708433103,
-        "narHash": "sha256-XCWHBWqfCGgP1EY+KWl2xAy1muJN/MTXChiBDbeAb/8=",
+        "narHash": "sha256-Fxmfx7jSrLeMGYq634/RDWJwoKRw11ahDroOF0mIQiE=",
         "owner": "fufexan",
         "repo": "nix-gaming",
-        "rev": "015aeaa26b7eeafb14ed7e01dce74d1f2338157f",
+        "rev": "d154dc37e5a1179def36813fee1016a764090535",
         "type": "github"
       },
       "original": {
@@ -341,11 +341,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706411424,
+        "lastModified": 1708225687,
-        "narHash": "sha256-BzziJYucEZvdCE985vjPoo3ztWcmUiSQ1wJ2CoT6jCc=",
+        "narHash": "sha256-NJBDfvknI26beOFmjO2coeJMTTUCCtw2Iu+rvJ1Zb9k=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "c782f2a4f6fc94311ab5ef31df2f1149a1856181",
+        "rev": "17352eb241a8d158c4ac523b19d8d2a6c8efe127",
         "type": "github"
       },
       "original": {
@@ -361,11 +361,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1707182119,
+        "lastModified": 1708391638,
-        "narHash": "sha256-Egt1PmjNAbx2nS0h/iWpaTCcOzLPHpRXzTJBt3waEAs=",
+        "narHash": "sha256-ZbiupDt7BPhxJy6EfS8ShKAaKtW8qZblWE617Le1hCI=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "4e7767c214364217e0a7611dca3f3420555ceb20",
+        "rev": "64ff3452483eb29ad15e7e1a943831629368ae90",
         "type": "github"
       },
       "original": {
@@ -393,11 +393,11 @@
     "nixpkgs-lib": {
       "locked": {
         "dir": "lib",
-        "lastModified": 1703961334,
+        "lastModified": 1706550542,
-        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
+        "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
+        "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
         "type": "github"
       },
       "original": {
@@ -411,11 +411,11 @@
     "nixpkgs-lib_2": {
       "locked": {
         "dir": "lib",
-        "lastModified": 1703961334,
+        "lastModified": 1706550542,
-        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
+        "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
+        "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
         "type": "github"
       },
       "original": {
@@ -428,27 +428,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1705957679,
+        "lastModified": 1708210246,
-        "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
+        "narHash": "sha256-Q8L9XwrBK53fbuuIFMbjKvoV7ixfLFKLw4yV+SD28Y8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
+        "rev": "69405156cffbdf2be50153f13cbdf9a0bea38e49",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1707092692,
+        "lastModified": 1684570954,
-        "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=",
+        "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "faf912b086576fd1a15fca610166c98d47bc667e",
+        "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
         "type": "github"
       },
       "original": {
@@ -460,11 +460,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1706550542,
+        "lastModified": 1708296515,
-        "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
+        "narHash": "sha256-FyF489fYNAUy7b6dkYV6rGPyzp+4tThhr80KNAaF/yY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
+        "rev": "b98a4e1746acceb92c509bc496ef3d0e5ad8d4aa",
         "type": "github"
       },
       "original": {
@@ -476,11 +476,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1706173671,
+        "lastModified": 1708151420,
-        "narHash": "sha256-lciR7kQUK2FCAYuszyd7zyRRmTaXVeoZsCyK6QFpGdk=",
+        "narHash": "sha256-MGT/4aGCWQPQiu6COqJdCj9kSpLPiShgbwpbC38YXC8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4fddc9be4eaf195d631333908f2a454b03628ee5",
+        "rev": "6e2f00c83911461438301db0dba5281197fe4b3a",
         "type": "github"
       },
       "original": {
@@ -510,11 +510,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1706410821,
+        "lastModified": 1708456161,
-        "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=",
+        "narHash": "sha256-Rh5kJvLZySEPkOxCIX1XA0SpDnYjjXSvixLwKsrcpVE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef",
+        "rev": "acfcce2a36da17ebb724d2e100d47881880c2e48",
         "type": "github"
       },
       "original": {

flake.nix

@@ -13,7 +13,7 @@
         config,
         pkgs,
         ...
-      }: {
+      }: rec {
         devShells.default = pkgs.mkShell {
           packages = with pkgs; [
             alejandra
@@ -26,6 +26,8 @@
           name = "dots";
         };
 
+        packages = import ./pkgs {inherit pkgs;};
+
         formatter = pkgs.alejandra;
       };
     };

home/profiles/default.nix

@@ -1,6 +1,8 @@
 {
   self,
   inputs,
+  system,
+  pkgs,
   ...
 }: let
   # get these into the module system
@@ -24,7 +26,7 @@
 
   inherit (inputs.home-manager.lib) homeManagerConfiguration;
 
-  pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
+  pkgs = inputs.nixpkgs.legacyPackages.${system};
 in {
   # we need to pass this to NixOS' HM module
   _module.args = {inherit homeImports;};

home/profiles/nixdesk/default.nix

@@ -16,8 +16,10 @@
     # programs
     ../../programs/misc/keepassxc.nix
     ../../programs/misc/discord.nix
+    ../../programs/misc/thunderbird.nix
     ../../programs/music
     ../../programs/music/yams.nix
+    ../../programs/music/spotify.nix
     ../../programs/media
     ../../programs/media/jellyfin.nix
     # gaming

home/programs/games/default.nix

@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  self,
+  ...
+}: {
   home.packages = with pkgs; [
     heroic
     lutris

home/programs/games/steam.nix

@@ -26,6 +26,7 @@ in {
   home.packages = with pkgs; [
     steam-with-pkgs
     steam-run
+    steamtinkerlaunch
     protontricks
   ];
 }

home/programs/media/jellyfin.nix

@@ -1,6 +1,5 @@
 {pkgs, ...}: {
   home.packages = with pkgs; [
     jellyfin-media-player
-    jellycli
   ];
 }

home/programs/misc/discord.nix

@@ -1,7 +1,5 @@
 {pkgs, ...}: {
   home.packages = with pkgs; [
-    (discord.override {
+    vesktop
-      withVencord = true;
-    })
   ];
 }

home/programs/misc/thunderbird.nix

@@ -0,0 +1,8 @@
+{
+  programs.thunderbird = {
+    enable = true;
+    profiles.xun = {
+      isDefault = true;
+    };
+  };
+}

home/programs/music/spotify.nix

@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+  home.packages = [pkgs.spotify];
+}

home/terminal/shell/zsh.nix

@@ -16,10 +16,24 @@
       ## KEYBINDS ##
       bindkey "^[[1;5D" backward-word
       bindkey "^[[1;5C" forward-word
-      WORDCHARS= # this makes ^w actually stop on directory delimiters etc
+
+      # improve ^w behaviour
+      WORDCHARS=
+
+      # shift-tab in completion menu
+      bindkey '^[[Z' reverse-menu-complete
+
       zstyle ':completion:*'  matcher-list 'm:{a-z}={A-Z}' # Case insensitive completion
 
 
+      bindkey '^[[Z' reverse-menu-complete # shift-tab in completion menu
+
+
+      ## MISC ##
+      # Show completion categories
+      zstyle ':completion:*:*:*:*:descriptions' format '%F{magenta}<-%d->%f'
+
+
       ## PROMPT ##
       autoload -Uz vcs_info
       precmd_vcs_info() { vcs_info }

hosts/default.nix

@@ -9,10 +9,12 @@
     mod = "${self}/system";
 
     # get the basic config to build on top of
-    inherit (import "${self}/system") desktop laptop;
+    inherit (import "${self}/system") desktop;
 
     # get these into the module system
-    specialArgs = {inherit inputs self;};
+    specialArgs = {
+      inherit inputs self;
+    };
   in {
     nixdesk = nixosSystem {
       inherit specialArgs;
@@ -20,9 +22,13 @@
         desktop
         ++ [
           ./nixdesk
-          "${mod}/programs/gamemode.nix"
+
-          "${mod}/services/syncthing.nix"
           "${self}/secrets"
+          "${self}/secrets/nixdesk"
+
+          "${mod}/services/syncthing.nix"
+          "${mod}/desktop/x11/nosleep.nix"
+
           {
             home-manager = {
               users.xun.imports = homeImports."xun@nixdesk";
@@ -37,6 +43,7 @@
         ./hopper
 
         "${self}/secrets"
+        "${self}/secrets/hopper"
 
         "${mod}/core"
 
@@ -57,6 +64,11 @@
         "${mod}/services"
         "${mod}/services/pipewire.nix"
         "${mod}/services/syncthing.nix"
+        "${mod}/services/containers/server"
+
+        #"${mod}/services/networkd-wireguard.nix"
+        #"${mod}/services/wireguard.nix"
+        #"${mod}/services/transmission.nix"
 
         {
           home-manager = {

hosts/hopper/default.nix

@@ -8,6 +8,10 @@
 
   networking.hostName = "hopper";
 
+  #services.tailscale.extraUpFlags = [
+  #  "--ssh"
+  #];
+
   swapDevices = [];
 
   system.stateVersion = "23.11";

hosts/nixdesk/default.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   inputs,
+  lib,
   ...
 }: {
   imports = [
@@ -15,7 +16,13 @@
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
-  swapDevices = [];
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      randomEncryption.enable = true;
+      size = 16 * 1024;
+    }
+  ];
 
   system.stateVersion = "23.11";
 }

pkgs/default.nix

@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+  jdnbtexplorer = pkgs.qt6Packages.callPackage ./jdnbtexplorer {};
+}

pkgs/jdnbtexplorer/default.nix

@@ -0,0 +1,55 @@
+{
+  lib,
+  python3,
+  which,
+  qttools,
+}: let
+  myPython = python3.withPackages (pkgs:
+    with pkgs; [
+      pyqt6
+      pyside6
+      (myPython.pkgs.buildPythonPackage rec {
+        pname = "NBT";
+        version = "1.5.1";
+
+        src = myPython.pkgs.fetchPypi {
+          inherit pname version;
+          hash = "sha256-2juyE3YFy53+dEbxPxmzrn+vkg1DCjh/t4794n9mNsU=";
+        };
+      })
+    ]);
+in
+  myPython.pkgs.buildPythonPackage rec {
+    pname = "jdNBTExplorer";
+    version = "2.0";
+    format = "pyproject";
+
+    src = builtins.fetchGit {
+      url = "https://codeberg.org/JakobDev/jdNBTExplorer";
+      rev = "e70c9b030f88340b565c22759b6efd97172be551";
+    };
+
+    nativeBuildInputs = [
+      myPython
+      which
+      qttools
+    ];
+
+    propagatedBuildInputs = [
+      myPython
+    ];
+
+    dontWrapQtApps = true;
+
+    preFixup = ''
+      qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
+      # You can manually patch scripts using: wrapQtApp "$out/bin/myapp". TODO: check when it's required.
+    '';
+
+    meta = with lib; {
+      changelog = "https://codeberg.org/JakobDev/jdNBTExplorer/releases/tag/${version}";
+      description = "An Editor for Minecraft NBT files";
+      homepage = "https://codeberg.org/JakobDev/jdNBTExplorer";
+      license = licenses.gpl3Only;
+    };
+  }

secrets/default.nix

@@ -1,6 +1,5 @@
 {
   inputs,
-  config,
   lib,
   ...
 }: {

secrets/hopper/code-server

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:UrmaXZ5U/yiBA0fIe+6OGD0a9hPMGO0AadM6dSw6armCsCHocN4nKYEgf1o67VSMR1IGmwxVEg9yT9o159jS4YnS6xE3EcygvmfrOD8X1aCWKK+eF3MWNmxjMrylTO5PYeZMu6R3,iv:ZFY9P+Zeva8U0Mhyq/zSGRs9ikRgK+tt8OFX9tusONA=,tag:CLyaeWre//r6HAaEctCBbQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY2xXRkxjd0JqNWNuS1pu\ndVNUeE5JaWN2QkRUZzBPdnNCZjg5K0kxRnp3ClErcHk0MTB6aGpWYjcvb1NIWWVC\nY2NYbVNxRWVRbk4zdXNmcXpkRHRXbHMKLS0tIGQyekRtYkZOYmRVaVRVclFEK01Y\nZFdFZjlkTmFpU0lyZEs0Qkl5aHhEV0kK9bTzLFDrLCVGJiPLCwPLBtZm1Wl9pmqC\nMcMhpaWFPrV9VBbTXtHYoojDrwc+dHDvWIskBixhf7P7R+dOOpchhw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQnlTVGdMV0xhb215b1I5\nc2tqTHhHeDBMK29Eclp6NjVELy9reUYwTjA4ClBrVS9hWWhCeUsxbEJSNG9NRmZl\nQnZGVHdXM2svM1Iyc3NTT294NWk1RDAKLS0tIEZjUStFZDJoOHFrc0hsaUMrNXl4\nQys1M2xpRVhkUmI4U0taQllSWC93YXMKDJdRDZGGP/RFqquIY6m676vOL0CxEkrd\npIpZ88Y9/2oX0FUHxm8vV/xHXyKfWm5lU4xEcJ1tBV/Zm0jLbLQTMw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-02-21T19:46:40Z",
+		"mac": "ENC[AES256_GCM,data:8j1JzGceUdx/ha1kNYI7pVG9Qtc9dWqI+X9tBFgFJ94QAhH5r56PngsvPHDcx3Y3jHYH/eN2Nd3KESfabOS0TIxDk0ka4GpKYZY2uG6jerN88tisZ5FvatVGMDp6EPE3x0S6kjeYocbt0XBgxn32iTAC19gvS6FipZ6Df35HOQ8=,iv:PjJ51F0FKe5c0m6+cLN5d9cD5mbpKuTas48tEJ9Qr5E=,tag:CQzuGCkpE5o7GTI2Mc/rcQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

secrets/hopper/default.nix

@@ -0,0 +1,29 @@
+{
+  sops.secrets = {
+    wireguard = {
+      format = "binary";
+      sopsFile = ./wireguard;
+    };
+    wg-private = {
+      key = "PrivateKey";
+      sopsFile = ./wireguard.yaml;
+      group = "systemd-network";
+      mode = "0640";
+    };
+    wg-preshared = {
+      key = "PresharedKey";
+      sopsFile = ./wireguard.yaml;
+      group = "systemd-network";
+      mode = "0640";
+    };
+
+    serverenv = {
+      format = "binary";
+      sopsFile = ./serverenv;
+    };
+    code-server = {
+      format = "binary";
+      sopsFile = ./code-server;
+    };
+  };
+}

secrets/hopper/serverenv

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:GOiWi8l61RgpVeKWrlfwxWMbda8FgJGlHXl910qpblaTsxbrIe+aZoEqVyaSST/N4kip7m2fQsCaX5C827XKR16CZ1c5R/3oql8gDcu6lrkDTIbbttN/RUVfX6LD1Y0b,iv:nwZWzKpz4y7+LKDHoojMWBKOvybZeo/d/ZSzsMujXTI=,tag:SHnv4RuNrsQpQ30x1gjIOQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4clpZQ0doNGJwRkI3QXdX\na0RpWnJoSjlveUhzK1lPaXRYRnlhcFZPZVE0Cm1xamVNMWxVeVhXdmhWZTE3TDJa\nZnUxdWdwVU5Bd3czS2FRb3pkWDFrcEUKLS0tIG5BS2ZDN21Tbm9FNnZoRUIvV0N2\nQmY2UHowS24yS0hYTXJMKzJJdDgrTlkKW80YjK/+FF1jjqNFoJLUTtZENRS7D5Bq\nFq7Vmu/untXqA7yqojI9Og7pdWyAnAf737kq6XusCBA3KMz5C+BgMg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTmJYZzIra3RIWHFyT0RJ\nZ0JoeGduL1RmYWN2SC9Ua0RIN0dWSEN4QjB3CjgzMi9sN3RETTArRnIwNGZkM3FD\nZUJFVHpEdE5YVHhQRmoxY3VWWnFQdG8KLS0tIFo3Sy9qNE1nV2dWV1hSZEhLUENJ\nUk9walpjTUp6aXUvYjlIR2c2dlNscXMK3ZT6xLYaKtwxfEqhhxN9fgr4sBYMSHiY\nnfcj5NNxOYgY8q6Z7oJ9Yzk+8Jrv7SS/eIMCt+rk9+UOu3xl+r/TBw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-02-16T22:49:25Z",
+		"mac": "ENC[AES256_GCM,data:1V7ZORlvxVVynY7rkKxkEw8MLonW5BwdGqvZ8C9Y9QNIu/udVmQvFMOxHVkdTcYOgk/4pYK/jKNkaPCPtjfJvhnSQ3ZKfOQJWfTVhq+Ba8f2HYc2qLUDupyMtjhBY7W2Pt9yAlJHxpozblCnGty958yy7Z0V0NiiO9ETA837fUQ=,iv:IqAr2BETDyPSdhzYWKEts+9AK5coOGY5/99QZ6HufyA=,tag:3oes+CnEb4zcdNp7QQOahg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

secrets/hopper/wireguard

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:kCJQ4tuM0zzYUsUFAAWG/Q7Uxs4262XGg7ioE+n/D4De1RRGApDyOLVnt7xgPhKK3fyxfkqmUrLvlumc0KwC0wl3U0YzW77r0G+XhutE+pp3DboDiYBsGfvj/Yl8T+lV2Q9s9GLMtdshjh21DTVbXLLf4Z9Fw51oshsVZIfy+VBZvjCNlUD+6uXO3Jo/1qcwPnMvIsyqKQCAtFvfvoEyDO36/XCXoDwqs4V3NLQortL9KgTd6lClrWtZIBYj3HZcogwhnK2AqMVnHrFzizndYKK170Z2Llptz4aBQeUF40gqM16Tj4Rxjqy11o2e20rCy854yyxGf6pIYy4475h8sWPnqVGk1NaMUKHTxJ4sOqm6nC+yXSUSoj/kXKkxy74oOs29mih/SfHqj/xPsodOkX3sD7R/NcTZsyJ8wy5hJOfe7h3qFjthd6d0sc3bbbPPQtXz3ixKgN7brtJQHUhPgol8IJn6h63kBRmUu5GyZAimT/hidW/IsIfLRAV54JCcOCrUzygkrRFItDVk98PHekTrSJfm6dWd0z4=,iv:kPWXbr/kvsFxUjYP9XaPB/5EKv9R2evsbq+1beYN4L8=,tag:qee0e90KN9aTeteX2pxRVQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnU0lRS0I5cXh1V0xjb1RS\nVTlla014WWVybmNOTml5ejdOaTFiWWpTbFc4CmdVZHdvazhoNnlaeG5ibTBZREdG\nTjd4cXBjSGpsdTQyb1lMQloxWUZhZjgKLS0tIHRxa0o1TERZNlYyQUQzZUhnTnhT\nWUxEM2dnWGZmV2d6SXJVSXQ2bU1Ic2cKbPQwJSlna6Vysi2TznU3ovmWQXBbwryF\nM2dlOwPjv+lWM1DLfJRR3zUCugTuz0xjdTDLZlo1F/aaeWiAPm5j1w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VDl2dnFCbUtRdnlDTGVv\ndzBwUTh1OXRONDlGK2hXZ29YRytLbU9sNXlFClViaG9xRGw2OHZLTmZEQk9nSXU5\nZHI2aWVNSXp2Z2JxakpKUkkzQ21XZzQKLS0tIEpSM3Z4dW9VeVVEQ2JKYU5EK0hP\nYzBnK2d6TkF4VGJ6dlBrc291ZDFBYW8KtEnivQ5aj9FhnNHRL3jEQPYxSuO8QAuz\n9tIXoiU13+GOmvn8XG25cZjUIgCamd9c/uBVXFYFx3muGlmBwvn9cQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-02-10T16:33:02Z",
+		"mac": "ENC[AES256_GCM,data:HcavTZc4gd64JqL9QZxpUR9W8F3DEzjeSABTg16Tgo9jAcp703KV/EAfjGmO42397UGp3e2nSuqod7uAtpQAcHsFFvYADrFzjoxa//KA+OR3/fwWnfFWTqyC1cJa4IaZpjZJuj1Qj09NeihTuU3vRXGbn5KN5x91wcVE/UhzSXg=,iv:CacSKLYy6I8U4lwJEo535S9m2iRvgEcLvayYsnOCFko=,tag:j3PhJnidKwPPfd83ylQC+w==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

secrets/hopper/wireguard.yaml

@@ -0,0 +1,31 @@
+PrivateKey: ENC[AES256_GCM,data:Eh8XY8HqxCr4kdutL99GBhNJEjT/QP2pHQhTe/O8juiKPHslzcen+x9JeJM=,iv:MC+g84kqoFqaD0N/WvKoEgy1kl/Z2SgMqpm3AqjJ1mA=,tag:trvHpJbSI6CHNp4ihwpiIg==,type:str]
+PresharedKey: ENC[AES256_GCM,data:fT9RIvz/gXAop5UDlbWwVV1yHErbDW4ff5j2Xo1g1nVTPGzbDHZPtZD9+ts=,iv:sHrGX8gxPVkAydmalgUuZHKUn3O82eo7/vv7lA5hqDQ=,tag:/vb/zgrm/dXm1LBzojrlGw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYU05MHNPUmYwUlJ0empa
+            QzBJdUt6WENYNUp5ZVZ4ZjZ4cFl6eENXREhJCjIxcmRQbEpHNWU4VHFobFZJVlhM
+            eDE4bmMrZ1BnTlJoZXVpVFVWaW5sek0KLS0tIGxVZjNIMmVoUEVQaDdQcE9PWjht
+            NzkyYS9zY3Z5OG1ib0ZyN3FkYjlZOFEKmvYIrVv5qmwh+XEmKeCjcTGbWufg0PH0
+            Vrws+EngJk5ceYTmiGK1k1/9CNPG+0sdUgr4VrVv6DFKTzOgWB/YVA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4eXpMT1kzTE1zTzQ3aFp0
+            NHNVcFVVTXRVSEQ0QUZrK1FCTDI5WWNQbkNvCkoyUVdPVHlUdlM2RUtIOGFGQWRY
+            ZjJpTml5aE91MW5VTWZveGhVNXhETFEKLS0tIGM0ZDJVOWl3NVYwYTNLZEFaalY3
+            QUp4aFBaYjc3YUp6UVkwZk9UVjNvWDgK+WBJxWWLtg+lTn7CkVqvJwnE6mZRImhL
+            k61Fabbqpm0FGtnOgQW2mVndd1jJEsCvJxfGix91nbXJLjImPXnlTQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-10T17:04:29Z"
+    mac: ENC[AES256_GCM,data:h4gfNcQX9dnm38JBvN3wCEbUefLqO7GdjmcX/7LHQIgVllo6nuPWrThJBYCSU7apwMkGiN+UfJu4+QBgqHTot2Ctiu6jCtMb3bszGDx8pagJTNYlXAsaR9i1/RHgorBfgDwvkMWucTas4/ceIi+P+wv7u63TA7A2TDj7xRTVXoo=,iv:yBO9KwUqtIwXA/UrFhII7x+CyStW1okAh47MNGOwStI=,tag:0xw7Lt1qr7J0Ba8Mzb+IYA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

secrets/nixdesk/default.nix

@@ -1 +1,8 @@
-{}
+{
+  sops.secrets = {
+    wireguard = {
+      format = "binary";
+      sopsFile = ./wireguard;
+    };
+  };
+}

secrets/nixdesk/wireguard

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:IzWchx+R3y8ZV5JBNngcyAfm0XyOrDIn7IBQDeW8k0vH1ERjLeLbqb7VMjwFkGO764PfGO4REkbdlGDx1XWcy6vQ4oqiDM8dq5YF+0ttxrby01DGF0owouqsx3a9BzqhcWo+QCvZ3rWKVmLfFub0dfAPaH5Dxiijvetdq7KEM+7nmJS9AueYaQMMgoL8JCQIiUj+zsxwvoJVebDKLeBc0k3yRCIgQFXzQXRt1L99xMaF6wdTz7I9+K+6mAgb9JsuWRlewamaQMcffM/EuRfNIGweSJBQarvIrvEfh5BUVpkzT3OEjEP/mOdxXGe8O0qceoBkWrXete1r68ftHpPc2Bo9zeI7GDb+LZYTh220FZOhbQQ1E6yxUAwen7aJP/im9XNLeQYA8YBY+OwUvngeKLw1tFfPbPzEUfBBOvGXuT1kE6vAp2fa2NAPbqcqIMJRL9ZVZZQQ+4sQyBhf4n/bQshEAwl2aSEo8d4epSPrnRv+zDC00DEvdaAHO+IXs7MP9yXFu4tZ4b6PKhnZGtQ7e4QFHlCocMTr,iv:wVKHb+TI4vUB2nRtqvm7OuATZCuJscz64lHAi7s7ZE4=,tag:Yk06BCYsa3ZkmyS/hXMjrA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdGlGNXBLZFNuenRlOFVt\nRHdXRUplaTNpRWhTamJxODZqV2lhRVE0bWtzCnpjT3VVVk1DUGxiSUhYdjRUb0hR\nZ2Y0dWw3TS83ZWg5Q1RTR215Sm1sVUkKLS0tIGFGNU94WjR3aU42VmpJekI5Szd4\nN2V1Nm1qT0xZWVdCL3lacW1qOTdrRTQKgDypLo9NN6KYO4yR5yXKbyxMP2/jXQ6R\nqM07tmwjJ4e6Cqeb3SyThbezBjBEER8ntaW4TfVlNsoULvtLCMAuKQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age155sscpw0x36t6s9usdrz7relpxqrtqnk98mrc7s0qcv2n0v3zd7sfl2xn8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjL2NSTnVYY05pcVNyT1g4\nT0hvanphU29Dd0dvMXZ4TjdVV2R4WnpxY1JVCmVQVlcwbE9EbmxPZWhTK3RudUJG\nQVhjZ2lzUmo1VjlNejlLejVkSXZhTFkKLS0tIFpaQ1JtTm9NOWIrWFdlZWlDTXBo\nRFVKNVVyRWlxZWtqUHVsVGFsRUtWeW8KHVaiwFMs7wTn7j/PZXqrpEtEJTTRaFi2\nK65QMNkbB8DCvmO950X+lpCkuCHXpTgI+yvzLgD2zvZurlu6h9zZDg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-02-12T18:06:06Z",
+		"mac": "ENC[AES256_GCM,data:BadLvKDJpsBow/+7q41Qz9nWgu+kL2VCvrN/++to0HWr+KquHiFfPZ6QISw/BrYhuqkQf9Spv1Hale88vB9I7By9nLy1D81jkSBg9/p6zKvyMcSUSszaMGdO3L56LvsHhUkA5t3CxsT6jus48Z/HBdKluE10aOwlY3ORI0yQn9U=,iv:ZUqoCno5fHphBbfKYuvOWA5wwdGzxarb5tWJhivNl7Y=,tag:zW7WJe2+SgNpGa1VSTbjSQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

system/core/default.nix

@@ -16,7 +16,7 @@
       "en_US.UTF-8/UTF-8"
     ];
   };
-  services.xserver.layout = "eu";
+  services.xserver.xkb.layout = "eu";
 
   # don't touch this
   system.stateVersion = lib.mkDefault "23.11";

system/core/ssh.nix

@@ -11,7 +11,7 @@
     };
 
     startWhenNeeded = lib.mkDefault true;
-    openFirewall = lib.mkDefault false;
+    openFirewall = lib.mkDefault true;
     hostKeys = [
       {
         path = "/etc/ssh/ssh_host_ed25519_key";

system/core/tools.nix

@@ -1,5 +1,6 @@
 {pkgs, ...}: {
   environment.systemPackages = with pkgs; [
     htop
+    ffmpeg
   ];
 }

system/default.nix

@@ -17,6 +17,7 @@ let
 
     ./services
     ./services/pipewire.nix
+    ./services/flatpak.nix
   ];
 in {
   inherit desktop;

system/desktop/awesome.nix

@@ -1,6 +1,6 @@
 {
   imports = [
-    ./x11.nix
+    ./x11
   ];
   services.xserver = {
     enable = true;

system/desktop/x11/default.nix

@@ -0,0 +1,5 @@
+{lib, ...}: {
+  imports = [
+    ./xclip.nix
+  ];
+}

system/desktop/x11/nosleep.nix

@@ -0,0 +1,8 @@
+{
+  services.xserver.serverFlagsSection = ''
+    Option "BlankTime" "0"
+    Option "StandbyTime" "0"
+    Option "SuspendTime" "0"
+    Option "OffTime" "0"
+  '';
+}

system/desktop/x11/xclip.nix

@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [xclip];
+}

system/network/networkd.nix

@@ -2,10 +2,6 @@
   networking.useNetworkd = true;
   systemd.network = {
     enable = true;
-    networks."10-lan" = {
-      matchConfig.Name = "lan";
-      networkConfig.DHCP = "ipv4";
-    };
   };
   services.resolved = {
     enable = true;

system/services/containers/server/default.nix

@@ -0,0 +1,436 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  hostname = config.networking.hostName;
+  dashyConfig = {
+    pageInfo = {
+      #title = "Home Lab";
+    };
+    sections = [
+      {
+        name = "*arr";
+        icon = "hl-servarr";
+        items = [
+          {
+            title = "Sonarr";
+            icon = "hl-sonarr";
+            url = "http://${hostname}:8989";
+          }
+          {
+            title = "Radarr";
+            icon = "hl-radarr";
+            url = "http://${hostname}:7878";
+          }
+          {
+            title = "Prowlarr";
+            icon = "hl-prowlarr";
+            url = "http://${hostname}:9696";
+          }
+        ];
+      }
+      {
+        name = "Management";
+        items = [
+          {
+            title = "Jellyseerr";
+            icon = "hl-jellyseerr";
+            url = "http://${hostname}:5055";
+          }
+          {
+            title = "Transmission";
+            icon = "hl-transmission";
+            url = "http://${hostname}:9091";
+          }
+        ];
+      }
+    ];
+  };
+in {
+  imports = [
+    #./statistics
+  ];
+  #virtualisation.docker = {
+  #  enable = true;
+  #  enableOnBoot = true;
+  #  autoPrune.enable = true;
+  #};
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/code-server 0770 root root -"
+    "d /var/lib/movie-db 0770 root root -"
+  ];
+
+  users.groups."media" = {}; # create media group
+
+  # this needs to be done manually since transmission is in a docker container
+  users.users."media" = {
+    isSystemUser = true;
+    group = "media";
+  };
+
+  systemd.services."${config.virtualisation.oci-containers.backend}-transmission".serviceConfig = {
+    StateDirectory = [
+      "${config.virtualisation.oci-containers.backend}/transmission/downloads"
+      "${config.virtualisation.oci-containers.backend}/transmission/config"
+      "${config.virtualisation.oci-containers.backend}/transmission/watch"
+    ];
+  };
+
+  #systemd.services."${config.virtualisation.oci-containers.backend}-jellyfin".serviceConfig = {
+  #  StateDirectory = [
+  #    "${config.virtualisation.oci-containers.backend}/jellyfin/config"
+  #    "${config.virtualisation.oci-containers.backend}/jellyfin/cache"
+  #    "${config.virtualisation.oci-containers.backend}/jellyfin/media"
+  #  ];
+  #};
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+    group = "media";
+  };
+
+  #services.radarr = {
+  #  enable = true;
+  #  group = "media";
+  #  openFirewall = true; # 7878
+  #};
+
+  #services.sonarr = {
+  #  enable = true;
+  #  group = "media";
+  #  openFirewall = true; # 8989
+  #};
+
+  #services.prowlarr = {
+  #  enable = true;
+  #  openFirewall = true; # 9696
+  #};
+
+  virtualisation.podman = {
+    enable = true;
+    autoPrune.enable = true;
+  };
+
+  virtualisation.oci-containers = {
+    backend = "podman";
+
+    containers = {
+      gluetun = {
+        image = "qmcgaw/gluetun:latest";
+
+        volumes = [
+          "${config.sops.secrets.wireguard.path}:/gluetun/wireguard/wg0.conf"
+        ];
+
+        ports = [
+          # Transmission port
+          ## This bypasses the firewall, use 127.0.0.1:XXXX:XXXX
+          ## if you only want it to be accessible locally
+          "9091:9091"
+          "127.0.0.1:8191:8191" # flaresolverr
+          "9696:9696" # prowlarr
+          "8989:8989" # sonarr
+          "7878:7878" # radarr
+          "8443:8443" # code-server
+        ];
+
+        environment = {
+          VPN_SERVICE_PROVIDER = "airvpn";
+          VPN_TYPE = "wireguard";
+          SERVER_COUNTRIES = "Netherlands";
+          FIREWALL_VPN_INPUT_PORTS = "11936,8443";
+        };
+
+        extraOptions = [
+          "--cap-add=NET_ADMIN"
+          "--device=/dev/net/tun:/dev/net/tun"
+        ];
+      };
+
+      code-server = {
+        image = "lscr.io/linuxserver/code-server:latest";
+        volumes = [
+          "/var/lib/code-server:/config"
+        ];
+        environmentFiles = [
+          config.sops.secrets.code-server.path
+        ];
+        extraOptions = [
+          "--network=container:gluetun"
+        ];
+      };
+
+      jellyseerr = {
+        image = "fallenbagel/jellyseerr:latest";
+        ports = [
+          "5055:5055"
+        ];
+        volumes = [
+          "/media/config/jellyseerr:/app/config"
+        ];
+        extraOptions = [
+          "--network=host"
+        ];
+      };
+
+      recyclarr = {
+        image = "ghcr.io/recyclarr/recyclarr";
+        volumes = [
+          #"/media/config/recyclarr:/config"
+          "${pkgs.writeText "recyclarr.yml" ''
+            sonarr:
+              sonarr-main:
+                base_url: http://localhost:8989
+                api_key: !env_var SONARR_API_KEY
+                delete_old_custom_formats: true
+                replace_existing_custom_formats: true
+                quality_definition:
+                  type: series
+                custom_formats:
+                  - trash_ids:
+                      # Unwanted
+                      - 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK
+                      - 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ
+                      - 47435ece6b99a0b477caf360e79ba0bb # x265
+                      # Misc
+                      - ec8fa7296b64e8cd390a1600981f3923 # Repack/Proper
+                      - eb3d5cc0a2be0db205fb823640db6a3c # Repack v2
+                      - 44e7c4de10ae50265753082e5dc76047 # Repack v3
+                      # Streaming Services
+                      - d660701077794679fd59e8bdf4ce3a29 # AMZN
+                      - f67c9ca88f463a48346062e8ad07713f # ATVP
+                      - 36b72f59f4ea20aad9316f475f2d9fbb # DCU
+                      - 89358767a60cc28783cdc3d0be9388a4 # DNSP
+                      - 7a235133c87f7da4c8cccceca7e3c7a6 # HBO
+                      - a880d6abc21e7c16884f3ae393f84179 # HMAX
+                      - f6cce30f1733d5c8194222a7507909bb # HULU
+                      - 0ac24a2a68a9700bcb7eeca8e5cd644c # iT
+                      - d34870697c9db575f17700212167be23 # NF
+                      - b2b980877494b560443631eb1f473867 # NLZ
+                      - 1656adc6d7bb2c8cca6acfb6592db421 # PCOK
+                      - c67a75ae4a1715f2bb4d492755ba4195 # PMTP
+                      - 3ac5d84fce98bab1b531393e9c82f467 # QIBI
+                      - c30d2958827d1867c73318a5a2957eb1 # RED
+                      - ae58039e1319178e6be73caab5c42166 # SHO
+                      - 1efe8da11bfd74fbbcd4d8117ddb9213 # STAN
+                      - 5d2317d99af813b6529c7ebf01c83533 # VDL
+                      - 77a7b25585c18af08f60b1547bb9b4fb # CC
+                      # HQ Source Groups
+                      - e6258996055b9fbab7e9cb2f75819294 # WEB Tier 01
+                      - 58790d4e2fdcd9733aa7ae68ba2bb503 # WEB Tier 02
+                      - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
+                      - d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
+                    quality_profiles:
+                      - name: TRaSH 720/1080
+                  - trash_ids:
+                      - 949c16fe0a8147f50ba82cc2df9411c9 # Anime BD Tier 01 (Top SeaDex Muxers)
+                      - ed7f1e315e000aef424a58517fa48727 # Anime BD Tier 02 (SeaDex Muxers)
+                      - 096e406c92baa713da4a72d88030b815 # Anime BD Tier 03 (SeaDex Muxers)
+                      - 30feba9da3030c5ed1e0f7d610bcadc4 # Anime BD Tier 04 (SeaDex Muxers)
+                      - 545a76b14ddc349b8b185a6344e28b04 # Anime BD Tier 05 (Remuxes)
+                      - 25d2afecab632b1582eaf03b63055f72 # Anime BD Tier 06 (FanSubs)
+                      - 0329044e3d9137b08502a9f84a7e58db # Anime BD Tier 07 (P2P/Scene)
+                      - c81bbfb47fed3d5a3ad027d077f889de # Anime BD Tier 08 (Mini Encodes)
+                      - e0014372773c8f0e1bef8824f00c7dc4 # Anime Web Tier 01 (Muxers)
+                      - 19180499de5ef2b84b6ec59aae444696 # Anime Web Tier 02 (Top FanSubs)
+                      - e6258996055b9fbab7e9cb2f75819294 # WEB Tier 01
+                      - 58790d4e2fdcd9733aa7ae68ba2bb503 # WEB Tier 02
+                      - c27f2ae6a4e82373b0f1da094e2489ad # Anime Web Tier 03 (Official Subs)
+                      - d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
+                      - 4fd5528a3a8024e6b49f9c67053ea5f3 # Anime Web Tier 04 (Official Subs)
+                      - 29c2a13d091144f63307e4a8ce963a39 # Anime Web Tier 05 (FanSubs)
+                      - dc262f88d74c651b12e9d90b39f6c753 # Anime Web Tier 06 (FanSubs)
+                      # Unwanted
+                      - b4a1b3d705159cdca36d71e57ca86871 # Anime Raws
+                      - e3515e519f3b1360cbfc17651944354c # Anime LQ Groups
+                      - 15a05bc7c1a36e2b57fd628f8977e2fc # AV1
+                      - 026d5aadd1a6b4e550b134cb6c72b3ca # Uncensored
+                      - d2d7b8a9d39413da5f44054080e028a3 # v0
+                      - 9c14d194486c4014d422adc64092d794 # Dubs Only
+                      - 07a32f77690263bb9fda1842db7e273f # VOSTFR
+                      # Optionals
+                      - 273bd326df95955e1b6c26527d1df89b # v1
+                      - 228b8ee9aa0a609463efca874524a6b8 # v2
+                      - 0e5833d3af2cc5fa96a0c29cd4477feb # v3
+                      - 4fc15eeb8f2f9a749f918217d4234ad8 # v4
+                      - b2550eb333d27b75833e25b8c2557b38 # 10bit
+                      # Streaming Services
+                      - d660701077794679fd59e8bdf4ce3a29 # AMZN
+                      - 7dd31f3dee6d2ef8eeaa156e23c3857e # B-Global
+                      - 4c67ff059210182b59cdd41697b8cb08 # Bilibili
+                      - 3e0b26604165f463f3e8e192261e7284 # CR
+                      - 89358767a60cc28783cdc3d0be9388a4 # DSNP
+                      - 1284d18e693de8efe0fe7d6b3e0b9170 # FUNi
+                      - 570b03b3145a25011bf073274a407259 # HIDIVE
+                      - d34870697c9db575f17700212167be23 # NF
+                      - 44a8ee6403071dd7b8a3a8dd3fe8cb20 # VRV
+                    quality_profiles:
+                      - name: TRaSH Anime
+                  - trash_ids:
+                      - 418f50b10f1907201b6cfdf881f467b7 # Anime Dual Audio
+                    quality_profiles:
+                      - name: TRaSH Anime
+                        score: 2000
+            radarr:
+              radarr-main:
+                base_url: http://localhost:7878
+                api_key: !env_var RADARR_API_KEY
+                quality_definition:
+                  type: movie
+                delete_old_custom_formats: true
+                replace_existing_custom_formats: true
+                custom_formats:
+                  - trash_ids:
+                      # HD Bluray + WEB
+                      # Movie Versions
+                      - 0f12c086e289cf966fa5948eac571f44 # Hybrid
+                      - 570bc9ebecd92723d2d21500f4be314c # Remaster
+                      - eca37840c13c6ef2dd0262b141a5482f # 4K Remaster
+                      - e0c07d59beb37348e975a930d5e50319 # Criterion Collection
+                      - 9d27d9d2181838f76dee150882bdc58c # Masters of Cinema
+                      - 957d0f44b592285f26449575e8b1167e # Special Edition
+                      - eecf3a857724171f968a66cb5719e152 # IMAX
+                      - 9f6cbff8cfe4ebbc1bde14c7b7bec0de # IMAX Enhanced
+                      # HQ Release Groups
+                      - ed27ebfef2f323e964fb1f61391bcb35 # HD Bluray Tier 01
+                      - c20c8647f2746a1f4c4262b0fbbeeeae # HD Bluray Tier 02
+                      - c20f169ef63c5f40c2def54abaf4438e # WEB Tier 01
+                      - 403816d65392c79236dcb6dd591aeda4 # WEB Tier 02
+                      - af94e0fe497124d1f9ce732069ec8c3b # WEB Tier 03
+                      # Misc
+                      - e7718d7a3ce595f289bfee26adc178f5 # Repack/Proper
+                      - ae43b294509409a6a13919dedd4764c4 # Repack2
+                      # Unwanted
+                      - ed38b889b31be83fda192888e2286d83 # BR-DISK
+                      - 90a6f9a284dff5103f6346090e6280c8 # LQ
+                      - dc98083864ea246d05a42df0d05f81cc # x265
+                      - b8cd450cbfa689c0259a01d9e29ba3d6 # 3D
+                      # Streaming Services
+                      - b3b3a6ac74ecbd56bcdbefa4799fb9df # AMZN
+                      - 40e9380490e748672c2522eaaeb692f7 # ATVP
+                      - cc5e51a9e85a6296ceefe097a77f12f4 # BCORE
+                      - 84272245b2988854bfb76a16e60baea5 # DNSP
+                      - 509e5f41146e278f9eab1ddaceb34515 # DBO
+                      - 5763d1b0ce84aff3b21038eea8e9b8ad # HMAX
+                      - 526d445d4c16214309f0fd2b3be18a89 # Hulu
+                      - 2a6039655313bf5dab1e43523b62c374 # MA
+                      - 170b1d363bd8516fbf3a3eb05d4faff6 # NF
+                      - bf7e73dd1d85b12cc527dc619761c840 # Pathe
+                      - c9fd353f8f5f1baf56dc601c4cb29920 # PCOK
+                      - e36a0ba1bc902b26ee40818a1d59b8bd # PMTP
+                      - c2863d2a50c9acad1fb50e53ece60817 # STAN
+                    quality_profiles:
+                      - name: TRaSH 720/1080
+          ''}:/config/recyclarr.yml"
+        ];
+        environmentFiles = [
+          config.sops.secrets.serverenv.path
+        ];
+        environment = {
+          PUID = toString config.users.users."media".uid;
+          PGID = toString config.users.groups."media".gid;
+        };
+        extraOptions = [
+          "--network=host"
+        ];
+      };
+
+      prowlarr = {
+        image = "lscr.io/linuxserver/prowlarr:latest";
+        volumes = [
+          "/media/config/prowlarr:/config"
+        ];
+        environment = {
+          PUID = toString config.users.users."media".uid;
+          PGID = toString config.users.groups."media".gid;
+        };
+        dependsOn = ["gluetun"];
+        extraOptions = [
+          "--network=container:gluetun"
+        ];
+      };
+
+      sonarr = {
+        image = "lscr.io/linuxserver/sonarr:latest";
+        volumes = [
+          "/media/config/sonarr:/config"
+          "/media/tvseries:/tv"
+          "/media/downloads:/downloads"
+        ];
+        environment = {
+          PUID = toString config.users.users."media".uid;
+          PGID = toString config.users.groups."media".gid;
+        };
+        dependsOn = ["gluetun"];
+        extraOptions = [
+          "--network=container:gluetun"
+        ];
+      };
+
+      radarr = {
+        image = "lscr.io/linuxserver/radarr:latest";
+        volumes = [
+          "/media/config/radarr:/config"
+          "/media/movies:/movies"
+          "/media/downloads:/downloads"
+        ];
+        environment = {
+          PUID = toString config.users.users."media".uid;
+          PGID = toString config.users.groups."media".gid;
+        };
+        dependsOn = ["gluetun"];
+        extraOptions = [
+          "--network=container:gluetun"
+        ];
+      };
+
+      flaresolverr = {
+        image = "flaresolverr/flaresolverr";
+        environment = {
+          LOG_LEVEL = "info";
+        };
+        dependsOn = ["gluetun"];
+        extraOptions = [
+          "--network=container:gluetun"
+        ];
+      };
+
+      transmission = {
+        image = "linuxserver/transmission:latest";
+        volumes = [
+          "/media/downloads:/downloads"
+          "/media/config/transmission/config:/config"
+          "/media/config/transmission/watch:/watch"
+        ];
+        environment = {
+          PUID = toString config.users.users."media".uid;
+          PGID = toString config.users.groups."media".gid;
+          PEERPORT = "11936";
+          USER = "xun";
+          PASS = "password123";
+        };
+        dependsOn = ["gluetun"];
+        extraOptions = [
+          "--network=container:gluetun"
+        ];
+      };
+
+      dashy = {
+        image = "lissy93/dashy";
+        ports = [
+          "8080:80"
+        ];
+        volumes = [
+          "${(pkgs.formats.yaml {}).generate "conf.yml" dashyConfig}:/app/public/conf.yml"
+        ];
+        extraOptions = [
+          "--network=host"
+        ];
+      };
+    };
+  };
+}

system/services/containers/server/statistics/default.nix

@@ -0,0 +1,146 @@
+{config, ...}: {
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        http_addr = "0.0.0.0";
+      };
+    };
+  };
+
+  services.loki = {
+    enable = true;
+    configuration = {
+      server.http_listen_port = 3030;
+      auth_enabled = false;
+
+      ingester = {
+        lifecycler = {
+          address = "127.0.0.1";
+          ring = {
+            kvstore = {
+              store = "inmemory";
+            };
+            replication_factor = 1;
+          };
+        };
+        chunk_idle_period = "1h";
+        max_chunk_age = "1h";
+        chunk_target_size = 999999;
+        chunk_retain_period = "30s";
+        max_transfer_retries = 0;
+      };
+
+      schema_config = {
+        configs = [
+          {
+            from = "2022-06-06";
+            store = "boltdb-shipper";
+            object_store = "filesystem";
+            schema = "v11";
+            index = {
+              prefix = "index_";
+              period = "24h";
+            };
+          }
+        ];
+      };
+
+      storage_config = {
+        boltdb_shipper = {
+          active_index_directory = "/var/lib/loki/boltdb-shipper-active";
+          cache_location = "/var/lib/loki/boltdb-shipper-cache";
+          cache_ttl = "24h";
+          shared_store = "filesystem";
+        };
+
+        filesystem = {
+          directory = "/var/lib/loki/chunks";
+        };
+      };
+
+      limits_config = {
+        reject_old_samples = true;
+        reject_old_samples_max_age = "168h";
+      };
+
+      chunk_store_config = {
+        max_look_back_period = "0s";
+      };
+
+      table_manager = {
+        retention_deletes_enabled = false;
+        retention_period = "0s";
+      };
+
+      compactor = {
+        working_directory = "/var/lib/loki";
+        shared_store = "filesystem";
+        compactor_ring = {
+          kvstore = {
+            store = "inmemory";
+          };
+        };
+      };
+    };
+  };
+
+  services.promtail = {
+    enable = true;
+    configuration = {
+      server = {
+        http_listen_port = 3031;
+        grpc_listen_port = 0;
+      };
+      positions = {
+        filename = "/tmp/positions.yaml";
+      };
+      clients = [
+        {
+          url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
+        }
+      ];
+      scrape_configs = [
+        {
+          job_name = "journal";
+          journal = {
+            max_age = "12h";
+            labels = {
+              job = "systemd-journal";
+              host = "${config.networking.hostName}";
+            };
+          };
+          relabel_configs = [
+            {
+              source_labels = ["__journal__systemd_unit"];
+              target_label = "unit";
+            }
+          ];
+        }
+      ];
+    };
+    # extraFlags
+  };
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = ["systemd"];
+        port = 9002;
+      };
+    };
+    scrapeConfigs = [
+      {
+        job_name = "${config.networking.hostName}";
+        static_configs = [
+          {
+            targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
+          }
+        ];
+      }
+    ];
+  };
+}

system/services/containers/server/statistics/loki.yaml

@@ -0,0 +1,48 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+
+ingester:
+  lifecycler:
+    address: 0.0.0.0
+    ring:
+      kvstore:
+        store: inmemory
+      replication_factor: 1
+    final_sleep: 0s
+  chunk_idle_period: 1h       # Any chunk not receiving new logs in this time will be flushed
+  max_chunk_age: 1h           # All chunks will be flushed when they hit this age, default is 1h
+  chunk_target_size: 1048576  # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
+  chunk_retain_period: 30s    # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
+  max_transfer_retries: 0     # Chunk transfers disabled
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: boltdb-shipper
+      object_store: filesystem
+      schema: v11
+      index:
+        prefix: index_
+        period: 24h
+
+storage_config:
+  boltdb_shipper:
+    active_index_directory: /var/lib/loki/boltdb-shipper-active
+    cache_location: /var/lib/loki/boltdb-shipper-cache
+    cache_ttl: 24h         # Can be increased for faster performance over longer query periods, uses more disk space
+    shared_store: filesystem
+  filesystem:
+    directory: /var/lib/loki/chunks
+
+limits_config:
+  reject_old_samples: true
+  reject_old_samples_max_age: 168h
+
+chunk_store_config:
+  max_look_back_period: 0s
+
+table_manager:
+  retention_deletes_enabled: false
+  retention_period: 0s

system/services/flatpak.nix

@@ -0,0 +1,3 @@
+{
+  services.flatpak.enable = true;
+}

system/services/transmission.nix

@@ -0,0 +1,10 @@
+{
+  lib,
+  config,
+  self,
+  ...
+}: {
+  services.transmission = {
+    enable = true;
+  };
+}

system/services/wireguard.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  #networking.wg-quick.interfaces."wg0".configFile = config.sops.secrets.wireguard.path;
+
+  # Sets tailscale to a high priority, to make sure tailscale
+  # traffic dosent go through wireguard (which wont work)
+  #systemd.services.tailscaled.serviceConfig = {
+  #  ExecStartPost = "${pkgs.iproute2}/bin/ip rule add pref 65 table 52";
+  #  ExecStopPost = "${pkgs.iproute2}/bin/ip rule del pref 65 table 52";
+  #};
+
+  ## https://wiki.archlinux.org/title/WireGuard#systemd-networkd:_routing_all_traffic_over_WireGuard
+  #environment.systemPackages = [pkgs.wireguard-tools];
+
+  #systemd.network = {
+  #  netdevs."99-wg0" = {
+  #    netdevConfig = {
+  #      Name = "wg0";
+  #      Kind = "wireguard";
+  #      Description = "WireGuard tunnel wg0";
+  #    };
+  #    wireguardConfig = {
+  #      ListenPort = 51871;
+  #      PrivateKeyFile = config.sops.secrets.wg-private.path;
+  #    };
+  #    wireguardPeers = [
+  #      {
+  #        wireguardPeerConfig = {
+  #          PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+  #          PresharedKeyFile = config.sops.secrets.wg-preshared.path;
+  #          AllowedIPs = [
+  #            "0.0.0.0"
+  #          ];
+  #          Endpoint = "62.102.148.206:1637";
+  #        };
+  #      }
+  #    ];
+  #  };
+  #  networks."50-wg0" = {
+  #    name = "wg0";
+
+  #    address = ["10.154.4.37/24"];
+  #    dns = ["10.128.0.1"];
+  #    domains = ["~."];
+  #    networkConfig = {
+  #      DNSDefaultRoute = true;
+  #    };
+
+  #    routingPolicyRules = [
+  #      {
+  #        routingPolicyRuleConfig = {
+  #          FirewallMark = 34952;
+  #          InvertRule = true;
+  #          Table = 1000;
+  #          Priority = 10;
+  #        };
+  #      }
+  #      {
+  #        ## Allow local connections
+  #        routingPolicyRuleConfig = {
+  #          To = "192.168.0.0/24";
+  #          Priority = 9;
+  #        };
+  #      }
+  #    ];
+
+  #    routes = [
+  #      {
+  #        routeConfig = {
+  #          Gateway = "10.128.0.1";
+  #          GatewayOnLink = true;
+  #          Table = 1000;
+  #        };
+  #      }
+  #    ];
+  #  };
+  #};
+}