feat: add server configuration

2026-01-22 08:06:50 +01:00 · 2025-03-09 20:30:33 +01:00 · 2025-03-09 20:30:33 +01:00 · 9665106633
commit 9665106633
parent 0d47ab58f5
42 changed files with 4282 additions and 99 deletions
--- a/flake.lock
+++ b/flake.lock
@ -174,11 +174,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1744145203,
+        "lastModified": 1745224732,
-        "narHash": "sha256-I2oILRiJ6G+BOSjY+0dGrTPe080L3pbKpc+gCV3Nmyk=",
+        "narHash": "sha256-0OWgbEKhpMLpk3WQi3ugOwxWW4Y6JVpKiQ+o0nuNzus=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "76c0a6dba345490508f36c1aa3c7ba5b6b460989",
+        "rev": "1770bf1ae5da05564f86b969ef21c7228cc1a70b",
        "type": "github"
      },
      "original": {
@ -536,11 +536,11 @@
        "xdph": "xdph"
      },
      "locked": {
-        "lastModified": 1744646317,
+        "lastModified": 1745271027,
-        "narHash": "sha256-Vs5vKsYOtUBdUyHZ9zmKZxhcEnwm9KM8LUhww44JKtE=",
+        "narHash": "sha256-HlfNGLjNog0aPcKYaw7Pps3j1ZMZO6LaFenWVCtPfm0=",
        "owner": "hyprwm",
        "repo": "Hyprland",
-        "rev": "8b7b169043de2a9d95f8505edb8b6576fac586fd",
+        "rev": "a4f7d7c594c70408f299ec8b794211c534709eaa",
        "type": "github"
      },
      "original": {
@ -723,11 +723,11 @@
    },
    "mnw": {
      "locked": {
-        "lastModified": 1744592022,
+        "lastModified": 1744597985,
-        "narHash": "sha256-QuWrCRiF3CUM99sgj3gXbIzB1IAVWS5IEfFHadbMA2g=",
+        "narHash": "sha256-lLYB9/tQ0OAKonL0Ku963nqOm0aE1TmLavrzmXAr5Zc=",
        "owner": "Gerg-L",
        "repo": "mnw",
-        "rev": "cf9e19413b6c2d995b55565cd99facf9c751b653",
+        "rev": "cbdcbb5f8eb24e25b932bbc87e29299a72e34b64",
        "type": "github"
      },
      "original": {
@ -769,11 +769,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1744518957,
+        "lastModified": 1745120797,
-        "narHash": "sha256-RLBSWQfTL0v+7uyskC5kP6slLK1jvIuhaAh8QvB75m4=",
+        "narHash": "sha256-owQ0VQ+7cSanTVPxaZMWEzI22Q4bGnuvhVjLAJBNQ3E=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "4fc9ea78c962904f4ea11046f3db37c62e8a02fd",
+        "rev": "69716041f881a2af935021c1182ed5b0cc04d40e",
        "type": "github"
      },
      "original": {
@ -788,11 +788,11 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1744682419,
+        "lastModified": 1745270600,
-        "narHash": "sha256-mS501Cff7cxofR5YwV5e8lyKuZz07uF/U7EKFy9IIv4=",
+        "narHash": "sha256-JzjxXJvdgG0junEMcqVNn0uF0d3YigJAslfZBV89Fcg=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "317477b679d95ad2f40c960272324987e81786a4",
+        "rev": "f3de8ed9f6dc7ca9e0f8b3015d954f26f7ca43cc",
        "type": "github"
      },
      "original": {
@ -897,11 +897,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1744463964,
+        "lastModified": 1744932701,
-        "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=",
+        "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650",
+        "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
        "type": "github"
      },
      "original": {
@ -913,11 +913,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1744463964,
+        "lastModified": 1744932701,
-        "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=",
+        "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650",
+        "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
        "type": "github"
      },
      "original": {
@ -929,17 +929,17 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1740547748,
+        "lastModified": 1744868846,
-        "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=",
+        "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3a05eebede89661660945da1f151959900903b6a",
+        "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3a05eebede89661660945da1f151959900903b6a",
+        "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
        "type": "github"
      }
    },
@ -984,11 +984,11 @@
        "treefmt-nix": "treefmt-nix_3"
      },
      "locked": {
-        "lastModified": 1744745313,
+        "lastModified": 1745267475,
-        "narHash": "sha256-eSaXmBxjQSeHiBOxA7jcuwvumBsKI8YL1iMs8LX8dZM=",
+        "narHash": "sha256-tEP3odwByxCKdFFtnXIG6r80BAGUMt/AtUC8YPV5LxU=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "e667247df0a6f9cf0e19e991939ce87ada422ffe",
+        "rev": "af348f73e190e52b6527d33ffb21f1d3e441f35f",
        "type": "github"
      },
      "original": {
@ -1009,11 +1009,11 @@
        "systems": "systems_5"
      },
      "locked": {
-        "lastModified": 1744639354,
+        "lastModified": 1745219503,
-        "narHash": "sha256-AwUtAeDokimPucrPVj0YuoFWZ/xFVL4wy2wxZN5+u20=",
+        "narHash": "sha256-oE7nEQBfLTwXqs0U5/fpsMVsfccD6NL1TlBE1z9S+Nc=",
        "owner": "notashelf",
        "repo": "nvf",
-        "rev": "f516cb43ceb2b071e6b9a6d5c9d681c8a3187f5f",
+        "rev": "4045c458dc3e3eaabbb94518a857651cff341542",
        "type": "github"
      },
      "original": {
@ -1250,11 +1250,11 @@
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
-        "lastModified": 1744707583,
+        "lastModified": 1744961264,
-        "narHash": "sha256-IPFcShGro/UUp8BmwMBkq+6KscPlWQevZi9qqIwVUWg=",
+        "narHash": "sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "49d05555ccdd2592300099d6a657cc33571f4fe0",
+        "rev": "8d404a69efe76146368885110f29a2ca3700bee6",
        "type": "github"
      },
      "original": {
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -96,5 +96,13 @@ in {
        ../modules/devenv.nix
      ];
    };
    homelab = mkSystem {
      hostname = "homelab";
      username = "nickolaj";
      modules = [
        ../modules/required.nix
        ../modules/shell.nix
      ];
    };
  };
 }
--- a/hosts/homelab/configuration.nix
+++ b/hosts/homelab/configuration.nix
@ -0,0 +1,29 @@
 {
  pkgs,
  lib,
  ...
 }: {
  boot = {
    # Use grub as bootloader as it works better with mdadm
    loader.grub.enable = true;
    loader.systemd-boot.enable = lib.mkForce false;
    # HACK: silence mdadm warning on missing MAILADDR or PROGRAM setting
    swraid.mdadmConf = ''
      PROGRAM ${pkgs.coreutils}/bin/true
    '';
  };
  # Enable OpenGL
  hardware.graphics = {
    enable = true;
  };
  # Load nvidia driver for Xorg and Wayland
  services.xserver.videoDrivers = ["nvidia"];
  hardware.nvidia = {
    open = true;
    modesetting.enable = true;
  };
 }
--- a/hosts/homelab/disks.nix
+++ b/hosts/homelab/disks.nix
@ -0,0 +1,120 @@
 {pkgs, ...}: {
  # Data disks
  environment.systemPackages = with pkgs; [
    mergerfs
  ];
  fileSystems."/mnt/data-disk/1" = {
    device = "/dev/disk/by-id/ata-WDC_WD120EFBX-68B0EN0_5PKURKPF-part1";
    fsType = "ext4";
  };
  fileSystems."/mnt/data-disk/2" = {
    device = "/dev/disk/by-id/ata-WDC_WD120EFBX-68B0EN0_5PKVMK7F-part1";
    fsType = "ext4";
  };
  fileSystems."/mnt/longhorn" = {
    device = "/dev/disk/by-id/ata-TOSHIBA_HDWE160_26N7K5N0F56D-part1";
    fsType = "ext4";
  };
  fileSystems."/mnt/data" = {
    fsType = "fuse.mergerfs";
    device = "/mnt/data-disk/*";
    options = ["cache.files=partial" "dropcacheonclose=true" "category.create=mfs"];
  };
  # System disks
  disko.devices = {
    disk = {
      system1 = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WDS500G2B0A-00SM50_1827AD804249";
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "1M";
              type = "EF02"; # for grub MBR
            };
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "system";
              };
            };
          };
        };
      };
      system2 = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WDS500G2B0A-00SM50_1908BB805114";
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "1M";
              type = "EF02"; # for grub MBR
            };
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "system";
              };
            };
          };
        };
      };
    };
    mdadm = {
      boot = {
        type = "mdadm";
        level = 1;
        metadata = "1.0";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/boot";
          mountOptions = ["umask=0077"];
        };
      };
      system = {
        type = "mdadm";
        level = 1;
        content = {
          type = "btrfs";
          extraArgs = ["-f"];
          subvolumes = {
            "@" = {
              mountpoint = "/";
              mountOptions = ["compress=zstd" "noatime"];
            };
            "@nix" = {
              mountpoint = "/nix";
              mountOptions = ["compress=zstd" "noatime"];
            };
            "@home" = {
              mountpoint = "/home";
              mountOptions = ["compress=zstd" "noatime"];
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/homelab/docker-compose-out.sh
+++ b/hosts/homelab/docker-compose-out.sh
@ -0,0 +1,8 @@
 CONTAINER ID   IMAGE                                             COMMAND                  CREATED        STATUS                            PORTS                                                                                                                                                                                                                               NAMES
 8dbebe22375a   lscr.io/linuxserver/radarr:latest                 "/init"                  13 hours ago   Up 15 minutes                     7878/tcp                                                                                                                                                                                                                            deployment-radarr-1
 b445f1a00c58   lscr.io/linuxserver/prowlarr:latest               "/init"                  13 hours ago   Up 15 minutes                     9696/tcp                                                                                                                                                                                                                            deployment-prowlarr-1
 8ae82963dbcc   lscr.io/linuxserver/sonarr:latest                 "/init"                  37 hours ago   Up 15 minutes                     8989/tcp                                                                                                                                                                                                                            deployment-sonarr-1
 44e019b912ea   ghcr.io/open-webui/open-webui:ollama              "bash start.sh"          37 hours ago   Up 15 minutes (healthy)           8080/tcp                                                                                                                                                                                                                            open-webui
 65956cc9ab2b   lscr.io/linuxserver/sabnzbd:latest                "/init"                  3 days ago     Up 15 minutes                     8080/tcp                                                                                                                                                                                                                            deployment-sabnzbd-1
 bdddf0848dc3   lscr.io/linuxserver/bazarr:latest                 "/init"                  4 days ago     Up 15 minutes                     6767/tcp                                                                                                                                                                                                                            deployment-bazarr-1
 b1492d62fcb0   nextcloud:latest                                  "/entrypoint.sh apac…"   9 days ago     Up 15 minutes                     80/tcp                                                                                                                                                                                                                              deployment-nextcloud-1
--- a/hosts/homelab/facter.json
+++ b/hosts/homelab/facter.json
--- a/hosts/homelab/flame.nix
+++ b/hosts/homelab/flame.nix
@ -0,0 +1,27 @@
 _: let
  dataDir = "/var/lib/flame";
  domain = "flame.nickolaj.com";
 in {
  services.nginx.virtualHosts."${domain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:5005";
    };
  };
  virtualisation.oci-containers = {
    containers = {
      flame = {
        autoStart = true;
        image = "pawelmalak/flame:2.3.1";
        volumes = [
          "${dataDir}:/app/data"
        ];
        ports = [
          "127.0.0.1:5005:5005"
        ];
      };
    };
  };
 }
--- a/hosts/homelab/home-assistant.nix
+++ b/hosts/homelab/home-assistant.nix
@ -0,0 +1,175 @@
 {
  pkgsUnstable,
  pkgs,
  config,
  ...
 }: let
  mosquittoPort = 1883;
  zigbee2mqttPort = 8080;
  homeAssistantPort = 8123;
 in {
  age.secrets = {
    "zigbee2mqtt-secret.yaml" = {
      rekeyFile = ../../secrets/hosts/homelab/zigbee2mqtt-secret.yaml.age;
      owner = "zigbee2mqtt";
      group = "zigbee2mqtt";
    };
    z2m-basic-auth = {
      rekeyFile = ../../secrets/hosts/homelab/basic-auth.age;
      owner = config.services.nginx.user;
      inherit (config.services.nginx) group;
    };
    mosquitto-zigbee2mqtt.rekeyFile = ../../secrets/hosts/homelab/mosquitto-zigbee2mqtt.age;
    mosquitto-sas.rekeyFile = ../../secrets/hosts/homelab/mosquitto-sas.age;
    mosquitto-ha.rekeyFile = ../../secrets/hosts/homelab/mosquitto-ha.age;
  };
  networking.firewall.allowedTCPPorts = [
    mosquittoPort
  ];
  services = {
    nginx.virtualHosts = {
      "zigbee.nickolaj.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString zigbee2mqttPort}";
          proxyWebsockets = true;
        };
        basicAuthFile = "${config.age.secrets.z2m-basic-auth.path}";
      };
      "ha.nickolaj.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString homeAssistantPort}";
          proxyWebsockets = true;
        };
      };
    };
    home-assistant = {
      enable = true;
      package = pkgsUnstable.home-assistant;
      customComponents = with pkgsUnstable.home-assistant-custom-components; [
        adaptive_lighting
        sleep_as_android
        (pkgs.buildHomeAssistantComponent rec {
          owner = "Sian-Lee-SA";
          domain = "switch_manager";
          version = "v2.0.4b";
          src = pkgs.fetchFromGitHub {
            inherit owner;
            repo = "Home-Assistant-Switch-Manager";
            rev = version;
            hash = "sha256-W9xO3JjnRKHk/dlXMA6y5nEJl/KsGzPvJoumGw+nohw=";
          };
        })
      ];
      extraComponents = [
        "default_config"
        "met"
        "mqtt"
        "esphome"
        "google"
        "spotify"
        "unifi"
        "upnp"
        "homeassistant_hardware"
      ];
      config = {
        homeassistant = {
          name = "Home";
          latitude = "56.2";
          longitude = "10.2";
          elevation = "0";
          unit_system = "metric";
          time_zone = "Europe/Copenhagen";
        };
        frontend = {
          themes = "!include_dir_merge_named themes";
        };
        http = {
          server_port = homeAssistantPort;
          use_x_forwarded_for = true;
          trusted_proxies = [
            "127.0.0.1"
            "::1"
          ];
          base_url = "https://ha.nickolaj.com";
        };
        automation = "!include automations.yaml";
        script = "!include scripts.yaml";
        scene = "!include scenes.yaml";
      };
    };
    mosquitto = {
      enable = true;
      listeners = [
        {
          port = mosquittoPort;
          users."zigbee2mqtt" = {
            acl = ["readwrite #"];
            passwordFile = "${config.age.secrets.mosquitto-zigbee2mqtt.path}";
          };
          users."homeassistant" = {
            acl = ["readwrite #"];
            passwordFile = "${config.age.secrets.mosquitto-ha.path}";
          };
          users."sleep_as_android" = {
            acl = ["readwrite SleepAsAndroid"];
            passwordFile = "${config.age.secrets.mosquitto-sas.path}";
          };
        }
      ];
    };
    zigbee2mqtt = {
      enable = true;
      settings = {
        homeassistant = {
          enabled = true;
        };
        mqtt = {
          base_topic = "zigbee2mqtt";
          server = "mqtt://localhost:${toString mosquittoPort}";
          user = "zigbee2mqtt";
          password = "!${config.age.secrets."zigbee2mqtt-secret.yaml".path} password";
        };
        frontend = {
          enabled = true;
          port = zigbee2mqttPort;
        };
        serial = {
          port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
          adapter = "zstack";
        };
        advanced = {
          network_key = [
            233
            138
            136
            76
            51
            117
            128
            127
            74
            84
            33
            179
            116
            61
            79
            101
          ];
          channel = 25;
          log_level = "debug";
        };
      };
    };
  };
 }
--- a/hosts/homelab/netdata.nix
+++ b/hosts/homelab/netdata.nix
@ -0,0 +1,13 @@
 {
  config,
  pkgsUnstable,
  ...
 }: {
  age.secrets.netdata-claim-token.rekeyFile = ../../secrets/netdata-claim-token.age;
  services.netdata = {
    enable = true;
    package = pkgsUnstable.netdataCloud;
    claimTokenFile = "${config.age.secrets.netdata-claim-token.path}";
  };
 }
--- a/hosts/homelab/nginx.nix
+++ b/hosts/homelab/nginx.nix
@ -0,0 +1,12 @@
 _: {
  networking.firewall.allowedTCPPorts = [80 443];
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "nickolaj@fireproof.website";
  };
 }
--- a/hosts/homelab/plex.nix
+++ b/hosts/homelab/plex.nix
@ -0,0 +1,18 @@
 _: let
  domain = "plex.nickolaj.com";
 in {
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    http2 = true;
    locations."/" = {
      proxyWebsockets = true;
      proxyPass = "http://localhost:32400/";
    };
  };
  services.plex = {
    enable = true;
    openFirewall = true;
  };
 }
--- a/hosts/homelab/restic.nix
+++ b/hosts/homelab/restic.nix
@ -0,0 +1,19 @@
 {
  pkgs,
  config,
  ...
 }: {
  environment.systemPackages = with pkgs; [
    restic
  ];
  age.secrets.restic-password.rekeyFile = ../../secrets/hosts/homelab/restic-password.age;
  age.secrets.restic-env.rekeyFile = ../../secrets/hosts/homelab/restic-env.age;
  services.restic.backups.server = {
    repository = "b2:fireproof-backup";
    timerConfig = null;
    passwordFile = "${config.age.secrets.restic-password.path}";
    environmentFile = "${config.age.secrets.restic-env.path}";
  };
 }
--- a/hosts/homelab/vaultwarden.nix
+++ b/hosts/homelab/vaultwarden.nix
@ -0,0 +1,21 @@
 {config, ...}: let
  domain = "bitwarden.nickolaj.com";
 in {
  services.vaultwarden = {
    enable = true;
    config = {
      DOMAIN = "https://${domain}";
      SIGNUPS_ALLOWED = false;
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
    };
  };
  services.nginx.virtualHosts."${domain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://${toString config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
    };
  };
 }
--- a/2
+++ b/2
@ -67,7 +67,7 @@ deploy-remote hostname target:
        --flake .#{{ hostname }} \
        --disk-encryption-keys /luks-password <(just age -d ./secrets/luks-password.age) \
        --extra-files "$temp" \
-        --target-host "{{ target }}" {{ nix_output_monitor }}
+        --target-host "{{ target }}"
 [doc('A wrapper disko-install')]
 [group('deploy')]
--- a/modules/base/boot.nix
+++ b/modules/base/boot.nix
@ -1,4 +1,4 @@
-_: {
+{lib, ...}: {
-  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.enable = lib.mkDefault true;
  boot.loader.efi.canTouchEfiVariables = true;
 }
--- a/modules/desktop/hyprland/hypridle.nix
+++ b/modules/desktop/hyprland/hypridle.nix
@ -2,11 +2,10 @@
  config,
  pkgs,
  ...
-}:
+}: let
-let 
+  sleep_cmd = "${config.programs.hyprland.package}/bin/hyprctl dispatch dpms off";
-sleep_cmd = "${config.programs.hyprland.package}/bin/hyprctl dispatch dpms off";
+  wake_cmd = "${config.programs.hyprland.package}/bin/hyprctl dispatch dpms on";
-wake_cmd = "${config.programs.hyprland.package}/bin/hyprctl dispatch dpms on";
+  lock_cmd = "pidof ${pkgs.hyprlock}/bin/hyprlock || ${pkgs.hyprlock}/bin/hyprlock";
 lock_cmd = "pidof ${pkgs.hyprlock}/bin/hyprlock || ${pkgs.hyprlock}/bin/hyprlock";
 in {
  config = {
    fireproof.home-manager.services.hypridle = {
--- a/modules/desktop/hyprland/hyprlock.nix
+++ b/modules/desktop/hyprland/hyprlock.nix
@ -1,11 +1,9 @@
 {
  lib,
  config,
  inputs,
  pkgs,
  ...
-}:
+}: let
 let 
  background = pkgs.stdenvNoCC.mkDerivation {
    pname = "desktop-background";
    version = "0.2";
--- a/modules/dev/docker.nix
+++ b/modules/dev/docker.nix
@ -14,6 +14,9 @@
    enableOnBoot = lib.mkDefault false;
    storageDriver = "btrfs";
  };
  virtualisation.oci-containers = {
    backend = "docker";
  };
  users.extraGroups.docker.members = [username];
 }
--- a/modules/shell/core.nix
+++ b/modules/shell/core.nix
@ -1,5 +1,7 @@
 {pkgs, ...}: {
  config = {
    environment.enableAllTerminfo = true;
    environment.systemPackages = with pkgs; [
      # Man pages
      man-pages
--- a/secrets/hosts/homelab/.rekey/0caf919251bb18b1001dc9edd0b65e8f-ssh-key-ao.age
+++ b/secrets/hosts/homelab/.rekey/0caf919251bb18b1001dc9edd0b65e8f-ssh-key-ao.age
--- a/secrets/hosts/homelab/.rekey/138eb59710c868a3ac32a383a3c9bb8c-hashed-user-password.age
+++ b/secrets/hosts/homelab/.rekey/138eb59710c868a3ac32a383a3c9bb8c-hashed-user-password.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw F6J+zpSZMzomoDyuOD51GN66MT7WCqS8itq24chzAFk
 wk472qGObQIuLAL9jPPY1SkplwQcZ42LEALl+Lyn2mo
 -> )j-grease
 6cJmucW++jurxlstx8xohXgKvaBnLK7g5rDW/LTW6nKodU0GjVXIGkm0WFE3M+n3
 +LvT5OUcUc9BiardOKdCbDdTgw855Mwm
 --- kHNfCLIEk79PrX7SHMbDm7wqWeW0iEzi/Ha/zMPQ2Bk
 –ë§žMxpï;Ôû:„ÅÏNß1+n^0S‹†ù¹9=:Z_
 ÊëRà=yåç“·¬òS;©C¹\5Ÿ„
Ü¨©Aã—sY~Ñ³œ<C2B3>YÝ!õÊ9<17>¢zÒN*$\Šw<C5A0>}€eÖ<65>Ý7Õ
--- a/secrets/hosts/homelab/.rekey/14b416bbae3cdc88a8c1c51e34fc4251-netdata-claim-token.age
+++ b/secrets/hosts/homelab/.rekey/14b416bbae3cdc88a8c1c51e34fc4251-netdata-claim-token.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw O7Lgl8nCBN+7PkfnDJg1QlJuJsIWHsC0ph5HRvc+U3E
 bdllRkmn3RDwg1DVPSHLtYWfay/Y+hUeCtdiCYc1rDM
 -> JC5p)q|.-grease J<5Gb -#' }(d &;SYO
 9sFJvUrPneffSRN4a5VLMZBMJYluYh7efNGdJHnEnDLS2NJt33px
 --- Ct3YI+Fb2sCve9NRhIMZfAlDEN0jANs6kJREaSeRxUo
 IÇ|#+ÎR	:Êù
õËO¤FÞY\ìÝÎ¤cË|ÃX‹éÓ²¸FmË°˜X«¼©/OâÈƒ‹IŠ]Q<>¡5<>Ýtë!ö¡vÂ‚SîVRÜM»˜×„<C397>42ocüözMFX »Ý½Ñ’¡+ÿ™€Þ$#»Ii<49>üóaÇ(¾ÚK<C39A><4B>8û™Ï¦¡×Ì¦Ùñi£ ñø2þô2ó}ÐÐ¦O°Ý@
zñqÕî†”Pº
--- a/secrets/hosts/homelab/.rekey/15f8620e62e6007eca75f5b1988d30e4-mosquitto-zigbee2mqtt.age
+++ b/secrets/hosts/homelab/.rekey/15f8620e62e6007eca75f5b1988d30e4-mosquitto-zigbee2mqtt.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw k3cMMTZuQqRMU4NOfTjObYV8/wBeXviGI+pY7tEwhSc
 5tyXxJpOHU6SFMjI26Twr0IOhZNI9DhX8jxBMQM/Al4
 -> *}v$-grease -|;y' \I15AGYa
 kVpv2boLX6K7M0AxW34+bnVUQA
 --- rur+EXAAvdVN4krHU3ezxCoax/BLVsli+rU5LnndlSo
 ¼¬é_?8w²<77>~V@Çéã™xN::|æ©Óòj"“Øl;[NÎÒ@	ÊO.†X
"8¥
æ<>
--- a/secrets/hosts/homelab/.rekey/2441d2322b7240b3eea35ad9dab11832-llm-api-key.age
+++ b/secrets/hosts/homelab/.rekey/2441d2322b7240b3eea35ad9dab11832-llm-api-key.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw f1R1uOBfZIdPn5BQ+5ZniaLhcNIjCJLsSF1k7D8RIls
 qJJnInZeCvwBIMm5X1MzhwbGZ/592JqNmtAfbwSCYhw
 -> }o?y|l-grease cX)/~: `n \j
 0E48K80STlC5k6I+c+BXFV/ZaSc3VuYSnnJVrtaqloq8GjOJabQGpz2kJVecRN1y
 foetmkjWhOvTB9f5UmMvQhL3G8G4hqjJubwMrTTvW3t3
 --- dtdOrXsFxRkgVsjwAFFe32rOregwJ21fU1wFwwO6+kw
 ¢OîX6*ªôûÞ?äDõ’Gùm#ûB‘,3o[±&¢¿1¶cn¬b>(SÂÑèÎH…¢u7ÏGa:É¾HB”¥( žVá<56>Ò‚ŸÚÚÊ0›Ÿ‘-ã®,@†[í‘=Ésß6ç8r9cìîìbG
 ÜãSäß+™Íœõ£"	zÒït½Ò‹õi—×Ž‚ç·„sÝ<73>gÊÞrN:IÖ<04>é|`Š¹
--- a/secrets/hosts/homelab/.rekey/30920f14e702cae484442111b4851f54-ssh-key.age
+++ b/secrets/hosts/homelab/.rekey/30920f14e702cae484442111b4851f54-ssh-key.age
--- a/secrets/hosts/homelab/.rekey/48148d6112d1434e7398b9c12c630dd2-restic-env.age
+++ b/secrets/hosts/homelab/.rekey/48148d6112d1434e7398b9c12c630dd2-restic-env.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw 08ZhfwiBvcuSolMm1ALC8OzyY2v6Wsi/dzYULt0fSWE
 wY3KisU5VZ2i3f4UX4m8bduklHJiIqB0sIX9ZbopoWA
 -> I%-grease KdnM'X.} S }g)BW
 Zu8IquWpHt/8sQOE
 --- DRo5HV8Z3DxMKjDClkk3qQjEyud6nhM5B7qbAnrL6Os
 Ð†	Ÿ7ÜŠjfÖ<><C396>¥¼¡@XûNvV‰b\ìwMð…ã<E280A6>šÔÉÔ¥mïÕ©$ßÆGu*XW’u×©^:Ó^¾ûLyØfV……1€ZuË6<ÔÛ:É:m’$ªá˜M‰$Ê”ªØøB_¥å;yTÈZeJ’ôoíZ
--- a/secrets/hosts/homelab/.rekey/74a4e736e20629d2740a364f64845693-hosts-private.age
+++ b/secrets/hosts/homelab/.rekey/74a4e736e20629d2740a364f64845693-hosts-private.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw CI0deDYyaMuB+xZnioISSo0IVRu/EWvGqMYy5Kh8ni4
 v58W2scedSGkHszuNjdFmit5KUoRt3sPeumZJhp1Wzo
 -> Y(n-grease Tvk{V$qm
 b1vfTZ+Xs3P8Dh4/RMRyTuIL8GE7CCewHiDC5D8WznyfiCucBU69/MUhPuqIdv9X
 0qAfxmshLMAjI0tFZ54aWMm6OEpTcdzMlo1R0U+NWStOnCIbhA
 --- 4X98rP7pkB+L7Nj6az5/g6XDldWEVuZgMd7OV5jWRU8
 <ôàHZœ¢Ø…µ9ÖTÍf’%`|~ÁÓkR;HiÈlz½Z¶Ÿ¹-ÎTØ¶”ôñe¨›\PG,>*v_(=w¥Ö#ø“L“£•á*N~g5Iö²¨-P4šŒdŽÀ81^h»ð¡œg‰“Šföƒì<15>µ!8›ÿ4
--- a/secrets/hosts/homelab/.rekey/94a278805ce0e0e4f6264b8fd86a5091-restic-password.age
+++ b/secrets/hosts/homelab/.rekey/94a278805ce0e0e4f6264b8fd86a5091-restic-password.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw gJklmZvmMHNrR8CQqgeXjdquvYCI9yBoI3cIaerFzjg
 gBlXW7lWZyhyAsYJ00Iga74cZCTpfwzu123mWMP1q4U
 -> xuX3[1M"-grease :XC PdC4t '3HamwU
 CkvUahB707fp+qqKelKV1eX+v4MbKi5/hxk4UeCMkaY8vpuXtjaADPPQMfwl4Q
 --- ulRYWJMo5QCSCNmHVq3eVps8rbZvcraMSPtCGmjZ1io
 Æ©RÊÖqÚväÔPA:³Æà?“í ¥4J\¸ð,R¡¶¨]j Qi$)ÄßÆXcéª[
--- a/secrets/hosts/homelab/.rekey/b5d227f481f954aea5c51bdf5d8a5dcf-zigbee2mqtt-secret.yaml.age
+++ b/secrets/hosts/homelab/.rekey/b5d227f481f954aea5c51bdf5d8a5dcf-zigbee2mqtt-secret.yaml.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw kHM4p85AsOwVmv9pD1jzX5JMOnN6PeiCb0FjLajSYzM
 EJdymF4TcHkdS2rdFTb0qiFDc03ApPlRHP7tHyLos+c
 -> ^ph-grease $X')jU bPcQ
 OQ/f13Wb8Cc/YM7lVic7//EvxVIgQZK3PD9YUHWzRu7522bm0QBpZYu9kFlKksZ8
 KonC4Y7ZXA7vjt5HOzZWi7ZgflQc5vJMGV12M0KpFyUrQLMz6ICLoRI27UnsA1g
 --- G7bZfsEuPyIqSDhQpuBdRzct+kzKRFuQVEJAQ/I+nyE
 Âž¸#ÑDè·•	ÏÛËJpg<70>‡k_N©`¥Bgg‹©M]UËh*´Þ‚[c>\ç£œ{‰&<26>¡†_²±·0>U
--- a/secrets/hosts/homelab/.rekey/c56efde02ccf0a7c3d984bd06bb5256b-mosquitto-sas.age
+++ b/secrets/hosts/homelab/.rekey/c56efde02ccf0a7c3d984bd06bb5256b-mosquitto-sas.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw n9X1pYeg/Ro4nL+Sbh9eF7NI1NA+GZqfFcJpIvCfIBE
 /O2xZ9l5/X/SwRJcRlWr0VQaOYqkDUqfTCp0ppsZQFU
 -> T!@-grease tVu`Q
 hNzkvmlYLwaz
 --- baKbALuUvRFetyP3VoXFtqf2jCYaaG6RvcYWxJ6nBJs
 äútČ<>\?<3F>'ę<04>ăđ÷•·/0äRŘYě$ö?ŇB’Aë˝uď˛
--- a/secrets/hosts/homelab/.rekey/ce1e98e4b461da4e405ecdef56b69d89-z2m-basic-auth.age
+++ b/secrets/hosts/homelab/.rekey/ce1e98e4b461da4e405ecdef56b69d89-z2m-basic-auth.age
--- a/secrets/hosts/homelab/.rekey/de5c0bc0308469a9ac2cba127b5e7dc4-mosquitto-ha.age
+++ b/secrets/hosts/homelab/.rekey/de5c0bc0308469a9ac2cba127b5e7dc4-mosquitto-ha.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw XDWh867SO4ie2qfm59+Ub2vxQSxR6fwc72vZbHrN2Ss
 4/xK8aWfEDcEzkGsPNfkKXlpWVMqW8eU6u12OXH9k1w
 -> $Q&-grease
 i9TpyrFfEf3fwfMAppylDddeNgt1kI/DgnI2aUa5lzZ0YmVeRR/Oc8m2/ixL9bSQ
 MmnUkzSjJSgEmXzbcb/jUiTAvUFp1C71fGuIiwPMtdETeg
 --- k6eT3aj6R++AM1gFSkrqrDXaTSGP924V0zapl2jTgXg
 ™ù„Ù˜v-ÀJA‹>-âxB¿SqÖå/<2F>UžwüÜCƒ·"ÖÆ½÷<0B>\èœoXŠ¸<>€³
--- a/secrets/hosts/homelab/basic-auth.age
+++ b/secrets/hosts/homelab/basic-auth.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> X25519 IvJB9eyMjUeotOOlOJ5KfjS2D4OjzRifvuoNQzWi1gc
 XR8RCBhi5AjqfKQ1FH8fpF8Qsa7m87dfg1wcw8ZMEtQ
 -> piv-p256 q3LNVw A0aUhWmpWsmRDAXsU06Qm7L6MrKc16nGxpprogdDtUxy
 uxrBGAEUIRU436lx8+cs1LXnL1XbBP5+0VrGMpXvuXA
 -> @@02F=3-grease
 8aoVyiXx2y93mJuA+3OJ+0EQjg5/WZRtYjqYe5UJa/BjkzRzdvlTcwMnwNldZzcC
 HKjMzq75J+Ot9TOBRe+OKByhEXoqe4uWPXB7rw
 --- DmhCoM0vlZqKIQ7ycZ+ud0Do0XdOkCz1jKZzOxgZQHY
 I<EFBFBD>tç‰"É<><ÀH<ÞË†Z¹’ƒKºX“&“›8RŒÆ#³¸eá3”e	ëŠ¼âÈKMû¬/®FEàm^Õ}#ÔÔ,!„Æ<E2809E>†&®.Z’eŠ&ï…ÜBÇº)Œ1ÿFv{©°ogCuîzD‡;x’$\Á3rþM
--- a/secrets/hosts/homelab/id_ed25519.age
+++ b/secrets/hosts/homelab/id_ed25519.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> piv-p256 q3LNVw A5+sdq4RTbheCEzvuq2BjsAoBoTuwoaqZBnSjqIK32Zl
 ktly/qj2zYhX+czwgDvmNM1a6MbGIJqz7H0lvzJ7Axg
 -> m{7-grease 5,VvVN
 llZG3b/UEL06BI1chzBdrZ0wKRXNpv+4
 --- TPxkYZu4F0Il9r32xOQciMOUW8Vk9D2wkSbSrxzCUkc
 iÝjÚŠÀ¬¬<C2AC>~<11>I)4
ø¯Í²pò4q³[c‹,``çháoGêÐ~½X
'(n’÷$FbÍ«AkµÐÍ³ES
 EÝÐ_†O<EFBFBD>§UQ¹Û½¡¸²q5FKöÎ-ÓS“Ä®Âä–¥§²EY’öÆI¯í¤•ï<·I+Ù:ˆèþý·
T(<28>äš§‚ø_WÊ;·8µˆpl“öß‡¡©Ô‘¾¦/Íˆëq8fí4^È3‚ËË×ÙáW°‚W<E2809A>ç…?ùôCœ¹/_ÆI<0C>jT³å³¤‚
 2¥þ(,ôU’„îû!8Àº«õÇŸ\ŠuÀÚû]t°ZöQ·<51>:<3A>°“>{9ž%Šb<15>VY„œ™î%¾"(»W•ø¢†dVt¬¼ø“o…Š@«hÛ¶,¨¤`‡J«µ<C2AB>…‰<ò¯Ó¦5Š]ø½„—ÇêûIKøšRûXêÑ†K0þ9€Z_¹6ìDHÐ2¤Ù¡r\r- Rˆôý®E(¸Fûï+mº#öÌ(¤”<ØnP«UÚ&½
 -Œêì§žZNE4J‘¢µ2ßX–1æù4ÆœcÃ~Q3
--- a/secrets/hosts/homelab/id_ed25519.pub
+++ b/secrets/hosts/homelab/id_ed25519.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhxZWoJ756xjulZ/sIE8t2Wjt0pFi6DLGT+TAjk0fNx nickolaj@homelab
--- a/secrets/hosts/homelab/mosquitto-ha.age
+++ b/secrets/hosts/homelab/mosquitto-ha.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> X25519 6a2eEogc167KcEQ/k6H3KUuoeXfOPsnblSezlRN9mT8
 ofUCZ+DOa2FCOwiwRkeJttMYHbtlQNMiI9kEBNwvU84
 -> piv-p256 q3LNVw AzmRiiKEn4CVtXq+G8+LTEiHX7N3B2dvC3SpJJ86GCaM
 BihfkNZCycG/Be3SDkbfZPWTKPiKrX8iaktaBLcdW7U
 -> _peX_txi-grease RNVi]
 m/xckMd8CvdwgXRxlwxOCVWLponSQ44iNUCuWNYiuVIoOFbU0Fr/zIlGMx3jLe/C
 nJNVkTID2/OTVcQtDWfz+5LdecbuYeq0A6reOo1fjg
 --- /P9pjhMiJldQe89uap+zEX9mmz8/wThb2tG6EXyBNXM
 3©1ã/á_õ-ö}Ÿ<7F>‘F‚[êŒÑzjIÑùª@ÏWJ<1A>
‚®<E2809A>é‘‚÷5¿€”³ë
--- a/secrets/hosts/homelab/mosquitto-sas.age
+++ b/secrets/hosts/homelab/mosquitto-sas.age
--- a/secrets/hosts/homelab/mosquitto-zigbee2mqtt.age
+++ b/secrets/hosts/homelab/mosquitto-zigbee2mqtt.age
--- a/secrets/hosts/homelab/restic-env.age
+++ b/secrets/hosts/homelab/restic-env.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> X25519 yczjxcZq+Im03Xe456EWRPcDt6r/SnBM6zVcYr9oT0I
 k0exa0PAIs2rPWgdEK+1uqi7VN4ZLQswEFtxxrvSP4U
 -> piv-p256 q3LNVw Ah0sLbl5aiS36sGVKZM7fWlrx6halCtwW3Hc6IQb1W+w
 lRVq+Z47bjkpOReRRoscR5A+LpqloyNgx4zjx+2M1C0
 -> '-grease f%E `Dyy55T + 5xHqim
 ysaJAgUcTp5aWOyu3MkXq2AGsqEBpNZDfuSu6PDmdtojwjEM879ZVy0+7Xg
 --- ddwcqlpP4+ZIWode9wPkOVnrrqYpEkdFjhwDsgVXhzc
 n•(¢
ËúAÒ1F¸8©ö¿Âåuf<75>ÞéwúƒB#<N¤lúùö(Òò&üÏõèÓÅ6¸Xx#û(!sÛÇíÝÞsÊ7«c?1¼5uêqE¢ôëž…íúf0ƒy4Múž˜LëôMPç<I«l§{ôMWqÍÞ¤ÆŒoŠ
--- a/secrets/hosts/homelab/restic-password.age
+++ b/secrets/hosts/homelab/restic-password.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> X25519 SlTiYLUOZgos54gVVEiWVsO2LC1Pwm7NWTMYQqx3Dio
 68fxmw+BadS30wF1kl9eeQvVSFqhafUFtXSXMfMsDmg
 -> piv-p256 q3LNVw A/CtvNbVRNCJkKm5QCwi6ehvTid7rQxCCoGfFvD8luoz
 Qr0v5GGWSV98qrxvRqNAK42gm3TKLny1DYB/ijqeOmY
 -> \*-grease +7F= 9O W#`d ?
 FJ9LaugVuNQN6o5/D3lfyhvLuXY3kXVFNg
 --- ejAUsW3bP39q8PciF0gA3VOWDeGHf7P17JBNIkvFj/c
 浯w!ﾀﾅ螫兢>B<>皖搦1ｧr`Q梦ｿoiﾒ{<7B>笛-ﾃ焜<EFBE83>,ｽ-ﾃ酸ｴｦﾃ<1B>
--- a/secrets/hosts/homelab/zigbee2mqtt-secret.yaml.age
+++ b/secrets/hosts/homelab/zigbee2mqtt-secret.yaml.age
--- a/secrets/netdata-claim-token.age
+++ b/secrets/netdata-claim-token.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> X25519 ZwlikKecA4BWj61AmzgfAYggI3beEo/N9taFt0w9X3w
 zmgXbAdUD33hpz4I+B5IF01gheDmm8cSArNNANM2C90
 -> piv-p256 q3LNVw AvVG4PzbF7O2tA6a9SFe0rY2Y3EvWySmM1pFKk5OXnrs
 tN3OYjBKDihjbGakPRiJ+mQW3/x06AiOk7K39jp/IM4
 -> D#`T1-grease D w@ ML;p2 ?SbOwhx
 yRBDJJPqqPY0f6aX8w
 --- qjhN3qD7Ye8UGPCX69wZfGK5wBy0Dn/IhXpSC3J5kN0
 ä¬ŸC|S˜6r¦Ë;††f:T“	Úªs©h$©Ú™4—ä<E28094>Ct;Å8 Æ"0µÒÖÊÐ!šiOPÇUäî•‘Kï1ƒ4jœ]lšþ8<C3BE>Çxœ<)fýŽYV€Z¡Jk‹?Îñº3¨º½4˜qF…‰¦xÂ4¨»²ýÐ©Ô@ðkˆ¿,ëŠàâ—„ÖØ<¶yqP÷H"OWê×n±þ k3ï
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhxZWoJ756xjulZ/sIE8t2Wjt0pFi6DLGT+TAjk0fNx nickolaj@homelab`