Weekly flake update: 2025-10-29 17:38 UTC

.github/workflows/build-schemes.yml

@@ -3,8 +3,8 @@ name: Build All Color Schemes
 on:
   push:
     paths:
-      - 'config/schemes.nix'
+      - "config/schemes.nix"
-      - 'config/scheme-utils.nix'
+      - "config/scheme-utils.nix"
   workflow_dispatch:
 
 jobs:
@@ -12,81 +12,81 @@ jobs:
     runs-on: nixos
     env:
       HOSTNAME: server
-    
+
     steps:
-    - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
-    
+
-    - name: Get available schemes
+      - name: Get available schemes
-      id: schemes
+        id: schemes
-      run: |
+        run: |
-        SCHEMES=$(nix eval --raw --impure --expr '
+          SCHEMES=$(nix eval --raw --impure --expr '
-          let
+            let
-            pkgs = import <nixpkgs> {};
+              pkgs = import <nixpkgs> {};
-            inputs = {};
+              inputs = {};
-            utils = import ./scripts/scheme-utils.nix { inherit pkgs inputs; };
+              utils = import ./scripts/scheme-utils.nix { inherit pkgs inputs; };
-          in
+            in
-          builtins.concatStringsSep " " utils.availableSchemes
+            builtins.concatStringsSep " " utils.availableSchemes
-        ')
+          ')
-        echo "schemes=$SCHEMES" >> $GITHUB_OUTPUT
+          echo "schemes=$SCHEMES" >> $GITHUB_OUTPUT
-        echo "Available schemes: $SCHEMES"
+          echo "Available schemes: $SCHEMES"
-    
+
-    - name: Configure Attic cache
+      - name: Configure Attic cache
-      run: |
+        run: |
-        # Configure attic client to use your cache server
+          # Configure attic client to use your cache server
-        attic login servidos https://cache.servidos.lat ${{ secrets.ATTIC_TOKEN }}
+          attic login servidos http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }}
-    
+
-    - name: Build and push all schemes
+      - name: Build and push all schemes
-      run: |
+        run: |
-        echo "Building and pushing all schemes..."
+          echo "Building and pushing all schemes..."
-        
+
-        # Store original scheme
+          # Store original scheme
-        ORIGINAL_SCHEME=$(grep -oP "scheme = schemesFile\.schemes\.\K\w+" config/stylix.nix)
+          ORIGINAL_SCHEME=$(grep -oP "scheme = schemesFile\.schemes\.\K\w+" config/stylix.nix)
-        echo "Original scheme: $ORIGINAL_SCHEME"
+          echo "Original scheme: $ORIGINAL_SCHEME"
-        
+
-        # Build and push each scheme
+          # Build and push each scheme
-        for scheme in ${{ steps.schemes.outputs.schemes }}; do
+          for scheme in ${{ steps.schemes.outputs.schemes }}; do
+            echo "========================================="
+            echo "Processing scheme: $scheme"
+            echo "========================================="
+
+            # Update stylix.nix to use this scheme
+            sed -i "s/scheme = schemesFile\.schemes\.\w\+;/scheme = schemesFile.schemes.$scheme;/" config/stylix.nix
+
+            # Verify the change
+            grep "scheme = schemesFile.schemes" config/stylix.nix
+
+            # Build the configuration
+            echo "Building $scheme..."
+            nix build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel \
+              --out-link ./result-$scheme \
+              --quiet
+
+            # Push to cache
+            echo "Pushing $scheme to cache..."
+            attic push servidos:nixos ./result-$scheme
+
+            # Also push using print-out-paths for better cache coverage
+            nix build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel \
+              --print-out-paths \
+              --quiet | attic push servidos:nixos --stdin
+
+            echo "✓ Completed $scheme"
+            echo ""
+          done
+
+          # Restore original scheme
+          echo "Restoring original scheme: $ORIGINAL_SCHEME"
+          sed -i "s/scheme = schemesFile\.schemes\.\w\+;/scheme = schemesFile.schemes.$ORIGINAL_SCHEME;/" config/stylix.nix
+
           echo "========================================="
-          echo "Processing scheme: $scheme"
+          echo "All schemes built and pushed successfully!"
           echo "========================================="
-          
+
-          # Update stylix.nix to use this scheme
+      - name: Summary
-          sed -i "s/scheme = schemesFile\.schemes\.\w\+;/scheme = schemesFile.schemes.$scheme;/" config/stylix.nix
+        run: |
-          
+          SCHEME_COUNT=$(echo "${{ steps.schemes.outputs.schemes }}" | wc -w)
-          # Verify the change
+          echo "✅ Color scheme builds completed successfully!"
-          grep "scheme = schemesFile.schemes" config/stylix.nix
+          echo "- Built $SCHEME_COUNT schemes: ${{ steps.schemes.outputs.schemes }}"
-          
+          echo "- Pushed all builds to Atticd cache"
-          # Build the configuration
-          echo "Building $scheme..."
-          nix build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel \
-            --out-link ./result-$scheme \
-            --quiet
-          
-          # Push to cache
-          echo "Pushing $scheme to cache..."
-          attic push servidos:nixos ./result-$scheme
-          
-          # Also push using print-out-paths for better cache coverage
-          nix build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel \
-            --print-out-paths \
-            --quiet | attic push servidos:nixos --stdin
-          
-          echo "✓ Completed $scheme"
           echo ""
-        done
+          echo "You can now switch schemes quickly without waiting for builds!"
-        
-        # Restore original scheme
-        echo "Restoring original scheme: $ORIGINAL_SCHEME"
-        sed -i "s/scheme = schemesFile\.schemes\.\w\+;/scheme = schemesFile.schemes.$ORIGINAL_SCHEME;/" config/stylix.nix
-        
-        echo "========================================="
-        echo "All schemes built and pushed successfully!"
-        echo "========================================="
-    
-    - name: Summary
-      run: |
-        SCHEME_COUNT=$(echo "${{ steps.schemes.outputs.schemes }}" | wc -w)
-        echo "✅ Color scheme builds completed successfully!"
-        echo "- Built $SCHEME_COUNT schemes: ${{ steps.schemes.outputs.schemes }}"
-        echo "- Pushed all builds to Atticd cache"
-        echo ""
-        echo "You can now switch schemes quickly without waiting for builds!"

.github/workflows/weekly-build-cache.yml

@@ -38,7 +38,7 @@ jobs:
         if: steps.check_changes.outputs.changes == 'true'
         run: |
           # Configure attic client to use your cache server
-          attic login servidos https://cache.servidos.lat ${{ secrets.ATTIC_TOKEN }}
+          attic login servidos http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }}
 
       - name: Build workstation configuration
         if: steps.check_changes.outputs.changes == 'true'

config/base.nix

@@ -75,6 +75,7 @@
       "dotnet-runtime-6.0.36"
       "dotnet-sdk-wrapped-6.0.428"
       "dotnet-sdk-6.0.428"
+      "mbedtls-2.28.10"
     ];
   };
   nix = {

config/jawz.nix

@@ -33,7 +33,7 @@ in
       matchBlocks = {
         vps = {
           hostname = config.my.ips.vps;
-          user = "fedora";
+          user = "jawz";
           port = 3456;
           identityFile = config.sops.secrets."private_keys/${hostName}".path;
         };
@@ -68,14 +68,14 @@ in
       "plugdev"
       "bluetooth"
     ];
-    openssh.authorizedKeys.keyFiles = [
+    openssh.authorizedKeys.keyFiles = inputs.self.lib.getSshKeys [
-      ../secrets/ssh/ed25519_deacero.pub
+      "deacero"
-      ../secrets/ssh/ed25519_workstation.pub
+      "workstation"
-      ../secrets/ssh/ed25519_server.pub
+      "server"
-      ../secrets/ssh/ed25519_miniserver.pub
+      "miniserver"
-      ../secrets/ssh/ed25519_galaxy.pub
+      "galaxy"
-      ../secrets/ssh/ed25519_phone.pub
+      "phone"
-      ../secrets/ssh/ed25519_vps.pub
+      "vps"
     ];
   };
 }

dotfiles/stignore

@@ -1,6 +1,7 @@
 (?d)jawz/chrome/userChrome.css
 (?d)jawz/chrome/userContent.css
 (?d)jawz/lock
+(?d)jawz/storage
 (?d)jawz/user.js
 (?d)native-messaging-hosts/org.gnome.browser_connector.json
 (?d)native-messaging-hosts/org.gnome.chrome_gnome_shell.json

flake.lock

@@ -20,11 +20,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759499898,
+        "lastModified": 1760101617,
-        "narHash": "sha256-UNzYHLWfkSzLHDep5Ckb5tXc0fdxwPIrT+MY4kpQttM=",
+        "narHash": "sha256-8jf/3ZCi+B7zYpIyV04+3wm72BD7Z801IlOzsOACR7I=",
         "owner": "hyprwm",
         "repo": "aquamarine",
-        "rev": "655e067f96fd44b3f5685e17f566b0e4d535d798",
+        "rev": "1826a9923881320306231b1c2090379ebf9fa4f8",
         "type": "github"
       },
       "original": {
@@ -54,16 +54,17 @@
     "base16-fish": {
       "flake": false,
       "locked": {
-        "lastModified": 1622559957,
+        "lastModified": 1754405784,
-        "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
+        "narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=",
         "owner": "tomyun",
         "repo": "base16-fish",
-        "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
+        "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
         "type": "github"
       },
       "original": {
         "owner": "tomyun",
         "repo": "base16-fish",
+        "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
         "type": "github"
       }
     },
@@ -215,11 +216,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1759362264,
+        "lastModified": 1760948891,
-        "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=",
+        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "758cf7296bee11f1706a574c77d072b8a7baa881",
+        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
         "type": "github"
       },
       "original": {
@@ -233,11 +234,11 @@
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
       "locked": {
-        "lastModified": 1759362264,
+        "lastModified": 1760948891,
-        "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=",
+        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "758cf7296bee11f1706a574c77d072b8a7baa881",
+        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
         "type": "github"
       },
       "original": {
@@ -460,11 +461,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759490292,
+        "lastModified": 1760445448,
-        "narHash": "sha256-T6iWzDOXp8Wv0KQOCTHpBcmAOdHJ6zc/l9xaztW6Ivc=",
+        "narHash": "sha256-fXGjL6dw31FPFRrmIemzGiNSlfvEJTJNsmadZi+qNhI=",
         "owner": "hyprwm",
         "repo": "hyprgraphics",
-        "rev": "9431db625cd9bb66ac55525479dce694101d6d7a",
+        "rev": "50fb9f069219f338a11cf0bcccb9e58357d67757",
         "type": "github"
       },
       "original": {
@@ -491,11 +492,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1760143218,
+        "lastModified": 1761758444,
-        "narHash": "sha256-OhJPROcRcwBkjOKkXr/f3/7wuSjhAIqr8WfmEUF9Uuo=",
+        "narHash": "sha256-m05lvxm5qhUoAWB5vkyt9llmGcQ05Q7Km8d6QvMVfVA=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "d599513d4a72d66ac62ffdedc41d6653fa81b39e",
+        "rev": "83a0a62004ee915921ac36a96760944ad6550e1e",
         "type": "github"
       },
       "original": {
@@ -516,11 +517,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749046714,
+        "lastModified": 1759610243,
-        "narHash": "sha256-kymV5FMnddYGI+UjwIw8ceDjdeg7ToDVjbHCvUlhn14=",
+        "narHash": "sha256-+KEVnKBe8wz+a6dTLq8YDcF3UrhQElwsYJaVaHXJtoI=",
         "owner": "hyprwm",
         "repo": "hyprland-protocols",
-        "rev": "613878cb6f459c5e323aaafe1e6f388ac8a36330",
+        "rev": "bd153e76f751f150a09328dbdeb5e4fab9d23622",
         "type": "github"
       },
       "original": {
@@ -684,11 +685,11 @@
         "sudoku-solver": "sudoku-solver"
       },
       "locked": {
-        "lastModified": 1760073554,
+        "lastModified": 1761720517,
-        "narHash": "sha256-Ydqg/9lpoha2vgspjviqeRh6/tsWN+pZcUxn1ZyrFZM=",
+        "narHash": "sha256-YWKeZsstuJMEOlC31pyveuLT9525YW+wzTAMHDawgZ0=",
         "ref": "refs/heads/master",
-        "rev": "5c13b806a094f3605e2da70e133551848ad8d9a9",
+        "rev": "07daae7770da1201de6825de9b65eab0fcd81ca8",
-        "revCount": 109,
+        "revCount": 116,
         "type": "git",
         "url": "https://git.servidos.lat/jawz/scripts.git"
       },
@@ -705,11 +706,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1760146997,
+        "lastModified": 1761703070,
-        "narHash": "sha256-x2sF8Q4tWz3DI166s+KFDXySrK+cN+/YEd3DfhnhBLQ=",
+        "narHash": "sha256-KAsGjetWzPdUYqGuOu1Vu95d8i+L7JqwG7o3hLJ7DD8=",
         "owner": "fufexan",
         "repo": "nix-gaming",
-        "rev": "ad505387568d024654da88fef03d9c5319cba92f",
+        "rev": "30854a5ad380aa93b18c254bca4b5d7b6f3dc968",
         "type": "github"
       },
       "original": {
@@ -820,11 +821,11 @@
     },
     "nixpkgs-small": {
       "locked": {
-        "lastModified": 1760081104,
+        "lastModified": 1761706708,
-        "narHash": "sha256-n9NgHBtZgLrT1FtJ2W9AvVKM7bXWBgqw/is739m72WQ=",
+        "narHash": "sha256-zgrEi11Ok83JI2U11GQqSiE0TddvdHfnE8jI0iE4Vms=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "872106a411643f96e2c9576d247cf96e7c8c1b97",
+        "rev": "1f12c8011e59aca25db5cbf000735089a51874ea",
         "type": "github"
       },
       "original": {
@@ -836,11 +837,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1760038930,
+        "lastModified": 1761373498,
-        "narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=",
+        "narHash": "sha256-Q/uhWNvd7V7k1H1ZPMy/vkx3F8C13ZcdrKjO7Jv7v0c=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3",
+        "rev": "6a08e6bb4e46ff7fcbb53d409b253f6bad8a28ce",
         "type": "github"
       },
       "original": {
@@ -852,11 +853,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1759994382,
+        "lastModified": 1761468971,
-        "narHash": "sha256-wSK+3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1+G77Ow=",
+        "narHash": "sha256-vY2OLVg5ZTobdroQKQQSipSIkHlxOTrIF1fsMzPh8w8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5da4a26309e796daa7ffca72df93dbe53b8164c7",
+        "rev": "78e34d1667d32d8a0ffc3eba4591ff256e80576e",
         "type": "github"
       },
       "original": {
@@ -895,11 +896,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1760150127,
+        "lastModified": 1761756571,
-        "narHash": "sha256-McDmxx/bruodgHLD4sFIl0fKkEkNj5VE3DglImfslrk=",
+        "narHash": "sha256-Ryt/9e3t+KEo9BT1TJqpi8hnkGOQrG1ddsOPf12zwBM=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "886a5646695563cbae3c1e10369c6070c7645e73",
+        "rev": "14ea3a540e215ee60d970038f56c26ffb205b843",
         "type": "github"
       },
       "original": {
@@ -944,11 +945,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758108966,
+        "lastModified": 1760663237,
-        "narHash": "sha256-ytw7ROXaWZ7OfwHrQ9xvjpUWeGVm86pwnEd1QhzawIo=",
+        "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "54df955a695a84cd47d4a43e08e1feaf90b1fd9b",
+        "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37",
         "type": "github"
       },
       "original": {
@@ -1002,11 +1003,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759635238,
+        "lastModified": 1760998189,
-        "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=",
+        "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133",
+        "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
         "type": "github"
       },
       "original": {
@@ -1036,11 +1037,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1759596342,
+        "lastModified": 1761668239,
-        "narHash": "sha256-1Eda1V8pjpviMdBTdDXrFp7jkaUokIgXgBYTZyzDODk=",
+        "narHash": "sha256-b0+7/5hBUsLjd/gMY9/LSEsvuWFFolHdpUAOlG73zmw=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "4d065856e936fc6a99ba55d39ac2df9ded6bedbe",
+        "rev": "a149a557dc306e76d53e7dd488826e61ef9c6289",
         "type": "github"
       },
       "original": {
@@ -1293,11 +1294,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755354946,
+        "lastModified": 1760713634,
-        "narHash": "sha256-zdov5f/GcoLQc9qYIS1dUTqtJMeDqmBmo59PAxze6e4=",
+        "narHash": "sha256-5HXelmz2x/uO26lvW7MudnadbAfoBnve4tRBiDVLtOM=",
         "owner": "hyprwm",
         "repo": "xdg-desktop-portal-hyprland",
-        "rev": "a10726d6a8d0ef1a0c645378f983b6278c42eaa0",
+        "rev": "753bbbdf6a052994da94062e5b753288cef28dfb",
         "type": "github"
       },
       "original": {

hosts/miniserver/configuration.nix

@@ -1,17 +1,17 @@
-{ config, ... }:
+{ config, inputs, ... }:
 {
   imports = [
     ./hardware-configuration.nix
     ../../config/base.nix
     ../../config/stylix.nix
   ];
-  my = import ./toggles.nix // {
+  my = import ./toggles.nix { inherit inputs; } // {
     nix.cores = 3;
     nix.maxJobs = 8;
     users.nixremote.enable = true;
-    users.nixremote.authorizedKeys = [
+    users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
-      ../../secrets/ssh/ed25519_nixworkstation.pub
+      "nixworkstation"
-      ../../secrets/ssh/ed25519_nixserver.pub
+      "nixserver"
     ];
   };
   nix.buildMachines =

hosts/miniserver/toggles.nix

@@ -1,16 +1,6 @@
+{ inputs }:
 let
-  mkEnabled = name: {
+  inherit (inputs.self.lib) mkEnabled mkEnabledWithProxy enableList;
-    inherit name;
-    value.enable = true;
-  };
-  mkEnabledWithProxy = name: {
-    inherit name;
-    value = {
-      enable = true;
-      enableProxy = true;
-    };
-  };
-  enableList = func: list: list |> map func |> builtins.listToAttrs;
 in
 {
   emacs.enable = true;

hosts/server/configuration.nix

@@ -2,6 +2,7 @@
   pkgs,
   config,
   lib,
+  inputs,
   ...
 }:
 {
@@ -10,12 +11,12 @@
     ../../config/base.nix
     ../../config/stylix.nix
   ];
-  my = import ./toggles.nix { inherit config; } // {
+  my = import ./toggles.nix { inherit config inputs; } // {
     nix.cores = 6;
     users.nixremote.enable = true;
-    users.nixremote.authorizedKeys = [
+    users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
-      ../../secrets/ssh/ed25519_nixworkstation.pub
+      "nixworkstation"
-      ../../secrets/ssh/ed25519_nixminiserver.pub
+      "nixminiserver"
     ];
     network.firewall.enabledServicePorts = true;
     network.firewall.additionalPorts = [

hosts/server/toggles.nix

@@ -1,17 +1,7 @@
-{ config }:
+{ config, inputs }:
 let
-  mkEnabled = name: {
+  inherit (inputs.self.lib) mkEnabled enableList;
-    inherit name;
+  mkEnabledIp = inputs.self.lib.mkEnabledIp config.my.ips.wg-server;
-    value.enable = true;
-  };
-  mkEnabledIp = name: {
-    inherit name;
-    value = {
-      enable = true;
-      ip = config.my.ips.wg-server;
-    };
-  };
-  enableList = func: list: list |> map func |> builtins.listToAttrs;
 in
 {
   mainServer = "server";

hosts/workstation/configuration.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  inputs,
   ...
 }:
 let
@@ -22,13 +23,13 @@ in
     ../../config/stylix.nix
     ../../environments/gnome.nix
   ];
-  my = import ./toggles.nix // {
+  my = import ./toggles.nix { inherit inputs; } // {
     nix.cores = 8;
     nix.maxJobs = 8;
     users.nixremote.enable = true;
-    users.nixremote.authorizedKeys = [
+    users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
-      ../../secrets/ssh/ed25519_nixserver.pub
+      "nixserver"
-      ../../secrets/ssh/ed25519_nixminiserver.pub
+      "nixminiserver"
     ];
   };
   home-manager.users.jawz = {

hosts/workstation/toggles.nix

@@ -1,9 +1,6 @@
+{ inputs }:
 let
-  mkEnabled = name: {
+  inherit (inputs.self.lib) mkEnabled enableList;
-    inherit name;
-    value.enable = true;
-  };
-  enableList = func: list: list |> map func |> builtins.listToAttrs;
 in
 {
   stylix.enable = true;

modules/factories/mkserver.nix

@@ -53,58 +53,8 @@ let
       default = null;
     };
   };
-  proxy = locations: {
-    inherit locations;
-    forceSSL = true;
-    enableACME = true;
-    http2 = true;
-  };
-  proxyReverse =
-    cfg:
-    proxy {
-      "/" = {
-        proxyPass = "http://${cfg.ip}:${toString cfg.port}/";
-        proxyWebsockets = cfg.enableSocket;
-      };
-    };
-  proxyReverseFix =
-    cfg:
-    let
-      useLocalhost = cfg.hostName == config.networking.hostName;
-      localHeaders = ''
-        proxy_set_header   Host $host;
-        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header   X-Forwarded-Proto $scheme;
-      '';
-    in
-    proxyReverse cfg
-    // {
-      extraConfig = ''
-        ${if useLocalhost then localHeaders else ""}
-        proxy_set_header   X-Forwarded-Host $host;
-        proxy_set_header   Upgrade $http_upgrade;
-        proxy_set_header   Connection $http_connection;
-        proxy_redirect     off;
-        proxy_http_version 1.1;
-      '';
-    };
-  proxyReversePrivate =
-    cfg:
-    proxyReverse cfg
-    // {
-      extraConfig = ''
-        ssl_verify_client on;
-        ssl_client_certificate ${cfg.certPath};
-        error_page 403 /403.html;
-      '';
-    };
 in
 {
-  inherit
+  inherit mkOptions;
-    mkOptions
+  mkServerOptions = mkOptions;
-    proxy
-    proxyReverse
-    proxyReverseFix
-    proxyReversePrivate
-    ;
 }

modules/modules.nix

@@ -17,6 +17,7 @@ in
     ++ inputs.self.lib.autoImport ./shell filterNames
     ++ inputs.self.lib.autoImport ./network filterNames
     ++ [
+      ./factories/mkscript.nix
       ./nix/build.nix
       ./users/nixremote.nix
     ];
@@ -48,7 +49,7 @@ in
         server = "192.168.100.15";
         miniserver = "192.168.1.100";
         workstation = "192.168.100.18";
-        vps = "51.222.141.104";
+        vps = "172.236.243.182";
         wg-vps = "10.77.0.1";
         wg-server = "10.77.0.2";
         wg-friend1 = "10.8.0.2";
@@ -104,65 +105,71 @@ in
     enableProxy = lib.mkEnableOption "nginx reverse proxy for services";
   };
   config = {
-    assertions = [
+    assertions =
-      {
+      # PostgreSQL dependency assertions
-        assertion = config.my.servers.nextcloud.enable -> config.my.servers.postgres.enable;
+      inputs.self.lib.mkPostgresDependencies config [
-        message = "Nextcloud requires PostgreSQL to be enabled";
+        {
-      }
+          service = "nextcloud";
-      {
+          name = "Nextcloud";
-        assertion = config.my.servers.vaultwarden.enable -> config.my.servers.postgres.enable;
+        }
-        message = "Vaultwarden requires PostgreSQL to be enabled";
+        {
-      }
+          service = "vaultwarden";
-      {
+          name = "Vaultwarden";
-        assertion = config.my.servers.firefly-iii.enable -> config.my.servers.postgres.enable;
+        }
-        message = "Firefly III requires PostgreSQL to be enabled";
+        {
-      }
+          service = "firefly-iii";
-      {
+          name = "Firefly III";
-        assertion = config.my.servers.mealie.enable -> config.my.servers.postgres.enable;
+        }
-        message = "Mealie requires PostgreSQL to be enabled";
+        {
-      }
+          service = "mealie";
-      {
+          name = "Mealie";
-        assertion = config.my.servers.shiori.enable -> config.my.servers.postgres.enable;
+        }
-        message = "Shiori requires PostgreSQL to be enabled";
+        {
-      }
+          service = "shiori";
-      {
+          name = "Shiori";
-        assertion = config.my.servers.ryot.enable -> config.my.servers.postgres.enable;
+        }
-        message = "Ryot requires PostgreSQL to be enabled";
+        {
-      }
+          service = "ryot";
-      {
+          name = "Ryot";
-        assertion = config.my.servers.synapse.enable -> config.my.servers.postgres.enable;
+        }
-        message = "Matrix Synapse requires PostgreSQL to be enabled";
+        {
-      }
+          service = "synapse";
-      {
+          name = "Matrix Synapse";
-        assertion = config.my.servers.gitea.enable -> config.my.servers.postgres.enable;
+        }
-        message = "Gitea requires PostgreSQL to be enabled";
+        {
-      }
+          service = "gitea";
-      {
+          name = "Gitea";
-        assertion =
+        }
-          config.my.enableProxy
+      ]
-          -> (builtins.any (s: s.enableProxy or false) (builtins.attrValues config.my.servers));
+      ++
-        message = "enableProxy is true but no services have enableProxy enabled";
+      # Other assertions
-      }
+      [
-      {
+        {
-        assertion =
+          assertion =
-          config.my.enableContainers
+            config.my.enableProxy
-          || !(builtins.any (opt: opt) [
+            -> (builtins.any (s: s.enableProxy or false) (builtins.attrValues config.my.servers));
-            config.my.servers.ryot.enable
+          message = "enableProxy is true but no services have enableProxy enabled";
-            config.my.servers.lidarr.enable
+        }
-            config.my.servers.prowlarr.enable
+        {
-            config.my.servers.maloja.enable
+          assertion =
-            config.my.servers.multi-scrobbler.enable
+            config.my.enableContainers
-            config.my.servers.flame.enable
+            || !(builtins.any (opt: opt) [
-            config.my.servers.flameSecret.enable
+              config.my.servers.ryot.enable
-            config.my.servers.metube.enable
+              config.my.servers.lidarr.enable
-            config.my.servers.go-vod.enable
+              config.my.servers.prowlarr.enable
-            config.my.servers.tranga.enable
+              config.my.servers.maloja.enable
-            config.my.servers.drpp.enable
+              config.my.servers.multi-scrobbler.enable
-            config.my.servers.plex-discord-bot.enable
+              config.my.servers.flame.enable
-          ]);
+              config.my.servers.flameSecret.enable
-        message = "Container services are enabled but enableContainers is false";
+              config.my.servers.metube.enable
-      }
+              config.my.servers.go-vod.enable
-    ];
+              config.my.servers.tranga.enable
+              config.my.servers.drpp.enable
+              config.my.servers.plex-discord-bot.enable
+            ]);
+          message = "Container services are enabled but enableContainers is false";
+        }
+      ];
     virtualisation = {
       containers.enable = true;
       oci-containers.backend = "podman";

modules/network/firewall.nix

@@ -6,6 +6,7 @@
 }:
 let
   firewallBlacklist = [
+    "sabnzbd"
     "lidarr"
     "maloja"
     "tranga"

modules/scripts/download.nix

@@ -6,7 +6,6 @@
   ...
 }:
 {
-  imports = [ ../factories/mkscript.nix ];
   options.my.units = {
     download.enable = lib.mkEnableOption "media download automation scripts";
     downloadManga.enable = lib.mkEnableOption "manga download automation";

modules/scripts/ffmpeg4discord.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.ffmpeg4discord = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/ffmpreg.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.ffmpreg = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/find-dup-episode.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.find-dup-episodes = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/library-report.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.library-report = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/manage-library.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.manage-library = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/pika-list.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.pika-list = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/run.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.run = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/split-dir.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.split-dir = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/stream-dl.nix

@@ -6,7 +6,6 @@
   ...
 }:
 {
-  imports = [ ../factories/mkscript.nix ];
   options.my.units.stream-dl.enable = lib.mkEnableOption "streaming media download service";
   config =
     let

modules/scripts/tasks.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.tasks = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/tuh-activity-logger.nix

@@ -1,6 +1,5 @@
 { inputs, lib, ... }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.tuh-activity-logger = {
     enable = lib.mkDefault false;
     install = true;

modules/scripts/update-dns.nix

@@ -6,7 +6,6 @@
   ...
 }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config = lib.mkIf config.my.secureHost {
     sops.secrets = {
       cloudflare-api.sopsFile = ../../secrets/env.yaml;

modules/scripts/update-org-agenda-cache.nix

@@ -5,7 +5,6 @@
   ...
 }:
 {
-  imports = [ ../factories/mkscript.nix ];
   config.my.scripts.update-org-agenda-cache = {
     enable = lib.mkDefault false;
     install = config.my.emacs.enable;

modules/servers/atticd.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.atticd;
 in
 {
-  options.my.servers.atticd = inputs.self.lib.mkServerOptions "atticd" "cache" 2343 lib;
+  options.my.servers.atticd = setup.mkOptions "atticd" "cache" 2343;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets."private_cache_keys/atticd".sopsFile = ../../secrets/keys.yaml;
     services.atticd = {
@@ -17,6 +17,7 @@ in
       settings = {
         listen = "[::]:${toString cfg.port}";
         jwt = { };
+        database.heartbeat = true; # 5 minutes
         chunking = {
           nar-size-threshold = 64 * 1024; # 64 KiB
           min-size = 16 * 1024; # 16 KiB
@@ -25,7 +26,7 @@ in
         };
         compression = {
           type = "zstd";
-          level = 8;
+          level = 3;
         };
         garbage-collection = {
           interval = "7 days";
@@ -33,5 +34,12 @@ in
         };
       };
     };
+    systemd.services.atticd = {
+      serviceConfig = {
+        TimeoutStartSec = "15min";
+        TimeoutStopSec = "5min";
+        MemoryMax = "4G";
+      };
+    };
   };
 }

modules/servers/audiobookshelf.nix

@@ -1,16 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.audiobookshelf;
 in
 {
-  options.my.servers.audiobookshelf =
+  options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687;
-    inputs.self.lib.mkServerOptions "audiobookshelf" "audiobooks" 5687
-      lib;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     my.servers.audiobookshelf.enableSocket = true;
     services.audiobookshelf = {

modules/servers/bazarr.nix

@@ -1,16 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.bazarr;
 in
 {
-  options.my.servers.bazarr =
+  options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort;
-    inputs.self.lib.mkServerOptions "bazarr" "subs" config.services.bazarr.listenPort
-      lib;
   config.services.bazarr = lib.mkIf cfg.enable {
     inherit (cfg) enable;
     group = "piracy";

modules/servers/drpp.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.drpp;
 in
 {
-  options.my.servers.drpp = inputs.self.lib.mkServerOptions "drpp" "drpp" 0 lib;
+  options.my.servers.drpp = setup.mkOptions "drpp" "drpp" 0;
   config.virtualisation.oci-containers.containers.drpp = lib.mkIf cfg.enable {
     image = "ghcr.io/phin05/discord-rich-presence-plex:latest";
     environment = {

modules/servers/firefox-syncserver.nix

@@ -1,16 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.firefox-syncserver;
 in
 {
-  options.my.servers.firefox-syncserver =
+  options.my.servers.firefox-syncserver = setup.mkOptions "firefox-syncserver" "sync" 4233;
-    inputs.self.lib.mkServerOptions "firefox-syncserver" "sync" 4233
-      lib;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     # sops.secrets.firefox-syncserver.sopsFile = ../../secrets/env.yaml;
     services.firefox-syncserver = {

modules/servers/flame.nix

@@ -1,18 +1,18 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
   cfg = config.my.servers.flame;
   cfgS = config.my.servers.flameSecret;
   enable = (cfg.enable || cfgS.enable) && config.my.secureHost;
+  setup = import ../factories/mkserver.nix { inherit lib config; };
 in
 {
   options.my.servers = {
-    flame = inputs.self.lib.mkServerOptions "flame" "start" 5005 lib;
+    flame = setup.mkOptions "flame" "start" 5005;
-    flameSecret = inputs.self.lib.mkServerOptions "flameSecret" "qampqwn4wprhqny8h8zj" 5007 lib;
+    flameSecret = setup.mkOptions "flameSecret" "qampqwn4wprhqny8h8zj" 5007;
   };
   config = lib.mkIf enable {
     sops.secrets = {

modules/servers/gitea.nix

@@ -1,11 +1,11 @@
 {
   lib,
   config,
-  inputs,
   pkgs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.gitea;
 in
 {
@@ -13,7 +13,7 @@ in
     ../nix/gitea-actions-runners/ryujinx.nix
     ../nix/gitea-actions-runners/nixos.nix
   ];
-  options.my.servers.gitea = inputs.self.lib.mkServerOptions "gitea" "git" 9083 lib;
+  options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets.gitea.sopsFile = ../../secrets/env.yaml;
     services.gitea = {

modules/servers/homepage.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.homepage;
 in
 {
-  options.my.servers.homepage = inputs.self.lib.mkServerOptions "homepage" "home" 8082 lib;
+  options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
   config = lib.mkIf config.my.secureHost {
     sops.secrets = lib.mkIf cfg.enable {
       homepage.sopsFile = ../../secrets/homepage.yaml;

modules/servers/jellyfin.nix

@@ -8,6 +8,7 @@
 let
   cfg = config.my.servers.jellyfin;
   inherit (inputs.jawz-scripts.packages.x86_64-linux) sub-sync;
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   sub-sync-path = [
     pkgs.nix
     pkgs.bash
@@ -21,7 +22,7 @@ let
   ];
 in
 {
-  options.my.servers.jellyfin = inputs.self.lib.mkServerOptions "jellyfin" "flix" 8096 lib;
+  options.my.servers.jellyfin = setup.mkOptions "jellyfin" "flix" 8096;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     environment.systemPackages = [
       pkgs.jellyfin-ffmpeg

modules/servers/kavita.nix

@@ -1,16 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.kavita;
 in
 {
-  options.my.servers.kavita =
+  options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
-    inputs.self.lib.mkServerOptions "kavita" "library" config.services.kavita.settings.Port
-      lib;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets.kavita-token = {
       owner = config.users.users.kavita.name;

modules/servers/lidarr.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.lidarr;
 in
 {
-  options.my.servers.lidarr = inputs.self.lib.mkServerOptions "lidarr" "music" 8686 lib;
+  options.my.servers.lidarr = setup.mkOptions "lidarr" "music" 8686;
   config.virtualisation.oci-containers.containers.lidarr = lib.mkIf cfg.enable {
     autoStart = true;
     image = "linuxserver/lidarr:version-2.13.3.4711";

modules/servers/maloja.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.maloja;
 in
 {
-  options.my.servers.maloja = inputs.self.lib.mkServerOptions "maloja" "maloja" 42010 lib;
+  options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets.maloja.sopsFile = ../../secrets/env.yaml;
     virtualisation.oci-containers.containers.maloja = {

modules/servers/mealie.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.mealie;
 in
 {
-  options.my.servers.mealie = inputs.self.lib.mkServerOptions "mealie" "mealie" 9925 lib;
+  options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets.mealie.sopsFile = ../../secrets/env.yaml;
     services.mealie = {

modules/servers/metube.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.metube;
 in
 {
-  options.my.servers.metube = inputs.self.lib.mkServerOptions "metube" "bajameesta" 8881 lib;
+  options.my.servers.metube = setup.mkOptions "metube" "bajameesta" 8881;
   config.virtualisation.oci-containers.containers.metube = lib.mkIf cfg.enable {
     image = "ghcr.io/alexta69/metube:latest";
     ports = [ "${toString cfg.port}:8081" ];

modules/servers/microbin.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.microbin;
 in
 {
-  options.my.servers.microbin = inputs.self.lib.mkServerOptions "microbin" "copy" 8086 lib;
+  options.my.servers.microbin = setup.mkOptions "microbin" "copy" 8086;
   config.services.microbin = lib.mkIf (cfg.enable && config.my.secureHost) {
     inherit (cfg) enable;
     settings = {

modules/servers/multi-scrobbler.nix

@@ -1,16 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.multi-scrobbler;
 in
 {
-  options.my.servers.multi-scrobbler =
+  options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078;
-    inputs.self.lib.mkServerOptions "multi-scrobbler" "scrobble" 9078
-      lib;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets.multi-scrobbler.sopsFile = ../../secrets/env.yaml;
     virtualisation.oci-containers.containers.multi-scrobbler = {

modules/servers/nextcloud.nix

@@ -6,6 +6,7 @@
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   commonProxyConfig = ''
     proxy_set_header Host $host;
   '';
@@ -28,14 +29,14 @@ let
       };
     }
   );
-  pytensorflow = pkgs.python311.withPackages (ps: [ ps.tensorflow ]);
+  pytensorflow = pkgs.python3.withPackages (ps: [ ps.tensorflow ]);
   cfg = config.my.servers.nextcloud;
   cfgC = config.my.servers.collabora;
 in
 {
   options.my.servers = {
-    nextcloud = inputs.self.lib.mkServerOptions "nextcloud" "cloud" 80 lib;
+    nextcloud = setup.mkOptions "nextcloud" "cloud" 80;
-    collabora = inputs.self.lib.mkServerOptions "collabora" "collabora" 9980 lib;
+    collabora = setup.mkOptions "collabora" "collabora" 9980;
     go-vod.enable = lib.mkEnableOption "Go-VOD video transcoding service";
   };
   config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
@@ -174,6 +175,14 @@ in
           ];
           #vps
           serverAliases = [ "cloud.rotehaare.art" ];
+          extraConfig = ''
+            add_header X-XSS-Protection "1; mode=block" always;
+            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header Referrer-Policy "no-referrer-when-downgrade" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+          '';
           locations = {
             "/".proxyWebsockets = true;
             "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
@@ -186,6 +195,11 @@ in
           http2 = true;
           locations = {
             # static files
+            "^~ /browser" = {
+              proxyPass = cfgC.local;
+              extraConfig = commonProxyConfig;
+            };
+            # Legacy static files (for compatibility)
             "^~ /loleaflet" = {
               proxyPass = cfgC.local;
               extraConfig = commonProxyConfig;
@@ -201,11 +215,21 @@ in
               extraConfig = commonProxyConfig;
             };
             # download, presentation, image upload and websocket
+            "~ ^/cool" = {
+              proxyPass = cfgC.local;
+              extraConfig = commonWebsocketConfig;
+            };
+            # Legacy websocket (for compatibility)
             "~ ^/lool" = {
               proxyPass = cfgC.local;
               extraConfig = commonWebsocketConfig;
             };
             # Admin Console websocket
+            "^~ /cool/adminws" = {
+              proxyPass = cfgC.local;
+              extraConfig = commonWebsocketConfig;
+            };
+            # Legacy Admin Console websocket (for compatibility)
             "^~ /lool/adminws" = {
               proxyPass = cfgC.local;
               extraConfig = commonWebsocketConfig;
@@ -230,23 +254,23 @@ in
       };
       collabora = lib.mkIf cfgC.enable {
         autoStart = true;
-        image = "collabora/code";
+        image = "collabora/code:latest";
-        imageFile = pkgs.dockerTools.pullImage {
-          imageName = "collabora/code";
-          imageDigest = "sha256:aab41379baf5652832e9237fcc06a768096a5a7fccc66cf8bd4fdb06d2cbba7f";
-          sha256 = "sha256-M66lynhzaOEFnE15Sy1N6lBbGDxwNw6ap+IUJAvoCLs=";
-        };
         ports = [ "9980:9980" ];
         environment = {
           TZ = config.my.timeZone;
           domain = cfg.host;
-          aliasgroup1 = "${cfg.host}:443";
+          aliasgroup1 = "${cfg.url}:443";
-          aliasgroup2 = "cloud.rotehaare.art:443";
+          aliasgroup2 = "https://cloud.rotehaare.art:443";
+          server_name = cfgC.host;
           dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru";
           extra_params = ''
             --o:ssl.enable=false
             --o:ssl.termination=true
+            --o:remote_font_config.url=${cfg.url}/apps/richdocuments/settings/fonts.json
+            --o:logging.level=information
           '';
+          DONT_GEN_SSL_CERT = "1";
+          SLEEPFORDEBUGGER = "0";
         };
         extraOptions = [
           "--cap-add"

modules/servers/nix-serve.nix

@@ -1,15 +1,15 @@
 {
   lib,
-  inputs,
   config,
   pkgs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.nix-serve;
 in
 {
-  options.my.servers.nix-serve = inputs.self.lib.mkServerOptions "nix-serve" "cache" 5000 lib;
+  options.my.servers.nix-serve = setup.mkOptions "nix-serve" "cache" 5000;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets."private_cache_keys/miniserver".sopsFile = ../../secrets/keys.yaml;
     services.nix-serve = {

modules/servers/ombi.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.ombi;
 in
 {
-  options.my.servers.ombi = inputs.self.lib.mkServerOptions "ombi" "requests" 3425 lib;
+  options.my.servers.ombi = setup.mkOptions "ombi" "requests" 3425;
   config.services.ombi = lib.mkIf cfg.enable {
     inherit (cfg) enable port;
   };

modules/servers/plex-discord-bot.nix

@@ -1,15 +1,15 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.plex-discord-bot;
   name = "plex-discord-bot";
 in
 {
-  options.my.servers.plex-discord-bot = inputs.self.lib.mkServerOptions name name 0 lib;
+  options.my.servers.plex-discord-bot = setup.mkOptions name name 0;
   config.virtualisation.oci-containers.containers.plex-discord-bot = lib.mkIf cfg.enable {
     image = "ghcr.io/phin05/discord-rich-presence-plex:latest";
     environment = {

modules/servers/plex.nix

@@ -1,14 +1,14 @@
 {
   lib,
-  inputs,
   config,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.plex;
 in
 {
-  options.my.servers.plex = inputs.self.lib.mkServerOptions "plex" "plex" 32400 lib;
+  options.my.servers.plex = setup.mkOptions "plex" "plex" 32400;
   config.services = lib.mkIf (cfg.enable && config.my.secureHost) {
     plex = {
       inherit (cfg) enable;

modules/servers/portfolio.nix

@@ -1,14 +1,14 @@
 {
   config,
   lib,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.websites.portfolio;
 in
 {
-  options.my.websites.portfolio = inputs.self.lib.mkServerOptions "portfolio" "portfolio" 0 lib;
+  options.my.websites.portfolio = setup.mkOptions "portfolio" "portfolio" 0;
   config.services.nginx.virtualHosts."danilo-reyes.com" = lib.mkIf cfg.enableProxy {
     forceSSL = true;
     enableACME = true;

modules/servers/prowlarr.nix

@@ -1,14 +1,14 @@
 {
   lib,
-  inputs,
   config,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.prowlarr;
 in
 {
-  options.my.servers.prowlarr = inputs.self.lib.mkServerOptions "prowlarr" "indexer" 9696 lib;
+  options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
   config = lib.mkIf cfg.enable {
     users.users.prowlarr = {
       group = "piracy";

modules/servers/qbittorrent.nix

@@ -1,8 +1,8 @@
 {
+  inputs,
   lib,
   config,
   pkgs,
-  inputs,
   ...
 }:
 let
@@ -36,6 +36,10 @@ let
         ;
     }
   );
+  torrentCompletionScript = pkgs.writeShellScript "qbit-torrent-completion" ''
+    chown jawz:piracy -R "$1"
+    chmod -R 775 "$1"
+  '';
 in
 {
   options.my.servers = {
@@ -50,6 +54,7 @@ in
     };
   };
   config = lib.mkIf (config.my.servers.qbittorrent.enable && config.my.secureHost) {
+    my.network.firewall.additionalPorts = [ config.my.servers.qbittorrent.port ];
     home-manager.users.jawz.xdg.dataFile.vuetorrent.source = vuetorrent;
     sops.secrets =
       let
@@ -72,7 +77,10 @@ in
         "unpackerr/radarr-api" = mkUnpackerrSecret;
       };
     systemd = {
-      packages = [ pkgs.qbittorrent-nox ];
+      packages = [
+        pkgs.qbittorrent-nox
+        torrentCompletionScript
+      ];
       services."qbittorrent-nox@jawz" = {
         enable = true;
         overrideStrategy = "asDropin";

modules/servers/radarr.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.radarr;
 in
 {
-  options.my.servers.radarr = inputs.self.lib.mkServerOptions "radarr" "movies" 7878 lib;
+  options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
   config = lib.mkIf cfg.enable {
     services.radarr = {
       inherit (cfg) enable;

modules/servers/readeck.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.readeck;
 in
 {
-  options.my.servers.readeck = inputs.self.lib.mkServerOptions "readeck" "laters" 9546 lib;
+  options.my.servers.readeck = setup.mkOptions "readeck" "laters" 9546;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets.readeck.sopsFile = ../../secrets/env.yaml;
     services.readeck = {

modules/servers/ryot.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.ryot;
 in
 {
-  options.my.servers.ryot = inputs.self.lib.mkServerOptions "ryot" "tracker" 8765 lib;
+  options.my.servers.ryot = setup.mkOptions "ryot" "tracker" 8765;
   config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
     sops.secrets.ryot.sopsFile = ../../secrets/env.yaml;
     virtualisation.oci-containers.containers.ryot = {

modules/servers/sabnzbd.nix

@@ -12,6 +12,7 @@ in
     };
   };
   config = lib.mkIf cfg.enable {
+    my.network.firewall.additionalPorts = [ cfg.port ];
     services.sabnzbd = {
       inherit (cfg) enable;
       group = "piracy";

modules/servers/shiori.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.shiori;
 in
 {
-  options.my.servers.shiori = inputs.self.lib.mkServerOptions "shiori" "bookmarks" 4368 lib;
+  options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368;
   config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
     sops.secrets.shiori.sopsFile = ../../secrets/env.yaml;
     services.shiori = {

modules/servers/sonarr.nix

@@ -1,14 +1,14 @@
 {
   lib,
   config,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.sonarr;
 in
 {
-  options.my.servers.sonarr = inputs.self.lib.mkServerOptions "sonarr" "series" 8989 lib;
+  options.my.servers.sonarr = setup.mkOptions "sonarr" "series" 8989;
   config.services.sonarr = lib.mkIf cfg.enable {
     inherit (cfg) enable;
     group = "piracy";

modules/servers/stash.nix

@@ -1,11 +1,11 @@
 {
   lib,
-  inputs,
   config,
   pkgs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.stash;
   cfgS = config.services.stash;
   stashPythonFHS = pkgs.buildFHSEnv {
@@ -28,7 +28,7 @@ let
   };
 in
 {
-  options.my.servers.stash = inputs.self.lib.mkServerOptions "stash" "xxx" 9999 lib;
+  options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets = {
       "stash/password".sopsFile = ../../secrets/secrets.yaml;

modules/servers/synapse.nix

@@ -1,11 +1,11 @@
 {
   lib,
-  inputs,
   config,
   pkgs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.synapse;
   cfgE = config.my.servers.element;
   domain = "wedsgk5ac2qcaf9yb.click";
@@ -19,8 +19,8 @@ let
 in
 {
   options.my.servers = {
-    synapse = inputs.self.lib.mkServerOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008 lib;
+    synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
-    element = inputs.self.lib.mkServerOptions "element" "55a608953f6d64c199" 5345 lib;
+    element = setup.mkOptions "element" "55a608953f6d64c199" 5345;
   };
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     my.servers = {
@@ -58,7 +58,7 @@ in
         ];
         settings = {
           server_name = cfg.domain;
-          public_baseurl = cfg.url;
+          public_baseurl = "http://${config.my.ips.wg-server}:${toString cfg.port}";
           federation_domain_whitelist = [ ];
           allow_public_rooms_without_auth = false;
           allow_public_rooms_over_federation = false;

modules/servers/tranga.nix

@@ -1,14 +1,14 @@
 {
   config,
   lib,
-  inputs,
   ...
 }:
 let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
   cfg = config.my.servers.tranga;
 in
 {
-  options.my.servers.tranga = inputs.self.lib.mkServerOptions "tranga" "tranga" 9555 lib;
+  options.my.servers.tranga = setup.mkOptions "tranga" "tranga" 9555;
   config = lib.mkIf cfg.enable {
     virtualisation.oci-containers.containers = {
       tranga-api = {

modules/servers/vaultwarden.nix

@@ -1,15 +1,15 @@
 {
   lib,
-  inputs,
   config,
   pkgs,
   ...
 }:
 let
   cfg = config.my.servers.vaultwarden;
+  setup = import ../factories/mkserver.nix { inherit lib config; };
 in
 {
-  options.my.servers.vaultwarden = inputs.self.lib.mkServerOptions "vaultwarden" "vault" 8222 lib;
+  options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
   config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
     sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml;
     services.vaultwarden = {

modules/shell/multimedia.nix

@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -24,7 +25,7 @@
       };
       gallery-dl = {
         enable = true;
-        settings = import ../../dotfiles/gallery-dl.nix;
+        settings = inputs.self.lib.importDotfile ../../dotfiles/gallery-dl.nix;
       };
       ${config.my.shell.type} = {
         initExtra = lib.mkAfter ''

modules/shell/tools.nix

@@ -106,8 +106,6 @@ in
         jq # json parser
         yq # yaml parser
         smartmontools # check hard drie health
-        ;
-      inherit (inputs.jawz-scripts.packages.x86_64-linux)
         rmlint # amazing dupe finder that integrates well with BTRFS
         ;
     };

modules/users/nixremote.nix

@@ -1,13 +1,18 @@
-{ lib, config, ... }:
+{
+  lib,
+  config,
+  inputs,
+  ...
+}:
 {
   options.my.users.nixremote = {
     enable = lib.mkEnableOption "nixremote user for distributed builds";
     authorizedKeys = lib.mkOption {
       type = lib.types.listOf lib.types.path;
-      default = [
+      default = inputs.self.lib.getSshKeys [
-        ../../secrets/ssh/ed25519_nixworkstation.pub
+        "nixworkstation"
-        ../../secrets/ssh/ed25519_nixserver.pub
+        "nixserver"
-        ../../secrets/ssh/ed25519_nixminiserver.pub
+        "nixminiserver"
       ];
       description = "List of SSH public key files to authorize for nixremote user";
     };

parts/core.nix

@@ -55,55 +55,6 @@ in
         |> builtins.attrNames
         |> builtins.filter (file: builtins.match ".*\\.nix" file != null && filterFn file)
         |> map (file: dir + "/${file}");
-      mkServerOptions = name: subdomain: port: lib: {
-        enable = lib.mkEnableOption "this server service";
-        enableCron = lib.mkEnableOption "enable cronjob";
-        enableProxy = lib.mkEnableOption "enable reverse proxy";
-        port = lib.mkOption {
-          type = lib.types.int;
-          default = port;
-        };
-        name = lib.mkOption {
-          type = lib.types.str;
-          default = name;
-        };
-        domain = lib.mkOption {
-          type = lib.types.str;
-          default = "servidos.lat";
-        };
-        host = lib.mkOption {
-          type = lib.types.str;
-          default = "${subdomain}.servidos.lat";
-        };
-        hostName = lib.mkOption {
-          type = lib.types.str;
-          default = "miniserver";
-        };
-        url = lib.mkOption {
-          type = lib.types.str;
-          default = "https://${subdomain}.servidos.lat";
-        };
-        ip = lib.mkOption {
-          type = lib.types.str;
-          default = "127.0.0.1";
-        };
-        local = lib.mkOption {
-          type = lib.types.str;
-          default = "http://127.0.0.1:${toString port}";
-        };
-        isLocal = lib.mkOption {
-          type = lib.types.bool;
-          default = true;
-        };
-        enableSocket = lib.mkOption {
-          type = lib.types.bool;
-          default = false;
-        };
-        certPath = lib.mkOption {
-          type = lib.types.nullOr lib.types.path;
-          default = null;
-        };
-      };
       proxy = locations: {
         inherit locations;
         forceSSL = true;
@@ -196,6 +147,7 @@ in
         shellType: bashContent: zshContent:
         if shellType == "bash" then { initExtra = bashContent; } else { initContent = zshContent; };
       mergeAliases = baseAliases: extraAliases: baseAliases // extraAliases;
+      importDotfile = path: import path;
       getServicesWithNativeFirewall =
         config: blacklist:
         config.my.servers
@@ -219,6 +171,47 @@ in
           |> lib.attrValues
           |> map (srv: srv.port)
         );
+      mkEnabled = name: {
+        inherit name;
+        value.enable = true;
+      };
+      mkEnabledWithProxy = name: {
+        inherit name;
+        value = {
+          enable = true;
+          enableProxy = true;
+        };
+      };
+      mkEnabledIp = ip: name: {
+        inherit name;
+        value = {
+          enable = true;
+          inherit ip;
+        };
+      };
+      enableList = func: list: list |> map func |> builtins.listToAttrs;
+      mkPostgresDependency = config: serviceName: displayName: {
+        assertion = config.my.servers.${serviceName}.enable -> config.my.servers.postgres.enable;
+        message = "${displayName} requires PostgreSQL to be enabled";
+      };
+      mkPostgresDependencies =
+        config: serviceMap:
+        serviceMap |> map (entry: inputs.self.lib.mkPostgresDependency config entry.service entry.name);
+      sshKeys = {
+        deacero = ../secrets/ssh/ed25519_deacero.pub;
+        workstation = ../secrets/ssh/ed25519_workstation.pub;
+        server = ../secrets/ssh/ed25519_server.pub;
+        miniserver = ../secrets/ssh/ed25519_miniserver.pub;
+        galaxy = ../secrets/ssh/ed25519_galaxy.pub;
+        phone = ../secrets/ssh/ed25519_phone.pub;
+        vps = ../secrets/ssh/ed25519_vps.pub;
+        emacs = ../secrets/ssh/ed25519_emacs.pub;
+        # Build user keys (nixremote)
+        nixworkstation = ../secrets/ssh/ed25519_nixworkstation.pub;
+        nixserver = ../secrets/ssh/ed25519_nixserver.pub;
+        nixminiserver = ../secrets/ssh/ed25519_nixminiserver.pub;
+      };
+      getSshKeys = keyNames: keyNames |> map (name: inputs.self.lib.sshKeys.${name});
     };
   };
 }