update: system update & refactor

# Breaking Changes
- sops location movod to "system/dev/<dev-name>/sops/sops-conf.nix"
- flake devices declaration changes
- whole flake update

system/dev/ahlap/default.nix

@@ -1,113 +0,0 @@
-{
-  username,
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  faceIcon = pkgs.fetchurl {
-    url = "https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRwExkFtlGxRWflUTcPCfneHSC8E0WuIWNbvkQ4-5_R8x4BXCYx";
-    hash = "sha256-OXP3iv7JOz/uhw4P90m54yY5j79gDBBVdoySFZmYAZY=";
-  };
-
-  monitors = [
-  ];
-in
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../modules/presets/basic.nix
-
-    # Nvidia GPU Driver
-    (import ../../modules/nvidia.nix {
-      nvidia-mode = "offload";
-      intel-bus-id = "PCI:0:2:0";
-      nvidia-bus-id = "PCI:59:0:0";
-    })
-
-    ./boot.nix # Extra Boot Options
-    ../../modules/gaming.nix
-    ../../modules/wine.nix
-    ../../modules/localsend.nix
-    (import ../../modules/airplay.nix { hostname = config.networking.hostName; })
-    # (import ../../modules/virtualization.nix { inherit username; })
-    # ../../modules/wireguard.nix
-  ];
-
-  home-manager = {
-    users."${username}" = {
-      imports = [
-        ../../../home/presets/basic.nix
-
-        {
-          home.file.".face" = {
-            source = lib.mkForce faceIcon;
-          };
-        }
-
-        # Hyprland
-        (import ../../../home/user/hyprland.nix { inherit monitors; })
-        {
-          wayland.windowManager.hyprland = {
-            settings = {
-              input = {
-                kb_options = lib.mkForce [ ];
-              };
-            };
-          };
-        }
-
-        (import ../../../home/user/waybar.nix {
-          settings = [
-            # monitor 1
-            {
-              output = "eDP-1";
-              modules-left = [
-                "custom/os"
-                "hyprland/workspaces"
-                "clock"
-                "custom/cava"
-                "mpris"
-              ];
-              modules-right = (
-                [
-                  "wlr/taskbar"
-                ]
-                ++ (
-                  if config.programs.gamemode.enable then
-                    [
-                      "custom/gamemode"
-                    ]
-                  else
-                    [ ]
-                )
-                ++ [
-                  # "custom/bitwarden"
-                  "custom/airplay"
-                  "custom/wallRand"
-                  "custom/recording"
-                  "idle_inhibitor"
-                  "network"
-                  "cpu"
-                  "memory"
-                  "pulseaudio"
-                  "custom/swaync"
-                ]
-              );
-            }
-          ];
-        })
-
-        # Git
-        (import ../../../home/user/git.nix {
-          inherit username;
-          email = "skyblocksians@gmail.com";
-        })
-      ];
-    };
-  };
-
-  users.users."${username}".openssh.authorizedKeys.keys = [
-  ];
-}

system/dev/dn-lap/common/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./boot.nix
+    ./hardware-configuration.nix
+  ];
+}

system/dev/dn-lap/default.nix

@@ -1,87 +1,39 @@
+{ hostname }:
 {
-  username,
   config,
   ...
 }:
 let
-  monitors = [
-    ''desc:LG Display 0x0665''
-  ];
+  username = "danny";
 in
 {
-  imports = [
-    ./hardware-configuration.nix
-    ./boot.nix
-    ./sops-conf.nix
-    ../../modules/printer.nix
-    ../../modules/presets/basic.nix
-    ../../modules/gaming.nix
-    ../../modules/virtualization.nix
-    ../../modules/wine.nix
-    ../../modules/wireguard.nix
-    (import ../../modules/airplay.nix { })
-    # ../../modules/battery-life.nix
-  ];
-
-  home-manager = {
-    users."${username}" = {
-      imports = [
-        ../../../home/presets/basic.nix
-        (import ../../../home/user/bitwarden.nix {
-          email = "danny@dn-server.net.dn";
-          baseUrl = "https://bitwarden.net.dn";
-        })
-
-        # Hyprland
-        (import ../../../home/user/hyprland.nix { inherit monitors; })
+  systemConf = {
+    inherit hostname username;
+    domain = "net.dn";
+    hyprland = {
+      enable = true;
+      monitors = [
         {
-          wayland.windowManager.hyprland = {
-            settings = {
-              monitor = [
-                ''desc:LG Display 0x0665, preferred, 0x0, 1.25''
-              ];
-            };
-          };
-
+          desc = "LG Display 0x0665";
+          output = "eDP-1";
+          props = "preferred, 0x0, 1.25";
         }
-
-        # waybar
-        (import ../../../home/user/waybar.nix {
-          settings = [
-            {
-              output = "eDP-1";
-              height = 46;
-              modules-left = [
-                "custom/os"
-                "hyprland/workspaces"
-                "clock"
-                "mpris"
-              ];
-              modules-right = [
-                "wlr/taskbar"
-                "temperature"
-                "custom/wallRand"
-                "custom/wireguard"
-                "custom/recording"
-                "idle_inhibitor"
-                "network"
-                "pulseaudio"
-                "battery"
-                "custom/swaync"
-              ];
-            }
-          ];
-        })
-
-        # Git
-        (import ../../../home/user/git.nix {
-          inherit username;
-          email = "danny10132024@gmail.com";
-        })
       ];
     };
   };
 
+  imports = [
+    ../../modules/presets/basic.nix
+    ./common
+    ./games
+    ./home
+    ./office
+    ./services
+    ./sops
+    ./utility
+    ./virtualisation
+  ];
+
   users.users."${username}".openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"

system/dev/dn-lap/games/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../../../modules/gaming.nix
+  ];
+}

system/dev/dn-lap/home/default.nix

@@ -0,0 +1,51 @@
+{ config, ... }:
+let
+  inherit (config.systemConf) username;
+in
+{
+  home-manager = {
+    users."${username}" = {
+      imports = [
+        ../../../../home/presets/basic.nix
+        (import ../../../../home/user/bitwarden.nix {
+          email = "danny@dn-server.net.dn";
+          baseUrl = "https://bitwarden.net.dn";
+        })
+
+        # waybar
+        (import ../../../../home/user/waybar.nix {
+          settings = [
+            {
+              output = "eDP-1";
+              height = 46;
+              modules-left = [
+                "custom/os"
+                "hyprland/workspaces"
+                "clock"
+                "mpris"
+              ];
+              modules-right = [
+                "wlr/taskbar"
+                "temperature"
+                "custom/wallRand"
+                "custom/wireguard"
+                "custom/recording"
+                "idle_inhibitor"
+                "network"
+                "pulseaudio"
+                "battery"
+                "custom/swaync"
+              ];
+            }
+          ];
+        })
+
+        # Git
+        (import ../../../../home/user/git.nix {
+          inherit username;
+          email = "danny10132024@gmail.com";
+        })
+      ];
+    };
+  };
+}

system/dev/dn-lap/office/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../../../modules/printer.nix
+  ];
+}

system/dev/dn-lap/services/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../../../modules/wireguard.nix
+  ];
+}

system/dev/dn-lap/sops/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./sops-conf.nix
+  ];
+}

system/dev/dn-lap/sops/secret.yaml

@@ -1,22 +1,26 @@
 wireguard:
     conf: ENC[AES256_GCM,data:GKUlc2K+pJCZHrasZtC/ql8ojYOyIqquOa6gTD3BycvCIU62OO0X0Zi1XW858AzQokHNd3vE+m18XPk1/am5I9FBc0+vGlVctNZgcPLKYObsxF40aZU+NU+Ip1wjNP/V6t0zyt6ur7R7Si9HePhZZqDEpdyBzR2Jjl8DrfC9NiRTVQaHw1D72yjwOGZCkeY7n8PRW9wW9UkzuJNmFHDxF4nUaeP3k3fpfLFEOVyyjvy8Ba995tVWOfJgkMng57VgIr36jzMXWlkpSTB06wWEIfgVpbQpzkFyxWwA4sxhMJfp4JvO3IvzUvkGn3W14Z/SVcg5km7q5aXff9m1/Srn,iv:Oxa377J9Wufm036iFcm+RvitNiWWNPXmUrm9BwrUfBo=,tag:kM4PR/u+j1RkET2Z7FTIPA==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
+        - recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkczZGckdvWVdlaFFxQmox
+            eWM5eGtoOHIvbTlEc0RnSVN1REVMSTBXZURrCktDeUxMZUY1cHRtKzRLTDNDUU9E
+            aldkcFZ2a0ZzUXdOSjZWeHVPZ1FJY1UKLS0tIGZZTlk4OWtZcERXME5YNk96cmc5
+            M3RPbkRxSFRXeEU5MFZxLzl4clpabDAKiCaiEKZwaCUGi6DRtzb786c8qB+EiiCn
+            YHrCvm5F72vAmDAozqtTjZM1Dt4yQDxPNMWKFyUzxY0TDpboGrgBHA==
+            -----END AGE ENCRYPTED FILE-----
         - recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ankwMFc5R3lRK2svRzBL
-            VVRUMjNRYisyRTNxM1hHeDNsbGVGT2hFUkEwCkpoVWR4MXVuWlJpZEt3eGJiYm5t
-            SUZubUJqSUEwNnk1K1RsWFVucmFoVEkKLS0tIFd1TitJMHNxc2xwWCtwWnJSWWhN
-            SnFxQ2Z0MVZ6Nm5oRy96TjFKR0Y3dEkKsT9FjBvrjUZCAx0XKb5Vj5I7VsJixdtf
-            LTNIAxt20mkyuddr6AaFFN8xsjz0TlwEQRgSGAmm3As2KGKohduMsQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SzNGcVFkSS93VnQyUlZw
+            YkM0U1BUTTF4ajY5VU5LOHpYbTBaYnBsUFZnCmx2a0R1VCtkcTUrT2VNMGRRc29H
+            R1hVSHNDSjlwdk1RUXZYdkpFeUFkY1EKLS0tIDdVdU92STZIN0JmK0ZPeldsYlRG
+            eWFnVWcrUVpRVDQveTloWk9LVm4yd28KppalVePvXwPks+2TKHqG8a+uZjpgQo3I
+            edhrdNan56Ly5mLFyXmGlww88nqQMTZq4DODtyfF4+rRlyv0i4AEEg==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-04-22T05:44:47Z"
     mac: ENC[AES256_GCM,data:DODaAnKe5ExNhXxfOq874bXGy44A3aw+KWnpeDr3OAbocVMvM0uE55r0x9JEbMakVWiDZq0SCP2K6XiTT74hX90tmwvl8jr9HYqAqscOZ75mRfc2NmZJRWuxJj6nA0U+4/A6dm2ftSXP09rH/WjKGpLObLbpOKQledM+U5Ggzjo=,iv:WEhgMOX+L471+ZrBicoBsJAlTxLl9Nc608SPJ3p6XpY=,tag:e/eKKmy4Z8+mC9Ixg0X6+A==,type:str]
-    pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4

system/dev/dn-lap/utility/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    (import ../../../modules/airplay.nix { })
+  ];
+}

system/dev/dn-lap/virtualisation/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ../../../modules/virtualization.nix
+    ../../../modules/wine.nix
+  ];
+}

system/dev/dn-pre7780/common/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./boot.nix
+    ./nvidia.nix
+    ./hardware-configuration.nix
+  ];
+}

system/dev/dn-pre7780/common/nvidia.nix

@@ -0,0 +1,16 @@
+{ lib, config, ... }:
+let
+  inherit (lib) mkForce;
+in
+{
+  imports = [
+    (import ../../../modules/nvidia.nix {
+      nvidia-mode = "offload";
+      intel-bus-id = "PCI:0:2:0";
+      nvidia-bus-id = "PCI:1:0:0";
+    })
+  ];
+
+  hardware.nvidia.package = mkForce config.boot.kernelPackages.nvidiaPackages.latest;
+  hardware.nvidia.open = mkForce true;
+}

system/dev/dn-pre7780/default.nix

@@ -1,19 +1,37 @@
+{ hostname }:
 {
+  self,
+  inputs,
   pkgs,
-  username,
   config,
   lib,
   ...
 }:
 let
-  inherit (lib) optionalString;
-  protonGEVersion = "10-15";
-  monitors = [
-    "desc:ASUSTek COMPUTER INC ASUS VG32VQ1B 0x00002271"
-    "desc:Acer Technologies XV272U V3 1322131231233"
-  ];
+  username = "danny";
 in
 {
+  systemConf = {
+    inherit hostname username;
+    domain = "net.dn";
+    enableHomeManager = true;
+    hyprland = {
+      enable = true;
+      monitors = [
+        {
+          desc = "ASUSTek COMPUTER INC ASUS VG32VQ1B 0x00002271";
+          output = "DP-6";
+          props = "2560x1440@165, 0x0, 1";
+        }
+        {
+          desc = "Acer Technologies XV272U V3 1322131231233";
+          output = "DP-5";
+          props = "2560x1440@180, -1440x-600, 1, transform, 1";
+        }
+      ];
+    };
+  };
+
   networking.firewall.allowedTCPPortRanges = [
     {
       from = 8000;
@@ -25,57 +43,15 @@ in
     }
   ];
 
-  hardware.nvidia.package = lib.mkForce config.boot.kernelPackages.nvidiaPackages.latest;
-  hardware.nvidia.open = lib.mkForce true;
-
   imports = [
-    ./boot.nix # Extra Boot Options
-    ./sops-conf.nix # Secret
-    ./nginx.nix
-    ./mail.nix
-    # (import ./netbird.nix {
-    #   domain = "pre7780.dn";
-    #   coturnPassFile = config.sops.secrets."netbird/coturn/password".path;
-    #   idpSecret = config.sops.secrets."netbird/oidc/secret".path;
-    #   dataStoreEncryptionKey = config.sops.secrets."netbird/dataStoreKey".path;
-    # })
-    ./hardware-configuration.nix
-
     ../../modules/presets/basic.nix
-    ../../modules/sunshine.nix
-
-    # Nvidia GPU Driver
-    (import ../../modules/nvidia.nix {
-      nvidia-mode = "offload";
-      intel-bus-id = "PCI:0:2:0";
-      nvidia-bus-id = "PCI:1:0:0";
-    })
-
-    ../../modules/gaming.nix
-    # ../../modules/secure-boot.nix
-    ../../modules/virtualization.nix
-    ../../modules/wine.nix
-    ../../modules/wireguard.nix
-    ../../modules/localsend.nix
-    (import ../../modules/airplay.nix { hostname = "pre7780"; })
-    (import ../../modules/rustdesk-server.nix {
-      relayHosts = [
-        "10.0.0.0/24"
-        "192.168.0.0/24"
-      ];
-    })
-
-    (import ../../modules/nextcloud.nix {
-      hostname = "nextcloud.pre7780.dn";
-      configureACME = true;
-      https = true;
-      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
-      trusted = [ "nextcloud.daccc.info" ];
-    })
-
-    ../../modules/davinci-resolve.nix
-    ../../modules/webcam.nix
-    ../../modules/postgresql.nix
+    ./common
+    ./games
+    ./home
+    ./services
+    ./sops
+    ./utility
+    ./virtualisation
   ];
 
   # Live Sync D
@@ -84,151 +60,9 @@ in
     ensureDatabases = [ "livesyncd" ];
   };
 
-  # Power Management
-  services.tlp = {
-    enable = true;
-    settings = {
-      INTEL_GPU_MIN_FREQ_ON_AC = 500;
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    rustdesk
-    ((blender.override { cudaSupport = true; }).overrideAttrs (prev: {
-      postInstall = ''
-        sed -i 's|Exec=blender %f|Exec=/run/current-system/sw/bin/nvidia-offload blender %f|' $out/share/applications/blender.desktop
-      '';
-    }))
+  users.users.${username}.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMj/LeB3i/vca3YwGNpAjf922FgiY2svro48fUSQAjOv Shortcuts on :D"
   ];
-
-  services.openssh = {
-    settings = {
-      UseDns = false;
-    };
-  };
-
-  users.users = {
-    ${username} = {
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMj/LeB3i/vca3YwGNpAjf922FgiY2svro48fUSQAjOv Shortcuts on :D"
-      ];
-    };
-  };
-
-  home-manager = {
-    users."${username}" = {
-      imports = [
-        ../../../home/presets/basic.nix
-
-        # Bitwarden client
-        (import ../../../home/user/bitwarden.nix {
-          email = "danny@net.dn";
-          baseUrl = "https://bitwarden.net.dn";
-        })
-
-        # waybar
-        (import ../../../home/user/waybar.nix {
-          settings = [
-            # monitor 1
-            {
-              output = "DP-6";
-              height = 48;
-              modules-left = [
-                "custom/os"
-                "hyprland/workspaces"
-                "clock"
-                "custom/cava"
-                "mpris"
-              ];
-              modules-right = [
-                "wlr/taskbar"
-                (optionalString config.programs.gamemode.enable "custom/gamemode")
-                "custom/bitwarden"
-                "custom/airplay"
-                "custom/wallRand"
-                "custom/wireguard"
-                "custom/recording"
-                "idle_inhibitor"
-                "network"
-                "cpu"
-                "memory"
-                "pulseaudio"
-                "custom/swaync"
-              ];
-            }
-            # monitor 2
-            {
-              output = "DP-5";
-              height = 54;
-              modules-left = [
-                "clock"
-                "mpris"
-              ];
-              modules-right = [
-                "wlr/taskbar"
-                "temperature"
-                "cpu"
-                "memory"
-                "pulseaudio"
-              ];
-            }
-          ];
-        })
-
-        # Hyprland
-        (import ../../../home/user/hyprland.nix { inherit monitors; })
-        ./hyprland.nix
-
-        # Git
-        (import ../../../home/user/git.nix {
-          inherit username;
-          email = "danny10132024@gmail.com";
-        })
-
-        # (import ../../../home/user/wallpaper-engine.nix {
-        #   monitorIdPairs = [
-        #     {
-        #       monitor = "DP-6";
-        #       id = "3050040845";
-        #     }
-        #     {
-        #       monitor = "DP-5";
-        #       id = "2665674743";
-        #     }
-        #   ];
-        # })
-      ];
-
-      home.file = {
-        # CS go
-        ".steam/steam/steamapps/common/Counter-Strike Global Offensive/game/csgo/cfg/autoexec.cfg".text = ''
-          fps_max "250"
-
-          # Wheel Jump
-          bind "mwheeldown" "+jump"
-          bind "mwheelup" "+jump"
-          bind "space" "+jump"
-
-          echo "AUTOEXEC LOADED SUCCESSFULLY!"
-          host_writeconfig
-        '';
-
-        # Proton GE
-        ".steam/root/compatibilitytools.d/GE-Proton${protonGEVersion}" = {
-          source = fetchTarball {
-            url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${protonGEVersion}/GE-Proton${protonGEVersion}.tar.gz";
-            sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm";
-          };
-        };
-        ".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = {
-          source = fetchTarball {
-            url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz";
-            sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz";
-          };
-        };
-      };
-    };
-  };
 }

system/dev/dn-pre7780/expr/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./netbird.nix
+  ];
+}

system/dev/dn-pre7780/expr/netbird.nix

@@ -9,6 +9,7 @@ let
   port = 51820;
 in
 {
+
   services.netbird = {
     server = {
       enable = true;

system/dev/dn-pre7780/expr/vm-settings.nix

@@ -0,0 +1,169 @@
+{
+  pkgs,
+  lib,
+  inputs,
+  system,
+}:
+let
+  vmList =
+    let
+      kubeMasterIP = "192.168.0.6";
+      kubeMasterHostname = "api.kube";
+      kubeMasterAPIServerPort = 6443;
+      kubeApi = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}";
+    in
+    {
+      # master
+      vm-1 = {
+        ip = "192.168.0.6";
+        mac = "02:00:00:00:00:01";
+        extraConfig = {
+          networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
+          environment.systemPackages = with pkgs; [
+            kompose
+            kubectl
+            kubernetes
+          ];
+
+          services.kubernetes = {
+            roles = [
+              "master"
+              "node"
+            ];
+
+            masterAddress = kubeMasterHostname;
+            apiserverAddress = kubeApi;
+            easyCerts = true;
+            apiserver = {
+              securePort = kubeMasterAPIServerPort;
+              advertiseAddress = kubeMasterIP;
+            };
+
+            addons.dns.enable = true;
+          };
+
+          systemd.services.link-kube-config = {
+            wantedBy = [ "multi-user.target" ];
+            serviceConfig = {
+              Type = "oneshot";
+              ExecStart = "${pkgs.writeShellScript "link-kube-config.sh" ''
+                target="/etc/kubernetes/cluster-admin.kubeconfig"
+                if [ -e "$target" ]; then
+                  [ ! -d "/root/.kube" ] && mkdir -p "/root/.kube"
+                  ln -sf $target /root/.kube/config
+                fi
+              ''}";
+            };
+          };
+        };
+      };
+      # Node
+      vm-2 = {
+        ip = "192.168.0.7";
+        mac = "02:00:00:00:00:02";
+        extraConfig = {
+          networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
+
+          environment.systemPackages = with pkgs; [
+            kompose
+            kubectl
+            kubernetes
+          ];
+
+          services.kubernetes = {
+            roles = [ "node" ];
+            masterAddress = kubeMasterHostname;
+            easyCerts = true;
+
+            kubelet.kubeconfig.server = kubeApi;
+            apiserverAddress = kubeApi;
+            addons.dns.enable = true;
+          };
+        };
+      };
+    };
+
+  mkMicrovm = name: value: {
+    hypervisor = "qemu";
+    vcpu = 4;
+    mem = 8192;
+    interfaces = [
+      {
+        type = "tap";
+        id = "${name}";
+        mac = value.mac;
+      }
+    ];
+    shares = [
+      {
+        tag = "ro-store";
+        source = "/nix/store";
+        mountPoint = "/nix/.ro-store";
+      }
+    ];
+  };
+in
+lib.mapAttrs' (
+  name: value:
+  lib.nameValuePair name (
+    lib.nixosSystem {
+      inherit system;
+      modules = [
+        inputs.microvm.nixosModules.microvm
+        value.extraConfig
+        {
+          microvm = mkMicrovm name value;
+          system.stateVersion = lib.trivial.release;
+          networking.hostName = name;
+          networking.domain = "kube";
+          networking.firewall.enable = false;
+          users.users.root.password = "";
+          services.getty.autologinUser = "root";
+
+          programs.fish.enable = true;
+          programs.bash = {
+            shellInit = ''
+              if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
+              then
+                shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
+                exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
+              fi
+            '';
+          };
+
+          systemd.network.enable = true;
+          systemd.network.networks."20-lan" = {
+            matchConfig.Type = "ether";
+            networkConfig = {
+              Address = [ "${value.ip}/24" ];
+              Gateway = "192.168.0.1";
+              DNS = [ "192.168.0.1" ];
+              DHCP = "no";
+            };
+          };
+
+          systemd.services.br-netfilter = {
+            wantedBy = [ "multi-user.target" ];
+            serviceConfig = {
+              ExecStart = "/run/current-system/sw/bin/modprobe br_netfilter";
+            };
+          };
+
+          environment.systemPackages = with pkgs; [
+            dig.dnsutils
+            openssl
+
+            fishPlugins.done
+            fishPlugins.fzf-fish
+            fishPlugins.forgit
+            fishPlugins.hydro
+            fzf
+            fishPlugins.grc
+            grc
+            git
+          ];
+        }
+      ];
+    }
+  )
+) vmList

system/dev/dn-pre7780/expr/vm.nix

@@ -0,0 +1,44 @@
+self: {
+  networking.useNetworkd = true;
+  systemd.network.enable = true;
+  systemd.network.networks."10-lan" = {
+    matchConfig.Name = [
+      "enp0s31f6"
+      "vm-*"
+    ];
+    networkConfig = {
+      Bridge = "br0";
+    };
+  };
+
+  systemd.network.netdevs."br0" = {
+    netdevConfig = {
+      Name = "br0";
+      Kind = "bridge";
+    };
+  };
+
+  systemd.network.networks."10-lan-bridge" = {
+    matchConfig.Name = "br0";
+    networkConfig = {
+      Address = [ "192.168.0.5/24" ];
+      Gateway = "192.168.0.1";
+      DNS = [ "192.168.0.1" ];
+    };
+
+    linkConfig.RequiredForOnline = "routable";
+  };
+
+  microvm.vms = {
+    vm-1 = {
+      flake = self;
+      updateFlake = "git+file:///etc/nixos";
+      autostart = false;
+    };
+    vm-2 = {
+      flake = self;
+      updateFlake = "git+file:///etc/nixos";
+      autostart = false;
+    };
+  };
+}

system/dev/dn-pre7780/games/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ../../../modules/gaming.nix
+    ./game.nix
+  ];
+}

system/dev/dn-pre7780/games/game.nix

@@ -0,0 +1,59 @@
+{
+  pkgs,
+  pkgs-stable,
+  config,
+  inputs,
+  ...
+}:
+let
+  protonGEVersion = "10-15";
+  # ==== Needed for special import ==== #
+  shadps4-7 = pkgs.shadps4.overrideAttrs (_: rec {
+    version = "0.7.0";
+    src = pkgs.fetchFromGitHub {
+      owner = "shadps4-emu";
+      repo = "shadPS4";
+      rev = "v.${version}";
+      hash = "sha256-g55Ob74Yhnnrsv9+fNA1+uTJ0H2nyH5UT4ITHnrGKDo=";
+      fetchSubmodules = true;
+    };
+  });
+in
+{
+  environment.systemPackages = [
+    pkgs-stable.shadps4
+  ];
+
+  home-manager = {
+    users."${config.systemConf.username}" = {
+      home.file = {
+        # CS go
+        ".steam/steam/steamapps/common/Counter-Strike Global Offensive/game/csgo/cfg/autoexec.cfg".text = ''
+          fps_max "250"
+
+          # Wheel Jump
+          bind "mwheeldown" "+jump"
+          bind "mwheelup" "+jump"
+          bind "space" "+jump"
+
+          echo "AUTOEXEC LOADED SUCCESSFULLY!"
+          host_writeconfig
+        '';
+
+        # Proton GE
+        ".steam/root/compatibilitytools.d/GE-Proton${protonGEVersion}" = {
+          source = fetchTarball {
+            url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${protonGEVersion}/GE-Proton${protonGEVersion}.tar.gz";
+            sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm";
+          };
+        };
+        ".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = {
+          source = fetchTarball {
+            url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz";
+            sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz";
+          };
+        };
+      };
+    };
+  };
+}

system/dev/dn-pre7780/home/default.nix

@@ -0,0 +1,74 @@
+{ config, lib, ... }:
+let
+  inherit (lib) optionalString;
+  inherit (config.systemConf) username;
+in
+{
+  home-manager.users."${username}" = {
+    imports = [
+      ../../../../home/presets/basic.nix
+      ./wm
+
+      # Bitwarden client
+      (import ../../../../home/user/bitwarden.nix {
+        email = "danny@net.dn";
+        baseUrl = "https://bitwarden.net.dn";
+      })
+
+      # waybar
+      (import ../../../../home/user/waybar.nix {
+        settings = [
+          # monitor 1
+          {
+            output = "DP-6";
+            height = 48;
+            modules-left = [
+              "custom/os"
+              "hyprland/workspaces"
+              "clock"
+              "custom/cava"
+              "mpris"
+            ];
+            modules-right = [
+              "wlr/taskbar"
+              (optionalString config.programs.gamemode.enable "custom/gamemode")
+              "custom/bitwarden"
+              "custom/airplay"
+              "custom/wallRand"
+              "custom/wireguard"
+              "custom/recording"
+              "idle_inhibitor"
+              "network"
+              "cpu"
+              "memory"
+              "pulseaudio"
+              "custom/swaync"
+            ];
+          }
+          # monitor 2
+          {
+            output = "DP-5";
+            height = 54;
+            modules-left = [
+              "clock"
+              "mpris"
+            ];
+            modules-right = [
+              "wlr/taskbar"
+              "temperature"
+              "cpu"
+              "memory"
+              "pulseaudio"
+            ];
+          }
+        ];
+      })
+
+      # Git
+      (import ../../../../home/user/git.nix {
+        inherit username;
+        email = "danny10132024@gmail.com";
+      })
+    ];
+  };
+}

system/dev/dn-pre7780/home/wm/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./hyprland.nix
+  ];
+}

system/dev/dn-pre7780/home/wm/hyprland.nix

@@ -1,6 +1,6 @@
 { pkgs, ... }:
 let
-  memeSelector = pkgs.callPackage ../../../home/scripts/memeSelector.nix {
+  memeSelector = pkgs.callPackage ../../../../../home/scripts/memeSelector.nix {
     url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/";
   };
 in
@@ -11,10 +11,6 @@ in
 
   wayland.windowManager.hyprland = {
     settings = {
-      monitor = [
-        ''desc:ASUSTek COMPUTER INC ASUS VG32VQ1B 0x00002271, 2560x1440@165, 0x0, 1''
-        ''desc:Acer Technologies XV272U V3 1322131231233, 2560x1440@180, -1440x-600, 1, transform, 1''
-      ];
       misc = {
         vrr = 0;
       };

system/dev/dn-pre7780/services/default.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    ../../../modules/postgresql.nix
+    ./mail.nix
+    ./nginx.nix
+    ./wireguard.nix
+    # ./netbird.nix
+  ];
+}

system/dev/dn-pre7780/services/mail.nix

@@ -1,4 +1,7 @@
-{ config, ... }:
+{
+  config,
+  ...
+}:
 let
   domain = "daccc.info";
   fqdn = "mx1.daccc.info";
@@ -6,7 +9,7 @@ in
 {
   networking.firewall.allowedTCPPorts = [ 8080 ];
   imports = [
-    (import ../../modules/stalwart.nix {
+    (import ../../../modules/stalwart.nix {
       inherit domain;
 
       enableNginx = false;
@@ -30,9 +33,10 @@ in
       };
       ldapConf = {
         type = "ldap";
-        url = "ldap://10.0.0.1:389";
+        url = "ldaps://ldap.net.dn";
+        tls.enable = true;
         timeout = "30s";
-        base-dn = "dc=net,dc=dn";
+        base-dn = "ou=people,dc=net,dc=dn";
         attributes = {
           name = "uid";
           email = "mail";
@@ -44,28 +48,18 @@ in
           class = "objectClass";
         };
         filter = {
-          name = "(&(objectClass=inetOrgPerson)(uid=?))";
+          name = "(&(objectClass=inetOrgPerson)(|(uid=?)(mail=?)))";
           email = "(&(objectClass=inetOrgPerson)(mail=?))";
         };
         bind = {
           dn = "cn=admin,dc=net,dc=dn";
           secret = "%{file:${config.sops.secrets."stalwart/ldap".path}}%";
           auth = {
-            method = "lookup";
+            method = "default";
           };
         };
       };
-      oidcConf = {
-        type = "oidc";
-        timeout = "1s";
-        endpoint.url = "https://keycloak.net.dn/realms/master/protocol/openid-connect/userinfo";
-        endpoint.method = "userinfo";
-        fields = {
-          email = "email";
-          username = "preferred_username";
-          full-name = "name";
-        };
-      };
     })
   ];
+
 }

system/dev/dn-pre7780/services/netbird.nix

@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  imports = [
+    (import ../expr/netbird.nix {
+      domain = "pre7780.dn";
+      coturnPassFile = config.sops.secrets."netbird/coturn/password".path;
+      idpSecret = config.sops.secrets."netbird/oidc/secret".path;
+      dataStoreEncryptionKey = config.sops.secrets."netbird/dataStoreKey".path;
+    })
+  ];
+}

system/dev/dn-pre7780/services/nginx.nix

@@ -9,9 +9,11 @@
     acceptTerms = true;
     defaults = {
       validMinDays = 2;
+      webroot = null;
       server = "https://ca.net.dn/acme/acme/directory";
       renewInterval = "daily";
-      email = "danny@net.dn";
+      email = "danny@pre7780.dn";
+      dnsResolver = "10.0.0.1:53";
       dnsProvider = "pdns";
       dnsPropagationCheck = false;
       environmentFile = config.sops.secrets."acme/pdns".path;

system/dev/dn-pre7780/services/wireguard.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../../../modules/wireguard.nix
+  ];
+}

system/dev/dn-pre7780/sops/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./sops-conf.nix
+  ];
+}

system/dev/dn-pre7780/sops/secret.yaml

@@ -15,13 +15,17 @@ stalwart:
     dkimKey: ENC[AES256_GCM,data:oi+XvZ9hMMsgMtFnGPMbVBGagkwQzcPQDi1b0Zd54615V5yuOLHZxpLT5Z3LYlCOQmOcrCaIwn8lQKIZbAuAq6HDUVlNabjgnHeoq3XRIvcswO/B9pljL/22JCZleSrWSBh+WE+RwQIcqUIr0eNerXCUaAQLTE8lYn6mJMa/OoHJJ3R498OGyM/8rbuIMfKj5eqJnctsd9lRWeNmiq7hpQKJ8syLXMsRM9y79NJTPGJrIAJ/5F8SfUJ256/S2N25Cq61pkaXWxTcZzXFgAGU/sa3zsY86BRwEnFEVRMnygJWrVZW/ABYgRjL99r6OBQM8WTFpE8cK9GZTpylTm+QCS9lHsAA2rnUfLTs/09z41klbGSAu5jfokM5jhyFIjmDm9h3hEk4l0F4KTWgQ7avWqGVx4yVPktrVS6eh6W7+I0V6BOUhzH0Pp9xXWwhbFrMPYAYK5MQSLAS5nd3RCQWrxZwWh//ATiWdngUeWPyObxXSTmoV254k230sT39jQmqmTK5zIkOBvokPps9q3nPq1i3UIkSAXo0ZWI+GHiL1rnzJkMMGViugJdGEwUf8nWlYMcYkHmDRUZam6DIxzkf5svtd+kbDTxRa4GzeJrOYizgwDGpD5vRA9u8i7MYBS1Rhw3UVqZ9gkjtv8mqoOkDqVnHVnS2UPtsircecvjHmhu4Tq4hn8phX3F+2I8lhXUIalzPng5zjPGNUcDT+SoCbNeHuSWDDmMYQtzM3/xwae9quP9FXhr9IGGygmFUPGsl3cuxSJ3+Cq9/Hhd7bnTYnxYfv781qTmZsFclMUWNxUJQWLJ+5BQz6u1zW64wh+5SHUGrw7CHFsdgNAKv7YN+GJMNTHOjZr9RTL9R8opDm8Iho5IyQjMP401+DY30mOCq03WKJiC8qehgoaH16ssNV6ZuoHldu2N6JKmiwywgTRq8zQEo8jPnro772CQ9Tg0/5PnkhdlLdphDEIp60IbM+XWqMNwHY57fm6U+81PcgtsoRmI5OklrrhQjv+1aRgz0vRM80FOHMv7kxgEdNkb1x15B4g0ocBXEdLuxJEVaW4uWlP9EIivXOWwaPZf1QjT8ISuUQlFMXvtNj/V3SraW3K1bErJL5JnI16z803kdoAqYijf3IrRK49SKoCq6B2V8yo8iCRod2GFt1P3ADKb/uvJ6iCBSlFRFwiJYr8qu7TPXFCpsoySEmr1edBQdAkzXxFZLDMczHq2BzUo2RPfwtDubG1GMWxzrbZ1T6N3j1+GXiyTX7XuKdpSpFlXtPuJcCIrX4D4xnjv1SqqXEcKJO9oUcdMK6+Eem7wtVDBDDYpWellT+bLmtouvdEgjYE8VG5UGJJ5NpYoJAce9c7RE5/ozuvUH+uMfqfb8igZQlBMl6hbqO7j8m11i+ijS9T6Wu2DCSVIqqBHu8bouz1vyfq8l/whJCl1BkaZtiE5+NLkHoYSOuXGtVvEuXwMhvCWdnkxJtHZxxXQuCcBcVkD9Edg0YTslGv+XUvaYRlfZUqypqYZ9zJ21en9XPK3zafZ5gRLdY0xhXN4OKbGrXXL4cm5jfroTeez9iIL4fJGcA80PRHUGoLfK7ht2z0Lq3U91F4jz5KEhbaDtWDcMryr1Bwb6UXgLrezNM290g8J3GpXLBAdvqDXK79jSdPNqptGYt++VDeCdtA+P3z9K6aMWZzPURkLXxZ1bWy5YXP03MIkUpZWsc5lQmccUiyFe/Y+d9RSAZClmVxsQAY5y90d42EhkrOag06geziV9aaxgr57LdoPJQabD48bIbFFvimhV2DS3Gf/7gFtCXlm9oZiIqSHG+1TMKRp8XVwn6f70d76/Ba5Uiu0EX8V2x0Dsnin6GGynMBFCPKPXssHRe71SfRVxPJrzlLjtfTdPuzW5Q2k/U//z9SWd6Ao3+mzsbTC8MAYGeIzeE4GdsTs4ViEQWg5sSMSfjeKOFfgpTQi20LGomjF4gtTfnchEUBcUAarV6+hT/inYG2SlglyWwr2+LE3Ua5FWRXsZu4tBHcfE0axIb6Ju5KeogPVPo6cNoJCR2XLPNQakB9ONniCxPTW6zOx8h/A2UeIWMgbAn/jNYdd4kFu1IWBAQaZg5kSg1KmSAtnKgFmhb8A0Ope8h5fKfdX5tf0ulW0bjBz+rqNf2FQwcB/ScuEc65LSX+b0bzvIILuZfSRytFQpaQ4svjjA6mP4VIRoPRkkRl+gTEO+Ue4No4VZGE9+YdRFZ7OmtH6S1e5vu1rBiLuTVayHjuSWRu0OmxDiErP6uXPy8Q==,iv:Q5g9kxJKEKLHge2mcgk/UnTNMDFjzeLFLNjlY8KWe60=,tag:yL03NWRK2whOxNjcR3cPyA==,type:str]
     ldap: ENC[AES256_GCM,data:ygOPMCNIxvWxE9dPBeKGbA==,iv:t+p1/vjEZNDTw7LcaitzYv2xCPtlf/mmQhqXT1OFKXs=,tag:uPYp259FHZu5fut+Bc9eSA==,type:str]
 acme:
-    pdns: ENC[AES256_GCM,data:+InGSnaGIFVtDRlVltzWbZfquzodHUQrPeMRBnVNB9mrajlKr5dFK6DD8dXAvN7UjZFBfrgZefOPkmLR2ncLXGOV2Kl7jorVw50Y0f0iKl7mqwHaZKaQdk7cpGDkCrt/LvfbP9x7gVrs6pQpsU+c/P5rbBLRyejchh/WtiyzgowYIJxYohggeG09+l7YI3FR6U5wiymIRISpNBGEhwG0q17qdAhdtc49qP/K,iv:JcSlxAwHwU528S7iSpAnSbUZw7iO+LMjR3qGwRHp+Zk=,tag:twf2WOQb/yZ3GtN/hlikMA==,type:str]
+    pdns: ENC[AES256_GCM,data:eKnahc8HWboYCUpBuEUrdCMhN8A2N2VN0wrmzcyU2OfMeQaswIYSWV4sBzUbj/pono8PaVxK1FBKsn+Ycd4Y6tcxsAkbPfnPkOsbe0FJpz4t9RFLJBLw3U0YTE/TaURiDYipHnvPGYgyq3AziH/xa4WXZxLHGI0x+a/y3PpWy37rT87DWUT2kktPshdO7Mbwn7nSC78WByXmyaUMkT74Sc0FNmCgfijrHk/ATXGb,iv:y3eRZXFbqqf4VuuqHHYdIoiEa1zqRU1XIlEqooJ28lU=,tag:2bIALJFGZyIZT7fyo/y5Nw==,type:str]
 cloudflare:
     secret: ENC[AES256_GCM,data:tritGdt3bWm/YtfdF2kO8qIBisa2rGF9/Dpl8R79e6REe//YKZFqFg==,iv:UG53JZ55+gDCPJzKjbVaWnpgOdvqcRoDUg8ef9xOV9A=,tag:JD3s28dsA9G2fqtz4soATA==,type:str]
 netbird:
     oidc:
         secret: ENC[AES256_GCM,data:hSVMUEBL0kCvRLD3zd57SLhNIAFOR4eaJPcIIIIUJng=,iv:VhfseftQNlXSDCWuaYQUIklMUCkUbChyWbJl3qgD75M=,tag:vbqov0VgA0XNZfzcr3FZgA==,type:str]
     dataStoreKey: ENC[AES256_GCM,data:vV2wgo5qFS+DC1NmOjVddZW9HAsRMpUFH+t/70iQ3A5YXkhbWoCeSxZDyAg=,iv:tKqh28qj8gqHfcb44Ej731w6NKi29X4iEwIOQ4ZcCzA=,tag:ObAxVrUctm6pbmXSQw7j5w==,type:str]
+crowdsec:
+    lapi.yaml: ENC[AES256_GCM,data:BpDlz/liFYVZTA66TMWDifGfT4R9l0W9/LOU33rrPVC4YKeFbB1gIxqkUOEDl8fxsou5Jx/MQivyz90lE8yxbcGV/Zzx4ZJaHN+jz6mfM6mADEWp/nUcfO9tECijOhPPYt/8aE3py38NlFZuafZ2CwdL7RmDX7YCjpiIYxXaIjSv61WPD1SLkOkusnoA7bJZ2xmJ/dfEMXEA4LCCOfGQ,iv:922rrz94pD3/R1kGlQyIFkoq/fRSyxaIQ5qllldQMCY=,tag:AAPlwiQP4KMzHZmcMH76AQ==,type:str]
+    capi.yaml: ENC[AES256_GCM,data:UuBESeHfKEPSIzP7RPNES0BVWwJsmPqLP3QJbAeAcm6eQ3sRzUSrVxY8A2yoiLD2lnuJPy2BbYHJpBR7VSfs7oUCc7LljgAp1uB2GH1y8YE46xJLo0TDp873bZJdcsO00ozsbtmWlGWJm7HLrzIUEe0mAjBzZeXe1WDJByGeVqupNLwpXSMaos2ktHjXA6hTGAdE5iIxBAXI6qjldWjRnlqE,iv:hZ2nUaOipU7Top0vsn23yU0XWP9SKcoj85xFo5hD/mU=,tag:32E2o+FOJXM9aMnLQA6KYA==,type:str]
+    consoleToken: ENC[AES256_GCM,data:Q6QWWwcvLd8+ddwPMBzyB+X4gh8I53qSLA==,iv:JD48L59nQYttglAfuKL/lNBzWgBfj01rkIeP8pqmo70=,tag:6cxsQViDGuzjScKkBuO4Bw==,type:str]
 sops:
     age:
         - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
@@ -33,7 +37,7 @@ sops:
             MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
             lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-01T05:31:13Z"
-    mac: ENC[AES256_GCM,data:a3CkOEZUYSeRa6Zj+2EQnusgkOu2xHvGXhW9Pr5ny9sEiUF+S9jLQeS9vZpDNnQc5F/BRf/r0K7BTSwyoaAGZn3vsm3ruTGpajqV43Ji8PzG8BEApV0USwAn+gM8K4mMAEU9AjiqQ6k4Zf/dbYzv/rDtxVTdSbwcpM8KjIBv//Q=,iv:aCk+M3wigrbhCEHtf1K9vwByIYnTxBi7VD1XEIYgiL8=,tag:PtJN8KlPZbed0bgEcgSY0w==,type:str]
+    lastmodified: "2025-10-13T06:51:06Z"
+    mac: ENC[AES256_GCM,data:1+X8f7lPwN+ELJ4DmkTN71Kzvvh4V3yiMilOOnz4NCqLRPdtpiQQz8W4VXkOkBONV5816IOCU2Br4kiQnPAkPEiwpJZzWQItqomZTp4gErSGmmMpVf2lbCRfsU2Eg1tgAaS1ZRQx8/o1vSIJtoPVKiqYdYSsNDx2zbafWqn9+Rk=,iv:uZ4BWoJB6LazGy+RAzdhB8uUCSa109R4TdE6PguryR8=,tag:5G0GRihPQKl9n/fJjZr/Jw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

system/dev/dn-pre7780/sops/sops-conf.nix

@@ -10,17 +10,8 @@ in
         owner = "nextcloud";
         group = "nextcloud";
       };
-      "openldap/adminPassword" = mkIf config.services.openldap.enable {
-        owner = config.users.users.openldap.name;
-        group = config.users.users.openldap.group;
-        mode = "0660";
-      };
+
       "lam/env" = { };
-      "dovecot/openldap" = mkIf (config.services.postfix.enable && config.services.openldap.enable) {
-        owner = config.services.dovecot2.user;
-        group = config.services.dovecot2.group;
-        mode = "0660";
-      };
 
       "netbird/oidc/secret" = mkIf config.services.netbird.server.dashboard.enable {
         owner = "netbird";
@@ -36,6 +27,18 @@ in
       "acme/pdns" = mkIf (hasAttr "acme" config.users.users) {
         owner = "acme";
       };
+      "crowdsec/lapi.yaml" = mkIf config.services.crowdsec.enable {
+        owner = "crowdsec";
+        mode = "0600";
+      };
+      "crowdsec/capi.yaml" = mkIf config.services.crowdsec.enable {
+        owner = "crowdsec";
+        mode = "0600";
+      };
+      "crowdsec/consoleToken" = mkIf config.services.crowdsec.enable {
+        owner = "crowdsec";
+        mode = "0600";
+      };
     }
     // (optionalAttrs config.services.stalwart-mail.enable (
       let

system/dev/dn-pre7780/utility/airplay.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    (import ../../../modules/airplay.nix { hostname = "pre7780"; })
+  ];
+}

system/dev/dn-pre7780/utility/blender.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    rustdesk
+    ((blender.override { cudaSupport = true; }).overrideAttrs (prev: {
+      postInstall = ''
+        sed -i 's|Exec=blender %f|Exec=/run/current-system/sw/bin/nvidia-offload blender %f|' $out/share/applications/blender.desktop
+      '';
+    }))
+  ];
+}

system/dev/dn-pre7780/utility/davinci-resolve.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../../../modules/davinci-resolve.nix
+  ];
+}

system/dev/dn-pre7780/utility/default.nix

@@ -0,0 +1,8 @@
+{
+  imports = [
+    ../../../modules/localsend.nix
+    ./airplay.nix
+    ./davinci-resolve.nix
+    ./blender.nix
+  ];
+}

system/dev/dn-pre7780/virtualisation/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ../../../modules/virtualization.nix
+    ../../../modules/wine.nix
+  ];
+}

system/dev/dn-server/common/default.nix

@@ -0,0 +1,14 @@
+{
+  imports = [
+    ../../../modules/presets/minimal.nix
+    ../../../modules/bluetooth.nix
+    ../../../modules/gc.nix
+    ../../../modules/stylix.nix
+    ../../../modules/postgresql.nix
+    ./backup.nix
+    ./boot.nix
+    ./hardware-configuration.nix
+    ./networking.nix
+    ./nvidia.nix
+  ];
+}

system/dev/dn-server/common/hardware-configuration.nix

@@ -4,7 +4,6 @@
 {
   config,
   lib,
-  pkgs,
   modulesPath,
   ...
 }:

system/dev/dn-server/common/networking.nix

@@ -2,18 +2,11 @@
 with lib;
 {
   networking = {
-    domain = "net.dn";
     networkmanager = {
       enable = true;
       insertNameservers = mkForce [ "127.0.0.1" ];
     };
     enableIPv6 = true;
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        443
-        80
-      ];
-    };
+    firewall.enable = true;
   };
 }

system/dev/dn-server/common/nvidia.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    (import ../../../modules/nvidia.nix {
+      nvidia-mode = "offload";
+      intel-bus-id = "PCI:0:2:0";
+      nvidia-bus-id = "PCI:1:0:0";
+    })
+  ];
+}

system/dev/dn-server/default.nix

@@ -1,157 +1,33 @@
+{ hostname }:
 {
   pkgs,
   lib,
   inputs,
   system,
-  username,
   config,
   ...
 }:
 let
-  inherit (lib) optionalAttrs;
-  inherit (builtins) toString;
+  username = "danny";
 in
 {
+  systemConf = {
+    inherit hostname username;
+    domain = "net.dn";
+    hyprland.enable = false;
+  };
+
   imports = [
-    (import ../../modules/nvidia.nix {
-      nvidia-mode = "offload";
-      intel-bus-id = "PCI:0:2:0";
-      nvidia-bus-id = "PCI:1:0:0";
-    })
-    ./backup.nix
-    ./security.nix
-    ./sops-conf.nix
-    ./boot.nix
-    ./hardware-configuration.nix
-    ./networking.nix
-    ./services.nix
-    ./nginx.nix
-    ./step-ca.nix
-    ./atticd.nix
-    ../../modules/presets/minimal.nix
-    ../../modules/bluetooth.nix
-    ../../modules/gc.nix
-    ../../modules/mail-server
-    ../../modules/stylix.nix
-    (import ../../modules/paperless-ngx.nix {
-      domain = "paperless.net.dn";
-      passwordFile = config.sops.secrets."paperless/adminPassword".path;
-    })
-    (import ../../modules/prometheus.nix {
-      fqdn = "metrics.net.dn";
-      selfMonitor = true;
-      configureNginx = true;
-      scrapes = [
-        (optionalAttrs config.services.pdns-recursor.enable {
-          job_name = "powerdns_recursor";
-          static_configs = [
-            {
-              targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ];
-            }
-          ];
-        })
-      ];
-    })
-    (import ../../modules/actual {
-      fqdn = "actual.net.dn";
-    })
-    (import ../../modules/nextcloud.nix {
-      hostname = "nextcloud.net.dn";
-      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
-      trusted = [ "nextcloud.daccc.info" ];
-    })
-    (import ../../modules/vaultwarden.nix {
-      domain = "bitwarden.net.dn";
-    })
-    (import ../../modules/grafana.nix {
-      domain = "grafana.net.dn";
-      passFile = config.sops.secrets."grafana/password".path;
-      smtpHost = config.mail-server.domain;
-      smtpDomain = config.mail-server.domain;
-      extraSettings = {
-        "auth.generic_oauth" =
-          let
-            OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect";
-          in
-          {
-            enabled = true;
-            allow_sign_up = true;
-            client_id = "grafana";
-            client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}'';
-            scopes = "openid email profile offline_access roles";
-            email_attribute_path = "email";
-            login_attribute_path = "username";
-            name_attribute_path = "full_name";
-            auth_url = "${OIDCBaseUrl}/auth";
-            token_url = "${OIDCBaseUrl}/token";
-            api_url = "${OIDCBaseUrl}/userinfo";
-            role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
-          };
-      };
-    })
-    ../../modules/postgresql.nix
+    ./common
+    ./home
+    ./network
+    ./nix
+    ./security
+    ./services
+    ./sops
   ];
 
   environment.systemPackages = with pkgs; [
     openssl
   ];
-
-  mail-server = {
-    enable = true;
-    configureACME = true;
-    mailDir = "~/Maildir";
-    caFile = "" + ../../extra/ca.crt;
-    virtualMailDir = "/var/mail/vhosts";
-    domain = "net.dn";
-    rootAlias = "${username}";
-    networks = [
-      "127.0.0.0/8"
-      "10.0.0.0/24"
-    ];
-    virtual = ''
-      admin@net.dn ${username}@net.dn
-      postmaster@net.dn ${username}@net.dn
-    '';
-    openFirewall = true;
-    oauth = {
-      passwordFile = config.sops.secrets."oauth/password".path;
-    };
-    ldap = {
-      passwordFile = config.sops.secrets."ldap/password".path;
-      webEnv = config.sops.secrets."ldap/env".path;
-    };
-    rspamd = {
-      trainerSecret = config.sops.secrets."rspamd-trainer".path;
-    };
-  };
-
-  home-manager = {
-    users."${username}" = {
-      imports = [
-        ../../../home/user/config.nix
-        ../../../home/user/direnv.nix
-        ../../../home/user/environment.nix
-        ../../../home/user/nvf
-        ../../../home/user/shell.nix
-        ../../../home/user/tmux.nix
-        ../../../home/user/yazi.nix
-        {
-          home.packages = with pkgs; [
-            inputs.ghostty.packages.${system}.default
-            (python3.withPackages (
-              p: with p; [
-                pip
-              ]
-            ))
-          ];
-        }
-
-        # Git
-        (import ../../../home/user/git.nix {
-          inherit username;
-          email = "danny10132024@gmail.com";
-        })
-      ];
-    };
-  };
 }

system/dev/dn-server/home/default.nix

@@ -0,0 +1,34 @@
+{
+  inputs,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (config.systemConf) username;
+in
+{
+  home-manager = {
+    users."${username}" = {
+      imports = [
+        ../../../../home/user/config.nix
+        ../../../../home/user/direnv.nix
+        ../../../../home/user/environment.nix
+        ../../../../home/user/nvf
+        ../../../../home/user/shell.nix
+        ../../../../home/user/yazi.nix
+        {
+          home.packages = with pkgs; [
+            inputs.ghostty.packages.${system}.default
+          ];
+        }
+
+        # Git
+        (import ../../../../home/user/git.nix {
+          inherit username;
+          email = "danny10132024@gmail.com";
+        })
+      ];
+    };
+  };
+}

system/dev/dn-server/network/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./nginx.nix
+    ./services.nix
+    ./step-ca.nix
+  ];
+}

system/dev/dn-server/network/services.nix

@@ -1,11 +1,10 @@
 {
   config,
   lib,
-  username,
   ...
 }:
 let
-  inherit username;
+  inherit (config.systemConf) username;
 
   ethInterface = "enp0s31f6";
   sshPorts = [ 30072 ];
@@ -319,6 +318,7 @@ in
         gpgsql-host=/var/run/postgresql
         gpgsql-dbname=pdns
         gpgsql-user=pdns
+        gpgsql-dnssec=yes
         webserver=yes
         webserver-port=8081
         local-port=5359
@@ -372,6 +372,9 @@ in
     };
   };
 
+  systemd.services.pdns-recursor.before = [ "acme-setup.service" ];
+  systemd.services.pdns.before = [ "acme-setup.service" ];
+
   users.users = {
     root.openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
@@ -386,7 +389,7 @@ in
 
   virtualisation = {
     oci-containers = {
-      backend = "podman";
+      backend = "docker";
       containers = {
         uptime-kuma = {
           extraOptions = [ "--network=host" ];

system/dev/dn-server/nix/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./atticd.nix
+  ];
+}

system/dev/dn-server/security/crowdsec.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+  imports = [
+    (import ../../../modules/crowdsec.nix {
+      lapiCred = config.sops.secrets."crowdsec/lapi.yaml".path;
+      capiCred = config.sops.secrets."crowdsec/capi.yaml".path;
+      consoleToken = config.sops.secrets."crowdsec/consoleToken".path;
+      enableServer = true;
+      enablePrometheus = true;
+    })
+  ];
+}

system/dev/dn-server/security/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./fail2ban.nix
+    ./crowdsec.nix
+  ];
+}

system/dev/dn-server/security/fail2ban.nix

@@ -1,9 +1,6 @@
-{
-  ...
-}:
 {
   imports = [
-    (import ../../modules/fail2ban.nix {
+    (import ../../../modules/fail2ban.nix {
       extraAllowList = [
         "10.0.0.0/24"
         "122.117.215.55"

system/dev/dn-server/services/actual-budget.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    (import ../../../modules/actual {
+      fqdn = "actual.net.dn";
+    })
+  ];
+}

system/dev/dn-server/services/bitwarden.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    (import ../../../modules/vaultwarden.nix {
+      domain = "bitwarden.net.dn";
+    })
+  ];
+}

system/dev/dn-server/services/default.nix

@@ -0,0 +1,11 @@
+{
+  imports = [
+    ./actual-budget.nix
+    ./bitwarden.nix
+    ./docmost.nix
+    ./mail-server.nix
+    ./nextcloud.nix
+    ./paperless-ngx.nix
+    ./metrics.nix
+  ];
+}

system/dev/dn-server/services/docmost.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+  imports = [
+    (import ../../../modules/docmost.nix {
+      fqdn = "docmost.net.dn";
+      extraConf = {
+        MAIL_DRIVER = "smtp";
+      };
+      envFile = config.sops.secrets."docmost".path;
+    })
+  ];
+}

system/dev/dn-server/services/mail-server.nix

@@ -0,0 +1,58 @@
+{ config, ... }:
+let
+  inherit (config.systemConf) username;
+in
+{
+  mail-server =
+    let
+      domain = "net.dn";
+    in
+    {
+      inherit domain;
+
+      enable = true;
+      openFirewall = true;
+      configureNginx = true;
+      hostname = "mx1";
+      extraDomains = [
+        "mail.${domain}"
+      ];
+      caFile = "" + ../../../extra/ca.crt;
+      rootAlias = "${username}";
+      networks = [
+        "127.0.0.0/8"
+        "10.0.0.0/24"
+      ];
+      virtual = ''
+        admin@${domain} ${username}@${domain}
+        postmaster@${domain} ${username}@${domain}
+      '';
+      webmail = {
+        enable = true;
+        hostname = "mail.${domain}";
+      };
+      keycloak = {
+        dbSecretFile = config.sops.secrets."oauth/password".path;
+        adminAccountFile = config.sops.secrets."oauth/adminEnv".path;
+      };
+      ldap = {
+        filter = "(&(objectClass=inetOrgPerson)(objectClass=mailRoutingObject)(uid=%{user | username}))";
+        extraAuthConf = ''
+          auth_username_format = %{user | lower}
+          fields {
+            user = %{ldap:mail}
+            password = %{ldap:userPassword}
+          }
+        '';
+        secretFile = config.sops.secrets."ldap/password".path;
+        webSecretFile = config.sops.secrets."ldap/env".path;
+      };
+      rspamd = {
+        secretFile = config.sops.secrets."rspamd".path;
+        trainerSecretFile = config.sops.secrets."rspamd-trainer".path;
+      };
+      dovecot.oauth = {
+        enable = true;
+      };
+    };
+}

system/dev/dn-server/services/metrics.nix

@@ -0,0 +1,157 @@
+{
+  config,
+  lib,
+  helper,
+  pkgs,
+  ...
+}:
+let
+  inherit (helper.grafana) mkDashboard;
+  inherit (lib) optionalAttrs;
+  inherit (config.networking) hostName;
+
+  datasourceTemplate = [
+    {
+      current = {
+        text = "Prometheus";
+        value = "prometheus-dn-server";
+      };
+      label = "DS_PROMETHEUS";
+      name = "DS_PROMETHEUS";
+      options = [ ];
+      query = "prometheus";
+      refresh = 1;
+      regex = "";
+      type = "datasource";
+    }
+  ];
+
+  crowdsecSrc = fetchTarball {
+    url = "https://github.com/crowdsecurity/grafana-dashboards/archive/c89d8476b32ea76e924c488db7d0afd0306fc609.tar.gz";
+    sha256 = "sha256:1s7v03hzss22dkl3hw9qf0qc86qn98wx8x13rvy73wc5mgxv9wnk";
+  };
+
+  crowdsecDashboard = mkDashboard {
+    name = "crowdsec";
+    src = "${crowdsecSrc}/dashboards_v5";
+    templateList = datasourceTemplate;
+  };
+
+  pdnsRecursorSrc = pkgs.fetchurl {
+    name = "pdns-recursor-grafana-dashboard.json";
+    url = "https://grafana.com/api/dashboards/20448/revisions/3/download";
+    sha256 = "sha256-8lgo+A3dnFLanhGJWCKAo/iPYSMiove17xvMolgq9nI=";
+  };
+
+  pdnsRecursorDashboard = mkDashboard {
+    name = "pdns-recursor";
+    src = "${pdnsRecursorSrc}";
+    templateList = datasourceTemplate;
+    conf = {
+      dontUnpack = true;
+    };
+  };
+in
+{
+  imports = [
+    (import ../../../modules/prometheus.nix {
+      fqdn = "metrics.net.dn";
+      selfMonitor = true;
+      configureNginx = true;
+      scrapes = [
+        (optionalAttrs config.services.pdns-recursor.enable {
+          job_name = "powerdns_recursor";
+          static_configs = [
+            {
+              targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ];
+              labels = {
+                machine = "${hostName}";
+              };
+            }
+          ];
+          relabel_configs = [
+            {
+              source_labels = [ "__address__" ];
+              target_label = "instance";
+              regex = "(.*):[0-9]+";
+              replacement = "PDNS Recursor - \${1}";
+            }
+          ];
+        })
+        (optionalAttrs config.services.crowdsec.settings.general.prometheus.enabled {
+          job_name = "crowdsec";
+          static_configs = [
+            {
+              targets = [
+                "localhost:${toString config.services.crowdsec.settings.general.prometheus.listen_port}"
+              ];
+              labels = {
+                machine = "${hostName}";
+              };
+            }
+          ];
+          relabel_configs = [
+            {
+              source_labels = [ "__address__" ];
+              target_label = "instance";
+              regex = "(.*):[0-9]+";
+              replacement = "CrowdSec - \${1}";
+            }
+          ];
+        })
+      ];
+    })
+
+    (import ../../../modules/grafana.nix {
+      domain = "grafana.net.dn";
+      passFile = config.sops.secrets."grafana/password".path;
+      smtpHost = "${config.mail-server.hostname}.${config.mail-server.domain}:465";
+      smtpDomain = config.mail-server.domain;
+      extraSettings = {
+        "auth.generic_oauth" =
+          let
+            OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect";
+          in
+          {
+            enabled = true;
+            allow_sign_up = true;
+            client_id = "grafana";
+            client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}'';
+            scopes = "openid email profile offline_access roles";
+            email_attribute_path = "email";
+            login_attribute_path = "username";
+            name_attribute_path = "username";
+            auth_url = "${OIDCBaseUrl}/auth";
+            token_url = "${OIDCBaseUrl}/token";
+            api_url = "${OIDCBaseUrl}/userinfo";
+            role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
+          };
+      };
+      extraConf = {
+        provision.datasources.settings = {
+          prune = true;
+          datasources = [
+            {
+              uid = "prometheus-dn-server";
+              name = "Prometheus";
+              url = "https://metrics.net.dn";
+              type = "prometheus";
+            }
+          ];
+        };
+        provision.dashboards.settings.providers = [
+          {
+            name = "CrowdSec";
+            type = "file";
+            options.path = "${crowdsecDashboard}";
+          }
+          {
+            name = "PDNSRecursor";
+            type = "file";
+            options.path = "${pdnsRecursorDashboard}";
+          }
+        ];
+      };
+    })
+  ];
+}

system/dev/dn-server/services/nextcloud.nix

@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  imports = [
+    (import ../../../modules/nextcloud.nix {
+      hostname = "nextcloud.net.dn";
+      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
+      trusted-domains = [ "nextcloud.daccc.info" ];
+      trusted-proxies = [ "10.0.0.0/24" ];
+    })
+  ];
+}

system/dev/dn-server/services/paperless-ngx.nix

@@ -0,0 +1,9 @@
+{ config, ... }:
+{
+  imports = [
+    (import ../../../modules/paperless-ngx.nix {
+      domain = "paperless.net.dn";
+      passwordFile = config.sops.secrets."paperless/adminPassword".path;
+    })
+  ];
+}

system/dev/dn-server/sops-conf.nix

@@ -1,69 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) mkIf;
-in
-{
-  sops = {
-    secrets = {
-      "wireguard/privateKey" = { };
-      "nextcloud/adminPassword" = { };
-      "step_ca/password" = { };
-      vaultwarden = { };
-      "oauth/password" = { };
-      "ldap/password" = lib.mkIf config.mail-server.enable {
-        mode = "0660";
-        owner = config.services.openldap.user;
-        group = config.services.openldap.group;
-      };
-      "ldap/env" = lib.mkIf config.mail-server.enable {
-        mode = "0660";
-        group = config.users.groups.docker.name;
-      };
-      "powerdns-admin/secret" = {
-        mode = "0660";
-        owner = "powerdnsadmin";
-        group = "powerdnsadmin";
-      };
-      "powerdns-admin/salt" = {
-        mode = "0660";
-        owner = "powerdnsadmin";
-        group = "powerdnsadmin";
-      };
-      powerdns = {
-        mode = "0660";
-        owner = "pdns";
-        group = "pdns";
-      };
-      rspamd-trainer = { };
-      "acme/env" = mkIf config.security.acme.acceptTerms {
-        mode = "0660";
-        owner = "acme";
-        group = "acme";
-      };
-      "postsrsd/secret" = mkIf config.services.postsrsd.enable {
-        mode = "0660";
-        owner = config.services.postsrsd.user;
-        group = config.services.postsrsd.group;
-      };
-      "grafana/password" = mkIf config.services.grafana.enable {
-        mode = "0660";
-        owner = "grafana";
-        group = "grafana";
-      };
-      "grafana/client_secret" = mkIf config.services.grafana.enable {
-        mode = "0660";
-        owner = "grafana";
-        group = "grafana";
-      };
-      "prometheus/powerdns/password" = mkIf config.services.prometheus.enable {
-        mode = "0660";
-        owner = "prometheus";
-        group = config.users.users.prometheus.group;
-      };
-      "paperless/adminPassword" = mkIf config.services.paperless.enable {
-        owner = config.services.paperless.user;
-      };
-      "atticd/secret" = mkIf config.services.atticd.enable { };
-    };
-  };
-}

system/dev/dn-server/sops/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./sops-conf.nix
+  ];
+}

system/dev/dn-server/sops/sops-conf.nix

@@ -0,0 +1,85 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkIf;
+in
+{
+  sops.secrets = {
+    "wireguard/privateKey" = { };
+    "nextcloud/adminPassword" = { };
+    "step_ca/password" = { };
+    vaultwarden = { };
+    "oauth/password" = { };
+    "oauth/adminEnv" = { };
+    "ldap/password" = lib.mkIf config.mail-server.enable {
+      mode = "0660";
+      owner = config.services.openldap.user;
+      group = config.services.openldap.group;
+    };
+    "ldap/env" = lib.mkIf config.mail-server.enable {
+      mode = "0660";
+      group = config.users.groups.docker.name;
+    };
+    "powerdns-admin/secret" = {
+      mode = "0660";
+      owner = "powerdnsadmin";
+      group = "powerdnsadmin";
+    };
+    "powerdns-admin/salt" = {
+      mode = "0660";
+      owner = "powerdnsadmin";
+      group = "powerdnsadmin";
+    };
+    powerdns = {
+      mode = "0660";
+      owner = "pdns";
+      group = "pdns";
+    };
+    rspamd-trainer = {
+    };
+    rspamd = mkIf config.services.rspamd.enable {
+      owner = config.services.rspamd.user;
+    };
+    "acme/env" = mkIf config.security.acme.acceptTerms {
+      mode = "0660";
+      owner = "acme";
+      group = "acme";
+    };
+    "postsrsd/secret" = mkIf config.services.postsrsd.enable {
+      mode = "0660";
+      owner = config.services.postsrsd.user;
+      group = config.services.postsrsd.group;
+    };
+    "grafana/password" = mkIf config.services.grafana.enable {
+      mode = "0660";
+      owner = "grafana";
+      group = "grafana";
+    };
+    "grafana/client_secret" = mkIf config.services.grafana.enable {
+      mode = "0660";
+      owner = "grafana";
+      group = "grafana";
+    };
+    "prometheus/powerdns/password" = mkIf config.services.prometheus.enable {
+      mode = "0660";
+      owner = "prometheus";
+      group = config.users.users.prometheus.group;
+    };
+    "paperless/adminPassword" = mkIf config.services.paperless.enable {
+      owner = config.services.paperless.user;
+    };
+    "atticd/secret" = mkIf config.services.atticd.enable { };
+    "docmost" = { };
+    "crowdsec/lapi.yaml" = mkIf config.services.crowdsec.enable {
+      owner = "crowdsec";
+      mode = "0600";
+    };
+    "crowdsec/capi.yaml" = mkIf config.services.crowdsec.enable {
+      owner = "crowdsec";
+      mode = "0600";
+    };
+    "crowdsec/consoleToken" = mkIf config.services.crowdsec.enable {
+      owner = "crowdsec";
+      mode = "0600";
+    };
+  };
+}

system/dev/skydrive-lap/common/default.nix

@@ -0,0 +1,8 @@
+{
+  imports = [
+    ./boot.nix
+    ./disk.nix
+    ./nvidia.nix
+    ./hardware-configuration.nix
+  ];
+}

system/dev/skydrive-lap/common/nvidia.nix

@@ -0,0 +1,10 @@
+{
+  imports = [
+    # Nvidia GPU Driver
+    (import ../../../modules/nvidia.nix {
+      nvidia-mode = "offload";
+      intel-bus-id = "PCI:0:2:0";
+      nvidia-bus-id = "PCI:1:0:0";
+    })
+  ];
+}

system/dev/skydrive-lap/default.nix

@@ -1,151 +1,41 @@
+{ hostname }:
 {
-  username,
   config,
   lib,
   pkgs,
   ...
 }:
 let
-  inherit (lib) optionalString;
-  geVersion = "10-15";
-  faceIcon = pkgs.fetchurl {
-    url = "https://files.net.dn/skydrive.jpg";
-    hash = "sha256-aMjl6VL1Zy+r3ElfFyhFOlJKWn42JOnAFfBXF+GPB/Q=";
-    curlOpts = "-k";
-  };
-
-  memeSelector = pkgs.callPackage ../../../home/scripts/memeSelector.nix {
-    url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/";
-  };
-
-  monitors = [
-    "desc:AU Optronics 0x82ED"
-    "desc:AOC 24B30HM2 27ZQ4HA00101"
-  ];
+  username = "skydrive";
 in
 {
-  imports = [
-    ./hardware-configuration.nix
-    ../../modules/presets/basic.nix
-
-    # Nvidia GPU Driver
-    (import ../../modules/nvidia.nix {
-      nvidia-mode = "offload";
-      intel-bus-id = "PCI:0:2:0";
-      nvidia-bus-id = "PCI:1:0:0";
-    })
-
-    ./boot.nix # Extra Boot Options
-    ./disk.nix
-    ./sops-conf.nix
-    ../../modules/printer.nix
-    ../../modules/gaming.nix
-    ../../modules/wine.nix
-    ../../modules/localsend.nix
-    (import ../../modules/airplay.nix { hostname = config.networking.hostName; })
-    # (import ../../modules/virtualization.nix { inherit username; })
-    ../../modules/wireguard.nix
-  ];
-
-  home-manager = {
-    users."${username}" = {
-      imports = [
-        ../../../home/presets/basic.nix
-
+  systemConf = {
+    inherit hostname username;
+    domain = "net.dn";
+    hyprland = {
+      enable = true;
+      monitors = [
         {
-          home.file.".face" = {
-            source = lib.mkForce faceIcon;
-          };
+          desc = "AU Optronics 0x82ED";
+          props = "prefered, 0x0, 1";
+          output = "eDP-1";
         }
-
-        # Hyprland
-        (import ../../../home/user/hyprland.nix { inherit monitors; })
         {
-          wayland.windowManager.hyprland = {
-            settings = {
-              input = {
-                kb_options = lib.mkForce [ ];
-              };
-
-              monitor = [
-                ''desc:AU Optronics 0x82ED, prefered, 0x0, 1''
-                ''desc:AOC 24B30HM2 27ZQ4HA00101, prefered, 1920x540, 1''
-              ];
-
-              bind = [
-                "$mainMod ctrl, M, exec, ${memeSelector}/bin/memeSelector"
-              ];
-            };
-          };
+          desc = "AOC 24B30HM2 27ZQ4HA00101";
+          props = "prefered, 1920x540, 1";
+          output = "HDMI-A-2";
         }
-
-        (import ../../../home/user/waybar.nix {
-          settings = [
-            # monitor 1
-            {
-              output = "eDP-1";
-              modules-left = [
-                "custom/os"
-                "hyprland/workspaces"
-                "clock"
-                "custom/cava"
-                "mpris"
-              ];
-              modules-right = [
-                "wlr/taskbar"
-                (optionalString config.programs.gamemode.enable "custom/gamemode")
-                "custom/airplay"
-                "custom/wallRand"
-                "custom/wireguard"
-                "custom/recording"
-                "idle_inhibitor"
-                "network"
-                "cpu"
-                "memory"
-                "pulseaudio"
-                "custom/swaync"
-              ];
-            }
-            {
-              output = "HDMI-A-2";
-              modules-left = [
-                "clock"
-                "mpris"
-              ];
-              modules-right = [
-                "wlr/taskbar"
-                "temperature"
-                "cpu"
-                "memory"
-                "pulseaudio"
-              ];
-            }
-          ];
-        })
       ];
-
-      home.file = {
-        # Proton GE
-        ".steam/root/compatibilitytools.d/GE-Proton${geVersion}" = {
-          source = fetchTarball {
-            url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${geVersion}/GE-Proton${geVersion}.tar.gz";
-            sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm";
-          };
-        };
-        ".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = {
-          source = fetchTarball {
-            url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz";
-            sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz";
-          };
-        };
-      };
     };
   };
 
-  environment.systemPackages = map lib.lowPrio [
-    pkgs.curl
-    pkgs.gitMinimal
-    memeSelector
+  imports = [
+    ../../modules/presets/basic.nix
+    ./common
+    ./games
+    ./services
+    ./sops
+    ./utility
   ];
 
   users.users.root.openssh.authorizedKeys.keys = [

system/dev/skydrive-lap/games/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ../../../modules/gaming.nix
+    ../../../modules/wine.nix
+  ];
+}

system/dev/skydrive-lap/home/default.nix

@@ -0,0 +1,118 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (config.systemConf) username;
+  inherit (lib) mkForce optionalString;
+
+  geVersion = "10-15";
+
+  memeSelector = pkgs.callPackage ../../../../home/scripts/memeSelector.nix {
+    url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/";
+  };
+
+  faceIcon = pkgs.fetchurl {
+    url = "https://files.net.dn/skydrive.jpg";
+    hash = "sha256-aMjl6VL1Zy+r3ElfFyhFOlJKWn42JOnAFfBXF+GPB/Q=";
+    curlOpts = "-k";
+  };
+in
+{
+
+  environment.systemPackages = map lib.lowPrio [
+    pkgs.curl
+    pkgs.gitMinimal
+    memeSelector
+  ];
+
+  home-manager = {
+    users."${username}" = {
+      imports = [
+        ../../../../home/presets/basic.nix
+
+        {
+          home.file.".face" = {
+            source = mkForce faceIcon;
+          };
+        }
+
+        {
+          wayland.windowManager.hyprland = {
+            settings = {
+              input = {
+                kb_options = lib.mkForce [ ];
+              };
+
+              bind = [
+                "$mainMod ctrl, M, exec, ${memeSelector}/bin/memeSelector"
+              ];
+            };
+          };
+        }
+
+        (import ../../../../home/user/waybar.nix {
+          settings = [
+            # monitor 1
+            {
+              output = "eDP-1";
+              modules-left = [
+                "custom/os"
+                "hyprland/workspaces"
+                "clock"
+                "custom/cava"
+                "mpris"
+              ];
+              modules-right = [
+                "wlr/taskbar"
+                (optionalString config.programs.gamemode.enable "custom/gamemode")
+                "custom/airplay"
+                "custom/wallRand"
+                "custom/wireguard"
+                "custom/recording"
+                "idle_inhibitor"
+                "network"
+                "cpu"
+                "memory"
+                "pulseaudio"
+                "custom/swaync"
+              ];
+            }
+            {
+              output = "HDMI-A-2";
+              modules-left = [
+                "clock"
+                "mpris"
+              ];
+              modules-right = [
+                "wlr/taskbar"
+                "temperature"
+                "cpu"
+                "memory"
+                "pulseaudio"
+              ];
+            }
+          ];
+        })
+      ];
+
+      home.file = {
+        # Proton GE
+        ".steam/root/compatibilitytools.d/GE-Proton${geVersion}" = {
+          source = fetchTarball {
+            url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton${geVersion}/GE-Proton${geVersion}.tar.gz";
+            sha256 = "sha256:0iv7vak4a42b5m772gqr6wnarswib6dmybfcdjn3snvwxcb6hbsm";
+          };
+        };
+        ".steam/root/compatibilitytools.d/CachyOS-Proton10-0_v3" = {
+          source = fetchTarball {
+            url = "https://github.com/CachyOS/proton-cachyos/releases/download/cachyos-10.0-20250714-slr/proton-cachyos-10.0-20250714-slr-x86_64_v3.tar.xz";
+            sha256 = "sha256:0hp22hkfv3f1p75im3xpif0pmixkq2i3hq3dhllzr2r7l1qx16iz";
+          };
+        };
+      };
+    };
+  };
+}

system/dev/skydrive-lap/services/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./wireguard.nix
+  ];
+}

system/dev/skydrive-lap/services/wireguard.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../../../modules/wireguard.nix
+  ];
+}

system/dev/skydrive-lap/sops/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./sops-conf.nix
+  ];
+}

system/dev/skydrive-lap/utility/default.nix

@@ -0,0 +1,8 @@
+{ config, ... }:
+{
+  imports = [
+    ../../../modules/printer.nix
+    ../../../modules/localsend.nix
+    (import ../../../modules/airplay.nix { hostname = config.networking.hostName; })
+  ];
+}

system/modules/crowdsec.nix

@@ -0,0 +1,99 @@
+{
+  lapiCred,
+  capiCred,
+  consoleToken,
+  trusted_ips ? [ ],
+  extraAcq ? [ ],
+  extraJournal ? [ ],
+  enableServer ? false,
+  enablePrometheus ? true,
+}:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) mkDefault mkIf;
+  mkJournalFilter = service: {
+    journalctl_filter = [
+      "_SYSTEMD_UNIT=${service}"
+    ];
+    labels = {
+      type = "syslog";
+    };
+    source = "journalctl";
+  };
+
+  # ==== Default Services ==== #
+  services = map (x: mkJournalFilter x) [
+    "sshd.service"
+  ];
+
+  extraServices = map (x: mkJournalFilter x) extraJournal;
+in
+{
+  services.postgresql = {
+    enable = mkDefault true;
+    ensureDatabases = [ config.services.crowdsec.user ];
+    ensureUsers = [
+      {
+        name = config.services.crowdsec.user;
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.crowdsec = {
+    enable = true;
+    settings.general = {
+      prometheus = {
+        enabled = enablePrometheus;
+      };
+      db_config = {
+        type = "postgresql";
+        db_name = config.services.crowdsec.user;
+        db_path = "/var/run/postgresql";
+        user = config.services.crowdsec.user;
+        sslmode = "disable";
+        flush.max_items = 5000;
+        flush.max_age = "7d";
+      };
+      api.client = {
+        insecure_skip_verify = false;
+      };
+      api.server = mkIf enableServer {
+        enable = true;
+        listen_uri = "127.0.0.1:31005";
+        trusted_ips = [
+          "127.0.0.1"
+          "10.0.0.0/24"
+          "::1"
+        ]
+        ++ trusted_ips;
+      };
+    };
+    settings = {
+      lapi.credentialsFile = lapiCred;
+      capi.credentialsFile = capiCred;
+      console.tokenFile = consoleToken;
+    };
+    localConfig = {
+      acquisitions = services ++ extraServices ++ extraAcq;
+    };
+    hub = {
+      scenarios = [
+        "crowdsecurity/ssh-bf"
+        "crowdsecurity/ssh-generic-test"
+        "crowdsecurity/http-generic-test"
+      ];
+      postOverflows = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ];
+      parsers = [ "crowdsecurity/sshd-logs" ];
+      collections = [ "crowdsecurity/linux" ];
+      appSecRules = [ "crowdsecurity/base-config" ];
+      appSecConfigs = [ "crowdsecurity/appsec-default" ];
+    };
+    autoUpdateService = true;
+  };
+}

system/modules/davinci-resolve.nix

@@ -1,6 +1,6 @@
 {
   pkgs,
-  username,
+  config,
   ...
 }:
 let
@@ -13,7 +13,7 @@ in
     scriptBin
   ];
 
-  home-manager.users."${username}" = {
+  home-manager.users."${config.systemConf.username}" = {
     xdg.desktopEntries."davindi-resolve" = {
       name = "Davinci Resolve";
       genericName = "Video Editor";

system/modules/docmost.nix

@@ -0,0 +1,86 @@
+{
+  fqdn ? null,
+  port ? 32000,
+  https ? true,
+  openFirewall ? false,
+  extraConf ? { },
+  envFile ? null,
+}:
+{
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) optionalString mkIf;
+in
+{
+  networking.firewall.allowedTCPPorts = mkIf openFirewall [
+    port
+  ];
+
+  services.redis.servers."docmost" = {
+    enable = true;
+    port = 32001;
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "docmost" ];
+    ensureUsers = [
+      {
+        name = "docmost";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  virtualisation.oci-containers = {
+    backend = lib.mkDefault "docker";
+    containers = {
+      docmost = {
+        image = "docmost/docmost:latest";
+        environment = (
+          {
+            PORT = "${toString port}";
+            APP_URL = "${
+              if (fqdn != null) then
+                "${if https then "https" else "http"}://${fqdn}"
+              else
+                "http://localhost:${toString port}"
+            }";
+            DATABASE_URL = "postgresql://docmost@docmost?schema=public&host=/var/run/postgresql";
+            REDIS_URL = "redis://localhost:${toString config.services.redis.servers.docmost.port}";
+          }
+          // extraConf
+        );
+        extraOptions = [
+          "--network=host"
+          "${optionalString (envFile != null) "--env-file=${envFile}"}"
+        ];
+        volumes = [
+          "/var/run/postgresql:/var/run/postgresql"
+          "docmost:/app/data/storage"
+        ];
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = lib.mkDefault true;
+    enableReload = lib.mkDefault true;
+    recommendedGzipSettings = lib.mkDefault true;
+    recommendedOptimisation = lib.mkDefault true;
+    recommendedTlsSettings = lib.mkDefault true;
+    recommendedProxySettings = lib.mkDefault true;
+    virtualHosts = lib.mkIf (fqdn != null) {
+      "${fqdn}" = {
+        enableACME = lib.mkIf https true;
+        forceSSL = lib.mkIf https true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString port}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+}

system/modules/grafana.nix

@@ -4,12 +4,23 @@
   smtpDomain,
   domain,
   extraSettings ? { },
+  extraConf ? { },
 }:
 { config, ... }:
 let
   email = "grafana@${smtpDomain}";
 in
 {
+  services.postgresql = {
+    ensureDatabases = [ "grafana" ];
+    ensureUsers = [
+      {
+        name = "grafana";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
   services.grafana = {
     enable = true;
     settings = (
@@ -31,11 +42,20 @@ in
         security = {
           admin_email = email;
           admin_password = "$__file{${passFile}}";
+          secret_key = "$__file{${passFile}}";
+        };
+        database = {
+          type = "postgres";
+          user = "grafana";
+          name = "grafana";
+          host = "/var/run/postgresql";
         };
       }
       // extraSettings
     );
-  };
+
+  }
+  // extraConf;
 
   services.nginx.virtualHosts."${domain}" = {
     enableACME = true;

system/modules/hyprland.nix

@@ -1,17 +1,24 @@
 {
   pkgs,
+  config,
   inputs,
+  lib,
   ...
 }:
+let
+  inherit (lib) mkIf;
+
+  hyprlandEnabled = config.programs.hyprland.enable;
+in
 {
   programs.hyprland = {
-    enable = true;
+    enable = config.systemConf.hyprland.enable;
     withUWSM = false;
     package = inputs.hyprland.packages."${pkgs.system}".hyprland;
     portalPackage = inputs.hyprland.packages.${pkgs.system}.xdg-desktop-portal-hyprland;
   };
 
-  xdg.portal = {
+  xdg.portal = mkIf hyprlandEnabled {
     enable = true;
     xdgOpenUsePortal = true;
     extraPortals = [
@@ -19,29 +26,32 @@
     ];
   };
 
-  environment.sessionVariables = {
+  environment.sessionVariables = mkIf hyprlandEnabled {
     NIXOS_OZONE_WL = "1";
     WLR_NO_HARDWARE_CURSORS = "1";
   };
 
-  environment.systemPackages = with pkgs; [
-    pyprland
-    hyprsunset
-    hyprpicker
-    hyprshot
-    kitty
+  environment.systemPackages = mkIf hyprlandEnabled (
+    with pkgs;
+    [
+      pyprland
+      hyprsunset
+      hyprpicker
+      hyprshot
+      kitty
 
-    qt5.qtwayland
-    qt6.qtwayland
-    wlogout
-    wl-clipboard
+      # qt5.qtwayland
+      # qt6.qtwayland
+      wlogout
+      wl-clipboard
 
-    # Util
-    grim
-    slurp
-  ];
+      # Util
+      grim
+      slurp
+    ]
+  );
 
-  nix = {
+  nix = mkIf hyprlandEnabled {
     settings = {
       substituters = [ "https://hyprland.cachix.org" ];
       trusted-public-keys = [

system/modules/mail-server/default.nix

@@ -1,163 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib;
-{
-  options.mail-server = {
-    enable = mkEnableOption "mail-server";
-
-    configureACME = mkEnableOption "Enable auto configuration of ACME" // {
-      default = false;
-    };
-
-    caFile = mkOption {
-      type = types.path;
-      default = config.security.pki.caBundle;
-      description = ''
-        Extra CA certification to trust;
-      '';
-    };
-
-    openFirewall = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        This option results in following configuration:
-
-        networking.firewall.allowedTCPPorts = [
-          25  # SMTP
-          465 # SMTPS
-          587 # STARTTLS
-          143 # IMAP STARTTLS
-          993 # IMAPS
-          110 # POP3 STARTTLS
-          995 # POP3S
-        ];
-      '';
-    };
-
-    rootAlias = mkOption {
-      type = with types; uniq str;
-      default = "";
-      description = "Root alias";
-      example = ''
-        <your username>
-      '';
-    };
-
-    virtual = mkOption {
-      type = lib.types.lines;
-      default = "";
-      description = ''
-        Entries for the virtual alias map, cf. man-page {manpage}`virtual(5)`.
-      '';
-    };
-
-    extraAliases = mkOption {
-      type = with types; str;
-      default = "";
-      description = "Extra aliases";
-      example = ''
-        something: root
-        gender: root
-      '';
-    };
-
-    mailDir = mkOption {
-      type = with types; uniq str;
-      description = "Path to store local mails";
-      default = "~/Maildir";
-      example = "~/Maildir";
-    };
-
-    virtualMailDir = mkOption {
-      type = with types; path;
-      description = "Path to store virtual mails";
-      default = "/var/mail/vhosts";
-      example = "/var/mail/vmails";
-    };
-
-    uid = mkOption {
-      type = with types; int;
-      default = 5000;
-      description = "UID for \"vmail\"";
-    };
-
-    gid = mkOption {
-      type = with types; int;
-      default = 5000;
-      description = "GID for \"vmail\"";
-    };
-
-    domain = mkOption {
-      type = with types; uniq str;
-      default = config.networking.fqdn;
-      description = "Domain name used for mail server";
-    };
-
-    origin = mkOption {
-      type = with types; uniq str;
-      default = "";
-      description = "Origin to use in outgoing e-mail. Leave blank to use hostname.";
-    };
-
-    destination = mkOption {
-      type = with types; listOf str;
-      default = [ ];
-      description = "Postfix destination";
-    };
-
-    networks = mkOption {
-      type = with types; listOf str;
-      default = [ ];
-      description = "Postfix networks";
-    };
-
-    oauth = {
-      username = mkOption {
-        type = with types; uniq str;
-        default = "keycloak";
-        description = "Keycloak username";
-      };
-
-      passwordFile = mkOption {
-        type = with types; path;
-        description = "Path to the keycloak password file";
-        example = "/run/secrets/keycloak/password";
-      };
-    };
-
-    ldap = {
-      passwordFile = mkOption {
-        type = with types; path;
-        description = "Path to the openldap password file";
-        example = "/run/secrets/ldap/password";
-      };
-
-      webEnv = mkOption {
-        type = with types; path;
-        description = "Path to phpLDAPadmin env file";
-        example = "/run/secrets/ldap/env";
-      };
-    };
-
-    rspamd = {
-      trainerSecret = mkOption {
-        type = with types; path;
-        description = "Path to rspamd trainer secret";
-        example = "/run/secrets/rspamd-trainer/secret";
-      };
-      port = mkOption {
-        type = with types; int;
-        default = 11334;
-        description = "Port for rspamd webUI";
-      };
-    };
-  };
-
-  imports = [
-    ./server.nix
-  ];
-}

system/modules/mail-server/server.nix

@@ -1,616 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib;
-let
-  cfg = config.mail-server;
-  dcList = strings.splitString "." cfg.domain;
-  ldapDomain = strings.concatStringsSep "," (lists.forEach dcList (dc: "dc=" + dc));
-
-  dovecotSecretPath = "/run/dovecot-secret";
-  authBaseConf = pkgs.writeText "dovecot-auth.conf.ext" ''
-    passdb ldap {
-      auth_username_format = %{user | lower}
-      ldap_bind = no
-      ldap_filter = (&(objectClass=inetOrgPerson)(uid=%{user | username}))
-      use_worker = no
-
-      fields {
-        user = %{ldap:mail}
-        password = %{ldap:userPassword}
-      }
-    }
-    ldap_auth_dn = cn=admin,${ldapDomain}
-    ldap_auth_dn_password = $LDAP_PASSWORD
-    ldap_uris = ldap://localhost
-    ldap_base = ${ldapDomain}
-  '';
-  authConf = "${dovecotSecretPath}/dovecot-auth.conf.ext";
-
-  dovecotDomain = config.services.postfix.settings.main.myhostname;
-in
-{
-  config = mkIf cfg.enable {
-    security.acme.certs = mkIf cfg.configureACME {
-      "${config.services.postfix.settings.main.myhostname}" = {
-        dnsProvider = null;
-        webroot = "/var/lib/acme/acme-challenge";
-        postRun = ''
-          systemctl restart postfix.service
-          systemctl restart dovecot.service
-        '';
-      };
-      "${cfg.domain}" = {
-        dnsProvider = null;
-        webroot = "/var/lib/acme/acme-challenge";
-      };
-    };
-
-    # ===== opendkim ===== #
-    services.opendkim = {
-      enable = true;
-      domains = "csl:${cfg.domain}";
-      selector = "mail";
-    };
-
-    # ===== Postfix ===== #
-    environment.sessionVariables = {
-      MAILDIR = cfg.mailDir;
-    };
-
-    systemd.services.postfix = {
-      requires = [
-        "acme-finished-${config.services.postfix.settings.main.myhostname}.target"
-      ];
-      serviceConfig.LoadCredential =
-        let
-          certDir =
-            config.security.acme.certs."${config.services.postfix.settings.main.myhostname}".directory;
-        in
-        [
-          "cert.pem:${certDir}/cert.pem"
-          "key.pem:${certDir}/key.pem"
-        ];
-    };
-
-    services.postfix = {
-      enable = true;
-      virtual = cfg.virtual;
-      enableSubmissions = true;
-
-      settings.main =
-        let
-          credsDir = "/run/credentials/postfix.service";
-          certDir = "${credsDir}/cert.pem";
-          keyDir = "${credsDir}/key.pem";
-        in
-        {
-          myhostname = "mail.${cfg.domain}";
-          mynetworks = cfg.networks;
-          mydestination = cfg.destination;
-          myorigin = if cfg.origin == "" then cfg.domain else cfg.origin;
-          relayhost = [ "0.0.0.0:465" ];
-          smtpd_tls_security_level = "encrypt";
-          smtpd_client_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject";
-          smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
-          milter_macro_daemon_name = "ORIGINATING";
-
-          virtual_uid_maps = [
-            "static:${toString cfg.uid}"
-          ];
-          virtual_gid_maps = [
-            "static:${toString cfg.gid}"
-          ];
-
-          virtual_mailbox_domains = [ cfg.domain ];
-          virtual_transport = "lmtp:unix:private/dovecot-lmtp";
-          smtpd_sasl_type = "dovecot";
-          smtpd_sasl_path = "private/auth";
-          smtpd_sasl_auth_enable = "yes";
-          tls_random_source = "dev:/dev/urandom";
-
-          smtp_tls_security_level = "may";
-          smtp_tls_chain_files = [
-            keyDir
-            certDir
-          ];
-
-          smtpd_tls_chain_files = [
-            keyDir
-            certDir
-          ];
-
-          home_mailbox = cfg.mailDir;
-        }
-        // optionalAttrs config.services.opendkim.enable (
-          let
-            opendkimSocket = strings.removePrefix "local:" config.services.opendkim.socket;
-          in
-          {
-            smtpd_milters = [ "unix:${opendkimSocket}" ];
-            non_smtpd_milters = [ "unix:${opendkimSocket}" ];
-            milter_default_action = "accept";
-          }
-        );
-
-      rootAlias = cfg.rootAlias;
-      postmasterAlias = "root";
-      extraAliases = ''
-        mailer-daemon: postmaster
-        nobody: root
-        hostmaster: root
-        usenet: root
-        news: root
-        webmaster: root
-        www: root
-        ftp: root
-        abuse: root
-        noc: root
-        security: root
-      ''
-      + cfg.extraAliases;
-    };
-
-    services.rspamd = {
-      enable = true;
-      postfix.enable = true;
-      workers = {
-        normal = {
-          includes = [ "$CONFDIR/worker-normal.inc" ];
-          bindSockets = [
-            {
-              socket = "/run/rspamd/rspamd.sock";
-              mode = "0660";
-              owner = "${config.services.rspamd.user}";
-              group = "${config.services.rspamd.group}";
-            }
-          ];
-        };
-        controller = {
-          includes = [ "$CONFDIR/worker-controller.inc" ];
-          bindSockets = [ "127.0.0.1:${toString cfg.rspamd.port}" ];
-          extraConfig = ''
-            password=$2$w3asngzxwp3hoa67gimtrgmdxzmpq1n1$knfe5cyb1f769zro4rsi3j8ipc1p7ewh3u4cz63ngidmpjs8955y
-          '';
-        };
-      };
-    };
-
-    # ===== rspamd trainer ===== #
-    services.rspamd-trainer = {
-      enable = true;
-      settings = {
-        HOST = dovecotDomain;
-        USERNAME = "spam@${cfg.domain}";
-        INBOXPREFIX = "INBOX.";
-      };
-      secrets = [
-        cfg.rspamd.trainerSecret
-      ];
-    };
-
-    systemd.services.rspamd-trainer = lib.mkIf config.services.rspamd-trainer.enable {
-      after = [
-        "postfix.service"
-        "dovecot.service"
-        "rspamd-trainer-pre.service"
-      ];
-      requires = [ "rspamd-trainer-pre.service" ];
-    };
-
-    # ===== Create Mailbox for rspamd trainer ===== #
-    systemd.services.rspamd-trainer-pre = lib.mkIf config.services.rspamd-trainer.enable {
-      serviceConfig = {
-        ExecStart =
-          let
-            script = pkgs.writeShellScript "rspamd-trainer-pre.sh" ''
-              set -euo pipefail
-
-              username=${config.services.rspamd-trainer.settings.USERNAME}
-              domain="${cfg.domain}"
-              mailbox_list=("report_spam" "report_ham" "report_spam_reply")
-              for mailbox in ''\${mailbox_list[@]}; do
-                echo "Creating $mailbox..."
-                ${pkgs.dovecot}/bin/doveadm mailbox create -u "$username@$domain" "INBOX.$mailbox" 2>/dev/null || true
-              done
-            '';
-          in
-          "${pkgs.bash}/bin/bash ${script}";
-        Type = "oneshot";
-      };
-    };
-
-    # ===== Dovecot ===== #
-    systemd.services.dovecot = {
-      requires = [ "acme-finished-${dovecotDomain}.target" ];
-      serviceConfig = {
-        RuntimeDirectory = [ "dovecot-secret" ];
-        RuntimeDirectoryMode = "0640";
-        ExecStartPre = [
-          ''${pkgs.busybox.out}/bin/mkdir -p ${cfg.virtualMailDir}''
-          ''${pkgs.busybox.out}/bin/chown -R vmail:vmail ${cfg.virtualMailDir}''
-          ''${pkgs.busybox.out}/bin/chmod 770 ${cfg.virtualMailDir}''
-          ''${pkgs.bash}/bin/bash -c "LDAP_PASSWORD=$(cat ${cfg.ldap.passwordFile}) ${pkgs.gettext.out}/bin/envsubst < ${authBaseConf} > ${authConf}"''
-          ''${pkgs.busybox.out}/bin/chown ${config.services.dovecot.user}:${config.services.dovecot.group} ${authConf}''
-          ''${pkgs.busybox.out}/bin/chmod 660 ${authConf}''
-        ];
-
-        LoadCredential =
-          let
-            certDir = config.security.acme.certs."${dovecotDomain}".directory;
-          in
-          [
-            "cert.pem:${certDir}/cert.pem"
-            "key.pem:${certDir}/key.pem"
-          ];
-      };
-    };
-
-    services.dovecot =
-      let
-        credsDir = "/run/credentials/dovecot.service";
-        certDir = "${credsDir}/cert.pem";
-        keyDir = "${credsDir}/key.pem";
-      in
-      {
-        enable = true;
-        enablePAM = false;
-        enableImap = true;
-        enablePop3 = true;
-        enableLmtp = true;
-        enableHealthCheck = true;
-        mailLocation = lib.mkDefault "${cfg.mailDir}";
-        mailUser = "vmail";
-        mailGroup = "vmail";
-        sslServerKey = keyDir;
-        sslServerCert = certDir;
-
-        mailboxes = {
-          Junk = {
-            specialUse = "Junk";
-            auto = "subscribe";
-          };
-          Drafts = {
-            specialUse = "Drafts";
-            auto = "subscribe";
-          };
-          Archive = {
-            specialUse = "Archive";
-            auto = "subscribe";
-          };
-          Sent = {
-            specialUse = "Sent";
-            auto = "subscribe";
-          };
-        };
-
-        extraConfig = ''
-          # authentication debug logging
-          log_path = /dev/stderr
-          log_debug = (category=auth-client) OR (event=auth_client_passdb_lookup_started)
-
-          auth_mechanisms = plain login
-          ssl = required
-
-          service auth {
-            unix_listener ${config.services.postfix.settings.main.queue_directory}/private/auth {
-              mode = 0660
-              user = ${config.services.postfix.user}
-              group = ${config.services.postfix.group}
-              type = postfix
-            }
-          }
-
-          service lmtp {
-            unix_listener ${config.services.postfix.settings.main.queue_directory}/private/dovecot-lmtp {
-              mode = 0660
-              user = ${config.services.postfix.user}
-              group = ${config.services.postfix.group}
-              type = postfix
-            }
-          }
-
-          userdb static {
-            fields {
-              uid = ${toString cfg.uid}
-              gid = ${toString cfg.gid}
-              home = ${cfg.virtualMailDir}/%{user | domain}/%{user | username}
-            }
-          }
-
-          lda_mailbox_autosubscribe = yes
-          lda_mailbox_autocreate = yes
-
-          !include ${authConf}
-        '';
-      };
-
-    systemd.services.dovecot-healthcheck = mkIf config.services.dovecot.enableHealthCheck (
-      let
-        pythonServer =
-          pkgs.writeScript "dovecot-healthcheck"
-            # python
-            ''
-              #!${pkgs.python3}/bin/python3
-              import socket
-              from http.server import BaseHTTPRequestHandler, HTTPServer
-
-              DOVECOT_HOST = '127.0.0.1'
-              DOVECOT_PORT = ${toString config.services.dovecot.healthCheckPort}
-
-              class HealthCheckHandler(BaseHTTPRequestHandler):
-                  def do_GET(self):
-                      if self.path != '/ping':
-                          self.send_response(404)
-                          self.end_headers()
-                          return
-                      try:
-                          with socket.create_connection((DOVECOT_HOST, DOVECOT_PORT), timeout=5) as sock:
-                              sock.sendall(b"PING\n")
-                              data = sock.recv(1024).strip()
-                      except Exception as e:
-                          self.send_response(500)
-                          self.end_headers()
-                          self.wfile.write(b"Error connecting to healthcheck service")
-                          return
-
-                      if data == b"PONG":
-                          self.send_response(200)
-                          self.send_header("Content-Type", "text/plain")
-                          self.end_headers()
-                          self.wfile.write(b"PONG")
-                      else:
-                          self.send_response(500)
-                          self.end_headers()
-                          self.wfile.write(b"Unexpected response")
-
-              if __name__ == '__main__':
-                  server = HTTPServer(('0.0.0.0', 5002), HealthCheckHandler)
-                  print("HTTP healthcheck proxy running on port 5002")
-                  server.serve_forever()
-            '';
-      in
-      {
-        requires = [ "dovecot.service" ];
-        wantedBy = [ "multi-user.target" ];
-        after = [ "dovecot.service" ];
-        serviceConfig = {
-          Type = "simple";
-          ExecStart = pythonServer;
-        };
-      }
-    );
-
-    # ===== Firewall ===== #
-    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
-      80 # HTTP
-      443 # HTTPS
-      25 # SMTP
-      465 # SMTPS
-      587 # STARTTLS
-      143 # IMAP STARTTLS
-      993 # IMAPS
-      110 # POP3 STARTTLS
-      995 # POP3S
-      389 # LDAP
-    ];
-
-    services.postgresql = {
-      enable = true;
-      ensureDatabases = [ "keycloak" ];
-      ensureUsers = [
-        {
-          name = "keycloak";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
-
-    # ===== OAuth keycloak ===== #
-    services.keycloak = {
-      enable = true;
-
-      database = {
-        type = "postgresql";
-        host = "localhost";
-        name = "keycloak";
-        createLocally = false;
-        passwordFile = cfg.oauth.passwordFile;
-      };
-
-      settings = {
-        hostname = "keycloak.${cfg.domain}";
-        proxy-headers = "xforwarded";
-        http-port = 38080;
-        http-enabled = true;
-        health-enabled = true;
-        http-management-port = 38081;
-        truststore-paths = cfg.caFile;
-      };
-    };
-
-    # ==== LDAP ===== #
-    services.openldap = {
-      enable = true;
-
-      urlList = [ "ldap:///" ];
-      settings = {
-        attrs = {
-          olcLogLevel = "conns config";
-        };
-
-        children = {
-          "cn=schema".includes = [
-            "${pkgs.openldap}/etc/schema/core.ldif"
-            "${pkgs.openldap}/etc/schema/cosine.ldif"
-            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-          ];
-
-          "olcDatabase={1}mdb" = {
-            attrs = {
-              objectClass = [
-                "olcDatabaseConfig"
-                "olcMdbConfig"
-              ];
-
-              olcDatabase = "{1}mdb";
-              olcDbDirectory = "/var/lib/openldap/data";
-
-              olcSuffix = ldapDomain;
-
-              olcRootDN = "cn=admin,${ldapDomain}";
-              olcRootPW.path = cfg.ldap.passwordFile;
-
-              olcAccess = [
-                ''
-                  {0}to attrs=userPassword
-                      by dn.exact="cn=admin,${ldapDomain}" read
-                      by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
-                      by self write
-                      by anonymous auth
-                      by * none
-                ''
-                ''
-                  {1}to *
-                      by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
-                      by * read
-                ''
-              ];
-            };
-
-            children = {
-              "olcOverlay={2}ppolicy".attrs = {
-                objectClass = [
-                  "olcOverlayConfig"
-                  "olcPPolicyConfig"
-                  "top"
-                ];
-                olcOverlay = "{2}ppolicy";
-                olcPPolicyHashCleartext = "TRUE";
-              };
-
-              "olcOverlay={3}memberof".attrs = {
-                objectClass = [
-                  "olcOverlayConfig"
-                  "olcMemberOf"
-                  "top"
-                ];
-                olcOverlay = "{3}memberof";
-                olcMemberOfRefInt = "TRUE";
-                olcMemberOfDangling = "ignore";
-                olcMemberOfGroupOC = "groupOfNames";
-                olcMemberOfMemberAD = "member";
-                olcMemberOfMemberOfAD = "memberOf";
-              };
-
-              "olcOverlay={4}refint".attrs = {
-                objectClass = [
-                  "olcOverlayConfig"
-                  "olcRefintConfig"
-                  "top"
-                ];
-                olcOverlay = "{4}refint";
-                olcRefintAttribute = "memberof member manager owner";
-              };
-            };
-          };
-        };
-      };
-    };
-
-    # ==== postsrsd ==== #
-    services.postsrsd = {
-      enable = true;
-      configurePostfix = true;
-      secretsFile = config.sops.secrets."postsrsd/secret".path;
-      settings = {
-        srs-domain = cfg.domain;
-        domains = [ cfg.domain ];
-      };
-    };
-
-    virtualisation = {
-      docker = {
-        enable = true;
-        rootless = {
-          enable = true;
-          setSocketVariable = true;
-        };
-      };
-      oci-containers = {
-        backend = "podman";
-        containers = {
-          phpLDAPadmin = {
-            extraOptions = [ "--network=host" ];
-            image = "phpldapadmin/phpldapadmin";
-            volumes = [
-              "/var/lib/pla/logs:/app/storage/logs"
-              "/var/lib/pla/sessions:/app/storage/framework/sessions"
-            ];
-            environment = {
-              APP_URL = "https://ldap.${cfg.domain}";
-              ASSET_URL = "https://ldap.${cfg.domain}";
-              APP_TIMEZONE = "Asia/Taipei";
-              LDAP_HOST = "127.0.0.1";
-              SERVER_NAME = ":8080";
-              LDAP_LOGIN_OBJECTCLASS = "inetOrgPerson";
-              LDAP_BASE_DN = "${ldapDomain}";
-              LDAP_LOGIN_ATTR = "dn";
-              LDAP_LOGIN_ATTR_DESC = "Username";
-            };
-            environmentFiles = [
-              cfg.ldap.webEnv
-            ];
-          };
-        };
-      };
-    };
-
-    # ===== Virtual Mail User ===== #
-    users.groups.vmail = {
-      gid = cfg.gid;
-    };
-
-    users.users.vmail = {
-      uid = cfg.uid;
-      group = "vmail";
-    };
-
-    services.nginx = {
-      enable = mkDefault true;
-      recommendedGzipSettings = mkDefault true;
-      recommendedOptimisation = mkDefault true;
-      recommendedTlsSettings = mkDefault true;
-      recommendedProxySettings = mkDefault true;
-
-      virtualHosts = {
-        "${config.services.postfix.settings.main.myhostname}" = {
-          enableACME = true;
-          forceSSL = true;
-          locations."/dovecot/ping".proxyPass = "http://localhost:${toString 5002}/ping";
-        };
-        "ldap.${cfg.domain}" = {
-          enableACME = true;
-          forceSSL = true;
-          locations."/".proxyPass = "http://localhost:${toString 8080}/";
-        };
-        "rspamd.${cfg.domain}" = mkIf config.services.rspamd.enable {
-          enableACME = true;
-          forceSSL = true;
-          locations."/".proxyPass = "http://localhost:${toString cfg.rspamd.port}/";
-        };
-        "${config.services.keycloak.settings.hostname}" = mkIf config.services.keycloak.enable {
-          enableACME = true;
-          forceSSL = true;
-          locations."/".proxyPass =
-            "http://localhost:${toString config.services.keycloak.settings.http-port}";
-          locations."/health".proxyPass =
-            "http://localhost:${toString config.services.keycloak.settings.http-management-port}/health";
-        };
-      };
-    };
-  };
-}

system/modules/nextcloud.nix

@@ -2,11 +2,10 @@
   hostname,
   adminpassFile,
   datadir ? null,
-  dataBackupPath ? null,
-  dbBackupPath ? null,
   https ? true,
   configureACME ? true,
-  trusted ? [ ],
+  trusted-domains ? [ ],
+  trusted-proxies ? [ ],
 }:
 {
   config,
@@ -17,9 +16,7 @@
 let
   inherit (lib) mkIf;
 
-  enableBackup = dataBackupPath != null || dbBackupPath != null;
-
-  nextcloudPkg = pkgs.nextcloud31.overrideAttrs (oldAttr: rec {
+  nextcloudPkg = pkgs.nextcloud32.overrideAttrs (oldAttr: rec {
     caBundle = config.security.pki.caBundle;
     postPatch = ''
       cp ${caBundle} resources/config/ca-bundle.crt
@@ -30,8 +27,8 @@ in
   imports = [
     "${
       fetchTarball {
-        url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
-        sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
+        url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/c3fdbf165814d403a8f8e81ff8e15adcbe7eadd0.tar.gz";
+        sha256 = "sha256:19w6m1k4a0f48k1mnvdjkvcc8cnrlqg65kvyqzhxpkp5dbph9nzg";
       }
     }/nextcloud-extras.nix"
   ];
@@ -54,7 +51,7 @@ in
     package = nextcloudPkg;
     configureRedis = true;
     hostName = hostname;
-    https = if https then true else false;
+    https = https;
     datadir = lib.mkIf (datadir != null) datadir;
     phpExtraExtensions =
       all: with all; [
@@ -65,19 +62,13 @@ in
       inherit (config.services.nextcloud.package.packages.apps)
         contacts
         calendar
-        tasks
         whiteboard
+        user_oidc
         ;
 
       camerarawpreviews = pkgs.fetchNextcloudApp {
-        url = "https://github.com/ariselseng/camerarawpreviews/releases/download/v0.8.7/camerarawpreviews_nextcloud.tar.gz";
-        sha256 = "sha256-aiMUSJQVbr3xlJkqOaE3cNhdZu3CnPEIWTNVOoG4HSo=";
-        license = "agpl3Plus";
-      };
-
-      user_oidc = pkgs.fetchNextcloudApp {
-        url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v7.2.0/user_oidc-v7.2.0.tar.gz";
-        sha256 = "sha256-nXDWfRP9n9eH+JGg1a++kD5uLMsXh5BHAaTAOgLI9W4=";
+        url = "https://github.com/ariselseng/camerarawpreviews/releases/download/v0.8.8/camerarawpreviews_nextcloud.tar.gz";
+        sha256 = "sha256-Pnjm38hn90oV3l4cPAnQ+oeO6x57iyqkm80jZGqDo1I=";
         license = "agpl3Plus";
       };
     };
@@ -92,8 +83,8 @@ in
     settings = {
       allow_local_remote_servers = true;
       log_type = "syslog";
-      trusted_proxies = trusted;
-      trusted_domains = trusted;
+      trusted_proxies = trusted-proxies;
+      trusted_domains = trusted-domains;
       enabledPreviewProviders = [
         "OC\\Preview\\BMP"
         "OC\\Preview\\GIF"
@@ -120,5 +111,4 @@ in
   environment.systemPackages = with pkgs; [
     exiftool
   ];
-
 }

system/modules/packages.nix

@@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  inputs,
+  system,
+  ...
+}:
+{
   environment.systemPackages = with pkgs; [
     file
 
@@ -46,5 +52,8 @@
 
     # Media
     vlc
+
+    # Search nixpkgs util
+    inputs.nix-search-tv.packages.${system}.default
   ];
 }

system/modules/presets/basic.nix

@@ -7,11 +7,11 @@
     ../bluetooth.nix
     ../display-manager.nix
     ../flatpak.nix
-    ../hyprland.nix
     ../obs-studio.nix
     ../plymouth.nix
     ../polkit.nix
     ../security.nix
+    ../hyprland.nix
   ];
 
   programs.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];

system/modules/programs.nix

@@ -36,7 +36,12 @@
     dconf.enable = true;
     zsh.enable = true;
     mtr.enable = true;
-    fish.enable = true;
+    fish = {
+      enable = true;
+      shellAliases = {
+        "ns" = "nix-search-tv print | fzf --preview 'nix-search-tv preview {}' --scheme history";
+      };
+    };
 
     # Set fish as default shell but not login shell
     bash = {

system/modules/services.nix

@@ -1,10 +1,12 @@
 {
   lib,
   pkgs,
-  username,
+  config,
   ...
 }:
-
+let
+  inherit (config.systemConf) username;
+in
 {
   networking = {
     firewall = {

system/modules/sops-nix.nix

@@ -1,6 +1,6 @@
 { config, ... }:
 let
-  defaultSopsFile = ../.. + "/system/dev/${config.networking.hostName}/secret.yaml";
+  defaultSopsFile = ../.. + "/system/dev/${config.networking.hostName}/sops/secret.yaml";
   ageKeyFile = "/var/lib/sops-nix/key.txt";
 in
 {

system/modules/stalwart.nix

@@ -3,7 +3,6 @@
   dbPassFile,
   dkimKey,
   ldapConf,
-  oidcConf,
   domain ? null,
   acmeConf ? null,
   enableNginx ? true,
@@ -102,17 +101,6 @@ in
       };
       acme."letsencrypt" = mkIf (acmeConf != null) acmeConf;
 
-      session.auth = {
-        mechanisms = "[plain login oauthbearer]";
-        directory = mkCondition "listener != 'smtp'" "'ldap'" false;
-        require = mkCondition "listener != 'smtp'" true false;
-      };
-
-      session.rcpt = {
-        relay = mkCondition "!is_empty(authenticated_as)" true false;
-        directory = "'*'";
-      };
-
       directory = {
         "in-memory" = {
           type = "memory";
@@ -129,7 +117,6 @@ in
         imap.lookup.domains = [
           domain
         ];
-        "oidc" = oidcConf;
       };
       authentication.fallback-admin = {
         user = "admin";

system/modules/stylix.nix

@@ -1,18 +1,17 @@
 {
   pkgs,
   config,
-  username,
-  inputs,
   ...
 }:
 let
+  inherit (config.systemConf) username;
+
   caskaydia = {
     name = "CaskaydiaCove Nerd Font Mono";
     package = pkgs.nerd-fonts.caskaydia-cove;
   };
 
   sf-pro-display-bold = pkgs.callPackage ../../pkgs/fonts/sf-pro-display-bold { };
-  # dfkai-sb = pkgs.callPackage ../../pkgs/fonts/dfkai-sb { src = inputs.kaiu-font; };
 in
 {
   stylix = {