✨ [pi4] Containerize Actual service

README.md

@@ -17,8 +17,6 @@ My NixOS configurations with dotfiles for my systems.
 | Runner | Rofi       |
 | Fetch  | Fastfetch  |
 
-Requires Nix-channel with [NixOS 24.11](https://nixos.org/)
-
 ## Commands
 
 First time run, will create a shell with the minimum dependencies in order to download the rest

flake.lock

@@ -9,11 +9,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736090999,
+        "lastModified": 1744557573,
-        "narHash": "sha256-B5CJuHqfJrzPa7tObK0H9669/EClSHpa/P7B9EuvElU=",
+        "narHash": "sha256-XAyj0iDuI51BytJ1PwN53uLpzTDdznPDQFG4RwihlTQ=",
         "owner": "aylur",
         "repo": "ags",
-        "rev": "5527c3c07d92c11e04e7fd99d58429493dba7e3c",
+        "rev": "3ed9737bdbc8fc7a7c7ceef2165c9109f336bff6",
         "type": "github"
       },
       "original": {
@@ -31,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1735172721,
+        "lastModified": 1742571008,
-        "narHash": "sha256-rtEAwGsHSppnkR3Qg3eRJ6Xh/F84IY9CrBBLzYabalY=",
+        "narHash": "sha256-5WgfJAeBpxiKbTR/gJvxrGYfqQRge5aUDcGKmU1YZ1Q=",
         "owner": "aylur",
         "repo": "astal",
-        "rev": "6c84b64efc736e039a8a10774a4a1bf772c37aa2",
+        "rev": "dc0e5d37abe9424c53dcbd2506a4886ffee6296e",
         "type": "github"
       },
       "original": {
@@ -44,16 +44,53 @@
         "type": "github"
       }
     },
+    "astal_2": {
+      "inputs": {
+        "nixpkgs": [
+          "hyprpanel",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748416910,
+        "narHash": "sha256-FEQcs58HL8Fe4i7XlqVEUwthjxwvRvgX15gTTfW17sU=",
+        "owner": "aylur",
+        "repo": "astal",
+        "rev": "c1bd89a47c81c66ab5fc6872db5a916c0433fb89",
+        "type": "github"
+      },
+      "original": {
+        "owner": "aylur",
+        "repo": "astal",
+        "type": "github"
+      }
+    },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "catppuccin": {
       "inputs": {
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1745598511,
+        "lastModified": 1748080874,
-        "narHash": "sha256-GWYB7PngGwTJrp7gr0w6E5nnvwiblPvN2kjRCQw3ZEg=",
+        "narHash": "sha256-sUebEzAkrY8Aq5G0GHFyRddmRNGP/a2iTtV7ISNvi/c=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "199cb288a85b15ed203089804c024ae5b3eacd7c",
+        "rev": "0ba11b12be81f0849a89ed17ab635164ea8f0112",
         "type": "github"
       },
       "original": {
@@ -62,16 +99,80 @@
         "type": "github"
       }
     },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": [
+          "simple-nixos-mailserver",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "simple-nixos-mailserver",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1742649964,
+        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "simple-nixos-mailserver",
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "grayjay": {
       "inputs": {
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1745469639,
+        "lastModified": 1748772835,
-        "narHash": "sha256-LNIzSWQ+xoVpanW4NKdN7Np8z9CtoU2+yXaztH1Upt4=",
+        "narHash": "sha256-p/hGSN1DOU/pELQi5PTds8eL+czjmb/0RvwvLm7nGC8=",
         "owner": "rishabh5321",
         "repo": "grayjay-flake",
-        "rev": "da25d4ae2cd44954d6655ceb4781e766c2b1cccb",
+        "rev": "998cbc285d936a45daf07414d03db3f60c133caa",
         "type": "github"
       },
       "original": {
@@ -87,16 +188,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1745557122,
+        "lastModified": 1748665073,
-        "narHash": "sha256-eqSo9ugzsqhFgaDFYUZj943nurlX4L6f+AW0skJ4W+M=",
+        "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "dd26f75fb4ec1c731d4b1396eaf4439ce40a91c1",
+        "rev": "282e1e029cb6ab4811114fc85110613d72771dea",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-24.11",
+        "ref": "release-25.05",
         "repo": "home-manager",
         "type": "github"
       }
@@ -125,14 +226,15 @@
     "hyprpanel": {
       "inputs": {
         "ags": "ags",
+        "astal": "astal_2",
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1744513377,
+        "lastModified": 1748962037,
-        "narHash": "sha256-2ocy+qAVxTBmaK8MpAy7mpKIH+DYEzwf+KzXZX83oZ4=",
+        "narHash": "sha256-MkrOyZ6CqTzzmlfmvkPiezy51hG96xqucrR38xQpK/0=",
         "owner": "Jas-SinghFSU",
         "repo": "HyprPanel",
-        "rev": "42943b3def85d8787d703778951944c8e791202b",
+        "rev": "8422c6b80526f8289a30b93cb5b354d9f007141d",
         "type": "github"
       },
       "original": {
@@ -157,29 +259,45 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
+    "nixpkgs-25_05": {
       "locked": {
-        "lastModified": 1745487689,
+        "lastModified": 1747610100,
-        "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=",
+        "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3",
+        "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1748889542,
+        "narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1745526057,
+        "lastModified": 1748693115,
-        "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=",
+        "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f771eb401a46846c1aebd20552521b233dd7e18b",
+        "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
         "type": "github"
       },
       "original": {
@@ -191,11 +309,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1745234285,
+        "lastModified": 1748693115,
-        "narHash": "sha256-GfpyMzxwkfgRVN0cTGQSkTC0OHhEkv3Jf6Tcjm//qZ0=",
+        "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c11863f1e964833214b767f4a369c6e6a7aba141",
+        "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
         "type": "github"
       },
       "original": {
@@ -207,11 +325,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1736344531,
+        "lastModified": 1748370509,
-        "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
+        "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
+        "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
         "type": "github"
       },
       "original": {
@@ -223,21 +341,37 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1745487689,
+        "lastModified": 1748889542,
-        "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=",
+        "narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3",
+        "rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1747179050,
+        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_6": {
       "locked": {
         "lastModified": 1743448293,
         "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=",
@@ -262,11 +396,35 @@
         "nixpkgs": "nixpkgs_4",
         "nixpkgs-stable": "nixpkgs-stable",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
         "sops-nix": "sops-nix",
         "spicetify-nix": "spicetify-nix",
         "zen-browser": "zen-browser"
       }
     },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs_5",
+        "nixpkgs-25_05": "nixpkgs-25_05"
+      },
+      "locked": {
+        "lastModified": 1747965231,
+        "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "53007af63fade28853408370c4c600a63dd97f41",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-25.05",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
@@ -274,11 +432,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745310711,
+        "lastModified": 1747603214,
-        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
         "owner": "mic92",
         "repo": "sops-nix",
-        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
         "type": "github"
       },
       "original": {
@@ -295,11 +453,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1745727291,
+        "lastModified": 1748752728,
-        "narHash": "sha256-YW/V93WgJur6a3BVa1jynlKr2pyZlEpiXXjQjpSHc5s=",
+        "narHash": "sha256-en008ncPUQjVx2i3PbM4RWeZkD9DNbJwIy0epppXe2o=",
         "owner": "Gerg-L",
         "repo": "spicetify-nix",
-        "rev": "9e5c7a2e7f1ab3118ec9b7179eb28667a3575f0e",
+        "rev": "0e03de40d5128eb2ad600c98f57cf5db2cdf3240",
         "type": "github"
       },
       "original": {
@@ -326,14 +484,14 @@
     "zen-browser": {
       "inputs": {
         "home-manager": "home-manager_2",
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1745757285,
+        "lastModified": 1748920570,
-        "narHash": "sha256-kDCv++sAfALKJM4unFdX6Pz3R4y2twchJ8lSLOIOkbQ=",
+        "narHash": "sha256-m7EshkqPxa3IxN/qwxP1LlMlRdn37aiK0hghDieho8A=",
         "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "e70d270a3927d8e78254ad049908b3535ba40f73",
+        "rev": "ff5bf0bcf588e8c1d0f5fcd635b0c8e1cce8aee5",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,17 +5,17 @@
     #
     # ========= Official NixOS and HM Package Sources =========
     #
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     # The next two are for pinning to stable vs unstable regardless of what the above is set to
     # This is particularly useful when an upcoming stable release is in beta because you can effectively
     # keep 'nixpkgs-stable' set to stable for critical packages while setting 'nixpkgs' to the beta branch to
     # get a jump start on deprecation changes.
     # See also 'stable-packages' and 'unstable-packages' overlays at 'overlays/default.nix"
-    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-24.11";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -31,6 +31,7 @@
     catppuccin.url = "github:catppuccin/nix";
     # Bar
     hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
     # Spotify
     spicetify-nix = {
       url = "github:Gerg-L/spicetify-nix";
@@ -47,6 +48,7 @@
       self,
       nixpkgs,
       home-manager,
+      simple-nixos-mailserver,
       ...
     }@inputs:
     let
@@ -72,28 +74,51 @@
       systems = builtins.map (config: defaultAttrs // config) [
         {
           hostName = "desktop";
-          system = "x86_64-linux";
           nvidia.enable = true;
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSzXyTuQyTrWsfORQbvgrqt/33+hfSUDXeMg6D1T2wz";
         }
         {
           hostName = "thinkpad";
-          system = "x86_64-linux";
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNlHKE/BD8kKfhJD7GBk1A3whZf3gTjk9VEgGAj3qsH";
         }
         {
           hostName = "pi4";
           system = "aarch64-linux";
           wayland.enable = false;
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJE9m7YiITe1sDqSZ7Pa8luIw3WToLsypixZEqE4wCQE";
+          address.private = common.localIpAddr 188;
+        }
+        {
+          hostName = "homelab";
+          wayland.enable = false;
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARDv5nRlfPDXdV+Db4FaqeSJZ3/3MO0frYGzuVeqYAl";
+          address.private = common.localIpAddr 231;
+          address.tailnet = common.tailnetAddr "admin";
         }
-        # TODO Homelab config
       ];
 
       defaultAttrs = {
+        hostName = builtins.abort "hostName is required";
+        system = "x86_64-linux";
         username = common.username;
         version = common.system.version;
         wayland.enable = true;
         nvidia.enable = false;
       };
 
+      knownSystems = [
+        {
+          # Samsung S23 FE
+          hostName = "localhost-y4maoyqm";
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7SSjiqnjif1Kko60iXVTKJ7a1/lRlR8TFNtoclNcnQ";
+        }
+        {
+          # OnePlus 8
+          hostName = "localhost-4izgka9k";
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALtulVgLrUEpKnpfPFQTHjaEXTxs2Q818NC18eLx0bj";
+        }
+      ];
+
     in
     {
       #
@@ -126,6 +151,8 @@
                   theme
                   lib
                   systemConfig
+                  systems
+                  knownSystems
                   ;
                 isDarwin = false;
               };
@@ -145,6 +172,7 @@
                         theme
                         libHm
                         systemConfig
+                        systems
                         ;
                     };
                     users.${username} = import ./hosts/${hostName}/home-manager;

hosts/desktop/default.nix

@@ -6,10 +6,10 @@
 
 {
   imports = [
-    (lib.custom.relativeToRoot "shared/modules")
+    (lib.custom.relativeToDesktop "modules")
     ./bluetooth.nix
     ./hardware-configuration.nix
   ];
 
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelPackages = pkgs.linuxPackages_6_14;
 }

hosts/desktop/home-manager/default.nix

@@ -5,7 +5,7 @@
 
 {
   imports = [
-    (lib.custom.relativeToRoot "shared/home-manager")
+    (lib.custom.relativeToDesktop "home-manager")
     ./hyprpaper.nix
     ./settings.nix
   ];

hosts/pi4/actual.nix

@@ -0,0 +1,42 @@
+{ config, common, ... }:
+let
+  domain = "beta.budget.${common.domain}";
+in
+{
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "ve-*" ];
+    externalInterface = "wlan0";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.actual = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.10.188";
+    localAddress = "192.168.10.11";
+    config =
+      { ... }:
+      {
+        services = {
+          actual = {
+            enable = true;
+            settings = {
+              port = 8084;
+              loginMethod = "password";
+            };
+          };
+        };
+        system.stateVersion = common.system.version;
+      };
+  };
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${config.containers.actual.localAddress}:8084";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/pi4/caddy.nix

@@ -0,0 +1,91 @@
+{ common, ... }:
+let
+  domain = common.domain;
+in
+{
+  services.caddy = {
+    enable = false;
+    email = "cert@${domain}";
+    virtualHosts =
+      let
+        localProxy = proxyTo "localhost";
+        homelabProxy = proxyTo "192.168.10.231";
+        proxyTo = ip: port: "reverse_proxy ${ip}:${builtins.toString port}";
+        redirect = subdomain: "redir https://${subdomain}.${domain}{uri}";
+      in
+      {
+        "beta.${domain}".extraConfig = ''
+          redir https://${domain}{uri}
+        '';
+        "git.${domain}".extraConfig = ''
+          ${redirect "code"}
+        '';
+        "kitchenowl.${domain}".extraConfig = ''
+          ${redirect "grocery"}
+        '';
+        # Gitea
+        "code.${domain}".extraConfig = ''
+          ${homelabProxy 3000}
+        '';
+        # Forgejo
+        "beta.code.${domain}".extraConfig = ''
+          ${localProxy 8001}
+        '';
+        # Nextcloud
+        "nextcloud.${domain}".extraConfig = ''
+          redir /.well-known/carddav /remote.php/dav 301
+          redir /.well-known/caldav /remote.php/dav 301
+          ${homelabProxy 11000}
+        '';
+        # Kitchenowl
+        "grocery.${domain}".extraConfig = ''
+          ${homelabProxy 800}
+        '';
+        # Actual Budget
+        "budget.${domain}".extraConfig = ''
+          ${homelabProxy 5006}
+        '';
+        # Uptime Kuma
+        "status.${domain}".extraConfig = ''
+          ${homelabProxy 3001}
+        '';
+        # Headscale
+        "vpn.${domain}".extraConfig = ''
+          reverse_proxy /web* 192.168.10.231:8084
+          reverse_proxy * 192.168.10.231:8082
+        '';
+        # Headscale SmartDNS
+        "dns.${domain}".extraConfig = ''
+          ${homelabProxy 8082}
+        '';
+        # FreshRSS
+        "rss.${domain}".extraConfig = ''
+          ${homelabProxy 8085}
+        '';
+        # Ente backend
+        "api.ente.${domain}".extraConfig = ''
+          ${homelabProxy 8083}
+        '';
+        # Ente Photos frontend
+        "ente.${domain}".extraConfig = ''
+          ${homelabProxy 3003}
+        '';
+        # Ente Auth frontend
+        "mfa.${domain}".extraConfig = ''
+          ${homelabProxy 3004}
+        '';
+        # Homepage / portfolio
+        "${domain}".extraConfig = ''
+          ${homelabProxy 4321}
+        '';
+        # Yamtrack
+        "track.${domain}".extraConfig = ''
+          ${homelabProxy 8090}
+        '';
+        # Donetick
+        "chore.${domain}".extraConfig = ''
+          ${homelabProxy 2021}
+        '';
+      };
+  };
+}

hosts/pi4/default.nix

@@ -1,31 +1,19 @@
-{
+{ lib, ... }:
-  lib,
-  config,
-  systemConfig,
-  ...
-}:
 
 {
   imports = with lib.custom; [
-    (relativeToRoot "shared/modules/nix-helper.nix")
+    (relativeToBase "modules")
-    (relativeToRoot "shared/modules/nixos.nix")
+    ./actual.nix
-    (relativeToRoot "shared/modules/shell.nix")
-    (relativeToRoot "shared/modules/security/sops.nix")
     ./boot.nix
-    ./development.nix
+    ./caddy.nix
+    ./forgejo.nix
     ./hardware.nix
-    ./networking.nix
+    ./headscale.nix
+    ./mailserver.nix
+    ./nextcloud.nix
+    ./nginx.nix
+    ./podman.nix
+    ./postgres.nix
     ./security
   ];
-
-  system.stateVersion = systemConfig.version;
-
-  users = {
-    mutableUsers = false;
-    users.${systemConfig.username} = {
-      isNormalUser = true;
-      hashedPasswordFile = config.sops.secrets.password.path;
-      extraGroups = [ "wheel" ];
-    };
-  };
 }

hosts/pi4/development.nix

@@ -1,11 +0,0 @@
-{ pkgs, lib, ... }:
-
-{
-  imports = [
-    (lib.custom.relativeToRoot "shared/modules/development/formatters.nix")
-  ];
-
-  environment.systemPackages = with pkgs; [
-    just
-  ];
-}

hosts/pi4/forgejo.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  pkgs,
+  lib,
+  systemConfig,
+  common,
+  ...
+}:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+  domain = "beta.code.${common.domain}";
+  passwordKey = "forgejo/admin-pass";
+  runnerTokenKey = "forgejo/runner-token";
+in
+{
+  services = {
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString srv.HTTP_PORT}";
+      serverAliases = [ "beta.git.${common.domain}" ];
+    };
+
+    forgejo = {
+      enable = true;
+      database.type = "postgres";
+      # Enable support for Git Large File Storage
+      lfs.enable = true;
+
+      secrets.mailer.PASSWD = config.sops.secrets."mailserver/password-hash".path;
+
+      settings = {
+        server = {
+          DOMAIN = domain;
+          # You need to specify this to remove the port from URLs in the web UI.
+          ROOT_URL = "https://${domain}/";
+          HTTP_PORT = 8002;
+        };
+        # You can temporarily allow registration to create an admin user.
+        service.DISABLE_REGISTRATION = true;
+        # Add support for actions, based on act: https://github.com/nektos/act
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+        # Sending emails is completely optional
+        # You can send a test email from the web UI at:
+        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
+        mailer = lib.mkIf config.mailserver.enable {
+          ENABLED = true;
+          PROTOCOL = "smtps";
+          SMTP_ADDR = config.mailserver.fqdn;
+          FROM = "noreply-forgejo@${common.domain}";
+          USER = "${systemConfig.username}@${common.domain}";
+        };
+      };
+    };
+    gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = "monolith";
+        url = "https://${domain}";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+        tokenFile = config.sops.secrets.${runnerTokenKey}.path;
+        labels = [
+          "docker:docker://node:20-bullseye"
+          "native:host"
+        ];
+      };
+    };
+  };
+
+  sops.secrets = {
+    ${passwordKey}.owner = "forgejo";
+    ${runnerTokenKey}.owner = "forgejo";
+  };
+
+  # Create a single admin user / update password if exists
+  systemd.services.forgejo.preStart =
+    let
+      adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+      pwd = config.sops.secrets.${passwordKey};
+      user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
+      email = "git@${common.domain}";
+    in
+    ''
+      ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+      ## Alter an existing user. Will prompt new password on login
+      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+    '';
+}

hosts/pi4/headscale.nix

@@ -0,0 +1,66 @@
+{
+  config,
+  common,
+  ...
+}:
+let
+  cfg = config.services.headscale;
+
+  domain = "beta.vpn.${common.domain}";
+  dnsDomain = "secure.${common.domain}";
+in
+{
+  networking.firewall = {
+    trustedInterfaces = [ config.services.tailscale.interfaceName ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
+
+  services = {
+    headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8083;
+      settings = {
+        database = {
+          postgres = {
+            host = "/run/postgresql";
+            name = "headscale";
+            port = config.services.postgresql.settings.port;
+            user = cfg.user;
+          };
+          type = "postgres";
+        };
+        dns = {
+          base_domain = dnsDomain;
+          magic_dns = true;
+        };
+        logtail.enabled = false;
+        server_url = "https://${domain}";
+      };
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyWebsockets = true;
+      };
+    };
+
+    postgresql =
+      let
+        psql = cfg.settings.database.postgres;
+      in
+      {
+        ensureDatabases = [ psql.name ];
+        ensureUsers = [
+          {
+            name = psql.user;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+  };
+
+}

hosts/pi4/home-manager/default.nix

@@ -1,33 +1,9 @@
-{
+{ lib, ... }:
-  lib,
-  inputs,
-  outputs,
-  systemConfig,
-  ...
-}:
 
 {
-  imports = [
+  imports = with lib.custom; [
-    inputs.catppuccin.homeModules.catppuccin
+    (relativeToBase "home-manager")
-    (lib.custom.relativeToRoot "shared/home-manager/development/git.nix")
-    (lib.custom.relativeToRoot "shared/home-manager/development/helix.nix")
-    (lib.custom.relativeToRoot "shared/home-manager/shell/btop.nix")
-    (lib.custom.relativeToRoot "shared/home-manager/shell/eza.nix")
-    (lib.custom.relativeToRoot "shared/home-manager/shell/fastfetch.nix")
-    (lib.custom.relativeToRoot "shared/home-manager/shell/fish.nix")
-    (lib.custom.relativeToRoot "shared/home-manager/shell/zoxide.nix")
-    (lib.custom.relativeToRoot "shared/home-manager/gpg.nix")
   ];
 
-  home.stateVersion = systemConfig.version;
+  programs.git.signing.key = "E3FA0E995C0D0E5E";
-
-  # Adds pkgs.unstable in order to fetch packages from unstable repositories
-  nixpkgs.overlays = [ outputs.overlays.unstable-packages ];
-
-  programs = {
-    git.signing.key = "E3FA0E995C0D0E5E";
-    # Let Home Manager install and manage itself.
-    home-manager.enable = true;
-  };
-
 }

hosts/pi4/mailserver.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  inputs,
+  common,
+  systemConfig,
+  ...
+}:
+let
+  passwordHashKey = "mailserver/password-hash";
+in
+{
+  imports = [
+    inputs.simple-nixos-mailserver.nixosModule
+  ];
+
+  mailserver = {
+    enable = true;
+    # stateVersion = 1; TODO uncomment on 25.11
+    fqdn = "mail.${common.domain}";
+    domains = [
+      common.domain
+    ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+    loginAccounts = {
+      "${systemConfig.username}@${common.domain}" = {
+        hashedPasswordFile = config.sops.secrets.${passwordHashKey}.path;
+      };
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = "acme-nginx";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    25
+    465
+    587
+  ];
+
+  sops.secrets.${passwordHashKey}.neededForUsers = true;
+}

hosts/pi4/nextcloud.nix

@@ -0,0 +1,90 @@
+# https://mich-murphy.com/configure-nextcloud-nixos/
+{
+  pkgs,
+  config,
+  common,
+  ...
+}:
+let
+  adminPassKey = "nextcloud/admin-pass";
+  domain = "beta.nextcloud.${common.domain}";
+  dbname = "nextcloud";
+  dbuser = dbname;
+in
+{
+  security.acme = {
+    acceptTerms = true;
+    certs.${config.services.nextcloud.hostName}.email = "acme@${common.domain}";
+  };
+
+  services = {
+    nextcloud = {
+      enable = true;
+
+      autoUpdateApps.enable = true;
+
+      config = {
+        adminpassFile = config.sops.secrets.${adminPassKey}.path;
+        dbtype = "pgsql";
+        dbname = dbname;
+        dbuser = dbuser;
+        # default directory for postgresql, ensures automatic setup of db
+        dbhost = "/run/postgresql";
+        adminuser = "admin";
+      };
+
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps)
+          contacts
+          deck
+          notes
+          tasks
+          ;
+      };
+      extraAppsEnable = true;
+
+      hostName = domain;
+      https = true;
+
+      maxUploadSize = "0"; # No max limit
+      package = pkgs.nextcloud31;
+
+      settings = {
+        default_phone_region = "NO";
+        trusted_domains = [
+          domain
+        ];
+      };
+    };
+
+    nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+      forceSSL = true;
+      enableACME = true;
+    };
+
+    postgresql = {
+      ensureDatabases = [ dbname ];
+      ensureUsers = [
+        {
+          name = dbuser;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    postgresqlBackup = {
+      enable = true;
+      location = "/data/backup/nextclouddb";
+      databases = [ dbname ];
+      # time to start backup in systemd.time format
+      startAt = "*-*-* 23:15:00";
+    };
+  };
+
+  sops.secrets.${adminPassKey}.neededForUsers = true;
+
+  # ensure postgresql db is started with nextcloud
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+}

hosts/pi4/nginx.nix

@@ -0,0 +1,93 @@
+{
+  common,
+  ...
+}:
+let
+  domain = common.domain;
+  proxyTo = address: port: {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "${address}:${builtins.toString port}";
+  };
+  proxyLocations = locations: {
+    enableACME = true;
+    forceSSL = true;
+    inherit locations;
+  };
+  homelab = "http://${common.localIpAddr 231}";
+  homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
+  redirect = subdomain: {
+    enableACME = true;
+    forceSSL = true;
+    globalRedirect = if subdomain == "" then domain else "${subdomain}.${domain}";
+  };
+in
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      # Beta is currently stable
+      "www.${domain}" = redirect "";
+      "beta.${domain}" = redirect "";
+      "git.${domain}" = redirect "code";
+      "kitchenowl.${domain}" = redirect "grocery";
+      # Gitea
+      "code.${domain}" = homelabProxy 3000;
+      # Nextcloud
+      "nextcloud.${domain}" = proxyLocations {
+        "/".proxyPass = "${homelab}:11000";
+        "/.well-known/carddav".return = "301 /remote.php/dav";
+        "/.well-known/caldav".return = "301 /remote.php/dav";
+      };
+      # Kitchenowl
+      "grocery.${domain}" = homelabProxy 800;
+      # Actual budget
+      "budget.${domain}" = homelabProxy 5006;
+      # Uptime Kuma
+      "status.${domain}" = homelabProxy 3001;
+      # Headscale
+      "vpn.${domain}" = proxyLocations {
+        "/web".proxyPass = "${homelab}:8084";
+        "/" = {
+          proxyPass = "${homelab}:8082";
+          extraConfig = ''
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_redirect http:// https://;
+            proxy_buffering off;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          '';
+        };
+      };
+      # Headscale SmartDNS
+      "dns.${domain}" = homelabProxy 8082;
+      # FreshRSS
+      "rss.${domain}" = homelabProxy 8085;
+      # Ente backend
+      "api.ente.${domain}" = homelabProxy 8083;
+      # Ente Photos frontend
+      "ente.${domain}" = homelabProxy 3003;
+      # Ente Auth frontend
+      "mfa.${domain}" = homelabProxy 3004;
+      # Homepage / portfolio
+      "${domain}" = homelabProxy 4321;
+      # Yamtrack
+      "track.${domain}" = homelabProxy 8090;
+      # Donetick
+      "chore.${domain}" = homelabProxy 2021;
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@${domain}";
+  };
+}

hosts/pi4/podman.nix

@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+
+{
+  virtualisation = {
+    # Enable common container config files in /etc/containers
+    containers.enable = true;
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  # Useful other development tools
+  environment.systemPackages = with pkgs; [
+    podman-tui # status of containers in the terminal
+    podman-compose # start group of containers for dev
+  ];
+}

hosts/pi4/postgres.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser        auth-method
+      local all       all           trust
+    '';
+  };
+}

hosts/pi4/security/default.nix

@@ -3,12 +3,5 @@
     ./firewall.nix
   ];
 
-  programs.gnupg.agent = {
+  services.pcscd.enable = true;
-    enable = true;
-    enableSSHSupport = true;
-  };
-  services = {
-    pcscd.enable = true;
-    gnome.gnome-keyring.enable = true;
-  };
 }

hosts/pi4/security/firewall.nix

@@ -1,15 +1,15 @@
+{ common, ... }:
+
 {
   networking = {
     firewall = {
       enable = true;
-      trustedInterfaces = [ "tailscale0" ];
+      allowedTCPPorts = [
-      extraInputRules =
+        80
-        let
+        443
-          localIPv4Range = "192.168.10.0/24";
+      ];
-        in
+      extraInputRules = ''
-        ''
+        ip saddr ${common.localIpRange} accept
-          ip saddr ${localIPv4Range} tcp dport 22 accept
-          ip saddr ${localIPv4Range} udp dport 22 accept
       '';
     };
     nftables.enable = true;

hosts/thinkpad/default.nix

@@ -6,7 +6,7 @@
 
 {
   imports = [
-    (lib.custom.relativeToRoot "shared/modules")
+    (lib.custom.relativeToDesktop "modules")
     ./battery.nix
     ./bluetooth.nix
     ./hardware-configuration.nix

hosts/thinkpad/home-manager/default.nix

@@ -5,7 +5,7 @@
 
 {
   imports = [
-    (lib.custom.relativeToRoot "shared/home-manager")
+    (lib.custom.relativeToDesktop "home-manager")
     ./hyprland
     ./zen
   ];

justfile

@@ -34,11 +34,9 @@ switch *FLAGS:
 switch-now *FLAGS:
     nh os switch . {{FLAGS}}
 
-update-all:
+update-all *FLAGS:
-    nix-channel --update
     nix flake update
-
+    just switch {{FLAGS}}
-    just switch
 
 update PKG:
     nix flake update {{PKG}}
@@ -69,6 +67,10 @@ generate-age-from-ssh:
 get-public-age-key:
     nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt
 
+# Get the public ssh key from the current user
+get-public-ssh-key:
+    cat ~/.ssh/id_ed25519.pub
+
 # Edit the SOPS secrets file
 edit-secrets:
     nix run nixpkgs#sops -- shared/secrets/secrets.yaml

lib/default.nix

@@ -1,16 +1,19 @@
 # FIXME(lib.custom): Add some stuff from hmajid2301/dotfiles/lib/module/default.nix, as simplifies option declaration
 { lib, ... }:
+with builtins;
 
 {
-  getSecret = with lib.strings; filePath: trim (removeSuffix "\n" (builtins.readFile filePath));
+  getSecret = with lib.strings; filePath: trim (removeSuffix "\n" (readFile filePath));
 
   # use path relative to the root of the project
   relativeToRoot = lib.path.append ../.;
+  relativeToBase = lib.path.append ../shared/base;
+  relativeToDesktop = lib.path.append ../shared/desktop;
 
   scanPaths =
     path:
-    builtins.map (f: (path + "/${f}")) (
+    map (f: (path + "/${f}")) (
-      builtins.attrNames (
+      attrNames (
         lib.attrsets.filterAttrs (
           path: _type:
           (_type == "directory") # include directories
@@ -18,7 +21,7 @@
             (path != "default.nix") # ignore default.nix
             && (lib.strings.hasSuffix ".nix" path) # include .nix files
           )
-        ) (builtins.readDir path)
+        ) (readDir path)
       )
     );
 }

shared/base/home-manager/default.nix

@@ -0,0 +1,12 @@
+{ inputs, ... }:
+
+{
+  imports = [
+    inputs.catppuccin.homeModules.catppuccin
+    ./development
+    ./shell
+    ./gpg.nix
+    ./home-manager.nix
+    ./ssh.nix
+  ];
+}

shared/base/home-manager/development/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./git.nix
+    ./helix.nix
+  ];
+}

shared/base/home-manager/development/git.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, common, ... }:
 
 {
   home.packages = with pkgs; [
@@ -14,7 +14,7 @@
       enable = true;
       package = package;
       userName = "Martin Berg Alstad";
-      userEmail = "git@martials.no";
+      userEmail = "git@${common.domain}";
 
       aliases = {
         amend = "commit --amend";

shared/base/home-manager/gpg.nix

@@ -5,6 +5,6 @@
   services.gpg-agent = {
     enable = true;
     enableFishIntegration = true;
-    pinentryPackage = pkgs.pinentry-curses;
+    pinentry.package = pkgs.pinentry-curses;
   };
 }

shared/base/home-manager/home-manager.nix

@@ -0,0 +1,16 @@
+{
+  systemConfig,
+  common,
+  ...
+}:
+
+{
+  home = {
+    username = systemConfig.username;
+    homeDirectory = common.dir.home;
+    stateVersion = systemConfig.version;
+  };
+
+  # Let Home Manager install and manage itself.
+  programs.home-manager.enable = true;
+}

shared/base/home-manager/shell/bat.nix

@@ -0,0 +1,13 @@
+{ theme, ... }:
+
+{
+  catppuccin.bat = {
+    enable = true;
+    flavor = theme.flavor;
+  };
+
+  programs = {
+    bat.enable = true;
+    fish.shellAliases.cat = "bat";
+  };
+}

shared/base/home-manager/shell/default.nix

@@ -1,12 +1,11 @@
 {
   imports = [
+    ./bat.nix
     ./btop.nix
-    ./cava
     ./eza.nix
     ./fastfetch.nix
     ./fish.nix
     ./fzf.nix
-    ./yazi
     ./zoxide.nix
   ];
 }

shared/base/home-manager/ssh.nix

@@ -0,0 +1,32 @@
+# ~/.ssh/config
+{
+  systemConfig,
+  systems,
+  common,
+  ...
+}:
+with builtins;
+
+{
+  programs.ssh = {
+    enable = true;
+    matchBlocks = listToAttrs (
+      map (system: {
+        name = system.hostName;
+        value =
+          let
+            hostName =
+              if (system ? address && system.address ? tailnet) then
+                system.address.tailnet
+              else
+                common.tailnetAddr system.hostName;
+          in
+          {
+            port = 22;
+            user = systemConfig.username;
+            hostname = hostName;
+          };
+      }) systems
+    );
+  };
+}

shared/base/modules/default.nix

@@ -0,0 +1,11 @@
+{
+  imports = [
+    ./development
+    ./networking.nix
+    ./nix-helper.nix
+    ./nixos.nix
+    ./security
+    ./shell.nix
+    ./users.nix
+  ];
+}

shared/base/modules/development/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./formatters.nix
+    ./nix.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    git
+    just
+  ];
+}

shared/base/modules/networking.nix

@@ -1,11 +1,17 @@
-{ systemConfig, ... }:
+{ pkgs, systemConfig, ... }:
 
 {
+  environment.systemPackages = with pkgs; [
+    wget
+  ];
+
   networking = {
-    hostName = systemConfig.hostName;
     networkmanager.enable = true;
+    hostName = systemConfig.hostName;
   };
 
+  programs.ssh.enableAskPassword = false;
+
   services = {
     openssh.enable = true;
     tailscale.enable = true;

shared/base/modules/nixos.nix

@@ -21,5 +21,8 @@
     overlays = [ outputs.overlays.unstable-packages ];
   };
 
-  system.stateVersion = systemConfig.version;
+  system = {
+    rebuild.enableNg = true;
+    stateVersion = systemConfig.version;
+  };
 }

shared/base/modules/security/default.nix

@@ -1,7 +1,8 @@
 {
   imports = [
+    ./keyring.nix
     ./sops.nix
-    ./yubikey.nix
+    ./ssh.nix
   ];
 
   programs.gnupg.agent.enable = true;

shared/base/modules/security/keyring.nix

@@ -0,0 +1,3 @@
+{
+  services.gnome.gnome-keyring.enable = true;
+}

shared/base/modules/security/sops.nix

@@ -15,6 +15,6 @@
     defaultSopsFormat = "yaml";
 
     age.keyFile = "/home/${systemConfig.username}/.config/sops/age/keys.txt";
-    secrets.password.neededForUsers = true;
+    secrets.password-hash.neededForUsers = true;
   };
 }

shared/base/modules/security/ssh.nix

@@ -0,0 +1,33 @@
+# /nix/store/<hash>/etc/ssh/ssh_config & /nix/store/<hash>/etc/ssh/authorized_keys
+{
+  systemConfig,
+  systems,
+  knownSystems,
+  common,
+  ...
+}:
+with builtins;
+let
+  allSystems = knownSystems ++ systems;
+in
+{
+  programs.ssh.knownHosts = listToAttrs (
+    map (system: {
+      name = system.hostName;
+      value = {
+        extraHostNames = [
+          (
+            if (system ? address && system.address ? tailnet) then
+              system.address.tailnet
+            else
+              common.tailnetAddr system.hostName
+          )
+        ];
+        publicKey = system.ssh.publicKey;
+      };
+    }) allSystems
+  );
+  users.users.${systemConfig.username}.openssh.authorizedKeys.keys = (
+    map (system: system.ssh.publicKey) allSystems
+  );
+}

shared/base/modules/users.nix

@@ -0,0 +1,18 @@
+{ config, systemConfig, ... }:
+let
+  username = systemConfig.username;
+in
+{
+  users = {
+    mutableUsers = false;
+    users.${username} = {
+      isNormalUser = true;
+      hashedPasswordFile = config.sops.secrets.password-hash.path;
+      description = username;
+      extraGroups = [
+        "networkmanager"
+        "wheel"
+      ];
+    };
+  };
+}

shared/common.nix

@@ -13,6 +13,13 @@ rec {
     pictures = "${dir.home}/Pictures";
   };
 
+  domain = "martials.no";
+  tailnetDomain = "dns.${domain}";
+  localIpPrefix = "192.168.10.";
+  localIpRange = "${localIpPrefix}0/24";
+  localIpAddr = subAddr: "${localIpPrefix}${builtins.toString subAddr}";
+  tailnetAddr = host: "${host}.${tailnetDomain}";
+
   keymaps = {
     layout = "gb,no";
     options = "grp:alt_shift_toggle"; # Toggle using ALT + SHIFT
@@ -28,5 +35,5 @@ rec {
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.version = "24.11";
+  system.version = "25.05";
 }

shared/desktop/home-manager/default.nix

@@ -0,0 +1,31 @@
+{
+  lib,
+  common,
+  ...
+}:
+let
+  dir = common.dir;
+in
+{
+  imports = [
+    (lib.custom.relativeToBase "home-manager")
+    ./development
+    ./hyprland
+    ./media
+    ./rofi
+    ./shell
+    ./zen
+    ./cursors.nix
+    ./default-applications.nix
+    ./freetube.nix
+    ./gtk.nix
+    ./kitty.nix
+    ./nextcloud.nix
+    ./sioyek.nix
+    ./spicetify.nix
+  ];
+
+  home.sessionVariables = {
+    XDG_PICTURES_DIR = dir.pictures; # Define the default dir for pictures
+  };
+}

shared/desktop/home-manager/development/default.nix

@@ -1,7 +1,5 @@
 {
   imports = [
-    ./git.nix
-    ./helix.nix
     ./zed.nix
   ];
   # TODO set Wayland vmOptions in Jetbrains products, Requires current installed version in path

shared/desktop/home-manager/development/zed.nix

@@ -19,7 +19,7 @@
         fontSize = 14;
       in
       {
-        assistant = {
+        agent = {
           default_model = {
             provider = "ollama";
             model = "deepseek-r1:8b";

shared/desktop/home-manager/hyprland/hyprlock/default.nix

@@ -78,7 +78,7 @@
         fail_color = "${theme.redRgb}";
         fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>";
         capslock_color = "${theme.yellowRgb}";
-        position = "0, -47"; # TODO change to use % at 25.05
+        position = "0, -5%";
         halign = "center";
         valign = "center";
       };

shared/desktop/home-manager/hyprland/settings.nix

@@ -9,6 +9,11 @@ let
 in
 {
   wayland.windowManager.hyprland.settings = {
+    ecosystem = {
+      no_update_news = true;
+      no_donation_nag = true;
+    };
+
     monitor = [
       ", preferred, auto, 1"
     ];

shared/desktop/home-manager/shell/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./cava
+    ./yazi
+  ];
+}

shared/desktop/home-manager/shell/yazi/default.nix

@@ -14,7 +14,7 @@
     enable = true;
     enableFishIntegration = true;
     keymap = {
-      manager.prepend_keymap = [
+      mgr.prepend_keymap = [
         {
           run = "hidden toggle";
           on = [ "<C-h>" ];
@@ -23,7 +23,7 @@
       ];
     };
     settings = {
-      manager = {
+      mgr = {
         ratio = [
           2
           4

shared/desktop/modules/default.nix

@@ -1,5 +1,8 @@
+{ lib, ... }:
+
 {
-  imports = [
+  imports = with lib.custom; [
+    (relativeToBase "modules")
     ./boot.nix
     ./development
     ./electron.nix
@@ -11,16 +14,11 @@
     ./locale.nix
     ./mail.nix
     ./media.nix
-    ./networking.nix
-    ./nixos.nix
-    ./nix-helper.nix
     ./office.nix
     ./hyprland
     ./sddm.nix
     ./security
-    ./shell.nix
     ./social.nix
-    ./users.nix
     ./qt.nix
     ./xdg.nix
     ./xserver.nix

shared/desktop/modules/development/default.nix

@@ -4,17 +4,12 @@
   imports = [
     ./docker.nix
     ./dotnet.nix
-    ./formatters.nix
-    ./nix.nix
     ./node.nix
     ./ollama.nix
     ./rust.nix
   ];
 
   environment.systemPackages = with pkgs; [
-    # Tools
-    git
-    just
     unstable.libpq # Required for PostgreSQL
   ];
 }

shared/desktop/modules/development/ollama.nix

@@ -0,0 +1,8 @@
+{ lib, systemConfig, ... }:
+
+{
+  services.ollama = {
+    enable = true;
+    acceleration = lib.mkIf systemConfig.nvidia.enable "cuda";
+  };
+}

shared/desktop/modules/fonts.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    font-awesome # Icons
+  ];
+
+  fonts = {
+    fontconfig.enable = true;
+    packages = with pkgs; [
+      nerd-fonts.jetbrains-mono
+      font-awesome
+    ];
+  };
+
+}

shared/desktop/modules/gnome/default.nix

@@ -21,7 +21,6 @@
   programs.dconf.enable = true; # Required for some gnome applications
 
   services = {
-    gnome.gnome-keyring.enable = true;
     gvfs.enable = true; # Gnome Virtual File-system. Required for various things in nautilus
     udev.packages = with pkgs; [ gnome-settings-daemon ];
   };

shared/desktop/modules/hardware/audio.nix

@@ -13,8 +13,6 @@
     spotify
   ];
 
-  hardware.pulseaudio.enable = false; # Will be moved to services in 25.05
-
   security.rtkit.enable = true; # Enable RealtimeKit for audio purposes
 
   services = {
@@ -28,6 +26,6 @@
       # Uncomment the following line if you want to use JACK applications
       # jack.enable = true;
     };
-    # pulseaudio.enable = false; # TODO uncommenct at 25.05
+    pulseaudio.enable = false; # Will be moved to services in 25.05
   };
 }