alright, time to try it

next iteration for forgejo runners
.
2025-09-08 16:24:36 +02:00 · 2025-09-08 16:18:02 +02:00 · 2025-09-08 16:14:15 +02:00 · 2025-09-08 09:03:27 +02:00 · 2025-09-07 22:26:09 +02:00 · 2025-09-07 20:47:45 +02:00
19 changed files with 512 additions and 137 deletions
--- a/.forgejo/workflows/action.yml
+++ b/.forgejo/workflows/action.yml
@ -7,10 +7,9 @@ on:
      - main

 jobs:
-  hello:
-    name: Print hello world
-    runs-on: default
+  kaas:
+    runs-on: nix
    steps:
      - name: Echo
        run: |
-          echo "Hello, world!"
+          nix --version
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,8 @@
+# ---> Nix
+# Ignore build outputs from performing a nix-build or `nix build` command
 result
-*.qcow2
+result-*
+
+# Ignore automatically generated direnv output
+.direnv
+
--- a/flake.lock
+++ b/flake.lock
@ -73,11 +73,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1755108317,
-        "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=",
+        "lastModified": 1756593129,
+        "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=",
        "owner": "emmanuelrosa",
        "repo": "erosanix",
-        "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e",
+        "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd",
        "type": "github"
      },
      "original": {
@ -94,11 +94,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1755153894,
-        "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=",
+        "lastModified": 1756622179,
+        "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "f6874c6e512bc69d881d979a45379b988b80a338",
+        "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79",
        "type": "github"
      },
      "original": {
@ -114,11 +114,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1755083788,
-        "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=",
+        "lastModified": 1756643456,
+        "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=",
        "owner": "nix-community",
        "repo": "flake-firefox-nightly",
-        "rev": "523078b104590da5850a61dfe291650a6b49809c",
+        "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e",
        "type": "github"
      },
      "original": {
@ -411,11 +411,11 @@
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1755072091,
-        "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=",
+        "lastModified": 1756381920,
+        "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=",
        "owner": "vinceliuice",
        "repo": "grub2-themes",
-        "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa",
+        "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7",
        "type": "github"
      },
      "original": {
@ -432,11 +432,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1754593854,
-        "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=",
+        "lastModified": 1756413980,
+        "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=",
        "owner": "himmelblau-idm",
        "repo": "himmelblau",
-        "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed",
+        "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a",
        "type": "github"
      },
      "original": {
@ -452,11 +452,32 @@
        ]
      },
      "locked": {
-        "lastModified": 1755121891,
-        "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=",
+        "lastModified": 1756650373,
+        "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426",
+        "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "zen-browser",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756842514,
+        "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382",
        "type": "github"
      },
      "original": {
@ -473,11 +494,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755151620,
-        "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=",
+        "lastModified": 1756638688,
+        "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "16e12d22754d97064867006acae6e16da7a142a6",
+        "rev": "e7b8679cba79f4167199f018b05c82169249f654",
        "type": "github"
      },
      "original": {
@ -507,11 +528,11 @@
    },
    "mnw": {
      "locked": {
-        "lastModified": 1748710831,
-        "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
+        "lastModified": 1756580127,
+        "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=",
        "owner": "Gerg-L",
        "repo": "mnw",
-        "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
+        "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252",
        "type": "github"
      },
      "original": {
@ -549,11 +570,11 @@
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
-        "lastModified": 1755137329,
-        "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=",
+        "lastModified": 1756518625,
+        "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "d9330bc35048238597880e89fb173799de9db5e9",
+        "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19",
        "type": "github"
      },
      "original": {
@ -621,11 +642,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755171343,
-        "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=",
+        "lastModified": 1755261305,
+        "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=",
        "owner": "nix-community",
        "repo": "nixos-wsl",
-        "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e",
+        "rev": "203a7b463f307c60026136dd1191d9001c43457f",
        "type": "github"
      },
      "original": {
@ -683,11 +704,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1755061300,
-        "narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=",
+        "lastModified": 1756578978,
+        "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5",
+        "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23",
        "type": "github"
      },
      "original": {
@ -715,11 +736,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1755178357,
-        "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=",
+        "lastModified": 1756653691,
+        "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4",
+        "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b",
        "type": "github"
      },
      "original": {
@ -747,11 +768,11 @@
    },
    "nixpkgs_6": {
      "locked": {
-        "lastModified": 1755027561,
-        "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=",
+        "lastModified": 1756542300,
+        "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3",
+        "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa",
        "type": "github"
      },
      "original": {
@ -763,11 +784,11 @@
    },
    "nixpkgs_7": {
      "locked": {
-        "lastModified": 1755049066,
-        "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=",
+        "lastModified": 1756536218,
+        "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a",
+        "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1",
        "type": "github"
      },
      "original": {
@ -843,11 +864,11 @@
        "systems": "systems_4"
      },
      "locked": {
-        "lastModified": 1755115677,
-        "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=",
+        "lastModified": 1756646417,
+        "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=",
        "owner": "notashelf",
        "repo": "nvf",
-        "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe",
+        "rev": "939fb8cfc630190cd5607526f81693525e3d593b",
        "type": "github"
      },
      "original": {
@ -866,11 +887,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1754501628,
-        "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=",
+        "lastModified": 1756632588,
+        "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=",
        "owner": "nix-community",
        "repo": "plasma-manager",
-        "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133",
+        "rev": "d47428e5390d6a5a8f764808a4db15929347cd77",
        "type": "github"
      },
      "original": {
@ -905,11 +926,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1755004716,
-        "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=",
+        "lastModified": 1756597274,
+        "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194",
+        "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30",
        "type": "github"
      },
      "original": {
@ -978,11 +999,11 @@
        "tinted-zed": "tinted-zed"
      },
      "locked": {
-        "lastModified": 1755027820,
-        "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=",
+        "lastModified": 1755997543,
+        "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=",
        "owner": "nix-community",
        "repo": "stylix",
-        "rev": "c592717e9f713bbae5f718c784013d541346363d",
+        "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8",
        "type": "github"
      },
      "original": {
@ -1164,18 +1185,19 @@
    },
    "zen-browser": {
      "inputs": {
+        "home-manager": "home-manager_2",
        "nixpkgs": "nixpkgs_10"
      },
      "locked": {
-        "lastModified": 1727721329,
-        "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=",
-        "owner": "MarceColl",
+        "lastModified": 1756876659,
+        "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=",
+        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
-        "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc",
+        "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529",
        "type": "github"
      },
      "original": {
-        "owner": "MarceColl",
+        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -41,7 +41,7 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    zen-browser.url = "github:MarceColl/zen-browser-flake";
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";

    nix-minecraft.url = "github:Infinidoge/nix-minecraft";

@ -63,11 +63,11 @@
      url = "github:Jovian-Experiments/Jovian-NixOS";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    
+
    grub2-themes = {
      url = "github:vinceliuice/grub2-themes";
    };
-    
+
    nixos-wsl = {
      url = "github:nix-community/nixos-wsl";
      inputs = {
@ -93,8 +93,15 @@
    channels-config = {
      allowUnfree = true;
      permittedInsecurePackages = [
+        # Due to *arr stack
        "dotnet-sdk-6.0.428"
        "aspnetcore-runtime-6.0.36"
+
+        # I think this is because of zen
+        "qtwebengine-5.15.19"
+
+        # For Nheko, the matrix client
+        "olm-3.2.16"
      ];
    };

@ -106,7 +113,7 @@

    homes.modules = with inputs; [
      stylix.homeModules.stylix
-      plasma-manager.homeManagerModules.plasma-manager
+      plasma-manager.homeModules.plasma-manager
    ];
  };
 }
--- a/homes/x86_64-linux/chris@manwe/default.nix
+++ b/homes/x86_64-linux/chris@manwe/default.nix
@ -35,6 +35,7 @@
      bitwarden.enable = true;
      discord.enable = true;
      ladybird.enable = true;
+      nheko.enable = true;
      obs.enable = true;
      onlyoffice.enable = true;
      signal.enable = true;
--- a/modules/home/application/nheko/default.nix
+++ b/modules/home/application/nheko/default.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, namespace, osConfig ? {}, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.application.nheko;
+in
+{
+  options.${namespace}.application.nheko = {
+    enable = mkEnableOption "enable nheko (matrix client)";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [ nheko ];
+  };
+}
--- a/modules/home/application/zen/default.nix
+++ b/modules/home/application/zen/default.nix
@ -5,13 +5,15 @@ let
  cfg = config.${namespace}.application.zen;
 in
 {
+  imports = [
+    inputs.zen-browser.homeModules.default
+  ];
+
  options.${namespace}.application.zen = {
    enable = mkEnableOption "enable zen";
  };

  config = mkIf cfg.enable {
-    home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ];
-
    home.sessionVariables = {
      MOZ_ENABLE_WAYLAND = "1";
    };
@ -20,20 +22,42 @@ in
      policies = {
        AutofillAddressEnabled = true;
        AutofillCreditCardEnabled = false;
+
+        AppAutoUpdate = false;
        DisableAppUpdate = true;
+        ManualAppUpdateOnly = true;
+
        DisableFeedbackCommands = true;
        DisableFirefoxStudies = true;
        DisablePocket = true;
        DisableTelemetry = true;
-        # DontCheckDefaultBrowser = false;
+
+        DontCheckDefaultBrowser = false;
        NoDefaultBookmarks = true;
-        # OfferToSaveLogins = false;
+        OfferToSaveLogins = false;
        EnableTrackingProtection = {
          Value = true;
          Locked = true;
          Cryptomining = true;
          Fingerprinting = true;
        };
+
+        HttpAllowlist = [
+          "http://ulmo"
+        ];
+      };
+
+      policies.ExtensionSettings = let
+        mkExtension = id: {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi";
+          installation_mode = "force_installed";
+        };
+      in
+      {
+        ublock_origin = 4531307;
+        ghostry = 4562168;
+        bitwarden = 4562769;
+        sponsorblock = 4541835;
      };
    };
  };
--- a/modules/home/home-manager/default.nix
+++ b/modules/home/home-manager/default.nix
@ -4,7 +4,9 @@ let
 in
 {
  systemd.user.startServices = "sd-switch";
-  programs.home-manager.enable = true;
+  programs.home-manager = {
+    enable = true;
+  };

  home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05");
-}
+}
--- a/modules/nixos/home-manager/default.nix
+++ b/modules/nixos/home-manager/default.nix
@ -0,0 +1,6 @@
+{ ... }:
+{
+  config = {
+    home-manager.backupFileExtension = "back";
+  };
+}
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@ -15,10 +15,10 @@ in
    nix = {
      package = pkgs.nixVersions.latest;

-      extraOptions = "experimental-features = nix-command flakes";
+      extraOptions = "experimental-features = nix-command flakes pipe-operators";

      settings = {
-        experimental-features = [ "nix-command" "flakes" ];
+        experimental-features = [ "nix-command" "flakes" "pipe-operators" ];
        allowed-users = [ "@wheel" ];
        trusted-users = [ "@wheel" ];

--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, ... }:
 let
-  inherit (lib) mkIf mkEnableOption mkForce;
+  inherit (lib) mkIf mkEnableOption;

  cfg = config.${namespace}.services.authentication.zitadel;

@ -13,6 +13,8 @@ in
  };

  config = mkIf cfg.enable {
+    ${namespace}.services.persistance.postgresql.enable = true;
+
    environment.systemPackages = with pkgs; [
      zitadel
    ];
@ -110,13 +112,6 @@ in
            ensureDBOwnership = true;
          }
        ];
-        authentication = mkForce ''
-          # Generated file, do not edit!
-          # TYPE  DATABASE  USER  ADDRESS       METHOD
-          local   all       all                 trust
-          host    all       all   127.0.0.1/32  trust
-          host    all       all   ::1/128       trust
-          '';
      };

      caddy = {
--- a/modules/nixos/services/communication/conduit/default.nix
+++ b/modules/nixos/services/communication/conduit/default.nix
@ -0,0 +1,56 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.services.communication.conduit;
+  domain = "matrix.kruining.eu";
+in
+{
+  options.${namespace}.services.communication.conduit = {
+    enable = mkEnableOption "conduit (Matrix server)";
+  };
+
+  config = mkIf cfg.enable {
+    # ${namespace}.services = {
+    #   persistance.postgresql.enable = true;
+    #   virtualisation.podman.enable = true;
+    # };
+
+    services = {
+      matrix-conduit = {
+        enable = true;
+
+        settings.global = {
+          address = "::1";
+          port = 4001;
+
+          database_backend = "rocksdb";
+
+          server_name = "chris-matrix";
+        };
+      };
+
+      # postgresql = {
+      #   enable = true;
+      #   ensureDatabases = [ "conduit" ];
+      #   ensureUsers = [
+      #     {
+      #       name = "conduit";
+      #       ensureDBOwnership = true;
+      #     }
+      #   ];
+      # };
+
+      caddy = {
+        enable = true;
+        virtualHosts = {
+          ${domain}.extraConfig = ''
+            # import auth-z
+
+            # reverse_proxy http://127.0.0.1:5002
+          '';
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/services/development/forgejo/default.nix
+++ b/modules/nixos/services/development/forgejo/default.nix
@ -11,7 +11,10 @@ in
  };

  config = mkIf cfg.enable {
-    ${namespace}.services.virtualisation.podman.enable = true;
+    ${namespace}.services = {
+      persistance.postgresql.enable = true;
+      virtualisation.podman.enable = true;
+    };

    environment.systemPackages = with pkgs; [ forgejo ];

@ -91,6 +94,7 @@ in

          actions = {
            ENABLED = true;
+            # DEFAULT_ACTIONS_URL = "https://data.forgejo.org";
          };

          other = {
@ -136,10 +140,12 @@ in
          # tokenFile = config.age.secrets.forgejo-runner-token.path;
          token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";
          labels = [
-            "default:docker://node:22-bullseye"
+            "default:docker://nixos/nix:latest"
+            "ubuntu:docker://ubuntu:24-bookworm"
+            "nix:docker://git.amarth.cloud/amarth/runners/default:latest"
          ];
          settings = {
-
+            log.level = "info";
          };
        };
      };
@ -152,7 +158,7 @@ in

            # stupid dumb way to prevent the login page and go to zitadel instead
            # be aware that this does not disable local login at all!
-            rewrite /user/login /user/oauth2/Zitadel
+            # rewrite /user/login /user/oauth2/Zitadel

            reverse_proxy http://127.0.0.1:5002
          '';
--- a/modules/nixos/services/media/default.nix
+++ b/modules/nixos/services/media/default.nix
@ -66,38 +66,73 @@ in
    # Services
    #=========================================================================
    services = let
-      serviceConf = {
+      arrService = {
+        enable = true;
+        openFirewall = true;
+
+        settings = {
+          auth.AuthenticationMethod = "External";
+
+          # postgres = {
+          #   PostgresHost = "localhost";
+          #   PostgresPort = "5432";
+          #   PostgresUser = "media";
+          # };
+        };
+      };
+
+      withPort = port: service: service // { settings.server.Port = builtins.toString port; };
+
+      withUserAndGroup = service: service  // {
+        user = cfg.user;
+        group = cfg.group;
+      };
+    in {
+      radarr =
+        arrService
+        |> withPort 2001
+        |> withUserAndGroup;
+
+      sonarr =
+        arrService
+        |> withPort 2002
+        |> withUserAndGroup;
+
+      lidarr =
+        arrService
+        |> withPort 2003
+        |> withUserAndGroup;
+        
+      prowlarr =
+        arrService
+        |> withPort 2004;
+
+      bazarr = {
+        enable = true;
+        openFirewall = true;
+        user = cfg.user;
+        group = cfg.group;
+        listenPort = 2005;
+      };
+
+      # port is harcoded in nixpkgs module
+      jellyfin = {
        enable = true;
        openFirewall = true;
        user = cfg.user;
        group = cfg.group;
      };
-    in {
-      jellyfin = serviceConf;
-      radarr = serviceConf;
-      sonarr = serviceConf;
-      bazarr = serviceConf;
-      lidarr = serviceConf;

      flaresolverr = {
        enable = true;
        openFirewall = true;
-      };
-
-      jellyseerr = {
-        enable = true;
-        openFirewall = true;
-      };
-
-      prowlarr = {
-        enable = true;
-        openFirewall = true;
+        port = 2007;
      };

      qbittorrent = {
        enable = true;
        openFirewall = true;
-        webuiPort = 5000;
+        webuiPort = 2008;

        serverConfig = {
          LegalNotice.Accepted = true;
@ -107,6 +142,7 @@ in
        group = cfg.group;
      };

+      # port is harcoded in nixpkgs module
      sabnzbd = {
        enable = true;
        openFirewall = true;
@ -116,46 +152,49 @@ in
        group = cfg.group;
      };

+      # postgresql = {
+      #   enable = true;
+      #   ensureDatabases = [
+      #     "radarr-main" "radarr-log"
+      #     "sonarr-main" "sonarr-log"
+      #     "lidarr-main" "lidarr-log"
+      #     "prowlarr-main" "prowlarr-log"
+      #   ];
+      #   identMap = ''
+      #     media media radarr-main
+      #     media media radarr-log
+      #     media media sonarr-main
+      #     media media sonarr-log
+      #     media media lidarr-main
+      #     media media lidarr-log
+      #     media media prowlarr-main
+      #     media media prowlarr-log
+      #   '';
+      #   ensureUsers = [
+      #     { name = "radarr-main"; ensureDBOwnership = true; }
+      #     { name = "radarr-log"; ensureDBOwnership = true; }
+
+      #     { name = "sonarr-main"; ensureDBOwnership = true; }
+      #     { name = "sonarr-log"; ensureDBOwnership = true; }
+          
+      #     { name = "lidarr-main"; ensureDBOwnership = true; }
+      #     { name = "lidarr-log"; ensureDBOwnership = true; }
+          
+      #     { name = "prowlarr-main"; ensureDBOwnership = true; }
+      #     { name = "prowlarr-log"; ensureDBOwnership = true; }
+      #   ];
+      # };
+
      caddy = {
        enable = true;
        virtualHosts = {
-          "media.kruining.eu".extraConfig = ''
-            import auth
-
-            reverse_proxy http://127.0.0.1:9494
-          '';
          "jellyfin.kruining.eu".extraConfig = ''
-            reverse_proxy http://127.0.0.1:8096
+            reverse_proxy http://[::1]:8096
          '';
        };
      };
    };

    systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
-
-    ${namespace}.services.virtualisation.podman.enable = true;
-
-    virtualisation = {
-      oci-containers = {
-        backend = "podman";
-
-        containers = {
-          # flaresolverr = {
-          #   image = "flaresolverr/flaresolverr";
-          #   autoStart = true;
-          #   ports = [ "127.0.0.1:8191:8191" ];
-          # };
-
-          reiverr = {
-            image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
-            autoStart = true;
-            ports = [ "127.0.0.1:9494:9494" ];
-            volumes = [ "${cfg.path}/reiverr/config:/config" ];
-          };
-        };
-      };
-    };
-
-    networking.firewall.allowedTCPPorts = [ 80 443 6969 ];
  };
 }
--- a/modules/nixos/services/media/homer/default.nix
+++ b/modules/nixos/services/media/homer/default.nix
@ -0,0 +1,161 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.services.media.homer;
+in
+{
+  options.${namespace}.services.media.homer = {
+    enable = mkEnableOption "Enable homer";
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 2000 ];
+
+    services = {
+      homer = {
+        enable = true;
+
+        virtualHost = {
+          caddy.enable = true;
+          domain = "http://:2000";
+        };
+
+        settings = {
+          title = "Ulmo dashboard";
+
+          columns = 4;
+          connectivityCheck = true;
+
+          links = [];
+
+          services = [
+            {
+              name = "Services";
+              items = [
+                {
+                  name = "Zitadel";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg";
+                  tag = "app";
+                  url = "https://auth.amarth.cloud";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Forgejo";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg";
+                  tag = "app";
+                  type = "Gitea";
+                  url = "https://git.amarth.cloud";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Vaultwarden";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg";
+                  type = "Vaultwarden";
+                  tag = "app";
+                  url = "https://vault.kruining.eu";
+                  target = "_blank";
+                }
+              ];
+            }
+
+            {
+              name = "Observability";
+              items = [
+                {
+                  name = "Grafana";
+                  type = "Grafana";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Prometheus";
+                  type = "Prometheus";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}";
+                  target = "_blank";
+                }
+              ];
+            }
+
+            {
+              name = "Media";
+              items = [
+                {
+                  name = "Jellyfin (Movies)";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg";
+                  tag = "app";
+                  type = "Emby";
+                  url = "http://${config.networking.hostName}:8096";
+                  apikey = "e3ceed943eeb409ba8342738db7cc1f5";
+                  libraryType = "movies";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Radarr";
+                  type = "Radarr";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Sonarr";
+                  type = "Sonarr";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Lidarr";
+                  type = "Lidarr";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Prowlarr";
+                  type = "Prowlarr";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "qBittorrent";
+                  type = "qBittorrent";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "SABnzbd";
+                  type = "SABnzbd";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:8080";
+                  target = "_blank";
+                }
+              ];
+            }
+          ];
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/services/persistance/postgesql/default.nix
+++ b/modules/nixos/services/persistance/postgesql/default.nix
@ -0,0 +1,26 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.services.persistance.postgresql;
+in
+{
+  options.${namespace}.services.persistance.postgresql = {
+    enable = mkEnableOption "Postgresql";
+  };
+
+  config = mkIf cfg.enable {
+    services = {
+      postgresql = {
+        enable = true;
+        authentication = ''
+          # Generated file, do not edit!
+          # TYPE  DATABASE  USER  ADDRESS       METHOD
+          local   all       all                 trust
+          host    all       all   127.0.0.1/32  trust
+          host    all       all   ::1/128       trust
+        '';
+      };
+    };
+  };
+}
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
@ -76,6 +76,12 @@ in
          "vault.kruining.eu".extraConfig = ''
            encode zstd gzip

+            handle_path /admin {
+              respond 401 {
+                close
+              }
+            }
+
            reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
              header_up X-Real-IP {remote_host}
            }
--- a/modules/nixos/services/virtualisation/podman/default.nix
+++ b/modules/nixos/services/virtualisation/podman/default.nix
@ -12,6 +12,7 @@ in
  config = mkIf cfg.enable {
    virtualisation = {
      containers.enable = true;
+      oci-containers.backend = "podman";

      podman = {
        enable = true;
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@ -10,11 +10,14 @@
      authentication.authelia.enable = true;
      authentication.zitadel.enable = true;

+      communication.conduit.enable = true;
+
      development.forgejo.enable = true;

      networking.ssh.enable = true;

      media.enable = true;
+      media.homer.enable = true;
      media.nfs.enable = true;

      observability = {
Author	SHA1	Message	Date
Chris Kruining	9ebe4fd4e7	alright, time to try it	2025-09-08 16:24:36 +02:00
Chris Kruining	2a79a4eb63	next iteration for forgejo runners	2025-09-08 16:18:02 +02:00
Chris Kruining	1d6f488ebd	. Some checks failed Test action / Print hello world (push) Failing after 2m46s Details	2025-09-08 16:14:15 +02:00
Chris Kruining	ec827c4187	update pipeline Some checks failed Test action / Print hello world (push) Failing after 1m51s Details	2025-09-08 09:03:27 +02:00
Chris Kruining	fe5cce0946	initial conduit setup Some checks failed Test action / Print hello world (push) Failing after 9s Details	2025-09-07 22:26:09 +02:00
Chris Kruining	ce7b147d04	move runner Some checks failed Test action / Print hello world (push) Failing after 9s Details	2025-09-07 20:47:45 +02:00
Chris Kruining	7f6f1166a4	add backup extension for home manager	2025-09-07 20:47:33 +02:00
Chris Kruining	288e354edf	add nheko	2025-09-07 20:06:56 +02:00
Chris Kruining	0689c338ac	solve compilation errors	2025-09-07 18:12:08 +02:00
Chris Kruining	2ca6339fe6	fix typo	2025-09-07 18:11:36 +02:00
Chris Kruining	98c9424db5	aaha, there is the code I forgot to commit... Some checks failed Test action / Print hello world (push) Failing after 1m52s Details	2025-09-07 17:30:52 +02:00
Chris Kruining	d3e7de5f5a	asdf Some checks failed Test action / Print hello world (push) Failing after 1m54s Details	2025-09-04 15:57:29 +02:00
Chris Kruining	7ac547bd81	parameterize git clone	2025-09-04 15:55:58 +02:00
Chris Kruining	f31317304e	riiight, should've seen that one coming.... Some checks failed Test action / Print hello world (push) Failing after 1m53s Details	2025-09-04 15:53:35 +02:00
Chris Kruining	cd53e4c008	sdfasdfg Some checks failed Test action / Print hello world (push) Failing after 1m49s Details	2025-09-04 15:50:38 +02:00
Chris Kruining	522041cbae	waaaaaaggh Some checks failed Test action / Print hello world (push) Failing after 1m50s Details	2025-09-04 15:47:37 +02:00
Chris Kruining	8b9e1a14a8	,... Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 15:47:10 +02:00
Chris Kruining	a0e2d8db71	. Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 15:46:25 +02:00
Chris Kruining	7070382596	runAsRoot requires kvm... Some checks failed Test action / Print hello world (push) Failing after 1m50s Details	2025-09-04 15:43:18 +02:00
Chris Kruining	1cbfb6b5c0	. Some checks failed Test action / Print hello world (push) Failing after 27s Details	2025-09-04 15:34:40 +02:00
Chris Kruining	237d208e93	siiiiigh Some checks failed Test action / Print hello world (push) Failing after 29s Details	2025-09-04 15:28:59 +02:00
Chris Kruining	a114f0a7f8	. Some checks failed Test action / Print hello world (push) Failing after 1m47s Details	2025-09-04 15:26:18 +02:00
Chris Kruining	3aaad47c2b	whoops Some checks failed Test action / Print hello world (push) Failing after 1m49s Details	2025-09-04 15:23:23 +02:00
Chris Kruining	3d02de9c6c	I really don't get it anymore... Some checks failed Test action / Print hello world (push) Failing after 1m49s Details	2025-09-04 15:20:38 +02:00
Chris Kruining	a39cb0cf53	? Some checks failed Test action / Print hello world (push) Failing after 22s Details	2025-09-04 15:19:14 +02:00
Chris Kruining	898cb6c512	local builds again Some checks failed Test action / Print hello world (push) Failing after 17s Details	2025-09-04 15:17:49 +02:00
Chris Kruining	66e400e7c0	uuuuuugh Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 15:11:32 +02:00
Chris Kruining	61505943f9	add base image Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 15:09:34 +02:00
Chris Kruining	e0c37a10a5	another attempt Some checks failed Test action / Print hello world (push) Failing after 21s Details	2025-09-04 15:08:48 +02:00
Chris Kruining	2653f3fc93	sooooo lost right now.... Some checks failed Test action / Print hello world (push) Failing after 20s Details	2025-09-04 15:05:40 +02:00
Chris Kruining	e0002d7254	shadowSetup than??? Some checks failed Test action / Print hello world (push) Failing after 20s Details	2025-09-04 15:00:37 +02:00
Chris Kruining	22333b143b	hmmmmm Some checks failed Test action / Print hello world (push) Failing after 21s Details	2025-09-04 14:58:31 +02:00
Chris Kruining	40cd9d3745	is it podman that needs the kvm? Some checks failed Test action / Print hello world (push) Failing after 26s Details	2025-09-04 14:56:44 +02:00
Chris Kruining	101bf12909	fix warning	2025-09-04 14:55:37 +02:00
Chris Kruining	09a5df6253	fix? Some checks failed Test action / Print hello world (push) Failing after 30s Details	2025-09-04 14:53:50 +02:00
Chris Kruining	b158df262e	ugh Some checks failed Test action / Print hello world (push) Failing after 12s Details	2025-09-04 14:07:06 +02:00
Chris Kruining	716342d556	. Some checks failed Test action / Print hello world (push) Failing after 12s Details	2025-09-04 14:02:34 +02:00
Chris Kruining	e4843997ea	add credentials, but then why do I need to log in???? Some checks failed Test action / Print hello world (push) Failing after 12s Details	2025-09-04 13:58:51 +02:00
Chris Kruining	9c048aca05	hmmmm Some checks failed Test action / Print hello world (push) Failing after 12s Details	2025-09-04 13:56:16 +02:00
Chris Kruining	d917f93a9f	finally some more success????? Some checks failed Test action / Print hello world (push) Failing after 12s Details	2025-09-04 13:55:13 +02:00
Chris Kruining	b8e43fedba	lets try another avenue... Some checks failed Test action / Print hello world (push) Failing after 13s Details	2025-09-04 13:47:02 +02:00
Chris Kruining	33f9a7fbd8	fix package conflict? Some checks failed Test action / Print hello world (push) Failing after 7s Details	2025-09-04 13:24:37 +02:00
Chris Kruining	7d7c3aa53a	. Some checks failed Test action / Print hello world (push) Failing after 16s Details	2025-09-04 13:22:43 +02:00
Chris Kruining	c7f3ed7cd6	. Some checks failed Test action / Print hello world (push) Failing after 7s Details	2025-09-04 13:21:05 +02:00
Chris Kruining	b2cb74657e	ahhh shit, here we go again Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 13:11:35 +02:00
Chris Kruining	25ae5ea1ac	next round Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 13:09:31 +02:00
Chris Kruining	833f4ce5e6	just fuse, got it Some checks failed Test action / Print hello world (push) Failing after 24s Details	2025-09-04 12:09:44 +02:00
Chris Kruining	55d5ea4839	is it a missing dep???? Some checks failed Test action / Print hello world (push) Failing after 2s Details	2025-09-04 12:08:38 +02:00
Chris Kruining	efd98d4b44	gotta love the typos... Some checks failed Test action / Print hello world (push) Failing after 25s Details	2025-09-04 12:05:12 +02:00
Chris Kruining	9ea18b18d5	. Some checks failed Test action / Print hello world (push) Failing after 7s Details	2025-09-04 12:04:28 +02:00
Chris Kruining	68f6620383	right Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 12:03:26 +02:00
Chris Kruining	a42446985c	another attempt Some checks failed Test action / Print hello world (push) Failing after 7s Details	2025-09-04 12:02:40 +02:00
Chris Kruining	4d4f4e67e0	add registry? Some checks failed Test action / Print hello world (push) Failing after 7s Details	2025-09-04 11:23:50 +02:00
Chris Kruining	f9328cd72e	I am an idiot, as proven once more... Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 11:22:59 +02:00
Chris Kruining	b3a9ea6057	. Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 11:19:43 +02:00
Chris Kruining	8b07f55593	. Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 11:14:41 +02:00
Chris Kruining	4a26a4ad11	. Some checks failed Test action / Print hello world (push) Failing after 7s Details	2025-09-04 11:13:15 +02:00
Chris Kruining	fdf1bc34e8	. Some checks failed Test action / Print hello world (push) Failing after 9s Details	2025-09-04 11:11:06 +02:00
Chris Kruining	da1a4d42ed	woooot, more success!!! Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 11:07:58 +02:00
Chris Kruining	4762d4189e	right. obviously... Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 11:06:57 +02:00
Chris Kruining	fa0a4917a2	cool shizzle Some checks failed Test action / Print hello world (push) Failing after 1s Details	2025-09-04 11:04:13 +02:00
Chris Kruining	0d6fb5aab6	update default runner dockerfile	2025-09-04 10:39:31 +02:00
Chris Kruining	e048ada01f	whoops	2025-09-04 10:38:46 +02:00
Chris Kruining	863956c38b	oooooh, closer Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 10:17:08 +02:00
Chris Kruining	95f6b2b8d3	nixpkgs instead???? Some checks failed Test action / Print hello world (push) Failing after 8s Details	2025-09-04 10:14:44 +02:00
Chris Kruining	2b887f188c	aaaaaiiii Some checks failed Test action / Print hello world (push) Failing after 2s Details	2025-09-04 10:14:06 +02:00
Chris Kruining	0b23548559	whoopsie Some checks failed Test action / Print hello world (push) Failing after 1s Details	2025-09-04 10:11:59 +02:00
Chris Kruining	9ed5cbded0	update homer Some checks failed Test action / Print hello world (push) Failing after 0s Details	2025-09-04 10:09:08 +02:00
Chris Kruining	41a4fde9f2	first attempt to push an image	2025-09-04 10:08:59 +02:00
Chris Kruining	fa81dbdcf6	even more homer All checks were successful Test action / Print hello world (push) Successful in 1s Details	2025-09-03 17:47:38 +02:00
Chris Kruining	b8b8e015c5	add pipe-operator nix feature All checks were successful Test action / Print hello world (push) Successful in 1s Details	2025-09-03 17:44:19 +02:00
Chris Kruining	a91afd3b0a	expand homer	2025-09-03 17:44:01 +02:00
Chris Kruining	6d7867b45c	update fogejo runner image All checks were successful Test action / Print hello world (push) Successful in 1s Details	2025-09-03 17:24:43 +02:00
Chris Kruining	7c75cab11b	improve podman config	2025-09-03 17:24:27 +02:00
Chris Kruining	44e7a6fa0f	harden vaultwarden All checks were successful Test action / Print hello world (push) Successful in 19s Details	2025-09-03 16:45:32 +02:00
Chris Kruining	6379b5e2de	improve zen config	2025-09-03 16:45:20 +02:00
Chris Kruining	7758806282	add homer dashboard	2025-09-03 16:44:50 +02:00
Chris Kruining	a29b757530	restructure media services	2025-09-03 15:12:30 +02:00
Chris Kruining	5ddcaf35f6	fix zen	2025-09-03 14:54:18 +02:00
Chris Kruining	39253ca080	update deps Some checks failed Test action / Print hello world (push) Has been cancelled Details	2025-08-31 17:30:45 +02:00