alright, time to try it

.forgejo/workflows/action.yml

@@ -7,10 +7,9 @@ on:
       - main
 
 jobs:
-  hello:
+  kaas:
-    name: Print hello world
+    runs-on: nix
-    runs-on: default
     steps:
       - name: Echo
         run: |
-          echo "Hello, world!"
+          nix --version

.gitignore

@@ -1,2 +1,8 @@
+# ---> Nix
+# Ignore build outputs from performing a nix-build or `nix build` command
 result
-*.qcow2
+result-*
+
+# Ignore automatically generated direnv output
+.direnv
+

flake.lock

@@ -73,11 +73,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1755108317,
+        "lastModified": 1756593129,
-        "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=",
+        "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=",
         "owner": "emmanuelrosa",
         "repo": "erosanix",
-        "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e",
+        "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd",
         "type": "github"
       },
       "original": {
@@ -94,11 +94,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1755153894,
+        "lastModified": 1756622179,
-        "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=",
+        "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "f6874c6e512bc69d881d979a45379b988b80a338",
+        "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79",
         "type": "github"
       },
       "original": {
@@ -114,11 +114,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1755083788,
+        "lastModified": 1756643456,
-        "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=",
+        "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=",
         "owner": "nix-community",
         "repo": "flake-firefox-nightly",
-        "rev": "523078b104590da5850a61dfe291650a6b49809c",
+        "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e",
         "type": "github"
       },
       "original": {
@@ -411,11 +411,11 @@
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1755072091,
+        "lastModified": 1756381920,
-        "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=",
+        "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=",
         "owner": "vinceliuice",
         "repo": "grub2-themes",
-        "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa",
+        "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7",
         "type": "github"
       },
       "original": {
@@ -432,11 +432,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754593854,
+        "lastModified": 1756413980,
-        "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=",
+        "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=",
         "owner": "himmelblau-idm",
         "repo": "himmelblau",
-        "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed",
+        "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a",
         "type": "github"
       },
       "original": {
@@ -452,11 +452,32 @@
         ]
       },
       "locked": {
-        "lastModified": 1755121891,
+        "lastModified": 1756650373,
-        "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=",
+        "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426",
+        "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "zen-browser",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756842514,
+        "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382",
         "type": "github"
       },
       "original": {
@@ -473,11 +494,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755151620,
+        "lastModified": 1756638688,
-        "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=",
+        "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "16e12d22754d97064867006acae6e16da7a142a6",
+        "rev": "e7b8679cba79f4167199f018b05c82169249f654",
         "type": "github"
       },
       "original": {
@@ -507,11 +528,11 @@
     },
     "mnw": {
       "locked": {
-        "lastModified": 1748710831,
+        "lastModified": 1756580127,
-        "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
+        "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=",
         "owner": "Gerg-L",
         "repo": "mnw",
-        "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
+        "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252",
         "type": "github"
       },
       "original": {
@@ -549,11 +570,11 @@
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1755137329,
+        "lastModified": 1756518625,
-        "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=",
+        "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "d9330bc35048238597880e89fb173799de9db5e9",
+        "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19",
         "type": "github"
       },
       "original": {
@@ -621,11 +642,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755171343,
+        "lastModified": 1755261305,
-        "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=",
+        "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=",
         "owner": "nix-community",
         "repo": "nixos-wsl",
-        "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e",
+        "rev": "203a7b463f307c60026136dd1191d9001c43457f",
         "type": "github"
       },
       "original": {
@@ -683,11 +704,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1755061300,
+        "lastModified": 1756578978,
-        "narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=",
+        "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5",
+        "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23",
         "type": "github"
       },
       "original": {
@@ -715,11 +736,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1755178357,
+        "lastModified": 1756653691,
-        "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=",
+        "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4",
+        "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b",
         "type": "github"
       },
       "original": {
@@ -747,11 +768,11 @@
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1755027561,
+        "lastModified": 1756542300,
-        "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=",
+        "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3",
+        "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa",
         "type": "github"
       },
       "original": {
@@ -763,11 +784,11 @@
     },
     "nixpkgs_7": {
       "locked": {
-        "lastModified": 1755049066,
+        "lastModified": 1756536218,
-        "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=",
+        "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a",
+        "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1",
         "type": "github"
       },
       "original": {
@@ -843,11 +864,11 @@
         "systems": "systems_4"
       },
       "locked": {
-        "lastModified": 1755115677,
+        "lastModified": 1756646417,
-        "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=",
+        "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=",
         "owner": "notashelf",
         "repo": "nvf",
-        "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe",
+        "rev": "939fb8cfc630190cd5607526f81693525e3d593b",
         "type": "github"
       },
       "original": {
@@ -866,11 +887,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754501628,
+        "lastModified": 1756632588,
-        "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=",
+        "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133",
+        "rev": "d47428e5390d6a5a8f764808a4db15929347cd77",
         "type": "github"
       },
       "original": {
@@ -905,11 +926,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1755004716,
+        "lastModified": 1756597274,
-        "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=",
+        "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194",
+        "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30",
         "type": "github"
       },
       "original": {
@@ -978,11 +999,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1755027820,
+        "lastModified": 1755997543,
-        "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=",
+        "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=",
         "owner": "nix-community",
         "repo": "stylix",
-        "rev": "c592717e9f713bbae5f718c784013d541346363d",
+        "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8",
         "type": "github"
       },
       "original": {
@@ -1164,18 +1185,19 @@
     },
     "zen-browser": {
       "inputs": {
+        "home-manager": "home-manager_2",
         "nixpkgs": "nixpkgs_10"
       },
       "locked": {
-        "lastModified": 1727721329,
+        "lastModified": 1756876659,
-        "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=",
+        "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=",
-        "owner": "MarceColl",
+        "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc",
+        "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529",
         "type": "github"
       },
       "original": {
-        "owner": "MarceColl",
+        "owner": "0xc000022070",
         "repo": "zen-browser-flake",
         "type": "github"
       }

flake.nix

@@ -41,7 +41,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    zen-browser.url = "github:MarceColl/zen-browser-flake";
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";
 
     nix-minecraft.url = "github:Infinidoge/nix-minecraft";
 
@@ -93,8 +93,15 @@
     channels-config = {
       allowUnfree = true;
       permittedInsecurePackages = [
+        # Due to *arr stack
         "dotnet-sdk-6.0.428"
         "aspnetcore-runtime-6.0.36"
+
+        # I think this is because of zen
+        "qtwebengine-5.15.19"
+
+        # For Nheko, the matrix client
+        "olm-3.2.16"
       ];
     };
 
@@ -106,7 +113,7 @@
 
     homes.modules = with inputs; [
       stylix.homeModules.stylix
-      plasma-manager.homeManagerModules.plasma-manager
+      plasma-manager.homeModules.plasma-manager
     ];
   };
 }

homes/x86_64-linux/chris@manwe/default.nix

@@ -35,6 +35,7 @@
       bitwarden.enable = true;
       discord.enable = true;
       ladybird.enable = true;
+      nheko.enable = true;
       obs.enable = true;
       onlyoffice.enable = true;
       signal.enable = true;

modules/home/application/nheko/default.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, namespace, osConfig ? {}, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.application.nheko;
+in
+{
+  options.${namespace}.application.nheko = {
+    enable = mkEnableOption "enable nheko (matrix client)";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [ nheko ];
+  };
+}

modules/home/application/zen/default.nix

@@ -5,13 +5,15 @@ let
   cfg = config.${namespace}.application.zen;
 in
 {
+  imports = [
+    inputs.zen-browser.homeModules.default
+  ];
+
   options.${namespace}.application.zen = {
     enable = mkEnableOption "enable zen";
   };
 
   config = mkIf cfg.enable {
-    home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ];
-
     home.sessionVariables = {
       MOZ_ENABLE_WAYLAND = "1";
     };
@@ -20,20 +22,42 @@ in
       policies = {
         AutofillAddressEnabled = true;
         AutofillCreditCardEnabled = false;
+
+        AppAutoUpdate = false;
         DisableAppUpdate = true;
+        ManualAppUpdateOnly = true;
+
         DisableFeedbackCommands = true;
         DisableFirefoxStudies = true;
         DisablePocket = true;
         DisableTelemetry = true;
-        # DontCheckDefaultBrowser = false;
+
+        DontCheckDefaultBrowser = false;
         NoDefaultBookmarks = true;
-        # OfferToSaveLogins = false;
+        OfferToSaveLogins = false;
         EnableTrackingProtection = {
           Value = true;
           Locked = true;
           Cryptomining = true;
           Fingerprinting = true;
         };
+
+        HttpAllowlist = [
+          "http://ulmo"
+        ];
+      };
+
+      policies.ExtensionSettings = let
+        mkExtension = id: {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi";
+          installation_mode = "force_installed";
+        };
+      in
+      {
+        ublock_origin = 4531307;
+        ghostry = 4562168;
+        bitwarden = 4562769;
+        sponsorblock = 4541835;
       };
     };
   };

modules/home/home-manager/default.nix

@@ -4,7 +4,9 @@ let
 in
 {
   systemd.user.startServices = "sd-switch";
-  programs.home-manager.enable = true;
+  programs.home-manager = {
+    enable = true;
+  };
 
   home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05");
 }

modules/nixos/home-manager/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  config = {
+    home-manager.backupFileExtension = "back";
+  };
+}

modules/nixos/nix/default.nix

@@ -15,10 +15,10 @@ in
     nix = {
       package = pkgs.nixVersions.latest;
 
-      extraOptions = "experimental-features = nix-command flakes";
+      extraOptions = "experimental-features = nix-command flakes pipe-operators";
 
       settings = {
-        experimental-features = [ "nix-command" "flakes" ];
+        experimental-features = [ "nix-command" "flakes" "pipe-operators" ];
         allowed-users = [ "@wheel" ];
         trusted-users = [ "@wheel" ];
 

modules/nixos/services/authentication/zitadel/default.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, ... }:
 let
-  inherit (lib) mkIf mkEnableOption mkForce;
+  inherit (lib) mkIf mkEnableOption;
 
   cfg = config.${namespace}.services.authentication.zitadel;
 
@@ -13,6 +13,8 @@ in
   };
 
   config = mkIf cfg.enable {
+    ${namespace}.services.persistance.postgresql.enable = true;
+
     environment.systemPackages = with pkgs; [
       zitadel
     ];
@@ -110,13 +112,6 @@ in
             ensureDBOwnership = true;
           }
         ];
-        authentication = mkForce ''
-          # Generated file, do not edit!
-          # TYPE  DATABASE  USER  ADDRESS       METHOD
-          local   all       all                 trust
-          host    all       all   127.0.0.1/32  trust
-          host    all       all   ::1/128       trust
-          '';
       };
 
       caddy = {

modules/nixos/services/communication/conduit/default.nix

@@ -0,0 +1,56 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.services.communication.conduit;
+  domain = "matrix.kruining.eu";
+in
+{
+  options.${namespace}.services.communication.conduit = {
+    enable = mkEnableOption "conduit (Matrix server)";
+  };
+
+  config = mkIf cfg.enable {
+    # ${namespace}.services = {
+    #   persistance.postgresql.enable = true;
+    #   virtualisation.podman.enable = true;
+    # };
+
+    services = {
+      matrix-conduit = {
+        enable = true;
+
+        settings.global = {
+          address = "::1";
+          port = 4001;
+
+          database_backend = "rocksdb";
+
+          server_name = "chris-matrix";
+        };
+      };
+
+      # postgresql = {
+      #   enable = true;
+      #   ensureDatabases = [ "conduit" ];
+      #   ensureUsers = [
+      #     {
+      #       name = "conduit";
+      #       ensureDBOwnership = true;
+      #     }
+      #   ];
+      # };
+
+      caddy = {
+        enable = true;
+        virtualHosts = {
+          ${domain}.extraConfig = ''
+            # import auth-z
+
+            # reverse_proxy http://127.0.0.1:5002
+          '';
+        };
+      };
+    };
+  };
+}

modules/nixos/services/development/forgejo/default.nix

@@ -11,7 +11,10 @@ in
   };
 
   config = mkIf cfg.enable {
-    ${namespace}.services.virtualisation.podman.enable = true;
+    ${namespace}.services = {
+      persistance.postgresql.enable = true;
+      virtualisation.podman.enable = true;
+    };
 
     environment.systemPackages = with pkgs; [ forgejo ];
 
@@ -91,6 +94,7 @@ in
 
           actions = {
             ENABLED = true;
+            # DEFAULT_ACTIONS_URL = "https://data.forgejo.org";
           };
 
           other = {
@@ -136,10 +140,12 @@ in
           # tokenFile = config.age.secrets.forgejo-runner-token.path;
           token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";
           labels = [
-            "default:docker://node:22-bullseye"
+            "default:docker://nixos/nix:latest"
+            "ubuntu:docker://ubuntu:24-bookworm"
+            "nix:docker://git.amarth.cloud/amarth/runners/default:latest"
           ];
           settings = {
-
+            log.level = "info";
           };
         };
       };
@@ -152,7 +158,7 @@ in
 
             # stupid dumb way to prevent the login page and go to zitadel instead
             # be aware that this does not disable local login at all!
-            rewrite /user/login /user/oauth2/Zitadel
+            # rewrite /user/login /user/oauth2/Zitadel
 
             reverse_proxy http://127.0.0.1:5002
           '';

modules/nixos/services/media/default.nix

@@ -66,38 +66,73 @@ in
     # Services
     #=========================================================================
     services = let
-      serviceConf = {
+      arrService = {
+        enable = true;
+        openFirewall = true;
+
+        settings = {
+          auth.AuthenticationMethod = "External";
+
+          # postgres = {
+          #   PostgresHost = "localhost";
+          #   PostgresPort = "5432";
+          #   PostgresUser = "media";
+          # };
+        };
+      };
+
+      withPort = port: service: service // { settings.server.Port = builtins.toString port; };
+
+      withUserAndGroup = service: service  // {
+        user = cfg.user;
+        group = cfg.group;
+      };
+    in {
+      radarr =
+        arrService
+        |> withPort 2001
+        |> withUserAndGroup;
+
+      sonarr =
+        arrService
+        |> withPort 2002
+        |> withUserAndGroup;
+
+      lidarr =
+        arrService
+        |> withPort 2003
+        |> withUserAndGroup;
+        
+      prowlarr =
+        arrService
+        |> withPort 2004;
+
+      bazarr = {
+        enable = true;
+        openFirewall = true;
+        user = cfg.user;
+        group = cfg.group;
+        listenPort = 2005;
+      };
+
+      # port is harcoded in nixpkgs module
+      jellyfin = {
         enable = true;
         openFirewall = true;
         user = cfg.user;
         group = cfg.group;
       };
-    in {
-      jellyfin = serviceConf;
-      radarr = serviceConf;
-      sonarr = serviceConf;
-      bazarr = serviceConf;
-      lidarr = serviceConf;
 
       flaresolverr = {
         enable = true;
         openFirewall = true;
-      };
+        port = 2007;
-
-      jellyseerr = {
-        enable = true;
-        openFirewall = true;
-      };
-
-      prowlarr = {
-        enable = true;
-        openFirewall = true;
       };
 
       qbittorrent = {
         enable = true;
         openFirewall = true;
-        webuiPort = 5000;
+        webuiPort = 2008;
 
         serverConfig = {
           LegalNotice.Accepted = true;
@@ -107,6 +142,7 @@ in
         group = cfg.group;
       };
 
+      # port is harcoded in nixpkgs module
       sabnzbd = {
         enable = true;
         openFirewall = true;
@@ -116,46 +152,49 @@ in
         group = cfg.group;
       };
 
+      # postgresql = {
+      #   enable = true;
+      #   ensureDatabases = [
+      #     "radarr-main" "radarr-log"
+      #     "sonarr-main" "sonarr-log"
+      #     "lidarr-main" "lidarr-log"
+      #     "prowlarr-main" "prowlarr-log"
+      #   ];
+      #   identMap = ''
+      #     media media radarr-main
+      #     media media radarr-log
+      #     media media sonarr-main
+      #     media media sonarr-log
+      #     media media lidarr-main
+      #     media media lidarr-log
+      #     media media prowlarr-main
+      #     media media prowlarr-log
+      #   '';
+      #   ensureUsers = [
+      #     { name = "radarr-main"; ensureDBOwnership = true; }
+      #     { name = "radarr-log"; ensureDBOwnership = true; }
+
+      #     { name = "sonarr-main"; ensureDBOwnership = true; }
+      #     { name = "sonarr-log"; ensureDBOwnership = true; }
+          
+      #     { name = "lidarr-main"; ensureDBOwnership = true; }
+      #     { name = "lidarr-log"; ensureDBOwnership = true; }
+          
+      #     { name = "prowlarr-main"; ensureDBOwnership = true; }
+      #     { name = "prowlarr-log"; ensureDBOwnership = true; }
+      #   ];
+      # };
+
       caddy = {
         enable = true;
         virtualHosts = {
-          "media.kruining.eu".extraConfig = ''
-            import auth
-
-            reverse_proxy http://127.0.0.1:9494
-          '';
           "jellyfin.kruining.eu".extraConfig = ''
-            reverse_proxy http://127.0.0.1:8096
+            reverse_proxy http://[::1]:8096
           '';
         };
       };
     };
 
     systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
-
-    ${namespace}.services.virtualisation.podman.enable = true;
-
-    virtualisation = {
-      oci-containers = {
-        backend = "podman";
-
-        containers = {
-          # flaresolverr = {
-          #   image = "flaresolverr/flaresolverr";
-          #   autoStart = true;
-          #   ports = [ "127.0.0.1:8191:8191" ];
-          # };
-
-          reiverr = {
-            image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
-            autoStart = true;
-            ports = [ "127.0.0.1:9494:9494" ];
-            volumes = [ "${cfg.path}/reiverr/config:/config" ];
-          };
-        };
-      };
-    };
-
-    networking.firewall.allowedTCPPorts = [ 80 443 6969 ];
   };
 }

modules/nixos/services/media/homer/default.nix

@@ -0,0 +1,161 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.services.media.homer;
+in
+{
+  options.${namespace}.services.media.homer = {
+    enable = mkEnableOption "Enable homer";
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 2000 ];
+
+    services = {
+      homer = {
+        enable = true;
+
+        virtualHost = {
+          caddy.enable = true;
+          domain = "http://:2000";
+        };
+
+        settings = {
+          title = "Ulmo dashboard";
+
+          columns = 4;
+          connectivityCheck = true;
+
+          links = [];
+
+          services = [
+            {
+              name = "Services";
+              items = [
+                {
+                  name = "Zitadel";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg";
+                  tag = "app";
+                  url = "https://auth.amarth.cloud";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Forgejo";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg";
+                  tag = "app";
+                  type = "Gitea";
+                  url = "https://git.amarth.cloud";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Vaultwarden";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg";
+                  type = "Vaultwarden";
+                  tag = "app";
+                  url = "https://vault.kruining.eu";
+                  target = "_blank";
+                }
+              ];
+            }
+
+            {
+              name = "Observability";
+              items = [
+                {
+                  name = "Grafana";
+                  type = "Grafana";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Prometheus";
+                  type = "Prometheus";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}";
+                  target = "_blank";
+                }
+              ];
+            }
+
+            {
+              name = "Media";
+              items = [
+                {
+                  name = "Jellyfin (Movies)";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg";
+                  tag = "app";
+                  type = "Emby";
+                  url = "http://${config.networking.hostName}:8096";
+                  apikey = "e3ceed943eeb409ba8342738db7cc1f5";
+                  libraryType = "movies";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Radarr";
+                  type = "Radarr";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Sonarr";
+                  type = "Sonarr";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Lidarr";
+                  type = "Lidarr";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "Prowlarr";
+                  type = "Prowlarr";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "qBittorrent";
+                  type = "qBittorrent";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}";
+                  target = "_blank";
+                }
+
+                {
+                  name = "SABnzbd";
+                  type = "SABnzbd";
+                  logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:8080";
+                  target = "_blank";
+                }
+              ];
+            }
+          ];
+        };
+      };
+    };
+  };
+}

modules/nixos/services/persistance/convex/default.nix

@@ -1,21 +0,0 @@
-{ config, pkgs, lib, namespace, ... }:
-let
-  inherit (lib) mkIf mkEnableOption;
-
-  cfg = config.${namespace}.services.persistance.convex;
-in
-{
-  imports = [ ./source.nix ];
-
-  options.${namespace}.services.persistance.convex = {
-    enable = mkEnableOption "enable Convex";
-  };
-
-  config = mkIf cfg.enable {
-    services.convex = {
-      enable = true;
-      package = pkgs.${namespace}.convex;
-      secret = "ThisIsMyAwesomeSecret";
-    };
-  };
-}

modules/nixos/services/persistance/convex/source.nix

@@ -1,149 +0,0 @@
-{ config, pkgs, lib, namespace, ... }:
-let
-  inherit (lib) mkIf mkEnableOption mkPackageOption mkOption optional types;
-
-  cfg = config.services.convex;
-
-  default_user = "convex";
-  default_group = "convex";
-in
-{
-  options.services.convex = {
-    enable = mkEnableOption "enable Convex (backend only for now)";
-
-    package = mkPackageOption pkgs "convex" {};
-
-    name = lib.mkOption {
-      type = types.str;
-      default = "convex";
-      description = ''
-        Name for the instance.
-      '';
-    };
-
-    secret = lib.mkOption {
-      type = types.str;
-      default = "";
-      description = ''
-        Secret for the instance.
-      '';
-    };
-
-    apiPort = mkOption {
-      type = types.port;
-      default = 3210;
-      description = ''
-        The TCP port to use for the API.
-      '';
-    };
-
-    actionsPort = mkOption {
-      type = types.port;
-      default = 3211;
-      description = ''
-        The TCP port to use for the HTTP actions.
-      '';
-    };
-
-    dashboardPort = mkOption {
-      type = types.port;
-      default = 6791;
-      description = ''
-        The TCP port to use for the Dashboard.
-      '';
-    };
-
-    openFirewall = lib.mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to open ports in the firewall for the server.
-      '';
-    };
-
-    user = lib.mkOption {
-      type = types.str;
-      default = default_user;
-      description = ''
-        As which user to run the service.
-      '';
-    };
-
-    group = lib.mkOption {
-      type = types.str;
-      default = default_group;
-      description = ''
-        As which group to run the service.
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = cfg.secret != "";
-        message = ''
-          No secret provided for convex
-        '';
-      }
-    ];
-
-    users = {
-      users.${cfg.user} = {
-        description = "System user for convex service";
-        isSystemUser = true;
-        group = cfg.group;
-      };
-
-      groups.${cfg.group} = {};
-    };
-
-    networking.firewall.allowedTCPPorts = optional cfg.openFirewall [ cfg.apiPort cfg.actionsPort cfg.dashboardPort ];
-    
-    environment.systemPackages = [ cfg.package ];
-
-    systemd.services.convex = {
-      description = "Convex Backend server";
-
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-
-      serviceConfig = {
-        ExecStart = "${cfg.package}/bin --instance-name ${cfg.name} --instance-secret ${cfg.secret}";
-        Type = "notify";
-
-        User = cfg.user;
-        Group = cfg.group;
-
-        RuntimeDirectory = "convex";
-        RuntimeDirectoryMode = "0775";
-        StateDirectory = "convex";
-        StateDirectoryMode = "0775";
-        Umask = "0077";
-
-        CapabilityBoundingSet = "";
-        NoNewPrivileges = true;
-
-        # Sandboxing
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        PrivateTmp = true;
-        PrivateDevices = true;
-        PrivateUsers = true;
-        ProtectClock = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectControlGroups = true;
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
-        RestrictNamespaces = true;
-        LockPersonality = true;
-      };
-    };
-  };
-}

modules/nixos/services/persistance/postgesql/default.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.services.persistance.postgresql;
+in
+{
+  options.${namespace}.services.persistance.postgresql = {
+    enable = mkEnableOption "Postgresql";
+  };
+
+  config = mkIf cfg.enable {
+    services = {
+      postgresql = {
+        enable = true;
+        authentication = ''
+          # Generated file, do not edit!
+          # TYPE  DATABASE  USER  ADDRESS       METHOD
+          local   all       all                 trust
+          host    all       all   127.0.0.1/32  trust
+          host    all       all   ::1/128       trust
+        '';
+      };
+    };
+  };
+}

modules/nixos/services/security/vaultwarden/default.nix

@@ -76,6 +76,12 @@ in
           "vault.kruining.eu".extraConfig = ''
             encode zstd gzip
 
+            handle_path /admin {
+              respond 401 {
+                close
+              }
+            }
+
             reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
               header_up X-Real-IP {remote_host}
             }

modules/nixos/services/virtualisation/podman/default.nix

@@ -12,6 +12,7 @@ in
   config = mkIf cfg.enable {
     virtualisation = {
       containers.enable = true;
+      oci-containers.backend = "podman";
 
       podman = {
         enable = true;

packages/convex/default.nix

@@ -1,59 +0,0 @@
-{ 
-  lib, 
-  stdenv, 
-  rustPlatform, 
-  fetchFromGitHub, 
-  
-  # dependencies
-  openssl, 
-  pkg-config, 
-  cmake,
-  llvmPackages,
-  postgresql, 
-  sqlite, 
-  
-  #options
-  dbBackend ? "postgresql", 
-
-  ... 
-}:
-rustPlatform.buildRustPackage rec {
-  pname = "convex";
-  version = "2025-08-20-c9b561e";
-
-  src = fetchFromGitHub {
-    owner = "get-convex";
-    repo = "convex-backend";
-    rev = "c9b561e1b365c85ef28af35d742cb7dd174b5555";
-    hash = "sha256-4h4AQt+rQ+nTw6eTbbB5vqFt9MFjKYw3Z7bGXdXijJ0=";
-  };
-
-  cargoHash = "sha256-pcDNWGrk9D0qcF479QAglPLFDZp27f8RueP5/lq9jho=";
-
-  cargoBuildFlags = [
-    "-p" "local_backend"
-    "--bin" "convex-local-backend"
-  ];
-
-  env = {
-    LIBCLANG_PATH = "${llvmPackages.libclang}/lib";
-  };
-
-  strictDeps = true;
-
-  # Build-time dependencies
-  nativeBuildInputs = [ pkg-config cmake rustPlatform.bindgenHook ];
-
-  # Run-time dependencies
-  buildInputs = 
-    [ openssl ]
-    ++ lib.optional (dbBackend == "sqlite") sqlite
-    ++ lib.optional (dbBackend == "postgresql") postgresql;
-
-  buildFeatures = "";
-
-  meta = with lib; {
-    license = licenses.fsl11Asl20;
-    mainProgram = "convex";
-  };
-}

systems/x86_64-linux/ulmo/default.nix

@@ -10,11 +10,14 @@
       authentication.authelia.enable = true;
       authentication.zitadel.enable = true;
 
+      communication.conduit.enable = true;
+
       development.forgejo.enable = true;
 
       networking.ssh.enable = true;
 
       media.enable = true;
+      media.homer.enable = true;
       media.nfs.enable = true;
 
       observability = {
@@ -24,8 +27,6 @@
         promtail.enable = true;
       };
 
-      persistance.convex.enable = true;
-
       security.vaultwarden.enable = true;
     };