chore: update dependencies

.just/machine.just

@@ -1,11 +1,14 @@
-@_default: list
+set unstable := true
+set quiet := true
+
+_default: list
 
 [doc('List machines')]
-@list:
+list:
     ls -1 ../systems/x86_64-linux/
 
 [doc('Update the target machine')]
 [no-exit-message]
-@update machine:
-    just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')"
-    nixos-rebuild switch -L --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }}
+update machine:
+    just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')"
+    nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }}

.just/vars.just

@@ -1,21 +1,16 @@
 set unstable := true
+set quiet := true
 
 base_path := invocation_directory() / "systems/x86_64-linux"
 
-# sops := "nix shell nixpkgs#sops --command sops"
-# yq := "nix shell nixpkgs#yq --command yq"
-
-sops := "sops"
-yq := "yq"
-
-@_default:
+_default:
     just --list
 
 [doc('list all vars of the target machine')]
 list machine:
     sops decrypt {{ base_path }}/{{ machine }}/secrets.yml
 
-@edit machine:
+edit machine:
     sops edit {{ base_path }}/{{ machine }}/secrets.yml
 
 @set machine key value:
@@ -26,10 +21,10 @@ list machine:
 
     echo "Done"
 
-@get machine key:
+get machine key:
     sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')"
 
-@remove machine key:
+remove machine key:
     sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
 
     git add {{ base_path }}/{{ machine }}/secrets.yml

.justfile

@@ -1,33 +1,40 @@
-@_default:
+_default:
     just --list --list-submodules
 
-[doc('Manage vars')]
-mod vars '.just/vars.just'
+set unstable
+set quiet
 
-[doc('Manage machines')]
+mod vars '.just/vars.just'
 mod machine '.just/machine.just'
 
 [doc('Show information about project')]
-@show:
+show:
     echo "show"
 
 [doc('update the flake dependencies')]
-@update:
+update:
     nix flake update
     git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null
     echo "Done"
 
+[doc('Rebase branch on main')]
+rebase:
+    git stash -q \
+    && git fetch \
+    && git rebase origin/main \
+    && git stash pop -q
+
+    echo "Done"
+
 [doc('Introspection on flake output')]
-@select key:
-  nix eval --show-trace --json .#{{ key }} | jq .
-
-
+select key:
+    nix eval --json .#{{ key }} | jq .
 
 #===============================================================================================
 # Utils
-#===============================================================================================
-[no-exit-message]
+# ===============================================================================================
 [no-cd]
+[no-exit-message]
 [private]
-@assert condition message:
+assert condition message:
     [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; }

flake.lock

@@ -84,11 +84,19 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
+<<<<<<< HEAD
         "lastModified": 1765033957,
         "narHash": "sha256-yL5IjUOne+h6AodxxqoqwPgRy2HXle6+W4Aa2GVJruk=",
         "rev": "9985ce76af367e7c9e3022c5b893418059a17491",
         "type": "tarball",
         "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/9985ce76af367e7c9e3022c5b893418059a17491.tar.gz"
+=======
+        "lastModified": 1764220269,
+        "narHash": "sha256-rSSmhTCjfZLZog3qO6Q5C58pINmDv8EheGUhcojxd6c=",
+        "rev": "c70c04d09477ceee5820a8da4d9c0d1b50eb6cc6",
+        "type": "tarball",
+        "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/c70c04d09477ceee5820a8da4d9c0d1b50eb6cc6.tar.gz"
+>>>>>>> 122a796 (chore: update dependencies)
       },
       "original": {
         "type": "tarball",
@@ -130,11 +138,19 @@
         ]
       },
       "locked": {
+<<<<<<< HEAD
         "lastModified": 1764627417,
         "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",
         "owner": "nix-community",
         "repo": "disko",
         "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",
+=======
+        "lastModified": 1764110879,
+        "narHash": "sha256-xanUzIb0tf3kJ+PoOFmXEXV1jM3PjkDT/TQ5DYeNYRc=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "aecba248f9a7d68c5d1ed15de2d1c8a4c994a3c5",
+>>>>>>> 122a796 (chore: update dependencies)
         "type": "github"
       },
       "original": {
@@ -149,11 +165,19 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
+<<<<<<< HEAD
         "lastModified": 1764775116,
         "narHash": "sha256-S4fY3fytcqXBuOSbQjEVke2eqK9/e/6Jy3jp0JGM2X4=",
         "owner": "emmanuelrosa",
         "repo": "erosanix",
         "rev": "172661ccc78b1529a294eee5e99ca1616c934f37",
+=======
+        "lastModified": 1763851335,
+        "narHash": "sha256-mmDc9dREBGGZW1iCB3AbMLBzsXrf48hJ+EzJ6g7Tdbk=",
+        "owner": "emmanuelrosa",
+        "repo": "erosanix",
+        "rev": "17407369c38ac2ade3be648666d30f6469908bdb",
+>>>>>>> 122a796 (chore: update dependencies)
         "type": "github"
       },
       "original": {
@@ -170,11 +194,19 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
+<<<<<<< HEAD
         "lastModified": 1764915802,
         "narHash": "sha256-eHTucU43sRCpvvTt5eey9htcWipS7ZN3B7ts6MiXLxo=",
         "owner": "nix-community",
         "repo": "fenix",
         "rev": "a83a78fd3587d9f3388f0b459ad9c2bbd6d1b6d8",
+=======
+        "lastModified": 1764226020,
+        "narHash": "sha256-FzUCFwXNjLnnZmVqYj/FjlBhUpat59SExflEaIGT62s=",
+        "owner": "nix-community",
+        "repo": "fenix",
+        "rev": "2d8176c02f7be6d13578d24d5fd5049f1b46a4c5",
+>>>>>>> 122a796 (chore: update dependencies)
         "type": "github"
       },
       "original": {
@@ -190,11 +222,19 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
+<<<<<<< HEAD
         "lastModified": 1765024561,
         "narHash": "sha256-xtfg5gNfyiyBTfWwbKgatV1sPeJjEnUczHCaSWi+crY=",
         "owner": "nix-community",
         "repo": "flake-firefox-nightly",
         "rev": "e6f559729459a7890f01b258c33c1025800f5dbb",
+=======
+        "lastModified": 1764242161,
+        "narHash": "sha256-Yxeu6Zm85RwER/0z0fv3mX2xaBy38PZKgdAAE57huRU=",
+        "owner": "nix-community",
+        "repo": "flake-firefox-nightly",
+        "rev": "ca10e2ff1ec58b1a3722ccb3c052c57c5e070780",
+>>>>>>> 122a796 (chore: update dependencies)
         "type": "github"
       },
       "original": {
@@ -574,11 +614,19 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
+<<<<<<< HEAD
         "lastModified": 1764617621,
         "narHash": "sha256-Eq0TvWs6xhKZs5HXH1hlrNasrHD7AOEdeLkTis//X7w=",
         "owner": "himmelblau-idm",
         "repo": "himmelblau",
         "rev": "c19494250d8c15e7c75e9301bdc271579a6dc77a",
+=======
+        "lastModified": 1764184347,
+        "narHash": "sha256-xhzCn/rnBDTybHtuFV2IhCgjLMsCVpbzpEL0w//4Na8=",
+        "owner": "himmelblau-idm",
+        "repo": "himmelblau",
+        "rev": "9f0f6e27b6a9acdb12c4807cc1402132b21009f3",
+>>>>>>> 122a796 (chore: update dependencies)
         "type": "github"
       },
       "original": {
@@ -594,11 +642,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764603455,
-        "narHash": "sha256-Q70rxlbrxPcTtqWIb9+71rkJESxIOou5isZBvyOieXw=",
+        "lastModified": 1764194569,
+        "narHash": "sha256-iUM9ktarEzThkayyZrzQ7oycPshAY2XRQqVKz0xX/L0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "effe4c007d6243d9e69ce2242d76a2471c1b8d5c",
+        "rev": "9651819d75f6c7ffaf8a9227490ac704f29659f0",
         "type": "github"
       },
       "original": {
@@ -636,11 +684,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764612577,
-        "narHash": "sha256-sHI+7m/ryVYf7agWkutYbvzUS07aAd8g2NVWgUqhxLg=",
+        "lastModified": 1764236397,
+        "narHash": "sha256-s/6WrJJryLI6BgphsY8l0s0UmGUg3mgkSFuvvsbN0FM=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "bcb22e208cf8883004fcec3a33f2500e7dc319a5",
+        "rev": "50026908d1501193afdcccdf7359d1a485074eda",
         "type": "github"
       },
       "original": {
@@ -752,11 +800,11 @@
         "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1764556167,
-        "narHash": "sha256-/b+oEls56HDRzsSp60tsRfPFRjFebBPHq6k1I+hfPqw=",
+        "lastModified": 1764208886,
+        "narHash": "sha256-voOx8RsK3miw3EHw05nwuOS4ltzeH8tKJnVr+mxtTPQ=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "849d1b2b1adddfc7bddbd3be6bffd218a3f5a6fe",
+        "rev": "7da8a2d675f9cc56b3f6d654b4cccdca5016ac8e",
         "type": "github"
       },
       "original": {
@@ -852,11 +900,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764591717,
-        "narHash": "sha256-T/HMA0Bb/O6UnlGQ0Xt+wGe1j8m7eyyQ5+vVcCJslsM=",
+        "lastModified": 1764072830,
+        "narHash": "sha256-ezkjlUCohD9o9c47Ey0/I4CamSS0QEORTqGvyGqMud0=",
         "owner": "nix-community",
         "repo": "nixos-wsl",
-        "rev": "84d1dab290feb4865d0cfcffc7aa0cf9bc65c3b7",
+        "rev": "c7832dd786175e20f2697179e0e03efadffe4201",
         "type": "github"
       },
       "original": {
@@ -914,11 +962,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1764547213,
-        "narHash": "sha256-pGXM6frMKLRJmeMcQ228O1QQBuNEUjzmWx9uBd+CbXM=",
+        "lastModified": 1764201071,
+        "narHash": "sha256-ACX5IcJTSoZYBPVtgFAOHvo/FZ70n9AmaAhoeIF+O9Y=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "64de27c1c985895c1a9f92aaeaab4e6a4c0960f5",
+        "rev": "8c40e16ba896a3657226780454734265b0534f6a",
         "type": "github"
       },
       "original": {
@@ -946,11 +994,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1764618760,
-        "narHash": "sha256-QTUgygkdUq4sq7mXoO2Q2IPpvkKOZtTAJkbTaTjMi0A=",
+        "lastModified": 1764243589,
+        "narHash": "sha256-JoCEZJaU1Ex0MFG3A2DwTtu+jOCLigyXUAmlZLROBdg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "29a7d6eec7e1177020f62f7599e5021317219c37",
+        "rev": "57dcc6d4a389a7b6d1fb4cf20c9435f12b11f98d",
         "type": "github"
       },
       "original": {
@@ -994,11 +1042,11 @@
     },
     "nixpkgs_7": {
       "locked": {
-        "lastModified": 1764517877,
-        "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
+        "lastModified": 1763966396,
+        "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
+        "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",
         "type": "github"
       },
       "original": {
@@ -1026,11 +1074,11 @@
     },
     "nixpkgs_9": {
       "locked": {
-        "lastModified": 1764445028,
-        "narHash": "sha256-ik6H/0Zl+qHYDKTXFPpzuVHSZE+uvVz2XQuQd1IVXzo=",
+        "lastModified": 1763618868,
+        "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a09378c0108815dbf3961a0e085936f4146ec415",
+        "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942",
         "type": "github"
       },
       "original": {
@@ -1139,11 +1187,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1764525349,
-        "narHash": "sha256-vR3vU9AwzMsBvjNeeG2inA5W/2MwseFk5NIIrLFEMHk=",
+        "lastModified": 1764175386,
+        "narHash": "sha256-LfgFqvPz3C80VjaffSjy8lLyRWfbThhB7gE7IWXHjYU=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "d646b23f000d099d845f999c2c1e05b15d9cdc78",
+        "rev": "71ddf07c1c75046df3bb496cf824de5c053d99ad",
         "type": "github"
       },
       "original": {
@@ -1204,11 +1252,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764483358,
-        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
+        "lastModified": 1764021963,
+        "narHash": "sha256-1m84V2ROwNEbqeS9t37/mkry23GBhfMt8qb6aHHmjuc=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
+        "rev": "c482a1c1bbe030be6688ed7dc84f7213f304f1ec",
         "type": "github"
       },
       "original": {
@@ -1222,11 +1270,11 @@
         "nixpkgs": "nixpkgs_9"
       },
       "locked": {
-        "lastModified": 1764483358,
-        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
+        "lastModified": 1764021963,
+        "narHash": "sha256-1m84V2ROwNEbqeS9t37/mkry23GBhfMt8qb6aHHmjuc=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
+        "rev": "c482a1c1bbe030be6688ed7dc84f7213f304f1ec",
         "type": "github"
       },
       "original": {
@@ -1254,11 +1302,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1764550443,
-        "narHash": "sha256-ArO2V1YEHmEILilTj4KPtqF4gqc1q2HBrrrmygQ/UyU=",
+        "lastModified": 1764191810,
+        "narHash": "sha256-rofXPD/9TGpHveo1MTlUfpnF0MCG1/uHUB9f0rosdqc=",
         "owner": "nix-community",
         "repo": "stylix",
-        "rev": "794b6e1fa75177ebfeb32967f135858a1ab1ba15",
+        "rev": "70c444a10d0c9ef71a25580dfa79af9cd43f3a5e",
         "type": "github"
       },
       "original": {
@@ -1519,11 +1567,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764598958,
-        "narHash": "sha256-sJQHRL8trBoG/ArR+mUlyp5cyKU0pgQY+qDQzZGnVgM=",
+        "lastModified": 1764217570,
+        "narHash": "sha256-vgqUC6lI/gW70uekA0bpNFU6yR0tcZRfLIZcxGfN76g=",
         "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "8cded25e10b13e2999241f1c73a7d4e5e5d6f69e",
+        "rev": "3dc281d86044322f9182b20abbc21db8824c130a",
         "type": "github"
       },
       "original": {

modules/nixos/services/persistance/convex/default.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, lib, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.services.persistance.convex;
+in
+{
+  imports = [ ./source.nix ];
+
+  options.${namespace}.services.persistance.convex = {
+    enable = mkEnableOption "enable Convex";
+  };
+
+  config = mkIf cfg.enable {
+    services.convex = {
+      enable = true;
+      package = pkgs.${namespace}.convex;
+      secret = "ThisIsMyAwesomeSecret";
+    };
+  };
+}

modules/nixos/services/persistance/convex/source.nix

@@ -0,0 +1,149 @@
+{ config, pkgs, lib, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption mkPackageOption mkOption optional types;
+
+  cfg = config.services.convex;
+
+  default_user = "convex";
+  default_group = "convex";
+in
+{
+  options.services.convex = {
+    enable = mkEnableOption "enable Convex (backend only for now)";
+
+    package = mkPackageOption pkgs "convex" {};
+
+    name = lib.mkOption {
+      type = types.str;
+      default = "convex";
+      description = ''
+        Name for the instance.
+      '';
+    };
+
+    secret = lib.mkOption {
+      type = types.str;
+      default = "";
+      description = ''
+        Secret for the instance.
+      '';
+    };
+
+    apiPort = mkOption {
+      type = types.port;
+      default = 3210;
+      description = ''
+        The TCP port to use for the API.
+      '';
+    };
+
+    actionsPort = mkOption {
+      type = types.port;
+      default = 3211;
+      description = ''
+        The TCP port to use for the HTTP actions.
+      '';
+    };
+
+    dashboardPort = mkOption {
+      type = types.port;
+      default = 6791;
+      description = ''
+        The TCP port to use for the Dashboard.
+      '';
+    };
+
+    openFirewall = lib.mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to open ports in the firewall for the server.
+      '';
+    };
+
+    user = lib.mkOption {
+      type = types.str;
+      default = default_user;
+      description = ''
+        As which user to run the service.
+      '';
+    };
+
+    group = lib.mkOption {
+      type = types.str;
+      default = default_group;
+      description = ''
+        As which group to run the service.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.secret != "";
+        message = ''
+          No secret provided for convex
+        '';
+      }
+    ];
+
+    users = {
+      users.${cfg.user} = {
+        description = "System user for convex service";
+        isSystemUser = true;
+        group = cfg.group;
+      };
+
+      groups.${cfg.group} = {};
+    };
+
+    networking.firewall.allowedTCPPorts = optional cfg.openFirewall [ cfg.apiPort cfg.actionsPort cfg.dashboardPort ];
+    
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.services.convex = {
+      description = "Convex Backend server";
+
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin --instance-name ${cfg.name} --instance-secret ${cfg.secret}";
+        Type = "notify";
+
+        User = cfg.user;
+        Group = cfg.group;
+
+        RuntimeDirectory = "convex";
+        RuntimeDirectoryMode = "0775";
+        StateDirectory = "convex";
+        StateDirectoryMode = "0775";
+        Umask = "0077";
+
+        CapabilityBoundingSet = "";
+        NoNewPrivileges = true;
+
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+      };
+    };
+  };
+}

packages/convex/default.nix

@@ -0,0 +1,59 @@
+{ 
+  lib, 
+  stdenv, 
+  rustPlatform, 
+  fetchFromGitHub, 
+  
+  # dependencies
+  openssl, 
+  pkg-config, 
+  cmake,
+  llvmPackages,
+  postgresql, 
+  sqlite, 
+  
+  #options
+  dbBackend ? "postgresql", 
+
+  ... 
+}:
+rustPlatform.buildRustPackage rec {
+  pname = "convex";
+  version = "2025-08-20-c9b561e";
+
+  src = fetchFromGitHub {
+    owner = "get-convex";
+    repo = "convex-backend";
+    rev = "c9b561e1b365c85ef28af35d742cb7dd174b5555";
+    hash = "sha256-4h4AQt+rQ+nTw6eTbbB5vqFt9MFjKYw3Z7bGXdXijJ0=";
+  };
+
+  cargoHash = "sha256-pcDNWGrk9D0qcF479QAglPLFDZp27f8RueP5/lq9jho=";
+
+  cargoBuildFlags = [
+    "-p" "local_backend"
+    "--bin" "convex-local-backend"
+  ];
+
+  env = {
+    LIBCLANG_PATH = "${llvmPackages.libclang}/lib";
+  };
+
+  strictDeps = true;
+
+  # Build-time dependencies
+  nativeBuildInputs = [ pkg-config cmake rustPlatform.bindgenHook ];
+
+  # Run-time dependencies
+  buildInputs = 
+    [ openssl ]
+    ++ lib.optional (dbBackend == "sqlite") sqlite
+    ++ lib.optional (dbBackend == "postgresql") postgresql;
+
+  buildFeatures = "";
+
+  meta = with lib; {
+    license = licenses.fsl11Asl20;
+    mainProgram = "convex";
+  };
+}

systems/x86_64-linux/ulmo/default.nix

@@ -206,6 +206,8 @@
         # uptime-kuma.enable = true;
       };
 
+      persistance.convex.enable = true;
+
       security.vaultwarden = {
         enable = true;
         database = {