services/forgejo: move data from storage-box to local volume

services/forgejo: increase session lifetime to 30 days
services/forgejo: enable git hooks
2025-04-13 17:15:51 +02:00 · 2025-04-13 17:15:44 +02:00 · 2025-04-13 16:40:24 +02:00 · 2025-04-13 16:40:24 +02:00 · 2025-04-13 16:40:24 +02:00 · 2025-04-13 16:40:24 +02:00
49 changed files with 311 additions and 774 deletions
--- a/README.md
+++ b/README.md
@ -17,11 +17,11 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin,

 - hosts - per-machine configurations
  - kazuki - my linux arm server
-  - legion - my linux x86 server
  - hijiri - my macbook
  - hijiri-vm - linux vm running on my macbook
  - ude - another linux arm server
  - kogata - my m1 mac mini doubling as a server
+  - youko - my linux x86 server
 - modules - options which in principle should be reusable by others
  - system - my opinionated nixos/nix-darwin modules
  - home - my opinionated home-manager modules
--- a/assets/forgejo/apple-touch-icon.png
+++ b/assets/forgejo/apple-touch-icon.png
--- a/assets/forgejo/avatar_default.png
+++ b/assets/forgejo/avatar_default.png
--- a/assets/forgejo/favicon.png
+++ b/assets/forgejo/favicon.png
--- a/assets/forgejo/favicon.svg
+++ b/assets/forgejo/favicon.svg
@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round" viewBox="0 0 380 380" width="32" height="32"><path d="M149.575 234.069q-1.811-19.766-14.887-37.117l-3.95-2.915q11.298-2.199 20.018-8.145l2.017 2.236q9.436.497 18.673-2.59c-1.959-4.581-5.162-9.942-9.113-15.187 6.358-5.113 10.839-9.91 12.947-15.288q-10.332-.871-17.08.648l4.084-3.329c9.155-4.309 12.227-16.306 12.515-36.033.26-17.767-1.208-32.111-7.701-43.184q-34.73 24.961-35.481 42.674-13.548-18.255-35.253-18.564c.448 5.884 2.21 12.099 5.565 17.243-2.604.285-4.894 1.216-7.859 2.411-12.156-13.612-23.673-29.376-34.414-47.008-8.039 23.269-11.333 40.023-11.455 50.284-.185 15.523 2.061 27.432 8.313 35.773l3.091 3.727-16.713-1.928c2.54 8.707 7.805 10.601 12.388 14.2-3.162 5.672-6.712 11.419-5.2 16.186 4.853 1.053 10.244.317 15.543-.116q12.885 6.631 30.679 9.057c-3.911.199-8.614.271-18.699-1.928q1.927 7.567 10.869 12.33-5.961 4.674-7.947 10.518 5.58-.468 10.226-1.169-3.624 8.152-4.909 17.239" style="fill:#fff;fill-rule:nonzero" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M85.842 234.094q1.285-9.087 4.909-17.239-4.646.701-10.226 1.169 1.986-5.844 7.947-10.518-8.942-4.763-10.869-12.33c10.085 2.199 14.788 2.127 18.699 1.928q-17.793-2.425-30.679-9.058c-5.299.434-10.69 1.17-15.543.117-1.512-4.767 2.038-10.514 5.2-16.186-4.583-3.6-9.848-5.493-12.388-14.2l16.713 1.928M56.514 155.978c-6.252-8.341-8.498-20.25-8.313-35.773.122-10.261 3.416-27.015 11.455-50.284q16.112 26.448 34.068 46.565" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M108.929 122.454q-13.353 2.18-23.373.049c8.248-6.371 12.822-8.004 18.865-8.135" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M102.706 115.642c-3.863-5.34-5.86-12.045-6.342-18.367q21.705.31 35.253 18.563.751-17.712 35.481-42.673c6.493 11.073 7.961 25.417 7.701 43.184-.288 19.727-3.36 31.724-12.515 36.033M158.2 155.711q6.748-1.52 17.08-.648c-2.108 5.378-6.589 10.175-12.947 15.288 3.951 5.245 7.154 10.606 9.113 15.187q-9.237 3.087-18.673 2.59M130.738 194.037q11.298-2.199 20.018-8.145M149.575 234.069q-1.811-19.766-14.887-37.117M65.551 146.77l29.868-1.53M70.019 170.273q-4.531-9.216 1.71-23.819" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M82.462 145.904c-1.913 14.213.121 23.042 6.417 23.03 6.855-.014 8.935-9.064 6.54-23.694" style="fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M122.796 145.382q13.86-3.124 28.791-1.607" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M143.816 143.298c5.18 5.875 5.983 14.532 4.825 24.09" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M122.796 145.382c-1.413 14.984.295 21.028 5.401 21.024 11.093-.008 5.742-13.933 6.606-22.844" style="fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M100.913 170.171a31 31 0 0 1 7.467-.581M94.877 182.466c3.607 2.981 6.483 2.176 12.251-2.727 6.426 1.759 13.671 4.519 16.185-1.431" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M60.711 175.474q2.568-2.85 6.354-2.742c-.29 2.933-.746 3.681-1.211 5.237-.775 2.588 6.18-1.728 9.088-3.278M140.128 175.257l4.115-3.759c.165 2.013-.146 5.293.486 6.06 2.44-.927 4.167-3.564 6.223-5.412" style="fill:none;fill-rule:nonzero;stroke:#c41818;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/></svg>
--- a/assets/forgejo/logo.png
+++ b/assets/forgejo/logo.png
--- a/assets/forgejo/logo.svg
+++ b/assets/forgejo/logo.svg
@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round" viewBox="0 0 380 380" width="32" height="32"><path d="M149.575 234.069q-1.811-19.766-14.887-37.117l-3.95-2.915q11.298-2.199 20.018-8.145l2.017 2.236q9.436.497 18.673-2.59c-1.959-4.581-5.162-9.942-9.113-15.187 6.358-5.113 10.839-9.91 12.947-15.288q-10.332-.871-17.08.648l4.084-3.329c9.155-4.309 12.227-16.306 12.515-36.033.26-17.767-1.208-32.111-7.701-43.184q-34.73 24.961-35.481 42.674-13.548-18.255-35.253-18.564c.448 5.884 2.21 12.099 5.565 17.243-2.604.285-4.894 1.216-7.859 2.411-12.156-13.612-23.673-29.376-34.414-47.008-8.039 23.269-11.333 40.023-11.455 50.284-.185 15.523 2.061 27.432 8.313 35.773l3.091 3.727-16.713-1.928c2.54 8.707 7.805 10.601 12.388 14.2-3.162 5.672-6.712 11.419-5.2 16.186 4.853 1.053 10.244.317 15.543-.116q12.885 6.631 30.679 9.057c-3.911.199-8.614.271-18.699-1.928q1.927 7.567 10.869 12.33-5.961 4.674-7.947 10.518 5.58-.468 10.226-1.169-3.624 8.152-4.909 17.239" style="fill:#fff;fill-rule:nonzero" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M85.842 234.094q1.285-9.087 4.909-17.239-4.646.701-10.226 1.169 1.986-5.844 7.947-10.518-8.942-4.763-10.869-12.33c10.085 2.199 14.788 2.127 18.699 1.928q-17.793-2.425-30.679-9.058c-5.299.434-10.69 1.17-15.543.117-1.512-4.767 2.038-10.514 5.2-16.186-4.583-3.6-9.848-5.493-12.388-14.2l16.713 1.928M56.514 155.978c-6.252-8.341-8.498-20.25-8.313-35.773.122-10.261 3.416-27.015 11.455-50.284q16.112 26.448 34.068 46.565" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M108.929 122.454q-13.353 2.18-23.373.049c8.248-6.371 12.822-8.004 18.865-8.135" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M102.706 115.642c-3.863-5.34-5.86-12.045-6.342-18.367q21.705.31 35.253 18.563.751-17.712 35.481-42.673c6.493 11.073 7.961 25.417 7.701 43.184-.288 19.727-3.36 31.724-12.515 36.033M158.2 155.711q6.748-1.52 17.08-.648c-2.108 5.378-6.589 10.175-12.947 15.288 3.951 5.245 7.154 10.606 9.113 15.187q-9.237 3.087-18.673 2.59M130.738 194.037q11.298-2.199 20.018-8.145M149.575 234.069q-1.811-19.766-14.887-37.117M65.551 146.77l29.868-1.53M70.019 170.273q-4.531-9.216 1.71-23.819" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M82.462 145.904c-1.913 14.213.121 23.042 6.417 23.03 6.855-.014 8.935-9.064 6.54-23.694" style="fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M122.796 145.382q13.86-3.124 28.791-1.607" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M143.816 143.298c5.18 5.875 5.983 14.532 4.825 24.09" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M122.796 145.382c-1.413 14.984.295 21.028 5.401 21.024 11.093-.008 5.742-13.933 6.606-22.844" style="fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M100.913 170.171a31 31 0 0 1 7.467-.581M94.877 182.466c3.607 2.981 6.483 2.176 12.251-2.727 6.426 1.759 13.671 4.519 16.185-1.431" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M60.711 175.474q2.568-2.85 6.354-2.742c-.29 2.933-.746 3.681-1.211 5.237-.775 2.588 6.18-1.728 9.088-3.278M140.128 175.257l4.115-3.759c.165 2.013-.146 5.293.486 6.06 2.44-.927 4.167-3.564 6.223-5.412" style="fill:none;fill-rule:nonzero;stroke:#c41818;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/></svg>
--- a/assets/ssh.nix
+++ b/assets/ssh.nix
@ -9,7 +9,6 @@

    hijiri-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6tfXLB6xhcl3rtI5x9NXSs12U4LVy06RRlyZxiORa0 nikodem@rabulinski.com";
    kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImsFb9qRxX0n2Bmy00T8iPam+Fc3mgKkm7dfM7AQRHN nikodem@rabulinski.com";
-    legion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHX2MNGZGSTedYAepZHgcx+KK0A6ASulwSrpf9ytb5h nikodem@rabulinski.com";
    miyagi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEIf4Ypws+1v9WL9MibW1dELpa/7YixElaBE7S71jsTy nrabulinski@antmicro.com";
    ude = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDm3M/i/4wP2BM4+9hHAOMospwvlBZ+FT+pJtVgaaMq nikodem@rabulinski.com";
    kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGK7H4Z29d72HJlI69Vt0YLOyuPcn9XxYjvMZfql80z0 nikodem@rabulinski.com";
@ -20,7 +19,6 @@

  system = {
    kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyYhYWDNmKSrpcslD3NzWW+lQmDcLJdjLh7CSkL4hW5 root@kazuki";
-    legion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Ktyj0FSn8KLRwRGd0Tp/qNUPXV7+XyxAsWGWdMYp8 root@legion";
    miyagi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILbUcsZrZgGHojG+1yVyNEW5Fgr7/7qNaWxOt+lFrJaD root@miyagi";
    ude = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZW15ObZ6XG776pdEvs9yqSuIiWlbGveEVA774Ri9/o root@ude";
    kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPN/SXBcIB1WN8GIhYrQrqzFGuVkEP4o0E+x0uQ4f2l";
--- a/flake.lock
+++ b/flake.lock
@ -190,22 +190,6 @@
        "type": "github"
      }
    },
-    "fl-config": {
-      "locked": {
-        "lastModified": 1653159448,
-        "narHash": "sha256-PvB9ha0r4w6p412MBPP71kS/ZTBnOjxL0brlmyucPBA=",
-        "owner": "flakelib",
-        "repo": "fl",
-        "rev": "fcefb9738d5995308a24cda018a083ccb6b0f460",
-        "type": "github"
-      },
-      "original": {
-        "owner": "flakelib",
-        "ref": "config",
-        "repo": "fl",
-        "type": "github"
-      }
-    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -351,25 +335,6 @@
        "type": "github"
      }
    },
-    "flakelib": {
-      "inputs": {
-        "fl-config": "fl-config",
-        "std": "std"
-      },
-      "locked": {
-        "lastModified": 1701802971,
-        "narHash": "sha256-Zo5fJpXbe+xXOTiDT4JG2rExobMJTmFZ72+3XTMMHrQ=",
-        "owner": "flakelib",
-        "repo": "fl",
-        "rev": "b71a91517f6b16aa5faefe8ec491d9f3062d7a20",
-        "type": "github"
-      },
-      "original": {
-        "owner": "flakelib",
-        "repo": "fl",
-        "type": "github"
-      }
-    },
    "flakey-profile": {
      "locked": {
        "lastModified": 1712898590,
@ -531,21 +496,6 @@
        "type": "github"
      }
    },
-    "nix-std": {
-      "locked": {
-        "lastModified": 1701658249,
-        "narHash": "sha256-KIt1TUuBvldhaVRta010MI5FeQlB8WadjqljybjesN0=",
-        "owner": "chessai",
-        "repo": "nix-std",
-        "rev": "715db541ffff4194620e48d210b76f73a74b5b5d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "chessai",
-        "repo": "nix-std",
-        "type": "github"
-      }
-    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1723603349,
@ -621,44 +571,6 @@
        "type": "github"
      }
    },
-    "nvidia-patch": {
-      "inputs": {
-        "flakelib": "flakelib",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nvidia-patch-src": "nvidia-patch-src"
-      },
-      "locked": {
-        "lastModified": 1742460640,
-        "narHash": "sha256-Qks0TRMOiuVKjcSPkg251Q2/wdU5ooMt4b2f2numPzg=",
-        "owner": "arcnmx",
-        "repo": "nvidia-patch.nix",
-        "rev": "c85990250376300fe11413e22458911f408f64d0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "arcnmx",
-        "repo": "nvidia-patch.nix",
-        "type": "github"
-      }
-    },
-    "nvidia-patch-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1742384429,
-        "narHash": "sha256-5O0TXVrLsFrULXli2vB2iJ7TECUckMHKvJZYmdkcnGE=",
-        "owner": "keylase",
-        "repo": "nvidia-patch",
-        "rev": "07080317245ac30c38001d2149810b2dee3cce1f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "keylase",
-        "repo": "nvidia-patch",
-        "type": "github"
-      }
-    },
    "racket": {
      "inputs": {
        "nixpkgs": [
@ -697,7 +609,6 @@
        "mailserver": "mailserver",
        "niko-nur": "niko-nur",
        "nixpkgs": "nixpkgs_2",
-        "nvidia-patch": "nvidia-patch",
        "racket": "racket",
        "treefmt": "treefmt",
        "wrapper-manager": "wrapper-manager",
@ -764,24 +675,6 @@
        "type": "github"
      }
    },
-    "std": {
-      "inputs": {
-        "nix-std": "nix-std"
-      },
-      "locked": {
-        "lastModified": 1701802337,
-        "narHash": "sha256-JCVCyjDZ6LA0xyVoDZzRXjy0OgWOZo3OpeZEVm/U97w=",
-        "owner": "flakelib",
-        "repo": "std",
-        "rev": "443d1c8246b3d96a4822b02af907ca0d833e8b63",
-        "type": "github"
-      },
-      "original": {
-        "owner": "flakelib",
-        "repo": "std",
-        "type": "github"
-      }
-    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -65,6 +65,10 @@
              # racket
              "*.rkt"
              "**/rashrc"
+
+              # custom assets
+              "*.png"
+              "*.svg"
            ];
            settings.on-unmatched = "fatal";
          };
@ -121,10 +125,6 @@
      url = "gitlab:famedly/conduit?ref=next";
      flake = false;
    };
-    nvidia-patch = {
-      url = "github:arcnmx/nvidia-patch.nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
    fenix = {
      url = "github:nix-community/fenix";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -9,7 +9,6 @@
    ./kazuki
    ./hijiri-vm
    ./hijiri
-    ./legion
    # TODO: Custom installer ISO
    # ./installer
    ./ude
--- a/hosts/kazuki/default.nix
+++ b/hosts/kazuki/default.nix
@ -15,7 +15,6 @@
        ./storage.nix
        ./ntfy.nix
        ./zitadel.nix
-        ./forgejo.nix
        ./prometheus.nix
      ];

--- a/hosts/kazuki/forgejo.nix
+++ b/hosts/kazuki/forgejo.nix
@ -1,62 +0,0 @@
-{ config, ... }:
-{
-  age.secrets.rab-lol-cf = {
-    file = ../../secrets/rab-lol-cf.age;
-    owner = config.services.nginx.user;
-  };
-
-  services.forgejo = {
-    enable = true;
-    settings = {
-      server = {
-        DOMAIN = "git.rab.lol";
-        ROOT_URL = "https://git.rab.lol/";
-      };
-      oauth2_client = {
-        REGISTER_EMAIL_CONFIRM = false;
-        ENABLE_AUTO_REGISTRATION = true;
-        ACCOUNT_LINKING = "auto";
-        UPDATE_AVATAR = true;
-      };
-      service = {
-        DISABLE_REGISTRATION = false;
-        ALLOW_ONLY_INTERNAL_REGISTRATION = false;
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
-      };
-      federation.ENABLED = true;
-    };
-    repositoryRoot = "/storage-box/forgejo/repos";
-    lfs = {
-      enable = true;
-      contentDir = "/storage-box/forgejo/lfs";
-    };
-  };
-
-  services.nginx = {
-    enable = true;
-    recommendedProxySettings = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedTlsSettings = true;
-    virtualHosts."git.rab.lol" = {
-      forceSSL = true;
-      enableACME = true;
-      acmeRoot = null;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:3000";
-        extraConfig = ''
-          proxy_set_header Connection $http_connection;
-          proxy_set_header Upgrade $http_upgrade;
-        '';
-      };
-    };
-  };
-
-  users.users.nginx.extraGroups = [ "acme" ];
-  security.acme.acceptTerms = true;
-  security.acme.certs."git.rab.lol" = {
-    dnsProvider = "cloudflare";
-    credentialsFile = config.age.secrets.rab-lol-cf.path;
-    email = "nikodem@rabulinski.com";
-  };
-}
--- a/hosts/legion/default.nix
+++ b/hosts/legion/default.nix
@ -1,47 +0,0 @@
-{
-  configurations.nixos.legion =
-    {
-      config,
-      username,
-      ...
-    }:
-    {
-      imports = [
-        ./hardware.nix
-        # ./disks.nix
-        ./msmtp.nix
-        ./desktop.nix
-      ];
-
-      nixpkgs.hostPlatform = "x86_64-linux";
-
-      specialisation = {
-        nas.configuration = ./nas;
-      };
-
-      boot = {
-        loader.systemd-boot.enable = true;
-        loader.efi.canTouchEfiVariables = true;
-      };
-
-      settei.tailscale = {
-        ipv4 = "100.84.112.35";
-        ipv6 = "fd7a:115c:a1e0:ab12:4843:cd96:6254:7023";
-      };
-
-      networking = {
-        hostName = "legion";
-        hostId = builtins.substring 0 8 "524209a432724c7abaf04398cdd6eecd";
-        networkmanager.enable = true;
-      };
-      systemd.services.NetworkManager-wait-online.enable = false;
-
-      powerManagement.cpuFreqGovernor = "performance";
-
-      age.secrets.niko-pass.file = ../../secrets/legion-niko-pass.age;
-      users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path;
-
-      settei.incus.enable = true;
-      virtualisation.podman.enable = true;
-    };
-}
--- a/hosts/legion/desktop.nix
+++ b/hosts/legion/desktop.nix
@ -1,112 +0,0 @@
-# TODO: Proper desktop module
-{
-  config,
-  pkgs,
-  lib,
-  username,
-  ...
-}:
-{
-  # Needed for nvidia and steam
-  nixpkgs.config.allowUnfree = true;
-
-  settei.user.config = {
-    settei.desktop.enable = true;
-    home.packages = with pkgs; [
-      brightnessctl
-      dmenu
-    ];
-
-    xsession.windowManager.i3 = {
-      enable = true;
-      config = {
-        terminal = "wezterm";
-        modifier = "Mod4";
-      };
-    };
-
-    home.file.".xinitrc".source = pkgs.writeShellScript "xinitrc" ''
-      xrandr --setprovideroutputsource modesetting NVIDIA-0
-      xrandr --auto
-      exec dbus-run-session i3
-    '';
-  };
-
-  programs.steam = {
-    enable = true;
-    remotePlay.openFirewall = true;
-    dedicatedServer.openFirewall = true;
-    gamescopeSession = { };
-  };
-
-  hardware.steam-hardware.enable = true;
-
-  services.logind = lib.genAttrs [
-    "lidSwitch"
-    "lidSwitchDocked"
-    "lidSwitchExternalPower"
-  ] (_: "ignore");
-
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    pulse.enable = true;
-  };
-
-  programs.dconf.enable = true;
-  services.dbus.enable = true;
-
-  users.users.${username}.extraGroups = [
-    "video"
-    "input"
-  ];
-
-  # NVIDIA stuff
-  services.xserver = {
-    enable = true;
-    excludePackages = [ pkgs.xterm ];
-    videoDrivers = [ "nvidia" ];
-    xkb.layout = "pl";
-    displayManager.startx.enable = true;
-    config = lib.mkForce ''
-      Section "OutputClass"
-        Identifier "intel"
-        MatchDriver "i915"
-        Driver "modesetting"
-      EndSection
-
-      Section "OutputClass"
-        Identifier "nvidia"
-        MatchDriver "nvidia-drm"
-        Driver "nvidia"
-        Option "AllowEmptyInitialConfiguration"
-        Option "PrimaryGPU" "yes"
-        ModulePath "${config.hardware.nvidia.package.bin}/lib/xorg/modules"
-        ModulePath "${pkgs.xorg.xorgserver}/lib/xorg/modules"
-      EndSection
-
-      Section "InputClass"
-        Identifier "touchpad"
-        Driver "libinput"
-        MatchIsTouchpad "on"
-        Option "Tapping" "on"
-        Option "TappingButtonMap" "lrm"
-        Option "NaturalScrolling" "true"
-      EndSection
-    '';
-    exportConfiguration = true;
-  };
-  services.libinput.enable = true;
-
-  hardware.nvidia = {
-    patch.enable = true;
-    patch.nvidiaPackage = config.boot.kernelPackages.nvidia_x11_production;
-    open = false;
-    modesetting.enable = true;
-  };
-
-  hardware.graphics = {
-    enable = true;
-    enable32Bit = true;
-  };
-}
--- a/hosts/legion/disks.nix
+++ b/hosts/legion/disks.nix
@ -1,14 +0,0 @@
-_args:
-/*
-  let
-    bootDevice = args.bootDevice or "/dev/nvme0n1";
-  in
-*/
-{
-  assertions = [
-    {
-      assertion = false;
-      message = "Disko config TODO";
-    }
-  ];
-}
--- a/hosts/legion/hardware.nix
+++ b/hosts/legion/hardware.nix
@ -1,90 +0,0 @@
-{ config, ... }:
-{
-  boot.initrd.availableKernelModules = [
-    "xhci_pci"
-    "ahci"
-    "nvme"
-    "usbhid"
-    "usb_storage"
-    "uas"
-  ];
-  boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
-  boot.kernelModules = [
-    "kvm-intel"
-    "i2c-dev"
-    "acpi_call"
-  ];
-  boot.blacklistedKernelModules = [ "nouveau" ];
-
-  # Needed for enableAllFirmware
-  nixpkgs.config.allowUnfree = true;
-  hardware = {
-    enableAllFirmware = true;
-    cpu.intel.updateMicrocode = true;
-  };
-
-  services.smartd.enable = true;
-
-  # TODO: Move to disko only
-  # TODO: Actually set up impermanence
-  boot.supportedFilesystems = [ "btrfs" ];
-  boot.initrd.luks.devices."enc".device = "/dev/disk/by-label/LUKS";
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-label/LINUX";
-    fsType = "btrfs";
-    options = [
-      "subvol=root"
-      "compress=zstd"
-      "noatime"
-    ];
-  };
-
-  fileSystems."/home" = {
-    device = "/dev/disk/by-label/LINUX";
-    fsType = "btrfs";
-    options = [
-      "subvol=home"
-      "compress=zstd"
-      "noatime"
-    ];
-  };
-
-  fileSystems."/nix" = {
-    device = "/dev/disk/by-label/LINUX";
-    fsType = "btrfs";
-    options = [
-      "subvol=nix"
-      "compress=zstd"
-      "noatime"
-    ];
-  };
-
-  fileSystems."/persist" = {
-    device = "/dev/disk/by-label/LINUX";
-    fsType = "btrfs";
-    options = [
-      "subvol=persist"
-      "compress=zstd"
-      "noatime"
-    ];
-  };
-
-  fileSystems."/var/log" = {
-    device = "/dev/disk/by-label/LINUX";
-    fsType = "btrfs";
-    options = [
-      "subvol=log"
-      "compress=zstd"
-      "noatime"
-    ];
-    neededForBoot = true;
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-label/BOOT";
-    fsType = "vfat";
-  };
-
-  swapDevices = [ { device = "/dev/disk/by-label/SWAP"; } ];
-}
--- a/hosts/legion/msmtp.nix
+++ b/hosts/legion/msmtp.nix
@ -1,36 +0,0 @@
-# TODO: Potentially make this a common module?
-{
-  pkgs,
-  config,
-  username,
-  ...
-}:
-let
-  mail = "alert@nrab.lol";
-  aliases = pkgs.writeText "mail-aliases" ''
-    ${username}: nikodem@rabulinski.com
-    root: ${mail}
-  '';
-in
-{
-  age.secrets.alert-plaintext.file = ../../secrets/alert-plain-pass.age;
-
-  programs.msmtp = {
-    enable = true;
-    setSendmail = true;
-    defaults = {
-      inherit aliases;
-      tls = "on";
-      auth = "login";
-      tls_starttls = "off";
-    };
-    accounts = {
-      default = {
-        host = "mail.nrab.lol";
-        passwordeval = "cat ${config.age.secrets.alert-plaintext.path}";
-        user = mail;
-        from = mail;
-      };
-    };
-  };
-}
--- a/hosts/legion/nas/default.nix
+++ b/hosts/legion/nas/default.nix
@ -1,59 +0,0 @@
-{
-  pkgs,
-  lib,
-  username,
-  ...
-}:
-{
-  imports = [ ./media.nix ];
-
-  boot.supportedFilesystems = [
-    "ext4"
-    "zfs"
-  ];
-
-  boot.zfs.extraPools = [ "yottapool" ];
-  services.zfs = {
-    autoScrub.enable = true;
-    zed.settings = {
-      ZED_DEBUG_LOG = "/tmp/zed.debug.log";
-      ZED_EMAIL_ADDR = [ username ];
-      ZED_EMAIL_PROG = lib.getExe pkgs.msmtp;
-      ZED_EMAIL_OPTS = "@ADDRESS@";
-
-      ZED_NOTIFY_INTERVAL_SECS = 3600;
-      ZED_NOTIFY_VERBOSE = true;
-
-      ZED_USE_ENCLOSURE_LEDS = true;
-      ZED_SCRUB_AFTER_RESILVER = true;
-    };
-  };
-
-  fileSystems."/bulk" = {
-    device = "/dev/disk/by-label/BULK";
-    fsType = "ext4";
-  };
-
-  systemd.mounts = [
-    {
-      type = "none";
-      options = "bind";
-      what = "/media/data";
-      where = "/export/yotta-data";
-      requires = [ "zfs-mount.service" ];
-      after = [ "zfs-mount.service" ];
-      wantedBy = [ "multi-user.target" ];
-      before = [ "nfs-server.service" ];
-      requiredBy = [ "nfs-server.service" ];
-    }
-  ];
-
-  services.nfs.server = {
-    enable = true;
-    hostName = "100.84.112.35";
-    exports = ''
-      /export            *(insecure,rw,crossmnt,fsid=0)
-      /export/yotta-data *(insecure,rw,nohide)
-    '';
-  };
-}
--- a/hosts/legion/nas/media.nix
+++ b/hosts/legion/nas/media.nix
@ -1,132 +0,0 @@
-{
-  config,
-  username,
-  lib,
-  ...
-}:
-{
-  age.secrets.rab-lol-cf = {
-    file = ../../../secrets/rab-lol-cf.age;
-    owner = config.services.nginx.user;
-  };
-
-  services.jellyfin = {
-    enable = true;
-    openFirewall = true;
-  };
-  services.radarr.enable = true;
-  # TODO: Remove once https://github.com/Sonarr/Sonarr/pull/7443 is merged
-  nixpkgs.config.permittedInsecurePackages = [
-    "dotnet-sdk-6.0.428"
-    "aspnetcore-runtime-6.0.36"
-  ];
-  services.sonarr.enable = true;
-  services.prowlarr.enable = true;
-  services.jellyseerr.enable = true;
-  services.deluge = {
-    enable = true;
-    web.enable = true;
-    config.download_location = "/media/deluge";
-  };
-
-  services.restic.server = {
-    enable = true;
-    dataDir = "/media/restic";
-    extraFlags = [ "--no-auth" ];
-  };
-
-  users.users = {
-    jellyfin.extraGroups = [
-      "radarr"
-      "sonarr"
-    ];
-    radarr.extraGroups = [ "deluge" ];
-    sonarr.extraGroups = [ "deluge" ];
-    ${username}.extraGroups = [ "deluge" ];
-  };
-
-  systemd.services = lib.mkMerge [
-    (lib.genAttrs
-      [
-        "jellyfin"
-        "radarr"
-        "sonarr"
-        "prowlarr"
-        "deluged"
-        "restic-rest-server"
-      ]
-      (_: {
-        requires = [ "zfs-mount.service" ];
-        after = [ "zfs-mount.service" ];
-      })
-    )
-    {
-      jellyseerr.requires = [
-        "jellyfin.service"
-        "radarr.service"
-        "sonarr.service"
-      ];
-
-      radarr.requires = [ "deluged.service" ];
-      sonarr.requires = [ "deluged.service" ];
-    }
-  ];
-
-  services.nginx = {
-    enable = true;
-    recommendedProxySettings = true;
-    virtualHosts =
-      let
-        services = [
-          "jellyfin"
-          "jellyseerr"
-          "deluge"
-          "prowlarr"
-          "sonarr"
-          "radarr"
-        ];
-        mkService = name: {
-          forceSSL = true;
-          useACMEHost = "_wildcard.legion.rab.lol";
-          listen = lib.flatten (
-            map
-              (port: [
-                (port // { addr = config.settei.tailscale.ipv4; })
-                (port // { addr = "[${config.settei.tailscale.ipv6}]"; })
-              ])
-              [
-                { port = 80; }
-                {
-                  port = 443;
-                  ssl = true;
-                }
-              ]
-          );
-
-          locations."/".proxyPass = "http://${name}";
-        };
-        services' = map (service: {
-          name = "${service}.legion.rab.lol";
-          value = mkService service;
-        }) services;
-      in
-      lib.listToAttrs services';
-    upstreams = {
-      jellyfin.servers."localhost:8096" = { };
-      jellyseerr.servers."localhost:5055" = { };
-      deluge.servers."localhost:8112" = { };
-      prowlarr.servers."localhost:9696" = { };
-      radarr.servers."localhost:7878" = { };
-      sonarr.servers."localhost:8989" = { };
-    };
-  };
-
-  users.users.nginx.extraGroups = [ "acme" ];
-  security.acme.acceptTerms = true;
-  security.acme.certs."_wildcard.legion.rab.lol" = {
-    domain = "*.legion.rab.lol";
-    dnsProvider = "cloudflare";
-    credentialsFile = config.age.secrets.rab-lol-cf.path;
-    email = "nikodem@rabulinski.com";
-  };
-}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -33,7 +33,6 @@ in
        inputs.disko.nixosModules.disko
        inputs.mailserver.nixosModules.default
        inputs.home-manager.nixosModules.home-manager
-        inputs.nvidia-patch.nixosModules.nvidia-patch
        inputs.attic.nixosModules.atticd
        inputs.lix-module.nixosModules.default
        {
--- a/modules/system/containers.nix
+++ b/modules/system/containers.nix
@ -85,6 +85,12 @@ let

          services.openssh.hostKeys = [ ];
          system.stateVersion = lib.mkDefault config.system.stateVersion;
+
+          networking.useHostResolvConf = false;
+          networking.nameservers = [
+            "1.1.1.1"
+            "1.0.0.1"
+          ];
        };

        bindMounts = {
@ -95,6 +101,11 @@ let
        privateNetwork = lib.mkForce true;
      }
    ) config.settei.containers;
+
+    networking.nat = lib.mkIf (config.settei.containers != { }) {
+      enable = true;
+      internalInterfaces = [ "ve-+" ];
+    };
  };

  darwinConfig = lib.optionalAttrs (!isLinux) {
--- a/secrets/alert-nrab-lol-pass.age
+++ b/secrets/alert-nrab-lol-pass.age
@ -1,7 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw XYwseCo1fgFTMZ4IL13orBFdnWo0is7fujpJ5vDEIXo
-5L2q/5umRSXrK1YGUXeUS3rpUlaGGwCKqzvUpQ5nk8s
-> ssh-ed25519 GKhvwg 2fSKj5gtCn8oj35oOgL3o8TxkkZNBlp+xy/W4mYghm8
-fNse8uiLWps7zSIY8826MRAY1PyO++G3+7tT6TDQeag
--- /1Qqdeo1Tvw3EQDGKc5D85eXTnJ/vmdtwfHf/WuvGwQ
-–ZîQr.KGè²ùõ;1ýçW9£>†ˆ<E280A0>GjE(÷<>~]ß÷œ3"®†Žðiº“ï
)1 [Èäñm;ÀÜºWÅqn)vsEÜY«ÝÒÅÁäË,Ú0‹X3I1ñ‡P`
+-> ssh-ed25519 84j9mw Uex/8V7Wq/9Bz9nvJRwfl5F6/QexinaDIhe14gAqWng
+/lvX7cziXcohWI8FS8eybbdAaWDgN2Nvv2/3/DDaCFg
+-> ssh-ed25519 GKhvwg JmC8WUB4SkpEy9nYGo9sfoNPx1pOAqvq0YDqd4l4vWw
+F7KRZaLxCs7eYlPvv+yLovyFAxkahr/p5apcL+Bilfk
+--- k5tZFrWFA+pUvgN2TYuIXzHBII2bLhB308qm5LFGJVg
+gÉ¸0ZT‚JÑJÊ)]>Äp¹À
+?LM‰¥µßØ><08>†ÍwÐŸuYxŒÒï™"/Œ"$¾ÀÓL
<0A>Éé<14>ÿøYÆ1‘ÐüT×¸mÖ‘áö§±ÃÑs»~
--- a/secrets/alert-plain-pass.age
+++ b/secrets/alert-plain-pass.age
@ -1,19 +1,20 @@
 age-encryption.org/v1
-> ssh-ed25519 GKhvwg 5euhetVuCUsVmzsFBVQr0U709Ogv6j1m+rhaS1ZXQhw
-p9dTjCsqwXRFgY1qvZOmlpJGYIz+hj286sP/oaX15H4
-> ssh-ed25519 H0Rg/A MrlNR2XgW04Csdhpd1s2Tfr3gsD8l1YWj5l/5EJEtGI
-+3RiO5GHLJOstxEKvNvAlZ1ycWHLUun0K7raJ/86a/M
-> ssh-ed25519 84j9mw 2wIXF94Zbo3fB7fRzQWGv5mCwdiomYVoFU8p25olt1k
-S2A2AP8clxTkJBtqRTTSeHeKCkcveEYaaU41di0v9kM
-> ssh-ed25519 5A7peQ G+MxkpWskys34yRKVC9CEXdfqujMUG/v4Vp9WvPYRw0
-BA+l5LIAIX0/KeSRcxLRybQ42OZV/ZX9pLCHhvkI1gc
-> ssh-ed25519 ioPMHA EXnV+gYXCwuE9kL8HJDxwGTWRqfJQt4gO4IxDXNXCDM
-s2Ji8kJ+hl+3vy/kIIHyngIw6BGouXjLTbIK/AQYfNI
-> ssh-ed25519 g2vRWw Ir+r+/jelVmGjtahgKwTkiwZUWSxkCHJrYFkm+GqTDQ
-GsDZu3gaQArHOEFQH4qoJSQw1mflKWvWNYpI+RZgI/0
-> ssh-ed25519 IFuY+w tWgf0Nelr0ji9Kr9fBt+2rdr0alagGG960uzW8RL9yE
-FW5Wt5OMD887sClsLF/q4AlTDocImI72az465K/qZPs
-> ssh-ed25519 rA7dkQ 9apitDrmj/hY9bCHadtYFZmjGUwqXtFZiUypjt9Z1BQ
-l+4ZTzw1rAYQV9dWn2sAr6Q1UtwunbelGr+UqMwetsE
--- dmVol02/2xV9zEOzA8+n5fyyjEk5Tsq/3W1yZa07ntg
-Pÿ`nÑHmXöØ‘ªDâ¸`7ô{ç3˜Pø¿¸ùãÊÛð}€£ñèvÉÜT€—Áb
+-> ssh-ed25519 GKhvwg ZvzKWT14nrdbiVRJf4hK3Gmb7pkLA1YrzIAXi7GqUm0
+OqGUgm/4oefj+J6JrIM42FPq/2tH/evQfKYQGCSMIc4
+-> ssh-ed25519 H0Rg/A ucyXgt869tI6HWLjrsg5o65HBBHnjiAyJ2T7aCps7iQ
+h58tIKkuHEFM+7VRl6u+3vvV3XQ0r+XqvUo7OdLuKEg
+-> ssh-ed25519 84j9mw 2a5d7xIwqwF9MuAKv490mGUMYiDvZWK8+sLDjShpnmk
+7CH1AzJQD7nrq7aKZJy54+74awO2MHO6RySq29/MH18
+-> ssh-ed25519 5A7peQ 8h1pfClbTdBZuSZyw1LcntL6QIDXukYkJ+SBmcZMYAE
+d8gix1GBYjqe8nYc/gdOxEvsYNo7+W+vhQZq/RFPeRw
+-> ssh-ed25519 g2vRWw E4b+U5rVKsurdddkOSeDKmhIQW5iK4hdoRePQjohM2w
+WlMZ6Yd9iCqcm/WIrzRSRU9fmqdtc2Lb79wgB945Kg
+-> ssh-ed25519 B2veVw 4APxbmXkGw6O319hX1rPpgCz2BNXs1fa71eopRvgsFI
+AQ3FsW+H7qYg90JG8904/N0FjxjH4S70S1Gyer1BiXI
+-> ssh-ed25519 IFuY+w +W4IMgBS9ihPCEGWQw8DrsTkF8Ih5H1+ZjhmGdPimQE
+qlMFMVpw6uvH/OqGx/fIBFcP41RlXxyXKJ3//1N7mcQ
+-> ssh-ed25519 rA7dkQ 1XI21LILuaiYGHbdgCllU+H8N+/YPq9FyrOUTp0AXCI
+vklhN/5KOmbB0MaQ4F/iIuj5ReLiBrmFQunPtJu0o7w
+--- 5T2/adM9me57EcbMcLPba1MIisFzJnXLC+inc57bJdk
+ÿJi'ª©6£—&Ù&o
+k4-hu¨š}ï2¥Ú|‘Î1DIl9ÞíÜ¦¡—ýY•–
--- a/secrets/attic-creds.age
+++ b/secrets/attic-creds.age
--- a/secrets/forgejo-token.age
+++ b/secrets/forgejo-token.age
--- a/secrets/github-token.age
+++ b/secrets/github-token.age
--- a/secrets/hercules-cache.age
+++ b/secrets/hercules-cache.age
--- a/secrets/hercules-secrets.age
+++ b/secrets/hercules-secrets.age
@ -1,16 +1,12 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw qVTbaORT1Ouwq1uA0cWQ3Q85tLYcq6xuZ9UhcMOTTSk
-PE0VZp1P9K4IAnm/BIDusGsp4dtLvaN0/m9q9gNnfx4
-> ssh-ed25519 ioPMHA +m127XNN1vH6Tg6XGuHDbND0giQgGsMLE7YUKagZbXk
-tKyYRNLt1UgnQR//64yAunpHjE7JyB/Mkdmc4gkMTWw
-> ssh-ed25519 IFuY+w x4WynTbStig1Ay9gyaplDcNlLQT0kMOFOJwVvcco1i0
-i8M7n2tfBJoFNmQHs5jEaZdfKc1UmjL5y6oBCos1mDk
-> ssh-ed25519 5A7peQ +XJDHQntGS+FcrFgy9X/9RDOrBMNCI8rHsicV4Z5sBo
-i6xfceBN4DE9EYF8Q4PaJjX7qbELJaJ5dxMGoAIE8xU
-> ssh-ed25519 GKhvwg fzJcotOtNhVeNwOdMQIwPT9GmgbE13HYmCkwbFlCCkQ
-mNtYtoX8IUDgHKAQRA5e7HLZgYVI9wCF8QMm530eFEo
--- EIWU+anFU1NSYiu3O+xncDnVvJVrwHzwaAX1YhsaOj4
-%§ëDJ#Îä·0Ÿ¨AÉD
-qz›,3sHÿ…µÌÂVb¦<>‘®ÄÂTùÍÞªˆË‡¹8Ÿ¬[ ÏÈ?VgNVdˆ
-Ä<EFBFBD>È—L=è©íÌµžðg%Î¹î[ÕmdšòíëØ6oqòžEÂ4Å<34>óöÕF3‹@P\(MDM;’%É^<5E>Ü«ïp¾xîª÷p<10>):O9,iBµ¥±„T
-sÇšÏ-—à“ÃJWºÖèEÎ\0Â£™yÎ>0;î<>öyÑLæå{üt.g%W,ºX} JÆJßÀd‹gê3žŽ\Ž#)ö<>›0h=l‚´ˆüš<C3BC>hBBäƒœüXÀ<58>ÄëÍb$õ^Ð
óå”B¨M™ØìÕþ[È~ÌÜu?Ñâ®þþ	h‹¾ªlÿ”Ìc;z½k
+-> ssh-ed25519 84j9mw bwa+uUxySjFDjOaCzRiZyYVKl4po1YDaOoDQLqqObSI
+ayXv7BKF5lkzM3ai3rHL8irPetF2Nlwoji2VHpRsD5c
+-> ssh-ed25519 IFuY+w k98+p1XfAR7f7kbahEwTzZVA45ulV4t3INkOQMsU3D8
+1QbRrGvE5cMMKzSNXK5LfBndDBJITd6gTBg9dJWir9E
+-> ssh-ed25519 5A7peQ NyqKUm+8hfHcJ760y3EttpxygXxQXKFXURU8pHg1bAw
+Rh7EqnDagUFvmIEsFkjkE2tVzlhWrGgANKy9UQM0D7M
+-> ssh-ed25519 GKhvwg J3b+gGMaemGwSb7jfeCug9bcjXUJbU8BBGRoTXw2lw4
+tmMZY+0SSYVxZSMDQEBWCYzKUHTVbFH1iuybHyBvor8
+--- Uh1N32VLTQ2mxhsxu40FbIv0dQkqPdfBk+q3nJ/xPZ4
+;¨tØ¶ïálÌ™„RyœhÙ–QBXzÇiß¦þ¶ä%JN@Ö§þFƒDv8º½.ÒD™“,½¦_J¢žÝ(<¿p-<½Añf—l)ÕøFQ±”Íf“øéª+—6îmH<6D>þÝ²Å¿–ç~ðÉy•NÁ5ØŠÍ®ñÃ‘b—#]yÛ{§MSx9XO•3«ýñ`ô®ƒR<|—O4ÓÓ(ˆƒäKÍ@wdMq	s%XdG®rW™m6½1N QåñGJòÅ~ÙÄÝƒ«xkÅgRCvëš‘&vÏùåÞ¶±NS f©6ÿ÷,È`¾K ÑŠþkŸ1<C5B8>Z!T%[,a6‚XèÖ¾Ûÿ‚NL5›îÉk»^ÌËV–ž
+õg}×Cí¡>Šˆm5ØÐrd7MÃnÙ=
--- a/secrets/hercules-token.age
+++ b/secrets/hercules-token.age
--- a/secrets/kanidm-admin-pass.age
+++ b/secrets/kanidm-admin-pass.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw W4+Z4WjOyUl4mWPqVykNWRhf2/8qfVOSM7QCFPNMZTA
+0ndQjslMwjQqguN25nBQtCchpCLhoD/vrxh1yNVeTNw
+-> ssh-ed25519 GKhvwg H8XcFJDZTA3IzxmK6wbB+PVM2gCZ4ysAPjL5j0LgeE0
+kehTMRIVOZ5ubtO7w8WF+gU3sjYXMQtd5hH+wcv3uSE
+--- 72ntrRbWq8pdkk/GrsVupTttfY9t+w3l+2KQbQyNn/I
+iydìû$vVl TK$4G[€â· ©âMI[™#t—¹ °ôz:‰ñÍÙr9~½ESÃA»6Œ}×µ
--- a/secrets/kanidm-idm-admin-pass.age
+++ b/secrets/kanidm-idm-admin-pass.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw 8zYeVXx36dpC8TxMdoM1GdERoNNj902KwTF4h/r4inM
+n3mYra0BeM4gWsZ7Roilu14o/GajX1iWw0fcy0q31yc
+-> ssh-ed25519 GKhvwg cqd7YmVpbxqZxaVluHDZ8Yw0gNfJCKMmoWa4mEoXym8
+Gbcj+PJaqyPRRGX4olr7mmJ5IoEGlQaogYbj7i9E/98
+--- LoQPWI+m8s3NjalUh0+xdW54c8lgddBmhPoIiPbmR8I
+‘ê¢èÒ–ÆœÜ‰ ÈY
+ž9˜äÅ!4<>šÞ2DV³£P²·‘9¡N<C2A1>]G;ÎÏ?ˆÐ‰S± '
--- a/secrets/leet-nrab-lol-pass.age
+++ b/secrets/leet-nrab-lol-pass.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw qRlII1WyhanH2pNwSnl01iMlPWQ7tsyiNNOHPLNMflo
-ZMtYsPCDsgcbN1qoAYWTBQtfBWGHzi4WKbGtpJSzKRA
-> ssh-ed25519 GKhvwg Fck+71BDUxko70r43pDKCYaa5OKZipR4iNveNrJaiC0
-uZZhlsckmE+mi7Oq8+gtisDFmLEoy0Pm/9BKgRi9VHo
--- i/jgJHw3pEnMDGSjdK47mOkt87oI8szIHiIqimXVyXY
-ÚÖßµSÇÞ<Èñ<C388>S‘¨ýjË{B>A¼Ñ¶î°Â„å<>í<EFBFBD>ÏBzœ¸ÜwgÅÙá@"PY^£+E¥×['ÓÞú–ÌŽÕ‘,K©[ÈXÜ~XåÇg’{øÊ2æìí–c4
+-> ssh-ed25519 84j9mw 9ygN4fWQWX889zSTchiwqVwxTzHzl+3PSelEpeGx6yA
+v1GTvSMdbwC6U0QZtaD7/b5QbJ9j4J3F10eCUaT5COY
+-> ssh-ed25519 GKhvwg 9I2sycYPtBMPZenbWLueANm46TTPzbgCa//4oKojGEQ
+aEX3TQpWRAcrtJaiTMxB08L8OY/O/4JR+/zoNPl7Kxc
+--- 6EB80pdWxmL1yVM+klouel5E59m2C88Dz0SH2DiT6nE
+hkdJwÓ|g¾~ºvà^’Ëjq\<5C> 'ƒ™yöIícdW™YF?ÓNÍþâ/ä0ÄØý+h<>¶’…=œ85±#Š
²‘\bm£~ŽäÇú1æïy"úqÌAT<41>
--- a/secrets/legion-niko-pass.age
+++ b/secrets/legion-niko-pass.age
--- a/secrets/miyagi-niko-pass.age
+++ b/secrets/miyagi-niko-pass.age
@ -1,8 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 g2vRWw Pdv9mU1heeteeLbLFVUAIyZxmCWHNmhnw0TphSVMczg
-xks6yrF0BziJFp1QHSJdv5Svo1bCu9DF6s3wa2h0Xmg
-> ssh-ed25519 GKhvwg H2DeS0HP/vWKRrBszwCffNgIZo8nVymGSkWEH26Y/2k
-2y9DCIwpFsFXpgOwOrrD9+HpRzEuno1fW2upd2FLbZc
--- LNHsLxE4XBziNhnXmARcxB7UWhcKNvon1sDdX6mfZaw
-1Šdmÿ<6D>
-öf——ŽR´¸…,È[Û#[-ô;øMÓ}ävžêi4üx˜~=èÌ)ño¬º¡›N^Ènþê„"X<>§Bª}W583Ùæƒ<C3A6>fšvÞÀò:Î¥çôu†Z«µ<C2AB>åÉ¶
+-> ssh-ed25519 g2vRWw 8FCO/eYVK3KfOvdyk5Va3R9jXaSNzV+ArFVhJwJPDDk
+zRBpyAtdJxg4TSsgUep66Yv2CMUUAI8IF3pL5+MI/88
+-> ssh-ed25519 GKhvwg eMLyDK82QCKJrVjtfuy5DKTNFOc39zdJxJNFEXCO1Ac
+6AamgzEBeT1018cy7N5GcvgjypGPLqF+2P14h//jTtA
+--- jhq8ZEIoUjMq5PH7tktWMKQuCLMKifY/UfjjM1Qn7UE
+QÖ8cœV2ž
Æˆ<19>4Ü$h©+e…yÖ
+0ç#¬aJ`ng{@½Ç.sªIgÏžåc*®Q'è&•¶˜‡k,CuI±†ý´w†™É˜×Î
+rEÔNîÕ·@FŽP€I¸¸?ÐÑ’
--- a/secrets/nrab-lol-cf.age
+++ b/secrets/nrab-lol-cf.age
--- a/secrets/ntfy-alert-pass.age
+++ b/secrets/ntfy-alert-pass.age
--- a/secrets/ntfy-niko-pass.age
+++ b/secrets/ntfy-niko-pass.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw VodL+EHOjoXj8R/F0vMQzEcnnCFzzes0QByGCDCgVQw
-tZLaDA1FLFwbK0AGo8lpTJjMUnPhJh1czYVLIYjkcEc
-> ssh-ed25519 GKhvwg gHaR4I4l0I+/XrbjTMp/mevEzxPJXNLB1eHs33WKwGw
-GTAzrhyyDylZgExteDGpGbcS/TFX1q+NhF1FWHzNV0s
--- QS1dAgdS96KwIprDjzz6OD4qSIZs4/m9JEIsi3+kgPk
-¼ÐzêÐPCžSÖx€ªf	¹Â-èÕÂžÀiŒ¡cû7˜_¸2ÅŠ~¶ÛjA
+-> ssh-ed25519 84j9mw 5fEqoBEGZ6AZRfWuU6mej6XNl6hDrxMIMMlccp9CVzg
+QvontdV2/amh/i1Ldmzup8TB+lN4b0+YuoT+UFWiPw8
+-> ssh-ed25519 GKhvwg 5Qm1FPvbv0ZsJiJ0Rjm0CPm6eWKvfQ4XHAOmEUWWCiA
+eu1MXEWfo425lbnq5tAOnGqpLgRVIOCkZKegTQQjw/I
+--- s1g2UCKwlew0wCJSxGosBzn1K0TEbPlrIl09iZ58bMg
+PÕÌý®ü$<24>N{èLrÿxS:=W²x•Òc¤(Jµ£|ÁÏúõ»48ÙäS
--- a/secrets/rab-lol-cf.age
+++ b/secrets/rab-lol-cf.age
@ -1,9 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 ioPMHA ftS+6CMGsySkp/KbDBLPKeWNDK83bZ2VB8ZKMRijkkY
-U+2wopG3G2AvI4KUD9tZGIrHZSM3UdyDdYmbbkllWPo
-> ssh-ed25519 84j9mw xek41MX1ETVgRZa24I7n5U/XkJOqItQWK3Qz1FfkDCc
-40CWzCUmxsjgmiObbqKuSieifZ2vNo965jOeTrZ8hT8
-> ssh-ed25519 GKhvwg X2YSREIPjoaWaku9qrVu04hOlZjUF3LFEUZaIMgg02s
-jbjT6qoIFGXRv2wrkzf2GHx3tcku/tgWfK6Sns3uFVc
--- B/FIIz8dDg9YXbtDxfAQFZj9PCLHwI/mboBJQBuFmJg
-„ýÎãì4®L7Hç3F¼
À<0B>íÍ„"ºæfU(ëÁLÎ×Û~î‡%sb£ìùãæ¾Ô€~ZÂ}Z>2KO¨'Q\Á¿W[š„·ÏŒe…š¡1ö^IÖÂ‘
+-> ssh-ed25519 84j9mw qUAkkpjjETyLa0IZfbm8yJ2opDBBsngbrrNjwu02G0s
+kpEKDzWIfskgnZYR+0lgtCKqv0KwfpxRTq9crCsjvto
+-> ssh-ed25519 GKhvwg FKrEGsx5mPhWnq5vNgFgxM816v6ZAG16pmdukuBWDDU
+qmPRvA2bd0W3QlR6h8BLC/O+XjTp00vYXnp+tXakXDY
+--- 7FE7FzsRmCKPvjr3yOlot32FV0lod38Hec/JRaxP+8g
+xA°}~	<0B>˙H]…źTLŘ˛Ő¸l]µ¬0>Cź}J:·0nľ°°CšEćĹaăŕV´¤bĐ
"d—ŻV!ŘR˙Ávďş®zĺ9ójO
+
--- a/secrets/rabulinski-com-cf.age
+++ b/secrets/rabulinski-com-cf.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw d9KZV9S1hRXBvVcFe40S0NqWKlQ/AdRgAqdYXKicXR8
-SgTn9MXrft+sRr4I96fqQHzAdm0b21Bd0eSoYFfq7/4
-> ssh-ed25519 GKhvwg B9qTfegTwDH/X0nQMGvTKCsK2GyzJ7yWgFIo+nKhsGc
-Is4Hi8B2/9s0pz/quvNER2hTkabPbr7qeILL4PhQO1c
--- 1BhfbNEwYq0ra5slik651qbC8jffR2FmnDHV3FDtom0
-Œ-…oS‚Ô<E2809A>¢-?{¢r]5«°ó–â”;Ä+0Â
’GÏÁoE9tƒ”µHXjqâj2@3@¦üÞ ¶¼µº©÷m°mkúðyQâØ;_<>ŸW°ÑÏ¶Qœ~
+-> ssh-ed25519 84j9mw O57uksGzyC2Obzy7AYk86DnEFQNXt43g5CqM4Vp69jU
+1fW8YTn28ju1O3tX62A6AtvfzsmKzmhe79c3DmGUPrY
+-> ssh-ed25519 GKhvwg s3WZPik8t204g4BlxpHeSpnL4/IgM+JdekXJYx7EFVo
+N0Pyre1DwiLFo4HUE8SFDmNnkE4XJtcyHfn63cMlQJo
+--- WPllwfNX5iXFmVC0pGCNrH4T9EGRhmRwGayE3bY/YC0
+dp¿/Ý©„ÿ3+dvÕÛv&÷ËÒ²„µR
÷xdèþSyé©8Eª–øSÃûæÒÅešÞ}Nb#ø’¹6åw.w“E0Q¬·–‹%˜?ûÅ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -13,21 +13,18 @@ in
  # "bitwarden-env-file.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
  "hercules-token.age".publicKeys = [
    keys.system.kazuki
-    keys.system.legion
    keys.system.ude
    keys.system.kogata
    keys.other.bootstrap
  ];
  "hercules-cache.age".publicKeys = [
    keys.system.kazuki
-    keys.system.legion
    keys.system.ude
    keys.system.kogata
    keys.other.bootstrap
  ];
  "hercules-secrets.age".publicKeys = [
    keys.system.kazuki
-    keys.system.legion
    keys.system.ude
    keys.system.kogata
    keys.other.bootstrap
@ -35,10 +32,6 @@ in
  "alert-plain-pass.age".publicKeys = [
    keys.other.bootstrap
  ] ++ builtins.attrValues keys.system;
-  "legion-niko-pass.age".publicKeys = [
-    keys.system.legion
-    keys.other.bootstrap
-  ];
  "storage-box-creds.age".publicKeys = [
    keys.system.kazuki
    keys.other.bootstrap
@ -54,7 +47,6 @@ in
  "github-token.age".publicKeys = [
    keys.system.ude
    keys.system.kazuki
-    keys.system.legion
    keys.system.kogata
    keys.other.bootstrap
  ];
@ -72,7 +64,6 @@ in
    keys.other.bootstrap
  ];
  "rab-lol-cf.age".publicKeys = [
-    keys.system.legion
    keys.system.kazuki
    keys.other.bootstrap
  ];
@ -97,4 +88,12 @@ in
    keys.system.ude
    keys.other.bootstrap
  ];
+  "kanidm-admin-pass.age".publicKeys = [
+    keys.system.kazuki
+    keys.other.bootstrap
+  ];
+  "kanidm-idm-admin-pass.age".publicKeys = [
+    keys.system.kazuki
+    keys.other.bootstrap
+  ];
 }
--- a/secrets/storage-box-creds.age
+++ b/secrets/storage-box-creds.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw auP2WgwsaWjyocQkSzoYShO2kSLjn2UArvAVEhKgDiY
-4Uh423ZjS7/Xo6TxLJzWqXgHZAu0xouH0UvFZuJuEz4
-> ssh-ed25519 GKhvwg JHtyTS12OXspSKP9r/a61cfp+ubYbsAXFmEijMTex3Q
-wZYrJ8yIZ3v5cdBzpiI9ocaTpHbtmebEpbr59Bz3rhc
--- koWJ57H+ErMJDxW6JDNL2ImmZb6o9v2BJtaFi2OL+dc
-Ioð5q®&¢C<C2A2>³U*”†[T.Hª€ÉŠ×Êºkkp„Oç£Ys,Óg£49øËÅ‰$^l-Aú/—¶åë¦QÊX»ÆðÖø
+-> ssh-ed25519 84j9mw tKQQB/cd6JHCLQLrix2WGW5hHBUNC+pqDZXvTmOlOkw
+lnx4olU3W8dgMwigYga/NYcjJ/C59J/uVdYNOfWmN2I
+-> ssh-ed25519 GKhvwg iWTl/jvU1aBd78yAZUsOgcG6JaK+vO8Dpx61dYMjmhc
+2Iu6OHlLlhJLy/cxI/zSuqRhBnoeGLXINbDyMIvDZD8
+--- eOl0sze0EOvfcAarBav7mb4B3jdBvOE+fF166oukbrk
+!żlćxq*T,.–ÄX˝k6ě^ů<†!żX5ŘČŢŁž‡‰·ÇŐáĄńô,`ßěY‰^đŮ›Čů.¬đÔÜ°úďeWßěµâOúyÖ
--- a/secrets/storage-box-webdav.age
+++ b/secrets/storage-box-webdav.age
@ -1,7 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw 8RHYGSsbQG4F+mKMbXJu9aFv6xN3ZyxRBBhFJ3H8EFY
-sRQonxjyqPLnL3AbfugdmraHzVK7RE3LjhuzLirImGM
-> ssh-ed25519 GKhvwg aEEIBlvZ//KmEqkX1pkZrT7QK9sopwKKiD6YUa9lA3k
-srUtd+v0kDfbCsZ7OwPvzRVIualWm8CA4mhgdNAJm+A
--- yWhOlkbF9GUT7OsMu3R0/Dc+nP7DrUetuPLZJFySPpE
-ƒ7™î0P`öÍTåsT§±=ÃÄ*ä=sÁÌp>¿mt–Y{±ò‘·…-ö;M0ŸzÔCm}®¾ñßûŒ÷¾g“O»TÚGÏžjÇË‡<C38B>þàÁ½éÌN
+-> ssh-ed25519 84j9mw C3TpEZsxJIYJ3d5vsQkCcCTity80nLsyxm5zCBZOMzk
+56z54taf+KUJjDugfCGKlcbeRZfDzi3+eeanKPINS6E
+-> ssh-ed25519 GKhvwg uUXJkGw54Q7dCnYobwV1zihOPa4R1FydJZehlFc5MA4
+6Zbym9jLykqsYjmb6rKIa6GExAKVVvEkvCQrzl6HB/M
+--- QICnyH0PORBpoNgT3pjuhP1p8AHn9gD2OIae/9G23x8
+±(¯}¨{¬¤Ôœ2Ë“¿ò‚i]UmiLmÂvé>ke<7F>ã'6“AÀÌ¯¶XÔi<¯á:òùÓfÇU)á<>È~Ÿú&A¬Ë¡çj°–#à
+D·?_“E-éH
--- a/secrets/ude-deluge.age
+++ b/secrets/ude-deluge.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 IFuY+w EOJQpXxn+NL/BJjpdo8mIGfOYxcMElkVIiGx7KftrQ4
-OcglvGhSgb1mxH8M19ZMf3m6lSF0clzH7Mjikf7cilM
-> ssh-ed25519 GKhvwg cr+0J59wCjYBONBcDulN8lpvZiCvULHqnwDu+eKQRAo
-9q87PSfr4kq8lCDrw5Od3D1xJjSSmVv2/TXBWEBtBpU
--- FmVR9tb8wjYFb/FBTrblXMCUAMw5KQ7sX8WojcxCrbk
-ŃĚÇCÂ<\á}ŹJ<C5B9>Ą ¨„f”é|<7C>6G“Ś•@WXc-"©Ő÷Ď<C3B7>űîüîAGşŹ«Z‚' Ĺxé_ňÔ ˝z,@nÇ"3[Ä?
Lb@óŹďe
+-> ssh-ed25519 IFuY+w ZigoLhwVERGG/r7uYI3DKX7jijKt+4tsiTWpbIdUTXE
+k4jmQIJXr7yJOY3pkc1VnoqDgWkNr84k1AgYF7jNjRs
+-> ssh-ed25519 GKhvwg FMZOLDeE2Yw1Kd8V7NTL2oQtWo4IKDUoHu/Z8Su2hHI
+QF+L/Qf35wkOcgGWWRGANMJCG5Vz80epjQuwa4IdYQM
+--- ZUTRNDrgxdsZsNSP1Z3BLxw4EYexr873aJrbUvIgE2I
+‰yâùZÍªëú¶
M¹®ËXdè˜å¡¸*ô5ð‡øj"‹¥¿íí*ÃÖZU³åÑ„²|Ý•]¼ßa8	ð"Zœb<>][9S÷Uµù.
--- a/secrets/youko-niko-pass.age
+++ b/secrets/youko-niko-pass.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 rA7dkQ etmPKjKz102knTx/qQAihC9bFvRENB0Q1DtnaQyjfm4
-GPt9OCIwT+/Q/UUDtkHB8d7T6znHy1y1NEUeI+SCeMg
-> ssh-ed25519 GKhvwg qdCxGyXrdD+WQa/il8fIlV7OKdREqd40Qk0PKITHxlk
-OBJ9gg+KBHi2s1HYLazy3K+yh8tvnUvmuH+riWU7K8c
--- V3FRy0/TcUdUaBDUK+93r5rH26Is/KVuNJC+1vFMsOI
-ŠýØÀëÐw§±æÏôOÌ.âžŒañ«÷Ûä<01>A¨&<26>ößÞ<C39F>z³¹û	ä[oXµÄ‚u<E2809A>ÁßùÅþƒáÖÉ÷”,ášajxGÆœuÕ/šÆñæ–›eL‘²Ì›/6S[SU¾
+-> ssh-ed25519 rA7dkQ ucrMqUlwttyHHFkJ/c5tYpHohefNYe6aJnxHMUjkUxU
+RgsGaMLmtziGu/n6MiDJmkTZORTh2yYWoSS0eu9i6PA
+-> ssh-ed25519 GKhvwg u7Fjda07e17aJGV0ZFK/Mt2ZbF/3b38MLydE8WKs2gY
+gO2rNP64Nkhr5GShWP8zhxeT2YUKEkqN1Oc6/3l6PKU
+--- H9oqwkU/uI5fZAdy+qkCW5vw1PBaahe28FTUxhEFsds
+xSæmL6îï9ÊŽÐîG›Ž×3Ñ<áò4[ZÀ Œt»}å¶<OÓÃØdšÊcªYûé–}>XQ^]<5D>–ŠñKiƒ|B¶ÌwDmÓq×HïX©]FñeÄRt%¥`Ò¤0†»IVÂ×
--- a/secrets/zitadel-master.age
+++ b/secrets/zitadel-master.age
--- a/services/default.nix
+++ b/services/default.nix
@ -2,5 +2,7 @@
  imports = [
    ./attic.nix
    ./forgejo-runner.nix
+    ./kanidm.nix
+    ./forgejo.nix
  ];
 }
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -0,0 +1,89 @@
+{
+  services.forgejo = {
+    host = "kazuki";
+    ports = [ 3000 ];
+    config =
+      { config, pkgs, ... }:
+      {
+        age.secrets.rab-lol-cf = {
+          file = ../secrets/rab-lol-cf.age;
+          owner = config.services.nginx.user;
+        };
+
+        services.forgejo = {
+          enable = true;
+          package = pkgs.forgejo;
+          settings = {
+            server = {
+              DOMAIN = "git.rab.lol";
+              ROOT_URL = "https://git.rab.lol/";
+            };
+            security = {
+              DISABLE_GIT_HOOKS = false;
+            };
+            oauth2_client = {
+              REGISTER_EMAIL_CONFIRM = false;
+              ENABLE_AUTO_REGISTRATION = true;
+              ACCOUNT_LINKING = "auto";
+              UPDATE_AVATAR = true;
+            };
+            service = {
+              DISABLE_REGISTRATION = false;
+              ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+              ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+            };
+            session = {
+              SESSION_LIFE_TIME = 86400 * 30;
+            };
+            federation.ENABLED = true;
+          };
+          repositoryRoot = "/forgejo/repos";
+          lfs = {
+            enable = true;
+            contentDir = "/forgejo/lfs";
+          };
+        };
+
+        systemd.tmpfiles.rules =
+          let
+            cfg = config.services.forgejo;
+            imgDir = pkgs.runCommand "forgejo-img-dir" { } ''
+              cp -R ${../assets/forgejo} "$out"
+            '';
+          in
+          [
+            "d '${cfg.customDir}/public' 0750 ${cfg.user} ${cfg.group} - -"
+            "d '${cfg.customDir}/public/assets' 0750 ${cfg.user} ${cfg.group} - -"
+            "L+ '${cfg.customDir}/public/assets/img' - - - - ${imgDir}"
+          ];
+
+        services.nginx = {
+          enable = true;
+          recommendedProxySettings = true;
+          recommendedGzipSettings = true;
+          recommendedOptimisation = true;
+          recommendedTlsSettings = true;
+          virtualHosts."git.rab.lol" = {
+            forceSSL = true;
+            enableACME = true;
+            acmeRoot = null;
+            locations."/" = {
+              proxyPass = "http://127.0.0.1:3000";
+              extraConfig = ''
+                proxy_set_header Connection $http_connection;
+                proxy_set_header Upgrade $http_upgrade;
+              '';
+            };
+          };
+        };
+
+        users.users.nginx.extraGroups = [ "acme" ];
+        security.acme.acceptTerms = true;
+        security.acme.certs."git.rab.lol" = {
+          dnsProvider = "cloudflare";
+          credentialsFile = config.age.secrets.rab-lol-cf.path;
+          email = "nikodem@rabulinski.com";
+        };
+      };
+  };
+}
--- a/services/kanidm.nix
+++ b/services/kanidm.nix
@ -0,0 +1,85 @@
+{
+  services.kanidm =
+    let
+      port = 8443;
+      domain = "auth.rabulinski.com";
+    in
+    {
+      host = "kazuki";
+      ports = [ port ];
+      config =
+        { config, pkgs, ... }:
+        let
+          cert = config.security.acme.certs.${domain};
+        in
+        {
+          age.secrets.rabulinski-com-cf = {
+            file = ../secrets/rabulinski-com-cf.age;
+            owner = config.services.nginx.user;
+          };
+          age.secrets.kanidm-admin-pass = {
+            file = ../secrets/kanidm-admin-pass.age;
+            owner = "kanidm";
+          };
+          age.secrets.kanidm-idm-admin-pass = {
+            file = ../secrets/kanidm-idm-admin-pass.age;
+            owner = "kanidm";
+          };
+
+          services.kanidm = {
+            enableServer = true;
+            package = pkgs.kanidmWithSecretProvisioning;
+            serverSettings = {
+              bindaddress = "127.0.0.1:${toString port}";
+              inherit domain;
+              origin = "https://${domain}";
+              trust_x_forward_for = true;
+              tls_chain = "${cert.directory}/fullchain.pem";
+              tls_key = "${cert.directory}/key.pem";
+            };
+            provision = {
+              enable = true;
+              idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-pass.path;
+              adminPasswordFile = config.age.secrets.kanidm-admin-pass.path;
+            };
+          };
+
+          systemd.services.kanidm.serviceConfig = {
+            SupplementaryGroups = [ cert.group ];
+          };
+
+          users.users.nginx.extraGroups = [ "acme" ];
+          networking.firewall.allowedTCPPorts = [
+            80
+            443
+          ];
+
+          services.nginx = {
+            enable = true;
+            recommendedProxySettings = true;
+            recommendedGzipSettings = true;
+            recommendedOptimisation = true;
+            recommendedTlsSettings = true;
+            virtualHosts."auth.rabulinski.com" = {
+              forceSSL = true;
+              enableACME = true;
+              acmeRoot = null;
+              locations."/" = {
+                proxyPass = "https://localhost:${toString port}";
+                proxyWebsockets = true;
+                extraConfig = ''
+                  proxy_ssl_verify off;
+                  proxy_ssl_name ${domain};
+                '';
+              };
+            };
+          };
+
+          security.acme.certs.${domain} = {
+            dnsProvider = "cloudflare";
+            credentialsFile = config.age.secrets.rabulinski-com-cf.path;
+            reloadServices = [ "kanidm" ];
+          };
+        };
+    };
+}
Author	SHA1	Message	Date
Nikodem Rabuliński	4297436691	services/forgejo: move data from storage-box to local volume All checks were successful / check (pull_request) Successful in 40s Details	2025-04-13 17:15:51 +02:00
Daste	c78ddc7f9d	services/forgejo: increase session lifetime to 30 days	2025-04-13 17:15:44 +02:00
Nikodem Rabuliński	c181ac4633	services/forgejo: enable git hooks	2025-04-13 16:40:24 +02:00
Nikodem Rabuliński	a71d6598e9	services/forgejo: use latest instead of lts	2025-04-13 16:40:24 +02:00
Nikodem Rabuliński	106d1d1341	services/forgejo: forgejo but make it COOL	2025-04-13 16:40:24 +02:00
Nikodem Rabuliński	6d3115f981	modules/system/containers: enable nat for container interfaces	2025-04-13 16:40:24 +02:00
Nikodem Rabuliński	653a847af2	services/forgejo: move from hosts/kazuki	2025-04-13 16:40:24 +02:00
Nikodem Rabuliński	ea9c4b1d9b	services/kanidm: init	2025-04-13 16:40:23 +02:00
Nikodem Rabuliński	678005a0ee	hosts: remove legion All checks were successful / check (pull_request) Successful in 1m23s Details / check (push) Successful in 44s Details it's been a good ride, but it's time to say goodbye	2025-03-22 23:22:42 +01:00
Nikodem Rabuliński	a6b046e28b	readme: mention youko	2025-03-22 23:17:02 +01:00
				`@ -0,0 +1 @@`
				<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round" viewBox="0 0 380 380" width="32" height="32"><path d="M149.575 234.069q-1.811-19.766-14.887-37.117l-3.95-2.915q11.298-2.199 20.018-8.145l2.017 2.236q9.436.497 18.673-2.59c-1.959-4.581-5.162-9.942-9.113-15.187 6.358-5.113 10.839-9.91 12.947-15.288q-10.332-.871-17.08.648l4.084-3.329c9.155-4.309 12.227-16.306 12.515-36.033.26-17.767-1.208-32.111-7.701-43.184q-34.73 24.961-35.481 42.674-13.548-18.255-35.253-18.564c.448 5.884 2.21 12.099 5.565 17.243-2.604.285-4.894 1.216-7.859 2.411-12.156-13.612-23.673-29.376-34.414-47.008-8.039 23.269-11.333 40.023-11.455 50.284-.185 15.523 2.061 27.432 8.313 35.773l3.091 3.727-16.713-1.928c2.54 8.707 7.805 10.601 12.388 14.2-3.162 5.672-6.712 11.419-5.2 16.186 4.853 1.053 10.244.317 15.543-.116q12.885 6.631 30.679 9.057c-3.911.199-8.614.271-18.699-1.928q1.927 7.567 10.869 12.33-5.961 4.674-7.947 10.518 5.58-.468 10.226-1.169-3.624 8.152-4.909 17.239" style="fill:#fff;fill-rule:nonzero" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M85.842 234.094q1.285-9.087 4.909-17.239-4.646.701-10.226 1.169 1.986-5.844 7.947-10.518-8.942-4.763-10.869-12.33c10.085 2.199 14.788 2.127 18.699 1.928q-17.793-2.425-30.679-9.058c-5.299.434-10.69 1.17-15.543.117-1.512-4.767 2.038-10.514 5.2-16.186-4.583-3.6-9.848-5.493-12.388-14.2l16.713 1.928M56.514 155.978c-6.252-8.341-8.498-20.25-8.313-35.773.122-10.261 3.416-27.015 11.455-50.284q16.112 26.448 34.068 46.565" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M108.929 122.454q-13.353 2.18-23.373.049c8.248-6.371 12.822-8.004 18.865-8.135" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M102.706 115.642c-3.863-5.34-5.86-12.045-6.342-18.367q21.705.31 35.253 18.563.751-17.712 35.481-42.673c6.493 11.073 7.961 25.417 7.701 43.184-.288 19.727-3.36 31.724-12.515 36.033M158.2 155.711q6.748-1.52 17.08-.648c-2.108 5.378-6.589 10.175-12.947 15.288 3.951 5.245 7.154 10.606 9.113 15.187q-9.237 3.087-18.673 2.59M130.738 194.037q11.298-2.199 20.018-8.145M149.575 234.069q-1.811-19.766-14.887-37.117M65.551 146.77l29.868-1.53M70.019 170.273q-4.531-9.216 1.71-23.819" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M82.462 145.904c-1.913 14.213.121 23.042 6.417 23.03 6.855-.014 8.935-9.064 6.54-23.694" style="fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M122.796 145.382q13.86-3.124 28.791-1.607" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M143.816 143.298c5.18 5.875 5.983 14.532 4.825 24.09" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M122.796 145.382c-1.413 14.984.295 21.028 5.401 21.024 11.093-.008 5.742-13.933 6.606-22.844" style="fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M100.913 170.171a31 31 0 0 1 7.467-.581M94.877 182.466c3.607 2.981 6.483 2.176 12.251-2.727 6.426 1.759 13.671 4.519 16.185-1.431" style="fill:none;fill-rule:nonzero;stroke:#000;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/><path d="M60.711 175.474q2.568-2.85 6.354-2.742c-.29 2.933-.746 3.681-1.211 5.237-.775 2.588 6.18-1.728 9.088-3.278M140.128 175.257l4.115-3.759c.165 2.013-.146 5.293.486 6.06 2.44-.927 4.167-3.564 6.223-5.412" style="fill:none;fill-rule:nonzero;stroke:#c41818;stroke-width:1.59px" transform="translate(-96.92 -181.242)scale(2.62918)"/></svg>