modules/system/containers: enable nat for container interfaces

services/forgejo: move from hosts/kazuki
services/kanidm: init
2025-03-21 23:56:53 +01:00 · 2025-03-21 23:56:53 +01:00 · 2025-03-21 23:56:51 +01:00 · 2025-03-21 23:31:18 +01:00 · 2025-03-21 22:42:05 +01:00 · 2025-03-20 22:54:40 +01:00
39 changed files with 690 additions and 155 deletions
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@ -0,0 +1,11 @@
+on:
+  push:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  check:
+    runs-on: native
+    steps:
+      - uses: actions/checkout@v4
+      - run: nix flake check --all-systems
--- a/assets/ssh.nix
+++ b/assets/ssh.nix
@ -15,6 +15,7 @@
    kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGK7H4Z29d72HJlI69Vt0YLOyuPcn9XxYjvMZfql80z0 nikodem@rabulinski.com";
    hijiri = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXVPUBYAMn9H3efG/ldWl/ySmZV0CXleyH7E5nKf/N7 nikodem@rabulinski.com";
    tsukasa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPKXcihNVgsStMstnZYvh+Ai+JsydX3vu4O0yhlN+zw niko@tsukasa";
+    youko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAGBazVVFr1+beFxpC701IPz4JwdPIyFJybVVZ9kTkr niko@youko";
  };

  system = {
@ -25,5 +26,6 @@
    kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPN/SXBcIB1WN8GIhYrQrqzFGuVkEP4o0E+x0uQ4f2l";
    hijiri = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsTkICNuUwGqrToisTViFCBoql39+DFYVZSWj7vfbXK";
    tsukasa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKy32XGCkB0KOUm4f0ybrutfAzR7+baifM2yv5KuYV7 root@tsukasa";
+    youko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSbIjEo28aB2TACkvLY+VRKElZEdH9qFlTTfxCrblGZ root@youko";
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -47,11 +47,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1738514772,
-        "narHash": "sha256-ng38xM+7MfmoWYcQj6/Ejgt732nbFIDx14QvWVpG0d4=",
+        "lastModified": 1742497754,
+        "narHash": "sha256-fCM/cnenyg+HQ3Ek7uXu04UX/aXrHBD6BW93/rYWZHE=",
        "ref": "refs/heads/main",
-        "rev": "b691dd3a7746afd73e944db98c0b000c1424cd5e",
-        "revCount": 362,
+        "rev": "af9d18efe24894a63c39d37bc0d2ddbea413aaa8",
+        "revCount": 366,
        "type": "git",
        "url": "https://git.lix.systems/nrabulinski/attic.git"
      },
@ -79,11 +79,11 @@
    "conduit-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1730678249,
-        "narHash": "sha256-Xn1BnCbwbRFhqcFJ4GvSmB+H509fiHFhTJcpi4G+2oo=",
+        "lastModified": 1742005420,
+        "narHash": "sha256-v4LCx7VUZ+8Hy1+6ziREVY/QEADjZbo8c0h9eU7nMVY=",
        "owner": "famedly",
        "repo": "conduit",
-        "rev": "e952522a39883e4431e74c42cef3d9bc562752f8",
+        "rev": "063d13a0e10619f17bc21f0dd291c5a733581394",
        "type": "gitlab"
      },
      "original": {
@ -95,11 +95,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1737689766,
-        "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=",
+        "lastModified": 1742394900,
+        "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527",
+        "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd",
        "type": "github"
      },
      "original": {
@ -115,15 +115,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1738277753,
-        "narHash": "sha256-iyFcCOk0mmDiv4ut9mBEuMxMZIym3++0qN1rQBg8FW0=",
+        "lastModified": 1742382197,
+        "narHash": "sha256-5OtFbbdKAkWDVuzjs1J9KwdFuDxsEvz0FZX3xR2jEUM=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "49b807fa7c37568d7fbe2aeaafb9255c185412f9",
+        "rev": "643b57fd32135769f809913663130a95fe6db49e",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
+        "ref": "refs/pull/1335/merge",
        "repo": "nix-darwin",
        "type": "github"
      }
@ -135,11 +136,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738148035,
-        "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=",
+        "lastModified": 1741786315,
+        "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
+        "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
        "type": "github"
      },
      "original": {
@ -156,11 +157,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1738564312,
-        "narHash": "sha256-awAp1Qe+c95PQxP7v+Zfse+w3URaP3UQLCRlaPMzYtE=",
+        "lastModified": 1742452566,
+        "narHash": "sha256-sVuLDQ2UIWfXUBbctzrZrXM2X05YjX08K7XHMztt36E=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "d99d2a562b9c9d5f0e4399e5bb677b37a791c7eb",
+        "rev": "7d9ba794daf5e8cc7ee728859bc688d8e26d5f06",
        "type": "github"
      },
      "original": {
@ -176,11 +177,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738544198,
-        "narHash": "sha256-bdGeUx6SBs37wQ6gHo5m+apn5Uze2fVz/oYfkD6DKUA=",
+        "lastModified": 1742432361,
+        "narHash": "sha256-FlqTrkzSn6oPR5iJTPsCQDd0ioMGzzxnPB+2wve9W2w=",
        "owner": "bandithedoge",
        "repo": "nixpkgs-firefox-darwin",
-        "rev": "6a14fbdbc697c7f1c93376ecbed4b095ccc55f00",
+        "rev": "c868ff433ea5123e837a62ae689543045187d7a4",
        "type": "github"
      },
      "original": {
@ -245,11 +246,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738453229,
-        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+        "lastModified": 1741352980,
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
        "type": "github"
      },
      "original": {
@ -265,11 +266,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738453229,
-        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+        "lastModified": 1741352980,
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
        "type": "github"
      },
      "original": {
@ -386,9 +387,6 @@
    },
    "helix": {
      "inputs": {
-        "crane": [
-          "crane"
-        ],
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
@ -396,11 +394,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1738547365,
-        "narHash": "sha256-4GrVwyIZKx14eVG8TZMKmgyw8v3TuETPrLvYkFNqlyc=",
+        "lastModified": 1742479163,
+        "narHash": "sha256-YC0zdGyZMu7seA2Jm1mxtcxE4lSeVwvCPMfWzJ8+o/c=",
        "owner": "helix-editor",
        "repo": "helix",
-        "rev": "066e938ba083c0259ff411b681eca7bad30980df",
+        "rev": "b7d735ffe66a03ab5970e5f860923aada50d4e4c",
        "type": "github"
      },
      "original": {
@ -416,11 +414,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738448366,
-        "narHash": "sha256-4ATtQqBlgsGqkHTemta0ydY6f7JBRXz4Hf574NHQpkg=",
+        "lastModified": 1742501496,
+        "narHash": "sha256-LYwyZmhckDKK7i4avmbcs1pBROpOaHi98lbjX1fmVpU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "18fa9f323d8adbb0b7b8b98a8488db308210ed93",
+        "rev": "d725df5ad8cee60e61ee6fe3afb735e4fbc1ff41",
        "type": "github"
      },
      "original": {
@ -432,11 +430,11 @@
    "lix": {
      "flake": false,
      "locked": {
-        "lastModified": 1738446528,
-        "narHash": "sha256-NYL/r7EXSyYP7nXuYGvGYMI9QtztGjVaKKofBt/pCv8=",
+        "lastModified": 1742411066,
+        "narHash": "sha256-8vXOKPQFRzTjapsRnTJ1nuFjUfC+AGI2ybdK5cAEHZ8=",
        "ref": "refs/heads/main",
-        "rev": "a51380645f61b33d37a536b596d16c481f7b84a6",
-        "revCount": 17342,
+        "rev": "2491b7cc2128ee440d24768c4521c38b1859fc28",
+        "revCount": 17705,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix.git"
      },
@ -457,11 +455,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738176840,
-        "narHash": "sha256-NG3IRvRs3u3btVCN861FqHvgOwqcNT/Oy6PBG86F5/E=",
+        "lastModified": 1741894565,
+        "narHash": "sha256-2FD0NDJbEjUHloVrtEIms5miJsj1tvQCc/0YK5ambyc=",
        "ref": "refs/heads/main",
-        "rev": "621aae0f3cceaffa6d73a4fb0f89c08d338d729e",
-        "revCount": 133,
+        "rev": "a6da43f8193d9e329bba1795c42590c27966082e",
+        "revCount": 136,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      },
@ -480,11 +478,11 @@
        "nixpkgs-24_11": "nixpkgs-24_11"
      },
      "locked": {
-        "lastModified": 1737736848,
-        "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=",
+        "lastModified": 1742413977,
+        "narHash": "sha256-NkhM9GVu3HL+MiXtGD0TjuPCQ4GFVJPBZ8KyI2cFDGU=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261",
+        "rev": "b4fbffe79c00f19be94b86b4144ff67541613659",
        "type": "gitlab"
      },
      "original": {
@ -609,11 +607,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1738452225,
-        "narHash": "sha256-Qmwx3FXM0x0pdjibwTk/uRbayqDrs3EwmRJe7tQWu48=",
+        "lastModified": 1742395137,
+        "narHash": "sha256-WWNNjCSzQCtATpCFEijm81NNG1xqlLMVbIzXAiZysbs=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "6c4e0724e0a785a20679b1bca3a46bfce60f05b6",
+        "rev": "2a725d40de138714db4872dc7405d86457aa17ad",
        "type": "github"
      },
      "original": {
@ -632,11 +630,11 @@
        "nvidia-patch-src": "nvidia-patch-src"
      },
      "locked": {
-        "lastModified": 1736930913,
-        "narHash": "sha256-f7v5s924/CiDCW7j/SEvefwm6Jb07zQWYShJ+FIYS0A=",
+        "lastModified": 1742460640,
+        "narHash": "sha256-Qks0TRMOiuVKjcSPkg251Q2/wdU5ooMt4b2f2numPzg=",
        "owner": "arcnmx",
        "repo": "nvidia-patch.nix",
-        "rev": "6ca6f8dd2139b9c01049de29979c1c0db157a647",
+        "rev": "c85990250376300fe11413e22458911f408f64d0",
        "type": "github"
      },
      "original": {
@ -648,11 +646,11 @@
    "nvidia-patch-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1736882949,
-        "narHash": "sha256-s1qtdm0UGd4uImNts42W5hT6W1nOVz8eTyBF37QlUfc=",
+        "lastModified": 1742384429,
+        "narHash": "sha256-5O0TXVrLsFrULXli2vB2iJ7TECUckMHKvJZYmdkcnGE=",
        "owner": "keylase",
        "repo": "nvidia-patch",
-        "rev": "0837f46dfe25b6e750abc7e601032bdd12c70be0",
+        "rev": "07080317245ac30c38001d2149810b2dee3cce1f",
        "type": "github"
      },
      "original": {
@ -710,11 +708,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1738488035,
-        "narHash": "sha256-sLLW0S7OGlFYgNvAQnqWK1Ws5V1YNGvfXHdWoZ91CeI=",
+        "lastModified": 1742296961,
+        "narHash": "sha256-gCpvEQOrugHWLimD1wTFOJHagnSEP6VYBDspq96Idu0=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "f3998f7f8a197596c5edf72e937996e6674b423b",
+        "rev": "15d87419f1a123d8f888d608129c3ce3ff8f13d4",
        "type": "github"
      },
      "original": {
@ -732,11 +730,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737599167,
-        "narHash": "sha256-S2rHCrQWCDVp63XxL/AQbGr1g5M8Zx14C7Jooa4oM8o=",
+        "lastModified": 1740623427,
+        "narHash": "sha256-3SdPQrZoa4odlScFDUHd4CUPQ/R1gtH4Mq9u8CBiK8M=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "38374302ae9edf819eac666d1f276d62c712dd06",
+        "rev": "d342e8b5fd88421ff982f383c853f0fc78a847ab",
        "type": "github"
      },
      "original": {
@ -753,11 +751,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737166965,
-        "narHash": "sha256-vlDROBAgq+7PEVM0vaS2zboY6DXs3oKK0qW/1dVuFs4=",
+        "lastModified": 1739240901,
+        "narHash": "sha256-YDtl/9w71m5WcZvbEroYoWrjECDhzJZLZ8E68S3BYok=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "fc839c9d5d1ebc789b4657c43c4d54838c7c01de",
+        "rev": "03473e2af8a4b490f4d2cdb2e4d3b75f82c8197c",
        "type": "github"
      },
      "original": {
@ -851,11 +849,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738070913,
-        "narHash": "sha256-j6jC12vCFsTGDmY2u1H12lMr62fnclNjuCtAdF1a4Nk=",
+        "lastModified": 1742370146,
+        "narHash": "sha256-XRE8hL4vKIQyVMDXykFh4ceo3KSpuJF3ts8GKwh5bIU=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "bebf27d00f7d10ba75332a0541ac43676985dea3",
+        "rev": "adc195eef5da3606891cedf80c0d9ce2d3190808",
        "type": "github"
      },
      "original": {
@ -923,11 +921,11 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1738084440,
-        "narHash": "sha256-sARyUquyuNapFbICL/PJEhcDgBzpxTcHUNw8R/xL1iA=",
+        "lastModified": 1741803511,
+        "narHash": "sha256-DcCGBWvAvt+OWI+EcPRO+/IXZHkFgPxZUmxf2VLl8no=",
        "owner": "dj95",
        "repo": "zjstatus",
-        "rev": "096dc72a909fd0fb34768a98354aad6207002671",
+        "rev": "df9c77718f7023de8406e593eda6b5b0bc09cddd",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -86,7 +86,9 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    darwin = {
-      url = "github:lnl7/nix-darwin";
+      # TODO: Move back once https://github.com/LnL7/nix-darwin/issues/1392 is resolved
+      # url = "github:lnl7/nix-darwin";
+      url = "github:lnl7/nix-darwin?ref=refs/pull/1335/merge";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix = {
@ -147,7 +149,6 @@
    helix = {
      url = "github:helix-editor/helix";
      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.crane.follows = "crane";
    };
    zjstatus = {
      url = "github:dj95/zjstatus";
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -14,6 +14,7 @@
    # ./installer
    ./ude
    ./kogata
+    ./youko
  ];

  builders =
--- a/hosts/youko/default.nix
+++ b/hosts/youko/default.nix
@ -0,0 +1,48 @@
+{
+  configurations.nixos.youko =
+    {
+      config,
+      lib,
+      username,
+      ...
+    }:
+    {
+      imports = [
+        ./disks.nix
+        ./hardware.nix
+        ./sway.nix
+        ./msmtp.nix
+        ./nas.nix
+      ];
+
+      nixpkgs.hostPlatform = "x86_64-linux";
+
+      boot = {
+        loader.systemd-boot.enable = true;
+        loader.efi.canTouchEfiVariables = true;
+      };
+
+      networking.networkmanager.enable = true;
+
+      age.secrets.niko-pass.file = ../../secrets/youko-niko-pass.age;
+      users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path;
+
+      settei.user.config = {
+        settei.desktop.enable = true;
+      };
+
+      services.udisks2.enable = true;
+      settei.incus.enable = true;
+      virtualisation.podman.enable = true;
+      hardware.keyboard.qmk.enable = true;
+
+      settei.unfree.allowedPackages = [ "vmware-workstation" ];
+      virtualisation.vmware.host.enable = true;
+      environment.etc."vmware/config" = lib.mkForce {
+        source = "${config.virtualisation.vmware.host.package}/etc/vmware/config";
+        text = null;
+      };
+
+      networking.hostId = "b49ee8de";
+    };
+}
--- a/hosts/youko/disks.nix
+++ b/hosts/youko/disks.nix
@ -0,0 +1,58 @@
+{
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/nvme0n1";
+    content = {
+      type = "gpt";
+      partitions = {
+        esp = {
+          size = "512M";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+            mountOptions = [ "umask=0077" ];
+          };
+        };
+        luks = {
+          size = "100%";
+          content = {
+            type = "luks";
+            name = "crypted";
+            settings.allowDiscards = true;
+            content = {
+              type = "btrfs";
+              extraArgs = [ "-f" ];
+              subvolumes =
+                let
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                  ];
+                in
+                {
+                  "/root" = {
+                    inherit mountOptions;
+                    mountpoint = "/";
+                  };
+                  "/home" = {
+                    inherit mountOptions;
+                    mountpoint = "/home";
+                  };
+                  "/nix" = {
+                    inherit mountOptions;
+                    mountpoint = "/nix";
+                  };
+                  "/swap" = {
+                    mountpoint = "/.swapvol";
+                    swap.swapfile.size = "16G";
+                  };
+                };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/youko/hardware.nix
+++ b/hosts/youko/hardware.nix
@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  boot = {
+    extraModulePackages = with config.boot.kernelPackages; [ it87 ];
+    initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "ahci"
+      "usb_storage"
+      "usbhid"
+      "sd_mod"
+    ];
+    kernelModules = [
+      "kvm-amd"
+      "i2c-dev"
+      "it87"
+    ];
+    extraModprobeConfig = ''
+      options it87 ignore_resource_conflict=1
+    '';
+  };
+
+  services.smartd.enable = true;
+  hardware.cpu.amd.updateMicrocode = true;
+}
--- a/hosts/youko/msmtp.nix
+++ b/hosts/youko/msmtp.nix
@ -0,0 +1,36 @@
+# TODO: Potentially make this a common module?
+{
+  pkgs,
+  config,
+  username,
+  ...
+}:
+let
+  mail = "alert@nrab.lol";
+  aliases = pkgs.writeText "mail-aliases" ''
+    ${username}: nikodem@rabulinski.com
+    root: ${mail}
+  '';
+in
+{
+  age.secrets.alert-plaintext.file = ../../secrets/alert-plain-pass.age;
+
+  programs.msmtp = {
+    enable = true;
+    setSendmail = true;
+    defaults = {
+      inherit aliases;
+      tls = "on";
+      auth = "login";
+      tls_starttls = "off";
+    };
+    accounts = {
+      default = {
+        host = "mail.nrab.lol";
+        passwordeval = "cat ${config.age.secrets.alert-plaintext.path}";
+        user = mail;
+        from = mail;
+      };
+    };
+  };
+}
--- a/hosts/youko/nas.nix
+++ b/hosts/youko/nas.nix
@ -0,0 +1,122 @@
+{
+  username,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  boot = {
+    supportedFilesystems = [ "zfs" ];
+    zfs.extraPools = [ "yottapool" ];
+  };
+
+  services.zfs = {
+    autoScrub.enable = true;
+    zed.settings = {
+      ZED_DEBUG_LOG = "/tmp/zed.debug.log";
+      ZED_EMAIL_ADDR = [ username ];
+      ZED_EMAIL_PROG = lib.getExe pkgs.msmtp;
+      ZED_EMAIL_OPTS = "@ADDRESS@";
+
+      ZED_NOTIFY_INTERVAL_SECS = 3600;
+      ZED_NOTIFY_VERBOSE = true;
+
+      ZED_USE_ENCLOSURE_LEDS = true;
+      ZED_SCRUB_AFTER_RESILVER = true;
+    };
+  };
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  # TODO: Clean up. Potentially make it a separate module
+  services.avahi = {
+    publish.enable = true;
+    publish.userServices = true;
+    nssmdns4 = true;
+    enable = true;
+    openFirewall = true;
+    extraServiceFiles = {
+      timemachine = ''
+        <?xml version="1.0" standalone='no'?>
+        <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+        <service-group>
+          <name replace-wildcards="yes">%h</name>
+          <service>
+            <type>_smb._tcp</type>
+            <port>445</port>
+          </service>
+            <service>
+            <type>_device-info._tcp</type>
+            <port>0</port>
+            <txt-record>model=TimeCapsule8,119</txt-record>
+          </service>
+          <service>
+            <type>_adisk._tcp</type>
+            <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>
+            <txt-record>sys=waMa=0,adVF=0x100</txt-record>
+          </service>
+        </service-group>
+      '';
+    };
+  };
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "hosts allow" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+        "getwd cache" = "true";
+        "strict sync" = "no";
+        "use sendfile" = "true";
+      };
+      "tm_share" = {
+        "path" = "/media/data/tm_share";
+        "valid users" = "niko";
+        "public" = "no";
+        "writeable" = "yes";
+        "force user" = "niko";
+        "fruit:aapl" = "yes";
+        "fruit:time machine" = "yes";
+        "vfs objects" = "catia fruit streams_xattr";
+      };
+    };
+  };
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+  services.radarr.enable = true;
+  # TODO: Remove once https://github.com/Sonarr/Sonarr/pull/7443 is merged
+  nixpkgs.config.permittedInsecurePackages = [
+    "dotnet-sdk-6.0.428"
+    "aspnetcore-runtime-6.0.36"
+  ];
+  services.sonarr.enable = true;
+  services.prowlarr.enable = true;
+  services.jellyseerr.enable = true;
+  services.deluge = {
+    enable = true;
+    web.enable = true;
+    config.download_location = "/media/deluge";
+  };
+
+  users = {
+    users = {
+      jellyfin.extraGroups = [
+        "radarr"
+        "sonarr"
+      ];
+      radarr.extraGroups = [ "deluge" ];
+      sonarr.extraGroups = [ "deluge" ];
+      ${username}.extraGroups = [ "deluge" ];
+    };
+  };
+}
--- a/hosts/youko/sway.nix
+++ b/hosts/youko/sway.nix
@ -0,0 +1,137 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  services.greetd = {
+    enable = true;
+    vt = 2;
+    settings.default_session =
+      let
+        swayWrapper = pkgs.writeShellScript "sway-wrapper" ''
+          export XCURSOR_THEME=volantes_cursors
+          exec ${lib.getExe config.programs.sway.package}
+        '';
+      in
+      {
+        command = "${lib.getExe pkgs.greetd.tuigreet} --time --cmd ${swayWrapper}";
+        user = "niko";
+      };
+  };
+
+  programs.sway = {
+    enable = true;
+    wrapperFeatures.base = true;
+    wrapperFeatures.gtk = true;
+  };
+
+  security.pam.services.swaylock = { };
+  xdg.portal.config.common.default = "*";
+
+  settei.user.config =
+    { config, ... }:
+    {
+      home.pointerCursor = {
+        name = "volantes_cursors";
+        package = pkgs.volantes-cursors;
+      };
+
+      home.packages = with pkgs; [
+        (writeShellApplication {
+          name = "lock";
+          text = ''
+            swaymsg output '*' power off
+            swaylock -c 000000
+            swaymsg output '*' power on
+          '';
+        })
+        (writeShellApplication {
+          name = "screenshot";
+          runtimeInputs = [
+            slurp
+            grim
+            wl-clipboard
+          ];
+          text = ''
+            grim -g "$(slurp)" - | \
+              wl-copy -t image/png
+          '';
+        })
+        # Bitwarden stuff, move to separate module or properly package?
+        # Maybe use some other input method?
+        (rofi-rbw.override { waylandSupport = true; })
+        rbw
+        pinentry-rofi
+      ];
+
+      wayland.windowManager.sway =
+        let
+          mod = config.wayland.windowManager.sway.config.modifier;
+        in
+        {
+          enable = true;
+          package = null;
+          config.workspaceAutoBackAndForth = true;
+          config.terminal = "wezterm";
+          config.modifier = "Mod4";
+          config.fonts.names = [ "IosevkaTerm Nerd Font" ];
+          config.keybindings = lib.mkOptionDefault {
+            "${mod}+b" = "exec rofi-rbw --selector rofi";
+            "${mod}+d" = "exec rofi -show drun";
+            "${mod}+Shift+s" = "exec screenshot";
+          };
+          config.keycodebindings = {
+            "${mod}+Shift+60" = "exec lock";
+          };
+          config.window.commands =
+            let
+              alwaysFloating = [
+                { window_role = "pop-up"; }
+                { window_role = "bubble"; }
+                { window_role = "dialog"; }
+                { window_type = "dialog"; }
+                { window_role = "task_dialog"; }
+                { window_type = "menu"; }
+                { app_id = "floating"; }
+                { app_id = "floating_update"; }
+                { class = "(?i)pinentry"; }
+                { title = "Administrator privileges required"; }
+                { title = "About Mozilla Firefox"; }
+                { window_role = "About"; }
+                {
+                  app_id = "firefox";
+                  title = "Library";
+                }
+              ];
+            in
+            map (criteria: {
+              inherit criteria;
+              command = "floating enable";
+            }) alwaysFloating;
+          config.input = {
+            "type:pointer" = {
+              accel_profile = "flat";
+              pointer_accel = "0.2";
+            };
+            "type:keyboard" = {
+              xkb_layout = "pl";
+            };
+          };
+          config.seat."*" = {
+            xcursor_theme = "volantes_cursors 24";
+          };
+          config.startup = [
+            {
+              command = "${lib.getExe' pkgs.glib "gsettings"} set org.gnome.desktop.interface cursor-theme 'volantes_cursors'";
+              always = true;
+            }
+          ];
+        };
+      programs.rofi = {
+        enable = true;
+        package = pkgs.rofi-wayland;
+      };
+    };
+}
--- a/modules/home/desktop/zellij.nix
+++ b/modules/home/desktop/zellij.nix
@ -3,7 +3,12 @@
  # TODO: Move zellij to a wrapper
  programs.zellij = {
    enable = true;
+    enableBashIntegration = false;
+    enableFishIntegration = false;
+    enableZshIntegration = false;
    settings = {
+      default_layout = "compacter";
+      show_startup_tips = false;
      keybinds = {
        shared_except = {
          _args = [ "locked" ];
--- a/modules/home/unfree.nix
+++ b/modules/home/unfree.nix
@ -1,5 +1,5 @@
 # Copy of modules/system/unfree.nix
-{ config, lib, ... }:
+args@{ config, lib, ... }:
 {
  _file = ./unfree.nix;

@ -11,7 +11,7 @@
      };
  };

-  config = {
+  config = lib.mkIf (!args ? osConfig) {
    nixpkgs.config.allowUnfreePredicate = lib.mkForce (
      pkg: builtins.elem (lib.getName pkg) config.settei.unfree.allowedPackages
    );
--- a/modules/system/incus.nix
+++ b/modules/system/incus.nix
@ -49,6 +49,23 @@ let
              };
            }
          ];
+          profiles = [
+            {
+              devices = {
+                eth0 = {
+                  name = "eth0";
+                  network = "incusbr0";
+                  type = "nic";
+                };
+                root = {
+                  path = "/";
+                  pool = "default";
+                  type = "disk";
+                };
+              };
+              name = "default";
+            }
+          ];
        };
      };
      networking = {
--- a/modules/system/sane-defaults.nix
+++ b/modules/system/sane-defaults.nix
@ -52,7 +52,6 @@ let
          experimental-features = [
            "nix-command"
            "flakes"
-            "repl-flake"
            "auto-allocate-uids"
          ];
          trusted-users = lib.optionals (!adminNeedsPassword) [ username ];
@ -92,7 +91,10 @@ let
        isNormalUser = true;
        home = "/home/${username}";
        group = username;
-        extraGroups = [ "wheel" ];
+        extraGroups = lib.mkMerge [
+          [ "wheel" ]
+          (lib.mkIf config.networking.networkmanager.enable [ "networkmanager" ])
+        ];
      };
      groups.${username} = { };
    };
@ -114,9 +116,8 @@ let

  darwinConfig = lib.optionalAttrs (!isLinux) {
    system.stateVersion = 4;
-    services.nix-daemon.enable = true;

-    security.pam.enableSudoTouchIdAuth = true;
+    security.pam.services.sudo_local.touchIdAuth = true;

    users.users.${username}.home = "/Users/${username}";
    # Every macOS ARM machine can emulate x86.
--- a/secrets/alert-nrab-lol-pass.age
+++ b/secrets/alert-nrab-lol-pass.age
--- a/secrets/alert-plain-pass.age
+++ b/secrets/alert-plain-pass.age
--- a/secrets/attic-creds.age
+++ b/secrets/attic-creds.age
--- a/secrets/forgejo-token.age
+++ b/secrets/forgejo-token.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 rA7dkQ tnp92QTb/uXAEizZuUrnaGcJCCkCSjIcE4RiQiYVdw8
+HXsRlqJSrDYaAeYslcR+g5KIQC1SUxFp+QdSHpKT61s
+-> ssh-ed25519 IFuY+w LI7kx/XwfF0JU8tSmW75nxpeLTUkEfY8NunAZljafCc
+f+WEjASZzP9ISv+7kPIMVNgEjdHUxVnLzUkqFHo4byY
+-> ssh-ed25519 GKhvwg EZDwzHfhaY0iHHeIDvm6BIY64kPPUgKjZnNuuwwqoAw
+FvZEeIqnsFA1fQka4R7sax1O13UZWoVbksSMLP3eEaA
+--- XBBcs7w5J7w01fKGoAXVTgOffS9ajheUMz3vDsxHgTo
+¼›g´ÕöØ¤ƒRn´lè¥gÃ’ÅÁA˜*%ÇYªr¯í
9}³=L~f7„¶ZgâxŠèœ
>¦ Rë}hQ›óõz`rÅZèØñ
--- a/secrets/github-token.age
+++ b/secrets/github-token.age
@ -1,13 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 IFuY+w nyBEszEusqQE6jM7y9G4KCyzNHawdyy+hTfm9LsuRCY
-1bbg4kmmv9m2Gwp+3x8zvqFOkmTKt898/sGCUK9rpGE
-> ssh-ed25519 84j9mw 5s2PNoIOMWf2gBwzmRHmssMOuvu2kv43316E20McKh8
-FyA+VjPgPynvMQfxm3d2+SOEpsJFIKJE8pbXeIkOfGI
-> ssh-ed25519 ioPMHA 4N9PsYYaeqJDbxpQpyCgvR/JWwLPDCAi65YB6M0uT0U
-mFCqo1htPi2WRKiJz/t8Y7TMD/p7X81HsHGG0KIsROQ
-> ssh-ed25519 5A7peQ ZjRTqjDou2xS638dR8AWKCv5uKTSmOSJ/4rkfFckhjY
-yUJABvMDLN0C15XBmnZJZ88khXAXLUP+aEqH5DlJcKY
-> ssh-ed25519 GKhvwg w1OKhVPY89J/pbrrXIHVifV++5e1tLqlSL9yM/2rqX0
-VF0cvmdtCZAlPgIqcNZYp7ANPhvDqlFE7h018lCbWyg
--- YWa0wXlaYVF+g06+w/u/h+NURlfMY8lauf5ZtrrhrF4
-3¦Í…P×†øæôÃ?4ƒ·)òçméñ f.ùªª±§þåÂ²’`<60><><EFBFBD>Á½aF<61>CjŒ"JÂÑwdé±‡œùBÆŒ+{dK´µ•
+-> ssh-ed25519 IFuY+w hrfVBxFIiDTvbm7OMYbme2+97WI3nqxYbjBNRXRS9H4
+SaKftmSA+8LitXnkqaw67xw378sNeGs/ENxmMsOVdvQ
+-> ssh-ed25519 84j9mw opGXl7a35TsSj2/ADgdbS5bp6/EDTsUDkS/IjIgjUBA
+Cw5O6wt9vzqCgbWxxCrzmXJQH+/Ae1wwyHCcHLfpEck
+-> ssh-ed25519 ioPMHA 5fAg0NsD/KlXSAJg1UQYsJEzZMy/wCHfwmv19cbWRyQ
+OhDaO75k9xEdCE0GdyJ6iK6B11ie/l4yCfVKp6py31I
+-> ssh-ed25519 5A7peQ pqvZetDuRh5pesWPZ9725h7i+XuvSNMn7810ukhNjyM
+96JlWRIyIZ07siNa1kk0HtHhiB4NQbSKQ4KXsDJGGdE
+-> ssh-ed25519 GKhvwg Ba5tOdWUlE9qs1tPb7t+0ZtHN82a6RmMHP1tzGe/VSg
+wLWBaFUkWkB5lMEKX0ISEQTGx/RDTF1vbvuGo9w8Qm4
+--- yVc69z1O1UOM+93dnjV0wkeqb4StW4HcBYi00z+0dIQ
+ð"›Š49ë”¹ùbW<62>5v	˜WjsUÚ²ºíoO<6F>Åý#S%\âqn®ã[³ðh½ôA¡ÑjEÊhéœýŽÔÞ¢„Ót¹£“jÿ‚C
--- a/secrets/hercules-cache.age
+++ b/secrets/hercules-cache.age
--- a/secrets/hercules-secrets.age
+++ b/secrets/hercules-secrets.age
@ -1,13 +1,16 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw P7StDsdpmJLp0ni5ZwdhVy2lx5TSfVlIqFAF9y4Zn34
-UksAEE1WWb2xWgHM8h4lhTW2pwqF8ydgGtFnqcp1KUo
-> ssh-ed25519 ioPMHA roPhy0I+dRtPuWsnFSxl2m7Uh7GgXkupwHSgL+LHrzs
-8rUE3mr9dukcAeR1213wjSm6Bme9ExpGX6TjEhHRYnc
-> ssh-ed25519 IFuY+w crwMCw/ElBMNFhUMHLAg+ZxpsutBwV7hhG79bXEmCDE
-7rnOVAVI/HgGbaswauWxCqB7Tkzx3hCxB2RZOi4aIpQ
-> ssh-ed25519 5A7peQ bcqPb+IVrI8BKlcpIrZ/qnbnG3p/mLsk/iSCVYlvwmY
-2q9KmMmyeYey9txiYrmxM5T86qXw7arKZSAbxszgxVo
-> ssh-ed25519 GKhvwg H9Pka72t6kmmxGcoAaRtyn8m9xlP9DJSeBrE6jVtRh4
-w/lcxBFd5w9mMn/sarr+7yCY+IGJzMJUgvi+KrQA4s4
--- wO1f52ZjrCtOdgOrnkKWPao5ZS2BhmWFQmvLGliosyM
-S»Úø–¹]l—ŽuâGŸá	ˆc°•U åÖLHb/(ÒfüÜ	ë$Ý&øÌX‘mÝ’<C39D>FPžçt®»œç.n‚,)¡¥<C2A1>ã¦t8ô 9½gø~”3Ûê×Î.ì×ÑÕÛh±œ`ê<>Ä0àÈiÂ<69>Ø|Zi¡‡9ùS‡´ß«ûÞ”~°vf¼,~\;ÃIÛ®ÖFVOÀ)uÍj :Ëu[&Çè´œª6£µ¢`ÝO¥Z|yVÆì®É¥_„ƒPeÁ½äùKÍ.vêª¹úž^›¹ñŸ•2ç-†Ò€<\^ämîŠ<C3AE>‘!.÷y¿s”¯
›¦Èl‚
ƒÎK`fÂbD‰äcdbÊD–<…í_6¿zãà±R©Å?êg•Ì®Ù`H ,5h Œ$\û¥XlÑÝ
+-> ssh-ed25519 84j9mw qVTbaORT1Ouwq1uA0cWQ3Q85tLYcq6xuZ9UhcMOTTSk
+PE0VZp1P9K4IAnm/BIDusGsp4dtLvaN0/m9q9gNnfx4
+-> ssh-ed25519 ioPMHA +m127XNN1vH6Tg6XGuHDbND0giQgGsMLE7YUKagZbXk
+tKyYRNLt1UgnQR//64yAunpHjE7JyB/Mkdmc4gkMTWw
+-> ssh-ed25519 IFuY+w x4WynTbStig1Ay9gyaplDcNlLQT0kMOFOJwVvcco1i0
+i8M7n2tfBJoFNmQHs5jEaZdfKc1UmjL5y6oBCos1mDk
+-> ssh-ed25519 5A7peQ +XJDHQntGS+FcrFgy9X/9RDOrBMNCI8rHsicV4Z5sBo
+i6xfceBN4DE9EYF8Q4PaJjX7qbELJaJ5dxMGoAIE8xU
+-> ssh-ed25519 GKhvwg fzJcotOtNhVeNwOdMQIwPT9GmgbE13HYmCkwbFlCCkQ
+mNtYtoX8IUDgHKAQRA5e7HLZgYVI9wCF8QMm530eFEo
+--- EIWU+anFU1NSYiu3O+xncDnVvJVrwHzwaAX1YhsaOj4
+%§ëDJ#Îä·0Ÿ¨AÉD
+qz›,3sHÿ…µÌÂVb¦<>‘®ÄÂTùÍÞªˆË‡¹8Ÿ¬[ ÏÈ?VgNVdˆ
+Ä<EFBFBD>È—L=è©íÌµžðg%Î¹î[ÕmdšòíëØ6oqòžEÂ4Å<34>óöÕF3‹@P\(MDM;’%É^<5E>Ü«ïp¾xîª÷p<10>):O9,iBµ¥±„T
+sÇšÏ-—à“ÃJWºÖèEÎ\0Â£™yÎ>0;î<>öyÑLæå{üt.g%W,ºX} JÆJßÀd‹gê3žŽ\Ž#)ö<>›0h=l‚´ˆüš<C3BC>hBBäƒœüXÀ<58>ÄëÍb$õ^Ð
óå”B¨M™ØìÕþ[È~ÌÜu?Ñâ®þþ	h‹¾ªlÿ”Ìc;z½k
--- a/secrets/hercules-token.age
+++ b/secrets/hercules-token.age
--- a/secrets/leet-nrab-lol-pass.age
+++ b/secrets/leet-nrab-lol-pass.age
@ -1,8 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw ZuGILSHnMIMy/GDEjkAriTBKBykkytcIVo63DPd4MhA
-aa/sGLpf+GrLzo8Jf3JWAPI0Uk96SH/CvGhynNJVx6E
-> ssh-ed25519 GKhvwg STHVqp1zYhQzu73INk2Cmkuf8X8kJPLtGSY8LJze/Tc
-Ny1C5CAnqSCcunIbM8if8oQ2VlerIIW5Dqds/Ztektw
--- gaHP+odPfw8A4f5NJkYOuvvYRWwo5EzRZVkXp6E7dfI
-NëÑfO÷=¢¨ÿª+T3þT 0w<ˆnXrˆ\—ùä˜XZ´MãX n˜Ò*ªóÞÉ¯òGœ’¼!¡ßG^ ß2ÞúÓÑqê’ô˜/w†ü
-ª½“}FPy‹<79>
+-> ssh-ed25519 84j9mw qRlII1WyhanH2pNwSnl01iMlPWQ7tsyiNNOHPLNMflo
+ZMtYsPCDsgcbN1qoAYWTBQtfBWGHzi4WKbGtpJSzKRA
+-> ssh-ed25519 GKhvwg Fck+71BDUxko70r43pDKCYaa5OKZipR4iNveNrJaiC0
+uZZhlsckmE+mi7Oq8+gtisDFmLEoy0Pm/9BKgRi9VHo
+--- i/jgJHw3pEnMDGSjdK47mOkt87oI8szIHiIqimXVyXY
+ÚÖßµSÇÞ<Èñ<C388>S‘¨ýjË{B>A¼Ñ¶î°Â„å<>í<EFBFBD>ÏBzœ¸ÜwgÅÙá@"PY^£+E¥×['ÓÞú–ÌŽÕ‘,K©[ÈXÜ~XåÇg’{øÊ2æìí–c4
--- a/secrets/legion-niko-pass.age
+++ b/secrets/legion-niko-pass.age
--- a/secrets/miyagi-niko-pass.age
+++ b/secrets/miyagi-niko-pass.age
@ -1,8 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 g2vRWw //TMaNWwTNS5wE3Hg/SEwqriIaOiOUE5remdVF449Vk
-8K3isM05ep9HJ58TlNE9bmiIuqJPoq3lI/3AbUrLw8Q
-> ssh-ed25519 GKhvwg GANoFnELye0945KaMuS7xw6CGPhI5vigD+vScnpbQxI
-CSx0E7fOB8A5MSc1ySywNFj5mkkdi6DDUc+ObaW/kew
--- +BiFZI/o5loCYZ95bkY4zQYr2y6SYc2bmnRuAMg2MPM
-"D1ŠMh»›`dcó…Þl©U;]PuÍ×Õ¼	/?¸Éì5«\\ì½D»ô¯È1l6Ã¸z‘ÍÕNé¼Sì™Æ
-N;<+^BpømÕšÁy»
ñ¦s°Z;ûÃºVª«¥ÉÝj’
+-> ssh-ed25519 g2vRWw Pdv9mU1heeteeLbLFVUAIyZxmCWHNmhnw0TphSVMczg
+xks6yrF0BziJFp1QHSJdv5Svo1bCu9DF6s3wa2h0Xmg
+-> ssh-ed25519 GKhvwg H2DeS0HP/vWKRrBszwCffNgIZo8nVymGSkWEH26Y/2k
+2y9DCIwpFsFXpgOwOrrD9+HpRzEuno1fW2upd2FLbZc
+--- LNHsLxE4XBziNhnXmARcxB7UWhcKNvon1sDdX6mfZaw
+-1Šdmÿ<6D>
+öf——ŽR´¸…,È[Û#[-ô;øMÓ}ävžêi4üx˜~=èÌ)ño¬º¡›N^Ènþê„"X<>§Bª}W583Ùæƒ<C3A6>fšvÞÀò:Î¥çôu†Z«µ<C2AB>åÉ¶
--- a/secrets/nrab-lol-cf.age
+++ b/secrets/nrab-lol-cf.age
--- a/secrets/ntfy-alert-pass.age
+++ b/secrets/ntfy-alert-pass.age
--- a/secrets/ntfy-niko-pass.age
+++ b/secrets/ntfy-niko-pass.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw tR4gg/XeVdS8xCIuHxN25uaRKu6a09DSW26SI3AWDlM
-uC2gJ9UWDE6uVXkUDlaVZlWAH5iLDgagkN+54msvyoY
-> ssh-ed25519 GKhvwg q27QskTYhI5gjIKKpNHn5V2FRmhIg8QFJ8m0TPZiwSY
-/0RIbiG/nwxKDJ613BLoCNvjej6f65mr1xwCN7/aueI
--- XU82wFZVE+zTZ/mGhnoxqWrdUOv3n6VOwQizZSHPLfw
-«ÁěĎ"˝ô˛čů1ëKË×Ä˝°˝.Ž J<>'!nlO]>ˇďĹYç
ąEűëÝX‘
+-> ssh-ed25519 84j9mw VodL+EHOjoXj8R/F0vMQzEcnnCFzzes0QByGCDCgVQw
+tZLaDA1FLFwbK0AGo8lpTJjMUnPhJh1czYVLIYjkcEc
+-> ssh-ed25519 GKhvwg gHaR4I4l0I+/XrbjTMp/mevEzxPJXNLB1eHs33WKwGw
+GTAzrhyyDylZgExteDGpGbcS/TFX1q+NhF1FWHzNV0s
+--- QS1dAgdS96KwIprDjzz6OD4qSIZs4/m9JEIsi3+kgPk
+¼ÐzêÐPCžSÖx€ªf	¹Â-èÕÂžÀiŒ¡cû7˜_¸2ÅŠ~¶ÛjA
--- a/secrets/rab-lol-cf.age
+++ b/secrets/rab-lol-cf.age
@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 ioPMHA efHpBvtB+mXXa7RoRdqePHGOmsY5BXVOgGsfOhPm30w
-2GvumVVuuLGEarpdauTCrB61aLtVtrkM3/pPlWIODnk
-> ssh-ed25519 84j9mw rqj6xvESlvrfcjhVEWCbpd//vvdKjrTjt3ZDPeLHowQ
-dcUD131zvVQGiUYQWt9A51CnIpLGNSGinSZk7HSGHoc
-> ssh-ed25519 GKhvwg cIji8zRSGWEbC/xxS8C4jyDCpQsFv05j2Yo8UjaHSAk
-+c/tIYPigZdPQWKvGYaoA6AYRAB83XlEEdfucihB984
--- TEQTQ/lm/JqyyWU2sC10qHl4AL/2IP9yCUfhXG4LdP4
-ŮČ®żöˇS¨Fâ-dcÂ‹D€\<5C>?hî Qg@W’âî
-xA|M*Űr—t0ÜĹ±~Ń°XaŇ{¸ÎĂy/ŹëWUŃ¸ˇ¤Y˛‹ë ¬¨{đ×°}TAxDç
+-> ssh-ed25519 ioPMHA ftS+6CMGsySkp/KbDBLPKeWNDK83bZ2VB8ZKMRijkkY
+U+2wopG3G2AvI4KUD9tZGIrHZSM3UdyDdYmbbkllWPo
+-> ssh-ed25519 84j9mw xek41MX1ETVgRZa24I7n5U/XkJOqItQWK3Qz1FfkDCc
+40CWzCUmxsjgmiObbqKuSieifZ2vNo965jOeTrZ8hT8
+-> ssh-ed25519 GKhvwg X2YSREIPjoaWaku9qrVu04hOlZjUF3LFEUZaIMgg02s
+jbjT6qoIFGXRv2wrkzf2GHx3tcku/tgWfK6Sns3uFVc
+--- B/FIIz8dDg9YXbtDxfAQFZj9PCLHwI/mboBJQBuFmJg
+„ýÎãì4®L7Hç3F¼
À<0B>íÍ„"ºæfU(ëÁLÎ×Û~î‡%sb£ìùãæ¾Ô€~ZÂ}Z>2KO¨'Q\Á¿W[š„·ÏŒe…š¡1ö^IÖÂ‘
--- a/secrets/rabulinski-com-cf.age
+++ b/secrets/rabulinski-com-cf.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw LuZiZnebklpoXQ6RPZSrELwY4CzwY+Qb/LrlVPFiSC4
-QVi6XyetJxwvOB+v+CyKEdcq96ykcK3wfWh3i75Dq1o
-> ssh-ed25519 GKhvwg V3iEXNodDDKKKrHSfNYVKTphsMQfgl3Z/LUwTyArx3A
-FQJLg7uHWzc6/U+/QOCYwrkwvvw8rQNG+h+PJ1rRKXA
--- FVExbzlz8e7moZFIkpMR+sj4Kurv+Ge6yMW/uJLr5H4
-¨Ñ ç×¿I-‡iO–Jbzk÷Œ€1¨"œ„’ø™Kx—I{¨BÆšd#¦éê71Ü®âm-Ø¡ø0D°¢£f\¥y}ƒ‡ˆâùŸ‘ôÿÕ=Ú¸º
ëû4òÝ£
+-> ssh-ed25519 84j9mw d9KZV9S1hRXBvVcFe40S0NqWKlQ/AdRgAqdYXKicXR8
+SgTn9MXrft+sRr4I96fqQHzAdm0b21Bd0eSoYFfq7/4
+-> ssh-ed25519 GKhvwg B9qTfegTwDH/X0nQMGvTKCsK2GyzJ7yWgFIo+nKhsGc
+Is4Hi8B2/9s0pz/quvNER2hTkabPbr7qeILL4PhQO1c
+--- 1BhfbNEwYq0ra5slik651qbC8jffR2FmnDHV3FDtom0
+Œ-…oS‚Ô<E2809A>¢-?{¢r]5«°ó–â”;Ä+0Â
’GÏÁoE9tƒ”µHXjqâj2@3@¦üÞ ¶¼µº©÷m°mkúðyQâØ;_<>ŸW°ÑÏ¶Qœ~
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -33,9 +33,8 @@ in
    keys.other.bootstrap
  ];
  "alert-plain-pass.age".publicKeys = [
-    keys.system.legion
    keys.other.bootstrap
-  ];
+  ] ++ builtins.attrValues keys.system;
  "legion-niko-pass.age".publicKeys = [
    keys.system.legion
    keys.other.bootstrap
@ -89,6 +88,15 @@ in
    keys.system.ude
    keys.other.bootstrap
  ];
+  "youko-niko-pass.age".publicKeys = [
+    keys.system.youko
+    keys.other.bootstrap
+  ];
+  "forgejo-token.age".publicKeys = [
+    keys.system.youko
+    keys.system.ude
+    keys.other.bootstrap
+  ];
  "kanidm-admin-pass.age".publicKeys = [
    keys.system.kazuki
    keys.other.bootstrap
--- a/secrets/storage-box-creds.age
+++ b/secrets/storage-box-creds.age
@ -1,9 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 84j9mw voingQjX/CjAjo63KLaRPFaG74IpxcRb0qv+r2b5wzo
-ccWzQQSJW7cc8RiS9PzN2U5Xj0+Z7804tPsaGrq09KA
-> ssh-ed25519 GKhvwg 2z8J0YRxQ4WP1G/W7DxRK7z1b6UBjodvN8ECP4fLg1U
-wRG4U9oAJ2KtPUHg5l0yDmmHatmwXOrn2nJlOQJMlpE
--- qs7kR5AIkwQ8NtDjYnmKZmCl4+1G6MFBNB3Mu3J9Y1M
-<EFBFBD>ø™
-æ8[ÅÎWÑ•®SàõòÝ¸’<C2B8>„<EFBFBD>î]&èZaØ¼uŸÇæžEBÕå!®pŽÖÏ´åÌ4pYÝ±"
-QYê<EFBFBD>qSÆ¬`œ
+-> ssh-ed25519 84j9mw auP2WgwsaWjyocQkSzoYShO2kSLjn2UArvAVEhKgDiY
+4Uh423ZjS7/Xo6TxLJzWqXgHZAu0xouH0UvFZuJuEz4
+-> ssh-ed25519 GKhvwg JHtyTS12OXspSKP9r/a61cfp+ubYbsAXFmEijMTex3Q
+wZYrJ8yIZ3v5cdBzpiI9ocaTpHbtmebEpbr59Bz3rhc
+--- koWJ57H+ErMJDxW6JDNL2ImmZb6o9v2BJtaFi2OL+dc
+Ioð5q®&¢C<C2A2>³U*”†[T.Hª€ÉŠ×Êºkkp„Oç£Ys,Óg£49øËÅ‰$^l-Aú/—¶åë¦QÊX»ÆðÖø
--- a/secrets/storage-box-webdav.age
+++ b/secrets/storage-box-webdav.age
--- a/secrets/ude-deluge.age
+++ b/secrets/ude-deluge.age
@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 IFuY+w +zbPYKlvvfaIQl+PnnZlEai/TAgzsQ7s/1bLXNXnXEw
-BTQQRxlaRFbWnV6e+QBPDfN+lyg9URj+2h85tDKZ19k
-> ssh-ed25519 GKhvwg DzWYIGY0CNdA5wp7PkV1gpWmtYG28or8XeNZ7DkLz1c
-ELQVeuyaIOWVH6+oMDDlI3CikDLe5jijwVPbaRBL2NQ
--- vCU0PryisDG8cOKr6CmPcUwjIdThsRjrty/fowZNwOk
-ð”Êh<1F>+Ñ®ì>³ùöíHV`w|e/³ò]â½kšïyð´S~d¡¡œm&Û9¹ªýY)ÍÉ)T
ôn•ç¡Sê8Ç@Û¿zsSÉÑÒÔg'
+-> ssh-ed25519 IFuY+w EOJQpXxn+NL/BJjpdo8mIGfOYxcMElkVIiGx7KftrQ4
+OcglvGhSgb1mxH8M19ZMf3m6lSF0clzH7Mjikf7cilM
+-> ssh-ed25519 GKhvwg cr+0J59wCjYBONBcDulN8lpvZiCvULHqnwDu+eKQRAo
+9q87PSfr4kq8lCDrw5Od3D1xJjSSmVv2/TXBWEBtBpU
+--- FmVR9tb8wjYFb/FBTrblXMCUAMw5KQ7sX8WojcxCrbk
+ŃĚÇCÂ<\á}ŹJ<C5B9>Ą ¨„f”é|<7C>6G“Ś•@WXc-"©Ő÷Ď<C3B7>űîüîAGşŹ«Z‚' Ĺxé_ňÔ ˝z,@nÇ"3[Ä?
Lb@óŹďe
--- a/secrets/youko-niko-pass.age
+++ b/secrets/youko-niko-pass.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 rA7dkQ etmPKjKz102knTx/qQAihC9bFvRENB0Q1DtnaQyjfm4
+GPt9OCIwT+/Q/UUDtkHB8d7T6znHy1y1NEUeI+SCeMg
+-> ssh-ed25519 GKhvwg qdCxGyXrdD+WQa/il8fIlV7OKdREqd40Qk0PKITHxlk
+OBJ9gg+KBHi2s1HYLazy3K+yh8tvnUvmuH+riWU7K8c
+--- V3FRy0/TcUdUaBDUK+93r5rH26Is/KVuNJC+1vFMsOI
+ŠýØÀëÐw§±æÏôOÌ.âžŒañ«÷Ûä<01>A¨&<26>ößÞ<C39F>z³¹û	ä[oXµÄ‚u<E2809A>ÁßùÅþƒáÖÉ÷”,ášajxGÆœuÕ/šÆñæ–›eL‘²Ì›/6S[SU¾
--- a/secrets/zitadel-master.age
+++ b/secrets/zitadel-master.age
--- a/services/default.nix
+++ b/services/default.nix
@ -1,6 +1,7 @@
 {
  imports = [
    ./attic.nix
+    ./forgejo-runner.nix
    ./kanidm.nix
    ./forgejo.nix
  ];
--- a/services/forgejo-runner.nix
+++ b/services/forgejo-runner.nix
@ -0,0 +1,49 @@
+{
+  services.forgejo-runner = {
+    hosts = [
+      "ude"
+      "youko"
+    ];
+    config =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        age.secrets.forgejo-runner-token.file = ../secrets/forgejo-token.age;
+
+        services.gitea-actions-runner = {
+          package = pkgs.forgejo-actions-runner;
+          instances.default = {
+            enable = true;
+            name = config.networking.hostName;
+            url = "https://git.rab.lol";
+            tokenFile = config.age.secrets.forgejo-runner-token.path;
+            settings = {
+              container.network = "bridge";
+            };
+            hostPackages = lib.mkOptionDefault [
+              pkgs.nix
+            ];
+            labels = [
+              "ubuntu-latest:docker://node:16-bullseye"
+              "ubuntu-22.04:docker://node:16-bullseye"
+              "ubuntu-20.04:docker://node:16-bullseye"
+              "ubuntu-18.04:docker://node:16-buster"
+              "native:host"
+              "native-${pkgs.system}:host"
+            ];
+          };
+        };
+
+        virtualisation.podman = {
+          enable = true;
+          defaultNetwork.settings.dns_enabled = true;
+        };
+
+        networking.firewall.trustedInterfaces = [ "podman+" ];
+      };
+  };
+}
Author	SHA1	Message	Date
Nikodem Rabuliński	ae66e9fd21	modules/system/containers: enable nat for container interfaces All checks were successful / check (pull_request) Successful in 44s Details	2025-03-21 23:56:53 +01:00
Nikodem Rabuliński	1a62c97de4	services/forgejo: move from hosts/kazuki	2025-03-21 23:56:53 +01:00
Nikodem Rabuliński	33d2682245	services/kanidm: init	2025-03-21 23:56:51 +01:00
Nikodem Rabuliński	cdfd00a99c	modules/home/desktop/zellij: disable shell integrations All checks were successful / check (pull_request) Successful in 40s Details / check (push) Successful in 46s Details	2025-03-21 23:31:18 +01:00
Nikodem Rabuliński	16e8f3f0f4	flake.lock: update All checks were successful / check (pull_request) Successful in 4m16s Details / check (push) Successful in 47s Details	2025-03-21 22:42:05 +01:00
Nikodem Rabuliński	008a38e397	ci: check all systems	2025-03-20 22:54:40 +01:00
Nikodem Rabuliński	f3168cea0f	ci: trigger on prs All checks were successful / check (pull_request) Successful in 3m49s Details / check (push) Successful in 1m35s Details	2025-03-19 18:14:22 +01:00
Nikodem Rabuliński	00a797fd09	services/forgejo-runner: add nix to path	2025-03-19 18:10:16 +01:00
Nikodem Rabuliński	b7ee2ec2ff	ci: use forgejo runner Some checks failed / check (push) Failing after 13s Details	2025-03-19 17:40:09 +01:00
Nikodem Rabuliński	b97f24c12c	services/forgejo-runner: init	2025-03-19 17:31:48 +01:00
Nikodem Rabuliński	21920907fe	hosts/youko: enable vmware	2025-03-18 22:08:18 +01:00
Nikodem Rabuliński	94b293acbb	modules/system/incus: initialize default profile	2025-03-18 22:08:18 +01:00
Nikodem Rabuliński	ddaec1196e	hosts/youko/nas: sail the high seas	2025-03-18 22:08:18 +01:00
Nikodem Rabuliński	c0d6938a39	modules/system/sane-defaults: add user to networkmanager group	2025-03-18 22:08:18 +01:00
Nikodem Rabuliński	994732bf6b	hosts/youko: enable smb	2025-03-18 22:08:11 +01:00
Nikodem Rabuliński	dcb2f78a9c	hosts/youko: add kernel module for fan control	2025-02-24 22:43:33 +01:00
Nikodem Rabuliński	f369c754a3	hosts/youko: move zfs pool	2025-02-24 22:43:33 +01:00
Nikodem Rabuliński	3622d231f8	secrets: sign alert-plain-pass for all systems	2025-02-24 22:43:33 +01:00
Nikodem Rabuliński	2dc36618af	hosts/youko: sway	2025-02-24 22:43:33 +01:00
Nikodem Rabuliński	aaa0b853f7	hosts/youko: add youko ssh keys, set user password	2025-02-24 22:43:30 +01:00
Nikodem Rabuliński	e2014034bb	hosts/youko: init	2025-02-24 22:42:51 +01:00