Merge pull request 'feature/add-overseerr' (#120) from feature/add-overseerr into main

Reviewed-on: #120

.github/workflows/flake-health-checks.yml

@@ -5,6 +5,9 @@ on:
     pull_request:
         branches: ["main"]
     merge_group:
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
     health-check:
         name: "Perform Nix flake checks"

.github/workflows/flake-update.yml

@@ -4,6 +4,9 @@ on:
     workflow_dispatch:
     schedule:
         - cron: "00 12 * * *"
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
     update_lockfile:
         runs-on: ubuntu-latest

.github/workflows/lock-health-checks.yml

@@ -5,6 +5,9 @@ on:
     pull_request:
         branches: ["main"]
     merge_group:
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
     health-check:
         name: "Check health of `flake.lock`"

.sops.yaml

@@ -7,11 +7,9 @@ keys:
     # cspell:disable
     - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
     - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
-    #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
     - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
+    - &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
     # cspell:enable
-servers: &servers
-    - *palatine-hill
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
@@ -38,9 +36,22 @@ creation_rules:
             - *admin_alice
           age:
             - *artemision
+    - path_regex: systems/selinunte/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *artemision
+            - *selinunte
     - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
       key_groups:
         - pgp:
             - *admin_alice
           age:
             - *palatine-hill
+    - path_regex: systems/palatine-hill/docker/openvpn/.*\.ovpn$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *palatine-hill

flake.lock

@@ -304,7 +304,9 @@
       "inputs": {
         "nix": "nix",
         "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
         "lastModified": 1748756240,
@@ -409,6 +411,35 @@
         "type": "github"
       }
     },
+    "nixos-cosmic": {
+      "inputs": {
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nixpkgs-stable"
+        ],
+        "rust-overlay": [
+          "rust-overlay"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748776124,
+        "narHash": "sha256-vs2cMCHX9wnWJutXhQyWkWOpMF/Xbw0ZAUAFGsKLifA=",
+        "owner": "lilyinstarlight",
+        "repo": "nixos-cosmic",
+        "rev": "e989a41092f6f0375e7afb789bc97cb30d01fdb8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lilyinstarlight",
+        "repo": "nixos-cosmic",
+        "type": "github"
+      }
+    },
     "nixos-generators": {
       "inputs": {
         "nixlib": "nixlib",
@@ -470,16 +501,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1748124805,
-        "narHash": "sha256-8A7HjmnvCpDjmETrZY1QwzKunR63LiP7lHu1eA5q6JI=",
-        "owner": "NixOS",
+        "lastModified": 1748762463,
+        "narHash": "sha256-rb8vudY2u0SgdWh83SAhM5QZT91ZOnvjOLGTO4pdGTc=",
+        "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "db1aed32009f408e4048c1dd0beaf714dd34ed93",
+        "rev": "0d0bc640d371e9e8c9914c42951b3d6522bc5dda",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-25.05-small",
+        "owner": "nixos",
+        "ref": "nixos-unstable-small",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -515,22 +546,6 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1748762463,
-        "narHash": "sha256-rb8vudY2u0SgdWh83SAhM5QZT91ZOnvjOLGTO4pdGTc=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "0d0bc640d371e9e8c9914c42951b3d6522bc5dda",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nur": {
       "inputs": {
         "flake-parts": [
@@ -591,10 +606,11 @@
         "hydra": "hydra",
         "hyprland-contrib": "hyprland-contrib",
         "nix-index-database": "nix-index-database",
+        "nixos-cosmic": "nixos-cosmic",
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
         "nixos-modules": "nixos-modules",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
         "nixpkgs-stable": "nixpkgs-stable",
         "pre-commit-hooks": "pre-commit-hooks",
         "rust-overlay": "rust-overlay",

flake.nix

@@ -6,16 +6,19 @@
       "https://cache.nixos.org/?priority=1&want-mass-query=true"
       "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
       "https://attic.nayeonie.com/nix-cache"
+      "https://cosmic.cachix.org/"
     ];
     trusted-substituters = [
       "https://cache.nixos.org"
       "https://nix-community.cachix.org"
       "https://attic.nayeonie.com/nix-cache"
+      "https://cosmic.cachix.org/"
     ];
     trusted-public-keys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       "nix-cache:grGRsHhqNDhkEuTODvHJXYmoCClntC+U8XAJQzwMaZM="
+      "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
     ];
     trusted-users = [ "root" ];
     allow-import-from-derivation = true;
@@ -23,6 +26,7 @@
   };
 
   inputs = {
+    # flake inputs with no explicit deps (in alphabetic order)
     flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
     flake-parts.url = "github:hercules-ci/flake-parts";
     nixos-hardware.url = "github:NixOS/nixos-hardware";
@@ -32,16 +36,7 @@
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
     systems.url = "github:nix-systems/default";
 
-    # attic = {
-    #   url = "github:zhaofengli/attic";
-    #   inputs = {
-    #     nixpkgs.follows = "nixpkgs";
-    #     nixpkgs-stable.follows = "nixpkgs-stable";
-    #     flake-compat.follows = "flake-compat";
-    #     flake-parts.follows = "flake-parts";
-    #   };
-    # };
-
+    # flake inputs with dependencies (in alphabetic order)
     firefox-addons = {
       url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
       inputs = {
@@ -61,9 +56,9 @@
 
     hydra = {
       url = "git+https://nayeonie.com/ahuston-0/hydra?ref=add-gitea-pulls";
-      # inputs = {
-      #   nixpkgs.follows = "nixpkgs";
-      # };
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+      };
     };
 
     hyprland-contrib = {
@@ -76,6 +71,16 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    nixos-cosmic = {
+      url = "github:lilyinstarlight/nixos-cosmic";
+      inputs = {
+        flake-compat.follows = "flake-compat";
+        nixpkgs.follows = "nixpkgs";
+        nixpkgs-stable.follows = "nixpkgs-stable";
+        rust-overlay.follows = "rust-overlay";
+      };
+    };
+
     nixos-generators = {
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";

modules/users.nix

@@ -0,0 +1,11 @@
+{
+  ...
+}:
+
+{
+  users.groups = {
+    users = {
+      gid = 100;
+    };
+  };
+}

systems/artemision/configuration.nix

@@ -60,12 +60,13 @@
 
     fwupd = {
       enable = true;
-      package =
-        (import (builtins.fetchTarball {
-          url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
-          sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
-        }) { inherit (pkgs) system; }).fwupd;
+      # package =
+      #   (import (builtins.fetchTarball {
+      #     url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
+      #     sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
+      #   }) { inherit (pkgs) system; }).fwupd;
     };
+    mullvad-vpn.enable = true;
 
     fprintd.enable = lib.mkForce false;
     openssh.enable = lib.mkForce false;

systems/artemision/desktop.nix

@@ -45,9 +45,6 @@
 
   powerManagement = {
     enable = true;
-    resumeCommands = ''
-      ${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
-    '';
   };
 
   environment.systemPackages = with pkgs; [

systems/artemision/programs.nix

@@ -100,7 +100,6 @@
     unipicker
     unzip
     uutils-coreutils-noprefix
-    vesktop
     vscode
     watchman
     wget

systems/palatine-hill/configuration.nix

@@ -17,6 +17,7 @@
     ./minio.nix
     ./networking.nix
     ./nextcloud.nix
+    #./plex
     ./postgresql.nix
     ./samba.nix
     ./zfs.nix
@@ -57,16 +58,37 @@
     };
   };
 
-  environment.systemPackages = with pkgs; [
+  environment = {
+    systemPackages = with pkgs; [
       chromedriver
       chromium
       docker-compose
+      filebot
       intel-gpu-tools
       jellyfin-ffmpeg
       jq
       yt-dlp
       yq
     ];
+    etc = {
+      # Creates /etc/lynis/custom.prf
+      "lynis/custom.prf" = {
+        text = ''
+          skip-test=BANN-7126
+          skip-test=BANN-7130
+          skip-test=DEB-0520
+          skip-test=DEB-0810
+          skip-test=FIRE-4513
+          skip-test=HRDN-7222
+          skip-test=KRNL-5820
+          skip-test=LOGG-2190
+          skip-test=LYNIS
+          skip-test=TOOL-5002
+        '';
+        mode = "0440";
+      };
+    };
+  };
 
   services = {
     samba.enable = true;

systems/palatine-hill/default.nix

@@ -3,5 +3,8 @@
   users = [ "alice" ];
   modules = [
     # inputs.attic.nixosModules.atticd
+    inputs.nixos-hardware.nixosModules.common-cpu-amd
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
+    inputs.nixos-hardware.nixosModules.supermicro
   ];
 }

systems/palatine-hill/docker/act-runner.nix

@@ -12,6 +12,7 @@ in
   virtualisation.oci-containers.containers = {
     act-stable-latest-main = {
       image = "gitea/act_runner:latest";
+      pull = "always";
       extraOptions = [
         "--stop-signal=SIGINT"
       ];
@@ -35,6 +36,7 @@ in
 
     act-stable-latest-1 = {
       image = "gitea/act_runner:latest";
+      pull = "always";
       extraOptions = [
         "--stop-signal=SIGINT"
       ];
@@ -57,6 +59,7 @@ in
 
     act-stable-latest-2 = {
       image = "gitea/act_runner:latest";
+      pull = "always";
       extraOptions = [
         "--stop-signal=SIGINT"
       ];

systems/palatine-hill/docker/arr.nix

@@ -0,0 +1,124 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  virtualisation.oci-containers.containers = {
+    bazarr = {
+      image = "ghcr.io/linuxserver/bazarr:latest";
+      ports = [ "6767:6767" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.primary_docker}/bazarr:/config"
+        "${vars.primary_plex_storage}/data:/data"
+      ];
+      autoStart = true;
+    };
+    prowlarr = {
+      image = "ghcr.io/linuxserver/prowlarr:latest";
+      ports = [ "9696:9696" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [ "${vars.primary_docker}/prowlarr:/config" ];
+      autoStart = true;
+    };
+    radarr = {
+      image = "ghcr.io/linuxserver/radarr:latest";
+      ports = [ "7878:7878" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.primary_docker}/radarr:/config"
+        "${vars.primary_plex_storage}/data:/data"
+      ];
+      autoStart = true;
+    };
+    sonarr = {
+      image = "ghcr.io/linuxserver/sonarr:latest";
+      ports = [ "8989:8989" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.primary_docker}/sonarr:/config"
+        "${vars.primary_plex_storage}/data:/data"
+      ];
+      autoStart = true;
+    };
+    lidarr = {
+      image = "ghcr.io/linuxserver/lidarr:latest";
+      ports = [ "8686:8686" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.primary_docker}/lidarr:/config"
+        "${vars.primary_plex_storage}/data:/data"
+      ];
+      autoStart = true;
+    };
+    readarr = {
+      image = "ghcr.io/linuxserver/readarr:latest";
+      ports = [ "8787:8787" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.primary_docker}/readarr:/config"
+        "${vars.primary_plex_storage}/data:/data"
+      ];
+      autoStart = true;
+    };
+    unpackerr = {
+      image = "golift/unpackerr:latest";
+      user = "600:100";
+      environment = {
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.primary_docker}/unpackerr:/config"
+        "${vars.primary_plex_storage}:/data"
+      ];
+      autoStart = true;
+    };
+
+    overseerr = {
+      image = "lscr.io/linuxserver/overseerr";
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [ "${vars.primary_docker}/overseerr:/config" ];
+      # TODO: remove ports later since this is going through web
+      ports = [ "5055:5055" ]; # Web UI port
+      dependsOn = [
+        "radarr"
+        "sonarr"
+      ];
+      extraOptions = [ "--network=haproxy-net" ];
+      autoStart = true;
+    };
+  };
+}

systems/palatine-hill/docker/default.nix

@@ -8,6 +8,7 @@
 {
   imports = [
     ./act-runner.nix
+    ./arr.nix
     # temp disable archiveteam for tiktok archiving
     #./archiveteam.nix
     # ./books.nix

systems/palatine-hill/docker/glances.nix

@@ -8,6 +8,7 @@ in
   virtualisation.oci-containers.containers = {
     glances = {
       image = "nicolargo/glances:latest-full";
+      pull = "always";
       extraOptions = [
         "--pid=host"
         "--network=haproxy-net"

systems/palatine-hill/docker/minecraft.nix

@@ -39,6 +39,7 @@ in
   virtualisation.oci-containers.containers = {
     mc-router = {
       image = "itzg/mc-router:latest";
+      pull = "always";
       extraOptions = [
         "--network=haproxy-net"
         "--network=minecraft-net"

systems/palatine-hill/docker/nextcloud.nix

@@ -9,6 +9,7 @@ let
   nextcloud-base = {
     # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
     image = "nextcloud-nextcloud";
+    pull = "always";
     hostname = "nextcloud";
     volumes = [
       "${nextcloud_path}/nc_data:/var/www/html:z"
@@ -32,6 +33,7 @@ in
     };
     redis = {
       image = "redis:latest";
+      pull = "always";
       user = "600:600";
       volumes = [
         "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
@@ -47,6 +49,7 @@ in
     };
     go-vod = {
       image = "radialapps/go-vod:latest";
+      pull = "always";
       dependsOn = [ "nextcloud" ];
       environment = {
         NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
@@ -58,6 +61,7 @@ in
     };
     collabora-code = {
       image = "collabora/code:latest";
+      pull = "always";
       dependsOn = [ "nextcloud" ];
       environment = {
         aliasgroup1 = "https://collabora.nayenoie.com:443";

systems/palatine-hill/docker/torr.nix

@@ -1,7 +1,8 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 let
   delugeBase = {
+    pull = "always";
     environment = {
       PUID = "600";
       PGID = "100";
@@ -19,18 +20,31 @@ let
   deluge_path = "${torr_path}/deluge";
   delugevpn_path = "${torr_path}/delugevpn";
 
-  genSopsConf = file: {
+  #genSopsConfWg = file: {
+  #  "${file}" = {
+  #    format = "binary";
+  #    sopsFile = ./wg/${file};
+  #    path = "${delugevpn_path}/config/wireguard/configs/${file}";
+  #    owner = "docker-service";
+  #    group = "users";
+  #    restartUnits = [ "docker-delugeVPN.service" ];
+  #  };
+  #};
+
+  genSopsConfOvpn = file: {
     "${file}" = {
       format = "binary";
-      sopsFile = ./wg/${file};
-      path = "${delugevpn_path}/config/wireguard/configs/${file}";
+      sopsFile = ./openvpn/${file};
+      path = "${delugevpn_path}/config/openvpn/configs/${file}";
       owner = "docker-service";
       group = "users";
       restartUnits = [ "docker-delugeVPN.service" ];
     };
+
   };
 in
 {
+
   virtualisation.oci-containers.containers = {
     deluge = delugeBase // {
       image = "binhex/arch-deluge";
@@ -45,25 +59,26 @@ in
       ];
     };
     delugeVPN = delugeBase // {
-      image = "binhex/arch-delugevpn";
-      extraOptions = [
-        "--privileged=true"
-        "--sysctl"
-        "net.ipv4.conf.all.src_valid_mark=1"
-      ];
+      image = "binhex/arch-delugevpn:latest";
+      capabilities = {
+        NET_ADMIN = true;
+      };
+      autoRemoveOnStop = false;
       environment = delugeBase.environment // {
         VPN_ENABLED = "yes";
-        VPN_CLIENT = "wireguard";
-        VPN_PROV = "custom";
+        VPN_CLIENT = "openvpn";
+        VPN_PROV = "protonvpn";
         ENABLE_PRIVOXY = "yes";
         LAN_NETWORK = "192.168.0.0/16";
-        NAME_SERVERS = "194.242.2.9";
+        ENABLE_STARTUP_SCRIPTS = "yes";
+        #NAME_SERVERS = "194.242.2.9";
+        #NAME_SERVERS = "9.9.9.9";
         # note, delete /config/perms.txt to force a bulk permissions update
-
       };
+      environmentFiles = [ config.sops.secrets."docker/delugevpn".path ];
       volumes = [
         "${delugevpn_path}/config:/config"
-        "${delugevpn_path}/data:/data"
+        "${deluge_path}/data:/data" # use common torrent path yuck
         "/etc/localtime:/etc/localtime:ro"
       ];
       ports = [
@@ -71,6 +86,9 @@ in
         "8119:8118"
         "39275:39275"
         "39275:39275/udp"
+        "48346:48346"
+        "48346:48346/udp"
+
       ];
     };
   };
@@ -79,25 +97,34 @@ in
     serviceConfig = {
       ExecStartPre = [
         (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
-          + "-type l -not -name wg0.conf "
+          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/openvpn/configs "
+          + "-type l -not -name network.ovpn "
           + "| ${pkgs.coreutils}/bin/shuf -n 1 "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
+          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/openvpn/network.ovpn &&"
+          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/openvpn/network.ovpn &&"
+          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/openvpn/network.ovpn\""
+        )
+        (
+          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/scripts/links "
+          + "-type l "
+          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/scripts/ \""
         )
       ];
-      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
+      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/scripts/*sh" ];
     };
   };
 
-  sops.secrets =
-    (genSopsConf "se-mma-wg-001.conf")
-    // (genSopsConf "se-mma-wg-002.conf")
-    // (genSopsConf "se-mma-wg-003.conf")
-    // (genSopsConf "se-mma-wg-004.conf")
-    // (genSopsConf "se-mma-wg-005.conf")
-    // (genSopsConf "se-mma-wg-101.conf")
-    // (genSopsConf "se-mma-wg-102.conf")
-    // (genSopsConf "se-mma-wg-103.conf");
+  sops.secrets = (genSopsConfOvpn "se.protonvpn.udp.ovpn") // {
+    "docker/delugevpn" = {
+      owner = "docker-service";
+      group = "users";
+      restartUnits = [ "docker-delugeVPN.service" ];
+    };
+    "docker/protonvpn-start-script" = {
+      path = "${delugevpn_path}/config/scripts/links/protonvpn-start-script.sh";
+      owner = "docker-service";
+      group = "users";
+      restartUnits = [ "docker-delugeVPN.service" ];
+    };
+  };
 }

systems/palatine-hill/firewall.nix

@@ -24,6 +24,15 @@
 
     # collabora
     9980
+
+    # arr
+    6767
+    9696
+    7878
+    8989
+    8686
+    8787
+    5055
   ];
 
 }

systems/palatine-hill/hydra.nix

@@ -82,10 +82,10 @@ in
       '';
     };
 
-    nix-serve = {
-      enable = true;
-      secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
-    };
+    # nix-serve = {
+    #   enable = true;
+    #   secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
+    # };
     prometheus = {
       enable = true;
       webExternalUrl = "https://prom.alicehuston.xyz";
@@ -134,7 +134,7 @@ in
   sops = {
     secrets = {
       "hydra/environment".owner = "hydra";
-      "nix-serve/secret-key".owner = "root";
+      # "nix-serve/secret-key".owner = "root";
       "alice/gha-hydra-token" = {
         sopsFile = ../../users/alice/secrets.yaml;
         owner = "hydra";

systems/palatine-hill/plex/default.nix

@@ -0,0 +1,28 @@
+{
+  pkgs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  services.plex = {
+    enable = true;
+    dataDir = vars.primary_plex;
+  };
+  systemd.services.plex_permission = {
+    description = "maintains plex permissions";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.bash}/bin/bash ${./plex_permission.sh}";
+    };
+  };
+  systemd.timers.plex_permission = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "1h";
+      OnCalendar = "daily 03:00";
+      Unit = "plex_permission.service";
+    };
+  };
+}

systems/palatine-hill/plex/plex_permission.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+plex_dir="/ZFS/ZFS-primary/plex"
+
+chown docker-service:users -R "$plex_dir"
+find "$plex_dir" -type f -exec chmod 664 {} \;
+find "$plex_dir" -type d -exec chmod 775 {} \;

systems/palatine-hill/secrets.yaml

@@ -23,6 +23,8 @@ docker:
     redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
     act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
     collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
+    delugevpn: ENC[AES256_GCM,data:YGkgaQUuA9oteKD77tnFzxZSHctyOQjMNlfvJr3mPWAl2P8wfcshiUoa6SNp69pagxbzRV6mfuzwzinbkQCoZN3lw7uF76y0,iv:Bro0H4tFR+3wi9DGGq9a6ge4o4uPlVXBUF7h17zyqg8=,tag:N1kVNFasqGMx8R9qTq2dJA==,type:str]
+    protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
 acme:
     bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
     dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -41,8 +43,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-30T04:36:41Z"
-    mac: ENC[AES256_GCM,data:fEsUt5g0/7j8IVgtXQ0thV93dxe6SGCglqeHdnaXFOjKcCUEFWUmi98M8X92hR9AJzscRK6wqzijd/AQBzl+GL2QtDYsn8qx9Nr0DBd6Gh1vi25eh5LtADm09COSae1THWuFLP7L1Qamyt+XzlBa7Xnrzfuzzp0s2/cZoxZiueU=,iv:VYzh833cMQwGmkB6QunRys0Eluz+0KGj8Y43B9icE9w=,tag:EWJSizBMTFZ0TZhncYe2Sw==,type:str]
+    lastmodified: "2025-06-01T23:54:50Z"
+    mac: ENC[AES256_GCM,data:xBSrKfuBEXYVqLhZF903HbLaCpgXyuo3r7/FUBPM9Pl+rKUGx8p7LKCIec2NPCGO8ylQvC8T2mochSHSAvN339nxPlQ7f/tKWc6QgicaX4Sb4k0wJdqamSJTq4mkg8482HOUiFCSi3lA3zWC3Y9ZixESmEWTbxe9sQ51Vo69lkw=,iv:XiGVzryZwo5UmJe7I8pkg5IEdms0vR9iRdlFu2wjUeI=,tag:jhOuV+aZd5rQF0xg+0tvOg==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-

systems/palatine-hill/vars.nix

@@ -17,4 +17,6 @@ rec {
   primary_nextcloud = "${zfs_primary}/nextcloud";
   primary_redis = "${zfs_primary}/redis";
   primary_torr = "${zfs_primary}/torr";
+  primary_plex = "${zfs_primary}/plex";
+  primary_plex_storage = "${zfs_primary}/plex_storage";
 }

systems/selinunte/audio.nix

@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+
+{
+  # rtkit is optional but recommended
+  security.rtkit.enable = true;
+  services = {
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      # If you want to use JACK applications, uncomment this
+      #jack.enable = true;
+    };
+
+    pipewire.wireplumber.configPackages = [
+      (pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
+        bluez_monitor.properties = {
+        	["bluez5.enable-sbc-xq"] = true,
+        	["bluez5.enable-msbc"] = true,
+        	["bluez5.enable-hw-volume"] = true,
+        	["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
+        }
+      '')
+    ];
+    blueman.enable = true;
+  };
+
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+
+  environment.systemPackages = with pkgs; [ pavucontrol ];
+
+  programs.noisetorch.enable = true;
+}

systems/selinunte/configuration.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./audio.nix
+    ./desktop.nix
+    ./fonts.nix
+    ./graphics.nix
+    ./polkit.nix
+    ./programs.nix
+    ./steam.nix
+    ./stylix.nix
+  ];
+
+  time.timeZone = "America/New_York";
+
+  # temp workaround for building while in nixos-enter
+  #services.logrotate.checkConfig = false;
+
+  networking = {
+    hostId = "9f2e1ff9";
+    firewall.enable = true;
+    useNetworkd = true;
+  };
+
+  boot = {
+    kernelPackages = lib.mkForce pkgs.linuxPackages_xanmod;
+    useSystemdBoot = true;
+    default = true;
+  };
+
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  services = {
+    flatpak.enable = true;
+    gvfs.enable = true;
+    openssh.enable = lib.mkForce false;
+  };
+
+  system.stateVersion = "25.11";
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}

systems/selinunte/default.nix

@@ -0,0 +1,23 @@
+{ inputs, ... }:
+{
+  system = "x86_64-linux";
+  home = true;
+  sops = true;
+  server = false;
+  users = [ "alice" ];
+  modules = [
+    inputs.nixos-hardware.nixosModules.common-pc
+    inputs.nixos-hardware.nixosModules.common-pc-ssd
+    inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
+    inputs.nixos-hardware.nixosModules.common-cpu-amd
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
+    inputs.stylix.nixosModules.stylix
+    {
+      environment.systemPackages = [
+        inputs.wired-notify.packages.x86_64-linux.default
+        inputs.hyprland-contrib.packages.x86_64-linux.grimblast
+      ];
+    }
+  ];
+}

systems/selinunte/desktop.nix

@@ -0,0 +1,38 @@
+{ pkgs, ... }:
+
+{
+  # installs hyprland, and its dependencies
+
+  programs = {
+    hyprland = {
+      enable = true;
+      xwayland.enable = true;
+      withUWSM = true;
+    };
+    hyprlock.enable = true;
+    ydotool.enable = true;
+  };
+  # Optional, hint electron apps to use wayland:
+  environment.sessionVariables.NIXOS_OZONE_WL = "1";
+
+  services = {
+    displayManager.gdm = {
+      enable = true;
+      wayland = true;
+    };
+
+    dbus = {
+      enable = true;
+      implementation = "broker";
+    };
+  };
+
+  powerManagement = {
+    enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    libsForQt5.qt5.qtwayland
+    qt6.qtwayland
+  ];
+}

systems/selinunte/fonts.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  fonts = {
+    fontconfig.enable = true;
+    enableDefaultPackages = true;
+    packages = with pkgs.nerd-fonts; [
+      fira-code
+      droid-sans-mono
+      hack
+      dejavu-sans-mono
+      noto
+      open-dyslexic
+    ];
+  };
+}

systems/selinunte/graphics.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+{
+  hardware.graphics = {
+    ## radv: an open-source Vulkan driver from freedesktop
+    enable = true;
+    enable32Bit = true;
+
+  };
+  hardware.nvidia = {
+
+    # Modesetting is required.
+    modesetting.enable = true;
+
+    # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+    # Enable this if you have graphical corruption issues or application crashes after waking
+    # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
+    # of just the bare essentials.
+    powerManagement.enable = false;
+
+    # Fine-grained power management. Turns off GPU when not in use.
+    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+    powerManagement.finegrained = false;
+
+    # Use the NVidia open source kernel module (not to be confused with the
+    # independent third-party "nouveau" open source driver).
+    # Support is limited to the Turing and later architectures. Full list of
+    # supported GPUs is at:
+    # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
+    # Only available from driver 515.43.04+
+    open = false;
+
+    # Enable the Nvidia settings menu,
+    # accessible via `nvidia-settings`.
+    nvidiaSettings = true;
+
+    # Optionally, you may need to select the appropriate driver version for your specific GPU.
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+}

systems/selinunte/hardware.nix

@@ -0,0 +1,96 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+      "usb_storage"
+      "usbhid"
+      "sd_mod"
+      "ip_vs"
+      "ip_vs_rr"
+      "nf_conntrack"
+    ];
+    initrd.kernelModules = [
+      "dm-snapshot"
+      "r8152"
+    ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+    kernelParams = [
+      "amdgpu.sg_display=0"
+      "amdgpu.graphics_sg=0"
+      "amdgpu.abmlevel=3"
+    ];
+  };
+
+  fileSystems = {
+
+    "/" = lib.mkDefault {
+      device = "/dev/disk/by-uuid/f3c11d62-37f4-495e-b668-1ff49e0d3a47";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-uuid/720af942-464c-4c1e-be41-0438936264f0";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/035f23f8-d895-4b0c-bcf5-45885a5dbbd9";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/5AD7-6005";
+      fsType = "vfat";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
+
+  boot.initrd.luks.devices = {
+    "nixos-pv" = {
+      device = "/dev/disk/by-uuid/12a7f660-bbcc-4066-81d0-e66005ee534a";
+      preLVM = true;
+      allowDiscards = true;
+    };
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

systems/selinunte/polkit.nix

@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+
+{
+  security.polkit.enable = true;
+  environment.systemPackages = with pkgs; [ polkit_gnome ];
+
+  systemd = {
+    user.services.polkit-gnome-authentication-agent-1 = {
+      description = "polkit-gnome-authentication-agent-1";
+      wantedBy = [ "graphical-session.target" ];
+      wants = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+        Restart = "on-failure";
+        RestartSec = 1;
+        TimeoutStopSec = 10;
+      };
+    };
+  };
+}

systems/selinunte/programs.nix

@@ -0,0 +1,112 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    act
+    alacritty
+    attic-client
+    amdgpu_top
+    bat
+    bitwarden-cli
+    bfg-repo-cleaner
+    btop
+    calibre
+    # calibre dedrm?
+    candy-icons
+    chromium
+    chromedriver
+    croc
+    deadnix
+    direnv
+    easyeffects
+    eza
+    fanficfare
+    ferium
+    fd
+    file
+    firefox
+    # gestures replacement
+    git
+    glances
+    gpu-viewer
+    grim
+    helvum
+    htop
+    hwloc
+    ipmiview
+    iperf3
+    # ipscan
+    jp2a
+    jq
+    kdePackages.kdenlive
+    kitty
+    kubectl
+    kubernetes-helm
+    libreoffice-fresh
+    libtool
+    lsof
+    lynis
+    masterpdfeditor4
+    minikube
+    mons
+    mpv
+    # nbt explorer?
+    ncdu
+    nemo-with-extensions
+    neofetch
+    neovim
+    nix-init
+    nix-output-monitor
+    nix-prefetch
+    nix-tree
+    nixpkgs-fmt
+    nmap
+    obs-studio
+    obsidian
+    ocrmypdf
+    pciutils
+    #disabled until wxpython compat with python3.12
+    #playonlinux
+    prismlauncher
+    protonmail-bridge
+    protontricks
+    proxychains
+    qrencode
+    redshift
+    restic
+    ripgrep
+    rpi-imager
+    rofi-wayland
+    samba
+    signal-desktop
+    # signal in tray?
+    siji
+    simple-mtpfs
+    skaffold
+    slack
+    slurp
+    smartmontools
+    snyk
+    sops
+    spotify
+    spotify-player
+    #swaylock/waylock?
+    sweet-nova
+    telegram-desktop
+    terraform
+    tig
+    tokei
+    tree
+    unipicker
+    unzip
+    uutils-coreutils-noprefix
+    vesktop
+    vscode
+    watchman
+    wget
+    wl-clipboard
+    yq
+    yt-dlp
+    zoom-us
+    zoxide
+  ];
+}

systems/selinunte/steam.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = [ pkgs.steam-run ];
+  hardware.steam-hardware.enable = true;
+  programs = {
+    gamescope = {
+      enable = true;
+      capSysNice = true;
+    };
+    steam = {
+      enable = true;
+      remotePlay.openFirewall = true;
+      localNetworkGameTransfers.openFirewall = true;
+      extraCompatPackages = with pkgs; [ proton-ge-bin ];
+      gamescopeSession.enable = true;
+      extest.enable = true;
+    };
+  };
+}

systems/selinunte/stylix.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+# let
+# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
+#   numWallpapers =
+#   $((1 + $RANDOM % 10))
+
+# in
+{
+  stylix = {
+    enable = true;
+    image = "${pkgs.hyprland}/share/hypr/wall2.png";
+
+    #image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
+    polarity = "dark";
+  };
+}

users/alice/home/waybar.json

@@ -4,8 +4,8 @@
     "layer": "top",
     "position": "top",
     "output": [
-      "eDP-2",
       "eDP-1",
+      "eDP-2",
       "HDMI-0",
       "DP-0"
     ],

users/alice/non-server.nix

@@ -5,6 +5,46 @@
     enable = true;
     package = pkgs.emacs30-pgtk;
   };
+  programs.vesktop = {
+    enable = true;
+    settings = {
+      appBadge = false;
+      arRPC = true;
+      checkUpdates = false;
+      customTitleBar = false;
+      hardwareAcceleration = true;
+    };
+    vencord.settings = {
+      autoUpdate = false;
+      autoUpdateNotification = false;
+      notifyAboutUpdates = false;
+      plugins = {
+        AnonymiseFileNames.enabled = true;
+        BetterFolders.enabled = true;
+        BetterGifAltText.enabled = true;
+        CallTimer.enabled = true;
+        ClearURLs.enabled = true;
+        CopyFileContents.enabled = true;
+        CtrlEnterSend.enabled = true;
+        CustomIdle = {
+          enabled = true;
+          remainInIdle = false;
+        };
+        FriendsSince.enabled = true;
+        GameActivityToggle.enabled = true;
+        ImplicitRelationships.enabled = true;
+        MutualGroupDMs.enabled = true;
+        QuickMention.enabled = true;
+        QuickReply.enabled = true;
+        ReplaceGoogleSearch = {
+          enabled = true;
+          customEngineName = "DuckDuckGo";
+        };
+        ReviewDB.enabled = true;
+        ShowConnections.enabled = true;
+      };
+    };
+  };
   home.packages = with pkgs; [
     cmake
     shellcheck

users/default.nix

@@ -14,6 +14,7 @@
   hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;
   openssh.authorizedKeys.keys = publicKeys;
   extraGroups = [
+    "users"
     "wheel"
     "media"
     (lib.mkIf config.networking.networkmanager.enable "networkmanager")