Merge branch 'main' into feature/vesktop

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

.github/workflows/flake-health-checks.yml

@@ -6,8 +6,8 @@ on:
         branches: ["main"]
     merge_group:
 concurrency:
-    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-    cancel-in-progress: true
+  cancel-in-progress: true
 jobs:
     health-check:
         name: "Perform Nix flake checks"

.github/workflows/flake-update.yml

@@ -5,8 +5,8 @@ on:
     schedule:
         - cron: "00 12 * * *"
 concurrency:
-    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-    cancel-in-progress: true
+  cancel-in-progress: true
 jobs:
     update_lockfile:
         runs-on: ubuntu-latest

.github/workflows/lock-health-checks.yml

@@ -6,8 +6,8 @@ on:
         branches: ["main"]
     merge_group:
 concurrency:
-    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-    cancel-in-progress: true
+  cancel-in-progress: true
 jobs:
     health-check:
         name: "Check health of `flake.lock`"

.sops.yaml

@@ -49,9 +49,3 @@ creation_rules:
             - *admin_alice
           age:
             - *palatine-hill
-    - path_regex: systems/palatine-hill/docker/openvpn/.*\.ovpn$
-      key_groups:
-        - pgp:
-            - *admin_alice
-          age:
-            - *palatine-hill

flake.lock

@@ -37,11 +37,11 @@
     "base16-helix": {
       "flake": false,
       "locked": {
-        "lastModified": 1748408240,
+        "lastModified": 1736852337,
-        "narHash": "sha256-9M2b1rMyMzJK0eusea0x3lyh3mu5nMeEDSc4RZkGm+g=",
+        "narHash": "sha256-esD42YdgLlEh7koBrSqcT7p2fsMctPAcGl/+2sYJa2o=",
         "owner": "tinted-theming",
         "repo": "base16-helix",
-        "rev": "6c711ab1a9db6f51e2f6887cc3345530b33e152e",
+        "rev": "03860521c40b0b9c04818f2218d9cc9efc21e7a5",
         "type": "github"
       },
       "original": {
@@ -75,11 +75,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1749269004,
+        "lastModified": 1748730131,
-        "narHash": "sha256-20eV5kl7iP7ODy9ZNW2SAg8bIg2ttud+IWs7UHxsbE0=",
+        "narHash": "sha256-QHKZlwzw80hoJkNGXQePIg4u109lqcodALkont2WJAc=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "c579adeca940c70ac7dd661a1cda662f2d1fb158",
+        "rev": "aa7bfc2ec4763b57386fcd50242c390a596b9bb0",
         "type": "gitlab"
       },
       "original": {
@@ -92,11 +92,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1748383148,
+        "lastModified": 1744642301,
-        "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=",
+        "narHash": "sha256-5A6LL7T0lttn1vrKsNOKUk9V0ittdW0VEqh6AtefxJ4=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf",
+        "rev": "59e3de00f01e5adb851d824cf7911bd90c31083a",
         "type": "github"
       },
       "original": {
@@ -124,11 +124,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1748821116,
+        "lastModified": 1743550720,
-        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
         "type": "github"
       },
       "original": {
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743550720,
+        "lastModified": 1733312601,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -207,11 +207,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747372754,
+        "lastModified": 1742649964,
-        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
         "type": "github"
       },
       "original": {
@@ -287,11 +287,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749358668,
+        "lastModified": 1748737919,
-        "narHash": "sha256-V91nN4Q9ZwX0N+Gzu+F8SnvzMcdURYnMcIvpfLQzD5M=",
+        "narHash": "sha256-5kvBbLYdp+n7Ftanjcs6Nv+UO6sBhelp6MIGJ9nWmjQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "06451df423dd5e555f39857438ffc16c5b765862",
+        "rev": "5675a9686851d9626560052a032c4e14e533c1fa",
         "type": "github"
       },
       "original": {
@@ -383,11 +383,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749355504,
+        "lastModified": 1748751003,
-        "narHash": "sha256-L17CdJMD+/FCBOHjREQLXbe2VUnc3rjffenBbu2Kwpc=",
+        "narHash": "sha256-i4GZdKAK97S0ZMU3w4fqgEJr0cVywzqjugt2qZPrScs=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "40a6e15e44b11fbf8f2b1df9d64dbfc117625e94",
+        "rev": "2860bee699248d828c2ed9097a1cd82c2f991b43",
         "type": "github"
       },
       "original": {
@@ -427,11 +427,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749338348,
+        "lastModified": 1748776124,
-        "narHash": "sha256-IBLKyOU55Kt1gSXL4dFQUQUVcYd5+qfSrVAL8lcE8QY=",
+        "narHash": "sha256-vs2cMCHX9wnWJutXhQyWkWOpMF/Xbw0ZAUAFGsKLifA=",
         "owner": "lilyinstarlight",
         "repo": "nixos-cosmic",
-        "rev": "f2ac592313c51c9be981e45f56dc00714e103477",
+        "rev": "e989a41092f6f0375e7afb789bc97cb30d01fdb8",
         "type": "github"
       },
       "original": {
@@ -463,11 +463,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1749195551,
+        "lastModified": 1748634340,
-        "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=",
+        "narHash": "sha256-pZH4bqbOd8S+si6UcfjHovWDiWKiIGRNRMpmRWaDIms=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "4602f7e1d3f197b3cb540d5accf5669121629628",
+        "rev": "daa628a725ab4948e0e2b795e8fb6f4c3e289a7a",
         "type": "github"
       },
       "original": {
@@ -501,11 +501,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1749289455,
+        "lastModified": 1748762463,
-        "narHash": "sha256-FmG/5HlnBrPNTCQv91GPUV2RKUw2WvDtyhXcN2fN280=",
+        "narHash": "sha256-rb8vudY2u0SgdWh83SAhM5QZT91ZOnvjOLGTO4pdGTc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6dbd508802ef3f74cf792a25b653861ed8360a80",
+        "rev": "0d0bc640d371e9e8c9914c42951b3d6522bc5dda",
         "type": "github"
       },
       "original": {
@@ -517,11 +517,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1748740939,
+        "lastModified": 1743296961,
-        "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
+        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "656a64127e9d791a334452c6b6606d17539476e2",
+        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
         "type": "github"
       },
       "original": {
@@ -532,11 +532,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1749173751,
+        "lastModified": 1748421225,
-        "narHash": "sha256-ENY3y3v6S9ZmLDDLI3LUT8MXmfXg/fSt2eA4GCnMVCE=",
+        "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ed29f002b6d6e5e7e32590deb065c34a31dc3e91",
+        "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b",
         "type": "github"
       },
       "original": {
@@ -559,11 +559,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1748730660,
+        "lastModified": 1746056780,
-        "narHash": "sha256-5LKmRYKdPuhm8j5GFe3AfrJL8dd8o57BQ34AGjJl1R0=",
+        "narHash": "sha256-/emueQGaoT4vu0QjU9LDOG5roxRSfdY0K2KkxuzazcM=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "2c0bc52fe14681e9ef60e3553888c4f086e46ecb",
+        "rev": "d476cd0972dd6242d76374fcc277e6735715c167",
         "type": "github"
       },
       "original": {
@@ -627,11 +627,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749350575,
+        "lastModified": 1748746145,
-        "narHash": "sha256-ltLegOYrp69v/7BXlNfSwUPrt2DvF7N668pV4a6rWRA=",
+        "narHash": "sha256-bwkCAK9pOyI2Ww4Q4oO1Ynv7O9aZPrsIAMMASmhVGp4=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "24d5806474b0779d373f381f00d75ad51fd45099",
+        "rev": "12a0d94a2f2b06714f747ab97b2fa546f46b460c",
         "type": "github"
       },
       "original": {
@@ -688,11 +688,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1749236315,
+        "lastModified": 1748717073,
-        "narHash": "sha256-Ndtdvwz8D4WOYHl5mj9d5F5iC8WPH6uPNF7RcU3QzmE=",
+        "narHash": "sha256-Yxo8A7BgNpRXTrB359LyfQ0NjJuiaLIS6sTTUCulEX0=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "29d006198ee05143cca8b4b89f37025823da1bcc",
+        "rev": "64b9f2c2df31bb87bdd2360a2feb58c817b4d16c",
         "type": "github"
       },
       "original": {
@@ -767,11 +767,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1748180480,
+        "lastModified": 1744974599,
-        "narHash": "sha256-7n0XiZiEHl2zRhDwZd/g+p38xwEoWtT0/aESwTMXWG4=",
+        "narHash": "sha256-Fg+rdGs5FAgfkYNCs74lnl8vkQmiZVdBsziyPhVqrlY=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "87d652edd26f5c0c99deda5ae13dfb8ece2ffe31",
+        "rev": "28c26a621123ad4ebd5bbfb34ab39421c0144bdd",
         "type": "github"
       },
       "original": {
@@ -783,11 +783,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1748740859,
+        "lastModified": 1745111349,
-        "narHash": "sha256-OEM12bg7F4N5WjZOcV7FHJbqRI6jtCqL6u8FtPrlZz4=",
+        "narHash": "sha256-udV+nHdpqgkJI9D0mtvvAzbqubt9jdifS/KhTTbJ45w=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "57d5f9683ff9a3b590643beeaf0364da819aedda",
+        "rev": "e009f18a01182b63559fb28f1c786eb027c3dee9",
         "type": "github"
       },
       "original": {

modules/users.nix

@@ -1,11 +0,0 @@
-{
-  ...
-}:
-
-{
-  users.groups = {
-    users = {
-      gid = 100;
-    };
-  };
-}

systems/artemision/configuration.nix

@@ -60,13 +60,12 @@
 
     fwupd = {
       enable = true;
-      # package =
+      package =
-      #   (import (builtins.fetchTarball {
+        (import (builtins.fetchTarball {
-      #     url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
+          url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
-      #     sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
+          sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
-      #   }) { inherit (pkgs) system; }).fwupd;
+        }) { inherit (pkgs) system; }).fwupd;
     };
-    mullvad-vpn.enable = true;
 
     fprintd.enable = lib.mkForce false;
     openssh.enable = lib.mkForce false;

systems/palatine-hill/configuration.nix

@@ -17,7 +17,6 @@
     ./minio.nix
     ./networking.nix
     ./nextcloud.nix
-    #./plex
     ./postgresql.nix
     ./samba.nix
     ./zfs.nix
@@ -58,37 +57,16 @@
     };
   };
 
-  environment = {
+  environment.systemPackages = with pkgs; [
-    systemPackages = with pkgs; [
+    chromedriver
-      chromedriver
+    chromium
-      chromium
+    docker-compose
-      docker-compose
+    intel-gpu-tools
-      filebot
+    jellyfin-ffmpeg
-      intel-gpu-tools
+    jq
-      jellyfin-ffmpeg
+    yt-dlp
-      jq
+    yq
-      yt-dlp
+  ];
-      yq
-    ];
-    etc = {
-      # Creates /etc/lynis/custom.prf
-      "lynis/custom.prf" = {
-        text = ''
-          skip-test=BANN-7126
-          skip-test=BANN-7130
-          skip-test=DEB-0520
-          skip-test=DEB-0810
-          skip-test=FIRE-4513
-          skip-test=HRDN-7222
-          skip-test=KRNL-5820
-          skip-test=LOGG-2190
-          skip-test=LYNIS
-          skip-test=TOOL-5002
-        '';
-        mode = "0440";
-      };
-    };
-  };
 
   services = {
     samba.enable = true;

systems/palatine-hill/docker/act-runner.nix

@@ -12,7 +12,6 @@ in
   virtualisation.oci-containers.containers = {
     act-stable-latest-main = {
       image = "gitea/act_runner:latest";
-      pull = "always";
       extraOptions = [
         "--stop-signal=SIGINT"
       ];
@@ -36,7 +35,6 @@ in
 
     act-stable-latest-1 = {
       image = "gitea/act_runner:latest";
-      pull = "always";
       extraOptions = [
         "--stop-signal=SIGINT"
       ];
@@ -59,7 +57,6 @@ in
 
     act-stable-latest-2 = {
       image = "gitea/act_runner:latest";
-      pull = "always";
       extraOptions = [
         "--stop-signal=SIGINT"
       ];

systems/palatine-hill/docker/arr.nix

@@ -1,124 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    bazarr = {
-      image = "ghcr.io/linuxserver/bazarr:latest";
-      ports = [ "6767:6767" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.primary_docker}/bazarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
-      ];
-      autoStart = true;
-    };
-    prowlarr = {
-      image = "ghcr.io/linuxserver/prowlarr:latest";
-      ports = [ "9696:9696" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.primary_docker}/prowlarr:/config" ];
-      autoStart = true;
-    };
-    radarr = {
-      image = "ghcr.io/linuxserver/radarr:latest";
-      ports = [ "7878:7878" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.primary_docker}/radarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
-      ];
-      autoStart = true;
-    };
-    sonarr = {
-      image = "ghcr.io/linuxserver/sonarr:latest";
-      ports = [ "8989:8989" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.primary_docker}/sonarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
-      ];
-      autoStart = true;
-    };
-    lidarr = {
-      image = "ghcr.io/linuxserver/lidarr:latest";
-      ports = [ "8686:8686" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.primary_docker}/lidarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
-      ];
-      autoStart = true;
-    };
-    readarr = {
-      image = "ghcr.io/linuxserver/readarr:latest";
-      ports = [ "8787:8787" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.primary_docker}/readarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
-      ];
-      autoStart = true;
-    };
-    unpackerr = {
-      image = "golift/unpackerr:latest";
-      user = "600:100";
-      environment = {
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.primary_docker}/unpackerr:/config"
-        "${vars.primary_plex_storage}:/data"
-      ];
-      autoStart = true;
-    };
-
-    overseerr = {
-      image = "lscr.io/linuxserver/overseerr";
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.primary_docker}/overseerr:/config" ];
-      # TODO: remove ports later since this is going through web
-      ports = [ "5055:5055" ]; # Web UI port
-      dependsOn = [
-        "radarr"
-        "sonarr"
-      ];
-      extraOptions = [ "--network=haproxy-net" ];
-      autoStart = true;
-    };
-  };
-}

systems/palatine-hill/docker/default.nix

@@ -8,7 +8,6 @@
 {
   imports = [
     ./act-runner.nix
-    ./arr.nix
     # temp disable archiveteam for tiktok archiving
     #./archiveteam.nix
     # ./books.nix

systems/palatine-hill/docker/glances.nix

@@ -8,7 +8,6 @@ in
   virtualisation.oci-containers.containers = {
     glances = {
       image = "nicolargo/glances:latest-full";
-      pull = "always";
       extraOptions = [
         "--pid=host"
         "--network=haproxy-net"

systems/palatine-hill/docker/minecraft.nix

@@ -39,7 +39,6 @@ in
   virtualisation.oci-containers.containers = {
     mc-router = {
       image = "itzg/mc-router:latest";
-      pull = "always";
       extraOptions = [
         "--network=haproxy-net"
         "--network=minecraft-net"

systems/palatine-hill/docker/nextcloud.nix

@@ -9,7 +9,6 @@ let
   nextcloud-base = {
     # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
     image = "nextcloud-nextcloud";
-    pull = "always";
     hostname = "nextcloud";
     volumes = [
       "${nextcloud_path}/nc_data:/var/www/html:z"
@@ -33,7 +32,6 @@ in
     };
     redis = {
       image = "redis:latest";
-      pull = "always";
       user = "600:600";
       volumes = [
         "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
@@ -49,7 +47,6 @@ in
     };
     go-vod = {
       image = "radialapps/go-vod:latest";
-      pull = "always";
       dependsOn = [ "nextcloud" ];
       environment = {
         NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
@@ -61,7 +58,6 @@ in
     };
     collabora-code = {
       image = "collabora/code:latest";
-      pull = "always";
       dependsOn = [ "nextcloud" ];
       environment = {
         aliasgroup1 = "https://collabora.nayenoie.com:443";

systems/palatine-hill/docker/torr.nix

@@ -1,8 +1,7 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 
 let
   delugeBase = {
-    pull = "always";
     environment = {
       PUID = "600";
       PGID = "100";
@@ -20,31 +19,18 @@ let
   deluge_path = "${torr_path}/deluge";
   delugevpn_path = "${torr_path}/delugevpn";
 
-  #genSopsConfWg = file: {
+  genSopsConf = file: {
-  #  "${file}" = {
-  #    format = "binary";
-  #    sopsFile = ./wg/${file};
-  #    path = "${delugevpn_path}/config/wireguard/configs/${file}";
-  #    owner = "docker-service";
-  #    group = "users";
-  #    restartUnits = [ "docker-delugeVPN.service" ];
-  #  };
-  #};
-
-  genSopsConfOvpn = file: {
     "${file}" = {
       format = "binary";
-      sopsFile = ./openvpn/${file};
+      sopsFile = ./wg/${file};
-      path = "${delugevpn_path}/config/openvpn/configs/${file}";
+      path = "${delugevpn_path}/config/wireguard/configs/${file}";
       owner = "docker-service";
       group = "users";
       restartUnits = [ "docker-delugeVPN.service" ];
     };
-
   };
 in
 {
-
   virtualisation.oci-containers.containers = {
     deluge = delugeBase // {
       image = "binhex/arch-deluge";
@@ -59,26 +45,25 @@ in
       ];
     };
     delugeVPN = delugeBase // {
-      image = "binhex/arch-delugevpn:latest";
+      image = "binhex/arch-delugevpn";
-      capabilities = {
+      extraOptions = [
-        NET_ADMIN = true;
+        "--privileged=true"
-      };
+        "--sysctl"
-      autoRemoveOnStop = false;
+        "net.ipv4.conf.all.src_valid_mark=1"
+      ];
       environment = delugeBase.environment // {
         VPN_ENABLED = "yes";
-        VPN_CLIENT = "openvpn";
+        VPN_CLIENT = "wireguard";
-        VPN_PROV = "protonvpn";
+        VPN_PROV = "custom";
         ENABLE_PRIVOXY = "yes";
         LAN_NETWORK = "192.168.0.0/16";
-        ENABLE_STARTUP_SCRIPTS = "yes";
+        NAME_SERVERS = "194.242.2.9";
-        #NAME_SERVERS = "194.242.2.9";
-        #NAME_SERVERS = "9.9.9.9";
         # note, delete /config/perms.txt to force a bulk permissions update
+
       };
-      environmentFiles = [ config.sops.secrets."docker/delugevpn".path ];
       volumes = [
         "${delugevpn_path}/config:/config"
-        "${deluge_path}/data:/data" # use common torrent path yuck
+        "${delugevpn_path}/data:/data"
         "/etc/localtime:/etc/localtime:ro"
       ];
       ports = [
@@ -86,9 +71,6 @@ in
         "8119:8118"
         "39275:39275"
         "39275:39275/udp"
-        "48346:48346"
-        "48346:48346/udp"
-
       ];
     };
   };
@@ -97,34 +79,25 @@ in
     serviceConfig = {
       ExecStartPre = [
         (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/openvpn/configs "
+          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
-          + "-type l -not -name network.ovpn "
+          + "-type l -not -name wg0.conf "
           + "| ${pkgs.coreutils}/bin/shuf -n 1 "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/openvpn/network.ovpn &&"
+          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/openvpn/network.ovpn &&"
+          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/openvpn/network.ovpn\""
+          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
-        )
-        (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/scripts/links "
-          + "-type l "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/scripts/ \""
         )
       ];
-      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/scripts/*sh" ];
+      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
     };
   };
 
-  sops.secrets = (genSopsConfOvpn "se.protonvpn.udp.ovpn") // {
+  sops.secrets =
-    "docker/delugevpn" = {
+    (genSopsConf "se-mma-wg-001.conf")
-      owner = "docker-service";
+    // (genSopsConf "se-mma-wg-002.conf")
-      group = "users";
+    // (genSopsConf "se-mma-wg-003.conf")
-      restartUnits = [ "docker-delugeVPN.service" ];
+    // (genSopsConf "se-mma-wg-004.conf")
-    };
+    // (genSopsConf "se-mma-wg-005.conf")
-    "docker/protonvpn-start-script" = {
+    // (genSopsConf "se-mma-wg-101.conf")
-      path = "${delugevpn_path}/config/scripts/links/protonvpn-start-script.sh";
+    // (genSopsConf "se-mma-wg-102.conf")
-      owner = "docker-service";
+    // (genSopsConf "se-mma-wg-103.conf");
-      group = "users";
-      restartUnits = [ "docker-delugeVPN.service" ];
-    };
-  };
 }

systems/palatine-hill/firewall.nix

@@ -24,15 +24,6 @@
 
     # collabora
     9980
-
-    # arr
-    6767
-    9696
-    7878
-    8989
-    8686
-    8787
-    5055
   ];
 
 }

systems/palatine-hill/hydra.nix

@@ -82,10 +82,10 @@ in
       '';
     };
 
-    # nix-serve = {
+    nix-serve = {
-    #   enable = true;
+      enable = true;
-    #   secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
+      secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
-    # };
+    };
     prometheus = {
       enable = true;
       webExternalUrl = "https://prom.alicehuston.xyz";
@@ -134,7 +134,7 @@ in
   sops = {
     secrets = {
       "hydra/environment".owner = "hydra";
-      # "nix-serve/secret-key".owner = "root";
+      "nix-serve/secret-key".owner = "root";
       "alice/gha-hydra-token" = {
         sopsFile = ../../users/alice/secrets.yaml;
         owner = "hydra";

systems/palatine-hill/plex/default.nix

@@ -1,28 +0,0 @@
-{
-  pkgs,
-  ...
-}:
-let
-  vars = import ../vars.nix;
-in
-{
-  services.plex = {
-    enable = true;
-    dataDir = vars.primary_plex;
-  };
-  systemd.services.plex_permission = {
-    description = "maintains plex permissions";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "${pkgs.bash}/bin/bash ${./plex_permission.sh}";
-    };
-  };
-  systemd.timers.plex_permission = {
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnBootSec = "1h";
-      OnCalendar = "daily 03:00";
-      Unit = "plex_permission.service";
-    };
-  };
-}

systems/palatine-hill/plex/plex_permission.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-plex_dir="/ZFS/ZFS-primary/plex"
-
-chown docker-service:users -R "$plex_dir"
-find "$plex_dir" -type f -exec chmod 664 {} \;
-find "$plex_dir" -type d -exec chmod 775 {} \;

systems/palatine-hill/secrets.yaml

@@ -23,8 +23,6 @@ docker:
     redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
     act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
     collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
-    delugevpn: ENC[AES256_GCM,data:YGkgaQUuA9oteKD77tnFzxZSHctyOQjMNlfvJr3mPWAl2P8wfcshiUoa6SNp69pagxbzRV6mfuzwzinbkQCoZN3lw7uF76y0,iv:Bro0H4tFR+3wi9DGGq9a6ge4o4uPlVXBUF7h17zyqg8=,tag:N1kVNFasqGMx8R9qTq2dJA==,type:str]
-    protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
 acme:
     bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
     dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -43,8 +41,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-01T23:54:50Z"
+    lastmodified: "2025-05-30T04:36:41Z"
-    mac: ENC[AES256_GCM,data:xBSrKfuBEXYVqLhZF903HbLaCpgXyuo3r7/FUBPM9Pl+rKUGx8p7LKCIec2NPCGO8ylQvC8T2mochSHSAvN339nxPlQ7f/tKWc6QgicaX4Sb4k0wJdqamSJTq4mkg8482HOUiFCSi3lA3zWC3Y9ZixESmEWTbxe9sQ51Vo69lkw=,iv:XiGVzryZwo5UmJe7I8pkg5IEdms0vR9iRdlFu2wjUeI=,tag:jhOuV+aZd5rQF0xg+0tvOg==,type:str]
+    mac: ENC[AES256_GCM,data:fEsUt5g0/7j8IVgtXQ0thV93dxe6SGCglqeHdnaXFOjKcCUEFWUmi98M8X92hR9AJzscRK6wqzijd/AQBzl+GL2QtDYsn8qx9Nr0DBd6Gh1vi25eh5LtADm09COSae1THWuFLP7L1Qamyt+XzlBa7Xnrzfuzzp0s2/cZoxZiueU=,iv:VYzh833cMQwGmkB6QunRys0Eluz+0KGj8Y43B9icE9w=,tag:EWJSizBMTFZ0TZhncYe2Sw==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-

systems/palatine-hill/vars.nix

@@ -17,6 +17,4 @@ rec {
   primary_nextcloud = "${zfs_primary}/nextcloud";
   primary_redis = "${zfs_primary}/redis";
   primary_torr = "${zfs_primary}/torr";
-  primary_plex = "${zfs_primary}/plex";
-  primary_plex_storage = "${zfs_primary}/plex_storage";
 }

users/alice/default.nix

@@ -14,6 +14,5 @@ import ../default.nix {
     ;
   publicKeys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7oJjIYNRCRrUlhdGJgst6bzqubbKH0gjZYulQ1eVcZ alice@artemision"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWG3cIBju6vzX6s8JlmGNJOiWY7pQ19bHvcqDADtWzv snowi@DESKTOP-EVIR8IH"
   ];
 }

users/alice/non-server.nix

@@ -28,7 +28,9 @@
         CtrlEnterSend.enabled = true;
         CustomIdle = {
           enabled = true;
-          remainInIdle = false;
+          settings = {
+            remainInIdle = false;
+          };
         };
         FriendsSince.enabled = true;
         GameActivityToggle.enabled = true;
@@ -38,7 +40,7 @@
         QuickReply.enabled = true;
         ReplaceGoogleSearch = {
           enabled = true;
-          customEngineName = "DuckDuckGo";
+          settings.customEngineName = "DuckDuckGo";
         };
         ReviewDB.enabled = true;
         ShowConnections.enabled = true;

users/default.nix

@@ -14,7 +14,6 @@
   hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;
   openssh.authorizedKeys.keys = publicKeys;
   extraGroups = [
-    "users"
     "wheel"
     "media"
     (lib.mkIf config.networking.networkmanager.enable "networkmanager")