split gluetun instances

Reviewed-on: #171

flake.lock

@@ -21,17 +21,17 @@
     "base16-fish": {
       "flake": false,
       "locked": {
-        "lastModified": 1754405784,
-        "narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=",
+        "lastModified": 1765809053,
+        "narHash": "sha256-XCUQLoLfBJ8saWms2HCIj4NEN+xNsWBlU1NrEPcQG4s=",
         "owner": "tomyun",
         "repo": "base16-fish",
-        "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
         "type": "github"
       },
       "original": {
         "owner": "tomyun",
         "repo": "base16-fish",
-        "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
         "type": "github"
       }
     },
@@ -76,11 +76,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1765685099,
-        "narHash": "sha256-D4VYn8NN0sLOzoo4geYDiV/T/Ilor78CaS50gNq6Ep0=",
+        "lastModified": 1767473845,
+        "narHash": "sha256-Pvd0l14qYA4jBS+JSCufoj8qFpeu2dt0Q9zBvpeLKac=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "51712b3d3481dfaeef9a5f8b293ea1aa04a61cdb",
+        "rev": "7f7d9e8b61abade02c6dc0d530ba6b43a50acead",
         "type": "gitlab"
       },
       "original": {
@@ -125,11 +125,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1765495779,
-        "narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=",
+        "lastModified": 1765835352,
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "5635c32d666a59ec9a55cab87e898889869f7b71",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
         "type": "github"
       },
       "original": {
@@ -242,11 +242,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765682243,
-        "narHash": "sha256-yeCxFV/905Wr91yKt5zrVvK6O2CVXWRMSrxqlAZnLp0=",
+        "lastModified": 1767556355,
+        "narHash": "sha256-RDTUBDQBi9D4eD9iJQWtUDN/13MDLX+KmE+TwwNUp2s=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "58bf3ecb2d0bba7bdf363fc8a6c4d49b4d509d03",
+        "rev": "f894bc4ffde179d178d8deb374fcf9855d1a82b7",
         "type": "github"
       },
       "original": {
@@ -283,11 +283,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765113580,
-        "narHash": "sha256-b8YOwGDFprkQJjXsKGuSNS1pWe8w4cUW36YxlUelNpU=",
+        "lastModified": 1766066098,
+        "narHash": "sha256-d3HmUbmfTDIt9mXEHszqyo2byqQMoyJtUJCZ9U1IqHQ=",
         "owner": "hyprwm",
         "repo": "contrib",
-        "rev": "db18f83bebbc2cf43a21dbb26cd99aabe672d923",
+        "rev": "41dbcac8183bb1b3a4ade0d8276b2f2df6ae4690",
         "type": "github"
       },
       "original": {
@@ -417,11 +417,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1764440730,
-        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
+        "lastModified": 1767185284,
+        "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
+        "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
         "type": "github"
       },
       "original": {
@@ -440,11 +440,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765680822,
-        "narHash": "sha256-e5YH/ypoOYwmT7mnK1NzxHMg9XMIOr449TdCivh1cHs=",
+        "lastModified": 1766370075,
+        "narHash": "sha256-gbhR8+gNrhmYxKaNJpTjFivuibr3ZdlB5eU0a8yE36I=",
         "owner": "NuschtOS",
         "repo": "nixos-modules",
-        "rev": "457cb20476534590ea8911a6cc5f614fcc683528",
+        "rev": "db6f2a33500dadb81020b6e5d4281b4820d1b862",
         "type": "github"
       },
       "original": {
@@ -471,11 +471,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1761765539,
-        "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=",
+        "lastModified": 1765674936,
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
         "type": "github"
       },
       "original": {
@@ -502,11 +502,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1765472234,
-        "narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=",
+        "lastModified": 1767379071,
+        "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b",
+        "rev": "fb7944c166a3b630f177938e478f0378e64ce108",
         "type": "github"
       },
       "original": {
@@ -552,11 +552,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765464257,
-        "narHash": "sha256-dixPWKiHzh80PtD0aLuxYNQ0xP+843dfXG/yM3OzaYQ=",
+        "lastModified": 1767281941,
+        "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "09e45f2598e1a8499c3594fe11ec2943f34fe509",
+        "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
         "type": "github"
       },
       "original": {
@@ -596,11 +596,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765680428,
-        "narHash": "sha256-fyPmRof9SZeI14ChPk5rVPOm7ISiiGkwGCunkhM+eUg=",
+        "lastModified": 1767495280,
+        "narHash": "sha256-hEEgtE/RSRigw8xscchGymf/t1nluZwTfru4QF6O1CQ=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "eb3898d8ef143d4bf0f7f2229105fc51c7731b2f",
+        "rev": "cb24c5cc207ba8e9a4ce245eedd2d37c3a988bc1",
         "type": "github"
       },
       "original": {
@@ -616,11 +616,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765684837,
-        "narHash": "sha256-fJCnsYcpQxxy/wit9EBOK33c0Z9U4D3Tvo3gf2mvHos=",
+        "lastModified": 1767499857,
+        "narHash": "sha256-0zUU/PW09d6oBaR8x8vMHcAhg1MOvo3CwoXgHijzzNE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "94d8af61d8a603d33d1ed3500a33fcf35ae7d3bc",
+        "rev": "ecc41505948ec2ab0325f14c9862a4329c2b4190",
         "type": "github"
       },
       "original": {
@@ -650,11 +650,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1765474444,
-        "narHash": "sha256-sDG+c73xEnIw1pFNRWffKDnTWiTuyZiEP+Iub0D3mWA=",
+        "lastModified": 1767559556,
+        "narHash": "sha256-Pf1d9Hh9UUQ/oS+evq6dU0MiaDczXXNztTlQekaMbW0=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "dd14de4432a94e93e10d0159f1d411487e435e1e",
+        "rev": "b135edbdd403896d1ef507934c045f716deb5609",
         "type": "github"
       },
       "original": {
@@ -787,11 +787,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759739742,
-        "narHash": "sha256-nTNmgO71tD3jJGpr9yIS1atOBJp8K1pwZOxnEdS+aAk=",
+        "lastModified": 1765936672,
+        "narHash": "sha256-wxkeSF0/3FI0HSBKhZ2mlAAmFviNrZzdhjHqTfWP6h0=",
         "owner": "Toqozz",
         "repo": "wired-notify",
-        "rev": "6a96aa2066d8ad945f2323b63dc217081ef51168",
+        "rev": "491197a6a5ef9c65a85c3eb1531786f32ffff5b3",
         "type": "github"
       },
       "original": {

hydra/jobsets.nix

@@ -18,7 +18,7 @@ let
     };
 
   prs = readJSONFile pulls;
-  refs = readJSONFile branches;
+  #refs = readJSONFile branches;
 
   # template for creating a job
   makeJob =
@@ -47,19 +47,19 @@ let
   giteaHost = "ssh://gitea@nayeonie.com:2222";
   repo = "ahuston-0/nix-dotfiles";
   # # Create a hydra job for a branch
-  jobOfRef =
-    name:
-    { ref, ... }:
-    if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
-      null
-    else
-      {
-        name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
-        value = makeJob {
-          description = "Branch ${name}";
-          flake = "git+${giteaHost}/${repo}?ref=${ref}";
-        };
-      };
+  #jobOfRef =
+  #  name:
+  #  { ref, ... }:
+  #  if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
+  #    null
+  #  else
+  #    {
+  #      name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
+  #      value = makeJob {
+  #        description = "Branch ${name}";
+  #        flake = "git+${giteaHost}/${repo}?ref=${ref}";
+  #      };
+  #    };
 
   # Create a hydra job for a PR
   jobOfPR = id: info: {
@@ -77,12 +77,12 @@ let
   # wrapper function for reading json from file
   readJSONFile = f: builtins.fromJSON (builtins.readFile f);
   # remove null values from a set, in-case of branches that don't exist
-  mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
+  #mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
 
   # Create job set from PRs and branches
   jobs = makeSpec (
     builtins.listToAttrs (map ({ name, value }: jobOfPR name value) (attrsToList prs))
-    // builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
+    #// builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
   );
 in
 {

modules/nix.nix

@@ -1,6 +1,5 @@
 { lib, pkgs, ... }:
 {
-  nixpkgs.config.allowImportrFromDerivation = true;
   nix = {
     #package = pkgs.nixVersions.latest;
     diffSystem = true;

systems/artemision/configuration.nix

@@ -52,7 +52,7 @@
       };
     };
     calibre-server = {
-      enable = true;
+      enable = false;
       user = "calibre-web";
       group = "calibre-web";
 

systems/artemision/default.nix

@@ -7,7 +7,7 @@
   server = false;
   users = [ "alice" ];
   modules = [
-    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+    inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
     inputs.stylix.nixosModules.stylix
     {
       environment.systemPackages = [

systems/artemision/hardware.nix

@@ -100,7 +100,7 @@
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+  networking.interfaces.wlp191s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

systems/artemision/private-wifi.nix

@@ -3,17 +3,17 @@
   networking.nameservers = [
     "9.9.9.9"
     "1.1.1.1"
-    "192.168.76.1"
+    #"192.168.76.1"
   ];
 
-  services.resolved = {
-    enable = true;
-    dnssec = "false";
-    domains = [ "~." ];
-    fallbackDns = [
-      "1.1.1.1#one.one.one.one"
-      "1.0.0.1#one.one.one.one"
-    ];
-    dnsovertls = "true";
-  };
+  #services.resolved = {
+  #  enable = true;
+  #  dnssec = "false";
+  #  domains = [ "~." ];
+  #  fallbackDns = [
+  #    "1.1.1.1#one.one.one.one"
+  #    "1.0.0.1#one.one.one.one"
+  #  ];
+  #  dnsovertls = "true";
+  #};
 }

systems/artemision/secrets.yaml

@@ -10,7 +10,7 @@ example_booleans:
     - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
 apps:
     spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
-wifi-env: ENC[AES256_GCM,data:2BM4wQq+RfASkg9lcH+fW7eD0VaPJMXABp3z0sYXqZbVzv9R9eAxSokxzcifT/1JK8PBwvZkWtEFrKAT3phXIZzoEySnGKGYazz8fqWWWhMJotLNNo5VkX70hLppgE9vYxf9vQSq0PLWYCN0jUO0H9mHjOT6mDzKUHegcC53jzkNY3WTfLkyzDWJVMP9IbVQ22N5QlJbzZNqrNTaOtcRm06PBz7pNuEKOy4jj5ipZOh6ceR81Xy6BXM7MzFN27lYbzfVvcDmlwqPORAmr7/00QBy2cp38rTswJEzYf1x2Q==,iv:DSTVPw9qtmo02/usZZDpHsYlX3sSW+2XrnawtBkRNmQ=,tag:3p3eW+3BEQrOmHlBNUEOaA==,type:str]
+wifi-env: ENC[AES256_GCM,data:mxPCyunx8yOahcuVhZCzuqAt/G89lMBnZme+qwcxO4LsCftx7h2FotA+wnlj1++vmPW5zL72q2kzxh0KcVlYqK9fpOrMY/FJeJXWYNMZIHesmWKlaaeA1wM/q1dSllwuVuULp9WQzipiQHwcCCLseo3bmCsYpbs8PUibrDgbDqXreTSjJBNTVzwOGpz1bZCSpEynS+dQQViRSNcVeYTOLxrOTxx5lyEOIhgIc3167ObhK+7bJVG2ZcP209Gllip4XkCj/FKnEwg2vVF5Dpofz7T2Op5ef/oNzahhKmCa+k7OPqITWwPYZg7pqAf6jdMy4eBP/A==,iv:Q6IMqePFwd1b1pSuh+TIwcag2bbJXyIYUmJWY6UaaqI=,tag:UZ5ak6nmHkNG0uBMTl1CwQ==,type:str]
 #ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
 sops:
     age:
@@ -23,8 +23,8 @@ sops:
             d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
             D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-15T15:37:51Z"
-    mac: ENC[AES256_GCM,data:qJ8NdnzVrgQb0rGwjZFHrS+eJrUjQEk4M4uo5bnk4eY7aKaHejARcYOIhp0H/DMdlix+Dm3DAAeeRWn8AKCatXaSzYD/VHHbjfp0lKBCsC8CZFeCELQ5GGEHnVot3WGb4J+QdfupwdduExSSMd6XeZGFVbSGhLzRbiiWA+i8I3o=,iv:oxWiDCH60apKT0/fJbWp1cIZ9cvd6mJKlP3xAjMBXIo=,tag:0We6eCJnsncujCt+CwK9UQ==,type:str]
+    lastmodified: "2026-01-03T19:32:16Z"
+    mac: ENC[AES256_GCM,data:q5NppTtZZA9Oo15zI0pAZ/YN2qu0TneDPMJY9rXtWlYfG7Pq5taRyc9MpV7CyEt+qWMkN//O3/sA4jmQTtpT8JuYIEa+/x5cfSZ5w0ErjKdV4/IyDs1LPDKNLXIWlmPMo61VvsKW9DZRBRml9qtR1ypeHBuz0pjECBwAQPEcw9k=,iv:X7wUOxn4BsvqCPmNZvH75hyAzUeD7Qtp+4e4SLpPWlI=,tag:Dp6Bu3zEkRaRPdOwWil13g==,type:str]
     pgp:
         - created_at: "2024-11-28T18:57:09Z"
           enc: |-
@@ -39,4 +39,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

systems/artemision/wifi.nix

@@ -11,7 +11,7 @@ in
   networking.wireless = {
     enable = true;
     secretsFile = config.sops.secrets."wifi-env".path;
-    userControlled.enable = true;
+    userControlled = true;
     networks = {
       "taetaethegae-2.0" = {
         pskRaw = "ext:PASS_taetaethegae_20";
@@ -29,6 +29,7 @@ in
       "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
       "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
       "Mojo Dojo Casa House".pskRaw = "ext:PASS_Carly";
+      "bwe_guest".pskRaw = "ext:PASS_BWE_NE";
 
       # Public wifi connections
       # set public_wifi on line 5 to true if connecting to one of these
@@ -45,7 +46,7 @@ in
     defaultSopsFile = ./secrets.yaml;
     secrets = {
       "wifi-env" = {
-        owner = "root";
+        owner = "wpa_supplicant";
         restartUnits = [ "wpa_supplicant.service" ];
       };
     };

systems/palatine-hill/docker/arr.nix

@@ -1,121 +1,273 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }:
 let
   vars = import ../vars.nix;
+  arr_postgres_config =
+    container_type:
+    let
+      ctype = lib.strings.toUpper container_type;
+    in
+    {
+      "${ctype}__POSTGRES__HOST" = "/var/run/postgresql";
+      "${ctype}__POSTGRES__PORT" = toString config.services.postgresql.settings.port;
+    };
 in
 {
+  # Notes:
+  # Jellyplex-watched - sync watch status between plex and jellyfin as long as users and library is the same
+  # Tdarr - for distributed transcoding?
+  #
+  # list of containers supporting postgres:
+  #   bazarr:
+  #     POSTGRES_ENABED: true
+  #     POSTGRES_HOST:
+  #     POSTGRES_PORT:
+  #     POSTGRES_DATABASE: bazarr
+  #     POSTGRES_USERNAME: arr
+  #     POSTGRES_PASSWORD: sops
+  #   prowlarr:
+  #     see ctype
+  #   radarr:
+  #     see ctype
+  #   sonarr:
+  #     see ctype
+  #   lidarr:
+  #     see ctype
+  #   jellyseerr:
+  #     DB_TYPE: postgres
+  #     DB_HOST:
+  #     DB_PORT:
+  #     DB_USER: arr
+  #     DB_PASS: sops
+  #     DB_NAME: jellyseerr
+  #
   virtualisation.oci-containers.containers = {
     bazarr = {
       image = "ghcr.io/linuxserver/bazarr:latest";
+      pull = "always";
       ports = [ "6767:6767" ];
+      hostname = "bazarr";
       environment = {
         PUID = "600";
         PGID = "100";
         TZ = "America/New_York";
+        POSTGRES_HOST = "/var/run/postgresql";
+        POSTGRES_PORT = toString config.services.postgresql.settings.port;
       };
+      environmentFiles = [
+        config.sops.secrets."docker/bazarr".path
+      ];
       volumes = [
         "${vars.primary_docker}/bazarr:/config"
         "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [
+        "--network=arrnet"
       ];
       autoStart = true;
     };
     prowlarr = {
       image = "ghcr.io/linuxserver/prowlarr:latest";
+      pull = "always";
       ports = [ "9696:9696" ];
+      hostname = "prowlarr";
       environment = {
         PUID = "600";
         PGID = "100";
         TZ = "America/New_York";
-      };
-      volumes = [ "${vars.primary_docker}/prowlarr:/config" ];
+      }
+      // arr_postgres_config "prowlarr";
+      environmentFiles = [
+        config.sops.secrets."docker/prowlarr".path
+      ];
+      extraOptions = [
+        "--network=arrnet"
+      ];
+      volumes = [
+        "${vars.primary_docker}/prowlarr:/config"
+
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
       autoStart = true;
     };
     radarr = {
       image = "ghcr.io/linuxserver/radarr:latest";
+      pull = "always";
       ports = [ "7878:7878" ];
+      hostname = "radarr";
       environment = {
         PUID = "600";
         PGID = "100";
         TZ = "America/New_York";
-      };
+      }
+      // arr_postgres_config "radarr";
+      environmentFiles = [
+        config.sops.secrets."docker/radarr".path
+      ];
       volumes = [
         "${vars.primary_docker}/radarr:/config"
         "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [
+        "--network=arrnet"
       ];
       autoStart = true;
     };
     sonarr = {
       image = "ghcr.io/linuxserver/sonarr:latest";
+      pull = "always";
       ports = [ "8989:8989" ];
+      hostname = "sonarr";
       environment = {
         PUID = "600";
         PGID = "100";
         TZ = "America/New_York";
-      };
+      }
+      // arr_postgres_config "sonarr";
+      environmentFiles = [
+        config.sops.secrets."docker/sonarr".path
+      ];
       volumes = [
         "${vars.primary_docker}/sonarr:/config"
         "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [
+        "--network=arrnet"
       ];
       autoStart = true;
     };
     lidarr = {
       image = "ghcr.io/linuxserver/lidarr:latest";
+      pull = "always";
       ports = [ "8686:8686" ];
+      hostname = "lidarr";
       environment = {
         PUID = "600";
         PGID = "100";
         TZ = "America/New_York";
-      };
+      }
+      // arr_postgres_config "lidarr";
+      environmentFiles = [
+        config.sops.secrets."docker/lidarr".path
+      ];
       volumes = [
         "${vars.primary_docker}/lidarr:/config"
         "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [
+        "--network=arrnet"
       ];
       autoStart = true;
     };
     unpackerr = {
       image = "golift/unpackerr:latest";
+      pull = "always";
       user = "600:100";
+      hostname = "unpackerr";
       environment = {
         TZ = "America/New_York";
       };
       volumes = [
         "${vars.primary_docker}/unpackerr:/config"
         "${vars.primary_plex_storage}:/data"
+        "/var/run/postgresql:/var/run/postgresql"
       ];
+      extraOptions = [ "--network=arrnet" ];
       autoStart = true;
     };
     notifiarr = {
       image = "golift/notifiarr:latest";
+      pull = "always";
+      ports = [ "5454:5454" ];
       user = "600:100";
+      hostname = "notifiarr";
       environment = {
         TZ = "America/New_York";
       };
+      environmentFiles = [ config.sops.secrets."docker/notifiarr".path ];
       volumes = [
         "${vars.primary_docker}/notifiarr:/config"
         "${vars.primary_plex_storage}:/data"
+        "/var/run/postgresql:/var/run/postgresql"
       ];
+      extraOptions = [ "--network=arrnet" ];
       autoStart = true;
     };
-    overseerr = {
-      image = "fallenbagel/jellyseerr:preview-seerr";
+    jellyseerr = {
+      image = "fallenbagel/jellyseerr:latest";
+      pull = "always";
+      hostname = "jellyseerr";
       environment = {
         PUID = "600";
         PGID = "100";
         TZ = "America/New_York";
+        DB_TYPE = "postgres";
+        DB_HOST = "/var/run/postgresql";
+        DB_PORT = toString config.services.postgresql.settings.port;
       };
-      volumes = [ "${vars.primary_docker}/overseerr:/config" ];
+      environmentFiles = [
+        config.sops.secrets."docker/jellyseerr".path
+      ];
+      volumes = [
+        "${vars.primary_docker}/overseerr:/config"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
       # TODO: remove ports later since this is going through web
+      extraOptions = [
+        "--network=arrnet"
+        "--network=haproxy-net"
+        # "--health-cmd \"wget --no-verbose --tries 1 --spider http://localhost:5055/api/v1/status || exit 1\""
+        # "--health-start-period 20s"
+        # "--health-timeout 3s"
+        # "--health-interval 15s"
+        # "--health-retries 3"
+      ];
       ports = [ "5055:5055" ]; # Web UI port
       dependsOn = [
         "radarr"
         "sonarr"
       ];
-      extraOptions = [ "--network=haproxy-net" ];
       autoStart = true;
     };
   };
+
+  sops = {
+    secrets = {
+      "docker/notifiarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-notifiarr.service" ];
+      };
+      "docker/bazarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-bazarr.service" ];
+      };
+      "docker/prowlarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-prowlarr.service" ];
+      };
+      "docker/radarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-radarr.service" ];
+      };
+      "docker/sonarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-sonarr.service" ];
+      };
+      "docker/lidarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-lidarr.service" ];
+      };
+      "docker/jellyseerr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-jellyseerr.service" ];
+      };
+    };
+  };
 }

systems/palatine-hill/docker/nextcloud.nix

@@ -8,13 +8,13 @@ let
   # nextcloud-image = import ./nextcloud-image { inherit pkgs; };
   nextcloud-base = {
     # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
-    image = "nextcloud-nextcloud";
+    image = "docker.io/library/nextcloud-nextcloud";
     # pull = "always";
     # do NOT enable pull here, this image is generated based on a custom docker image
     hostname = "nextcloud";
     volumes = [
       "${nextcloud_path}/nc_data:/var/www/html:z"
-      "${nextcloud_path}/nc_php:/usr/local/etc/php"
+      #"${nextcloud_path}/nc_php:/usr/local/etc/php"
       "${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting"
       #"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
     ];

systems/palatine-hill/docker/torr.nix

@@ -1,130 +1,143 @@
 { config, pkgs, ... }:
 
 let
-  delugeBase = {
+  qbitBase = {
+    image = "ghcr.io/linuxserver/qbittorrent:latest";
     pull = "always";
     environment = {
       PUID = "600";
       PGID = "100";
       TZ = "America/New_York";
-      UMASK = "000";
-      DEBUG = "true";
-      DELUGE_DAEMON_LOG_LEVEL = "debug";
-      DELUGE_WEB_LOG_LEVEL = "debug";
     };
   };
 
   vars = import ../vars.nix;
   #docker_path = vars.primary_docker;
   torr_path = vars.primary_torr;
-  deluge_path = "${torr_path}/deluge";
-  delugevpn_path = "${torr_path}/delugevpn";
-
-  #genSopsConfWg = file: {
-  #  "${file}" = {
-  #    format = "binary";
-  #    sopsFile = ./wg/${file};
-  #    path = "${delugevpn_path}/config/wireguard/configs/${file}";
-  #    owner = "docker-service";
-  #    group = "users";
-  #    restartUnits = [ "docker-delugeVPN.service" ];
-  #  };
-  #};
-
-  genSopsConfOvpn = file: {
-    "${file}" = {
-      format = "binary";
-      sopsFile = ./openvpn/${file};
-      path = "${delugevpn_path}/config/openvpn/configs/${file}";
-      owner = "docker-service";
-      group = "users";
-      restartUnits = [ "docker-delugeVPN.service" ];
-    };
-
-  };
+  qbit_path = "${torr_path}/qbit";
+  qbitvpn_path = "${torr_path}/qbitvpn";
+  qbitperm_path = "${torr_path}/qbitperm";
 in
 {
 
   virtualisation.oci-containers.containers = {
-    deluge = delugeBase // {
-      image = "binhex/arch-deluge";
+    qbit = qbitBase // {
+      # webui port is 8082, torr port is 29432
+      environment = qbitBase.environment // {
+        WEBUI_PORT = "8082";
+        TORRENTING_PORT = "29432";
+      };
       volumes = [
-        "${deluge_path}/config:/config"
-        "${deluge_path}/data/:/data"
+        "${qbit_path}/config:/config" # move from docker/qbit to qbit_path
+        "${torr_path}/data/:/data"
         "/etc/localtime:/etc/localtime:ro"
       ];
+      networks = [ "host" ];
       ports = [
-        "8084:8112"
-        "29433:29433"
+        "8082:8082"
+        "29432:29432"
+        "29432:29432/udp"
+      ];
+      extraOptions = [
+        "--dns=9.9.9.9"
       ];
     };
-    delugeVPN = delugeBase // {
-      image = "binhex/arch-delugevpn:latest";
+
+    # temp instance
+    qbitVPN = qbitBase // {
+      # webui port is 8081, torr port is 39274
+      networks = [
+        "container:gluetun-qbit"
+      ];
+      environment = qbitBase.environment // {
+        WEBUI_PORT = "8081";
+      };
+      dependsOn = [ "gluetun-qbit" ];
+      volumes = [
+        "${qbitvpn_path}/config:/config"
+        "${torr_path}/data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+    };
+    gluetun-qbit = {
+      image = "qmcgaw/gluetun:v3";
       capabilities = {
         NET_ADMIN = true;
       };
-      autoRemoveOnStop = false;
-      environment = delugeBase.environment // {
-        VPN_ENABLED = "yes";
-        VPN_CLIENT = "openvpn";
-        VPN_PROV = "protonvpn";
-        ENABLE_PRIVOXY = "yes";
-        LAN_NETWORK = "192.168.0.0/16";
-        ENABLE_STARTUP_SCRIPTS = "yes";
-        #NAME_SERVERS = "194.242.2.9";
-        #NAME_SERVERS = "9.9.9.9";
-        # note, delete /config/perms.txt to force a bulk permissions update
-      };
-      environmentFiles = [ config.sops.secrets."docker/delugevpn".path ];
-      volumes = [
-        "${delugevpn_path}/config:/config"
-        "${deluge_path}/data:/data" # use common torrent path yuck
-        "/etc/localtime:/etc/localtime:ro"
+      devices = [
+        "/dev/net/tun:/dev/net/tun"
       ];
       ports = [
-        "8085:8112"
-        "8119:8118"
-        "39275:39275"
-        "39275:39275/udp"
-        "48346:48346"
-        "48346:48346/udp"
+        "8081:8081"
+        "8083:8083"
+      ];
+      environment = {
+        TZ = "America/New_York";
+        # SOPS prep
+      };
+      environmentFiles = [
+        config.sops.secrets."docker/gluetun".path
+        config.sops.secrets."docker/gluetun-qbitvpn".path
+      ];
+    };
 
+    # permanent instance
+    qbitPerm = qbitBase // {
+      # webui port is 8083, torr port is 29434
+      networks = [
+        "container:gluetun-qbit"
+      ];
+      environment = qbitBase.environment // {
+        WEBUI_PORT = "8083";
+      };
+      dependsOn = [ "gluetun-qbit" ];
+      volumes = [
+        "${qbitperm_path}/config:/config"
+        "${torr_path}/data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+    };
+    gluetun-qbitperm = {
+      image = "qmcgaw/gluetun:v3";
+      capabilities = {
+        NET_ADMIN = true;
+      };
+      devices = [
+        "/dev/net/tun:/dev/net/tun"
+      ];
+      ports = [
+        "8083:8083"
+      ];
+      environment = {
+        TZ = "America/New_York";
+        # SOPS prep
+      };
+      environmentFiles = [
+        config.sops.secrets."docker/gluetun".path
+        config.sops.secrets."docker/gluetun-qbitperm".path
       ];
     };
   };
 
-  systemd.services.docker-delugeVPN = {
-    serviceConfig = {
-      ExecStartPre = [
-        (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/openvpn/configs "
-          + "-type l -not -name network.ovpn "
-          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/openvpn/network.ovpn &&"
-          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/openvpn/network.ovpn &&"
-          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/openvpn/network.ovpn\""
-        )
-        (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/scripts/links "
-          + "-type l "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/scripts/ \""
-        )
+  sops.secrets = {
+    "docker/gluetun" = {
+      owner = "docker-service";
+      restartUnits = [
+        "docker-gluetun-qbit.service"
+        "docker-gluetun-qbitperm.service"
       ];
-      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/scripts/*sh" ];
     };
-  };
-
-  sops.secrets = (genSopsConfOvpn "se.protonvpn.udp.ovpn") // {
-    "docker/delugevpn" = {
+    "docker/gluetun-qbitvpn" = {
       owner = "docker-service";
-      group = "users";
-      restartUnits = [ "docker-delugeVPN.service" ];
+      restartUnits = [
+        "docker-gluetun-qbit.service"
+      ];
     };
-    "docker/protonvpn-start-script" = {
-      path = "${delugevpn_path}/config/scripts/links/protonvpn-start-script.sh";
+    "docker/gluetun-qbitperm" = {
       owner = "docker-service";
-      group = "users";
-      restartUnits = [ "docker-delugeVPN.service" ];
+      restartUnits = [
+        "docker-gluetun-qbitperm.service"
+      ];
     };
   };
 }

systems/palatine-hill/firewall.nix

@@ -1,38 +1,59 @@
 { ... }:
 
 {
-  networking.firewall.allowedTCPPorts = [
-    # qbit
-    8081
-    8082
-    8443
+  networking.firewall = {
 
-    # hydra
-    3000
+    extraCommands = "
+      iptables -I nixos-fw 1 -i br+ -j ACCEPT
+    ";
 
-    # minio
-    8500
-    8501
+    extraStopCommands = "
+      iptables -D nixos-fw -i br+ -j ACCEPT
+    ";
 
-    # gitea
-    2222
-    2223
-    8088
+    trustedInterfaces = [ "br+" ];
 
-    # attic
-    8183
+    allowedTCPPorts = [
+      # qbit
+      8081
+      8082
+      8443
 
-    # collabora
-    9980
+      # hydra
+      3000
 
-    # arr
-    6767
-    9696
-    7878
-    8989
-    8686
-    8787
-    5055
-  ];
+      # minio
+      8500
+      8501
 
+      # gitea
+      2222
+      2223
+      8088
+
+      # attic
+      8183
+
+      # collabora
+      9980
+
+      # arr
+      6767
+      9696
+      7878
+      8989
+      8686
+      8787
+      5055
+
+      # torr
+      29432
+    ];
+
+    allowedUDPPorts = [
+      # torr
+      29432
+    ];
+
+  };
 }

systems/palatine-hill/hydra.nix

@@ -43,9 +43,9 @@ in
     hydra = {
       enable = true;
       package = inputs.hydra.packages.x86_64-linux.hydra.overrideAttrs (old: {
-        checkPhase = ''
+        preCheck = ''
           export YATH_JOB_COUNT=8
-          ${old.checkPhase or "yath test"}
+          ${old.preCheck or ""}
         '';
       });
       hydraURL = "https://hydra.alicehuston.xyz";

systems/palatine-hill/postgresql.nix

@@ -1,6 +1,5 @@
 {
   config,
-  lib,
   pkgs,
   ...
 }:
@@ -30,6 +29,12 @@ in
            # Let other names login as themselves
            superuser_map      /^(.*)$   \1
       '';
+      authentication = ''
+        local  bazarr  bazarr  scram-sha-256
+        local  /.*arr-main  /.*arr  scram-sha-256
+        local  /.*arr-log  /.*arr  scram-sha-256
+        local  jellyseerr  jellyseerr  scram-sha-256
+      '';
 
       # initialScript = config.sops.secrets."postgres/init".path;
       ensureDatabases = [

systems/palatine-hill/samba.nix

@@ -12,7 +12,7 @@
         #"use sendfile" = "yes";
         #"max protocol" = "smb2";
         # note: localhost is the ipv6 localhost ::1
-        "hosts allow" = "192.168.76. 127.0.0.1 localhost";
+        "hosts allow" = "192.168.76. 127.0.0.1 localhost 192.168.191.";
         "hosts deny" = "0.0.0.0/0";
         "guest account" = "nobody";
         "map to guest" = "bad user";

systems/palatine-hill/secrets.yaml

@@ -25,7 +25,16 @@ docker:
     collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
     delugevpn: ENC[AES256_GCM,data:YGkgaQUuA9oteKD77tnFzxZSHctyOQjMNlfvJr3mPWAl2P8wfcshiUoa6SNp69pagxbzRV6mfuzwzinbkQCoZN3lw7uF76y0,iv:Bro0H4tFR+3wi9DGGq9a6ge4o4uPlVXBUF7h17zyqg8=,tag:N1kVNFasqGMx8R9qTq2dJA==,type:str]
     protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
-    notifiarr: ENC[AES256_GCM,data:8p7+58u1WSjBMjgxxkyDVp0CK26RMBAOFe7Ax5ugfs85+K97loSCAgTaDzplkHwZ0W1jc7rKUyEp6H22R+VwIUL5CvlYZ4XIZbcbrTfcuAqXcVExDNP/hQQs0Kg6,iv:kXKVrHPiBKvUvaeZvf1AG8M+Zu3SaSv5UacBqeHeBWA=,tag:jiZe/6oEZ8IPybZ3rDevEg==,type:str]
+    notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str]
+    bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str]
+    prowlarr: ENC[AES256_GCM,data:hr3hYwRw0+/UD8anqZQjGy7rPkV2pad4Xi5FdXSf3Ftd1/jwlYfMqhqgEngFX30LLMWvJvjeu1TkTNzSEwI6ZCPdefNVYYwWavtm+XcBVxffGvFZ,iv:EXW48288IcCeGs/vP4tkAI4dxQAOh92Na43q/9cyuSc=,tag:pnYR26MDd82DjeUPdwCoUw==,type:str]
+    radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str]
+    sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
+    lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
+    jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
+    gluetun: ENC[AES256_GCM,data:ryhYVOYEZl5zDs+xMgbWI6q/Ei2AiNZJMxT/TcaHzTEocINgbczWk9GKeeZKno71vFXiF9/tPpYavLqvjWNL77doWDB+wiYrtBJ97PkQ70dqWntua9E8eCalYlIZpRbLsl5OA9ZHorIMPjjSB2CRYLCqq30PPi5I2TtRvs/g6LRUN4sZ/E2TTUjz7AEY7228ZEuHt1UkU+dY/jEbx6fwrm/ocP8xKvYUuAR1/Cx/z4N0mqmVl+FX/5dRSkmhpfAxO9ss898XKiJW4rewQIbG5ccYal+reZZr70TaEJQqg5KIfAnbp6dEjAsSXnRiEF801JXM0h+d14ECT4tQmdyvYBdCVnJ/Ibqw9D15cViHmeDbR68spqOCj67FSMKxgCVx4KFrxPOualsULX7RL/UbHq2cwyziSFkH4n2ljFlKohyj39F7EparJbiCOumNfhRWknDDwvXY+BjJhbAe19ccKP6QWrS68uBp0cTXqb0rVN/qlfz6Sj5EYj5M/u0rl6d5xctnKmOzfLjI2m5+E9WfDJaAUcP/Ihs+p2eD7aSQTIj+O7I66ju+UAz66D9ZoU1U3uVQ9gaPI5dOMmYdLKS3b19EVytwW2W13d0WXKIw5Vfb7MvFh9I0iPWq+ntL4jQzMYSwV5Y=,iv:Cy3h5I3vbqKORdqw91SHL4tRMeGHMLsXgQ0USJ2jtzk=,tag:0J/p1sUQfXR4ujjY7VzZuQ==,type:str]
+    gluetun-qbitvpn: ENC[AES256_GCM,data:3IdmuLvWs5YRQZuG9y1GRTMKMbR7OynUUVluezviDOV22EkABvo3Ic/+xZrWi/lzAhQRwRsCGjinlUJf7lBvPLg53HaIplbzSIyd3IPLbKzEVAK32WYB/M5cGNQW+XV8TiKK72HO8+WG588A0bsuvp/wQ86ohpRHVrnlboANLS3diCNXI3VdFIHPGpvM77TqB3/vo2AFLKjxi2es4l6KRam8cEUFAz0eH03tTUYaxy+ewA5IZCQSbMURLFKKdh0EATTG5jIz3jFp372fnk8UBgFPeH8+N9VHNM6rnV6zAsC2Vlj2E1YQRTRqOwSK0NRAAV5NBbr7zumS3VS0rVUpIbZVrW/C2BSAVbzowkHuo5o1B7UFsryb3s2FJJGF2biaDoL+ijM5a0Qi4LfNeaSLNKrzaTin0wYq8rPrQKOUBZL4t6FsRbG7KHmfwM4uYdWqV5h1syjI9WWReuePVb416YvqSH9p8HhNsDTka8IGgYkHcYAXYuuxUc6sgQONBwrsdeN5Dhq1IedhuOW+3qAV+hHl8qmVgiWZ8Ss+nmo016nsikifEp08N7J8t3f86/SFZO+YMBxQ/K9PJLsJzR2jsBcf2aTlq0cuzXDvb4cMtro=,iv:N9zdyKJDsj049j5hZOSnAkS/VTWlC3crTODJKIpYYko=,tag:uYHq3CZj0P/BAv+0Ak5ZEw==,type:str]
+    gluetun-qbitperm: ENC[AES256_GCM,data:kzSrILs78UkzNeAvxoDU3QsLKdapQNyQW9nq0it+7HhhwDQ0MJB1s2Ek8zKErTatpwzG8xiUK0HwX5hFLgNZYc+OE0CH4PUrgX1t6dykuPLD2rKQL7veElNgqhX0/39xNyopyJk2UMVFNSqoV1DCC/ja9MqX9+jBYk++7DeX7v1Gl1ntjzJ+zIscg0nOTN1eQAHtiOWtFU0COC/aA8KS+HLIsMkjrIk9UD4C/DE8AOS07s+gDxPRtl6L7324FRqjEHNyxAobWOOLeG711RZcskF7dlminVJu4aVGbBwIy/zDdHFxRwO6yaLr/AqrTlRVOa2O8Qu2Ydpv8ZNj2F6fHrVNNmVwvMEKYibV6oMVo72uT+DTz/mFaYuTUeuJfkdCy7tnQYhBnpbd5J4mKfVb8uOF9Tx02kL2fTFKyvtET3nrtakQUjv8mEqHn4F8136O2JvUBN5RmC3B3vRdFjYgdfwy8hUT9b0Cmi8w0Zzs+XGMRdvWv2g6b5fmlAn0K+a0KB1fdDLhvbIXhY+sYzR3yOH01K0lW3xVdnl1eMIFjZkUGRTi32HyCYb0SUA1EcXmtA4XmyZ6HHFEXFA5y2guVqU4xLyXXldM+lGB7yGLMcM=,iv:kuueHxYafrEdyBxGUBoU2ks7kdr/rWMnXZmE3Kx/iK4=,tag:bNIfP3H5/Kh3ofuCGGx5Hg==,type:str]
 acme:
     bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
     dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -44,8 +53,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-15T02:30:11Z"
-    mac: ENC[AES256_GCM,data:uG3ZnIAepcCDFXZNhE18dqd0R3pL0a4JTxTaYx8fnaoT3ooN580yIA6tfjGj+6M3JyqPCM56dmqmnMsPplkr+WToW5Wgc8EBe+L2UdSpVK6Zk1ClxvG+NMmZK0u+dNOszJHpoRWTFLl5Wffku9hKEwcgYTA0nwVcrqPc3FSZQyA=,iv:hN2Wfr/IopxM1ItekB7YcXPjR5zBIwPvq1EzW1yjS34=,tag:ao059oZR+kT7IMBF4b2aAQ==,type:str]
+    lastmodified: "2026-01-10T05:52:21Z"
+    mac: ENC[AES256_GCM,data:DyLjQrIXJD7udT32xJ20WgCYr+4zXr7s0uuVMxOYSiC1VphhV+BQ2BgGF0bxAfx1n+JiO2BnyX8uD+z/iWh/k/9+UBGnL3MPJ5L5ffvno8hktVU9NHO72xkugYIkbSievTYrJGcSwWAsfJGTm4+1rG9GgcSoxIvRUoR6QJss22s=,iv:pHkPR0Va4bKjZVzNtvsDJ211ORNvNyZfWRf70OWI01w=,tag:/gEp09I+1nD6Cn6dPGZglA==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-

systems/palatine-hill/zfs.nix

@@ -49,7 +49,7 @@
           daily = 30;
           weekly = 0;
           monthly = 6;
-          yearly = 3;
+          yearly = 2;
           autosnap = true;
           autoprune = true;
         };

users/alice/home/hypr/hyprland.conf

@@ -116,8 +116,8 @@ master {
 }
 
 gestures {
-    # See https://wiki.hyprland.org/Configuring/Variables/ for more
-    workspace_swipe = off
+    # See https://wiki.hypr.land/Configuring/Gestures/ for more
+    gesture = 3, horizontal, workspace
 }
 
 misc {
@@ -149,6 +149,7 @@ bind = $mainMod, W, killactive,
 #bind = $mainMod, W, exit, 
 bind = $mainMod, E, exec, $fileManager
 bind = $mainMod, V, togglefloating, 
+bind = $mainMod, F, fullscreen, toggle
 bind = $mainMod, SPACE, exec, $menu
 bind = $mainMod, O, pseudo, # dwindle
 bind = $mainMod, J, togglesplit, # dwindle

users/alice/home/zsh.nix

@@ -1,9 +1,10 @@
-{ lib, ... }:
+{ lib, config, ... }:
 {
 
   programs.zsh = {
 
     enable = true;
+    dotDir = "${config.xdg.configHome}/zsh";
     oh-my-zsh = {
       enable = true;
       plugins = [

users/alice/non-server.nix

@@ -14,6 +14,7 @@
       customTitleBar = false;
       hardwareAcceleration = true;
     };
+    vencord.useSystem = true;
     vencord.settings = {
       autoUpdate = false;
       autoUpdateNotification = false;
@@ -108,5 +109,8 @@
 
     # media tools
     #deepin.deepin-music
+
+    # arch zed deps
+    nixd
   ];
 }

users/default.nix

@@ -22,6 +22,7 @@
     (lib.mkIf config.programs.wireshark.enable "wireshark")
     (lib.mkIf config.virtualisation.docker.enable "docker")
     (lib.mkIf (with config.services.locate; (enable && package == pkgs.plocate)) "plocate")
+    (lib.mkIf config.networking.wireless.enable "wpa_supplicant")
     "libvirtd"
     "dialout"
     "plugdev"