move nas apps sorta

flake.nix.ori

@@ -1,938 +0,0 @@
-{
-  description = "flake for matt-nixos";
-
-  inputs = {
-
-    #####################################################
-    #                   Desktop                         #
-    #####################################################
-
-    # nixpgs
-    desktop-nixpkgs = {
-      url = "github:NixOS/nixpkgs/nixos-unstable";
-    };
-
-    # Chaotic-nix
-    desktop-chaotic = {
-      url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
-    };
-
-    # Home Manager
-    desktop-home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "desktop-nixpkgs";
-    };
-
-    # Impermenance
-    desktop-impermanence = {
-      url = "github:nix-community/impermanence";
-    };
-
-    # Lanzaboote
-    desktop-lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
-      inputs.nixpkgs.follows = "desktop-nixpkgs";
-    };
-
-    # Nix hardware
-    desktop-nixos-hardware = {
-      url = "github:NixOS/nixos-hardware/master";
-    };
-
-    # Sops-nix
-    desktop-sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "desktop-nixpkgs";
-    };
-
-    # steam rom manager
-    desktop-steam-rom-manager = {
-      url = "github:mjallen18/nix-steam-rom-manager";
-      inputs.nixpkgs.follows = "desktop-nixpkgs";
-      inputs.home-manager.follows = "desktop-home-manager";
-    };
-
-    # cosmic launcher
-    desktop-cosmic = {
-      url = "github:lilyinstarlight/nixos-cosmic";
-      inputs.nixpkgs.follows = "desktop-nixpkgs";
-    };
-
-    desktop-nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
-
-    #####################################################
-    #                     NAS                           #
-    #####################################################
-
-    # nixpgs
-    nas-nixpkgs = {
-      # url = "github:NixOS/nixpkgs/nixos-24.11";
-      url = "github:NixOS/nixpkgs/nixos-unstable";
-    };
-
-    nas-nixpkgs-stable = {
-      url = "github:NixOS/nixpkgs/nixos-24.11";
-    };
-
-    # Authentik
-    nas-authentik-nix = {
-      url = "github:nix-community/authentik-nix";
-      inputs.nixpkgs.follows = "nas-nixpkgs";
-    };
-
-    # cosmic launcher
-    nas-cosmic = {
-      url = "github:lilyinstarlight/nixos-cosmic";
-      inputs.nixpkgs.follows = "nas-nixpkgs-stable";
-    };
-
-    # crowdsec
-    nas-crowdsec = {
-      url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
-      inputs.nixpkgs.follows = "nas-nixpkgs";
-    };
-
-    # Home Manager
-    nas-home-manager = {
-      # url = "github:nix-community/home-manager/release-24.11";
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nas-nixpkgs";
-    };
-
-    # Impermenance
-    nas-impermanence = {
-      url = "github:nix-community/impermanence";
-    };
-
-    # Lanzaboote
-    nas-lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
-      inputs.nixpkgs.follows = "nas-nixpkgs";
-    };
-
-    # Nix hardware
-    nas-nixos-hardware = {
-      url = "github:NixOS/nixos-hardware/master";
-    };
-
-    # Sops-nix
-    nas-sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nas-nixpkgs";
-    };
-
-    nas-nixai.url = "github:olafkfreund/nix-ai-help";
-
-    nas-nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
-
-    #####################################################
-    #                     pi5                           #
-    #####################################################
-
-    # nixpgs
-    pi5-nixpkgs = {
-      url = "github:NixOS/nixpkgs/nixos-unstable";
-    };
-
-    # Home Manager
-    pi5-home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "pi5-nixpkgs";
-    };
-
-    # Impermenance
-    pi5-impermanence = {
-      url = "github:nix-community/impermanence";
-    };
-
-    # Nix hardware
-    pi5-nixos-hardware = {
-      url = "github:NixOS/nixos-hardware/master";
-    };
-
-    # Sops-nix
-    pi5-sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "pi5-nixpkgs";
-    };
-
-    pi5-disko = {
-      # the fork is needed for partition attributes support
-      url = "github:nvmd/disko/gpt-attrs";
-      # url = "github:nix-community/disko";
-      inputs.nixpkgs.follows = "pi5-nixpkgs";
-    };
-
-    pi5-cosmic = {
-      url = "github:lilyinstarlight/nixos-cosmic";
-      inputs.nixpkgs.follows = "pi5-nixpkgs";
-    };
-
-    #####################################################
-    #                     pi4                           #
-    #####################################################
-
-    # nixpgs
-    pi4-nixpkgs = {
-      url = "github:NixOS/nixpkgs/nixos-unstable";
-    };
-
-    # Home Manager
-    pi4-home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "pi4-nixpkgs";
-    };
-
-    # Impermenance
-    pi4-impermanence = {
-      url = "github:nix-community/impermanence";
-    };
-
-    # Sops-nix
-    pi4-sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "pi4-nixpkgs";
-    };
-
-    # Nix hardware
-    pi4-nixos-hardware = {
-      url = "github:NixOS/nixos-hardware/master";
-    };
-
-    pi4-disko = {
-      # the fork is needed for partition attributes support
-      url = "github:nvmd/disko/gpt-attrs";
-      # url = "github:nix-community/disko";
-      inputs.nixpkgs.follows = "pi4-nixpkgs";
-    };
-
-
-    nixos-raspberrypi.url = "github:nvmd/nixos-raspberrypi";
-
-    #####################################################
-    #                  Steamdeck                        #
-    #####################################################
-
-    # nixpgs
-    steamdeck-nixpkgs = {
-      url = "github:NixOS/nixpkgs/nixos-unstable";
-    };
-
-    # Joviain for steamdeck
-    steamdeck-jovian = {
-      url = "github:Jovian-Experiments/Jovian-NixOS";
-      inputs.nixpkgs.follows = "steamdeck-nixpkgs";
-    };
-
-    # Chaotic-nix
-    steamdeck-chaotic = {
-      url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
-    };
-
-    # Impermenance
-    steamdeck-impermanence = {
-      url = "github:nix-community/impermanence";
-    };
-
-    # Home Manager
-    steamdeck-home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "steamdeck-nixpkgs";
-    };
-
-    # Lanzaboote
-    steamdeck-lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
-      inputs.nixpkgs.follows = "steamdeck-nixpkgs";
-    };
-
-    # Sops-nix
-    steamdeck-sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "steamdeck-nixpkgs";
-    };
-
-    # Nix hardware
-    steamdeck-nixos-hardware = {
-      url = "github:NixOS/nixos-hardware/master";
-    };
-
-    # steam rom manager
-    steamdeck-steam-rom-manager = {
-      url = "github:mjallen18/nix-steam-rom-manager";
-      inputs.nixpkgs.follows = "steamdeck-nixpkgs";
-      inputs.home-manager.follows = "steamdeck-home-manager";
-    };
-
-    steamdeck-disko = {
-      # the fork is needed for partition attributes support
-      url = "github:nvmd/disko/gpt-attrs";
-      # url = "github:nix-community/disko";
-      inputs.nixpkgs.follows = "steamdeck-nixpkgs";
-    };
-
-    #####################################################
-    #                   MacBook                         #
-    #####################################################
-
-    #Apple
-    nix-darwin = {
-      url = "github:LnL7/nix-darwin";
-      inputs.nixpkgs.follows = "desktop-nixpkgs";
-    };
-
-    nix-homebrew.url = "github:zhaofengli/nix-homebrew";
-
-    homebrew-core = {
-      url = "github:homebrew/homebrew-core";
-      flake = false;
-    };
-    homebrew-cask = {
-      url = "github:homebrew/homebrew-cask";
-      flake = false;
-    };
-  
-    #####################################################
-    #                 Macbook Nix                       #
-    #####################################################
-
-    # nixpgs
-    mac-nixpkgs = {
-      url = "github:NixOS/nixpkgs/nixos-unstable";
-    };
-
-    mac-nixos-apple-silicon = {
-      url = "github:nix-community/nixos-apple-silicon";
-    };
-
-    # Home Manager
-    mac-home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "mac-nixpkgs";
-    };
-
-    # Impermenance
-    mac-impermanence = {
-      url = "github:nix-community/impermanence";
-    };
-
-    # Sops-nix
-    mac-sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "mac-nixpkgs";
-    };
-
-    #####################################################
-    #                     NUC                           #
-    #####################################################
-
-    # nixpgs
-    nuc-nixpkgs = {
-      # url = "github:NixOS/nixpkgs/nixos-24.11";
-      url = "github:NixOS/nixpkgs/nixos-unstable";
-    };
-
-    # Home Manager
-    nuc-home-manager = {
-      # url = "github:nix-community/home-manager/release-24.11";
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nuc-nixpkgs";
-    };
-
-    # Impermenance
-    nuc-impermanence = {
-      url = "github:nix-community/impermanence";
-    };
-
-    # Lanzaboote
-    nuc-lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
-      inputs.nixpkgs.follows = "nuc-nixpkgs";
-    };
-
-    # Sops-nix
-    nuc-sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nuc-nixpkgs";
-    };
-
-    nuc-disko = {
-      # the fork is needed for partition attributes support
-      url = "github:nvmd/disko/gpt-attrs";
-      # url = "github:nix-community/disko";
-      inputs.nixpkgs.follows = "nuc-nixpkgs";
-    };
-
-    #####################################################
-    #                    Common                         #
-    #####################################################
-
-    nixpkgs-unstable = {
-      url = "github:NixOS/nixpkgs/nixos-unstable";
-    };
-
-    nixpkgs-stable = {
-      url = "github:NixOS/nixpkgs/nixos-25.05";
-    };
-  };
-
-  outputs =
-    {
-      self,
-
-      # Desktop
-      desktop-nixpkgs,
-      desktop-chaotic,
-      desktop-home-manager,
-      desktop-impermanence,
-      desktop-lanzaboote,
-      desktop-nixos-hardware,
-      desktop-sops-nix,
-      desktop-steam-rom-manager,
-      desktop-cosmic,
-      desktop-nix-vscode-extensions,
-
-      # NAS
-      nas-nixpkgs,
-      nas-nixpkgs-stable,
-      nas-authentik-nix,
-      nas-cosmic,
-      nas-crowdsec,
-      nas-home-manager,
-      nas-impermanence,
-      nas-lanzaboote,
-      nas-nixos-hardware,
-      nas-sops-nix,
-      nas-nixai,
-      nas-nix-vscode-extensions,
-
-      # pi5
-      pi5-nixpkgs,
-      pi5-home-manager,
-      pi5-impermanence,
-      pi5-nixos-hardware,
-      pi5-sops-nix,
-      pi5-disko,
-      pi5-cosmic,
-
-      # pi4
-      pi4-nixpkgs,
-      pi4-home-manager,
-      pi4-impermanence,
-      pi4-sops-nix,
-      pi4-nixos-hardware,
-      pi4-disko,
-
-      nixos-raspberrypi,
-
-      # Steamdeck
-      steamdeck-nixpkgs,
-      steamdeck-chaotic,
-      steamdeck-home-manager,
-      steamdeck-impermanence,
-      steamdeck-jovian,
-      steamdeck-lanzaboote,
-      steamdeck-nixos-hardware,
-      steamdeck-sops-nix,
-      steamdeck-steam-rom-manager,
-      steamdeck-disko,
-
-      # MacBook
-      nix-darwin,
-      nix-homebrew,
-      homebrew-core,
-      homebrew-cask,
-
-      # MacBook Nix
-      mac-nixpkgs,
-      mac-nixos-apple-silicon,
-      mac-home-manager,
-      mac-impermanence,
-      mac-sops-nix,
-
-      nuc-nixpkgs,
-      nuc-home-manager,
-      nuc-impermanence,
-      nuc-lanzaboote,
-      nuc-sops-nix,
-      nuc-disko,
-
-      # Common
-      nixpkgs-unstable,
-      nixpkgs-stable,
-    }@inputs:
-    let
-      inherit (self) outputs;
-    in
-    {
-      overlays = import ./overlays { inherit inputs; };
-
-      nixosConfigurations = {
-        # Desktop
-        "matt-nixos" = desktop-nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          specialArgs = {
-            inherit inputs outputs;
-            hyprlandSettings = import ./hosts/desktop/hyprland-settings.nix;
-          };
-          modules = [
-            ./hosts/base/base-nogui
-            ./hosts/base/base-gui
-            ./hosts/desktop/configuration.nix
-
-            ./modules/desktop-environments/gnome
-            ./modules/desktop-environments/cosmic/specialisation.nix
-            ./modules/desktop-environments/hyprland/specialisation.nix
-
-            ./modules/amd
-            ./modules/gaming
-
-            # Lanzaboote
-            desktop-lanzaboote.nixosModules.lanzaboote
-
-            # Chaotic Nyx
-            desktop-chaotic.nixosModules.default
-
-            # Impermanence
-            desktop-impermanence.nixosModules.impermanence
-            ./modules/impermanence
-
-            desktop-sops-nix.nixosModules.sops
-
-            # Home Manager
-            desktop-home-manager.nixosModules.home-manager
-            {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.users.matt =
-                { ... }:
-                {
-                  imports = [
-                    ./hosts/desktop/home.nix
-                    ./modules/home/defaults.nix
-                    ./modules/home/git.nix
-                    ./modules/home/gnome.nix
-                    ./modules/home/librewolf.nix
-                    ./modules/home/office.nix
-                    ./modules/home/shell.nix
-                    ./modules/home/vscode.nix
-                    desktop-steam-rom-manager.homeManagerModules.default
-                    desktop-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.users.root =
-                { ... }:
-                {
-                  imports = [
-                    ./modules/root-user
-                    desktop-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.backupFileExtension = "backup";
-            }
-
-            # nixos hardware
-            desktop-nixos-hardware.nixosModules.common-cpu-amd
-            desktop-nixos-hardware.nixosModules.common-cpu-amd-pstate
-            desktop-nixos-hardware.nixosModules.common-cpu-amd-zenpower
-            desktop-nixos-hardware.nixosModules.common-gpu-amd
-            desktop-nixos-hardware.nixosModules.common-hidpi
-            desktop-nixos-hardware.nixosModules.common-pc
-          ];
-        };
-
-        # NAS
-        "jallen-nas" = nas-nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          specialArgs = {
-            inherit inputs outputs;
-          };
-          modules = [
-            ./hosts/base/base-nogui
-            ./hosts/base/base-gui
-            ./hosts/nas/configuration.nix
-            ./modules/desktop-environments/cosmic
-            ./modules/nvidia
-
-            nas-lanzaboote.nixosModules.lanzaboote
-
-            nas-impermanence.nixosModules.impermanence
-            ./hosts/nas/impermanence.nix
-
-            nas-cosmic.nixosModules.default
-
-            # nas-nixai.nixosModules.x86_64-linux.default
-
-            nas-home-manager.nixosModules.home-manager
-            {
-              home-manager.useGlobalPkgs = false;
-              home-manager.useUserPackages = true;
-              home-manager.users.admin =
-                { ... }:
-                {
-                  imports = [
-                    ./hosts/nas/home.nix
-                    ./modules/home/defaults.nix
-                    ./modules/home/git.nix
-                    ./modules/home/librewolf.nix
-                    ./modules/home/shell.nix
-                    ./modules/home/vscode.nix
-                    nas-sops-nix.homeManagerModules.sops
-                    # nas-nixai.homeManagerModules.x86_64-linux.default
-                  ];
-                };
-              home-manager.users.root =
-                { ... }:
-                {
-                  imports = [
-                    ./modules/root-user
-                    nas-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.backupFileExtension = "backup";
-            }
-
-            nas-authentik-nix.nixosModules.default
-
-            nas-sops-nix.nixosModules.sops
-
-            nas-crowdsec.nixosModules.crowdsec
-            nas-crowdsec.nixosModules.crowdsec-firewall-bouncer
-
-            (
-              { ... }:
-              {
-                nixpkgs.overlays = [
-                  nas-crowdsec.overlays.default
-                  nas-nix-vscode-extensions.overlays.default
-                ];
-              }
-            )
-
-            nas-nixos-hardware.nixosModules.common-pc
-            nas-nixos-hardware.nixosModules.common-cpu-amd
-            nas-nixos-hardware.nixosModules.common-cpu-amd-pstate
-            nas-nixos-hardware.nixosModules.common-cpu-amd-zenpower
-            nas-nixos-hardware.nixosModules.common-hidpi
-          ];
-        };
-
-        # pi5
-        "pi5" = nixos-raspberrypi.lib.nixosSystem {
-          specialArgs = inputs //
-          {
-            inherit outputs;
-          };
-          system = "aarch64-linux";
-          modules = [
-            ./hosts/base/base-nogui
-            ./hosts/base/base-gui
-            pi5-disko.nixosModules.disko
-            ./hosts/pi5/disko.nix
-            pi5-cosmic.nixosModules.default
-            pi5-impermanence.nixosModules.impermanence
-            pi5-sops-nix.nixosModules.sops
-            ./hosts/pi5/configuration.nix
-            pi5-nixos-hardware.nixosModules.raspberry-pi-5
-            {
-              # Hardware specific configuration, see section below for a more complete
-              # list of modules
-              imports = with nixos-raspberrypi.nixosModules; [
-                raspberry-pi-5.base
-                raspberry-pi-5.display-vc4
-                raspberry-pi-5.bluetooth
-              ];
-            }
-            pi5-home-manager.nixosModules.home-manager
-            {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.backupFileExtension = "backup";
-              home-manager.users.matt =
-                { ... }:
-                {
-                  imports = [
-                    ./hosts/pi5/home.nix
-                    pi5-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.users.root =
-                { ... }:
-                {
-                  imports = [
-                    ./modules/root-user
-                    pi5-sops-nix.homeManagerModules.sops
-                  ];
-                };
-            }
-          ];
-        };
-
-        # pi4
-        "pi4" = nixos-raspberrypi.lib.nixosSystem {
-          specialArgs = inputs //
-          {
-            inherit outputs;
-          };
-          system = "aarch64-linux";
-          modules = [
-            ./hosts/base/base-nogui
-            pi4-disko.nixosModules.disko
-            ./modules/disko/pi-uefi-disko.nix
-            pi4-nixos-hardware.nixosModules.raspberry-pi-4
-            {
-              # Hardware specific configuration, see section below for a more complete
-              # list of modules
-              imports = with nixos-raspberrypi.nixosModules; [
-                raspberry-pi-4.base
-                raspberry-pi-4.display-vc4
-                raspberry-pi-4.bluetooth
-                raspberry-pi-4.case-argonone
-              ];
-            }
-            pi4-impermanence.nixosModules.impermanence
-            pi4-sops-nix.nixosModules.sops
-            ./hosts/pi4/configuration.nix
-            pi4-home-manager.nixosModules.home-manager
-            {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.backupFileExtension = "backup";
-              home-manager.users.matt =
-                { ... }:
-                {
-                  imports = [
-                    ./hosts/pi4/home.nix
-                    pi4-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.users.root =
-                { ... }:
-                {
-                  imports = [
-                    ./modules/root-user
-                    pi4-sops-nix.homeManagerModules.sops
-                  ];
-                };
-            }
-          ];
-        };
-
-        "steamdeck" = steamdeck-nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          specialArgs = {
-            inherit inputs outputs;
-          };
-          modules = [
-            ./hosts/base/base-nogui
-            ./hosts/base/base-gui
-            ./hosts/deck/configuration.nix
-            ./modules/desktop-environments/gnome
-
-            steamdeck-lanzaboote.nixosModules.lanzaboote
-
-            steamdeck-disko.nixosModules.disko
-            ./modules/disko/disko.nix
-
-            steamdeck-impermanence.nixosModules.impermanence
-            ./modules/impermanence
-
-            steamdeck-home-manager.nixosModules.home-manager
-            {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.users.deck =
-                { ... }:
-                {
-                  imports = [
-                    ./hosts/deck/home.nix
-                    ./modules/home/defaults.nix
-                    ./modules/home/git.nix
-                    ./modules/home/gnome.nix
-                    ./modules/home/librewolf.nix
-                    ./modules/home/office.nix
-                    ./modules/home/shell.nix
-                    ./modules/home/vscode.nix
-                    steamdeck-sops-nix.homeManagerModules.sops
-                    steamdeck-steam-rom-manager.homeManagerModules.default
-                  ];
-                };
-              home-manager.users.root =
-                { ... }:
-                {
-                  imports = [
-                    ./modules/root-user
-                    steamdeck-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.backupFileExtension = "backup";
-            }
-
-            steamdeck-nixos-hardware.nixosModules.common-cpu-amd
-            steamdeck-nixos-hardware.nixosModules.common-cpu-amd-pstate
-            steamdeck-nixos-hardware.nixosModules.common-cpu-amd-zenpower
-            steamdeck-nixos-hardware.nixosModules.common-gpu-amd
-            steamdeck-nixos-hardware.nixosModules.common-hidpi
-            steamdeck-nixos-hardware.nixosModules.common-pc
-
-            steamdeck-sops-nix.nixosModules.sops
-
-            steamdeck-jovian.nixosModules.jovian
-
-            steamdeck-chaotic.nixosModules.default
-          ];
-        };
-
-        # MacBook Nix
-        "macbook-pro-nixos" = mac-nixpkgs.lib.nixosSystem {
-          system = "aarch64-linux";
-          specialArgs = {
-            inherit inputs outputs;
-            hyprlandSettings = import ./hosts/mac-nixos/hyprland-settings.nix;
-          };
-          modules = [
-            ./hosts/base/base-nogui
-            ./hosts/base/base-gui
-            ./hosts/mac-nixos/configuration.nix
-
-            ./modules/desktop-environments/hyprland
-
-            # Apple Silicon Support
-            mac-nixos-apple-silicon.nixosModules.default
-
-            # Impermanence
-            mac-impermanence.nixosModules.impermanence
-            ./modules/impermanence
-
-            mac-sops-nix.nixosModules.sops
-
-            # Home Manager
-            mac-home-manager.nixosModules.home-manager
-            {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.users.matt =
-                { ... }:
-                {
-                  imports = [
-                    ./hosts/mac-nixos/home.nix
-                    ./modules/home/defaults.nix
-                    ./modules/home/git.nix
-#                    ./modules/home/gnome.nix
-#                    ./modules/home/librewolf.nix
-                    ./modules/home/office.nix
-                    ./modules/home/shell.nix
-#                    ./modules/home/vscode.nix
-                    mac-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.users.root =
-                { ... }:
-                {
-                  imports = [
-                    ./modules/root-user
-                    mac-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.backupFileExtension = "backup";
-            }
-          ];
-        };
-
-        # NUC
-        "nuc-nixos" = nuc-nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          specialArgs = {
-            inherit inputs outputs;
-          };
-          modules = [
-            ./hosts/base/base-nogui
-            ./hosts/nuc/configuration.nix
-
-            nuc-lanzaboote.nixosModules.lanzaboote
-
-            nuc-impermanence.nixosModules.impermanence
-            ./hosts/nuc/impermanence.nix
-
-            nuc-disko.nixosModules.disko
-            ./modules/disko/disko.nix
-
-            nuc-home-manager.nixosModules.home-manager
-            {
-              home-manager.useGlobalPkgs = false;
-              home-manager.useUserPackages = true;
-              home-manager.users.admin =
-                { ... }:
-                {
-                  imports = [
-                    ./hosts/nuc/home.nix
-                    ./modules/home/defaults.nix
-                    ./modules/home/git.nix
-                    ./modules/home/shell.nix
-                    nuc-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.users.root =
-                { ... }:
-                {
-                  imports = [
-                    ./modules/root-user
-                    nuc-sops-nix.homeManagerModules.sops
-                  ];
-                };
-              home-manager.backupFileExtension = "backup";
-            }
-
-            nuc-sops-nix.nixosModules.sops
-          ];
-        };
-      };
-
-      darwinConfigurations = {
-        "MacBook-Pro" = nix-darwin.lib.darwinSystem {
-          system = "aarch64-darwin";
-          specialArgs = {
-            inherit inputs outputs;
-          };
-          modules = [
-            ./hosts/mac/configuration.nix
-            nix-homebrew.darwinModules.nix-homebrew
-            desktop-home-manager.darwinModules.home-manager
-            {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.users.mattjallen = import ./hosts/mac/home.nix;
-              home-manager.backupFileExtension = "backup";
-            }
-            (
-              { ... }:
-              {
-                nixpkgs.overlays = [
-                  desktop-nix-vscode-extensions.overlays.default
-                ];
-              }
-            )
-          ];
-        };
-      };
-
-      packages.aarch64-linux.vmware-horizon-fhs = 
-      let
-        pkgs = import mac-nixpkgs { system = "aarch64-linux"; };
-        x64 = import mac-nixpkgs { system = "x86_64-linux"; config.allowUnfree = true; };
-      in
-      pkgs.buildFHSEnv {
-        name = "horizon-client-x64";
-        targetPkgs = _pkgs: with x64; [
-          vmware-horizon-client gtk3 xorg.libX11 libxml2
-        ];
-        runScript = "box64 vmware-view";
-      };
-
-      # Expose the package set, including overlays, for convenience.
-      darwinPackages = self.darwinConfigurations."MacBook-Pro".pkgs;
-
-      # Set Git commit hash for darwin-version.
-      system.configurationRevision = self.rev or self.dirtyRev or null;
-    };
-}

modules/nixos/actual/default.nix

@@ -2,9 +2,8 @@
 with lib;
 let
   cfg = config.nas-apps.actual;
-  settings = import ../../settings.nix;
   dataDir = "/data";
-  hostAddress = settings.hostAddress;
+  hostAddress = "10.0.1.3";
   actualUserId = config.users.users.nix-apps.uid;
   actualGroupId = config.users.groups.jallen-nas.gid;
 in

modules/nixos/arrs/default.nix

@@ -7,7 +7,6 @@
 with lib;
 let
   cfg = config.nas-apps.arrs;
-  settings = import ../../settings.nix;
   radarrDataDir = "/var/lib/radarr";
   downloadDir = "/downloads";
   incompleteDir = "/downloads-incomplete";
@@ -21,7 +20,6 @@ let
   sonarrPkg = pkgs.sonarr;
   delugePkg = pkgs.deluge;
   jackettPkg = pkgs.jackett;
-  sabnzbdPkg = pkgs.sabnzbd;
 in
 {
   imports = [ ./options.nix ];
@@ -30,7 +28,7 @@ in
     containers.arrs = {
       autoStart = true;
       privateNetwork = true;
-      hostAddress = settings.hostAddress;
+      hostAddress = "10.0.1.3";
       localAddress = cfg.localAddress;
 
       config =
@@ -40,7 +38,12 @@ in
           ...
         }:
         {
-          nixpkgs.config.allowUnfree = true;
+          nixpkgs.config = {
+            allowUnfree = lib.mkForce true;
+            allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+              "unrar"
+            ];
+          };
 
           # Enable radarr service
           services.radarr = {
@@ -69,7 +72,7 @@ in
             user = "arrs";
             group = "media";
             configFile = "${sabnzbdConfig}/sabnzbd.ini";
-            package = sabnzbdPkg;
+            package = pkgs.sabnzbd;
           };
 
           services.deluge = {

modules/nixos/crowdsec/default.nix

@@ -1,4 +1,4 @@
-{ outputs, config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 with lib;
 let
   cfg = config.nas-apps.crowdsec;

modules/nixos/gitea/default.nix

@@ -2,8 +2,7 @@
 with lib;
 let
   cfg = config.nas-apps.gitea;
-  settings = import ../../settings.nix;
+  hostAddress = "10.0.1.3";
-  hostAddress = settings.hostAddress;
   # localAddress = "10.0.4.18";
   # httpPort = 3000;
   # sshPort = 2222;

modules/nixos/immich/default.nix

@@ -0,0 +1,33 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+  cfg = config.${namespace}.services.immich;
+
+  immichPort = 2283;
+  dataDir = "/media/nas/main/photos";
+  dbPassword = config.sops.secrets."jallen-nas/immich/db-password".path;
+in
+{
+  imports  = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    # Enable immich service
+    services.immich = {
+      enable = true;
+      port = immichPort;
+      openFirewall = true;
+      secretsFile = dbPassword;
+      mediaLocation = dataDir;
+
+      environment = {
+        IMMICH_HOST = lib.mkForce "0.0.0.0";
+        IMMICH_TRUSTED_PROXIES = "10.0.1.3";
+        TZ = "America/Chicago";
+      };
+
+      machine-learning = {
+        enable = true;
+      };
+    };
+  };
+}

modules/nixos/immich/options.nix

@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.immich = {
+    enable = mkEnableOption "enable immich";
+  };
+}

modules/nixos/jellyfin/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+  cfg = config.${namespace}.services.jellyfin;
+in
+{
+  imports  = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    services.jellyfin = {
+      enable = true;
+      openFirewall = true;
+      user = "nix-apps";
+      group = "jallen-nas";
+      dataDir = "/media/nas/ssd/nix-app-data/jellyfin";
+      # cacheDir = "/cache";
+    };
+  };
+}

modules/nixos/jellyfin/options.nix

@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.jellyfin = {
+    enable = mkEnableOption "enable jellyfin";
+  };
+}

modules/nixos/jellyseerr/default.nix

@@ -0,0 +1,78 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+  cfg = config.${namespace}.services.jellyseerr;
+
+  jellyseerrPort = 5055;
+  dataDir = "/var/lib/private/jellyseerr";
+in
+{
+  imports  = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    containers.jellyseerr = {
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "10.0.1.3";
+      localAddress = "10.0.1.52";
+      hostAddress6 = "fc00::1";
+      localAddress6 = "fc00::4";
+
+      bindMounts = {
+        ${dataDir} = {
+          hostPath = "/media/nas/ssd/nix-app-data/jellyseerr";
+          isReadOnly = false;
+        };
+      };
+
+      config =
+        {
+          lib,
+          ...
+        }:
+        {
+          # Enable jellyseerr service
+          services.jellyseerr = {
+            enable = true;
+            port = jellyseerrPort;
+            # package = package;
+            openFirewall = true;
+          };
+
+          networking = {
+            firewall = {
+              enable = true;
+              allowedTCPPorts = [ jellyseerrPort ];
+            };
+            # Use systemd-resolved inside the container
+            # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+            useHostResolvConf = lib.mkForce false;
+          };
+
+          # Create and set permissions for required directories
+          system.activationScripts.jellyseerr-dirs = ''
+            mkdir -p /var/lib/private/jellyseerr
+
+            chown -R jellyseerr:jellyseerr /var/lib/private/jellyseerr
+
+            chmod -R 775 /var/lib/private/jellyseerr
+
+            ln -sf /var/lib/private/jellyseerr /var/lib/jellyfin
+
+          '';
+
+          services.resolved.enable = true;
+          system.stateVersion = "23.11";
+        };
+    };
+
+    networking.nat = {
+      forwardPorts = [
+        {
+          destination = "10.0.1.52:5055";
+          sourcePort = jellyseerrPort;
+        }
+      ];
+    };
+  };
+}

modules/nixos/jellyseerr/options.nix

@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.jellyseerr = {
+    enable = mkEnableOption "enable jellyseerr";
+  };
+}

modules/nixos/lubelogger/default.nix

@@ -0,0 +1,28 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+  cfg = config.${namespace}.services.lubelogger;
+in
+{
+  imports  = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    virtualisation.oci-containers.containers.lubelogger = {
+      autoStart = true;
+      image = "ghcr.io/hargata/lubelogger";
+      ports = [ "6754:8080" ];
+      volumes = [ 
+        "/media/nas/ssd/nix-app-data/lubelogger:/App/data"
+        "/media/nas/ssd/nix-app-data/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
+      ];
+      environmentFiles = [
+        "/media/nas/ssd/nix-app-data/lubelogger/lubelogger.env"
+      ];
+      environment = {
+        PUID = toString config.users.users.nix-apps.uid;
+        PGID = toString config.users.groups.jallen-nas.gid;
+        TZ = "America/Chicago";
+      };
+    };
+  };
+}

modules/nixos/lubelogger/options.nix

@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.lubelogger = {
+    enable = mkEnableOption "enable lubelogger";
+  };
+}

modules/nixos/nextcloud/default.nix

@@ -0,0 +1,240 @@
+{ config, lib, pkgs, namespace, ... }:
+with lib;
+let
+  cfg = config.${namespace}.services.nextcloud;
+
+  adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
+  secretsFile =  config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
+  jwtSecretFile =  config.sops.secrets."jallen-nas/onlyoffice-key".path;
+  nextcloudUserId = config.users.users.nix-apps.uid;
+  nextcloudGroupId = config.users.groups.jallen-nas.gid;
+  hostAddress = "10.0.1.3";
+  localAddress = "10.0.2.18";
+  nextcloudPortExtHttp = 9988;
+  nextcloudPortExtHttps = 9943;
+  onlyofficePortExt = 9943;
+in
+{
+  imports  = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    containers.nextcloud = {
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = hostAddress;
+      localAddress = localAddress;
+      specialArgs = {
+        inherit namespace;
+      };
+
+      bindMounts = {
+        secrets = {
+          hostPath = "/run/secrets/jallen-nas/nextcloud";
+          isReadOnly = true;
+          mountPoint = "/run/secrets/jallen-nas/nextcloud";
+        };
+        
+        secrets2 = {
+          hostPath = "/run/secrets/jallen-nas/onlyoffice-key";
+          isReadOnly = true;
+          mountPoint = "/run/secrets/jallen-nas/onlyoffice-key";
+        };
+
+        data = {
+          hostPath = "/media/nas/main/nextcloud";
+          isReadOnly = false;
+          mountPoint = "/data";
+        };
+
+        "/var/lib/nextcloud" = {
+          hostPath = "/media/nas/ssd/nix-app-data/nextcloud";
+          isReadOnly = false;
+          mountPoint = "/var/lib/nextcloud";
+        };
+
+        "/var/lib/onlyoffice" = {
+          hostPath = "/media/nas/ssd/nix-app-data/onlyoffice";
+          isReadOnly = false;
+          mountPoint = "/var/lib/onlyoffice";
+        };
+      };
+
+      config =
+        { pkgs, lib, namespace, ... }:
+        {
+          nixpkgs.config.allowUnfree = true;
+          networking.extraHosts = ''
+              ${hostAddress} host.containers protonmail-bridge
+            '';
+
+          services = {
+            nextcloud = {
+              enable = true;
+              package = pkgs.nextcloud31;
+              # datadir = "/data";
+              database.createLocally = true;
+              hostName = "cloud.mjallen.dev";
+              appstoreEnable = true;
+              caching.redis = true;
+              configureRedis = true;
+              enableImagemagick = true;
+              https = true;
+              secretFile = secretsFile;
+
+              config = {
+                adminuser = "mjallen";
+                adminpassFile = adminpass;
+                dbhost = "localhost";
+                dbtype = "sqlite";
+                dbname = "nextcloud";
+                dbuser = "nextcloud";
+              };
+              settings = {
+                loglevel = 3;
+                allow_local_remote_servers = true;
+                upgrade.disable-web = false;
+                datadirectory = "/data";
+                trusted_domains = [
+                  "${hostAddress}:${toString nextcloudPortExtHttp}"
+                  "${hostAddress}:${toString nextcloudPortExtHttps}"
+                  "${localAddress}:80"
+                  "${localAddress}:443"
+                  "cloud.mjallen.dev"
+                ];
+                opcache.interned_strings_buffer = 16;
+                trusted_proxies = [ hostAddress ];
+                maintenance_window_start = 6;
+                default_phone_region = "US";
+                enable_previews = true;
+                enabledPreviewProviders = [
+                  "OC\\Preview\\PNG"
+                  "OC\\Preview\\JPEG"
+                  "OC\\Preview\\GIF"
+                  "OC\\Preview\\BMP"
+                  "OC\\Preview\\XBitmap"
+                  "OC\\Preview\\MP3"
+                  "OC\\Preview\\TXT"
+                  "OC\\Preview\\MarkDown"
+                  "OC\\Preview\\OpenDocument"
+                  "OC\\Preview\\Krita"
+                  "OC\\Preview\\HEIC"
+                  "OC\\Preview\\Movie"
+                  "OC\\Preview\\MSOffice2003"
+                  "OC\\Preview\\MSOffice2007"
+                  "OC\\Preview\\MSOfficeDoc"
+                ];
+                installed = true;
+                user_oidc = {
+                  auto_provision = false;
+                  soft_auto_provision = false;
+                  allow_multiple_user_backends = false; # auto redirect to authentik for login
+                };
+              };
+            };
+          };
+
+          services.onlyoffice = {
+            enable = true;
+            port = onlyofficePortExt;
+            hostname = "office.mjallen.dev";
+            jwtSecretFile = jwtSecretFile;
+          };
+
+          # System packages
+          environment.systemPackages = with pkgs; [
+            cudaPackages.cudnn
+            cudatoolkit
+            ffmpeg
+            # libtensorflow-bin
+            nextcloud31
+            nodejs
+            onlyoffice-documentserver
+            sqlite
+          ];
+
+          # Create required users and groups
+          users.users.nextcloud = {
+            isSystemUser = true;
+            uid = lib.mkForce nextcloudUserId;
+            group = "nextcloud";
+          };
+
+          users.users.onlyoffice = {
+            group = lib.mkForce "nextcloud";
+          };
+
+          users.groups = {
+            nextcloud = {
+              gid = lib.mkForce nextcloudGroupId;
+            };
+            downloads = { };
+          };
+
+          # Create and set permissions for required directories
+          system.activationScripts.nextcloud-dirs = ''
+            mkdir -p /data
+
+            chown -R nextcloud:nextcloud /data
+
+            chown  -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
+
+            chmod -R 775 /data
+
+            chmod  -R 750 /run/secrets/jallen-nas/nextcloud
+
+          '';
+
+          hardware = {
+            graphics = {
+              enable = true;
+              # setLdLibraryPath = true;
+            };
+          };
+
+          programs = {
+            nix-ld.enable = true;
+          };
+
+          system.stateVersion = "23.11";
+          networking = {
+            firewall = {
+              enable = true;
+              allowedTCPPorts = [
+                80
+                443
+                onlyofficePortExt
+              ];
+            };
+            # Use systemd-resolved inside the container
+            # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+            useHostResolvConf = lib.mkForce false;
+          };
+          services.resolved.enable = true;
+
+        };
+    };
+
+    networking = {
+      nat = {
+        forwardPorts = [
+          {
+            destination = "${localAddress}:443";
+            sourcePort = nextcloudPortExtHttps;
+          }
+          {
+            destination = "${localAddress}:80";
+            sourcePort = nextcloudPortExtHttp;
+          }
+          {
+            destination = "${localAddress}:8000";
+            sourcePort = 8000;
+          }
+          {
+            destination = "${localAddress}:${toString onlyofficePortExt}";
+            sourcePort = onlyofficePortExt;
+          }
+        ];
+      };
+    };
+  };
+}

modules/nixos/nextcloud/options.nix

@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.nextcloud = {
+    enable = mkEnableOption "enable nextcloud";
+  };
+}

modules/nixos/ollama/default.nix

@@ -0,0 +1,77 @@
+{ config, lib, pkgs, namespace, ... }:
+with lib;
+let
+  cfg = config.${namespace}.services.ollama;
+
+  llamaPackage = pkgs.llama-cpp.overrideAttrs (old: {
+    src = pkgs.fetchFromGitHub {
+      owner  = "ggml-org";
+      repo   = "llama.cpp";
+      rev    = "b4920";
+      sha256 = "sha256-SnQIeY74JpAPRMxWcpklDH5D4CQvAgi0GYx5+ECk2J4=";
+    };
+    # Optionally override other attributes if you need to
+    # version = "my-fork-version";
+    # pname = "llama-cpp-custom";
+  });
+in
+{
+  imports  = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    services.ollama = {
+      enable = true;
+      port = 11434;
+      host = "0.0.0.0";
+      user = "nix-apps";
+      group = "jallen-nas";
+      openFirewall = true;
+      acceleration = "cuda";
+      home = "/media/nas/ssd/nix-app-data/ollama";
+    };
+
+    environment.systemPackages = [ llamaPackage ];
+
+    services.llama-cpp = {
+      enable = true;
+      port = 8127;
+      host = "0.0.0.0";
+      openFirewall = true;
+      model = "/media/nas/ssd/nix-app-data/llama-cpp/models/functionary-small-v3.2-GGUF/functionary-small-v3.2.Q4_0.gguf";
+      package = llamaPackage; # pkgs.unstable.llama-cpp;
+      extraFlags = [
+        "--n_gpu-layers"
+        "500"
+        "-c"
+        "0"
+        "--numa"
+        "numactl"
+        "--jinja"
+      ];
+    };
+
+    services.open-webui = {
+      enable = false;
+      host = "0.0.0.0";
+      port = 8888;
+      openFirewall = true;
+      # stateDir = "/media/nas/ssd/nix-app-data/open-webui";
+      environmentFile = config.sops.secrets."jallen-nas/open-webui".path;
+      environment = {
+        OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
+        OAUTH_PROVIDER_NAME = "authentik";
+        OPENID_REDIRECT_URI = "https://chat.mjallen.dev/oauth/oidc/callback";
+        ENABLE_OAUTH_SIGNUP = "False";
+        OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "True";
+        ENABLE_SIGNUP = "False";
+        ENABLE_LOGIN_FORM = "False";
+        ANONYMIZED_TELEMETRY = "False";
+        DO_NOT_TRACK = "True";
+        SCARF_NO_ANALYTICS = "True";
+        OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
+        LOCAL_FILES_ONLY = "False";
+        WEBUI_AUTH = "False";
+      };
+    };
+  };
+}

modules/nixos/ollama/options.nix

@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.ollama = {
+    enable = mkEnableOption "enable ollama";
+  };
+}

modules/nixos/paperless/default.nix

@@ -0,0 +1,106 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+  cfg = config.${namespace}.services.paperless;
+
+  paperlessPort = 28981;
+  paperlessUserId = config.users.users.nix-apps.uid;
+  paperlessGroupId = config.users.groups.jallen-nas.gid;
+  paperlessEnv = config.sops.templates."paperless.env".path;
+  paperlessPkg = pkgs.paperless-ngx;
+in
+{
+  imports  = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    containers.paperless = {
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "10.0.1.3";
+      localAddress = "10.0.1.20";
+      hostAddress6 = "fc00::1";
+      localAddress6 = "fc00::20";
+
+      config =
+        {
+          lib,
+          ...
+        }:
+        {
+          # Enable paperless service
+          services.paperless = {
+            enable = false;
+            package = paperlessPkg;
+            port = paperlessPort;
+            user = "paperless";
+            address = "0.0.0.0";
+            passwordFile = "/var/lib/paperless/paperless-password";
+            # environmentFile = paperlessEnv; # unstable is too unstable, but this doesnt exist in stable.... disabling altogether....
+          };
+
+          # Create required users and groups
+          users.groups = {
+            documents = {
+              gid = lib.mkForce paperlessGroupId;
+            };
+          };
+
+          users.users.paperless = {
+            isSystemUser = true;
+            uid = lib.mkForce paperlessUserId;
+            group = lib.mkForce "documents";
+          };
+
+          # Create and set permissions for required directories
+          system.activationScripts.paperless-dirs = ''
+            mkdir -p /var/lib/paperless
+
+            chown -R paperless:documents /var/lib/paperless
+
+            chmod -R 775 /var/lib/paperless
+
+          '';
+
+          networking = {
+            firewall = {
+              enable = true;
+              allowedTCPPorts = [ paperlessPort ];
+            };
+            # Use systemd-resolved inside the container
+            # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+            useHostResolvConf = lib.mkForce false;
+          };
+
+          services.resolved.enable = true;
+          system.stateVersion = "23.11";
+        };
+
+      # Bind mount directories from host
+      bindMounts = {
+        "/var/lib/paperless" = {
+          hostPath = "/media/nas/ssd/nix-app-data/paperless";
+          isReadOnly = false;
+        };
+        secrets = {
+          hostPath = "/run/secrets/jallen-nas/paperless";
+          isReadOnly = true;
+          mountPoint = "/run/secrets/jallen-nas/paperless";
+        };
+        secret-env = {
+          hostPath = "/run/secrets/rendered/paperless.env";
+          isReadOnly = true;
+          mountPoint = "/run/secrets/rendered/paperless.env";
+        };
+      };
+    };
+
+    networking.nat = {
+      forwardPorts = [
+        {
+          destination = "10.0.1.20:28981";
+          sourcePort = paperlessPort;
+        }
+      ];
+    };
+  };
+}

modules/nixos/paperless/options.nix

@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.paperless = {
+    enable = mkEnableOption "enable paperless";
+  };
+}

modules/nixos/traefik/default.nix

@@ -0,0 +1,397 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+  cfg = config.${namespace}.services.traefik;
+
+  domain = "mjallen.dev";
+  serverIp = "10.0.1.3";
+
+  # Forward services
+  authUrl = "http://${serverIp}:9000/outpost.goauthentik.io";
+
+  actualUrl = "http://${config.containers.actual.localAddress}:${toString config.containers.actual.config.services.actual.settings.port}";
+  authentikUrl = "http://${serverIp}:9000";
+  cacheUrl = "http://${serverIp}:9012";
+  cloudUrl = "http://${config.containers.nextcloud.localAddress}:80";
+  giteaUrl = "http://${config.containers.gitea.localAddress}:${toString config.containers.gitea.config.services.gitea.settings.server.HTTP_PORT}";
+  hassUrl = "http://homeassistant.local:8123";
+  immichUrl = "http://${serverIp}:${toString config.services.immich.port}";
+  jellyfinUrl = "http://${serverIp}:8096";
+  jellyseerrUrl = "http://${config.containers.jellyseerr.localAddress}:${toString config.containers.jellyseerr.config.services.jellyseerr.port}";
+  lubeloggerUrl = "http://${serverIp}:6754";
+  onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
+  openWebUIUrl = "http://${serverIp}:8888";
+  paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";
+
+  # Plugins
+  traefikPlugins = {
+    bouncer = {
+      moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
+      version = "v1.4.2";
+    };
+    geoblock = {
+      moduleName = "github.com/PascalMinder/geoblock";
+      version = "v0.2.5";
+    };
+  };
+
+  crowdsecAppsecHost = "${serverIp}:7422";
+  crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
+
+  # Ports
+  httpPort = 80;
+  httpsPort = 443;
+  traefikPort = 8080;
+  metricsPort = 8082;
+
+  forwardPorts = [
+      httpPort
+      httpsPort
+      traefikPort
+      metricsPort
+  ];
+
+  # misc
+  letsEncryptEmail = "jalle008@proton.me";
+  dataDir = "/media/nas/ssd/nix-app-data/traefik";
+  authentikAddress = "http://${serverIp}:9000/outpost.goauthentik.io/auth/traefik";
+in
+{
+  imports  = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    sops = {
+      secrets = {
+        "jallen-nas/traefik/crowdsec-lapi-key" = {
+          owner = config.users.users.traefik.name;
+          group = config.users.users.traefik.group;
+          restartUnits = [ "traefik.service" ];
+        };
+        "jallen-nas/traefik/cloudflare-dns-api-token" = { };
+        "jallen-nas/traefik/cloudflare-zone-api-token" = { };
+        "jallen-nas/traefik/cloudflare-api-key" = { };
+        "jallen-nas/traefik/cloudflare-email" = { };
+      };
+      templates = {
+        "traefik.env" = {
+          content = ''
+            CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
+            CLOUDFLARE_ZONE_API_TOKEN =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
+            CLOUDFLARE_API_KEY =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
+            CLOUDFLARE_EMAIL =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
+          '';
+          owner = config.users.users.traefik.name;
+          group = config.users.users.traefik.group;
+          restartUnits = [ "traefik.service" ];
+        };
+      };
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = forwardPorts;
+      allowedUDPPorts = forwardPorts;
+    };
+
+    services.traefik = {
+      enable = true;
+      dataDir = dataDir;
+      group = "jallen-nas";#group;
+      environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
+
+      staticConfigOptions = {
+        entryPoints = {
+          web = {
+            address = ":${toString httpPort}";
+            asDefault = true;
+            http.redirections.entrypoint = {
+              to = "websecure";
+              scheme = "https";
+            };
+          };
+
+          websecure = {
+            address = ":${toString httpsPort}";
+            asDefault = true;
+            http.tls.certResolver = "letsencrypt";
+          };
+
+          metrics = {
+            address = ":${toString metricsPort}"; # Port for metrics
+          };
+        };
+
+        log = {
+          level = "INFO";
+        };
+
+        metrics = {
+          prometheus = {
+            entryPoint = "metrics";
+            addEntryPointsLabels = true;
+            addServicesLabels = true;
+            buckets = [0.1 0.3 1.2 5.0];  # Response time buckets
+          };
+        };
+
+        certificatesResolvers.letsencrypt.acme = {
+          email = letsEncryptEmail;
+          storage = "${config.services.traefik.dataDir}/acme.json";
+          dnsChallenge = {
+            provider = "cloudflare";
+            resolvers = [
+              "1.1.1.1:53"
+              "8.8.8.8:53"
+            ];
+          };
+        };
+
+        api.dashboard = true;
+        # Access the Traefik dashboard on <Traefik IP>:8080 of your server
+        api.insecure = true;
+
+        experimental = {
+          plugins = traefikPlugins;
+        };
+      };
+
+      dynamicConfigOptions = {
+        http = {
+          middlewares = {
+            authentik = {
+              forwardAuth = {
+                tls.insecureSkipVerify = true;
+                address = authentikAddress;
+                trustForwardHeader = true;
+                authResponseHeaders = [
+                  "X-authentik-username"
+                  "X-authentik-groups"
+                  "X-authentik-email"
+                  "X-authentik-name"
+                  "X-authentik-uid"
+                  "X-authentik-jwt"
+                  "X-authentik-meta-jwks"
+                  "X-authentik-meta-outpost"
+                  "X-authentik-meta-provider"
+                  "X-authentik-meta-app"
+                  "X-authentik-meta-version"
+                ];
+              };
+            };
+            onlyoffice-websocket = {
+              headers.customrequestheaders = {
+                X-Forwarded-Proto = "https";
+              };
+            };
+            crowdsec = {
+              plugin = {
+                bouncer = {
+                  crowdsecAppsecEnabled = true;
+                  crowdsecAppsecHost = crowdsecAppsecHost;
+                  crowdsecAppsecFailureBlock = true;
+                  crowdsecAppsecUnreachableBlock = true;
+                  crowdsecLapiKeyFile = crowdsecLapiKeyFile;
+                };
+              };
+            };
+            whitelist-geoblock = {
+              plugin = {
+                geoblock = {
+                  silentStartUp = false;
+                  allowLocalRequests = true;
+                  logLocalRequests = false;
+                  logAllowedRequests = false;
+                  logApiRequests = false;
+                  api = "https://get.geojs.io/v1/ip/country/{ip}";
+                  apiTimeoutMs = 500;
+                  cacheSize = 25;
+                  forceMonthlyUpdate = true;
+                  allowUnknownCountries = false;
+                  unknownCountryApiResponse = "nil";
+                  blackListMode = false;
+                  countries = [
+                    "CA"
+                    "US"
+                  ];
+                };
+              };
+            };
+            internal-ipallowlist = 
+            {
+              ipAllowList = {
+                sourceRange = [
+                  "127.0.0.1/32"
+                  "10.0.1.0/24"
+                ];
+              };
+            };
+          };
+
+          services = {
+            auth.loadBalancer.servers = [
+              {
+                url = authUrl;
+              }
+            ];
+
+            actual.loadBalancer.servers = [
+              {
+                url = actualUrl;
+              }
+            ];
+            authentik.loadBalancer.servers = [
+              {
+                url = authentikUrl;
+              }
+            ];
+            cache.loadBalancer.servers = [
+              {
+                url = cacheUrl;
+              }
+            ];
+            chat.loadBalancer.servers = [
+              {
+                url = openWebUIUrl;
+              }
+            ];
+            cloud.loadBalancer.servers = [
+              {
+                url = cloudUrl;
+              }
+            ];
+            gitea.loadBalancer.servers = [
+              {
+                url = giteaUrl;
+              }
+            ];
+            hass.loadBalancer.servers = [
+              {
+                url = hassUrl;
+              }
+            ];
+            immich.loadBalancer.servers = [
+              {
+                url = immichUrl;
+              }
+            ];
+            jellyfin.loadBalancer.servers = [
+              {
+                url = jellyfinUrl;
+              }
+            ];
+            jellyseerr.loadBalancer.servers = [
+              {
+                url = jellyseerrUrl;
+              }
+            ];
+            lubelogger.loadBalancer.servers = [
+              {
+                url = lubeloggerUrl;
+              }
+            ];
+            onlyoffice.loadBalancer.servers = [
+              {
+                url = onlyofficeUrl;
+              }
+            ];
+            paperless.loadBalancer.servers = [
+              {
+                url = paperlessUrl;
+              }
+            ];
+          };
+
+          routers = {
+            auth = {
+              entryPoints = [ "websecure" ];
+              rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
+              service = "auth";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              priority = 15;
+              tls.certResolver = "letsencrypt";
+            };
+
+            actual = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`actual.${domain}`)";
+              service = "actual";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              tls.certResolver = "letsencrypt";
+            };
+            authentik = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`authentik.${domain}`)";
+              service = "authentik";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              tls.certResolver = "letsencrypt";
+            };
+            cache = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`cache.${domain}`)";
+              service = "cache";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              priority = 10;
+              tls.certResolver = "letsencrypt";
+            };
+            cloud = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`cloud.${domain}`)";
+              service = "cloud";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              tls.certResolver = "letsencrypt";
+            };
+            gitea = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`gitea.${domain}`)";
+              service = "gitea";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              tls.certResolver = "letsencrypt";
+            };
+            hass = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`hass.${domain}`)";
+              service = "hass";
+              middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
+              priority = 10;
+              tls.certResolver = "letsencrypt";
+            };
+            immich = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`immich.${domain}`)";
+              service = "immich";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              tls.certResolver = "letsencrypt";
+            };
+            jellyfin = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`jellyfin.${domain}`)";
+              service = "jellyfin";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              tls.certResolver = "letsencrypt";
+            };
+            jellyseerr = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`jellyseerr.${domain}`)";
+              service = "jellyseerr";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              tls.certResolver = "letsencrypt";
+            };
+            lubelogger = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`lubelogger.${domain}`)";
+              service = "lubelogger";
+              middlewares = [ "crowdsec" "whitelist-geoblock" ];
+              tls.certResolver = "letsencrypt";
+            };
+            onlyoffice = {
+              entryPoints = [ "websecure" ];
+              rule = "Host(`office.${domain}`)";
+              service = "onlyoffice";
+              middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
+              tls.certResolver = "letsencrypt";
+            };
+          };
+        };
+      };
+    };
+  };
+}

modules/nixos/traefik/options.nix

@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.traefik = {
+    enable = mkEnableOption "enable traefik";
+  };
+}

modules/nixos/wyoming/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+  cfg = config.${namespace}.services.wyoming;
+in
+{
+  imports  = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    services.wyoming = {
+      faster-whisper.servers.hass-whisper = {
+        enable = true;
+        useTransformers = false;
+        device = "cuda";
+        language = "en";
+        model = "distil-large-v3";
+        uri = "tcp://0.0.0.0:10300";
+      };
+
+      piper.servers.hass-piper = {
+        enable = true;
+        voice = "en-us-ryan-high";
+        uri = "tcp://0.0.0.0:10200";
+      };
+    };
+  };
+}

modules/nixos/wyoming/options.nix

@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.wyoming = {
+    enable = mkEnableOption "enable wyoming";
+  };
+}

systems/x86_64-linux/nas/apps.nix

@@ -1,25 +1,18 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, namespace, ... }:
-let
-  settings = import ./settings.nix;
-in
 {
-  imports = [
+  ${namespace} = {
-    ./apps/actual
+    services = {
-    ./apps/arrs
+      immich.enable = true;
-    ./apps/crowdsec
+      jellyfin.enable = true;
-    ./apps/excalidraw
+      jellyseerr.enable = true;
-    ./apps/gitea
+      lubelogger.enable = true;
-    ./apps/immich
+      nextcloud.enable = true;
-    ./apps/jellyfin
+      ollama.enable = true;
-    ./apps/jellyseerr
+      paperless.enable = true;
-    ./apps/lubelogger
+      traefik.enable = true;
-    ./apps/nextcloud
+      wyoming.enable = true;
-    ./apps/ollama
+    };
-    ./apps/orca
+  };
-    ./apps/paperless
-    ./apps/traefik
-    ./apps/wyoming
-  ];
 
   nas-apps = {
     actual = {
@@ -71,7 +64,7 @@ in
     crowdsec = {
       enable = true;
       port = 9898;
-      apiAddress = settings.hostAddress;
+      apiAddress = "10.0.1.3";
       apiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
       dataDir = "/media/nas/ssd/nix-app-data/crowdsec";
     };

systems/x86_64-linux/nas/apps/excalidraw/default.nix

@@ -1,13 +0,0 @@
-{ config, ... }:
-{
-  virtualisation.oci-containers.containers.excalidraw = {
-    autoStart = true;
-    image = "excalidraw/excalidraw";
-    ports = [ "8765:80" ];
-    environment = {
-      PUID = toString config.users.users.nix-apps.uid;
-      PGID = toString config.users.groups.jallen-nas.gid;
-      TZ = "America/Chicago";
-    };
-  };
-}

systems/x86_64-linux/nas/apps/immich/default.nix

@@ -1,27 +0,0 @@
-{ config, lib, ... }:
-let
-  settings = import ../../settings.nix;
-  immichPort = 2283;
-  dataDir = "/media/nas/main/photos";
-  dbPassword = config.sops.secrets."jallen-nas/immich/db-password".path;
-in
-{
-  # Enable immich service
-  services.immich = {
-    enable = true;
-    port = immichPort;
-    openFirewall = true;
-    secretsFile = dbPassword;
-    mediaLocation = dataDir;
-
-    environment = {
-      IMMICH_HOST = lib.mkForce "0.0.0.0";
-      IMMICH_TRUSTED_PROXIES = settings.hostAddress;
-      TZ = "America/Chicago";
-    };
-
-    machine-learning = {
-      enable = true;
-    };
-  };
-}

systems/x86_64-linux/nas/apps/jellyfin/default.nix

@@ -1,11 +0,0 @@
-{ ... }:
-{
-  services.jellyfin = {
-    enable = true;
-    openFirewall = true;
-    user = "nix-apps";
-    group = "jallen-nas";
-    dataDir = "/media/nas/ssd/nix-app-data/jellyfin";
-    # cacheDir = "/cache";
-  };
-}

systems/x86_64-linux/nas/apps/jellyseerr/default.nix

@@ -1,73 +0,0 @@
-{ ... }:
-
-let
-  jellyseerrPort = 5055;
-  dataDir = "/var/lib/private/jellyseerr";
-  settings = import ../../settings.nix;
-in
-{
-  containers.jellyseerr = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = settings.hostAddress;
-    localAddress = "10.0.1.52";
-    hostAddress6 = "fc00::1";
-    localAddress6 = "fc00::4";
-
-    bindMounts = {
-      ${dataDir} = {
-        hostPath = "/media/nas/ssd/nix-app-data/jellyseerr";
-        isReadOnly = false;
-      };
-    };
-
-    config =
-      {
-        lib,
-        ...
-      }:
-      {
-        # Enable jellyseerr service
-        services.jellyseerr = {
-          enable = true;
-          port = jellyseerrPort;
-          # package = package;
-          openFirewall = true;
-        };
-
-        networking = {
-          firewall = {
-            enable = true;
-            allowedTCPPorts = [ jellyseerrPort ];
-          };
-          # Use systemd-resolved inside the container
-          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-          useHostResolvConf = lib.mkForce false;
-        };
-
-        # Create and set permissions for required directories
-        system.activationScripts.jellyseerr-dirs = ''
-          mkdir -p /var/lib/private/jellyseerr
-
-          chown -R jellyseerr:jellyseerr /var/lib/private/jellyseerr
-
-          chmod -R 775 /var/lib/private/jellyseerr
-
-          ln -sf /var/lib/private/jellyseerr /var/lib/jellyfin
-
-        '';
-
-        services.resolved.enable = true;
-        system.stateVersion = "23.11";
-      };
-  };
-
-  networking.nat = {
-    forwardPorts = [
-      {
-        destination = "10.0.1.52:5055";
-        sourcePort = jellyseerrPort;
-      }
-    ];
-  };
-}

systems/x86_64-linux/nas/apps/lubelogger/default.nix

@@ -1,20 +0,0 @@
-{ config, ... }:
-{
-  virtualisation.oci-containers.containers.lubelogger = {
-    autoStart = true;
-    image = "ghcr.io/hargata/lubelogger";
-    ports = [ "6754:8080" ];
-    volumes = [ 
-      "/media/nas/ssd/nix-app-data/lubelogger:/App/data"
-      "/media/nas/ssd/nix-app-data/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
-    ];
-    environmentFiles = [
-      "/media/nas/ssd/nix-app-data/lubelogger/lubelogger.env"
-    ];
-    environment = {
-      PUID = toString config.users.users.nix-apps.uid;
-      PGID = toString config.users.groups.jallen-nas.gid;
-      TZ = "America/Chicago";
-    };
-  };
-}

systems/x86_64-linux/nas/apps/nextcloud/default.nix

@@ -1,237 +0,0 @@
-{ config, pkgs, namespace, ... }:
-let
-  settings = import ../../settings.nix;
-  adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
-  secretsFile =  config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
-  jwtSecretFile =  config.sops.secrets."jallen-nas/onlyoffice-key".path;
-  nextcloudUserId = config.users.users.nix-apps.uid;
-  nextcloudGroupId = config.users.groups.jallen-nas.gid;
-  nextcloudPackage = pkgs.nextcloud31;
-  hostAddress = settings.hostAddress;
-  localAddress = "10.0.2.18";
-  nextcloudPortExtHttp = 9988;
-  nextcloudPortExtHttps = 9943;
-  onlyofficePortExt = 9943;
-
-  systemPackages = with pkgs; [
-    cudaPackages.cudnn
-    cudatoolkit
-    ffmpeg
-    # libtensorflow-bin
-    nextcloud31
-    nodejs
-    onlyoffice-documentserver
-    sqlite
-  ];
-in
-{
-  containers.nextcloud = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = hostAddress;
-    localAddress = localAddress;
-    specialArgs = {
-      inherit namespace;
-    };
-
-    bindMounts = {
-      secrets = {
-        hostPath = "/run/secrets/jallen-nas/nextcloud";
-        isReadOnly = true;
-        mountPoint = "/run/secrets/jallen-nas/nextcloud";
-      };
-      
-      secrets2 = {
-        hostPath = "/run/secrets/jallen-nas/onlyoffice-key";
-        isReadOnly = true;
-        mountPoint = "/run/secrets/jallen-nas/onlyoffice-key";
-      };
-
-      data = {
-        hostPath = "/media/nas/main/nextcloud";
-        isReadOnly = false;
-        mountPoint = "/data";
-      };
-
-      "/var/lib/nextcloud" = {
-        hostPath = "/media/nas/ssd/nix-app-data/nextcloud";
-        isReadOnly = false;
-        mountPoint = "/var/lib/nextcloud";
-      };
-
-      "/var/lib/onlyoffice" = {
-        hostPath = "/media/nas/ssd/nix-app-data/onlyoffice";
-        isReadOnly = false;
-        mountPoint = "/var/lib/onlyoffice";
-      };
-    };
-
-    config =
-      { pkgs, lib, namespace, ... }:
-      {
-        nixpkgs.config.allowUnfree = true;
-        networking.extraHosts = ''
-            ${hostAddress} host.containers protonmail-bridge
-          '';
-
-        services = {
-          nextcloud = {
-            enable = true;
-            package = nextcloudPackage;
-            # datadir = "/data";
-            database.createLocally = true;
-            hostName = "cloud.mjallen.dev";
-            appstoreEnable = true;
-            caching.redis = true;
-            configureRedis = true;
-            enableImagemagick = true;
-            https = true;
-            secretFile = secretsFile;
-
-            config = {
-              adminuser = "mjallen";
-              adminpassFile = adminpass;
-              dbhost = "localhost";
-              dbtype = "sqlite";
-              dbname = "nextcloud";
-              dbuser = "nextcloud";
-            };
-            settings = {
-              loglevel = 3;
-              allow_local_remote_servers = true;
-              upgrade.disable-web = false;
-              datadirectory = "/data";
-              trusted_domains = [
-                "${hostAddress}:${toString nextcloudPortExtHttp}"
-                "${hostAddress}:${toString nextcloudPortExtHttps}"
-                "${localAddress}:80"
-                "${localAddress}:443"
-                "cloud.mjallen.dev"
-              ];
-              opcache.interned_strings_buffer = 16;
-              trusted_proxies = [ hostAddress ];
-              maintenance_window_start = 6;
-              default_phone_region = "US";
-              enable_previews = true;
-              enabledPreviewProviders = [
-                "OC\\Preview\\PNG"
-                "OC\\Preview\\JPEG"
-                "OC\\Preview\\GIF"
-                "OC\\Preview\\BMP"
-                "OC\\Preview\\XBitmap"
-                "OC\\Preview\\MP3"
-                "OC\\Preview\\TXT"
-                "OC\\Preview\\MarkDown"
-                "OC\\Preview\\OpenDocument"
-                "OC\\Preview\\Krita"
-                "OC\\Preview\\HEIC"
-                "OC\\Preview\\Movie"
-                "OC\\Preview\\MSOffice2003"
-                "OC\\Preview\\MSOffice2007"
-                "OC\\Preview\\MSOfficeDoc"
-              ];
-              installed = true;
-              user_oidc = {
-                auto_provision = false;
-                soft_auto_provision = false;
-                allow_multiple_user_backends = false; # auto redirect to authentik for login
-              };
-            };
-          };
-        };
-
-        services.onlyoffice = {
-          enable = true;
-          port = onlyofficePortExt;
-          hostname = "office.mjallen.dev";
-          jwtSecretFile = jwtSecretFile;
-        };
-
-        # System packages
-        environment.systemPackages = systemPackages;
-
-        # Create required users and groups
-        users.users.nextcloud = {
-          isSystemUser = true;
-          uid = lib.mkForce nextcloudUserId;
-          group = "nextcloud";
-        };
-
-        users.users.onlyoffice = {
-          group = lib.mkForce "nextcloud";
-        };
-
-        users.groups = {
-          nextcloud = {
-            gid = lib.mkForce nextcloudGroupId;
-          };
-          downloads = { };
-        };
-
-        # Create and set permissions for required directories
-        system.activationScripts.nextcloud-dirs = ''
-          mkdir -p /data
-
-          chown -R nextcloud:nextcloud /data
-
-          chown  -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
-
-          chmod -R 775 /data
-
-          chmod  -R 750 /run/secrets/jallen-nas/nextcloud
-
-        '';
-
-        hardware = {
-          graphics = {
-            enable = true;
-            # setLdLibraryPath = true;
-          };
-        };
-
-        programs = {
-          nix-ld.enable = true;
-        };
-
-        system.stateVersion = "23.11";
-        networking = {
-          firewall = {
-            enable = true;
-            allowedTCPPorts = [
-              80
-              443
-              onlyofficePortExt
-            ];
-          };
-          # Use systemd-resolved inside the container
-          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-          useHostResolvConf = lib.mkForce false;
-        };
-        services.resolved.enable = true;
-
-      };
-  };
-
-  networking = {
-    nat = {
-      forwardPorts = [
-        {
-          destination = "${localAddress}:443";
-          sourcePort = nextcloudPortExtHttps;
-        }
-        {
-          destination = "${localAddress}:80";
-          sourcePort = nextcloudPortExtHttp;
-        }
-        {
-          destination = "${localAddress}:8000";
-          sourcePort = 8000;
-        }
-        {
-          destination = "${localAddress}:${toString onlyofficePortExt}";
-          sourcePort = onlyofficePortExt;
-        }
-      ];
-    };
-  };
-}

systems/x86_64-linux/nas/apps/ollama/default.nix

@@ -1,70 +0,0 @@
-{ config, pkgs, ... }:
-let
-  llamaPackage = pkgs.llama-cpp.overrideAttrs (old: {
-    src = pkgs.fetchFromGitHub {
-      owner  = "ggml-org";
-      repo   = "llama.cpp";
-      rev    = "b4920";
-      sha256 = "sha256-SnQIeY74JpAPRMxWcpklDH5D4CQvAgi0GYx5+ECk2J4=";
-    };
-    # Optionally override other attributes if you need to
-    # version = "my-fork-version";
-    # pname = "llama-cpp-custom";
-  });
-in
-{
-  services.ollama = {
-    enable = true;
-    port = 11434;
-    host = "0.0.0.0";
-    user = "nix-apps";
-    group = "jallen-nas";
-    openFirewall = true;
-    acceleration = "cuda";
-    home = "/media/nas/ssd/nix-app-data/ollama";
-  };
-
-  environment.systemPackages = [ llamaPackage ];
-
-  services.llama-cpp = {
-    enable = true;
-    port = 8127;
-    host = "0.0.0.0";
-    openFirewall = true;
-    model = "/media/nas/ssd/nix-app-data/llama-cpp/models/functionary-small-v3.2-GGUF/functionary-small-v3.2.Q4_0.gguf";
-    package = llamaPackage; # pkgs.unstable.llama-cpp;
-    extraFlags = [
-      "--n_gpu-layers"
-      "500"
-      "-c"
-      "0"
-      "--numa"
-      "numactl"
-      "--jinja"
-    ];
-  };
-
-  services.open-webui = {
-    enable = false;
-    host = "0.0.0.0";
-    port = 8888;
-    openFirewall = true;
-    # stateDir = "/media/nas/ssd/nix-app-data/open-webui";
-    environmentFile = config.sops.secrets."jallen-nas/open-webui".path;
-    environment = {
-      OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
-      OAUTH_PROVIDER_NAME = "authentik";
-      OPENID_REDIRECT_URI = "https://chat.mjallen.dev/oauth/oidc/callback";
-      ENABLE_OAUTH_SIGNUP = "False";
-      OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "True";
-      ENABLE_SIGNUP = "False";
-      ENABLE_LOGIN_FORM = "False";
-      ANONYMIZED_TELEMETRY = "False";
-      DO_NOT_TRACK = "True";
-      SCARF_NO_ANALYTICS = "True";
-      OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
-      LOCAL_FILES_ONLY = "False";
-      WEBUI_AUTH = "False";
-    };
-  };
-}

systems/x86_64-linux/nas/apps/paperless/default.nix

@@ -1,104 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}:
-let
-  settings = import ../../settings.nix;
-  paperlessPort = 28981;
-  paperlessUserId = config.users.users.nix-apps.uid;
-  paperlessGroupId = config.users.groups.jallen-nas.gid;
-  paperlessEnv = config.sops.templates."paperless.env".path;
-  paperlessPkg = pkgs.paperless-ngx;
-in
-{
-  containers.paperless = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = settings.hostAddress;
-    localAddress = "10.0.1.20";
-    hostAddress6 = "fc00::1";
-    localAddress6 = "fc00::20";
-
-    config =
-      {
-        lib,
-        ...
-      }:
-      {
-        # Enable paperless service
-        services.paperless = {
-          enable = false;
-          package = paperlessPkg;
-          port = paperlessPort;
-          user = "paperless";
-          address = "0.0.0.0";
-          passwordFile = "/var/lib/paperless/paperless-password";
-          # environmentFile = paperlessEnv; # unstable is too unstable, but this doesnt exist in stable.... disabling altogether....
-        };
-
-        # Create required users and groups
-        users.groups = {
-          documents = {
-            gid = lib.mkForce paperlessGroupId;
-          };
-        };
-
-        users.users.paperless = {
-          isSystemUser = true;
-          uid = lib.mkForce paperlessUserId;
-          group = lib.mkForce "documents";
-        };
-
-        # Create and set permissions for required directories
-        system.activationScripts.paperless-dirs = ''
-          mkdir -p /var/lib/paperless
-
-          chown -R paperless:documents /var/lib/paperless
-
-          chmod -R 775 /var/lib/paperless
-
-        '';
-
-        networking = {
-          firewall = {
-            enable = true;
-            allowedTCPPorts = [ paperlessPort ];
-          };
-          # Use systemd-resolved inside the container
-          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-          useHostResolvConf = lib.mkForce false;
-        };
-
-        services.resolved.enable = true;
-        system.stateVersion = "23.11";
-      };
-
-    # Bind mount directories from host
-    bindMounts = {
-      "/var/lib/paperless" = {
-        hostPath = "/media/nas/ssd/nix-app-data/paperless";
-        isReadOnly = false;
-      };
-      secrets = {
-        hostPath = "/run/secrets/jallen-nas/paperless";
-        isReadOnly = true;
-        mountPoint = "/run/secrets/jallen-nas/paperless";
-      };
-      secret-env = {
-        hostPath = "/run/secrets/rendered/paperless.env";
-        isReadOnly = true;
-        mountPoint = "/run/secrets/rendered/paperless.env";
-      };
-    };
-  };
-
-  networking.nat = {
-    forwardPorts = [
-      {
-        destination = "10.0.1.20:28981";
-        sourcePort = paperlessPort;
-      }
-    ];
-  };
-}

systems/x86_64-linux/nas/apps/traefik/default.nix

@@ -1,391 +0,0 @@
-{ config, ... }:
-let
-  settings = import ../../settings.nix;
-  domain = "mjallen.dev";
-  serverIp = settings.hostAddress;
-
-  # Forward services
-  authUrl = "http://${serverIp}:9000/outpost.goauthentik.io";
-
-  actualUrl = "http://${config.containers.actual.localAddress}:${toString config.containers.actual.config.services.actual.settings.port}";
-  authentikUrl = "http://${serverIp}:9000";
-  cacheUrl = "http://${serverIp}:9012";
-  cloudUrl = "http://${config.containers.nextcloud.localAddress}:80";
-  giteaUrl = "http://${config.containers.gitea.localAddress}:${toString config.containers.gitea.config.services.gitea.settings.server.HTTP_PORT}";
-  hassUrl = "http://homeassistant.local:8123";
-  immichUrl = "http://${serverIp}:${toString config.services.immich.port}";
-  jellyfinUrl = "http://${serverIp}:8096";
-  jellyseerrUrl = "http://${config.containers.jellyseerr.localAddress}:${toString config.containers.jellyseerr.config.services.jellyseerr.port}";
-  lubeloggerUrl = "http://${serverIp}:6754";
-  onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
-  openWebUIUrl = "http://${serverIp}:8888";
-  paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";
-
-  # Plugins
-  traefikPlugins = {
-    bouncer = {
-      moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
-      version = "v1.4.2";
-    };
-    geoblock = {
-      moduleName = "github.com/PascalMinder/geoblock";
-      version = "v0.2.5";
-    };
-  };
-
-  crowdsecAppsecHost = "${serverIp}:7422";
-  crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
-
-  # Ports
-  httpPort = 80;
-  httpsPort = 443;
-  traefikPort = 8080;
-  metricsPort = 8082;
-
-  forwardPorts = [
-      httpPort
-      httpsPort
-      traefikPort
-      metricsPort
-  ];
-
-  # misc
-  letsEncryptEmail = "jalle008@proton.me";
-  dataDir = "/media/nas/ssd/nix-app-data/traefik";
-  authentikAddress = "http://${serverIp}:9000/outpost.goauthentik.io/auth/traefik";
-in
-{
-  sops = {
-    secrets = {
-      "jallen-nas/traefik/crowdsec-lapi-key" = {
-        owner = config.users.users.traefik.name;
-        group = config.users.users.traefik.group;
-        restartUnits = [ "traefik.service" ];
-      };
-      "jallen-nas/traefik/cloudflare-dns-api-token" = { };
-      "jallen-nas/traefik/cloudflare-zone-api-token" = { };
-      "jallen-nas/traefik/cloudflare-api-key" = { };
-      "jallen-nas/traefik/cloudflare-email" = { };
-    };
-    templates = {
-      "traefik.env" = {
-        content = ''
-          CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
-          CLOUDFLARE_ZONE_API_TOKEN =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
-          CLOUDFLARE_API_KEY =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
-          CLOUDFLARE_EMAIL =  ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
-        '';
-        owner = config.users.users.traefik.name;
-        group = config.users.users.traefik.group;
-        restartUnits = [ "traefik.service" ];
-      };
-    };
-  };
-
-  networking.firewall = {
-    allowedTCPPorts = forwardPorts;
-    allowedUDPPorts = forwardPorts;
-  };
-
-  services.traefik = {
-    enable = true;
-    dataDir = dataDir;
-    group = "jallen-nas";#group;
-    environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
-
-    staticConfigOptions = {
-      entryPoints = {
-        web = {
-          address = ":${toString httpPort}";
-          asDefault = true;
-          http.redirections.entrypoint = {
-            to = "websecure";
-            scheme = "https";
-          };
-        };
-
-        websecure = {
-          address = ":${toString httpsPort}";
-          asDefault = true;
-          http.tls.certResolver = "letsencrypt";
-        };
-
-        metrics = {
-          address = ":${toString metricsPort}"; # Port for metrics
-        };
-      };
-
-      log = {
-        level = "INFO";
-      };
-
-      metrics = {
-        prometheus = {
-          entryPoint = "metrics";
-          addEntryPointsLabels = true;
-          addServicesLabels = true;
-          buckets = [0.1 0.3 1.2 5.0];  # Response time buckets
-        };
-      };
-
-      certificatesResolvers.letsencrypt.acme = {
-        email = letsEncryptEmail;
-        storage = "${config.services.traefik.dataDir}/acme.json";
-        dnsChallenge = {
-          provider = "cloudflare";
-          resolvers = [
-            "1.1.1.1:53"
-            "8.8.8.8:53"
-          ];
-        };
-      };
-
-      api.dashboard = true;
-      # Access the Traefik dashboard on <Traefik IP>:8080 of your server
-      api.insecure = true;
-
-      experimental = {
-        plugins = traefikPlugins;
-      };
-    };
-
-    dynamicConfigOptions = {
-      http = {
-        middlewares = {
-          authentik = {
-            forwardAuth = {
-              tls.insecureSkipVerify = true;
-              address = authentikAddress;
-              trustForwardHeader = true;
-              authResponseHeaders = [
-                "X-authentik-username"
-                "X-authentik-groups"
-                "X-authentik-email"
-                "X-authentik-name"
-                "X-authentik-uid"
-                "X-authentik-jwt"
-                "X-authentik-meta-jwks"
-                "X-authentik-meta-outpost"
-                "X-authentik-meta-provider"
-                "X-authentik-meta-app"
-                "X-authentik-meta-version"
-              ];
-            };
-          };
-          onlyoffice-websocket = {
-            headers.customrequestheaders = {
-              X-Forwarded-Proto = "https";
-            };
-          };
-          crowdsec = {
-            plugin = {
-              bouncer = {
-                crowdsecAppsecEnabled = true;
-                crowdsecAppsecHost = crowdsecAppsecHost;
-                crowdsecAppsecFailureBlock = true;
-                crowdsecAppsecUnreachableBlock = true;
-                crowdsecLapiKeyFile = crowdsecLapiKeyFile;
-              };
-            };
-          };
-          whitelist-geoblock = {
-            plugin = {
-              geoblock = {
-                silentStartUp = false;
-                allowLocalRequests = true;
-                logLocalRequests = false;
-                logAllowedRequests = false;
-                logApiRequests = false;
-                api = "https://get.geojs.io/v1/ip/country/{ip}";
-                apiTimeoutMs = 500;
-                cacheSize = 25;
-                forceMonthlyUpdate = true;
-                allowUnknownCountries = false;
-                unknownCountryApiResponse = "nil";
-                blackListMode = false;
-                countries = [
-                  "CA"
-                  "US"
-                ];
-              };
-            };
-          };
-          internal-ipallowlist = 
-          {
-            ipAllowList = {
-              sourceRange = [
-                "127.0.0.1/32"
-                "10.0.1.0/24"
-              ];
-            };
-          };
-        };
-
-        services = {
-          auth.loadBalancer.servers = [
-            {
-              url = authUrl;
-            }
-          ];
-
-          actual.loadBalancer.servers = [
-            {
-              url = actualUrl;
-            }
-          ];
-          authentik.loadBalancer.servers = [
-            {
-              url = authentikUrl;
-            }
-          ];
-          cache.loadBalancer.servers = [
-            {
-              url = cacheUrl;
-            }
-          ];
-          chat.loadBalancer.servers = [
-            {
-              url = openWebUIUrl;
-            }
-          ];
-          cloud.loadBalancer.servers = [
-            {
-              url = cloudUrl;
-            }
-          ];
-          gitea.loadBalancer.servers = [
-            {
-              url = giteaUrl;
-            }
-          ];
-          hass.loadBalancer.servers = [
-            {
-              url = hassUrl;
-            }
-          ];
-          immich.loadBalancer.servers = [
-            {
-              url = immichUrl;
-            }
-          ];
-          jellyfin.loadBalancer.servers = [
-            {
-              url = jellyfinUrl;
-            }
-          ];
-          jellyseerr.loadBalancer.servers = [
-            {
-              url = jellyseerrUrl;
-            }
-          ];
-          lubelogger.loadBalancer.servers = [
-            {
-              url = lubeloggerUrl;
-            }
-          ];
-          onlyoffice.loadBalancer.servers = [
-            {
-              url = onlyofficeUrl;
-            }
-          ];
-          paperless.loadBalancer.servers = [
-            {
-              url = paperlessUrl;
-            }
-          ];
-        };
-
-        routers = {
-          auth = {
-            entryPoints = [ "websecure" ];
-            rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
-            service = "auth";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            priority = 15;
-            tls.certResolver = "letsencrypt";
-          };
-
-          actual = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`actual.${domain}`)";
-            service = "actual";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            tls.certResolver = "letsencrypt";
-          };
-          authentik = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`authentik.${domain}`)";
-            service = "authentik";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            tls.certResolver = "letsencrypt";
-          };
-          cache = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`cache.${domain}`)";
-            service = "cache";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            priority = 10;
-            tls.certResolver = "letsencrypt";
-          };
-          cloud = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`cloud.${domain}`)";
-            service = "cloud";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            tls.certResolver = "letsencrypt";
-          };
-          gitea = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`gitea.${domain}`)";
-            service = "gitea";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            tls.certResolver = "letsencrypt";
-          };
-          hass = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`hass.${domain}`)";
-            service = "hass";
-            middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
-            priority = 10;
-            tls.certResolver = "letsencrypt";
-          };
-          immich = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`immich.${domain}`)";
-            service = "immich";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            tls.certResolver = "letsencrypt";
-          };
-          jellyfin = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`jellyfin.${domain}`)";
-            service = "jellyfin";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            tls.certResolver = "letsencrypt";
-          };
-          jellyseerr = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`jellyseerr.${domain}`)";
-            service = "jellyseerr";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            tls.certResolver = "letsencrypt";
-          };
-          lubelogger = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`lubelogger.${domain}`)";
-            service = "lubelogger";
-            middlewares = [ "crowdsec" "whitelist-geoblock" ];
-            tls.certResolver = "letsencrypt";
-          };
-          onlyoffice = {
-            entryPoints = [ "websecure" ];
-            rule = "Host(`office.${domain}`)";
-            service = "onlyoffice";
-            middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
-            tls.certResolver = "letsencrypt";
-          };
-        };
-      };
-    };
-  };
-}

systems/x86_64-linux/nas/apps/wyoming/default.nix

@@ -1,19 +0,0 @@
-{ pkgs, ... }:
-{
-  services.wyoming = {
-    faster-whisper.servers.hass-whisper = {
-      enable = true;
-      useTransformers = false;
-      device = "cuda";
-      language = "en";
-      model = "distil-large-v3";
-      uri = "tcp://0.0.0.0:10300";
-    };
-
-    piper.servers.hass-piper = {
-      enable = true;
-      voice = "en-us-ryan-high";
-      uri = "tcp://0.0.0.0:10200";
-    };
-  };
-}

systems/x86_64-linux/nas/networking.nix

@@ -1,6 +1,5 @@
 { config, lib, ... }:
 let
-  settings = import ./settings.nix;
   ports = [
     8008 # restic
     9000 # authentik
@@ -29,7 +28,7 @@ in
 {
   # Networking configs
   networking = {
-    hostName = lib.mkForce settings.hostName;
+    hostName = lib.mkForce "jallen-nas";
 
     useNetworkd = true;
 
@@ -50,7 +49,7 @@ in
               type = "wifi";
             };
             ipv4 = {
-              address1 = "${settings.hostAddress}/24";
+              address1 = "10.0.1.3/24";
               dns = "10.0.1.1";
               gateway = "10.0.1.1";
               method = "manual";

systems/x86_64-linux/nuc/networking.nix

@@ -1,6 +1,5 @@
 { config, lib, ... }:
 let
-  # settings = import ./settings.nix;
   ports = [
     8192
   ];
@@ -8,7 +7,7 @@ in
 {
   # Networking configs
   networking = {
-    hostName = lib.mkForce "nuc-nixos";#settings.hostName;
+    hostName = lib.mkForce "nuc-nixos";
 
     useNetworkd = true;