hmm

modules/nixos/services/caddy/default.nix

@@ -15,7 +15,7 @@ let
     plugins = [
       "github.com/caddy-dns/cloudflare@v0.2.3"
     ];
-    hash = "sha256-bL1cpMvDogD/pdVxGA8CAMEXazWpFDBiGBxG83SmXLA=";
+    hash = "sha256-20o+14cn/eeLuf1c8uGE1ODRZGC0oxocaIVlv4tFSvA=";
   };
 
   # "github.com/hslatman/caddy-crowdsec-bouncer/http@v0.9.2"

modules/nixos/services/grafana/default.nix

@@ -52,7 +52,7 @@ let
       name = "node-exporter-full.json";
       path = patchDashboard "node-exporter-full.json" (pkgs.fetchurl {
         url = "https://grafana.com/api/dashboards/1860/revisions/latest/download";
-        sha256 = "sha256-pNgn6xgZBEu6LW0lc0cXX2gRkQ8lg/rer34SPE3yEl4=";
+        sha256 = "sha256-mEWSdsTn1EKpW6xoJv/s0XST46EOoUPbDugQwyngIss=";
       }) "ds_prometheus";
     }
     {
@@ -880,6 +880,16 @@ let
       # Inject ntfy credentials into Grafana's environment so the $__env{}
       # provider in contactPoints.yaml can resolve them at runtime.
       # The grafana.env template is managed by SOPS and owned by grafana:grafana.
+      sops.templates."grafana.env" = {
+        content = ''
+          GRAFANA_NTFY_USER=${config.sops.placeholder."jallen-nas/ntfy/user"}
+          GRAFANA_NTFY_PASSWORD=${config.sops.placeholder."jallen-nas/ntfy/password"}
+        '';
+        mode = "0400";
+        owner = "grafana";
+        restartUnits = [ "grafana.service" ];
+      };
+
       systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.templates."grafana.env".path;
 
       # The redis exporter needs AF_INET to reach TCP Redis instances.

modules/nixos/services/kavita/default.nix

@@ -27,9 +27,9 @@ let
         enable = true;
         dataDir = "${cfg.configDir}/kavita";
         tokenKeyFile = config.sops.secrets."jallen-nas/kavita/token".path;
-        settings = {
-          inherit (cfg) port;
-        };
+        # settings = {
+        #   inherit (cfg) port;
+        # };
       };
     };
   };

modules/nixos/services/matrix/default.nix

@@ -149,6 +149,17 @@ let
       systemd.services.matrix-synapse = {
         after = [ "postgresql.service" ];
         requires = [ "postgresql.service" ];
+        # Prevent unbounded restart loops (e.g. when authentik/OIDC is unreachable at startup).
+        # Without this, synapse will respawn hundreds of times per hour, flooding the kernel
+        # message buffer and risking filesystem corruption on unclean shutdown.
+        startLimitIntervalSec = 300; # 5 minute window
+        startLimitBurst = 5; # max 5 attempts per window, then give up until manual intervention
+        serviceConfig = {
+          # Exponential backoff: starts at 10s, doubles each attempt up to 5 minutes
+          RestartSec = "10s";
+          RestartSteps = 5;
+          RestartMaxDelaySec = "5min";
+        };
       };
     };
   };