idk

2026-02-09 11:26:58 -06:00
parent 525cc60739
commit 9ad06425c8
23 changed files with 1612 additions and 1466 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -1,7 +1,24 @@
 {
  "nodes": {
+    "authentik-go": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1770333754,
+        "narHash": "sha256-Yyna75Nd6485tZP9IpdEa5QNomswe9hRfM+w3MuET9E=",
+        "owner": "goauthentik",
+        "repo": "client-go",
+        "rev": "280022b0a8de5c8f4b2965d1147a1c4fa846ba64",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "repo": "client-go",
+        "type": "github"
+      }
+    },
    "authentik-nix": {
      "inputs": {
+        "authentik-go": "authentik-go",
        "authentik-src": "authentik-src",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
@@ -14,16 +31,15 @@
        "uv2nix": "uv2nix"
      },
      "locked": {
-        "lastModified": 1769248094,
-        "narHash": "sha256-9eiLAIUI3rsjqdY32+jQdKB+0VI6Jks0uf0s/UVMVJI=",
+        "lastModified": 1770535094,
+        "narHash": "sha256-MLjqqCQsJFZJKqSMfarSVsFLNRiDK/pvOnoRwZ+esmk=",
        "owner": "nix-community",
        "repo": "authentik-nix",
-        "rev": "1cab906a5cb342a4890ea9e4fe3993c6d438689b",
+        "rev": "b09825ea48b0802b4806ed9f0f4721a49e36eb98",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "version/2025.12.1",
        "repo": "authentik-nix",
        "type": "github"
      }
@@ -31,16 +47,16 @@
    "authentik-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1768596569,
-        "narHash": "sha256-HDTbQB/sMhYh2b95dQwzF8OgrwLWdl4hVmx6wtDcgE8=",
-        "owner": "ma27",
+        "lastModified": 1770055313,
+        "narHash": "sha256-t9DOFNSQJZdUnZSEr3z8EBRsltS4DKu9xad9gS5/Ikc=",
+        "owner": "goauthentik",
        "repo": "authentik",
-        "rev": "72ad5fe320f2201fc2a37372d4c9cb46377a58e5",
+        "rev": "6760f4c5d38e245edb72e12e4f45bda8dd859ccd",
        "type": "github"
      },
      "original": {
-        "owner": "ma27",
-        "ref": "2025.12.1-dependency-fix",
+        "owner": "goauthentik",
+        "ref": "version/2025.12.3",
        "repo": "authentik",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -49,7 +49,7 @@
    nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";

    authentik-nix = {
-      url = "github:nix-community/authentik-nix/version/2025.12.1";
+      url = "github:nix-community/authentik-nix";
      # inputs.nixpkgs.follows = "nixpkgs-stable";
    };

--- a/homes/x86_64-linux/matt@matt-nixos/default.nix
+++ b/homes/x86_64-linux/matt@matt-nixos/default.nix
@@ -195,10 +195,7 @@ in
    ]);

  specialisation = {
-    "end4".configuration = 
-      let
-        dotfiles = inputs.end4-dotfiles;
-      in {
+    "end4".configuration = {
      programs = {
        illogical-impulse = {
          enable = true;
--- a/modules/home/programs/hyprland/default.nix
+++ b/modules/home/programs/hyprland/default.nix
@@ -64,7 +64,7 @@ in
          wl-clipboard
          wlogout
          wlroots
-          xorg.xhost
+          xhost
          xsettingsd
          xwayland
        ]
--- a/modules/home/stylix/default.nix
+++ b/modules/home/stylix/default.nix
@@ -92,6 +92,7 @@ in
        enable = false;
        useWallpaper = false;
      };
+      kde.enable = false;
      firefox = {
        enable = false;
        profileNames = [
--- a/modules/nixos/gaming/default.nix
+++ b/modules/nixos/gaming/default.nix
@@ -21,10 +21,10 @@ in
      package = pkgs.steam.override {
        extraPkgs =
          _pkgs: with pkgs; [
-            xorg.libXcursor
-            xorg.libXi
-            xorg.libXinerama
-            xorg.libXScrnSaver
+            libXcursor
+            libXi
+            libXinerama
+            libXScrnSaver
            libpng
            libpulseaudio
            libvorbis
--- a/modules/nixos/homeassistant/automations/motion-light/default.nix
+++ b/modules/nixos/homeassistant/automations/motion-light/default.nix
@@ -68,57 +68,6 @@ let
      mode: single
  '';

-  automationToYamlSwitch = mlcfg: ''
-    - id: '${toString mlcfg.id}'
-      alias: ${mlcfg.alias}
-      description: '${mlcfg.description}'
-      triggers:
-      - device_id: ${mlcfg.motion-sensor.mqttDeviceId}
-        entity_id: ${mlcfg.motion-sensor.mqttEntityId}
-        domain: binary_sensor
-        id: occupied
-        subtype: on_press
-        trigger: device
-        type: occupied
-        for:
-          hours: 0
-          minutes: 0
-          seconds: 0
-      - device_id: ${mlcfg.motion-sensor.mqttDeviceId}
-        entity_id: ${mlcfg.motion-sensor.mqttEntityId}
-        domain: binary_sensor
-        id: vacant
-        subtype: off_press
-        trigger: device
-        type: not_occupied
-        for:
-          hours: 0
-          minutes: 0
-          seconds: 5
-      conditions: []
-      actions:
-      - choose:
-        - conditions:
-          - condition: trigger
-            id:
-            - occupied
-          sequence:
-          - type: turn_on
-            device_id:  ${mlcfg.switch.deviceId}
-            entity_id:  ${mlcfg.switch.entityId}
-            domain: switch
-        - conditions:
-          - condition: trigger
-            id:
-            - vacant
-          sequence:
-          - type: turn_off
-            device_id:  ${mlcfg.switch.deviceId}
-            entity_id:  ${mlcfg.switch.entityId}
-            domain: switch
-      mode: single
-  '';
-
  motionLightAutomations = concatStringsSep "\n" (
    mapAttrsToList (_: automationToYaml) cfg.motion-light
  );
--- a/modules/nixos/programs/default.nix
+++ b/modules/nixos/programs/default.nix
@@ -62,18 +62,17 @@ in
        SDL2
        util-linux
        vulkan-loader
-        xorg.libX11
-        xorg.libICE
-        xorg.libSM
-        xorg.libXcursor
-        xorg.libXrandr
-        xorg.libXi
-        xorg.libXcomposite
-        xorg.libXdamage
-        xorg.libXext
-        xorg.libXfixes
-        xorg.libX11
-        xorg.libxcb
+        libICE
+        libSM
+        libXcursor
+        libXrandr
+        libXi
+        libXcomposite
+        libXdamage
+        libXext
+        libXfixes
+        # libx11
+        libxcb
        zlib
      ];
    };
--- a/modules/nixos/services/coturn/default.nix
+++ b/modules/nixos/services/coturn/default.nix
@@ -0,0 +1,77 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+let
+  name = "coturn";
+  cfg = config.${namespace}.services.${name};
+
+  coturnConfig = lib.${namespace}.mkModule {
+    inherit config name;
+    serviceName = "${name}-synapse";
+    description = "config";
+    options = { };
+    moduleConfig = {
+      services.coturn = rec {
+        enable = true;
+        no-cli = true;
+        no-tcp-relay = true;
+        min-port = 49000;
+        max-port = 50000;
+        use-auth-secret = true;
+        static-auth-secret = "Lucifer008!";
+        listening-port = cfg.port;
+        realm = "turn.mjallen.dev";
+        # cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+        # pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+        extraConfig = ''
+          # for debugging
+          verbose
+          # ban private IP ranges
+          no-multicast-peers
+          denied-peer-ip=0.0.0.0-0.255.255.255
+          denied-peer-ip=10.0.0.0-10.255.255.255
+          denied-peer-ip=100.64.0.0-100.127.255.255
+          denied-peer-ip=127.0.0.0-127.255.255.255
+          denied-peer-ip=169.254.0.0-169.254.255.255
+          denied-peer-ip=172.16.0.0-172.31.255.255
+          denied-peer-ip=192.0.0.0-192.0.0.255
+          denied-peer-ip=192.0.2.0-192.0.2.255
+          denied-peer-ip=192.88.99.0-192.88.99.255
+          denied-peer-ip=192.168.0.0-192.168.255.255
+          denied-peer-ip=198.18.0.0-198.19.255.255
+          denied-peer-ip=198.51.100.0-198.51.100.255
+          denied-peer-ip=203.0.113.0-203.0.113.255
+          denied-peer-ip=240.0.0.0-255.255.255.255
+          denied-peer-ip=::1
+          denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+          denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+          denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+          denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+          denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+          denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+          denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        '';
+      };
+      networking.firewall = {
+        interfaces.enp197s0 = let
+          range = with config.services.coturn; [ {
+          from = min-port;
+          to = max-port;
+        } ];
+        in
+        {
+          allowedUDPPortRanges = range;
+          allowedUDPPorts = [ 3478 5349 ];
+          allowedTCPPortRanges = [ ];
+          allowedTCPPorts = [ 3478 5349 ];
+        };
+      };
+    };
+  };
+in
+{
+  imports = [ coturnConfig ];
+}
--- a/modules/nixos/services/matrix/default.nix
+++ b/modules/nixos/services/matrix/default.nix
@@ -59,6 +59,7 @@ let
        dataDir = "${cfg.configDir}/matrix-synapse";
        configureRedisLocally = true;
        enableRegistrationScript = true;
+        withJemalloc = true;
        extras = [
          "oidc"
          "redis"
@@ -118,6 +119,9 @@ let
              server_name = "matrix.org";
            }
          ];
+          turn_uris = ["turn:${config.services.coturn.realm}:3478?transport=udp" "turn:${config.services.coturn.realm}:3478?transport=tcp"];
+          turn_shared_secret = config.services.coturn.static-auth-secret;
+          turn_user_lifetime = "1h";
        };
      };

--- a/modules/nixos/services/matrix/livekit.nix
+++ b/modules/nixos/services/matrix/livekit.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.${namespace}.services.${name};
+
+  keyFile = "/run/livekit.key";
+
+  file = pkgs.writeText "file.txt" ''
+  {
+    "m.homeserver": {
+      "base_url": "https://matrix.mjallen.dev"
+    },
+    "m.identity_server": {
+      "base_url": "https://vector.im"
+    },
+    "org.matrix.msc3575.proxy": {
+      "url": "https://matrix.mjallen.dev"
+    },
+    "org.matrix.msc4143.rtc_foci": [
+      {
+        "type": "livekit",    "livekit_service_url": "https://mjallen.dev/livekit/jwt"
+      }
+    ]
+  }
+  '';
+in
+{
+  services.livekit = {
+    enable = true;
+    openFirewall = true;
+    settings.room.auto_create = false;
+    inherit keyFile;
+  };
+  services.lk-jwt-service = {
+    enable = true;
+    # can be on the same virtualHost as synapse
+    livekitUrl = "wss://mjallen.dev/livekit/sfu";
+    inherit keyFile;
+  };
+  config = lib.mkIf cfg.enable {
+    # generate the key when needed
+    systemd.services.livekit-key = {
+      before = [
+        "lk-jwt-service.service"
+        "livekit.service"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [
+        livekit
+        coreutils
+        gawk
+      ];
+      script = ''
+        echo "Key missing, generating key"
+        echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
+      '';
+      serviceConfig.Type = "oneshot";
+      unitConfig.ConditionPathExists = "!${keyFile}";
+    };
+    # restrict access to livekit room creation to a homeserver
+    systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "mjallen.dev";
+    services.nginx.virtualHosts = {
+      "matrix.mjallen.dev".locations = {
+        "^~ /.well-known/matrix/client" = {
+          alias = file;
+          extraConfig = "default_type text/plain;";
+        };
+      "mjallen.dev".locations = {
+        "^~ /livekit/jwt/" = {
+          priority = 400;
+          proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
+        };
+        
+        "^~ /livekit/sfu/" = {
+          extraConfig = ''
+            proxy_send_timeout 120;
+            proxy_read_timeout 120;
+            proxy_buffering off;
+
+            proxy_set_header Accept-Encoding gzip;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+          '';
+          priority = 400;
+          proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
+          proxyWebsockets = true;
+        };
+      };
+    }
+  };
+}
--- a/overlays/ccache/default.nix
+++ b/overlays/ccache/default.nix
@@ -1,5 +1,5 @@
 { ... }:
-final: super: {
+_final: _super: {
  # ${namespace} = super.${namespace} // {
  #   linuxPackages_rpi5 = super.linuxPackagesFor (
  #     super.${namespace}.linux-rpi.override { stdenv = super.ccacheStdenv; }
--- a/packages/librepods-beta/default.nix
+++ b/packages/librepods-beta/default.nix
@@ -50,10 +50,10 @@ rustPlatform.buildRustPackage rec {
    freetype.dev
    libGL
    pkg-config
-    xorg.libX11
-    xorg.libXcursor
-    xorg.libXi
-    xorg.libXrandr
+    # libx11
+    # libXcursor
+    # libXi
+    # libXandr
    wayland
    libxkbcommon
  ];
--- a/secrets/nas-secrets.yaml
+++ b/secrets/nas-secrets.yaml
@@ -2,7 +2,7 @@ jallen-nas:
  admin_password: ENC[AES256_GCM,data:0XUblR800UyliA8JfYUZbncDRxiU6eoTaf3i80+OCwJ/31oBhSqj9OtgYeRg3IyURwik1Nk/609IuHjIhly3mgTjOD6Hpzxpag==,iv:0yO3z8ItHRQFeI9JOnFTKhKVHi5u9cMtpglFRlkvYLE=,tag:iUd79iWAJQ9iqP0qolSwfA==,type:str]
  nas_pool: ENC[AES256_GCM,data:LBiUC/5qMFUnWUWYZgRPrGopdPd6oWB0+xe1S+GiOMtSIsBH34ZoE8U/v1HmxR17mt0x169xq7iXAQZTCZ/Vd8KGmecTK7hC+H6kmSUcwsuoPiVyoSPdet3Zb716eXGWmnSD6QlReUpq6xiCqOwKUkgNgRtkdc92PAEcmbrw1tfooxTesxB3n9pSCXAkwsPxJWl7nLrCZIf6wOZci/TiwFJf534/YPKIz8q5JxX+E+VeQ4NNRfZxn4EqlMDgmNcEcuHdflqTNAlDmREqhN0XNREUaFveQ01T5sFb6XHorEHpUlKIzDpMV4LKjZQMZax4T+6nbGpUa5kf/Gr3xeOpMpTGNir1bM8oPQGP/Iz9u4AjGP56+JYcqUBcxG1wwNFIqBrrC+Bf7vdjGxgMClwW5AbMtGXwE9y+dSM9MMkj8kiaK1zWZfyIqRBheXtXUhPIjJSR8fmnVtKW358E7ynC9R14AsA3qxpxEc4+VmF7cJEzjStP//FRSuUFRlvgIcGBfncvt0b+ecEk8WostYAMHhqpyHtW2hG5orv6qFupLz0VCBbFLqlIEMG1d/EfjulGqWN4fGIhlAGpssvuo8r/9bOz4efTwODnKJqX5YfOPhFDAJZzj7pgFgAjf8/xAgelAU1yR3nlj2PR9itEAApY0L0FvnC4fEMBqlpINM8gGeNcfTraIYo7bqVhOT5sVOXmru+nRoyG1I01rJ1lQpis5Kqt+HWGa43fi81dtTm7kj/4bOPSPrJimIOD37O3GRlbiiGIhy/Ta/iVqzRsYeUZOyIQT+IjZ4pX5tgJ/AxASVzdRd9GluexPdUGVDb9Kjf7mo7aYsXyWDBP7ZoXDQGHndrlTlrQreDLgcwCXo1hHEn9YkIUfYpBd5Th7LJrsaNWXH838S+9sDqSCGdVPVcH0HC8x5T5Uo3Jb833uaQjtaXsSaAgaRkcEtAHz4LO5kKii3AgP0vA,iv:ny8qQhSrfokW3iS0KXtCVYgtvj07c25jfEUCIExD7eI=,tag:QD8C37p3gUJr42NHiL7PHw==,type:str]
  ups_password: ENC[AES256_GCM,data:tYuJ9nU3E2/Ko6Y=,iv:lQq+g68lKCp1rmPvS/84xGIXHxD9zY5zZrrjEJlY8Hs=,tag:p6McEr+sXGAQyMAz1Kaxfw==,type:str]
-    authentik-env: ENC[AES256_GCM,data:AzHHGyhoyMp/ebnK6LQ5apBUhQT04SPJrtA6XcdaQ38C+fYuG2ph2iWFb+giafxCe8IXWAYT8CWoeqcspM7CPSAAKgqfVaPhMvjXqLxCY/rpegb5jBD1U6tURhPsH3ADrERk+kCmTV2eUpuV+nluiGM+fRdwhB0zu378HKwhXCpSO4L24aXhe9pxxxaTQzncWH6zW5iaRdouDVr1bAUzLi9BpnmS0ZK/rfLq2whErCeN++Srx6aCgwJ7jaqetBglQkIl3YG6flS8u3vsKtI+RVaNJ5tzrWR/qv0vBy8y1PZEuuXZdiHjn1hjiPE1T31j2+aQdbX70RaJfIt6E4lVtArQHv8PTUDxUoxcnUv52xLTStT5/UdIlNoZjPMwvaknpK7Z0uw9w4j76gmgk06xsxoCpnXIGTm1QpGqviBhgfNs5Va/qi4MBfByaym3UAz9LPHs4keuvJNN8dS0q5OMnRswl14PjIb1MIKB/QCVHvb4hO7eIRiWOkA7nb9LP/y1mjAYslr+I+GNpU8oIYTAvKoMS7ZgC49RoLWytAXUru2I7CqDR9zgPzlDQ9gLPoFKw2uKulpAy0ayQWPcgPA2CFmF+5zdINNSNKn0gRZ/2RTc3DiWmzo4P13EmrOwvkWCkiswFu1d6ctKZFhQnfPuj9LRGp/Os55JpLrreSyRJug6lgR4bPdC3x8sbxNmb5S2Y+4aFfgPXfdCdXs5b+8j28d1d4EoOO/arUzNADz9ODD5esb2g8UC2QtQd0RRYX/qmiM=,iv:YKvFxz3M8HKlg56JfN6uv8hvCFlEbhBkaSQz1v9l3zk=,tag:rz7UixSDqOXH7Ga6mkVYAw==,type:str]
+  authentik-env: ENC[AES256_GCM,data:PhHiiDJuKx/LKbJR6wx0HknqAs+fnAilA2HsMHwl0N3CMQ0pa+qKEB9x0a16Jr0yC9F4OKD7k98Q4wHbQWuE8IORB9CaiWVQzwJEaFvQ1wdv0wtHC23Aq5ppUPG941xArpF40/64vLYYa8w5Q1wxQr6xeg4VZwpSahIRAa6tB4eMAgopl4QeXGMskaPrL7A9Eu6lXt5LQJkCEFRuyL1XX5W33/l0HYeovgevhqTcbRmOLiG8r4XOihQDUtVWIhW8X3iDlCsgNEgxJE2s+7UuqwetvHpLCQMEyPfITx6FMI6vw8+raLTwQC7fDWXyqjWIJ3/xds7DTcBjJZMj72S6tggX0QLDfnrtjIG0iVNmbRDE2Cv96VJVdV6B381B2XKYx1EThjgucxbmp2Gz4+dpGu3O+rNxlfd9VR7KDA1FH2ddPr8JMhRpeBYbYpxCfuKqgKgfBqvxdI7lV2/alsqLZ3RdzRxi3mCilrldnKEw9YzEJEh0UU2L9J2bP8GJWpyfQsSGnNjpGL3k877e7R0NrKle7ertp2NZKccrKCXyYDGbfERrfmtN2ebaWZXmtbj9Hf/PZBQyXa8onf85QeuY5574pvm8+TZRGorhuMyKi/19lOuEgrAayDM8lQZUDW/QWmU3qf8dO4LAbE7HpzJfv0nEgnKbqVUrV4wcgHYPWNSCFLfdW8eVISgIgZBNA/FD836fwBTCwB91jfWI8g9yrK0l+fvk7RL7Spz7XoK/YIELhojoS6LLr/1wgP2atekDaUBMKw==,iv:w6M8cm+5eCkGPJiD0NkBgZuIVjYPUd9d1yp95y/BwyQ=,tag:SgOpa23x395CefA9zvI5GA==,type:str]
  traefik:
    crowdsec:
      lapi-key: ENC[AES256_GCM,data:tEEr+KtGPseweqWn7eyrZwZBl+pPqzQqr5cmlYZF2ugm9pF4sUwBdEy21A==,iv:x1h0Op29Ta15dPe1Tfm4c1Mlo85aqvyOgZ5bELRNTGE=,tag:y0R8DHc0ya96n6hLLhteYA==,type:str]
@@ -58,8 +58,8 @@ jallen-nas:
  ntfy:
    auth-users: ENC[AES256_GCM,data:5k2a8GxQ76tGFv0kSlnS2Cr3te0pkKjLlswtnK7m3JOuBMN4hFxOuleZJgy/gbcYvxtKgs5zx6l1pVJVUBnaSZxzANK/LWjbYPaM8VOkzTFxCpLWjhCOlLn0gao=,iv:7BrNN929jGkkquMVnRx1kjnDNg1F47MdCFkYK8fCPL0=,tag:lpMUK9rLmHUYOh7LSpXsVA==,type:str]
  matrix:
-        client-id: ENC[AES256_GCM,data:Cv5nbJQPo2YkNwVlzaquXguaVpfVxmYu4LvwlgLJw1EVfDz8ZqgCtQ==,iv:OO9q+q36wCq0yuTxLpqh5Nn0oVWdNISTMZzeQedPcGE=,tag:KDsox/yemi9t76xr2/yvbg==,type:str]
-        client-secret: ENC[AES256_GCM,data:5OcfUAVZ0xfGEkGr8rp08lFRbcvMf2XvCU08XnaK8iwjWEmVJjLHtBV0rzulPpdJf9eVapCz0udC8v1bPgD2tvVLNNdSUK5CMwYIB6dsa44/lkUe+EvNl/7w68vUqyo3rWAgTLIUksglvk/aCXH0p3ZIrQgQgeI6EbvdS5bcLqY=,iv:OeCnHFGaXUQhqdPX4XksKwwZrbhBr8bsNeDTiIbfSpY=,tag:KWqDU9iJmIQpObxNdLs6AQ==,type:str]
+    client-id: ENC[AES256_GCM,data:mMpc+BsS9YYCXRrTNaCQcMMVdxw98uQdvywauYGjVV+ASalZA3PbBA==,iv:5Qzgny+6HkKFAYLckkVYsHVlhp0GuI96PPMjVx6RRZI=,tag:5LlLg3nnyHy9ak2VT1+hMQ==,type:str]
+    client-secret: ENC[AES256_GCM,data:mH83GAgAziN0CMy/GuSGCTrm0wyopzvrxw1xkA7aBDSdP7N0ZYkfJ5et7daB+5jew+bbVA/Gy8aO1U2/rJ4FhRr5C0XhayHs1fT1sZBel904OHboTGRpy+eg4H+RSaA6WYWk5HRKH2ZcAfMa1jOqnbqol3+P96KpIPiMotDGL/c=,iv:mg8XbHu4ZkYICDjK2Q88SXt1Gl9IdbehFZyKES8OU50=,tag:UBnysN2qgIg53GRzbog7+A==,type:str]
  glance:
    arr-username: ENC[AES256_GCM,data:PlLrcaYLmvv5,iv:ZdBAkR93TLh0FMYhqBhxw8hZI5a/UeS3fpWkORH2e4k=,tag:hpuEgLnF5hCtt0XJTC/gAg==,type:str]
    arr-password: ENC[AES256_GCM,data:K8J3fPGWc3SWeKo=,iv:pkr+m92OlAszLXmGn34tEtaEvvBV+ohObj2uRDqKIYc=,tag:wBxe9gijHie6sq0brtpMRQ==,type:str]
@@ -221,8 +221,8 @@ sops:
        L0gwQm5takNjMkVGNzVlSStJYlUwWDAKP8QA3rRUHYbyyhPC/k0Eq2EIKfjyc7Co
        7BkHH3msC6h9g42BB5iIYe6KQ+UGxMQBFvp+qSB27jaIfajN5MP0BA==
        -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-31T04:32:39Z"
-    mac: ENC[AES256_GCM,data:YhtZZuRgoBvVdk7MTle4dCVXxVANo3B/oOvLC1zS9/de3uGz1zV7ztbUYx5SIW6HOzlYxdjvmFJV79xcQyAiPoj6zC7gyQdHjvNZ8V39gYqaGsF6kasdlPVHpQBgeGepPjpYy7m2ROFlkvXkjNVgs+/ENAsRoqyMNSGXEltoM7Q=,iv:NVDHLzxHQSFOXjroiPatdw8V7nuaT40AQ/noU9K1wsY=,tag:+PBTFVL81ArJNZM/k97msg==,type:str]
+  lastmodified: "2026-02-09T16:07:02Z"
+  mac: ENC[AES256_GCM,data:wObXRnXCkE5yfBpwtkuFnzlGaF2BugipRxnx0Z/pTwc6PENKHrCFqnuOdb4EDnlYBGXTGSCUzksWS1kZVc8SF0tiimzlPAB9suS31386I3ex+IJNlouv6MFkvBpeI5OnMo7y/eJVK9GBmC5bxoNhySMAQBRCuDGs9uCaTHdYkRI=,iv:kAInXG7UMeIN/ZJwmwY2cd6V/n3fxOUodvCP0sADvcc=,tag:oFa8zO9WNOGLQZKC7vTN+A==,type:str]
  pgp:
    - created_at: "2026-02-06T15:34:30Z"
      enc: |-
--- a/systems/aarch64-linux/macbook-pro-nixos/hardware-configuration.nix
+++ b/systems/aarch64-linux/macbook-pro-nixos/hardware-configuration.nix
@@ -1,64 +1,72 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, modulesPath, ... }:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" "sdhci_pci" ];
+  boot.initrd.availableKernelModules = [
+    "usbhid"
+    "usb_storage"
+    "sdhci_pci"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "none";
+  fileSystems."/" = {
+    device = "none";
    fsType = "tmpfs";
    options = [ "mode=755" ];
  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/80CC-18FC";
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/80CC-18FC";
    fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
  };

-  fileSystems."/home" =
-    { device = "/dev/mapper/cryptroot";
+  fileSystems."/home" = {
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=home" ];
  };

-  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/6fc86225-2bd4-4d9f-ba51-c3bc6b1dc7f9";
+  boot.initrd.luks.devices."cryptroot".device =
+    "/dev/disk/by-uuid/6fc86225-2bd4-4d9f-ba51-c3bc6b1dc7f9";

-  fileSystems."/persist" =
-    { device = "/dev/mapper/cryptroot";
+  fileSystems."/persist" = {
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=persist" ];
  };

-  fileSystems."/etc" =
-    { device = "/dev/mapper/cryptroot";
+  fileSystems."/etc" = {
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=etc" ];
  };

-  fileSystems."/root" =
-    { device = "/dev/mapper/cryptroot";
+  fileSystems."/root" = {
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=root" ];
  };

-  fileSystems."/nix" =
-    { device = "/dev/mapper/cryptroot";
+  fileSystems."/nix" = {
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=nix" ];
  };

-  fileSystems."/var/log" =
-    { device = "/dev/mapper/cryptroot";
+  fileSystems."/var/log" = {
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=log" ];
  };
--- a/systems/x86_64-linux/jallen-nas/apps.nix
+++ b/systems/x86_64-linux/jallen-nas/apps.nix
@@ -28,7 +28,7 @@ in
        environmentFile = "/run/secrets/jallen-nas/attic-key";
      };
      authentik = {
-        enable = false;
+        enable = true;
        configureDb = true;
        port = 9000;
        reverseProxy = enabled;
@@ -59,6 +59,11 @@ in
          PROXY_DOMAIN = "code.mjallen.dev";
        };
      };
+      coturn = {
+        enable = true;
+        port = 3478;
+        reverseProxy = enabled;
+      };
      collabora = {
        enable = false;
        port = 9980;
@@ -125,7 +130,7 @@ in
        port = 3214;
      };
      matrix = {
-        enable = false;
+        enable = true;
        port = 8448;
        reverseProxy = enabled;
      };