merge

homes/x86_64-linux/admin@nas/default.nix

@@ -2,8 +2,6 @@
 {
   home.username = "admin";
 
-  # mjallen.home.enable = true;
-
   mjallen = {
     shell-aliases = {
       enable = true;
@@ -73,14 +71,4 @@
     };
   };
 
-  # services.nixai = {
-  #   enable = true;
-  #   mcp = {
-  #     enable = true;
-  #     # Optional: custom socket path (uses `$HOME` expansion)
-  #     socketPath = "$HOME/.local/share/nixai/mcp.sock";
-  #   };
-  #   # Optional: integrate with VS Code
-  #   vscodeIntegration = true;
-  # };
 }

modules/nixos/attic/default.nix

@@ -0,0 +1,132 @@
+{
+  config,
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.attic;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    services.atticd = {
+      enable = true;
+      environmentFile = cfg.environmentFile;
+      settings = {
+        listen = "${cfg.listenAddress}:${toString cfg.port}";
+      };
+    };
+
+    # Open firewall for attic if enabled
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
+
+    # Include the attic watch-store service and rebuild cache services
+    systemd.services = {
+      attic-watch-store = {
+        enable = true;
+        description = "watch store for cache";
+        serviceConfig = {
+          Type = "simple";
+          User = "admin";
+          Group = "jallen-nas";
+          WorkingDirectory = "/etc/nixos";
+          StandardOutput = "journal+console";
+          StandardError = "journal+console";
+          Restart = "always";
+          RestartSec = "5";
+        };
+        path = with pkgs; [
+          bash
+          attic-client
+        ];
+        script = ''
+          #!/usr/bin/env bash
+          attic watch-store nas-cache
+        '';
+      };
+
+      nix-rebuild-cache-desktop = {
+        enable = true;
+        description = "Rebuild desktop NixOS configurations for cache";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "admin";
+          Group = "jallen-nas";
+          WorkingDirectory = "/etc/nixos";
+          StandardOutput = "journal+console";
+          StandardError = "journal+console";
+          Restart = "no";
+          TimeoutStartSec = "2h";
+        };
+        path = with pkgs; [
+          nix
+          git
+          coreutils
+          gnugrep
+          gnused
+          openssh
+        ];
+        script = ''
+          #!/usr/bin/env bash
+          if [ -d .git ]; then
+            git pull || echo "Warning: Could not pull latest changes"
+          fi
+          echo "Starting build of matt-nixos at $(date)"
+          if nix flake update desktop-nixpkgs desktop-chaotic desktop-home-manager desktop-impermanence desktop-lanzaboote desktop-nixos-hardware desktop-sops-nix desktop-steam-rom-manager nixpkgs-unstable nixpkgs-stable nix-darwin; then
+            echo "matt-nixos flake updated successfully at $(date)"
+          else
+            echo "matt-nixos failed to build at $(date)"
+          fi
+          if nix build .\#nixosConfigurations.matt-nixos.config.system.build.toplevel --no-link; then
+            echo "matt-nixos built successfully at $(date)"
+            git add .
+            git commit -m "Desktop Updates $(date)"
+          else
+            echo "matt-nixos failed to build at $(date)"
+            git reset --hard
+          fi
+        '';
+      };
+    };
+
+    # Include timers for cache rebuilds
+    systemd.timers = {
+      nix-rebuild-cache-desktop = {
+        description = "Timer for rebuilding desktop NixOS configurations cache";
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = "weekly";
+          Persistent = true;
+          RandomizedDelaySec = "24h";
+        };
+      };
+    };
+
+    # Configure distributed builds
+    nix = {
+      settings.builders-use-substitutes = true;
+      distributedBuilds = true;
+      buildMachines = [
+        {
+          hostName = "pi5.local";
+          system = "aarch64-linux";
+          maxJobs = 4;
+          sshUser = "matt";
+          supportedFeatures = [
+            "nixos-test"
+            "benchmark"
+            "big-parallel"
+            "kvm"
+          ];
+        }
+      ];
+    };
+  };
+}

modules/nixos/attic/options.nix

@@ -0,0 +1,31 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.attic = {
+    enable = mkEnableOption "attic binary cache daemon";
+
+    port = mkOption {
+      type = types.port;
+      default = 9012;
+      description = "Port for attic cache daemon";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for attic";
+    };
+
+    environmentFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = "Path to environment file containing attic secrets";
+    };
+
+    listenAddress = mkOption {
+      type = types.str;
+      default = "[::1]";
+      description = "Address to listen on";
+    };
+  };
+}

modules/nixos/authentik/default.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.authentik;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    services.authentik = {
+      enable = true;
+      environmentFile = cfg.environmentFile;
+      settings = {
+        port = cfg.port;
+      };
+    };
+
+    # Open firewall for authentik if enabled
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
+
+    # Ensure PostgreSQL is configured for authentik
+    services.postgresql = {
+      enable = mkDefault true;
+      ensureDatabases = [ "authentik" ];
+      ensureUsers = [
+        {
+          name = "authentik";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    # Ensure Redis is configured for authentik
+    services.redis.servers.authentik = {
+      enable = mkDefault true;
+      port = mkDefault 6379;
+    };
+  };
+}

modules/nixos/authentik/options.nix

@@ -0,0 +1,31 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.authentik = {
+    enable = mkEnableOption "authentik identity provider";
+
+    port = mkOption {
+      type = types.port;
+      default = 9000;
+      description = "Port for authentik web interface";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for authentik";
+    };
+
+    environmentFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = "Path to environment file containing authentik secrets";
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/authentik";
+      description = "Data directory for authentik";
+    };
+  };
+}

modules/nixos/code-server/default.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.code-server;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    # Configure the standard NixOS code-server service
+    services.code-server = {
+      enable = true;
+      port = cfg.port;
+      user = cfg.user;
+      group = cfg.group;
+      host = cfg.host;
+      auth = cfg.auth;
+      disableTelemetry = cfg.disableTelemetry;
+      disableUpdateCheck = cfg.disableUpdateCheck;
+      extraEnvironment = cfg.extraEnvironment;
+    }
+    // optionalAttrs (cfg.hashedPassword != null) {
+      hashedPassword = cfg.hashedPassword;
+    };
+
+    # Open firewall for code-server if enabled
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
+  };
+}

modules/nixos/code-server/options.nix

@@ -0,0 +1,70 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.code-server = {
+    enable = mkEnableOption "code-server with enhanced configuration";
+
+    port = mkOption {
+      type = types.port;
+      default = 4444;
+      description = "Port for code-server";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for code-server";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "admin";
+      description = "User to run code-server as";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "users";
+      description = "Group to run code-server as";
+    };
+
+    host = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = "Host to bind code-server to";
+    };
+
+    auth = mkOption {
+      type = types.enum [
+        "none"
+        "password"
+      ];
+      default = "none";
+      description = "Authentication method for code-server";
+    };
+
+    hashedPassword = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Hashed password for code-server authentication";
+    };
+
+    extraEnvironment = mkOption {
+      type = types.attrsOf types.str;
+      default = { };
+      description = "Extra environment variables for code-server";
+    };
+
+    disableTelemetry = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to disable telemetry";
+    };
+
+    disableUpdateCheck = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to disable update checks";
+    };
+  };
+}

modules/nixos/crowdsec/default.nix

@@ -58,11 +58,9 @@ in
         [ "${script}/bin/register-bouncer" ];
     };
 
-    networking = {
-      firewall = {
+    networking.firewall = mkIf cfg.openFirewall {
       allowedTCPPorts = [ cfg.port ];
       allowedUDPPorts = [ cfg.port ];
     };
   };
-  };
 }

modules/nixos/crowdsec/options.nix

@@ -5,23 +5,33 @@ with lib;
     enable = mkEnableOption "crowdsec service";
 
     port = mkOption {
-      type = types.int;
+      type = types.port;
       default = 9898;
+      description = "Port for crowdsec API";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for crowdsec";
     };
 
     apiAddress = mkOption {
       type = types.str;
       default = "127.0.0.1";
+      description = "API address for crowdsec";
     };
 
     apiKey = mkOption {
       type = types.str;
       default = "";
+      description = "API key for crowdsec bouncer";
     };
 
     dataDir = mkOption {
       type = types.str;
       default = "";
+      description = "Data directory for crowdsec";
     };
   };
 }

modules/nixos/glances/default.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.glances;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    # Open firewall for glances if enabled
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
+
+    # Install glances package
+    environment.systemPackages = with pkgs; [
+      glances
+    ];
+
+    # Configure systemd service for glances
+    systemd.services.glances-server = {
+      description = "Glances system monitoring web server";
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      path = with pkgs; [
+        bash
+        glances
+      ];
+
+      script = ''
+        glances -w --bind ${cfg.bindAddress} --port ${toString cfg.port}
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        User = "glances";
+        Group = "glances";
+        Restart = "always";
+        RestartSec = "5";
+        StandardOutput = "journal";
+        StandardError = "journal";
+      };
+    };
+
+    # Create glances user and group
+    users.users.glances = {
+      isSystemUser = true;
+      group = "glances";
+      description = "Glances monitoring user";
+    };
+
+    users.groups.glances = { };
+  };
+}

modules/nixos/glances/options.nix

@@ -0,0 +1,25 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.glances = {
+    enable = mkEnableOption "glances system monitoring service";
+
+    port = mkOption {
+      type = types.port;
+      default = 61208;
+      description = "Port for glances web interface";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for glances";
+    };
+
+    bindAddress = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = "Address to bind glances web server to";
+    };
+  };
+}

modules/nixos/lubelogger/default.nix

@@ -15,7 +15,7 @@ in
     virtualisation.oci-containers.containers.lubelogger = {
       autoStart = true;
       image = "ghcr.io/hargata/lubelogger";
-      ports = [ "6754:8080" ];
+      ports = [ "${toString cfg.port}:8080" ];
       volumes = [
         "/media/nas/main/nix-app-data/lubelogger:/App/data"
         "/media/nas/main/nix-app-data/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
@@ -29,5 +29,11 @@ in
         TZ = "America/Chicago";
       };
     };
+
+    # Open firewall for lubelogger if enabled
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
   };
 }

modules/nixos/lubelogger/options.nix

@@ -3,5 +3,17 @@ with lib;
 {
   options.${namespace}.services.lubelogger = {
     enable = mkEnableOption "enable lubelogger";
+
+    port = mkOption {
+      type = types.port;
+      default = 6754;
+      description = "Port for lubelogger web interface";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for lubelogger";
+    };
   };
 }

modules/nixos/netbootxyz/default.nix

@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.netbootxyz;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    # Open firewall for netbootxyz if enabled
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [
+        cfg.httpPort
+        cfg.httpsPort
+      ];
+      allowedUDPPorts = [
+        cfg.httpPort
+        cfg.httpsPort
+      ];
+    };
+
+    # Create data directory
+    systemd.tmpfiles.rules = [
+      "d ${cfg.dataDir} 0755 root root -"
+    ];
+
+    # Configure netbootxyz as a container service
+    virtualisation.oci-containers = {
+      backend = "podman";
+      containers.netbootxyz = {
+        image = "ghcr.io/netbootxyz/netbootxyz:latest";
+        ports = [
+          "${toString cfg.httpPort}:3000"
+          "${toString cfg.httpsPort}:3001"
+        ];
+        volumes = [
+          "${cfg.dataDir}:/app/src/config"
+        ];
+        environment = {
+          MENU_VERSION = "2.0.76";
+          PORT_RANGE = "30000:30010";
+        };
+        extraOptions = [
+          "--restart=unless-stopped"
+        ];
+      };
+    };
+
+    # Enable podman for oci-containers
+    virtualisation.podman.enable = true;
+  };
+}

modules/nixos/netbootxyz/options.nix

@@ -0,0 +1,31 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.netbootxyz = {
+    enable = mkEnableOption "netbootxyz network boot service";
+
+    httpPort = mkOption {
+      type = types.port;
+      default = 4000;
+      description = "HTTP port for netbootxyz";
+    };
+
+    httpsPort = mkOption {
+      type = types.port;
+      default = 4080;
+      description = "HTTPS port for netbootxyz";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for netbootxyz";
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/netbootxyz";
+      description = "Data directory for netbootxyz";
+    };
+  };
+}

modules/nixos/protonmail-bridge/default.nix

@@ -0,0 +1,65 @@
+{
+  config,
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.protonmail-bridge;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    # Open firewall for protonmail bridge if enabled
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [
+        cfg.smtpPort
+        cfg.imapPort
+      ];
+      allowedUDPPorts = [
+        cfg.smtpPort
+        cfg.imapPort
+      ];
+    };
+
+    # Install protonmail-bridge package
+    environment.systemPackages = with pkgs; [
+      protonmail-bridge
+      gnome-keyring
+      gnupg
+      pass
+    ];
+
+    # Configure systemd user service for protonmail-bridge
+    systemd.user.services.protonmail-bridge = {
+      description = "Protonmail Bridge";
+      enable = true;
+      environment = {
+        GNUPGHOME = "%h/.gnupg";
+        PASSWORD_STORE_DIR = "%h/.password-store";
+      };
+      script = "${pkgs.protonmail-bridge}/bin/protonmail-bridge --noninteractive";
+      path = with pkgs; [
+        gnome-keyring
+        gnupg
+        pass
+        protonmail-bridge
+      ];
+      wantedBy = [ "default.target" ];
+      after = [ "gpg-agent.service" ];
+    };
+
+    # Enable gnome keyring for password storage
+    security.pam.services.login.enableGnomeKeyring = true;
+    services.gnome.gnome-keyring.enable = true;
+
+    # Configure gpg-agent
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+  };
+}

modules/nixos/protonmail-bridge/options.nix

@@ -0,0 +1,31 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.protonmail-bridge = {
+    enable = mkEnableOption "protonmail bridge service";
+
+    smtpPort = mkOption {
+      type = types.port;
+      default = 1025;
+      description = "SMTP port for protonmail bridge";
+    };
+
+    imapPort = mkOption {
+      type = types.port;
+      default = 1143;
+      description = "IMAP port for protonmail bridge";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for protonmail bridge";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "admin";
+      description = "User to run protonmail bridge as";
+    };
+  };
+}

modules/nixos/restic/default.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.restic;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    # Configure the standard NixOS restic server service
+    services.restic.server = {
+      enable = true;
+      dataDir = cfg.dataDir;
+      prometheus = cfg.prometheus;
+      listenAddress = "${cfg.listenAddress}:${toString cfg.port}";
+      extraFlags = cfg.extraFlags;
+    }
+    // optionalAttrs (cfg.htpasswdFile != null) {
+      htpasswd-file = cfg.htpasswdFile;
+    };
+
+    # Open firewall for restic server if enabled
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
+  };
+}

modules/nixos/restic/options.nix

@@ -0,0 +1,49 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.restic = {
+    enable = mkEnableOption "restic server with enhanced configuration";
+
+    port = mkOption {
+      type = types.port;
+      default = 8008;
+      description = "Port for restic server";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for restic server";
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/restic";
+      description = "Data directory for restic server";
+    };
+
+    listenAddress = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = "Address to bind restic server to";
+    };
+
+    prometheus = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to enable prometheus metrics";
+    };
+
+    htpasswdFile = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Path to htpasswd file for authentication";
+    };
+
+    extraFlags = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = "Extra flags to pass to restic server";
+    };
+  };
+}

systems/x86_64-linux/nas/apps.nix

@@ -98,6 +98,62 @@
       };
 
       tdarr.enable = true;
+
+      authentik = {
+        enable = true;
+        port = 9000;
+        environmentFile = "/run/secrets/jallen-nas/authentik-env";
+      };
+
+      attic = {
+        enable = true;
+        port = 9012;
+        listenAddress = "[::]";
+        environmentFile = "/run/secrets/jallen-nas/attic-key";
+      };
+
+      protonmail-bridge = {
+        enable = true;
+        smtpPort = 1025;
+        imapPort = 1143;
+        user = "admin";
+      };
+
+      netbootxyz = {
+        enable = true;
+        httpPort = 4000;
+        httpsPort = 4080;
+        dataDir = "/media/nas/main/nix-app-data/netbootxyz";
+      };
+
+      glances = {
+        enable = true;
+        port = 61208;
+        bindAddress = "0.0.0.0";
+      };
+
+      code-server = {
+        enable = true;
+        port = 4444;
+        user = "admin";
+        group = "jallen-nas";
+        host = "0.0.0.0";
+        auth = "none";
+        hashedPassword = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
+        extraEnvironment = {
+          PROXY_DOMAIN = "code.mjallen.dev";
+        };
+      };
+
+      restic = {
+        enable = true;
+        port = 8008;
+        dataDir = "/media/nas/main/backup/restic";
+        prometheus = true;
+        listenAddress = "0.0.0.0";
+        htpasswdFile = "/media/nas/main/backup/restic/.htpasswd";
+        extraFlags = [ "--no-auth" ];
+      };
     };
   };
 }

systems/x86_64-linux/nas/default.nix

@@ -3,7 +3,6 @@
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
 {
-  config,
   pkgs,
   namespace,
   ...
@@ -67,52 +66,6 @@
       firewall = {
         enable = true;
         allowPing = true;
-        allowedTCPPorts = [
-          8008 # restic
-          9000 # authentik
-          2342 # grafana
-          51820 # wireguard
-          1025
-          1143
-          10200
-          10300
-          8127
-          9980 # onlyoffice
-          4000 # netbootxyz
-          4080 # netbootxyz
-          3000 # gitea
-          2222 # gitea ssh
-          3300
-          9898
-          6754 # lubelogger
-          2283 # immich
-          4444 # code-server
-          9012
-          8192
-        ];
-        allowedUDPPorts = [
-          8008 # restic
-          9000 # authentik
-          2342 # grafana
-          51820 # wireguard
-          1025
-          1143
-          10200
-          10300
-          8127
-          9980 # onlyoffice
-          4000 # netbootxyz
-          4080 # netbootxyz
-          3000 # gitea
-          2222 # gitea ssh
-          3300
-          9898
-          6754 # lubelogger
-          2283 # immich
-          4444 # code-server
-          9012
-          8192
-        ];
         trustedInterfaces = [ "tailscale0" ];
       };
     };
@@ -143,7 +96,6 @@
       ffmpeg
       ipset
       llama-cpp
-      # inputs.nas-nixai.packages.x86_64-linux.nixai
       networkmanagerapplet
       nut
       packagekit
@@ -167,48 +119,6 @@
       enable = true;
       nvidiaSupport = true;
     };
-
-    msmtp = {
-      enable = false;
-      accounts = {
-        default = {
-          auth = true;
-          tls_starttls = false;
-          host = "smtp.gmail.com";
-          user = "matt.l.jallen";
-          from = "matt.l.jallen@gmail.com";
-          passwordeval = "cat ${config.sops.secrets."jallen-nas/gitea/mail-key".path}";
-        };
-      };
-      defaults = {
-        port = 465;
-        tls = true;
-      };
-    };
-  };
-
-  hardware.fancontrol = {
-    enable = false;
-    config = ''
-      # Configuration file generated by pwmconfig, changes will be lost
-      # hwmon6/temp9_input -- chipset temp?
-      # hwmon2/temp1_input -- cpu temp?
-      # hwmon6/pwm5 -- chipset fan?
-      # hwmon6/pwm2, hwmon6/pwm3 -- cpu fans?
-      # hwmon6/pwm4 -- case fans?
-
-      INTERVAL=10
-      DEVPATH=hwmon2=devices/pci0000:00/0000:00:18.3 hwmon6=devices/platform/nct6775.656
-      DEVNAME=hwmon2=k10temp hwmon6=nct6798
-      FCTEMPS=hwmon6/pwm5=hwmon6/temp9_input hwmon6/pwm2=hwmon2/temp1_input hwmon6/pwm3=hwmon2/temp1_input hwmon6/pwm4=hwmon2/temp1_input
-      FCFANS=hwmon6/pwm5=hwmon6/fan5_input hwmon6/pwm2=hwmon6/fan2_input hwmon6/pwm3=hwmon6/fan3_input hwmon6/pwm4=hwmon6/fan4_input
-      MINTEMP=hwmon6/pwm5=20 hwmon6/pwm2=20 hwmon6/pwm3=20 hwmon6/pwm4=20
-      MAXTEMP=hwmon6/pwm5=60 hwmon6/pwm2=90 hwmon6/pwm3=90 hwmon6/pwm4=90
-      MINSTART=hwmon6/pwm5=16 hwmon6/pwm2=90 hwmon6/pwm3=45 hwmon6/pwm4=60
-      MINSTOP=hwmon6/pwm5=14 hwmon6/pwm2=0 hwmon6/pwm3=30 hwmon6/pwm4=45
-      MINPWM=hwmon6/pwm5=14 hwmon6/pwm2=0 hwmon6/pwm3=0 hwmon6/pwm4=0
-      MAXPWM=hwmon6/pwm5=255 hwmon6/pwm2=255 hwmon6/pwm3=255 hwmon6/pwm4=255
-    '';
   };
 
   # Additional virtualization beyond what's in development module

systems/x86_64-linux/nas/grafana.nix

@@ -82,5 +82,8 @@ in
     };
   };
   # Open firewall ports for Grafana
-  networking.firewall.allowedTCPPorts = [ 9999 ];
+  networking.firewall = {
+    allowedTCPPorts = [ 9999 ];
+    allowedUDPPorts = [ 9999 ];
+  };
 }

systems/x86_64-linux/nas/nix-serve.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   # "https://cache.mjallen.dev"
   # "cache.mjallen.dev-1:IzFmKCd8/gggI6lcCXsW65qQwiCLGFFN9t9s2iw7Lvc="
@@ -10,14 +10,6 @@
     openFirewall = true;
   };
 
-  services.atticd = {
-    enable = true;
-    environmentFile = config.sops.secrets."jallen-nas/attic-key".path;
-    settings = {
-      listen = "[::]:9012";
-    };
-  };
-
   # Improved systemd service with better error handling
   systemd = {
     services = {

systems/x86_64-linux/nas/services.nix

@@ -8,21 +8,6 @@ in
   # Services configs
   services = {
 
-    code-server = {
-      enable = true;
-      disableTelemetry = true;
-      disableUpdateCheck = true;
-      user = "admin";
-      group = "jallen-nas";
-      host = "0.0.0.0";
-      port = 4444;
-      auth = "none";
-      hashedPassword = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
-      extraEnvironment = {
-        PROXY_DOMAIN = "code.mjallen.dev";
-      };
-    };
-
     minecraft-server = {
       enable = false;
       eula = true;
@@ -127,11 +112,6 @@ in
       ];
     };
 
-    authentik = {
-      enable = true;
-      environmentFile = config.sops.secrets."jallen-nas/authentik-env".path;
-    };
-
     # nixai = {
     #   enable = true;
     #   mcp = {
@@ -168,33 +148,6 @@ in
       };
     };
 
-    restic.server = {
-      enable = true;
-      dataDir = "/media/nas/main/backup/restic";
-      prometheus = true;
-      listenAddress = "0.0.0.0:8008";
-      htpasswd-file = "/media/nas/main/backup/restic/.htpasswd";
-    };
-  };
-
-  systemd.user.services = {
-    protonmail-bridge = {
-      description = "Protonmail Bridge";
-      enable = true;
-      environment = {
-        GNUPGHOME = "%h/.gnupg";
-        PASSWORD_STORE_DIR = "%h/.password-store";
-      };
-      script = "${pkgs.protonmail-bridge}/bin/protonmail-bridge --noninteractive";
-      path = [
-        pkgs.gnome-keyring
-        pkgs.gnupg
-        pkgs.pass
-        pkgs.protonmail-bridge
-      ];
-      wantedBy = [ "default.target" ];
-      after = [ "gpg-agent.service" ];
-    };
   };
 
   # TODO move to normal samba settings
@@ -298,17 +251,6 @@ in
       '';
     };
 
-    glances-server = {
-      path = [
-        pkgs.bash
-        pkgs.glances
-      ];
-      script = ''
-        glances -w
-      '';
-      wantedBy = [ "multi-user.target" ];
-    };
-
     hd-idle = {
       enable = false;
       environment = {