sab

idk
2026-02-09 16:35:55 -06:00 · 2026-02-09 16:35:55 -06:00
26 changed files with 1695 additions and 1478 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -1,7 +1,24 @@
 {
  "nodes": {
    "authentik-go": {
      "flake": false,
      "locked": {
        "lastModified": 1770333754,
        "narHash": "sha256-Yyna75Nd6485tZP9IpdEa5QNomswe9hRfM+w3MuET9E=",
        "owner": "goauthentik",
        "repo": "client-go",
        "rev": "280022b0a8de5c8f4b2965d1147a1c4fa846ba64",
        "type": "github"
      },
      "original": {
        "owner": "goauthentik",
        "repo": "client-go",
        "type": "github"
      }
    },
    "authentik-nix": {
      "inputs": {
        "authentik-go": "authentik-go",
        "authentik-src": "authentik-src",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
@@ -14,16 +31,15 @@
        "uv2nix": "uv2nix"
      },
      "locked": {
-        "lastModified": 1769248094,
+        "lastModified": 1770535094,
-        "narHash": "sha256-9eiLAIUI3rsjqdY32+jQdKB+0VI6Jks0uf0s/UVMVJI=",
+        "narHash": "sha256-MLjqqCQsJFZJKqSMfarSVsFLNRiDK/pvOnoRwZ+esmk=",
        "owner": "nix-community",
        "repo": "authentik-nix",
-        "rev": "1cab906a5cb342a4890ea9e4fe3993c6d438689b",
+        "rev": "b09825ea48b0802b4806ed9f0f4721a49e36eb98",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "version/2025.12.1",
        "repo": "authentik-nix",
        "type": "github"
      }
@@ -31,16 +47,16 @@
    "authentik-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1768596569,
+        "lastModified": 1770055313,
-        "narHash": "sha256-HDTbQB/sMhYh2b95dQwzF8OgrwLWdl4hVmx6wtDcgE8=",
+        "narHash": "sha256-t9DOFNSQJZdUnZSEr3z8EBRsltS4DKu9xad9gS5/Ikc=",
-        "owner": "ma27",
+        "owner": "goauthentik",
        "repo": "authentik",
-        "rev": "72ad5fe320f2201fc2a37372d4c9cb46377a58e5",
+        "rev": "6760f4c5d38e245edb72e12e4f45bda8dd859ccd",
        "type": "github"
      },
      "original": {
-        "owner": "ma27",
+        "owner": "goauthentik",
-        "ref": "2025.12.1-dependency-fix",
+        "ref": "version/2025.12.3",
        "repo": "authentik",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -49,7 +49,7 @@
    nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
    authentik-nix = {
-      url = "github:nix-community/authentik-nix/version/2025.12.1";
+      url = "github:nix-community/authentik-nix";
      # inputs.nixpkgs.follows = "nixpkgs-stable";
    };
--- a/homes/x86_64-linux/matt@matt-nixos/default.nix
+++ b/homes/x86_64-linux/matt@matt-nixos/default.nix
@@ -1,5 +1,4 @@
 {
  inputs,
  lib,
  pkgs,
  namespace,
@@ -195,10 +194,7 @@ in
    ]);
  specialisation = {
-    "end4".configuration = 
+    "end4".configuration = {
      let
        dotfiles = inputs.end4-dotfiles;
      in {
      programs = {
        illogical-impulse = {
          enable = true;
--- a/modules/home/programs/hyprland/default.nix
+++ b/modules/home/programs/hyprland/default.nix
@@ -64,7 +64,7 @@ in
          wl-clipboard
          wlogout
          wlroots
-          xorg.xhost
+          xhost
          xsettingsd
          xwayland
        ]
--- a/modules/home/stylix/default.nix
+++ b/modules/home/stylix/default.nix
@@ -92,6 +92,7 @@ in
        enable = false;
        useWallpaper = false;
      };
      kde.enable = false;
      firefox = {
        enable = false;
        profileNames = [
--- a/modules/nixos/gaming/default.nix
+++ b/modules/nixos/gaming/default.nix
@@ -21,10 +21,10 @@ in
      package = pkgs.steam.override {
        extraPkgs =
          _pkgs: with pkgs; [
-            xorg.libXcursor
+            libXcursor
-            xorg.libXi
+            libXi
-            xorg.libXinerama
+            libXinerama
-            xorg.libXScrnSaver
+            libXScrnSaver
            libpng
            libpulseaudio
            libvorbis
--- a/modules/nixos/homeassistant/automations/motion-light/default.nix
+++ b/modules/nixos/homeassistant/automations/motion-light/default.nix
@@ -68,57 +68,6 @@ let
      mode: single
  '';
  automationToYamlSwitch = mlcfg: ''
    - id: '${toString mlcfg.id}'
      alias: ${mlcfg.alias}
      description: '${mlcfg.description}'
      triggers:
      - device_id: ${mlcfg.motion-sensor.mqttDeviceId}
        entity_id: ${mlcfg.motion-sensor.mqttEntityId}
        domain: binary_sensor
        id: occupied
        subtype: on_press
        trigger: device
        type: occupied
        for:
          hours: 0
          minutes: 0
          seconds: 0
      - device_id: ${mlcfg.motion-sensor.mqttDeviceId}
        entity_id: ${mlcfg.motion-sensor.mqttEntityId}
        domain: binary_sensor
        id: vacant
        subtype: off_press
        trigger: device
        type: not_occupied
        for:
          hours: 0
          minutes: 0
          seconds: 5
      conditions: []
      actions:
      - choose:
        - conditions:
          - condition: trigger
            id:
            - occupied
          sequence:
          - type: turn_on
            device_id:  ${mlcfg.switch.deviceId}
            entity_id:  ${mlcfg.switch.entityId}
            domain: switch
        - conditions:
          - condition: trigger
            id:
            - vacant
          sequence:
          - type: turn_off
            device_id:  ${mlcfg.switch.deviceId}
            entity_id:  ${mlcfg.switch.entityId}
            domain: switch
      mode: single
  '';
  motionLightAutomations = concatStringsSep "\n" (
    mapAttrsToList (_: automationToYaml) cfg.motion-light
  );
--- a/modules/nixos/programs/default.nix
+++ b/modules/nixos/programs/default.nix
@@ -62,18 +62,17 @@ in
        SDL2
        util-linux
        vulkan-loader
-        xorg.libX11
+        libICE
-        xorg.libICE
+        libSM
-        xorg.libSM
+        libXcursor
-        xorg.libXcursor
+        libXrandr
-        xorg.libXrandr
+        libXi
-        xorg.libXi
+        libXcomposite
-        xorg.libXcomposite
+        libXdamage
-        xorg.libXdamage
+        libXext
-        xorg.libXext
+        libXfixes
-        xorg.libXfixes
+        # libx11
-        xorg.libX11
+        libxcb
        xorg.libxcb
        zlib
      ];
    };
--- a/modules/nixos/services/arrs/default.nix
+++ b/modules/nixos/services/arrs/default.nix
@@ -81,7 +81,8 @@ let
        secretFiles = [
          config.sops.templates."sabnzbd.ini".path
        ];
-        settings = {
+        configFile = null;
        settings = lib.mkForce {
          misc = {
            host = "0.0.0.0";
            port = 8280;
--- a/modules/nixos/services/coturn/default.nix
+++ b/modules/nixos/services/coturn/default.nix
@@ -0,0 +1,86 @@
 {
  config,
  lib,
  namespace,
  ...
 }:
 let
  name = "coturn";
  cfg = config.${namespace}.services.${name};
  coturnConfig = lib.${namespace}.mkModule {
    inherit config name;
    serviceName = "${name}-synapse";
    description = "config";
    options = { };
    moduleConfig = {
      services.coturn = rec {
        enable = true;
        no-cli = true;
        no-tcp-relay = true;
        min-port = 49000;
        max-port = 50000;
        use-auth-secret = true;
        static-auth-secret = "Lucifer008!";
        listening-port = cfg.port;
        realm = "turn.mjallen.dev";
        # cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
        # pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
        extraConfig = ''
          # for debugging
          verbose
          # ban private IP ranges
          no-multicast-peers
          denied-peer-ip=0.0.0.0-0.255.255.255
          denied-peer-ip=10.0.0.0-10.255.255.255
          denied-peer-ip=100.64.0.0-100.127.255.255
          denied-peer-ip=127.0.0.0-127.255.255.255
          denied-peer-ip=169.254.0.0-169.254.255.255
          denied-peer-ip=172.16.0.0-172.31.255.255
          denied-peer-ip=192.0.0.0-192.0.0.255
          denied-peer-ip=192.0.2.0-192.0.2.255
          denied-peer-ip=192.88.99.0-192.88.99.255
          denied-peer-ip=192.168.0.0-192.168.255.255
          denied-peer-ip=198.18.0.0-198.19.255.255
          denied-peer-ip=198.51.100.0-198.51.100.255
          denied-peer-ip=203.0.113.0-203.0.113.255
          denied-peer-ip=240.0.0.0-255.255.255.255
          denied-peer-ip=::1
          denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
          denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
          denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
          denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
          denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        '';
      };
      networking.firewall = {
        interfaces.enp197s0 =
          let
            range = with config.services.coturn; [
              {
                from = min-port;
                to = max-port;
              }
            ];
          in
          {
            allowedUDPPortRanges = range;
            allowedUDPPorts = [
              3478
              5349
            ];
            allowedTCPPortRanges = [ ];
            allowedTCPPorts = [
              3478
              5349
            ];
          };
      };
    };
  };
 in
 {
  imports = [ coturnConfig ];
 }
--- a/modules/nixos/services/matrix/default.nix
+++ b/modules/nixos/services/matrix/default.nix
@@ -59,6 +59,7 @@ let
        dataDir = "${cfg.configDir}/matrix-synapse";
        configureRedisLocally = true;
        enableRegistrationScript = true;
        withJemalloc = true;
        extras = [
          "oidc"
          "redis"
@@ -67,7 +68,7 @@ let
        settings = {
          server_name = "mjallen.dev";
          public_baseurl = "https://matrix.mjallen.dev";
-          serve_server_wellknown = true;
+          serve_server_wellknown = false;
          listeners = [
            {
@@ -105,7 +106,7 @@ let
          # Registration settings
          enable_registration = false; # Set to true initially to create admin user
-          enable_registration_without_verification = false;
+          enable_registration_without_verification = lib.mkForce false;
          # Media settings
          max_upload_size = "50M";
@@ -118,6 +119,12 @@ let
              server_name = "matrix.org";
            }
          ];
          turn_uris = [
            "turn:${config.services.coturn.realm}:3478?transport=udp"
            "turn:${config.services.coturn.realm}:3478?transport=tcp"
          ];
          turn_shared_secret = config.services.coturn.static-auth-secret;
          turn_user_lifetime = "1h";
        };
      };
@@ -140,5 +147,8 @@ let
  };
 in
 {
-  imports = [ matrixConfig ];
+  imports = [
    matrixConfig
    ./livekit.nix
  ];
 }
--- a/modules/nixos/services/matrix/livekit.nix
+++ b/modules/nixos/services/matrix/livekit.nix
@@ -0,0 +1,113 @@
 {
  config,
  lib,
  pkgs,
  namespace,
  ...
 }:
 let
  cfg = config.${namespace}.services.matrix;
  keyFile = "/run/livekit.key";
  file = pkgs.writeText ".well-known.json" ''
    {
      "m.homeserver": {
        "base_url": "https://matrix.mjallen.dev"
      },
      "m.identity_server": {
        "base_url": "https://vector.im"
      },
      "org.matrix.msc3575.proxy": {
        "url": "https://matrix.mjallen.dev"
      },
      "org.matrix.msc4143.rtc_foci": [
        {
          "type": "livekit",    "livekit_service_url": "https://mjallen.dev/livekit/jwt"
        }
      ]
    }
  '';
 in
 {
  config = lib.mkIf cfg.enable {
    services.livekit = {
      enable = true;
      openFirewall = true;
      settings.room.auto_create = false;
      inherit keyFile;
    };
    services.lk-jwt-service = {
      enable = true;
      port = 8585;
      # can be on the same virtualHost as synapse
      livekitUrl = "wss://mjallen.dev/livekit/sfu";
      inherit keyFile;
    };
    # generate the key when needed
    systemd.services.livekit-key = {
      before = [
        "lk-jwt-service.service"
        "livekit.service"
      ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [
        livekit
        coreutils
        gawk
      ];
      script = ''
        echo "Key missing, generating key"
        echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
      '';
      serviceConfig.Type = "oneshot";
      unitConfig.ConditionPathExists = "!${keyFile}";
    };
    # restrict access to livekit room creation to a homeserver
    systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "mjallen.dev";
    services.nginx = {
      enable = true;
      defaultHTTPListenPort = 8188;
      virtualHosts = {
        "matrix.mjallen.dev".locations = {
          "= /.well-known/matrix/client" = {
            alias = file;
            extraConfig = ''
              default_type application/json;
              add_header Access-Control-Allow-Origin "*";
            '';
          };
        };
        "mjallen.dev".locations = {
          "= /.well-known/matrix/client" = {
            alias = file;
            extraConfig = ''
              default_type application/json;
              add_header Access-Control-Allow-Origin "*";
            '';
          };
          "^~ /livekit/jwt/" = {
            priority = 400;
            proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
          };
          "^~ /livekit/sfu/" = {
            extraConfig = ''
              proxy_send_timeout 120;
              proxy_read_timeout 120;
              proxy_buffering off;
              proxy_set_header Accept-Encoding gzip;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
            '';
            priority = 400;
            proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
            proxyWebsockets = true;
          };
        };
      };
    };
  };
 }
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
@@ -296,6 +296,11 @@ in
                url = hassUrl;
              }
            ];
            nginx.loadBalancer.servers = [
              {
                url = "http://localhost:8188";
              }
            ];
          }
          // reverseProxyServiceConfigs;
@@ -312,6 +317,30 @@ in
              tls.certResolver = "letsencrypt";
            };
            matrix2 = {
              entryPoints = [ "websecure" ];
              rule = "Host(`matrix.mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
              service = "nginx";
              middlewares = [
                "crowdsec"
                "whitelist-geoblock"
              ];
              priority = 1;
              tls.certResolver = "letsencrypt";
            };
            matrix3 = {
              entryPoints = [ "websecure" ];
              rule = "Host(`mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
              service = "nginx";
              middlewares = [
                "crowdsec"
                "whitelist-geoblock"
              ];
              priority = 1;
              tls.certResolver = "letsencrypt";
            };
            cache = {
              entryPoints = [ "websecure" ];
              rule = "Host(`cache.${domain}`)";
--- a/overlays/ccache/default.nix
+++ b/overlays/ccache/default.nix
@@ -1,5 +1,5 @@
 { ... }:
-final: super: {
+_final: _super: {
  # ${namespace} = super.${namespace} // {
  #   linuxPackages_rpi5 = super.linuxPackagesFor (
  #     super.${namespace}.linux-rpi.override { stdenv = super.ccacheStdenv; }
--- a/packages/librepods-beta/default.nix
+++ b/packages/librepods-beta/default.nix
@@ -9,7 +9,6 @@
  wayland,
  libxkbcommon,
  libGL,
  xorg,
  expat,
  fontconfig,
  freetype,
@@ -50,10 +49,10 @@ rustPlatform.buildRustPackage rec {
    freetype.dev
    libGL
    pkg-config
-    xorg.libX11
+    # libx11
-    xorg.libXcursor
+    # libXcursor
-    xorg.libXi
+    # libXi
-    xorg.libXrandr
+    # libXandr
    wayland
    libxkbcommon
  ];
--- a/secrets/nas-secrets.yaml
+++ b/secrets/nas-secrets.yaml
@@ -2,7 +2,7 @@ jallen-nas:
  admin_password: ENC[AES256_GCM,data:0XUblR800UyliA8JfYUZbncDRxiU6eoTaf3i80+OCwJ/31oBhSqj9OtgYeRg3IyURwik1Nk/609IuHjIhly3mgTjOD6Hpzxpag==,iv:0yO3z8ItHRQFeI9JOnFTKhKVHi5u9cMtpglFRlkvYLE=,tag:iUd79iWAJQ9iqP0qolSwfA==,type:str]
  nas_pool: ENC[AES256_GCM,data:LBiUC/5qMFUnWUWYZgRPrGopdPd6oWB0+xe1S+GiOMtSIsBH34ZoE8U/v1HmxR17mt0x169xq7iXAQZTCZ/Vd8KGmecTK7hC+H6kmSUcwsuoPiVyoSPdet3Zb716eXGWmnSD6QlReUpq6xiCqOwKUkgNgRtkdc92PAEcmbrw1tfooxTesxB3n9pSCXAkwsPxJWl7nLrCZIf6wOZci/TiwFJf534/YPKIz8q5JxX+E+VeQ4NNRfZxn4EqlMDgmNcEcuHdflqTNAlDmREqhN0XNREUaFveQ01T5sFb6XHorEHpUlKIzDpMV4LKjZQMZax4T+6nbGpUa5kf/Gr3xeOpMpTGNir1bM8oPQGP/Iz9u4AjGP56+JYcqUBcxG1wwNFIqBrrC+Bf7vdjGxgMClwW5AbMtGXwE9y+dSM9MMkj8kiaK1zWZfyIqRBheXtXUhPIjJSR8fmnVtKW358E7ynC9R14AsA3qxpxEc4+VmF7cJEzjStP//FRSuUFRlvgIcGBfncvt0b+ecEk8WostYAMHhqpyHtW2hG5orv6qFupLz0VCBbFLqlIEMG1d/EfjulGqWN4fGIhlAGpssvuo8r/9bOz4efTwODnKJqX5YfOPhFDAJZzj7pgFgAjf8/xAgelAU1yR3nlj2PR9itEAApY0L0FvnC4fEMBqlpINM8gGeNcfTraIYo7bqVhOT5sVOXmru+nRoyG1I01rJ1lQpis5Kqt+HWGa43fi81dtTm7kj/4bOPSPrJimIOD37O3GRlbiiGIhy/Ta/iVqzRsYeUZOyIQT+IjZ4pX5tgJ/AxASVzdRd9GluexPdUGVDb9Kjf7mo7aYsXyWDBP7ZoXDQGHndrlTlrQreDLgcwCXo1hHEn9YkIUfYpBd5Th7LJrsaNWXH838S+9sDqSCGdVPVcH0HC8x5T5Uo3Jb833uaQjtaXsSaAgaRkcEtAHz4LO5kKii3AgP0vA,iv:ny8qQhSrfokW3iS0KXtCVYgtvj07c25jfEUCIExD7eI=,tag:QD8C37p3gUJr42NHiL7PHw==,type:str]
  ups_password: ENC[AES256_GCM,data:tYuJ9nU3E2/Ko6Y=,iv:lQq+g68lKCp1rmPvS/84xGIXHxD9zY5zZrrjEJlY8Hs=,tag:p6McEr+sXGAQyMAz1Kaxfw==,type:str]
-    authentik-env: ENC[AES256_GCM,data:AzHHGyhoyMp/ebnK6LQ5apBUhQT04SPJrtA6XcdaQ38C+fYuG2ph2iWFb+giafxCe8IXWAYT8CWoeqcspM7CPSAAKgqfVaPhMvjXqLxCY/rpegb5jBD1U6tURhPsH3ADrERk+kCmTV2eUpuV+nluiGM+fRdwhB0zu378HKwhXCpSO4L24aXhe9pxxxaTQzncWH6zW5iaRdouDVr1bAUzLi9BpnmS0ZK/rfLq2whErCeN++Srx6aCgwJ7jaqetBglQkIl3YG6flS8u3vsKtI+RVaNJ5tzrWR/qv0vBy8y1PZEuuXZdiHjn1hjiPE1T31j2+aQdbX70RaJfIt6E4lVtArQHv8PTUDxUoxcnUv52xLTStT5/UdIlNoZjPMwvaknpK7Z0uw9w4j76gmgk06xsxoCpnXIGTm1QpGqviBhgfNs5Va/qi4MBfByaym3UAz9LPHs4keuvJNN8dS0q5OMnRswl14PjIb1MIKB/QCVHvb4hO7eIRiWOkA7nb9LP/y1mjAYslr+I+GNpU8oIYTAvKoMS7ZgC49RoLWytAXUru2I7CqDR9zgPzlDQ9gLPoFKw2uKulpAy0ayQWPcgPA2CFmF+5zdINNSNKn0gRZ/2RTc3DiWmzo4P13EmrOwvkWCkiswFu1d6ctKZFhQnfPuj9LRGp/Os55JpLrreSyRJug6lgR4bPdC3x8sbxNmb5S2Y+4aFfgPXfdCdXs5b+8j28d1d4EoOO/arUzNADz9ODD5esb2g8UC2QtQd0RRYX/qmiM=,iv:YKvFxz3M8HKlg56JfN6uv8hvCFlEbhBkaSQz1v9l3zk=,tag:rz7UixSDqOXH7Ga6mkVYAw==,type:str]
+  authentik-env: ENC[AES256_GCM,data:PhHiiDJuKx/LKbJR6wx0HknqAs+fnAilA2HsMHwl0N3CMQ0pa+qKEB9x0a16Jr0yC9F4OKD7k98Q4wHbQWuE8IORB9CaiWVQzwJEaFvQ1wdv0wtHC23Aq5ppUPG941xArpF40/64vLYYa8w5Q1wxQr6xeg4VZwpSahIRAa6tB4eMAgopl4QeXGMskaPrL7A9Eu6lXt5LQJkCEFRuyL1XX5W33/l0HYeovgevhqTcbRmOLiG8r4XOihQDUtVWIhW8X3iDlCsgNEgxJE2s+7UuqwetvHpLCQMEyPfITx6FMI6vw8+raLTwQC7fDWXyqjWIJ3/xds7DTcBjJZMj72S6tggX0QLDfnrtjIG0iVNmbRDE2Cv96VJVdV6B381B2XKYx1EThjgucxbmp2Gz4+dpGu3O+rNxlfd9VR7KDA1FH2ddPr8JMhRpeBYbYpxCfuKqgKgfBqvxdI7lV2/alsqLZ3RdzRxi3mCilrldnKEw9YzEJEh0UU2L9J2bP8GJWpyfQsSGnNjpGL3k877e7R0NrKle7ertp2NZKccrKCXyYDGbfERrfmtN2ebaWZXmtbj9Hf/PZBQyXa8onf85QeuY5574pvm8+TZRGorhuMyKi/19lOuEgrAayDM8lQZUDW/QWmU3qf8dO4LAbE7HpzJfv0nEgnKbqVUrV4wcgHYPWNSCFLfdW8eVISgIgZBNA/FD836fwBTCwB91jfWI8g9yrK0l+fvk7RL7Spz7XoK/YIELhojoS6LLr/1wgP2atekDaUBMKw==,iv:w6M8cm+5eCkGPJiD0NkBgZuIVjYPUd9d1yp95y/BwyQ=,tag:SgOpa23x395CefA9zvI5GA==,type:str]
  traefik:
    crowdsec:
      lapi-key: ENC[AES256_GCM,data:tEEr+KtGPseweqWn7eyrZwZBl+pPqzQqr5cmlYZF2ugm9pF4sUwBdEy21A==,iv:x1h0Op29Ta15dPe1Tfm4c1Mlo85aqvyOgZ5bELRNTGE=,tag:y0R8DHc0ya96n6hLLhteYA==,type:str]
@@ -58,8 +58,8 @@ jallen-nas:
  ntfy:
    auth-users: ENC[AES256_GCM,data:5k2a8GxQ76tGFv0kSlnS2Cr3te0pkKjLlswtnK7m3JOuBMN4hFxOuleZJgy/gbcYvxtKgs5zx6l1pVJVUBnaSZxzANK/LWjbYPaM8VOkzTFxCpLWjhCOlLn0gao=,iv:7BrNN929jGkkquMVnRx1kjnDNg1F47MdCFkYK8fCPL0=,tag:lpMUK9rLmHUYOh7LSpXsVA==,type:str]
  matrix:
-        client-id: ENC[AES256_GCM,data:Cv5nbJQPo2YkNwVlzaquXguaVpfVxmYu4LvwlgLJw1EVfDz8ZqgCtQ==,iv:OO9q+q36wCq0yuTxLpqh5Nn0oVWdNISTMZzeQedPcGE=,tag:KDsox/yemi9t76xr2/yvbg==,type:str]
+    client-id: ENC[AES256_GCM,data:mMpc+BsS9YYCXRrTNaCQcMMVdxw98uQdvywauYGjVV+ASalZA3PbBA==,iv:5Qzgny+6HkKFAYLckkVYsHVlhp0GuI96PPMjVx6RRZI=,tag:5LlLg3nnyHy9ak2VT1+hMQ==,type:str]
-        client-secret: ENC[AES256_GCM,data:5OcfUAVZ0xfGEkGr8rp08lFRbcvMf2XvCU08XnaK8iwjWEmVJjLHtBV0rzulPpdJf9eVapCz0udC8v1bPgD2tvVLNNdSUK5CMwYIB6dsa44/lkUe+EvNl/7w68vUqyo3rWAgTLIUksglvk/aCXH0p3ZIrQgQgeI6EbvdS5bcLqY=,iv:OeCnHFGaXUQhqdPX4XksKwwZrbhBr8bsNeDTiIbfSpY=,tag:KWqDU9iJmIQpObxNdLs6AQ==,type:str]
+    client-secret: ENC[AES256_GCM,data:mH83GAgAziN0CMy/GuSGCTrm0wyopzvrxw1xkA7aBDSdP7N0ZYkfJ5et7daB+5jew+bbVA/Gy8aO1U2/rJ4FhRr5C0XhayHs1fT1sZBel904OHboTGRpy+eg4H+RSaA6WYWk5HRKH2ZcAfMa1jOqnbqol3+P96KpIPiMotDGL/c=,iv:mg8XbHu4ZkYICDjK2Q88SXt1Gl9IdbehFZyKES8OU50=,tag:UBnysN2qgIg53GRzbog7+A==,type:str]
  glance:
    arr-username: ENC[AES256_GCM,data:PlLrcaYLmvv5,iv:ZdBAkR93TLh0FMYhqBhxw8hZI5a/UeS3fpWkORH2e4k=,tag:hpuEgLnF5hCtt0XJTC/gAg==,type:str]
    arr-password: ENC[AES256_GCM,data:K8J3fPGWc3SWeKo=,iv:pkr+m92OlAszLXmGn34tEtaEvvBV+ohObj2uRDqKIYc=,tag:wBxe9gijHie6sq0brtpMRQ==,type:str]
@@ -221,8 +221,8 @@ sops:
        L0gwQm5takNjMkVGNzVlSStJYlUwWDAKP8QA3rRUHYbyyhPC/k0Eq2EIKfjyc7Co
        7BkHH3msC6h9g42BB5iIYe6KQ+UGxMQBFvp+qSB27jaIfajN5MP0BA==
        -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-31T04:32:39Z"
+  lastmodified: "2026-02-09T16:07:02Z"
-    mac: ENC[AES256_GCM,data:YhtZZuRgoBvVdk7MTle4dCVXxVANo3B/oOvLC1zS9/de3uGz1zV7ztbUYx5SIW6HOzlYxdjvmFJV79xcQyAiPoj6zC7gyQdHjvNZ8V39gYqaGsF6kasdlPVHpQBgeGepPjpYy7m2ROFlkvXkjNVgs+/ENAsRoqyMNSGXEltoM7Q=,iv:NVDHLzxHQSFOXjroiPatdw8V7nuaT40AQ/noU9K1wsY=,tag:+PBTFVL81ArJNZM/k97msg==,type:str]
+  mac: ENC[AES256_GCM,data:wObXRnXCkE5yfBpwtkuFnzlGaF2BugipRxnx0Z/pTwc6PENKHrCFqnuOdb4EDnlYBGXTGSCUzksWS1kZVc8SF0tiimzlPAB9suS31386I3ex+IJNlouv6MFkvBpeI5OnMo7y/eJVK9GBmC5bxoNhySMAQBRCuDGs9uCaTHdYkRI=,iv:kAInXG7UMeIN/ZJwmwY2cd6V/n3fxOUodvCP0sADvcc=,tag:oFa8zO9WNOGLQZKC7vTN+A==,type:str]
  pgp:
    - created_at: "2026-02-06T15:34:30Z"
      enc: |-
--- a/systems/aarch64-linux/macbook-pro-nixos/hardware-configuration.nix
+++ b/systems/aarch64-linux/macbook-pro-nixos/hardware-configuration.nix
@@ -1,64 +1,72 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, modulesPath, ... }:
 {
-  imports =
+  imports = [
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/installer/scan/not-detected.nix")
  ];
-  boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" "sdhci_pci" ];
+  boot.initrd.availableKernelModules = [
    "usbhid"
    "usb_storage"
    "sdhci_pci"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "none";
+    device = "none";
    fsType = "tmpfs";
    options = [ "mode=755" ];
  };
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/80CC-18FC";
+    device = "/dev/disk/by-uuid/80CC-18FC";
    fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };
-  fileSystems."/home" =
+  fileSystems."/home" = {
-    { device = "/dev/mapper/cryptroot";
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=home" ];
  };
-  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/6fc86225-2bd4-4d9f-ba51-c3bc6b1dc7f9";
+  boot.initrd.luks.devices."cryptroot".device =
    "/dev/disk/by-uuid/6fc86225-2bd4-4d9f-ba51-c3bc6b1dc7f9";
-  fileSystems."/persist" =
+  fileSystems."/persist" = {
-    { device = "/dev/mapper/cryptroot";
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=persist" ];
  };
-  fileSystems."/etc" =
+  fileSystems."/etc" = {
-    { device = "/dev/mapper/cryptroot";
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=etc" ];
  };
-  fileSystems."/root" =
+  fileSystems."/root" = {
-    { device = "/dev/mapper/cryptroot";
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=root" ];
  };
-  fileSystems."/nix" =
+  fileSystems."/nix" = {
-    { device = "/dev/mapper/cryptroot";
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=nix" ];
  };
-  fileSystems."/var/log" =
+  fileSystems."/var/log" = {
-    { device = "/dev/mapper/cryptroot";
+    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
    options = [ "subvol=log" ];
  };
--- a/systems/x86_64-linux/jallen-nas/apps.nix
+++ b/systems/x86_64-linux/jallen-nas/apps.nix
@@ -28,7 +28,7 @@ in
        environmentFile = "/run/secrets/jallen-nas/attic-key";
      };
      authentik = {
-        enable = false;
+        enable = true;
        configureDb = true;
        port = 9000;
        reverseProxy = enabled;
@@ -59,6 +59,11 @@ in
          PROXY_DOMAIN = "code.mjallen.dev";
        };
      };
      coturn = {
        enable = true;
        port = 3478;
        reverseProxy = enabled;
      };
      collabora = {
        enable = false;
        port = 9980;
@@ -125,7 +130,7 @@ in
        port = 3214;
      };
      matrix = {
-        enable = false;
+        enable = true;
        port = 8448;
        reverseProxy = enabled;
      };
--- a/systems/x86_64-linux/jallen-nas/default.nix
+++ b/systems/x86_64-linux/jallen-nas/default.nix
@@ -334,12 +334,17 @@ in
      tpm2-tools
      tpm2-tss
    ];
-    # persistence."/media/nas/main/persist" = {
+    persistence."/media/nas/main/persist" = {
-    #   hideMounts = true;
+      hideMounts = true;
-    #   directories = [
+      directories = [
-
+        {
-    #   ];
+          directory = "/var/lib/sabnzbd";
-    # };
+          user = "sabnzbd";
          group = "sabnzbd";
          mode = "u=rwx,g=rx,o=rx";
        }
      ];
    };
  };
  networking.firewall.checkReversePath = false;
Author	SHA1	Message	Date
mjallen18	1731647367	sab	2026-02-09 16:35:55 -06:00
mjallen18	9ad06425c8	idk	2026-02-09 16:35:55 -06:00