Set up PiGallery2

Monitor all relevant services in the MOTD script
Allow NAT loopback via DNS server
2025-12-23 14:19:27 +01:00 · 2025-12-22 08:01:38 +01:00 · 2025-12-22 07:58:38 +01:00 · 2025-12-21 23:40:04 +01:00 · 2025-12-21 23:04:10 +01:00 · 2025-12-06 05:18:46 +01:00
13 changed files with 343 additions and 120 deletions
--- a/2
+++ b/2
@@ -1,7 +1,7 @@
 DIR=$(HOME)/Projects/zion

 switch:
-	nixos-rebuild switch --fast --target-host root@zion \
+	nixos-rebuild switch --no-reexec --target-host root@zion \
 	--build-host root@zion --flake path://$(DIR)#zion

 .DEFAULT_GOAL := switch
--- a/configuration.nix
+++ b/configuration.nix
@@ -99,6 +99,8 @@ with pkgs;
        "root"
        "coolneng"
      ];
+      lazy-trees = true;
+      eval-cores = 2;
    };
    gc = {
      automatic = true;
@@ -183,8 +185,6 @@ with pkgs;
    };
    secrets.telegram = {
      file = secrets/telegram.age;
-      owner = "matrix-as-telegram";
-      group = "matrix-as-telegram";
    };
    secrets.mqtt-sender = {
      file = secrets/mqtt-sender.age;
@@ -198,13 +198,9 @@ with pkgs;
    };
    secrets.facebook = {
      file = secrets/facebook.age;
-      owner = "matrix-as-facebook";
-      group = "matrix-as-facebook";
    };
    secrets.signal = {
      file = secrets/signal.age;
-      owner = "matrix-as-signal";
-      group = "matrix-as-signal";
    };
    secrets.inadyn-duckdns = {
      file = secrets/inadyn-duckdns.age;
@@ -216,6 +212,11 @@ with pkgs;
      owner = "inadyn";
      group = "inadyn";
    };
+    secrets.inadyn-porkbun-secret = {
+      file = secrets/inadyn-porkbun-secret.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
    secrets.acme-duckdns = {
      file = secrets/acme-duckdns.age;
      owner = "acme";
@@ -226,22 +227,27 @@ with pkgs;
      owner = "acme";
      group = "nginx";
    };
-    secrets.wallabag.file = secrets/wallabag.age;
-    secrets.wallabag-postgres.file = secrets/wallabag-postgres.age;
    secrets.microbin = {
      file = secrets/microbin.age;
      owner = "63026";
      group = "63026";
    };
+    secrets.readeck = {
+      file = secrets/readeck.age;
+      owner = "63026";
+      group = "63026";
+    };
    identityPaths = [ "/etc/ssh/id_ed25519" ];
  };

  # Auto-upgrade the system
  system.autoUpgrade = {
    enable = true;
+    allowReboot = true;
    flake = "/home/coolneng/system";
    flags = [
-      "--update-input agenix --update-input nixpkgs"
+      "--update-input"
+      "nixpkgs"
      "--commit-lock-file"
    ];
  };
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1736955230,
-        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
+        "lastModified": 1762618334,
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
        "type": "github"
      },
      "original": {
@@ -31,11 +31,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
        "type": "github"
      },
      "original": {
@@ -45,6 +45,63 @@
        "type": "github"
      }
    },
+    "determinate": {
+      "inputs": {
+        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
+        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
+        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
+        "nix": "nix",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1766177528,
+        "narHash": "sha256-Bl+p766mM7qNCZtMqmTz13RuUbOMKsFa+/vnGYoxgPk=",
+        "rev": "b159c082f0f9bdefa6c386189a13c5fa0734d8d8",
+        "revCount": 317,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
+      }
+    },
+    "determinate-nixd-aarch64-darwin": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-vDaEQ5T4eA7kEPREmm68IVWGR6zT0aDL5slZxA6dkSc=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
+      }
+    },
+    "determinate-nixd-aarch64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-Hf4JsIv5G3IR0Q0RHGLSNdmDzFv97sVQQKwzY6A0vV4=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
+      }
+    },
+    "determinate-nixd-x86_64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-J+J4E02XpEl0ZkpzMbUmGCf6S4yk0gYCYmiGzZ058ik=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
+      }
+    },
    "devshell": {
      "locked": {
        "lastModified": 1642188268,
@@ -61,6 +118,22 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1641205782,
@@ -76,6 +149,53 @@
        "type": "github"
      }
    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748821116,
+        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+        "revCount": 377,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
+      }
+    },
+    "git-hooks-nix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": [
+          "determinate",
+          "nix"
+        ],
+        "nixpkgs": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747372754,
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "revCount": 1026,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -84,11 +204,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1703113217,
-        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
@@ -97,10 +217,31 @@
        "type": "github"
      }
    },
+    "nix": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "git-hooks-nix": "git-hooks-nix",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-23-11": "nixpkgs-23-11",
+        "nixpkgs-regression": "nixpkgs-regression"
+      },
+      "locked": {
+        "lastModified": 1766174426,
+        "narHash": "sha256-0ZofAQZNgg5nfIKsVb7g4It6ufmIyLtfFRPOf+6WRkk=",
+        "rev": "15d6091194b5b90d292e8d6283db77f09c303b1e",
+        "revCount": 24285,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
+      }
+    },
    "nix-matrix-appservices": {
      "inputs": {
        "devshell": "devshell",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "nixlib": "nixlib",
        "nixpkgs": [
          "nixpkgs"
@@ -137,11 +278,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1740646007,
-        "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
+        "lastModified": 1764440730,
+        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
+        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
        "type": "github"
      },
      "original": {
@@ -153,41 +294,87 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1748708770,
-        "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "a59eb7800787c926045d51b70982ae285faa2346",
-        "type": "github"
+        "lastModified": 1761597516,
+        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+        "revCount": 811874,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-25.05",
-        "type": "indirect"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-23-11": {
      "locked": {
-        "lastModified": 1729880355,
-        "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=",
+        "lastModified": 1717159533,
+        "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "18536bf04cd71abd345f9579158841376fdd0c5a",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+        "type": "github"
+      }
+    },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1765772535,
+        "narHash": "sha256-aq+dQoaPONOSjtFIBnAXseDm9TUhIbe215TPmkfMYww=",
+        "rev": "09b8fda8959d761445f12b55f380d90375a1d6bb",
+        "revCount": 911985,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1766201043,
+        "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "determinate": "determinate",
        "nix-matrix-appservices": "nix-matrix-appservices",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs": "nixpkgs_3"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@@ -1,9 +1,16 @@
 {
  description = "System configuration for zion";

+  nixConfig = {
+    extra-substituters = "https://install.determinate.systems";
+    extra-trusted-public-keys = ''
+      cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
+    '';
+  };
+
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-25.05";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -16,14 +23,7 @@
  };

  outputs =
-    {
-      self,
-      nixpkgs,
-      nixpkgs-unstable,
-      agenix,
-      nixos-hardware,
-      ...
-    }@inputs:
+    { self, nixpkgs, ... }@inputs:
    let
      system = "x86_64-linux";

@@ -37,8 +37,9 @@
        inherit system;
        modules = [
          (import ./configuration.nix)
-          agenix.nixosModules.age
-          nixos-hardware.nixosModules.aoostar-r1-n100
+          inputs.agenix.nixosModules.age
+          inputs.nixos-hardware.nixosModules.aoostar-r1-n100
+          inputs.determinate.nixosModules.default
        ];
        specialArgs = {
          inherit inputs;
--- a/modules/containers.nix
+++ b/modules/containers.nix
@@ -44,31 +44,24 @@
          ports = [ "127.0.0.1:9090:8080" ];
          volumes = [ "/vault/opodsync:/var/www/server/data" ];
        };
-        # Wallabag
-        wallabag = {
-          image = "wallabag/wallabag@sha256:a87160e4445e11f9bcec0f4b201c31e1eb0d201d7bcd1aac421e8f3c2b8f553c";
-          environmentFiles = [ config.age.secrets.wallabag.path ];
-          dependsOn = [ "postgresql" ];
-          extraOptions = [ "--pod=wallabag-pod" ];
-        };
-        # Wallabag database
-        postgresql = {
-          image = "postgres:16.8@sha256:e95b0cb95f719e0ce156c2bc5545c89fbd98a1a692845a5331ddc79ea61f1b1e";
-          environmentFiles = [ config.age.secrets.wallabag-postgres.path ];
-          extraOptions = [ "--pod=wallabag-pod" ];
-          volumes = [ "/var/lib/postgresql-wallabag:/var/lib/postgresql/data" ];
+        # Photo gallery
+        pigallery2 = {
+          image = "bpatrik/pigallery2@sha256:c936e4504cfe7158198542a8db794b24afb0301155d89e911f13bd04e0b406c2";
+          ports = [ "127.0.0.1:9191:80" ];
+          volumes = [
+            "/vault/pigallery2/config:/app/data/config"
+            "/vault/pigallery2/db:/app/data/db"
+            "/vault/pigallery2/tmp:/app/data/tmp"
+            "/vault/syncthing/Photos:/app/data/images"
+          ];
+          cmd = [
+            "-e"
+            "NODE_ENV=production"
+          ];
        };
      };
    };
  };
-  # Allow networking between Wallabag and Postgresql
-  systemd.services.create-wallabag-pod = {
-    serviceConfig.Type = "oneshot";
-    wantedBy = [ "podman-postgresql.service" ];
-    script = with pkgs; ''
-      ${podman}/bin/podman pod exists wallabag-pod || ${podman}/bin/podman pod create -n wallabag-pod -p '127.0.0.1:8090:80'
-    '';
-  };

  # Start services after ZFS mount
  systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];
--- a/modules/information.nix
+++ b/modules/information.nix
@@ -24,4 +24,21 @@
    };
  };

+  # Readeck configuration
+  services.readeck = {
+    enable = true;
+    settings = {
+      server = {
+        host = "127.0.0.1";
+        port = 9092;
+        allowed_hosts = [ "read.psydnd.org" ];
+        trusted_proxies = [ "127.0.0.1" ];
+        environmentFile = config.age.secrets.readeck.path;
+      };
+    };
+  };
+
+  # NOTE Load credentials using environment variables
+  systemd.services.readeck.serviceConfig.EnvironmentFile = config.age.secrets.readeck.path;
+
 }
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -27,8 +27,8 @@ in
    address = [ "192.168.128.2/23" ];
    gateway = [ "192.168.128.1" ];
    dns = [
-      "1.1.1.1"
-      "9.9.9.9"
+      "127.0.0.1"
+      "::1"
    ];
    networkConfig.DNSSEC = "no";
  };
@@ -47,11 +47,9 @@ in
  # NOTE Temporary workaround until Inadyn fixes the Porkbun module
  services.oink = {
    enable = true;
-    settings = {
-      apiKey = "PLACEHOLDER";
-      secretApiKey = "PLACEHOLDER";
-      interval = 1800;
-    };
+    apiKeyFile = config.age.secrets.inadyn-porkbun.path;
+    secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path;
+    settings.interval = 1800;
    domains = [
      {
        domain = "psydnd.org";
@@ -59,8 +57,6 @@ in
      }
    ];
  };
-  # NOTE Load credentials using environment variables
-  systemd.services.oink.serviceConfig.EnvironmentFile = config.age.secrets.inadyn-porkbun.path;

  # Firewall configuration
  networking.firewall = {
@@ -112,6 +108,14 @@ in
          "fd00::3/128"
        ];
      }
+      # kathreftis
+      {
+        PublicKey = "qfHtv6LSZjtxvH46d8pysr+/yPo2tV9cZumgIpxBNF4=";
+        AllowedIPs = [
+          "10.8.0.4/32"
+          "fd00::4/128"
+        ];
+      }
    ];
  };

@@ -127,6 +131,16 @@ in
    };
  };

+  # Disable systemd-resolved DNS stub
+  services.resolved = {
+    enable = true;
+    llmnr = "false";
+    extraConfig = ''
+      MulticastDNS=yes
+      DNSStubListener=no
+    '';
+  };
+
  # DNS server with ad-block
  services.dnsmasq = {
    enable = true;
@@ -150,11 +164,12 @@ in

      conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf";
      dnssec = false;
+      address = "/psydnd.org/192.168.128.2";
    };
  };

  # Encrypted DNS
-  services.dnscrypt-proxy2 = {
+  services.dnscrypt-proxy = {
    enable = true;
    upstreamDefaults = true;
    settings = {
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -11,7 +11,7 @@
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
-    recommendedZstdSettings = true;
+    recommendedBrotliSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    clientMaxBodySize = "0";
@@ -134,18 +134,6 @@
          };
        };
      };
-      "wallabag.psydnd.org" = {
-        useACMEHost = "psydnd.org";
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://localhost:8090/";
-          extraConfig = ''
-            proxy_set_header X-Forwarded-Host $server_name;
-            proxy_set_header X-Forwarded-Proto https;
-            proxy_set_header X-Forwarded-For $remote_addr;
-          '';
-        };
-      };
      "books.psydnd.org" = {
        useACMEHost = "psydnd.org";
        forceSSL = true;
@@ -176,6 +164,16 @@
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:9091/";
      };
+      "read.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9092/";
+      };
+      "photos.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9191/";
+      };
    };
  };

--- a/scripts/motd.sh
+++ b/scripts/motd.sh
@@ -20,30 +20,31 @@ echo "============================================================
 - System uptime.......: $upDays days $upHours hours $upMins minutes $upSecs seconds
 ============================================================"
 services=(
-	"syncthing.service"
-	"radicale.service"
-	"miniflux.service"
-	"gitea.service"
-	"dendrite.service"
-	"nginx.service"
-	"dnsmasq.service"
-	"podman-openbooks.service"
-	"mosquitto.service"
-	"podman-mqtt2prometheus.service"
-	"prometheus.service"
-	"grafana.service"
+    "syncthing.service"
+    "radicale.service"
+    "miniflux.service"
+    "gitea.service"
+    "dendrite.service"
+    "nginx.service"
+    "dnsmasq.service"
+    "dnscrypt-proxy.service"
+    "podman-openbooks.service"
+    "mosquitto.service"
+    "podman-mqtt2prometheus.service"
+    "prometheus.service"
+    "grafana.service"
 )

 for var in "${services[@]}"; do
-	if [[ -z $var ]]; then
-		printf "\n"
-	else
-		if systemctl -q is-active "${var}"; then
-			printf "%-40s [\e[32mOK\e[39m]\n" "$var"
-		else
-			printf "%-40s [\e[31mFAIL\e[39m]\n" "$var"
-		fi
-	fi
+    if [[ -z $var ]]; then
+        printf "\n"
+    else
+        if systemctl -q is-active "${var}"; then
+            printf "%-40s [\e[32mOK\e[39m]\n" "$var"
+        else
+            printf "%-40s [\e[31mFAIL\e[39m]\n" "$var"
+        fi
+    fi
 done

 echo "============================================================"
--- a/secrets/inadyn-porkbun-secret.age
+++ b/secrets/inadyn-porkbun-secret.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
+MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
+--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
+<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29><0B><>%fc<66><63>XZչ 7+yB
--- a/secrets/inadyn-porkbun.age
+++ b/secrets/inadyn-porkbun.age
--- a/secrets/readeck.age
+++ b/secrets/readeck.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,9 +17,9 @@ in
  "signal.age".publicKeys = [ zion ];
  "inadyn-duckdns.age".publicKeys = [ zion ];
  "inadyn-porkbun.age".publicKeys = [ zion ];
+  "inadyn-porkbun-secret.age".publicKeys = [ zion ];
  "acme-duckdns.age".publicKeys = [ zion ];
  "acme-porkbun.age".publicKeys = [ zion ];
-  "wallabag.age".publicKeys = [ zion ];
-  "wallabag-postgres.age".publicKeys = [ zion ];
  "microbin.age".publicKeys = [ zion ];
+  "readeck.age".publicKeys = [ zion ];
 }
Author	SHA1	Message	Date
coolneng	c7eefea616	Set up PiGallery2	2025-12-23 14:19:27 +01:00
coolneng	7608249b0b	Monitor all relevant services in the MOTD script	2025-12-22 08:01:38 +01:00
coolneng	61b35e5f4a	Allow NAT loopback via DNS server	2025-12-22 07:58:38 +01:00
coolneng	1ccc0041d6	Add kafthretis as a wireguard peer	2025-12-21 23:40:04 +01:00
coolneng	2856e30cbf	flake.lock: Update Flake lock file updates: • Updated input 'determinate': 'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.13.2/019a9b01-c0c6-7e1c-959e-98ac5b7675de/source.tar.gz' (2025-11-19) → 'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz' (2025-12-19) • Updated input 'determinate/determinate-nixd-aarch64-darwin': 'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/macOS' → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS' • Updated input 'determinate/determinate-nixd-aarch64-linux': 'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/aarch64-linux' → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux' • Updated input 'determinate/determinate-nixd-x86_64-linux': 'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/x86_64-linux' → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux' • Updated input 'determinate/nix': 'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.13.2/019a9af6-3d7b-71bc-bccd-8b18e147ad77/source.tar.gz' (2025-11-19) → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz' (2025-12-19) • Updated input 'determinate/nixpkgs': 'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.897465%2Brev-8b6600824693a9c706ef09bd86711ca393703466/019a9577-b407-75dd-b18b-3308def1c215/source.tar.gz' (2025-11-17) → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz' (2025-12-15) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/c97c47f' (2025-12-04) → 'github:NixOS/nixpkgs/b3aad46' (2025-12-20)	2025-12-21 23:04:10 +01:00
coolneng	3e577066c1	Migrate to Determinate Nix	2025-12-06 05:18:46 +01:00
coolneng	3f10536deb	flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02) → 'github:NixOS/nixpkgs/c97c47f2bac4fa59e2cbdeba289686ae615f8ed4?narHash=sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA%3D' (2025-12-04)	2025-12-05 23:51:49 +01:00
coolneng	25e995dfb3	Adapt dnscrypt-proxy config to upstream changes	2025-12-04 17:31:29 +01:00
coolneng	f2faa9047b	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/9edb1787864c4f59ae5074ad498b6272b3ec308d?narHash=sha256-NA/FT2hVhKDftbHSwVnoRTFhes62%2B7dxZbxj5Gxvghs%3D' (2025-08-05) → 'github:ryantm/agenix/fcdea223397448d35d9b31f798479227e80183f6?narHash=sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L%2BVSybPfiIgzU8lbQ%3D' (2025-11-08) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/a65b650d6981e23edd1afa1f01eb942f19cdcbb7?narHash=sha256-9bHzrVbjAudbO8q4vYFBWlEkDam31fsz0J7GB8k4AsI%3D' (2025-08-26) → 'github:NixOS/nixos-hardware/9154f4569b6cdfd3c595851a6ba51bfaa472d9f3?narHash=sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x%2B6XUJ4YdFRjtO4%3D' (2025-11-29) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f?narHash=sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD%2B/cTUzzgVFoaHrkqY%3D' (2025-11-30) → 'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25) → 'github:NixOS/nixpkgs/418468ac9527e799809c900eda37cbff999199b6?narHash=sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y%3D' (2025-12-02)	2025-12-04 17:21:24 +01:00
coolneng	22fc403563	Use Brotli instead of ZSTD for Nginx	2025-12-01 09:26:14 +01:00
coolneng	d5e11e4909	Remove redundant secret injection for oink	2025-12-01 09:25:15 +01:00
coolneng	bcc764dd50	Upgrade to NixOS 25.11	2025-12-01 09:24:18 +01:00
coolneng	4e317cfd81	Specify auto upgrade flags correctly	2025-11-23 17:12:55 +01:00
coolneng	2ad5372267	Use inputs attribute to import modules	2025-11-23 17:03:54 +01:00
coolneng	6e93e251d6	Use correct Flake URL scheme for Auto Upgrade	2025-08-29 01:01:24 +02:00
coolneng	770ecc6c02	Adapt Makefile to new CLI flags of nixos-rebuild	2025-08-27 08:16:38 +02:00
coolneng	86fb493a80	Disable systemd-resolved DNS stub causing conflict	2025-08-27 08:12:57 +02:00
coolneng	3057f13858	Reboot after Auto Upgrade if necessary	2025-08-27 06:20:52 +02:00
coolneng	155c4f3525	Use Git repository as Flake URL for Auto Upgrade	2025-08-27 06:17:48 +02:00
coolneng	3abfa5cb84	Remove Matrix bridges users	2025-08-27 06:14:36 +02:00
coolneng	5d1b075adb	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/e600439ec4c273cf11e06fe4d9d906fb98fa097c?narHash=sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA%3D' (2025-01-15) → 'github:ryantm/agenix/9edb1787864c4f59ae5074ad498b6272b3ec308d?narHash=sha256-NA/FT2hVhKDftbHSwVnoRTFhes62%2B7dxZbxj5Gxvghs%3D' (2025-08-05) • Updated input 'agenix/darwin': 'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d?narHash=sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0%3D' (2023-11-24) → 'github:lnl7/nix-darwin/43975d782b418ebf4969e9ccba82466728c2851b?narHash=sha256-dyN%2BteG9G82G%2Bm%2BPX/aSAagkC%2BvUv0SgUw3XkPhQodQ%3D' (2025-04-12) • Updated input 'agenix/home-manager': 'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1?narHash=sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE%3D' (2023-12-20) → 'github:nix-community/home-manager/abfad3d2958c9e6300a883bd443512c55dfeb1be?narHash=sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs%3D' (2025-04-24) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/009b764ac98a3602d41fc68072eeec5d24fc0e49?narHash=sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE%3D' (2025-02-27) → 'github:NixOS/nixos-hardware/a65b650d6981e23edd1afa1f01eb942f19cdcbb7?narHash=sha256-9bHzrVbjAudbO8q4vYFBWlEkDam31fsz0J7GB8k4AsI%3D' (2025-08-26) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346?narHash=sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY%3D' (2025-05-31) → 'github:NixOS/nixpkgs/b1b3291469652d5a2edb0becc4ef0246fff97a7c?narHash=sha256-wY1%2B2JPH0ZZC4BQefoZw/k%2B3%2BDowFyfOxv17CN/idKs%3D' (2025-08-23) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/18536bf04cd71abd345f9579158841376fdd0c5a?narHash=sha256-RP%2BOQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM%3D' (2024-10-25) → 'github:NixOS/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25)	2025-08-27 03:05:54 +02:00
coolneng	6a3fbf2d80	Migrate from Wallabag to Readeck	2025-06-02 17:14:44 +02:00
coolneng	9a35cefd62	Set Wallabag container version to 2.5.4	2025-06-02 15:47:03 +02:00