Set up PiGallery2

Flake lock file updates:

• Updated input 'determinate':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.13.2/019a9b01-c0c6-7e1c-959e-98ac5b7675de/source.tar.gz' (2025-11-19)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz' (2025-12-19)
• Updated input 'determinate/determinate-nixd-aarch64-darwin':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/macOS'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS'
• Updated input 'determinate/determinate-nixd-aarch64-linux':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/aarch64-linux'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux'
• Updated input 'determinate/determinate-nixd-x86_64-linux':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/x86_64-linux'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux'
• Updated input 'determinate/nix':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.13.2/019a9af6-3d7b-71bc-bccd-8b18e147ad77/source.tar.gz' (2025-11-19)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz' (2025-12-19)
• Updated input 'determinate/nixpkgs':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.897465%2Brev-8b6600824693a9c706ef09bd86711ca393703466/019a9577-b407-75dd-b18b-3308def1c215/source.tar.gz' (2025-11-17)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz' (2025-12-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/c97c47f' (2025-12-04)
  → 'github:NixOS/nixpkgs/b3aad46' (2025-12-20)

.dir-locals.el

@@ -1 +0,0 @@
-((nil . ((ssh-deploy-root-remote . "/ssh:zion:/home/coolneng/system"))))

Makefile

@@ -1,7 +1,7 @@
 DIR=$(HOME)/Projects/zion
 
 switch:
-	nixos-rebuild switch --fast --target-host root@zion \
+	nixos-rebuild switch --no-reexec --target-host root@zion \
 	--build-host root@zion --flake path://$(DIR)#zion
 
 .DEFAULT_GOAL := switch

README.org

@@ -20,32 +20,34 @@
 ** Installation
 
 1. Download the sdcard image
-2. Connect a keyboard to the Raspberry Pi and set the password
+2. Use initial config file
 
 #+begin_src shell
-passwd
-sudo su
-passwd
+cp install.nix configuration.nix
 #+end_src
 
-The default user is nixos
-
 3. Move the repo to the server and the agenix key
 
 #+begin_src shell
-scp -R Projects/zion zion:/home/nixos/system
+scp -r Projects/zion zion:/home/nixos/system
 scp .ssh/zion root@zion:/etc/ssh/id_ed25519
 #+end_src
 
-4. Rebuild the system using Flakes
+4. Mount the firmware partition
+
+#+begin_src shell
+mount /dev/mmcblk1p1 /boot
+#+end_src
+
+5. Rebuild the system using Flakes
 
 #+begin_src shell
 nix-shell -p git
-sudo nixos-rebuild switch --flake /home/nixos/system#zion --impure
+sudo nixos-rebuild switch --flake /home/nixos/system#zion
 #+end_src
 
-5. Restore the SQL databases
+6. Restore the SQL databases
 
 #+begin_src shell
-psql -U postgres -f /vault/backups/zion/databases/all.sql
+gunzip -c /vault/backups/zion/databases/all.sql.gz | psql -U postgres
 #+end_src

configuration.nix

@@ -1,46 +1,76 @@
-{ config, inputs, pkgs, lib, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
 
 with pkgs;
 
 {
+  # Kernel configuration
+  boot = {
+    blacklistedKernelModules = [
+      "btusb"
+      "bluetooth"
+    ];
+    kernelParams = [
+      "zfs.zfs_arc_max=8589934592"
+      "zfs.zfs_arc_min=1073741824"
+    ];
+    supportedFilesystems = [ "zfs" ];
+    zfs = {
+      requestEncryptionCredentials = false;
+      extraPools = [ "vault" ];
+    };
+  };
+
+  # Secure boot using lanzaboote
+  boot.loader = {
+    efi.canTouchEfiVariables = true;
+    systemd-boot = {
+      enable = true;
+      configurationLimit = 50;
+      editor = false;
+    };
+    timeout = 3;
+  };
+
   # Declare system packages
   environment.systemPackages = [
     libraspberrypi
     htop
     neovim
     git
-    inputs.agenix.packages.aarch64-linux.default
+    inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default
   ];
 
-  # Add a swap file
-  swapDevices = [{
-    device = "/swapfile";
-    size = 4096;
-  }];
-
-  # Enable zswap
-  zramSwap.enable = true;
-
   # Configure basic SSH access
   services.openssh = {
     enable = true;
-    permitRootLogin = "yes";
-    passwordAuthentication = false;
+    settings = {
+      PermitRootLogin = "yes";
+      PasswordAuthentication = false;
+    };
   };
 
   # Cleanup tmp on startup
-  boot.cleanTmpDir = true;
+  boot.tmp.cleanOnBoot = true;
 
   # Create coolneng user
   users.users.coolneng = {
     isNormalUser = true;
     home = "/home/coolneng";
-    extraGroups = [ "wheel" "docker" ];
+    extraGroups = [
+      "wheel"
+      "docker"
+    ];
     openssh.authorizedKeys.keys = [
       # panacea
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
       # caravanserai
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBWNtNp+vI2So4vISZX/yQv754ZzXqobFgUP3zk4FY zion"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIX0poiPhFLFh88fhpLFX7n1oCevVRyTxe9ZvGmjPq8n zion"
     ];
     shell = "${fish}/bin/fish";
   };
@@ -55,12 +85,6 @@ with pkgs;
   time.timeZone = "Europe/Brussels";
   services.timesyncd.enable = true;
 
-  # Enable ZFS support
-  boot.supportedFilesystems = [ "zfs" ];
-
-  # Don't import encrypted datasets
-  boot.zfs.requestEncryptionCredentials = false;
-
   # Scrub zpool monthly
   services.zfs.autoScrub = {
     enable = true;
@@ -71,7 +95,12 @@ with pkgs;
   nix = {
     settings = {
       auto-optimise-store = true;
-      experimental-features = [ "nix-command" "flakes" ];
+      trusted-users = [
+        "root"
+        "coolneng"
+      ];
+      lazy-trees = true;
+      eval-cores = 2;
     };
     gc = {
       automatic = true;
@@ -82,33 +111,42 @@ with pkgs;
       keep-outputs = true
       keep-derivations = true
       gc-keep-outputs = true
+      experimental-features = nix-command flakes
     '';
   };
 
   # Use same version of nixpkgs for nix-shell
-  nix.nixPath = let path = toString ./.;
-  in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ];
+  nix.nixPath =
+    let
+      path = toString ./.;
+    in
+    [
+      "nixpkgs=${inputs.nixpkgs}"
+      "nixos-config=${path}/configuration.nix"
+    ];
 
   # Configure fish shell
   programs.fish.enable = true;
   users.users.root = {
     shell = "${fish}/bin/fish";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
-    ];
+    openssh.authorizedKeys.keys = config.users.users.coolneng.openssh.authorizedKeys.keys;
   };
 
-  # Keep logs for a week
-  services.journald.extraConfig = "MaxRetentionSec=1week";
+  # Keep logs for a month
+  services.journald.extraConfig = "MaxRetentionSec=4week";
 
-  # Increase inotify limits
-  boot.kernel.sysctl = { "fs.inotify.max_user_watches" = 204800; };
+  # Increase inotify limits and maximum buffer size
+  boot.kernel.sysctl = {
+    "fs.inotify.max_user_watches" = 204800;
+    "net.core.rmem_max" = 2500000;
+    "net.core.wmem_max" = 2500000;
+  };
 
   # MOTD message
   programs.fish.interactiveShellInit = "${./scripts/motd.sh}";
 
   # NixOS version
-  system.stateVersion = "22.05";
+  system.stateVersion = "24.11";
 
   # Specify secrets
   age = {
@@ -124,7 +162,6 @@ with pkgs;
       owner = "gitea";
       group = "gitea";
     };
-    secrets.ddclient.file = secrets/ddclient.age;
     secrets.miniflux = {
       file = secrets/miniflux.age;
       owner = "miniflux";
@@ -148,8 +185,57 @@ with pkgs;
     };
     secrets.telegram = {
       file = secrets/telegram.age;
-      owner = "matrix-as-telegram";
-      group = "matrix-as-telegram";
+    };
+    secrets.mqtt-sender = {
+      file = secrets/mqtt-sender.age;
+      owner = "mosquitto";
+      group = "mosquitto";
+    };
+    secrets.mqtt-receiver = {
+      file = secrets/mqtt-receiver.age;
+      owner = "mosquitto";
+      group = "mosquitto";
+    };
+    secrets.facebook = {
+      file = secrets/facebook.age;
+    };
+    secrets.signal = {
+      file = secrets/signal.age;
+    };
+    secrets.inadyn-duckdns = {
+      file = secrets/inadyn-duckdns.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun = {
+      file = secrets/inadyn-porkbun.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun-secret = {
+      file = secrets/inadyn-porkbun-secret.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.acme-duckdns = {
+      file = secrets/acme-duckdns.age;
+      owner = "acme";
+      group = "nginx";
+    };
+    secrets.acme-porkbun = {
+      file = secrets/acme-porkbun.age;
+      owner = "acme";
+      group = "nginx";
+    };
+    secrets.microbin = {
+      file = secrets/microbin.age;
+      owner = "63026";
+      group = "63026";
+    };
+    secrets.readeck = {
+      file = secrets/readeck.age;
+      owner = "63026";
+      group = "63026";
     };
     identityPaths = [ "/etc/ssh/id_ed25519" ];
   };
@@ -157,10 +243,9 @@ with pkgs;
   # Auto-upgrade the system
   system.autoUpgrade = {
     enable = true;
+    allowReboot = true;
     flake = "/home/coolneng/system";
     flags = [
-      "--update-input"
-      "agenix"
       "--update-input"
       "nixpkgs"
       "--commit-lock-file"
@@ -192,7 +277,7 @@ with pkgs;
     ./modules/periodic.nix
     ./modules/communication.nix
     ./modules/information.nix
-    ./modules/device.nix
+    ./modules/containers.nix
   ];
 
 }

flake.lock

@@ -3,16 +3,18 @@
     "agenix": {
       "inputs": {
         "darwin": "darwin",
+        "home-manager": "home-manager",
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1677969766,
-        "narHash": "sha256-AIp/ZYZMNLDZR/H7iiAlaGpu4lcXsVt9JQpBlf43HRY=",
+        "lastModified": 1762618334,
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "03b51fe8e459a946c4b88dcfb6446e45efb2c24e",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
         "type": "github"
       },
       "original": {
@@ -29,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1673295039,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -43,6 +45,63 @@
         "type": "github"
       }
     },
+    "determinate": {
+      "inputs": {
+        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
+        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
+        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
+        "nix": "nix",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1766177528,
+        "narHash": "sha256-Bl+p766mM7qNCZtMqmTz13RuUbOMKsFa+/vnGYoxgPk=",
+        "rev": "b159c082f0f9bdefa6c386189a13c5fa0734d8d8",
+        "revCount": 317,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
+      }
+    },
+    "determinate-nixd-aarch64-darwin": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-vDaEQ5T4eA7kEPREmm68IVWGR6zT0aDL5slZxA6dkSc=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
+      }
+    },
+    "determinate-nixd-aarch64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-Hf4JsIv5G3IR0Q0RHGLSNdmDzFv97sVQQKwzY6A0vV4=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
+      }
+    },
+    "determinate-nixd-x86_64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-J+J4E02XpEl0ZkpzMbUmGCf6S4yk0gYCYmiGzZ058ik=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
+      }
+    },
     "devshell": {
       "locked": {
         "lastModified": 1642188268,
@@ -59,6 +118,22 @@
       }
     },
     "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
       "flake": false,
       "locked": {
         "lastModified": 1641205782,
@@ -74,21 +149,110 @@
         "type": "github"
       }
     },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748821116,
+        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+        "revCount": 377,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
+      }
+    },
+    "git-hooks-nix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": [
+          "determinate",
+          "nix"
+        ],
+        "nixpkgs": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747372754,
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "revCount": 1026,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nix": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "git-hooks-nix": "git-hooks-nix",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-23-11": "nixpkgs-23-11",
+        "nixpkgs-regression": "nixpkgs-regression"
+      },
+      "locked": {
+        "lastModified": 1766174426,
+        "narHash": "sha256-0ZofAQZNgg5nfIKsVb7g4It6ufmIyLtfFRPOf+6WRkk=",
+        "rev": "15d6091194b5b90d292e8d6283db77f09c303b1e",
+        "revCount": 24285,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
+      }
+    },
     "nix-matrix-appservices": {
       "inputs": {
         "devshell": "devshell",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "nixlib": "nixlib",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1663958238,
-        "narHash": "sha256-l4VrBCswq500YwsgjK7M8HUmnVWrHYY7DKZ7uZK5Abg=",
+        "lastModified": 1683490239,
+        "narHash": "sha256-QKzpvl2XrqbobWq/I/smDa9hEniwctjJybXPVILHP0w=",
         "owner": "coffeetables",
         "repo": "nix-matrix-appservices",
-        "rev": "efdc09f26e3b01801edaa3b0e2bdd46d9d133bba",
+        "rev": "e795d2fbc61da45d49802bb3e8f8d0c70ddc1e68",
         "type": "gitlab"
       },
       "original": {
@@ -114,56 +278,118 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1674550793,
-        "narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=",
+        "lastModified": 1764440730,
+        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103",
+        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
+        "ref": "master",
         "repo": "nixos-hardware",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1679318992,
-        "narHash": "sha256-uoj5Oy6hruIHuxzfQZtcalObe5kPrX9v+ClUMFEOzmE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "e2c97799da5f5cd87adfa5017fba971771e123ef",
-        "type": "github"
+        "lastModified": 1761597516,
+        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+        "revCount": 811874,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
       },
       "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-22.11",
-        "type": "indirect"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
       }
     },
-    "nixpkgs-unstable": {
+    "nixpkgs-23-11": {
       "locked": {
-        "lastModified": 1679437018,
-        "narHash": "sha256-vOuiDPLHSEo/7NkiWtxpHpHgoXoNmrm+wkXZ6a072Fc=",
+        "lastModified": 1717159533,
+        "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "19cf008bb18e47b6e3b4e16e32a9a4bdd4b45f7e",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+        "type": "github"
+      }
+    },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1765772535,
+        "narHash": "sha256-aq+dQoaPONOSjtFIBnAXseDm9TUhIbe215TPmkfMYww=",
+        "rev": "09b8fda8959d761445f12b55f380d90375a1d6bb",
+        "revCount": 911985,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1766201043,
+        "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "determinate": "determinate",
         "nix-matrix-appservices": "nix-matrix-appservices",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs": "nixpkgs_3"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -1,43 +1,48 @@
 {
   description = "System configuration for zion";
 
+  nixConfig = {
+    extra-substituters = "https://install.determinate.systems";
+    extra-trusted-public-keys = ''
+      cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
+    '';
+  };
+
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-22.11";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
     agenix = {
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nixos-hardware.url = "github:NixOS/nixos-hardware";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
     nix-matrix-appservices = {
       url = "gitlab:coffeetables/nix-matrix-appservices";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, agenix, nixos-hardware
-    , nix-matrix-appservices, ... }@inputs:
+  outputs =
+    { self, nixpkgs, ... }@inputs:
     let
-      system = "aarch64-linux";
+      system = "x86_64-linux";
 
       pkgs = import pkgs { inherit system; };
 
-      pkgs-unstable = import inputs.nixpkgs-unstable { inherit system; };
-
       lib = nixpkgs.lib;
 
-    in {
+    in
+    {
       nixosConfigurations.zion = lib.nixosSystem {
         inherit system;
         modules = [
           (import ./configuration.nix)
-          agenix.nixosModules.age
-          nixos-hardware.nixosModules.raspberry-pi-4
-          nix-matrix-appservices.nixosModule
+          inputs.agenix.nixosModules.age
+          inputs.nixos-hardware.nixosModules.aoostar-r1-n100
+          inputs.determinate.nixosModules.default
         ];
         specialArgs = {
           inherit inputs;
-          inherit pkgs-unstable;
         };
       };
 

modules/communication.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 with pkgs;
 
@@ -11,18 +16,8 @@ let
     conn_max_lifetime = -1;
   };
 
-  latest-mautrix-signal = mautrix-signal.overrideAttrs (old: rec {
-    version = "0.4.2";
-    src = fetchFromGitHub {
-      owner = "mautrix";
-      repo = "signal";
-      rev = "refs/tags/v${version}";
-      sha256 = "UbetU1n9zD/mVFaJc9FECDq/Zell1TI/aYPsGXGB8Js=";
-    };
-
-  });
-
-in {
+in
+{
   # Matrix server configuration
   services.dendrite = {
     enable = true;
@@ -39,22 +34,32 @@ in {
       # HACK Inherit postgres connection string for the rest of the DBs
       app_service_api = {
         inherit database;
-        config_files = [
-          "/var/lib/matrix-as-facebook/facebook-registration.yaml"
-          "/var/lib/matrix-as-signal/signal-registration.yaml"
-          "/var/lib/matrix-as-telegram/telegram-registration.yaml"
-        ];
       };
-      media_api = { inherit database; };
-      room_server = { inherit database; };
-      push_server = { inherit database; };
+      media_api = {
+        inherit database;
+      };
+      room_server = {
+        inherit database;
+      };
+      push_server = {
+        inherit database;
+      };
       mscs = {
         inherit database;
-        mscs = [ "msc2836" "msc2946" ];
+        mscs = [
+          "msc2836"
+          "msc2946"
+        ];
+      };
+      sync_api = {
+        inherit database;
+      };
+      key_server = {
+        inherit database;
+      };
+      federation_api = {
+        inherit database;
       };
-      sync_api = { inherit database; };
-      key_server = { inherit database; };
-      federation_api = { inherit database; };
       user_api = {
         account_database = database;
         device_database = database;
@@ -62,69 +67,37 @@ in {
     };
   };
 
-  # Matrix bridges
-  services.matrix-appservices = {
-    homeserver = "dendrite";
-    homeserverDomain = "coolneng.duckdns.org";
-    homeserverURL = "https://matrix.coolneng.duckdns.org";
-    addRegistrationFiles = true;
-    services = {
-      telegram = {
-        port = 8118;
-        format = "mautrix-python";
-        package = mautrix-telegram;
-        serviceConfig.EnvironmentFile = config.age.secrets.telegram.path;
-        settings = {
-          homeserver.software = "standard";
-          telegram = {
-            api_id = "$API_ID";
-            api_hash = "$API_HASH";
-          };
-          bridge = {
-            permissions."@coolneng:coolneng.duckdns.org" = "admin";
-            backfill.normal_groups = true;
-          };
-        };
-      };
-      facebook = {
-        port = 8228;
-        format = "mautrix-python";
-        package = mautrix-facebook;
-        settings.homeserver.software = "standard";
-      };
-      signal = {
-        port = 8338;
-        format = "mautrix-python";
-        package = latest-mautrix-signal;
-        serviceConfig = {
-          StateDirectory = [ "matrix-as-signal" "signald" ];
-          JoinNamespaceOf = "signald.service";
-          SupplementaryGroups = [ "signald" ];
-        };
-        settings = {
-          homeserver.software = "standard";
-          signal = {
-            socket_path = config.services.signald.socketPath;
-            outgoing_attachment_dir = "/var/lib/signald/tmp";
-          };
-        };
-      };
-    };
-  };
+  # Start dendrite after config files are mounted
+  systemd.services.dendrite.unitConfig.RequiresMountsFor = [
+    /var/lib/matrix-as-facebook
+    /var/lib/matrix-as-signal
+    /var/lib/matrix-as-telegram
+  ];
 
-  # Additional settings for mautrix-signal
-  services.signald = {
+  # MQTT configuration
+  services.mosquitto = {
     enable = true;
-    user = "matrix-as-signal";
+    dataDir = "/vault/mosquitto";
+    logType = [
+      "websockets"
+      "error"
+      "warning"
+      "notice"
+      "information"
+    ];
+    logDest = [ "syslog" ];
+    listeners = [
+      {
+        users.homeostasis = {
+          acl = [ "write #" ];
+          hashedPasswordFile = config.age.secrets.mqtt-sender.path;
         };
-  systemd.services.matrix-as-signal = {
-    requires = [ "signald.service" ];
-    after = [ "signald.service" ];
-    unitConfig.JoinsNamespaceOf = "signald.service";
-    path = [ ffmpeg ];
+        users.prometheus = {
+          acl = [ "read #" ];
+          hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
+        };
+      }
+    ];
   };
-
-  # Enable voice messages for facebook
-  systemd.services.matrix-as-facebook.path = [ ffmpeg ];
 
 }

modules/containers.nix

@@ -0,0 +1,68 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  # Podman setup
+  virtualisation = {
+    containers.enable = true;
+    podman = {
+      enable = true;
+      dockerCompat = true;
+      extraPackages = with pkgs; [ zfs ];
+    };
+
+    oci-containers = {
+      backend = "podman";
+      containers = {
+        # Openbooks configuration
+        openbooks = {
+          image = "evanbuss/openbooks@sha256:4fa9188885368c2303b7dc527d48b3159aaa7022010e29b3ed96842018793590";
+          ports = [ "127.0.0.1:9000:80" ];
+          cmd = [
+            "--name"
+            "bradar"
+            "--searchbot"
+            "searchook"
+            "--persist"
+            "--tls"
+            "false"
+          ];
+        };
+        # Prometheus MQTT integration
+        mqtt2prometheus = {
+          image = "hikhvar/mqtt2prometheus@sha256:8e166d36feaa5ddcad703eef3a2c5167a154d6eef306a40fe6509861580c0714";
+          ports = [ "127.0.0.1:9641:9641" ];
+          volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
+        };
+        # Podcast synchronization
+        opodsync = {
+          image = "ganeshlab/opodsync@sha256:32626b732fe38687a5dfd703d515136e413c4b16f286b38656718ad03f0d94c1";
+          ports = [ "127.0.0.1:9090:8080" ];
+          volumes = [ "/vault/opodsync:/var/www/server/data" ];
+        };
+        # Photo gallery
+        pigallery2 = {
+          image = "bpatrik/pigallery2@sha256:c936e4504cfe7158198542a8db794b24afb0301155d89e911f13bd04e0b406c2";
+          ports = [ "127.0.0.1:9191:80" ];
+          volumes = [
+            "/vault/pigallery2/config:/app/data/config"
+            "/vault/pigallery2/db:/app/data/db"
+            "/vault/pigallery2/tmp:/app/data/tmp"
+            "/vault/syncthing/Photos:/app/data/images"
+          ];
+          cmd = [
+            "-e"
+            "NODE_ENV=production"
+          ];
+        };
+      };
+    };
+  };
+
+  # Start services after ZFS mount
+  systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];
+}

modules/datasync.nix

@@ -1,4 +1,10 @@
-{ config, pkgs, lib, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
 
   # Syncthing configuration
   services.syncthing = {
@@ -7,39 +13,54 @@
     guiAddress = "0.0.0.0:8384";
     dataDir = "/vault/syncthing";
     key = config.age.secrets.syncthing.path;
+    settings = {
+      extraOptions.options = {
+        maxFolderConcurrency = 4;
+        progressUpdateIntervalS = -1;
+      };
       devices = {
-      panacea.id =
-        "NF4SYEJ-RSGPDEF-CDEYC3A-JWZMKNC-KG4FVQP-CZ5HRFY-XM22BZD-N7B6VAH";
-      caravanserai.id =
-        "MIRF73R-S7AV47R-VLWZUK2-TFCVQPV-FRYCPND-Y4VR3W2-ZAIQXZD-JAEQCAD";
+        panacea.id = "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX";
+        caravanserai.id = "XQAXYEU-FWLAFZM-GTZYDGH-AIRBEXI-4CZD365-JUBTHDA-GOXXOYV-E5LEYQE";
       };
       folders = {
         Documents = {
           id = "wusdj-bfjkr";
           type = "receiveonly";
           path = "/vault/syncthing/Documents";
-        devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Notes = {
           id = "kafhz-bfmzm";
           type = "receiveonly";
           path = "/vault/syncthing/Notes";
-        devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Music = {
           id = "2aqt7-vpprc";
           type = "receiveonly";
           path = "/vault/syncthing/Music";
-        devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Photos = {
           id = "mjibc-ustcg";
           type = "receiveonly";
           path = "/vault/syncthing/Photos";
-        devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Projects = {
@@ -53,21 +74,41 @@
           id = "m2007j20cg_vc7r-photos";
           type = "receiveonly";
           path = "/vault/syncthing/Photos/Phone";
-        devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Files = {
           id = "tsk52-u6rbk";
           type = "receiveonly";
           path = "/vault/syncthing/Files";
-        devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Phone-screenshots = {
           id = "pp70r-pbr70";
           type = "receiveonly";
           path = "/vault/syncthing/Photos/Phone-screenshots";
-        devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
+        };
+
+        Audio = {
+          id = "tarrs-5mxck";
+          type = "receiveonly";
+          path = "/vault/syncthing/Audio";
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
+        };
       };
     };
   };
@@ -97,4 +138,8 @@
     monthly = 12;
   };
 
+  # Start services after ZFS mount
+  systemd.services.syncthing.unitConfig.RequiresMountsFor = [ /vault/syncthing ];
+  systemd.services.radicale.unitConfig.RequiresMountsFor = [ /vault/radicale ];
+
 }

modules/device.nix

@@ -1,39 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with pkgs;
-
-{
-  # A bunch of boot parameters needed for optimal runtime on RPi 4B
-  boot.kernelPackages = linuxPackages_rpi4;
-  boot.kernelParams = [
-    "zfs.zfs_arc_max=134217728"
-    "console=TTYAMA0,115200"
-    "console=tty1"
-    "8250.nr_uarts=1"
-    "iomem=relaxed"
-    "strict-devmem=0"
-  ];
-
-  # Enable SATA-HAT GPIO features
-  boot.loader = {
-    grub.enable = false;
-    generic-extlinux-compatible.enable = lib.mkForce false;
-  };
-  boot.loader.raspberryPi = {
-    enable = true;
-    version = 4;
-    firmwareConfig = ''
-      iomem=relaxed
-      strict-devmem=0
-      dtoverlay=w1-gpio
-    '';
-  };
-
-  boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ];
-  # Load PWM hardware timers
-  hardware.raspberry-pi."4".pwm0.enable = true;
-
-  # Enable I2C
-  hardware.raspberry-pi."4".i2c1.enable = true;
-
-}

modules/devops.nix

@@ -1,10 +1,13 @@
-{ config, pkgs, pkgs-unstable, lib, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
   # Set up Gitea with LFS support
   services.gitea = {
     enable = true;
-    domain = "git.coolneng.duckdns.org";
-    rootUrl = "https://git.coolneng.duckdns.org";
-    package = pkgs-unstable.gitea;
     database = {
       type = "postgres";
       passwordFile = config.age.secrets.gitea.path;
@@ -16,10 +19,17 @@
       contentDir = "${config.services.gitea.repositoryRoot}/data/lfs";
     };
     settings = {
-      ui.DEFAULT_THEME = "arc-green";
+      server = {
+        DISABLE_SSH = true;
+        DOMAIN = "git.psydnd.org";
+        ROOT_URL = "https://git.psydnd.org";
+      };
+      service.DISABLE_REGISTRATION = true;
       session.COOKIE_SECURE = true;
-      server.DISABLE_SSH = true;
       actions.ENABLED = true;
     };
   };
+
+  # Start services after ZFS mount
+  systemd.services.gitea.unitConfig.RequiresMountsFor = [ /vault/git ];
 }

modules/hardware-configuration.nix

@@ -8,97 +8,51 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
-      fsType = "ext4";
+    { device = "sysion/stateful/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "sysion/ephemeral/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/tmp" =
+    { device = "sysion/ephemeral/tmp";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home/coolneng" =
+    { device = "sysion/stateful/home";
+      fsType = "zfs";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/2178-694E";
+    { device = "/dev/disk/by-uuid/C332-4650";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
-  fileSystems."/var/lib/matrix-as-facebook" =
-    { device = "vault/state_directories/matrix-as-facebook";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/lib/matrix-as-signal" =
-    { device = "vault/state_directories/matrix-as-signal";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/lib/signald" =
-    { device = "vault/state_directories/signald";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/lib/gitea" =
-    { device = "vault/state_directories/gitea";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/lib/matrix-as-telegram" =
-    { device = "vault/state_directories/matrix-as-telegram";
-      fsType = "zfs";
-    };
-
-  fileSystems."/vault" =
-    { device = "vault";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/lib/wallabag" =
-    { device = "vault/state_directories/wallabag";
-      fsType = "zfs";
-    };
-
-  fileSystems."/vault/git" =
-    { device = "vault/git";
-      fsType = "zfs";
-    };
-
-  fileSystems."/vault/backups" =
-    { device = "vault/backups";
-      fsType = "zfs";
-    };
-
-  fileSystems."/vault/radicale" =
-    { device = "vault/radicale";
-      fsType = "zfs";
-    };
-
-  fileSystems."/vault/backups/zion" =
-    { device = "vault/backups/zion";
-      fsType = "zfs";
-    };
-
-  fileSystems."/vault/syncthing" =
-    { device = "vault/syncthing";
-      fsType = "zfs";
-    };
-
-  fileSystems."/vault/backups/monolith" =
-    { device = "vault/backups/monolith";
-      fsType = "zfs";
-    };
-
-  swapDevices = [ ];
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/d388feef-a651-4dae-8161-f666136de240"; }
+    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
 
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

modules/information.nix

@@ -1,57 +1,44 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
   # Miniflux configuration
   services.miniflux = {
     enable = true;
     adminCredentialsFile = config.age.secrets.miniflux.path;
-    config = {
-      BASE_URL = "https://rss.coolneng.duckdns.org";
-      RUN_MIGRATIONS = "1";
-      DISABLE_HSTS = "1";
-    };
   };
 
-  # Php-fpm pool for Wallabag
-  services.phpfpm.pools.wallabag = {
-    user = "nginx";
-    group = "nginx";
-    settings = {
-      "listen.owner" = config.services.nginx.user;
-      "listen.group" = config.services.nginx.group;
-      "listen.mode" = 600;
-      "pm" = "ondemand";
-      "pm.max_children " = 4;
-      "pm.max_requests" = 32;
-      "env[WALLABAG_DATA]" = "/var/lib/wallabag";
-    };
-    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
-  };
-
-  # Set environment variable pointing to wallabag configuration directory
-  environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
-
-  # Podman setup
-  virtualisation = {
-    containers.enable = true;
-    podman = {
+  # Microbin configuration
+  services.microbin = {
     enable = true;
-      dockerCompat = true;
-      extraPackages = with pkgs; [ zfs ];
+    passwordFile = config.age.secrets.microbin.path;
+    settings = {
+      MICROBIN_PORT = 9091;
+      MICROBIN_PUBLIC_PATH = "https://bin.psydnd.org";
+      MICROBIN_QR = true;
+      MICROBIN_WIDE = true;
+    };
   };
 
-    # Openbooks configuration
-    oci-containers = {
-      backend = "podman";
-      containers = {
-        openbooks = {
-          image =
-            "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
-          ports = [ "127.0.0.1:9000:80" ];
-          cmd = [ "--name" "bookworm" "--searchbot" "searchook" "--persist" ];
-        };
+  # Readeck configuration
+  services.readeck = {
+    enable = true;
+    settings = {
+      server = {
+        host = "127.0.0.1";
+        port = 9092;
+        allowed_hosts = [ "read.psydnd.org" ];
+        trusted_proxies = [ "127.0.0.1" ];
+        environmentFile = config.age.secrets.readeck.path;
       };
     };
   };
 
+  # NOTE Load credentials using environment variables
+  systemd.services.readeck.serviceConfig.EnvironmentFile = config.age.secrets.readeck.path;
+
 }

modules/monitoring.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 with pkgs;
 
@@ -46,34 +51,39 @@ with pkgs;
   services.prometheus = {
     enable = true;
     port = 9001;
+    retentionTime = "10y";
+    extraFlags = [ "--web.enable-admin-api" ];
     exporters = {
       node = {
         enable = true;
         enabledCollectors = [ "systemd" ];
         port = 9002;
       };
-      zfs.enable = true;
-      wireguard.enable = true;
       postgres.enable = true;
       smartctl.enable = true;
-      #nginx.enable = true;
-      dnsmasq.enable = true;
     };
-    scrapeConfigs = [{
+    scrapeConfigs = [
+      {
         job_name = "zion";
-      static_configs = [{
+        static_configs = [
+          {
             targets = [
               "localhost:${toString config.services.prometheus.exporters.node.port}"
+              "localhost:${toString config.services.prometheus.exporters.postgres.port}"
+              "localhost:${toString config.services.prometheus.exporters.smartctl.port}"
+              "localhost:9641" # MQTT2Prometheus
+            ];
+          }
+        ];
+      }
     ];
-      }];
-    }];
   };
 
   # Grafana configuration
   services.grafana = {
     enable = true;
     settings.server = {
-      domain = "grafana.coolneng.duckdns.org";
+      domain = "grafana.psydnd.org";
       http_port = 9009;
       http_addr = "127.0.0.1";
     };

modules/networking.nix

@@ -1,46 +1,61 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 
-let wireguard_port = 1194;
+let
+  wireguard_port = 1194;
 
-in {
+in
+{
   # Enable systemd-networkd
   networking = {
     hostName = "zion";
-    hostId = "4e74ea68";
+    hostId = "760bfad7";
     useDHCP = false;
     useNetworkd = true;
     dhcpcd.enable = false;
   };
-  systemd.services."systemd-networkd-wait-online".enable = false;
+  systemd.network.wait-online.enable = false;
 
   # Assign a static IP
   systemd.network.networks."24-home" = {
-    name = "eth0";
-    matchConfig.Name = "eth0";
-    address = [ "192.168.13.2/24" ];
-    gateway = [ "192.168.13.1" ];
-    dns = [ "192.168.13.2" ];
+    name = "enp2s0";
+    matchConfig.Name = "enp2s0";
+    address = [ "192.168.128.2/23" ];
+    gateway = [ "192.168.128.1" ];
+    dns = [
+      "127.0.0.1"
+      "::1"
+    ];
     networkConfig.DNSSEC = "no";
   };
 
-  # Enable zeroconf
-  services.avahi = {
+  # Dynamic DNS configuration
+  services.inadyn = {
     enable = true;
-    nssmdns = true;
-    openFirewall = true;
-    publish = {
-      enable = true;
-      userServices = true;
+    interval = "*:0/30";
+    settings.provider."duckdns" = {
+      hostname = "coolneng.duckdns.org";
+      include = config.age.secrets.inadyn-duckdns.path;
     };
   };
 
-  # Dynamic DNS configuration
-  services.ddclient = {
+  # Dynamic DNS configuration for Porkbun
+  # NOTE Temporary workaround until Inadyn fixes the Porkbun module
+  services.oink = {
     enable = true;
-    quiet = true;
-    protocol = "duckdns";
-    domains = [ "coolneng.duckdns.org" ];
-    passwordFile = config.age.secrets.ddclient.path;
+    apiKeyFile = config.age.secrets.inadyn-porkbun.path;
+    secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path;
+    settings.interval = 1800;
+    domains = [
+      {
+        domain = "psydnd.org";
+        subdomain = "";
+      }
+    ];
   };
 
   # Firewall configuration
@@ -50,13 +65,19 @@ in {
       443 # HTTPS
       53 # DNS
       8448 # Matrix
+      1883 # MQTT
     ];
     allowedUDPPorts = [
       wireguard_port # Wireguard
       53 # DNS
     ];
     extraCommands = ''
-      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
+      ip6tables -t nat -A POSTROUTING -s fd00::0/128 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
     '';
   };
 
@@ -73,17 +94,27 @@ in {
     wireguardPeers = [
       # panacea
       {
-        wireguardPeerConfig = {
         PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
-          AllowedIPs = [ "10.8.0.2/32" ];
-        };
+        AllowedIPs = [
+          "10.8.0.2/32"
+          "fd00::2/128"
+        ];
       }
       # caravanserai
       {
-        wireguardPeerConfig = {
-          PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
-          AllowedIPs = [ "10.8.0.3/32" ];
-        };
+        PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
+        AllowedIPs = [
+          "10.8.0.3/32"
+          "fd00::3/128"
+        ];
+      }
+      # kathreftis
+      {
+        PublicKey = "qfHtv6LSZjtxvH46d8pysr+/yPo2tV9cZumgIpxBNF4=";
+        AllowedIPs = [
+          "10.8.0.4/32"
+          "fd00::4/128"
+        ];
       }
     ];
   };
@@ -91,32 +122,68 @@ in {
   systemd.network.networks."wg0" = {
     matchConfig.Name = "wg0";
     networkConfig = {
-      Address = "10.8.0.1/24";
-      IPForward = true;
-      IPMasquerade = "ipv4";
+      Address = [
+        "10.8.0.1/24"
+        "fd00::1/128"
+      ];
+      IPv4Forwarding = true;
+      IPv6Forwarding = true;
     };
   };
 
+  # Disable systemd-resolved DNS stub
+  services.resolved = {
+    enable = true;
+    llmnr = "false";
+    extraConfig = ''
+      MulticastDNS=yes
+      DNSStubListener=no
+    '';
+  };
+
   # DNS server with ad-block
   services.dnsmasq = {
     enable = true;
-    servers = [ "51.158.108.203" "137.220.55.93" ];
-    extraConfig = ''
-      domain-needed
-      bogus-priv
-      no-resolv
+    settings = {
+      domain-needed = true;
+      bogus-priv = true;
+      no-resolv = true;
 
-      listen-address=127.0.0.1,192.168.13.2,10.8.0.1
-      bind-interfaces
+      listen-address = [
+        "127.0.0.1"
+        "192.168.128.2"
+        "10.8.0.1"
+        "::1"
+        "fd00::1"
+      ];
+      bind-interfaces = true;
+      server = [ "127.0.0.1#43" ];
 
-      cache-size=10000
-      local-ttl=300
+      cache-size = 10000;
+      local-ttl = 300;
 
-      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
+      conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf";
+      dnssec = false;
+      address = "/psydnd.org/192.168.128.2";
+    };
+  };
 
-      address=/coolneng.duckdns.org/192.168.13.2
-    '';
+  # Encrypted DNS
+  services.dnscrypt-proxy = {
+    enable = true;
+    upstreamDefaults = true;
+    settings = {
+      listen_addresses = [
+        "127.0.0.1:43"
+        "[::1]:43"
+      ];
+      sources.public-resolvers = {
+        urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
+        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+      blocked_names.blocked_names_file = "/var/lib/dnscrypt-proxy/blocklist.txt";
+    };
   };
 
 }
-

modules/periodic.nix

@@ -1,10 +1,16 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
-  stateDir = "/var/lib/dnsmasq";
-  blocklist = "${stateDir}/dnsmasq.blacklist.txt";
+  stateDir = "/var/lib/dnscrypt-proxy";
+  blocklist = "${stateDir}/blocklist.txt";
 
-in {
+in
+{
   # PostgreSQL daily backups
   services.postgresqlBackup = {
     enable = true;
@@ -14,71 +20,21 @@ in {
   };
 
   # Fetch hosts-blocklists daily
+  # TODO Download the list if the file doesn't exist the first time
   systemd.services.download-dns-blocklist = {
     description = "Download hosts-blocklists";
     wantedBy = [ "default.target" ];
-    path = with pkgs; [ curl coreutils ];
+    path = with pkgs; [
+      curl
+      coreutils
+    ];
     script = ''
-      curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}
-      sed "/cainiao/d" -i ${blocklist}
+      curl -L https://download.dnscrypt.info/blacklists/domains/mybase.txt -o ${blocklist}
     '';
     serviceConfig.Type = "oneshot";
-    postStop = ''
-      chown -R dnsmasq ${stateDir}
-      systemctl restart dnsmasq
-    '';
-    after = [ "wireguard-wg0.service" ];
     startAt = "02:00:00";
   };
 
-  # Enable SATA HAT
-  systemd.services.sata-hat = {
-    description = "Enable software support for SATA Hat";
-    wantedBy = [ "zfs-import.target" ];
-    script = ''
-      ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on"
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = "yes";
-      ExecStop = ''
-        ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off"
-      '';
-    };
-    before = [ "zfs-import.target" "zfs-import-vault.service" "umount.target" ];
-    requires = [ "systemd-udev-settle.service" ];
-    after = [ "systemd-udev-settle.service" ];
-    conflicts = [ "umount.target" ];
-    requiredBy = [ "syncthing.service" "radicale.service" "gitea.service" ];
-  };
-
-  # HACK: restart services dependent on ZFS afer mount
-  systemd.services.restart-services-mount = {
-    description = "Restart services after the ZFS dataset is mounted";
-    wantedBy = [ "default.target" ];
-    script = ''
-      sleep 5
-      systemctl restart syncthing
-      systemctl restart radicale
-      systemctl restart gitea
-      systemctl restart podman-openbooks
-    '';
-    serviceConfig.Type = "oneshot";
-    requires = [ "sata-hat.service" ];
-    after = [ "vault.mount" ];
-  };
-
-  # Idle HDDs when not used
-  systemd.services.hd-idle = {
-    description = "Idle HDDs when not in use";
-    wantedBy = [ "default.target" ];
-    path = with pkgs; [ hd-idle ];
-    script = "${pkgs.hd-idle}/bin/hd-idle";
-    serviceConfig.Type = "simple";
-    requires = [ "sata-hat.service" ];
-    after = [ "vault.mount" ];
-  };
-
   # Push zion changes to git daily
   systemd.user.services.zion-push = {
     description = "Push zion changes to git";

modules/webstack.nix

@@ -1,16 +1,21 @@
 # Web services configuration
-{ config, pkgs, lib, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
 
   # Reverse proxy configuration
   services.nginx = {
     enable = true;
     recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
     recommendedProxySettings = true;
     recommendedOptimisation = true;
     clientMaxBodySize = "0";
-    sslCiphers =
-      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+    sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
     sslProtocols = "TLSv1.2 TLSv1.3";
     sslDhparam = "/var/lib/dhparams/nginx.pem";
     commonHttpConfig = ''
@@ -29,17 +34,12 @@
       proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
     '';
     virtualHosts = {
+      # Old domain being redirected
       "coolneng.duckdns.org" = {
-        enableACME = true;
+        useACMEHost = "coolneng.duckdns.org";
         forceSSL = true;
-        # Redirect from legacy subdirectory URL to subdomain
         locations = {
-          "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
-          "/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
-          "/gitea/".extraConfig =
-            "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
-          "/miniflux/".extraConfig =
-            "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
+          "/".return = "301 https://psydnd.org$request_uri";
           # Delegation for Matrix
           "/.well-known/" = {
             alias = "${../well-known}" + "/";
@@ -49,16 +49,21 @@
               add_header Access-Control-Allow-Origin * always;
             '';
           };
-          "/nginx_status/".extraConfig = ''
-            stub_status on;
-            access_log   off;
-            allow 127.0.0.1;
-            deny all;
-          '';
         };
       };
-      "radicale.coolneng.duckdns.org" = {
-        enableACME = true;
+      # Redirect subdomains
+      "~^(?<subdomain>.+)\.coolneng\.duckdns\.org$" = {
+        useACMEHost = "coolneng.duckdns.org";
+        forceSSL = true;
+        locations."/".return = "301 https://$subdomain.psydnd.org$request_uri";
+      };
+      # Current domain
+      "psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+      };
+      "radicale.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:5232/";
@@ -68,32 +73,33 @@
           '';
         };
       };
-      "sync.coolneng.duckdns.org" = {
-        enableACME = true;
+      "sync.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/".proxyPass = "http://localhost:8384/";
       };
-      "git.coolneng.duckdns.org" = {
-        enableACME = true;
+      "git.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:3000/";
           extraConfig = ''
             ${config.services.nginx.commonHttpConfig}
             # Disable embedding as a frame, except from the same origin
-            add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";
+            add_header Content-Security-Policy "frame-src git.psydnd.org; frame-ancestors git.psydnd.org";
           '';
         };
       };
-      "rss.coolneng.duckdns.org" = {
-        enableACME = true;
+      "rss.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/".proxyPass = "http://localhost:8080/";
       };
-      "matrix.coolneng.duckdns.org" = {
-        enableACME = true;
+      "matrix.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         listen = [
+          # IPv4
           {
             addr = "0.0.0.0";
             port = 8448;
@@ -104,48 +110,32 @@
             port = 443;
             ssl = true;
           }
+          # IPv6
+          {
+            addr = "[::]";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
         ];
-        locations."~ ^(/_matrix|/_synapse/client)" = {
-          proxyPass = "http://localhost:8008";
-          extraConfig = ''
-            proxy_set_header X-Forwarded-For $remote_addr;
-            proxy_set_header X-Forwarded-Proto $scheme;
-          '';
+        locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008";
       };
-      };
-      "element.coolneng.duckdns.org" = {
-        enableACME = true;
+      "element.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/".root = pkgs.element-web.override {
           conf.default_server_config = {
-            "m.homeserver"."base_url" = "https://matrix.coolneng.duckdns.org";
+            "m.homeserver"."base_url" = "https://matrix.psydnd.org";
             "m.identity_server"."base_url" = "https://vector.im";
           };
         };
       };
-      "wallabag.coolneng.duckdns.org" = {
-        enableACME = true;
-        forceSSL = true;
-        root = "${pkgs.wallabag}/web";
-        locations = {
-          "/".tryFiles = "$uri /app.php$is_args$args";
-          "/assets".root = "${config.environment.variables.WALLABAG_DATA}/web";
-          "~ ^/app.php(/|$)" = {
-            fastcgiParams = {
-              SCRIPT_FILENAME = "${pkgs.wallabag}/web/$fastcgi_script_name";
-              DOCUMENT_ROOT = "${pkgs.wallabag}/web";
-            };
-            extraConfig = ''
-              fastcgi_pass unix:${config.services.phpfpm.pools.wallabag.socket};
-              fastcgi_split_path_info ^(.+\.php)(/.*)$;
-              include ${pkgs.nginx}/conf/fastcgi_params;
-              internal;
-            '';
-          };
-        };
-      };
-      "books.coolneng.duckdns.org" = {
-        enableACME = true;
+      "books.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:9000/";
@@ -156,43 +146,70 @@
           '';
         };
       };
-      "grafana.coolneng.duckdns.org" = {
-        enableACME = true;
+      "grafana.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:9009/";
           proxyWebsockets = true;
         };
       };
+      "podcast.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9090/";
+      };
+      "bin.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9091/";
+      };
+      "read.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9092/";
+      };
+      "photos.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9191/";
+      };
     };
   };
 
   # ACME certs configuration
   security.acme = {
     acceptTerms = true;
-    defaults.email = "akasroua@gmail.com";
-    certs."coolneng.duckdns.org".extraDomainNames = [
-      "radicale.coolneng.duckdns.org"
-      "sync.coolneng.duckdns.org"
-      "git.coolneng.duckdns.org"
-      "rss.coolneng.duckdns.org"
-      "matrix.coolneng.duckdns.org"
-      "element.coolneng.duckdns.org"
-      "wallabag.coolneng.duckdns.org"
-      "books.coolneng.duckdns.org"
-    ];
+    defaults = {
+      email = "akasroua@disroot.org";
+      group = "nginx";
+    };
+    certs = {
+      "coolneng.duckdns.org" = {
+        domain = "*.coolneng.duckdns.org";
+        dnsProvider = "duckdns";
+        environmentFile = config.age.secrets.acme-duckdns.path;
+      };
+      "psydnd.org" = {
+        domain = "psydnd.org";
+        extraDomainNames = [ "*.psydnd.org" ];
+        dnsProvider = "porkbun";
+        environmentFile = config.age.secrets.acme-porkbun.path;
+      };
+    };
   };
 
   # Generate dhparams
   security.dhparams = {
     enable = true;
-    params.nginx.bits = 2048;
+    defaultBitSize = 4096;
+    params.nginx.bits = 4096;
   };
 
   # PostgreSQL databases configuration
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_16;
     authentication = lib.mkForce ''
       # Generated file; do not edit!
       # TYPE  DATABASE        USER            ADDRESS                 METHOD
@@ -202,7 +219,7 @@
     '';
     settings = {
       max_connections = "300";
-      shared_buffers = "512MB";
+      shared_buffers = "1024MB";
     };
   };
 
@@ -213,7 +230,9 @@
     "miniflux.service"
     "radicale.service"
     "dendrite.service"
-    "phpfpm-wallabag.service"
-    "systemd-tmpfiles-setup.service"
+    "grafana.service"
+    "podman-openbooks.service"
+    "podman-mqtt2prometheus.service"
+    "podman-opodsync.service"
   ];
 }

scripts/SATA-hat.sh

@@ -1,75 +0,0 @@
-#!/bin/sh
-
-BASE_PATH=/sys/class
-GPIO_PATH="$BASE_PATH"/gpio
-PWM_PATH="$BASE_PATH"/pwm/pwmchip0
-
-# GPIO pins
-SATA0=26
-SATA1=25
-CPU_FAN=12
-
-# Values
-LOW=0
-HIGH=1
-
-export_pin() {
-    if [ ! -e $GPIO_PATH/gpio"$1" ]; then
-        echo "$1" >$GPIO_PATH/export
-    fi
-}
-
-unexport_pin() {
-    if [ -e $GPIO_PATH/gpio"$1" ]; then
-        echo "$1" >$GPIO_PATH/unexport
-    fi
-}
-
-set_gpio() {
-    export_pin "$1"
-    echo "out" >$GPIO_PATH/gpio"$1"/direction
-    echo "$2" >$GPIO_PATH/gpio"$1"/value
-    if [ "$3" = "clean" ]; then
-        unexport_pin "$1"
-    fi
-}
-
-enable_pwm_channel() {
-    echo "$1" >$PWM_PATH/export
-    echo 40000 >$PWM_PATH/pwm"$1"/period
-    echo 30000 >$PWM_PATH/pwm"$1"/duty_cycle
-    echo 1 >$PWM_PATH/pwm"$1"/enable
-}
-
-set_pwm() {
-    if [ "$1" = "clean" ]; then
-        echo 1 >$PWM_PATH/unexport
-    else
-        enable_pwm_channel 1
-    fi
-}
-
-turn_on() {
-    set_gpio $SATA0 $HIGH
-    sleep 1
-    set_gpio $SATA1 $HIGH
-    set_gpio $CPU_FAN $HIGH
-    set_pwm
-}
-
-turn_off() {
-    set_gpio $SATA0 $LOW clean
-    set_gpio $SATA1 $LOW clean
-    set_gpio $CPU_FAN $LOW clean
-    set_pwm clean
-}
-
-trap turn_off INT
-
-if [ "$1" = "on" ]; then
-    turn_on
-else
-    turn_off
-fi
-
-exit 0

scripts/install.sh

@@ -0,0 +1,66 @@
+#!/bin/sh
+
+partition_disk() {
+    parted "$DISK" -- mklabel gpt
+    parted "$DISK" -- mkpart ESP fat32 1MiB 1025MiB
+    parted "$DISK" -- mkpart linux-swap 1025MiB 17409MiB
+    parted "$DISK" -- mkpart primary 17409MiB 100%
+    parted "$DISK" -- set 1 boot on
+    mkfs.fat -F32 -n BOOT "$DISK"p1
+    mkswap "$DISK"p2
+    swapon "$DISK"p2
+}
+
+zfs_setup() {
+    zpool import -f vault
+    zpool create -f -o ashift=12 -o autotrim=on -O acltype=posixacl -O relatime=on \
+        -O xattr=sa -O dnodesize=legacy -O normalization=formD -O mountpoint=none \
+        -O canmount=off -O devices=off -R /mnt -O compression=zstd "$POOL_NAME" "$DISK"p3
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral/nix
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false -o sync=disabled -o setuid=off "$POOL_NAME"/ephemeral/tmp
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true "$POOL_NAME"/stateful/home
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful/root
+}
+
+mount_datasets() {
+    mount -t zfs sysion/stateful/root /mnt
+    mkdir -p /mnt/boot
+    mount "$DISK"p1 /mnt/boot
+    mkdir -p /mnt/home/coolneng
+    mount -t zfs sysion/stateful/home /mnt/home/coolneng
+    mkdir -p /mnt/nix
+    mount -t zfs sysion/ephemeral/nix /mnt/nix
+    mkdir -p /mnt/tmp
+    mount -t zfs sysion/ephemeral/tmp /mnt/tmp
+}
+
+install_system() {
+    nixos-generate-config --root /mnt
+    mv /mnt/etc/nixos/hardware-configuration.nix modules/hardware-configuration.nix
+    nix-shell -p git --command "nixos-install --root /mnt --flake .#zion"
+}
+
+usage() {
+    echo "Usage: install.sh <disk>"
+    echo "disk: full path to the disk (e.g. /dev/sda)"
+    exit 1
+}
+
+if [ $# != 1 ]; then
+    usage
+fi
+
+DISK="$1"
+POOL_NAME="sysion"
+
+echo "Let's start by partitioning the disk"
+partition_disk
+echo "Starting up the ZFS machinery"
+zfs_setup
+echo "Mounting the horse"
+mount_datasets
+echo "Lift off to the NixOS planet"
+install_system
+echo "All ready, time to rejoice"

scripts/motd.sh

@@ -23,16 +23,16 @@ services=(
     "syncthing.service"
     "radicale.service"
     "miniflux.service"
-	"phpfpm-wallabag.service"
     "gitea.service"
     "dendrite.service"
-	"matrix-as-telegram.service"
-	"matrix-as-facebook.service"
-	"matrix-as-signal.service"
-	"signald.service"
     "nginx.service"
     "dnsmasq.service"
+    "dnscrypt-proxy.service"
     "podman-openbooks.service"
+    "mosquitto.service"
+    "podman-mqtt2prometheus.service"
+    "prometheus.service"
+    "grafana.service"
 )
 
 for var in "${services[@]}"; do

secrets/acme-porkbun.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg 7JImhL2Wo/eJEwUGP+NhEf36yq5gHO9q1GYhY2HaMAY
+eAMhD0sqHQS+aayBpOsY8+081i72QAhJCFbBe0//uwU
+--- 4K8cXsDuWZrmWNJ+rz166ej9o/gLFc7CfJuzAsG0BxA
+|.<2E><><EFBFBD>	f<><66>f<EFBFBD>=<1D>-<2D>X$P<>:

secrets/ddclient.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY
-jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw
--> vH/-grease []_Tx" cZfV JHS /x/
-SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE
---- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k
-<EFBFBD>iy<13>݌1k{<7B><>OJ3<1F>H<EFBFBD>N<><4E><11><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>%y<><1D><><0C><>JA<4A>8<EFBFBD><38>
-'<27>N<EFBFBD><4E>%<25><><EFBFBD><EFBFBD><EFBFBD>L@<12>6	&<26><>

secrets/inadyn-duckdns.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg XMrsd1RQcDq/SpFtqpB4Gj1keCvJsMB+VA58qZirYA4
+tf8NQzoEYJXlKBjtX4ZplaPQv51RCW9yHulvKZB8c8g
+--- 5wZntAZCQ4pGYrgDFd63w6Y+Taaatcw5z0tDSvShi30
+<EFBFBD><EFBFBD>4<EFBFBD><EFBFBD><EFBFBD>Ɖq3<EFBFBD>&
+><0E>4<EFBFBD><34>J<EFBFBD>?<3F><0F><>QW<51>jZ<:'<<16>x(<28>Y<16>i<EFBFBD>ZDO#<23>w<7F><77>R<EFBFBD><52><EFBFBD>O@2<>cAj	(f<><66><EFBFBD><EFBFBD>M<EFBFBD><4D><EFBFBD>

secrets/inadyn-porkbun-secret.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
+MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
+--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
+<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S
'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29><0B><>%fc<66><63>XZչ 7+yB

secrets/mqtt-receiver.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg JT+as1Cl66qOy5yY3WJNs0bh51DWaCe/+XZLR8m1L0A
+/6CyRX6Ks7Wr/ySlJhdfkabcy4N5rQ0VzGtlbxL8RCs
+-> L$l;-grease uU_g`a
+N00Z5C8AKzdnGZuFUHqY6uZBiMryyT3IXkdNlYW2fVJLOSfkfFdXssIK9hcMObyi
+sQENGphUf1Sk16Vo9p4emOL5mtzU
+--- flb9q0/Q608TJ6K9fsGULVwi2Pk860Cz750d5DBSfMM
+1<EFBFBD>%<25><>=<3D>Lڮ<4C><DAAE>s<EFBFBD>c/<2F>Iy<49><79>oT!<21>ڏ<EFBFBD>&X<0F><><EFBFBD>WՒZ̋<5A><CC8B><0E>8Z<38><5A><EFBFBD><EFBFBD><EFBFBD>æ<19><><EFBFBD><EFBFBD><06>	<09><0B>tw<74>'<27><> i<>e’<65>_<EFBFBD>}-<2D>V<EFBFBD>$<24>S<EFBFBD><53><EFBFBD><EFBFBD><EFBFBD>خA<D8AE><41><EFBFBD>h<EFBFBD><68><EFBFBD><04><>!<21><>9Z<39><5A><05><>hqіIa<49><61>,

secrets/secrets.nix

@@ -1,15 +1,25 @@
 let
-  zion =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
-in {
+  zion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
+in
+{
   "wireguard.age".publicKeys = [ zion ];
   "syncthing.age".publicKeys = [ zion ];
   "msmtp.age".publicKeys = [ zion ];
   "gitea.age".publicKeys = [ zion ];
-  "ddclient.age".publicKeys = [ zion ];
   "miniflux.age".publicKeys = [ zion ];
   "git.age".publicKeys = [ zion ];
   "dendrite.age".publicKeys = [ zion ];
   "dendrite-postgres.age".publicKeys = [ zion ];
   "telegram.age".publicKeys = [ zion ];
+  "mqtt-sender.age".publicKeys = [ zion ];
+  "mqtt-receiver.age".publicKeys = [ zion ];
+  "facebook.age".publicKeys = [ zion ];
+  "signal.age".publicKeys = [ zion ];
+  "inadyn-duckdns.age".publicKeys = [ zion ];
+  "inadyn-porkbun.age".publicKeys = [ zion ];
+  "inadyn-porkbun-secret.age".publicKeys = [ zion ];
+  "acme-duckdns.age".publicKeys = [ zion ];
+  "acme-porkbun.age".publicKeys = [ zion ];
+  "microbin.age".publicKeys = [ zion ];
+  "readeck.age".publicKeys = [ zion ];
 }

secrets/signal.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg J/gZDBtDsIzjCzO1y2vXgxl8YuvWJgcpk+8KMOp63kg
+1XF9JFAIscHWFJMTctZOxVIBYhYliUFays5gwjZt6hs
+-> vM4\2y\'-grease
+bj9VKIuH0l1v5X8N2v4p+u3VySDKjj3WAyVZ7f+wmy16wncrNyMtiUZ+ELBWfqXd
+XOyeGZoKBHwd8lOgkZ+va0BEkBJs9piX
+--- K2uN9JxuqPQpAxjQ+6dgsqhsq50nTkLsw8QGJprE5hQ
+H<EFBFBD><EFBFBD><EFBFBD>S<>:<3A>eJ4}'<27><><EFBFBD>T<EFBFBD><54>˦<0B><>[<5B>'<27>M<EFBFBD><4D><EFBFBD>9<><07><>E6_<36><12><><EFBFBD><1D><><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD>yPM8''<27>'<15>F<><46><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Rڡ"<22>ݏ<EFBFBD>X<EFBFBD><58><EFBFBD><EFBFBD>;<3B><>4<EFBFBD>J/>k<1C>5<EFBFBD><<15><>:<3A>M<EFBFBD>lK$<24>ӟq<D39F>S<EFBFBD><53><EFBFBD><EFBFBD>#<23>Ō<04>j<EFBFBD>X)<29><>v<EFBFBD><76><EFBFBD>–<EFBFBD>Ou<4F><75>J<>P<EFBFBD><12><>~

secrets/wallabag-postgres.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg zWm4+j3/IRqd3uZqGzXVcHvs+urNrvDMOceWKbpl018
+HlIKCFYt7n3iKZav5i0YiB4awRMJML0XUowX8sKKH2c
+--- ysvYVxgK1OeqCk8KdNF+uWsaQ9EzVRku7nw37aUAW3A
+c<EFBFBD><EFBFBD>b<EFBFBD>W|bU<62>B"<22><04>Ե<EFBFBD><D4B5><EFBFBD><EFBFBD><EFBFBD><03><>U<EFBFBD>

well-known/matrix/client

@@ -1,5 +1,5 @@
 {
     "m.homeserver": {
-        "base_url": "https://matrix.coolneng.duckdns.org"
+        "base_url": "https://matrix.psydnd.org"
     }
 }

well-known/matrix/server

@@ -1 +1 @@
-{ "m.server": "matrix.coolneng.duckdns.org:443" }
+{ "m.server": "matrix.psydnd.org:443" }