Migrate to Determinate Nix

flake.lock: Update
Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02) → 'github:NixOS/nixpkgs/c97c47f2bac4fa59e2cbdeba289686ae615f8ed4?narHash=sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA%3D' (2025-12-04)
2025-12-06 05:18:46 +01:00 · 2025-12-05 23:51:49 +01:00 · 2025-12-04 17:31:29 +01:00 · 2025-12-04 17:21:24 +01:00 · 2025-12-01 09:26:14 +01:00 · 2025-12-01 09:25:15 +01:00
31 changed files with 688 additions and 554 deletions
--- a/.dir-locals.el
+++ b/.dir-locals.el
@@ -1 +0,0 @@
-((nil . ((ssh-deploy-root-remote . "/ssh:zion:/home/coolneng/system"))))
--- a/2
+++ b/2
@@ -1,7 +1,7 @@
 DIR=$(HOME)/Projects/zion

 switch:
-	nixos-rebuild switch --fast --target-host root@zion \
+	nixos-rebuild switch --no-reexec --target-host root@zion \
 	--build-host root@zion --flake path://$(DIR)#zion

 .DEFAULT_GOAL := switch
--- a/configuration.nix
+++ b/configuration.nix
@@ -9,13 +9,41 @@
 with pkgs;

 {
+  # Kernel configuration
+  boot = {
+    blacklistedKernelModules = [
+      "btusb"
+      "bluetooth"
+    ];
+    kernelParams = [
+      "zfs.zfs_arc_max=8589934592"
+      "zfs.zfs_arc_min=1073741824"
+    ];
+    supportedFilesystems = [ "zfs" ];
+    zfs = {
+      requestEncryptionCredentials = false;
+      extraPools = [ "vault" ];
+    };
+  };
+
+  # Secure boot using lanzaboote
+  boot.loader = {
+    efi.canTouchEfiVariables = true;
+    systemd-boot = {
+      enable = true;
+      configurationLimit = 50;
+      editor = false;
+    };
+    timeout = 3;
+  };
+
  # Declare system packages
  environment.systemPackages = [
    libraspberrypi
    htop
    neovim
    git
-    inputs.agenix.packages.aarch64-linux.default
+    inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default
  ];

  # Configure basic SSH access
@@ -57,12 +85,6 @@ with pkgs;
  time.timeZone = "Europe/Brussels";
  services.timesyncd.enable = true;

-  # Enable ZFS support
-  boot.supportedFilesystems = [ "zfs" ];
-
-  # Don't import encrypted datasets
-  boot.zfs.requestEncryptionCredentials = false;
-
  # Scrub zpool monthly
  services.zfs.autoScrub = {
    enable = true;
@@ -73,10 +95,12 @@ with pkgs;
  nix = {
    settings = {
      auto-optimise-store = true;
-      experimental-features = [
-        "nix-command"
-        "flakes"
+      trusted-users = [
+        "root"
+        "coolneng"
      ];
+      lazy-trees = true;
+      eval-cores = 2;
    };
    gc = {
      automatic = true;
@@ -87,6 +111,7 @@ with pkgs;
      keep-outputs = true
      keep-derivations = true
      gc-keep-outputs = true
+      experimental-features = nix-command flakes
    '';
  };

@@ -104,9 +129,7 @@ with pkgs;
  programs.fish.enable = true;
  users.users.root = {
    shell = "${fish}/bin/fish";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
-    ];
+    openssh.authorizedKeys.keys = config.users.users.coolneng.openssh.authorizedKeys.keys;
  };

  # Keep logs for a month
@@ -123,7 +146,7 @@ with pkgs;
  programs.fish.interactiveShellInit = "${./scripts/motd.sh}";

  # NixOS version
-  system.stateVersion = "22.05";
+  system.stateVersion = "24.11";

  # Specify secrets
  age = {
@@ -139,7 +162,6 @@ with pkgs;
      owner = "gitea";
      group = "gitea";
    };
-    secrets.ddclient.file = secrets/ddclient.age;
    secrets.miniflux = {
      file = secrets/miniflux.age;
      owner = "miniflux";
@@ -163,8 +185,6 @@ with pkgs;
    };
    secrets.telegram = {
      file = secrets/telegram.age;
-      owner = "matrix-as-telegram";
-      group = "matrix-as-telegram";
    };
    secrets.mqtt-sender = {
      file = secrets/mqtt-sender.age;
@@ -178,13 +198,44 @@ with pkgs;
    };
    secrets.facebook = {
      file = secrets/facebook.age;
-      owner = "matrix-as-facebook";
-      group = "matrix-as-facebook";
    };
    secrets.signal = {
      file = secrets/signal.age;
-      owner = "matrix-as-signal";
-      group = "matrix-as-signal";
+    };
+    secrets.inadyn-duckdns = {
+      file = secrets/inadyn-duckdns.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun = {
+      file = secrets/inadyn-porkbun.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun-secret = {
+      file = secrets/inadyn-porkbun-secret.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.acme-duckdns = {
+      file = secrets/acme-duckdns.age;
+      owner = "acme";
+      group = "nginx";
+    };
+    secrets.acme-porkbun = {
+      file = secrets/acme-porkbun.age;
+      owner = "acme";
+      group = "nginx";
+    };
+    secrets.microbin = {
+      file = secrets/microbin.age;
+      owner = "63026";
+      group = "63026";
+    };
+    secrets.readeck = {
+      file = secrets/readeck.age;
+      owner = "63026";
+      group = "63026";
    };
    identityPaths = [ "/etc/ssh/id_ed25519" ];
  };
@@ -192,22 +243,15 @@ with pkgs;
  # Auto-upgrade the system
  system.autoUpgrade = {
    enable = true;
+    allowReboot = true;
    flake = "/home/coolneng/system";
    flags = [
-      "--update-input agenix --update-input nixpkgs"
+      "--update-input"
+      "nixpkgs"
      "--commit-lock-file"
    ];
  };

-  # Limit the memory and CPU use of Nix
-  systemd.services.nixos-upgrade.serviceConfig = {
-    MemoryHigh = [ "500M" ];
-    MemoryMax = [ "2048M" ];
-    CPUWeight = [ "20" ];
-    CPUQuota = [ "85%" ];
-    IOWeight = [ "20" ];
-  };
-
  # Configure git for auto-upgrade
  programs.git = {
    enable = true;
@@ -233,7 +277,6 @@ with pkgs;
    ./modules/periodic.nix
    ./modules/communication.nix
    ./modules/information.nix
-    ./modules/device.nix
    ./modules/containers.nix
  ];

--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1723293904,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "lastModified": 1762618334,
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
        "type": "github"
      },
      "original": {
@@ -31,11 +31,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
        "type": "github"
      },
      "original": {
@@ -45,6 +45,63 @@
        "type": "github"
      }
    },
+    "determinate": {
+      "inputs": {
+        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
+        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
+        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
+        "nix": "nix",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1763536872,
+        "narHash": "sha256-QCYGGghBya+qsY59f1zzgYzxEzz+N9S7YRkVWDIDbgo=",
+        "rev": "f4e598cbb10021c93f73dd4c0cf01ec791ea53f9",
+        "revCount": 315,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.13.2/019a9b01-c0c6-7e1c-959e-98ac5b7675de/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
+      }
+    },
+    "determinate-nixd-aarch64-darwin": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-g1r0dPwlUi1h96c4BuHzv9M2lWDqRy9bPDW9tRSq35I=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/macOS"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/macOS"
+      }
+    },
+    "determinate-nixd-aarch64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-xn324irXG/EpUdUfUGFrlJNg23JN2cVArd5LsFPjGKc=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/aarch64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/aarch64-linux"
+      }
+    },
+    "determinate-nixd-x86_64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-VPM5FOGwEjl56b7Edvg3sduvauPHCyXZ11fN9hcUdTU=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/x86_64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/x86_64-linux"
+      }
+    },
    "devshell": {
      "locked": {
        "lastModified": 1642188268,
@@ -61,6 +118,22 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1641205782,
@@ -76,6 +149,53 @@
        "type": "github"
      }
    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748821116,
+        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+        "revCount": 377,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
+      }
+    },
+    "git-hooks-nix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": [
+          "determinate",
+          "nix"
+        ],
+        "nixpkgs": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747372754,
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "revCount": 1026,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -84,11 +204,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1703113217,
-        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
@@ -97,10 +217,31 @@
        "type": "github"
      }
    },
+    "nix": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "git-hooks-nix": "git-hooks-nix",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-23-11": "nixpkgs-23-11",
+        "nixpkgs-regression": "nixpkgs-regression"
+      },
+      "locked": {
+        "lastModified": 1763534330,
+        "narHash": "sha256-gTuB2qBdSKCKnZwENTqScs/pPBaZQOv6zZ1KJvV/ohk=",
+        "rev": "be871f9baf5366a220b5f25634eebab6f452a017",
+        "revCount": 23278,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.13.2/019a9af6-3d7b-71bc-bccd-8b18e147ad77/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
+      }
+    },
    "nix-matrix-appservices": {
      "inputs": {
        "devshell": "devshell",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "nixlib": "nixlib",
        "nixpkgs": [
          "nixpkgs"
@@ -137,56 +278,103 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1729742320,
-        "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
+        "lastModified": 1764440730,
+        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
+        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
+        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1733384649,
-        "narHash": "sha256-K5DJ2LpPqht7K76bsxetI+YHhGGRyVteTPRQaIIKJpw=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "190c31a89e5eec80dd6604d7f9e5af3802a58a13",
-        "type": "github"
+        "lastModified": 1761597516,
+        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+        "revCount": 811874,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-24.05",
-        "type": "indirect"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-23-11": {
      "locked": {
-        "lastModified": 1729880355,
-        "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=",
+        "lastModified": 1717159533,
+        "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "18536bf04cd71abd345f9579158841376fdd0c5a",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+        "type": "github"
+      }
+    },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1763375004,
+        "narHash": "sha256-e81Xfa7xhRZfqGB4s3xEvrg4p1v+fToM6CIQlXUyaX0=",
+        "rev": "8b6600824693a9c706ef09bd86711ca393703466",
+        "revCount": 897465,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.897465%2Brev-8b6600824693a9c706ef09bd86711ca393703466/019a9577-b407-75dd-b18b-3308def1c215/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1764831616,
+        "narHash": "sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c97c47f2bac4fa59e2cbdeba289686ae615f8ed4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "determinate": "determinate",
        "nix-matrix-appservices": "nix-matrix-appservices",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs": "nixpkgs_3"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@@ -1,43 +1,48 @@
 {
  description = "System configuration for zion";

+  nixConfig = {
+    extra-substituters = "https://install.determinate.systems";
+    extra-trusted-public-keys = ''
+      cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
+    '';
+  };
+
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nixos-hardware.url = "github:NixOS/nixos-hardware";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    nix-matrix-appservices = {
      url = "gitlab:coffeetables/nix-matrix-appservices";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

-  outputs = { self, nixpkgs, nixpkgs-unstable, agenix, nixos-hardware
-    , nix-matrix-appservices, ... }@inputs:
+  outputs =
+    { self, nixpkgs, ... }@inputs:
    let
-      system = "aarch64-linux";
+      system = "x86_64-linux";

      pkgs = import pkgs { inherit system; };

-      pkgs-unstable = import inputs.nixpkgs-unstable { inherit system; };
-
      lib = nixpkgs.lib;

-    in {
+    in
+    {
      nixosConfigurations.zion = lib.nixosSystem {
        inherit system;
        modules = [
          (import ./configuration.nix)
-          agenix.nixosModules.age
-          nixos-hardware.nixosModules.raspberry-pi-4
-          nix-matrix-appservices.nixosModule
+          inputs.agenix.nixosModules.age
+          inputs.nixos-hardware.nixosModules.aoostar-r1-n100
+          inputs.determinate.nixosModules.default
        ];
        specialArgs = {
          inherit inputs;
-          inherit pkgs-unstable;
        };
      };

--- a/modules/communication.nix
+++ b/modules/communication.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 with pkgs;

@@ -11,7 +16,8 @@ let
    conn_max_lifetime = -1;
  };

-in {
+in
+{
  # Matrix server configuration
  services.dendrite = {
    enable = true;
@@ -28,22 +34,32 @@ in {
      # HACK Inherit postgres connection string for the rest of the DBs
      app_service_api = {
        inherit database;
-        config_files = [
-          "/var/lib/matrix-as-facebook/facebook-registration.yaml"
-          "/var/lib/matrix-as-signal/signal-registration.yaml"
-          "/var/lib/matrix-as-telegram/telegram-registration.yaml"
-        ];
      };
-      media_api = { inherit database; };
-      room_server = { inherit database; };
-      push_server = { inherit database; };
+      media_api = {
+        inherit database;
+      };
+      room_server = {
+        inherit database;
+      };
+      push_server = {
+        inherit database;
+      };
      mscs = {
        inherit database;
-        mscs = [ "msc2836" "msc2946" ];
+        mscs = [
+          "msc2836"
+          "msc2946"
+        ];
+      };
+      sync_api = {
+        inherit database;
+      };
+      key_server = {
+        inherit database;
+      };
+      federation_api = {
+        inherit database;
      };
-      sync_api = { inherit database; };
-      key_server = { inherit database; };
-      federation_api = { inherit database; };
      user_api = {
        account_database = database;
        device_database = database;
@@ -58,95 +74,30 @@ in {
    /var/lib/matrix-as-telegram
  ];

-  # Matrix bridges
-  services.matrix-appservices = {
-    homeserver = "dendrite";
-    homeserverDomain = "coolneng.duckdns.org";
-    homeserverURL = "https://matrix.coolneng.duckdns.org";
-    services = {
-      telegram = {
-        port = 8118;
-        format = "mautrix-python";
-        package = mautrix-telegram;
-        serviceConfig.EnvironmentFile = config.age.secrets.telegram.path;
-        settings = {
-          appservice.database = "$DB_STRING";
-          homeserver.software = "standard";
-          telegram = {
-            api_id = "$API_ID";
-            api_hash = "$API_HASH";
-          };
-          bridge = {
-            permissions."@coolneng:coolneng.duckdns.org" = "admin";
-            backfill.normal_groups = true;
-          };
-        };
-      };
-      facebook = {
-        port = 8228;
-        format = "mautrix-python";
-        package = mautrix-facebook;
-        serviceConfig.EnvironmentFile = config.age.secrets.facebook.path;
-        settings = {
-          appservice.database = "$DB_STRING";
-          homeserver.software = "standard";
-          bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
-        };
-      };
-      signal = {
-        port = 8338;
-        format = "mautrix-python";
-        package = mautrix-signal;
-        serviceConfig = {
-          EnvironmentFile = config.age.secrets.signal.path;
-          StateDirectory = [ "matrix-as-signal" "signald" ];
-          JoinNamespaceOf = "signald.service";
-          SupplementaryGroups = [ "signald" ];
-        };
-        settings = {
-          appservice.database = "$DB_STRING";
-          homeserver.software = "standard";
-          bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
-          signal = {
-            socket_path = config.services.signald.socketPath;
-            outgoing_attachment_dir = "/var/lib/signald/tmp";
-          };
-        };
-      };
-    };
-  };
-
-  # Additional settings for mautrix-signal
-  services.signald = {
-    enable = true;
-    user = "matrix-as-signal";
-  };
-  systemd.services.matrix-as-signal = {
-    requires = [ "signald.service" ];
-    after = [ "signald.service" ];
-    unitConfig.JoinsNamespaceOf = "signald.service";
-    path = [ ffmpeg ];
-  };
-
-  # Enable voice messages for facebook
-  systemd.services.matrix-as-facebook.path = [ ffmpeg ];
-
  # MQTT configuration
  services.mosquitto = {
    enable = true;
    dataDir = "/vault/mosquitto";
-    logType = [ "websockets" "error" "warning" "notice" "information" ];
+    logType = [
+      "websockets"
+      "error"
+      "warning"
+      "notice"
+      "information"
+    ];
    logDest = [ "syslog" ];
-    listeners = [{
-      users.homeostasis = {
-        acl = [ "write #" ];
-        hashedPasswordFile = config.age.secrets.mqtt-sender.path;
-      };
-      users.prometheus = {
-        acl = [ "read #" ];
-        hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
-      };
-    }];
+    listeners = [
+      {
+        users.homeostasis = {
+          acl = [ "write #" ];
+          hashedPasswordFile = config.age.secrets.mqtt-sender.path;
+        };
+        users.prometheus = {
+          acl = [ "read #" ];
+          hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
+        };
+      }
+    ];
  };

 }
--- a/modules/containers.nix
+++ b/modules/containers.nix
@@ -20,7 +20,7 @@
      containers = {
        # Openbooks configuration
        openbooks = {
-          image = "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
+          image = "evanbuss/openbooks@sha256:4fa9188885368c2303b7dc527d48b3159aaa7022010e29b3ed96842018793590";
          ports = [ "127.0.0.1:9000:80" ];
          cmd = [
            "--name"
@@ -34,10 +34,16 @@
        };
        # Prometheus MQTT integration
        mqtt2prometheus = {
-          image = "hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf";
+          image = "hikhvar/mqtt2prometheus@sha256:8e166d36feaa5ddcad703eef3a2c5167a154d6eef306a40fe6509861580c0714";
          ports = [ "127.0.0.1:9641:9641" ];
          volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
        };
+        # Podcast synchronization
+        opodsync = {
+          image = "ganeshlab/opodsync@sha256:32626b732fe38687a5dfd703d515136e413c4b16f286b38656718ad03f0d94c1";
+          ports = [ "127.0.0.1:9090:8080" ];
+          volumes = [ "/vault/opodsync:/var/www/server/data" ];
+        };
      };
    };
  };
--- a/modules/device.nix
+++ b/modules/device.nix
@@ -1,36 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with pkgs;
-
-{
-  # A bunch of boot parameters needed for optimal runtime on RPi 4B
-  boot.kernelPackages = linuxPackages_rpi4;
-  boot.kernelParams = [
-    "zfs.zfs_arc_max=134217728"
-    "console=TTYAMA0,115200"
-    "console=tty1"
-    "8250.nr_uarts=1"
-    "iomem=relaxed"
-    "strict-devmem=0"
-  ];
-
-  # Enable SATA-HAT GPIO features
-  boot.loader = {
-    grub.enable = false;
-    generic-extlinux-compatible.enable = lib.mkForce false;
-    raspberryPi = {
-      enable = true;
-      version = 4;
-      firmwareConfig = ''
-        iomem=relaxed
-        strict-devmem=0
-      '';
-    };
-  };
-
-  # Load PWM hardware timers
-  hardware.raspberry-pi."4".pwm0.enable = true;
-
-  # Enable I2C
-  hardware.raspberry-pi."4".i2c1.enable = true;
-}
--- a/modules/devops.nix
+++ b/modules/devops.nix
@@ -1,4 +1,10 @@
-{ config, pkgs, lib, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
  # Set up Gitea with LFS support
  services.gitea = {
    enable = true;
@@ -15,11 +21,10 @@
    settings = {
      server = {
        DISABLE_SSH = true;
-        DOMAIN = "git.coolneng.duckdns.org";
-        ROOT_URL = "https://git.coolneng.duckdns.org";
+        DOMAIN = "git.psydnd.org";
+        ROOT_URL = "https://git.psydnd.org";
      };
      service.DISABLE_REGISTRATION = true;
-      ui.DEFAULT_THEME = "arc-green";
      session.COOKIE_SECURE = true;
      actions.ENABLED = true;
    };
--- a/modules/hardware-configuration.nix
+++ b/modules/hardware-configuration.nix
@@ -4,135 +4,55 @@
 { config, lib, pkgs, modulesPath, ... }:

 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" = {
-    device = "sysion/root";
-    fsType = "zfs";
-  };
+  fileSystems."/" =
+    { device = "sysion/stateful/root";
+      fsType = "zfs";
+    };

-  fileSystems."/nix" = {
-    device = "sysion/root/nix";
-    fsType = "zfs";
-  };
+  fileSystems."/nix" =
+    { device = "sysion/ephemeral/nix";
+      fsType = "zfs";
+    };

-  fileSystems."/home" = {
-    device = "sysion/home";
-    fsType = "zfs";
-  };
+  fileSystems."/tmp" =
+    { device = "sysion/ephemeral/tmp";
+      fsType = "zfs";
+    };

-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/EB8C-3C86";
-    fsType = "vfat";
-  };
+  fileSystems."/home/coolneng" =
+    { device = "sysion/stateful/home";
+      fsType = "zfs";
+    };

-  fileSystems."/var/lib/prometheus2" = {
-    device = "vault/state_directories/prometheus";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/grafana" = {
-    device = "vault/state_directories/grafana";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/gitea" = {
-    device = "vault/state_directories/gitea";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/matrix-as-facebook" = {
-    device = "vault/state_directories/matrix-as-facebook";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/signald" = {
-    device = "vault/state_directories/signald";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/matrix-as-signal" = {
-    device = "vault/state_directories/matrix-as-signal";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault" = {
-    device = "vault";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/matrix-as-telegram" = {
-    device = "vault/state_directories/matrix-as-telegram";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/backups" = {
-    device = "vault/backups";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/mosquitto" = {
-    device = "vault/mosquitto";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/radicale" = {
-    device = "vault/radicale";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/git" = {
-    device = "vault/git";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/syncthing" = {
-    device = "vault/syncthing";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/backups/zion" = {
-    device = "vault/backups/zion";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/backups/monolith" = {
-    device = "vault/backups/monolith";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/wallabag" = {
-    device = "vault/state_directories/wallabag";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/containers/storage/overlay" = {
-    device = "/var/lib/containers/storage/overlay";
-    fsType = "none";
-    options = [ "bind" ];
-  };
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/C332-4650";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };

  swapDevices =
-    [{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; }];
+    [ { device = "/dev/disk/by-uuid/d388feef-a651-4dae-8161-f666136de240"; }
+    ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true;
-  # networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true;
-  # networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;

-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/modules/information.nix
+++ b/modules/information.nix
@@ -10,29 +10,35 @@
  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.age.secrets.miniflux.path;
-    config = {
-      BASE_URL = "https://rss.coolneng.duckdns.org";
-      DISABLE_HSTS = 1;
-    };
  };

-  # Php-fpm pool for Wallabag
-  services.phpfpm.pools.wallabag = {
-    user = "nginx";
-    group = "nginx";
+  # Microbin configuration
+  services.microbin = {
+    enable = true;
+    passwordFile = config.age.secrets.microbin.path;
    settings = {
-      "listen.owner" = config.services.nginx.user;
-      "listen.group" = config.services.nginx.group;
-      "listen.mode" = 600;
-      "pm" = "ondemand";
-      "pm.max_children " = 4;
-      "pm.max_requests" = 32;
-      "env[WALLABAG_DATA]" = config.environment.variables.WALLABAG_DATA;
+      MICROBIN_PORT = 9091;
+      MICROBIN_PUBLIC_PATH = "https://bin.psydnd.org";
+      MICROBIN_QR = true;
+      MICROBIN_WIDE = true;
    };
-    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
  };

-  # Set environment variable pointing to wallabag configuration directory
-  environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
+  # Readeck configuration
+  services.readeck = {
+    enable = true;
+    settings = {
+      server = {
+        host = "127.0.0.1";
+        port = 9092;
+        allowed_hosts = [ "read.psydnd.org" ];
+        trusted_proxies = [ "127.0.0.1" ];
+        environmentFile = config.age.secrets.readeck.path;
+      };
+    };
+  };
+
+  # NOTE Load credentials using environment variables
+  systemd.services.readeck.serviceConfig.EnvironmentFile = config.age.secrets.readeck.path;

 }
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 with pkgs;

@@ -46,7 +51,8 @@ with pkgs;
  services.prometheus = {
    enable = true;
    port = 9001;
-    retentionTime = "1y";
+    retentionTime = "10y";
+    extraFlags = [ "--web.enable-admin-api" ];
    exporters = {
      node = {
        enable = true;
@@ -56,27 +62,28 @@ with pkgs;
      postgres.enable = true;
      smartctl.enable = true;
    };
-    scrapeConfigs = [{
-      job_name = "zion";
-      static_configs = [{
-        targets = [
-          "localhost:${toString config.services.prometheus.exporters.node.port}"
-          "localhost:${
-            toString config.services.prometheus.exporters.postgres.port
-          }"
-          "localhost:${
-            toString config.services.prometheus.exporters.smartctl.port
-          }"
+    scrapeConfigs = [
+      {
+        job_name = "zion";
+        static_configs = [
+          {
+            targets = [
+              "localhost:${toString config.services.prometheus.exporters.node.port}"
+              "localhost:${toString config.services.prometheus.exporters.postgres.port}"
+              "localhost:${toString config.services.prometheus.exporters.smartctl.port}"
+              "localhost:9641" # MQTT2Prometheus
+            ];
+          }
        ];
-      }];
-    }];
+      }
+    ];
  };

  # Grafana configuration
  services.grafana = {
    enable = true;
    settings.server = {
-      domain = "grafana.coolneng.duckdns.org";
+      domain = "grafana.psydnd.org";
      http_port = 9009;
      http_addr = "127.0.0.1";
    };
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -13,7 +13,7 @@ in
  # Enable systemd-networkd
  networking = {
    hostName = "zion";
-    hostId = "4e74ea68";
+    hostId = "760bfad7";
    useDHCP = false;
    useNetworkd = true;
    dhcpcd.enable = false;
@@ -22,27 +22,40 @@ in

  # Assign a static IP
  systemd.network.networks."24-home" = {
-    name = "end0";
-    matchConfig.Name = "end0";
-    address = [ "192.168.13.2/24" ];
-    gateway = [ "192.168.13.1" ];
+    name = "enp2s0";
+    matchConfig.Name = "enp2s0";
+    address = [ "192.168.128.2/23" ];
+    gateway = [ "192.168.128.1" ];
    dns = [
-      "1.1.1.1"
-      "9.9.9.9"
+      "127.0.0.1"
+      "::1"
    ];
    networkConfig.DNSSEC = "no";
  };

  # Dynamic DNS configuration
-  services.ddclient = {
+  services.inadyn = {
    enable = true;
-    quiet = true;
-    use = "web, web=freedns";
-    interval = "30min";
-    protocol = "duckdns";
-    domains = [ "coolneng.duckdns.org" ];
-    passwordFile = config.age.secrets.ddclient.path;
-    extraConfig = "";
+    interval = "*:0/30";
+    settings.provider."duckdns" = {
+      hostname = "coolneng.duckdns.org";
+      include = config.age.secrets.inadyn-duckdns.path;
+    };
+  };
+
+  # Dynamic DNS configuration for Porkbun
+  # NOTE Temporary workaround until Inadyn fixes the Porkbun module
+  services.oink = {
+    enable = true;
+    apiKeyFile = config.age.secrets.inadyn-porkbun.path;
+    secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path;
+    settings.interval = 1800;
+    domains = [
+      {
+        domain = "psydnd.org";
+        subdomain = "";
+      }
+    ];
  };

  # Firewall configuration
@@ -62,6 +75,9 @@ in
      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
        config.systemd.network.networks."24-home".name
      } -j MASQUERADE
+      ip6tables -t nat -A POSTROUTING -s fd00::0/128 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
    '';
  };

@@ -78,17 +94,19 @@ in
    wireguardPeers = [
      # panacea
      {
-        wireguardPeerConfig = {
-          PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
-          AllowedIPs = [ "10.8.0.2/32" ];
-        };
+        PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
+        AllowedIPs = [
+          "10.8.0.2/32"
+          "fd00::2/128"
+        ];
      }
      # caravanserai
      {
-        wireguardPeerConfig = {
-          PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
-          AllowedIPs = [ "10.8.0.3/32" ];
-        };
+        PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
+        AllowedIPs = [
+          "10.8.0.3/32"
+          "fd00::3/128"
+        ];
      }
    ];
  };
@@ -96,12 +114,25 @@ in
  systemd.network.networks."wg0" = {
    matchConfig.Name = "wg0";
    networkConfig = {
-      Address = "10.8.0.1/24";
-      IPForward = true;
-      IPMasquerade = "ipv4";
+      Address = [
+        "10.8.0.1/24"
+        "fd00::1/128"
+      ];
+      IPv4Forwarding = true;
+      IPv6Forwarding = true;
    };
  };

+  # Disable systemd-resolved DNS stub
+  services.resolved = {
+    enable = true;
+    llmnr = "false";
+    extraConfig = ''
+      MulticastDNS=yes
+      DNSStubListener=no
+    '';
+  };
+
  # DNS server with ad-block
  services.dnsmasq = {
    enable = true;
@@ -110,7 +141,13 @@ in
      bogus-priv = true;
      no-resolv = true;

-      listen-address = [ "127.0.0.1" "192.168.13.2" "10.8.0.1" ];
+      listen-address = [
+        "127.0.0.1"
+        "192.168.128.2"
+        "10.8.0.1"
+        "::1"
+        "fd00::1"
+      ];
      bind-interfaces = true;
      server = [ "127.0.0.1#43" ];

@@ -119,17 +156,18 @@ in

      conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf";
      dnssec = false;
-
-      address = "/coolneng.duckdns.org/192.168.13.2";
    };
  };

  # Encrypted DNS
-  services.dnscrypt-proxy2 = {
+  services.dnscrypt-proxy = {
    enable = true;
    upstreamDefaults = true;
    settings = {
-      listen_addresses = [ "127.0.0.1:43" ];
+      listen_addresses = [
+        "127.0.0.1:43"
+        "[::1]:43"
+      ];
      sources.public-resolvers = {
        urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
--- a/modules/periodic.nix
+++ b/modules/periodic.nix
@@ -35,22 +35,6 @@ in
    startAt = "02:00:00";
  };

-  # Enable SATA HAT fans
-  systemd.services.sata-hat = {
-    description = "Enable software support for SATA Hat";
-    wantedBy = [ "default.target" ];
-    script = ''
-      ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on"
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = "yes";
-      ExecStop = ''
-        ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off"
-      '';
-    };
-  };
-
  # Push zion changes to git daily
  systemd.user.services.zion-push = {
    description = "Push zion changes to git";
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -11,7 +11,7 @@
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
-    recommendedZstdSettings = true;
+    recommendedBrotliSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    clientMaxBodySize = "0";
@@ -34,15 +34,12 @@
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
    virtualHosts = {
+      # Old domain being redirected
      "coolneng.duckdns.org" = {
        useACMEHost = "coolneng.duckdns.org";
        forceSSL = true;
-        # Redirect from legacy subdirectory URL to subdomain
        locations = {
-          "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
-          "/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
-          "/gitea/".extraConfig = "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
-          "/miniflux/".extraConfig = "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
+          "/".return = "301 https://psydnd.org$request_uri";
          # Delegation for Matrix
          "/.well-known/" = {
            alias = "${../well-known}" + "/";
@@ -54,9 +51,20 @@
          };
        };
      };
-      "radicale.coolneng.duckdns.org" = {
+      # Redirect subdomains
+      "~^(?<subdomain>.+)\.coolneng\.duckdns\.org$" = {
        useACMEHost = "coolneng.duckdns.org";
        forceSSL = true;
+        locations."/".return = "301 https://$subdomain.psydnd.org$request_uri";
+      };
+      # Current domain
+      "psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+      };
+      "radicale.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:5232/";
          extraConfig = ''
@@ -65,30 +73,30 @@
          '';
        };
      };
-      "sync.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "sync.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:8384/";
      };
-      "git.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "git.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:3000/";
          extraConfig = ''
            ${config.services.nginx.commonHttpConfig}
            # Disable embedding as a frame, except from the same origin
-            add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";
+            add_header Content-Security-Policy "frame-src git.psydnd.org; frame-ancestors git.psydnd.org";
          '';
        };
      };
-      "rss.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "rss.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:8080/";
      };
-      "matrix.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "matrix.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        listen = [
          # IPv4
@@ -116,39 +124,18 @@
        ];
        locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008";
      };
-      "element.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "element.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/".root = pkgs.element-web.override {
          conf.default_server_config = {
-            "m.homeserver"."base_url" = "https://matrix.coolneng.duckdns.org";
+            "m.homeserver"."base_url" = "https://matrix.psydnd.org";
            "m.identity_server"."base_url" = "https://vector.im";
          };
        };
      };
-      "wallabag.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
-        forceSSL = true;
-        root = "${pkgs.wallabag}/web";
-        locations = {
-          "/".tryFiles = "$uri /app.php$is_args$args";
-          "/assets".root = "${config.environment.variables.WALLABAG_DATA}/web";
-          "~ ^/app.php(/|$)" = {
-            fastcgiParams = {
-              SCRIPT_FILENAME = "${pkgs.wallabag}/web/$fastcgi_script_name";
-              DOCUMENT_ROOT = "${pkgs.wallabag}/web";
-            };
-            extraConfig = ''
-              fastcgi_pass unix:${config.services.phpfpm.pools.wallabag.socket};
-              fastcgi_split_path_info ^(.+\.php)(/.*)$;
-              include ${pkgs.nginx}/conf/fastcgi_params;
-              internal;
-            '';
-          };
-        };
-      };
-      "books.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "books.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:9000/";
@@ -159,14 +146,29 @@
          '';
        };
      };
-      "grafana.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "grafana.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:9009/";
          proxyWebsockets = true;
        };
      };
+      "podcast.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9090/";
+      };
+      "bin.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9091/";
+      };
+      "read.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9092/";
+      };
    };
  };

@@ -175,26 +177,34 @@
    acceptTerms = true;
    defaults = {
      email = "akasroua@disroot.org";
-      dnsResolver = "127.0.0.1:53";
      group = "nginx";
-      webroot = "/var/lib/acme/acme-challenge";
-      ocspMustStaple = true;
    };
-    certs."coolneng.duckdns.org".extraDomainNames = lib.attrsets.mapAttrsToList (
-      name: value: "${name}"
-    ) config.services.nginx.virtualHosts;
+    certs = {
+      "coolneng.duckdns.org" = {
+        domain = "*.coolneng.duckdns.org";
+        dnsProvider = "duckdns";
+        environmentFile = config.age.secrets.acme-duckdns.path;
+      };
+      "psydnd.org" = {
+        domain = "psydnd.org";
+        extraDomainNames = [ "*.psydnd.org" ];
+        dnsProvider = "porkbun";
+        environmentFile = config.age.secrets.acme-porkbun.path;
+      };
+    };
  };

  # Generate dhparams
  security.dhparams = {
    enable = true;
-    params.nginx.bits = 2048;
+    defaultBitSize = 4096;
+    params.nginx.bits = 4096;
  };

  # PostgreSQL databases configuration
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_16;
    authentication = lib.mkForce ''
      # Generated file; do not edit!
      # TYPE  DATABASE        USER            ADDRESS                 METHOD
@@ -215,10 +225,9 @@
    "miniflux.service"
    "radicale.service"
    "dendrite.service"
-    "phpfpm-wallabag.service"
-    "systemd-tmpfiles-setup.service"
+    "grafana.service"
    "podman-openbooks.service"
    "podman-mqtt2prometheus.service"
-    "podman-nightscout.service"
+    "podman-opodsync.service"
  ];
 }
--- a/scripts/SATA-hat.sh
+++ b/scripts/SATA-hat.sh
@@ -1,71 +0,0 @@
-#!/bin/sh
-
-BASE_PATH=/sys/class
-GPIO_PATH="$BASE_PATH"/gpio
-PWM_PATH="$BASE_PATH"/pwm/pwmchip0
-
-# GPIO pins
-CPU_FAN=12
-HDD_FAN=13
-
-# Values
-LOW=0
-HIGH=1
-
-export_pin() {
-    if [ ! -e $GPIO_PATH/gpio"$1" ]; then
-        echo "$1" >$GPIO_PATH/export
-    fi
-}
-
-unexport_pin() {
-    if [ -e $GPIO_PATH/gpio"$1" ]; then
-        echo "$1" >$GPIO_PATH/unexport
-    fi
-}
-
-set_gpio() {
-    export_pin "$1"
-    echo "out" >$GPIO_PATH/gpio"$1"/direction
-    echo "$2" >$GPIO_PATH/gpio"$1"/value
-    if [ "$3" = "clean" ]; then
-        unexport_pin "$1"
-    fi
-}
-
-enable_pwm_channel() {
-    echo "$1" >$PWM_PATH/export
-    echo 40000 >$PWM_PATH/pwm"$1"/period
-    echo 30000 >$PWM_PATH/pwm"$1"/duty_cycle
-    echo 1 >$PWM_PATH/pwm"$1"/enable
-}
-
-set_pwm() {
-    if [ "$1" = "clean" ]; then
-        echo 1 >$PWM_PATH/unexport
-    else
-        enable_pwm_channel 1
-    fi
-}
-
-turn_on() {
-    set_gpio $CPU_FAN $HIGH
-    set_gpio $HDD_FAN $HIGH
-    set_pwm
-}
-
-turn_off() {
-    set_gpio $CPU_FAN $LOW clean
-    set_gpio $HDD_FAN $LOW clean
-    set_pwm clean
-}
-
-trap turn_off INT
-
-if [ "$1" = "on" ]; then
-    turn_on
-else
-    turn_off
-fi
-
-exit 0
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+partition_disk() {
+    parted "$DISK" -- mklabel gpt
+    parted "$DISK" -- mkpart ESP fat32 1MiB 1025MiB
+    parted "$DISK" -- mkpart linux-swap 1025MiB 17409MiB
+    parted "$DISK" -- mkpart primary 17409MiB 100%
+    parted "$DISK" -- set 1 boot on
+    mkfs.fat -F32 -n BOOT "$DISK"p1
+    mkswap "$DISK"p2
+    swapon "$DISK"p2
+}
+
+zfs_setup() {
+    zpool import -f vault
+    zpool create -f -o ashift=12 -o autotrim=on -O acltype=posixacl -O relatime=on \
+        -O xattr=sa -O dnodesize=legacy -O normalization=formD -O mountpoint=none \
+        -O canmount=off -O devices=off -R /mnt -O compression=zstd "$POOL_NAME" "$DISK"p3
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral/nix
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false -o sync=disabled -o setuid=off "$POOL_NAME"/ephemeral/tmp
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true "$POOL_NAME"/stateful/home
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful/root
+}
+
+mount_datasets() {
+    mount -t zfs sysion/stateful/root /mnt
+    mkdir -p /mnt/boot
+    mount "$DISK"p1 /mnt/boot
+    mkdir -p /mnt/home/coolneng
+    mount -t zfs sysion/stateful/home /mnt/home/coolneng
+    mkdir -p /mnt/nix
+    mount -t zfs sysion/ephemeral/nix /mnt/nix
+    mkdir -p /mnt/tmp
+    mount -t zfs sysion/ephemeral/tmp /mnt/tmp
+}
+
+install_system() {
+    nixos-generate-config --root /mnt
+    mv /mnt/etc/nixos/hardware-configuration.nix modules/hardware-configuration.nix
+    nix-shell -p git --command "nixos-install --root /mnt --flake .#zion"
+}
+
+usage() {
+    echo "Usage: install.sh <disk>"
+    echo "disk: full path to the disk (e.g. /dev/sda)"
+    exit 1
+}
+
+if [ $# != 1 ]; then
+    usage
+fi
+
+DISK="$1"
+POOL_NAME="sysion"
+
+echo "Let's start by partitioning the disk"
+partition_disk
+echo "Starting up the ZFS machinery"
+zfs_setup
+echo "Mounting the horse"
+mount_datasets
+echo "Lift off to the NixOS planet"
+install_system
+echo "All ready, time to rejoice"
--- a/scripts/motd.sh
+++ b/scripts/motd.sh
@@ -23,13 +23,8 @@ services=(
 	"syncthing.service"
 	"radicale.service"
 	"miniflux.service"
-	"phpfpm-wallabag.service"
 	"gitea.service"
 	"dendrite.service"
-	"matrix-as-telegram.service"
-	"matrix-as-facebook.service"
-	"matrix-as-signal.service"
-	"signald.service"
 	"nginx.service"
 	"dnsmasq.service"
 	"podman-openbooks.service"
--- a/secrets/acme-duckdns.age
+++ b/secrets/acme-duckdns.age
--- a/secrets/acme-porkbun.age
+++ b/secrets/acme-porkbun.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg 7JImhL2Wo/eJEwUGP+NhEf36yq5gHO9q1GYhY2HaMAY
+eAMhD0sqHQS+aayBpOsY8+081i72QAhJCFbBe0//uwU
+--- 4K8cXsDuWZrmWNJ+rz166ej9o/gLFc7CfJuzAsG0BxA
+|.<2E><><EFBFBD>	f<><66>f<EFBFBD>=<1D>-<2D>X$P<>:
--- a/secrets/ddclient.age
+++ b/secrets/ddclient.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY
-jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw
-> vH/-grease []_Tx" cZfV JHS /x/
-SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE
--- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k
-<EFBFBD>iy<13>݌1k{<7B><>OJ3<1F>H<EFBFBD>N<><4E><11><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>%y<><1D><><0C><>JA<4A>8<EFBFBD><38>
-'<27>N<EFBFBD><4E>%<25><><EFBFBD><EFBFBD><EFBFBD>L@<12>6	&<26><>
--- a/secrets/inadyn-duckdns.age
+++ b/secrets/inadyn-duckdns.age
@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg XMrsd1RQcDq/SpFtqpB4Gj1keCvJsMB+VA58qZirYA4
+tf8NQzoEYJXlKBjtX4ZplaPQv51RCW9yHulvKZB8c8g
+--- 5wZntAZCQ4pGYrgDFd63w6Y+Taaatcw5z0tDSvShi30
+<EFBFBD><EFBFBD>4<EFBFBD><EFBFBD><EFBFBD>Ɖq3<EFBFBD>&
+><0E>4<EFBFBD><34>J<EFBFBD>?<3F><0F><>QW<51>jZ<:'<<16>x(<28>Y<16>i<EFBFBD>ZDO#<23>w<7F><77>R<EFBFBD><52><EFBFBD>O@2<>cAj	(f<><66><EFBFBD><EFBFBD>M<EFBFBD><4D><EFBFBD>
--- a/secrets/inadyn-porkbun-secret.age
+++ b/secrets/inadyn-porkbun-secret.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
+MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
+--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
+<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29><0B><>%fc<66><63>XZչ 7+yB
--- a/secrets/inadyn-porkbun.age
+++ b/secrets/inadyn-porkbun.age
--- a/secrets/microbin.age
+++ b/secrets/microbin.age
--- a/secrets/readeck.age
+++ b/secrets/readeck.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,7 +6,6 @@ in
  "syncthing.age".publicKeys = [ zion ];
  "msmtp.age".publicKeys = [ zion ];
  "gitea.age".publicKeys = [ zion ];
-  "ddclient.age".publicKeys = [ zion ];
  "miniflux.age".publicKeys = [ zion ];
  "git.age".publicKeys = [ zion ];
  "dendrite.age".publicKeys = [ zion ];
@@ -16,4 +15,11 @@ in
  "mqtt-receiver.age".publicKeys = [ zion ];
  "facebook.age".publicKeys = [ zion ];
  "signal.age".publicKeys = [ zion ];
+  "inadyn-duckdns.age".publicKeys = [ zion ];
+  "inadyn-porkbun.age".publicKeys = [ zion ];
+  "inadyn-porkbun-secret.age".publicKeys = [ zion ];
+  "acme-duckdns.age".publicKeys = [ zion ];
+  "acme-porkbun.age".publicKeys = [ zion ];
+  "microbin.age".publicKeys = [ zion ];
+  "readeck.age".publicKeys = [ zion ];
 }
--- a/secrets/wallabag-postgres.age
+++ b/secrets/wallabag-postgres.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg zWm4+j3/IRqd3uZqGzXVcHvs+urNrvDMOceWKbpl018
+HlIKCFYt7n3iKZav5i0YiB4awRMJML0XUowX8sKKH2c
+--- ysvYVxgK1OeqCk8KdNF+uWsaQ9EzVRku7nw37aUAW3A
+c<EFBFBD><EFBFBD>b<EFBFBD>W|bU<62>B"<22><04>Ե<EFBFBD><D4B5><EFBFBD><EFBFBD><EFBFBD><03><>U<EFBFBD>
--- a/secrets/wallabag.age
+++ b/secrets/wallabag.age
--- a/well-known/matrix/client
+++ b/well-known/matrix/client
@@ -1,5 +1,5 @@
 {
    "m.homeserver": {
-        "base_url": "https://matrix.coolneng.duckdns.org"
+        "base_url": "https://matrix.psydnd.org"
    }
 }
--- a/well-known/matrix/server
+++ b/well-known/matrix/server
@@ -1 +1 @@
-{ "m.server": "matrix.coolneng.duckdns.org:443" }
+{ "m.server": "matrix.psydnd.org:443" }
Author	SHA1	Message	Date
coolneng	3e577066c1	Migrate to Determinate Nix	2025-12-06 05:18:46 +01:00
coolneng	3f10536deb	flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02) → 'github:NixOS/nixpkgs/c97c47f2bac4fa59e2cbdeba289686ae615f8ed4?narHash=sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA%3D' (2025-12-04)	2025-12-05 23:51:49 +01:00
coolneng	25e995dfb3	Adapt dnscrypt-proxy config to upstream changes	2025-12-04 17:31:29 +01:00
coolneng	f2faa9047b	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/9edb1787864c4f59ae5074ad498b6272b3ec308d?narHash=sha256-NA/FT2hVhKDftbHSwVnoRTFhes62%2B7dxZbxj5Gxvghs%3D' (2025-08-05) → 'github:ryantm/agenix/fcdea223397448d35d9b31f798479227e80183f6?narHash=sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L%2BVSybPfiIgzU8lbQ%3D' (2025-11-08) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/a65b650d6981e23edd1afa1f01eb942f19cdcbb7?narHash=sha256-9bHzrVbjAudbO8q4vYFBWlEkDam31fsz0J7GB8k4AsI%3D' (2025-08-26) → 'github:NixOS/nixos-hardware/9154f4569b6cdfd3c595851a6ba51bfaa472d9f3?narHash=sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x%2B6XUJ4YdFRjtO4%3D' (2025-11-29) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f?narHash=sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD%2B/cTUzzgVFoaHrkqY%3D' (2025-11-30) → 'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25) → 'github:NixOS/nixpkgs/418468ac9527e799809c900eda37cbff999199b6?narHash=sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y%3D' (2025-12-02)	2025-12-04 17:21:24 +01:00
coolneng	22fc403563	Use Brotli instead of ZSTD for Nginx	2025-12-01 09:26:14 +01:00
coolneng	d5e11e4909	Remove redundant secret injection for oink	2025-12-01 09:25:15 +01:00
coolneng	bcc764dd50	Upgrade to NixOS 25.11	2025-12-01 09:24:18 +01:00
coolneng	4e317cfd81	Specify auto upgrade flags correctly	2025-11-23 17:12:55 +01:00
coolneng	2ad5372267	Use inputs attribute to import modules	2025-11-23 17:03:54 +01:00
coolneng	6e93e251d6	Use correct Flake URL scheme for Auto Upgrade	2025-08-29 01:01:24 +02:00
coolneng	770ecc6c02	Adapt Makefile to new CLI flags of nixos-rebuild	2025-08-27 08:16:38 +02:00
coolneng	86fb493a80	Disable systemd-resolved DNS stub causing conflict	2025-08-27 08:12:57 +02:00
coolneng	3057f13858	Reboot after Auto Upgrade if necessary	2025-08-27 06:20:52 +02:00
coolneng	155c4f3525	Use Git repository as Flake URL for Auto Upgrade	2025-08-27 06:17:48 +02:00
coolneng	3abfa5cb84	Remove Matrix bridges users	2025-08-27 06:14:36 +02:00
coolneng	5d1b075adb	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/e600439ec4c273cf11e06fe4d9d906fb98fa097c?narHash=sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA%3D' (2025-01-15) → 'github:ryantm/agenix/9edb1787864c4f59ae5074ad498b6272b3ec308d?narHash=sha256-NA/FT2hVhKDftbHSwVnoRTFhes62%2B7dxZbxj5Gxvghs%3D' (2025-08-05) • Updated input 'agenix/darwin': 'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d?narHash=sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0%3D' (2023-11-24) → 'github:lnl7/nix-darwin/43975d782b418ebf4969e9ccba82466728c2851b?narHash=sha256-dyN%2BteG9G82G%2Bm%2BPX/aSAagkC%2BvUv0SgUw3XkPhQodQ%3D' (2025-04-12) • Updated input 'agenix/home-manager': 'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1?narHash=sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE%3D' (2023-12-20) → 'github:nix-community/home-manager/abfad3d2958c9e6300a883bd443512c55dfeb1be?narHash=sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs%3D' (2025-04-24) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/009b764ac98a3602d41fc68072eeec5d24fc0e49?narHash=sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE%3D' (2025-02-27) → 'github:NixOS/nixos-hardware/a65b650d6981e23edd1afa1f01eb942f19cdcbb7?narHash=sha256-9bHzrVbjAudbO8q4vYFBWlEkDam31fsz0J7GB8k4AsI%3D' (2025-08-26) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346?narHash=sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY%3D' (2025-05-31) → 'github:NixOS/nixpkgs/b1b3291469652d5a2edb0becc4ef0246fff97a7c?narHash=sha256-wY1%2B2JPH0ZZC4BQefoZw/k%2B3%2BDowFyfOxv17CN/idKs%3D' (2025-08-23) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/18536bf04cd71abd345f9579158841376fdd0c5a?narHash=sha256-RP%2BOQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM%3D' (2024-10-25) → 'github:NixOS/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25)	2025-08-27 03:05:54 +02:00
coolneng	6a3fbf2d80	Migrate from Wallabag to Readeck	2025-06-02 17:14:44 +02:00
coolneng	9a35cefd62	Set Wallabag container version to 2.5.4	2025-06-02 15:47:03 +02:00
coolneng	0fa3b9de30	Enable Prometheus admin API	2025-06-02 12:34:46 +02:00
coolneng	4e56c58d7a	Increase retention time of Prometheus metrics	2025-06-02 12:34:32 +02:00
coolneng	f9a04a4492	Use systemd-boot as a temporary workaround	2025-06-02 12:22:12 +02:00
coolneng	b2c983ee22	Upgrade to NixOS 25.05	2025-06-02 12:19:43 +02:00
coolneng	28399165fc	Set up Microbin	2025-04-29 14:33:08 +02:00
coolneng	42df5964f1	Migrate Wallabag to container deployment	2025-04-28 17:06:22 +02:00
coolneng	90b38fcf08	Listen to MQTT gateway in Prometheus	2025-04-23 17:19:49 +02:00
coolneng	f4ba4e8a89	Update services that require nginx	2025-04-14 19:23:12 +02:00
coolneng	156d8b04e5	Route IPv6 via Wireguard	2025-04-14 19:22:26 +02:00
coolneng	ef69519de7	Increase Diffie-Hellman key size	2025-04-14 17:18:43 +02:00
coolneng	e4175767a3	Remove unstable package definition	2025-04-08 03:13:01 +02:00
coolneng	0127dbc975	Set up Opodsync	2025-04-08 03:08:46 +02:00
coolneng	848d652ac7	Redirect all URLs to new domain	2025-04-08 02:58:03 +02:00
coolneng	40838848c3	Replace ddclient with Inadyn	2025-04-07 14:28:00 +02:00
coolneng	e82ab26d23	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41?narHash=sha256-b%2Buqzj%2BWa6xgMS9aNbX4I%2BsXeb5biPDi39VgvSFqFvU%3D' (2024-08-10) → 'github:ryantm/agenix/e600439ec4c273cf11e06fe4d9d906fb98fa097c?narHash=sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA%3D' (2025-01-15) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b?narHash=sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc%3D' (2025-02-25) → 'github:NixOS/nixpkgs/7819a0d29d1dd2bc331bec4b327f0776359b1fa6?narHash=sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p%2BjElwxaM%3D' (2025-04-05)	2025-04-07 04:40:23 +02:00
coolneng	31d582bc9a	Adapt Wireguard config to upstream changes	2025-03-28 16:44:40 +01:00
coolneng	a5f9244996	Change location of the system configuration	2025-03-21 20:27:39 +01:00
coolneng	68d7c22549	Switch to the operator LAN subnet	2025-03-04 17:51:30 +01:00
coolneng	acf5a23ed5	Remove SSH upload configuration file	2025-03-04 17:50:54 +01:00
coolneng	e3e91bc934	Set flake path to canonical Syncthing folder	2025-03-03 11:19:49 +01:00
coolneng	28a2e71b65	Remove deleted Gitea theme from configuration	2025-02-28 06:09:08 +01:00
coolneng	a23c52cdf3	Upgrade to PostgreSQL 16	2025-02-28 06:08:45 +01:00
coolneng	78f3761754	Remove broken Matrix bridges module	2025-02-28 06:08:24 +01:00
coolneng	db447ddb8b	Refer to main users SSH keys for root	2025-02-28 04:16:14 +01:00
coolneng	45562df6cf	Use DNS-01 for ACME	2025-02-28 04:16:06 +01:00
coolneng	0b3e10fd70	Change CPU architecture of podman containers	2025-02-28 04:14:44 +01:00
coolneng	f2386e8020	Adapt ddclient to upstream changes	2025-02-28 04:14:25 +01:00
coolneng	9504d4c5a1	Disable automatic ZFS encrypted dataset import	2025-02-27 21:05:22 +01:00
coolneng	9335bdeac9	Enabled Aoostar R1 specific tweaks	2025-02-27 21:05:22 +01:00
coolneng	3b471f8e32	Add installation script	2025-02-27 21:05:22 +01:00
coolneng	ccd5019abd	Upgrade to NixOS 24.11	2025-02-27 21:05:22 +01:00
coolneng	a0573d8aab	Adapt LAN configuration	2025-02-27 21:05:22 +01:00
coolneng	a389e1395d	Remove Raspberry Pi 4 specific bits	2025-02-27 18:00:49 +01:00
coolneng	b8ae40febd	Format nix files using new formatter	2024-12-11 22:14:07 +01:00
coolneng	0d3da95ae2	Remove redundant options from networking module	2024-12-11 22:13:13 +01:00
coolneng	52a1cbd382	Lower CPU and RAM limits of the upgrade service	2024-12-11 22:12:43 +01:00
				`@@ -1 +0,0 @@`
				`((nil . ((ssh-deploy-root-remote . "/ssh:zion:/home/coolneng/system"))))`