Migrate to Determinate Nix

flake.lock: Update
Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02) → 'github:NixOS/nixpkgs/c97c47f2bac4fa59e2cbdeba289686ae615f8ed4?narHash=sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA%3D' (2025-12-04)
2025-12-06 05:18:46 +01:00 · 2025-12-05 23:51:49 +01:00 · 2025-12-04 17:31:29 +01:00 · 2025-12-04 17:21:24 +01:00 · 2025-12-01 09:26:14 +01:00 · 2025-12-01 09:25:15 +01:00
27 changed files with 403 additions and 387 deletions
--- a/.dir-locals.el
+++ b/.dir-locals.el
@@ -1 +0,0 @@
-((nil . ((ssh-deploy-root-remote . "/ssh:zion:/home/coolneng/system"))))
--- a/2
+++ b/2
@@ -1,7 +1,7 @@
 DIR=$(HOME)/Projects/zion

 switch:
-	nixos-rebuild switch --fast --target-host root@zion \
+	nixos-rebuild switch --no-reexec --target-host root@zion \
 	--build-host root@zion --flake path://$(DIR)#zion

 .DEFAULT_GOAL := switch
--- a/configuration.nix
+++ b/configuration.nix
@@ -30,7 +30,7 @@ with pkgs;
  boot.loader = {
    efi.canTouchEfiVariables = true;
    systemd-boot = {
-      enable = false;
+      enable = true;
      configurationLimit = 50;
      editor = false;
    };
@@ -99,6 +99,8 @@ with pkgs;
        "root"
        "coolneng"
      ];
+      lazy-trees = true;
+      eval-cores = 2;
    };
    gc = {
      automatic = true;
@@ -160,7 +162,6 @@ with pkgs;
      owner = "gitea";
      group = "gitea";
    };
-    secrets.ddclient.file = secrets/ddclient.age;
    secrets.miniflux = {
      file = secrets/miniflux.age;
      owner = "miniflux";
@@ -184,8 +185,6 @@ with pkgs;
    };
    secrets.telegram = {
      file = secrets/telegram.age;
-      owner = "matrix-as-telegram";
-      group = "matrix-as-telegram";
    };
    secrets.mqtt-sender = {
      file = secrets/mqtt-sender.age;
@@ -199,28 +198,56 @@ with pkgs;
    };
    secrets.facebook = {
      file = secrets/facebook.age;
-      owner = "matrix-as-facebook";
-      group = "matrix-as-facebook";
    };
    secrets.signal = {
      file = secrets/signal.age;
-      owner = "matrix-as-signal";
-      group = "matrix-as-signal";
    };
-    secrets.acme = {
-      file = secrets/acme.age;
+    secrets.inadyn-duckdns = {
+      file = secrets/inadyn-duckdns.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun = {
+      file = secrets/inadyn-porkbun.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun-secret = {
+      file = secrets/inadyn-porkbun-secret.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.acme-duckdns = {
+      file = secrets/acme-duckdns.age;
      owner = "acme";
      group = "nginx";
    };
+    secrets.acme-porkbun = {
+      file = secrets/acme-porkbun.age;
+      owner = "acme";
+      group = "nginx";
+    };
+    secrets.microbin = {
+      file = secrets/microbin.age;
+      owner = "63026";
+      group = "63026";
+    };
+    secrets.readeck = {
+      file = secrets/readeck.age;
+      owner = "63026";
+      group = "63026";
+    };
    identityPaths = [ "/etc/ssh/id_ed25519" ];
  };

  # Auto-upgrade the system
  system.autoUpgrade = {
    enable = true;
+    allowReboot = true;
    flake = "/home/coolneng/system";
    flags = [
-      "--update-input agenix --update-input nixpkgs"
+      "--update-input"
+      "nixpkgs"
      "--commit-lock-file"
    ];
  };
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1723293904,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "lastModified": 1762618334,
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
        "type": "github"
      },
      "original": {
@@ -23,39 +23,6 @@
        "type": "github"
      }
    },
-    "crane": {
-      "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ],
-        "rust-overlay": [
-          "lanzaboote",
-          "rust-overlay"
-        ]
-      },
-      "locked": {
-        "lastModified": 1681177078,
-        "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
-        "owner": "ipetkov",
-        "repo": "crane",
-        "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ipetkov",
-        "repo": "crane",
-        "type": "github"
-      }
-    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@@ -64,11 +31,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
        "type": "github"
      },
      "original": {
@@ -78,6 +45,63 @@
        "type": "github"
      }
    },
+    "determinate": {
+      "inputs": {
+        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
+        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
+        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
+        "nix": "nix",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1763536872,
+        "narHash": "sha256-QCYGGghBya+qsY59f1zzgYzxEzz+N9S7YRkVWDIDbgo=",
+        "rev": "f4e598cbb10021c93f73dd4c0cf01ec791ea53f9",
+        "revCount": 315,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.13.2/019a9b01-c0c6-7e1c-959e-98ac5b7675de/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
+      }
+    },
+    "determinate-nixd-aarch64-darwin": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-g1r0dPwlUi1h96c4BuHzv9M2lWDqRy9bPDW9tRSq35I=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/macOS"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/macOS"
+      }
+    },
+    "determinate-nixd-aarch64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-xn324irXG/EpUdUfUGFrlJNg23JN2cVArd5LsFPjGKc=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/aarch64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/aarch64-linux"
+      }
+    },
+    "determinate-nixd-x86_64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-VPM5FOGwEjl56b7Edvg3sduvauPHCyXZ11fN9hcUdTU=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/x86_64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.13.2/x86_64-linux"
+      }
+    },
    "devshell": {
      "locked": {
        "lastModified": 1642188268,
@@ -96,11 +120,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@@ -128,62 +152,48 @@
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
-          "lanzaboote",
+          "determinate",
+          "nix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1680392223,
-        "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
-        "type": "github"
+        "lastModified": 1748821116,
+        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+        "revCount": 377,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
      },
      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
      }
    },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems_2"
-      },
-      "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "gitignore": {
+    "git-hooks-nix": {
      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": [
+          "determinate",
+          "nix"
+        ],
        "nixpkgs": [
-          "lanzaboote",
-          "pre-commit-hooks-nix",
+          "determinate",
+          "nix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
-        "type": "github"
+        "lastModified": 1747372754,
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "revCount": 1026,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
      },
      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
      }
    },
    "home-manager": {
@@ -194,11 +204,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1703113217,
-        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
@@ -207,31 +217,25 @@
        "type": "github"
      }
    },
-    "lanzaboote": {
+    "nix": {
      "inputs": {
-        "crane": "crane",
-        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
-        "rust-overlay": "rust-overlay"
+        "git-hooks-nix": "git-hooks-nix",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-23-11": "nixpkgs-23-11",
+        "nixpkgs-regression": "nixpkgs-regression"
      },
      "locked": {
-        "lastModified": 1682802423,
-        "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
-        "owner": "nix-community",
-        "repo": "lanzaboote",
-        "rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
-        "type": "github"
+        "lastModified": 1763534330,
+        "narHash": "sha256-gTuB2qBdSKCKnZwENTqScs/pPBaZQOv6zZ1KJvV/ohk=",
+        "rev": "be871f9baf5366a220b5f25634eebab6f452a017",
+        "revCount": 23278,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.13.2/019a9af6-3d7b-71bc-bccd-8b18e147ad77/source.tar.gz"
      },
      "original": {
-        "owner": "nix-community",
-        "ref": "v0.3.0",
-        "repo": "lanzaboote",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
      }
    },
    "nix-matrix-appservices": {
@@ -274,11 +278,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1740646007,
-        "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
+        "lastModified": 1764440730,
+        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
+        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
        "type": "github"
      },
      "original": {
@@ -290,114 +294,87 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1740463929,
-        "narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b",
-        "type": "github"
+        "lastModified": 1761597516,
+        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+        "revCount": 811874,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-24.11",
-        "type": "indirect"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
      }
    },
-    "nixpkgs-stable": {
+    "nixpkgs-23-11": {
      "locked": {
-        "lastModified": 1678872516,
-        "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+        "lastModified": 1717159533,
+        "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-22.11",
        "repo": "nixpkgs",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
        "type": "github"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-regression": {
      "locked": {
-        "lastModified": 1729880355,
-        "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=",
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "18536bf04cd71abd345f9579158841376fdd0c5a",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
      }
    },
-    "pre-commit-hooks-nix": {
-      "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
+    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1681413034,
-        "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
+        "lastModified": 1763375004,
+        "narHash": "sha256-e81Xfa7xhRZfqGB4s3xEvrg4p1v+fToM6CIQlXUyaX0=",
+        "rev": "8b6600824693a9c706ef09bd86711ca393703466",
+        "revCount": 897465,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.897465%2Brev-8b6600824693a9c706ef09bd86711ca393703466/019a9577-b407-75dd-b18b-3308def1c215/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1764831616,
+        "narHash": "sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c97c47f2bac4fa59e2cbdeba289686ae615f8ed4",
        "type": "github"
      },
      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
-        "lanzaboote": "lanzaboote",
+        "determinate": "determinate",
        "nix-matrix-appservices": "nix-matrix-appservices",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
-      }
-    },
-    "rust-overlay": {
-      "inputs": {
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1682129965,
-        "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "2c417c0460b788328220120c698630947547ee83",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
+        "nixpkgs": "nixpkgs_3"
      }
    },
    "systems": {
@@ -414,21 +391,6 @@
        "repo": "default",
        "type": "github"
      }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -1,9 +1,16 @@
 {
  description = "System configuration for zion";

+  nixConfig = {
+    extra-substituters = "https://install.determinate.systems";
+    extra-trusted-public-keys = ''
+      cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
+    '';
+  };
+
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.11";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -16,22 +23,12 @@
  };

  outputs =
-    {
-      self,
-      nixpkgs,
-      nixpkgs-unstable,
-      agenix,
-      nixos-hardware,
-      nix-matrix-appservices,
-      ...
-    }@inputs:
+    { self, nixpkgs, ... }@inputs:
    let
      system = "x86_64-linux";

      pkgs = import pkgs { inherit system; };

-      pkgs-unstable = import inputs.nixpkgs-unstable { inherit system; };
-
      lib = nixpkgs.lib;

    in
@@ -40,13 +37,12 @@
        inherit system;
        modules = [
          (import ./configuration.nix)
-          agenix.nixosModules.age
-          nix-matrix-appservices.nixosModule
-          nixos-hardware.nixosModules.aoostar-r1-n100
+          inputs.agenix.nixosModules.age
+          inputs.nixos-hardware.nixosModules.aoostar-r1-n100
+          inputs.determinate.nixosModules.default
        ];
        specialArgs = {
          inherit inputs;
-          inherit pkgs-unstable;
        };
      };

--- a/modules/communication.nix
+++ b/modules/communication.nix
@@ -34,11 +34,6 @@ in
      # HACK Inherit postgres connection string for the rest of the DBs
      app_service_api = {
        inherit database;
-        config_files = [
-          "/var/lib/matrix-as-facebook/facebook-registration.yaml"
-          "/var/lib/matrix-as-signal/signal-registration.yaml"
-          "/var/lib/matrix-as-telegram/telegram-registration.yaml"
-        ];
      };
      media_api = {
        inherit database;
@@ -79,47 +74,6 @@ in
    /var/lib/matrix-as-telegram
  ];

-  # Matrix bridges
-  services.matrix-appservices = {
-    homeserver = "dendrite";
-    homeserverDomain = "coolneng.duckdns.org";
-    homeserverURL = "https://matrix.coolneng.duckdns.org";
-    services = {
-      telegram = {
-        port = 8118;
-        format = "mautrix-python";
-        package = mautrix-telegram;
-        serviceConfig.EnvironmentFile = config.age.secrets.telegram.path;
-        settings = {
-          appservice.database = "$DB_STRING";
-          homeserver.software = "standard";
-          telegram = {
-            api_id = "$API_ID";
-            api_hash = "$API_HASH";
-          };
-          bridge = {
-            permissions."@coolneng:coolneng.duckdns.org" = "admin";
-            backfill.normal_groups = true;
-          };
-        };
-      };
-      facebook = {
-        port = 8228;
-        format = "mautrix-python";
-        package = mautrix-meta;
-        serviceConfig.EnvironmentFile = config.age.secrets.facebook.path;
-        settings = {
-          appservice.database = "$DB_STRING";
-          homeserver.software = "standard";
-          bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
-        };
-      };
-    };
-  };
-
-  # Enable voice messages for facebook
-  systemd.services.matrix-as-facebook.path = [ ffmpeg ];
-
  # MQTT configuration
  services.mosquitto = {
    enable = true;
--- a/modules/containers.nix
+++ b/modules/containers.nix
@@ -38,6 +38,12 @@
          ports = [ "127.0.0.1:9641:9641" ];
          volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
        };
+        # Podcast synchronization
+        opodsync = {
+          image = "ganeshlab/opodsync@sha256:32626b732fe38687a5dfd703d515136e413c4b16f286b38656718ad03f0d94c1";
+          ports = [ "127.0.0.1:9090:8080" ];
+          volumes = [ "/vault/opodsync:/var/www/server/data" ];
+        };
      };
    };
  };
--- a/modules/devops.nix
+++ b/modules/devops.nix
@@ -21,11 +21,10 @@
    settings = {
      server = {
        DISABLE_SSH = true;
-        DOMAIN = "git.coolneng.duckdns.org";
-        ROOT_URL = "https://git.coolneng.duckdns.org";
+        DOMAIN = "git.psydnd.org";
+        ROOT_URL = "https://git.psydnd.org";
      };
      service.DISABLE_REGISTRATION = true;
-      ui.DEFAULT_THEME = "arc-green";
      session.COOKIE_SECURE = true;
      actions.ENABLED = true;
    };
--- a/modules/information.nix
+++ b/modules/information.nix
@@ -10,29 +10,35 @@
  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.age.secrets.miniflux.path;
-    config = {
-      BASE_URL = "https://rss.coolneng.duckdns.org";
-      DISABLE_HSTS = 1;
-    };
  };

-  # Php-fpm pool for Wallabag
-  services.phpfpm.pools.wallabag = {
-    user = "nginx";
-    group = "nginx";
+  # Microbin configuration
+  services.microbin = {
+    enable = true;
+    passwordFile = config.age.secrets.microbin.path;
    settings = {
-      "listen.owner" = config.services.nginx.user;
-      "listen.group" = config.services.nginx.group;
-      "listen.mode" = 600;
-      "pm" = "ondemand";
-      "pm.max_children " = 4;
-      "pm.max_requests" = 32;
-      "env[WALLABAG_DATA]" = config.environment.variables.WALLABAG_DATA;
+      MICROBIN_PORT = 9091;
+      MICROBIN_PUBLIC_PATH = "https://bin.psydnd.org";
+      MICROBIN_QR = true;
+      MICROBIN_WIDE = true;
    };
-    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
  };

-  # Set environment variable pointing to wallabag configuration directory
-  environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
+  # Readeck configuration
+  services.readeck = {
+    enable = true;
+    settings = {
+      server = {
+        host = "127.0.0.1";
+        port = 9092;
+        allowed_hosts = [ "read.psydnd.org" ];
+        trusted_proxies = [ "127.0.0.1" ];
+        environmentFile = config.age.secrets.readeck.path;
+      };
+    };
+  };
+
+  # NOTE Load credentials using environment variables
+  systemd.services.readeck.serviceConfig.EnvironmentFile = config.age.secrets.readeck.path;

 }
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -51,7 +51,8 @@ with pkgs;
  services.prometheus = {
    enable = true;
    port = 9001;
-    retentionTime = "1y";
+    retentionTime = "10y";
+    extraFlags = [ "--web.enable-admin-api" ];
    exporters = {
      node = {
        enable = true;
@@ -70,6 +71,7 @@ with pkgs;
              "localhost:${toString config.services.prometheus.exporters.node.port}"
              "localhost:${toString config.services.prometheus.exporters.postgres.port}"
              "localhost:${toString config.services.prometheus.exporters.smartctl.port}"
+              "localhost:9641" # MQTT2Prometheus
            ];
          }
        ];
@@ -81,7 +83,7 @@ with pkgs;
  services.grafana = {
    enable = true;
    settings.server = {
-      domain = "grafana.coolneng.duckdns.org";
+      domain = "grafana.psydnd.org";
      http_port = 9009;
      http_addr = "127.0.0.1";
    };
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -24,23 +24,38 @@ in
  systemd.network.networks."24-home" = {
    name = "enp2s0";
    matchConfig.Name = "enp2s0";
-    address = [ "192.168.129.2/23" ];
+    address = [ "192.168.128.2/23" ];
    gateway = [ "192.168.128.1" ];
    dns = [
-      "1.1.1.1"
-      "9.9.9.9"
+      "127.0.0.1"
+      "::1"
    ];
    networkConfig.DNSSEC = "no";
  };

  # Dynamic DNS configuration
-  services.ddclient = {
+  services.inadyn = {
    enable = true;
-    quiet = true;
-    interval = "30min";
-    protocol = "duckdns";
-    domains = [ "coolneng.duckdns.org" ];
-    passwordFile = config.age.secrets.ddclient.path;
+    interval = "*:0/30";
+    settings.provider."duckdns" = {
+      hostname = "coolneng.duckdns.org";
+      include = config.age.secrets.inadyn-duckdns.path;
+    };
+  };
+
+  # Dynamic DNS configuration for Porkbun
+  # NOTE Temporary workaround until Inadyn fixes the Porkbun module
+  services.oink = {
+    enable = true;
+    apiKeyFile = config.age.secrets.inadyn-porkbun.path;
+    secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path;
+    settings.interval = 1800;
+    domains = [
+      {
+        domain = "psydnd.org";
+        subdomain = "";
+      }
+    ];
  };

  # Firewall configuration
@@ -56,6 +71,14 @@ in
      wireguard_port # Wireguard
      53 # DNS
    ];
+    extraCommands = ''
+      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
+      ip6tables -t nat -A POSTROUTING -s fd00::0/128 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
+    '';
  };

  # Wireguard setup
@@ -71,17 +94,19 @@ in
    wireguardPeers = [
      # panacea
      {
-        wireguardPeerConfig = {
        PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
-          AllowedIPs = [ "10.8.0.2/32" ];
-        };
+        AllowedIPs = [
+          "10.8.0.2/32"
+          "fd00::2/128"
+        ];
      }
      # caravanserai
      {
-        wireguardPeerConfig = {
        PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
-          AllowedIPs = [ "10.8.0.3/32" ];
-        };
+        AllowedIPs = [
+          "10.8.0.3/32"
+          "fd00::3/128"
+        ];
      }
    ];
  };
@@ -89,11 +114,25 @@ in
  systemd.network.networks."wg0" = {
    matchConfig.Name = "wg0";
    networkConfig = {
-      Address = "10.8.0.1/24";
+      Address = [
+        "10.8.0.1/24"
+        "fd00::1/128"
+      ];
      IPv4Forwarding = true;
+      IPv6Forwarding = true;
    };
  };

+  # Disable systemd-resolved DNS stub
+  services.resolved = {
+    enable = true;
+    llmnr = "false";
+    extraConfig = ''
+      MulticastDNS=yes
+      DNSStubListener=no
+    '';
+  };
+
  # DNS server with ad-block
  services.dnsmasq = {
    enable = true;
@@ -104,8 +143,10 @@ in

      listen-address = [
        "127.0.0.1"
-        "192.168.129.2"
+        "192.168.128.2"
        "10.8.0.1"
+        "::1"
+        "fd00::1"
      ];
      bind-interfaces = true;
      server = [ "127.0.0.1#43" ];
@@ -115,17 +156,18 @@ in

      conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf";
      dnssec = false;
-
-      address = "/coolneng.duckdns.org/192.168.129.2";
    };
  };

  # Encrypted DNS
-  services.dnscrypt-proxy2 = {
+  services.dnscrypt-proxy = {
    enable = true;
    upstreamDefaults = true;
    settings = {
-      listen_addresses = [ "127.0.0.1:43" ];
+      listen_addresses = [
+        "127.0.0.1:43"
+        "[::1]:43"
+      ];
      sources.public-resolvers = {
        urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -11,7 +11,7 @@
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
-    recommendedZstdSettings = true;
+    recommendedBrotliSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    clientMaxBodySize = "0";
@@ -34,15 +34,12 @@
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
    virtualHosts = {
+      # Old domain being redirected
      "coolneng.duckdns.org" = {
        useACMEHost = "coolneng.duckdns.org";
        forceSSL = true;
-        # Redirect from legacy subdirectory URL to subdomain
        locations = {
-          "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
-          "/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
-          "/gitea/".extraConfig = "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
-          "/miniflux/".extraConfig = "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
+          "/".return = "301 https://psydnd.org$request_uri";
          # Delegation for Matrix
          "/.well-known/" = {
            alias = "${../well-known}" + "/";
@@ -54,9 +51,20 @@
          };
        };
      };
-      "radicale.coolneng.duckdns.org" = {
+      # Redirect subdomains
+      "~^(?<subdomain>.+)\.coolneng\.duckdns\.org$" = {
        useACMEHost = "coolneng.duckdns.org";
        forceSSL = true;
+        locations."/".return = "301 https://$subdomain.psydnd.org$request_uri";
+      };
+      # Current domain
+      "psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+      };
+      "radicale.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:5232/";
          extraConfig = ''
@@ -65,30 +73,30 @@
          '';
        };
      };
-      "sync.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "sync.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:8384/";
      };
-      "git.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "git.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:3000/";
          extraConfig = ''
            ${config.services.nginx.commonHttpConfig}
            # Disable embedding as a frame, except from the same origin
-            add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";
+            add_header Content-Security-Policy "frame-src git.psydnd.org; frame-ancestors git.psydnd.org";
          '';
        };
      };
-      "rss.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "rss.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:8080/";
      };
-      "matrix.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "matrix.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        listen = [
          # IPv4
@@ -116,39 +124,18 @@
        ];
        locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008";
      };
-      "element.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "element.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/".root = pkgs.element-web.override {
          conf.default_server_config = {
-            "m.homeserver"."base_url" = "https://matrix.coolneng.duckdns.org";
+            "m.homeserver"."base_url" = "https://matrix.psydnd.org";
            "m.identity_server"."base_url" = "https://vector.im";
          };
        };
      };
-      "wallabag.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
-        forceSSL = true;
-        root = "${pkgs.wallabag}/web";
-        locations = {
-          "/".tryFiles = "$uri /app.php$is_args$args";
-          "/assets".root = "${config.environment.variables.WALLABAG_DATA}/web";
-          "~ ^/app.php(/|$)" = {
-            fastcgiParams = {
-              SCRIPT_FILENAME = "${pkgs.wallabag}/web/$fastcgi_script_name";
-              DOCUMENT_ROOT = "${pkgs.wallabag}/web";
-            };
-            extraConfig = ''
-              fastcgi_pass unix:${config.services.phpfpm.pools.wallabag.socket};
-              fastcgi_split_path_info ^(.+\.php)(/.*)$;
-              include ${pkgs.nginx}/conf/fastcgi_params;
-              internal;
-            '';
-          };
-        };
-      };
-      "books.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "books.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:9000/";
@@ -159,14 +146,29 @@
          '';
        };
      };
-      "grafana.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "grafana.psydnd.org" = {
+        useACMEHost = "psydnd.org";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:9009/";
          proxyWebsockets = true;
        };
      };
+      "podcast.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9090/";
+      };
+      "bin.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9091/";
+      };
+      "read.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9092/";
+      };
    };
  };

@@ -177,23 +179,32 @@
      email = "akasroua@disroot.org";
      group = "nginx";
    };
-    certs."coolneng.duckdns.org" = {
+    certs = {
+      "coolneng.duckdns.org" = {
        domain = "*.coolneng.duckdns.org";
        dnsProvider = "duckdns";
-      environmentFile = config.age.secrets.acme.path;
+        environmentFile = config.age.secrets.acme-duckdns.path;
+      };
+      "psydnd.org" = {
+        domain = "psydnd.org";
+        extraDomainNames = [ "*.psydnd.org" ];
+        dnsProvider = "porkbun";
+        environmentFile = config.age.secrets.acme-porkbun.path;
+      };
    };
  };

  # Generate dhparams
  security.dhparams = {
    enable = true;
-    params.nginx.bits = 2048;
+    defaultBitSize = 4096;
+    params.nginx.bits = 4096;
  };

  # PostgreSQL databases configuration
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_16;
    authentication = lib.mkForce ''
      # Generated file; do not edit!
      # TYPE  DATABASE        USER            ADDRESS                 METHOD
@@ -214,10 +225,9 @@
    "miniflux.service"
    "radicale.service"
    "dendrite.service"
-    "phpfpm-wallabag.service"
-    "systemd-tmpfiles-setup.service"
+    "grafana.service"
    "podman-openbooks.service"
    "podman-mqtt2prometheus.service"
-    "podman-nightscout.service"
+    "podman-opodsync.service"
  ];
 }
--- a/scripts/motd.sh
+++ b/scripts/motd.sh
@@ -23,13 +23,8 @@ services=(
 	"syncthing.service"
 	"radicale.service"
 	"miniflux.service"
-	"phpfpm-wallabag.service"
 	"gitea.service"
 	"dendrite.service"
-	"matrix-as-telegram.service"
-	"matrix-as-facebook.service"
-	"matrix-as-signal.service"
-	"signald.service"
 	"nginx.service"
 	"dnsmasq.service"
 	"podman-openbooks.service"
--- a/secrets/acme-duckdns.age
+++ b/secrets/acme-duckdns.age
--- a/secrets/acme-porkbun.age
+++ b/secrets/acme-porkbun.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg 7JImhL2Wo/eJEwUGP+NhEf36yq5gHO9q1GYhY2HaMAY
+eAMhD0sqHQS+aayBpOsY8+081i72QAhJCFbBe0//uwU
+--- 4K8cXsDuWZrmWNJ+rz166ej9o/gLFc7CfJuzAsG0BxA
+|.<2E><><EFBFBD>	f<><66>f<EFBFBD>=<1D>-<2D>X$P<>:
--- a/secrets/acme.age
+++ b/secrets/acme.age
--- a/secrets/ddclient.age
+++ b/secrets/ddclient.age
@@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY
-jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw
-> vH/-grease []_Tx" cZfV JHS /x/
-SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE
--- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k
-<EFBFBD>iy<13>݌1k{<7B><>OJ3<1F>H<EFBFBD>N<><4E><11><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>%y<><1D><><0C><>JA<4A>8<EFBFBD><38>
-'<27>N<EFBFBD><4E>%<25><><EFBFBD><EFBFBD><EFBFBD>L@<12>6	&<26><>
--- a/secrets/inadyn-duckdns.age
+++ b/secrets/inadyn-duckdns.age
@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg XMrsd1RQcDq/SpFtqpB4Gj1keCvJsMB+VA58qZirYA4
+tf8NQzoEYJXlKBjtX4ZplaPQv51RCW9yHulvKZB8c8g
+--- 5wZntAZCQ4pGYrgDFd63w6Y+Taaatcw5z0tDSvShi30
+<EFBFBD><EFBFBD>4<EFBFBD><EFBFBD><EFBFBD>Ɖq3<EFBFBD>&
+><0E>4<EFBFBD><34>J<EFBFBD>?<3F><0F><>QW<51>jZ<:'<<16>x(<28>Y<16>i<EFBFBD>ZDO#<23>w<7F><77>R<EFBFBD><52><EFBFBD>O@2<>cAj	(f<><66><EFBFBD><EFBFBD>M<EFBFBD><4D><EFBFBD>
--- a/secrets/inadyn-porkbun-secret.age
+++ b/secrets/inadyn-porkbun-secret.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
+MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
+--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
+<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29><0B><>%fc<66><63>XZչ 7+yB
--- a/secrets/inadyn-porkbun.age
+++ b/secrets/inadyn-porkbun.age
--- a/secrets/microbin.age
+++ b/secrets/microbin.age
--- a/secrets/readeck.age
+++ b/secrets/readeck.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,7 +6,6 @@ in
  "syncthing.age".publicKeys = [ zion ];
  "msmtp.age".publicKeys = [ zion ];
  "gitea.age".publicKeys = [ zion ];
-  "ddclient.age".publicKeys = [ zion ];
  "miniflux.age".publicKeys = [ zion ];
  "git.age".publicKeys = [ zion ];
  "dendrite.age".publicKeys = [ zion ];
@@ -16,5 +15,11 @@ in
  "mqtt-receiver.age".publicKeys = [ zion ];
  "facebook.age".publicKeys = [ zion ];
  "signal.age".publicKeys = [ zion ];
-  "acme.age".publicKeys = [ zion ];
+  "inadyn-duckdns.age".publicKeys = [ zion ];
+  "inadyn-porkbun.age".publicKeys = [ zion ];
+  "inadyn-porkbun-secret.age".publicKeys = [ zion ];
+  "acme-duckdns.age".publicKeys = [ zion ];
+  "acme-porkbun.age".publicKeys = [ zion ];
+  "microbin.age".publicKeys = [ zion ];
+  "readeck.age".publicKeys = [ zion ];
 }
--- a/secrets/wallabag-postgres.age
+++ b/secrets/wallabag-postgres.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg zWm4+j3/IRqd3uZqGzXVcHvs+urNrvDMOceWKbpl018
+HlIKCFYt7n3iKZav5i0YiB4awRMJML0XUowX8sKKH2c
+--- ysvYVxgK1OeqCk8KdNF+uWsaQ9EzVRku7nw37aUAW3A
+c<EFBFBD><EFBFBD>b<EFBFBD>W|bU<62>B"<22><04>Ե<EFBFBD><D4B5><EFBFBD><EFBFBD><EFBFBD><03><>U<EFBFBD>
--- a/secrets/wallabag.age
+++ b/secrets/wallabag.age
--- a/well-known/matrix/client
+++ b/well-known/matrix/client
@@ -1,5 +1,5 @@
 {
    "m.homeserver": {
-        "base_url": "https://matrix.coolneng.duckdns.org"
+        "base_url": "https://matrix.psydnd.org"
    }
 }
--- a/well-known/matrix/server
+++ b/well-known/matrix/server
@@ -1 +1 @@
-{ "m.server": "matrix.coolneng.duckdns.org:443" }
+{ "m.server": "matrix.psydnd.org:443" }
Author	SHA1	Message	Date
coolneng	3e577066c1	Migrate to Determinate Nix	2025-12-06 05:18:46 +01:00
coolneng	3f10536deb	flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02) → 'github:NixOS/nixpkgs/c97c47f2bac4fa59e2cbdeba289686ae615f8ed4?narHash=sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA%3D' (2025-12-04)	2025-12-05 23:51:49 +01:00
coolneng	25e995dfb3	Adapt dnscrypt-proxy config to upstream changes	2025-12-04 17:31:29 +01:00
coolneng	f2faa9047b	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/9edb1787864c4f59ae5074ad498b6272b3ec308d?narHash=sha256-NA/FT2hVhKDftbHSwVnoRTFhes62%2B7dxZbxj5Gxvghs%3D' (2025-08-05) → 'github:ryantm/agenix/fcdea223397448d35d9b31f798479227e80183f6?narHash=sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L%2BVSybPfiIgzU8lbQ%3D' (2025-11-08) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/a65b650d6981e23edd1afa1f01eb942f19cdcbb7?narHash=sha256-9bHzrVbjAudbO8q4vYFBWlEkDam31fsz0J7GB8k4AsI%3D' (2025-08-26) → 'github:NixOS/nixos-hardware/9154f4569b6cdfd3c595851a6ba51bfaa472d9f3?narHash=sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x%2B6XUJ4YdFRjtO4%3D' (2025-11-29) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f?narHash=sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD%2B/cTUzzgVFoaHrkqY%3D' (2025-11-30) → 'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25) → 'github:NixOS/nixpkgs/418468ac9527e799809c900eda37cbff999199b6?narHash=sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y%3D' (2025-12-02)	2025-12-04 17:21:24 +01:00
coolneng	22fc403563	Use Brotli instead of ZSTD for Nginx	2025-12-01 09:26:14 +01:00
coolneng	d5e11e4909	Remove redundant secret injection for oink	2025-12-01 09:25:15 +01:00
coolneng	bcc764dd50	Upgrade to NixOS 25.11	2025-12-01 09:24:18 +01:00
coolneng	4e317cfd81	Specify auto upgrade flags correctly	2025-11-23 17:12:55 +01:00
coolneng	2ad5372267	Use inputs attribute to import modules	2025-11-23 17:03:54 +01:00
coolneng	6e93e251d6	Use correct Flake URL scheme for Auto Upgrade	2025-08-29 01:01:24 +02:00
coolneng	770ecc6c02	Adapt Makefile to new CLI flags of nixos-rebuild	2025-08-27 08:16:38 +02:00
coolneng	86fb493a80	Disable systemd-resolved DNS stub causing conflict	2025-08-27 08:12:57 +02:00
coolneng	3057f13858	Reboot after Auto Upgrade if necessary	2025-08-27 06:20:52 +02:00
coolneng	155c4f3525	Use Git repository as Flake URL for Auto Upgrade	2025-08-27 06:17:48 +02:00
coolneng	3abfa5cb84	Remove Matrix bridges users	2025-08-27 06:14:36 +02:00
coolneng	5d1b075adb	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/e600439ec4c273cf11e06fe4d9d906fb98fa097c?narHash=sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA%3D' (2025-01-15) → 'github:ryantm/agenix/9edb1787864c4f59ae5074ad498b6272b3ec308d?narHash=sha256-NA/FT2hVhKDftbHSwVnoRTFhes62%2B7dxZbxj5Gxvghs%3D' (2025-08-05) • Updated input 'agenix/darwin': 'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d?narHash=sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0%3D' (2023-11-24) → 'github:lnl7/nix-darwin/43975d782b418ebf4969e9ccba82466728c2851b?narHash=sha256-dyN%2BteG9G82G%2Bm%2BPX/aSAagkC%2BvUv0SgUw3XkPhQodQ%3D' (2025-04-12) • Updated input 'agenix/home-manager': 'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1?narHash=sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE%3D' (2023-12-20) → 'github:nix-community/home-manager/abfad3d2958c9e6300a883bd443512c55dfeb1be?narHash=sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs%3D' (2025-04-24) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/009b764ac98a3602d41fc68072eeec5d24fc0e49?narHash=sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE%3D' (2025-02-27) → 'github:NixOS/nixos-hardware/a65b650d6981e23edd1afa1f01eb942f19cdcbb7?narHash=sha256-9bHzrVbjAudbO8q4vYFBWlEkDam31fsz0J7GB8k4AsI%3D' (2025-08-26) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346?narHash=sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY%3D' (2025-05-31) → 'github:NixOS/nixpkgs/b1b3291469652d5a2edb0becc4ef0246fff97a7c?narHash=sha256-wY1%2B2JPH0ZZC4BQefoZw/k%2B3%2BDowFyfOxv17CN/idKs%3D' (2025-08-23) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/18536bf04cd71abd345f9579158841376fdd0c5a?narHash=sha256-RP%2BOQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM%3D' (2024-10-25) → 'github:NixOS/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25)	2025-08-27 03:05:54 +02:00
coolneng	6a3fbf2d80	Migrate from Wallabag to Readeck	2025-06-02 17:14:44 +02:00
coolneng	9a35cefd62	Set Wallabag container version to 2.5.4	2025-06-02 15:47:03 +02:00
coolneng	0fa3b9de30	Enable Prometheus admin API	2025-06-02 12:34:46 +02:00
coolneng	4e56c58d7a	Increase retention time of Prometheus metrics	2025-06-02 12:34:32 +02:00
coolneng	f9a04a4492	Use systemd-boot as a temporary workaround	2025-06-02 12:22:12 +02:00
coolneng	b2c983ee22	Upgrade to NixOS 25.05	2025-06-02 12:19:43 +02:00
coolneng	28399165fc	Set up Microbin	2025-04-29 14:33:08 +02:00
coolneng	42df5964f1	Migrate Wallabag to container deployment	2025-04-28 17:06:22 +02:00
coolneng	90b38fcf08	Listen to MQTT gateway in Prometheus	2025-04-23 17:19:49 +02:00
coolneng	f4ba4e8a89	Update services that require nginx	2025-04-14 19:23:12 +02:00
coolneng	156d8b04e5	Route IPv6 via Wireguard	2025-04-14 19:22:26 +02:00
coolneng	ef69519de7	Increase Diffie-Hellman key size	2025-04-14 17:18:43 +02:00
coolneng	e4175767a3	Remove unstable package definition	2025-04-08 03:13:01 +02:00
coolneng	0127dbc975	Set up Opodsync	2025-04-08 03:08:46 +02:00
coolneng	848d652ac7	Redirect all URLs to new domain	2025-04-08 02:58:03 +02:00
coolneng	40838848c3	Replace ddclient with Inadyn	2025-04-07 14:28:00 +02:00
coolneng	e82ab26d23	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41?narHash=sha256-b%2Buqzj%2BWa6xgMS9aNbX4I%2BsXeb5biPDi39VgvSFqFvU%3D' (2024-08-10) → 'github:ryantm/agenix/e600439ec4c273cf11e06fe4d9d906fb98fa097c?narHash=sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA%3D' (2025-01-15) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b?narHash=sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc%3D' (2025-02-25) → 'github:NixOS/nixpkgs/7819a0d29d1dd2bc331bec4b327f0776359b1fa6?narHash=sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p%2BjElwxaM%3D' (2025-04-05)	2025-04-07 04:40:23 +02:00
coolneng	31d582bc9a	Adapt Wireguard config to upstream changes	2025-03-28 16:44:40 +01:00
coolneng	a5f9244996	Change location of the system configuration	2025-03-21 20:27:39 +01:00
coolneng	68d7c22549	Switch to the operator LAN subnet	2025-03-04 17:51:30 +01:00
coolneng	acf5a23ed5	Remove SSH upload configuration file	2025-03-04 17:50:54 +01:00
coolneng	e3e91bc934	Set flake path to canonical Syncthing folder	2025-03-03 11:19:49 +01:00
coolneng	28a2e71b65	Remove deleted Gitea theme from configuration	2025-02-28 06:09:08 +01:00
coolneng	a23c52cdf3	Upgrade to PostgreSQL 16	2025-02-28 06:08:45 +01:00
coolneng	78f3761754	Remove broken Matrix bridges module	2025-02-28 06:08:24 +01:00
				`@@ -1 +0,0 @@`
				`((nil . ((ssh-deploy-root-remote . "/ssh:zion:/home/coolneng/system"))))`