Set up PiGallery2

Flake lock file updates:

• Updated input 'determinate':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.13.2/019a9b01-c0c6-7e1c-959e-98ac5b7675de/source.tar.gz' (2025-11-19)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz' (2025-12-19)
• Updated input 'determinate/determinate-nixd-aarch64-darwin':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/macOS'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS'
• Updated input 'determinate/determinate-nixd-aarch64-linux':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/aarch64-linux'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux'
• Updated input 'determinate/determinate-nixd-x86_64-linux':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/x86_64-linux'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux'
• Updated input 'determinate/nix':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.13.2/019a9af6-3d7b-71bc-bccd-8b18e147ad77/source.tar.gz' (2025-11-19)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz' (2025-12-19)
• Updated input 'determinate/nixpkgs':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.897465%2Brev-8b6600824693a9c706ef09bd86711ca393703466/019a9577-b407-75dd-b18b-3308def1c215/source.tar.gz' (2025-11-17)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz' (2025-12-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/c97c47f' (2025-12-04)
  → 'github:NixOS/nixpkgs/b3aad46' (2025-12-20)

.dir-locals.el

@@ -1 +0,0 @@
-((nil . ((ssh-deploy-root-remote . "/ssh:zion:/home/coolneng/system"))))

Makefile

@@ -1,7 +1,7 @@
 DIR=$(HOME)/Projects/zion
 
 switch:
-	nixos-rebuild switch --fast --target-host root@zion \
+	nixos-rebuild switch --no-reexec --target-host root@zion \
 	--build-host root@zion --flake path://$(DIR)#zion
 
 .DEFAULT_GOAL := switch

configuration.nix

@@ -1,15 +1,49 @@
-{ config, inputs, pkgs, lib, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
 
 with pkgs;
 
 {
+  # Kernel configuration
+  boot = {
+    blacklistedKernelModules = [
+      "btusb"
+      "bluetooth"
+    ];
+    kernelParams = [
+      "zfs.zfs_arc_max=8589934592"
+      "zfs.zfs_arc_min=1073741824"
+    ];
+    supportedFilesystems = [ "zfs" ];
+    zfs = {
+      requestEncryptionCredentials = false;
+      extraPools = [ "vault" ];
+    };
+  };
+
+  # Secure boot using lanzaboote
+  boot.loader = {
+    efi.canTouchEfiVariables = true;
+    systemd-boot = {
+      enable = true;
+      configurationLimit = 50;
+      editor = false;
+    };
+    timeout = 3;
+  };
+
   # Declare system packages
   environment.systemPackages = [
     libraspberrypi
     htop
     neovim
     git
-    inputs.agenix.packages.aarch64-linux.default
+    inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default
   ];
 
   # Configure basic SSH access
@@ -28,12 +62,15 @@ with pkgs;
   users.users.coolneng = {
     isNormalUser = true;
     home = "/home/coolneng";
-    extraGroups = [ "wheel" "docker" ];
+    extraGroups = [
+      "wheel"
+      "docker"
+    ];
     openssh.authorizedKeys.keys = [
       # panacea
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
       # caravanserai
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBWNtNp+vI2So4vISZX/yQv754ZzXqobFgUP3zk4FY zion"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIX0poiPhFLFh88fhpLFX7n1oCevVRyTxe9ZvGmjPq8n zion"
     ];
     shell = "${fish}/bin/fish";
   };
@@ -48,12 +85,6 @@ with pkgs;
   time.timeZone = "Europe/Brussels";
   services.timesyncd.enable = true;
 
-  # Enable ZFS support
-  boot.supportedFilesystems = [ "zfs" ];
-
-  # Don't import encrypted datasets
-  boot.zfs.requestEncryptionCredentials = false;
-
   # Scrub zpool monthly
   services.zfs.autoScrub = {
     enable = true;
@@ -64,7 +95,12 @@ with pkgs;
   nix = {
     settings = {
       auto-optimise-store = true;
-      experimental-features = [ "nix-command" "flakes" ];
+      trusted-users = [
+        "root"
+        "coolneng"
+      ];
+      lazy-trees = true;
+      eval-cores = 2;
     };
     gc = {
       automatic = true;
@@ -75,20 +111,25 @@ with pkgs;
       keep-outputs = true
       keep-derivations = true
       gc-keep-outputs = true
+      experimental-features = nix-command flakes
     '';
   };
 
   # Use same version of nixpkgs for nix-shell
-  nix.nixPath = let path = toString ./.;
-  in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ];
+  nix.nixPath =
+    let
+      path = toString ./.;
+    in
+    [
+      "nixpkgs=${inputs.nixpkgs}"
+      "nixos-config=${path}/configuration.nix"
+    ];
 
   # Configure fish shell
   programs.fish.enable = true;
   users.users.root = {
     shell = "${fish}/bin/fish";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
-    ];
+    openssh.authorizedKeys.keys = config.users.users.coolneng.openssh.authorizedKeys.keys;
   };
 
   # Keep logs for a month
@@ -105,7 +146,7 @@ with pkgs;
   programs.fish.interactiveShellInit = "${./scripts/motd.sh}";
 
   # NixOS version
-  system.stateVersion = "22.05";
+  system.stateVersion = "24.11";
 
   # Specify secrets
   age = {
@@ -121,7 +162,6 @@ with pkgs;
       owner = "gitea";
       group = "gitea";
     };
-    secrets.ddclient.file = secrets/ddclient.age;
     secrets.miniflux = {
       file = secrets/miniflux.age;
       owner = "miniflux";
@@ -145,8 +185,6 @@ with pkgs;
     };
     secrets.telegram = {
       file = secrets/telegram.age;
-      owner = "matrix-as-telegram";
-      group = "matrix-as-telegram";
     };
     secrets.mqtt-sender = {
       file = secrets/mqtt-sender.age;
@@ -158,20 +196,46 @@ with pkgs;
       owner = "mosquitto";
       group = "mosquitto";
     };
-    secrets.nightscout = {
-      file = secrets/nightscout.age;
-      owner = "coolneng";
-      group = "podman";
-    };
     secrets.facebook = {
       file = secrets/facebook.age;
-      owner = "matrix-as-facebook";
-      group = "matrix-as-facebook";
     };
     secrets.signal = {
       file = secrets/signal.age;
-      owner = "matrix-as-signal";
-      group = "matrix-as-signal";
+    };
+    secrets.inadyn-duckdns = {
+      file = secrets/inadyn-duckdns.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun = {
+      file = secrets/inadyn-porkbun.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun-secret = {
+      file = secrets/inadyn-porkbun-secret.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.acme-duckdns = {
+      file = secrets/acme-duckdns.age;
+      owner = "acme";
+      group = "nginx";
+    };
+    secrets.acme-porkbun = {
+      file = secrets/acme-porkbun.age;
+      owner = "acme";
+      group = "nginx";
+    };
+    secrets.microbin = {
+      file = secrets/microbin.age;
+      owner = "63026";
+      group = "63026";
+    };
+    secrets.readeck = {
+      file = secrets/readeck.age;
+      owner = "63026";
+      group = "63026";
     };
     identityPaths = [ "/etc/ssh/id_ed25519" ];
   };
@@ -179,18 +243,13 @@ with pkgs;
   # Auto-upgrade the system
   system.autoUpgrade = {
     enable = true;
+    allowReboot = true;
     flake = "/home/coolneng/system";
-    flags =
-      [ "--update-input agenix --update-input nixpkgs" "--commit-lock-file" ];
-  };
-
-  # Limit the memory and CPU use of Nix
-  systemd.services.nixos-upgrade.serviceConfig = {
-    MemoryHigh = [ "500M" ];
-    MemoryMax = [ "2048M" ];
-    CPUWeight = [ "20" ];
-    CPUQuota = [ "85%" ];
-    IOWeight = [ "20" ];
+    flags = [
+      "--update-input"
+      "nixpkgs"
+      "--commit-lock-file"
+    ];
   };
 
   # Configure git for auto-upgrade
@@ -218,7 +277,6 @@ with pkgs;
     ./modules/periodic.nix
     ./modules/communication.nix
     ./modules/information.nix
-    ./modules/device.nix
     ./modules/containers.nix
   ];
 

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1712079060,
-        "narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
+        "lastModified": 1762618334,
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "1381a759b205dff7a6818733118d02253340fd5e",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
         "type": "github"
       },
       "original": {
@@ -31,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -45,6 +45,63 @@
         "type": "github"
       }
     },
+    "determinate": {
+      "inputs": {
+        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
+        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
+        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
+        "nix": "nix",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1766177528,
+        "narHash": "sha256-Bl+p766mM7qNCZtMqmTz13RuUbOMKsFa+/vnGYoxgPk=",
+        "rev": "b159c082f0f9bdefa6c386189a13c5fa0734d8d8",
+        "revCount": 317,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
+      }
+    },
+    "determinate-nixd-aarch64-darwin": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-vDaEQ5T4eA7kEPREmm68IVWGR6zT0aDL5slZxA6dkSc=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
+      }
+    },
+    "determinate-nixd-aarch64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-Hf4JsIv5G3IR0Q0RHGLSNdmDzFv97sVQQKwzY6A0vV4=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
+      }
+    },
+    "determinate-nixd-x86_64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-J+J4E02XpEl0ZkpzMbUmGCf6S4yk0gYCYmiGzZ058ik=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
+      }
+    },
     "devshell": {
       "locked": {
         "lastModified": 1642188268,
@@ -61,6 +118,22 @@
       }
     },
     "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
       "flake": false,
       "locked": {
         "lastModified": 1641205782,
@@ -76,6 +149,53 @@
         "type": "github"
       }
     },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748821116,
+        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+        "revCount": 377,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
+      }
+    },
+    "git-hooks-nix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": [
+          "determinate",
+          "nix"
+        ],
+        "nixpkgs": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747372754,
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "revCount": 1026,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -84,11 +204,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703113217,
-        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
         "type": "github"
       },
       "original": {
@@ -97,10 +217,31 @@
         "type": "github"
       }
     },
+    "nix": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "git-hooks-nix": "git-hooks-nix",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-23-11": "nixpkgs-23-11",
+        "nixpkgs-regression": "nixpkgs-regression"
+      },
+      "locked": {
+        "lastModified": 1766174426,
+        "narHash": "sha256-0ZofAQZNgg5nfIKsVb7g4It6ufmIyLtfFRPOf+6WRkk=",
+        "rev": "15d6091194b5b90d292e8d6283db77f09c303b1e",
+        "revCount": 24285,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
+      }
+    },
     "nix-matrix-appservices": {
       "inputs": {
         "devshell": "devshell",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "nixlib": "nixlib",
         "nixpkgs": [
           "nixpkgs"
@@ -137,56 +278,103 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1684899633,
-        "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=",
+        "lastModified": 1764440730,
+        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d",
+        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
+        "ref": "master",
         "repo": "nixos-hardware",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1712588820,
-        "narHash": "sha256-y31s5idk3jMJMAVE4Ud9AdI7HT3CgTAeMTJ0StqKN7Y=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d272ca50d1f7424fbfcd1e6f1c9e01d92f6da167",
-        "type": "github"
+        "lastModified": 1761597516,
+        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+        "revCount": 811874,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
       },
       "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-23.11",
-        "type": "indirect"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
       }
     },
-    "nixpkgs-unstable": {
+    "nixpkgs-23-11": {
       "locked": {
-        "lastModified": 1685931219,
-        "narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=",
+        "lastModified": 1717159533,
+        "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7409480d5c8584a1a83c422530419efe4afb0d19",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+        "type": "github"
+      }
+    },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1765772535,
+        "narHash": "sha256-aq+dQoaPONOSjtFIBnAXseDm9TUhIbe215TPmkfMYww=",
+        "rev": "09b8fda8959d761445f12b55f380d90375a1d6bb",
+        "revCount": 911985,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1766201043,
+        "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "determinate": "determinate",
         "nix-matrix-appservices": "nix-matrix-appservices",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs": "nixpkgs_3"
       }
     },
     "systems": {

flake.nix

@@ -1,43 +1,48 @@
 {
   description = "System configuration for zion";
 
+  nixConfig = {
+    extra-substituters = "https://install.determinate.systems";
+    extra-trusted-public-keys = ''
+      cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
+    '';
+  };
+
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
     agenix = {
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nixos-hardware.url = "github:NixOS/nixos-hardware";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
     nix-matrix-appservices = {
       url = "gitlab:coffeetables/nix-matrix-appservices";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, agenix, nixos-hardware
-    , nix-matrix-appservices, ... }@inputs:
+  outputs =
+    { self, nixpkgs, ... }@inputs:
     let
-      system = "aarch64-linux";
+      system = "x86_64-linux";
 
       pkgs = import pkgs { inherit system; };
 
-      pkgs-unstable = import inputs.nixpkgs-unstable { inherit system; };
-
       lib = nixpkgs.lib;
 
-    in {
+    in
+    {
       nixosConfigurations.zion = lib.nixosSystem {
         inherit system;
         modules = [
           (import ./configuration.nix)
-          agenix.nixosModules.age
-          nixos-hardware.nixosModules.raspberry-pi-4
-          nix-matrix-appservices.nixosModule
+          inputs.agenix.nixosModules.age
+          inputs.nixos-hardware.nixosModules.aoostar-r1-n100
+          inputs.determinate.nixosModules.default
         ];
         specialArgs = {
           inherit inputs;
-          inherit pkgs-unstable;
         };
       };
 

modules/communication.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 with pkgs;
 
@@ -11,7 +16,8 @@ let
     conn_max_lifetime = -1;
   };
 
-in {
+in
+{
   # Matrix server configuration
   services.dendrite = {
     enable = true;
@@ -28,22 +34,32 @@ in {
       # HACK Inherit postgres connection string for the rest of the DBs
       app_service_api = {
         inherit database;
-        config_files = [
-          "/var/lib/matrix-as-facebook/facebook-registration.yaml"
-          "/var/lib/matrix-as-signal/signal-registration.yaml"
-          "/var/lib/matrix-as-telegram/telegram-registration.yaml"
-        ];
       };
-      media_api = { inherit database; };
-      room_server = { inherit database; };
-      push_server = { inherit database; };
+      media_api = {
+        inherit database;
+      };
+      room_server = {
+        inherit database;
+      };
+      push_server = {
+        inherit database;
+      };
       mscs = {
         inherit database;
-        mscs = [ "msc2836" "msc2946" ];
+        mscs = [
+          "msc2836"
+          "msc2946"
+        ];
+      };
+      sync_api = {
+        inherit database;
+      };
+      key_server = {
+        inherit database;
+      };
+      federation_api = {
+        inherit database;
       };
-      sync_api = { inherit database; };
-      key_server = { inherit database; };
-      federation_api = { inherit database; };
       user_api = {
         account_database = database;
         device_database = database;
@@ -58,86 +74,20 @@ in {
     /var/lib/matrix-as-telegram
   ];
 
-  # Matrix bridges
-  services.matrix-appservices = {
-    homeserver = "dendrite";
-    homeserverDomain = "coolneng.duckdns.org";
-    homeserverURL = "https://matrix.coolneng.duckdns.org";
-    services = {
-      telegram = {
-        port = 8118;
-        format = "mautrix-python";
-        package = mautrix-telegram;
-        serviceConfig.EnvironmentFile = config.age.secrets.telegram.path;
-        settings = {
-          appservice.database = "$DB_STRING";
-          homeserver.software = "standard";
-          telegram = {
-            api_id = "$API_ID";
-            api_hash = "$API_HASH";
-          };
-          bridge = {
-            permissions."@coolneng:coolneng.duckdns.org" = "admin";
-            backfill.normal_groups = true;
-          };
-        };
-      };
-      facebook = {
-        port = 8228;
-        format = "mautrix-python";
-        package = mautrix-facebook;
-        serviceConfig.EnvironmentFile = config.age.secrets.facebook.path;
-        settings = {
-          appservice.database = "$DB_STRING";
-          homeserver.software = "standard";
-          bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
-        };
-      };
-      signal = {
-        port = 8338;
-        format = "mautrix-python";
-        package = mautrix-signal;
-        serviceConfig = {
-          EnvironmentFile = config.age.secrets.signal.path;
-          StateDirectory = [ "matrix-as-signal" "signald" ];
-          JoinNamespaceOf = "signald.service";
-          SupplementaryGroups = [ "signald" ];
-        };
-        settings = {
-          appservice.database = "$DB_STRING";
-          homeserver.software = "standard";
-          bridge.permissions."@coolneng:coolneng.duckdns.org" = "admin";
-          signal = {
-            socket_path = config.services.signald.socketPath;
-            outgoing_attachment_dir = "/var/lib/signald/tmp";
-          };
-        };
-      };
-    };
-  };
-
-  # Additional settings for mautrix-signal
-  services.signald = {
-    enable = true;
-    user = "matrix-as-signal";
-  };
-  systemd.services.matrix-as-signal = {
-    requires = [ "signald.service" ];
-    after = [ "signald.service" ];
-    unitConfig.JoinsNamespaceOf = "signald.service";
-    path = [ ffmpeg ];
-  };
-
-  # Enable voice messages for facebook
-  systemd.services.matrix-as-facebook.path = [ ffmpeg ];
-
   # MQTT configuration
   services.mosquitto = {
     enable = true;
     dataDir = "/vault/mosquitto";
-    logType = [ "websockets" "error" "warning" "notice" "information" ];
+    logType = [
+      "websockets"
+      "error"
+      "warning"
+      "notice"
+      "information"
+    ];
     logDest = [ "syslog" ];
-    listeners = [{
+    listeners = [
+      {
         users.homeostasis = {
           acl = [ "write #" ];
           hashedPasswordFile = config.age.secrets.mqtt-sender.path;
@@ -146,7 +96,8 @@ in {
           acl = [ "read #" ];
           hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
         };
-    }];
+      }
+    ];
   };
 
 }

modules/containers.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
   # Podman setup
@@ -15,8 +20,7 @@
       containers = {
         # Openbooks configuration
         openbooks = {
-          image =
-            "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
+          image = "evanbuss/openbooks@sha256:4fa9188885368c2303b7dc527d48b3159aaa7022010e29b3ed96842018793590";
           ports = [ "127.0.0.1:9000:80" ];
           cmd = [
             "--name"
@@ -30,42 +34,35 @@
         };
         # Prometheus MQTT integration
         mqtt2prometheus = {
-          image =
-            "hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf";
+          image = "hikhvar/mqtt2prometheus@sha256:8e166d36feaa5ddcad703eef3a2c5167a154d6eef306a40fe6509861580c0714";
           ports = [ "127.0.0.1:9641:9641" ];
           volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
         };
-        # CGM repository
-        nightscout = {
-          image =
-            "nightscout/cgm-remote-monitor@sha256:ce522a9fe9b1373f576329e48349a622c8a9b6177c93dc2771152df36dd90876";
-          environmentFiles = [ config.age.secrets.nightscout.path ];
-          extraOptions = [ "--pod=cgm-repo" ];
-          dependsOn = [ "mongodb" ];
+        # Podcast synchronization
+        opodsync = {
+          image = "ganeshlab/opodsync@sha256:32626b732fe38687a5dfd703d515136e413c4b16f286b38656718ad03f0d94c1";
+          ports = [ "127.0.0.1:9090:8080" ];
+          volumes = [ "/vault/opodsync:/var/www/server/data" ];
         };
-        # CGM repository database
-        mongodb = {
-          image =
-            "mongo:4.4.9@sha256:0837a92d01bcc8c750a8d692ed4df33f0befd07ef261b23e7d9feda04bacd3eb";
-          volumes = [ "/vault/mongodb:/data/db" ];
-          extraOptions = [ "--pod=cgm-repo" ];
+        # Photo gallery
+        pigallery2 = {
+          image = "bpatrik/pigallery2@sha256:c936e4504cfe7158198542a8db794b24afb0301155d89e911f13bd04e0b406c2";
+          ports = [ "127.0.0.1:9191:80" ];
+          volumes = [
+            "/vault/pigallery2/config:/app/data/config"
+            "/vault/pigallery2/db:/app/data/db"
+            "/vault/pigallery2/tmp:/app/data/tmp"
+            "/vault/syncthing/Photos:/app/data/images"
+          ];
+          cmd = [
+            "-e"
+            "NODE_ENV=production"
+          ];
         };
       };
     };
   };
 
-  # Allow networking between Cgm-Repo and MongoDB
-  systemd.services.create-cgm-repo-pod = {
-    serviceConfig.Type = "oneshot";
-    wantedBy = [ "podman-mongodb.service" ];
-    script = with pkgs; ''
-      ${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337'
-    '';
-  };
-
   # Start services after ZFS mount
-  systemd.services.podman-mongodb.unitConfig.RequiresMountsFor =
-    [ /vault/mongodb ];
-  systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor =
-    [ /vault/mqtt2prometheus ];
+  systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];
 }

modules/datasync.nix

@@ -1,4 +1,10 @@
-{ config, pkgs, lib, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
 
   # Syncthing configuration
   services.syncthing = {
@@ -13,38 +19,48 @@
         progressUpdateIntervalS = -1;
       };
       devices = {
-        panacea.id =
-          "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX";
-        caravanserai.id =
-          "MIRF73R-S7AV47R-VLWZUK2-TFCVQPV-FRYCPND-Y4VR3W2-ZAIQXZD-JAEQCAD";
+        panacea.id = "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX";
+        caravanserai.id = "XQAXYEU-FWLAFZM-GTZYDGH-AIRBEXI-4CZD365-JUBTHDA-GOXXOYV-E5LEYQE";
       };
       folders = {
         Documents = {
           id = "wusdj-bfjkr";
           type = "receiveonly";
           path = "/vault/syncthing/Documents";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Notes = {
           id = "kafhz-bfmzm";
           type = "receiveonly";
           path = "/vault/syncthing/Notes";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Music = {
           id = "2aqt7-vpprc";
           type = "receiveonly";
           path = "/vault/syncthing/Music";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Photos = {
           id = "mjibc-ustcg";
           type = "receiveonly";
           path = "/vault/syncthing/Photos";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Projects = {
@@ -58,28 +74,40 @@
           id = "m2007j20cg_vc7r-photos";
           type = "receiveonly";
           path = "/vault/syncthing/Photos/Phone";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Files = {
           id = "tsk52-u6rbk";
           type = "receiveonly";
           path = "/vault/syncthing/Files";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Phone-screenshots = {
           id = "pp70r-pbr70";
           type = "receiveonly";
           path = "/vault/syncthing/Photos/Phone-screenshots";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
 
         Audio = {
           id = "tarrs-5mxck";
           type = "receiveonly";
           path = "/vault/syncthing/Audio";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
         };
       };
     };
@@ -111,8 +139,7 @@
   };
 
   # Start services after ZFS mount
-  systemd.services.syncthing.unitConfig.RequiresMountsFor =
-    [ /vault/syncthing ];
+  systemd.services.syncthing.unitConfig.RequiresMountsFor = [ /vault/syncthing ];
   systemd.services.radicale.unitConfig.RequiresMountsFor = [ /vault/radicale ];
 
 }

modules/device.nix

@@ -1,36 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with pkgs;
-
-{
-  # A bunch of boot parameters needed for optimal runtime on RPi 4B
-  boot.kernelPackages = linuxPackages_rpi4;
-  boot.kernelParams = [
-    "zfs.zfs_arc_max=134217728"
-    "console=TTYAMA0,115200"
-    "console=tty1"
-    "8250.nr_uarts=1"
-    "iomem=relaxed"
-    "strict-devmem=0"
-  ];
-
-  # Enable SATA-HAT GPIO features
-  boot.loader = {
-    grub.enable = false;
-    generic-extlinux-compatible.enable = lib.mkForce false;
-    raspberryPi = {
-      enable = true;
-      version = 4;
-      firmwareConfig = ''
-        iomem=relaxed
-        strict-devmem=0
-      '';
-    };
-  };
-
-  # Load PWM hardware timers
-  hardware.raspberry-pi."4".pwm0.enable = true;
-
-  # Enable I2C
-  hardware.raspberry-pi."4".i2c1.enable = true;
-}

modules/devops.nix

@@ -1,4 +1,10 @@
-{ config, pkgs, lib, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
   # Set up Gitea with LFS support
   services.gitea = {
     enable = true;
@@ -15,11 +21,10 @@
     settings = {
       server = {
         DISABLE_SSH = true;
-        DOMAIN = "git.coolneng.duckdns.org";
-        ROOT_URL = "https://git.coolneng.duckdns.org";
+        DOMAIN = "git.psydnd.org";
+        ROOT_URL = "https://git.psydnd.org";
       };
       service.DISABLE_REGISTRATION = true;
-      ui.DEFAULT_THEME = "arc-green";
       session.COOKIE_SECURE = true;
       actions.ENABLED = true;
     };

modules/hardware-configuration.nix

@@ -4,135 +4,55 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" = {
-    device = "sysion/root";
+  fileSystems."/" =
+    { device = "sysion/stateful/root";
       fsType = "zfs";
     };
 
-  fileSystems."/nix" = {
-    device = "sysion/root/nix";
+  fileSystems."/nix" =
+    { device = "sysion/ephemeral/nix";
       fsType = "zfs";
     };
 
-  fileSystems."/home" = {
-    device = "sysion/home";
+  fileSystems."/tmp" =
+    { device = "sysion/ephemeral/tmp";
       fsType = "zfs";
     };
 
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/EB8C-3C86";
+  fileSystems."/home/coolneng" =
+    { device = "sysion/stateful/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/C332-4650";
       fsType = "vfat";
-  };
-
-  fileSystems."/var/lib/prometheus2" = {
-    device = "vault/state_directories/prometheus";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/grafana" = {
-    device = "vault/state_directories/grafana";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/gitea" = {
-    device = "vault/state_directories/gitea";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/matrix-as-facebook" = {
-    device = "vault/state_directories/matrix-as-facebook";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/signald" = {
-    device = "vault/state_directories/signald";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/matrix-as-signal" = {
-    device = "vault/state_directories/matrix-as-signal";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault" = {
-    device = "vault";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/matrix-as-telegram" = {
-    device = "vault/state_directories/matrix-as-telegram";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/backups" = {
-    device = "vault/backups";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/mosquitto" = {
-    device = "vault/mosquitto";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/radicale" = {
-    device = "vault/radicale";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/git" = {
-    device = "vault/git";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/syncthing" = {
-    device = "vault/syncthing";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/backups/zion" = {
-    device = "vault/backups/zion";
-    fsType = "zfs";
-  };
-
-  fileSystems."/vault/backups/monolith" = {
-    device = "vault/backups/monolith";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/wallabag" = {
-    device = "vault/state_directories/wallabag";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib/containers/storage/overlay" = {
-    device = "/var/lib/containers/storage/overlay";
-    fsType = "none";
-    options = [ "bind" ];
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices =
-    [{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; }];
+    [ { device = "/dev/disk/by-uuid/d388feef-a651-4dae-8161-f666136de240"; }
+    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true;
-  # networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true;
-  # networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
 
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

modules/information.nix

@@ -1,34 +1,44 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
   # Miniflux configuration
   services.miniflux = {
     enable = true;
     adminCredentialsFile = config.age.secrets.miniflux.path;
-    config = {
-      BASE_URL = "https://rss.coolneng.duckdns.org";
-      RUN_MIGRATIONS = "1";
-      DISABLE_HSTS = "1";
-    };
   };
 
-  # Php-fpm pool for Wallabag
-  services.phpfpm.pools.wallabag = {
-    user = "nginx";
-    group = "nginx";
+  # Microbin configuration
+  services.microbin = {
+    enable = true;
+    passwordFile = config.age.secrets.microbin.path;
     settings = {
-      "listen.owner" = config.services.nginx.user;
-      "listen.group" = config.services.nginx.group;
-      "listen.mode" = 600;
-      "pm" = "ondemand";
-      "pm.max_children " = 4;
-      "pm.max_requests" = 32;
-      "env[WALLABAG_DATA]" = "/var/lib/wallabag";
+      MICROBIN_PORT = 9091;
+      MICROBIN_PUBLIC_PATH = "https://bin.psydnd.org";
+      MICROBIN_QR = true;
+      MICROBIN_WIDE = true;
     };
-    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
   };
 
-  # Set environment variable pointing to wallabag configuration directory
-  environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
+  # Readeck configuration
+  services.readeck = {
+    enable = true;
+    settings = {
+      server = {
+        host = "127.0.0.1";
+        port = 9092;
+        allowed_hosts = [ "read.psydnd.org" ];
+        trusted_proxies = [ "127.0.0.1" ];
+        environmentFile = config.age.secrets.readeck.path;
+      };
+    };
+  };
+
+  # NOTE Load credentials using environment variables
+  systemd.services.readeck.serviceConfig.EnvironmentFile = config.age.secrets.readeck.path;
 
 }

modules/monitoring.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 with pkgs;
 
@@ -46,7 +51,8 @@ with pkgs;
   services.prometheus = {
     enable = true;
     port = 9001;
-    retentionTime = "1y";
+    retentionTime = "10y";
+    extraFlags = [ "--web.enable-admin-api" ];
     exporters = {
       node = {
         enable = true;
@@ -56,27 +62,28 @@ with pkgs;
       postgres.enable = true;
       smartctl.enable = true;
     };
-    scrapeConfigs = [{
+    scrapeConfigs = [
+      {
         job_name = "zion";
-      static_configs = [{
+        static_configs = [
+          {
             targets = [
               "localhost:${toString config.services.prometheus.exporters.node.port}"
-          "localhost:${
-            toString config.services.prometheus.exporters.postgres.port
-          }"
-          "localhost:${
-            toString config.services.prometheus.exporters.smartctl.port
-          }"
+              "localhost:${toString config.services.prometheus.exporters.postgres.port}"
+              "localhost:${toString config.services.prometheus.exporters.smartctl.port}"
+              "localhost:9641" # MQTT2Prometheus
+            ];
+          }
+        ];
+      }
     ];
-      }];
-    }];
   };
 
   # Grafana configuration
   services.grafana = {
     enable = true;
     settings.server = {
-      domain = "grafana.coolneng.duckdns.org";
+      domain = "grafana.psydnd.org";
       http_port = 9009;
       http_addr = "127.0.0.1";
     };

modules/networking.nix

@@ -1,12 +1,19 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 
-let wireguard_port = 1194;
+let
+  wireguard_port = 1194;
 
-in {
+in
+{
   # Enable systemd-networkd
   networking = {
     hostName = "zion";
-    hostId = "4e74ea68";
+    hostId = "760bfad7";
     useDHCP = false;
     useNetworkd = true;
     dhcpcd.enable = false;
@@ -15,24 +22,40 @@ in {
 
   # Assign a static IP
   systemd.network.networks."24-home" = {
-    name = "end0";
-    matchConfig.Name = "end0";
-    address = [ "192.168.13.2/24" ];
-    gateway = [ "192.168.13.1" ];
-    dns = [ "1.1.1.1" "9.9.9.9" ];
+    name = "enp2s0";
+    matchConfig.Name = "enp2s0";
+    address = [ "192.168.128.2/23" ];
+    gateway = [ "192.168.128.1" ];
+    dns = [
+      "127.0.0.1"
+      "::1"
+    ];
     networkConfig.DNSSEC = "no";
   };
 
   # Dynamic DNS configuration
-  services.ddclient = {
+  services.inadyn = {
     enable = true;
-    quiet = true;
-    use = "web, web=freedns";
-    interval = "30min";
-    protocol = "duckdns";
-    domains = [ "coolneng.duckdns.org" ];
-    passwordFile = config.age.secrets.ddclient.path;
-    extraConfig = "";
+    interval = "*:0/30";
+    settings.provider."duckdns" = {
+      hostname = "coolneng.duckdns.org";
+      include = config.age.secrets.inadyn-duckdns.path;
+    };
+  };
+
+  # Dynamic DNS configuration for Porkbun
+  # NOTE Temporary workaround until Inadyn fixes the Porkbun module
+  services.oink = {
+    enable = true;
+    apiKeyFile = config.age.secrets.inadyn-porkbun.path;
+    secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path;
+    settings.interval = 1800;
+    domains = [
+      {
+        domain = "psydnd.org";
+        subdomain = "";
+      }
+    ];
   };
 
   # Firewall configuration
@@ -52,6 +75,9 @@ in {
       iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
         config.systemd.network.networks."24-home".name
       } -j MASQUERADE
+      ip6tables -t nat -A POSTROUTING -s fd00::0/128 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
     '';
   };
 
@@ -68,17 +94,27 @@ in {
     wireguardPeers = [
       # panacea
       {
-        wireguardPeerConfig = {
         PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
-          AllowedIPs = [ "10.8.0.2/32" ];
-        };
+        AllowedIPs = [
+          "10.8.0.2/32"
+          "fd00::2/128"
+        ];
       }
       # caravanserai
       {
-        wireguardPeerConfig = {
-          PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
-          AllowedIPs = [ "10.8.0.3/32" ];
-        };
+        PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
+        AllowedIPs = [
+          "10.8.0.3/32"
+          "fd00::3/128"
+        ];
+      }
+      # kathreftis
+      {
+        PublicKey = "qfHtv6LSZjtxvH46d8pysr+/yPo2tV9cZumgIpxBNF4=";
+        AllowedIPs = [
+          "10.8.0.4/32"
+          "fd00::4/128"
+        ];
       }
     ];
   };
@@ -86,12 +122,25 @@ in {
   systemd.network.networks."wg0" = {
     matchConfig.Name = "wg0";
     networkConfig = {
-      Address = "10.8.0.1/24";
-      IPForward = true;
-      IPMasquerade = "ipv4";
+      Address = [
+        "10.8.0.1/24"
+        "fd00::1/128"
+      ];
+      IPv4Forwarding = true;
+      IPv6Forwarding = true;
     };
   };
 
+  # Disable systemd-resolved DNS stub
+  services.resolved = {
+    enable = true;
+    llmnr = "false";
+    extraConfig = ''
+      MulticastDNS=yes
+      DNSStubListener=no
+    '';
+  };
+
   # DNS server with ad-block
   services.dnsmasq = {
     enable = true;
@@ -100,7 +149,13 @@ in {
       bogus-priv = true;
       no-resolv = true;
 
-      listen-address = [ "127.0.0.1" "192.168.13.2" "10.8.0.1" ];
+      listen-address = [
+        "127.0.0.1"
+        "192.168.128.2"
+        "10.8.0.1"
+        "::1"
+        "fd00::1"
+      ];
       bind-interfaces = true;
       server = [ "127.0.0.1#43" ];
 
@@ -109,27 +164,25 @@ in {
 
       conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf";
       dnssec = false;
-
-      address = "/coolneng.duckdns.org/192.168.13.2";
+      address = "/psydnd.org/192.168.128.2";
     };
   };
 
   # Encrypted DNS
-  services.dnscrypt-proxy2 = {
+  services.dnscrypt-proxy = {
     enable = true;
     upstreamDefaults = true;
     settings = {
-      listen_addresses = [ "127.0.0.1:43" ];
-      sources.public-resolvers = {
-        urls = [
-          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+      listen_addresses = [
+        "127.0.0.1:43"
+        "[::1]:43"
       ];
+      sources.public-resolvers = {
+        urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
         cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
-        minisign_key =
-          "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
       };
-      blocked_names.blocked_names_file =
-        "/var/lib/dnscrypt-proxy/blocklist.txt";
+      blocked_names.blocked_names_file = "/var/lib/dnscrypt-proxy/blocklist.txt";
     };
   };
 

modules/periodic.nix

@@ -1,10 +1,16 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
   stateDir = "/var/lib/dnscrypt-proxy";
   blocklist = "${stateDir}/blocklist.txt";
 
-in {
+in
+{
   # PostgreSQL daily backups
   services.postgresqlBackup = {
     enable = true;
@@ -18,7 +24,10 @@ in {
   systemd.services.download-dns-blocklist = {
     description = "Download hosts-blocklists";
     wantedBy = [ "default.target" ];
-    path = with pkgs; [ curl coreutils ];
+    path = with pkgs; [
+      curl
+      coreutils
+    ];
     script = ''
       curl -L https://download.dnscrypt.info/blacklists/domains/mybase.txt -o ${blocklist}
     '';
@@ -26,22 +35,6 @@ in {
     startAt = "02:00:00";
   };
 
-  # Enable SATA HAT fans
-  systemd.services.sata-hat = {
-    description = "Enable software support for SATA Hat";
-    wantedBy = [ "default.target" ];
-    script = ''
-      ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on"
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = "yes";
-      ExecStop = ''
-        ${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off"
-      '';
-    };
-  };
-
   # Push zion changes to git daily
   systemd.user.services.zion-push = {
     description = "Push zion changes to git";

modules/webstack.nix

@@ -1,17 +1,21 @@
 # Web services configuration
-{ config, pkgs, lib, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
 
   # Reverse proxy configuration
   services.nginx = {
     enable = true;
     recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
     recommendedProxySettings = true;
     recommendedOptimisation = true;
-    recommendedBrotliSettings = true;
     clientMaxBodySize = "0";
-    sslCiphers =
-      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+    sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
     sslProtocols = "TLSv1.2 TLSv1.3";
     sslDhparam = "/var/lib/dhparams/nginx.pem";
     commonHttpConfig = ''
@@ -30,17 +34,12 @@
       proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
     '';
     virtualHosts = {
+      # Old domain being redirected
       "coolneng.duckdns.org" = {
         useACMEHost = "coolneng.duckdns.org";
         forceSSL = true;
-        # Redirect from legacy subdirectory URL to subdomain
         locations = {
-          "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
-          "/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
-          "/gitea/".extraConfig =
-            "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
-          "/miniflux/".extraConfig =
-            "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
+          "/".return = "301 https://psydnd.org$request_uri";
           # Delegation for Matrix
           "/.well-known/" = {
             alias = "${../well-known}" + "/";
@@ -52,9 +51,20 @@
           };
         };
       };
-      "radicale.coolneng.duckdns.org" = {
+      # Redirect subdomains
+      "~^(?<subdomain>.+)\.coolneng\.duckdns\.org$" = {
         useACMEHost = "coolneng.duckdns.org";
         forceSSL = true;
+        locations."/".return = "301 https://$subdomain.psydnd.org$request_uri";
+      };
+      # Current domain
+      "psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+      };
+      "radicale.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:5232/";
           extraConfig = ''
@@ -63,30 +73,30 @@
           '';
         };
       };
-      "sync.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "sync.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/".proxyPass = "http://localhost:8384/";
       };
-      "git.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "git.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:3000/";
           extraConfig = ''
             ${config.services.nginx.commonHttpConfig}
             # Disable embedding as a frame, except from the same origin
-            add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";
+            add_header Content-Security-Policy "frame-src git.psydnd.org; frame-ancestors git.psydnd.org";
           '';
         };
       };
-      "rss.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "rss.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/".proxyPass = "http://localhost:8080/";
       };
-      "matrix.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "matrix.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         listen = [
           # IPv4
@@ -112,42 +122,20 @@
             ssl = true;
           }
         ];
-        locations."~ ^(/_matrix|/_synapse/client)".proxyPass =
-          "http://localhost:8008";
+        locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008";
       };
-      "element.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "element.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/".root = pkgs.element-web.override {
           conf.default_server_config = {
-            "m.homeserver"."base_url" = "https://matrix.coolneng.duckdns.org";
+            "m.homeserver"."base_url" = "https://matrix.psydnd.org";
             "m.identity_server"."base_url" = "https://vector.im";
           };
         };
       };
-      "wallabag.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
-        forceSSL = true;
-        root = "${pkgs.wallabag}/web";
-        locations = {
-          "/".tryFiles = "$uri /app.php$is_args$args";
-          "/assets".root = "${config.environment.variables.WALLABAG_DATA}/web";
-          "~ ^/app.php(/|$)" = {
-            fastcgiParams = {
-              SCRIPT_FILENAME = "${pkgs.wallabag}/web/$fastcgi_script_name";
-              DOCUMENT_ROOT = "${pkgs.wallabag}/web";
-            };
-            extraConfig = ''
-              fastcgi_pass unix:${config.services.phpfpm.pools.wallabag.socket};
-              fastcgi_split_path_info ^(.+\.php)(/.*)$;
-              include ${pkgs.nginx}/conf/fastcgi_params;
-              internal;
-            '';
-          };
-        };
-      };
-      "books.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "books.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:9000/";
@@ -158,23 +146,33 @@
           '';
         };
       };
-      "grafana.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "grafana.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:9009/";
           proxyWebsockets = true;
         };
       };
-      "nightscout.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "podcast.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://localhost:1337";
-          extraConfig = ''
-            proxy_set_header X-Forwarded-For $remote_addr;
-          '';
+        locations."/".proxyPass = "http://localhost:9090/";
       };
+      "bin.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9091/";
+      };
+      "read.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9092/";
+      };
+      "photos.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9191/";
       };
     };
   };
@@ -184,26 +182,34 @@
     acceptTerms = true;
     defaults = {
       email = "akasroua@disroot.org";
-      dnsResolver = "127.0.0.1:53";
       group = "nginx";
-      webroot = "/var/lib/acme/acme-challenge";
-      ocspMustStaple = true;
     };
-    certs."coolneng.duckdns.org".extraDomainNames =
-      lib.attrsets.mapAttrsToList (name: value: "${name}")
-      config.services.nginx.virtualHosts;
+    certs = {
+      "coolneng.duckdns.org" = {
+        domain = "*.coolneng.duckdns.org";
+        dnsProvider = "duckdns";
+        environmentFile = config.age.secrets.acme-duckdns.path;
+      };
+      "psydnd.org" = {
+        domain = "psydnd.org";
+        extraDomainNames = [ "*.psydnd.org" ];
+        dnsProvider = "porkbun";
+        environmentFile = config.age.secrets.acme-porkbun.path;
+      };
+    };
   };
 
   # Generate dhparams
   security.dhparams = {
     enable = true;
-    params.nginx.bits = 2048;
+    defaultBitSize = 4096;
+    params.nginx.bits = 4096;
   };
 
   # PostgreSQL databases configuration
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_16;
     authentication = lib.mkForce ''
       # Generated file; do not edit!
       # TYPE  DATABASE        USER            ADDRESS                 METHOD
@@ -224,10 +230,9 @@
     "miniflux.service"
     "radicale.service"
     "dendrite.service"
-    "phpfpm-wallabag.service"
-    "systemd-tmpfiles-setup.service"
+    "grafana.service"
     "podman-openbooks.service"
     "podman-mqtt2prometheus.service"
-    "podman-nightscout.service"
+    "podman-opodsync.service"
   ];
 }

scripts/SATA-hat.sh

@@ -1,71 +0,0 @@
-#!/bin/sh
-
-BASE_PATH=/sys/class
-GPIO_PATH="$BASE_PATH"/gpio
-PWM_PATH="$BASE_PATH"/pwm/pwmchip0
-
-# GPIO pins
-CPU_FAN=12
-HDD_FAN=13
-
-# Values
-LOW=0
-HIGH=1
-
-export_pin() {
-    if [ ! -e $GPIO_PATH/gpio"$1" ]; then
-        echo "$1" >$GPIO_PATH/export
-    fi
-}
-
-unexport_pin() {
-    if [ -e $GPIO_PATH/gpio"$1" ]; then
-        echo "$1" >$GPIO_PATH/unexport
-    fi
-}
-
-set_gpio() {
-    export_pin "$1"
-    echo "out" >$GPIO_PATH/gpio"$1"/direction
-    echo "$2" >$GPIO_PATH/gpio"$1"/value
-    if [ "$3" = "clean" ]; then
-        unexport_pin "$1"
-    fi
-}
-
-enable_pwm_channel() {
-    echo "$1" >$PWM_PATH/export
-    echo 40000 >$PWM_PATH/pwm"$1"/period
-    echo 30000 >$PWM_PATH/pwm"$1"/duty_cycle
-    echo 1 >$PWM_PATH/pwm"$1"/enable
-}
-
-set_pwm() {
-    if [ "$1" = "clean" ]; then
-        echo 1 >$PWM_PATH/unexport
-    else
-        enable_pwm_channel 1
-    fi
-}
-
-turn_on() {
-    set_gpio $CPU_FAN $HIGH
-    set_gpio $HDD_FAN $HIGH
-    set_pwm
-}
-
-turn_off() {
-    set_gpio $CPU_FAN $LOW clean
-    set_gpio $HDD_FAN $LOW clean
-    set_pwm clean
-}
-
-trap turn_off INT
-
-if [ "$1" = "on" ]; then
-    turn_on
-else
-    turn_off
-fi
-
-exit 0

scripts/install.sh

@@ -0,0 +1,66 @@
+#!/bin/sh
+
+partition_disk() {
+    parted "$DISK" -- mklabel gpt
+    parted "$DISK" -- mkpart ESP fat32 1MiB 1025MiB
+    parted "$DISK" -- mkpart linux-swap 1025MiB 17409MiB
+    parted "$DISK" -- mkpart primary 17409MiB 100%
+    parted "$DISK" -- set 1 boot on
+    mkfs.fat -F32 -n BOOT "$DISK"p1
+    mkswap "$DISK"p2
+    swapon "$DISK"p2
+}
+
+zfs_setup() {
+    zpool import -f vault
+    zpool create -f -o ashift=12 -o autotrim=on -O acltype=posixacl -O relatime=on \
+        -O xattr=sa -O dnodesize=legacy -O normalization=formD -O mountpoint=none \
+        -O canmount=off -O devices=off -R /mnt -O compression=zstd "$POOL_NAME" "$DISK"p3
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral/nix
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false -o sync=disabled -o setuid=off "$POOL_NAME"/ephemeral/tmp
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true "$POOL_NAME"/stateful/home
+    zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful/root
+}
+
+mount_datasets() {
+    mount -t zfs sysion/stateful/root /mnt
+    mkdir -p /mnt/boot
+    mount "$DISK"p1 /mnt/boot
+    mkdir -p /mnt/home/coolneng
+    mount -t zfs sysion/stateful/home /mnt/home/coolneng
+    mkdir -p /mnt/nix
+    mount -t zfs sysion/ephemeral/nix /mnt/nix
+    mkdir -p /mnt/tmp
+    mount -t zfs sysion/ephemeral/tmp /mnt/tmp
+}
+
+install_system() {
+    nixos-generate-config --root /mnt
+    mv /mnt/etc/nixos/hardware-configuration.nix modules/hardware-configuration.nix
+    nix-shell -p git --command "nixos-install --root /mnt --flake .#zion"
+}
+
+usage() {
+    echo "Usage: install.sh <disk>"
+    echo "disk: full path to the disk (e.g. /dev/sda)"
+    exit 1
+}
+
+if [ $# != 1 ]; then
+    usage
+fi
+
+DISK="$1"
+POOL_NAME="sysion"
+
+echo "Let's start by partitioning the disk"
+partition_disk
+echo "Starting up the ZFS machinery"
+zfs_setup
+echo "Mounting the horse"
+mount_datasets
+echo "Lift off to the NixOS planet"
+install_system
+echo "All ready, time to rejoice"

scripts/motd.sh

@@ -23,21 +23,16 @@ services=(
     "syncthing.service"
     "radicale.service"
     "miniflux.service"
-	"phpfpm-wallabag.service"
     "gitea.service"
     "dendrite.service"
-	"matrix-as-telegram.service"
-	"matrix-as-facebook.service"
-	"matrix-as-signal.service"
-	"signald.service"
     "nginx.service"
     "dnsmasq.service"
+    "dnscrypt-proxy.service"
     "podman-openbooks.service"
     "mosquitto.service"
     "podman-mqtt2prometheus.service"
     "prometheus.service"
     "grafana.service"
-	"podman-nightscout.service"
 )
 
 for var in "${services[@]}"; do

secrets/acme-porkbun.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg 7JImhL2Wo/eJEwUGP+NhEf36yq5gHO9q1GYhY2HaMAY
+eAMhD0sqHQS+aayBpOsY8+081i72QAhJCFbBe0//uwU
+--- 4K8cXsDuWZrmWNJ+rz166ej9o/gLFc7CfJuzAsG0BxA
+|.<2E><><EFBFBD>	f<><66>f<EFBFBD>=<1D>-<2D>X$P<>:

secrets/ddclient.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY
-jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw
--> vH/-grease []_Tx" cZfV JHS /x/
-SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE
---- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k
-<EFBFBD>iy<13>݌1k{<7B><>OJ3<1F>H<EFBFBD>N<><4E><11><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>%y<><1D><><0C><>JA<4A>8<EFBFBD><38>
-'<27>N<EFBFBD><4E>%<25><><EFBFBD><EFBFBD><EFBFBD>L@<12>6	&<26><>

secrets/inadyn-duckdns.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg XMrsd1RQcDq/SpFtqpB4Gj1keCvJsMB+VA58qZirYA4
+tf8NQzoEYJXlKBjtX4ZplaPQv51RCW9yHulvKZB8c8g
+--- 5wZntAZCQ4pGYrgDFd63w6Y+Taaatcw5z0tDSvShi30
+<EFBFBD><EFBFBD>4<EFBFBD><EFBFBD><EFBFBD>Ɖq3<EFBFBD>&
+><0E>4<EFBFBD><34>J<EFBFBD>?<3F><0F><>QW<51>jZ<:'<<16>x(<28>Y<16>i<EFBFBD>ZDO#<23>w<7F><77>R<EFBFBD><52><EFBFBD>O@2<>cAj	(f<><66><EFBFBD><EFBFBD>M<EFBFBD><4D><EFBFBD>

secrets/inadyn-porkbun-secret.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
+MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
+--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
+<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S
'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29><0B><>%fc<66><63>XZչ 7+yB

secrets/secrets.nix

@@ -1,12 +1,11 @@
 let
-  zion =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
-in {
+  zion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
+in
+{
   "wireguard.age".publicKeys = [ zion ];
   "syncthing.age".publicKeys = [ zion ];
   "msmtp.age".publicKeys = [ zion ];
   "gitea.age".publicKeys = [ zion ];
-  "ddclient.age".publicKeys = [ zion ];
   "miniflux.age".publicKeys = [ zion ];
   "git.age".publicKeys = [ zion ];
   "dendrite.age".publicKeys = [ zion ];
@@ -14,7 +13,13 @@ in {
   "telegram.age".publicKeys = [ zion ];
   "mqtt-sender.age".publicKeys = [ zion ];
   "mqtt-receiver.age".publicKeys = [ zion ];
-  "nightscout.age".publicKeys = [ zion ];
   "facebook.age".publicKeys = [ zion ];
   "signal.age".publicKeys = [ zion ];
+  "inadyn-duckdns.age".publicKeys = [ zion ];
+  "inadyn-porkbun.age".publicKeys = [ zion ];
+  "inadyn-porkbun-secret.age".publicKeys = [ zion ];
+  "acme-duckdns.age".publicKeys = [ zion ];
+  "acme-porkbun.age".publicKeys = [ zion ];
+  "microbin.age".publicKeys = [ zion ];
+  "readeck.age".publicKeys = [ zion ];
 }

secrets/wallabag-postgres.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg zWm4+j3/IRqd3uZqGzXVcHvs+urNrvDMOceWKbpl018
+HlIKCFYt7n3iKZav5i0YiB4awRMJML0XUowX8sKKH2c
+--- ysvYVxgK1OeqCk8KdNF+uWsaQ9EzVRku7nw37aUAW3A
+c<EFBFBD><EFBFBD>b<EFBFBD>W|bU<62>B"<22><04>Ե<EFBFBD><D4B5><EFBFBD><EFBFBD><EFBFBD><03><>U<EFBFBD>

well-known/matrix/client

@@ -1,5 +1,5 @@
 {
     "m.homeserver": {
-        "base_url": "https://matrix.coolneng.duckdns.org"
+        "base_url": "https://matrix.psydnd.org"
     }
 }

well-known/matrix/server

@@ -1 +1 @@
-{ "m.server": "matrix.coolneng.duckdns.org:443" }
+{ "m.server": "matrix.psydnd.org:443" }