Set up PiGallery2

Flake lock file updates:

• Updated input 'determinate':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.13.2/019a9b01-c0c6-7e1c-959e-98ac5b7675de/source.tar.gz' (2025-11-19)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz' (2025-12-19)
• Updated input 'determinate/determinate-nixd-aarch64-darwin':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/macOS'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS'
• Updated input 'determinate/determinate-nixd-aarch64-linux':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/aarch64-linux'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux'
• Updated input 'determinate/determinate-nixd-x86_64-linux':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/x86_64-linux'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux'
• Updated input 'determinate/nix':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.13.2/019a9af6-3d7b-71bc-bccd-8b18e147ad77/source.tar.gz' (2025-11-19)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz' (2025-12-19)
• Updated input 'determinate/nixpkgs':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.897465%2Brev-8b6600824693a9c706ef09bd86711ca393703466/019a9577-b407-75dd-b18b-3308def1c215/source.tar.gz' (2025-11-17)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz' (2025-12-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/c97c47f' (2025-12-04)
  → 'github:NixOS/nixpkgs/b3aad46' (2025-12-20)

.dir-locals.el

@@ -1 +0,0 @@
-((nil . ((ssh-deploy-root-remote . "/ssh:zion:/home/coolneng/system"))))

Makefile

@@ -1,7 +1,7 @@
 DIR=$(HOME)/Projects/zion
 
 switch:
-	nixos-rebuild switch --fast --target-host root@zion \
+	nixos-rebuild switch --no-reexec --target-host root@zion \
 	--build-host root@zion --flake path://$(DIR)#zion
 
 .DEFAULT_GOAL := switch

configuration.nix

@@ -30,7 +30,7 @@ with pkgs;
   boot.loader = {
     efi.canTouchEfiVariables = true;
     systemd-boot = {
-      enable = false;
+      enable = true;
       configurationLimit = 50;
       editor = false;
     };
@@ -99,6 +99,8 @@ with pkgs;
         "root"
         "coolneng"
       ];
+      lazy-trees = true;
+      eval-cores = 2;
     };
     gc = {
       automatic = true;
@@ -160,7 +162,6 @@ with pkgs;
       owner = "gitea";
       group = "gitea";
     };
-    secrets.ddclient.file = secrets/ddclient.age;
     secrets.miniflux = {
       file = secrets/miniflux.age;
       owner = "miniflux";
@@ -184,8 +185,6 @@ with pkgs;
     };
     secrets.telegram = {
       file = secrets/telegram.age;
-      owner = "matrix-as-telegram";
-      group = "matrix-as-telegram";
     };
     secrets.mqtt-sender = {
       file = secrets/mqtt-sender.age;
@@ -199,28 +198,56 @@ with pkgs;
     };
     secrets.facebook = {
       file = secrets/facebook.age;
-      owner = "matrix-as-facebook";
-      group = "matrix-as-facebook";
     };
     secrets.signal = {
       file = secrets/signal.age;
-      owner = "matrix-as-signal";
-      group = "matrix-as-signal";
     };
-    secrets.acme = {
-      file = secrets/acme.age;
+    secrets.inadyn-duckdns = {
+      file = secrets/inadyn-duckdns.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun = {
+      file = secrets/inadyn-porkbun.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.inadyn-porkbun-secret = {
+      file = secrets/inadyn-porkbun-secret.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
+    secrets.acme-duckdns = {
+      file = secrets/acme-duckdns.age;
       owner = "acme";
       group = "nginx";
     };
+    secrets.acme-porkbun = {
+      file = secrets/acme-porkbun.age;
+      owner = "acme";
+      group = "nginx";
+    };
+    secrets.microbin = {
+      file = secrets/microbin.age;
+      owner = "63026";
+      group = "63026";
+    };
+    secrets.readeck = {
+      file = secrets/readeck.age;
+      owner = "63026";
+      group = "63026";
+    };
     identityPaths = [ "/etc/ssh/id_ed25519" ];
   };
 
   # Auto-upgrade the system
   system.autoUpgrade = {
     enable = true;
-    flake = "/vault/syncthing/Projects/zion";
+    allowReboot = true;
+    flake = "/home/coolneng/system";
     flags = [
-      "--update-input agenix --update-input nixpkgs"
+      "--update-input"
+      "nixpkgs"
       "--commit-lock-file"
     ];
   };

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1723293904,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "lastModified": 1762618334,
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
         "type": "github"
       },
       "original": {
@@ -31,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -45,6 +45,63 @@
         "type": "github"
       }
     },
+    "determinate": {
+      "inputs": {
+        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
+        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
+        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
+        "nix": "nix",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1766177528,
+        "narHash": "sha256-Bl+p766mM7qNCZtMqmTz13RuUbOMKsFa+/vnGYoxgPk=",
+        "rev": "b159c082f0f9bdefa6c386189a13c5fa0734d8d8",
+        "revCount": 317,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
+      }
+    },
+    "determinate-nixd-aarch64-darwin": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-vDaEQ5T4eA7kEPREmm68IVWGR6zT0aDL5slZxA6dkSc=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
+      }
+    },
+    "determinate-nixd-aarch64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-Hf4JsIv5G3IR0Q0RHGLSNdmDzFv97sVQQKwzY6A0vV4=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
+      }
+    },
+    "determinate-nixd-x86_64-linux": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-J+J4E02XpEl0ZkpzMbUmGCf6S4yk0gYCYmiGzZ058ik=",
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
+      }
+    },
     "devshell": {
       "locked": {
         "lastModified": 1642188268,
@@ -61,6 +118,22 @@
       }
     },
     "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
       "flake": false,
       "locked": {
         "lastModified": 1641205782,
@@ -76,6 +149,53 @@
         "type": "github"
       }
     },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748821116,
+        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+        "revCount": 377,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
+      }
+    },
+    "git-hooks-nix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": [
+          "determinate",
+          "nix"
+        ],
+        "nixpkgs": [
+          "determinate",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747372754,
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "revCount": 1026,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -84,11 +204,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703113217,
-        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
         "type": "github"
       },
       "original": {
@@ -97,10 +217,31 @@
         "type": "github"
       }
     },
+    "nix": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "git-hooks-nix": "git-hooks-nix",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-23-11": "nixpkgs-23-11",
+        "nixpkgs-regression": "nixpkgs-regression"
+      },
+      "locked": {
+        "lastModified": 1766174426,
+        "narHash": "sha256-0ZofAQZNgg5nfIKsVb7g4It6ufmIyLtfFRPOf+6WRkk=",
+        "rev": "15d6091194b5b90d292e8d6283db77f09c303b1e",
+        "revCount": 24285,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
+      }
+    },
     "nix-matrix-appservices": {
       "inputs": {
         "devshell": "devshell",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "nixlib": "nixlib",
         "nixpkgs": [
           "nixpkgs"
@@ -137,11 +278,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1740646007,
-        "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
+        "lastModified": 1764440730,
+        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
+        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
         "type": "github"
       },
       "original": {
@@ -153,41 +294,87 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1740463929,
-        "narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b",
-        "type": "github"
+        "lastModified": 1761597516,
+        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+        "revCount": 811874,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
       },
       "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-24.11",
-        "type": "indirect"
+        "type": "tarball",
+        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
       }
     },
-    "nixpkgs-unstable": {
+    "nixpkgs-23-11": {
       "locked": {
-        "lastModified": 1729880355,
-        "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=",
+        "lastModified": 1717159533,
+        "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "18536bf04cd71abd345f9579158841376fdd0c5a",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+        "type": "github"
+      }
+    },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1765772535,
+        "narHash": "sha256-aq+dQoaPONOSjtFIBnAXseDm9TUhIbe215TPmkfMYww=",
+        "rev": "09b8fda8959d761445f12b55f380d90375a1d6bb",
+        "revCount": 911985,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1766201043,
+        "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "determinate": "determinate",
         "nix-matrix-appservices": "nix-matrix-appservices",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs": "nixpkgs_3"
       }
     },
     "systems": {

flake.nix

@@ -1,9 +1,16 @@
 {
   description = "System configuration for zion";
 
+  nixConfig = {
+    extra-substituters = "https://install.determinate.systems";
+    extra-trusted-public-keys = ''
+      cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
+    '';
+  };
+
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.11";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
     agenix = {
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -16,21 +23,12 @@
   };
 
   outputs =
-    {
-      self,
-      nixpkgs,
-      nixpkgs-unstable,
-      agenix,
-      nixos-hardware,
-      ...
-    }@inputs:
+    { self, nixpkgs, ... }@inputs:
     let
       system = "x86_64-linux";
 
       pkgs = import pkgs { inherit system; };
 
-      pkgs-unstable = import inputs.nixpkgs-unstable { inherit system; };
-
       lib = nixpkgs.lib;
 
     in
@@ -39,12 +37,12 @@
         inherit system;
         modules = [
           (import ./configuration.nix)
-          agenix.nixosModules.age
-          nixos-hardware.nixosModules.aoostar-r1-n100
+          inputs.agenix.nixosModules.age
+          inputs.nixos-hardware.nixosModules.aoostar-r1-n100
+          inputs.determinate.nixosModules.default
         ];
         specialArgs = {
           inherit inputs;
-          inherit pkgs-unstable;
         };
       };
 

modules/containers.nix

@@ -38,6 +38,27 @@
           ports = [ "127.0.0.1:9641:9641" ];
           volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
         };
+        # Podcast synchronization
+        opodsync = {
+          image = "ganeshlab/opodsync@sha256:32626b732fe38687a5dfd703d515136e413c4b16f286b38656718ad03f0d94c1";
+          ports = [ "127.0.0.1:9090:8080" ];
+          volumes = [ "/vault/opodsync:/var/www/server/data" ];
+        };
+        # Photo gallery
+        pigallery2 = {
+          image = "bpatrik/pigallery2@sha256:c936e4504cfe7158198542a8db794b24afb0301155d89e911f13bd04e0b406c2";
+          ports = [ "127.0.0.1:9191:80" ];
+          volumes = [
+            "/vault/pigallery2/config:/app/data/config"
+            "/vault/pigallery2/db:/app/data/db"
+            "/vault/pigallery2/tmp:/app/data/tmp"
+            "/vault/syncthing/Photos:/app/data/images"
+          ];
+          cmd = [
+            "-e"
+            "NODE_ENV=production"
+          ];
+        };
       };
     };
   };

modules/devops.nix

@@ -21,8 +21,8 @@
     settings = {
       server = {
         DISABLE_SSH = true;
-        DOMAIN = "git.coolneng.duckdns.org";
-        ROOT_URL = "https://git.coolneng.duckdns.org";
+        DOMAIN = "git.psydnd.org";
+        ROOT_URL = "https://git.psydnd.org";
       };
       service.DISABLE_REGISTRATION = true;
       session.COOKIE_SECURE = true;

modules/information.nix

@@ -10,29 +10,35 @@
   services.miniflux = {
     enable = true;
     adminCredentialsFile = config.age.secrets.miniflux.path;
-    config = {
-      BASE_URL = "https://rss.coolneng.duckdns.org";
-      DISABLE_HSTS = 1;
-    };
   };
 
-  # Php-fpm pool for Wallabag
-  services.phpfpm.pools.wallabag = {
-    user = "nginx";
-    group = "nginx";
+  # Microbin configuration
+  services.microbin = {
+    enable = true;
+    passwordFile = config.age.secrets.microbin.path;
     settings = {
-      "listen.owner" = config.services.nginx.user;
-      "listen.group" = config.services.nginx.group;
-      "listen.mode" = 600;
-      "pm" = "ondemand";
-      "pm.max_children " = 4;
-      "pm.max_requests" = 32;
-      "env[WALLABAG_DATA]" = config.environment.variables.WALLABAG_DATA;
+      MICROBIN_PORT = 9091;
+      MICROBIN_PUBLIC_PATH = "https://bin.psydnd.org";
+      MICROBIN_QR = true;
+      MICROBIN_WIDE = true;
     };
-    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
   };
 
-  # Set environment variable pointing to wallabag configuration directory
-  environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
+  # Readeck configuration
+  services.readeck = {
+    enable = true;
+    settings = {
+      server = {
+        host = "127.0.0.1";
+        port = 9092;
+        allowed_hosts = [ "read.psydnd.org" ];
+        trusted_proxies = [ "127.0.0.1" ];
+        environmentFile = config.age.secrets.readeck.path;
+      };
+    };
+  };
+
+  # NOTE Load credentials using environment variables
+  systemd.services.readeck.serviceConfig.EnvironmentFile = config.age.secrets.readeck.path;
 
 }

modules/monitoring.nix

@@ -51,7 +51,8 @@ with pkgs;
   services.prometheus = {
     enable = true;
     port = 9001;
-    retentionTime = "1y";
+    retentionTime = "10y";
+    extraFlags = [ "--web.enable-admin-api" ];
     exporters = {
       node = {
         enable = true;
@@ -70,6 +71,7 @@ with pkgs;
               "localhost:${toString config.services.prometheus.exporters.node.port}"
               "localhost:${toString config.services.prometheus.exporters.postgres.port}"
               "localhost:${toString config.services.prometheus.exporters.smartctl.port}"
+              "localhost:9641" # MQTT2Prometheus
             ];
           }
         ];
@@ -81,7 +83,7 @@ with pkgs;
   services.grafana = {
     enable = true;
     settings.server = {
-      domain = "grafana.coolneng.duckdns.org";
+      domain = "grafana.psydnd.org";
       http_port = 9009;
       http_addr = "127.0.0.1";
     };

modules/networking.nix

@@ -24,23 +24,38 @@ in
   systemd.network.networks."24-home" = {
     name = "enp2s0";
     matchConfig.Name = "enp2s0";
-    address = [ "192.168.129.2/23" ];
+    address = [ "192.168.128.2/23" ];
     gateway = [ "192.168.128.1" ];
     dns = [
-      "1.1.1.1"
-      "9.9.9.9"
+      "127.0.0.1"
+      "::1"
     ];
     networkConfig.DNSSEC = "no";
   };
 
   # Dynamic DNS configuration
-  services.ddclient = {
+  services.inadyn = {
     enable = true;
-    quiet = true;
-    interval = "30min";
-    protocol = "duckdns";
-    domains = [ "coolneng.duckdns.org" ];
-    passwordFile = config.age.secrets.ddclient.path;
+    interval = "*:0/30";
+    settings.provider."duckdns" = {
+      hostname = "coolneng.duckdns.org";
+      include = config.age.secrets.inadyn-duckdns.path;
+    };
+  };
+
+  # Dynamic DNS configuration for Porkbun
+  # NOTE Temporary workaround until Inadyn fixes the Porkbun module
+  services.oink = {
+    enable = true;
+    apiKeyFile = config.age.secrets.inadyn-porkbun.path;
+    secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path;
+    settings.interval = 1800;
+    domains = [
+      {
+        domain = "psydnd.org";
+        subdomain = "";
+      }
+    ];
   };
 
   # Firewall configuration
@@ -56,6 +71,14 @@ in
       wireguard_port # Wireguard
       53 # DNS
     ];
+    extraCommands = ''
+      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
+      ip6tables -t nat -A POSTROUTING -s fd00::0/128 -o ${
+        config.systemd.network.networks."24-home".name
+      } -j MASQUERADE
+    '';
   };
 
   # Wireguard setup
@@ -71,17 +94,27 @@ in
     wireguardPeers = [
       # panacea
       {
-        wireguardPeerConfig = {
-          PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
-          AllowedIPs = [ "10.8.0.2/32" ];
-        };
+        PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
+        AllowedIPs = [
+          "10.8.0.2/32"
+          "fd00::2/128"
+        ];
       }
       # caravanserai
       {
-        wireguardPeerConfig = {
-          PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
-          AllowedIPs = [ "10.8.0.3/32" ];
-        };
+        PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
+        AllowedIPs = [
+          "10.8.0.3/32"
+          "fd00::3/128"
+        ];
+      }
+      # kathreftis
+      {
+        PublicKey = "qfHtv6LSZjtxvH46d8pysr+/yPo2tV9cZumgIpxBNF4=";
+        AllowedIPs = [
+          "10.8.0.4/32"
+          "fd00::4/128"
+        ];
       }
     ];
   };
@@ -89,11 +122,25 @@ in
   systemd.network.networks."wg0" = {
     matchConfig.Name = "wg0";
     networkConfig = {
-      Address = "10.8.0.1/24";
+      Address = [
+        "10.8.0.1/24"
+        "fd00::1/128"
+      ];
       IPv4Forwarding = true;
+      IPv6Forwarding = true;
     };
   };
 
+  # Disable systemd-resolved DNS stub
+  services.resolved = {
+    enable = true;
+    llmnr = "false";
+    extraConfig = ''
+      MulticastDNS=yes
+      DNSStubListener=no
+    '';
+  };
+
   # DNS server with ad-block
   services.dnsmasq = {
     enable = true;
@@ -104,8 +151,10 @@ in
 
       listen-address = [
         "127.0.0.1"
-        "192.168.129.2"
+        "192.168.128.2"
         "10.8.0.1"
+        "::1"
+        "fd00::1"
       ];
       bind-interfaces = true;
       server = [ "127.0.0.1#43" ];
@@ -115,17 +164,19 @@ in
 
       conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf";
       dnssec = false;
-
-      address = "/coolneng.duckdns.org/192.168.129.2";
+      address = "/psydnd.org/192.168.128.2";
     };
   };
 
   # Encrypted DNS
-  services.dnscrypt-proxy2 = {
+  services.dnscrypt-proxy = {
     enable = true;
     upstreamDefaults = true;
     settings = {
-      listen_addresses = [ "127.0.0.1:43" ];
+      listen_addresses = [
+        "127.0.0.1:43"
+        "[::1]:43"
+      ];
       sources.public-resolvers = {
         urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
         cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";

modules/webstack.nix

@@ -11,7 +11,7 @@
   services.nginx = {
     enable = true;
     recommendedTlsSettings = true;
-    recommendedZstdSettings = true;
+    recommendedBrotliSettings = true;
     recommendedProxySettings = true;
     recommendedOptimisation = true;
     clientMaxBodySize = "0";
@@ -34,15 +34,12 @@
       proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
     '';
     virtualHosts = {
+      # Old domain being redirected
       "coolneng.duckdns.org" = {
         useACMEHost = "coolneng.duckdns.org";
         forceSSL = true;
-        # Redirect from legacy subdirectory URL to subdomain
         locations = {
-          "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
-          "/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
-          "/gitea/".extraConfig = "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
-          "/miniflux/".extraConfig = "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
+          "/".return = "301 https://psydnd.org$request_uri";
           # Delegation for Matrix
           "/.well-known/" = {
             alias = "${../well-known}" + "/";
@@ -54,9 +51,20 @@
           };
         };
       };
-      "radicale.coolneng.duckdns.org" = {
+      # Redirect subdomains
+      "~^(?<subdomain>.+)\.coolneng\.duckdns\.org$" = {
         useACMEHost = "coolneng.duckdns.org";
         forceSSL = true;
+        locations."/".return = "301 https://$subdomain.psydnd.org$request_uri";
+      };
+      # Current domain
+      "psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+      };
+      "radicale.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:5232/";
           extraConfig = ''
@@ -65,30 +73,30 @@
           '';
         };
       };
-      "sync.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "sync.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/".proxyPass = "http://localhost:8384/";
       };
-      "git.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "git.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:3000/";
           extraConfig = ''
             ${config.services.nginx.commonHttpConfig}
             # Disable embedding as a frame, except from the same origin
-            add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";
+            add_header Content-Security-Policy "frame-src git.psydnd.org; frame-ancestors git.psydnd.org";
           '';
         };
       };
-      "rss.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "rss.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/".proxyPass = "http://localhost:8080/";
       };
-      "matrix.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "matrix.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         listen = [
           # IPv4
@@ -116,39 +124,18 @@
         ];
         locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008";
       };
-      "element.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "element.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/".root = pkgs.element-web.override {
           conf.default_server_config = {
-            "m.homeserver"."base_url" = "https://matrix.coolneng.duckdns.org";
+            "m.homeserver"."base_url" = "https://matrix.psydnd.org";
             "m.identity_server"."base_url" = "https://vector.im";
           };
         };
       };
-      "wallabag.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
-        forceSSL = true;
-        root = "${pkgs.wallabag}/web";
-        locations = {
-          "/".tryFiles = "$uri /app.php$is_args$args";
-          "/assets".root = "${config.environment.variables.WALLABAG_DATA}/web";
-          "~ ^/app.php(/|$)" = {
-            fastcgiParams = {
-              SCRIPT_FILENAME = "${pkgs.wallabag}/web/$fastcgi_script_name";
-              DOCUMENT_ROOT = "${pkgs.wallabag}/web";
-            };
-            extraConfig = ''
-              fastcgi_pass unix:${config.services.phpfpm.pools.wallabag.socket};
-              fastcgi_split_path_info ^(.+\.php)(/.*)$;
-              include ${pkgs.nginx}/conf/fastcgi_params;
-              internal;
-            '';
-          };
-        };
-      };
-      "books.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "books.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:9000/";
@@ -159,14 +146,34 @@
           '';
         };
       };
-      "grafana.coolneng.duckdns.org" = {
-        useACMEHost = "coolneng.duckdns.org";
+      "grafana.psydnd.org" = {
+        useACMEHost = "psydnd.org";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://localhost:9009/";
           proxyWebsockets = true;
         };
       };
+      "podcast.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9090/";
+      };
+      "bin.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9091/";
+      };
+      "read.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9092/";
+      };
+      "photos.psydnd.org" = {
+        useACMEHost = "psydnd.org";
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9191/";
+      };
     };
   };
 
@@ -177,17 +184,26 @@
       email = "akasroua@disroot.org";
       group = "nginx";
     };
-    certs."coolneng.duckdns.org" = {
-      domain = "*.coolneng.duckdns.org";
-      dnsProvider = "duckdns";
-      environmentFile = config.age.secrets.acme.path;
+    certs = {
+      "coolneng.duckdns.org" = {
+        domain = "*.coolneng.duckdns.org";
+        dnsProvider = "duckdns";
+        environmentFile = config.age.secrets.acme-duckdns.path;
+      };
+      "psydnd.org" = {
+        domain = "psydnd.org";
+        extraDomainNames = [ "*.psydnd.org" ];
+        dnsProvider = "porkbun";
+        environmentFile = config.age.secrets.acme-porkbun.path;
+      };
     };
   };
 
   # Generate dhparams
   security.dhparams = {
     enable = true;
-    params.nginx.bits = 2048;
+    defaultBitSize = 4096;
+    params.nginx.bits = 4096;
   };
 
   # PostgreSQL databases configuration
@@ -214,10 +230,9 @@
     "miniflux.service"
     "radicale.service"
     "dendrite.service"
-    "phpfpm-wallabag.service"
-    "systemd-tmpfiles-setup.service"
+    "grafana.service"
     "podman-openbooks.service"
     "podman-mqtt2prometheus.service"
-    "podman-nightscout.service"
+    "podman-opodsync.service"
   ];
 }

scripts/motd.sh

@@ -20,31 +20,31 @@ echo "============================================================
  - System uptime.......: $upDays days $upHours hours $upMins minutes $upSecs seconds
 ============================================================"
 services=(
-	"syncthing.service"
-	"radicale.service"
-	"miniflux.service"
-	"phpfpm-wallabag.service"
-	"gitea.service"
-	"dendrite.service"
-	"nginx.service"
-	"dnsmasq.service"
-	"podman-openbooks.service"
-	"mosquitto.service"
-	"podman-mqtt2prometheus.service"
-	"prometheus.service"
-	"grafana.service"
+    "syncthing.service"
+    "radicale.service"
+    "miniflux.service"
+    "gitea.service"
+    "dendrite.service"
+    "nginx.service"
+    "dnsmasq.service"
+    "dnscrypt-proxy.service"
+    "podman-openbooks.service"
+    "mosquitto.service"
+    "podman-mqtt2prometheus.service"
+    "prometheus.service"
+    "grafana.service"
 )
 
 for var in "${services[@]}"; do
-	if [[ -z $var ]]; then
-		printf "\n"
-	else
-		if systemctl -q is-active "${var}"; then
-			printf "%-40s [\e[32mOK\e[39m]\n" "$var"
-		else
-			printf "%-40s [\e[31mFAIL\e[39m]\n" "$var"
-		fi
-	fi
+    if [[ -z $var ]]; then
+        printf "\n"
+    else
+        if systemctl -q is-active "${var}"; then
+            printf "%-40s [\e[32mOK\e[39m]\n" "$var"
+        else
+            printf "%-40s [\e[31mFAIL\e[39m]\n" "$var"
+        fi
+    fi
 done
 
 echo "============================================================"

secrets/acme-porkbun.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg 7JImhL2Wo/eJEwUGP+NhEf36yq5gHO9q1GYhY2HaMAY
+eAMhD0sqHQS+aayBpOsY8+081i72QAhJCFbBe0//uwU
+--- 4K8cXsDuWZrmWNJ+rz166ej9o/gLFc7CfJuzAsG0BxA
+|.<2E><><EFBFBD>	f<><66>f<EFBFBD>=<1D>-<2D>X$P<>:

secrets/ddclient.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY
-jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw
--> vH/-grease []_Tx" cZfV JHS /x/
-SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE
---- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k
-<EFBFBD>iy<13>݌1k{<7B><>OJ3<1F>H<EFBFBD>N<><4E><11><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>%y<><1D><><0C><>JA<4A>8<EFBFBD><38>
-'<27>N<EFBFBD><4E>%<25><><EFBFBD><EFBFBD><EFBFBD>L@<12>6	&<26><>

secrets/inadyn-duckdns.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg XMrsd1RQcDq/SpFtqpB4Gj1keCvJsMB+VA58qZirYA4
+tf8NQzoEYJXlKBjtX4ZplaPQv51RCW9yHulvKZB8c8g
+--- 5wZntAZCQ4pGYrgDFd63w6Y+Taaatcw5z0tDSvShi30
+<EFBFBD><EFBFBD>4<EFBFBD><EFBFBD><EFBFBD>Ɖq3<EFBFBD>&
+><0E>4<EFBFBD><34>J<EFBFBD>?<3F><0F><>QW<51>jZ<:'<<16>x(<28>Y<16>i<EFBFBD>ZDO#<23>w<7F><77>R<EFBFBD><52><EFBFBD>O@2<>cAj	(f<><66><EFBFBD><EFBFBD>M<EFBFBD><4D><EFBFBD>

secrets/inadyn-porkbun-secret.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
+MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
+--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
+<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S
'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29><0B><>%fc<66><63>XZչ 7+yB

secrets/secrets.nix

@@ -6,7 +6,6 @@ in
   "syncthing.age".publicKeys = [ zion ];
   "msmtp.age".publicKeys = [ zion ];
   "gitea.age".publicKeys = [ zion ];
-  "ddclient.age".publicKeys = [ zion ];
   "miniflux.age".publicKeys = [ zion ];
   "git.age".publicKeys = [ zion ];
   "dendrite.age".publicKeys = [ zion ];
@@ -16,5 +15,11 @@ in
   "mqtt-receiver.age".publicKeys = [ zion ];
   "facebook.age".publicKeys = [ zion ];
   "signal.age".publicKeys = [ zion ];
-  "acme.age".publicKeys = [ zion ];
+  "inadyn-duckdns.age".publicKeys = [ zion ];
+  "inadyn-porkbun.age".publicKeys = [ zion ];
+  "inadyn-porkbun-secret.age".publicKeys = [ zion ];
+  "acme-duckdns.age".publicKeys = [ zion ];
+  "acme-porkbun.age".publicKeys = [ zion ];
+  "microbin.age".publicKeys = [ zion ];
+  "readeck.age".publicKeys = [ zion ];
 }

secrets/wallabag-postgres.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg zWm4+j3/IRqd3uZqGzXVcHvs+urNrvDMOceWKbpl018
+HlIKCFYt7n3iKZav5i0YiB4awRMJML0XUowX8sKKH2c
+--- ysvYVxgK1OeqCk8KdNF+uWsaQ9EzVRku7nw37aUAW3A
+c<EFBFBD><EFBFBD>b<EFBFBD>W|bU<62>B"<22><04>Ե<EFBFBD><D4B5><EFBFBD><EFBFBD><EFBFBD><03><>U<EFBFBD>

well-known/matrix/client

@@ -1,5 +1,5 @@
 {
     "m.homeserver": {
-        "base_url": "https://matrix.coolneng.duckdns.org"
+        "base_url": "https://matrix.psydnd.org"
     }
 }

well-known/matrix/server

@@ -1 +1 @@
-{ "m.server": "matrix.coolneng.duckdns.org:443" }
+{ "m.server": "matrix.psydnd.org:443" }