cleanup

.gitattributes

@@ -2,7 +2,8 @@ secrets/murmur_password filter=git-crypt diff=git-crypt
 secrets/hashedPass filter=git-crypt diff=git-crypt
 secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt
 secrets/wg0.conf filter=git-crypt diff=git-crypt
-secrets/caddy_auth.nix filter=git-crypt diff=git-crypt
+secrets/caddy_auth filter=git-crypt diff=git-crypt
 secrets/matrix_reg_token.nix filter=git-crypt diff=git-crypt
-secrets/owntracks_caddy_auth.nix filter=git-crypt diff=git-crypt
+secrets/owntracks_caddy_auth filter=git-crypt diff=git-crypt
 secrets/secureboot.tar filter=git-crypt diff=git-crypt
+secrets/zfs-key filter=git-crypt diff=git-crypt

configuration.nix

@@ -11,6 +11,8 @@
 {
   imports = [
     ./hardware.nix
+    ./zfs.nix
+    ./services/postgresql.nix
     ./services/jellyfin.nix
     ./services/caddy.nix
     ./services/immich.nix
@@ -19,9 +21,7 @@
     ./services/wg.nix
     ./services/qbittorrent.nix
     ./services/bitmagnet.nix
-
     ./services/matrix.nix
-
     ./services/owntracks.nix
   ];
 
@@ -32,6 +32,12 @@
     hybrid-sleep.enable = false;
   };
 
+  powerManagement = {
+    powertop.enable = true;
+    enable = true;
+    cpuFreqGovernor = "powersave";
+  };
+
   nix = {
     # optimize the store
     optimise.automatic = true;
@@ -55,17 +61,8 @@
   boot = {
     kernelPackages = pkgs.linuxPackages;
 
-    kernelParams = [
-      # 2048MB
-      "zfs.zfs_arc_max=2048000000"
-    ];
-
-    supportedFilesystems = [ "zfs" ];
-    zfs.extraPools = [ "tank" ];
-
     loader = {
       # Use the systemd-boot EFI boot loader.
-      systemd-boot.enable = true;
       efi.canTouchEfiVariables = true;
 
       # 1s timeout
@@ -76,10 +73,22 @@
       compressor = "zstd";
     };
 
-    # kernelModules = [
-    #   # kernel module for case fan control
-    #   "nct6775"
-    # ];
+    loader.systemd-boot.enable = lib.mkForce false;
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
+
+  system.activationScripts = {
+    # extract all my secureboot keys
+    "secureboot-keys".text = ''
+      #!/bin/sh
+      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+      mkdir -p ${config.boot.lanzaboote.pkiBundle}
+      ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
+    '';
   };
 
   environment.etc = {
@@ -137,12 +146,20 @@
 
     wget
 
-    (pkgs.writeScriptBin "mc-console" ''
-      #!/bin/sh
-      ${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach
-    '')
+    powertop
 
-    (pkgs.writeScriptBin "disk-smart-test" ''
+    (pkgs.writeShellApplication {
+      name = "disk-smart-test";
+      runtimeInputs = with pkgs; [
+        gnugrep
+        coreutils
+        smartmontools
+      ];
+
+      # i gotta fix that
+      excludeShellChecks = [ "SC2010" ];
+
+      text = ''
         #!/bin/sh
         set -e
         if [[ $EUID -ne 0 ]]; then
@@ -150,12 +167,13 @@
           exit 2
         fi
 
-      DISKS=$(${pkgs.coreutils}/bin/ls /dev/sd* | ${pkgs.gnugrep}/bin/grep -v "[0-9]$")
+        DISKS=$(ls /dev/sd* | grep -v "[0-9]$")
         for i in $DISKS; do
-        ${pkgs.coreutils}/bin/echo -n "$i "
-        ${pkgs.smartmontools}/bin/smartctl -a "$i" | ${pkgs.gnugrep}/bin/grep "SMART overall-health self-assessment test result:" | ${pkgs.coreutils}/bin/cut -d' ' -f6
+          echo -n "$i "
+          smartctl -a "$i" | grep "SMART overall-health self-assessment test result:" | cut -d' ' -f6
         done
-    '')
+      '';
+    })
 
     (pkgs.writeShellApplication {
       name = "reflac";
@@ -172,6 +190,7 @@
 
     pfetch-rs
 
+    sbctl
   ];
 
   services.zfs = {
@@ -189,21 +208,32 @@
 
   systemd.services.no-rgb =
     let
-      no-rgb = pkgs.writeScriptBin "no-rgb" ''
+      no-rgb = (
+        pkgs.writeShellApplication {
+          name = "no-rgb";
+          runtimeInputs = with pkgs; [
+            openrgb
+            coreutils
+            gnugrep
+          ];
+
+          text = ''
             #!/bin/sh
             set -e
 
-        NUM_DEVICES=$(${pkgs.openrgb}/bin/openrgb --noautoconnect --list-devices | ${pkgs.gnugrep}/bin/grep -E '^[0-9]+: ' | ${pkgs.coreutils}/bin/wc -l)
+            NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ')
 
-        for i in $(${pkgs.coreutils}/bin/seq 0 $(($NUM_DEVICES - 1))); do
-          ${pkgs.openrgb}/bin/openrgb --noautoconnect --device $i --mode direct --color 000000
+            for i in $(seq 0 $((NUM_DEVICES - 1))); do
+              openrgb --noautoconnect --device "$i" --mode direct --color 000000
             done
           '';
+        }
+      );
     in
     {
       description = "disable rgb";
       serviceConfig = {
-        ExecStart = "${no-rgb}/bin/no-rgb";
+        ExecStart = "${no-rgb}/bin/${no-rgb.name}";
         Type = "oneshot";
       };
       wantedBy = [ "multi-user.target" ];
@@ -255,14 +285,18 @@
     # };
   };
 
+  users.groups.${service_configs.torrent_group} = { };
+
   users.users.${username} = {
     isNormalUser = true;
     extraGroups = [
       "wheel"
       "video"
       "render"
+      service_configs.torrent_group
     ];
-    hashedPasswordFile = "/etc/nixos/secrets/hashedPass";
+
+    hashedPasswordFile = "${./secrets/hashedPass}";
 
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
@@ -312,15 +346,5 @@
   #   };
   # };
 
-  services.postgresql = {
-    enable = true;
-    package = pkgs.postgresql_16;
-    dataDir = "/tank/services/sql";
-  };
-
-  systemd.tmpfiles.rules = [
-    "d ${config.services.postgresql.dataDir} 0700 postgres postgres"
-  ];
-
-  system.stateVersion = "24.05";
+  system.stateVersion = "24.11";
 }

disk-config.nix

@@ -0,0 +1,31 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "f2fs";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

flake.lock

@@ -1,6 +1,57 @@
 {
   "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1738148035,
+        "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
       "flake": false,
       "locked": {
         "lastModified": 1673956053,
@@ -16,6 +67,27 @@
         "type": "github"
       }
     },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
@@ -34,6 +106,28 @@
         "type": "github"
       }
     },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -55,20 +149,45 @@
         "type": "github"
       }
     },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
     "nix-minecraft": {
       "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1737683037,
-        "narHash": "sha256-1J2Pf6ub2DkkoqRq2xEFrusJKR4XHnnFk0wyOPrV2PM=",
+        "lastModified": 1738374527,
+        "narHash": "sha256-OcZG42dKolSREIIBM39/kY2TqykihbtYopQSjBbgBjM=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "f80c70946d3e27a466b8b9e65b24e36d571eac8b",
+        "rev": "2c815583946bcf1f7327c89fdf9bb4af7f3f5a14",
         "type": "github"
       },
       "original": {
@@ -79,11 +198,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1737751639,
-        "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=",
+        "lastModified": 1738391520,
+        "narHash": "sha256-6HI58PKjddsC0RA0gBQlt6ox47oH//jLUHwx05RO8g0=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4",
+        "rev": "34b64e4e1ddb14e3ffc7db8d4a781396dbbab773",
         "type": "github"
       },
       "original": {
@@ -95,11 +214,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1737672001,
-        "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=",
+        "lastModified": 1738277201,
+        "narHash": "sha256-6L+WXKCw5mqnUIExvqkD99pJQ41xgyCk6z/H9snClwk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8",
+        "rev": "666e1b3f09c267afd66addebe80fb05a5ef2b554",
         "type": "github"
       },
       "original": {
@@ -111,11 +230,11 @@
     },
     "nixpkgs-qbt": {
       "locked": {
-        "lastModified": 1728358927,
-        "narHash": "sha256-8SUsg/Nmn8aEURRdZwxKKNnz22zRMyNwNoP1+aWnhlg=",
+        "lastModified": 1738103934,
+        "narHash": "sha256-MhDdcDDdK2uscLU370r3V9PQcejx+2LVbMG8bjCXMb0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ed446194bbf78795e4ec2d004da093116c93653f",
+        "rev": "4f4706686c921ef202712a00da1c96f0100f6921",
         "type": "github"
       },
       "original": {
@@ -125,9 +244,54 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
+        "disko": "disko",
         "home-manager": "home-manager",
+        "lanzaboote": "lanzaboote",
         "nix-minecraft": "nix-minecraft",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
@@ -135,6 +299,27 @@
         "vpn-confinement": "vpn-confinement"
       }
     },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -4,6 +4,11 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
 
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 
     nix-minecraft = {
@@ -19,6 +24,11 @@
       url = "github:nix-community/home-manager/release-24.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs =
@@ -29,16 +39,20 @@
       vpn-confinement,
       nixpkgs-qbt,
       home-manager,
+      lanzaboote,
+      disko,
       ...
     }@inputs:
     let
       username = "primary";
       hostname = "muffin";
-      eth_interface = "enp3s0";
+      eth_interface = "enp4s0";
 
       service_configs = rec {
+        zpool = "tank";
         hdd_path = "/mnt/hdd";
         services_dir = "/tank/services";
+        torrent_group = "media";
 
         # TODO: add checks to make sure none of these collide
         ports = {
@@ -48,6 +62,7 @@
           ollama = 11434;
           bitmagnet = 3333;
           owntracks = 3825;
+          gitea = 2283;
         };
 
         https = {
@@ -55,6 +70,7 @@
           data_dir = services_dir + "/http";
           domain = "gardling.com";
           wg_ip = "192.168.15.1";
+          matrix_hostname = "matrix.${service_configs.https.domain}";
         };
 
         gitea = {
@@ -102,6 +118,8 @@
         };
         modules =
           [
+            ./disk-config.nix
+            disko.nixosModules.disko
             ./configuration.nix
 
             vpn-confinement.nixosModules.default
@@ -115,6 +133,8 @@
               nixpkgs.overlays = [ nix-minecraft.overlay ];
             }
 
+            lanzaboote.nixosModules.lanzaboote
+
             home-manager.nixosModules.home-manager
             (
               {

hardware.nix

@@ -17,20 +17,6 @@
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/f467d1e8-5f00-40ee-aa67-55a999181918";
-    fsType = "ext4";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/96DC-6E54";
-    fsType = "vfat";
-    options = [
-      "fmask=0022"
-      "dmask=0022"
-    ];
-  };
-
   # 3tb HDD
   fileSystems.${service_configs.hdd_path} = {
     device = "/dev/disk/by-uuid/f69b8c84-20ca-448f-b580-8951f20b9fc1";

services/bitmagnet.nix

@@ -1,4 +1,9 @@
-{ pkgs, service_configs, ... }:
+{
+  pkgs,
+  service_configs,
+  config,
+  ...
+}:
 {
   vpnNamespaces.wg = {
     portMappings = [
@@ -30,6 +35,14 @@
     };
   };
 
+  services.caddy.virtualHosts.
+
+  "bitmagnet.${service_configs.https.domain}".extraConfig =
+    ''
+      # tls internal
+      ${builtins.readFile ../secrets/caddy_auth}
+      reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet}
+    '';
   systemd.services.bitmagnet.vpnConfinement = {
     enable = true;
     vpnNamespace = "wg";

services/caddy.nix

@@ -5,9 +5,6 @@
   pkgs,
   ...
 }:
-let
-  matrix_hostname = "matrix.${service_configs.https.domain}";
-in
 {
   services.caddy = {
     enable = true;
@@ -15,12 +12,6 @@ in
     virtualHosts = {
       ${service_configs.https.domain} = {
         extraConfig = ''
-
-          header /.well-known/matrix/* Content-Type application/json
-          header /.well-known/matrix/* Access-Control-Allow-Origin *
-          respond /.well-known/matrix/server `{"m.server": "${matrix_hostname}:443"}`
-          respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${matrix_hostname}"},"m.homeserver":{"base_url":"https://${matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}`
-
           root * ${service_configs.https.data_dir}
           file_server browse
         '';
@@ -28,57 +19,16 @@ in
         serverAliases = [ "www.${service_configs.https.domain}" ];
       };
 
-      "immich.${service_configs.https.domain}".extraConfig = ''
-        reverse_proxy :${builtins.toString config.services.immich.port}
-      '';
-
-      "jellyfin.${service_configs.https.domain}".extraConfig = ''
-        reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
-        request_body {
-        	max_size 4096MB
-        }
-      '';
-
-      "${service_configs.gitea.domain}".extraConfig = ''
-        reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
-      '';
-
-      "bitmagnet.${service_configs.https.domain}".extraConfig = ''
-        # tls internal
-        ${import ../secrets/caddy_auth.nix}
-        reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet}
-      '';
-
-      "torrent.${service_configs.https.domain}".extraConfig = ''
-        # tls internal
-        ${import ../secrets/caddy_auth.nix}
-        reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.torrent}
-      '';
-
       "map.${service_configs.https.domain}".extraConfig = ''
         # tls internal
         root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web
         file_server browse
       '';
-
-      "${matrix_hostname}".extraConfig = ''
-        reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port}
-      '';
-
-      # Exact duplicate of matrix.DOMAIN_NAME
-      "${matrix_hostname}:8448".extraConfig =
-        config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name
-        }".extraConfig;
-
-      "owntracks.${service_configs.https.domain}".extraConfig = ''
-        ${import ../secrets/owntracks_caddy_auth.nix}
-        reverse_proxy :${builtins.toString service_configs.ports.owntracks}
-      '';
     };
   };
 
   systemd.tmpfiles.rules = [
-    "d ${service_configs.https.data_dir} g+rwx ${config.services.caddy.user} ${config.services.caddy.group}"
+    "d ${service_configs.https.data_dir} 770 ${config.services.caddy.user} ${config.services.caddy.group}"
   ];
 
   systemd.packages = with pkgs; [ nssTools ];

services/gitea.nix

@@ -18,7 +18,7 @@
       server = {
         DOMAIN = service_configs.gitea.domain;
         ROOT_URL = "https://" + config.services.gitea.settings.server.DOMAIN;
-        HTTP_PORT = 3281;
+        HTTP_PORT = service_configs.ports.gitea;
         LANDING_PAGE = "/explore/repos";
       };
       session = {
@@ -30,8 +30,12 @@
     };
   };
 
+  services.caddy.virtualHosts."${service_configs.gitea.domain}".extraConfig = ''
+    reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
+  '';
+
   systemd.tmpfiles.rules = [
-    "d ${config.services.gitea.stateDir} 0750 ${config.services.gitea.user} ${config.services.gitea.group}"
+    "d ${config.services.gitea.stateDir} 0770 ${config.services.gitea.user} ${config.services.gitea.group}"
   ];
 
   services.postgresql = {

services/immich.nix

@@ -2,6 +2,7 @@
   service_configs,
   pkgs,
   config,
+  username,
   ...
 }:
 {
@@ -16,8 +17,12 @@
     };
   };
 
+  services.caddy.virtualHosts."immich.${service_configs.https.domain}".extraConfig = ''
+    reverse_proxy :${builtins.toString config.services.immich.port}
+  '';
+
   systemd.tmpfiles.rules = [
-    "d ${config.services.immich.mediaLocation} 0750 ${config.services.immich.user} ${config.services.immich.group}"
+    "d ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}"
   ];
 
   environment.systemPackages = with pkgs; [
@@ -28,4 +33,8 @@
     "video"
     "render"
   ];
+
+  users.users.${username}.extraGroups = [
+    config.services.immich.group
+  ];
 }

services/jellyfin.nix

@@ -22,14 +22,22 @@
     cacheDir = dataDir + "_cache";
   };
 
+  services.caddy.virtualHosts."jellyfin.${service_configs.https.domain}".extraConfig = ''
+    reverse_proxy :${builtins.toString service_configs.ports.jellyfin}
+    request_body {
+    	max_size 4096MB
+    }
+  '';
+
   systemd.tmpfiles.rules = [
-    "d ${config.services.jellyfin.dataDir} 0750 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
-    "d ${config.services.jellyfin.cacheDir} 0750 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
+    "d ${config.services.jellyfin.dataDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
+    "d ${config.services.jellyfin.cacheDir} 0770 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
   ];
 
   users.users.${config.services.jellyfin.user}.extraGroups = [
     "video"
     "render"
+    service_configs.torrent_group
   ];
 
   users.users.${username}.extraGroups = [

services/matrix.nix

@@ -2,6 +2,7 @@
   pkgs,
   config,
   service_configs,
+  lib,
   ...
 }:
 {
@@ -9,6 +10,22 @@
     ../secrets/matrix_reg_token.nix
   ];
 
+  services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore ''
+    header /.well-known/matrix/* Content-Type application/json
+    header /.well-known/matrix/* Access-Control-Allow-Origin *
+    respond /.well-known/matrix/server `{"m.server": "${service_configs.https.matrix_hostname}:443"}`
+    respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${service_configs.https.matrix_hostname}"},"m.homeserver":{"base_url":"https://${service_configs.https.matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}`
+  '';
+
+  services.caddy.virtualHosts."${service_configs.https.matrix_hostname}".extraConfig = ''
+    reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port}
+  '';
+
+  # Exact duplicate
+  services.caddy.virtualHosts."${service_configs.https.matrix_hostname}:8448".extraConfig =
+    config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name
+    }".extraConfig;
+
   services.matrix-conduit = {
     enable = true;
     package = pkgs.conduwuit;
@@ -34,6 +51,6 @@
   };
 
   systemd.tmpfiles.rules = [
-    "d /var/lib/private/matrix-conduit 0750 conduit conduit"
+    "d /var/lib/private/matrix-conduit 0770 conduit conduit"
   ];
 }

services/minecraft.nix

@@ -9,6 +9,13 @@ let
   heap_size = "4000M";
 in
 {
+  environment.systemPackages = [
+    (pkgs.writeScriptBin "mc-console" ''
+      #!/bin/sh
+      ${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach
+    '')
+  ];
+
   nixpkgs.config.allowUnfreePredicate =
     pkg:
     builtins.elem (lib.getName pkg) [
@@ -44,8 +51,8 @@ in
           with pkgs;
           builtins.attrValues {
             FabricApi = fetchurl {
-              url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
-              sha512 = "24ed904096a17f65ef2ee4b04e076df2df076bd7748c838573cf97f5b38d2353bf62fe202779fb0c8372a82fb1133e16ce1fba585e2ec5aa5a5164203e785072";
+              url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/S6sAWXmr/fabric-api-0.115.0%2B1.21.4.jar";
+              sha512 = "abb2b28e9b874adfc82c3c87ddf348e2e98adc5153aed7ae5bcaddf5b1d8bd98982a052ab91411b7fad3bbdffc5d788be60d22b9c95dd21e62b96ea49aa404ca";
             };
 
             FerriteCore = fetchurl {
@@ -64,8 +71,8 @@ in
             };
 
             moonrise = fetchurl {
-              url = "https://cdn.modrinth.com/data/KOHu7RCS/versions/a8Zqa1bJ/Moonrise-Fabric-0.2.0-beta.7%2B6ec14ff.jar";
-              sha512 = "4ebc97764038aebd0b4bc5f6b25f9356419cf32f6c8bd64016665d9aad5c9f79ca9df2decac3038f7f713ff595c2b3286b3a1eb4d6debcd6639a52556416581a";
+              url = "https://cdn.modrinth.com/data/KOHu7RCS/versions/J5ayzvZp/Moonrise-Fabric-0.2.0-beta.8%2B0cbff02.jar";
+              sha512 = "d6f8b698226ebfcd87635cc2796022b0dad030f1d9ff5fd77d184b729c4d0c1f7dcfd265ab0f80186178c8c89fbdce20407b1025af05edec8c4a4f8df605ebf6";
             };
 
             squaremap = fetchurl {
@@ -84,7 +91,7 @@ in
   };
 
   systemd.tmpfiles.rules = [
-    "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0750 minecraft minecraft"
+    "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0770 minecraft minecraft"
   ];
 
   users.users.${username}.extraGroups = [

services/owntracks.nix

@@ -1,4 +1,9 @@
-{ pkgs, service_configs, ... }:
+{
+  pkgs,
+  service_configs,
+  username,
+  ...
+}:
 let
   owntracks_pkg = pkgs.owntracks-recorder.overrideAttrs (old: {
     installPhase =
@@ -29,6 +34,15 @@ in
   };
 
   systemd.tmpfiles.rules = [
-    "d ${service_configs.owntracks.data_dir} 0750 owntracks owntracks"
+    "d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks"
+  ];
+
+  services.caddy.virtualHosts."owntracks.${service_configs.https.domain}".extraConfig = ''
+    ${builtins.readFile ../secrets/owntracks_caddy_auth}
+    reverse_proxy :${builtins.toString service_configs.ports.owntracks}
+  '';
+
+  users.users.${username}.extraGroups = [
+    "owntracks"
   ];
 }

services/postgresql.nix

@@ -0,0 +1,21 @@
+{
+  pkgs,
+  config,
+  username,
+  ...
+}:
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_16;
+    dataDir = "/tank/services/sql";
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${config.services.postgresql.dataDir} 0700 postgresql postgresql"
+  ];
+
+  users.users.${username}.extraGroups = [
+    "postgresql"
+  ];
+}

services/qbittorrent.nix

@@ -3,6 +3,7 @@
   config,
   service_configs,
   username,
+  lib,
   ...
 }:
 {
@@ -53,24 +54,36 @@
       Session = {
         GlobalUPSpeedLimit = 500; # in KiB/s
         GlobalDLSpeedLimit = 0;
+        IgnoreLimitsOnLAN = true;
 
         # Including overhead in limits ruins download because download
         # uses upload to communicate with seeders
         IncludeOverheadInLimits = false;
 
-        GlobalMaxRatio = 2;
-        QueueingSystemEnabled = false; # seed all torrents all the timei
+        GlobalMaxRatio = 3;
+        QueueingSystemEnabled = false; # seed all torrents all the time
 
-        # add a few trackers TODO! add a script so I can just do a list
         AddTrackersEnabled = true;
-        AdditionalTrackers = "udp://tracker.opentrackr.org:1337/announce\\nudp://open.stealth.si:80/announce\\nudp://open.demonii.com:1337\\nudp://exodus.desync.com:6969/announce";
+        AdditionalTrackers = (
+          lib.concatStrings (
+            map (url: url + "\\n") [
+              "udp://tracker.opentrackr.org:1337/announce"
+              "udp://open.stealth.si:80/announce"
+              "udp://open.demonii.com:1337"
+              "udp://exodus.desync.com:6969/announce"
+              "udp://tracker.dler.org:6969/announce"
+              "udp://tracker.bittor.pw:1337/announce"
+              "udp://tracker.torrent.eu.org:451/announce"
+            ]
+          )
+        );
       };
     };
   };
 
   systemd.tmpfiles.rules = [
-    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
-    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
+    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.torrent_group}"
+    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0770 ${config.services.qbittorrent.user} ${service_configs.torrent_group}"
   ];
 
   # make qbittorrent use a vpn
@@ -79,6 +92,16 @@
     vpnNamespace = "wg";
   };
 
+  services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = ''
+    # tls internal
+    ${builtins.readFile ../secrets/caddy_auth}
+    reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString config.services.qbittorrent.webuiPort}
+  '';
+
+  users.users.${config.services.qbittorrent.user}.extraGroups = [
+    service_configs.torrent_group
+  ];
+
   users.users.${username}.extraGroups = [
     config.services.qbittorrent.group
   ];

zfs.nix

@@ -0,0 +1,28 @@
+{
+  service_configs,
+  pkgs,
+  ...
+}:
+let
+  zfs-key = "/etc/zfs-key";
+in
+{
+  system.activationScripts = {
+    "zfs-key".text = ''
+      #!/bin/sh
+      rm -fr ${zfs-key} || true
+      cp ${./secrets/zfs-key} ${zfs-key}
+    '';
+  };
+
+  boot.zfs.package = pkgs.zfs_unstable;
+  boot.initrd.kernelModules = [ "zfs" ];
+
+  boot.kernelParams = [
+    # 2048MB
+    "zfs.zfs_arc_max=2048000000"
+  ];
+
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.extraPools = [ service_configs.zpool ];
+}