whatever

hosts/abacus/authorized-keys.nix

@@ -1,4 +1,5 @@
-{config, ...}: {
+{ config, ... }:
+{
   users.users.root.openssh.authorizedKeys.keys = [
     config.pubkeys.hosts.vessel
   ];

hosts/abacus/filesystems.nix

@@ -1,14 +1,15 @@
-{config, ...}: {
+{ config, ... }:
+{
   fileSystems = {
     "/" = {
       fsType = "ext4";
       label = "main";
-      options = ["noatime"];
+      options = [ "noatime" ];
     };
     ${config.services.navidrome.settings.MusicFolder} = {
       label = "music";
       fsType = "ext4";
-      options = ["noatime"];
+      options = [ "noatime" ];
     };
   };
 }

hosts/abacus/forgejo.nix

@@ -3,9 +3,11 @@
   lib,
   pkgs,
   ...
-}: let
+}:
+let
   virtualHostName = "forgejo.helveticanonstandard.net";
-in {
+in
+{
   age.secrets = lib.mkSecrets {
     forgejo-mailer = {
       mode = "400";
@@ -19,6 +21,7 @@ in {
 
   services.forgejo = {
     enable = true;
+    package = pkgs.forgejo;
     database.type = "postgres";
     lfs.enable = true;
     settings = {
@@ -51,25 +54,28 @@ in {
     secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer.path;
   };
 
+  # TODO what
   systemd.services.forgejo.preStart = lib.getExe pkgs.writeShellApplication {
     name = "forgejo-init-admin";
     runtimeInputs = [
       config.services.forgejo.package
     ];
-    text = let
-      passwordFile = config.age.secrets.forgejo-admin.path;
-    in ''
-      admins=$(admin user list --admin)
-      admins=$((admins - 1))
+    text =
+      let
+        passwordFile = config.age.secrets.forgejo-admin.path;
+      in
+      ''
+        admins=$(admin user list --admin)
+        admins=$((admins - 1))
 
-      if ((admins < 1)); then
-        gitea admin user create \
-          --admin \
-          --email helvetica@helveticanonstandard.net \
-          --username helvetica \
-          --password "$(cat -- ${passwordFile})"
-      fi
-    '';
+        if ((admins < 1)); then
+          gitea admin user create \
+            --admin \
+            --email helvetica@helveticanonstandard.net \
+            --username helvetica \
+            --password "$(cat -- ${passwordFile})"
+        fi
+      '';
   };
 
   services.nginx.virtualHosts.${virtualHostName} = {
@@ -80,9 +86,11 @@ in {
       client_max_body_size 512M;
     '';
 
-    locations."/".proxyPass = let
-      host = config.services.forgejo.settings.server.HTTP_ADDR;
-      port = builtins.toString config.services.forgejo.settings.server.HTTP_PORT;
-    in "http://${host}:${port}";
+    locations."/".proxyPass =
+      let
+        host = config.services.forgejo.settings.server.HTTP_ADDR;
+        port = builtins.toString config.services.forgejo.settings.server.HTTP_PORT;
+      in
+      "http://${host}:${port}";
   };
 }

hosts/abacus/hardware.nix

@@ -1,11 +1,18 @@
-{modulesPath, ...}: {
+{ modulesPath, ... }:
+{
   imports = [
     "${modulesPath}/profiles/qemu-guest.nix"
   ];
 
   nixpkgs.hostPlatform = "aarch64-linux";
 
-  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "usbhid"
+    "sr_mod"
+  ];
 
   powerManagement.cpuFreqGovernor = "performance";
 }

hosts/abacus/headscale.nix

@@ -1,6 +1,8 @@
-{config, ...}: let
+{ config, ... }:
+let
   virtualHostName = "headscale.helveticanonstandard.net";
-in {
+in
+{
   services.headscale = {
     enable = true;
     address = "127.0.0.1";
@@ -16,10 +18,12 @@ in {
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = let
-        host = config.services.headscale.address;
-        port = builtins.toString config.services.headscale.port;
-      in "http://${host}:${port}";
+      proxyPass =
+        let
+          host = config.services.headscale.address;
+          port = builtins.toString config.services.headscale.port;
+        in
+        "http://${host}:${port}";
       proxyWebsockets = true;
     };
   };

hosts/abacus/mealie.nix

@@ -1,6 +1,8 @@
-{config, ...}: let
+{ config, ... }:
+let
   virtualHostName = "mealie.helveticanonstandard.net";
-in {
+in
+{
   services.mealie = {
     enable = true;
     settings = {
@@ -15,9 +17,11 @@ in {
     enableACME = true;
     forceSSL = true;
 
-    locations."/".proxyPass = let
-      host = config.services.mealie.listenAddress;
-      port = builtins.toString config.services.mealie.port;
-    in "http://${host}:${port}";
+    locations."/".proxyPass =
+      let
+        host = config.services.mealie.listenAddress;
+        port = builtins.toString config.services.mealie.port;
+      in
+      "http://${host}:${port}";
   };
 }

hosts/abacus/navidrome.nix

@@ -1,6 +1,8 @@
-{config, ...}: let
+{ config, ... }:
+let
   virtualHostName = "navidrome.helveticanonstandard.net";
-in {
+in
+{
   services.navidrome = {
     enable = true;
     settings = {
@@ -15,9 +17,11 @@ in {
     enableACME = true;
     forceSSL = true;
 
-    locations."/".proxyPass = let
-      host = config.services.navidrome.settings.Address;
-      port = builtins.toString config.services.navidrome.settings.Port;
-    in "http://${host}:${port}";
+    locations."/".proxyPass =
+      let
+        host = config.services.navidrome.settings.Address;
+        port = builtins.toString config.services.navidrome.settings.Port;
+      in
+      "http://${host}:${port}";
   };
 }

hosts/abacus/networking.nix

@@ -0,0 +1,23 @@
+{
+  networking =
+    let
+      interface = "enp1s0";
+    in
+    {
+      domain = "wrz.one";
+      interfaces.${interface}.ipv6.addresses = [
+        {
+          address = "2a01:4f9:c012:92b5::2";
+          prefixLength = 64;
+        }
+      ];
+      defaultGateway6 = {
+        address = "fe80::1";
+        inherit interface;
+      };
+      firewall.allowedTCPPorts = [
+        80
+        443
+      ];
+    };
+}

hosts/abacus/nginx.nix

@@ -0,0 +1,32 @@
+{
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    commonHttpConfig = ''
+      error_log stderr;
+      access_log /var/log/nginx/access.log;
+    '';
+
+    virtualHosts =
+      let
+        matchAll = ''~.*'';
+        matchWww = ''~^www\.(?<domain>.+)$'';
+      in
+      {
+        # Redirect anything that doesn't match any server name to networking.domain
+        ${matchAll} = {
+          default = true;
+          rejectSSL = true;
+
+          globalRedirect = "wrz.one";
+        };
+        # Redirect www to non-www
+        ${matchWww}.globalRedirect = "$domain";
+      };
+  };
+}

hosts/abacus/restic.nix

@@ -0,0 +1,41 @@
+{
+  attrName,
+  config,
+  lib,
+  ...
+}:
+let
+  secretName = "restic-${attrName}";
+  secret = config.age.secrets.${secretName};
+in
+{
+  age.secrets = lib.mkSecrets { ${secretName} = { }; };
+
+  services.restic.backups.remote = {
+    repository = "sftp:u459482@u459482.your-storagebox.de:/${attrName}";
+    initialize = true;
+    paths = [
+      config.services.vaultwarden.backupDir
+      config.services.syncthing.dataDir
+      config.services.forgejo.stateDir
+      config.services.postgresqlBackup.location
+      config.services.postgresqlBackup.location
+      # TODO: Add stateDir options for these
+      "/var/lib/headscale"
+      "/var/lib/navidrome"
+    ];
+    passwordFile = secret.path;
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 12"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 03:00:00";
+      Persistent = true;
+    };
+    extraOptions = [
+      "sftp.args='-i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"
+    ];
+  };
+}

hosts/abacus/static-sites.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  parent = "/var/www";
+  sites = [
+    "wrz.one"
+    "helveticanonstandard.net"
+  ];
+in
+lib.mkMerge (
+  map (
+    virtualHostName:
+    let
+      root = "${parent}/${virtualHostName}";
+    in
+    {
+      services.nginx.virtualHosts.${virtualHostName} = {
+        enableACME = true;
+        forceSSL = true;
+
+        inherit root;
+      };
+
+      systemd.tmpfiles.settings."10-static-sites".${root}.d = {
+        user = config.users.mainUser;
+        group = "users";
+        mode = "0755";
+      };
+    }
+  ) sites
+)

hosts/abacus/vaultwarden.nix

@@ -2,11 +2,13 @@
   config,
   lib,
   ...
-}: let
+}:
+let
   virtualHostName = "vault.wrz.one";
   backupDir = "/srv/backup/vaultwarden";
-in {
-  age.secrets = lib.mkSecrets {vaultwarden = {};};
+in
+{
+  age.secrets = lib.mkSecrets { vaultwarden = { }; };
 
   services.vaultwarden = {
     enable = true;
@@ -37,10 +39,12 @@ in {
     forceSSL = true;
 
     locations."/" = {
-      proxyPass = let
-        host = config.services.vaultwarden.config.ROCKET_ADDRESS;
-        port = builtins.toString config.services.vaultwarden.config.ROCKET_PORT;
-      in "http://${host}:${port}";
+      proxyPass =
+        let
+          host = config.services.vaultwarden.config.ROCKET_ADDRESS;
+          port = builtins.toString config.services.vaultwarden.config.ROCKET_PORT;
+        in
+        "http://${host}:${port}";
       proxyWebsockets = true;
     };
   };

hosts/flamingo/filesystems.nix

@@ -4,6 +4,6 @@
   fileSystems."/" = {
     fsType = "ext4";
     device = "/dev/mapper/main";
-    options = ["noatime"];
+    options = [ "noatime" ];
   };
 }

hosts/flamingo/hardware.nix

@@ -2,7 +2,8 @@
   inputs,
   modulesPath,
   ...
-}: {
+}:
+{
   imports = [
     "${modulesPath}/installer/scan/not-detected.nix"
 
@@ -12,8 +13,13 @@
   nixpkgs.hostPlatform = "x86_64-linux";
 
   boot = {
-    initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
-    kernelModules = ["kvm-intel"];
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "nvme"
+      "usb_storage"
+      "sd_mod"
+    ];
+    kernelModules = [ "kvm-intel" ];
   };
 
   powerManagement.cpuFreqGovernor = "powersave";

hosts/glacier/filesystems.nix

@@ -4,6 +4,6 @@
   fileSystems."/" = {
     fsType = "ext4";
     device = "/dev/mapper/main";
-    options = ["noatime"];
+    options = [ "noatime" ];
   };
 }

hosts/glacier/hardware.nix

@@ -2,7 +2,8 @@
   inputs,
   modulesPath,
   ...
-}: {
+}:
+{
   imports = [
     "${modulesPath}/installer/scan/not-detected.nix"
 
@@ -15,11 +16,18 @@
 
   boot = {
     initrd = {
-      availableKernelModules = ["nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
-      kernelModules = ["amdgpu"];
+      availableKernelModules = [
+        "nvme"
+        "ahci"
+        "xhci_pci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ "amdgpu" ];
     };
-    kernelModules = ["kvm-amd"];
-    binfmt.emulatedSystems = ["aarch64-linux"];
+    kernelModules = [ "kvm-amd" ];
+    binfmt.emulatedSystems = [ "aarch64-linux" ];
   };
 
   powerManagement.cpuFreqGovernor = "performance";

hosts/glacier/profiles.nix

@@ -0,0 +1,9 @@
+{
+  profiles = {
+    desktop = true;
+    emulation = true;
+    gaming = true;
+    piracy = true;
+    productivity = true;
+  };
+}

hosts/headful/flamingo/libreoffice.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "org.libreoffice.LibreOffice"
-  ];
-}

hosts/headful/flamingo/librewolf.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "io.gitlab.librewolf-community"
-  ];
-}

hosts/headful/flamingo/mpv.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "io.mpv.Mpv"
-  ];
-}

hosts/headful/flamingo/supersonic.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "io.github.dweymouth.supersonic"
-  ];
-}

hosts/headful/glacier/gimp.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "org.gimp.GIMP"
-  ];
-}

hosts/headful/glacier/inkscape.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "org.inkscape.Inkscape"
-  ];
-}

hosts/headful/glacier/lanzaboote.nix

@@ -1,3 +0,0 @@
-{
-  setups.secureBoot.enable = true;
-}

hosts/headful/glacier/libreoffice.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "org.libreoffice.LibreOffice"
-  ];
-}

hosts/headful/glacier/librewolf.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "io.gitlab.librewolf-community"
-  ];
-}

hosts/headful/glacier/mpv.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "io.mpv.Mpv"
-  ];
-}

hosts/headful/glacier/steam.nix

@@ -1,6 +0,0 @@
-{
-  services.flatpak.packages = [
-    "com.valvesoftware.Steam"
-    "com.github.Matoking.protontricks"
-  ];
-}

hosts/headful/glacier/supersonic.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "io.github.dweymouth.supersonic"
-  ];
-}

hosts/headful/insomniac/cosmic.nix

@@ -1,17 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  services.greetd.settings.initial_session = {
-    user = config.users.mainUser;
-    command = ''
-      ${lib.getExe' pkgs.coreutils "env"} XCURSOR_THEME="''${XCURSOR_THEME:-Pop}" systemd-cat --identifier start-cosmic ${lib.getExe' pkgs.cosmic-session "start-cosmic"}
-    '';
-  };
-
-  environment.cosmic.excludePackages = [
-    pkgs.cosmic-store
-  ];
-}

hosts/headful/insomniac/dolphin.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "org.DolphinEmu.dolphin-emu"
-  ];
-}

hosts/headful/insomniac/flatpak.nix

@@ -1,6 +0,0 @@
-{
-  services.flatpak.update.auto = {
-    enable = true;
-    onCalendar = "weekly";
-  };
-}

hosts/headful/insomniac/freetube.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "io.freetubeapp.FreeTube"
-  ];
-}

hosts/headful/insomniac/rmg.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "com.github.Rosalie241.RMG"
-  ];
-}

hosts/headful/insomniac/steam.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "com.valvesoftware.Steam"
-  ];
-}

hosts/headful/insomniac/supersonic.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "io.github.dweymouth.supersonic"
-  ];
-}

hosts/headful/work/kubectl.nix

@@ -1,6 +0,0 @@
-{pkgs, ...}: {
-  environment.systemPackages = [
-    pkgs.kubectl
-    pkgs.awscli
-  ];
-}

hosts/headful/work/php.nix

@@ -1,95 +0,0 @@
-{
-  lib,
-  inputs,
-  pkgs,
-  ...
-}: let
-  supportedPhps = [
-    "php72"
-    "php73"
-    "php74"
-    "php80"
-    "php81"
-    "php82"
-    "php83"
-    "php84"
-  ];
-
-  selectedPhp = lib.last supportedPhps;
-
-  extraConfig = ''
-    memory_limit = -1
-
-    xdebug.mode = develop,coverage,gcstats,profile,debug,trace
-    xdebug.discover_client_host = 1
-    xdebug.client_host = localhost
-  '';
-
-  # Wrap all PHP versions with the extensions I need and bundle composer
-  phps = lib.genAttrs supportedPhps (
-    phpName: let
-      phpBase = inputs.phps.packages.${pkgs.system}.${phpName};
-      phpWithEnv = phpBase.buildEnv {
-        extensions = {
-          enabled,
-          all,
-        }:
-          enabled
-          ++ [all.xdebug]
-          ++ (
-            if (lib.versionAtLeast phpBase.version "8")
-            then [all.amqp]
-            else []
-          );
-        inherit extraConfig;
-      };
-      phpWithTools = pkgs.symlinkJoin {
-        inherit (phpWithEnv) name version meta passthru;
-        paths = [
-          phpWithEnv
-          phpWithEnv.packages.composer
-        ];
-      };
-    in
-      phpWithTools
-  );
-
-  prefix = "/var/lib/phps";
-
-  # Tell Symfony's CLI where it can access the different PHP versions
-  symfony-cli = let
-    package = pkgs.symfony-cli;
-  in
-    pkgs.symlinkJoin {
-      inherit (package) pname version meta;
-
-      paths = [package];
-
-      buildInputs = [pkgs.makeWrapper];
-
-      postBuild = ''
-        wrapProgram $out/bin/${package.meta.mainProgram} \
-          --suffix PATH : ${pkgs.lib.makeBinPath (
-          builtins.attrValues phps
-        )}
-      '';
-    };
-in {
-  nix.settings = {
-    substituters = ["https://fossar.cachix.org/"];
-    trusted-public-keys = ["fossar.cachix.org-1:Zv6FuqIboeHPWQS7ysLCJ7UT7xExb4OE8c4LyGb5AsE="];
-  };
-
-  # Link PHP installations so that PhpStorm knows about them
-  systemd.tmpfiles.settings =
-    builtins.mapAttrs (name: drv: {
-      "${prefix}/${name}"."L+".argument = drv.outPath;
-    })
-    phps;
-
-  environment.systemPackages = [
-    pkgs.jetbrains.phpstorm
-    phps.${selectedPhp}
-    symfony-cli
-  ];
-}

hosts/headful/work/supersonic.nix

@@ -1,5 +0,0 @@
-{
-  services.flatpak.packages = [
-    "io.github.dweymouth.supersonic"
-  ];
-}

hosts/headful/work/syncthing.nix

@@ -1,3 +0,0 @@
-{lib, ...}: {
-  services.syncthing.enable = lib.mkForce false;
-}

hosts/headless/abacus/backup.nix

@@ -1,30 +0,0 @@
-{
-  attrName,
-  config,
-  lib,
-  ...
-}: {
-  age.secrets = lib.mkSecrets {"restic-${attrName}" = {};};
-
-  services.restic.backups.${attrName} = {
-    repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
-    initialize = true;
-    paths = [
-      config.services.vaultwarden.backupDir
-      config.services.syncthing.dataDir
-      config.services.forgejo.stateDir
-      config.services.postgresqlBackup.location
-      config.services.postgresqlBackup.location
-      # TODO: Add stateDir options for these
-      "/var/lib/headscale"
-      "/var/lib/navidrome"
-    ];
-    passwordFile = config.age.secrets."restic-${attrName}".path;
-    pruneOpts = ["--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12"];
-    timerConfig = {
-      OnCalendar = "*-*-* 03:00:00";
-      Persistent = true;
-    };
-    extraOptions = ["sftp.args='-i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"];
-  };
-}

hosts/headless/abacus/networking.nix

@@ -1,18 +0,0 @@
-{
-  networking = let
-    interface = "enp1s0";
-  in {
-    domain = "wrz.one";
-    interfaces.${interface}.ipv6.addresses = [
-      {
-        address = "2a01:4f9:c012:92b5::2";
-        prefixLength = 64;
-      }
-    ];
-    defaultGateway6 = {
-      address = "fe80::1";
-      inherit interface;
-    };
-    firewall.allowedTCPPorts = [80 443];
-  };
-}

hosts/headless/abacus/nginx.nix

@@ -1,30 +0,0 @@
-{
-  services.nginx = {
-    enable = true;
-
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
-    commonHttpConfig = ''
-      error_log stderr;
-      access_log /var/log/nginx/access.log;
-    '';
-
-    virtualHosts = let
-      matchAll = ''~.*'';
-      matchWww = ''~^www\.(?<domain>.+)$'';
-    in {
-      # Redirect anything that doesn't match any server name to networking.domain
-      ${matchAll} = {
-        default = true;
-        rejectSSL = true;
-
-        globalRedirect = "wrz.one";
-      };
-      # Redirect www to non-www
-      ${matchWww}.globalRedirect = "$domain";
-    };
-  };
-}

hosts/headless/abacus/static-sites.nix

@@ -1,32 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  parent = "/var/www";
-  sites = [
-    "wrz.one"
-    "helveticanonstandard.net"
-  ];
-in
-  lib.mkMerge (
-    map (
-      virtualHostName: let
-        root = "${parent}/${virtualHostName}";
-      in {
-        services.nginx.virtualHosts.${virtualHostName} = {
-          enableACME = true;
-          forceSSL = true;
-
-          inherit root;
-        };
-
-        systemd.tmpfiles.settings."10-static-sites".${root}.d = {
-          user = config.users.mainUser;
-          group = "users";
-          mode = "0755";
-        };
-      }
-    )
-    sites
-  )

hosts/headless/vessel/backup.nix

@@ -1,61 +0,0 @@
-{
-  attrName,
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  backups = {
-    music = "/srv/music";
-    safe = "/srv/safe";
-    storage = "/srv/storage";
-    sync = config.services.syncthing.dataDir;
-  };
-in {
-  systemd = lib.mkMerge (map (
-    backupName: let
-      systemdName = "${backupName}-backup";
-    in {
-      timers.${systemdName} = {
-        description = "Local rsync Backup ${backupName}";
-        wantedBy = ["timers.target"];
-        timerConfig = {
-          OnCalendar = "*-*-* 03:00:00"; # TODO
-          Persistent = true;
-          Unit = "${systemdName}.service"; # TODO
-        };
-      };
-
-      services.${systemdName} = {
-        description = "Local rsync Backup ${backupName}";
-        serviceConfig = {
-          Type = "oneshot";
-          User = "root";
-          Group = "root";
-        };
-        # TODO
-        script = ''
-          ${lib.getExe pkgs.rsync} --verbose --verbose --archive --update --delete --mkpath -- ${backups.${backupName}}/ /srv/backup/${backupName}/
-        '';
-      };
-    }
-  ) (lib.attrNames backups));
-
-  age.secrets = lib.mkSecrets {"restic-${attrName}" = {};};
-
-  services.restic.backups.${attrName} = {
-    repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
-    initialize = true;
-    paths = [
-      backups.safe
-      backups.sync
-    ];
-    passwordFile = config.age.secrets."restic-${attrName}".path;
-    pruneOpts = ["--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12"];
-    timerConfig = {
-      OnCalendar = "*-*-* 03:00:00"; # TODO
-      Persistent = true;
-    };
-    extraOptions = ["sftp.args='-i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"];
-  };
-}

hosts/headless/vessel/blocky.nix

@@ -1,27 +0,0 @@
-let
-  upstream = "https://one.one.one.one/dns-query";
-in {
-  services = {
-    resolved.extraConfig = "DNSStubListener=no";
-    blocky = {
-      enable = true;
-      settings = {
-        ports.dns = 53;
-        upstreams.groups.default = [upstream];
-        bootstrapDns = {
-          inherit upstream;
-          ips = ["1.1.1.1" "1.0.0.1"];
-        };
-        blocking = {
-          denylists.ads = ["https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"];
-          clientGroupsBlock.default = ["ads"];
-        };
-        caching = {
-          minTime = "5m";
-          maxTime = "30m";
-          prefetching = true;
-        };
-      };
-    };
-  };
-}

hosts/headless/vessel/filesystems.nix

@@ -1,14 +0,0 @@
-{
-  fileSystems = {
-    "/" = {
-      fsType = "ext4";
-      label = "main";
-      options = ["noatime"];
-    };
-    "/srv/backup" = {
-      label = "backup";
-      fsType = "ext4";
-      options = ["noatime"];
-    };
-  };
-}

hosts/headless/vessel/musicomp.nix

@@ -1,37 +0,0 @@
-{
-  inputs,
-  self,
-  lib,
-  pkgs,
-  ...
-}: {
-  imports = [
-    inputs.musicomp.nixosModules.default
-  ];
-
-  services.musicomp.jobs.main = {
-    music = "/srv/music";
-    comp = "/srv/compmusic";
-    timerConfig = {
-      OnCalendar = "daily";
-      Persistent = true;
-    };
-    inhibitsSleep = true;
-    post = let
-      remoteDir = self.nixosConfigurations.abacus.config.services.navidrome.settings.MusicFolder;
-      rsyncExe = lib.getExe pkgs.rsync;
-      rsh = "${lib.getExe pkgs.openssh} -i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
-    in ''
-      ${rsyncExe} \
-        --archive \
-        --recursive \
-        --delete \
-        --update \
-        --mkpath \
-        --verbose --verbose \
-        --exclude lost+found \
-        --rsh ${lib.escapeShellArg rsh} \
-        /srv/compmusic/ root@wrz.one:${remoteDir}
-    '';
-  };
-}

hosts/headless/vessel/storage.nix

@@ -1,27 +0,0 @@
-{
-  systemd.tmpfiles.settings = {
-    "10-safe"."/srv/safe".d = {
-      user = "helvetica";
-      group = "users";
-      mode = "0755";
-    };
-
-    "10-storage"."/srv/storage".d = {
-      user = "helvetica";
-      group = "users";
-      mode = "0755";
-    };
-
-    "10-music"."/srv/music".d = {
-      user = "helvetica";
-      group = "users";
-      mode = "0755";
-    };
-
-    "10-compmusic"."/srv/compmusic".d = {
-      user = "helvetica";
-      group = "users";
-      mode = "0755";
-    };
-  };
-}

hosts/insomniac/filesystems.nix

@@ -2,6 +2,6 @@
   fileSystems."/" = {
     fsType = "ext4";
     label = "main";
-    options = ["noatime"];
+    options = [ "noatime" ];
   };
 }

hosts/insomniac/freetube.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = [
+    pkgs.freetube
+  ];
+}

hosts/insomniac/hardware.nix

@@ -2,7 +2,8 @@
   inputs,
   modulesPath,
   ...
-}: {
+}:
+{
   imports = [
     "${modulesPath}/installer/scan/not-detected.nix"
 
@@ -15,10 +16,16 @@
 
   boot = {
     initrd = {
-      availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "sd_mod"];
-      kernelModules = ["amdgpu"];
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "ahci"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ "amdgpu" ];
     };
-    kernelModules = ["kvm-amd"];
+    kernelModules = [ "kvm-amd" ];
   };
 
   powerManagement.cpuFreqGovernor = "performance";

hosts/insomniac/users.nix

@@ -2,9 +2,11 @@
   config,
   lib,
   ...
-}: let
+}:
+let
   inherit (config.users) mainUser;
-in {
+in
+{
   users = {
     mainUser = lib.mkForce "insomniac";
     users.${mainUser}.description = lib.mkForce "Insomniac";

hosts/vessel/filesystems.nix

@@ -0,0 +1,24 @@
+{
+  fileSystems = {
+    "/" = {
+      label = "white";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+    "/srv/vault" = {
+      label = "black";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+    "/srv/void" = {
+      label = "green";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+    "/srv/sync" = {
+      label = "red";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+  };
+}

hosts/vessel/hardware.nix

@@ -2,7 +2,8 @@
   inputs,
   modulesPath,
   ...
-}: {
+}:
+{
   imports = [
     "${modulesPath}/installer/scan/not-detected.nix"
 
@@ -14,8 +15,15 @@
   nixpkgs.hostPlatform = "x86_64-linux";
 
   boot = {
-    initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-    kernelModules = ["kvm-intel"];
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "ahci"
+      "nvme"
+      "usbhid"
+      "usb_storage"
+      "sd_mod"
+    ];
+    kernelModules = [ "kvm-intel" ];
   };
 
   powerManagement.cpuFreqGovernor = "powersave";

hosts/vessel/musicomp.nix

@@ -0,0 +1,45 @@
+{
+  inputs,
+  self,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    inputs.musicomp.nixosModules.default
+  ];
+
+  services.musicomp.jobs.main = {
+    music = "/srv/music";
+    comp = "/srv/compmusic";
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = true;
+    };
+    inhibitsSleep = true;
+    post =
+      let
+        remoteDir = self.nixosConfigurations.abacus.config.services.navidrome.settings.MusicFolder;
+        package = pkgs.writeShellApplication {
+          name = "sync";
+          runtimeInputs = [
+            pkgs.openssh
+            pkgs.rsync
+          ];
+          text = ''
+            rsync \
+              --archive \
+              --recursive \
+              --delete \
+              --update \
+              --mkpath \
+              --verbose --verbose \
+              --rsh 'ssh -i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' \
+              /srv/void/compmusic/ root@wrz.one:${lib.escapeShellArg remoteDir}
+          '';
+        };
+      in
+      lib.getExe package;
+  };
+}

hosts/vessel/restic.nix

@@ -0,0 +1,56 @@
+{
+  attrName,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  secretName = "restic-${attrName}";
+  secret = config.age.secrets.${secretName};
+in
+{
+  age.secrets = lib.mkSecrets { ${secretName} = { }; };
+
+  services.restic.backups = {
+    local = {
+      repository = "/srv/backup/void";
+      initialize = true;
+      paths = [
+        "/srv/void"
+      ];
+      passwordFile = secret.path;
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 5"
+        "--keep-monthly 12"
+      ];
+      timerConfig = {
+        OnCalendar = "*-*-* 03:00:00";
+        Persistent = true;
+      };
+    };
+
+    remote = {
+      repository = "sftp:u459482@u459482.your-storagebox.de:/${attrName}";
+      initialize = true;
+      paths = [
+        config.services.syncthing.dataDir
+        "/srv/vault"
+      ];
+      passwordFile = secret.path;
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 5"
+        "--keep-monthly 12"
+      ];
+      timerConfig = {
+        OnCalendar = "*-*-* 03:00:00";
+        Persistent = true;
+      };
+      extraOptions = [
+        "sftp.args='-i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"
+      ];
+    };
+  };
+}

hosts/vessel/rsync.nix

@@ -0,0 +1,7 @@
+{
+  services.rsync.jobs.vault = {
+    sources = [ "/srv/vault/" ];
+    destination = "/srv/sync/";
+    inhibitsSleep = true;
+  };
+}

hosts/vessel/storage.nix

@@ -0,0 +1,16 @@
+{
+  systemd.tmpfiles.settings = {
+    music = {
+      "/srv/vault/music".d = {
+        user = "root";
+        group = "users";
+        mode = "0755";
+      };
+      "/srv/void/compmusic".d = {
+        user = "root";
+        group = "users";
+        mode = "0755";
+      };
+    };
+  };
+}

hosts/work/docker.nix

@@ -2,7 +2,8 @@
   config,
   pkgs,
   ...
-}: {
+}:
+{
   virtualisation.docker.enable = true;
 
   environment.systemPackages = [

hosts/work/filesystems.nix

@@ -4,6 +4,6 @@
   fileSystems."/" = {
     fsType = "ext4";
     device = "/dev/mapper/main";
-    options = ["noatime"];
+    options = [ "noatime" ];
   };
 }

hosts/work/hardware.nix

@@ -2,7 +2,8 @@
   inputs,
   modulesPath,
   ...
-}: {
+}:
+{
   imports = [
     "${modulesPath}/installer/scan/not-detected.nix"
 
@@ -16,10 +17,16 @@
 
   boot = {
     initrd = {
-      availableKernelModules = ["nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod"];
-      kernelModules = [];
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "thunderbolt"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
     };
-    kernelModules = ["kvm-amd"];
-    extraModulePackages = [];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
   };
 }

hosts/work/php.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    inputs.myphps.nixosModules.default
+  ];
+
+  services.myphps = {
+    enable = true;
+    prefix = "/var/lib/phps";
+  };
+
+  environment.systemPackages = [
+    pkgs.jetbrains.phpstorm
+    config.services.myphps.phps.php
+    inputs.myphps.packages.${pkgs.system}.symfony-cli
+  ];
+}

hosts/work/plasma.nix

@@ -2,7 +2,8 @@
   lib,
   pkgs,
   ...
-}: {
+}:
+{
   services = {
     desktopManager = {
       cosmic.enable = lib.mkForce false;
@@ -30,6 +31,6 @@
 
   xdg.portal = {
     xdgOpenUsePortal = true;
-    extraPortals = [pkgs.xdg-desktop-portal-gtk];
+    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
   };
 }

hosts/work/tools.nix

@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
   environment.systemPackages = [
     pkgs.gnumake
     pkgs.unzip

hosts/work/users.nix

@@ -2,9 +2,11 @@
   config,
   lib,
   ...
-}: let
+}:
+let
   inherit (config.users) mainUser;
-in {
+in
+{
   users = {
     mainUser = lib.mkForce "lukas";
     users.${mainUser}.description = lib.mkForce "Lukas Wurzinger";