updates

allowed_signers

@@ -0,0 +1 @@
+rouven@rfive.de namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqjaaB4RSwGGZXHb8UqTLz0GkOWlKctHoxmhpkwsFMI rouven@thinkpad

flake.lock

@@ -12,11 +12,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1736955230,
+        "lastModified": 1745630506,
-        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
+        "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+        "rev": "96e078c646b711aee04b82ba01aefbff87004ded",
         "type": "github"
       },
       "original": {
@@ -33,15 +33,17 @@
         "flake-utils": "flake-utils",
         "napalm": "napalm",
         "nixpkgs": "nixpkgs",
-        "poetry2nix": "poetry2nix",
+        "pyproject-build-systems": "pyproject-build-systems",
-        "systems": "systems_2"
+        "pyproject-nix": "pyproject-nix",
+        "systems": "systems_2",
+        "uv2nix": "uv2nix"
       },
       "locked": {
-        "lastModified": 1744375272,
+        "lastModified": 1746770624,
-        "narHash": "sha256-xvWbdTctLu5YWgcp+lNTh51GAY3vB2XEXUFKRMJUiCM=",
+        "narHash": "sha256-40c1p1EiveXd8P4MsG21+M4x/0QOCGQJP0ISyx9L1QE=",
         "owner": "nix-community",
         "repo": "authentik-nix",
-        "rev": "105b3b6c004ce00d1d3c7a88669bea4aadfd4580",
+        "rev": "0b5a36483867e2473a40610d0dcb7cb06260a6cf",
         "type": "github"
       },
       "original": {
@@ -53,16 +55,16 @@
     "authentik-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1744135136,
+        "lastModified": 1745954192,
-        "narHash": "sha256-7wvoCRhLipX4qzrb/ctsozG565yckx+moxiF6vRo84I=",
+        "narHash": "sha256-QuIgeu3CN6S44/zSiaj+iIkDz2494mb1MWvD3eYYkVE=",
         "owner": "goauthentik",
         "repo": "authentik",
-        "rev": "74eab55c615b156e4191ee98dc789e2d58c016f9",
+        "rev": "22412729e2379d645da2ac0c0270a0ac6147945e",
         "type": "github"
       },
       "original": {
         "owner": "goauthentik",
-        "ref": "version/2025.2.4",
+        "ref": "version/2025.4.0",
         "repo": "authentik",
         "type": "github"
       }
@@ -106,11 +108,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700795494,
+        "lastModified": 1744478979,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -277,11 +279,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745439012,
+        "lastModified": 1746798521,
-        "narHash": "sha256-TwbdiH28QK7Da2JQTqFHdb+UCJq6QbF2mtf+RxHVzEA=",
+        "narHash": "sha256-axfz/jBEH9XHpS7YSumstV7b2PrPf7L8bhWUtLBv3nA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d31710fb2cd536b1966fee2af74e99a0816a61a8",
+        "rev": "e95a7c5b6fa93304cd2fd78cf676c4f6d23c422c",
         "type": "github"
       },
       "original": {
@@ -396,28 +398,6 @@
         "type": "github"
       }
     },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik",
-          "poetry2nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1729742964,
-        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
     "nix-index-database": {
       "inputs": {
         "nixpkgs": [
@@ -425,11 +405,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745120797,
+        "lastModified": 1746330942,
-        "narHash": "sha256-owQ0VQ+7cSanTVPxaZMWEzI22Q4bGnuvhVjLAJBNQ3E=",
+        "narHash": "sha256-ShizFaJCAST23tSrHHtFFGF0fwd72AG+KhPZFFQX/0o=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "69716041f881a2af935021c1182ed5b0cc04d40e",
+        "rev": "137fd2bd726fff343874f85601b51769b48685cc",
         "type": "github"
       },
       "original": {
@@ -440,11 +420,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1744098102,
+        "lastModified": 1746141548,
-        "narHash": "sha256-tzCdyIJj9AjysC3OuKA+tMD/kDEDAF9mICPDU7ix0JA=",
+        "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c8cd81426f45942bb2906d5ed2fe21d2f19d95b7",
+        "rev": "f02fddb8acef29a8b32f10a335d44828d7825b78",
         "type": "github"
       },
       "original": {
@@ -502,11 +482,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1745391562,
+        "lastModified": 1746663147,
-        "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
+        "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
         "type": "github"
       },
       "original": {
@@ -535,37 +515,6 @@
         "type": "sourcehut"
       }
     },
-    "poetry2nix": {
-      "inputs": {
-        "flake-utils": [
-          "authentik",
-          "flake-utils"
-        ],
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": [
-          "authentik",
-          "nixpkgs"
-        ],
-        "systems": [
-          "authentik",
-          "systems"
-        ],
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1743690424,
-        "narHash": "sha256-cX98bUuKuihOaRp8dNV1Mq7u6/CQZWTPth2IJPATBXc=",
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "rev": "ce2369db77f45688172384bbeb962bc6c2ea6f94",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "type": "github"
-      }
-    },
     "pre-commit-hooks-nix": {
       "inputs": {
         "flake-compat": [
@@ -613,6 +562,56 @@
         "type": "sourcehut"
       }
     },
+    "pyproject-build-systems": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik",
+          "pyproject-nix"
+        ],
+        "uv2nix": [
+          "authentik",
+          "uv2nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744599653,
+        "narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=",
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "rev": "7dba6dbc73120e15b558754c26024f6c93015dd7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "type": "github"
+      }
+    },
+    "pyproject-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746146146,
+        "narHash": "sha256-60+mzI2lbgn+G8F5mz+cmkDvHFn4s5oqcOna1SzYy74=",
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "rev": "3e9623bdd86a3c545e82b7f97cfdba5f07232d9a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -680,28 +679,6 @@
         "type": "github"
       }
     },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik",
-          "poetry2nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1730120726,
-        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
     "trucksimulatorbot": {
       "inputs": {
         "images": "images",
@@ -722,6 +699,31 @@
         "repo": "trucksimulator",
         "type": "sourcehut"
       }
+    },
+    "uv2nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik",
+          "pyproject-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746048139,
+        "narHash": "sha256-LdCLyiihLg6P2/mjzP0+W7RtraDSIaJJPTy6SCtW5Ag=",
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "rev": "680e2f8e637bc79b84268949d2f2b2f5e5f1d81c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -115,6 +115,7 @@
             authentik.nixosModules.default
             ./hosts/nuc
             ./shared
+            ./shared/caddy
             {
               nixpkgs.overlays = [ self.overlays.default ];
             }
@@ -128,6 +129,7 @@
             impermanence.nixosModules.impermanence
             agenix.nixosModules.default
             ./hosts/fujitsu
+            ./shared/caddy
             ./shared
             {
               nixpkgs.overlays = [ self.overlays.default ];
@@ -140,6 +142,7 @@
           modules = [
             ./hosts/falkenstein
             ./shared
+            ./shared/caddy
             {
               nixpkgs.overlays = [ self.overlays.default ];
             }

hosts/falkenstein/modules/caddy/default.nix

@@ -17,22 +17,6 @@ let
 in
 {
   services.caddy = {
-    enable = true;
-    email = "ca@${config.networking.domain}";
-    logFormat = "format console";
-    globalConfig = ''
-      servers {
-        metrics
-      }
-    '';
-    virtualHosts.":2018" = {
-      extraConfig = ''
-        metrics
-      '';
-      logFormat = ''
-        output discard
-      '';
-    };
     virtualHosts."${config.networking.domain}".extraConfig = ''
       file_server browse
       root * /srv/web/${config.networking.domain}
@@ -40,7 +24,4 @@ in
       respond /.well-known/matrix/server ${builtins.toJSON serverConfig}
     '';
   };
-  systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
-  networking.firewall.allowedTCPPorts = [ 80 443 2018 ];
-  networking.firewall.allowedUDPPorts = [ 443 ];
 }

hosts/fujitsu/modules/jellyfin/default.nix

@@ -1,6 +1,12 @@
+{ config, ... }:
+let
+  domain = "media.vpn.rfive.de";
+in
 {
   services.jellyfin = {
     enable = true;
-    openFirewall = true;
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:8096
+  '';
 }

hosts/nuc/default.nix

@@ -5,6 +5,7 @@
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ./modules/authentik
+      ./modules/atuin
       ./modules/networks
       ./modules/adguard
       ./modules/backup
@@ -15,7 +16,6 @@
       ./modules/monitoring
       ./modules/torrent
       ./modules/vaultwarden
-      ./modules/caddy
       ./modules/indexing
     ];
 

hosts/nuc/modules/adguard/default.nix

@@ -1,13 +1,19 @@
 { ... }:
+let
+  domain = "adguard.vpn.rfive.de";
+  port = 3000;
+in
 {
   networking.firewall.allowedTCPPorts = [ 53 ];
   networking.firewall.allowedUDPPorts = [ 53 ];
   services.adguardhome = {
     enable = true;
-    openFirewall = true;
     settings = {
       dns.bind_hosts = [ "192.168.42.2" ];
-      http.address = "0.0.0.0:3000";
+      http.address = "127.0.0.1:${toString port}";
     };
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString port}
+  '';
 }

hosts/nuc/modules/atuin/default.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+let
+  domain = "shell.vpn.rfive.de";
+in
+{
+  services.atuin = {
+    enable = true;
+  };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString config.services.atuin.port}
+  '';
+}

hosts/nuc/modules/indexing/prowlarr.nix

@@ -1,7 +1,12 @@
-{ ... }:
+{ config, ... }:
+let
+  domain = "index.vpn.rfive.de";
+in
 {
   services.prowlarr = {
     enable = true;
-    openFirewall = true;
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString config.services.prowlarr.settings.server.port}
+  '';
 }

hosts/nuc/modules/indexing/radarr.nix

@@ -1,7 +1,12 @@
-{ ... }:
+{ config, ... }:
+let
+  domain = "movies.vpn.rfive.de";
+in
 {
   services.radarr = {
     enable = true;
-    openFirewall = true;
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString config.services.radarr.settings.server.port}
+  '';
 }

hosts/nuc/modules/indexing/sonarr.nix

@@ -1,7 +1,12 @@
-{ ... }:
+{ config, ... }:
+let
+  domain = "shows.vpn.rfive.de";
+in
 {
   services.sonarr = {
     enable = true;
-    openFirewall = true;
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString config.services.sonarr.settings.server.port}
+  '';
 }

hosts/nuc/modules/torrent/default.nix

@@ -1,5 +1,6 @@
 { config, pkgs, ... }:
 let
+  domain = "torrents.vpn.rfive.de";
   cfg = {
     stateDir = "/var/lib/qbittorrent";
     downloadDir = "/var/videos/"; # TODO support other Media Types
@@ -124,7 +125,9 @@ in
       SystemCallFilter = "@system-service";
     };
   };
-  networking.firewall.allowedTCPPorts = [ cfg.port ];
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString cfg.port}
+  '';
   systemd.tmpfiles.rules = [
     # ensure downloads directory is created, set permissions
     "d ${cfg.stateDir} - ${cfg.user} ${cfg.user} - -"

hosts/thinkpad/modules/networks/default.nix

@@ -81,6 +81,9 @@
         "WIFI@DB" = {
           authProtocols = [ "NONE" ];
         };
+        "WIFIonICE" = {
+          authProtocols = [ "NONE" ];
+        };
       };
     };
   };

hosts/thinkpad/modules/security/default.nix

@@ -18,6 +18,8 @@
           cue = true;
         };
       };
+      # fixes run0 failing to execute
+      services.systemd-run0 = { };
     };
     krb5 = {
       enable = true;

hosts/thinkpad/modules/virtualisation/default.nix

@@ -1,13 +1,13 @@
 { pkgs, ... }:
 {
   virtualisation = {
-    # podman = {
+    podman = {
-    #   enable = true;
-    #   defaultNetwork.settings.dns_enabled = true;
-    # };
-    docker = {
       enable = true;
+      defaultNetwork.settings.dns_enabled = true;
     };
+    # docker = {
+    #   enable = true;
+    # };
     libvirtd = {
       enable = true;
       qemu = {
@@ -27,4 +27,20 @@
     virt-viewer
     podman-compose
   ];
+  systemd.nspawn = {
+    n1 = {
+      networkConfig = {
+        Private = true;
+        VirtualEthernet = true;
+        Bridge = "br0";
+      };
+    };
+    n2 = {
+      networkConfig = {
+        Private = true;
+        VirtualEthernet = true;
+        Bridge = "br0";
+      };
+    };
+  };
 }

shared/zsh.nix

@@ -26,6 +26,9 @@ in
     iperf
     jq
     helix
+    nushell
+    atuin
+    nmap
   ];
   users.defaultUserShell = pkgs.zsh;
   programs.fzf = {
@@ -68,6 +71,8 @@ in
           zstyle ':completion:*:complete:networkctl:*' list-grouped true
           source ${pkgs.agdsn-zsh-config}/etc/zsh/zshrc
           source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh
+          source ${pkgs.zsh-vi-mode}/share/zsh-vi-mode/zsh-vi-mode.plugin.zsh
+          zvm_after_init_commands+=(eval "$(atuin init zsh)")
           unsetopt extendedglob
 
       
@@ -100,7 +105,6 @@ in
           # then
           #   cat ${../images/cat.sixel}
           # fi
-          eval "$(${pkgs.mcfly}/bin/mcfly init zsh)"
           eval "$(${pkgs.zoxide}/bin/zoxide init zsh)"
         '';
     };

users/rouven/modules/git/default.nix

@@ -17,7 +17,8 @@
     extraConfig = {
       merge.conflictStyle = "diff3";
       diff.colorMoved = "default";
-      user.signingkey = "B95E8FE6B11C4D09";
+      user.signingkey = "~/.ssh/git.pub";
+      gpg.format = "ssh";
       pull.rebase = false;
       init.defaultBranch = "main";
       commit.gpgsign = true;

users/rouven/modules/packages.nix

@@ -5,7 +5,6 @@
     # essentials
     htop-vim
     lsof
-    postgresql
 
     zip
     unzip
@@ -15,6 +14,7 @@
     glab
     tio
     tcpdump
+    openconnect
 
     # graphics
     (zathura.override { plugins = [ zathuraPkgs.zathura_pdf_mupdf ]; })
@@ -53,6 +53,7 @@
     typst
     hut
     wine
+    electrum
     # ansible
     ansible-lint
     (python3.withPackages (ps: [
@@ -83,14 +84,12 @@
     rustfmt
     clippy
     gcc
-    nodejs_20
     gnumake
     go
     pre-commit
 
     # fancy tools
     just
-    himalaya
     # strace but with colors
     # (strace.overrideAttrs (_: {
     #   patches = [

users/rouven/modules/wayland/river.nix

@@ -44,7 +44,7 @@
           };
           "None" = builtins.mapAttrs (_key: bind: "spawn \"" + bind + "\"") {
             Print = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
-            XF86Launch2 = "${pkgs.sway-contrib.grimshot}/bin/grimshot save area - | ${pkgs.swappy}/bin/swappy -f -";
+            XF86SelectiveScreenshot = "${pkgs.sway-contrib.grimshot}/bin/grimshot save area - | ${pkgs.swappy}/bin/swappy -f -";
             XF86MonBrightnessUp = "${pkgs.light}/bin/light -A 10";
             XF86MonBrightnessDown = "${pkgs.light}/bin/light -U 10";
             XF86AudioMute = "${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";