bump lock

.sops.yaml

@@ -11,6 +11,7 @@ keys:
   - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
   - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
   - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
+  - &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
 creation_rules:
   - path_regex: hosts/toaster/[^/]+\.yaml$
     key_groups:
@@ -66,3 +67,9 @@ creation_rules:
         - *admin_oxa
         age:
         - *conduwuit
+  - path_regex: hosts/stream/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *admin_oxa
+        age:
+        - *stream

flake.lock

@@ -14,11 +14,11 @@
         "uv2nix": "uv2nix"
       },
       "locked": {
-        "lastModified": 1747386678,
+        "lastModified": 1751033152,
-        "narHash": "sha256-+4pIDo56iXWUklX1U+biw/cfC8TiSXTMh2N6V/+JMUg=",
+        "narHash": "sha256-0ANu9OLQJszcEyvnfDB7G957uqskZwCrTzRXz/yfAmE=",
         "owner": "nix-community",
         "repo": "authentik-nix",
-        "rev": "f20474660332903be6b47f3c1fdfc531f6f75f1d",
+        "rev": "1a4d6a5dd6fef39b99eb7ea4db79c5d5c7d7f1bf",
         "type": "github"
       },
       "original": {
@@ -30,16 +30,16 @@
     "authentik-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1747329052,
+        "lastModified": 1751031262,
-        "narHash": "sha256-idShMSYIrf3ViG9VFNGNu6TSjBz3Q+GJMMeCzcJwfG4=",
+        "narHash": "sha256-SNgRMQUjL3DTlWkMyRMan+pY1FfIV+DMeq5BiTM0N0k=",
         "owner": "goauthentik",
         "repo": "authentik",
-        "rev": "ae47624761f05040149d856d5e55a90cd7492740",
+        "rev": "b34665fabd8d938d81ce871a4e86ca528c5f253b",
         "type": "github"
       },
       "original": {
         "owner": "goauthentik",
-        "ref": "version/2025.4.1",
+        "ref": "version/2025.4.3",
         "repo": "authentik",
         "type": "github"
       }
@@ -96,11 +96,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1743550720,
+        "lastModified": 1749398372,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
         "type": "github"
       },
       "original": {
@@ -224,26 +224,6 @@
         "type": "github"
       }
     },
-    "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unstable"
-        ]
-      },
-      "locked": {
-        "lastModified": 1748830238,
-        "narHash": "sha256-EB+LzYHK0D5aqxZiYoPeoZoOzSAs8eqBDxm3R+6wMKU=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "c7fdb7e90bff1a51b79c1eed458fb39e6649a82a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
     "lanzaboote": {
       "inputs": {
         "crane": "crane",
@@ -273,38 +253,36 @@
     "lix": {
       "flake": false,
       "locked": {
-        "lastModified": 1748874826,
+        "lastModified": 1750762203,
-        "narHash": "sha256-PPRYL4vp/09ZPqbgo1b0h+mt28tddxE/nhA04bGvAU0=",
+        "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=",
-        "rev": "530b40ac8ebf49ab93887e5035d7f1fdc3111325",
+        "rev": "38b358ce27203f972faa2973cf44ba80c758f46e",
         "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/530b40ac8ebf49ab93887e5035d7f1fdc3111325.tar.gz?rev=530b40ac8ebf49ab93887e5035d7f1fdc3111325"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?rev=38b358ce27203f972faa2973cf44ba80c758f46e"
       },
       "original": {
         "type": "tarball",
-        "url": "https://git.lix.systems/lix-project/lix/archive/main.tar.gz"
+        "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz"
       }
     },
     "lix-module": {
       "inputs": {
         "flake-utils": "flake-utils_3",
         "flakey-profile": "flakey-profile",
-        "lix": [
+        "lix": "lix",
-          "lix"
-        ],
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1747667424,
+        "lastModified": 1750776670,
-        "narHash": "sha256-7EICjbmG6lApWKhFtwvZovdcdORY1CEe6/K7JwtpYfs=",
+        "narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=",
-        "rev": "3c23c6ae2aecc1f76ae7993efe1a78b5316f0700",
+        "rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3",
         "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/3c23c6ae2aecc1f76ae7993efe1a78b5316f0700.tar.gz?rev=3c23c6ae2aecc1f76ae7993efe1a78b5316f0700"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?rev=c3c78a32273e89d28367d8605a4c880f0b6607e3"
       },
       "original": {
         "type": "tarball",
-        "url": "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz"
+        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz"
       }
     },
     "microvm": {
@@ -318,11 +296,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1748464257,
+        "lastModified": 1750358184,
-        "narHash": "sha256-PdnQSE2vPfql9WEjunj2qQnDpuuvk7HH+4djgXJSwFs=",
+        "narHash": "sha256-17EYMeY5v8KRk9HW6Z4dExY8Wg4y/zM2eM2wbbx+vMs=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "e238645b6f0447a2eb1d538d300d5049d4006f9f",
+        "rev": "fd9f5dba1ffee5ad6f29394b2a9e4c66c1ce77dc",
         "type": "github"
       },
       "original": {
@@ -359,11 +337,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1748634340,
+        "lastModified": 1750837715,
-        "narHash": "sha256-pZH4bqbOd8S+si6UcfjHovWDiWKiIGRNRMpmRWaDIms=",
+        "narHash": "sha256-2m1ceZjbmgrJCZ2PuQZaK4in3gcg3o6rZ7WK6dr5vAA=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "daa628a725ab4948e0e2b795e8fb6f4c3e289a7a",
+        "rev": "98236410ea0fe204d0447149537a924fb71a6d4f",
         "type": "github"
       },
       "original": {
@@ -375,11 +353,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1747179050,
+        "lastModified": 1750776420,
-        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
+        "narHash": "sha256-/CG+w0o0oJ5itVklOoLbdn2dGB0wbZVOoDm4np6w09A=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
+        "rev": "30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf",
         "type": "github"
       },
       "original": {
@@ -391,11 +369,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1743296961,
+        "lastModified": 1748740939,
-        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+        "rev": "656a64127e9d791a334452c6b6606d17539476e2",
         "type": "github"
       },
       "original": {
@@ -422,11 +400,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1748693115,
+        "lastModified": 1751011381,
-        "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
+        "narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
+        "rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7",
         "type": "github"
       },
       "original": {
@@ -438,11 +416,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1748708770,
+        "lastModified": 1750969886,
-        "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=",
+        "narHash": "sha256-zW/OFnotiz/ndPFdebpo3X0CrbVNf22n4DjN2vxlb58=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a59eb7800787c926045d51b70982ae285faa2346",
+        "rev": "a676066377a2fe7457369dd37c31fd2263b662f4",
         "type": "github"
       },
       "original": {
@@ -495,11 +473,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744599653,
+        "lastModified": 1749519371,
-        "narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=",
+        "narHash": "sha256-UJONN7mA2stweZCoRcry2aa1XTTBL0AfUOY84Lmqhos=",
         "owner": "pyproject-nix",
         "repo": "build-system-pkgs",
-        "rev": "7dba6dbc73120e15b558754c26024f6c93015dd7",
+        "rev": "7c06967eca687f3482624250428cc12f43c92523",
         "type": "github"
       },
       "original": {
@@ -516,11 +494,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746540146,
+        "lastModified": 1750499893,
-        "narHash": "sha256-QxdHGNpbicIrw5t6U3x+ZxeY/7IEJ6lYbvsjXmcxFIM=",
+        "narHash": "sha256-ThKBd8XSvITAh2JqU7enOp8AfKeQgf9u7zYC41cnBE4=",
         "owner": "pyproject-nix",
         "repo": "pyproject.nix",
-        "rev": "e09c10c24ebb955125fda449939bfba664c467fd",
+        "rev": "e824458bd917b44bf4c38795dea2650336b2f55d",
         "type": "github"
       },
       "original": {
@@ -533,9 +511,7 @@
       "inputs": {
         "authentik-nix": "authentik-nix",
         "flake-utils": "flake-utils_2",
-        "home-manager": "home-manager",
         "lanzaboote": "lanzaboote",
-        "lix": "lix",
         "lix-module": "lix-module",
         "microvm": "microvm",
         "nixos-hardware": "nixos-hardware",
@@ -574,11 +550,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747603214,
+        "lastModified": 1750119275,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
         "type": "github"
       },
       "original": {
@@ -676,11 +652,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746649034,
+        "lastModified": 1750987094,
-        "narHash": "sha256-gmv+ZiY3pQnwgI0Gm3Z1tNSux1CnOJ0De+xeDOol1+0=",
+        "narHash": "sha256-GujDElxLgYatnNvuL1U6qd18lcuG6anJMjpfYRScV08=",
         "owner": "pyproject-nix",
         "repo": "uv2nix",
-        "rev": "fe540e91c26f378c62bf6da365a97e848434d0cd",
+        "rev": "4b703d851b61e664a70238711a8ff0efa1aa2f52",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,7 +1,12 @@
 {
   inputs = {
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
+
+    lix-module = {
+      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     flake-utils.url = "github:numtide/flake-utils";
 
@@ -10,7 +15,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master";
 
     microvm = {
       url = "github:astro/microvm.nix";
@@ -21,7 +26,7 @@
     };
 
     lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.2";
+      url = "github:nix-community/lanzaboote?ref=v0.4.2";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
 
@@ -29,28 +34,12 @@
       url = "github:nix-community/authentik-nix";
     };
 
-    lix = {
-      url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
-      flake = false;
-    };
-
-    lix-module = {
-      url = "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.lix.follows = "lix";
-    };
-
     website = {
       url = "git+https://git.oxapentane.com/0xa/website.git?ref=main";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.flake-utils.follows = "flake-utils";
     };
 
-    home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-
     tmux-yank = {
       url = "github:tmux-plugins/tmux-yank";
       flake = false;
@@ -59,7 +48,6 @@
 
   outputs =
     inputs@{
-      home-manager,
       lanzaboote,
       lix-module,
       microvm,
@@ -77,6 +65,7 @@
             "forgejo"
             "miniflux"
             "radicale"
+            "stream"
           ];
           microvm-unstable-list = [
             "auth"
@@ -119,25 +108,19 @@
               nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen3
               lix-module.nixosModules.default
 
-              home-manager.nixosModules.home-manager
-              {
-                home-manager.useGlobalPkgs = true;
-                home-manager.useUserPackages = true;
-                home-manager.users."0xa" = import ./hosts/toaster/0xa-home.nix;
-              }
-
               ./hosts/toaster
 
               ./modules/basic-tools
               ./modules/binary-caches.nix
               ./modules/devtools.nix
-              ./modules/niri.nix
+              ./modules/emacs.nix
+              ./modules/gnome.nix
               ./modules/gnupg.nix
+              ./modules/mail
               ./modules/radio.nix
               ./modules/science.nix
               ./modules/tlp.nix
               ./modules/virtualization.nix
-              ./modules/mail
               ./modules/wg
             ];
           };
@@ -146,7 +129,6 @@
             specialArgs = { inherit inputs; };
             modules = [
               sops-nix.nixosModules.sops
-              lix-module.nixosModules.default
 
               ./hosts/cloud
 

hosts/cloud/proxy/auth.nix

@@ -1,36 +0,0 @@
-{ ... }:
-{
-  services.nginx.upstreams.authentik = {
-    servers = {
-      "10.89.88.11:9000" = { };
-      "[fd31:185d:722f::11]:9000" = { };
-    };
-    extraConfig = ''
-      keepalive 10;
-    '';
-  };
-
-  services.nginx.virtualHosts."auth.oxapentane.com" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://authentik";
-      extraConfig = ''
-        # general proxy settings
-        proxy_connect_timeout   60s;
-        proxy_send_timeout      60s;
-        proxy_read_timeout      60s;
-        proxy_http_version      1.1;
-        proxy_set_header        Host $host;
-        proxy_set_header        X-Real-IP $remote_addr;
-        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header        X-Forwarded-Proto $scheme;
-        proxy_set_header        X-Forwarded-Host $host;
-        proxy_set_header        X-Forwarded-Server $host;
-        # authentik specifik
-        proxy_set_header        Upgrade $http_upgrade;
-        proxy_set_header        Connection $connection_upgrade_keepalive;
-      '';
-    };
-  };
-}

hosts/cloud/proxy/conduwuit.nix

@@ -1,47 +0,0 @@
-{ ... }:
-let
-  proxy-conf = ''
-    client_max_body_size 50M;
-    proxy_buffering off;
-
-    proxy_set_header Host              $host;
-    proxy_set_header X-Real-IP         $remote_addr;
-    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header Access-Control-Allow-Origin *;
-    proxy_set_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
-    proxy_set_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
-
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-
-    proxy_read_timeout 600s;
-    proxy_send_timeout 600s;
-    send_timeout 600s;
-  '';
-
-in
-{
-  services.nginx.upstreams.conduwuit = {
-    servers = {
-      "10.89.88.16:6167" = { };
-      "[fd31:185d:722f::16]:6167" = { };
-    };
-  };
-
-  services.nginx.virtualHosts."oxapentane.com" = {
-    locations."/_matrix/" = {
-      proxyPass = "http://conduwuit$request_uri";
-      extraConfig = proxy-conf;
-    };
-    locations."/_conduwuit/" = {
-      proxyPass = "http://conduwuit$request_uri";
-      extraConfig = proxy-conf;
-    };
-    locations."/.well-known/matrix" = {
-      proxyPass = "http://conduwuit$request_uri";
-      extraConfig = proxy-conf;
-    };
-  };
-}

hosts/cloud/proxy/dav.nix

@@ -1,64 +0,0 @@
-{ ... }:
-{
-  services.nginx.upstreams.radicale = {
-    servers = {
-      "10.89.88.12:5232" = { };
-      "[fd31:185d:722f::12]:5232" = { };
-    };
-  };
-
-  services.nginx.virtualHosts."dav.oxapentane.com" = {
-    forceSSL = true;
-    enableACME = true;
-    # Radicale
-    locations."/" = {
-      proxyPass = "http://radicale";
-      extraConfig = ''
-        # Radicale stuff
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade_keepalive;
-
-        # authentik stuff
-        auth_request     /outpost.goauthentik.io/auth/nginx;
-        error_page       401 = @goauthentik_proxy_signin;
-        auth_request_set $auth_cookie $upstream_http_set_cookie;
-        proxy_set_header       Set-Cookie $auth_cookie;
-
-        # translate headers from the outposts back to the actual upstream
-        auth_request_set $authentik_username $upstream_http_x_authentik_username;
-        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
-        auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
-        auth_request_set $authentik_email $upstream_http_x_authentik_email;
-        auth_request_set $authentik_name $upstream_http_x_authentik_name;
-        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
-
-        proxy_set_header X-authentik-username $authentik_username;
-        proxy_set_header X-Remote-User $authentik_username;
-        proxy_set_header X-authentik-groups $authentik_groups;
-        proxy_set_header X-authentik-entitlements $authentik_entitlements;
-        proxy_set_header X-authentik-email $authentik_email;
-        proxy_set_header X-authentik-name $authentik_name;
-        proxy_set_header X-authentik-uid $authentik_uid;
-      '';
-    };
-
-    locations."/outpost.goauthentik.io" = {
-      proxyPass = "http://authentik/outpost.goauthentik.io";
-      extraConfig = ''
-        proxy_set_header Host $host;
-        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-        proxy_set_header Set-Cookie $auth_cookie;
-        auth_request_set $auth_cookie $upstream_http_set_cookie;
-        proxy_pass_request_body off;
-        proxy_set_header Content-Length "";
-      '';
-    };
-    locations."@goauthentik_proxy_signin" = {
-      extraConfig = ''
-        internal;
-        proxy_set_header Set-Cookie $auth_cookie;
-        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
-      '';
-    };
-  };
-}

hosts/cloud/proxy/default.nix

@@ -4,12 +4,7 @@ let
 in
 {
   imports = [
-    ./auth.nix
-    ./conduwuit.nix
-    ./dav.nix
     ./git.nix
-    ./immich.nix
-    ./news.nix
   ];
 
   networking.firewall.allowedTCPPorts = [
@@ -17,63 +12,85 @@ in
     443
   ];
 
-  services.nginx = {
+  services.caddy = {
     enable = true;
+    virtualHosts."oxapentane.com" = {
+      serverAliases = [ "www.oxapentane.com" ];
+      extraConfig = ''
+        # conduit
+        @matrix {
+            path /.well-known/matrix/*
+            path /_matrix/*
+        }
 
-    recommendedGzipSettings = true;
+        route {
-    recommendedOptimisation = true;
+            header /.well-known/matrix/* Access-Control-Allow-Origin *
-    recommendedTlsSettings = true;
 
-    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+            reverse_proxy @matrix 10.89.88.16:6167
 
-    appendHttpConfig = ''
+            # file server
-      # upgrade websockets
+            file_server {
-      map $http_upgrade $connection_upgrade_keepalive {
+                root ${website}
-        default upgrade;
+                index index.html
-        '''      ''';
+            }
-      }
+        }
+      '';
+    };
 
-      ### TLS
+    virtualHosts."auth.oxapentane.com".extraConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
+      reverse_proxy 10.89.88.11:9000 [fd31:185d:722f::11]:9000
-      # Adding this header to HTTP requests is discouraged
-      map $scheme $hsts_header {
-          https   "max-age=31536000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-
-      # Enable CSP for your services.
-      # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-      # Disable embedding as a frame
-      # add_header X-Frame-Options DENY;
-
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
     '';
 
-    virtualHosts."oxapentane.com" = {
+    virtualHosts."dav.oxapentane.com".extraConfig = ''
-      forceSSL = true;
+      route {
-      enableACME = true;
+          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
-      default = true;
+
-      locations."/" = {
+          forward_auth 10.89.88.11:9000 {
-        root = "${website}";
+              uri /outpost.goauthentik.io/auth/caddy
-        index = "index.html";
+              copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Authentik-Username>X-Remote-User
-      };
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
-    };
+          }
-    virtualHosts."www.oxapentane.com" = {
+      }
-      forceSSL = true;
+      reverse_proxy 10.89.88.12:5232 [fd31:185d:722f::12]:5232
-      enableACME = true;
+
-      locations."/" = {
+    '';
-        return = "302 https://oxapentane.com";
+
-      };
+    virtualHosts."immich.oxapentane.com".extraConfig = ''
-    };
+      reverse_proxy 10.89.88.13:2283
-  };
+    '';
+
+    virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
+
+    virtualHosts."music.oxapentane.com".extraConfig = ''
+      route {
+          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
+
+          @protected not path /share/* /rest/*
+          forward_auth @protected 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+
+
+          @subsonic path /rest/*
+          forward_auth @subsonic 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              @error status 1xx 3xx 4xx 5xx
+              handle_response @error {
+                  respond <<SUBSONICERR
+                  <subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
+                    <error code="40" message="Invalid credentials or unsupported client"></error>
+                  </subsonic-response>
+                  SUBSONICERR 200
+              }
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+      }
+      reverse_proxy 10.89.88.17:4533
+
+    '';
 
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "acme@oxapentane.com";
   };
 }

hosts/cloud/proxy/git.nix

@@ -35,34 +35,6 @@
         "fd31:185d:722e::1"
       ];
 
-  services.nginx.upstreams.forgejo = {
+  services.caddy.virtualHosts."git.oxapentane.com".extraConfig =
-    servers = {
+    "reverse_proxy 10.89.88.15:3000 [fd31:185d:722f::15]:3000";
-      "10.89.88.15:3000" = { };
-      "[fd31:185d:722f::15]:3000" = { };
-    };
-  };
-
-  services.nginx.virtualHosts."git.oxapentane.com" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://forgejo";
-      extraConfig = ''
-        client_max_body_size 50000M;
-
-        proxy_set_header Host              $host;
-        proxy_set_header X-Real-IP         $remote_addr;
-        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-
-        proxy_read_timeout 600s;
-        proxy_send_timeout 600s;
-        send_timeout 600s;
-      '';
-    };
-  };
 }

hosts/cloud/proxy/immich.nix

@@ -1,33 +0,0 @@
-{ ... }:
-{
-  services.nginx.upstreams.immich = {
-    servers = {
-      "10.89.88.13:2283" = { };
-      "[fd31:185d:722f::13]:2283" = { };
-    };
-  };
-
-  services.nginx.virtualHosts."immich.oxapentane.com" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://immich";
-      extraConfig = ''
-        client_max_body_size 50000M;
-
-        proxy_set_header Host              $host;
-        proxy_set_header X-Real-IP         $remote_addr;
-        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-
-        proxy_read_timeout 600s;
-        proxy_send_timeout 600s;
-        send_timeout 600s;
-      '';
-    };
-  };
-}

hosts/cloud/proxy/news.nix

@@ -1,17 +0,0 @@
-{ ... }:
-{
-  services.nginx.virtualHosts."news.oxapentane.com" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://10.89.88.14:8080";
-      extraConfig = ''
-        proxy_set_header Host              $host;
-        proxy_set_header X-Real-IP         $remote_addr;
-        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_redirect off;
-      '';
-    };
-  };
-}

hosts/stream/default.nix

@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+let
+  mac = "02:00:00:00:00:07";
+in
+{
+  imports = [
+    ./navidrome.nix
+  ];
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/0xa-proxy" = {
+      owner = config.users.users.systemd-network.name;
+    };
+  };
+
+  microvm = {
+    hypervisor = "qemu";
+    mem = 4 * 1024;
+    vcpu = 3;
+    interfaces = [
+      {
+        type = "tap";
+        id = "uvm-stream";
+        mac = mac;
+      }
+    ];
+    shares =
+      [
+        {
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+          tag = "store";
+          proto = "virtiofs";
+        }
+      ]
+      ++ map
+        (dir: {
+          source = dir;
+          mountPoint = "/${dir}";
+          tag = dir;
+          proto = "virtiofs";
+        })
+        [
+          "etc"
+          "var"
+          "home"
+        ];
+  };
+
+  networking.useNetworkd = true;
+  networking.firewall.enable = lib.mkForce false; # firewalling done by the host
+
+  systemd.network = {
+    enable = true;
+    networks."11-host" = {
+      matchConfig.MACAddress = mac;
+      networkConfig = {
+        Address = "10.99.99.17/24";
+        DHCP = "no";
+      };
+      routes = [
+        {
+          Gateway = "10.99.99.1";
+          Destination = "0.0.0.0/0";
+          Metric = 1024;
+        }
+      ];
+    };
+  };
+
+  networking.hostName = "stream";
+  system.stateVersion = "25.05";
+}

hosts/stream/navidrome.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.navidrome = {
+    enable = true;
+    settings = {
+      Address = "10.89.88.17";
+      BaseUrl = "/";
+      EnableExternalServices = false;
+      MusicFolder = "/var/lib/navidrome/music";
+      Port = 4533;
+      ScanSchedule = "@every 11m";
+      TranscodingCacheSize = "11GiB";
+      ReverseProxyWhitelist = "10.89.88.1/24";
+    };
+  };
+}

hosts/stream/secrets.yaml

@@ -0,0 +1,38 @@
+wg:
+    0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str]
+sops:
+    age:
+        - recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3
+            QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5
+            S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5
+            K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE
+            WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-12T22:54:11Z"
+    mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str]
+    pgp:
+        - created_at: "2025-06-12T22:51:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6
+            th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH
+            HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn
+            vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B
+            WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/
+            uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s
+            DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/
+            bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp
+            lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J
+            A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg
+            GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS
+            XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6
+            ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU=
+            =fEVm
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

hosts/toaster/default.nix

@@ -4,7 +4,7 @@
     ./amd.nix
     ./hardware-configuration.nix
     ./irc.nix
-    ./network/full-networkd.nix
+    ./network
     ./secure-boot.nix
     ./zfs.nix
   ];
@@ -66,7 +66,7 @@
     home = "/home/0xa";
     isNormalUser = true;
     uid = 1000;
-    shell = pkgs.fish;
+    shell = pkgs.zsh;
   };
 
   # This value determines the NixOS release from which the default

hosts/toaster/network/default.nix

@@ -7,13 +7,16 @@
   ];
 
   # Networkmanager shouldn't interfere with systemd managed interfaces
-  networking.networkmanager.unmanaged =
+  networking.networkmanager = {
-    let
+    enable = true;
-      systemd_netdevs = lib.attrsets.attrValues (
+    unmanaged =
-        lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs
+      let
-      );
+        systemd_netdevs = lib.attrsets.attrValues (
-    in
+          lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs
-    systemd_netdevs;
+        );
+      in
+      systemd_netdevs;
+  };
 
   systemd.network = {
     enable = true;

hosts/toaster/network/mullvad.nix

@@ -1,9 +1,12 @@
-{ config, ... }:
+{
+  config,
+  ...
+}:
 {
   systemd.network =
     let
-      pubkey = "uUYbYGKoA6UBh1hfkAz5tAWFv4SmteYC9kWh7/K6Ah0=";
+      pubkey = "xpZ3ZDEukbqKQvdHwaqKMUhsYhcYD3uLPUh1ACsVr1s=";
-      endpoint = "92.60.40.209";
+      endpoint = "185.65.134.86";
       port = "51820";
       addr = [
         "10.74.16.48/32"

modules/basic-tools/default.nix

@@ -7,7 +7,6 @@
     ./nix.nix
     ./nix-ld.nix
     ./zsh.nix
-    ./fish.nix
   ];
 
   environment.systemPackages =
@@ -81,7 +80,6 @@
     vim = "nvim";
     grep = "grep --color=auto";
   };
-  users.defaultUserShell = pkgs.zsh; # keep root shell posix compatible
 
   programs.iftop.enable = true;
   programs.mosh.enable = true;

modules/basic-tools/zsh.nix

@@ -15,7 +15,6 @@
   programs.zsh = {
     enable = true;
     enableCompletion = true;
-    syntaxHighlighting.enable = true;
     interactiveShellInit = ''
       bindkey -e
       export HISTFILE="$HOME/.zsh_history"
@@ -39,6 +38,7 @@
       LP_ENABLE_SVN=0
       LP_BATTERY_THRESHOLD=15
       LP_SSH_COLORS=1
+      LP_DISABLED_VCS_PATHS=("/home/0xa/proj/NixOS/nixpkgs")
     '';
   };
 }

modules/chromium.nix

@@ -26,9 +26,9 @@
       "AutoplayAllowed" = false;
       "DefaultNotificationSetting" = 2;
       "BackgroundModeEnabled" = false;
-      "DefaultSearchProviderEnabled" = true;
+      # "DefaultSearchProviderEnabled" = true;
       # "DefaultSearchProviderSearchURL" = "https://google.com/search?q={searchTerms}";
-      "DefaultSearchProviderSearchURL" = "https://duckduckgo.com/?q={searchTerms}";
+      # "DefaultSearchProviderSearchURL" = "https://duckduckgo.com/?q={searchTerms}";
       "SearchSuggestEnable" = false;
       "BlockThirdPartyCookies" = true;
       "PrivacySandboxAdMeasurementEnabled" = false;

modules/desktop-software.nix

@@ -7,19 +7,24 @@
     audacity
     blender
     dino
+    discord
+    element-desktop
     ffmpeg-full
+    ghostty
     gimp
     inkscape
+    lapce
+    mpv
+    obs-studio
+    qbittorrent
+    transmission_4-gtk
     signal-desktop
+    spotify
     telegram-desktop
     tor-browser
     wl-clipboard
     yt-dlp
-    element-desktop
-    discord
-    mpv
-    obs-studio
-    firefox
   ];
   programs.steam.enable = true;
+  programs.firefox.enable = true;
 }

modules/devtools.nix

@@ -16,28 +16,20 @@
     in
     [
       # general
-      cmake
-      gcc
       gef
       gdb
-      binutils
       binwalk
-      clang
-      clang-tools
-      direnv
       sops
       nil
-      nixpkgs-fmt
       nix-index
       kicad
       kikit
-      freecad-wayland
+      freecad-qt6
       imhex
       python3Full
       nixfmt-rfc-style
       treefmt
       android-tools
-      bacon
     ];
 
   # android stuff
@@ -51,23 +43,5 @@
   };
   users.users."0xa".extraGroups = [ "wireshark" ];
 
-  ## direnv
+  programs.direnv.enable = true;
-  programs.bash.interactiveShellInit = ''
-    eval "$(direnv hook bash)"
-  '';
-  programs.zsh.interactiveShellInit = ''
-    eval "$(direnv hook zsh)"
-  '';
-  programs.fish.interactiveShellInit = ''
-    direnv hook fish | source
-  '';
-
-  # nix options for derivations to persist garbage collection
-  nix.extraOptions = ''
-    keep-outputs = true
-    keep-derivations = true
-  '';
-  environment.pathsToLink = [
-    "/share/nix-direnv"
-  ];
 }

modules/emacs.nix

@@ -5,14 +5,37 @@
 }:
 
 {
-  environment.systemPackages = with pkgs; [
+  environment.systemPackages =
-    direnv
+    let
-    mu
+      # https://wiki.nixos.org/wiki/TexLive
-  ];
+      # minimal set of latex packages for orgmode
+      # emacs config:
+      # (setq org-latex-complier "lualatex")
+      # (setq org-preview-latex-default-process 'dvisvgm)
+      orgmode-tex = (
+        pkgs.texlive.combine {
+          inherit (pkgs.texlive)
+            scheme-basic
+            dvisvgm
+            dvipng
+            wrapfig
+            amsmath
+            ulem
+            hyperref
+            capt-of
+            ;
+        }
+      );
+    in
+    with pkgs;
+    [
+      mu
+      orgmode-tex
+    ];
 
   services.emacs = {
     install = true;
-    enable = false;
+    enable = true;
     package =
       with pkgs;
       (
@@ -32,6 +55,6 @@
           ]
         )
       );
-    defaultEditor = lib.mkDefault true;
+    defaultEditor = lib.mkForce true;
   };
 }

modules/fonts.nix

@@ -19,6 +19,8 @@
     liberation_ttf
     noto-fonts
     noto-fonts-cjk-sans
+    noto-fonts-color-emoji
+    noto-fonts-monochrome-emoji
     noto-fonts-emoji
     noto-fonts-extra
     proggyfonts

modules/gnome.nix

@@ -13,11 +13,8 @@
     gnome-obfuscate
     gnome-boxes
     gnome-tweaks
-    qbittorrent
     gnomeExtensions.caffeine
     gnomeExtensions.brightness-control-using-ddcutil
-    spotify
-    ghostty
     fractal
   ];
 

modules/gnupg.nix

@@ -4,8 +4,6 @@
   environment.systemPackages = with pkgs; [
     gnupg
     opensc
-
-    yubikey-personalization-gui
   ];
 
   # smartcard support

modules/niri.nix

@@ -6,66 +6,49 @@
     ./desktop-software.nix
     ./fonts.nix
   ];
-  environment.systemPackages =
+  environment.systemPackages = with pkgs; [
-    let
+    screen-message
-      xwayland-satellite-git = pkgs.xwayland-satellite.overrideAttrs (
+    qbittorrent
-        final: _prev: {
+    gajim
-          version = "0.6";
+    imv
-          cargoHash = "sha256-R3xXyXpHQw/Vh5Y4vFUl7n7jwBEEqwUCIZGAf9+SY1M=";
+    mpv
-          src = pkgs.fetchFromGitHub {
+    evince
-            owner = "Supreeeme";
+    brightnessctl
-            repo = "xwayland-satellite";
+    pulsemixer
-            rev = "3ba30b149f9eb2bbf42cf4758d2158ca8cceef73";
+    cmus
-            sha256 = "sha256-IiLr1alzKFIy5tGGpDlabQbe6LV1c9ABvkH6T5WmyRI=";
+    termusic
-          };
+    gsettings-desktop-schemas
-          cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
+    xdg-utils
-            inherit (final) pname src version;
+    qt5.qtwayland
-            hash = final.cargoHash;
+    bashmount
-          };
+    audacity
-        }
+    spotify-player
-      );
+    zathura
-    in
+    ncdu
-    with pkgs;
+    adwaita-icon-theme
-    [
+    bluetui
-      screen-message
+    gammastep
-      qbittorrent
+    graphicsmagick
-      gajim
+    i3status-rust
-      imv
+    impala
-      mpv
+    kanshi
-      evince
+    pamixer
-      brightnessctl
+    swayidle
-      pulsemixer
+    swaylock
-      cmus
+    wl-clipboard
-      termusic
+    xfce.thunar
-      gsettings-desktop-schemas
+    banana-cursor
-      xdg-utils
+    yofi
-      qt5.qtwayland
+    alacritty
-      bashmount
+    i3bar-river
-      audacity
+    mako
-      spotify-player
+    swww
-      zathura
+    wbg
-      ncdu
+    oculante
-      adwaita-icon-theme
+    xwayland-satellite
-      bluetui
+    foot
-      gammastep
+    fuzzel
-      graphicsmagick
+  ];
-      i3status-rust
-      impala
-      kanshi
-      pamixer
-      swayidle
-      swaylock
-      wl-clipboard
-      xfce.thunar
-      banana-cursor
-      fuzzel
-      alacritty
-      i3bar-river
-      mako
-      swww
-      oculante
-      xwayland-satellite-git
-    ];
 
   # Enable sound.
   security.rtkit.enable = true;
@@ -118,7 +101,18 @@
   };
 
   services.gnome.gnome-keyring.enable = true;
-  security.pam.services.greetd.enableGnomeKeyring = true;
+  programs.seahorse.enable = true;
+
+  # https://github.com/JohnRTitor/nix-conf/commit/53bc83aef18849976d5a42cc727d38dd0e38c5b0
+  security.pam.services = {
+    greetd.enableGnomeKeyring = true;
+    greetd-password.enableGnomeKeyring = true;
+    login.enableGnomeKeyring = true;
+  };
+  services.dbus.packages = with pkgs; [
+    gnome-keyring
+    gcr
+  ];
 
   services.greetd = {
     enable = true;
@@ -130,11 +124,4 @@
   };
 
   programs.gnupg.agent.pinentryPackage = pkgs.pinentry-curses;
-  programs.ssh = {
-    startAgent = true;
-    enableAskPassword = false;
-    extraConfig = ''
-      AddKeysToAgent yes
-    '';
-  };
 }

modules/plasma.nix

@@ -0,0 +1,52 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./desktop-software.nix
+    ./fonts.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    kaidan
+    kdePackages.filelight
+    kdePackages.okular
+    vlc
+  ];
+
+  programs.kde-pim = {
+    enable = true;
+    kmail = true;
+    kontact = true;
+    merkuro = true;
+  };
+
+  # Enable sound.
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    pulse.enable = true;
+  };
+
+  programs.zsh.vteIntegration = true;
+  programs.bash.vteIntegration = true;
+
+  hardware.bluetooth.enable = true;
+
+  services.displayManager.sddm = {
+    enable = true;
+    wayland.enable = true;
+  };
+
+  services.desktopManager.plasma6.enable = true;
+
+  programs.ssh = {
+    startAgent = true;
+    enableAskPassword = false;
+    extraConfig = ''
+      AddKeysToAgent yes
+    '';
+  };
+  programs.firefox.nativeMessagingHosts.packages = with pkgs.kdePackages; [
+    plasma-browser-integration
+  ];
+}

modules/science.nix

@@ -3,7 +3,6 @@
   environment.systemPackages = with pkgs; [
     gnuplot
     zotero
-    paraview
     numbat
   ];
 }

modules/server/ssh.nix

@@ -10,5 +10,6 @@
   networking.firewall.allowedTCPPorts = [ 22 ];
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31"
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINjKbSzsAx8P9POD9pOXO+Fxub68V828sNatPA6+2zmGAAAABHNzaDo= 0xa@keychain-A"
   ];
 }

modules/wg/proxy.nix

@@ -71,6 +71,14 @@
           publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
           privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
         };
+        "stream" = {
+          address = [
+            "10.89.88.17/24"
+            "fd31:185d:722f::17/48"
+          ];
+          publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=";
+          privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
+        };
       };
     }
   ];