Remove obsolete nfs mounts

Will be used for the FastF1 cache in the future

.gitignore

@@ -0,0 +1,3 @@
+*.password
+ServeNix/services/heidi.discord_token
+volumes-backup/*.tar.gz

ServeNix/configuration.nix

@@ -11,39 +11,32 @@
     ./hardware-configuration.nix
     <home-manager/nixos>
 
+    # DNS (required for internet)
+    # ./services/adguard.nix # NOTE: Runs on ThinkNix
+    # ./services/pihole.nix
+
+    # My own stuff
+    # ./services/airsignal.nix
+    ./services/heidi.nix
+    ./services/formula10.nix
+    ./services/formula11.nix
+
     # General
-    ./services/airsignal.nix
     ./services/authelia.nix
     ./services/gitea.nix
     ./services/gitea-runner.nix
-    ./services/homepage.nix
+    # ./services/homeassistant.nix # Replaced by HAOS
+    # ./services/homepage.nix
     ./services/immich.nix
-    ./services/memos.nix
+    ./services/jellyfin.nix
+    ./services/kopia.nix
     ./services/nextcloud.nix
     ./services/nginx-proxy-manager.nix
-    ./services/pihole.nix
+    ./services/paperless.nix
     ./services/portainer.nix
-    ./services/uptime-kuma.nix
+    # ./services/uptime-kuma.nix
     ./services/whats-up-docker.nix
-    ./services/wireguard-vps.nix
+    # ./services/wireguard-vps.nix # NOTE: Runs on ThinkNix
-
-    # MultimediArr
-    ./services/bazarr.nix
-    ./services/fileflows.nix
-    ./services/jellyfin.nix
-    ./services/jellyseerr.nix
-    ./services/jellystat.nix
-    ./services/prowlarr.nix
-    ./services/radarr.nix
-    ./services/sonarr.nix
-    ./services/sabnzbd.nix
-
-    # Box
-    ./services/box-fileflows.nix
-    ./services/box-hydra.nix
-    ./services/box-metube.nix
-    ./services/box-sabnzbd.nix
-    ./services/box-stash.nix
   ];
 
   # Bootloader.
@@ -87,14 +80,32 @@
 
     # Enable networking
     networkmanager.enable = true;
+    enableIPv6 = true;
+
+    interfaces.ens18 = {
+      ipv4.addresses = [
+        {
+          address = "192.168.86.25";
+          prefixLength = 24;
+        }
+      ];
+
+      ipv6.addresses = [
+        {
+	  address = "fd00::19"; # 25 in hex
+	  prefixLength = 120;
+	}
+      ];
+    };
 
-    interfaces.ens18.ipv4.addresses = [{
-      address = "192.168.86.25";
-      prefixLength = 24;
-    }];
     defaultGateway = "192.168.86.5";
+    defaultGateway6 = "fd00::5";
+
     nameservers = [
-      "127.0.0.1"
+      # "127.0.0.1"
+      # "8.8.8.8"
+      "192.168.86.26"
+      "fd00::1a" # 26 in hex
     ];
   };
 
@@ -112,6 +123,11 @@
       # crash the whole service.
       check=$(${dockercli} network ls | grep ${network} || true)
       if [ -z "$check" ]; then
+        # TODO: Disable IP masquerading to show individual containers in AdGuard/Pi-Hole
+        #       - Disabling this prevents containers from having internet connection. DNS issue?
+        # ${dockercli} network create -o "com.docker.network.bridge.enable_ip_masquerade"="false" ${network}
+
+        # ${dockercli} network create --ipv6 --gateway="2000::1" --subnet="2000::/80" ${network}
         ${dockercli} network create ${network}
       else
         echo "${network} already exists in docker"
@@ -167,6 +183,8 @@
       nnn
       busybox
       glances
+      ffmpeg
+      ripgrep
 
       docker-compose
     ];
@@ -211,6 +229,27 @@
       #   enable = true;
       #   setSocketVariable = true;
       # };
+      daemon.settings = {
+        # ipv6 = true; # TODO: Resulted in slowdowns for some services?
+	# fixed-cidr-v6 = "2001::/80";
+
+        dns = [
+          # TODO: Does this circumvent my DNS for each container?
+          #       It might improve gitea actions though...
+          "8.8.8.8"
+	  # "2001:4860:4860::8888"
+
+          # TODO: Might prevent containers from having DNS?
+          # "127.0.0.1"
+          # "192.168.86.25"
+        ];
+
+	# Allow access via tcp socket (for homepage)
+	hosts = [
+	  "tcp://0.0.0.0:2375"
+	  "unix:///var/run/docker.sock"
+	];
+      };
     };
     oci-containers.backend = "docker";
   };
@@ -263,6 +302,8 @@
 
     ntp.enable = true;
     qemuGuest.enable = true;
+    # TODO: Might prevent containers from having working DNS
+    # resolved.fallbackDns = ["8.8.8.8"];
   };
 
   networking.firewall = {

ServeNix/hardware-configuration.nix

@@ -47,25 +47,8 @@
       fsType = "nfs";
     };
 
-    "/media/TV-Usenet" = {
+    "/media/TV-Music" = {
-      device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Usenet";
+      device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Music";
-      fsType = "nfs";
-    };
-
-    # WD Blue Stripe Shares
-
-    "/media/Stash-Video" = {
-      device = "192.168.86.20:/mnt/WD Blue Stripe 2T/Video";
-      fsType = "nfs";
-    };
-
-    "/media/Stash-Picture" = {
-      device = "192.168.86.20:/mnt/WD Blue Stripe 2T/Picture";
-      fsType = "nfs";
-    };
-
-    "/media/Stash-Usenet" = {
-      device = "192.168.86.20:/mnt/WD Blue Stripe 2T/Usenet";
       fsType = "nfs";
     };
   };

ServeNix/services/adguard.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.adguard = {
+    image = "adguard/adguardhome";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # DNS server
+      "53:53/tcp"
+      "53:53/udp"
+      # "853:853/tcp" # DNS over TLS
+      # "853:853/udp" # DNS over QUIC
+
+      # DHCP server
+      # "67:67/udp"
+      # "68:68/tcp"
+      # "68:68/udp"
+
+      # Admin panel + DNS over HTTPS
+      # "80:80/tcp"
+      # "443:443/tcp"
+      # "443:443/udp"
+      # "3100:3000/tcp" # Web interface
+
+      # DNSCrypt
+      # "5443:5443/tcp"
+      # "5443:5443/udp"
+
+      # "6060:6060/tcp" # Debugging
+    ];
+
+    volumes = [
+      "adguard_config:/opt/adguardhome/conf"
+      "adguard_work:/opt/adguardhome/work"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

ServeNix/services/airsignal.nix

@@ -1,26 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.airsignal = {
-    image = "gitea.vps.chriphost.de/christoph/airsignal:latest";
-    autoStart = true;
-
-    dependsOn = [];
-
-    ports = [
-      "12776:12776"
-      "12776:12776/udp"
-    ];
-
-    volumes = [];
-
-    environment = {};
-
-    extraOptions = [
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/bazarr.nix

@@ -1,33 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.bazarr = {
-    image = "linuxserver/bazarr:latest";
-    autoStart = true;
-
-    dependsOn = [];
-
-    ports = [
-      # "6767:6767"
-    ];
-
-    volumes = [
-      "bazarr_config:/config"
-      "/media/Show:/tv"
-      "/media/Movie:/movies"
-    ];
-
-    environment = {
-      PUID = "3000";
-      PGID = "3000";
-      TZ = "Europe/Berlin";
-    };
-
-    extraOptions = [
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/box-fileflows.nix

@@ -1,42 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.box-fileflows = {
-    image = "revenz/fileflows:latest";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-    ];
-
-    ports = [
-      # "5000:5000"
-    ];
-
-    volumes = [
-      "/media/Stash-Video:/media/Video"
-
-      "box-fileflows_temp:/temp"
-      "box-fileflows_logs:/app/Logs"
-      "box-fileflows_config:/app/Data"
-
-      "/var/run/docker.sock:/var/run/docker.sock:ro"
-    ];
-
-    environment = {
-      TZ = "Europe/Berlin";
-
-      NVIDIA_VISIBLE_DEVICES = "all";
-      NVIDIA_DRIVER_CAPABILITIES = "all";
-    };
-
-    extraOptions = [
-      "--privileged" # Helps with CUDA issues
-      "--gpus=all"
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/box-metube.nix

@@ -1,36 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.box-metube = {
-    image = "ghcr.io/alexta69/metube";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-    ];
-
-    ports = [
-      # "3366:8081"
-    ];
-
-    volumes = [
-      "/media/Stash-Usenet/metube:/downloads"
-    ];
-
-    environment = {
-      UID = "3001";
-      GID = "3001";
-
-      # NVIDIA_VISIBLE_DEVICES = "all";
-      # NVIDIA_DRIVER_CAPABILITIES = "all";
-    };
-
-    extraOptions = [
-      # "--gpus=all"
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/box-sabnzbd.nix

@@ -1,35 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.box-sabnzbd = {
-    image = "linuxserver/sabnzbd:latest";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-    ];
-
-    ports = [
-      # "8080:8080"
-    ];
-
-    volumes = [
-      "/media/Stash-Usenet:/downloads"
-
-      "box-sabnzbd_config:/config"
-    ];
-
-    environment = {
-      PUID = "3001";
-      PGID = "3001";
-      TZ = "Europe/Berlin";
-    };
-
-    extraOptions = [
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/box-stash.nix

@@ -1,47 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.box-stash = {
-    image = "stashapp/stash:latest";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-    ];
-
-    ports = [
-      # "9999:9999"
-    ];
-
-    volumes = [
-      "/media/Stash-Picture:/data/picture"
-      "/media/Stash-Video:/data/video"
-
-      "box-stash_config:/root/.stash"
-      "box-stash_metadata:/metadata"
-      "box-stash_generated:/generated"
-      "box-stash_blobs:/blobs"
-      "box-stash_cache:/cache"
-    ];
-
-    environment = {
-      STASH_PORT = "9999";
-      STASH_CACHE = "/cache/";
-      STASH_GENERATED = "/generated/";
-      STASH_METADATA = "/metadata/";
-      STASH_STASH = "/data/";
-
-      NVIDIA_VISIBLE_DEVICES = "all";
-      NVIDIA_DRIVER_CAPABILITIES = "all";
-    };
-
-    extraOptions = [
-      "--privileged"
-      "--gpus=all"
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/fileflows.nix

@@ -1,43 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.fileflows = {
-    image = "revenz/fileflows:latest";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-    ];
-
-    ports = [
-      # "5000:5000"
-    ];
-
-    volumes = [
-      "/media/Movie:/media/Movie"
-      "/media/Show:/media/Show"
-
-      "fileflows_temp:/temp"
-      "fileflows_logs:/app/Logs"
-      "fileflows_config:/app/Data"
-
-      "/var/run/docker.sock:/var/run/docker.sock:ro"
-    ];
-
-    environment = {
-      TZ = "Europe/Berlin";
-
-      NVIDIA_VISIBLE_DEVICES = "all";
-      NVIDIA_DRIVER_CAPABILITIES = "all";
-    };
-
-    extraOptions = [
-      "--privileged" # Helps with CUDA issues
-      "--gpus=all"
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/formula10.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.formula10 = {
+    image = "gitea.vps.chriphost.de/christoph/formula10:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      "55555:5000"
+    ];
+
+    volumes = [
+      "formula10_data:/app/instance"
+      "formula10_cache:/cache"
+    ];
+
+    environment = {
+      TZ = "Europe/Berlin";
+    };
+
+    extraOptions = [
+      "--init" # Make an init process take up PID 1, to make python receive the SIGTERM
+      "--net=behind-nginx"
+    ];
+  };
+}

ServeNix/services/formula11.nix

@@ -0,0 +1,65 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.formula11_pocketbase = {
+    image = "gitea.vps.chriphost.de/christoph/pocketbase:0.25.0";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      "8090:8080"
+    ];
+
+    volumes = [
+      "formula11_pb_data:/pb/pb_data"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.formula11 = {
+    image = "gitea.vps.chriphost.de/christoph/formula11:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "formula11_pocketbase"
+    ];
+
+    ports = [
+      # "8080:8090"
+      "5173:3000"
+    ];
+
+    volumes = [];
+
+    environment = {
+      # PB_PROTOCOL="http";
+      # PB_HOST="formula11_pocketbase";
+      # PB_PORT="8000";
+
+      # PB_PROTOCOL="https";
+      # PB_URL="f11pb.vps.chriphost.de";
+
+      PUBLIC_PBURL="https://f11pb.vps.chriphost.de";
+
+      # Required by SvelteKit to prevent cross-site POST errors
+      ORIGIN="https://f11.vps.chriphost.de";
+    };
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

ServeNix/services/gitea-runner.nix

@@ -5,29 +5,16 @@
   ...
 }: {
   virtualisation.oci-containers.containers.gitea-runner = {
-    # Question: For gitea/act_runner dind set config.yaml/docker_host to "unix:///var/run/user/1000/docker.sock"?
+    image = "gitea/act_runner:latest"; # NOTE: vegardit has other runner images
-    image = "gitea/act_runner:latest";
-    # image = "vegardit/gitea-act-runner:dind-latest";
-
     autoStart = true;
 
-    dependsOn = [
+    dependsOn = [];
-      # "pihole"
-    ];
 
     ports = [];
 
     volumes = [
       "gitea-runner_data:/data"
       "gitea-runner_config:/config" # Managed by env variables for vegardit image
-
-      # For rootless-dind
-      # "gitea-runner_rootless-docker-auth:/home/rootless/.docker"
-
-      # Cache dind pulled images
-      # "gitea-runner_overlay2:/var/lib/docker/overlay2"
-      # "gitea-runner_image:/var/lib/docker/image"
-
     
       "/var/run/docker.sock:/var/run/docker.sock" # Disable for dind
     ];
@@ -42,12 +29,6 @@
 
       # NOTE: This token is invalid, when re-registering is needed it has to be refreshed
       GITEA_RUNNER_REGISTRATION_TOKEN = "Mq6wr0dPthqDij3iaryP8s5VYZA5kPfOQbHA6wm6";
-
-      # These are for the specific vegardit/gitea-act-runner image
-      # GITEA_RUNNER_LOG_LEVEL = "debug";
-      # GITEA_INSTANCE_INSECURE = "true";
-      # GITEA_RUNNER_JOB_CONTAINER_NETWORK = "host"; # "host" for dind, "behind-nginx" otherwise
-      # GITEA_RUNNER_JOB_CONTAINER_PRIVILEGED = "true"; # Enable for dind
     };
 
     extraOptions = [

ServeNix/services/gitea.nix

@@ -39,7 +39,7 @@
       "3000:3000"
 
       # NOTE: Set .git/config url to ssh://christoph@gitea.local.chriphost.de:222/christoph/<repo>.git
-      "222:22" # Gitea SSH
+      "222:222" # Gitea SSH
     ];
 
     volumes = [

ServeNix/services/gitlab.nix

@@ -1,37 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.gitlab = {
-    image = "gitlab/gitlab-ce";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-    ];
-
-    ports = [
-      # "80:80"
-      # "443:443"
-      "2222:22" # SSH
-    ];
-
-    volumes = [
-      "gitlab_config:/etc/gitlab"
-      "gitlab_logs:/var/log/gitlab"
-      "gitlab_data:/var/opt/gitlab"
-    ];
-
-    environment = {
-      GITLAB_OMNIBUS_CONFIG = "external_url 'https://gitlab.local.chriphost.de:443'; gitlab_rails['gitlab_shell_ssh_port'] = 2222;";
-    };
-
-    extraOptions = [
-      # "--gpus=all"
-      "--net=behind-nginx"
-      "--shm-size=256m"
-    ];
-  };
-}

ServeNix/services/heidi.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.heidi = {
+    image = "gitea.vps.chriphost.de/christoph/discord-heidi:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "heidi_config:/config"
+
+      "/home/christoph/heidi-sounds:/sounds:ro"
+    ];
+
+    environment = {
+      DISCORD_TOKEN = (builtins.readFile ./heidi.discord_token);
+      DOCKER = "True";
+    };
+
+    extraOptions = [
+      "--init" # Make an init process take up PID 1, to make python receive the SIGTERM
+      "--net=behind-nginx"
+    ];
+  };
+}

ServeNix/services/homeassistant.nix

@@ -4,21 +4,18 @@
   pkgs,
   ...
 }: {
-  virtualisation.oci-containers.containers.box-hydra = {
+  virtualisation.oci-containers.containers.homeassistant = {
-    image = "linuxserver/nzbhydra2:latest";
+    image = "lscr.io/linuxserver/homeassistant:latest";
     autoStart = true;
 
-    dependsOn = [
+    dependsOn = [];
-      # "pihole"
-      # "sabnzbd"
-    ];
 
     ports = [
-      # "5076:5076"
+      "8123:8123" # WebUI
     ];
 
     volumes = [
-      "box-hydra_config:/config"
+      "homeassistant_config:/config"
     ];
 
     environment = {
@@ -29,6 +26,7 @@
 
     extraOptions = [
       "--net=behind-nginx"
+      "--device=/dev/ttyUSB0:/dev/ttyUSB0" # Sonoff Zigbee Stick
     ];
   };
 }

ServeNix/services/immich.nix

@@ -5,7 +5,7 @@
   ...
 }: {
   virtualisation.oci-containers.containers.immich-database = {
-    image = "postgres:15";
+    image = "ghcr.io/immich-app/postgres:15-vectorchord0.3.0-pgvectors0.2.0";
     autoStart = true;
 
     dependsOn = [];
@@ -85,8 +85,6 @@
 
       MACHINE_LEARNING_WORKERS = "1";
       MACHINE_LEARNING_WORKER_TIMEOUT = "120";
-      DISABLE_MACHINE_LEARNING = "false";
-      DISABLE_TYPESENSE = "false";
     };
 
     extraOptions = [

ServeNix/services/jellyfin.nix

@@ -19,6 +19,7 @@
     volumes = [
       "/media/Show:/data/tvshows"
       "/media/Movie:/data/movies"
+      "/media/TV-Music:/data/music"
 
       "jellyfin_config:/config"
     ];

ServeNix/services/jellyseerr.nix

@@ -1,34 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.jellyseerr = {
-    image = "fallenbagel/jellyseerr:latest";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-      # "sonarr"
-      # "radarr"
-      # "jellyfin"
-    ];
-
-    ports = [
-      "5055:5055"
-    ];
-
-    volumes = [
-      "jellyseerr_config:/app/config"
-    ];
-
-    environment = {
-      TZ = "Europe/Berlin";
-    };
-
-    extraOptions = [
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/jellystat.nix

@@ -1,78 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.jellystat-db = {
-    image = "postgres:15.2";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-
-    ];
-
-    ports = [
-      # "5432:5432"
-    ];
-
-    volumes = [
-      "jellystat-db_data:/var/lib/postgresql/data"
-    ];
-
-    environment = {
-      POSTGRES_DB = "jfstat";
-      POSTGRES_USER = "postgres";
-      POSTGRES_PASSWORD = "jellystat-db";
-
-      # PUID = "1000";
-      # PGID = "1000";
-      # TZ = "Europe/Berlin";
-      # NVIDIA_VISIBLE_DEVICES = "all";
-      # NVIDIA_DRIVER_CAPABILITIES = "all";
-    };
-
-    extraOptions = [
-      # "--gpus=all"
-      "--net=behind-nginx"
-    ];
-  };
-
-  virtualisation.oci-containers.containers.jellystat = {
-    image = "cyfershepard/jellystat";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-      "jellystat-db"
-    ];
-
-    ports = [
-      # "3000:3000"
-    ];
-
-    volumes = [
-      "jellystat_data:/app/backend/backup-data"
-    ];
-
-    environment = {
-      POSTGRES_USER = "postgres";
-      POSTGRES_PASSWORD = "jellystat-db";
-      POSTGRES_IP = "jellystat-db";
-      POSTGRES_PORT = "5432";
-      JWT_SECRET = "MyUnsecretJwtKey";
-
-      # PUID = "1000";
-      # PGID = "1000";
-      # TZ = "Europe/Berlin";
-      # NVIDIA_VISIBLE_DEVICES = "all";
-      # NVIDIA_DRIVER_CAPABILITIES = "all";
-    };
-
-    extraOptions = [
-      # "--gpus=all"
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/kopia.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.kopia = {
+    image = "kopia/kopia:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "51515:51515"
+    ];
+
+    volumes = [
+      "kopia_config:/app/config"
+      "kopia_cache:/app/cache"
+      "kopia_logs:/app/logs"
+      "kopia_temp:/tmp"
+
+      # Repository, where snapshots are stored (incrementally)
+      "/media/synology-syncthing:/repository"
+
+      # Folders that are backed up
+      # "adguard_config:/data/adguard_config:ro" # ThinkNix
+      # "adguard_work:/data/adguard_work:ro" # ThinkNix
+      "authelia_config:/data/authelia_config:ro"
+      "formula10_cache:/data/formula10_cache:ro"
+      "formula10_data:/data/formula10_data:ro"
+      "gitea-db_data:/data/gitea-db_data:ro"
+      "gitea-runner_config:/data/gitea-runner_config:ro"
+      "gitea-runner_data:/data/gitea-runner_data:ro"
+      "gitea_data:/data/gitea_data:ro"
+      "heidi_config:/data/heidi_config:ro"
+      # "homeassistant_config:/data/homeassistant_config:ro" # ThinkNix
+      # "homepage_config:/data/homepage_config:ro"
+      "immich-database_data:/data/immich-database_data:ro"
+      "immich_config:/data/immich_config:ro"
+      "immich_data:/data/immich_data:ro"
+      "immich_machine-learning:/data/immich_machine-learning:ro"
+      "jellyfin_config:/data/jellyfin_config:ro"
+      "nextcloud-db_data:/data/nextcloud-db_data:ro"
+      "nextcloud_data:/data/nextcloud_data:ro"
+      "nginx_config:/data/nginx_config:ro"
+      "nginx_letsencrypt:/data/nginx_letsencrypt:ro"
+      "nginx_snippets:/data/nginx_snippets:ro"
+      "paperless-postgres_data:/data/paperless-postgres_data:ro"
+      "paperless_data:/data/paperless_data:ro"
+      # "portainer_config:/data/portainer_config:ro"
+      # "uptime-kuma_config:/data/uptime-kuma_config:ro" # Disabled
+      # "wireguard_vps_config:/data/wireguard_vps_config:ro"
+    ];
+
+    environment = {
+      TZ = "Europe/Berlin";
+      USER = "christoph";
+      KOPIA_PASSWORD = (builtins.readFile ./kopia.password);
+    };
+
+    entrypoint = "/bin/kopia";
+
+    cmd = [
+      "server"
+      "start"
+      "--disable-csrf-token-checks"
+      "--insecure"
+      "--address=0.0.0.0:51515"
+      "--server-username=christoph"
+      "--server-password=kopia"
+    ];
+
+    extraOptions = [
+      "--privileged"
+      "--device=/dev/fuse:/dev/fuse:rwm"
+      "--cap-add=SYS_ADMIN"
+      "--net=behind-nginx"
+    ];
+  };
+}

ServeNix/services/memos.nix

@@ -1,27 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.memos = {
-    image = "ghcr.io/usememos/memos:latest";
-    autoStart = true;
-
-    dependsOn = [];
-
-    ports = [
-      "5230:5230"
-    ];
-
-    volumes = [
-      "memos_data:/var/opt/memos"
-    ];
-
-    environment = {};
-
-    extraOptions = [
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/nextcloud.nix

@@ -66,6 +66,12 @@
     volumes = [
       "nextcloud_data:/var/www/html"
 
+      # Paperless media
+      # "/media/paperless-consume:/media/paperless-consume"
+      # "/media/paperless-export:/media/paperless-export"
+      # "/media/paperless-media:/media/paperless-media"
+      "/home/christoph/nextcloud:/flow-scripts"
+
       # "/var/run/docker.sock:/var/run/docker.sock:ro" # For AiO
     ];
 
@@ -74,11 +80,11 @@
 
       # Allow uploads larger than 1GB
       APACHE_BODY_LIMIT = "0";
-      NEXTCLOUD_TRUSTED_DOMAINS = "nextcloud.local.chriphost.de local.chriphost.de nextcloud.vps.chriphost.de vps.chriphost.de";
+      NEXTCLOUD_TRUSTED_DOMAINS = "https://nextcloud.local.chriphost.de https://local.chriphost.de https://nextcloud.vps.chriphost.de https://vps.chriphost.de";
 
       # Proxy
       APACHE_DISABLE_REWRITE_IP = "1";
-      TRUSTED_PROXIES = "192.168.86.25 212.227.233.241";
+      TRUSTED_PROXIES = "192.168.86.25 212.227.233.241 172.19.0.1";
       OVERWRITEPROTOCOL = "https";
       
       # DB
@@ -95,4 +101,26 @@
       "--net=behind-nginx"
     ];
   };
+
+  systemd.services.nextcloud-cron = {
+    enable = true;
+    description = "Nextcloud Cron Job";
+    
+    serviceConfig = {
+      ExecStart = "${pkgs.docker}/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php";
+    };
+  };
+
+  systemd.timers.nextcloud-cron = {
+    enable = true;
+    description = "Nextcloud Cron Job";
+
+    timerConfig = {
+      OnBootSec = "5min";
+      OnUnitActiveSec = "5min";
+      Unit = "nextcloud-cron.service";
+    };
+
+    wantedBy = ["timers.target"];
+  };
 }

ServeNix/services/paperless.nix

@@ -0,0 +1,87 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.paperless-redis = {
+    image = "docker.io/library/redis:7";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "paperless-redis_data:/data"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.paperless-postgres = {
+    image = "docker.io/library/postgres:15";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "paperless-postgres_data:/var/lib/postgresql/data"
+    ];
+
+    environment = {
+      POSTGRES_DB = "paperless";
+      POSTGRES_USER = "paperless";
+      POSTGRES_PASSWORD = "paperless";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.paperless = {
+    image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "paperless-redis"
+      "paperless-postgres"
+    ];
+
+    ports = [
+      "8000:8000"
+    ];
+
+    volumes = [
+      "paperless_data:/usr/src/paperless/data"
+      "/media/paperless-media:/usr/src/paperless/media"
+      "/media/paperless-export:/usr/src/paperless/export"
+      "/media/paperless-consume:/usr/src/paperless/consume"
+    ];
+
+    environment = {
+      PAPERLESS_REDIS = "redis://paperless-redis:6379";
+      PAPERLESS_DBHOST = "paperless-postgres";
+
+      # PAPERLESS_ADMIN_USER = "root";
+      # PAPERLESS_ADMIN_PASSWORD = "admin";
+
+      PAPERLESS_URL = "https://*.chriphost.de";
+      # PAPERLESS_CSRF_TRUSTED_ORIGINS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]";
+      # PAPERLESS_ALLOWED_HOSTS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]";
+      # PAPERLESS_CORS_ALLOWED_HOSTS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]";
+    };
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

ServeNix/services/portainer.nix

@@ -4,27 +4,50 @@
   pkgs,
   ...
 }: {
-  virtualisation.oci-containers.containers.portainer = {
+  # virtualisation.oci-containers.containers.portainer = {
-    image = "portainer/portainer-ce:latest";
+  #   image = "portainer/portainer-ce:latest";
+  #   autoStart = true;
+
+  #   dependsOn = [];
+
+  #   ports = [
+  #     # "8000:8000"
+  #     # "9443:9443"
+  #   ];
+
+  #   volumes = [
+  #     "portainer_config:/data"
+
+  #     "/var/run/docker.sock:/var/run/docker.sock"
+  #   ];
+
+  #   environment = {};
+
+  #   extraOptions = [
+  #     "--net=behind-nginx"
+  #   ];
+  # };
+
+  virtualisation.oci-containers.containers.portainer-agent = {
+    image = "portainer/agent:latest";
     autoStart = true;
 
     dependsOn = [];
 
     ports = [
-      # "8000:8000"
+      "9001:9001"
-      # "9443:9443"
     ];
 
     volumes = [
-      "portainer_config:/data"
-
       "/var/run/docker.sock:/var/run/docker.sock"
+      "/var/lib/docker/volumes:/var/lib/docker/volumes"
     ];
 
     environment = {};
 
     extraOptions = [
-      "--net=behind-nginx"
+      # This container needs to be accessible from another machine inside the LAN
+      # "--net=behind-nginx"
     ];
   };
 }

ServeNix/services/radarr.nix

@@ -1,38 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.radarr = {
-    image = "linuxserver/radarr:latest";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-      # "sabnzbd"
-      # "prowlarr"
-    ];
-
-    ports = [
-      # "7878:7878"
-    ];
-
-    volumes = [
-      "/media/TV-Usenet:/downloads"
-      "/media/Movie:/movies"
-
-      "radarr_config:/config"
-    ];
-
-    environment = {
-      PUID = "3000";
-      PGID = "3000";
-      TZ = "Europe/Berlin";
-    };
-
-    extraOptions = [
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/sabnzbd.nix

@@ -1,35 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.sabnzbd = {
-    image = "linuxserver/sabnzbd:latest";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-    ];
-
-    ports = [
-      # "8080:8080"
-    ];
-
-    volumes = [
-      "/media/TV-Usenet:/downloads"
-
-      "sabnzbd_config:/config"
-    ];
-
-    environment = {
-      PUID = "3000";
-      PGID = "3000";
-      TZ = "Europe/Berlin";
-    };
-
-    extraOptions = [
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/sonarr.nix

@@ -1,38 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  virtualisation.oci-containers.containers.sonarr = {
-    image = "linuxserver/sonarr:latest";
-    autoStart = true;
-
-    dependsOn = [
-      # "pihole"
-      # "sabnzbd"
-      # "prowlarr"
-    ];
-
-    ports = [
-      # "8989:8989"
-    ];
-
-    volumes = [
-      "/media/TV-Usenet:/downloads"
-      "/media/Show:/tv"
-
-      "sonarr_config:/config"
-    ];
-
-    environment = {
-      PUID = "3000";
-      PGID = "3000";
-      TZ = "Europe/Berlin";
-    };
-
-    extraOptions = [
-      "--net=behind-nginx"
-    ];
-  };
-}

ServeNix/services/whats-up-docker.nix

@@ -5,7 +5,7 @@
   ...
 }: {
   virtualisation.oci-containers.containers.whats-up-docker = {
-    image = "fmartinou/whats-up-docker:latest";
+    image = "getwud/wud:latest";
     autoStart = true;
 
     dependsOn = [

ThinkNix/configuration.nix

@@ -0,0 +1,318 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    <home-manager/nixos>
+
+    # DNS (required for internet)
+    ./services/adguard.nix
+    # ./services/pihole.nix
+
+    # General
+    # ./services/kopia.nix
+    # ./services/homepage.nix
+    ./services/nginx-proxy-manager.nix
+    ./services/portainer.nix
+    ./services/whats-up-docker.nix
+    ./services/wireguard.nix
+  ];
+
+  # Bootloader.
+  boot = {
+    loader.grub.enable = true;
+    loader.grub.device = "/dev/sda";
+    loader.grub.useOSProber = true;
+
+    # NOTE: I think this needs a separate EFI partition?
+    # loader.systemd-boot = {
+    #   enable = true;
+    #   configurationLimit = 5;
+    #   editor = false;
+    #   # canTouchEfiVariables = true;
+    #   # efiSysMountPoint = "/boot";
+    # };
+  };
+
+  # hardware = {
+  #   opengl = {
+  #     enable = true;
+  #     driSupport = true;
+  #     driSupport32Bit = true;
+  #   };
+
+  #   nvidia = {
+  #     modesetting.enable = true;
+  #     powerManagement.enable = false; # Experimental option, maybe this is the reason fileflows fails after some time?
+  #     open = false;
+  #     nvidiaSettings = false;
+  #   };
+  # };
+
+  networking = {
+    hostName = "thinknix"; # Define your hostname.
+    # wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+    # Configure network proxy if necessary
+    # proxy.default = "http://user:password@proxy:port/";
+    # proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+    # Enable networking
+    networkmanager.enable = true;
+
+    interfaces.ens18 = {
+      ipv4.addresses = [
+        {
+          address = "192.168.86.26";
+          prefixLength = 24;
+        }
+      ];
+
+      ipv6.addresses = [
+        {
+          address = "fd00::1a"; # 26 in hex
+	  prefixLength = 120;
+        }
+      ];
+    };
+
+    defaultGateway = "192.168.86.5";
+    defaultGateway6 = "fd00::5";
+
+    nameservers = [
+      "127.0.0.1"
+      "::1"
+
+      # "192.168.86.25"
+      # "8.8.8.8"
+    ];
+  };
+
+  systemd.services.init-behind-nginx-docker-network = {
+    description = "Create a docker network bridge for all services behind nginx-proxy-manager.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  
+    serviceConfig.Type = "oneshot";
+    script = let
+      dockercli = "${config.virtualisation.docker.package}/bin/docker";
+      network = "behind-nginx";
+    in ''
+      # Put a true at the end to prevent getting non-zero return code, which will
+      # crash the whole service.
+      check=$(${dockercli} network ls | grep ${network} || true)
+      if [ -z "$check" ]; then
+        # TODO: Disable IP masquerading to show individual containers in AdGuard/Pi-Hole
+        #       - Disabling this prevents containers from having internet connection. DNS issue?
+        # ${dockercli} network create -o "com.docker.network.bridge.enable_ip_masquerade"="false" ${network}
+
+        # ${dockercli} network create --ipv6 --gateway="2000::1" --subnet="2000::/80" ${network}
+        ${dockercli} network create ${network}
+      else
+        echo "${network} already exists in docker"
+      fi
+    '';
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "de_DE.UTF-8";
+    LC_IDENTIFICATION = "de_DE.UTF-8";
+    LC_MEASUREMENT = "de_DE.UTF-8";
+    LC_MONETARY = "de_DE.UTF-8";
+    LC_NAME = "de_DE.UTF-8";
+    LC_NUMERIC = "de_DE.UTF-8";
+    LC_PAPER = "de_DE.UTF-8";
+    LC_TELEPHONE = "de_DE.UTF-8";
+    LC_TIME = "de_DE.UTF-8";
+  };
+
+  # Configure console keymap
+  console.keyMap = "us-acentos";
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.christoph = {
+    isNormalUser = true;
+    description = "Christoph";
+    extraGroups = ["networkmanager" "wheel" "docker"];
+    shell = pkgs.fish;
+    packages = with pkgs; [];
+  };
+
+  users.users.git = {
+    uid = 500;
+    group = "git";
+    isNormalUser = false;
+    isSystemUser = true;
+    description = "Gitea User";
+    extraGroups = ["docker"];
+    shell = pkgs.fish;
+  };
+
+  home-manager.users.christoph = {pkgs, ...}: {
+    home.packages = with pkgs; [
+      lazygit
+      keychain
+      alejandra
+      nnn
+      busybox
+      glances
+      ripgrep
+
+      docker-compose
+    ];
+
+    programs = {
+      fish = {
+        enable = true;
+      };
+
+      git = {
+        enable = true;
+        userEmail = "christoph.urlacher@protonmail.com";
+        userName = "Christoph Urlacher";
+      };
+
+      keychain = {
+        enable = true;
+        enableFishIntegration = true;
+        agents = ["ssh"];
+        keys = ["id_ed25519"];
+      };
+
+      starship = {
+        enable = true;
+        enableFishIntegration = true;
+      };
+
+      yt-dlp = {
+        enable = true;
+      };
+    };
+
+    home.stateVersion = "23.05";
+  };
+
+  virtualisation = {
+    docker = {
+      enable = true;
+      autoPrune.enable = true;
+      # enableNvidia = true;
+      # rootless = {
+      #   enable = true;
+      #   setSocketVariable = true;
+      # };
+      daemon.settings = {
+        # ipv6 = true;
+        # fixed-cidr-v6 = "2001::/80";
+
+        dns = [
+          # TODO: Does this circumvent my DNS for each container?
+          #       It might improve gitea actions though...
+          "8.8.8.8"
+	  # "2001:4860:4860::8888"
+
+          # TODO: Might prevent containers from having DNS?
+          # "127.0.0.1"
+          # "192.168.86.25"
+        ];
+      };
+    };
+    oci-containers.backend = "docker";
+  };
+
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    wget
+    helix
+    git
+  ];
+
+  programs = {
+    firejail.enable = true;
+    fish.enable = true;
+    git.enable = true;
+    neovim.enable = true;
+    # fuse.userAllowOther = true;
+  };
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  services = {
+    # Configure keymap in X11
+    xserver = {
+      layout = "us";
+      xkbVariant = "altgr-intl";
+      # videoDrivers = ["nvidia"];
+    };
+
+    # Trims the journal if it gets too large
+    journald.extraConfig = ''
+      SystemMaxUse=50M
+    '';
+
+    # Enable the OpenSSH daemon.
+    openssh.enable = true;
+
+    ntp.enable = true;
+    qemuGuest.enable = true;
+    # TODO: Might prevent containers from having working DNS
+    # resolved.fallbackDns = ["8.8.8.8"];
+  };
+
+  networking.firewall = {
+    # Open ports in the firewall.
+    allowedTCPPorts = [
+      # PiHole requires these ports, as it's running in --net=host mode
+      53
+      80
+
+      # 3000 # Gitea runner needs to reach local gitea instance
+    ];
+    allowedUDPPorts = [
+      # PiHole requires these ports, as it's running in --net=host mode
+      53
+      67 # PiHole DHCP
+
+      # 3000 # Gitea runner needs to reach local gitea instance
+    ];
+    # Or disable the firewall altogether.
+    enable = true;
+
+    trustedInterfaces = [
+      "docker0"
+    ];
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

ThinkNix/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/2d1b1f62-f008-4562-906e-5a63d854b18b";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.br-962bf00415f9.useDHCP = lib.mkDefault true;
+  # networking.interfaces.docker0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

ThinkNix/services/0_TEMPLATE.nix

@@ -4,29 +4,28 @@
   pkgs,
   ...
 }: {
-  virtualisation.oci-containers.containers.prowlarr = {
+  virtualisation.oci-containers.containers.NAME = {
-    image = "linuxserver/prowlarr:latest";
+    image = "";
     autoStart = true;
 
     dependsOn = [
       # "pihole"
     ];
 
-    ports = [
+    ports = [];
-      # "9696:9696"
-    ];
 
-    volumes = [
+    volumes = [];
-      "prowlarr_config:/config"
-    ];
 
     environment = {
       PUID = "1000";
       PGID = "1000";
       TZ = "Europe/Berlin";
+      # NVIDIA_VISIBLE_DEVICES = "all";
+      # NVIDIA_DRIVER_CAPABILITIES = "all";
     };
 
     extraOptions = [
+      # "--gpus=all"
       "--net=behind-nginx"
     ];
   };

ThinkNix/services/adguard.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.adguard = {
+    image = "adguard/adguardhome";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # DNS server
+      "53:53/tcp"
+      "53:53/udp"
+      # "853:853/tcp" # DNS over TLS
+      # "853:853/udp" # DNS over QUIC
+
+      # DHCP server
+      # "67:67/udp"
+      # "68:68/tcp"
+      # "68:68/udp"
+
+      # Admin panel + DNS over HTTPS
+      # "80:80/tcp"
+      # "443:443/tcp"
+      # "443:443/udp"
+      # "3100:3000/tcp" # Web interface
+
+      # DNSCrypt
+      # "5443:5443/tcp"
+      # "5443:5443/udp"
+
+      # "6060:6060/tcp" # Debugging
+    ];
+
+    volumes = [
+      "adguard_config:/opt/adguardhome/conf"
+      "adguard_work:/opt/adguardhome/work"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

ThinkNix/services/homepage.nix

@@ -26,6 +26,7 @@
 
     extraOptions = [
       "--net=behind-nginx"
+      # "--privileged"
     ];
   };
 }

ThinkNix/services/kopia.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.kopia = {
+    image = "kopia/kopia:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "51515:51515"
+    ];
+
+    volumes = [
+      "kopia_config:/app/config"
+      "kopia_cache:/app/cache"
+      "kopia_logs:/app/logs"
+      "kopia_temp:/tmp"
+
+      # Repository, where snapshots are stored (incrementally)
+      "/media/synology-syncthing:/repository"
+
+      # Folders that are backed up
+      "adguard_config:/data/adguard_config:ro"
+      "adguard_work:/data/adguard_work:ro"
+      "authelia_config:/data/authelia_config:ro"
+      "bazarr_config:/data/bazarr_config:ro"
+      "box-fileflows_config:/data/box-fileflows_config:ro"
+      "box-hydra_config:/data/box-hydra_config:ro"
+      "box-sabnzbd_config:/data/box-sabnzbd_config:ro"
+      "box-stash_blobs:/data/box-stash_blobs:ro"
+      "box-stash_config:/data/box-stash_config:ro"
+      "box-stash_generated:/data/box-stash_generated:ro"
+      "box-stash_metadata:/data/box-stash_metadata:ro"
+      "fileflows_config:/data/fileflows_config:ro"
+      "formula10_data:/data/formula10_data:ro"
+      "gitea-db_data:/data/gitea-db_data:ro"
+      "gitea-runner_config:/data/gitea-runner_config:ro"
+      "gitea-runner_data:/data/gitea-runner_data:ro"
+      "gitea_data:/data/gitea_data:ro"
+      "heidi_config:/data/heidi_config:ro"
+      "homeassistant_config:/data/homeassistant_config:ro"
+      "homepage_config:/data/homepage_config:ro"
+      "immich-database_data:/data/immich-database_data:ro"
+      "immich_config:/data/immich_config:ro"
+      "immich_data:/data/immich_data:ro"
+      "immich_machine-learning:/data/immich_machine-learning:ro"
+      "jellyfin_config:/data/jellyfin_config:ro"
+      "jellyseerr_config:/data/jellyseerr_config:ro"
+      "jellystat-db_data:/data/jellystat-db_data:ro"
+      "jellystat_data:/data/jellystat_data:ro"
+      "nextcloud-db_data:/data/nextcloud-db_data:ro"
+      "nextcloud_data:/data/nextcloud_data:ro"
+      "nginx_config:/data/nginx_config:ro"
+      "nginx_letsencrypt:/data/nginx_letsencrypt:ro"
+      "nginx_snippets:/data/nginx_snippets:ro"
+      "paperless-postgres_data:/data/paperless-postgres_data:ro"
+      "paperless_data:/data/paperless_data:ro"
+      "portainer_config:/data/portainer_config:ro"
+      "prowlarr_config:/data/prowlarr_config:ro"
+      "radarr_config:/data/radarr_config:ro"
+      "sabnzbd_config:/data/sabnzbd_config:ro"
+      "sonarr_config:/data/sonarr_config:ro"
+      "uptime-kuma_config:/data/uptime-kuma_config:ro"
+      "wireguard_vps_config:/data/wireguard_vps_config:ro"
+    ];
+
+    environment = {
+      TZ = "Europe/Berlin";
+      USER = "christoph";
+      KOPIA_PASSWORD = (builtins.readFile ./kopia.password);
+    };
+
+    entrypoint = "/bin/kopia";
+
+    cmd = [
+      "server"
+      "start"
+      "--disable-csrf-token-checks"
+      "--insecure"
+      "--address=0.0.0.0:51515"
+      "--server-username=christoph"
+      "--server-password=kopia"
+    ];
+
+    extraOptions = [
+      "--privileged"
+      "--device=/dev/fuse:/dev/fuse:rwm"
+      "--cap-add=SYS_ADMIN"
+      "--net=behind-nginx"
+    ];
+  };
+}

ThinkNix/services/nginx-proxy-manager.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.nginx-proxy-manager = {
+    image = "jc21/nginx-proxy-manager:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      "80:80"
+      # "81:81" # Web interface
+      "443:443"
+    ];
+
+    volumes = [
+      "nginx_config:/data"
+      "nginx_snippets:/snippets"
+      "nginx_letsencrypt:/etc/letsencrypt"
+    ];
+
+    environment = {
+      DISABLE_IPV6 = "true";
+    };
+
+    extraOptions = [
+      # "--net=host"
+      "--net=behind-nginx"
+    ];
+  };
+}

ThinkNix/services/portainer.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.portainer = {
+    image = "portainer/portainer-ce:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "8000:8000"
+      # "9443:9443"
+    ];
+
+    volumes = [
+      "portainer_config:/data"
+
+      "/var/run/docker.sock:/var/run/docker.sock"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

ThinkNix/services/whats-up-docker.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.whats-up-docker = {
+    image = "getwud/wud:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      # "3001:3000"
+    ];
+
+    volumes = [
+      "/var/run/docker.sock:/var/run/docker.sock"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

ThinkNix/services/wireguard.nix

@@ -4,7 +4,7 @@
   pkgs,
   ...
 }: {
-  virtualisation.oci-containers.containers.wireguard-vps = {
+  virtualisation.oci-containers.containers.wireguard = {
     image = "linuxserver/wireguard:latest";
     autoStart = true;
 

volumes-backup/backup.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+VOLUME_NAME="wireguard_vps_config"
+
+sudo docker run --rm -v /home/christoph/HomeLab/volumes-backup:/backup -v "$VOLUME_NAME":/data:ro debian:stretch-slim bash -c "cd /data && /bin/tar -czvf /backup/$VOLUME_NAME.tar.gz ."

volumes-backup/restore.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+VOLUME_NAME="wireguard_vps_config"
+
+sudo docker run --rm -v /home/christoph/HomeLab/volumes-backup:/backup -v "$VOLUME_NAME":/data debian:stretch-slim bash -c "cd /data && /bin/tar -xzvf /backup/$VOLUME_NAME.tar.gz"