Modules: Add agenix module

.gitignore

@@ -10,3 +10,4 @@ result
 config/neovim/store
 home/modules/ags/config/types
 home/modules/ags/config/tsconfig.json
+home/modules/agenix/secrets.nix

config/navi/christoph.cheat

@@ -107,11 +107,15 @@ yes "The quick brown fox jumps over the lazy dog" | head -c <size> > <output>
 # For-loop in fish shell
 for o in <objects>; <action>; end
 
-% shell
+% fd
 # Find files larger or smaller than a specified size in the current directory
 fd --type file --size <mode><size> -- "<regex>" .
 $ mode: echo -e "+\t\tFind Larger Files\n-\t\tFind Smaller Files" --- --column 1
 
+% fd
+# Find .desktop files of an application
+fd ".*\.desktop" / | rg --trim --pretty "<application>"
+
 % gdu
 # Visualize storage usage on all mounted disks
 sudo gdu -d

flake.nix

@@ -33,37 +33,37 @@
     nixvim.inputs.nixpkgs.follows = "nixpkgs";
 
     # Emacs nightly
-    emacs-overlay.url = "github:nix-community/emacs-overlay";
+    # emacs-overlay.url = "github:nix-community/emacs-overlay";
-    emacs-overlay.inputs.nixpkgs.follows = "nixpkgs";
+    # emacs-overlay.inputs.nixpkgs.follows = "nixpkgs";
 
     # Declarative Flatpak
     nix-flatpak.url = "github:gmodena/nix-flatpak/?ref=latest";
     # nix-flatpak.inputs.nixpkgs.follows = "nixpkgs"; # nix-flatpak doesn't have this
 
     # HyprPlugins
-    hyprland-plugins.url = "github:hyprwm/hyprland-plugins";
+    # hyprland-plugins.url = "github:hyprwm/hyprland-plugins";
-    hyprland-plugins.inputs.nixpkgs.follows = "nixpkgs";
+    # hyprland-plugins.inputs.nixpkgs.follows = "nixpkgs";
-    hypr-dynamic-cursors.url = "github:VirtCode/hypr-dynamic-cursors";
+    # hypr-dynamic-cursors.url = "github:VirtCode/hypr-dynamic-cursors";
-    hypr-dynamic-cursors.inputs.nixpkgs.follows = "nixpkgs";
+    # hypr-dynamic-cursors.inputs.nixpkgs.follows = "nixpkgs";
 
     # Realtime audio
-    musnix.url = "github:musnix/musnix";
+    # musnix.url = "github:musnix/musnix";
-    musnix.inputs.nixpkgs.follows = "nixpkgs";
+    # musnix.inputs.nixpkgs.follows = "nixpkgs";
 
     nix-topology.url = "github:oddlama/nix-topology";
     nix-topology.inputs.nixpkgs.follows = "nixpkgs";
 
     # Ags for widgets (this was a terrible idea)
-    ags.url = "github:Aylur/ags";
+    # ags.url = "github:Aylur/ags";
-    ags.inputs.nixpkgs.follows = "nixpkgs";
+    # ags.inputs.nixpkgs.follows = "nixpkgs";
 
     # Spicetify
-    spicetify-nix.url = "github:Gerg-L/spicetify-nix";
+    # spicetify-nix.url = "github:Gerg-L/spicetify-nix";
-    spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
+    # spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
 
     # Pinned versions
-    v4l2loopback-pinned.url = "github:nixos/nixpkgs/4684fd6b0c01e4b7d99027a34c93c2e09ecafee2";
+    # v4l2loopback-pinned.url = "github:nixos/nixpkgs/4684fd6b0c01e4b7d99027a34c93c2e09ecafee2";
-    unityhub-pinned.url = "github:huantianad/nixpkgs/9542b0bc7701e173a10e6977e57bbba68bb3051f";
+    # unityhub-pinned.url = "github:huantianad/nixpkgs/9542b0bc7701e173a10e6977e57bbba68bb3051f";
   };
 
   # Outputs is a function that takes the inputs as arguments.
@@ -100,16 +100,18 @@
       overlays = [
         inputs.devshell.overlays.default
         inputs.nur.overlays.default
-        inputs.emacs-overlay.overlay
         inputs.nix-topology.overlays.default
+        # inputs.emacs-overlay.overlay
 
+        # Overriding specific packages from a different nixpkgs (e.g. a pull request)
+        # can be done like this. Note that this creates an additional nixpkgs instance.
         # https://github.com/NixOS/nixpkgs/issues/418451
-        (final: prev: {
+        # (final: prev: {
-          unityhub_pinned_3_13 = import inputs.unityhub-pinned {
+        #   unityhub_pinned_3_13 = import inputs.unityhub-pinned {
-            config.allowUnfree = true;
+        #     config.allowUnfree = true;
-            localSystem = {inherit (prev) system;};
+        #     localSystem = {inherit (prev) system;};
-          };
+        #   };
-        })
+        # })
 
         # All my own overlays
         (import ./overlays {inherit nixpkgs inputs;})

home/christoph/default.nix

@@ -252,10 +252,12 @@
   # This only works when HM is installed as a system module,
   # as nixosConfig won't be available otherwise.
   xdg = {
-    enable = !headless;
+    enable = true; # This only does xdg path management
-    mime.enable = true;
+    mime.enable = nixosConfig.modules.mime.enable;
+
     mimeApps = {
-      enable = true;
+      enable = nixosConfig.modules.mime.enable;
+
       associations.added = nixosConfig.xdg.mime.addedAssociations;
       associations.removed = nixosConfig.xdg.mime.removedAssociations;
       defaultApplications = nixosConfig.xdg.mime.defaultApplications;
@@ -446,10 +448,6 @@
           hunspellDicts.de_DE
         ])
       ];
-
-    # Do not change.
-    # This marks the version when NixOS was installed for backwards-compatibility.
-    stateVersion = "22.05";
   };
 
   # home.file.".options-doc".source = "${pkgs.modules-options-doc}";
@@ -663,7 +661,7 @@
       indicator = nixosConfig.programs.kdeconnect.enable;
     };
 
-    flatpak = {
+    flatpak = lib.mkIf nixosConfig.services.flatpak.enable {
       # FlatHub stable is only added by default if no custom remotes are specified
       remotes = lib.mkOptionDefault [
         {

home/christoph/nixinator/default.nix

@@ -114,7 +114,6 @@
 
         # Unity Stuff
         # unityhub
-        unityhub_pinned_3_13.unityhub # TODO: Remove after https://github.com/NixOS/nixpkgs/issues/418451
 
         rider
         dotnetCore
@@ -147,6 +146,10 @@
 
         # ".var/app/com.valvesoftware.Steam/config/MangoHud/MangoHud.conf".source = config.lib.file.mkOutOfStoreSymlink "${config.paths.dotfiles}/mangohud/MangoHud.conf";
       };
+
+      # Do not change.
+      # This marks the version when NixOS was installed for backwards-compatibility.
+      stateVersion = "22.05";
     };
 
     services = {

home/christoph/nixtop/default.nix

@@ -31,6 +31,12 @@
       waybar.monitor = "eDP-1";
     };
 
-    # home.packages = with pkgs; [];
+    home = {
+      # packages = with pkgs; [];
+
+      # Do not change.
+      # This marks the version when NixOS was installed for backwards-compatibility.
+      stateVersion = "22.05";
+    };
   };
 }

home/christoph/servenix/default.nix

@@ -0,0 +1,19 @@
+{
+  pkgs,
+  nixosConfig,
+  config,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../modules
+  ];
+
+  config = {
+    home.packages = with pkgs; [
+      docker-compose
+    ];
+
+    home.stateVersion = "23.05";
+  };
+}

home/modules/agenix/default.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  nixosConfig,
+  lib,
+  mylib,
+  pkgs,
+  username,
+  publicKeys,
+  ...
+}: let
+  inherit (config.modules) agenix;
+in {
+  options.modules.agenix = import ./options.nix {inherit lib mylib;};
+
+  config = {
+    # The user will be able to decrypt .age files using agenix.
+    # On each user/machine, this should generate a corresponding secrets.nix
+    home.file."${config.paths.nixflake}/home/modules/agenix/secrets.nix".text = let
+      mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
+    in ''
+      # NOTE: This file will contain keys depending on the host/by which user it was built on.
+      {
+        ${lib.optionalString
+        # If this user defined any secrets...
+        (builtins.hasAttr "${username}" agenix.secrets)
+        # ...we will add them to the current secrets.nix,
+        # s.t. agenix can be used to encrypt the secret.
+        (builtins.concatStringsSep "\n"
+          (builtins.map
+            (mkSecret publicKeys.${username}.ssh)
+            agenix.secrets.${username}))}
+      }
+    '';
+
+    age.secrets = let
+      mkSecretIfExists = name:
+      # If this user has already encrypted the secret...
+        if builtins.pathExists ./${name}.age
+        # ...we will register it with age...
+        then {${name}.file = ./${name}.age;}
+        # ...otherwise we link to a bogus file.
+        else {${name}.file = ./void.age;};
+    in
+      lib.mkIf
+      # If this user defined any secrets...
+      (builtins.hasAttr "${username}" agenix.secrets)
+      # ...we will register all secrets files that have already been generated.
+      (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
+  };
+}

home/modules/agenix/options.nix

@@ -0,0 +1,33 @@
+{
+  lib,
+  mylib,
+  ...
+}: let
+  mkSecret = file:
+    lib.mkOption {
+      type = lib.types.path;
+      default = file;
+    };
+in {
+  secrets = lib.mkOption {
+    type = lib.types.attrs;
+    description = "The secret files managed by agenix (and their associated keys)";
+    example = ''
+      {
+        christoph = [
+          "heidi-discord-token"
+          "kopia-password"
+          "kopia-server-username"
+          "kopia-server-password"
+        ];
+      }
+    '';
+
+    default = {};
+  };
+
+  heidi-discord-token = mkSecret ./heidi-discord-token.age;
+  kopia-user-password = mkSecret ./kopia-user-password.age;
+  kopia-server-user = mkSecret ./kopia-server-user.age;
+  kopia-server-password = mkSecret ./kopia-server-password.age;
+}

home/modules/agenix/void.age

@@ -0,0 +1 @@
+This secret has not been generated.

home/modules/default.nix

@@ -3,6 +3,7 @@
     # Obsolete modules are kept in "1_deprecated" for reference.
 
     # My own HM modules
+    ./agenix
     ./beets
     ./chromium
     ./color
@@ -26,7 +27,8 @@
     # HM modules imported from the flake inputs
     inputs.nix-flatpak.homeManagerModules.nix-flatpak
     inputs.nixvim.homeManagerModules.nixvim
-    inputs.ags.homeManagerModules.default
+    inputs.agenix.homeManagerModules.default
-    inputs.spicetify-nix.homeManagerModules.default
+    # inputs.ags.homeManagerModules.default
+    # inputs.spicetify-nix.homeManagerModules.default
   ];
 }

system/default.nix

@@ -75,7 +75,6 @@ with mylib.networking; {
     network = {
       inherit hostname;
       enable = true;
-      useNetworkManager = true;
 
       networks = {
         # Default wildcard ethernet network for all hosts
@@ -341,7 +340,7 @@ with mylib.networking; {
 
     acpid.enable = true;
     dbus.enable = true;
-    flatpak.enable = true; # Not quite the nix style but useful for bottles/proprietary stuff/steam/gaming
+    flatpak.enable = !headless; # Not quite the nix style but useful for bottles/proprietary stuff/steam/gaming
     fstrim.enable = true; # SSD
     fwupd.enable = true; # Device firmware (I don't think I have any supported devices)
     # locate.enable = true; # Periodically update index
@@ -383,13 +382,4 @@ with mylib.networking; {
       '';
     };
   };
-
-  # The current system was installed on 22.05, do not change.
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
 }

system/modules/docker/default.nix

@@ -50,7 +50,10 @@ in {
         # extraPackages = with pkgs; [];
       };
 
-      oci-containers.backend = "podman"; # "docker" or "podman"
+      oci-containers.backend =
+        if docker.podman
+        then "podman"
+        else "docker"; # "docker" or "podman"
       libvirtd.enable = true;
     };
   };

system/nixinator/default.nix

@@ -12,6 +12,8 @@
 
   modules = {
     network = {
+      useNetworkManager = true;
+
       # Systemd-networkd configs
       networks = {
         # This should override the default network 50-ether
@@ -129,4 +131,13 @@
       videoDrivers = ["nvidia"]; # NVIDIA
     };
   };
+
+  # The current system was installed on 22.05, do not change.
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.05"; # Did you read the comment?
 }

system/nixtop/default.nix

@@ -7,6 +7,8 @@
 
   modules = {
     network = {
+      useNetworkManager = true;
+
       wireguard-tunnels = {
         wg0-de-74 =
           mylib.networking.mkWireguardService
@@ -35,4 +37,13 @@
     # Proprietary graphics drivers
     videoDrivers = ["intel"];
   };
+
+  # The current system was installed on 22.05, do not change.
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.05"; # Did you read the comment?
 }

system/servenix/default.nix

@@ -0,0 +1,113 @@
+{
+  inputs,
+  hostname,
+  lib,
+  mylib,
+  config,
+  pkgs,
+  system,
+  username,
+  headless,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+
+    ../modules
+
+    # My own services
+    ../services/heidi.nix
+    ../services/formula10.nix
+    ../services/formula11.nix
+
+    # General services
+    ../services/authelia.nix
+    ../services/gitea.nix
+    ../services/gitea-runner.nix
+    ../services/immich.nix
+    ../services/jellyfin.nix
+    ../services/kopia.nix
+    ../services/nextcloud.nix
+    ../services/nginx-proxy-manager.nix
+    ../services/paperless.nix
+    ../services/portainer.nix
+    ../services/whats-up-docker.nix
+  ];
+
+  modules = {
+    network = {
+      useNetworkManager = false;
+
+      networks = {
+        "10-ether-1G" = mylib.networking.mkStaticSystemdNetwork {
+          interface = "ens18";
+          ips = ["192.168.86.25/24"];
+          routers = ["192.168.86.5"];
+          nameservers = ["192.168.86.26"];
+          routable = true;
+        };
+      };
+
+      allowedTCPPorts = [
+        53 # DNS
+        80 # HTTP
+        3000 # Gitea runner needs to reach local gitea instance
+      ];
+
+      allowedUDPPorts = [
+        53 # DNS
+        67 # DHCP
+        3000 # Gitea runner needs to reach local gitea instance
+      ];
+    };
+  };
+
+  networking.firewall.trustedInterfaces = ["docker0" "podman0"];
+
+  systemd.services.init-behind-nginx-docker-network = {
+    description = "Create a docker network bridge for all services behind nginx-proxy-manager.";
+    after = ["network.target"];
+    wantedBy = ["multi-user.target"];
+
+    serviceConfig.Type = "oneshot";
+    script = let
+      cli = "${config.virtualisation.docker.package}/bin/docker";
+      network = "behind-nginx";
+    in ''
+      # Put a true at the end to prevent getting non-zero return code, which will
+      # crash the whole service.
+      check=$(${cli} network ls | grep ${network} || true)
+      if [ -z "$check" ]; then
+        # TODO: Disable IP masquerading to show individual containers in AdGuard/Pi-Hole
+        #       - Disabling this prevents containers from having internet connection. DNS issue?
+        # ${cli} network create -o "com.docker.network.bridge.enable_ip_masquerade"="false" ${network}
+
+        # ${cli} network create --ipv6 --gateway="2000::1" --subnet="2000::/80" ${network}
+        ${cli} network create ${network}
+      else
+        echo "${network} already exists in docker"
+      fi
+    '';
+  };
+
+  # List services that you want to enable:
+  services = {
+    # Configure keymap in X11
+    xserver = {
+      layout = "us";
+      xkbVariant = "altgr-intl";
+      videoDrivers = ["nvidia"];
+    };
+
+    qemuGuest.enable = true;
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

system/servenix/hardware-configuration.nix

@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+    initrd.kernelModules = [];
+    kernelModules = ["kvm-intel"];
+    extraModulePackages = [];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/2d1b1f62-f008-4562-906e-5a63d854b18b";
+      fsType = "ext4";
+      options = ["defaults" "rw" "relatime"];
+    };
+
+    "/home/christoph/ssd" = {
+      device = "/dev/disk/by-uuid/ff42f57c-cd45-41ea-a0ee-640e638b38bc";
+      fsType = "ext4";
+      options = ["defaults" "rw" "relatime"];
+    };
+
+    # Synology DS223j
+
+    "/media/synology-syncthing" = {
+      device = "192.168.86.15:/volume1/DockerVolumes";
+      fsType = "nfs";
+      options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"];
+    };
+
+    # SG Exos Mirror Shares
+
+    "/media/Movie" = {
+      device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Movie";
+      fsType = "nfs";
+      options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"];
+    };
+
+    "/media/Show" = {
+      device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Show";
+      fsType = "nfs";
+      options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"];
+    };
+
+    "/media/TV-Music" = {
+      device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Music";
+      fsType = "nfs";
+      options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"];
+    };
+  };
+
+  swapDevices = [];
+
+  hardware = {
+    enableAllFirmware = true;
+    enableRedistributableFirmware = true;
+    cpu.intel.updateMicrocode = true;
+    bluetooth.enable = false;
+    nvidia-container-toolkit.enable = true;
+
+    nvidia = {
+      package = config.boot.kernelPackages.nvidiaPackages.stable;
+
+      modesetting.enable = false;
+      open = true;
+      nvidiaSettings = false;
+    };
+
+    graphics = {
+      enable = true;
+      enable32Bit = true;
+
+      extraPackages = with pkgs; [
+        vaapiVdpau
+        libvdpau-va-gl
+
+        nvidia-vaapi-driver
+      ];
+    };
+  };
+
+  environment.variables = {
+    GBM_BACKEND = "nvidia-drm";
+    __GLX_VENDOR_LIBRARY_NAME = "nvidia";
+    LIBVA_DRIVER_NAME = "nvidia";
+    NVD_BACKEND = "direct"; # egl
+  };
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}

system/services/0_TEMPLATE.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.TEMPLATE = {
+    image = "TEMPLATE";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [];
+
+    environment = {
+      PUID = "1000";
+      PGID = "1000";
+      TZ = "Europe/Berlin";
+      # NVIDIA_VISIBLE_DEVICES = "all";
+      # NVIDIA_DRIVER_CAPABILITIES = "all";
+    };
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/adguard.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.adguard = {
+    image = "adguard/adguardhome";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # DNS server
+      "53:53/tcp"
+      "53:53/udp"
+      # "853:853/tcp" # DNS over TLS
+      # "853:853/udp" # DNS over QUIC
+
+      # DHCP server
+      # "67:67/udp"
+      # "68:68/tcp"
+      # "68:68/udp"
+
+      # Admin panel + DNS over HTTPS
+      # "80:80/tcp"
+      # "443:443/tcp"
+      # "443:443/udp"
+      # "3100:3000/tcp" # Web interface
+
+      # DNSCrypt
+      # "5443:5443/tcp"
+      # "5443:5443/udp"
+
+      # "6060:6060/tcp" # Debugging
+    ];
+
+    volumes = [
+      "adguard_config:/opt/adguardhome/conf"
+      "adguard_work:/opt/adguardhome/work"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/authelia.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.authelia = {
+    image = "authelia/authelia:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      # "9091:9091"
+    ];
+
+    volumes = [
+      "authelia_config:/config"
+    ];
+
+    environment = {
+      TZ = "Europe/Berlin";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/formula10.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.formula10 = {
+    image = "gitea.vps.chriphost.de/christoph/formula10:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      "55555:5000"
+    ];
+
+    volumes = [
+      "formula10_data:/app/instance"
+      "formula10_cache:/cache"
+    ];
+
+    environment = {
+      TZ = "Europe/Berlin";
+    };
+
+    extraOptions = [
+      "--init" # Make an init process take up PID 1, to make python receive the SIGTERM
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/formula11.nix

@@ -0,0 +1,65 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.formula11_pocketbase = {
+    image = "gitea.vps.chriphost.de/christoph/pocketbase:0.25.0";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      "8090:8080"
+    ];
+
+    volumes = [
+      "formula11_pb_data:/pb/pb_data"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.formula11 = {
+    image = "gitea.vps.chriphost.de/christoph/formula11:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "formula11_pocketbase"
+    ];
+
+    ports = [
+      # "8080:8090"
+      "5173:3000"
+    ];
+
+    volumes = [];
+
+    environment = {
+      # PB_PROTOCOL="http";
+      # PB_HOST="formula11_pocketbase";
+      # PB_PORT="8000";
+
+      # PB_PROTOCOL="https";
+      # PB_URL="f11pb.vps.chriphost.de";
+
+      PUBLIC_PBURL="https://f11pb.vps.chriphost.de";
+
+      # Required by SvelteKit to prevent cross-site POST errors
+      ORIGIN="https://f11.vps.chriphost.de";
+    };
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/gitea-runner.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.gitea-runner = {
+    image = "gitea/act_runner:latest"; # NOTE: vegardit has other runner images
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "gitea-runner_data:/data"
+      "gitea-runner_config:/config" # Managed by env variables for vegardit image
+    
+      "/var/run/docker.sock:/var/run/docker.sock" # Disable for dind
+    ];
+
+    environment = {
+      # NOTE: gitlab.local.chriphost.de doesn't work, because it gets resolved to 192.168.86.25:443, which is nginx
+      GITEA_INSTANCE_URL = "http://192.168.86.25:3000";
+      GITEA_RUNNER_NAME = "servenix";
+
+      # Can be generated from inside the container using act_runner generate-config > /config/config.yaml
+      CONFIG_FILE = "/config/config.yaml";
+
+      # NOTE: This token is invalid, when re-registering is needed it has to be refreshed
+      GITEA_RUNNER_REGISTRATION_TOKEN = "Mq6wr0dPthqDij3iaryP8s5VYZA5kPfOQbHA6wm6";
+    };
+
+    extraOptions = [
+      # "--privileged" # Enable for dind
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/gitea.nix

@@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  users = {
+    groups.git = {};
+
+    # Extra git user for Gitea
+    users.git = {
+      uid = 500;
+      group = "git";
+      isNormalUser = false;
+      isSystemUser = true;
+      description = "Gitea User";
+      extraGroups = ["docker" "podman"];
+      shell = pkgs.fish;
+    };
+  };
+
+  virtualisation.oci-containers.containers.gitea-db = {
+    image = "postgres:14";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "gitea-db_data:/var/lib/postgresql/data"
+    ];
+
+    environment = {
+      POSTGRES_USER = "gitea";
+      POSTGRES_PASSWORD = "gitea";
+      POSTGRES_DB = "gitea";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.gitea = {
+    image = "gitea/gitea:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "gitea-db"
+    ];
+
+    ports = [
+      "3000:3000"
+
+      # NOTE: Set .git/config url to ssh://christoph@gitea.local.chriphost.de:222/christoph/<repo>.git
+      "222:222" # Gitea SSH
+    ];
+
+    volumes = [
+      "/etc/timezone:/etc/timezone:ro"
+      "/etc/localtime:/etc/localtime:ro"
+
+      "gitea_data:/data"
+    ];
+
+    environment = {
+      USER = "git";
+      USER_UID = "500";
+      # USER_GID = "100";
+
+      GITEA__database__DB_TYPE = "postgres";
+      GITEA__database__HOST = "gitea-db:5432";
+      GITEA__database__NAME = "gitea";
+      GITEA__database__USER = "gitea";
+      GITEA__database__PASSWD = "gitea";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/heidi.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.heidi = {
+    image = "gitea.vps.chriphost.de/christoph/discord-heidi:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "heidi_config:/config"
+
+      "/home/christoph/heidi-sounds:/sounds:ro"
+    ];
+
+    environment = {
+      DISCORD_TOKEN = (builtins.readFile ./heidi.discord_token);
+      DOCKER = "True";
+    };
+
+    extraOptions = [
+      "--init" # Make an init process take up PID 1, to make python receive the SIGTERM
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/immich.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.immich-database = {
+    image = "ghcr.io/immich-app/postgres:15-vectorchord0.3.0-pgvectors0.2.0";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "5432:5432"
+    ];
+
+    volumes = [
+      "immich-database_data:/var/lib/postgresql/data"
+    ];
+
+    environment = {
+      POSTGRES_USER = "immich";
+      POSTGRES_PASSWORD = "immich";
+      POSTGRES_DB = "immich";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.immich-redis = {
+    image = "redis";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "6379:6379"
+    ];
+
+    volumes = [];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.immich = {
+    image = "ghcr.io/imagegenius/immich:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "immich-database"
+      "immich-redis"
+    ];
+
+    ports = [
+      "2283:8080"
+    ];
+
+    volumes = [
+      "immich_config:/config"
+      "immich_data:/photos"
+      "immich_machine-learning:/config/machine-learning"
+      # "immich_imports:/import:ro"
+    ];
+
+    environment = {
+      PUID = "1000";
+      PGID = "1000";
+      TZ = "Europe/Berlin";
+
+      DB_HOSTNAME = "immich-database";
+      DB_USERNAME = "immich";
+      DB_PASSWORD = "immich";
+      # DB_PORT = "5432";
+      DB_DATABASE_NAME = "immich";
+
+      REDIS_HOSTNAME = "immich-redis";
+      # REDIS_PORT = "6379";
+      # REDIS_PASSWORD = "";
+
+      MACHINE_LEARNING_WORKERS = "1";
+      MACHINE_LEARNING_WORKER_TIMEOUT = "120";
+    };
+
+    extraOptions = [
+      "--privileged"
+      "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/jellyfin.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.jellyfin = {
+    image = "linuxserver/jellyfin:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      "8096:8096"
+    ];
+
+    volumes = [
+      "/media/Show:/data/tvshows"
+      "/media/Movie:/data/movies"
+      "/media/TV-Music:/data/music"
+
+      "jellyfin_config:/config"
+    ];
+
+    environment = {
+      PUID = "3000";
+      PGID = "3000";
+      TZ = "Europe/Berlin";
+
+      NVIDIA_VISIBLE_DEVICES = "all";
+      NVIDIA_DRIVER_CAPABILITIES = "all";
+    };
+
+    extraOptions = [
+      "--privileged"
+      "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/kopia.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.kopia = {
+    image = "kopia/kopia:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "51515:51515"
+    ];
+
+    volumes = [
+      "kopia_config:/app/config"
+      "kopia_cache:/app/cache"
+      "kopia_logs:/app/logs"
+      "kopia_temp:/tmp"
+
+      # Repository, where snapshots are stored (incrementally)
+      "/media/synology-syncthing:/repository"
+
+      # Folders that are backed up
+      # "adguard_config:/data/adguard_config:ro" # ThinkNix
+      # "adguard_work:/data/adguard_work:ro" # ThinkNix
+      "authelia_config:/data/authelia_config:ro"
+      "formula10_cache:/data/formula10_cache:ro"
+      "formula10_data:/data/formula10_data:ro"
+      "gitea-db_data:/data/gitea-db_data:ro"
+      "gitea-runner_config:/data/gitea-runner_config:ro"
+      "gitea-runner_data:/data/gitea-runner_data:ro"
+      "gitea_data:/data/gitea_data:ro"
+      "heidi_config:/data/heidi_config:ro"
+      # "homeassistant_config:/data/homeassistant_config:ro" # ThinkNix
+      # "homepage_config:/data/homepage_config:ro"
+      "immich-database_data:/data/immich-database_data:ro"
+      "immich_config:/data/immich_config:ro"
+      "immich_data:/data/immich_data:ro"
+      "immich_machine-learning:/data/immich_machine-learning:ro"
+      "jellyfin_config:/data/jellyfin_config:ro"
+      "nextcloud-db_data:/data/nextcloud-db_data:ro"
+      "nextcloud_data:/data/nextcloud_data:ro"
+      "nginx_config:/data/nginx_config:ro"
+      "nginx_letsencrypt:/data/nginx_letsencrypt:ro"
+      "nginx_snippets:/data/nginx_snippets:ro"
+      "paperless-postgres_data:/data/paperless-postgres_data:ro"
+      "paperless_data:/data/paperless_data:ro"
+      # "portainer_config:/data/portainer_config:ro"
+      # "uptime-kuma_config:/data/uptime-kuma_config:ro" # Disabled
+      # "wireguard_vps_config:/data/wireguard_vps_config:ro"
+    ];
+
+    environment = {
+      TZ = "Europe/Berlin";
+      USER = "christoph";
+      KOPIA_PASSWORD = (builtins.readFile ./kopia.password);
+    };
+
+    entrypoint = "/bin/kopia";
+
+    cmd = [
+      "server"
+      "start"
+      "--disable-csrf-token-checks"
+      "--insecure"
+      "--address=0.0.0.0:51515"
+      "--server-username=christoph"
+      "--server-password=kopia"
+    ];
+
+    extraOptions = [
+      "--privileged"
+      "--device=/dev/fuse:/dev/fuse:rwm"
+      "--cap-add=SYS_ADMIN"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/nextcloud.nix

@@ -0,0 +1,126 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.nextcloud-db = {
+    image = "postgres:alpine";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "5432:5432"
+    ];
+
+    volumes = [
+      "nextcloud-db_data:/var/lib/postgresql/data"
+    ];
+
+    environment = {
+      POSTGRES_PASSWORD = "nextcloud";
+      POSTGRES_DB = "nextcloud";
+      POSTGRES_USER = "nextcloud";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.nextcloud-memcache = {
+    image = "redis:alpine";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "6379:6379"
+    ];
+
+    volumes = [
+      "nextcloud-memcache_data:/data"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.nextcloud = {
+    image = "nextcloud:apache";
+    autoStart = true;
+
+    dependsOn = [
+      "nextcloud-db"
+      "nextcloud-memcache"
+    ];
+
+    ports = [
+      "8080:80"
+    ];
+
+    volumes = [
+      "nextcloud_data:/var/www/html"
+
+      # Paperless media
+      # "/media/paperless-consume:/media/paperless-consume"
+      # "/media/paperless-export:/media/paperless-export"
+      # "/media/paperless-media:/media/paperless-media"
+      "/home/christoph/nextcloud:/flow-scripts"
+
+      # "/var/run/docker.sock:/var/run/docker.sock:ro" # For AiO
+    ];
+
+    environment = {
+      # Don't add PUID/PGID/TZ or sth like that!
+
+      # Allow uploads larger than 1GB
+      APACHE_BODY_LIMIT = "0";
+      NEXTCLOUD_TRUSTED_DOMAINS = "https://nextcloud.local.chriphost.de https://local.chriphost.de https://nextcloud.vps.chriphost.de https://vps.chriphost.de";
+
+      # Proxy
+      APACHE_DISABLE_REWRITE_IP = "1";
+      TRUSTED_PROXIES = "192.168.86.25 212.227.233.241 172.19.0.1";
+      OVERWRITEPROTOCOL = "https";
+      
+      # DB
+      POSTGRES_HOST = "nextcloud-db";
+      POSTGRES_PASSWORD = "nextcloud";
+      POSTGRES_DB = "nextcloud";
+      POSTGRES_USER = "nextcloud";
+
+      # Memcache + Transactional Locking
+      REDIS_HOST = "nextcloud-memcache";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  systemd.services.nextcloud-cron = {
+    enable = true;
+    description = "Nextcloud Cron Job";
+    
+    serviceConfig = {
+      ExecStart = "${pkgs.docker}/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php";
+    };
+  };
+
+  systemd.timers.nextcloud-cron = {
+    enable = true;
+    description = "Nextcloud Cron Job";
+
+    timerConfig = {
+      OnBootSec = "5min";
+      OnUnitActiveSec = "5min";
+      Unit = "nextcloud-cron.service";
+    };
+
+    wantedBy = ["timers.target"];
+  };
+}

system/services/nginx-proxy-manager.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.nginx-proxy-manager = {
+    image = "jc21/nginx-proxy-manager:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      "80:80"
+      # "81:81" # Web interface
+      "443:443"
+    ];
+
+    volumes = [
+      "nginx_config:/data"
+      "nginx_snippets:/snippets"
+      "nginx_letsencrypt:/etc/letsencrypt"
+    ];
+
+    environment = {
+      DISABLE_IPV6 = "true";
+    };
+
+    extraOptions = [
+      # "--net=host"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/paperless.nix

@@ -0,0 +1,87 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.paperless-redis = {
+    image = "docker.io/library/redis:7";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "paperless-redis_data:/data"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.paperless-postgres = {
+    image = "docker.io/library/postgres:15";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "paperless-postgres_data:/var/lib/postgresql/data"
+    ];
+
+    environment = {
+      POSTGRES_DB = "paperless";
+      POSTGRES_USER = "paperless";
+      POSTGRES_PASSWORD = "paperless";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.paperless = {
+    image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "paperless-redis"
+      "paperless-postgres"
+    ];
+
+    ports = [
+      "8000:8000"
+    ];
+
+    volumes = [
+      "paperless_data:/usr/src/paperless/data"
+      "/media/paperless-media:/usr/src/paperless/media"
+      "/media/paperless-export:/usr/src/paperless/export"
+      "/media/paperless-consume:/usr/src/paperless/consume"
+    ];
+
+    environment = {
+      PAPERLESS_REDIS = "redis://paperless-redis:6379";
+      PAPERLESS_DBHOST = "paperless-postgres";
+
+      # PAPERLESS_ADMIN_USER = "root";
+      # PAPERLESS_ADMIN_PASSWORD = "admin";
+
+      PAPERLESS_URL = "https://*.chriphost.de";
+      # PAPERLESS_CSRF_TRUSTED_ORIGINS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]";
+      # PAPERLESS_ALLOWED_HOSTS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]";
+      # PAPERLESS_CORS_ALLOWED_HOSTS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]";
+    };
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/portainer.nix

@@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # virtualisation.oci-containers.containers.portainer = {
+  #   image = "portainer/portainer-ce:latest";
+  #   autoStart = true;
+
+  #   dependsOn = [];
+
+  #   ports = [
+  #     # "8000:8000"
+  #     # "9443:9443"
+  #   ];
+
+  #   volumes = [
+  #     "portainer_config:/data"
+
+  #     "/var/run/docker.sock:/var/run/docker.sock"
+  #   ];
+
+  #   environment = {};
+
+  #   extraOptions = [
+  #     "--net=behind-nginx"
+  #   ];
+  # };
+
+  virtualisation.oci-containers.containers.portainer-agent = {
+    image = "portainer/agent:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      "9001:9001"
+    ];
+
+    volumes = [
+      "/var/run/docker.sock:/var/run/docker.sock"
+      "/var/lib/docker/volumes:/var/lib/docker/volumes"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      # This container needs to be accessible from another machine inside the LAN
+      # "--net=behind-nginx"
+    ];
+  };
+}

system/services/whats-up-docker.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.whats-up-docker = {
+    image = "getwud/wud:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      # "3001:3000"
+    ];
+
+    volumes = [
+      "/var/run/docker.sock:/var/run/docker.sock"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}