deadnix, cleanup

2024-02-08 23:21:10 +03:00 · 2024-02-08 23:21:10 +03:00 · 9034ae5060
commit 9034ae5060
parent f7f371f106
99 changed files with 129 additions and 990 deletions
--- a/flake.nix
+++ b/flake.nix
@ -118,7 +118,6 @@
      "rustic-rs-0.7.0.patch"
      "vaultwarden.patch"
      "vscode-1.86.0.patch"
      "webhooks.patch"
    ];
    sharedOverlays = [ flake-utils-plus.overlay inputs.sops-nix.overlays.default ];
    channelsConfig = {
@ -141,7 +140,6 @@
        modules = __attrValues self.customModules ++ [
          (import (./machines + "/${name}"))
          { device = name; mainuser = "ataraxia"; }
          inputs.vscode-server.nixosModule
          inputs.sops-nix.nixosModules.sops
        ];
        specialArgs = { inherit inputs; };
@ -152,7 +150,6 @@
        modules = __attrValues self.customModules ++ [
          (import (./machines/Home-Hypervisor))
          { device = "Home-Hypervisor"; mainuser = "ataraxia"; }
          inputs.vscode-server.nixosModule
          inputs.sops-nix.nixosModules.sops
        ];
        specialArgs = { inherit inputs; };
--- a/machines/AMD-Workstation/boot.nix
+++ b/machines/AMD-Workstation/boot.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ pkgs, lib, ... }:
 let
  zfs_arc_max = toString (6 * 1024 * 1024 * 1024);
 in {
--- a/machines/AMD-Workstation/hardware-configuration.nix
+++ b/machines/AMD-Workstation/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:
 {
  imports =
--- a/machines/Dell-Laptop/boot.nix
+++ b/machines/Dell-Laptop/boot.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ pkgs, lib, ... }:
 let
  zfs_arc_max = toString (2 * 1024 * 1024 * 1024);
 in {
--- a/machines/Dell-Laptop/default.nix
+++ b/machines/Dell-Laptop/default.nix
@ -1,4 +1,4 @@
-{ inputs, config, lib, pkgs, ... }: {
+{ inputs, config, pkgs, ... }: {
  imports = with inputs.self; [
    ./boot.nix
    ./hardware-configuration.nix
--- a/machines/Dell-Laptop/hardware-configuration.nix
+++ b/machines/Dell-Laptop/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:
 {
  imports =
--- a/machines/Home-Hypervisor/autoinstall.nix
+++ b/machines/Home-Hypervisor/autoinstall.nix
@ -1,4 +1,4 @@
-{ lib, ... }: {
+{ ... }: {
  autoinstall."Home-Hypervisor" = {
    debug = false;
    mainuser = "ataraxia";
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@ -1,4 +1,4 @@
-{ modulesPath, inputs, lib, pkgs, config, options, ... }:
+{ inputs, lib, pkgs, config, ... }:
 let persistRoot = config.autoinstall.persist.persistRoot or "/persist";
 in {
  imports = with inputs.self; [
@ -40,12 +40,11 @@ in {
    customProfiles.yandex-db
    (import customProfiles.blocky {
      inherit config pkgs;
      inherit (import ./dns-mapping.nix) dnsmasq-list;
    })
    (import customProfiles.headscale {
-      inherit config pkgs lib inputs;
+      inherit config lib inputs;
      inherit (import ./dns-mapping.nix) headscale-list;
    })
  ];
--- a/machines/Home-Hypervisor/hardware-configuration.nix
+++ b/machines/Home-Hypervisor/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:
 {
  imports =
--- a/machines/Home-Hypervisor/usb-hdd.nix
+++ b/machines/Home-Hypervisor/usb-hdd.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }: {
+{ ... }: {
  boot.initrd = rec {
    luks.devices = {
      "crypt-nas" = {
--- a/machines/NixOS-VPS/services/synapse.nix
+++ b/machines/NixOS-VPS/services/synapse.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, inputs, ... }:
 let
  bridge = (import ../hardware/networks.nix).interfaces.main';
  external-ip = "83.138.55.118";
--- a/machines/NixOS-VPS/services/tailscale.nix
+++ b/machines/NixOS-VPS/services/tailscale.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, ... }:
 let
  bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
  tailscalePort = config.services.tailscale.port;
--- a/machines/NixOS-VPS/services/tor-bridge.nix
+++ b/machines/NixOS-VPS/services/tor-bridge.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ pkgs, ... }:
 let
  inherit (import ../hardware/networks.nix) interfaces;
  bridgeName = interfaces.main'.bridgeName;
--- a/machines/NixOS-VPS/services/wireguard.nix
+++ b/machines/NixOS-VPS/services/wireguard.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, pkgs, ... }:
 let
  inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
  wireguardIFName = interfaces.wireguard0.ifname;
--- a/modules/applications.nix
+++ b/modules/applications.nix
@ -1,10 +1,10 @@
-{ pkgs, config, lib, ... }:
+{ config, lib, ... }:
 with config.deviceSpecific;
 {
  options = with lib;
    with types; {
      defaultApplications = mkOption {
-        type = attrsOf (submodule ({ name, ... }: {
+        type = attrsOf (submodule ({ ... }: {
          options = {
            cmd = mkOption { type = path; };
            desktop = mkOption { type = str; };
--- a/modules/devices.nix
+++ b/modules/devices.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ lib, config, ... }:
 with lib;
 with types; {
  options = {
--- a/modules/headscale-auth.nix
+++ b/modules/headscale-auth.nix
@ -5,7 +5,7 @@ with lib;
    description = mdDoc ''
      Request headscale auth key.
    '';
-    type = types.attrsOf (types.submodule ({ cfg, name, ... }: {
+    type = types.attrsOf (types.submodule ({ ... }: {
      options = {
        autoStart = mkOption {
          type = types.bool;
--- a/modules/libvirt-guests.nix
+++ b/modules/libvirt-guests.nix
@ -44,7 +44,7 @@ let
      default = "virtiofs";
    };
  };
-  guestsOptions = { name, ... }: {
+  guestsOptions = { ... }: {
    options = rec {
      xmlFile = mkOption {
        type = with types; nullOr path;
--- a/modules/persist.nix
+++ b/modules/persist.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, lib, inputs, ... }:
 let
  cfg = config.persist;
@ -23,110 +23,22 @@ let
 in {
  options = let
    inherit (lib) mkOption mkEnableOption;
-    inherit (lib.types) listOf path str either submodule enum;
+    inherit (lib.types) listOf path str;
    # defaultPerms = {
    #   mode = "0755";
    #   user = "root";
    #   group = "root";
    # };
    # dirPermsOpts = { user, group, mode }: {
    #   user = mkOption {
    #     type = str;
    #     default = user;
    #   };
    #   group = mkOption {
    #     type = str;
    #     default = group;
    #   };
    #   mode = mkOption {
    #     type = str;
    #     default = mode;
    #   };
    # };
    # fileOpts = perms: {
    #   options = {
    #     file = mkOption {
    #       type = str;
    #     };
    #     parentDirectory = dirPermsOpts perms;
    #   };
    # };
    # dirOpts = perms: {
    #   options = {
    #     directory = mkOption {
    #       type = str;
    #     };
    #   } // (dirPermsOpts perms);
    # };
    # userDefaultPerms = {
    #   inherit (defaultPerms) mode;
    #   user = config.mainuser;
    #   group = config.users.${userDefaultPerms.user}.group;
    # };
    # rootFile = submodule [
    #   (fileOpts defaultPerms)
    # ];
    # rootDir = submodule [
    #   (dirOpts defaultPerms)
    # ];
    # userFile = submodule [
    #   (fileOpts userDefaultPerms)
    # ];
    # userDir = submodule [
    #   (dirOpts userDefaultPerms)
    # ];
    common = {
      directories = mkOption {
        # type = listOf (either str (submodule {
        #   options = {
        #     directory = mkOption {
        #       type = str;
        #       default = null;
        #     };
        #     user = mkOption {
        #       type = str;
        #       default = "root";
        #     };
        #     group = mkOption {
        #       type = str;
        #       default = "root";
        #     };
        #     mode = mkOption {
        #       type = str;
        #       default = "0755";
        #     };
        #   };
        # }));
        # type = listOf (either str rootDir);
        type = listOf str;
        default = [ ];
      };
      files = mkOption {
        # type = listOf (either str rootFile);
        type = listOf str;
        default = [ ];
      };
      homeFiles = mkOption {
        # type = listOf (either str userFile);
        type = listOf str;
        default = [ ];
      };
      homeDirectories = mkOption {
        # type = listOf (either str (submodule {
        #   options = {
        #     directory = mkOption {
        #       type = str;
        #       default = null;
        #     };
        #     method = mkOption {
        #       type = enum [ "bindfs" "symlink" ];
        #       default = "bindfs";
        #     };
        #   };
        # }));
        # type = listOf (either str userDir);
        type = listOf str;
        default = [ ];
      };
@ -186,23 +98,6 @@ in {
      };
    };
    # fileSystems."/" = lib.mkIf (config.deviceSpecific.devInfo.fileSystem != "zfs") {
    #   device = "none";
    #   options = [ "defaults" "size=2G" "mode=755" ];
    #   fsType = "tmpfs";
    # };
    # boot.initrd = lib.mkIf (config.deviceSpecific.devInfo.fileSystem != "zfs") {
    #   postMountCommands =
    #     assert config.fileSystems
    #     ? ${cfg.persistRoot}
    #     && config.fileSystems.${cfg.persistRoot}.neededForBoot; ''
    #       mkdir -p /mnt-root/nix
    #       mount --bind /mnt-root${cfg.persistRoot}/nix /mnt-root/nix
    #       chmod 755 /mnt-root
    #     '';
    # };
    systemd.services.persist-cache-cleanup = lib.mkIf cfg.cache.clean.enable {
      description = "Cleaning up cache files and directories";
      script = ''
--- a/modules/rustic-postgresql.nix
+++ b/modules/rustic-postgresql.nix
@ -5,7 +5,7 @@ with lib;
    description = mdDoc ''
      Periodic backups of postgresql database to create with Rustic.
    '';
-    type = types.attrsOf (types.submodule ({ config, name, ... }: {
+    type = types.attrsOf (types.submodule ({ name, ... }: {
      options = {
        dbName = mkOption {
          type = types.str;
--- a/modules/s3-sync.nix
+++ b/modules/s3-sync.nix
@ -7,7 +7,7 @@ in {
    description = mdDoc ''
      Sync buckets beetween two storages.
    '';
-    type = types.attrsOf (types.submodule ({ config, name, ... }: {
+    type = types.attrsOf (types.submodule ({ ... }: {
      options = {
        rcloneConfigFile = mkOption {
          type = with types; nullOr path;
--- a/modules/steam-compat-tools.nix
+++ b/modules/steam-compat-tools.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 with lib;
 let cfg = config.programs.steam;
 in {
--- a/modules/users.nix
+++ b/modules/users.nix
@ -1,7 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ lib, ... }: {
 with lib;
 with types; {
  options = {
-    mainuser = mkOption { type = str; };
+    mainuser = lib.mkOption { type = lib.types.str; };
  };
 }
--- a/patches/authentik-271885.patch
+++ b/patches/authentik-271885.patch
@ -1,314 +0,0 @@
 diff --git a/pkgs/by-name/au/authentik/ldap.nix b/pkgs/by-name/au/authentik/ldap.nix
 new file mode 100644
 index 000000000000..7945c3021dfd
 --- /dev/null
 +++ b/pkgs/by-name/au/authentik/ldap.nix
@@ -0,0 +1,18 @@
 +{ lib, buildGoModule, authentik }:
 +
 +buildGoModule {
 +  pname = "authentik-ldap-outpost";
 +  inherit (authentik) version src;
 +
 +  vendorHash = "sha256-8F9emmQmbe7R+xtGrjV5ht0adGasU6WAvLa8Wxr+j8M=";
 +
 +  CGO_ENABLED = 0;
 +
 +  subPackages = [ "cmd/ldap" ];
 +
 +  meta = authentik.meta // {
 +    description = "The authentik ldap outpost. Needed for the extendal ldap API.";
 +    homepage = "https://goauthentik.io/docs/providers/ldap/";
 +    mainProgram = "ldap";
 +  };
 +}
 diff --git a/pkgs/by-name/au/authentik/outposts.nix b/pkgs/by-name/au/authentik/outposts.nix
 new file mode 100644
 index 000000000000..05649628b3e8
 --- /dev/null
 +++ b/pkgs/by-name/au/authentik/outposts.nix
@@ -0,0 +1,5 @@
 +{ callPackage }:
 +
 +{
 +  ldap = callPackage ./ldap.nix { };
 +}
 diff --git a/pkgs/by-name/au/authentik/package.nix b/pkgs/by-name/au/authentik/package.nix
 new file mode 100644
 index 000000000000..8fca47e7ec28
 --- /dev/null
 +++ b/pkgs/by-name/au/authentik/package.nix
@@ -0,0 +1,248 @@
 +{ lib
 +, stdenvNoCC
 +, fetchFromGitHub
 +, buildNpmPackage
 +, buildGoModule
 +, runCommand
 +, openapi-generator-cli
 +, nodejs
 +, python3
 +, codespell
 +, makeWrapper }:
 +
 +let
 +  version = "2023.10.6";
 +
 +  src = fetchFromGitHub {
 +    owner = "goauthentik";
 +    repo = "authentik";
 +    rev = "version/${version}";
 +    hash = "sha256-N6FeNUlenbBQPAAUSqC+2GWFfte3G+Zfu5KGVJOqNZQ=";
 +  };
 +
 +  website = buildNpmPackage {
 +    pname = "authentik-website";
 +    inherit version src;
 +    npmDepsHash = "sha256-4dgFxEvMnp+35nSQNsEchtN1qoS5X2KzEbLPvMnyR+k=";
 +
 +    NODE_ENV = "production";
 +    NODE_OPTIONS = "--openssl-legacy-provider";
 +
 +    postPatch = ''
 +      cd website
 +    '';
 +
 +    installPhase = ''
 +      cp -r help $out
 +    '';
 +
 +    npmInstallFlags = [ "--include=dev" ];
 +    npmBuildScript = "build-docs-only";
 +  };
 +
 +  clientapi = stdenvNoCC.mkDerivation {
 +    pname = "authentik-client-api";
 +    inherit version src;
 +
 +    postPatch = ''
 +      rm Makefile
 +
 +      substituteInPlace ./scripts/api-ts-config.yaml \
 +        --replace '/local' "$(pwd)/"
 +    '';
 +
 +    nativeBuildInputs = [ openapi-generator-cli ];
 +    buildPhase = ''
 +      runHook preBuild
 +      openapi-generator-cli generate -i ./schema.yml \
 +      -g typescript-fetch -o $out \
 +      -c ./scripts/api-ts-config.yaml \
 +        --additional-properties=npmVersion=${nodejs.pkgs.npm.version} \
 +        --git-repo-id authentik --git-user-id goauthentik
 +      runHook postBuild
 +    '';
 +  };
 +
 +  webui = buildNpmPackage {
 +    pname = "authentik-webui";
 +    inherit version;
 +
 +    src = runCommand "authentik-webui-source" {} ''
 +      mkdir -p $out/web/node_modules/@goauthentik/
 +      cp -r ${src}/web $out/
 +      ln -s ${src}/website $out/
 +      ln -s ${clientapi} $out/web/node_modules/@goauthentik/api
 +    '';
 +    npmDepsHash = "sha256-5aCKlArtoEijGqeYiY3zoV0Qo7/Xt5hSXbmy2uYZpok=";
 +
 +    postPatch = ''
 +      cd web
 +    '';
 +
 +    installPhase = ''
 +      runHook preInstall
 +      mkdir $out
 +      cp -r dist $out/dist
 +      cp -r authentik $out/authentik
 +      runHook postInstall
 +    '';
 +
 +    NODE_ENV = "production";
 +    NODE_OPTIONS = "--openssl-legacy-provider";
 +
 +    npmInstallFlags = [ "--include=dev" ];
 +  };
 +
 +  python = python3.override {
 +    self = python;
 +    packageOverrides = final: prev: {
 +      authentik-django = prev.buildPythonPackage {
 +        pname = "authentik-django";
 +        inherit version src;
 +        pyproject = true;
 +
 +        postPatch = ''
 +          substituteInPlace authentik/root/settings.py \
 +            --replace 'Path(__file__).absolute().parent.parent.parent' "\"$out\""
 +          substituteInPlace authentik/lib/default.yml \
 +            --replace '/blueprints' "$out/blueprints"
 +          sed -i '/dumb-init/d' pyproject.toml
 +          sed -i '/djangorestframework-guardian/d' pyproject.toml
 +        '';
 +
 +        nativeBuildInputs = [ prev.poetry-core ];
 +        propagatedBuildInputs = with prev; [
 +          argon2-cffi
 +          celery
 +          channels
 +          channels-redis
 +          colorama
 +          dacite
 +          daphne
 +          deepmerge
 +          defusedxml
 +          django
 +          django-filter
 +          django-guardian
 +          django-model-utils
 +          django-prometheus
 +          django-redis
 +          djangorestframework
 +          djangorestframework-guardian2
 +          docker
 +          drf-spectacular
 +          duo-client
 +          facebook-sdk
 +          flower
 +          geoip2
 +          gunicorn
 +          httptools
 +          kubernetes
 +          ldap3
 +          lxml
 +          opencontainers
 +          packaging
 +          paramiko
 +          psycopg
 +          pycryptodome
 +          pydantic
 +          pydantic-scim
 +          pyjwt
 +          pyyaml
 +          requests-oauthlib
 +          sentry-sdk
 +          structlog
 +          swagger-spec-validator
 +          twilio
 +          twisted
 +          ua-parser
 +          urllib3
 +          uvicorn
 +          uvloop
 +          watchdog
 +          webauthn
 +          websockets
 +          wsproto
 +          xmlsec
 +          zxcvbn
 +          jsonpatch
 +        ] ++ [
 +          codespell
 +        ];
 +
 +        postInstall = ''
 +          mkdir -p $out/web $out/website
 +          cp -r lifecycle manage.py $out/${prev.python.sitePackages}/
 +          cp -r blueprints $out/
 +          cp -r ${webui}/dist ${webui}/authentik $out/web/
 +          cp -r ${website} $out/website/help
 +          ln -s $out/${prev.python.sitePackages}/lifecycle $out/lifecycle
 +        '';
 +      };
 +    };
 +  };
 +
 +  inherit (python.pkgs) authentik-django;
 +
 +  proxy = buildGoModule {
 +    pname = "authentik-proxy";
 +    inherit version src;
 +
 +    postPatch = ''
 +      substituteInPlace internal/gounicorn/gounicorn.go \
 +        --replace './lifecycle' "${authentik-django}/lifecycle"
 +      substituteInPlace web/static.go \
 +        --replace './web' "${authentik-django}/web"
 +      substituteInPlace internal/web/static.go \
 +        --replace './web' "${authentik-django}/web"
 +    '';
 +
 +    CGO_ENABLED = 0;
 +
 +    vendorHash = "sha256-8F9emmQmbe7R+xtGrjV5ht0adGasU6WAvLa8Wxr+j8M=";
 +
 +    postInstall = ''
 +      mv $out/bin/server $out/bin/authentik
 +    '';
 +
 +    subPackages = [ "cmd/server" ];
 +  };
 +
 +in stdenvNoCC.mkDerivation {
 +  pname = "authentik";
 +  inherit src version;
 +
 +  postPatch = ''
 +    rm Makefile
 +    patchShebangs lifecycle/ak
 +
 +    # This causes issues in systemd services
 +    substituteInPlace lifecycle/ak \
 +      --replace 'printf' '>&2 printf' \
 +      --replace '> /dev/stderr' ""
 +  '';
 +
 +  installPhase = ''
 +    runHook preInstall
 +    mkdir -p $out/bin
 +    cp -r lifecycle/ak $out/bin/
 +
 +    wrapProgram $out/bin/ak \
 +      --prefix PATH : ${lib.makeBinPath [ (python.withPackages (ps: [ps.authentik-django])) proxy ]} \
 +      --set TMPDIR /dev/shm \
 +      --set PYTHONDONTWRITEBYTECODE 1 \
 +      --set PYTHONUNBUFFERED 1
 +    runHook postInstall
 +  '';
 +
 +  nativeBuildInputs = [ makeWrapper ];
 +
 +  meta = with lib; {
 +    description = "The authentication glue you need";
 +    changelog = "https://github.com/goauthentik/authentik/releases/tag/version%2F${version}";
 +    homepage = "https://goauthentik.io/";
 +    license = licenses.mit;
 +    maintainers = with maintainers; [ jvanbruegge ];
 +    mainProgram = "ak";
 +  };
 +}
 diff --git a/pkgs/tools/networking/openapi-generator-cli/default.nix b/pkgs/tools/networking/openapi-generator-cli/default.nix
 index 2edba9a26eb6..fed141f9c1e1 100644
 --- a/pkgs/tools/networking/openapi-generator-cli/default.nix
 +++ b/pkgs/tools/networking/openapi-generator-cli/default.nix
@@ -33,6 +33,7 @@ let this = stdenv.mkDerivation rec {
     homepage = "https://github.com/OpenAPITools/openapi-generator";
     changelog = "https://github.com/OpenAPITools/openapi-generator/releases/tag/v${version}";
     sourceProvenance = with sourceTypes; [ binaryBytecode ];
 +    mainProgram = "openapi-generator-cli";
     license = licenses.asl20;
     maintainers = with maintainers; [ shou ];
   };
 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
 index e0ca2d741d53..20687cbb509a 100644
 --- a/pkgs/top-level/all-packages.nix
 +++ b/pkgs/top-level/all-packages.nix
@@ -3374,6 +3374,8 @@ with pkgs;
   authelia = callPackage ../servers/authelia { };
 +  authentik-outposts = recurseIntoAttrs (callPackages ../by-name/au/authentik/outposts.nix { });
 +
   autoflake = with python3.pkgs; toPythonApplication autoflake;
   autospotting = callPackage ../applications/misc/autospotting { };
--- a/patches/tor-bridge.patch
+++ b/patches/tor-bridge.patch
@ -1,13 +0,0 @@
 diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
 index 4ff941251c99..32c9d8ae046c 100644
 --- a/nixos/modules/services/security/tor.nix
 +++ b/nixos/modules/services/security/tor.nix
@@ -854,7 +854,7 @@ in
           BridgeRelay = true;
           ExtORPort.port = mkDefault "auto";
           ServerTransportPlugin.transports = mkDefault ["obfs4"];
 -          ServerTransportPlugin.exec = mkDefault "${pkgs.obfs4}/bin/obfs4proxy managed";
 +          ServerTransportPlugin.exec = mkDefault "${lib.getExe pkgs.obfs4} managed";
         } // optionalAttrs (cfg.relay.role == "private-bridge") {
           ExtraInfoStatistics = false;
           PublishServerDescriptor = false;
--- a/patches/webhooks.patch
+++ b/patches/webhooks.patch
@ -1,28 +0,0 @@
 diff --git a/nixos/modules/services/networking/webhook.nix b/nixos/modules/services/networking/webhook.nix
 index 2a78491941c..9e3c816021f 100644
 --- a/nixos/modules/services/networking/webhook.nix
 +++ b/nixos/modules/services/networking/webhook.nix
@@ -158,6 +158,11 @@ in {
         default = {};
         description = mdDoc "Extra environment variables passed to webhook.";
       };
 +      environmentFiles = mkOption {
 +        type = types.listOf types.str;
 +        default = [];
 +        description = mdDoc "Extra environment variables from files passed to webhook.";
 +      };
     };
   };
@@ -201,7 +206,11 @@ in {
             ++ optional cfg.enableTemplates "-template"
             ++ optional cfg.verbose "-verbose"
             ++ cfg.extraArgs;
 +        envFiles = concatMapStringsSep "\n" (envFile: "source " + envFile) cfg.environmentFiles;
       in ''
 +        set -a
 +        ${envFiles}
 +        set +a
         ${cfg.package}/bin/webhook ${escapeShellArgs args}
       '';
       serviceConfig = {
--- a/profiles/applications-setup.nix
+++ b/profiles/applications-setup.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, ... }: {
  defaultApplications = {
    fm = {
      cmd = "${pkgs.pcmanfm}/bin/pcmanfm";
@ -50,7 +50,7 @@
      enable = true;
      defaultApplications =
        with config.defaultApplications;
-        builtins.mapAttrs (name: value:
+        builtins.mapAttrs (_name: value:
          if value ? desktop then [ "${value.desktop}.desktop" ] else value) {
            "text/html" = browser;
            "inode/directory" = fm;
--- a/profiles/applications/alacritty.nix
+++ b/profiles/applications/alacritty.nix
@ -1,83 +0,0 @@
 { pkgs, lib, config, ... }:
 let
  thm = config.lib.base16.theme;
 in
 with config.deviceSpecific;
 {
  # defaultApplications.term = lib.mkIf (isDesktop) {
  #   cmd = "${pkgs.alacritty}/bin/alacritty";
  #   desktop = "alacritty";
  # };
  home-manager.users.${config.mainuser} = {
    programs.alacritty = {
      # enable = isDesktop;
      enable = false;
      settings = {
        font = {
          normal = {
            family = "${thm.fonts.mono.family}";
            style = "Regular";
          };
          bold = {
            family = "${thm.fonts.mono.family}";
            style = "Bold";
          };
          italic = {
            family = "${thm.fonts.mono.family}";
            style = "Italic";
          };
          bold_italic = {
            family = "${thm.fonts.mono.family}";
            style = "Bold Italic";
          };
          size = thm.fontSizes.small.int;
        };
        window.padding = {
          x = 2;
          y = 2;
        };
        shell.program = "${pkgs.zsh}/bin/zsh";
        cursor.style = "Beam";
        colors = {
          primary = {
            background = "#${thm.base00-hex}";
            foreground = "#${thm.base05-hex}";
          };
          cursor = {
            text = "#${thm.base02-hex}";
            cursor = "#${thm.base00-hex}";
          };
          normal = {
            black = "#${thm.base00-hex}";
            red = "#${thm.base08-hex}";
            green = "#${thm.base0B-hex}";
            yellow = "#${thm.base0A-hex}";
            blue = "#${thm.base0D-hex}";
            magenta = "#${thm.base0E-hex}";
            cyan = "#${thm.base0C-hex}";
            white = "#${thm.base05-hex}";
          };
          bright = {
            black = "#${thm.base03-hex}";
            red = "#${thm.base09-hex}";
            green = "#${thm.base01-hex}";
            yellow = "#${thm.base02-hex}";
            blue = "#${thm.base04-hex}";
            magenta = "#${thm.base06-hex}";
            cyan = "#${thm.base0F-hex}";
            white = "#${thm.base07-hex}";
          };
          draw_bold_text_with_bright_colors = "false";
        };
        env = {
          WINIT_X11_SCALE_FACTOR = "1.0";
        };
      };
    };
  };
 }
--- a/profiles/applications/cassowary.nix
+++ b/profiles/applications/cassowary.nix
@ -1,14 +1,7 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, ... }: {
  home-manager.users.${config.mainuser} = {
-    home.packages = [
+    home.packages = [ pkgs.cassowary-py ];
      pkgs.cassowary-py
    ];
    # xdg.configFile."casualrdh/config.json".text = toJson ''
    # '';
    # xdg.desktopEntries
  };
  persist.state.homeDirectories = [
    ".config/casualrdh"
  ];
--- a/profiles/applications/element.nix
+++ b/profiles/applications/element.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, ... }: {
  home-manager.users.${config.mainuser}.home.packages = [
    pkgs.element-desktop
  ];
--- a/profiles/applications/email.nix
+++ b/profiles/applications/email.nix
@ -1,67 +1,8 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, ... }: {
  home-manager.users.${config.mainuser} = {
-    home.packages = [
+    home.packages = [ pkgs.gnome.geary ];
      # pkgs.himalaya
      pkgs.gnome.geary
    ];
    # xdg.configFile."himalaya/config.toml".text = ''
    #   downloads-dir = "/home/${config.mainuser}/Downloads/mail"
    #   name = "Dmitriy Kholkin"
    #   signature = "Regards,"
    #   # email-reading-verify-cmd
    #   # email-reading-decrypt-cmd
    #   # email-writing-sign-cmd
    #   # email-writing-encrypt-cmd
    #   # notify-cmd
    #   # notify-query
    #   # sync
    #   [ataraxiadev]
    #   default = true
    #   email = "ataraxiadev@ataraxiadev.com"
    #   backend = "imap"
    #   imap-host = "mail.ataraxiadev.com"
    #   imap-port = 993
    #   imap-login = "ataraxiadev@ataraxiadev.com"
    #   imap-passwd-cmd = "${pkgs.pass}/bin/pass show email/ataraxiadev@ataraxiadev.com"
    #   imap-ssl = true
    #   imap-starttls = false
    #   imap-insecure = false
    #   sender = "smtp"
    #   smtp-host = "mail.ataraxiadev.com"
    #   smtp-port = 465
    #   smtp-login = "ataraxiadev@ataraxiadev.com"
    #   smtp-passwd-cmd = "${pkgs.pass}/bin/pass show email/ataraxiadev@ataraxiadev.com"
    #   smtp-ssl = true
    #   smtp-starttls = false
    #   smtp-insecure = false
    # '';
  };
  # systemd.user.services.himalaya-notify = {
  #   description = "Himalaya new messages notifier";
  #   after = [ "network.target" ];
  #   wantedBy = [ "default.target" ];
  #   script = "himalaya notify";
  #   environment = {
  #     PASSWORD_STORE_DIR = config.secretsConfig.password-store;
  #     GNUPGHOME = config.secretsConfig.gnupgHome;
  #   };
  #   # script = "echo $(pass show email/ataraxiadev@ataraxiadev.com) || echo lol";
  #   path = with pkgs; [ himalaya libnotify pass gnupg ];
  #   serviceConfig = {
  #     Restart = lib.mkForce "no";
  #     # Restart = "always";
  #     RestartSec = 10;
  #     # Type = "oneshot";
  #   };
  # };
  defaultApplications.mail = {
    cmd = "${pkgs.gnome.geary}/bin/geary";
    desktop = "geary";
@ -72,7 +13,6 @@
  ];
  persist.state.homeDirectories = [
    ".config/himalaya"
    ".config/geary"
    ".local/share/geary"
  ];
--- a/profiles/applications/firefox.nix
+++ b/profiles/applications/firefox.nix
@ -3,8 +3,7 @@ with lib;
 let
  thm = config.lib.base16.theme;
  fonts = config.lib.base16.theme.fonts;
-  profileName = config.mainuser;
+  homeDir = config.home-manager.users.${config.mainuser}.home.homeDirectory;
  homeDir = config.home-manager.users.${profileName}.home.homeDirectory;
  mkUserJs = { prefs ? {}, extraPrefs ? "" }: ''
    ${extraPrefs}
@ -12,10 +11,8 @@ let
      user_pref("${name}", ${builtins.toJSON value});
    '') prefs)}
  '';
 in {
-  services.dbus.packages = [ pkgs.firefox-wayland ];
+  services.dbus.packages = [ pkgs.firefox ];
  environment.sessionVariables = {
    MOZ_USE_XINPUT2 = "1";
--- a/profiles/applications/games/hoyo.nix
+++ b/profiles/applications/games/hoyo.nix
@ -1,4 +1,4 @@
-{ inputs, config, lib, pkgs, ... }: {
+{ inputs, lib, ... }: {
  imports = [ inputs.aagl.nixosModules.default ];
  nix.settings = inputs.aagl.nixConfig;
--- a/profiles/applications/games/steam.nix
+++ b/profiles/applications/games/steam.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }: {
+{ pkgs, ... }: {
  programs.steam.enable = true;
  programs.steam.extraCompatPackages = [
    pkgs.proton-ge
@ -6,29 +6,13 @@
  programs.gamescope.enable = true;
  programs.gamescope.capSysNice = false;
-  # startupApplications = [ "steam" ];
+  startupApplications = [ "${pkgs.steam}/bin/steam" ];
  startupApplications = let
    gs = pkgs.writeShellScriptBin "gamescope-steam" ''
      gamescope --steam --borderless -- steam
    '';
  in [
    # "${gs}/bin/gamescope-steam"
    "${pkgs.steam}/bin/steam"
  ];
  systemd.user.services.x11-ownership = {
    script = ''
      doas chown ${config.mainuser} /tmp/.X11-unix
    '';
    after = [ "hyprland-session.target" ];
    wantedBy = [ "hyprland-session.target" ];
  };
  persist.state.homeDirectories = [
    ".local/share/Steam"
    ".steam"
  ] ++ [
-    # Games configs
+    # Native games config
    ".config/WarThunder"
    ".local/share/BeamNG.drive"
  ];
--- a/profiles/applications/games/wine-games.nix
+++ b/profiles/applications/games/wine-games.nix
@ -1,13 +1,10 @@
-{ pkgs, lib, config, ... }: {
+{ pkgs, config, ... }: {
  home-manager.users.${config.mainuser}.home.packages = [
    # pkgs.lutris
    pkgs.bottles
    pkgs.osu-lazer-bin
    pkgs.realrtcw
  ];
  persist.state.homeDirectories = [
    # ".config/lutris"
    # ".local/share/lutris"
    ".local/share/bottles"
    ".local/share/osu"
  ];
--- a/profiles/applications/kitty.nix
+++ b/profiles/applications/kitty.nix
@ -1,7 +1,7 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, config, ... }:
 let
  thm = config.lib.base16.theme;
-in with config.deviceSpecific;
+in
 {
  defaultApplications.term = {
    cmd = "${pkgs.kitty}/bin/kitty";
@ -11,8 +11,6 @@ in with config.deviceSpecific;
    programs.kitty = {
      enable = true;
      font.name = "${thm.fonts.mono.family} ${thm.fontSizes.small.str}";
      # keybindings = ''
      # '';
      settings = {
        foreground = "#${thm.base05-hex}";
        background = "#${thm.base00-hex}";
--- a/profiles/applications/mpv.nix
+++ b/profiles/applications/mpv.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, ... }:
 {
  home-manager.users.${config.mainuser} = {
    programs.mpv = {
--- a/profiles/applications/nicotine.nix
+++ b/profiles/applications/nicotine.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: {
+{ config, pkgs, ... }: {
  home-manager.users.${config.mainuser} = {
    home.packages = [ pkgs.nicotine-plus ];
  };
--- a/profiles/applications/nnn.nix
+++ b/profiles/applications/nnn.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, ... }: {
  home-manager.users.${config.mainuser} = {
    programs.nnn = {
      enable = true;
--- a/profiles/applications/packages.nix
+++ b/profiles/applications/packages.nix
@ -1,4 +1,4 @@
-{ pkgs, config, lib, inputs, ... }:
+{ pkgs, config, lib, ... }:
 with config.deviceSpecific; {
  programs.adb.enable = true;
@ -8,6 +8,8 @@ with config.deviceSpecific; {
      bat
      comma
      curl
      curlie
      duf
      eza
      fd
      glib.out
@ -16,8 +18,10 @@ with config.deviceSpecific; {
      lm_sensors
      lnav
      nix-prefetch-git
      nix-prefetch-github
      p7zip
      pciutils
      rclone
      ripgrep
      ripgrep-all
      sd
@ -26,7 +30,6 @@ with config.deviceSpecific; {
      unrar
      unzip
      usbutils
      wget
      zip
      # --- tui ---
      bottom
@ -34,47 +37,37 @@ with config.deviceSpecific; {
      ncdu
      procs
      # --- gui ---
      deadbeef
      feh
      qimgv
      xarchiver
      zathura
      xdg-utils
      # --- awesome-shell ---
      # curlie
      # duf
      # zsh-z
    ] ++ lib.optionals (!(isVM || isISO)) [
      a2ln
      # audacity
      cachix
      ffmpeg.bin
      monero-gui
      nodePackages.peerflix
      nix-tree
      yt-dlp
      # ---- gui ----
      bitwarden
      # foliate
      jellyfin-media-player
      jellyfin-mpv-shim
      joplin-desktop
      # libreoffice
      obs-studio
      obs-studio-plugins.obs-vkcapture
      obsidian
      onlyoffice-bin_7_5
      pinta
      qbittorrent
      sonixd
      tdesktop
      tidal-dl
      tor-browser-bundle-bin
      ungoogled-chromium
      webcord-vencord
      youtube-to-mpv
    ] ++ lib.optionals isGaming [
      ceserver
      gamescope
      moonlight-qt
      protonhax
      protontricks
      vkBasalt
@ -86,24 +79,24 @@ with config.deviceSpecific; {
  persist.state.homeDirectories = [
    ".config/Bitwarden"
    ".config/chromium"
    ".config/deadbeef"
    ".config/jellyfin-mpv-shim"
    ".config/jellyfin.org"
    ".config/joplin-desktop"
    ".config/kdeconnect"
    ".config/libreoffice"
    ".config/monero-project"
    ".config/obs-studio"
    ".config/obsidian"
    ".config/pcmanfm"
-    # ".config/Pinta"
+    ".config/Pinta"
    ".config/qBittorrent"
-    # ".config/qimgv"
+    ".config/qimgv"
    ".config/rclone"
    ".config/Sonixd"
-    # ".config/xarchiver"
+    ".config/WebCord"
-    ".local/share/jellyfinmediaplayer"
+    ".config/xarchiver"
    ".local/share/TelegramDesktop"
    ".local/share/tor-browser"
    ".android"
    ".anydesk"
    ".bitmonero"
    ".monero"
  ];
--- a/profiles/applications/rclone.nix
+++ b/profiles/applications/rclone.nix
@ -1,9 +0,0 @@
 { config, pkgs, lib, ... }: {
  home-manager.users.${config.mainuser}.home.packages = [
    pkgs.rclone
  ];
  persist.state.homeDirectories = [
    ".config/rclone"
  ];
 }
--- a/profiles/applications/rofi.nix
+++ b/profiles/applications/rofi.nix
@ -1,4 +1,4 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, config, ... }:
 let
  thm = config.lib.base16.theme;
  themeFile = config.lib.base16.templateFile { name = "rofi"; };
--- a/profiles/applications/spotify.nix
+++ b/profiles/applications/spotify.nix
@ -1,12 +1,12 @@
-{ config, lib, pkgs, ... }: {
+{ config, pkgs, ... }: {
  home-manager.users.${config.mainuser}.home.packages = with pkgs; [
    spotifywm
  ];
-  
+
  startupApplications = [
    "${pkgs.spotifywm}/bin/spotify"
  ];
-  
+
  persist.state.homeDirectories = [
    ".config/spotify"
  ];
--- a/profiles/applications/sunshine.nix
+++ b/profiles/applications/sunshine.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: {
+{ config, pkgs, ... }: {
  boot.kernelModules = [ "uinput" ];
  services.udev.extraRules = ''
@ -23,12 +23,8 @@
  };
  networking.firewall = {
-    allowedTCPPorts = [
+    allowedTCPPorts = [ 47984 47989 47990 48010 ];
-      47984 47989 47990 48010
+    allowedUDPPorts = [ 47998 47999 48000 48002 48010 ];
    ];
    allowedUDPPorts = [
      47998 47999 48000 48002 48010
    ];
  };
  persist.state.homeDirectories = [ ".config/sunshine" ];
--- a/profiles/applications/tor-browser.nix
+++ b/profiles/applications/tor-browser.nix
@ -1,14 +0,0 @@
 { config, pkgs, lib, ... }:
 let
  tor-browser = pkgs.writeShellScriptBin "tor-browser" ''
    mullvad-exclude ${pkgs.tor-browser-bundle-bin}/bin/tor-browser
  '';
 in {
  home-manager.users.${config.mainuser}.home.packages = if config.deviceSpecific.vpn.mullvad.enable then [
    tor-browser
  ] else [
    pkgs.tor-browser-bundle-bin
  ];
  persist.state.homeDirectories = [ ".local/share/tor-browser" ];
 }
--- a/profiles/applications/vscode/default.nix
+++ b/profiles/applications/vscode/default.nix
@ -177,24 +177,5 @@ in
        ];
      };
    };
    home.file.".cache/wal/colors".text = ''
      #${thm.base00-hex}
      #${thm.base08-hex}
      #${thm.base0B-hex}
      #${thm.base0A-hex}
      #${thm.base0D-hex}
      #${thm.base0E-hex}
      #${thm.base0C-hex}
      #${thm.base05-hex}
      #${thm.base03-hex}
      #${thm.base08-hex}
      #${thm.base0B-hex}
      #${thm.base0A-hex}
      #${thm.base0D-hex}
      #${thm.base0E-hex}
      #${thm.base0C-hex}
      #${thm.base07-hex}
    '';
  };
 }
--- a/profiles/applications/zathura.nix
+++ b/profiles/applications/zathura.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 let
  home = config.home-manager.users.${config.mainuser};
  zathura-pkg = home.programs.zathura.package;
--- a/profiles/bluetooth.nix
+++ b/profiles/bluetooth.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {
  config = lib.mkIf (!config.deviceSpecific.isServer) {
    services.blueman.enable = true;
    hardware.bluetooth = {
--- a/profiles/hardened.nix
+++ b/profiles/hardened.nix
@ -1,4 +1,4 @@
-{ modulesPath, config, pkgs, lib, ... }: {
+{ modulesPath, config, lib, ... }: {
  imports = [
    (modulesPath + "/profiles/hardened.nix")
  ];
@ -91,7 +91,7 @@
  # dhcpcd broken with scudo or graphene malloc
  nixpkgs.overlays = lib.optionals (config.environment.memoryAllocator.provider != "libc") [
-    (final: prev: {
+    (_final: prev: {
      dhcpcd = prev.dhcpcd.override { enablePrivSep = false; };
    })
  ];
--- a/profiles/hardware.nix
+++ b/profiles/hardware.nix
@ -1,4 +1,4 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, config, ... }:
 with config.deviceSpecific; {
  hardware.cpu.${devInfo.cpu.vendor}.updateMicrocode = true;
--- a/profiles/network.nix
+++ b/profiles/network.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ lib, config, ... }:
 {
  networking = {
    networkmanager.enable = true;
--- a/profiles/nix/default.nix
+++ b/profiles/nix/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs,  ... }: {
+{ config, lib, inputs,  ... }: {
  nix = {
    nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
--- a/profiles/nix/doas.patch
+++ b/profiles/nix/doas.patch
@ -1,23 +0,0 @@
 From 012a913fbc861029a0f4b100cfd57d3b505a455f Mon Sep 17 00:00:00 2001
 From: ForeverNooob <106961997+ForeverNooob@users.noreply.github.com>
 Date: Sun, 30 Oct 2022 08:13:19 +0000
 Subject: [PATCH] Add doas support to the installation script.
 Previously the install errored out and told you to manually add `/nix/` and set the perms if you had `doas` installed instead of `sudo`. Well, not any more!
 ---
 scripts/install-nix-from-closure.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/scripts/install-nix-from-closure.sh b/scripts/install-nix-from-closure.sh
 index d4eed2efe80..d8931e97015 100644
 --- a/scripts/install-nix-from-closure.sh
 +++ b/scripts/install-nix-from-closure.sh
@@ -137,7 +137,7 @@ echo "performing a single-user installation of Nix..." >&2
 if ! [ -e "$dest" ]; then
     cmd="mkdir -m 0755 $dest && chown $USER $dest"
     echo "directory $dest does not exist; creating it by running '$cmd' using sudo" >&2
 -    if ! sudo sh -c "$cmd"; then
 +    if ! (sudo sh -c "$cmd" || doas sh -c "$cmd") ; then
         echo "$0: please manually run '$cmd' as root to create $dest" >&2
         exit 1
     fi
--- a/profiles/security/pass-secret-service.nix
+++ b/profiles/security/pass-secret-service.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, ... }: {
  environment.systemPackages = [ pkgs.pass-secret-service ];
  services.dbus.packages = [ pkgs.pass-secret-service ];
  xdg.portal.extraPortals = [ pkgs.pass-secret-service ];
--- a/profiles/security/user.nix
+++ b/profiles/security/user.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, ... }: {
  security.apparmor.enable = true;
  programs.firejail.enable = true;
--- a/profiles/security/vlock.nix
+++ b/profiles/security/vlock.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {
  # FIXME: completely remove sudo
  security.sudo = {
    enable = true;
--- a/profiles/servers/acme.nix
+++ b/profiles/servers/acme.nix
@ -1,4 +1,4 @@
-{ config, ... }: {
+{ ... }: {
  security.acme = {
    acceptTerms = true;
    # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
--- a/profiles/servers/atticd.nix
+++ b/profiles/servers/atticd.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }: {
+{ config, lib, inputs, ... }: {
  imports = [ inputs.attic.nixosModules.atticd ];
  sops.secrets.atticd.sopsFile = inputs.self.secretsDir + /home-hypervisor/atticd.yaml;
  sops.secrets.atticd.restartUnits = [ "atticd.service" ];
--- a/profiles/servers/battery-historian.nix
+++ b/profiles/servers/battery-historian.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: {
+{ ... }: {
  virtualisation.oci-containers.containers.battery-historian = {
    autoStart = true;
    ports = [ "0.0.0.0:9999:9999" ];
--- a/profiles/servers/blocky.nix
+++ b/profiles/servers/blocky.nix
@ -1,4 +1,4 @@
-{ config, pkgs, dnsmasq-list ? [], ... }:
+{ dnsmasq-list ? [], ... }:
 let
  nodeAddress = "192.168.0.5";
  upstream-dns = "100.64.0.1";
@ -17,7 +17,7 @@ in {
    localAddress = "${nodeAddress}/24";
    tmpfs = [ "/" ];
    bindMounts."/tmp/blocky-authkey".hostPath = "/tmp/blocky-authkey";
-    config = { config, pkgs, lib, ... }:
+    config = { config, lib, ... }:
    let
      grafanaPort = config.services.grafana.settings.server.http_port;
      blockyPort = config.services.blocky.settings.ports.dns;
--- a/profiles/servers/fail2ban.nix
+++ b/profiles/servers/fail2ban.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, ... }: {
  services.openssh.settings.LogLevel = "VERBOSE";
  services.fail2ban = {
--- a/profiles/servers/gitea.nix
+++ b/profiles/servers/gitea.nix
@ -17,8 +17,6 @@ let
 in {
  sops.secrets.gitea = gitea-secret;
  sops.secrets.gitea-mailer = gitea-secret;
  # sops.secrets.gitea-secretkey = gitea-secret;
  # sops.secrets.gitea-internaltoken = gitea-secret;
  sops.secrets.gitea-runner-hypervisor = runner-secret [ "gitea-runner-hypervisor.service" ];
  persist.state.directories = [
--- a/profiles/servers/headscale.nix
+++ b/profiles/servers/headscale.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, headscale-list ? {}, ... }:
+{ config, lib, inputs, headscale-list ? {}, ... }:
 let
  domain = "wg.ataraxiadev.com";
 in {
--- a/profiles/servers/inpx-web.nix
+++ b/profiles/servers/inpx-web.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: let
+{ ... }: let
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.inpx-web = {
--- a/profiles/servers/it-tools.nix
+++ b/profiles/servers/it-tools.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: {
+{ ... }: {
  virtualisation.oci-containers.containers.it-tools = {
    autoStart = true;
    image = "docker.io/corentinth/it-tools:latest";
--- a/profiles/servers/joplin-server.nix
+++ b/profiles/servers/joplin-server.nix
@ -1,60 +0,0 @@
 { config, lib, pkgs, inputs, ... }:
 let
  joplin-data = "/srv/joplin/data";
  joplin-db-data = "/srv/joplin/postgres";
  joplin-uid = "1001";
  backend = config.virtualisation.oci-containers.backend;
  pod-name = "joplin-pod";
  open-ports = [ "127.0.0.1:22300:22300/tcp" ];
 in {
  sops.secrets.joplin-env.sopsFile = inputs.self.secretsDir + /home-hypervisor/joplin.yaml;
  sops.secrets.joplin-db-env.sopsFile = inputs.self.secretsDir + /home-hypervisor/joplin.yaml;
  sops.secrets.joplin-env.restartUnits = [ "${backend}-joplin.service" ];
  sops.secrets.joplin-db-env.restartUnits = [ "${backend}-joplin-db.service" ];
  # FIXMEL mailer
  virtualisation.oci-containers.containers = {
    joplin = {
      autoStart = true;
      dependsOn = [ "joplin-db" ];
      environment = { MAX_TIME_DRIFT = "0"; };
      environmentFiles = [ config.sops.secrets.joplin-env.path ];
      extraOptions = [ "--pod=${pod-name}" ];
      image = "docker.io/ataraxiadev/joplin-server:2.9.17";
      volumes = [
        "${joplin-data}:/home/joplin/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
    };
    joplin-db = {
      autoStart = true;
      environmentFiles = [ config.sops.secrets.joplin-db-env.path ];
      extraOptions = [ "--pod=${pod-name}" ];
      image = "docker.io/postgres:13";
      volumes = [ "${joplin-db-data}:/var/lib/postgresql/data" ];
    };
  };
  systemd.tmpfiles.rules = [
    "d ${joplin-data} 0755 ${joplin-uid} ${joplin-uid} -"
    "d ${joplin-db-data} 0700 dhcpcd dhcpcd -"
  ];
  systemd.services."podman-create-${pod-name}" = let
    portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
    start = pkgs.writeShellScript "create-pod-${pod-name}" ''
      podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping}
    '';
    stop = "podman pod rm -i -f ${pod-name}";
  in rec {
    path = [ pkgs.coreutils config.virtualisation.podman.package ];
    before = [ "${backend}-joplin.service" "${backend}-joplin-db.service" ];
    requiredBy = before;
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = "yes";
      ExecStart = start;
      ExecStop = stop;
    };
  };
 }
--- a/profiles/servers/media-stack/caddy.nix
+++ b/profiles/servers/media-stack/caddy.nix
@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ pkgs, ... }:
 let
  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
  caddyconf = pkgs.writeText "Caddyfile" ''
    {
--- a/profiles/servers/media-stack/jackett.nix
+++ b/profiles/servers/media-stack/jackett.nix
@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ ... }:
 let
  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.jackett = {
--- a/profiles/servers/media-stack/jellyfin.nix
+++ b/profiles/servers/media-stack/jellyfin.nix
@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ config, ... }:
 let
  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
  renderGid = toString config.users.groups.render.gid;
  videoGid = toString config.users.groups.video.gid;
--- a/profiles/servers/media-stack/lidarr.nix
+++ b/profiles/servers/media-stack/lidarr.nix
@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ ... }:
 let
  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.lidarr = {
--- a/profiles/servers/media-stack/medusa.nix
+++ b/profiles/servers/media-stack/medusa.nix
@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ ... }:
 let
  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.medusa = {
--- a/profiles/servers/media-stack/qbittorrent.nix
+++ b/profiles/servers/media-stack/qbittorrent.nix
@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ ... }:
 let
  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.qbittorrent = {
--- a/profiles/servers/media-stack/radarr.nix
+++ b/profiles/servers/media-stack/radarr.nix
@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ ... }:
 let
  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.radarr = {
--- a/profiles/servers/media-stack/recyclarr.nix
+++ b/profiles/servers/media-stack/recyclarr.nix
@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ ... }:
 let
  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.recyclarr = {
--- a/profiles/servers/media-stack/sonarr.nix
+++ b/profiles/servers/media-stack/sonarr.nix
@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }:
+{ ... }:
 let
  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.sonarr = {
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, pkgs, inputs, ... }:
 let
  authentik = { proxyPass ? null, proxyWebsockets ? false, root ? {}, rootExtraConfig ? "", locations ? {}, extraConfig ? "", ... }: {
    extraConfig = ''
--- a/profiles/servers/openbooks.nix
+++ b/profiles/servers/openbooks.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ ... }:
 let
  nas-path = "/media/nas/media-stack";
 in {
--- a/profiles/servers/spdf.nix
+++ b/profiles/servers/spdf.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: let
+{ ... }: let
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.spdf = {
--- a/profiles/servers/tinyproxy.nix
+++ b/profiles/servers/tinyproxy.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ ... }: {
  containers.tinyproxy = {
    extraFlags = [ "-U" ];
    autoStart = true;
@ -6,8 +6,7 @@
    privateNetwork = true;
    hostBridge = "br0";
    localAddress = "192.168.0.6/24";
-    # tmpfs = [ "/" ]; # not working with unprivilliged container
+    config = { ... }: {
    config = { config, pkgs, ... }: {
      services.privoxy = {
        enable = true;
        settings = {
@ -22,7 +21,6 @@
        defaultGateway = "192.168.0.1";
        hostName = "tinyproxy-node";
        nameservers = [ "192.168.0.1" ];
        # enableIPv6 = false;
        useHostResolvConf = false;
        firewall = {
          enable = true;
--- a/profiles/servers/vaultwarden.nix
+++ b/profiles/servers/vaultwarden.nix
@ -11,7 +11,6 @@
      extendedLogging = true;
      invitationsAllowed = false;
      useSyslog = true;
      # logFile = "/var/log/vaultwarden.log";
      logLevel = "warn";
      rocketAddress = "127.0.0.1";
      rocketPort = 8812;
@ -29,7 +28,6 @@
      websocketEnabled = true;
      websocketPort = 3012;
      webVaultEnabled = true;
      # rocketWorkers = 10;
      dataDir = "/var/lib/bitwarden_rs";
    };
    environmentFile = config.sops.secrets.vaultwarden.path;
--- a/profiles/servers/vscode-server.nix
+++ b/profiles/servers/vscode-server.nix
@ -1,4 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, inputs, ... }: {
  imports = [ inputs.vscode-server.nixosModule ];
  services.vscode-server = {
    enable = true;
    nodejsPackage = pkgs.nodejs_18;
--- a/profiles/servers/webhooks.nix
+++ b/profiles/servers/webhooks.nix
@ -23,14 +23,12 @@ in {
    home = "/var/lib/webhook";
  };
  systemd.services.webhook.serviceConfig.EnvironmentFile = config.sops.secrets.webhook-blog.path;
  services.webhook = {
    enable = true;
    port = 9510;
    group = "webhook";
    user = "webhook";
    environmentFiles = [
      config.sops.secrets.webhook-blog.path
    ];
    hooksTemplated = {
      publish-ataraxiadev-blog = ''
        {
--- a/profiles/servers/wiki.nix
+++ b/profiles/servers/wiki.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ ... }: {
  services.kiwix-serve = {
    enable = true;
    port = 8190;
--- a/profiles/themes.nix
+++ b/profiles/themes.nix
@ -1,6 +1,6 @@
-{ config, lib, pkgs, inputs, ... }: {
+{ pkgs, ... }: {
-  config.themes.base16 = with config.deviceSpecific.devInfo; {
+  config.themes.base16 = {
    enable = true;
    # customScheme = {
    #   enable = true;
--- a/profiles/vpn.nix
+++ b/profiles/vpn.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ lib, config, ... }:
 let
  isTailscale = config.deviceSpecific.vpn.tailscale.enable;
  wg = config.deviceSpecific.vpn.wireguard;
--- a/profiles/workspace/aria2.nix
+++ b/profiles/workspace/aria2.nix
@ -1,18 +1,17 @@
-{ config, lib, pkgs, ... }:
+{ config, ... }:
 let
  homeDir = config.home-manager.users.${config.mainuser}.home.homeDirectory;
 in {
  # TODO: enable websocket (--rpc-certificate)
-  services.aria2 = {
+  home-manager.users.${config.mainuser} = {
-    enable = true;
+    programs.aria2 = {
-    downloadDir = "/media/aria2";
+      enable = true;
-    rpcListenPort = 6800;
+      settings = {
-    # FIXME: I can expose this, since i listen rpc only on localhost
+        dir = "${homeDir}/Downloads/aria2";
-    # but in future it's better to implement read key from secrets before start daemon
+        listen-port = "6881-6999";
-    rpcSecret = "secret";
+        rpc-listen-port = 6800;
-    # listenPortRange = {};
+      };
-    openPorts = false;
+    };
  };
-  # networking.firewall.allowedTCPPorts = [ config.services.aria2.rpcListenPort ];
+
  persist.state.directories = [ "/media/aria2" ];
 }
--- a/profiles/workspace/cursor.nix
+++ b/profiles/workspace/cursor.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ lib, config, ... }:
 let
  thm = config.lib.base16.theme;
 in {
--- a/profiles/workspace/gtk.nix
+++ b/profiles/workspace/gtk.nix
@ -3,7 +3,7 @@ let
  thm = config.lib.base16.theme;
 in {
  nixpkgs.overlays = [
-    (self: super: {
+    (_self: _super: {
      generated-gtk-theme =
        pkgs.callPackage "${inputs.rycee}/pkgs/materia-theme" {
          configBase16 = {
--- a/profiles/workspace/light.nix
+++ b/profiles/workspace/light.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, ... }: {
  programs.light.enable = config.deviceSpecific.isLaptop;
  services.actkbd = {
    enable = config.deviceSpecific.isLaptop;
--- a/profiles/workspace/locale.nix
+++ b/profiles/workspace/locale.nix
@ -1,4 +1,4 @@
-{ pkgs, config, lib, ... }:
+{ config, ... }:
 let
  en = "en_US.UTF-8";
  ru = "ru_RU.UTF-8";
--- a/profiles/workspace/misc.nix
+++ b/profiles/workspace/misc.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ lib, config, ... }:
 with config.deviceSpecific; {
  environment.sessionVariables =
@ -16,7 +16,7 @@ with config.deviceSpecific; {
  services.upower.enable = isLaptop;
  xdg.portal.enable = true;
  xdg.portal.config.common.default = "*";
-  xdg.portal.xdgOpenUsePortal = true;
+  # xdg.portal.xdgOpenUsePortal = true;
  home-manager.users.${config.mainuser} = {
    news.display = "silent";
--- a/profiles/workspace/ssh.nix
+++ b/profiles/workspace/ssh.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ config, ... }:
 with config.deviceSpecific; {
  services.openssh = {
    enable = true;
--- a/profiles/workspace/waybar/default.nix
+++ b/profiles/workspace/waybar/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, pkgs, ... }:
 with config.deviceSpecific; {
  home-manager.users.${config.mainuser}.programs.waybar = {
    enable = true;
--- a/profiles/workspace/xdg.nix
+++ b/profiles/workspace/xdg.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 let
  dirsToClean = [
    "Downloads"
--- a/profiles/workspace/zsh/default.nix
+++ b/profiles/workspace/zsh/default.nix
@ -1,4 +1,4 @@
-{ pkgs, config, inputs, ... }: {
+{ pkgs, config, ... }: {
  environment.pathsToLink = [ "/share/zsh" ];
  environment.sessionVariables.SHELL = "${pkgs.zsh}/bin/zsh";
--- a/roles/desktop.nix
+++ b/roles/desktop.nix
@ -9,7 +9,6 @@
    themes
    virtualisation
    alacritty
    corectrl
    element
    email
@ -19,11 +18,9 @@
    mangohud
    mpv
    packages
    rclone
    rofi
    spotify
    steam
    tor-browser
    vscode
    waydroid
    zathura
--- a/roles/hypervisor.nix
+++ b/roles/hypervisor.nix
@ -1,4 +1,4 @@
-{ inputs, pkgs, ... }: {
+{ inputs, ... }: {
  imports = with inputs.self.customProfiles; [
    inputs.home-manager.nixosModules.home-manager {
      home-manager.useGlobalPkgs = true;
--- a/secrets/suomi-vps/marzban.env
+++ b/secrets/suomi-vps/marzban.env
@ -1,16 +0,0 @@
 SUDO_USERNAME=ENC[AES256_GCM,data:4QMSmmaPB10=,iv:KveMQ+EdfltGzQRRA+cm1MaRlsLypOhlWHdCumHLQS4=,tag:v30WjSutCxO9LDv3wFZHMA==,type:str]
 SUDO_PASSWORD=ENC[AES256_GCM,data:IPJGUQiB6jMObUsUdw==,iv:N9cw9aGkmgIYmmrNkQYQ5PFdrmYKC8Tdgr4yb/96U5A=,tag:/yYIC/rKCttSgBBGvjCe2A==,type:str]
 TELEGRAM_API_TOKEN=ENC[AES256_GCM,data:8PySjalQnpADCd+3Yt+Iax3DdGq6sxR0PHntgAzKpI+iXsB8TsMqsm6ElORoOw==,iv:y7tmr1jIs/JtMnBcEkGiCxrKkPcgUt6RBSq4GiKXNZ8=,tag:TcdxtPkO4Pvfcku72XCFIg==,type:str]
 TELEGRAM_ADMIN_ID=ENC[AES256_GCM,data:nH/VUQNoRqwj,iv:AdBRZqyBVeze8SGn0pmxaBB8CWyo3D1TTaVx7NsEPHI=,tag:MyJwnQhuBCQ7XMS74TevRg==,type:str]
 SQLALCHEMY_DATABASE_URL=ENC[AES256_GCM,data:bQJGB/c/pTuAPev2zxcLu1cNg2TmlHH9iY2kQH4qfqRwh/Fcjg==,iv:CeQZ8qcNLiVgtGI/4Egod6VaXamCfAKHi4jrgzXKl9Q=,tag:VX0J3r6RjnS5utJ/UDK1hQ==,type:str]
 XRAY_JSON=ENC[AES256_GCM,data:28Wkv4CG4hpG9h51d2ge3AUO2MdVuRBjPuw1bxFwYqhT,iv:MooWqI5QCmk0JXWdKxA40UIFaaIxG3EakMQ1jBH8TVI=,tag:Fmnqdg9mvRVvm/0O7VNFGw==,type:str]
 sops_lastmodified=2023-11-22T23:09:38Z
 sops_mac=ENC[AES256_GCM,data:m9TLulK7igJtvtuu1Leag5Ky28qxKyELOKGTFZmX8O/VaVwu1EHC07awgf9HJjFlAcIWT6+fkRcnpwse6t4Thh//Yc4YIu8ryJjsRZBLezaR26SOWis41HR/uek/lSLLMMrdIyiU/5RX9i3/rhUjZwCDYzM1yg+rDsxfGIdERCM=,iv:+TXcgj9MsmQmZzYi4JKbgPVLcX0VLKtheq5/ckPRDcY=,tag:Ku+43ZiVCOeUxN3pimv7JQ==,type:str]
 sops_pgp__list_0__map_created_at=2023-11-22T22:35:02Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQEMAwcagTG/Fm6AAQf9FyMBT+jm0pOjuw6aXQSv7Xc8ffKtXYAIUgKsHTTAnqfj\npoDoel7I1toENks/0flFxXjtzp6kBPPmb8aX+CelPv5orIyzMUdJbgZ2D6LINHTD\npW5DmGA7gkegk/gus4qMz+p/zxoJC0EBrr8eVbgIUMi3WVUtG1TofpeaKm+xf61r\nvVJLMn7dHxjmt3qe6RVBAD2bS/tTEUEfGubOWBLUrWq1MElnL0MLZy3936dmMJ5W\nLrurkBfJ7hCIIfJn/7VCBkY93Nk/NjZCF/EdYj2/Dgs0SOqIc5wXGC259/7HhVEJ\nlmBOKYWPzHp4c40AMHld3L3rJ0cOKenTBSfj8g7b1tJYAaB+dW//A/HaL8FrIpxx\nMjS1HyfsFfDM8D8Um+PCe4cktupMmlhuU898rOLwgAX90niRHvhm0IWbLISa1QDx\nPH4SjYB4NWIk5i1eunYm8jjMStNNbRABJg==\n=V9Pe\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=ad382d058c964607b7bbf01b071a8131bf166e80
 sops_pgp__list_1__map_created_at=2023-11-22T22:35:02Z
 sops_pgp__list_1__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMAyNex7x1cALKAQ//TN89prS2jIW3lvDFdOmFfNKSOo9oNqVJZPKbyRTG4gxL\ndwhPZnCoQd8Sg88TNexfgl/qkQJhU6k/dbx2/nebJXgkQz4GDpmNNVAHacH+A7Sv\n/ZPGDLMdivOF6JVIIBxjdj06KxRfyeTf3Cnb2JqaCjGc312POBOQMZBa/GvfQjC7\n8YhS6TqXu8+MhmWNP9bbTWE1kc7bNeH+1BzraZn5625OQN1kCNj2SEBaZPI1i/MS\nTQxHf0yfIES6lZ/NTB6H0xkxbwcKYbbY47o9dc5BG7uAKPGh9oBnAmH66XuSq260\nuWsRwfdfK8NOEy9nxSk2Yqfgatzx7WkNCEX6l6ztCbSDeruJ56X49vr+xLbw5NyX\n+rgvr1w85uiAzct8f/2QNBq/J0qjoinHvxbUUbLP3LkJzqOoxXV0YEqjx7LHMrEW\nCRn2oiLRZd5ElsbVvDGhpFAoMq2kYa2U3280YRQuH0zFGpUbhS8Q7FtyZOBuw2pz\nYNJwLwsRODNvCeeruYOzLF/ERfZteO7yzj0WWyGPvhIcIvz9mP6JgtDvR+0e15hi\nZ6zyzz5wvpBWEpQaVuNeXxHr4+UJe2iLZN1ATTCJW7dfJyKxBC1yimXPmrJJtQOI\nqUjqIiskgdph0DRPXwgE3sHKYEbUwHb2l1ospnN2AW3RRSyXYgvBo/N91ndazffS\nWAFwVCXJLn7n3BrM8CYozTHsrOHTtMMqRDHKZq2C8GHJMpPb3t6K07CIolmkjMHN\nivdG4dSds8uj4HYwFKlw1ZyMqZApSI/FnLoaOfw9Ur6xKI6U1Z2T2GU=\n=xUz4\n-----END PGP MESSAGE-----
 sops_pgp__list_1__map_fp=d286fd9431753cb455537070235ec7bc757002ca
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.8.1
--- a/secrets/suomi-vps/nginx.yaml
+++ b/secrets/suomi-vps/nginx.yaml