wip

2023-01-13 04:03:15 +03:00 · 2023-01-13 04:03:15 +03:00 · b02a4d80ba
commit b02a4d80ba
parent 4edefd3f19
19 changed files with 505 additions and 314 deletions
--- a/flake.lock
+++ b/flake.lock
@ -149,11 +149,11 @@
    },
    "deploy-rs": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
        ],
-        "utils": "utils_2"
+        "utils": "utils"
      },
      "locked": {
        "lastModified": 1672327199,
@ -170,6 +170,31 @@
      }
    },
    "devshell": {
+      "inputs": {
+        "flake-utils": [
+          "direnv-vscode",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "direnv-vscode",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1671489820,
+        "narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
+    "devshell_2": {
      "flake": false,
      "locked": {
        "lastModified": 1663445644,
@ -185,6 +210,30 @@
        "type": "github"
      }
    },
+    "direnv-vscode": {
+      "inputs": {
+        "devshell": "devshell",
+        "flake-compat": "flake-compat_2",
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "npmlock2nix": "npmlock2nix"
+      },
+      "locked": {
+        "lastModified": 1673358096,
+        "narHash": "sha256-A2nS0ruQwoldc0OBPay6NSJ0JXdrsauCFigNau4ZOno=",
+        "owner": "direnv",
+        "repo": "direnv-vscode",
+        "rev": "497bc6a9b0e9474e763d5253da4e1cb0b5ca2466",
+        "type": "github"
+      },
+      "original": {
+        "owner": "direnv",
+        "repo": "direnv-vscode",
+        "type": "github"
+      }
+    },
    "dream2nix": {
      "inputs": {
        "alejandra": "alejandra",
@ -245,11 +294,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1650374568,
-        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
        "type": "github"
      },
      "original": {
@ -572,7 +621,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "utils": "utils_3"
+        "utils": "utils_2"
      },
      "locked": {
        "lastModified": 1673343300,
@ -716,28 +765,6 @@
      }
    },
    "naersk": {
-      "inputs": {
-        "nixpkgs": [
-          "comma",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1662220400,
-        "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
-        "owner": "nix-community",
-        "repo": "naersk",
-        "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "ref": "master",
-        "repo": "naersk",
-        "type": "github"
-      }
-    },
-    "naersk_2": {
      "inputs": {
        "nixpkgs": [
          "rnix-lsp",
@ -1142,6 +1169,22 @@
        "type": "github"
      }
    },
+    "npmlock2nix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1670666882,
+        "narHash": "sha256-hoCm6Z6fXuYML+gh+HISsRVPMXDmyknAWlaentg9zcc=",
+        "owner": "nix-community",
+        "repo": "npmlock2nix",
+        "rev": "cc11d791fdc3afb2ae7c2f11e10abf7c33b40763",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "npmlock2nix",
+        "type": "github"
+      }
+    },
    "nur": {
      "locked": {
        "lastModified": 1673466346,
@ -1219,11 +1262,11 @@
    },
    "rnix-lsp": {
      "inputs": {
-        "naersk": "naersk_2",
+        "naersk": "naersk",
        "nixpkgs": [
          "nixpkgs"
        ],
-        "utils": "utils_4"
+        "utils": "utils_3"
      },
      "locked": {
        "lastModified": 1669555118,
@ -1244,7 +1287,6 @@
        "arkenfox-userjs": "arkenfox-userjs",
        "base16": "base16",
        "base16-tokyonight-scheme": "base16-tokyonight-scheme",
-        "comma": "comma",
        "deploy-rs": "deploy-rs",
        "flake-compat": "flake-compat_3",
        "flake-registry": "flake-registry",
@ -1376,7 +1418,22 @@
        "type": "github"
      }
    },
-    "utils_4": {
+    "utils_2": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "utils_3": {
      "locked": {
        "lastModified": 1656928814,
        "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=",
@ -1391,7 +1448,7 @@
        "type": "github"
      }
    },
-    "utils_5": {
+    "utils_4": {
      "locked": {
        "lastModified": 1605370193,
        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
--- a/flake.nix
+++ b/flake.nix
@ -33,10 +33,6 @@
      url = "github:alukardbf/base16-tokyonight-scheme";
      flake = false;
    };
-    comma = {
-      url = "github:nix-community/comma";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs.nixpkgs.follows = "nixpkgs";
@ -121,7 +117,7 @@
    inherit self inputs;
    supportedSystems = [ "x86_64-linux" ];

-    sharedPatches = patchesPath [ "mullvad-exclude-containers.patch" "mullvad.patch" ];
+    sharedPatches = patchesPath [ "mullvad-exclude-containers.patch" "mullvad.patch" "gitea-208605.patch" ];
    channelsConfig = { allowUnfree = true; };
    channels.unstable.input = nixpkgs;
    channels.unstable.patches = patchesPath [ ] ++ sharedPatches;
--- a/machines/Flakes-ISO/default.nix
+++ b/machines/Flakes-ISO/default.nix
@ -16,7 +16,7 @@
    programs.ssh.extraConfig = ''
      Host nix-builder
        hostname 192.168.0.100
-        user ${config.mainuser}
+        user alukard
        identitiesOnly yes
        identityFile /home/nixos/ssh-builder
    '';
@ -34,7 +34,7 @@
      buildMachines = [{
        hostName = "nix-builder";
        maxJobs = 8;
-        sshUser = config.mainuser;
+        sshUser = "alukard";
        sshKey = "/home/nixos/ssh-builder";
        systems = [ "x86_64-linux" "i686-linux" ];
        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
--- a/machines/Home-Hypervisor/boot.nix
+++ b/machines/Home-Hypervisor/boot.nix
@ -23,16 +23,26 @@ in {
    #   # '';
    };
    initrd = {
+      # kernelModules = [
+      #   "mmc_core" "mmc_block" "sdhci" "sdhci-pci"
+      #   "vfat" "nls_cp437" "nls_iso8859_1"
+      # ];
+      # postDeviceCommands = let
+      #   SDUUID = "E54A-5461";
+      # in pkgs.lib.mkBefore ''
+      #   mkdir -m 0755 -p /key
+      #   sleep 2 # To make sure the usb key has been loaded
+      #   mount -n -t vfat -o ro `findfs UUID=${SDUUID}` /key
+      # '';
      # availableKernelModules = [ "tg3" ]; # for dell-laptop
      # postMountCommands = ''
      # '';
      luks.devices = {
        "cryptboot" = {
+          # preLVM = false;
          preLVM = true;
+          # keyFile = "/key/keyfile0";
          keyFile = "/keyfile0.bin";
-          # keyFileSize = 4096;
-          # keyFile = "/dev/disk/by-path/pci-0000:00:1f.2-ata-2.0";
-          # keyFile = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00005";
          allowDiscards = true;
          bypassWorkqueues = config.deviceSpecific.isSSD;
          fallbackToPassword = true;
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@ -9,6 +9,13 @@ in {
    ./virtualisation.nix

    nixosRoles.hypervisor
+    nixosProfiles.acme
+    nixosProfiles.gitea
+    # nixosProfiles.joplin-server
+    nixosProfiles.mailserver
+    nixosProfiles.nginx
+    nixosProfiles.roundcube
+    nixosProfiles.vaultwarden
    nixosProfiles.vscode-server
  ];

@ -85,14 +92,32 @@ in {
  systemd.coredump.enable = false;
  programs.firejail.enable = true;
  # scudo memalloc is unstable
-  # environment.memoryAllocator.provider = "libc";
+  environment.memoryAllocator.provider = lib.mkForce "libc";
  # environment.memoryAllocator.provider = "graphene-hardened";

  networking.wireless.enable = false;
  networking.networkmanager.enable = false;
  networking.hostName = config.device;

-  services.timesyncd.enable = false;
+  networking.nameservers = [ "192.168.0.1" ];
+  networking.defaultGateway = "192.168.0.1";
+  networking.bridges.br0.interfaces = [ "enp2s0f0" ];
+  networking.interfaces.br0 = {
+    useDHCP = false;
+    ipv4.addresses = [{
+      "address" = "192.168.0.10";
+      "prefixLength" = 24;
+    }];
+  };
+  networking.extraHosts = ''
+    127.0.0.1 mail.ataraxiadev.com
+    127.0.0.1 code.ataraxiadev.com
+  '';
+
+  services.logind.lidSwitch = "lock";
+  services.logind.lidSwitchDocked = "lock";
+  services.logind.lidSwitchExternalPower = "lock";
+  services.timesyncd.enable = lib.mkForce false;
  services.openntpd.enable = true;
  networking.timeServers = [
    "0.ru.pool.ntp.org"
@ -109,7 +134,10 @@ in {
    home.file.".config/libvirt/libvirt.conf".text = ''
      uri_default = "qemu:///system"
    '';
-    home.packages = with pkgs; [ bat podman-compose micro bottom nix-index-update ];
+    home.packages = with pkgs; [
+      bat podman-compose micro bottom nix-index-update
+      pwgen comma
+    ];
    xdg.mime.enable = false;
    home.stateVersion = "22.11";
  };
--- a/machines/Home-Hypervisor/hardware-configuration.nix
+++ b/machines/Home-Hypervisor/hardware-configuration.nix
@ -5,12 +5,12 @@

 {
  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

-  boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
@ -79,15 +79,15 @@
    };

  fileSystems."/boot/efi" =
-    { device = "/dev/disk/by-uuid/A3BF-2C90";
+    { device = "/dev/disk/by-uuid/C5F3-4271";
      fsType = "vfat";
    };

  swapDevices = [
    {
-      device = "/dev/disk/by-partuuid/c40f4598-4250-4afd-9778-b79619bda1bc";
-      # randomEncryption.enable = true;
-      # randomEncryption.allowDiscards = true;
+      device = "/dev/disk/by-partuuid/4623124f-05e6-4d55-8fe8-6cd9a904fd72";
+      randomEncryption.enable = true;
+      randomEncryption.allowDiscards = true;
    }
  ];

@ -96,13 +96,14 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-    networking.hostId = "c63612aa";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    networking.hostId = "a9408846";
    boot.zfs.devNodes = "/dev/disk/by-id";
    boot.supportedFilesystems = [ "zfs" ];
-    boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partuuid/47af6a50-2995-42e8-a0f2-844297fe1dc5";
-    boot.initrd.luks.devices."cryptboot".device = "/dev/disk/by-partuuid/1cdbdb3a-d01c-4f9d-adbb-3bb5e805aca1";
+    boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partuuid/465cbfbb-73b8-4129-9904-9fabcc5db368";
+    boot.initrd.luks.devices."cryptboot".device = "/dev/disk/by-partuuid/74f2b810-c7ff-471d-9829-7a3ef05c8c0e";
 }
--- a/machines/Home-Hypervisor/virtualisation.nix
+++ b/machines/Home-Hypervisor/virtualisation.nix
@ -1,13 +1,17 @@
 { config, pkgs, lib, ... }: {
+  boot.kernelModules = [
+    "xt_nat"
+    # "iptable_nat"
+    # "iptable_filter"
+  ];
+
  virtualisation = {
    oci-containers.backend = lib.mkForce "podman";
    docker.enable = lib.mkForce false;
    podman = {
      enable = true;
      extraPackages = [ pkgs.zfs ];
-      # dockerCompat = true;
-      defaultNetwork.settings.dns_enabled = true;
-      # dockerSocket.enable = true;
+      # defaultNetwork.settings.dns_enabled = true;
    };
    containers.registries.search = [
      "docker.io" "gcr.io" "quay.io"
@ -64,6 +68,15 @@
  # };
  # users.groups.podmanmanager = {};

+  home-manager.users.${config.mainuser} = {
+    home.file.".config/containers/storage.conf".text = ''
+      [storage]
+      driver = "overlay"
+    '';
+    # [storage.options.overlay]
+    # mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs"
+  };
+
  users.users.${config.mainuser} = {
    subUidRanges = [{
      count = 1000;
--- a/patches/gitea-208605.patch
+++ b/patches/gitea-208605.patch
@ -1,16 +1,16 @@
-From 482bafe254f447040d10716a5e8cd6692b743994 Mon Sep 17 00:00:00 2001
-From: Izorkin <izorkin@elven.pw>
-Date: Sun, 1 Jan 2023 14:07:09 +0300
-Subject: [PATCH] nixos/gitea: update sandboxing options
-
---
- nixos/modules/services/misc/gitea.nix | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
 diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
-index 00e90f5b32b47..d93bb393429de 100644
+index 00e90f5b32b..90879dce7dc 100644
 --- a/nixos/modules/services/misc/gitea.nix
 +++ b/nixos/modules/services/misc/gitea.nix
+@@ -175,7 +175,7 @@ in
+         };
+
+         type = mkOption {
+-          type = types.enum [ "zip" "rar" "tar" "sz" "tar.gz" "tar.xz" "tar.bz2" "tar.br" "tar.lz4" ];
+          type = types.enum [ "zip" "rar" "tar" "sz" "tar.gz" "tar.xz" "tar.bz2" "tar.br" "tar.lz4" "tar.zst" ];
+           default = "zip";
+           description = lib.mdDoc "Archive format used to store the dump file.";
+         };
@@ -567,7 +567,10 @@ in
         Restart = "always";
         # Runtime directory and mode
@ -41,5 +41,4 @@ index 00e90f5b32b47..d93bb393429de 100644
 -        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
 +        SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid" "setrlimit" ];
       };
- 
       environment = {
--- a/profiles/nix/default.nix
+++ b/profiles/nix/default.nix
@ -41,7 +41,7 @@ with config.deviceSpecific; {
      {
        hostName = "nix-builder";
        maxJobs = 8;
-        sshUser = config.mainuser;
+        sshUser = "alukard";
        sshKey = config.secrets.ssh-builder.decrypted;
        systems = [ "x86_64-linux" "i686-linux" ];
        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
--- a/profiles/overlay.nix
+++ b/profiles/overlay.nix
@ -93,8 +93,8 @@ with lib; {

        grub2 = prev.callPackage ./packages/grub { };

-        narodmon-py = self.writers.writePython3Bin "temp.py" {
-          libraries = with self.python3Packages; [ requests ];
+        narodmon-py = prev.writers.writePython3Bin "temp.py" {
+          libraries = with prev.python3Packages; [ requests ];
        } ./packages/narodmon-py.nix;
      }
    )
--- a/profiles/servers/acme.nix
+++ b/profiles/servers/acme.nix
@ -0,0 +1,13 @@
+{ config, ... }: {
+  security.acme = {
+    acceptTerms = true;
+    # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
+    defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
+    defaults.email = "ataraxiadev@ataraxiadev.com";
+    defaults.renewInterval = "weekly";
+  };
+
+  persist.state.directories = [
+    "/var/lib/acme"
+  ];
+}
--- a/profiles/servers/gitea.nix
+++ b/profiles/servers/gitea.nix
@ -1,9 +1,20 @@
 { pkgs, config, lib, ... }:
-{
-  secrets.gitea = {
-    owner = "gitea";
-  };
+let
+  user = config.services.gitea.user;
+  group = "gitea";
+in {
+  secrets.gitea.owner = user;
+  secrets.gitea-mailer.owner = user;
+  secrets.gitea-secretkey.owner = user;
+  secrets.gitea-internaltoken.owner = user;

+  persist.state.directories = lib.mkIf
+    (config.deviceSpecific.devInfo.fileSystem != "zfs") [{
+      directory = "/srv/gitea";
+      inherit user group;
+    }];
+
+  # TODO: backups! gitea.dump setting
  services.gitea = {
    enable = true;
    appName = "AtaraxiaDev's Gitea Instance";
@ -11,22 +22,72 @@
      type = "postgres";
      passwordFile = config.secrets.gitea.decrypted;
    };
+    # TODO: cleanup cache older than...
+    dump = {
+      enable = true;
+      backupDir = "/srv/gitea/dump";
+      interval = "daily";
+      type = "tar.zst";
+    };
    domain = "code.ataraxiadev.com";
+    httpAddress = "127.0.0.1";
    httpPort = 6000;
    lfs.enable = true;
    rootUrl = "https://code.ataraxiadev.com";
-    stateDir = "/gitea/data"; # FIXME!
+    stateDir = "/srv/gitea/data";
+    mailerPasswordFile = config.secrets.gitea-mailer.decrypted;
    settings = {
+      api = {
+        ENABLE_SWAGGER = false;
+      };
      attachment = {
        MAX_SIZE = 100;
        MAX_FILES = 10;
      };
+      mailer = {
+        ENABLED = true;
+        # PROTOCOL = "smtp+starttls";
+        PROTOCOL = "smtps";
+        SMTP_ADDR = "mail.ataraxiadev.com";
+        USER = "gitea@ataraxiadev.com";
+      };
+      migrations = {
+        ALLOWED_DOMAINS = "github.com, *.github.com, gitlab.com, *.gitlab.com";
+      };
+      packages = {
+        ENABLED = false;
+      };
+      # repository = {
+      #   DISABLE_HTTP_GIT = true;
+      # };
      "repository.upload" = {
        FILE_MAX_SIZE = 100;
        MAX_FILES = 10;
      };
+      security = {
+        INSTALL_LOCK = true;
+        DISABLE_GIT_HOOKS = true;
+        DISABLE_WEBHOOKS = true;
+        IMPORT_LOCAL_PATHS = false;
+        PASSWORD_HASH_ALGO = "argon2";
+        SECRET_KEY_URI = "file:${config.secrets.gitea-secretkey.decrypted}";
+        INTERNAL_TOKEN_URI = "file:${config.secrets.gitea-internaltoken.decrypted}";
+
+        SECRET_KEY = lib.mkForce "";
+        INTERNAL_TOKEN = lib.mkForce "";
+      };
+      oauth2 = {
+        JWT_SIGNING_ALGORITHM = "ES256";
+        JWT_SECRET = lib.mkForce "";
+      };
      service = {
        DISABLE_REGISTRATION = true;
+        DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
+        DEFAULT_USER_IS_RESTRICTED = true;
+
+        # REGISTER_EMAIL_CONFIRM = true;
+        REGISTER_EMAIL_CONFIRM = false;
+        REGISTER_MANUAL_CONFIRM = true;
      };
      session = {
        COOKIE_SECURE = true;
@ -35,16 +96,5 @@
        DEFAULT_THEME = "arc-green";
      };
    };
-    # ssh = {
-    #   enable = true;
-    #   clonePort = 2222;
-    # };
-    # settings = {
-    #   server = {
-    #     START_SSH_SERVER = true;
-    #     SSH_LISTEN_HOST = "0.0.0.0";
-    #     SSH_LISTEN_PORT = 2222;
-    #   };
-    # };
  };
 }
--- a/profiles/servers/joplin-server.nix
+++ b/profiles/servers/joplin-server.nix
@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
  joplin-data = "/srv/joplin/data";
+  joplin-db-data = "/srv/joplin/postgres";
  joplin-uid = "1001";
  backend = config.virtualisation.oci-containers.backend;
 in {
@ -13,22 +14,48 @@ in {
      dependsOn = [ "joplin-db" ];
      environmentFiles = [ config.secrets.joplin-env.decrypted ];
      extraOptions = [
-        "--network=joplin"
+        "--pod=joplin"
+        # "--network=joplin"
      ];
-      ports = [ "127.0.0.1:22300:22300" ];
-      image = "ataraxiadev/joplin-server:2.8.8";
+      # ports = [ "127.0.0.1:22300:22300" ];
+      image = "docker.io/library/ataraxiadev/joplin-server:2.9.17";
      volumes = [ "${joplin-data}:/home/joplin/data" ];
    };
    joplin-db = {
      autoStart = true;
      environmentFiles = [ config.secrets.joplin-db-env.decrypted ];
      extraOptions = [
-        "--network=joplin"
+        "--pod=joplin"
+        # "--network=joplin"
      ];
-      image = "postgres:13";
-      volumes = [ "/srv/joplin/postgres:/var/lib/postgresql/data" ];
+      image = "docker.io/library/postgres:13";
+      volumes = [ "${joplin-db-data}:/var/lib/postgresql/data" ];
    };
  };
+  systemd.services.podman-create-pod-joplin = let
+    podman = config.virtualisation.podman.package;
+    # start-script = pkgs.writeShellScript "start" ''
+    # '';
+  in {
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = "yes";
+      ExecStart = ''
+        mkdir -p ${joplin-data} && chown ${joplin-uid} ${joplin-data}
+        mkdir -p ${joplin-db-data}
+        ${podman}/bin/podman pod exists joplin ||
+          ${podman}/bin/podman pod create -n joplin -p "127.0.0.1:22300:22300"
+      '';
+      ExecStop = "${podman}/bin/podman pod rm -i -f joplin";
+    };
+    wantedBy = [ "${backend}-joplin.service" "${backend}-joplin-db.service" ];
+    # script = ''
+    #   mkdir -p ${joplin-data} && chown ${joplin-uid} ${joplin-data} || true
+    #   mkdir -p ${joplin-db-data} || true
+    #   ${config.virtualisation.podman.package}/bin/podman pod exists joplin ||
+    #     ${config.virtualisation.podman.package}/bin/podman pod create -n joplin -p "127.0.0.1:22300:22300"
+    # '';
+  };
  # systemd.services.create-joplin-network = with config.virtualisation.oci-containers; {
  #   serviceConfig.Type = "oneshot";
  #   wantedBy = [
@ -40,23 +67,23 @@ in {
  #       ${pkgs.podman}/bin/podman network create -d bridge joplin || true
  #   '';
  # };
-  systemd.services.podman-joplin = {
-    path = [ "/run/wrappers" ];
-    serviceConfig.User = config.mainuser;
-    preStart = "${pkgs.podman}/bin/podman network create -d bridge joplin || true";
-    postStop = "${pkgs.podman}/bin/podman network rm joplin || true";
-  };
-  systemd.services.podman-joplin-db = {
-    path = [ "/run/wrappers" ];
-    serviceConfig.User = config.mainuser;
-    preStart = "${pkgs.podman}/bin/podman network create -d bridge joplin || true";
-    postStop = "${pkgs.podman}/bin/podman network rm joplin || true";
-  };
-  systemd.services.create-joplin-folder = {
-    serviceConfig.Type = "oneshot";
-    wantedBy = [ "${backend}-joplin.service" ];
-    script = ''
-      [ ! -d "${joplin-data}" ] && mkdir -p ${joplin-data} && chown ${joplin-uid} ${joplin-data}
-    '';
-  };
+  # systemd.services.podman-joplin = {
+  #   # path = [ "/run/wrappers" ];
+  #   # serviceConfig.User = config.mainuser;
+  #   preStart = "podman network create -d bridge joplin || true";
+  #   postStop = "podman network rm joplin || true";
+  # };
+  # systemd.services.podman-joplin-db = {
+  #   # path = [ "/run/wrappers" ];
+  #   # serviceConfig.User = config.mainuser;
+  #   preStart = "podman network create -d bridge joplin || true";
+  #   postStop = "podman network rm joplin || true";
+  # };
+  # systemd.services.create-joplin-folder = {
+  #   serviceConfig.Type = "oneshot";
+  #   wantedBy = [ "${backend}-joplin.service" ];
+  #   script = ''
+  #     mkdir -p ${joplin-data} && chown ${joplin-uid} ${joplin-data}
+  #   '';
+  # };
 }
--- a/profiles/servers/mailserver.nix
+++ b/profiles/servers/mailserver.nix
@ -1,32 +1,18 @@
 { pkgs, config, lib, inputs, ... }:
 let
-  module = toString inputs.simple-nixos-mailserver;
+  secrets-default = {
+    owner = "dovecot2:dovecot2";
+    services = [ "dovecot2" ];
+  };
 in {
-  imports = [ module ];
-  secrets.mailserver = {
-    owner = "dovecot2:dovecot2";
-    services = [ "dovecot2" ];
-  };
-  secrets.mailserver-minichka = {
-    owner = "dovecot2:dovecot2";
-    services = [ "dovecot2" ];
-  };
-  secrets.mailserver-mitin = {
-    owner = "dovecot2:dovecot2";
-    services = [ "dovecot2" ];
-  };
-  secrets.mailserver-joplin = {
-    owner = "dovecot2:dovecot2";
-    services = [ "dovecot2" ];
-  };
-  secrets.mailserver-vaultwarden = {
-    owner = "dovecot2:dovecot2";
-    services = [ "dovecot2" ];
-  };
-  secrets.mailserver-seafile = {
-    owner = "dovecot2:dovecot2";
-    services = [ "dovecot2" ];
-  };
+  imports = [ (toString inputs.simple-nixos-mailserver) ];
+  secrets.mailserver = secrets-default;
+  secrets.mailserver-minichka = secrets-default;
+  secrets.mailserver-mitin = secrets-default;
+  secrets.mailserver-joplin = secrets-default;
+  secrets.mailserver-vaultwarden = secrets-default;
+  secrets.mailserver-seafile = secrets-default;
+  secrets.mailserver-gitea = secrets-default;

  security.acme.certs."mail.ataraxiadev.com" = {
    webroot = "/var/lib/acme/acme-challenge";
@ -114,8 +100,11 @@ in {
    # nsp apacheHttpd --run 'htpasswd -nbB "" "super secret password"' | cut -d: -f2
    loginAccounts = {
      "ataraxiadev@ataraxiadev.com" = {
-        aliases =
-          [ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" "ark@ataraxiadev.com" "ark" ];
+        aliases =[
+          "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root"
+          "ark@ataraxiadev.com" "ark"
+          # "@ataraxiadev.com"
+        ];
        hashedPasswordFile = config.secrets.mailserver.decrypted;
      };
      "minichka76@ataraxiadev.com" = {
@ -127,6 +116,11 @@ in {
        aliases = [ "mitin" "mitin1@ataraxiadev.com" "mitin1" "mitin2@ataraxiadev.com" "mitin2" ];
        hashedPasswordFile = config.secrets.mailserver-mitin.decrypted;
      };
+
+      "gitea@ataraxiadev.com" = {
+        aliases = [ "gitea" ];
+        hashedPasswordFile = config.secrets.mailserver-gitea.decrypted;
+      };
      "joplin@ataraxiadev.com" = {
        aliases = [ "joplin" ];
        hashedPasswordFile = config.secrets.mailserver-joplin.decrypted;
@ -141,7 +135,8 @@ in {
      };
    };
    hierarchySeparator = "/";
-    localDnsResolver = false;
+    localDnsResolver = true;
+    # certificateScheme = 3;
    certificateScheme = 1;
    certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
    keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
@ -153,15 +148,20 @@ in {
    enableSubmission = true;
    enableSubmissionSsl = true;
    virusScanning = false;
+
+    mailDirectory = "/srv/mail/vmail";
+    dkimKeyDirectory = "/srv/mail/dkim";
  };

  # FIXME: ownership of mail directory
  persist.state.directories = [
-    "/var/lib/dovecot"
-    "/var/lib/postfix"
-    "/var/lib/dhparams"
-
-    "/var/dkim"
+    # "/var/lib/dovecot"
+    # "/var/lib/postfix"
+    # "/var/lib/dhparams"
+  ] ++ lib.optionals (config.deviceSpecific.devInfo.fileSystem != "zfs") [
+    config.mailserver.dkimKeyDirectory
    config.mailserver.mailDirectory
  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -1,44 +1,37 @@
 { config, lib, pkgs, ... }: {
-  security.acme = {
-    acceptTerms = true;
-    # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
-    defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
-    defaults.email = "ataraxiadev@ataraxiadev.com";
-    defaults.renewInterval = "weekly";
-    certs = {
-      "ataraxiadev.com" = {
-        webroot = "/var/lib/acme/acme-challenge";
-        extraDomainNames = [
-          "matrix.ataraxiadev.com"
-          "cinny.ataraxiadev.com"
-          "dimension.ataraxiadev.com"
-          "element.ataraxiadev.com"
-          "goneb.ataraxiadev.com"
-          "jitsi.ataraxiadev.com"
-          "stats.ataraxiadev.com"
-          "startpage.ataraxiadev.com"
-          "vw.ataraxiadev.com"
-          "code.ataraxiadev.com"
-          "file.ataraxiadev.com"
-          "webmail.ataraxiadev.com"
-          "jellyfin.ataraxiadev.com"
-          "radarr.ataraxiadev.com"
-          "qbit.ataraxiadev.com"
-          "prowlarr.ataraxiadev.com"
-          "sonarr.ataraxiadev.com"
-          "sonarrtv.ataraxiadev.com"
-          "organizr.ataraxiadev.com"
-          "lidarr.ataraxiadev.com"
-          "bazarr.ataraxiadev.com"
-          "nzbhydra.ataraxiadev.com"
-          "kavita.ataraxiadev.com"
-          "shoko.ataraxiadev.com"
-          "bathist.ataraxiadev.com"
-          "microbin.ataraxiadev.com"
-          "joplin.ataraxiadev.com"
-          "api.ataraxiadev.com"
-        ];
-      };
+  security.acme.certs = {
+    "ataraxiadev.com" = {
+      webroot = "/var/lib/acme/acme-challenge";
+      extraDomainNames = [
+        # "matrix.ataraxiadev.com"
+        # "cinny.ataraxiadev.com"
+        # "dimension.ataraxiadev.com"
+        # "element.ataraxiadev.com"
+        # "goneb.ataraxiadev.com"
+        # "jitsi.ataraxiadev.com"
+        # "stats.ataraxiadev.com"
+        "startpage.ataraxiadev.com"
+        "vw.ataraxiadev.com"
+        "code.ataraxiadev.com"
+        # "file.ataraxiadev.com"
+        "webmail.ataraxiadev.com"
+        # "jellyfin.ataraxiadev.com"
+        # "radarr.ataraxiadev.com"
+        # "qbit.ataraxiadev.com"
+        # "prowlarr.ataraxiadev.com"
+        # "sonarr.ataraxiadev.com"
+        # "sonarrtv.ataraxiadev.com"
+        # "organizr.ataraxiadev.com"
+        # "lidarr.ataraxiadev.com"
+        # "bazarr.ataraxiadev.com"
+        # "nzbhydra.ataraxiadev.com"
+        # "kavita.ataraxiadev.com"
+        # "shoko.ataraxiadev.com"
+        # "bathist.ataraxiadev.com"
+        # "microbin.ataraxiadev.com"
+        # "joplin.ataraxiadev.com"
+        "api.ataraxiadev.com"
+      ];
    };
  };

@ -88,53 +81,53 @@
            try_files $uri $uri/ =404;
          '';
        };
-        locations."/.well-known/matrix" = {
-          proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
-          extraConfig = ''
-            proxy_set_header X-Forwarded-For $remote_addr;
-          '';
-        };
+        # locations."/.well-known/matrix" = {
+        #   proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
+        #   extraConfig = ''
+        #     proxy_set_header X-Forwarded-For $remote_addr;
+        #   '';
+        # };
      } // default;
-      "matrix:443" = {
-        serverAliases = [
-          "matrix.ataraxiadev.com"
-          "cinny.ataraxiadev.com"
-          "dimension.ataraxiadev.com"
-          "element.ataraxiadev.com"
-          "goneb.ataraxiadev.com"
-          "jitsi.ataraxiadev.com"
-          "stats.ataraxiadev.com"
-        ];
-        listen = [{
-          addr = "0.0.0.0";
-          port = 443;
-          ssl = true;
-        }];
-        locations."/" = {
-          proxyPass = "http://matrix.pve:81";
-          extraConfig = ''
-            proxy_hide_header Content-Security-Policy;
-          '' + proxySettings;
-        };
-      } // default;
-      "matrix:8448" = let
-        certName = default.useACMEHost;
-      in with config.security.acme; {
-        onlySSL = true;
-        sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
-        sslCertificateKey = "${certs.${certName}.directory}/key.pem";
-        sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
-        serverAliases = [ "matrix.ataraxiadev.com" ];
-        listen = [{
-          addr = "0.0.0.0";
-          port = 8448;
-          ssl = true;
-        }];
-        locations."/" = {
-          proxyPass = "http://matrix.pve:8449";
-          extraConfig = proxySettings;
-        };
-      };
+      # "matrix:443" = {
+      #   serverAliases = [
+      #     "matrix.ataraxiadev.com"
+      #     "cinny.ataraxiadev.com"
+      #     "dimension.ataraxiadev.com"
+      #     "element.ataraxiadev.com"
+      #     "goneb.ataraxiadev.com"
+      #     "jitsi.ataraxiadev.com"
+      #     "stats.ataraxiadev.com"
+      #   ];
+      #   listen = [{
+      #     addr = "0.0.0.0";
+      #     port = 443;
+      #     ssl = true;
+      #   }];
+      #   locations."/" = {
+      #     proxyPass = "http://matrix.pve:81";
+      #     extraConfig = ''
+      #       proxy_hide_header Content-Security-Policy;
+      #     '' + proxySettings;
+      #   };
+      # } // default;
+      # "matrix:8448" = let
+      #   certName = default.useACMEHost;
+      # in with config.security.acme; {
+      #   onlySSL = true;
+      #   sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
+      #   sslCertificateKey = "${certs.${certName}.directory}/key.pem";
+      #   sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
+      #   serverAliases = [ "matrix.ataraxiadev.com" ];
+      #   listen = [{
+      #     addr = "0.0.0.0";
+      #     port = 8448;
+      #     ssl = true;
+      #   }];
+      #   locations."/" = {
+      #     proxyPass = "http://matrix.pve:8449";
+      #     extraConfig = proxySettings;
+      #   };
+      # };
      "startpage.ataraxiadev.com" = {
        locations."/" = {
          root = "/srv/http/startpage.ataraxiadev.com/";
@ -162,18 +155,18 @@
          extraConfig = proxySettings;
        };
      } // default;
-      "bathist.ataraxiadev.com" = {
-        locations."/" = {
-          proxyPass = "http://localhost:9999";
-          extraConfig = proxySettings;
-        };
-      } // default;
-      "file.ataraxiadev.com" = {
-        locations."/" = {
-          proxyPass = "http://localhost:8088";
-          extraConfig = proxySettings;
-        };
-      } // default;
+      # "bathist.ataraxiadev.com" = {
+      #   locations."/" = {
+      #     proxyPass = "http://localhost:9999";
+      #     extraConfig = proxySettings;
+      #   };
+      # } // default;
+      # "file.ataraxiadev.com" = {
+      #   locations."/" = {
+      #     proxyPass = "http://localhost:8088";
+      #     extraConfig = proxySettings;
+      #   };
+      # } // default;
      "webmail.ataraxiadev.com" = {
        locations."/" = {
          extraConfig = ''
@ -181,49 +174,49 @@
          '' + proxySettings;
        };
      } // default;
-      "media-stack" = {
-        serverAliases = [
-          "jellyfin.ataraxiadev.com"
-          "radarr.ataraxiadev.com"
-          "qbit.ataraxiadev.com"
-          "prowlarr.ataraxiadev.com"
-          "sonarr.ataraxiadev.com"
-          "sonarrtv.ataraxiadev.com"
-          "organizr.ataraxiadev.com"
-          "lidarr.ataraxiadev.com"
-          "bazarr.ataraxiadev.com"
-          "nzbhydra.ataraxiadev.com"
-          "kavita.ataraxiadev.com"
-          "shoko.ataraxiadev.com"
-        ];
-        locations."/" = {
-          proxyPass = "http://localhost:8100";
-          proxyWebsockets = true;
-          extraConfig = ''
-            proxy_buffer_size 128k;
-            proxy_buffers 4 256k;
-            proxy_busy_buffers_size 256k;
-            send_timeout 15m;
-            proxy_connect_timeout 600;
-            proxy_send_timeout 600;
-            proxy_read_timeout 15m;
-          '' + proxySettings;
-        };
-      } // default;
-      "microbin.ataraxiadev.com" = {
-        locations."/" = {
-          proxyPass = "http://localhost:9988";
-          extraConfig = ''
-            client_max_body_size 40M;
-          '' + proxySettings;
-        };
-      } // default;
-      "joplin.ataraxiadev.com" = {
-        locations."/" = {
-          proxyPass = "http://localhost:22300";
-          extraConfig = proxySettings;
-        };
-      } // default;
+      # "media-stack" = {
+      #   serverAliases = [
+      #     "jellyfin.ataraxiadev.com"
+      #     "radarr.ataraxiadev.com"
+      #     "qbit.ataraxiadev.com"
+      #     "prowlarr.ataraxiadev.com"
+      #     "sonarr.ataraxiadev.com"
+      #     "sonarrtv.ataraxiadev.com"
+      #     "organizr.ataraxiadev.com"
+      #     "lidarr.ataraxiadev.com"
+      #     "bazarr.ataraxiadev.com"
+      #     "nzbhydra.ataraxiadev.com"
+      #     "kavita.ataraxiadev.com"
+      #     "shoko.ataraxiadev.com"
+      #   ];
+      #   locations."/" = {
+      #     proxyPass = "http://localhost:8100";
+      #     proxyWebsockets = true;
+      #     extraConfig = ''
+      #       proxy_buffer_size 128k;
+      #       proxy_buffers 4 256k;
+      #       proxy_busy_buffers_size 256k;
+      #       send_timeout 15m;
+      #       proxy_connect_timeout 600;
+      #       proxy_send_timeout 600;
+      #       proxy_read_timeout 15m;
+      #     '' + proxySettings;
+      #   };
+      # } // default;
+      # "microbin.ataraxiadev.com" = {
+      #   locations."/" = {
+      #     proxyPass = "http://localhost:9988";
+      #     extraConfig = ''
+      #       client_max_body_size 40M;
+      #     '' + proxySettings;
+      #   };
+      # } // default;
+      # "joplin.ataraxiadev.com" = {
+      #   locations."/" = {
+      #     proxyPass = "http://localhost:22300";
+      #     extraConfig = proxySettings;
+      #   };
+      # } // default;
      "api.ataraxiadev.com" = {
        locations."~ (\\.py|\\.sh)$" = with config.services; {
          alias = "/srv/http/api.ataraxiadev.com";
@ -241,12 +234,9 @@
  secrets.narodmon-key.owner = config.services.nginx.user;

  system.activationScripts.linkPyScripts.text = ''
+    [ ! -d "/srv/http/api.ataraxiadev.com" ] && mkdir -p /srv/http/api.ataraxiadev.com
    ln -sfn ${pkgs.narodmon-py}/bin/temp.py /srv/http/api.ataraxiadev.com/temp.py
  '';

  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
-
-  persist.state.directories = [
-    "/var/lib/acme"
-  ];
 }
--- a/profiles/servers/vaultwarden.nix
+++ b/profiles/servers/vaultwarden.nix
@ -1,18 +1,20 @@
-{ config, pkgs, lib, ... }: {
-  secrets.vaultwarden = {
-    owner = "${toString config.users.users.vaultwarden.uid}";
-    permissions = "400";
-  };
+{ config, pkgs, lib, ... }:
+let
+  user = config.users.users.vaultwarden.name;
+  group = config.users.groups.vaultwarden.name;
+in {
+  secrets.vaultwarden.owner = user;

  services.vaultwarden = {
    enable = true;
-    backupDir = "/backups/vaultwarden";
+    backupDir = "/srv/vaultwarden";
    config = {
      domain = "https://vw.ataraxiadev.com";
      extendedLogging = true;
      invitationsAllowed = false;
      logFile = "/var/log/vaultwarden.log";
      logLevel = "warn";
+      rocketAddress = "127.0.0.1";
      rocketPort = 8812;
      showPasswordHint = false;
      signupsAllowed = false;
@ -23,8 +25,8 @@
      smtpFromName = "Vaultwarden";
      smtpHost = "mail.ataraxiadev.com";
      smtpPort = 587;
-      smtpSsl = true;
-      websocketAddress = "0.0.0.0";
+      smtpSecurity = "starttls";
+      websocketAddress = "127.0.0.1";
      websocketEnabled = true;
      websocketPort = 3012;
      webVaultEnabled = true;
@ -33,5 +35,15 @@
    environmentFile = config.secrets.vaultwarden.decrypted;
  };

-  persist.state.directories = [ "/var/lib/bitwarden_rs" ];
+  # We need to do this to successufully create backup folder
+  systemd.services.backup-vaultwarden.serviceConfig = {
+    User = "root";
+    Group = "root";
+  };
+
+  persist.state.directories = [{
+    "/var/lib/bitwarden_rs"
+  }] ++ lib.optionals (config.deviceSpecific.devInfo.fileSystem != "zfs") [{
+    config.services.vaultwarden.backupDir
+  }];
 }
--- a/profiles/workspace/gpg.nix
+++ b/profiles/workspace/gpg.nix
@ -26,13 +26,5 @@ with config.deviceSpecific; {
    };
  };

-  # persist.state.homeDirectories = [{
-  #   directory = config.secretsConfig.gnupgHome;
-  #   method = "symlink";
-  # }];
-  persist.state.homeDirectories = let
-    gnupgHome-relative = lib.removePrefix
-      config.home-manager.users.${config.mainuser}.home.homeDirectory
-        config.secretsConfig.gnupgHome;
-  in [ gnupgHome-relative ];
+  persist.state.homeDirectories = [ ".local/share/gnupg" ];
 }
--- a/profiles/workspace/misc.nix
+++ b/profiles/workspace/misc.nix
@ -50,6 +50,8 @@
  persist.state.directories = [
    "/var/lib/nixos"
    "/var/lib/systemd"
+  ] ++ lib.optionals config.services.postgresql.enable [
+    config.services.postgresql.dataDir
  ];
  persist.state.homeDirectories = [
    "projects"
--- a/profiles/workspace/nix-index.nix
+++ b/profiles/workspace/nix-index.nix
@ -7,5 +7,6 @@
  };
  programs.command-not-found.enable = lib.mkForce false;

-  persist.derivative.homeDirectories = [ ".cache/nix-index" ];
+  # FIXME
+  # persist.derivative.homeDirectories = [ ".cache/nix-index" ];
 }