add custom hosts to block

big hypervisor and servers refactor
connect to bathist only from local
2024-01-21 17:40:23 +03:00 · 2024-01-21 17:40:07 +03:00 · 2024-01-21 17:04:01 +03:00 · 2024-01-21 17:03:29 +03:00 · 2024-01-21 16:32:37 +03:00 · 2024-01-21 16:32:12 +03:00
30 changed files with 652 additions and 949 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1443,11 +1443,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1703620235,
-        "narHash": "sha256-QTTz8m1WxJGbAbRWJIQtM7Dum2bDmcsVYu3mppzKTGg=",
+        "lastModified": 1705685864,
+        "narHash": "sha256-kUrIeXJr1TBzcHi3GI9Aos9kIwzS6N9gM7O3e7LZdd0=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "5eec32231557faed7d0eeae215396b6477890ec7",
+        "rev": "9270a293f01ae7748ec42b903c7b92123cb24ec0",
        "type": "github"
      },
      "original": {
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@ -3,58 +3,49 @@ let persistRoot = config.autoinstall.persist.persistRoot or "/persist";
 in {
  imports = with inputs.self; [
    inputs.sops-nix.nixosModules.sops
+    ./backups.nix
    ./boot.nix
    ./hardware-configuration.nix
+    ./usb-hdd.nix
    ./virtualisation.nix
-    ./disks.nix
-    ./backups.nix
    customProfiles.hardened
-
    customRoles.hypervisor
+
    customProfiles.acme
+    customProfiles.attic
+    customProfiles.atticd
    customProfiles.authentik
    customProfiles.battery-historian
    customProfiles.fail2ban
-    # customProfiles.firefox-syncserver
    customProfiles.gitea
+    customProfiles.homepage
+    customProfiles.hoyolab
+    customProfiles.inpx-web
+    customProfiles.it-tools
    customProfiles.joplin-server
-    # customProfiles.mailserver
+    customProfiles.media-stack
+    customProfiles.minio
    customProfiles.nginx
-    # customProfiles.roundcube
+    customProfiles.ocis
+    customProfiles.openbooks
+    customProfiles.outline
+    customProfiles.radicale
+    customProfiles.spdf
    customProfiles.tinyproxy
    customProfiles.vaultwarden
    customProfiles.vscode-server
-
-    customProfiles.media-stack
-    # customProfiles.copyparty
-    customProfiles.inpx-web
-    # customProfiles.seafile
-    customProfiles.spdf
-    # customProfiles.cocalc
-    # customProfiles.neko-browser
-    customProfiles.openbooks
    customProfiles.webhooks
-
-    customProfiles.yandex-db
-    customProfiles.hoyolab
-    customProfiles.it-tools
-    customProfiles.homepage
-    customProfiles.matrix
-    customProfiles.atticd
-    customProfiles.attic
-    # customProfiles.restic-server
-    customProfiles.outline
-    customProfiles.radicale
    customProfiles.wiki
+    customProfiles.yandex-db

    (import customProfiles.blocky {
-      inherit config;
-      inherit (import ./dns-mapping.nix) dns-mapping;
+      inherit config pkgs;
+      inherit (import ./dns-mapping.nix) dnsmasq-list;
    })

    (import customProfiles.headscale {
      inherit config pkgs;
-      inherit (import ./dns-headscale.nix) dns-mapping;
+      inherit (import ./dns-mapping.nix) headscale-list;
    })
  ];

--- a/machines/Home-Hypervisor/dns-headscale.nix
+++ b/machines/Home-Hypervisor/dns-headscale.nix
@ -1,127 +0,0 @@
-{
-  dns-mapping = [
-    { name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "bathist.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "browser.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "cocalc.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "dimension.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
-    { name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
-    { name = "fb.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "fsync.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "goneb.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
-    { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "jitsi.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
-    { name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    # { name = "mail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
-    { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "microbin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "nzbhydra.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "organizr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "pdf.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "prowlarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "shoko.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "sonarrtv.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "startpage.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
-    { name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
-    { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    # { name = "webmail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-
-    { name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "bathist.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "browser.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "cocalc.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "dimension.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
-    { name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
-    { name = "fb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "fsync.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "goneb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
-    { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "jitsi.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
-    { name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    # { name = "mail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
-    { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "microbin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "nzbhydra.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "organizr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "pdf.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "prowlarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "shoko.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "sonarrtv.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "startpage.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
-    { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
-    { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    # { name = "webmail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-
-    # block hoyoverse logs
-    { name = "overseauspider.yuanshen.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "overseauspider.yuanshen.com"; type = "AAAA"; value = "::"; }
-    { name = "log-upload-os.hoyoverse.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "log-upload-os.hoyoverse.com"; type = "AAAA"; value = "::"; }
-    { name = "log-upload-os.mihoyo.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "log-upload-os.mihoyo.com"; type = "AAAA"; value = "::"; }
-    { name = "dump.gamesafe.qq.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "dump.gamesafe.qq.com"; type = "AAAA"; value = "::"; }
-    { name = "log-upload.mihoyo.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "log-upload.mihoyo.com"; type = "AAAA"; value = "::"; }
-    { name = "devlog-upload.mihoyo.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "devlog-upload.mihoyo.com"; type = "AAAA"; value = "::"; }
-    { name = "uspider.yuanshen.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "uspider.yuanshen.com"; type = "AAAA"; value = "::"; }
-    { name = "sg-public-data-api.hoyoverse.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "sg-public-data-api.hoyoverse.com"; type = "AAAA"; value = "::"; }
-    { name = "public-data-api.mihoyo.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "public-data-api.mihoyo.com"; type = "AAAA"; value = "::"; }
-    { name = "prd-lender.cdp.internal.unity3d.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "prd-lender.cdp.internal.unity3d.com"; type = "AAAA"; value = "::"; }
-    { name = "thind-prd-knob.data.ie.unity3d.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "thind-prd-knob.data.ie.unity3d.com"; type = "AAAA"; value = "::"; }
-    { name = "thind-gke-usc.prd.data.corp.unity3d.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "thind-gke-usc.prd.data.corp.unity3d.com"; type = "AAAA"; value = "::"; }
-    { name = "cdp.cloud.unity3d.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "cdp.cloud.unity3d.com"; type = "AAAA"; value = "::"; }
-    { name = "remote-config-proxy-prd.uca.cloud.unity3d.com"; type = "A"; value = "0.0.0.0"; }
-    { name = "remote-config-proxy-prd.uca.cloud.unity3d.com"; type = "AAAA"; value = "::"; }
-  ];
-}
--- a/machines/Home-Hypervisor/dns-mapping.nix
+++ b/machines/Home-Hypervisor/dns-mapping.nix
@ -1,65 +1,92 @@
 {
-  dns-mapping = [
+  headscale-list = [
+    { name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
+    { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
+    { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "pdf.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "s3.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
+    { name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
+    { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+
+    { name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
+    { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
+    { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "pdf.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "s3.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
+    { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
+    { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+  ];
+  dnsmasq-list = [
    "/api.ataraxiadev.com/192.168.0.10"
    "/auth.ataraxiadev.com/192.168.0.10"
-    "/bathist.ataraxiadev.com/192.168.0.10"
-    "/browser.ataraxiadev.com/192.168.0.10"
    "/cache.ataraxiadev.com/192.168.0.10"
    "/cal.ataraxiadev.com/192.168.0.10"
-    "/cocalc.ataraxiadev.com/192.168.0.10"
    "/code.ataraxiadev.com/192.168.0.10"
    "/docs.ataraxiadev.com/192.168.0.10"
-    # "/dimension.ataraxiadev.com/192.168.0.10"
-    # "/element.ataraxiadev.com/192.168.0.10"
-    "/fb.ataraxiadev.com/192.168.0.10"
    "/file.ataraxiadev.com/192.168.0.10"
-    "/fsync.ataraxiadev.com/192.168.0.10"
-    # "/goneb.ataraxiadev.com/192.168.0.10"
    "/home.ataraxiadev.com/192.168.0.10"
    "/jackett.ataraxiadev.com/192.168.0.10"
    "/jellyfin.ataraxiadev.com/192.168.0.10"
-    # "/jitsi.ataraxiadev.com/192.168.0.10"
    "/joplin.ataraxiadev.com/192.168.0.10"
    "/kavita.ataraxiadev.com/192.168.0.10"
    "/ldap.ataraxiadev.com/192.168.0.10"
    "/lib.ataraxiadev.com/192.168.0.10"
-    # "/matrix.ataraxiadev.com/192.168.0.10"
    "/medusa.ataraxiadev.com/192.168.0.10"
-    "/microbin.ataraxiadev.com/192.168.0.10"
-    "/nzbhydra.ataraxiadev.com/192.168.0.10"
    "/openbooks.ataraxiadev.com/192.168.0.10"
-    "/organizr.ataraxiadev.com/192.168.0.10"
    "/pdf.ataraxiadev.com/192.168.0.10"
-    "/prowlarr.ataraxiadev.com/192.168.0.10"
    "/qbit.ataraxiadev.com/192.168.0.10"
    "/radarr.ataraxiadev.com/192.168.0.10"
    "/restic.ataraxiadev.com/192.168.0.10"
-    "/shoko.ataraxiadev.com/192.168.0.10"
+    "/s3.ataraxiadev.com/192.168.0.10"
    "/sonarr.ataraxiadev.com/192.168.0.10"
-    "/sonarrtv.ataraxiadev.com/192.168.0.10"
-    "/startpage.ataraxiadev.com/192.168.0.10"
-    # "/stats.ataraxiadev.com/192.168.0.10"
    "/tools.ataraxiadev.com/192.168.0.10"
-    # "/turn.ataraxiadev.com/192.168.0.10"
    "/vw.ataraxiadev.com/192.168.0.10"
-    "/wg.ataraxiadev.com/192.168.0.10"
    "/wiki.ataraxiadev.com/192.168.0.10"
-    "/www.ataraxiadev.com/192.168.0.10"
-
-    # block hoyoverse logs
-    "/overseauspider.yuanshen.com/0.0.0.0"
-    "/log-upload-os.hoyoverse.com/0.0.0.0"
-    "/log-upload-os.mihoyo.com/0.0.0.0"
-    "/dump.gamesafe.qq.com/0.0.0.0"
-    "/log-upload.mihoyo.com/0.0.0.0"
-    "/devlog-upload.mihoyo.com/0.0.0.0"
-    "/uspider.yuanshen.com/0.0.0.0"
-    "/sg-public-data-api.hoyoverse.com/0.0.0.0"
-    "/public-data-api.mihoyo.com/0.0.0.0"
-    "/prd-lender.cdp.internal.unity3d.com/0.0.0.0"
-    "/thind-prd-knob.data.ie.unity3d.com/0.0.0.0"
-    "/thind-gke-usc.prd.data.corp.unity3d.com/0.0.0.0"
-    "/cdp.cloud.unity3d.com/0.0.0.0"
-    "/remote-config-proxy-prd.uca.cloud.unity3d.com/0.0.0.0"
  ];
 }
--- a/machines/Home-Hypervisor/usb-hdd.nix
+++ b/machines/Home-Hypervisor/usb-hdd.nix
--- a/machines/NixOS-VPS/services/dns.nix
+++ b/machines/NixOS-VPS/services/dns.nix
@ -135,6 +135,7 @@ in {
            "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
            "https://github.com/RPiList/specials/raw/master/Blocklisten/MS-Office-Telemetry"
            "https://github.com/RPiList/specials/raw/master/Blocklisten/Win10Telemetry"
+            ../../../misc/telemetry.hosts
          ];
        };
        clientGroupsBlock.default = [ "ads" "telemetry" ];
--- a/misc/telemetry.hosts
+++ b/misc/telemetry.hosts
@ -0,0 +1,28 @@
+overseauspider.yuanshen.com
+overseauspider.yuanshen.com
+log-upload-os.hoyoverse.com
+log-upload-os.hoyoverse.com
+log-upload-os.mihoyo.com
+log-upload-os.mihoyo.com
+dump.gamesafe.qq.com
+dump.gamesafe.qq.com
+log-upload.mihoyo.com
+log-upload.mihoyo.com
+devlog-upload.mihoyo.com
+devlog-upload.mihoyo.com
+uspider.yuanshen.com
+uspider.yuanshen.com
+sg-public-data-api.hoyoverse.com
+sg-public-data-api.hoyoverse.com
+public-data-api.mihoyo.com
+public-data-api.mihoyo.com
+prd-lender.cdp.internal.unity3d.com
+prd-lender.cdp.internal.unity3d.com
+thind-prd-knob.data.ie.unity3d.com
+thind-prd-knob.data.ie.unity3d.com
+thind-gke-usc.prd.data.corp.unity3d.com
+thind-gke-usc.prd.data.corp.unity3d.com
+cdp.cloud.unity3d.com
+cdp.cloud.unity3d.com
+remote-config-proxy-prd.uca.cloud.unity3d.com
+remote-config-proxy-prd.uca.cloud.unity3d.com
--- a/modules/ocis.nix
+++ b/modules/ocis.nix
@ -0,0 +1,159 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.ocis;
+  format = pkgs.formats.yaml { };
+
+  linkConfigs = confDir: lib.pipe cfg.settings [
+    (lib.attrsets.mapAttrs (n: v: format.generate "${n}.yaml" v))
+    (lib.mapAttrsToList (n: v: "ln -sf ${v} ${confDir}/${n}.yaml"))
+    (lib.concatStringsSep "\n")
+  ];
+
+  mkExport = { arg, value }: "export ${arg}=${value}";
+  adminpass = {
+    arg = "ADMIN_PASSWORD";
+    value = ''"$(<"${toString cfg.adminpassFile}")"'';
+  };
+in
+{
+  options.services.ocis = {
+    enable = mkEnableOption (lib.mdDoc "ownCloud Infinite Scale Stack");
+    package = mkOption {
+      type = types.package;
+      description = lib.mdDoc "Which package to use for the ocis instance.";
+      default = pkgs.ocis-bin;
+    };
+    configDir = mkOption {
+      default = "/var/lib/ocis/.config";
+      type = types.path;
+      description = lib.mdDoc "The config directory. Set OCIS_CONFIG_DIR env variable.";
+    };
+    baseDataPath = mkOption {
+      default = "/var/lib/ocis";
+      type = types.path;
+      description = lib.mdDoc "The base data directory. Set OCIS_BASE_DATA_PATH env variable.";
+    };
+    environment = lib.mkOption {
+      type = lib.types.attrsOf lib.types.str;
+      default = { };
+      example = lib.literalExpression ''
+        {
+          OCIS_URL = "https://localhost:9200";
+        }
+      '';
+      description = lib.mdDoc "Environment variables to pass to ocis instance.";
+    };
+    environmentFile = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = lib.mdDoc ''
+        file in the format of an EnvironmentFile as described by systemd.exec(5).
+      '';
+    };
+    adminpassFile = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = lib.mdDoc ''
+        The full path to a file that contains the admin's password. Must be
+        readable by user `ocis`. The password is set only in the initial
+        setup of Ocis by the systemd service `ocis-init.service`.
+      '';
+    };
+    settings = mkOption {
+      type = with types; attrsOf format.type;
+      default = { };
+      example = lib.literalExpression ''
+        {
+          auth-bearer = {
+            tracing = {
+              enabled = true;
+            };
+          };
+          proxy = {
+            user_oidc_claim = "preferred_username";
+            user_cs3_claim = "username";
+          };
+        }
+      '';
+      description = lib.mdDoc ''
+        OCIS configuration. Refer to
+        <https://doc.owncloud.com/ocis/next/deployment/services/services.html>
+        for details on supported values.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.configDir}' - ocis ocis - -"
+      "d '${cfg.baseDataPath}' - ocis ocis - -"
+    ];
+    systemd.services.ocis-init = rec {
+      before = [ "ocis-server.service" ];
+      requiredBy = [ "ocis-server.service" ];
+      path = [ cfg.package ];
+      environment = {
+        OCIS_CONFIG_DIR = cfg.configDir;
+        OCIS_BASE_DATA_PATH = cfg.baseDataPath;
+      } // cfg.environment;
+      script = ''
+        ${lib.optionalString (cfg.settings != { }) "${linkConfigs environment.OCIS_CONFIG_DIR}"}
+        if [ ! -f "$OCIS_CONFIG_DIR/ocis.yaml" ]; then
+          ${
+            lib.optionalString (cfg.adminpassFile != null) ''
+              if [ ! -r "${cfg.adminpassFile}" ]; then
+                echo "adminpassFile ${cfg.adminpassFile} is not readable by ocis:ocis! Aborting..."
+                exit 1
+              fi
+              if [ -z "$(<${cfg.adminpassFile})" ]; then
+                echo "adminpassFile ${cfg.adminpassFile} is empty!"
+                exit 1
+              fi
+              ${mkExport adminpass}
+            ''
+          }
+          ocis init
+        fi
+      '';
+      serviceConfig = {
+        Type = "simple";
+        StateDirectory = "ocis";
+        User = "ocis";
+        Group = "ocis";
+      } // optionalAttrs (cfg.environmentFile != null) {
+        EnvironmentFile = cfg.environmentFile;
+      };
+    };
+
+    systemd.services.ocis-server = {
+      description = "ownCloud Infinite Scale Stack";
+      wantedBy = [ "multi-user.target" ];
+      path = [ cfg.package ];
+      environment = {
+        OCIS_CONFIG_DIR = cfg.configDir;
+        OCIS_BASE_DATA_PATH = cfg.baseDataPath;
+        OCIS_URL = "https://localhost:9200";
+        PROXY_HTTP_ADDR = "127.0.0.1:9200";
+      } // cfg.environment;
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+        ExecStart = "${cfg.package}/bin/ocis server";
+        User = "ocis";
+        Group = "ocis";
+        LimitNOFILE = 65536;
+      } // optionalAttrs (cfg.environmentFile != null) {
+        EnvironmentFile = cfg.environmentFile;
+      };
+    };
+
+    environment.systemPackages = [ cfg.package ];
+
+    users.groups.ocis = { };
+    users.users.ocis = {
+      description = "Ocis Daemon User";
+      group = "ocis";
+      isSystemUser = true;
+    };
+  };
+}
--- a/profiles/servers/authentik.nix
+++ b/profiles/servers/authentik.nix
@ -11,7 +11,7 @@ let
    "127.0.0.1:389:3389/tcp" "127.0.0.1:636:6636/tcp"
  ];
  owner = "1000";
-  authentik-version = "2023.8.3";
+  authentik-version = "2023.10.6";
 in {
  secrets.authentik-env.services = [ "${backend}-authentik-server.service" ];
  secrets.authentik-ldap.services = [ "${backend}-authentik-ldap.service" ];
--- a/profiles/servers/battery-historian.nix
+++ b/profiles/servers/battery-historian.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }: {
  virtualisation.oci-containers.containers.battery-historian = {
    autoStart = true;
-    ports = [ "127.0.0.1:9999:9999" ];
+    ports = [ "0.0.0.0:9999:9999" ];
    image = "gcr.io/android-battery-historian/stable:3.0";
  };
 }
--- a/profiles/servers/blocky.nix
+++ b/profiles/servers/blocky.nix
@ -1,23 +1,30 @@
-{ config, dns-mapping ? [], ... }:
+{ config, pkgs, dnsmasq-list ? [], ... }:
 let
  nodeAddress = "192.168.0.5";
-  wgAddress = "10.100.0.1";
-  wgConf = config.secrets.wg-hypervisor-dns.decrypted;
+  upstream-dns = "100.64.0.1";
 in {
-  boot.kernelModules = [ "wireguard" ];
-  secrets.wg-hypervisor-dns.services = [ "container@blocky.service" ];
+  systemd.tmpfiles.rules = [
+    "d /srv/blocky-tailscale 0755 root root -"
+  ];
+  systemd.services.gen-headscale-key = {
+    before = [ "container@blocky.service" ];
+    requiredBy = [ "container@blocky.service" ];
+    serviceConfig.Type = "oneshot";
+    path = [ pkgs.headscale ];
+    script = ''
+      headscale preauthkeys create --ephemeral -e 1h -u ataraxiadev | tee /tmp/blocky-authkey
+    '';
+  };
  containers.blocky = {
    autoStart = true;
+    enableTun = true;
    ephemeral = true;
    privateNetwork = true;
    hostBridge = "br0";
    localAddress = "${nodeAddress}/24";
    tmpfs = [ "/" ];
-    bindMounts."${wgConf}" = {
-      hostPath = wgConf;
-      isReadOnly = true;
-    };
-    config = { config, pkgs, ... }:
+    bindMounts."/tmp/blocky-authkey".hostPath = "/tmp/blocky-authkey";
+    config = { config, pkgs, lib, ... }:
    let
      grafanaPort = config.services.grafana.settings.server.http_port;
      blockyPort = config.services.blocky.settings.ports.dns;
@ -26,7 +33,7 @@ in {
      networking = {
        defaultGateway = "192.168.0.1";
        hostName = "blocky-node";
-        nameservers = [ wgAddress ];
+        nameservers = [ "127.0.0.1" ];
        enableIPv6 = false;
        useHostResolvConf = false;
        firewall = {
@ -34,8 +41,21 @@ in {
          allowedTCPPorts = [ blockyPort grafanaPort ];
          allowedUDPPorts = [ blockyPort ];
        };
-        wg-quick.interfaces.wg0.configFile = wgConf;
      };
+      # ephemeral tailscale node
+      services.tailscale = {
+        enable = true;
+        useRoutingFeatures = "client";
+        authKeyFile = "/tmp/blocky-authkey";
+        extraUpFlags = [ "--login-server=https://wg.ataraxiadev.com" "--accept-dns=false" ];
+      };
+      systemd.services.tailscaled.serviceConfig.Environment = let
+        cfg = config.services.tailscale;
+      in lib.mkForce [
+        "PORT=${toString cfg.port}"
+        ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName} --state=mem:"''
+      ];
+
      services.dnsmasq = {
        enable = true;
        alwaysKeepRunning = true;
@ -46,14 +66,26 @@ in {
          no-hosts = true;
          listen-address = "127.0.0.1";
          no-dhcp-interface = "";
-          address = dns-mapping ++ [];
+          address = dnsmasq-list ++ [];
        };
      };
      services.blocky = {
        enable = true;
        settings = {
-          upstream.default = [ wgAddress ];
+          upstream.default = [ upstream-dns ];
          upstreamTimeout = "10s";
+          blocking = {
+            blackLists.telemetry = [ ../../misc/telemetry.hosts ];
+            clientGroupsBlock.default = [ "telemetry" ];
+          };
+          conditional = {
+            fallbackUpstream = true;
+            mapping = {
+              "ataraxiadev.com" = "127.0.0.1:5353";
+            };
+          };
+          # drop ipv6 requests
+          filtering.queryTypes = [ "AAAA" ];
          caching = {
            minTime = "0m";
            maxTime = "12h";
@ -66,12 +98,6 @@ in {
          };
          prometheus.enable = true;
          queryLog.type = "console";
-          conditional = {
-            fallbackUpstream = true;
-            mapping = {
-              "ataraxiadev.com" = "127.0.0.1:5353";
-            };
-          };
        };
      };
      services.prometheus = {
@ -134,7 +160,7 @@ in {
          user = "grafana";
        };
      };
-      system.stateVersion = "23.05";
+      system.stateVersion = "23.11";
    };
  };
 }
--- a/profiles/servers/cocalc.nix
+++ b/profiles/servers/cocalc.nix
@ -1,15 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  backend = config.virtualisation.oci-containers.backend;
-  nas-path = "/media/nas/containers";
-in {
-  virtualisation.oci-containers.containers.cocalc = {
-    autoStart = true;
-    image = "docker.io/ataraxiadev/cocalc-latex:1b335d368d26";
-    ports = [ "127.0.0.1:9099:443/tcp" ];
-    volumes = [
-      "${nas-path}/cocalc:/projects"
-      "${nas-path}/databases/cocalc:/projects/postgres"
-    ];
-  };
-}
--- a/profiles/servers/copyparty.nix
+++ b/profiles/servers/copyparty.nix
@ -1,25 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  backend = config.virtualisation.oci-containers.backend;
-  nas-path = "/media/nas";
-in {
-  virtualisation.oci-containers.containers.copyparty = {
-    autoStart = true;
-    image = "docker.io/copyparty/min";
-    cmd = [
-      "--xdev" "--xvol"
-      # "-e2dsa" "-e2ts"
-      # "--re-maxage 600"
-      # "--hist /cache/copyparty"
-      # "--no-robots"
-      "-q" "--http-only" "--no-dav"
-      "-s" "--no-logues" "--no-readme"
-      # "-i localhost"
-    ];
-    ports = [ "127.0.0.1:3923:3923/tcp" ];
-    user = "1000:100";
-    volumes = [
-      "${nas-path}:/w"
-    ];
-  };
-}
--- a/profiles/servers/firefox-syncserver.nix
+++ b/profiles/servers/firefox-syncserver.nix
@ -1,34 +0,0 @@
-{ pkgs, config, lib, ... }: {
-  secrets.firefox-syncserver = {
-    # owner = config.services.firefox-syncserver.database.user;
-  };
-
-  services.mysql.package = pkgs.mariadb;
-
-  services.firefox-syncserver = {
-    enable = true;
-    database.createLocally = true;
-    secrets = config.secrets.firefox-syncserver.decrypted;
-    settings = {
-      port = 5000;
-      tokenserver.enabled = true;
-      # syncserver = {
-      #   public_url = "https://fsync.ataraxiadev.com";
-      # };
-      # endpoints = {
-      #   "sync-1.5" = "http://localhost:8000/1.5/1";
-      # };
-    };
-    singleNode = {
-      enable = true;
-      capacity = 10;
-      # enableTLS = false;
-      # enableNginx = false;
-      # enableTLS = false;
-      # enableNginx = true;
-      # hostname = "localhost";
-      # hostname = "fsync.ataraxiadev.com";
-      url = "https://fsync.ataraxiadev.com";
-    };
-  };
-}
--- a/profiles/servers/headscale.nix
+++ b/profiles/servers/headscale.nix
@ -1,4 +1,4 @@
-{ config, pkgs, dns-mapping ? {}, ... }:
+{ config, pkgs, headscale-list ? {}, ... }:
 let
  domain = "wg.ataraxiadev.com";
 in {
@ -17,7 +17,7 @@ in {
      dns_config = {
        base_domain = domain;
        nameservers = [ "127.0.0.1" ];
-        extra_records = dns-mapping;
+        extra_records = headscale-list;
      };
      oidc = {
        only_start_if_oidc_is_available = true;
--- a/profiles/servers/homepage.nix
+++ b/profiles/servers/homepage.nix
@ -6,7 +6,6 @@ let
  pod-dns = "192.168.0.1";
  open-ports = [
    "127.0.0.1:3000:3000/tcp"
-    # "127.0.0.1:2375:2375/tcp"
  ];
 in {
  virtualisation.oci-containers.containers = {
@ -18,7 +17,6 @@ in {
        PGID = "100";
      };
      extraOptions = [ "--pod=${pod-name}" ];
-      # ports = [ "127.0.0.1:3000:3000/tcp" ];
      volumes = [
        "${nas-path}/homepage/config:/app/config"
        "${nas-path}/homepage/icons:/app/public/icons"
@ -35,7 +33,6 @@ in {
        POST = "0";
      };
      extraOptions = [ "--pod=${pod-name}" ];
-      # ports = [ "127.0.0.1:2375:2375/tcp" ];
      volumes = [
        "${nas-path}/homepage/config:/app/config"
        "${nas-path}/homepage/icons:/app/public/icons"
--- a/profiles/servers/mailserver.nix
+++ b/profiles/servers/mailserver.nix
@ -1,153 +0,0 @@
-{ pkgs, config, lib, inputs, ... }:
-let
-  secrets-default = {
-    owner = "dovecot2:dovecot2";
-    services = [ "dovecot2" ];
-  };
-in {
-  imports = [ (toString inputs.simple-nixos-mailserver) ];
-  secrets.mailserver = secrets-default;
-  secrets.mailserver-minichka = secrets-default;
-  secrets.mailserver-mitin = secrets-default;
-  secrets.mailserver-joplin = secrets-default;
-  secrets.mailserver-vaultwarden = secrets-default;
-  secrets.mailserver-seafile = secrets-default;
-  secrets.mailserver-gitea = secrets-default;
-  secrets.mailserver-authentik = secrets-default;
-  secrets.mailserver-kavita = secrets-default;
-  secrets.mailserver-synapse = secrets-default;
-  secrets.mailserver-outline = secrets-default;
-
-  security.acme.certs."mail.ataraxiadev.com" = {
-    webroot = "/var/lib/acme/acme-challenge";
-    postRun = ''
-      systemctl reload postfix
-      systemctl reload dovecot2
-    '';
-  };
-
-  services.postfix = {
-    dnsBlacklists = [
-      "all.s5h.net"
-      "b.barracudacentral.org"
-      "bl.spamcop.net"
-      "blacklist.woody.ch"
-    ];
-    dnsBlacklistOverrides = ''
-      ataraxiadev.com OK
-      mail.ataraxiadev.com OK
-      127.0.0.0/8 OK
-      192.168.0.0/16 OK
-    '';
-    headerChecks = [
-      {
-        action = "IGNORE";
-        pattern = "/^User-Agent.*Roundcube Webmail/";
-      }
-    ];
-  };
-  mailserver = rec {
-    enable = true;
-    openFirewall = true;
-    fqdn = "mail.ataraxiadev.com";
-    domains = [ "ataraxiadev.com" ];
-    # hashedPassword:
-    # nsp apacheHttpd --run 'htpasswd -nbB "" "super secret password"' | cut -d: -f2
-    loginAccounts = {
-      "ataraxiadev@ataraxiadev.com" = {
-        aliases = [
-          "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root"
-          "ark@ataraxiadev.com" "ark" "ataraxiadev.hsr@ataraxiadev.com" "ataraxiadev.hsr"
-          "hsr@ataraxiadev.com" "hsr"
-          "hsr1@ataraxiadev.com" "hsr1"
-          "hsr2@ataraxiadev.com" "hsr2"
-          "hsr3@ataraxiadev.com" "hsr3"
-          "hsr4@ataraxiadev.com" "hsr4"
-          "hsr5@ataraxiadev.com" "hsr5"
-          "hsr6@ataraxiadev.com" "hsr6"
-          "hsr7@ataraxiadev.com" "hsr7"
-          "hsr8@ataraxiadev.com" "hsr8"
-          "hsr9@ataraxiadev.com" "hsr9"
-          "hsr10@ataraxiadev.com" "hsr10"
-          "hsr11@ataraxiadev.com" "hsr11"
-          "hsr12@ataraxiadev.com" "hsr12"
-          "hsr13@ataraxiadev.com" "hsr13"
-          "hsr14@ataraxiadev.com" "hsr14"
-          "hsr15@ataraxiadev.com" "hsr15"
-          "hsr16@ataraxiadev.com" "hsr16"
-          # "@ataraxiadev.com"
-        ];
-        hashedPasswordFile = config.secrets.mailserver.decrypted;
-      };
-      "minichka76@ataraxiadev.com" = {
-        aliases = [
-        	"minichka76" "kpoxa@ataraxiadev.com" "kpoxa"
-        	"sladkiyson0417@ataraxiadev.com" "sladkiyson0417"
-        ];
-        hashedPasswordFile = config.secrets.mailserver-minichka.decrypted;
-      };
-      "mitin@ataraxiadev.com" = {
-        aliases = [ "mitin" "mitin1@ataraxiadev.com" "mitin1" "mitin2@ataraxiadev.com" "mitin2" ];
-        hashedPasswordFile = config.secrets.mailserver-mitin.decrypted;
-      };
-
-      "authentik@ataraxiadev.com" = {
-        aliases = [ "authentik" ];
-        hashedPasswordFile = config.secrets.mailserver-authentik.decrypted;
-      };
-      "gitea@ataraxiadev.com" = {
-        aliases = [ "gitea" ];
-        hashedPasswordFile = config.secrets.mailserver-gitea.decrypted;
-      };
-      "joplin@ataraxiadev.com" = {
-        aliases = [ "joplin" ];
-        hashedPasswordFile = config.secrets.mailserver-joplin.decrypted;
-      };
-      "kavita@ataraxiadev.com" = {
-        aliases = [ "kavita" ];
-        hashedPasswordFile = config.secrets.mailserver-kavita.decrypted;
-      };
-      "vaultwarden@ataraxiadev.com" = {
-        aliases = [ "vaultwarden" ];
-        hashedPasswordFile = config.secrets.mailserver-vaultwarden.decrypted;
-      };
-      "seafile@ataraxiadev.com" = {
-        aliases = [ "seafile" ];
-        hashedPasswordFile = config.secrets.mailserver-seafile.decrypted;
-      };
-      "matrix@ataraxiadev.com" = {
-        aliases = [ "matrix" ];
-        hashedPasswordFile = config.secrets.mailserver-synapse.decrypted;
-      };
-      "outline@ataraxiadev.com" = {
-        aliases = [ "outline" ];
-        hashedPasswordFile = config.secrets.mailserver-outline.decrypted;
-      };
-    };
-    hierarchySeparator = "/";
-    localDnsResolver = false;
-    certificateScheme = "manual";
-    certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
-    keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
-    enableManageSieve = true;
-    enableImap = true;
-    enableImapSsl = true;
-    enablePop3 = false;
-    enablePop3Ssl = false;
-    enableSubmission = true;
-    enableSubmissionSsl = true;
-    virusScanning = false;
-
-    mailDirectory = "/srv/mail/vmail";
-    dkimKeyDirectory = "/srv/mail/dkim";
-  };
-
-  persist.state.directories = [
-    "/var/sieve" # FIXME: change ownership to virtualMail:
-  ] ++ lib.optionals (config.deviceSpecific.devInfo.fileSystem != "zfs") [
-    config.mailserver.dkimKeyDirectory
-    config.mailserver.mailDirectory
-  ];
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-}
--- a/profiles/servers/matrix.nix
+++ b/profiles/servers/matrix.nix
@ -1,23 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  virtualisation.libvirt.guests.fedora-synapse = {
-    autoStart = false;
-    user = config.mainuser;
-    group = "libvirtd";
-    uefi = true;
-    memory = 2 * 1024;
-    cpu = {
-      sockets = 1; cores = 1; threads = 2;
-    };
-    devices = {
-      disks = [
-        { diskFile = "/media/nas/libvirt/images/fedora-matrix-root.img"; type = "raw"; targetName = "vda"; }
-        { diskFile = "/media/nas/libvirt/images/fedora-matrix-synapse.img"; type = "raw"; targetName = "vdb"; }
-      ];
-      network = {
-        macAddress = "00:16:3e:5b:49:bf";
-        interfaceType = "bridge";
-        sourceDev = "br0";
-      };
-    };
-  };
-}
--- a/profiles/servers/microbin.nix
+++ b/profiles/servers/microbin.nix
@ -1,22 +0,0 @@
-{ config, pkgs, lib, ... }: {
-  secrets.microbin-pass.services = [ "microbin.service" ];
-
-  systemd.services.microbin = {
-    description = "MicroBin";
-    path = [ pkgs.microbin ];
-    script = ''
-      mkdir -p /var/microbin
-      cd /var/microbin
-      MICROBIN_PASS=$(cat /var/secrets/microbin-pass)
-      microbin --editable --highlightsyntax --private -b 127.0.0.1 -p 9988 --auth-username ataraxiadev --auth-password $MICROBIN_PASS
-    '';
-    serviceConfig = {
-      Restart = "always";
-      Type = "simple";
-    };
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-  };
-
-  persist.state.directories = [ "/var/microbin" ];
-}
--- a/profiles/servers/minio.nix
+++ b/profiles/servers/minio.nix
@ -0,0 +1,33 @@
+{ config, lib, pkgs, inputs, ... }: {
+  sops.secrets.minio-credentials = {
+    owner = "minio";
+    mode = "0400";
+    sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
+    restartUnits = [ "minio.service" ];
+  };
+
+  services.minio = {
+    enable = true;
+    browser = true;
+    configDir = "/media/nas/minio/config";
+    dataDir = [ "/media/nas/minio/data" ];
+    listenAddress = "127.0.0.1:9600";
+    consoleAddress = "127.0.0.1:9601";
+    rootCredentialsFile = config.sops.secrets.minio-credentials.path;
+  };
+
+  systemd.services.minio = {
+    environment = lib.mkAfter {
+      MINIO_SERVER_URL = "https://s3.ataraxiadev.com";
+      MINIO_BROWSER_REDIRECT_URL = "https://s3.ataraxiadev.com/ui";
+      MINIO_IDENTITY_OPENID_COMMENT="Authentik";
+      MINIO_IDENTITY_OPENID_CONFIG_URL = "https://auth.ataraxiadev.com/application/o/minio/.well-known/openid-configuration";
+      MINIO_IDENTITY_OPENID_REDIRECT_URI = "https://s3.ataraxiadev.com/ui/oauth_callback";
+      MINIO_IDENTITY_OPENID_SCOPES = "openid,profile,email,minio";
+    };
+  };
+
+  # persist.state.directories = config.services.minio.dataDir ++ [
+  #   config.services.minio.configDir
+  # ];
+}
--- a/profiles/servers/neko-browser.nix
+++ b/profiles/servers/neko-browser.nix
@ -1,30 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  backend = config.virtualisation.oci-containers.backend;
-in {
-  virtualisation.oci-containers.containers.neko-browser = {
-    autoStart = true;
-    image = "ghcr.io/m1k1o/neko/intel-firefox";
-    environment = {
-      NEKO_ICELITE = "true";
-      NEKO_SCREEN = "1920x1080@30";
-      NEKO_PASSWORD = "neko";
-      NEKO_PASSWORD_ADMIN = "admin";
-      NEKO_TCPMUX = "8091";
-      NEKO_UDPMUX = "8092";
-      NEKO_BIND = "127.0.0.1:8090";
-      NEKO_NAT1TO1 = "91.202.204.123";
-    };
-    extraOptions = [
-      "--cap-add=SYS_ADMIN"
-      "--cap-add=SYS_CHROOT"
-      "--device=/dev/dri:/dev/dri"
-      "--shm-size=1gb"
-    ];
-    ports = [
-      "127.0.0.1:8090:8090"
-      "127.0.0.1:8091:8091"
-      "127.0.0.1:8092:8092/udp"
-    ];
-  };
-}
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -61,16 +61,16 @@ in {
      extraDomainNames = [
        "api.ataraxiadev.com"
        "auth.ataraxiadev.com"
-        "bathist.ataraxiadev.com"
-        "browser.ataraxiadev.com"
+        # "bathist.ataraxiadev.com"
+        # "browser.ataraxiadev.com"
        "cache.ataraxiadev.com"
        "cal.ataraxiadev.com"
-        "cocalc.ataraxiadev.com"
+        # "cocalc.ataraxiadev.com"
        "code.ataraxiadev.com"
        "docs.ataraxiadev.com"
-        "fb.ataraxiadev.com"
+        # "fb.ataraxiadev.com"
        "file.ataraxiadev.com"
-        "fsync.ataraxiadev.com"
+        # "fsync.ataraxiadev.com"
        "home.ataraxiadev.com"
        "jackett.ataraxiadev.com"
        "jellyfin.ataraxiadev.com"
@ -84,8 +84,9 @@ in {
        "pdf.ataraxiadev.com"
        "qbit.ataraxiadev.com"
        "radarr.ataraxiadev.com"
+        "s3.ataraxiadev.com"
        "sonarr.ataraxiadev.com"
-        "startpage.ataraxiadev.com"
+        # "startpage.ataraxiadev.com"
        "tools.ataraxiadev.com"
        "vw.ataraxiadev.com"
        "wg.ataraxiadev.com"
@ -100,12 +101,6 @@ in {
    };
  };

-  services.fcgiwrap = {
-    enable = true;
-    user = config.services.nginx.user;
-    group = config.services.nginx.group;
-  };
-
  services.nginx = {
    enable = true;
    group = "acme";
@ -117,12 +112,6 @@ in {
    clientMaxBodySize = "250m";
    commonHttpConfig = ''
      proxy_hide_header X-Frame-Options;
-      # proxy_hide_header Content-Security-Policy;
-      # add_header Content-Security-Policy "upgrade-insecure-requests";
-      # add_header X-XSS-Protection "1; mode=block";
-      # add_header X-Robots-Tag "none";
-      # add_header X-Content-Type-Options "nosniff";
-
    '';
    virtualHosts = let
      default = {
@ -151,7 +140,7 @@ in {
          '';
        };
        locations."/hooks" = {
-          proxyPass = "http://127.0.0.1:9010/hooks";
+          proxyPass = "http://127.0.0.1:9510/hooks";
        };
        locations."/.well-known/matrix" = {
          proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
@ -160,52 +149,30 @@ in {
          '';
        };
      } // default;
-      # "matrix:443" = {
-      #   serverAliases = [
-      #     "matrix.ataraxiadev.com"
-      #     "dimension.ataraxiadev.com"
-      #     "element.ataraxiadev.com"
-      #     "stats.ataraxiadev.com"
-      #   ];
-      #   listen = [{
-      #     addr = "0.0.0.0";
-      #     port = 443;
-      #     ssl = true;
-      #   }];
-      #   locations."/" = {
-      #     proxyPass = "http://matrix.pve:81";
-      #     extraConfig = ''
-      #       client_max_body_size 50M;
-      #     '' + proxySettings;
-      #   };
-      # } // default;
-      # "matrix:8448" = {
-      #   serverAliases = [ "matrix.ataraxiadev.com" ];
-      #   listen = [{
-      #     addr = "0.0.0.0";
-      #     port = 8448;
-      #     ssl = true;
-      #   }];
-      #   locations."/" = {
-      #     proxyPass = "http://matrix.pve:8448";
-      #     extraConfig = ''
-      #       client_max_body_size 50M;
-      #     '' + proxySettings;
-      #   };
-      # } // default;
-      "home.ataraxiadev.com" = default // authentik {
-        proxyPass = "http://127.0.0.1:3000";
-      };
-      "openbooks.ataraxiadev.com" = default // authentik {
-        proxyPass = "http://127.0.0.1:8097";
-        proxyWebsockets = true;
-      };
-      "docs.ataraxiadev.com" = {
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:3010";
-          proxyWebsockets = true;
+      "api.ataraxiadev.com" = {
+        locations."~ (\\.py|\\.sh)$" = with config.services; {
+          alias = "/srv/http/api.ataraxiadev.com";
          extraConfig = ''
-            client_max_body_size 100M;
+            gzip off;
+            fastcgi_pass ${fcgiwrap.socketType}:${fcgiwrap.socketAddress};
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include ${pkgs.nginx}/conf/fastcgi_params;
+          '';
+        };
+      } // default;
+      "auth.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:9000";
+          proxyWebsockets = true;
+          extraConfig = proxySettings;
+        };
+      } // default;
+      "cache.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8083";
+          extraConfig = ''
+            client_max_body_size 0;
+            send_timeout 15m;
          '' + proxySettings;
        };
      } // default;
@ -215,105 +182,48 @@ in {
          extraConfig = proxySettings;
        };
      } // default;
-      "vw.ataraxiadev.com" = {
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8812";
-          extraConfig = proxySettings;
-        };
-        locations."/notifications/hub" = {
-          proxyPass = "http://127.0.0.1:3012";
-          proxyWebsockets = true;
-          extraConfig = proxySettings;
-        };
-        locations."/notifications/hub/negotiate" = {
-          proxyPass = "http://127.0.0.1:8812";
-          extraConfig = proxySettings;
-        };
-      } // default;
      "code.ataraxiadev.com" = {
        locations."/" = {
          proxyPass = "http://127.0.0.1:6000";
          extraConfig = proxySettings;
        };
      } // default;
-      "bathist.ataraxiadev.com" = default // authentik {
-        proxyPass = "http://127.0.0.1:9999";
-        rootExtraConfig = proxySettings;
-      };
-      # "browser.ataraxiadev.com" = {
-      #   locations."/" = {
-      #     proxyPass = "http://127.0.0.1:8090";
-      #     proxyWebsockets = true;
-      #     extraConfig = ''
-      #       proxy_read_timeout 86400;
-      #     '' + proxySettings;
-      #   };
-      # } // default;
-      # "fb.ataraxiadev.com" = default // authentik {
-      #   proxyPass = "http://127.0.0.1:3923";
-      #   rootExtraConfig = ''
-      #     proxy_redirect off;
-      #     proxy_http_version 1.1;
-      #     client_max_body_size 0;
-      #     proxy_buffering off;
-      #     proxy_request_buffering off;
-      #     proxy_set_header Connection "Keep-Alive";
-      #   '' + proxySettings;
-      # };
+      "docs.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3010";
+          proxyWebsockets = true;
+          extraConfig = ''
+            client_max_body_size 100M;
+          '' + proxySettings;
+        };
+      } // default;
      "file.ataraxiadev.com" = {
        locations."/" = {
-          proxyPass = "http://127.0.0.1:8088";
+          proxyPass = "http://127.0.0.1:9200";
          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffers 4 256k;
+            proxy_buffer_size 128k;
+            proxy_busy_buffers_size 256k;
+            # Disable checking of client request body size
            client_max_body_size 0;
-            proxy_buffer_size 16k;
-            proxy_busy_buffers_size 16k;
-            proxy_connect_timeout 36000s;
-            proxy_max_temp_file_size 102400m;
-            proxy_read_timeout 36000s;
-            proxy_request_buffering off;
-            send_timeout 36000s;
-            proxy_send_timeout 36000s;
-            # proxy_buffering off;
          '';
        };
-        extraConfig = ''
-          proxy_set_header X-Forwarded-Proto https;
-          proxy_set_header X-Forwarded-For $remote_addr;
-        '';
      } // default;
-      # "webmail.ataraxiadev.com" = {
-      #   locations."/" = {
-      #     extraConfig = ''
-      #       client_max_body_size 30M;
-      #     '' + proxySettings;
-      #   };
-      # } // default;
-      "cocalc.ataraxiadev.com" = {
+      "home.ataraxiadev.com" = default // authentik {
+        proxyPass = "http://127.0.0.1:3000";
+      };
+      "joplin.ataraxiadev.com" = {
        locations."/" = {
-          proxyPass = "https://localhost:9099";
-          proxyWebsockets = true;
+          proxyPass = "http://127.0.0.1:22300";
          extraConfig = proxySettings;
        };
      } // default;
-      "tools.ataraxiadev.com" = default // authentik {
-        proxyPass = "http://127.0.0.1:8070";
-      };
-      "pdf.ataraxiadev.com" = default // authentik {
-        proxyPass = "http://127.0.0.1:8071";
-      };
+      "ldap.ataraxiadev.com" = default;
      "lib.ataraxiadev.com" = default // authentik {
        proxyPass = "http://127.0.0.1:8072";
        proxyWebsockets = true;
      };
-      "medusa.ataraxiadev.com" = {
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8180";
-          proxyWebsockets = true;
-          extraConfig = ''
-            add_header Content-Security-Policy "upgrade-insecure-requests";
-          '' + proxySettings;
-        };
-      } // default;
      "media-stack" = {
        serverAliases = [
          "jellyfin.ataraxiadev.com"
@ -339,59 +249,94 @@ in {
          '' + proxySettings;
        };
      } // default;
-      "joplin.ataraxiadev.com" = {
+      "medusa.ataraxiadev.com" = {
        locations."/" = {
-          proxyPass = "http://127.0.0.1:22300";
-          extraConfig = proxySettings;
+          proxyPass = "http://127.0.0.1:8180";
+          proxyWebsockets = true;
+          extraConfig = ''
+            add_header Content-Security-Policy "upgrade-insecure-requests";
+          '' + proxySettings;
        };
      } // default;
-      # "fsync.ataraxiadev.com" = {
-      #   locations."/" = {
-      #     proxyPass = "http://127.0.0.1:5000";
-      #     extraConfig = proxySettings;
-      #   };
-      # } // default;
-      "auth.ataraxiadev.com" = {
+      "openbooks.ataraxiadev.com" = default // authentik {
+        proxyPass = "http://127.0.0.1:8097";
+        proxyWebsockets = true;
+      };
+      "pdf.ataraxiadev.com" = default // authentik {
+        proxyPass = "http://127.0.0.1:8071";
+      };
+      "s3.ataraxiadev.com" = {
        locations."/" = {
-          proxyPass = "http://127.0.0.1:9000";
+          proxyPass = "http://127.0.0.1:9600";
+          extraConfig = ''
+            proxy_connect_timeout 300;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            chunked_transfer_encoding off;
+          '' + proxySettings;
+        };
+        locations."/ui/" = {
+          proxyPass = "http://127.0.0.1:9601";
+          extraConfig = ''
+            rewrite ^/ui/(.*) /$1 break;
+            proxy_set_header X-NginX-Proxy true;
+            real_ip_header X-Real-IP;
+
+            proxy_connect_timeout 300;
+            chunked_transfer_encoding off;
+          '' + proxySettings;
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          ignore_invalid_headers off;
+          client_max_body_size 0;
+          proxy_buffering off;
+          proxy_request_buffering off;
+        '';
+      } // default;
+      "tools.ataraxiadev.com" = default // authentik {
+        proxyPass = "http://127.0.0.1:8070";
+      };
+      "vw.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8812";
+          extraConfig = proxySettings;
+        };
+        locations."/notifications/hub" = {
+          proxyPass = "http://127.0.0.1:3012";
          proxyWebsockets = true;
          extraConfig = proxySettings;
        };
+        locations."/notifications/hub/negotiate" = {
+          proxyPass = "http://127.0.0.1:8812";
+          extraConfig = proxySettings;
+        };
      } // default;
-      "ldap.ataraxiadev.com" = default;
      "wg.ataraxiadev.com" = {
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
          proxyWebsockets = true;
        };
      } // default;
-      "api.ataraxiadev.com" = {
-        locations."~ (\\.py|\\.sh)$" = with config.services; {
-          alias = "/srv/http/api.ataraxiadev.com";
-          extraConfig = ''
-            gzip off;
-            fastcgi_pass ${fcgiwrap.socketType}:${fcgiwrap.socketAddress};
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            include ${pkgs.nginx}/conf/fastcgi_params;
-          '';
-        };
-      } // default;
-      "cache.ataraxiadev.com" = {
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8083";
-          extraConfig = ''
-            client_max_body_size 0;
-            send_timeout 15m;
-          '' + proxySettings;
-        };
-      } // default;
      "wiki.ataraxiadev.com" = default // authentik {
        proxyPass = "http://127.0.0.1:8190";
-        # rootExtraConfig = proxySettings;
      };
+      # "cocalc.ataraxiadev.com" = {
+      #   locations."/" = {
+      #     proxyPass = "https://127.0.0.1:9599";
+      #     proxyWebsockets = true;
+      #     extraConfig = proxySettings;
+      #   };
+      # } // default;
    };
  };

+  services.fcgiwrap = {
+    enable = true;
+    user = config.services.nginx.user;
+    group = config.services.nginx.group;
+  };
+
  secrets.narodmon-key.owner = config.services.nginx.user;

  system.activationScripts.linkPyScripts.text = ''
@ -399,5 +344,5 @@ in {
    ln -sfn ${pkgs.narodmon-py}/bin/temp.py /srv/http/api.ataraxiadev.com/temp.py
  '';

-  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/profiles/servers/ocis.nix
+++ b/profiles/servers/ocis.nix
@ -0,0 +1,39 @@
+{ config, lib, pkgs, inputs, ... }: {
+  sops.secrets.ocis-env-file = {
+    owner = "ocis";
+    mode = "0400";
+    sopsFile = inputs.self.secretsDir + /home-hypervisor/ocis.yaml;
+    restartUnits = [ "ocis-server.service" ];
+  };
+  services.ocis = {
+    enable = true;
+    configDir = "/var/lib/ocis";
+    baseDataPath = "/media/nas/ocis";
+    environmentFile = config.sops.secrets.ocis-env-file.path;
+    environment = {
+      # Web settings
+      OCIS_INSECURE = "false";
+      OCIS_LOG_LEVEL = "debug";
+      OCIS_URL = "https://file.ataraxiadev.com";
+      PROXY_HTTP_ADDR = "127.0.0.1:9200";
+      PROXY_TLS = "false";
+      # Disable embedded idp (we are using authentik)
+      OCIS_EXCLUDE_RUN_SERVICES = "idp";
+      # OIDC Settings
+      OCIS_OIDC_ISSUER = "https://auth.ataraxiadev.com/application/o/owncloud-web-client/";
+      PROXY_AUTOPROVISION_ACCOUNTS = "true";
+      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "jwt";
+      PROXY_OIDC_REWRITE_WELLKNOWN = "true";
+      PROXY_ROLE_ASSIGNMENT_DRIVER = "oidc";
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM = "groups";
+      PROXY_USER_CS3_CLAIM = "mail";
+      PROXY_USER_OIDC_CLAIM = "email";
+      # S3 storage
+      STORAGE_USERS_DRIVER = "s3ng";
+      STORAGE_SYSTEM_DRIVER = "ocis";
+      STORAGE_USERS_S3NG_BUCKET = "ocis";
+      STORAGE_USERS_S3NG_ENDPOINT = "https://s3.ataraxiadev.com";
+      STORAGE_USERS_S3NG_REGION = "us-east-1";
+    };
+  };
+}
--- a/profiles/servers/openbooks.nix
+++ b/profiles/servers/openbooks.nix
@ -1,6 +1,5 @@
 { config, lib, pkgs, ... }:
 let
-  backend = config.virtualisation.oci-containers.backend;
  nas-path = "/media/nas/media-stack";
 in {
  virtualisation.oci-containers.containers.openbooks = {
--- a/profiles/servers/outline.nix
+++ b/profiles/servers/outline.nix
@ -5,67 +5,53 @@
      services = [ "outline.service" ];
    };
  in {
-    minio-cred.owner = "minio";
-    minio-cred.services = [ "minio.service" ];
    minio-outline = default;
    outline-mail = default;
    outline-oidc = default;
    outline-key = default;
    outline-utils = default;
  };
-  services = {
-    # TODO: migrate from s3 to local storage
-    outline = {
-      enable = true;
-      port = 3010;
-      publicUrl = "https://docs.ataraxiadev.com";
-      forceHttps = false;
+  services.outline = {
+    enable = true;
+    port = 3010;
+    publicUrl = "https://docs.ataraxiadev.com";
+    forceHttps = false;

-      storage = {
-        accessKey = "outline";
-        secretKeyFile = config.secrets.minio-outline.decrypted;
-        region = config.services.minio.region;
-        uploadBucketUrl = "http://127.0.0.1:9100";
-        uploadBucketName = "outline";
-        # uploadMaxSize = 0;
-      };
-
-      oidcAuthentication = {
-        authUrl = "https://auth.ataraxiadev.com/application/o/authorize/";
-        tokenUrl = "https://auth.ataraxiadev.com/application/o/token/";
-        userinfoUrl = "https://auth.ataraxiadev.com/application/o/userinfo/";
-        clientId = "tUs7tv85xlK3W4VOw7AQDMYNXqibpV5H8ofR7zix";
-        clientSecretFile = config.secrets.outline-oidc.decrypted;
-        scopes = [ "openid" "email" "profile" ];
-        usernameClaim = "email";
-        displayName = "openid";
-      };
-
-      smtp = {
-        host = "mail.ataraxiadev.com";
-        port = 465;
-        secure = true;
-        username = "outline@ataraxiadev.com";
-        passwordFile = config.secrets.outline-mail.decrypted;
-        fromEmail = "Outline <no-reply@ataraxiadev.com>";
-        replyEmail = "Outline <outline@ataraxiadev.com>";
-      };
-
-      secretKeyFile = config.secrets.outline-key.decrypted;
-      utilsSecretFile = config.secrets.outline-utils.decrypted;
+    storage = {
+      accessKey = "outline";
+      secretKeyFile = config.secrets.minio-outline.decrypted;
+      region = config.services.minio.region;
+      uploadBucketUrl = "https://s3.ataraxiadev.com";
+      uploadBucketName = "outline";
+      # uploadMaxSize = 0;
    };
-    minio = {
-      enable = true;
-      listenAddress = "127.0.0.1:9100";
-      consoleAddress = "192.168.0.10:9101";
-      rootCredentialsFile = config.secrets.minio-cred.decrypted;
+
+    oidcAuthentication = {
+      authUrl = "https://auth.ataraxiadev.com/application/o/authorize/";
+      tokenUrl = "https://auth.ataraxiadev.com/application/o/token/";
+      userinfoUrl = "https://auth.ataraxiadev.com/application/o/userinfo/";
+      clientId = "tUs7tv85xlK3W4VOw7AQDMYNXqibpV5H8ofR7zix";
+      clientSecretFile = config.secrets.outline-oidc.decrypted;
+      scopes = [ "openid" "email" "profile" ];
+      usernameClaim = "email";
+      displayName = "openid";
    };
+
+    smtp = {
+      host = "mail.ataraxiadev.com";
+      port = 465;
+      secure = true;
+      username = "outline@ataraxiadev.com";
+      passwordFile = config.secrets.outline-mail.decrypted;
+      fromEmail = "Outline <no-reply@ataraxiadev.com>";
+      replyEmail = "Outline <outline@ataraxiadev.com>";
+    };
+
+    secretKeyFile = config.secrets.outline-key.decrypted;
+    utilsSecretFile = config.secrets.outline-utils.decrypted;
  };

-  networking.firewall.allowedTCPPorts = [ 9101 ];
-
-  persist.state.directories = config.services.minio.dataDir ++ [
+  persist.state.directories = [
    "/var/lib/redis-outline"
-    config.services.minio.configDir
  ];
 }
--- a/profiles/servers/roundcube.nix
+++ b/profiles/servers/roundcube.nix
@ -1,34 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  services.roundcube = {
-    enable = true;
-    database.username = "roundcube";
-    dicts = with pkgs.aspellDicts; [ en ru ];
-    extraConfig = ''
-      $config['imap_host'] = array(
-        'tls://mail.ataraxiadev.com' => "AtaraxiaDev's Mail Server",
-        'ssl://imap.gmail.com:993' => 'Google Mail',
-      );
-      $config['username_domain'] = array(
-        'mail.ataraxiadev.com' => 'ataraxiadev.com',
-        'mail.gmail.com' => 'gmail.com',
-      );
-      $config['x_frame_options'] = false;
-      $config['smtp_host'] = "tls://mail.ataraxiadev.com:587";
-      $config['smtp_user'] = "%u";
-      $config['smtp_pass'] = "%p";
-    '';
-    hostName = "webmail.ataraxiadev.com";
-    maxAttachmentSize = 50;
-    plugins = [ "carddav" "persistent_login" "managesieve" ];
-    package = pkgs.roundcube.withPlugins (plugins:
-      with plugins; [ carddav persistent_login ]
-    );
-  };
-
-  services.phpfpm.pools.roundcube.settings = {
-    "listen.owner" = config.services.nginx.user;
-    "listen.group" = config.services.nginx.group;
-  };
-
-  persist.state.directories = [ "/var/lib/roundcube" ];
-}
--- a/profiles/servers/seafile.nix
+++ b/profiles/servers/seafile.nix
@ -1,160 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  backend = config.virtualisation.oci-containers.backend;
-  nas-path = "/media/nas/seafile";
-  pod-name = "seafile-pod";
-  open-ports = [ "127.0.0.1:8088:80" ];
-  seafile-ver = "10.0.1";
-  mariadb-ver = "10.11.4";
-  memcached-ver = "1.6.21";
-  caddy-ver = "1.1.0";
-  seahub-media-caddyfile = pkgs.writeText "Caddyfile" ''
-    {
-        admin off
-        http_port 8098
-        https_port 8099
-    }
-    :8098 {
-        root * /usr/share/caddy
-        file_server
-    }
-  '';
-  seafile-caddy-caddyfile = pkgs.writeText "Caddyfile" ''
-    {
-        auto_https disable_redirects
-    }
-
-    http:// https:// {
-        reverse_proxy seahub:8000 {
-            lb_policy header X-Forwarded-For
-            trusted_proxies private_ranges
-        }
-        reverse_proxy /seafdav* seafile-server:8080 {
-            header_up Destination https:// http://
-            trusted_proxies private_ranges
-        }
-        handle_path /seafhttp* {
-            uri strip_prefix seafhttp
-            reverse_proxy seafile-server:8082 {
-                trusted_proxies private_ranges
-            }
-        }
-        handle_path /notification* {
-            uri strip_prefix notification
-            reverse_proxy seafile-server:8083 {
-                trusted_proxies private_ranges
-            }
-        }
-        reverse_proxy /media/* seahub-media:8098 {
-            lb_policy header X-Forwarded-For
-            trusted_proxies private_ranges
-        }
-        rewrite /accounts/login* /oauth/login/?
-    }
-  '';
-in {
-  secrets.seafile-db-pass = { };
-  secrets.seafile-admin-pass = { };
-
-  virtualisation.oci-containers.containers.seafile-server = {
-    autoStart = true;
-    dependsOn = [ "seafile-db" "memcached" "seafile-caddy" ];
-    environment = {
-      DB_HOST = "seafile-db";
-      TIME_ZONE = "Europe/Moscow";
-      HTTPS = "true";
-      SEAFILE_SERVER_HOSTNAME = "file.ataraxiadev.com";
-      GC_CRON = "0 6 * * 0";
-    };
-    environmentFiles = [
-      config.secrets.seafile-db-pass.decrypted
-    ];
-    extraOptions = [ "--pod=seafile" ];
-    image = "docker.io/ggogel/seafile-server:${seafile-ver}";
-    volumes = [ "${nas-path}/server-data:/shared" ];
-  };
-
-  virtualisation.oci-containers.containers.seahub = {
-    autoStart = true;
-    dependsOn = [ "seafile-server" "seahub-media" "seafile-caddy" ];
-    environment = {
-      SEAFILE_ADMIN_EMAIL = "admin@ataraxiadev.com";
-    };
-    environmentFiles = [
-      config.secrets.seafile-admin-pass.decrypted
-    ];
-    extraOptions = [
-      "--pod=seafile"
-    ];
-    image = "docker.io/ggogel/seahub:${seafile-ver}";
-    volumes = [
-      "${nas-path}/server-data:/shared"
-    ];
-  };
-
-  virtualisation.oci-containers.containers.seahub-media = {
-    autoStart = true;
-    dependsOn = [ "seafile-caddy" ];
-    extraOptions = [ "--pod=seafile" ];
-    image = "docker.io/ggogel/seahub-media:${seafile-ver}";
-    volumes = [
-      "${seahub-media-caddyfile}:/etc/caddy/Caddyfile"
-      "${nas-path}/server-data/seafile/seahub-data/avatars:/usr/share/caddy/media/avatars"
-      "${nas-path}/server-data/seafile/seahub-data/custom:/usr/share/caddy/media/custom"
-    ];
-  };
-
-  virtualisation.oci-containers.containers.seafile-db = {
-    autoStart = true;
-    environment = {
-      MYSQL_LOG_CONSOLE = "true";
-    };
-    environmentFiles = [
-      config.secrets.seafile-db-pass.decrypted
-    ];
-    extraOptions = [ "--pod=seafile" ];
-    image = "docker.io/mariadb:${mariadb-ver}";
-    volumes = [
-      "${nas-path}/db:/var/lib/mysql"
-    ];
-  };
-
-  virtualisation.oci-containers.containers.memcached = {
-    autoStart = true;
-    cmd = [ "memcached" "-m 256" ];
-    extraOptions = [ "--pod=seafile" ];
-    image = "docker.io/memcached:${memcached-ver}";
-  };
-
-  virtualisation.oci-containers.containers.seafile-caddy = {
-    autoStart = true;
-    extraOptions = [ "--pod=seafile" ];
-    image = "docker.io/ggogel/seafile-caddy:${caddy-ver}";
-    volumes = [ "${seafile-caddy-caddyfile}:/etc/caddy/Caddyfile" ];
-  };
-
-  systemd.services."podman-create-${pod-name}" = let
-    portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
-    start = pkgs.writeShellScript "create-pod-${pod-name}" ''
-      podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping}
-      exit 0
-    '';
-  in rec {
-    path = [ pkgs.coreutils config.virtualisation.podman.package ];
-    before = [
-      "${backend}-seafile-server.service"
-      "${backend}-seahub.service"
-      "${backend}-seahub-media.service"
-      "${backend}-seafile-db.service"
-      "${backend}-memcached.service"
-      "${backend}-seafile-caddy.service"
-    ];
-    requiredBy = before;
-    partOf = before;
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = "yes";
-      ExecStart = start;
-    };
-  };
-}
--- a/profiles/servers/webhooks.nix
+++ b/profiles/servers/webhooks.nix
@ -23,7 +23,7 @@ in {

  services.webhook = {
    enable = true;
-    port = 9010;
+    port = 9510;
    group = "webhook";
    user = "webhook";
    environmentFiles = [
--- a/secrets/home-hypervisor/minio.yaml
+++ b/secrets/home-hypervisor/minio.yaml
@ -0,0 +1,47 @@
+minio-credentials: ENC[AES256_GCM,data:yK/skw8GkY6rlhfIYHKoHV4+pBMHkLtXtwG8hQMVit6SQtcC74T7tQOnwe/AU79xKZAL9Bpvn1vBurBAVmsBiyPWNZVvkuWWT1033LkE9lApwwb6HaF4PAqPgiCvXwc0svPKPaFp+Kfyc07+I6KhKuL2tQLKWtZLIVhwEltSsQME/X1f2pAfJMxd/JfiZYd9kpv2JNN5PGPtDNCddsqHg8x5xJfVS3rCDe3LCiIZliKHOHD0D+EpFpnCrdR5GLH67LCwNT/1ZHjOntWoTVHDFMzWYW+bahE+HQp/C+462NmDTFFqT3cfh+c+hArADVAwIrgPNo5jbPkbkSFYhhC9kyWmCwasgtb1Pw+/66wNJWIrZ2lQWIFsV73NmNPv3qsuXJ/Iw4fRXzy8x0FY8fXhdIUOlpBmZINiGmwPEVGLRv+Fym6RGOsKWSqx3q9vgT3hA0AU6bh1,iv:PBXOkdagtbApkWY/dM4cH61lfJtsk+PbVeeGmSvnNzs=,tag:CqhqHbNxGNItLfQTrXEc4w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-20T18:53:33Z"
+    mac: ENC[AES256_GCM,data:KnuQeJpvts2n53WRRsPOeSJLVPu5D/aTiqcbmB+zzWGxAmRRJz+Nx2iPPAy3Soz1Plg9LlcAW0P42wQ392qlxwq0SYPceJ6wxllnqOURoPF4hHTfvkPmJoQjgt782tunDvzKP8EsBb3GQwpwG7yPkFSCU4NpZc1hQsuFlWxjfJw=,iv:YVJLsTMBRmmuSXV5IHLxNysKIQqwN5P4D5qINrQwieY=,tag:+Z1Rj5JJilHqkR6M0i7aGQ==,type:str]
+    pgp:
+        - created_at: "2024-01-20T17:06:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAwcagTG/Fm6AAQf9HMlE0UBYlccSvDcVG/yVq2DLZJYXnBruGbVZqpk8JIBu
+            syj9b9rpJk48yi97ZVlvJkzaU/tADLyo8CgI3qDHh/lOmB3o/205Rrlu2fW8M9z3
+            s74Dgwt9BsmnRzy4ht9SaqmI2PEL2xJrD3LpyC3vq+n8TlGvmmtUjeoaEu6/qich
+            570cArO02cOtIjZF9AJtyzQr/6oht84yx9lrhMACNPcxAJaaRSdlLkzVFo2GI6gf
+            ESjaew3/FJxPtdJV3OFy/A4bFNM/4bUdL50wERfnemLq7GhGp97ZP+pKTQcYV0KQ
+            c5MSdoQs8Vy5x0vofRVF7yEddSdB6rTbm3QkBNd0a9JWAc6jdLKiP1k7miYfL8OS
+            vGBBz7NeHQvx0Iu2jruMFxDvE4gYaRrWYRmAmy/Hml5f58g1JwQzac7sDoTeR6YV
+            k9Jg5PXX3tU1qjG2IGhmmJoucHL7Hmg=
+            =weHd
+            -----END PGP MESSAGE-----
+          fp: ad382d058c964607b7bbf01b071a8131bf166e80
+        - created_at: "2024-01-20T17:06:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA187ia82lSDGAQ/+LWe2cLp9fLKVmc2p97lJgXe/LNgKHEXx3kmP9EbylVSW
+            oCbmq1cKmZwXijSx9yhJYSj9S8nVhqAESWzzlKNRVFC7kwTeNoVwIPscNXIjuHwM
+            ApEzsBkpKWTTXHsuVuvKfl7smf0fC90/NRIrEQwWsdSjFmm2/WAlHn0M5hFcbW0f
+            CDQr0AfoICD+C6sMDHNhVzcSdsnxHTo0YbQgm2EeuU22EYXCdFAPNfZMnG3F2fcH
+            ncCygKWBvQOw4SUNxHUt3CZz1E8JYT4Dv9BGL0ODi4mFHnJYKpFJ/jj7NVIDa5Nl
+            EHVXjWaU2cwu4FGThBEJ+7LjIFQBf7pG2jXAW4CeVdGSAELcobl+OykF5liqTe9S
+            Q0JKz7ABxurhnTki3Ht8r1QZqADwkc8gN2Kv/q+1PN3YbeRG1SBy2M22K/4loW2j
+            LMOaC7V2sWk32qzcYGSB4muGbjW67vXjHPHhXagl+oirz5cPYHTO3xvgXWS7Ut1o
+            Bz/HxP//wj/zzddvtrX8q4v9wqh7hppI2kl5SJOl2mGuCmP6K3iGQbEIjpc2+LbQ
+            3S/RKUMX8EWNmNyMQWyvKfJqvGLkDdYlrcCgv+G82nTi53XEkYQzdBZ1DDuU+iOb
+            gRtXAh2m+FZJgp6kPmHD9Wb3gSspxnr5K2V9J+coFn+qrT8Q2roE0PfQYOms0QTS
+            VgEq5F8giC9A8rc14kjNfha102ipESwXDh+Lr1Z29CQLqR6CFDInO31QiLgNjitv
+            /mySGYecMZkMyKoIaxuJMkCyd603Ak/4uWzMDdF8zIX37yyHt1MA
+            =T7/J
+            -----END PGP MESSAGE-----
+          fp: a32018133c7afbfd05d5b2795f3b89af369520c6
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/secrets/home-hypervisor/ocis.yaml
+++ b/secrets/home-hypervisor/ocis.yaml
@ -0,0 +1,48 @@
+ocis-admin-pass: ENC[AES256_GCM,data:WfgdyfLxojFR6/hOIu+ycFgiih8=,iv:s9GWDBrrWGWkRDzd/BB3tuyExmdKVa7qvRbjgx0N0jQ=,tag:eRFs5ZCTBjbXSRwvO8lCSg==,type:str]
+ocis-env-file: ENC[AES256_GCM,data:6oyXhsmmMzFd7CIv4j+gWbzHo4Jy4Ym5KzV6tAXdKkTP1n6Yvv1UpdebOzXfrXZTTHuEzrTJvtFAviZd526KyAeeo53iQvWDdhazeywHL5AbsmUJ7IZ0eChGiXBXsYTYSb+TyFaRHpZazpT8ePurHkVuYfE4lyKDIILu3Y4ahfyXQzRnh3lhS1SxuWtDcoG6lcuAwgLBOgcIeHWI9rqmtylneeGf70oRfd80sHQ=,iv:tlQF8b0x+qd7JuhbFY1ekZNKjT68SKW6P/DRYalYfuU=,tag:V6SjKQbZiGm7rJtCtogQRw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-20T20:50:32Z"
+    mac: ENC[AES256_GCM,data:0SLZnxDo9X6a6od00XKsZ45RfdC43JHom9H6lhTdgco/w7OnRFd4ukJoaQfL8OnXuS5v7UgxNByzuVNJY7cIgNXLNKKFYG7fzb8GNyTmYyFbSUyjlgQ1pDbjFdKsWTgeoUyb/Q/CzdZFWBbJLvMkwwR1pirhWCEQx3GxlaD8MNA=,iv:L6XPxjhLH0bJCveTYWL9aYXhHvxusJcbE2EO8OwPg24=,tag:GveNLkF72FSfVBazWPigrQ==,type:str]
+    pgp:
+        - created_at: "2024-01-20T17:09:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAwcagTG/Fm6AAQf/REYKQJmtKWMBqmnDJKvcLlvdv7AFLeNG9dHdGFbBMFiv
+            viLQwAeN1DzMJMFvI9EDDYSQ7hF5MQ//AenFv2W3WSJpKAU8l5A1n8+mVHQ4CxKm
+            xBPGZhx74dghPDFuEjWfwI63Ysxy7KzEtapwJ9aWaRjNVMV6viQoav3Y9FNSiPFX
+            /ocNPqWteEzeoK+DzJLMJXCKYQVHgUgtxXAtCQa8eX+cieL8lzNIKR/jbY5lO9Wz
+            fAMS9wr1LUek/PBB5OiYkG9cBoE5z82z+70zMQNmNXb9dUBGLpSpDL7BQVNHxLhe
+            cO3GHHtn+NE/yl3LaLtpxYGaUZM8Js22yQRq00k6mNJYAR4PMeAm/lZbbGzc6zzP
+            y4UzEAWnH9S0GDnl/k050ixj1SBrdbpkAAJ6yMuu8/kKif8DXc5rXFU7+XNy3JQG
+            sfxl7NwNlZ5ElSjBqvsTlYoAHPwJdSM4og==
+            =XHRN
+            -----END PGP MESSAGE-----
+          fp: ad382d058c964607b7bbf01b071a8131bf166e80
+        - created_at: "2024-01-20T17:09:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQILA187ia82lSDGAQ/1G7woSu9b6Ol99Cr94gec/Uxc7EwqfITpFJs3KsVyUOZm
+            uY6J9ni6yf5wekW05+E4RIqj6S9tARmb0YIX7/aQqQMFoF7lTq68Y7M+oBn2xuUB
+            eOCOZ/ir3IRNI1lPwfQpmNqZebfkwAF9T6PjEV38mHhRP8v+gXXBS+BFBElUWp/p
+            EBPt8twveOxk/ok/LEtQtpYPNPdwv2Duxxa4oYBrjDXXzfhtLrU8ck/I+Wuvh7DH
+            WCmLmJ95bU1DiO7QbG2PJ5ElO5UZD7D1HfDv1+ql60/WBMzywuSzigsY8C2HDXA5
+            rIYdRzXMLVBRzxSOMytxQwUJHp8T3/Off0Hidx+w7qQ6J+lUvZvNQ7UoinsA0VWp
+            X49V6kRTVoy2SceWJDUq46kXsGhKCmDZlRh/LWESJwXSFxoIdHwU2s1LBJNbLuv5
+            QrYdFQuo0Z/Exhm8YWgpnOUQx+/2eRmC2V059Hu1ZInH5mUpEXjKsfQjD7GAcbq9
+            HfPriB/qh14pW9Yahm5H7snXFiQsfEEs7Kyf9e+67AzxUJL2g3pxhd+geGJAy2vS
+            wdJZaFr7Ii2GNyNfBFHcXo35aP17rcKrrI5FsrDk26d2R9KLxtY+Jkn/sIix4gR3
+            lji7YbXcSvBEmxuYz9qsKmlEFIIdbbsC/aSD1gJ7s673q27XyszO71xTpeaxPtJY
+            ATwQ2MXglpSytz/99+abS6yWIHn+F08577fczfY0RpiJRacblDnv3gUqluZvitTd
+            f6fIzvPK3AzM9WYebHr2Pk2vyLFcveM21KeLmaFUcHGl85QrA5jZVg==
+            =7up9
+            -----END PGP MESSAGE-----
+          fp: a32018133c7afbfd05d5b2795f3b89af369520c6
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
Author	SHA1	Message	Date
Dmitriy Kholkin	8615929e23	add custom hosts to block Some checks failed Build ISO / build (push) Waiting to run Build and cache hosts configurations / build (push) Has been cancelled	2024-01-21 17:40:23 +03:00
Dmitriy Kholkin	08e4bce41e	big hypervisor and servers refactor	2024-01-21 17:40:07 +03:00
Dmitriy Kholkin	b93fbe3a06	connect to bathist only from local	2024-01-21 17:04:01 +03:00
Dmitriy Kholkin	d6f1831059	update authentik	2024-01-21 17:03:29 +03:00
Dmitriy Kholkin	545d616b4a	fix blocky container	2024-01-21 16:32:37 +03:00
Dmitriy Kholkin	47a778a82a	sort profiles	2024-01-21 16:32:12 +03:00
Dmitriy Kholkin	b8e9b685fe	add ocis to home-hypervisor	2024-01-21 16:30:50 +03:00
Dmitriy Kholkin	7a2d8c20bc	add ocis module	2024-01-21 16:29:10 +03:00
Dmitriy Kholkin	203dafe185	change webhooks port	2024-01-21 16:29:00 +03:00
Dmitriy Kholkin	2521430f7d	refactor minio	2024-01-21 16:26:48 +03:00
Dmitriy Kholkin	93b31fcec8	update nur	2024-01-21 16:21:50 +03:00