feat: add media-stack containers

feat: add filestash container
feat: enable quadlet by default in server role
2025-07-08 20:14:39 +03:00 · 2025-07-08 20:14:14 +03:00 · 2025-07-08 20:12:36 +03:00 · 2025-07-08 20:10:28 +03:00 · 2025-07-08 20:09:57 +03:00 · 2025-07-08 20:08:38 +03:00
34 changed files with 2374 additions and 14 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1049,6 +1049,21 @@
        "type": "github"
      }
    },
    "quadlet-nix": {
      "locked": {
        "lastModified": 1751931728,
        "narHash": "sha256-i4OALPUnFhe9j9NauZaszZZTgIYSaLHmCO2gp9MZYKQ=",
        "owner": "SEIAROTg",
        "repo": "quadlet-nix",
        "rev": "5cb4f185dc3722d589bdf238e6802c4c9f87994e",
        "type": "github"
      },
      "original": {
        "owner": "SEIAROTg",
        "repo": "quadlet-nix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "ataraxiasjel-nur": "ataraxiasjel-nur",
@ -1071,7 +1086,9 @@
        "nix2container": "nix2container",
        "nixpkgs": "nixpkgs_9",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "quadlet-nix": "quadlet-nix",
        "sops-nix": "sops-nix",
        "srvos": "srvos",
        "walker": "walker"
      }
    },
@ -1116,6 +1133,26 @@
        "type": "github"
      }
    },
    "srvos": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1751564530,
        "narHash": "sha256-DybnqQMmkMEbNQhrbMGFijZCa9g5mtYIMPACVNMJ5u8=",
        "owner": "nix-community",
        "repo": "srvos",
        "rev": "6bb452f0b31058ffe64241bcf092ebf1c7758be1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "srvos",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -60,10 +60,15 @@
      url = "github:nix-community/nix-vscode-extensions";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    srvos = {
      url = "github:nix-community/srvos";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    walker = {
      url = "github:abenz1267/walker";
      inputs.nixpkgs.follows = "nixpkgs";
@ -105,9 +110,13 @@
            inputs.sops-nix.nixosModules.sops
            inputs.chaotic.nixosModules.nyx-cache
            inputs.chaotic.nixosModules.nyx-overlay
            inputs.quadlet-nix.nixosModules.quadlet
            ./modules/nixos
          ];
-          homeModules = [ ./modules/home ];
+          homeModules = [
            inputs.quadlet-nix.homeManagerModules.quadlet
            ./modules/home
          ];
          hostModuleDir = ./hosts;
          hosts = {
            NixOS-VM.system = "x86_64-linux";
--- a/hosts/orion/backups.nix
+++ b/hosts/orion/backups.nix
@ -0,0 +1,93 @@
 {
  config,
  lib,
  inputs,
  secretsDir,
  ...
 }:
 {
  imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ];
  sops.secrets.rustic-vps-pass.sopsFile = secretsDir + /rustic.yaml;
  sops.secrets.rustic-backups-s3-env.sopsFile = secretsDir + /rustic.yaml;
  services.rustic.backups =
    let
      label = "hypervisor-nas";
    in
    rec {
      nas-backup = {
        backup = true;
        prune = false;
        initialize = true;
        environmentFile = config.sops.secrets.rustic-backups-s3-env.path;
        extraEnvironment = {
          https_proxy = "http://10.10.10.6:8888";
        };
        pruneOpts = [ "--repack-cacheable-only=false" ];
        timerConfig = {
          OnCalendar = "05:00";
          Persistent = true;
        };
        settings = {
          repository = {
            repository = "opendal:s3";
            password-file = config.sops.secrets.rustic-nas-pass.path;
            options = {
              root = label;
              bucket = "ataraxia-rustic-backups";
              region = "eu-central-003";
              endpoint = "https://s3.eu-central-003.backblazeb2.com";
            };
          };
          repository.options = {
            timeout = "2min";
            retry = "5";
          };
          backup = {
            host = config.networking.hostName;
            label = label;
            ignore-devid = true;
            group-by = "label";
            skip-identical-parent = true;
            globs = [
              "!/media/nas/**/cache"
              "!/media/nas/**/.cache"
              "!/media/nas/**/log"
              "!/media/nas/**/logs"
              "!/media/nas/media-stack/configs/lidarr/config/MediaCover"
              "!/media/nas/media-stack/configs/qbittorrent/downloads"
              "!/media/nas/media-stack/configs/recyclarr/repositories"
              "!/srv/gitea"
              "!/srv/wiki"
            ];
            snapshots = [
              {
                sources = [
                  "/srv /media/nas/containers"
                  "/media/nas/media-stack/configs"
                ];
              }
            ];
          };
          forget = {
            filter-labels = [ label ];
            group-by = "label";
            prune = true;
            keep-daily = 4;
            keep-weekly = 2;
            keep-monthly = 0;
          };
        };
      };
      nas-prune = lib.recursiveUpdate nas-backup {
        backup = false;
        prune = true;
        initialize = false;
        createWrapper = false;
        timerConfig = {
          OnCalendar = "Tue, 07:00";
          Persistent = true;
        };
      };
    };
 }
--- a/hosts/orion/boot.nix
+++ b/hosts/orion/boot.nix
@ -0,0 +1,48 @@
 { pkgs, ... }:
 {
  services.scx.enable = true;
  services.scx.scheduler = "scx_bpfland";
  networking.hostId = "a9408846";
  boot = {
    kernelPackages = pkgs.linuxPackages_cachyos-server;
    zfs.package = pkgs.zfs_cachyos;
    zfs.devNodes = "/dev/disk/by-id";
    loader = {
      grub = {
        enable = true;
        device = "nodev";
        copyKernels = true;
        efiSupport = true;
        enableCryptodisk = true;
        useOSProber = false;
        zfsSupport = true;
      };
      efi.efiSysMountPoint = "/efi";
      efi.canTouchEfiVariables = true;
    };
    kernelModules = [
      "tcp_bbr"
      "veth"
      "nfsv4"
    ];
    kernelParams = [
      "scsi_mod.use_blk_mq=1"
      "pti=off"
      "spectre_v2=off"
    ];
    kernel.sysctl = {
      "kernel.split_lock_mitigate" = 0;
      "vm.overcommit_memory" = 1;
    };
    tmp.useTmpfs = true;
    tmp.tmpfsSize = "100%";
    tmp.tmpfsHugeMemoryPages = "within_size";
    supportedFilesystems = [ "zfs" ];
  };
 }
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@ -1,26 +1,122 @@
 { ... }:
 {
  lib,
  pkgs,
  inputs,
  ...
 }:
 {
  imports = [
    inputs.srvos.nixosModules.server
    inputs.srvos.nixosModules.mixins-terminfo
    ./boot.nix
    ./disk-config.nix
    ./backups.nix
  ];
  ataraxia.defaults.role = "server";
  ataraxia.defaults.hardware.cpuVendor = "intel";
  ataraxia.defaults.hardware.gpuVendor = "intel";
  # Impermanence
  ataraxia.filesystems.zfs.enable = true;
  ataraxia.filesystems.zfs.eraseOnBoot.enable = true;
  ataraxia.filesystems.zfs.eraseOnBoot.snapshots = [
-    "rpool/nixos/root@blank"
+    "rpool/nixos/root@empty"
-    "rpool/user/home@blank"
+    "rpool/user/home@empty"
  ];
  ataraxia.filesystems.zfs.mountpoints = [
    "/etc/secrets"
    "/media/bittorrent"
    "/media/libvirt"
    "/media/libvirt/images"
    "/nix"
    "/persist"
-    "/srv/home"
+    "/srv"
    "/var/lib/containers"
    "/etc/secrets"
    "/var/lib/docker"
    "/var/lib/libvirt"
    "/var/lib/nixos-containers"
    "/var/lib/ocis"
    "/var/lib/postgresql"
    "/var/log"
    "/vol"
  ];
  ataraxia.networkd = {
    enable = true;
    domain = "home.ataraxiadev.com";
    ifname = "enp2s0";
    mac = "d4:3d:7e:26:a8:af";
    bridge.enable = true;
    ipv4 = [
      {
        address = "10.10.10.10/24";
        gateway = "10.10.10.1";
        dns = [
          "10.10.10.1"
          "9.9.9.9"
        ];
      }
    ];
  };
  security.lockKernelModules = lib.mkForce false;
  environment.memoryAllocator.provider = lib.mkForce "libc";
  # Services
  services.postgresql.enable = true;
  services.postgresql.settings = {
    full_page_writes = "off";
    wal_init_zero = "off";
    wal_recycle = "off";
  };
  services.tailscale = {
    enable = true;
    useRoutingFeatures = "both";
  };
  # Auto-mount lan nfs share
  fileSystems."/media/local-nfs" = {
    device = "10.10.10.11:/";
    fsType = "nfs4";
    options = [
      "nfsvers=4.2"
      "x-systemd.automount"
      "noauto"
    ];
  };
  environment.systemPackages = with pkgs; [
    bat
    bottom
    dnsutils
    fd
    kitty.terminfo
    micro
    mkvtoolnix-cli
    nfs-utils
    p7zip
    podman-compose
    pwgen
    ripgrep
    rsync
    rustic-rs
    smartmontools
  ];
  ataraxia.containers.filestash.enable = true;
  ataraxia.containers.media-stack.enable = true;
  ataraxia.containers.tinyproxy.enable = true;
  ataraxia.security.acme.enable = true;
  ataraxia.services.authentik.enable = true;
  ataraxia.services.gitea.enable = true;
  ataraxia.services.syncyomi.enable = true;
  ataraxia.services.vaultwarden.enable = true;
  ataraxia.virtualisation.guests = {
    omv = {
      autoStart = true;
      xmlFile = ./vm/omv.xml;
    };
  };
  system.stateVersion = "25.05";
 }
--- a/hosts/orion/disk-config.nix
+++ b/hosts/orion/disk-config.nix
@ -0,0 +1,261 @@
 { inputs, ... }:
 let
  emptySnapshot =
    name: "zfs list -t snapshot -H -o name | grep -E '^${name}@empty$' || zfs snapshot ${name}@empty";
 in
 {
  imports = [ inputs.disko.nixosModules.disko ];
  disko.devices = {
    disk = {
      main = {
        device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S5Y1NJ1R160554B";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            esp = {
              type = "EF00";
              name = "ESP";
              size = "512M";
              priority = 1;
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/efi";
                mountOptions = [ "umask=0077" ];
              };
            };
            swap = {
              name = "swap";
              size = "16G";
              priority = 2;
              content = {
                type = "swap";
                randomEncryption = true;
              };
            };
            boot = {
              name = "bpool";
              size = "4G";
              priority = 3;
              content = {
                type = "zfs";
                pool = "bpool";
              };
            };
            cryptroot = {
              size = "100%";
              priority = 4;
              content = {
                type = "zfs";
                pool = "rpool";
              };
            };
          };
        };
      };
    };
    zpool = {
      bpool = {
        type = "zpool";
        options = {
          ashift = "13";
          autotrim = "on";
          compatibility = "grub2";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "on";
          canmount = "off";
          compression = "lz4";
          devices = "off";
          normalization = "formD";
          relatime = "on";
          xattr = "sa";
          dedup = "off";
        };
        mountpoint = "/boot";
        postCreateHook = emptySnapshot "bpool";
        datasets = {
          nixos = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options.canmount = "off";
            postCreateHook = emptySnapshot "bpool/nixos";
          };
          "nixos/boot" = {
            type = "zfs_fs";
            mountpoint = "/boot";
            options.canmount = "on";
            postCreateHook = emptySnapshot "bpool/nixos/boot";
          };
        };
      };
      rpool = {
        type = "zpool";
        options = {
          ashift = "13";
          autotrim = "on";
          cachefile = "none";
        };
        rootFsOptions = {
          acltype = "posixacl";
          atime = "on";
          canmount = "off";
          compression = "zstd";
          dedup = "off";
          dnodesize = "auto";
          normalization = "formD";
          relatime = "on";
          xattr = "sa";
        };
        mountpoint = "/";
        postCreateHook = emptySnapshot "rpool";
        datasets = {
          reserved = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options = {
              canmount = "off";
              refreservation = "10G";
            };
          };
          nixos = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options.canmount = "off";
            postCreateHook = emptySnapshot "rpool/nixos";
          };
          user = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options.canmount = "off";
            postCreateHook = emptySnapshot "rpool/user";
          };
          persistent = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options.canmount = "off";
            postCreateHook = emptySnapshot "rpool/persistent";
          };
          "nixos/root" = {
            type = "zfs_fs";
            mountpoint = "/";
            options.canmount = "noauto";
            postCreateHook = emptySnapshot "rpool/nixos/root";
          };
          "user/home" = {
            type = "zfs_fs";
            mountpoint = "/home";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/user/home";
          };
          "persistent/impermanence" = {
            type = "zfs_fs";
            mountpoint = "/persist";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/persistent/impermanence";
          };
          "persistent/servers" = {
            type = "zfs_fs";
            mountpoint = "/srv";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/persistent/servers";
          };
          "persistent/nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/persistent/nix";
          };
          "persistent/secrets" = {
            type = "zfs_fs";
            mountpoint = "/etc/secrets";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/persistent/secrets";
          };
          "persistent/log" = {
            type = "zfs_fs";
            mountpoint = "/var/log";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/persistent/log";
          };
          "persistent/docker" = {
            type = "zfs_fs";
            mountpoint = "/var/lib/docker";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/persistent/docker";
          };
          "persistent/nixos-containers" = {
            type = "zfs_fs";
            mountpoint = "/var/lib/nixos-containers";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/persistent/nixos-containers";
          };
          "persistent/libvirt" = {
            type = "zfs_fs";
            mountpoint = "/var/lib/libvirt";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/persistent/libvirt";
          };
          "persistent/libvirt-user" = {
            type = "zfs_fs";
            mountpoint = "/media/libvirt";
            options.canmount = "on";
            postCreateHook = emptySnapshot "rpool/persistent/libvirt-user";
          };
          "persistent/libvirt-user/images" = {
            type = "zfs_fs";
            mountpoint = "/media/libvirt/images";
            options.canmount = "on";
            options.atime = "off";
            options.recordsize = "16K";
            options.compression = "lz4";
            postCreateHook = emptySnapshot "rpool/persistent/libvirt-user/images";
          };
          "persistent/ocis" = {
            type = "zfs_fs";
            mountpoint = "/var/lib/ocis";
            options.canmount = "on";
            options.recordsize = "1M";
            postCreateHook = emptySnapshot "rpool/persistent/ocis";
          };
          # "persistent/podman" = {
          #   type = "zfs_fs";
          #   mountpoint = "/var/lib/podman";
          #   options.canmount = "on";
          #   options.atime = "off";
          #   postCreateHook = emptySnapshot "rpool/persistent/podman";
          # };
          "persistent/postgresql" = {
            type = "zfs_fs";
            mountpoint = "/var/lib/postgresql";
            options.canmount = "on";
            options.recordsize = "16K";
            options.atime = "off";
            options.logbias = "latency";
            postCreateHook = emptySnapshot "rpool/persistent/postgresql";
          };
          vol = {
            type = "zfs_fs";
            options.canmount = "off";
            postCreateHook = emptySnapshot "rpool/vol";
          };
          "vol/podman" = {
            type = "zfs_volume";
            size = "40G";
            options.volblocksize = "16K";
            content = {
              type = "filesystem";
              format = "xfs";
              mountpoint = "/var/lib/containers";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/orion/vm/omv.xml
+++ b/hosts/orion/vm/omv.xml
@ -0,0 +1,197 @@
 <domain type='kvm'>
  <name>omv</name>
  <uuid>48cd00d8-9060-4221-a8bb-4d1db42c5939</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://debian.org/debian/12"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64' machine='pc-q35-9.1'>hvm</type>
    <loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
    <nvram template='/run/libvirt/nix-ovmf/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/omv_VARS.fd</nvram>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-passthrough' check='none' migratable='on'>
    <topology sockets='1' dies='1' clusters='1' cores='2' threads='1'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/media/libvirt/images/omv.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <boot order='1'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </disk>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/disk/by-id/ata-ST1000LM024_HN-M101MBB_S30YJ9DF829362'/>
      <target dev='vdb' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='sda' bus='sata'/>
      <readonly/>
      <boot order='2'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'/>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0x15'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
    <controller type='pci' index='7' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='7' port='0x16'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
    </controller>
    <controller type='pci' index='8' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='8' port='0x17'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
    </controller>
    <controller type='pci' index='9' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='9' port='0x18'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='10' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='10' port='0x19'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
    </controller>
    <controller type='pci' index='11' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='11' port='0x1a'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
    </controller>
    <controller type='pci' index='12' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='12' port='0x1b'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x3'/>
    </controller>
    <controller type='pci' index='13' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='13' port='0x1c'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x4'/>
    </controller>
    <controller type='pci' index='14' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='14' port='0x1d'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x5'/>
    </controller>
    <controller type='sata' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:d8:ef:84'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='unix'>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
    <graphics type='spice' autoport='yes'>
      <listen type='address'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich9'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    </sound>
    <audio id='1' type='spice'/>
    <video>
      <model type='virtio' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <watchdog model='itco' action='reset'/>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
    </rng>
  </devices>
 </domain>
--- a/hosts/vega/default.nix
+++ b/hosts/vega/default.nix
@ -10,7 +10,6 @@ in
 {
  imports = [
    ./disk-config.nix
    # ./hardware-configuration.nix
    ./boot.nix
    inputs.catppuccin.nixosModules.catppuccin
@ -78,7 +77,6 @@ in
    };
  };
  ataraxia.programs.waydroid.enable = true;
  ataraxia.vpn.sing-box.enable = true;
  ataraxia.vpn.sing-box.config = "dell-singbox";
  services.tailscale = {
--- a/modules/home/roles/default.nix
+++ b/modules/home/roles/default.nix
@ -75,7 +75,10 @@ in
          { allowUnfree = true; android_sdk.accept_license = true; }
        '';
      };
-      serverRole = recursiveUpdate baseRole { };
+      serverRole = recursiveUpdate baseRole {
        # TODO: add user for containers
        virtualisation.quadlet.enable = mkDefault true;
      };
      desktopRole = recursiveUpdate baseRole {
        ataraxia.defaults.fonts.enable = mkDefault true;
        ataraxia.defaults.sound.enable = mkDefault true;
--- a/modules/nixos/containers/filestash.nix
+++ b/modules/nixos/containers/filestash.nix
@ -0,0 +1,33 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.filestash;
  nas-path = "/media/nas/media-stack";
 in
 {
  options.ataraxia.containers.filestash = {
    enable = mkEnableOption "Enable filestash container";
  };
  config = mkIf cfg.enable {
    virtualisation.oci-containers.containers.filestash = {
      autoStart = true;
      environment = {
        PUID = "1000";
        PGID = "100";
        UMASK = "002";
        TZ = "Europe/Moscow";
        APPLICATION_URL = "files.ataraxiadev.com";
        CANARY = "true";
      };
      # Tags: latest
      image = "docker.io/machines/filestash@sha256:923c3399768fada3424bb6f3bc01521dad30e9a7a840cfb2eba3610b6acafffe";
      ports = [ "127.0.0.1:8334:8334/tcp" ];
      volumes = [
        "${nas-path}/configs/filestash:/app/data/state"
        "${nas-path}:/mnt"
      ];
    };
  };
 }
--- a/modules/nixos/containers/media-stack/caddy.nix
+++ b/modules/nixos/containers/media-stack/caddy.nix
@ -0,0 +1,67 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  nas-path = "/media/nas/media-stack";
  caddyconf = pkgs.writeText "Caddyfile" ''
    {
      auto_https off
      http_port 8180
    }
    jellyfin.ataraxiadev.com:8180 {
      reverse_proxy jellyfin:8096
    }
    qbit.ataraxiadev.com:8180 {
      reverse_proxy qbittorrent:8080
    }
    medusa.ataraxiadev.com:8180 {
      reverse_proxy medusa:8081
    }
    jackett.ataraxiadev.com:8180 {
      reverse_proxy jackett:9117
    }
    sonarr.ataraxiadev.com:8180 {
      reverse_proxy sonarr:8989
    }
    radarr.ataraxiadev.com:8180 {
      reverse_proxy radarr:7878
    }
    lidarr.ataraxiadev.com:8180 {
      reverse_proxy lidarr:8686
    }
    kavita.ataraxiadev.com:8180 {
      reverse_proxy kavita:5000
    }
  '';
 in
 {
  options.ataraxia.containers.media-stack = {
    caddy = mkEnableOption "Enable media-caddy container";
  };
  config = mkIf cfg.caddy {
    virtualisation.oci-containers.containers.media-caddy = {
      autoStart = true;
      # Tags: release-20b7f25, release-2.10.0, release
      image = "ghcr.io/hotio/caddy@sha256:937fe02672e7ce7f189e28d45c4ccfe86b2a7d5791b4e04badb55e143e32d5b7";
      environment = {
        PUID = "1000";
        PGID = "100";
        UMASK = "002";
        TZ = "Europe/Moscow";
      };
      extraOptions = [ "--pod=media-stack" ];
      volumes = [
        "${nas-path}/configs/caddy:/config"
        "${caddyconf}:/config/Caddyfile"
      ];
    };
  };
 }
--- a/modules/nixos/containers/media-stack/default.nix
+++ b/modules/nixos/containers/media-stack/default.nix
@ -0,0 +1,94 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib)
    mkDefault
    mkEnableOption
    mkIf
    optionals
    ;
  cfg = config.ataraxia.containers.media-stack;
  backend = config.virtualisation.oci-containers.backend;
  pod-name = "media-stack";
  open-ports = [
    # caddy
    "127.0.0.1:8180:8180"
    # qbittorrent
    "0.0.0.0:7000:7000"
    "0.0.0.0:7000:7000/udp"
  ];
  pod-dns = "10.10.10.1";
 in
 {
  imports = [
    ./caddy.nix
    ./jackett.nix
    ./jellyfin.nix
    ./kavita.nix
    ./lidarr.nix
    ./medusa.nix
    ./qbittorrent.nix
    ./radarr.nix
    ./recyclarr.nix
    ./sonarr.nix
  ];
  options.ataraxia.containers.media-stack = {
    enable = mkEnableOption "Enable media-stack containers";
  };
  config = mkIf cfg.enable {
    ataraxia.containers.media-stack.caddy = mkDefault true;
    ataraxia.containers.media-stack.jackett = mkDefault true;
    ataraxia.containers.media-stack.jellyfin = mkDefault true;
    ataraxia.containers.media-stack.kavita = mkDefault true;
    ataraxia.containers.media-stack.lidarr = mkDefault true;
    ataraxia.containers.media-stack.medusa = mkDefault true;
    ataraxia.containers.media-stack.qbittorrent = mkDefault true;
    ataraxia.containers.media-stack.radarr = mkDefault true;
    ataraxia.containers.media-stack.recyclarr = mkDefault true;
    ataraxia.containers.media-stack.sonarr = mkDefault true;
    systemd.services."podman-create-${pod-name}" =
      let
        portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
        start = pkgs.writeShellScript "create-pod-${pod-name}" ''
          podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping} --dns ${pod-dns}
        '';
        stop = pkgs.writeShellScript "remove-pod-${pod-name}" ''
          podman pod rm -i -f ${pod-name}
        '';
      in
      rec {
        path = [
          pkgs.coreutils
          config.virtualisation.podman.package
        ];
        before =
          [ ]
          ++ optionals cfg.caddy [ "${backend}-media-caddy.service" ]
          ++ optionals cfg.jackett [ "${backend}-jackett.service" ]
          ++ optionals cfg.jellyfin [ "${backend}-jellyfin.service" ]
          ++ optionals cfg.kavita [ "${backend}-kavita.service" ]
          ++ optionals cfg.lidarr [ "${backend}-lidarr.service" ]
          ++ optionals cfg.medusa [ "${backend}-medusa.service" ]
          ++ optionals cfg.qbittorrent [ "${backend}-qbittorrent.service" ]
          ++ optionals cfg.radarr [ "${backend}-radarr.service" ]
          ++ optionals cfg.recyclarr [ "${backend}-recyclarr.service" ]
          ++ optionals cfg.sonarr [ "${backend}-sonarr.service" ];
        requiredBy = before;
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = "yes";
          ExecStart = start;
          ExecStop = stop;
        };
      };
  };
 }
--- a/modules/nixos/containers/media-stack/jackett.nix
+++ b/modules/nixos/containers/media-stack/jackett.nix
@ -0,0 +1,30 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  nas-path = "/media/nas/media-stack";
 in
 {
  options.ataraxia.containers.media-stack = {
    jackett = mkEnableOption "Enable jackett container";
  };
  config = mkIf cfg.jackett {
    virtualisation.oci-containers.containers.jackett = {
      autoStart = true;
      environment = {
        PUID = "1000";
        PGID = "100";
        UMASK = "002";
        TZ = "Europe/Moscow";
      };
      extraOptions = [ "--pod=media-stack" ];
      # Tags: 0.22.2117, version-v0.22.2117, v0.22.2117-ls80
      image = "docker.io/linuxserver/jackett@sha256:221606b0ed7df0d66e601d0ba83f5f9cc9b9c761bafad3507d6854406b3a447b";
      volumes = [
        "${nas-path}/configs/jackett:/config"
      ];
    };
  };
 }
--- a/modules/nixos/containers/media-stack/jellyfin.nix
+++ b/modules/nixos/containers/media-stack/jellyfin.nix
@ -0,0 +1,51 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  nas-path = "/media/nas/media-stack";
  renderGid = toString config.users.groups.render.gid;
  videoGid = toString config.users.groups.video.gid;
  inputGid = toString config.users.groups.input.gid;
  intro-skipper-fix = pkgs.writeText "intro-skipper-fix" ''
    #!/bin/bash
    chown abc /usr/share/jellyfin/web/index.html
  '';
 in
 {
  options.ataraxia.containers.media-stack = {
    jellyfin = mkEnableOption "Enable jellyfin container";
  };
  config = mkIf cfg.jellyfin {
    virtualisation.oci-containers.containers.jellyfin = {
      autoStart = true;
      # Tags: 10.10.7, version-10.10.7ubu2404, 10.10.7ubu2404-ls68
      image = "docker.io/linuxserver/jellyfin@sha256:d325675bce77eda246f13d0aa2bf94002d4e426e6e1783594cf9b6df164fcb23";
      environment = {
        PUID = "1000";
        PGID = "100";
        UMASK = "002";
        TZ = "Europe/Moscow";
        http_proxy = "http://10.10.10.6:8888";
        https_proxy = "http://10.10.10.6:8888";
      };
      extraOptions = [
        "--pod=media-stack"
        "--device=/dev/dri/renderD128:/dev/dri/renderD128"
        "--group-add=${renderGid},${videoGid},${inputGid}"
        # "--privileged"
      ];
      volumes = [
        "${nas-path}/configs/jellyfin:/config"
        "${nas-path}/media:/data/media"
        "${intro-skipper-fix}:/custom-cont-init.d/intro-skipper-fix:ro"
      ];
    };
  };
 }
--- a/modules/nixos/containers/media-stack/kavita.nix
+++ b/modules/nixos/containers/media-stack/kavita.nix
@ -0,0 +1,35 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  nas-path = "/media/nas/media-stack";
 in
 {
  options.ataraxia.containers.media-stack = {
    kavita = mkEnableOption "Enable kavita container";
  };
  config = mkIf cfg.kavita {
    virtualisation.oci-containers.containers.kavita = {
      autoStart = true;
      # Tags: 0.8.6, version-v0.8.6.2, v0.8.6.2-ls79
      image = "docker.io/linuxserver/kavita@sha256:b222e4b2137db2301756d018076d0bfee858077d8af24d709f1f4003d628e580";
      environment = {
        PUID = "1000";
        PGID = "100";
        TZ = "Europe/Moscow";
        DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "true";
      };
      extraOptions = [ "--pod=media-stack" ];
      volumes = [
        "${nas-path}/configs/kavita:/config"
        "${nas-path}/media/books:/data/books"
        "${nas-path}/media/comics:/data/comics"
        "${nas-path}/media/fanfics:/data/fanfics"
        "${nas-path}/media/manga:/data/manga"
        "${nas-path}/media/novels:/data/novels"
      ];
    };
  };
 }
--- a/modules/nixos/containers/media-stack/lidarr.nix
+++ b/modules/nixos/containers/media-stack/lidarr.nix
@ -0,0 +1,32 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  nas-path = "/media/nas/media-stack";
 in
 {
  options.ataraxia.containers.media-stack = {
    lidarr = mkEnableOption "Enable lidarr container";
  };
  config = mkIf cfg.lidarr {
    virtualisation.oci-containers.containers.lidarr = {
      autoStart = true;
      environment = {
        PUID = "1000";
        PGID = "100";
        TZ = "Europe/Moscow";
      };
      extraOptions = [ "--pod=media-stack" ];
      # Tags: 2.12.4, version-2.12.4.4658, 2.12.4.4658-ls45
      image = "docker.io/linuxserver/lidarr@sha256:71fe6d5702691c6ac8961b9b1042fdea1ff833a49c82c5e165346fa88999a48a";
      volumes = [
        "${nas-path}/configs/lidarr/config:/config"
        "${nas-path}/configs/lidarr/custom-services.d:/custom-services.d"
        "${nas-path}/configs/lidarr/custom-cont-init.d:/custom-cont-init.d"
        "${nas-path}:/data"
      ];
    };
  };
 }
--- a/modules/nixos/containers/media-stack/medusa.nix
+++ b/modules/nixos/containers/media-stack/medusa.nix
@ -0,0 +1,30 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  nas-path = "/media/nas/media-stack";
 in
 {
  options.ataraxia.containers.media-stack = {
    medusa = mkEnableOption "Enable medusa container";
  };
  config = mkIf cfg.medusa {
    virtualisation.oci-containers.containers.medusa = {
      autoStart = true;
      # Tags: 1.0.22, version-v1.0.22, v1.0.22-ls230
      image = "docker.io/linuxserver/medusa@sha256:89d7397b64b079050d8d20284fc692aee36a196885f57e5d9a396455d58a130d";
      environment = {
        PUID = "1000";
        PGID = "100";
        TZ = "Europe/Moscow";
      };
      extraOptions = [ "--pod=media-stack" ];
      volumes = [
        "${nas-path}/configs/medusa:/config"
        "${nas-path}:/data"
      ];
    };
  };
 }
--- a/modules/nixos/containers/media-stack/qbittorrent.nix
+++ b/modules/nixos/containers/media-stack/qbittorrent.nix
@ -0,0 +1,59 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  backend = "podman";
  nas-path = "/media/nas/media-stack";
  volume = "local-nfs";
  nfs-share = "10.10.10.11:/";
 in
 {
  options.ataraxia.containers.media-stack = {
    qbittorrent = mkEnableOption "Enable qbittorrent container";
  };
  config = mkIf cfg.qbittorrent {
    virtualisation.oci-containers.containers.qbittorrent = {
      autoStart = true;
      # Tags: 5.1.2, version-5.1.2-r0, 5.1.2-r0-ls402
      image = "docker.io/linuxserver/qbittorrent@sha256:94c8c82291c4fcf86084a6efb9f806786296fad48739e4723dc9a5393073a2ae";
      environment = {
        PUID = "1000";
        PGID = "100";
        UMASK = "002";
        TZ = "Europe/Moscow";
        TORRENTING_PORT = "7000";
        DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent";
      };
      extraOptions = [ "--pod=media-stack" ];
      volumes = [
        "${nas-path}/configs/qbittorrent:/config"
        "${nas-path}:/data"
        "${volume}:/nfs"
      ];
    };
    systemd.services."podman-create-volume-${volume}" =
      let
        start = pkgs.writeShellScript "create-volume-${volume}" ''
          podman volume exists ${volume} || podman volume create --opt type=nfs4 --opt o=rw --opt device=${nfs-share} ${volume}
        '';
      in
      rec {
        path = [ config.virtualisation.podman.package ];
        before = [ "${backend}-qbittorrent.service" ];
        requiredBy = before;
        serviceConfig = {
          Type = "oneshot";
          ExecStart = start;
        };
      };
  };
 }
--- a/modules/nixos/containers/media-stack/radarr.nix
+++ b/modules/nixos/containers/media-stack/radarr.nix
@ -0,0 +1,31 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  nas-path = "/media/nas/media-stack";
 in
 {
  options.ataraxia.containers.media-stack = {
    radarr = mkEnableOption "Enable radarr container";
  };
  config = mkIf cfg.radarr {
    virtualisation.oci-containers.containers.radarr = {
      autoStart = true;
      environment = {
        PUID = "1000";
        PGID = "100";
        UMASK = "002";
        TZ = "Europe/Moscow";
      };
      extraOptions = [ "--pod=media-stack" ];
      # Tags: 5.26.2, version-5.26.2.10099, 5.26.2.10099-ls276
      image = "docker.io/linuxserver/radarr@sha256:07a474b61394553e047ad43a1a78c1047fc99be0144c509dd91e3877f402ebcb";
      volumes = [
        "${nas-path}/configs/radarr:/config"
        "${nas-path}:/data"
      ];
    };
  };
 }
--- a/modules/nixos/containers/media-stack/recyclarr.nix
+++ b/modules/nixos/containers/media-stack/recyclarr.nix
@ -0,0 +1,29 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  nas-path = "/media/nas/media-stack";
 in
 {
  options.ataraxia.containers.media-stack = {
    recyclarr = mkEnableOption "Enable recyclarr container";
  };
  config = mkIf cfg.recyclarr {
    virtualisation.oci-containers.containers.recyclarr = {
      autoStart = true;
      environment = {
        CRON_SCHEDULE = "@daily";
        TZ = "Europe/Moscow";
      };
      extraOptions = [ "--pod=media-stack" ];
      # Tags: 7.4.1, 7.4, 7
      image = "ghcr.io/recyclarr/recyclarr@sha256:759540877f95453eca8a26c1a93593e783a7a824c324fbd57523deffb67f48e1";
      volumes = [
        "${nas-path}/configs/recyclarr:/config"
      ];
      user = "1000:100";
    };
  };
 }
--- a/modules/nixos/containers/media-stack/sonarr.nix
+++ b/modules/nixos/containers/media-stack/sonarr.nix
@ -0,0 +1,31 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.media-stack;
  nas-path = "/media/nas/media-stack";
 in
 {
  options.ataraxia.containers.media-stack = {
    sonarr = mkEnableOption "Enable sonarr container";
  };
  config = mkIf cfg.sonarr {
    virtualisation.oci-containers.containers.sonarr = {
      autoStart = true;
      environment = {
        PUID = "1000";
        PGID = "100";
        UMASK = "002";
        TZ = "Europe/Moscow";
      };
      extraOptions = [ "--pod=media-stack" ];
      # Tags: 4.0.15, version-4.0.15.2941, 4.0.15.2941-ls285
      image = "docker.io/linuxserver/sonarr@sha256:1156329d544b38bd1483add75c9b72c559f20e1ca043fd2d6376c2589d38951f";
      volumes = [
        "${nas-path}/configs/sonarr:/config"
        "${nas-path}:/data"
      ];
    };
  };
 }
--- a/modules/nixos/containers/tinyproxy.nix
+++ b/modules/nixos/containers/tinyproxy.nix
@ -0,0 +1,76 @@
 {
  config,
  lib,
  secretsDir,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.containers.tinyproxy;
 in
 {
  options.ataraxia.containers.tinyproxy = {
    enable = mkEnableOption "Enable tinyproxy nixos-container";
  };
  config = mkIf cfg.enable {
    sops.secrets.tinyproxy-singbox = {
      sopsFile = secretsDir + /proxy.yaml;
      restartUnits = [ "container@tinyproxy.service" ];
      mode = "0600";
    };
    containers.tinyproxy = {
      # extraFlags = [ "-U" ];
      autoStart = true;
      ephemeral = true;
      privateNetwork = true;
      hostBridge = "br0";
      localAddress = "10.10.10.6/24";
      bindMounts."/tmp/sing-box.json".hostPath = config.sops.secrets.tinyproxy-singbox.path;
      config =
        { pkgs, ... }:
        {
          environment.systemPackages = with pkgs; [
            dnsutils
            kitty.terminfo
            sing-box
          ];
          systemd.packages = with pkgs; [ sing-box ];
          systemd.services.sing-box = {
            preStart = ''
              umask 0007
              mkdir -p ''${RUNTIME_DIRECTORY}
              cp /tmp/sing-box.json ''${RUNTIME_DIRECTORY}/config.json
            '';
            serviceConfig = {
              StateDirectory = "sing-box";
              StateDirectoryMode = "0700";
              RuntimeDirectory = "sing-box";
              RuntimeDirectoryMode = "0700";
              ExecStart = [
                ""
                "${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"
              ];
            };
            wantedBy = [ "multi-user.target" ];
          };
          networking = {
            dhcpcd.denyInterfaces = [ "singtun0" ];
            defaultGateway = "10.10.10.1";
            hostName = "tinyproxy-node";
            nameservers = [ "10.10.10.1" ];
            useHostResolvConf = false;
            firewall = {
              enable = true;
              allowedTCPPorts = [
                8888
                8889
              ];
              rejectPackets = false;
            };
          };
        };
    };
  };
 }
--- a/modules/nixos/roles/default.nix
+++ b/modules/nixos/roles/default.nix
@ -87,6 +87,7 @@ in
        ataraxia.profiles.minimal = mkDefault true;
        ataraxia.virtualisation.podman = mkDefault true;
        ataraxia.virtualisation.libvirt = mkDefault true;
        virtualisation.quadlet.enable = mkDefault true;
        boot.supportedFilesystems = [ "nfs" ];
--- a/modules/nixos/security/acme.nix
+++ b/modules/nixos/security/acme.nix
@ -0,0 +1,39 @@
 {
  config,
  lib,
  inputs,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.security.acme;
 in
 {
  options.ataraxia.security.acme = {
    enable = mkEnableOption "Default acme settings";
  };
  config = mkIf cfg.enable {
    sops.secrets.cf-dns-api = {
      sopsFile = inputs.self.secretsDir + /misc.yaml;
      owner = "acme";
    };
    security.acme = {
      acceptTerms = true;
      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
      defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
      defaults.email = "admin@ataraxiadev.com";
      defaults.renewInterval = "weekly";
      certs = {
        "ataraxiadev.com" = {
          extraDomainNames = [ "*.ataraxiadev.com" ];
          dnsResolver = "1.1.1.1:53";
          dnsProvider = "cloudflare";
          credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;
        };
      };
    };
    persist.state.directories = [ "/var/lib/acme" ];
  };
 }
--- a/modules/nixos/services/authentik.nix
+++ b/modules/nixos/services/authentik.nix
@ -0,0 +1,56 @@
 {
  config,
  lib,
  inputs,
  secretsDir,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) str;
  cfg = config.ataraxia.services.authentik;
 in
 {
  imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];
  options.ataraxia.services.authentik = {
    enable = mkEnableOption "Enable authentik service";
    sopsDir = mkOption {
      type = str;
      default = config.networking.hostName;
      description = ''
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
  };
  config = mkIf cfg.enable {
    sops.secrets.authentik-env.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
    sops.secrets.authentik-ldap.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
    sops.secrets.authentik-env.restartUnits = [
      "authentik-server.service"
      "authentik-worker.service"
    ];
    sops.secrets.authentik-ldap.restartUnits = [ "authentik-ldap-outpost.service" ];
    backups.postgresql.authentik = { };
    services.authentik = {
      enable = true;
      logLevel = "info";
      listen.address = "127.0.0.1";
      listen.http = 9000;
      listen.https = 9443;
      environmentFile = config.sops.secrets.authentik-env.path;
      outposts.ldap = {
        enable = true;
        host = "https://auth.ataraxiadev.com";
        environmentFile = config.sops.secrets.authentik-ldap.path;
        listen.address = "127.0.0.1";
        listen.ldap = 3389;
        listen.ldaps = 6636;
      };
    };
  };
 }
--- a/modules/nixos/services/gitea.nix
+++ b/modules/nixos/services/gitea.nix
@ -0,0 +1,174 @@
 {
  config,
  lib,
  pkgs,
  secretsDir,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) str;
  cfg = config.ataraxia.services.gitea;
  gitea-user = config.services.gitea.user;
  # gitea-group = "gitea";
  # runner-user = "gitea-runner";
  # runner-group = "root";
  gitea-secret = {
    sopsFile = secretsDir + /${cfg.sopsDir}/gitea.yaml;
    owner = gitea-user;
    restartUnits = [ "gitea.service" ];
  };
  # runner-secret = services: {
  #   sopsFile = secretsDir + /${cfg.sopsDir}/gitea.yaml;
  #   owner = runner-user;
  #   restartUnits = services;
  # };
 in
 {
  options.ataraxia.services.gitea = {
    enable = mkEnableOption "Enable gitea service";
    sopsDir = mkOption {
      type = str;
      default = config.networking.hostName;
      description = ''
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
  };
  config = mkIf cfg.enable {
    sops.secrets.gitea = gitea-secret;
    sops.secrets.gitea-mailer = gitea-secret;
    # sops.secrets.gitea-runner-hypervisor = runner-secret [ "gitea-runner-hypervisor.service" ];
    persist.state.directories = [
      # { directory = "/var/lib/gitea-runner"; user = runner-user; group = runner-group; }
      # { directory = "/srv/gitea"; user = gitea-user; group = gitea-group; }
    ];
    backups.postgresql.gitea = { };
    # TODO: backups! gitea.dump setting
    services.gitea = {
      enable = true;
      appName = "AtaraxiaDev's Gitea Instance";
      database = {
        type = "postgres";
        passwordFile = config.sops.secrets.gitea.path;
      };
      dump = {
        enable = true;
        backupDir = "/srv/gitea/dump";
        interval = "06:00";
        type = "tar.zst";
      };
      lfs.enable = true;
      stateDir = "/srv/gitea/data";
      mailerPasswordFile = config.sops.secrets.gitea-mailer.path;
      settings = {
        server = {
          DOMAIN = "code.ataraxiadev.com";
          HTTP_ADDRESS = "127.0.0.1";
          HTTP_PORT = 6000;
          ROOT_URL = "https://code.ataraxiadev.com";
        };
        actions = {
          ENABLED = false;
        };
        api = {
          ENABLE_SWAGGER = false;
        };
        attachment = {
          MAX_SIZE = 100;
          MAX_FILES = 10;
        };
        mailer = {
          ENABLED = true;
          PROTOCOL = "smtps";
          SMTP_ADDR = "mail.ataraxiadev.com";
          USER = "gitea@ataraxiadev.com";
        };
        migrations = {
          ALLOW_LOCALNETWORKS = true;
          ALLOWED_DOMAINS = "";
        };
        packages = {
          ENABLED = false;
        };
        "repository.upload" = {
          FILE_MAX_SIZE = 100;
          MAX_FILES = 10;
        };
        security = {
          INSTALL_LOCK = true;
          DISABLE_GIT_HOOKS = true;
          DISABLE_WEBHOOKS = false;
          IMPORT_LOCAL_PATHS = false;
          PASSWORD_HASH_ALGO = "argon2";
        };
        oauth2 = {
          JWT_SIGNING_ALGORITHM = "ES256";
        };
        service = {
          DISABLE_REGISTRATION = true;
          DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
          DEFAULT_USER_IS_RESTRICTED = true;
          REGISTER_EMAIL_CONFIRM = false;
          REGISTER_MANUAL_CONFIRM = true;
        };
        session = {
          COOKIE_SECURE = true;
        };
        webhook = {
          ALLOWED_HOST_LIST = "loopback, private, ataraxiadev.com, *.ataraxiadev.com";
        };
      };
    };
    systemd.services.gitea-dump-clean =
      let
        older-than = "3"; # in days
      in
      rec {
        before = [ "gitea-dump.service" ];
        requiredBy = before;
        script = ''
          ${pkgs.findutils}/bin/find ${config.services.gitea.dump.backupDir} \
            -mindepth 1 -type f -mtime +${older-than} -delete
        '';
      };
    # users.users.${runner-user} = {
    #   isSystemUser = true;
    #   group = runner-group;
    # };
    # services.gitea-actions-runner.instances.hypervisor = {
    #   enable = true;
    #   name = "hypervisor";
    #   url = config.services.gitea.settings.server.ROOT_URL;
    #   tokenFile = config.sops.secrets.gitea-runner-hypervisor.path;
    #   labels = [
    #     "native:host"
    #     "debian-latest:docker://debian:12-slim"
    #   ];
    #   hostPackages = with pkgs; [
    #     bash
    #     curl
    #     gawk
    #     gitMinimal
    #     gnused
    #     wget
    #   ];
    #   # TODO: fix cache server
    #   # settings = {};
    # };
    # systemd.services.gitea-runner-hypervisor = {
    #   serviceConfig.DynamicUser = lib.mkForce false;
    #   serviceConfig.User = lib.mkForce runner-user;
    #   serviceConfig.Group = lib.mkForce runner-group;
    # };
  };
 }
--- a/modules/nixos/services/syncyomi.nix
+++ b/modules/nixos/services/syncyomi.nix
@ -0,0 +1,34 @@
 {
  config,
  lib,
  inputs,
  secretsDir,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) str;
  cfg = config.ataraxia.services.syncyomi;
 in
 {
  imports = [ inputs.ataraxiasjel-nur.nixosModules.syncyomi ];
  options.ataraxia.services.syncyomi = {
    enable = mkEnableOption "Enable syncyomi service";
    sopsDir = mkOption {
      type = str;
      default = config.networking.hostName;
      description = ''
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
  };
  config = mkIf cfg.enable {
    sops.secrets.syncyomi.sopsFile = secretsDir + /${cfg.sopsDir}/syncyomi.yaml;
    services.syncyomi.enable = true;
    services.syncyomi.configFile = config.sops.secrets.syncyomi.path;
    networking.firewall.allowedTCPPorts = [ 8282 ];
  };
 }
--- a/modules/nixos/services/vaultwarden.nix
+++ b/modules/nixos/services/vaultwarden.nix
@ -0,0 +1,80 @@
 {
  config,
  lib,
  secretsDir,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) str;
  cfg = config.ataraxia.services.vaultwarden;
 in
 {
  options.ataraxia.services.vaultwarden = {
    enable = mkEnableOption "Enable vaultwarden service";
    sopsDir = mkOption {
      type = str;
      default = config.networking.hostName;
      description = ''
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
  };
  config = mkIf cfg.enable {
    sops.secrets.vaultwarden.sopsFile = secretsDir + /${cfg.sopsDir}/vaultwarden.yaml;
    sops.secrets.vaultwarden.owner = config.users.users.vaultwarden.name;
    sops.secrets.vaultwarden.restartUnits = [ "vaultwarden.service" ];
    services.vaultwarden = {
      enable = true;
      backupDir = "/srv/vaultwarden";
      config = {
        domain = "https://vw.ataraxiadev.com";
        extendedLogging = true;
        invitationsAllowed = false;
        useSyslog = true;
        logLevel = "warn";
        rocketAddress = "127.0.0.1";
        rocketPort = 8812;
        showPasswordHint = false;
        signupsAllowed = false;
        signupsDomainsWhitelist = "ataraxiadev.com";
        signupsVerify = true;
        smtpAuthMechanism = "Login";
        smtpFrom = "vaultwarden@ataraxiadev.com";
        smtpFromName = "Vaultwarden";
        smtpHost = "mail.ataraxiadev.com";
        smtpPort = 587;
        smtpSecurity = "starttls";
        websocketAddress = "127.0.0.1";
        websocketEnabled = true;
        websocketPort = 3012;
        webVaultEnabled = true;
      };
      environmentFile = config.sops.secrets.vaultwarden.path;
    };
    # We need to do this to successufully create backup folder
    # systemd.services.backup-vaultwarden.serviceConfig = {
    #   User = "root";
    #   Group = "root";
    # };
    persist.state.directories = [
      "/var/lib/vaultwarden"
      config.services.vaultwarden.backupDir
    ];
    systemd.tmpfiles.rules =
      let
        backupDir = config.services.vaultwarden.backupDir;
        user = config.systemd.services.backup-vaultwarden.serviceConfig.User;
        group = config.systemd.services.backup-vaultwarden.serviceConfig.Group;
      in
      [
        "d ${backupDir} 0700 ${user} ${group} -"
      ];
  };
 }
--- a/modules/nixos/virtualisation/libvirt-guest.nix
+++ b/modules/nixos/virtualisation/libvirt-guest.nix
@ -0,0 +1,527 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib)
    concatStrings
    mapAttrsToList
    mkIf
    mkMerge
    mkOption
    optionalString
    ;
  inherit (lib.types)
    attrsOf
    bool
    enum
    int
    listOf
    nullOr
    path
    str
    submodule
    ;
  cfg = config.ataraxia.virtualisation.guests;
  diskOptions.options = {
    diskFile = mkOption {
      type = str;
    };
    # TODO
    bus = mkOption {
      type = enum [
        "virtio"
        "ide"
        "scsi"
        "sata"
      ];
      default = "virtio";
    };
    type = mkOption {
      type = enum [
        "raw"
        "qcow2"
      ];
      default = "qcow2";
    };
    targetName = mkOption {
      type = str;
      default = "vda";
    };
    discard = mkOption {
      type = enum [
        "ignore"
        "unmap"
      ];
      default = "unmap";
    };
    cache = mkOption {
      type = enum [
        "none"
        "writethrough"
        "writeback"
        "directsync"
        "unsafe"
      ];
      default = "writeback";
    };
  };
  mountOptions.options = {
    sourceDir = mkOption {
      type = str;
      default = "";
    };
    targetDir = mkOption {
      type = str;
      default = "";
    };
    # TODO
    type = mkOption {
      type = enum [
        "virtiofs"
        "9p"
      ];
      default = "virtiofs";
    };
  };
  guestsOptions =
    { ... }:
    {
      options = rec {
        xmlFile = mkOption {
          type = nullOr path;
          default = null;
        };
        connectUri = mkOption {
          type = str;
          default = "qemu:///system";
        };
        user = mkOption {
          type = str;
          default = "qemu-libvirtd";
        };
        group = mkOption {
          type = str;
          default = "qemu-libvirtd";
        };
        autoStart = mkOption {
          type = bool;
          default = false;
        };
        autoDefine = mkOption {
          type = bool;
          default = true;
        };
        guestOsType = mkOption {
          type = enum [
            "linux"
            "windows"
          ];
          default = "linux";
        };
        uefi = mkOption {
          type = bool;
          default = false;
        };
        memory = mkOption {
          type = int;
          default = 1024;
        };
        sharedMemory = mkOption {
          type = bool;
          # TODO: not needed if using 9p mount
          default = devices.mounts != [ ];
        };
        cpu = {
          sockets = mkOption {
            type = int;
            default = 1;
          };
          cores = mkOption {
            type = int;
            default = 1;
          };
          threads = mkOption {
            type = int;
            default = 1;
          };
        };
        devices = {
          disks = mkOption {
            type = listOf (submodule diskOptions);
            default = [ ];
          };
          mounts = mkOption {
            type = listOf (submodule mountOptions);
            default = [ ];
          };
          tablet = mkOption {
            type = bool;
            default = true;
          };
          serial = mkOption {
            type = bool;
            default = true;
          };
          qemuGuestAgent = mkOption {
            type = bool;
            default = guestOsType != "windows";
          };
          audio = {
            enable = mkOption {
              type = bool;
              default = true;
            };
            type = mkOption {
              # TODO
              type = enum [
                "none"
                "alsa"
                "coreaudio"
                "dbus"
                "jack"
                "oss"
                "pulseaudio"
                "sdl"
                "spice"
                "file"
              ];
              default = "spice";
            };
          };
          graphics = {
            enable = mkOption {
              type = bool;
              # TODO: must be true if video == true?
              default = true;
            };
            type = mkOption {
              # TODO
              type = enum [
                "sdl"
                "vnc"
                "spice"
                "rdp"
                "desktop"
                "egl-headless"
              ];
              default = "spice";
            };
          };
          video = {
            enable = mkOption {
              type = bool;
              default = true;
            };
            type = mkOption {
              # TODO
              type = enum [
                "vga"
                "cirrus"
                "vmvga"
                "xen"
                "vbox"
                "qxl"
                "virtio"
                "gop"
                "bochs"
                "ramfb"
                "none"
              ];
              default = "virtio";
            };
          };
          network = {
            enable = mkOption {
              type = bool;
              default = true;
            };
            interfaceType = mkOption {
              # TODO
              type = enum [
                "network"
                "macvlan"
                "bridge"
              ];
              default = "network";
            };
            modelType = mkOption {
              type = enum [
                "virtio"
                "e1000"
              ];
              default = "virtio";
            };
            macAddress = mkOption {
              type = nullOr str;
              default = null;
            };
            active = mkOption {
              type = bool;
              default = true;
            };
            sourceDev = mkOption {
              type = str;
              default = "default";
            };
          };
        };
        timeout = mkOption {
          type = int;
          default = 10;
        };
      };
    };
  genXML =
    name: guest:
    pkgs.writeText "libvirt-guest-${name}.xml" ''
      <domain type="kvm">
        <name>${name}</name>
        <uuid>UUID</uuid>
        <memory unit="MiB">${toString guest.memory}</memory>
        ${optionalString guest.sharedMemory ''
          <memoryBacking>
            <source type="memfd"/>
            <access mode="shared"/>
          </memoryBacking>
        ''}
        <vcpu placement="static">${with guest.cpu; toString (sockets * cores * threads)}</vcpu>
        <os>
          <type arch="x86_64" machine="pc-q35-9.2">hvm</type>
          ${optionalString guest.uefi ''
            <loader readonly="yes" type="pflash" format="raw">/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
            <nvram template="/run/libvirt/nix-ovmf/OVMF_CODE.fd" templateFormat="raw" format="raw">/var/lib/libvirt/qemu/nvram/${name}_VARS.fd</nvram>
          ''}
        </os>
        <features>
          <acpi/>
          <apic/>
          ${optionalString (guest.guestOsType == "windows") ''
            <pae/>
            <hyperv mode="custom">
              <relaxed state="on"/>
              <vapic state="on"/>
              <spinlocks state="on" retries="8191"/>
              <vpindex state="on"/>
              <synic state="on"/>
            </hyperv>
          ''}
          <vmport state="off"/>
        </features>
        <cpu mode="host-passthrough" check="none" migratable="on">
        ${with guest.cpu; ''
          <topology
            sockets="${toString sockets}"
            cores="${toString cores}"
            threads="${toString threads}"
          />
        ''}
        </cpu>
        <clock offset="${if guest.guestOsType == "windows" then "localtime" else "utc"}">
          <timer name="rtc" tickpolicy="catchup"/>
          <timer name="pit" tickpolicy="delay"/>
          <timer name="hpet" present="no"/>
          ${optionalString (guest.guestOsType == "windows") ''
            <timer name="hypervclock" present="yes"/>
          ''}
        </clock>
        <pm>
          <suspend-to-mem enabled="no"/>
          <suspend-to-disk enabled="no"/>
        </pm>
        <devices>
          <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
          ${concatStrings (
            map (disk: ''
              <disk type="file" device="disk">
                <driver name="qemu" type="${disk.type}" cache="${disk.cache}" discard="${disk.discard}"/>
                <source file="${disk.diskFile}"/>
                <target dev="${disk.targetName}" bus="${disk.bus}"/>
              </disk>
            '') guest.devices.disks
          )}
          ${concatStrings (
            map (mount: ''
              <filesystem type="mount" accessmode="passthrough">
                <driver type="virtiofs" queue="1024"/>
                <binary path="/run/current-system/sw/bin/virtiofsd" xattr="on">
                  <cache mode="always"/>
                  <lock posix="on" flock="on"/>
                </binary>
                <source dir="${mount.sourceDir}"/>
                <target dir="${mount.targetDir}"/>
              </filesystem>
            '') guest.devices.mounts
          )}
          ${
            with guest.devices.network;
            if enable then
              if interfaceType == "network" then
                ''
                  <interface type="network">
                    ${optionalString (macAddress != null) ''
                      <mac address="${macAddress}"/>
                    ''}
                    <source network="${sourceDev}"/>
                    <model type="${modelType}"/>
                  </interface>
                ''
              else if interfaceType == "bridge" then
                ''
                  <interface type="bridge">
                  ${optionalString (macAddress != null) ''
                    <mac address="${macAddress}"/>
                  ''}
                    <source bridge="${sourceDev}"/>
                    <model type="${modelType}"/>
                  </interface>
                ''
              else if interfaceType == "macvlan" then
                ''
                  <interface type="direct">
                  ${optionalString (macAddress != null) ''
                    <mac address="${macAddress}"/>
                  ''}
                    <source dev="${sourceDev}" mode="bridge"/>
                    <model type="${modelType}"/>
                  </interface>
                ''
              else
                ""
            else
              ""
          }
          ${optionalString guest.devices.tablet ''
            <input type="tablet" bus="usb"/>
          ''}
          ${optionalString guest.devices.serial ''
            <serial type="pty"/>
          ''}
          ${optionalString guest.devices.qemuGuestAgent ''
            <channel type="unix">
              <target type="virtio" name="org.qemu.guest_agent.0"/>
            </channel>
          ''}
          ${optionalString guest.devices.audio.enable ''
            <audio id="1" type="${guest.devices.audio.type}"/>
            <sound model="ich9"/>
          ''}
          ${
            if guest.devices.graphics.enable then
              if guest.devices.graphics.type == "spice" then
                ''
                  <graphics type="spice" autoport="yes">
                    <listen type="address"/>
                    <image compression="off"/>
                  </graphics>
                ''
              else
                ""
            else
              ""
          }
          ${
            with guest.devices.video;
            with lib;
            optionalString enable ''
              <video>
              ${
                if type == "virtio" then
                  ''
                    <model type="virtio" heads="1"/>
                  ''
                else if type == "qxl" then
                  ''
                    <model type="qxl" ram="65536" vram="65536" vgamem="16384" heads="1"/>
                  ''
                else
                  ""
              }
              </video>
            ''
          }
          <channel type="spicevmc">
            <target type="virtio" name="com.redhat.spice.0"/>
          </channel>
          <input type="mouse" bus="ps2"/>
          <input type="keyboard" bus="ps2"/>
          <redirdev bus='usb' type='spicevmc'/>
          <memballoon model="virtio"/>
          ${optionalString (guest.guestOsType == "windows") ''
            <rng model="virtio">
              <backend model="random">/dev/urandom</backend>
            </rng>
          ''}
        </devices>
      </domain>
    '';
 in
 {
  options.ataraxia.virtualisation.guests = mkOption {
    default = { };
    type = attrsOf (submodule guestsOptions);
  };
  config.systemd.services = mkMerge (
    mapAttrsToList (name: guest: {
      "libvirt-guest-define-${name}" = {
        after = [ "libvirtd.service" ];
        requires = [ "libvirtd.service" ];
        wantedBy = mkIf guest.autoDefine [ "multi-user.target" ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = "no";
          User = guest.user;
          Group = guest.group;
        };
        environment = {
          LIBVIRT_DEFAULT_URI = guest.connectUri;
        };
        script =
          if guest.xmlFile != null then
            ''
              ${pkgs.libvirt}/bin/virsh define --file ${guest.xmlFile}
              ${pkgs.libvirt}/bin/virsh net-start ${guest.devices.network.sourceDev} || true
            ''
          else
            ''
              uuid="$(${pkgs.libvirt}/bin/virsh domuuid '${name}' || true)"
              ${pkgs.libvirt}/bin/virsh define <(sed "s/UUID/$uuid/" '${genXML name guest}')
              ${optionalString (
                guest.devices.network.interfaceType == "network"
              ) "${pkgs.libvirt}/bin/virsh net-start ${guest.devices.network.sourceDev} || true"}
            '';
      };
      "libvirt-guest-${name}" = {
        after = [ "libvirt-guest-define-${name}.service" ];
        requires = [ "libvirt-guest-define-${name}.service" ];
        wantedBy = mkIf guest.autoStart [ "multi-user.target" ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = "yes";
          User = guest.user;
          Group = guest.group;
        };
        environment = {
          LIBVIRT_DEFAULT_URI = guest.connectUri;
        };
        script = "${pkgs.libvirt}/bin/virsh start '${name}'";
        preStop = ''
          ${pkgs.libvirt}/bin/virsh shutdown '${name}'
          let "timeout = $(date +%s) + ${toString guest.timeout}"
          while [ "$(${pkgs.libvirt}/bin/virsh list --name | grep --count '^${name}$')" -gt 0 ]; do
            if [ "$(date +%s)" -ge "$timeout" ]; then
              ${pkgs.libvirt}/bin/virsh destroy '${name}'
            else
              sleep 0.5
            fi
          done
        '';
      };
    }) cfg
  );
 }
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -9,9 +9,8 @@ let
  };
 in
 {
-  # attic-client = inputs.attic.packages.${system}.attic;
+  authentik = unstable.authentik;
-  # attic-server = inputs.attic.packages.${system}.attic-server;
+  authentik-outposts = unstable.authentik-outposts;
  # cassowary-py = inputs.cassowary.packages.${system}.cassowary;
  hyprlandUnstable = unstable.hyprland;
  hyprlandPortalUnstable = unstable.xdg-desktop-portal-hyprland;
  intel-vaapi-driver = prev.intel-vaapi-driver.override { enableHybridCodec = true; };
--- a/secrets/orion/authentik.yaml
+++ b/secrets/orion/authentik.yaml
@ -0,0 +1,29 @@
 authentik-docker-env: ENC[AES256_GCM,data:gQgij38e/InGVurVfXNkLTWuydSKu0InOXBooltqu7hpctm1noSGFXtfT2dgXcmftTXPzDx3Mah5zqAHXeygv4gWqnTaCXIw9IKmsz4V0VeycfUVzdtli2oo5Dyf1lyJHzSrxWVuatdQYafVQomIHswKHqSMIGg0LE7HR1HHDoPm57v8JMEbMGaw4PQ7cIasRPYwTQyzqiLAlohXpyovYlVd7yUZZQNWSozlD8mFwVaKPDEmnSfzEBxYMwnzY3d8MtHaI+S/kGKWcKBDQ58WXuLysjuIu7bgRiHnvbz/aUlKiF7r4deaIX4tWZsOarjYliSTBraZEHbFqO00viRISX1IBP4BVD7N1QsuczMk9MILWy5NZzUVT73MK2Y9WY4A3TYofdxjjSBnhXQnwfZlm3IY5cJxAVLjVXIUqMaQ+GHiJsnxdl9qVvvsJ/hadYgTpf+JZ9G4X6hE84/2vFrXItY/5VRyh1Hv4Z43wsCALw6pzWJcp8HbzkbyAJpROFXD9XPm28ocAEmc92mu0X4a3vevJq2cfvHTAYb5Gwyo868G/DZdgIq9MPpK3ZBGUtJnacIS5jtYowf9TncGpRSkxC0iUCwbl/aY02o9cfEuYhJK57e7o0N3oVxKhP3aelgrpq5sdy6QBNAc4IgTJwUucwTpqFSj4z7TDSIjtLA4BTlSEfwTRFVuF7VAakhoeSkW8YvHRaZB+Dq/2P3nLpFbPAjqW7XthlDypQ5ADRWBFfj9BzMbf+Kcd4rtO9bTtnyZPzpkbsbuWkF/I0NWeAlc7ozW3O37+n4Flt42fuHg2Vh0ncV7MSk6vETVBvtV04JSr65bBqhuKhBrGV7UHTHQAov3gyML3Gica0ZCcJvK9lKGaX+hEYaB0nb9qmtCQc4JKxGwboG5Lo59tIYGN3yPNf0QtiAMFWzZ8sTL1b2pV1NKIgoMtrx7l5dga2Mng4bhUIkLii0H/bqeY6qD/a2PV2B7zU3EInoK9UjieOGM6DaGJXcbj/JPJKMg23ZR/wbNM2LE59U8IomuXeJ+vRlRpZvxn9148qwJcF+DlgZlVFdGBnyUucLHZMZogtmcfe48QGYv5oKdBk2ZOVnvSxodiw1jPWgLmRATnWK4zaqBXlnMsoNZGyp57pYpTpaklulXy1kUwooMGyJo7TEOQj4zzgEjII5mrA6xb73Sg1qGIbSHyqMvg2f+CWgWPgwrlwug+6IepQHgPeIaukSIuDzhq5SJLZpBig+b4qNuVwUqtuWeoW1V2H/iaNojLsizcGVgiIlTnOU16mpn40G5tbpmsZLjSJnDhrPScz2kn1kA6mDjNmZ7s4s7ouAGxFpL3A==,iv:RoNU+sz4ibBnCZEwhrZOCZ8L2f4AKlA2HDkjGOd75HU=,tag:GmXqPgen7ZJ/hVqQhO+DbQ==,type:str]
 authentik-docker-ldap: ENC[AES256_GCM,data:Ex6g0F9krdKj1Zn4V6oafV7PXrkdIHYsh6z287yEDkJdUUsz73QXKYjMIyF6AhoDFtOCPqmEB7J6qFxCzQjJsHYDbDT/pDHjJMpmnA==,iv:DrifVWgEak8Pd7V50UOnEs6lVH3+LhSNDmZ6z4QMS14=,tag:snAy/ebpo1yyHGmy9l12Ww==,type:str]
 authentik-env: ENC[AES256_GCM,data:G2/zs34u73Iyob0ZBV2xRh6sAbr9LgvXeupfQeg7UhafEfFe9Izki7ig8ZzFwaoWMeewWvF2/LOlegK5n05D6CnDL0hMBCbRiGEd2df3zHLT0lbN5jbZ9mNw+p13+qT5lm3paV26PCsvERGQNQLJ8+SHrgB6S847fHqWANmQJRoiA2LFPWNj2VJfn2By1ZyH/JtQPERNuLGZJCz6PgecC4qM88+Rubqw3Jj9ebw3xvQFqAt1rhD08xSO6yFSBQRG0SxDmhX2L7dI2mm4CQl9LIA5dTF3tw/nqlVby5j2TqrfICoP87eunifcus16TNRHjDdpfKpWBpFuROoiBdzCRakkORcNzDegyNb9UI0hsklnT9c01b9vC75Jrmv6fcZFRbw7diwcs85Ty6aHKZAANhShYHx5TmO+SFIR2lZpXPpXQgJuXNz8EDYyflZfIBagwpD5G7NawDeGFrnqd7ioJqO/yoAQNaF5b8z5Fdw6xpwWCCmJ7MHUkIioHE8/82egi5d2lBPM+BHiMvTyi0jC1AwrL0cD+efdG19/vkEk2Vdvx4EQb+JaAzQeSYpcl4r78s9IWTEberibWi6dfu9bf+Wf4RZ3XA9x7ij2fK2VP+C1rbwsx35SWFME+XouBMYdnfZINKl4lEqawfilbTjfqNBrZMVarWBEnQ579q9MPuXWH1TAIoWXZnZkFJIZRmotXzO84/NSNSkcyeMZPqmASD2Wi5oS+szb+iPf5w1N1LLmj407lEo8zcQrc63Du77d4KRl+ClrHCGIkcE4wENn1PZO8pBtqke+d/OGJ2xf4n2FTa7ShwBWG6vfwD3JFswv/uFrIjlcwviRVakK3taRFdPrWacMACyDLlOVFWsXUJRE+QZUvcF+F6NgKI2OoEObg0TpIepBFafg09P+9t8iHhFB1/7JUdefLUQrP6mNecUoJdJHV12r5DGN0GfeFiUijXCXAwRQvskYMEHxCaL+a3WL4zVoKhxiE+c+N8rQeneypnSvOFgQZLe3GpzrGpuyT2scw89WbEkequ54xbKnKOjNQiNcXuIvofTn4l8sWaK6JPLltZzvbCH3L3NLOIcadkvLxH2Mprp0FKUb,iv:/fR2FJan/QRCKLKBaPdagcfMD4xsaezZAXHIYmwZ484=,tag:1u/EXA+4KdsVrchKUMY41A==,type:str]
 authentik-ldap: ENC[AES256_GCM,data:trkAbd1/delgSdV2nvPjbDV4fK0Eeu0X3c8xGYFIotHhPrYqZeBlgh9m6W1dEBeH/DOqPDlc6hqwGCE7D39Ael/WV5dgQepzB+7eYQ==,iv:dNGa2YW2nm21lLuX0efxYO8TLyi6Or4IOID0Zvl3neQ=,tag:wBDWNxeuahiNw+vupGNPqw==,type:str]
 sops:
    shamir_threshold: 1
    age:
        - recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cnFSMTlTbnBucXVsN2Zv
            Nms5RklOaGgrZjlJMmlNTkRvV3o4NVZPb21FCmdNdGJKangxanlOczRZam5DMTVN
            ZGdqbVJhNGRVMDVYcmhpNTBxSmJQdmsKLS0tIE1tRnNONVM2UXBJUyt6bWE5NmpK
            MkpvTjFpQ0JLK3ZUaUJGdWpZRFNsUXMKn8ImvsqI9EiVxTx34VTp8l4zJp2pawGy
            817OEdp9spuDG6AyoxrDjpsbZ0R/9kQ1W/Y9nJNNRrvMuIijw1FO0g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbTErSzVzYlRadkRFT05V
            ZXNRY1JIN2t2dGFIQ3lDV0hVYmdBWEYvazFFCmlid3ZGTzV4Y2NhOU5IVTF2QUFY
            MTFWV1pGSk9DRDg5K1lCVVRaUUlEa3MKLS0tIGFhSjdieEtCQXRCVVpTekNISXR4
            MW9UdVRKWUF6S3BZLzJ0QkhHbUpSc0kK3M8rkSRq1zo3TvlTf7erJc3RjamW+81D
            GIKKOybcRBCJQ+SqFoyF97aaa3QVlDXEU1rvpoP+p88NAt7ERJXvsw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-24T16:13:04Z"
    mac: ENC[AES256_GCM,data:OKANPvWhQCG/iFwc2zWVnaQ2799ai8l40styj60kpWB1Id7ccLomPCvzMMtZS/tCrp9HxrbYkN/9GgRnMrMoNvp2QtL19c4pmN2V9VKrEklm77UMeN5KEOemk5Iiqnjk6LF3mPuRa5nFTSwoLSsYPZ1v+vX7oob7WlhR57WAb+g=,iv:2waLQWzcqXT/9NN1rkaoc1Ym2qziGVOgRhc2nvDtMCI=,tag:ayzPdyGxts/02kIyayDPpQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/secrets/orion/gitea.yaml
+++ b/secrets/orion/gitea.yaml
@ -0,0 +1,30 @@
 gitea: ENC[AES256_GCM,data:J+ZBpsUSXOaPycPCjh6RgZQlRv8=,iv:DtE+qtWTIHS2OkFZBhUcjg07wVrwiMm7XsW63ZD4f5o=,tag:5vOIdgsBB8eMkIbRe6pNdA==,type:str]
 gitea-mailer: ENC[AES256_GCM,data:o7JNqMqJM3OoDxSohmeYsPn1n3wb6J6L,iv:agiJl0halqfmKMvWA8b0boXF3rXrbC2bIj9zb5274hg=,tag:DjnNySDnYwVYtP9RNuEYGQ==,type:str]
 gitea-secretkey: ENC[AES256_GCM,data:eyhy6wRwoWxUVGh3GghePwYZxX2BmHxly0Tn6eHq+6qDryDgL6c/fA==,iv:/xMqcni+lTh3syWSSp50pS6VHDTEDsUL2idFWEoCc9M=,tag:qgmGHzc5R6k6OLOEyrBlMw==,type:str]
 gitea-internaltoken: ENC[AES256_GCM,data:BYA9CHQ/IVnwA/apr0V3EYE66vJfz5wdpOGxgMzVdcYKrqVVhfK7YQ==,iv:Fj4gn00rRc2E1A74SWeRZWktm4EvvTeCG04p8K2NSxk=,tag:BanFYGL7GF5Q8zdjugAICw==,type:str]
 gitea-runner-hypervisor: ENC[AES256_GCM,data:vS++cR4ewTzT8W7h870tXJkFYy6F9hV8SA/A94kqIxsawAmeeu5xf5YVQZZcNw==,iv:h9LVb3J909tkoiI01mh7ZgW34MPrB49mC5Sn+b5iIQE=,tag:CJ9kk6Ly/X89VAU2pBOZaA==,type:str]
 sops:
    shamir_threshold: 1
    age:
        - recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUdCR3NvYlFoeW9hZU5k
            Um5YYzE3aDN1WWRvd3JRWG83eDV2VVBUWXpvCjYwSU1neTF5cmZneDVSTmgrbzgv
            SE9JSWY4SmRwVmVMNVhmb1RzSEF0ZzgKLS0tIHFzcHhQWUwzelRBWGJyd3RwQ05K
            c1AvZ2EwY0VPWGc1WnhucDFmQmhtWUUKkHK658ViO8wtm/kJk5t3B6z7vXHsCHI6
            PeIbqM+hQ2dW7yCJTfKyYoJGwaWrAgzjFRD0wbh9b+JQWavIiyhZrA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUUwvZ25yUGo5YjJNcHFM
            b1hUSTQ5VUlmODMwbEhzNFFTSmFFaG9tcTJFCmFrYU9qSWlVNmRqUnlmdEkrYlhF
            V2lCNnZwNGZVL0pUaW5RTWVHaFpnYlEKLS0tIFpDNC9RU21kS3R2UzRvMnpBcjc5
            U1VldmYxV2k4c3gwY1FUSjNQWmtRODQK7P9NTF9JxzilXiLdv4WCGt0V3pxB7xbt
            gECxjDTHYd+TBkOExzYHAD7VXQGpPPyCKREZ1AsZJjhhZoZJrrMMuQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-21T19:08:51Z"
    mac: ENC[AES256_GCM,data:ranW9+W0x11eRFRzGosVfapoW1xpgTUpUvzzItYcZT0Pr1cRpBMQNTmHXpItNKuw1Ut4PBzUlmtDl/Y1VlefVecy6j9xvEczgYvCXCRH+x5Dp2FAuIwqw+EuQWsxxZ/k32zzdWT2brWsO+z5EmLRePJu0mBoxRx1vqVAZef8vwo=,iv:yEofPQ22CpHLktUjRke1Tlg445TpX0ocpQBeoeWba+Q=,tag:Ai+tbYJJ5BHyNHfnK1elgw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/secrets/orion/syncyomi.yaml
+++ b/secrets/orion/syncyomi.yaml
@ -0,0 +1,25 @@
 syncyomi: ENC[AES256_GCM,data:DRx/E4S4IEVp4uFT2STjsv79bFZk+RGfv9EDYHiCOdkUr6TaA4fcF17fWD2VX2HshnU4dTnlOG/Z27/eygixkXjlFOIcSXuZZIv+Pttxl/r0cgI7NM8fGh3rn2Id34gIpRpmW34VwIU3EU9ctwBwTmsbpM2zMBbXKTXyr/mWuLCqc6WiSHlz1mJaHmMUW6uidj5WbnoJ0KamLlJtkZz0P0v+CczMhon6d9S2xWJ3qi/Tt15jTldEkKBZ+sNag9yAUc5dSPvNRGXsq5NAtqIIXpIVdDvBHKXLtlkeDroHFidyRlBsUJ9ZmpMNyZvBAngzspRQuPJAWcvMOp2EtpxwiReDk3n9UNPkwmj5ZOPwDixwjoriV9fHFOdHRFqICWEJbRMLwj+NHnkxa5vZI8f9WCfwjk3npbgQ1yY+GxBlv5iVBIacG/QmOZjpy9X1WURFGev6tHcL9KBRg2sx0hDR+qO1f4t8KWE8unS9xFBMiynsDsX46XIY1YeXXGfjZRiSZYTmenkUvXfkhijBmlLAW38=,iv:OAUDQhm5aQwjUa0vn03PzWOrZlJiFdPYGdZPDV/lFRs=,tag:71OvVXwwIl93mC4EpTAmzA==,type:str]
 sops:
    age:
        - recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDU0swYlJZalNxYWZHcDAv
            RnhsbFZhN2NsMkxXUWdDL0R6aEcvTFZCTUJZCjNpaWxYVXZ5T3NCVTBkZnVPa2ZG
            U1RWcUxwRkVGSDhVdEtOcmpSWUxNR00KLS0tIGRHUHJCUjJuU3lZQnlZU1N0Q3Iy
            UUxOMmIzMUcxdmdBR2tHZUdjd2FBeWsKqGJ0Globcl/6eEAk4ICtvqIKBvTlXiot
            hwysXkcNqiSvaETLFWmrwtd+zLAuwb9320QBB5J1PgyU4onbMq5c4w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdVNnbTVzWGJ5aWtWOVdW
            bURQWXB5S0JCVFcxMGF6Y3R5czJQV2txTXhJCklOZW5VTzNtQ2ZTbWRFYTJsRTBo
            QjJ3WW5WcFlVeG0wQ1N5WW9QcXZ5a1UKLS0tIDJ6Zkk2UHFHYU1CVlIvRmh4ZW0y
            K3pwd2JyZUVpRXh5YTkxMGFBR2dHVWcKXphBeCwSow+8ETCKx4AZ3xEiOQHMmAHC
            qmPDJM94dt9dXFBWZ1hlf3k5keAqicQzmvFfj0jaEs2wKbrRiXFAVQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-17T20:20:57Z"
    mac: ENC[AES256_GCM,data:K68jXgp7l8hHkBLD/XoQmaN9gYDXdFbH30SOoeUaw2u0bIUbTopMTu1hfO405F/bHQ3N0JIJb7fYz0dqD2QvfvcI2HAIb2ZAeR8Z7IVmVyNZRuttzLCJ2KeW3DGkVh1QHdyM5lbYyiPunm3tTArhHKM7Bf8W9pXbN+k4p+L2ZLM=,iv:26Pvkq6PUWqWkshzZUJOGY4wor2nFvbEza8dWUf8Cl4=,tag:JGUGDqI5QfjdJoimr4uAEw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.1
--- a/secrets/orion/vaultwarden.yaml
+++ b/secrets/orion/vaultwarden.yaml
@ -0,0 +1,26 @@
 vaultwarden: ENC[AES256_GCM,data:B1qaU/1jsDgbc7wEl3Yrehez3vHCOPDQ5rjpkYPf4QgVwonOvvEf4H7doVwabhihRqoy43QXBeDRuPVaea/ZJythvZV0cez2Mr6YrhG7/BSB+AIDEa+wNQTGgY5IWkztp7j4BP1XmyRA4A42dOnfHJR6BncJGAfhNguq3FZJuf5BClvyT5aov+GKfiO81l93ig324TKsU9ClLqmVarrPCNba683ADrH8g5EkB2rw0LwKJBWVQh0TKhTTyFdMFTNaIQ17K1ueqLwd2xIfHMmN61s=,iv:H6/RxF6LSMD3OUAY3mEhof2VGOCctg6FsaoyOTI9e5Q=,tag:W+nCl/RAWpdXWbE9v/oMOg==,type:str]
 sops:
    shamir_threshold: 1
    age:
        - recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNVZpRE8zUzN0RWNXT09F
            bUR0MmxMNDNybHBEN0FKY3VtTW1XREpaSkNJCnpGRmZqRlU0YlBiYkxkeEVLMzdv
            eERFc3dITG5lOTVLRkJYM2NNa1lpWDgKLS0tIEsra0ZBblhiTk9kTFJxWjZtRDhS
            NDhKY2dEVXFOL3JIZmtMVG5tVklIQXcKbLLeZOrJCGRPscw4LWsVAGk29EwQg0lK
            +YYSsQLm+cZNLxHLClsmQn/ykEvIEA5/1DjFXVvulFW+Kbk9NwSxHA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa0tPM2NiaW13Sk5rR091
            VVBVYnRoc3I2WFI3WFhETTdXUzU4ckFZbGtJCjR4em80Vm1UQk9vM3h4OER6dVNs
            RWJwazRiUHVXY01vZ1hyN3k3MlBrbUEKLS0tIDd3aEhxNDZHWDdETkd0VkMwOTZG
            MWNhelRQZTdBZGMzUk5HQklSWWVTNWMK6gunbCmYfXh4fQ3mV0kh6TlwxTpxlUI0
            Y6+pPh+Sw39KTFdirXv5OTWtCN53S6HXejIuctIOvdfrB1LYwsb7XA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-21T19:24:09Z"
    mac: ENC[AES256_GCM,data:+KnkQjRKq7f7gojR4TDRUahPPcOshTQUIzJOmGBD4cspjLj0Ljf9tqoMCvCzwU7CGIg2c4phUCWluyQwlUAoiRL0rM8YyN2nE0PiWOcnl3p9FHwHxV9ElWiWpVnKroVxZEz0vmj0nsabl9PRD5ipX06kDK8GRZXFw+laSCy0N1E=,iv:7DO9ML9ToedihSJA6v1hMcd4Q/PJ+JLvJQk69kQ8btA=,tag:cifnSqY1ezoHt8WHtuyakw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.8.1
Author	SHA1	Message	Date
Dmitriy Kholkin	f52eaa8eb2	feat: add media-stack containers	2025-07-08 20:14:39 +03:00
Dmitriy Kholkin	daa99bf963	feat: add filestash container	2025-07-08 20:14:14 +03:00
Dmitriy Kholkin	2a7ffbb769	feat: enable quadlet by default in server role	2025-07-08 20:12:36 +03:00
Dmitriy Kholkin	3f1ab3a855	feat: disable waydroid on vega	2025-07-08 20:10:28 +03:00
Dmitriy Kholkin	5953860a63	feat: add syncyomi service	2025-07-08 20:09:57 +03:00
Dmitriy Kholkin	43694be7b8	fix: enable gitea on orion	2025-07-08 20:08:38 +03:00
Dmitriy Kholkin	c2bcc51aec	feat: add authentik service	2025-07-08 20:08:18 +03:00
Dmitriy Kholkin	54d5d760d2	feat: add gitea service	2025-07-08 20:07:11 +03:00
Dmitriy Kholkin	e8364fac08	feat: add acme module	2025-07-08 20:06:38 +03:00
Dmitriy Kholkin	91ed66d8fb	feat: add tinyproxy nixos-container to orion	2025-07-08 20:06:01 +03:00
Dmitriy Kholkin	5401e9e068	feat: add quadlet-nix flake input	2025-07-08 20:04:02 +03:00
Dmitriy Kholkin	10036817cc	fix: add srvos input	2025-07-08 20:03:45 +03:00
Dmitriy Kholkin	8de956ae72	feat: add vaultwared service to orion	2025-07-08 20:03:12 +03:00
Dmitriy Kholkin	56fb173b71	feat: add OMV vm to orion	2025-07-08 20:00:25 +03:00
Dmitriy Kholkin	df14232cc0	feat: add libvirt-guest module to nixos	2025-07-08 20:00:08 +03:00
Dmitriy Kholkin	1296c0e998	feat: add backup config for orion	2025-07-08 19:59:19 +03:00
Dmitriy Kholkin	1ff00246d3	feat: add boot config for orion	2025-07-08 19:58:52 +03:00
Dmitriy Kholkin	90013674f6	feat: add wip orion host config	2025-07-08 19:58:35 +03:00