move some files around

hosts/monosodium-glutamate-g/configuration.nix

@@ -0,0 +1,135 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ inputs, config, pkgs, lib, ... }:
+{
+  imports = [
+      ./hardware-configuration.nix
+      ../../common.nix
+      ../../modules
+  ];
+
+  #nixpkgs = {
+    #overlays = [
+      #(self: super: {
+        #linux_zen_xeniafied = pkgs.linuxPackagesFor (pkgs.linuxKernel.kernels.linux_zen.override {
+          #structuredExtraConfig = with lib.kernel; {
+            #"FB" = yes;
+            #"FRAMEBUFFER_CONSOLE" = yes;
+            #"VGA_CONSOLE" = yes;
+            #"VIDEO_SELECT" = yes;
+            #LOGO = lib.mkForce yes;
+            #LOGO_LINUX_CLUT224 = yes;
+          #};
+          #ignoreConfigErrors = true;
+        #});
+      #})
+    #];
+  #};
+
+  jade = {
+    flatpak.enable = true;
+    desktop = {
+      enable = true;
+      compositing.enable = true;
+      creative.enable = true;
+      syncthing.enable = true;
+      kdeconnect.enable = true;
+      cloud.enable = true;
+      social.enable = true;
+      gaming.enable = true;
+      ios-compat.enable = true;
+      mail.enable = true;
+    };
+    terminal.enable = true;
+    neovim.enable = true;
+    zsh.enable = true;
+  };
+
+  # monitor control
+  services.ddccontrol.enable = true;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  # latest linux kernel
+  #boot.kernelPackages = pkgs.linuxPackages_latest;
+  #boot.kernelPackages = pkgs.linux_zen_xeniafied;
+  boot.kernelPackages = pkgs.linuxPackages_zen;
+  #boot.kernelPatches = [ 
+    #{
+      #name = "fomx";
+      #patch = ../other/0001-fomx.patch;
+    #} 
+  #];
+
+  programs.corectrl.enable = true;
+
+  networking.hostName = "monosodium-glutamate-g";
+
+  services.xserver.layout = "us";
+  services.xserver.xkbVariant = "altgr-intl";
+
+  services.openssh.settings.PermitRootLogin = "without-password";
+
+  hardware.bluetooth.enable = true;
+  hardware.keyboard.uhk.enable = true;
+  hardware.enableRedistributableFirmware = true;
+
+  # missing: menu-qalc picom-jonaburg
+  environment.systemPackages = with pkgs; [
+    # TODO: clean up.
+    libGL
+    libreoffice-fresh
+    wireshark
+
+    zenstates zenmonitor
+    nvtop-amd
+    radeontop 
+    rgp 
+  ];
+  programs.wireshark.enable = true;
+
+  environment.pathsToLink = [
+    "/share/nix-direnv"
+  ];
+
+  services.blueman.enable = true;
+
+  services.gnome.gnome-keyring.enable = true;
+  programs.seahorse.enable = true;
+  security.pam.services.jade.enableGnomeKeyring = true;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # networking.firewall.allowedTCPPorts = [ 4713 ];
+  systemd.services."NetworkManager-wait-online".enable = false;
+  services.xserver.enable = true;
+
+  systemd.services = {
+    create-swapfile = {
+      serviceConfig.Type = "oneshot";
+      wantedBy = [ "swap-swapfile.swap" ];
+      script = ''
+        swapfile="/swap/swapfile"
+        if [[ -f "$swapfile" ]]; then
+          echo "Swap file $swapfile already exists, taking no action"
+        else
+          echo "Setting up swap file $swapfile"
+          ${pkgs.coreutils}/bin/truncate -s 0 "$swapfile"
+          ${pkgs.e2fsprogs}/bin/chattr +C "$swapfile"
+        fi
+      '';
+    };
+  };
+
+  # release channel
+  system.stateVersion = "22.05"; # Did you read the comment?
+}
+
+
+

hosts/monosodium-glutamate-g/hardware-configuration.nix

@@ -0,0 +1,47 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/72ffbc9d-a319-42d7-8d26-13c921a679db";
+      fsType = "btrfs";
+      options = [ "subvol=@root" "compress=zstd:3" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/72ffbc9d-a319-42d7-8d26-13c921a679db";
+      fsType = "btrfs";
+      options = [ "subvol=@home" "compress=zstd:3"];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/D63E-18C9";
+      fsType = "vfat";
+    };
+
+  swapDevices = [{
+    device = "/swap/swapfile";
+    size = (1024 * 64) + (1024 * 8); # 72G
+  } ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp9s0.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/potatobook-g/configuration.nix

@@ -0,0 +1,235 @@
+{ inputs, config, pkgs, ... }:
+{
+  nix.settings = {
+    trusted-substituters = [
+      "https://t2linux.cachix.org"
+    ];
+    trusted-public-keys = [
+      "t2linux.cachix.org-1:P733c5Gt1qTcxsm+Bae0renWnT8OLs0u9+yfaK2Bejw="
+    ];
+  };
+  imports = [
+      # ./t2.nix
+      # "${builtins.fetchGit { url = "https://github.com/kekrby/nixos-hardware.git"; }}/apple/t2"
+      ./hardware-configuration.nix
+      ../../common.nix
+      ../../modules
+      #inputs.mms.module
+  ];
+
+  # boot.supportedFilesystems = pkgs.lib.mkForce [ "ext4" "btrfs" "squashfs" ];
+  # networking.wireless.enable = pkgs.lib.mkForce false;
+
+  # services.xserver.displayManager.autoLogin.user = pkgs.lib.mkForce "jade";
+  # users.users.jade = pkgs.lib.mkForce {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" "input" "uinput" "libvirtd" ];
+  #   packages = with pkgs; [
+  #   ];
+  # };
+
+  nixpkgs = {
+    overlays = [
+      (self: super: {
+        linux_zen_xeniafied = pkgs.linuxPackagesFor (pkgs.linuxKernel.kernels.linux_zen.override {
+          structuredExtraConfig = with lib.kernel; {
+            #"FB" = yes;
+            #"FRAMEBUFFER_CONSOLE" = yes;
+            #"VGA_CONSOLE" = yes;
+            #"VIDEO_SELECT" = yes;
+            LOGO = lib.mkForce yes;
+            LOGO_LINUX_CLUT224 = yes;
+          };
+          ignoreConfigErrors = true;
+        });
+      })
+    ];
+  };
+  boot.kernelPatches = [ 
+    {
+      name = "fomx";
+      patch = ../other/0001-fomx.patch;
+    } 
+  ];
+
+  jade = {
+    flatpak.enable = true;
+    desktop = {
+      enable = true;
+      compositing.enable = true;
+      creative.enable = true;
+      syncthing.enable = true;
+      kdeconnect.enable = true;
+      cloud.enable = true;
+      social.enable = true;
+      mail.enable = true;
+    };
+    terminal.enable = true;
+    neovim.enable = true;
+    zsh.enable = true;
+  };
+
+  fileSystems = {
+    "/".options = [ "compress=zstd:3" ];
+    "/home".options = [ "compress=zstd:3" ];
+    "/nix".options = [ "compress=zstd:3" "noatime" ];
+    #"/swap".options = [ "noatime" ];
+  };
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.networkmanager.enable = true;
+
+  networking.hostName = "potatobook-g";
+
+
+  services.xserver = {
+    resolutions = [ { x = 1920; y = 1200; } ];
+    # dpi = 180;
+    layout = "us";
+    xkbVariant = "altgr-intl";
+  };
+
+  services.autorandr = {
+    enable = true;
+    profiles = {
+      "default" = {
+        config = {
+          "eDP-1" = {
+            enable = true;
+            mode = "1920x1200";
+          };
+        };
+      };
+    };
+  };
+
+  # environment.variables = {
+  #   GDK_SCALE = "2";
+  #   GDK_DPI_SCALE = "0.5";
+  #   _JAVA_OPTIONS = "-Dsun.java2d.uiScale=2";
+  # };
+
+  hardware.keyboard.uhk.enable = true;
+  hardware.enableRedistributableFirmware = true;
+
+
+  environment.systemPackages = with pkgs; [
+    android-tools
+  ];
+
+  environment.pathsToLink = [
+    "/share/nix-direnv"
+  ];
+
+  services.blueman.enable = true;
+
+  programs.adb.enable = true;
+
+  services.gnome.gnome-keyring.enable = true;
+  programs.seahorse.enable = true;
+  security.pam.services.jade.enableGnomeKeyring = true;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # networking.firewall.allowedTCPPorts = [ 4713 ];
+  systemd.services."NetworkManager-wait-online".enable = false;
+
+  #services.modded-minecraft-servers = {
+    # This is mandatory, sorry.
+    #eula = true;
+
+    # The name will be used for the state folder and system user.
+    # In this case, the folder is `/var/lib/mc-e2es`
+    # and the user `mc-e2es`.
+    #instances = {
+      #e2es = {
+        #enable = true;
+        #jvmMaxAllocation = "7G";
+        #jvmInitialAllocation = "2G";
+        #rsyncSSHKeys = [ "" ];
+        #serverConfig = {
+          ## Port must be unique
+          #white-list = true;
+          #spawn-protection = 0;
+          #max-tick-time = 5 * 60 * 1000;
+          #allow-flight = true;
+          #server-port = 8080;
+          #motd = "Hello world";
+        #};
+      #};
+    #};
+  #};
+
+  # i rly should put that important big comment back here
+  system.stateVersion = "22.11"; # Did you read the comment?
+
+  systemd.services = {
+    create-swapfile = {
+      serviceConfig.Type = "oneshot";
+      wantedBy = [ "swap-swapfile.swap" ];
+      script = ''
+        swapfile="/swap/swapfile"
+        if [[ -f "$swapfile" ]]; then
+          echo "Swap file $swapfile already exists, taking no action"
+        else
+          echo "Setting up swap file $swapfile"
+          ${pkgs.coreutils}/bin/truncate -s 0 "$swapfile"
+          ${pkgs.e2fsprogs}/bin/chattr +C "$swapfile"
+        fi
+      '';
+    };
+  };
+
+  services.logind.extraConfig = ''
+    RuntimeDirectorySize=12G
+  '';
+
+  #networking = {
+    #nameservers = [ 
+      #"192.168.8.205" 
+    #];
+    #wireguard = {
+      #enable = true;
+      #interfaces = {
+        #wg-maxim-vpn = {
+          #privateKey = "CLcq8sCnusXz0jFHz6ODAZBD2Sn2vb9a5BCfbQGrrXk=";
+          #listenPort = 21124;
+          #ips = [
+            #"10.0.0.4/32"
+          #];
+          #peers = [
+            #{
+              #allowedIPs = [ 
+                #"10.0.0.0/24" 
+                #"192.168.8.0/24"
+                #"0.0.0.0/0"
+                #"::/0" 
+              #];
+              #endpoint = "vpn.local.germannr4.com:51820";
+              #persistentKeepalive = 25;
+              #publicKey = "coP4Hh1smQvVI52ftZFyPfmzvsKZcT/hHa8zHMrlZwE=";
+            #}
+          #];
+        #};
+      #};
+    #};
+  #};
+
+  #fileSystems."/swap" = { 
+  #  device = "/dev/disk/by-uuid/f6d243ec-6be9-4551-8cbb-aefb7b691a62";
+  #  fsType = "btrfs";
+  #  options = [ "subvol=swap" "noatime" ];
+  #};
+  #systemd.services.nix-daemon.environment.NIX_SSHOPTS = let
+    #knownHosts = pkgs.writeText "known-hosts" ''
+      #${builtins.readFile ../secret-data/ssh-desktop-knownhosts-thingies}
+    #'';
+  #in builtins.trace "-oIdentityFile=/home/jade/.ssh/id_rsa -oUserKnownHostsFile=${knownHosts}" "-v -oIdentityFile=/home/jade/.ssh/id_rsa -oUserKnownHostsFile=/home/jade/nix-configs/secret-data/ssh-desktop-knownhosts-thingies";
+}
+
+

hosts/potatobook-g/hardware-configuration.nix

@@ -0,0 +1,57 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/f6d243ec-6be9-4551-8cbb-aefb7b691a62";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/f6d243ec-6be9-4551-8cbb-aefb7b691a62";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/f6d243ec-6be9-4551-8cbb-aefb7b691a62";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/5F66-17ED";
+      fsType = "vfat";
+    };
+
+  swapDevices = [{
+    device = "/swap/swapfile";
+    size = (1024 * 12); # 12GB
+  }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0f1u1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # high-resolution display
+  hardware.video.hidpi.enable = lib.mkDefault true;
+}

hosts/potatobook-g/iso.nix

@@ -0,0 +1,9 @@
+{config, pkgs, ...}:
+{
+  imports = [
+    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
+    <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
+    ./configuration.nix
+  ];
+}
+

hosts/schrottserver/configuration.nix

@@ -0,0 +1,59 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ inputs, config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../common.nix
+      ./proxy.nix
+      ./vaultwarden.nix
+      ./nextcloud.nix
+      ./mumble.nix
+      ./microbin.nix
+      ../../modules/neovim.nix
+      ../../modules/zsh.nix
+      ../../modules/firewall.nix
+      #./synapse.nix
+      ./penpot.nix
+    ];
+
+  #systemd.services.wordsofgod-bot.enable = true;
+
+  systemd.services.wordsofgod-bot = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.ExecStart = "${inputs.wordsofgod.packages."x86_64-linux".default}/bin/wordsofgod";
+    serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";
+  };
+
+  services = {
+    openssh.permitRootLogin = "no";
+    fail2ban = {
+      enable = true;
+      bantime-increment.enable = true;
+    };
+  };
+
+  jade = {
+    neovim.enable = true;
+    zsh.enable = true;
+  };
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  environment.systemPackages = [ inputs.wordsofgod ];
+
+  networking.hostName = "schrottserver"; # Define your hostname.
+  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+
+  # default settings for stateful data; don't change unless reinstall with newer version
+  system.stateVersion = "22.11"; # Did you read the comment?
+
+}
+

hosts/schrottserver/hardware-configuration.nix

@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/e8d88849-3746-4c24-9ecd-09921645ef81";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/0107-0E2C";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/schrottserver/microbin.nix

@@ -0,0 +1,27 @@
+{ inputs, config, pkgs, ... }:
+{
+  environment.systemPackages = [ inputs.karton.defaultPackage."x86_64-linux" ];
+  systemd.services.karton = {
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    environment = {
+      #MICROBIN_AUTH_USERNAME = "jade";
+      KARTON_HASH_IDS = "";
+      KARTON_EDITABLE = "";
+      KARTON_PRIVATE = "";
+      KARTON_HIGHLIGHTSYNTAX = "";
+      KARTON_PUBLIC_PATH = "https://s10e.de";
+      KARTON_QR = "";
+      KARTON_URL_EP = "u";
+      KARTON_RAW_EP = "r";
+      KARTON_PASTA_EP = "p";
+    };
+    script = "${inputs.karton.defaultPackage."x86_64-linux"}/bin/karton";
+    #scriptArgs = "--auth-password ${builtins.readFile ../secret-data/mb-pass} --auth-username jade --editable --hash-ids --no-listing --highlightsyntax --public-path https://s10e.de --qr";
+    serviceConfig = {
+      Type = "simple";
+      RootDirectory="/";
+      WorkingDirectory = "/karton";
+    };
+  };
+}

hosts/schrottserver/mumble.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [ murmur ];
+  services.murmur = {
+    enable = true;
+    registerHostname = "mumble.schrottkatze.de";
+  };
+}

hosts/schrottserver/nextcloud.nix

@@ -0,0 +1,38 @@
+{ pkgs, ... }:
+{
+  services.nextcloud = {
+    enable = true;
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+      dbname = "nextcloud";
+      adminpassFile = "${../secret-data/nextcloud-admin-pass}";
+      adminuser = "root";
+    };
+    package = pkgs.nextcloud25;
+    extraApps = with pkgs.nextcloud25Packages.apps; { 
+      inherit bookmarks calendar contacts news tasks;
+    };
+    extraAppsEnable = true;
+    hostName = "wolke.schrottkatze.de";
+    https = true;
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [
+      { 
+        name = "nextcloud";
+        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+
+  # ensure that postgres is running *before* running the setup
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+}

hosts/schrottserver/penpot.nix

@@ -0,0 +1,75 @@
+{ pkgs, inputs, ... }:
+{
+  imports = [ inputs.arion.nixosModules.arion ];
+  virtualisation.docker.enable = true;
+  virtualisation.arion = {
+    backend = "docker";
+    projects.penpot.settings = {
+      networks.penpot.name = "penpot";
+      services = {
+        "penpot-backend".service = {
+          image = "penpotapp/backend:latest";
+          volumes = [ "/penpot_assets:/opt/data/assets" ];
+          depends_on = [ "penpot-postgres" "penpot-redis" ];
+          networks = [ "penpot" ];
+          environment = {
+            "PENPOT_FLAGS" = "enable-registration enable-login-with-password disable-email-verification enable-smtp enable-prepl-server";
+            "PENPOT_PREPL_HOST" = "0.0.0.0";
+
+            "PENPOT_PUBLIC_URI" = "https://pp.schrottkatze.de";
+
+            "PENPOT_DATABASE_URI" = "postgresql://penpot-postgres/penpot";
+            "PENPOT_DATABASE_USERNAME" = "penpot";
+            "PENPOT_DATABASE_PASSWORD" = "penpot"; 
+            "PENPOT_REDIS_URI" = "redis://penpot-redis/0";
+
+            "PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
+            "PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/opt/data/assets";
+
+            "PENPOT_TELEMETRY_ENABLED" = "false";
+
+            "PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>";
+            "PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>";
+            "PENPOT_SMTP_HOST" = "smtp.migadu.com";
+            "PENPOT_SMTP_PORT" = "587";
+            "PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
+            "PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
+            "PENPOT_SMTP_TLS" = "true";
+            "PENPOT_SMTP_SSL" = "false";
+          };
+        };
+        "penpot-frontend".service = {
+          image = "penpotapp/frontend:latest";
+          ports = [  "9001:80" ];
+          volumes = [ "/penpot_assets:/opt/data/assets" ];
+          depends_on = [ "penpot-backend" "penpot-exporter" ];
+          networks = [ "penpot" ];
+        };
+        "penpot-exporter".service = {
+          image = "penpotapp/exporter:latest";
+          networks = [ "penpot" ];
+          environment = {
+            "PENPOT_PUBLIC_URI" = "http://penpot-frontend";
+            "PENPOT_REDIS_URI" = "redis://penpot-redis/0";
+          };
+        };
+        "penpot-postgres".service = {
+          image = "postgres:15";
+          stop_signal = "SIGINT";
+          volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ];
+          networks = [ "penpot" ];
+          environment = {
+            "POSTGRES_INITDB_ARGS" = "--data-checksums";
+            "POSTGRES_DB" = "penpot";
+            "POSTGRES_USER" = "penpot";
+            "POSTGRES_PASSWORD" = "penpot";
+          };
+        };
+        "penpot-redis".service = {
+          image = "redis:7";
+          networks = [ "penpot" ];
+        };
+      };
+    };
+  };
+}

hosts/schrottserver/proxy.nix

@@ -0,0 +1,133 @@
+{ inputs, config, pkgs, ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "jade@schrottkatze.de";
+    certs = {
+      "schrottkatze.de" = {
+        group = "nginx";
+        keyType = "rsa4096";
+      };
+      "katzen.cafe" = {
+        group = "nginx";
+        keyType = "rsa4096";
+      };
+      "vw.schrottkatze.de" = {
+        group = "nginx";
+        keyType = "rsa4096";
+      };
+      "wolke.schrottkatze.de" = {
+        group = "nginx";
+        keyType = "rsa4096";
+      };
+      "s10e.de" = {
+        group = "nginx";
+        keyType = "rsa4096";
+      };
+      "synapse.schrottkatze.de" = {
+        group = "nginx";
+        keyType = "rsa4096";
+      };
+      "pp.schrottkatze.de" = {
+        group = "nginx";
+        keyType = "rsa4096";
+      };
+    };
+  };
+
+  environment.systemPackages = [ inputs.meowsite.packages."x86_64-linux".default inputs.gumseite.packages."x86_64-linux".default ];
+
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "schrottkatze.de" = {
+        forceSSL = true;
+        enableACME = true;
+        root = "${inputs.meowsite.packages."x86_64-linux".default}";
+      };
+      "katzen.cafe" = {
+        forceSSL = true;
+        enableACME = true;
+        root = "${inputs.gumseite.packages."x86_64-linux".default}";
+      };
+      "vw.schrottkatze.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:8812"; #changed the default rocket port due to some conflict
+          proxyWebsockets = true;
+        };
+        locations."/notifications/hub" = {
+          proxyPass = "http://localhost:3012";
+          proxyWebsockets = true;
+        };
+        locations."/notifications/hub/negotiate" = {
+          proxyPass = "http://localhost:8812";
+          proxyWebsockets = true;
+        };
+      };
+      "wolke.schrottkatze.de" = {
+        forceSSL = true;
+        enableACME = true;
+      };
+      "pp.schrottkatze.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:9001";
+          proxyWebsockets = true;
+        };
+      };
+      "s10e.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8080$request_uri";
+        };
+      };
+      "synapse.schrottkatze.de" = {
+        forceSSL = true;
+        enableACME = true;
+        http2 = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+        locations."~ ^(/_matrix|/_synapse/client)" = {
+          proxyPass = "http://localhost:8008";
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $host;
+            client_max_body_size 2G;
+          '';
+        };
+        extraConfig = "proxy_http_version 1.1;";
+      };
+    };
+  };
+}

hosts/schrottserver/synapse.nix

@@ -0,0 +1,33 @@
+{ pkgs, ... }:
+{
+  services = {
+    matrix-synapse = {
+      enable = true;
+      settings = {
+        server_name = "synapse.schrottkatze.de";
+      };
+    };
+    postgresql = {
+      enable = true;
+      initialScript = pkgs.writeText "synapse-init.sql" ''
+        CREATE ROLE "matrix-synapse";
+        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+          TEMPLATE template0
+          LC_COLLATE = "C"
+          LC_CTYPE = "C";
+      '';
+
+      #initdbArgs = [
+        #"--locale=C"
+        #"--encoding=UTF8"
+      #];
+      ensureDatabases = [ "matrix-synapse" ];
+      ensureUsers = [
+        { 
+          name = "matrix-synapse";
+          ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+        }
+      ];
+    };
+  };
+}

hosts/schrottserver/vaultwarden.nix

@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+{
+  services.vaultwarden = {
+    enable = true;
+    #backupDir = "/vw-backups";
+    config = {
+      DATA_FOLDER = "/var/lib/bitwarden_rs/";
+      DATABASE_URL = "/var/lib/bitwarden_rs/db.sqlite3";
+      LOG_FILE = "/var/log/bitwarden";
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_ADDRESS = "0.0.0.0";
+      WEBSOCKET_PORT = 3012;
+      SIGNUPS_VERIFY = true;
+      ROCKET_LOG = "debug";
+      ENABLE_WAL = false;
+      ADMIN_TOKEN = builtins.readFile ../secret-data/vaultwarden-admin-token;
+      DOMAIN = "https://vw.schrottkatze.de";
+      SMTP_TIMEOUT = 15;
+      ROCKET_PORT = 8812;
+    };
+  };
+}