hippocampus: headscale: change localaddress

Flake lock file updates:

• Updated input 'home-manager':
    'github:nix-community/home-manager/6cee0821577643e0b34e2c5d9a90d0b1b5cdca70' (2026-02-07)
  → 'github:nix-community/home-manager/2de7205ce6e10b031151033e69b7ef89708dc282' (2026-04-13)
• Updated input 'lix-module':
    'b90bf629bb.tar.gz?narHash=sha256-YMLrcBpf0TR5r/eaqm8lxzFPap2TxCor0ZGcK3a7%2Bb8%3D' (2025-01-18)
  → 'b90bf629bb.tar.gz?narHash=sha256-YMLrcBpf0TR5r/eaqm8lxzFPap2TxCor0ZGcK3a7%2Bb8%3D&rev=b90bf629bbd835e61f1317b99e12f8c831017006' (2025-01-18)
• Updated input 'me-emacs':
    'git+https://git.syzygial.cc/Syzygial/EmacsConfig.git?ref=refs/heads/master&rev=a82da456bdd9064a0395252935a66c8e2864a4db' (2026-01-20)
  → 'git+https://git.syzygial.cc/Syzygial/EmacsConfig.git?ref=refs/heads/master&rev=cce76e2f8f4372dd3391a76daa53c1a89b89bc40' (2026-03-03)
• Updated input 'microvm':
    'github:astro/microvm.nix/68c9f9c6ca91841f04f726a298c385411b7bfcd5' (2026-02-05)
  → 'github:astro/microvm.nix/c0a53823dbf7eb166c2fa7dc2d1e0d6cb2be7562' (2026-04-12)
• Updated input 'microvm/spectrum':
    'git+https://spectrum-os.org/git/spectrum?ref=refs/heads/main&rev=c5d5786d3dc938af0b279c542d1e43bce381b4b9' (2025-10-03)
  → 'git+https://spectrum-os.org/git/spectrum?ref=refs/heads/main&rev=fe39e122d898f66e89ffa17d4f4209989ccb5358' (2026-02-27)
• Updated input 'nix-darwin':
    'github:LnL7/nix-darwin/0d7874ef7e3ba02d58bebb871e6e29da36fa1b37' (2026-02-04)
  → 'github:LnL7/nix-darwin/06648f4902343228ce2de79f291dd5a58ee12146' (2026-04-01)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2' (2026-02-04)
  → 'github:NixOS/nixpkgs/4c1018dae018162ec878d42fec712642d214fdfa' (2026-04-09)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/17eea6f3816ba6568b8c81db8a4e6ca438b30b7c' (2026-02-03)
  → 'github:Mic92/sops-nix/d4971dd58c6627bfee52a1ad4237637c0a2fb0cd' (2026-04-13)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/6308c3b21396534d8aaeac46179c14c439a89b8a' (2026-01-30)
  → 'github:NixOS/nixpkgs/13043924aaa7375ce482ebe2494338e058282925' (2026-04-11)

flake.lock

@@ -94,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770476834,
+        "lastModified": 1776114641,
-        "narHash": "sha256-cyxgVsNfHnJ4Zn6G1EOzfTXbjTy7Ds9zMOsZaX7VZWs=",
+        "narHash": "sha256-VJMt3n9zGRzupzvlhcKIz4SpWflKh0rWfYTgmkmun0Q=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6cee0821577643e0b34e2c5d9a90d0b1b5cdca70",
+        "rev": "2de7205ce6e10b031151033e69b7ef89708dc282",
         "type": "github"
       },
       "original": {
@@ -135,7 +135,7 @@
         "narHash": "sha256-YMLrcBpf0TR5r/eaqm8lxzFPap2TxCor0ZGcK3a7+b8=",
         "rev": "b90bf629bbd835e61f1317b99e12f8c831017006",
         "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/b90bf629bbd835e61f1317b99e12f8c831017006.tar.gz"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/b90bf629bbd835e61f1317b99e12f8c831017006.tar.gz?rev=b90bf629bbd835e61f1317b99e12f8c831017006"
       },
       "original": {
         "type": "tarball",
@@ -150,11 +150,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768875255,
+        "lastModified": 1772550819,
-        "narHash": "sha256-H2fNon/y6RH+PlMxGY6X/7Qvty+LVCrjCkw8Ee15Iis=",
+        "narHash": "sha256-K6TvujvSSv+pDPAXqdabd7g9wFIkOdvHOeeFohou42A=",
         "ref": "refs/heads/master",
-        "rev": "a82da456bdd9064a0395252935a66c8e2864a4db",
+        "rev": "cce76e2f8f4372dd3391a76daa53c1a89b89bc40",
-        "revCount": 89,
+        "revCount": 94,
         "type": "git",
         "url": "https://git.syzygial.cc/Syzygial/EmacsConfig.git"
       },
@@ -171,11 +171,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1770310890,
+        "lastModified": 1775996588,
-        "narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=",
+        "narHash": "sha256-klBp+NIkJJtFHKFEHaMqwDHSK09UufDL6RJoxUZOL5Q=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5",
+        "rev": "c0a53823dbf7eb166c2fa7dc2d1e0d6cb2be7562",
         "type": "github"
       },
       "original": {
@@ -191,11 +191,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770184146,
+        "lastModified": 1775037210,
-        "narHash": "sha256-DsqnN6LvXmohTRaal7tVZO/AKBuZ02kPBiZKSU4qa/k=",
+        "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "0d7874ef7e3ba02d58bebb871e6e29da36fa1b37",
+        "rev": "06648f4902343228ce2de79f291dd5a58ee12146",
         "type": "github"
       },
       "original": {
@@ -223,11 +223,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1770197578,
+        "lastModified": 1775710090,
-        "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
+        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
+        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
         "type": "github"
       },
       "original": {
@@ -239,11 +239,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1769740369,
+        "lastModified": 1775888245,
-        "narHash": "sha256-xKPyJoMoXfXpDM5DFDZDsi9PHArf2k5BJjvReYXoFpM=",
+        "narHash": "sha256-nwASzrRDD1JBEu/o8ekKYEXm/oJW6EMCzCRdrwcLe90=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6308c3b21396534d8aaeac46179c14c439a89b8a",
+        "rev": "13043924aaa7375ce482ebe2494338e058282925",
         "type": "github"
       },
       "original": {
@@ -270,11 +270,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1770145881,
+        "lastModified": 1776119890,
-        "narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=",
+        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c",
+        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
         "type": "github"
       },
       "original": {
@@ -286,11 +286,11 @@
     "spectrum": {
       "flake": false,
       "locked": {
-        "lastModified": 1759482047,
+        "lastModified": 1772189877,
-        "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
+        "narHash": "sha256-i1p90Rgssb//aNiTDFq46ZG/fk3LmyRLChtp/9lddyA=",
         "ref": "refs/heads/main",
-        "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
+        "rev": "fe39e122d898f66e89ffa17d4f4209989ccb5358",
-        "revCount": 996,
+        "revCount": 1255,
         "type": "git",
         "url": "https://spectrum-os.org/git/spectrum"
       },

machines/hippocampus/configuration.nix

@@ -39,6 +39,7 @@
   nixpkgs.config.permittedInsecurePackages = [
     "nodejs-14.21.3"
     "openssl-1.1.1w"
+    "olm-3.2.16"
   ];
   nix.gc = {
     automatic = true;
@@ -89,7 +90,7 @@
   services.printing.enable = true;
 
   # Enable sound with pipewire.
-  hardware.pulseaudio.enable = false;
+  services.pulseaudio.enable = false;
   security.rtkit.enable = true;
   services.pipewire = {
     enable = true;
@@ -125,7 +126,8 @@
   environment.systemPackages = with pkgs; [
     firefox
 
-    screen
+    tmux
+    tio
     btop
     htop
     

machines/hippocampus/modules/containerHeadscale.nix

@@ -25,6 +25,8 @@
         authKeyFile = "/var/tailauth";
         extraUpFlags = ["--login-server" "${authServer}"];
       };
+      # Resolves https://github.com/NixOS/nixpkgs/issues/430756
+      systemd.services.tailscaled-autoconnect.serviceConfig.Type = lib.mkForce "simple";
     };
   };
 
@@ -59,19 +61,19 @@ in {
   };
 
   config = {
-    networking.bridges = {
+#    networking.bridges = {
-      "br0" = {
+#      "br0" = {
-        interfaces = [];
+#        interfaces = [];
-      };
+#      };
-    };
+#    };
-    networking.interfaces.br0.ipv4.addresses = [{
+#    networking.interfaces.br0.ipv4.addresses = [{
-      address = "10.0.0.1";
+#      address = "10.0.0.1";
-      prefixLength = 24;
+#      prefixLength = 24;
-    }];
+#    }];
     networking.nat = {
       enable = true;
       # Check for hostBridge use vb instead of ve
-      internalInterfaces = (map (n: "vb-${n}") (attrNames cfg.containers)) ++ ["br0"];
+      internalInterfaces = (map (n: "ve-${n}") (attrNames cfg.containers));
       externalInterface = "enp0s25";
       enableIPv6 = true;
     };

machines/hippocampus/oci/Wireguard.ContainerFile

@@ -1,5 +1,17 @@
 FROM alpine:3.16
-RUN apk add --no-cache bash wireguard-tools jq curl git ncurses
+RUN apk add --no-cache bash jq curl git ncurses \
+    bc \
+    coredns \
+    grep \
+    iproute2 \
+    iptables \
+    ip6tables \
+    iputils \
+    kmod \
+    net-tools \
+    nftables \
+    openresolv \
+    wireguard-tools
 RUN git clone https://github.com/pia-foss/manual-connections /manual-connections
 WORKDIR /manual-connections
-CMD bash -c "/manual-connections/run_setup.sh && watch -n 60 curl ip.me"
+CMD bash -c "/manual-connections/run_setup.sh && watch -n 1800 curl ip.me"

machines/hippocampus/oci/jelly.nix

@@ -31,7 +31,7 @@
             "radarr"
             "jellyseerr"
             "bazarr"
-            "readarr"
+            # "readarr"
             "prowlarr"
           ];
           environment = {
@@ -220,26 +220,26 @@
           ];
         };
 
-        readarr = {
+#        readarr = {
-          image = "linuxserver/readarr:nightly";
+#          image = "linuxserver/readarr:nightly";
-          volumes = [
+#          volumes = [
-            "${dataDir}:/data"
+#            "${dataDir}:/data"
-            "${configDir}/readarr:/config"
+#            "${configDir}/readarr:/config"
-          ];
+#          ];
-          ports = [
+#          ports = [
-            "8787:8787"
+#            "8787:8787"
-          ];
+#          ];
-          environment = baseEnv // {
+#          environment = baseEnv // {
-            
+#            
-          };
+#          };
-          extraOptions = [
+#          extraOptions = [
-            "--pull=newer"
+#            "--pull=newer"
-            "--network" "container:wireguard"
+#            "--network" "container:wireguard"
-          ];
+#          ];
-          dependsOn = [
+#          dependsOn = [
-            "prowlarr"
+#            "prowlarr"
-          ];
+#          ];
-        };
+#        };
 
         prowlarr = {
           image = "linuxserver/prowlarr:nightly";

machines/hippocampus/riscv.nix

@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }: {
+  # TODO: rename to emulation?
   boot.binfmt.emulatedSystems = [
-    "riscv64-linux"
+    "riscv64-linux" "aarch64-linux"
   ];
   boot.binfmt.preferStaticEmulators = true;
 }

machines/hippocampus/secrets/pass.yaml

@@ -1,6 +1,6 @@
 nextcloud:
-    adminPass: ENC[AES256_GCM,data:D2SAD/Somvw8abIm0KX4fWRfuQ==,iv:Y7K14yZZFcu97KVBd0219hwnGY4LEX2DNxxulSegr/8=,tag:aRJAlz1xvQxWodcE2bZLdQ==,type:str]
+    adminPass: ENC[AES256_GCM,data:Tz34/CW22LYNtwDNoPHq0cINRg==,iv:eSw22XtTpODEreJKSK6mM0jZWAB6qLqANYF7KesNGso=,tag:4Zp7hTv3oArx+nDIEdA7Jw==,type:str]
-    s3secret: ENC[AES256_GCM,data:lIVuiZMh376MSuu13UPCu49Q64bVbk+WM/CUEIGzV0Q=,iv:J2vHalppWEupWK07zXsMoiH6avmpsgg0Cqcc7EkZVV4=,tag:pxKwiaH5SZa8Vh71gLGQWw==,type:str]
+    s3secret: ENC[AES256_GCM,data:hv3SLDs6YW5KInUBFUPXImqwnZqjegXOv7hQFtuWI48=,iv:39R8crx5/3xdK0s8/yNMwSib2yDQcfOVg0PA7GhdiXA=,tag:J8YT12onk7DOFL7Z9OEYYQ==,type:str]
 jellyfin-pia: ENC[AES256_GCM,data:hOgUAr47FMd2QgzgXBeqv41Paqy6zn6tyWVDbF1JtqcTog/zZC4=,iv:opnxrycFszAhuMARcP48gKF6eL1ERNgWS68wO+s4CIM=,tag:fqimxKdTAh55ANKD3bp46w==,type:str]
 ddclient: ENC[AES256_GCM,data:a31MKnoEZXrj/s8z3+MP9jhQ5/sBjljZphXBJsWj5GU=,iv:YHKCartadDQa59aUf9Fw/KgdgMgsqsVLDAIh/KeqehQ=,tag:hUaUqjcX75xw6eC9axtQmw==,type:str]
 anki: ENC[AES256_GCM,data:hUBKr/s1DDorlmbHDUvHtVSumw==,iv:Ekjt6dsncinHhM+dV/mxOjErBQpgKtPOVbmwGRy9XOE=,tag:zvfV9z3QROgsk4eznmxqDw==,type:str]
@@ -19,6 +19,7 @@ tuwunelreg: ENC[AES256_GCM,data:5NJL1W6iVEwLwAUGlmCOHgVzV+9aLMrp8OXu8uVUw3SpCR5f
 coturn-secret: ENC[AES256_GCM,data:9lPM14VVk/VlmYPy4XgIaKDQgRKcoaCaszcaETCBQMmMIGSuq+G2aHqa8dtXf6Tg/Llcza+VROZYBuC9bsFwoEDtcbhFoE9S7OKrJ8bWDDI1AGTwP3j9tgExvmd0HMyqkNrb3l1cPj4/CLcSlZxxWcYVWZL2sSzKpqhKNXGeYCM=,iv:zckUJK+F95lVKZz/XoD4nmuC14FiIU1gIxe5U4abvrg=,tag:nSPxlCMS4QXBvkb6jn4EQg==,type:str]
 lk-jwt: ENC[AES256_GCM,data:6EXQbXUWsXzYwHU+KYh8FfVKoMScrbX/ITx/x128UdU1r0PmqEZ39TewmDUSlNlMsaWYRffNd8lmfF3sPZDOZzL/jNJNaTSqUKy8cPX8XF+LJqq08ZDWihvgKjcyHy6BORpe07fGp6v/otJW9XE9qujJ2QC/0MA+dJpckpfibaswfWwkL2BfmDfcq2H8Tudohg==,iv:Rm5uWOKGBKlnivGkxWokpG1YR1dxeTV+cVrDZ/3i8yE=,tag:bSeOZ7SEelDIeSGTdzRVng==,type:str]
 dawarich_smtp: ENC[AES256_GCM,data:v4VU5XGGR2rLfQZsMvbXCA==,iv:jD3EFKab7/oxxqX6O1Mfz5tA/xUOGEaBtMsHnENouBQ=,tag:JWyrensx9v97blQv49jsLQ==,type:str]
+mautrix-discord: ENC[AES256_GCM,data:LzRUuwdYs4HJfeSm9iKPNaGkx5Fqs0gPBdEhv0hbEANHw2Dsg/yioS5jWc8FymhVbO3L3lfpd+TJGH5dSRqU5cTcTJO34CyBLU+Y+bkbneI+Ri0ngfCEuuNpBjyvQhHrba1YskcgvUuHPMJejFPbfPKu7B+GNznI6mZUJmN6jvO7BweY2bTeC2zURMmMjcoNEcdDUhhlSRpOK/EUVZF3LE+MwBKz/WTJbtEi22wO+x/dIg3z8SLwZRSuUYwumZ7YyQAUHDJz/7Qy5u0uzMmAAY3WpQUICg8DykenndeXST2AopG4EsBazS9GwPX60Ri4MEnnPKNXSNHy0dH+NsuCnqNCIouOpraS3yobTaI7oJIPZoKTWoJWU2Xsh0pktdzyJbJf3kpal0lQkPbD4i31LQeJJbiPPXiouhKeaSKd2LcueGIWBgMD12phZ0Vk2t4S90oN25fByvfF9clviBKbJo/wrWTO2EeQpnrqOD9B1w6ZBowIxXwPUnfNP52sjKRjCWXakO/rSzLQs2DzXT7hN3cMdNsmHxGlIWlLDEHJIpcr49vIzHkCXZc8n412taBNxMRqLHRGFpB0Cjw9CelmZ8cnXOUbSzV06ahOeuJT2Gn+CwefAZSXtiZCnqqpb2758W1Xdw4VReenGyj6TIfTDbo5rfM2elbP/LOxf3obLRpyC4MQkqyo8geT3FjjYFXTc1jN7P/ma8U1YMdZaxdNwUxi1iVB28PhaJ60BMz7UYQW9QfmY24rX0TBaL2OKu4bSh1zeaZm7QbW0LCjBm1A08Pg8nYPZVobjfWXbCIYmsjGhH3T2/BLqqhfth+q3Oswqybi35AQR9EeSJ+tZWyCgHsPWgM8KCGyynqf8xvczSUeCro6MNQ5Jzw=,iv:Bo0FRzCPMFokZsRPwUg0vP+Azo6nr4sTkrU6O++lucU=,tag:zYPEZUkILsQTljLil5Yq5w==,type:str]
 sops:
     age:
         - recipient: age1crymppz88etsdjpckmtdhr397x5xg5wv8jt6tcj23gt2snq73pzs04fuve
@@ -30,7 +31,7 @@ sops:
             RVUzMlFya3Z0amdTUTJ5YjFRck5kZzQKoWZzExqzPRpQPL4CdqBalc1/dYtjBH6J
             LGR0oImfOWlIJwcaJLv/fc470UvXHHwIji9v/pbV7xMkgMjlJthaYg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-16T00:04:12Z"
+    lastmodified: "2026-03-24T01:33:31Z"
-    mac: ENC[AES256_GCM,data:W17ieIGhzDXcjT8xJn72K0274QN9FcMOXdB4YWeSAyxSwRmwUkuF9NzbAWZ8rH/Yva8mUgOh+OC1x4xavHI5UGBsSoUk+q9vevRd13qVE328o3JW0ZRsi3PunpmmzEYoz//z3UUxpepgcBKGTui8Fj1z5tOoNtXfEtxnHv/JY0w=,iv:8TSc+cMa+bbFqoPObnBE5KUhysmZnr1iTksc4tvUcDw=,tag:6LxuWGLQv7fSpJN0spuQ5Q==,type:str]
+    mac: ENC[AES256_GCM,data:9DI2psMKIl3mM6oBWeNHLrl+e5UY/uvE0P/Y9T2sRMVHUmbo5dmr7yCxDoQ/t6EJKUKURqh1ESH9QNqAWULJRQvMabOt+fSZwjP+d8F8cR1pAEmeIpYfnbJslvrz1uhlvdcc+HYdM9BVYJ3BC3QgQk49qhU03Mum2Vn9iHwD+FA=,iv:GNSrYPdYEnA6VoNY2OJvCdxbBasjAk2UrifumTgspJ4=,tag:uUtlcGookPmvwkDI9i2arg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

machines/hippocampus/servers/private/grafana.nix

@@ -2,7 +2,7 @@
 
 {
   services.grafana = {
-    enable = true;
+    enable = false;
 
     settings.server = {
       http_addr = "0.0.0.0";

machines/hippocampus/servers/private/miniio.nix

@@ -5,8 +5,9 @@
     autoStart = true;
 
     privateNetwork = true;
-    hostBridge = "br0";
+    #hostBridge = "br0";
-    localAddress = "10.0.0.${toString (10+n)}/24";
+    hostAddress = "10.${toString (10+n)}.0.0";
+    localAddress = "10.${toString (10+n)}.0.1";
     
     # If true it registers a new node very time
     # need to find where it stores the state

machines/hippocampus/servers/public.nix

@@ -59,5 +59,8 @@
 
     # Dawarich location tracking
     ./public/dawarich.nix
+
+     # IRC web-bouncer/client
+     ./public/irc.nix
   ];
 }

machines/hippocampus/servers/public/dawarich.nix

@@ -27,11 +27,11 @@
     ${config.services.dawarich.localDomain} = {
       extraConfig = ''
         reverse_proxy localhost:${toString config.services.dawarich.webPort}
-	encode brotli {
+#	encode brotli {
-          match {
+#          match {
-	    content_type text/css text/plain text/xml text/x-component text/javascript application/x-javascript application/javascript application/json application/manifest+json application/vnd.api+json application/xml application/xhtml+xml application/rss+xml application/atom+xml application/vnd.ms-fontobject application/x-font-ttf application/x-font-opentype application/x-font-truetype image/svg+xml image/x-icon image/vnd.microsoft.icon font/ttf font/eot font/otf font/opentype
+#	    content_type text/css text/plain text/xml text/x-component text/javascript application/x-javascript application/javascript application/json application/manifest+json application/vnd.api+json application/xml application/xhtml+xml application/rss+xml application/atom+xml application/vnd.ms-fontobject application/x-font-ttf application/x-font-opentype application/x-font-truetype image/svg+xml image/x-icon image/vnd.microsoft.icon font/ttf font/eot font/otf font/opentype
-	  }
+#	  }
-	}
+#	}
       '';
     };
   };  

machines/hippocampus/servers/public/dawarich/sources.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.1.0",
+  "version": "1.2.0",
-  "hash": "sha256-oL1XLBaSYCeP+Fn+6BlGMEgCTkwZhT1VZNamrcRXrgI=",
+  "hash": "sha256-6NlqeiG+kjpSVpg8JFvqZPvCoigzjIcF1Ru/AdMwShg=",
   "npmHash": "sha256-doBsDBsO7npHs/jyeg4xWzdauWoK6dPe8z+97IP2zxI="
 }

machines/hippocampus/servers/public/dawarich/update.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p bundix curl jq nix-update nix-prefetch-github prefetch-npm-deps gnused
+set -e
+set -o pipefail
+
+OWNER="Freika"
+REPO="dawarich"
+
+old_version=$(nix-instantiate --eval -A 'dawarich.version' default.nix | tr -d '"')
+version=$(curl -s ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} "https://api.github.com/repos/$OWNER/$REPO/releases/latest" | jq -r ".tag_name")
+
+echo "Updating to $version"
+
+if [[ "$old_version" == "$version" ]]; then
+    echo "Already up to date!"
+    exit 0
+fi
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+
+echo "Fetching source code $REVISION"
+JSON=$(nix-prefetch-github "$OWNER" "$REPO" --rev "refs/tags/$version" 2>/dev/null)
+HASH=$(echo "$JSON" | jq -r .hash)
+
+cat > "$SCRIPT_DIR/sources.json" << EOF
+{
+  "version": "$version",
+  "hash": "$HASH",
+  "npmHash": "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+}
+EOF
+
+SOURCE_DIR="$(nix-build --no-out-link -A dawarich.src)"
+
+echo "Creating gemset.nix"
+bundix --lockfile="$SOURCE_DIR/Gemfile.lock" --gemfile="$SOURCE_DIR/Gemfile" --gemset="$SCRIPT_DIR/gemset.nix"
+nixfmt "$SCRIPT_DIR/gemset.nix"
+
+NPM_HASH="$(prefetch-npm-deps "$SOURCE_DIR/package-lock.json" 2>/dev/null)"
+sed -i "s;sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=;$NPM_HASH;g" "$SCRIPT_DIR/sources.json"

machines/hippocampus/servers/public/headscale.nix

@@ -6,6 +6,7 @@
     enable = true;
     # 7000 port addresses are for internal network
     port = 7000;
+    address = "0.0.0.0"; # Access within nixos-containers
     settings = {
       server_url = "https://headscale.syzygial.cc";
       # TODO: Generate keys??
@@ -40,7 +41,7 @@
   services.caddy.virtualHosts = {
     "headscale.syzygial.cc" = {
       extraConfig = ''
-        reverse_proxy localhost:7000
+        reverse_proxy 0.0.0.0:7000
       '';
     };
   };

machines/hippocampus/servers/public/irc.nix

@@ -0,0 +1,25 @@
+{ config, pkgs, lib, ... }: {
+  services.thelounge = {
+    enable = true;
+    public = false;
+    port = 7797;
+    #plugins;
+    #package;
+    extraConfig = {
+      # Caddy RP
+      reverseProxy = true;
+      defaults = {
+        name = "Esper";
+        host = "irc.esper.net";
+        port = 6697;
+      };
+    };
+  };
+  services.caddy.virtualHosts = {
+    "irc.glia.club" = {
+      extraConfig = ''
+        reverse_proxy localhost:${toString config.services.thelounge.port}
+      '';
+    };  
+  };
+}

machines/hippocampus/servers/public/matrix/bots/discord.nix

@@ -0,0 +1,435 @@
+{ config, pkgs, lib, ... }: let
+  mautrix-discord-user = config.systemd.services.mautrix-discord.serviceConfig.User;
+in {
+  sops.secrets.mautrix-discord = {
+    owner = mautrix-discord-user;
+  };
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [
+      mautrix-discord-user
+    ];
+    ensureUsers = [
+      {
+        name = "${mautrix-discord-user}";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+  services.mautrix-discord = {
+    enable = true;
+    # Secrets stored in environmentFile
+    settings = {
+      logging = {
+        min_level = "debug";
+        writers = [{
+          type = "stdout";
+          format = "pretty-colored";
+        } {
+          type = "file";
+          format = "json";
+          filename = "./logs/mautrix-discord.log";
+          max_size = 100;
+          max_backups = 10;
+          compress = true;
+        }];           
+      };
+      homeserver = {
+        # The address that this appservice can use to connect to the homeserver.
+        address = "https://glia.club";
+        # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+        domain = "glia.club";
+
+        # What software is the homeserver running?
+        # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+        software = "standard";
+        # The URL to push real-time bridge status to.
+        # If set, the bridge will make POST requests to this URL whenever a user's discord connection state changes.
+        # The bridge will use the appservice as_token to authorize requests.
+        status_endpoint = null;
+        # Endpoint for reporting per-message status.
+        message_send_checkpoint_endpoint = null;
+        # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+        async_media = false;
+
+        # Should the bridge use a websocket for connecting to the homeserver?
+        # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+        # mautrix-asmux (deprecated), and hungryserv (proprietary).
+        websocket = false;
+        # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+        ping_interval_seconds = 0;
+      };
+      bridge = {
+        # Localpart template of MXIDs for Discord users.
+        # {{.}} is replaced with the internal ID of the Discord user.
+        username_template = "bridge_discord_{{.}}";
+        # Displayname template for Discord users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
+        # Available variables:
+        #   .ID - Internal user ID
+        #   .Username - Legacy display/username on Discord
+        #   .GlobalName - New displayname on Discord
+        #   .Discriminator - The 4 numbers after the name on Discord
+        #   .Bot - Whether the user is a bot
+        #   .System - Whether the user is an official system user
+        #   .Webhook - Whether the user is a webhook and is not an application
+        #   .Application - Whether the user is an application
+        displayname_template = "{{if .Webhook}}Webhook{{else}}{{or .GlobalName .Username}}{{if .Bot}} (bot){{end}}{{end}} (Discord DM)";
+        # Displayname template for Discord channels (bridged as rooms, or spaces when type=4).
+        # Available variables:
+        #   .Name - Channel name, or user displayname (pre-formatted with displayname_template) in DMs.
+        #   .ParentName - Parent channel name (used for categories).
+        #   .GuildName - Guild name.
+        #   .NSFW - Whether the channel is marked as NSFW.
+        #   .Type - Channel type (see values at https://github.com/bwmarrin/discordgo/blob/v0.25.0/structs.go#L251-L267)
+        channel_name_template = "{{if or (eq .Type 3) (eq .Type 4)}}{{.Name}}{{else}}#{{.Name}}{{end}} (Discord)";
+        # Displayname template for Discord guilds (bridged as spaces).
+        # Available variables:
+        #   .Name - Guild name
+        guild_name_template = "{{.Name}} (Discord)";
+        # Whether to explicitly set the avatar and room name for private chat portal rooms.
+        # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+        # If set to `always`, all DM rooms will have explicit names and avatars set.
+        # If set to `never`, DM rooms will never have names and avatars set.
+        private_chat_portal_meta = "default";
+
+        # Publicly accessible base URL that Discord can use to reach the bridge, used for avatars in relay mode.
+        # If not set, avatars will not be bridged. Only the /mautrix-discord/avatar/{server}/{id}/{hash} endpoint is used on this address.
+        # This should not have a trailing slash, the endpoint above will be appended to the provided address.
+        public_address = "https://discord.bridge.matrix.glia.club";
+        # A random key used to sign the avatar URLs. The bridge will only accept requests with a valid signature.
+        avatar_proxy_key = "generate";
+
+        portal_message_buffer = 128;
+
+        # Number of private channel portals to create on bridge startup.
+        # Other portals will be created when receiving messages.
+        startup_private_channel_create_limit = 5;
+        # Should the bridge send a read receipt from the bridge bot when a message has been sent to Discord?
+        delivery_receipts = false;
+        # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+        message_status_events = false;
+        # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+        message_error_notices = true;
+        # Should the bridge use space-restricted join rules instead of invite-only for guild rooms?
+        # This can avoid unnecessary invite events in guild rooms when members are synced in.
+        restricted_rooms = false;
+        # Should the bridge automatically join the user to threads on Discord when the thread is opened on Matrix?
+        # This only works with clients that support thread read receipts (MSC3771 added in Matrix v1.4).
+        autojoin_thread_on_open = true;
+        # Should inline fields in Discord embeds be bridged as HTML tables to Matrix?
+        # Tables aren't supported in all clients, but are the only way to emulate the Discord inline field UI.
+        embed_fields_as_tables = true;
+        # Should guild channels be muted when the portal is created? This only meant for single-user instances,
+        # it won't mute it for all users if there are multiple Matrix users in the same Discord guild.
+        mute_channels_on_create = false;
+        # Should the bridge update the m.direct account data event when double puppeting is enabled.
+        # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+        # and is therefore prone to race conditions.
+        sync_direct_chat_list = false;
+        # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+        # This field will automatically be changed back to false after it, except if the config file is not writable.
+        resend_bridge_info = false;
+        # Should incoming custom emoji reactions be bridged as mxc:// URIs?
+        # If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image won't be available.
+        custom_emoji_reactions = true;
+        # Should the bridge attempt to completely delete portal rooms when a channel is deleted on Discord?
+        # If true, the bridge will try to kick Matrix users from the room. Otherwise, the bridge only makes ghosts leave.
+        delete_portal_on_channel_delete = false;
+        # Should the bridge delete all portal rooms when you leave a guild on Discord?
+        # This only applies if the guild has no other Matrix users on this bridge instance.
+        delete_guild_on_leave = true;
+        # Whether or not created rooms should have federation enabled.
+        # If false, created portal rooms will never be federated.
+        federate_rooms = false;
+        # Prefix messages from webhooks with the profile info? This can be used along with a custom displayname_template
+        # to better handle webhooks that change their name all the time (like ones used by bridges).
+        #
+        # This will use the fallback mode in MSC4144, which means clients that support MSC4144 will not show the prefix
+        # (and will instead show the name and avatar as the message sender).
+        prefix_webhook_messages = true;
+        # Bridge webhook avatars?
+        enable_webhook_avatars = true;
+        # Should the bridge upload media to the Discord CDN directly before sending the message when using a user token,
+        # like the official client does? The other option is sending the media in the message send request as a form part
+        # (which is always used by bots and webhooks).
+        use_discord_cdn_upload = true;
+        # Proxy for Discord connections
+        proxy = "";
+        # Should mxc uris copied from Discord be cached?
+        # This can be `never` to never cache, `unencrypted` to only cache unencrypted mxc uris, or `always` to cache everything.
+        # If you have a media repo that generates non-unique mxc uris, you should set this to never.
+        cache_media = "unencrypted";
+        # Settings for converting Discord media to custom mxc:// URIs instead of reuploading.
+        # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
+        direct_media = {
+          # Should custom mxc:// URIs be used instead of reuploading media?
+          enabled = true;
+          # The server name to use for the custom mxc:// URIs.
+          # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
+          # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
+          server_name = "discord.bridge.matrix.glia.club";
+          # Optionally a custom .well-known response. This defaults to `server_name:443`
+          # well_known_response = "";
+          # The bridge supports MSC3860 media download redirects and will use them if the requester supports it.
+          # Optionally, you can force redirects and not allow proxying at all by setting this to false.
+          allow_proxy = true;
+        };
+        # Settings for converting animated stickers.
+        animated_sticker = {
+          # Format to which animated stickers should be converted.
+          # disable - No conversion, send as-is (lottie JSON)
+          # png - converts to non-animated png (fastest)
+          # gif - converts to animated gif
+          # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
+          # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
+          target = "webp";
+          # Arguments for converter. All converters take width and height.
+          args = {
+            width = 320;
+            height = 320;
+            fps = 25; # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
+          };
+        };
+        # Servers to always allow double puppeting from
+        double_puppet_server_map = {
+          "glia.club" = "https://glia.club";
+        };
+        # Allow using double puppeting from any server with a valid client .well-known file.
+        double_puppet_allow_discovery = false;
+        # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+        #
+        # If set, double puppeting will be enabled automatically for local users
+        # instead of users having to find an access token and run `login-matrix`
+        # manually.
+        login_shared_secret_map = {
+          "glia.club" = "as_token:$MAUTRIX_DISCORD_DOUBLE_PUPPET";
+        };
+
+        # The prefix for commands. Only required in non-management rooms.
+        command_prefix = "!discord";
+        # Messages sent upon joining a management room.
+        # Markdown is supported. The defaults are listed below.
+        management_room_text = {
+          # Sent when joining a room.
+          welcome = "Hello, I'm a Discord bridge bot.";
+          # Sent when joining a management room and the user is already logged in.
+          welcome_connected = "Use `help` for help.";
+          # Sent when joining a management room and the user is not logged in.
+          welcome_unconnected = "Use `help` for help or `login` to log in.";
+          # Optional extra text sent when joining a management room.
+          additional_help = "";
+        };
+
+        # Settings for backfilling messages.
+        backfill = {
+          # Limits for forward backfilling.
+          forward_limits = {
+            # Initial backfill (when creating portal). 0 means backfill is disabled.
+            # A special unlimited value is not supported, you must set a limit. Initial backfill will
+            # fetch all messages first before backfilling anything, so high limits can take a lot of time.
+            initial = {
+              dm = 5000;
+              channel = 5000;
+              thread = 5000;
+            };
+            # Missed message backfill (on startup).
+            # 0 means backfill is disabled, -1 means fetch all messages since last bridged message.
+            # When using unlimited backfill (-1), messages are backfilled as they are fetched.
+            # With limits, all messages up to the limit are fetched first and backfilled afterwards.
+            missed = {
+              dm = -1;
+              channel = -1;
+              thread = -1;
+            };
+            # Maximum members in a guild to enable backfilling. Set to -1 to disable limit.
+            # This can be used as a rough heuristic to disable backfilling in channels that are too active.
+            # Currently only applies to missed message backfill.
+            max_guild_members = -1;
+          };
+        };
+
+        # End-to-bridge encryption support options.
+        #
+        # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+        encryption = {
+          # Allow encryption, work in group chat rooms with e2ee enabled
+          allow = false;
+          # Default to encryption, force-enable encryption in all portals the bridge creates
+          # This will cause the bridge bot to be in private chats for the encryption to work properly.
+          default = false;
+          # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+          # Changing this option requires updating the appservice registration file.
+          appservice = false;
+          # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
+          # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+          # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
+          # Changing this option requires updating the appservice registration file.
+          msc4190 = false;
+          # Require encryption, drop any unencrypted messages.
+          require = false;
+          # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+          # You must use a client that supports requesting keys from other users to use this feature.
+          allow_key_sharing = false;
+          # Should users mentions be in the event wire content to enable the server to send push notifications?
+          plaintext_mentions = false;
+          # Options for deleting megolm sessions from the bridge.
+          delete_keys = {
+            # Beeper-specific: delete outbound sessions when hungryserv confirms
+            # that the user has uploaded the key to key backup.
+            delete_outbound_on_ack = false;
+            # Don't store outbound sessions in the inbound table.
+            dont_store_outbound = false;
+            # Ratchet megolm sessions forward after decrypting messages.
+            ratchet_on_decrypt = false;
+            # Delete fully used keys (index >= max_messages) after decrypting messages.
+            delete_fully_used_on_decrypt = false;
+            # Delete previous megolm sessions from same device when receiving a new one.
+            delete_prev_on_new_session = false;
+            # Delete megolm sessions received from a device when the device is deleted.
+            delete_on_device_delete = false;
+            # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+            periodically_delete_expired = false;
+            # Delete inbound megolm sessions that don't have the received_at field used for
+            # automatic ratcheting and expired session deletion. This is meant as a migration
+            # to delete old keys prior to the bridge update.
+            delete_outdated_inbound = false;
+          };
+          # What level of device verification should be required from users?
+          #
+          # Valid levels:
+          #   unverified - Send keys to all device in the room.
+          #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+          #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+          #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+          #                           Note that creating user signatures from the bridge bot is not currently possible.
+          #   verified - Require manual per-device verification
+          #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+          verification_levels = {
+            # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
+            receive = "unverified";
+            # Minimum level that the bridge should accept for incoming Matrix messages.
+            send = "unverified";
+            # Minimum level that the bridge should require for accepting key requests.
+            share = "cross-signed-tofu";
+          };
+          # Options for Megolm room key rotation. These options allow you to
+          # configure the m.room.encryption event content. See:
+          # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+          # more information about that event.
+          rotation = {
+            # Enable custom Megolm room key rotation settings. Note that these
+            # settings will only apply to rooms created after this option is
+            # set.
+            enable_custom = false;
+            # The maximum number of milliseconds a session should be used
+            # before changing it. The Matrix spec recommends 604800000 (a week)
+            # as the default.
+            milliseconds = 604800000;
+            # The maximum number of messages that should be sent with a given a
+            # session before changing it. The Matrix spec recommends 100 as the
+            # default.
+            messages = 100;
+
+            # Disable rotating keys when a user's devices change?
+            # You should not enable this option unless you understand all the implications.
+            disable_device_change_key_rotation = false;
+          };
+        };
+
+        # Settings for provisioning API
+        provisioning = {
+          # Prefix for the provisioning API paths.
+          prefix = "/_matrix/provision";
+          # Shared secret for authentication. If set to "generate", a random secret will be generated,
+          # or if set to "disable", the provisioning API will be disabled.
+          shared_secret = "generate";
+          # Enable debug API at /debug with provisioning authentication.
+          debug_endpoints = false;
+        };
+
+        # Permissions for using the bridge.
+        # Permitted values:
+        #    relay - Talk through the relaybot (if enabled), no access otherwise
+        #     user - Access to use the bridge to chat with a Discord account.
+        #    admin - User level and some additional administration tools
+        # Permitted keys:
+        #        * - All Matrix users
+        #   domain - All users on that homeserver
+        #     mxid - Specific user
+        permissions = {
+          "*" = "relay";
+          "glia.club" = "user";
+          "@admin:glia.club" = "admin";
+          "@cyborgpotato:glia.club" = "admin";
+        };
+      };
+      appservice = {
+        # The address that the homeserver can use to connect to this appservice.
+        address = "http://localhost:${toString config.services.mautrix-discord.settings.appservice.port}";
+
+        # The hostname and port where this appservice should listen.
+        hostname = "0.0.0.0";
+        port = 7193;
+
+        # Database config.
+        # See definition at top of file
+        database = {
+          # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+          type = "postgres";
+          # The database URI.
+          #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
+          #           https://github.com/mattn/go-sqlite3#connection-string
+          #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+          #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+          uri = "postgres:///${mautrix-discord-user}?host=/var/run/postgresql";
+          # Maximum number of connections. Mostly relevant for Postgres.
+          max_open_conns = 20;
+          max_idle_conns = 2;
+          # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+          # Parsed with https://pkg.go.dev/time#ParseDuration
+          max_conn_idle_time = null;
+          max_conn_lifetime = null;
+        };
+
+        # The unique ID of this appservice.
+        id = "discord";
+        # Appservice bot details.
+        bot = {
+          # Username of the appservice bot.
+          username = "discordbot";
+          # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+          # to leave display name/avatar as-is.
+          displayname = "Discord bridge bot";
+          avatar = "mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC";
+        };
+
+        # Whether or not to receive ephemeral events via appservice transactions.
+        # Requires MSC2409 support (i.e. Synapse 1.22+).
+        ephemeral_events = true;
+
+        # Should incoming events be handled asynchronously?
+        # This may be necessary for large public instances with lots of messages going through.
+        # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+        async_transactions = false;
+
+        # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+        as_token = "$MAUTRIX_DISCORD_APPSERVICE_AS_TOKEN";
+        hs_token = "$MAUTRIX_DISCORD_APPSERVICE_HS_TOKEN";
+      };
+    };
+    serviceDependencies = [ config.services.mautrix-discord.registrationServiceUnit ]
+                          ++ (lib.lists.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
+                          ++ (lib.lists.optional config.services.matrix-conduit.enable "matrix-conduit.service")
+                          ++ (lib.lists.optional config.services.matrix-continuwuity.enable "matrix-continuwuity.service")
+                          ++ (lib.lists.optional config.services.matrix-tuwunel.enable "matrix-tuwunel.service")
+                          ++ (lib.lists.optional config.services.dendrite.enable "dendrite.service");
+    environmentFile = config.sops.secrets.mautrix-discord.path;
+  };
+  services.caddy.virtualHosts = {
+    "${config.services.mautrix-discord.settings.bridge.direct_media.server_name}" = {
+      extraConfig = ''
+        reverse_proxy localhost:${toString config.services.mautrix-discord.settings.appservice.port}
+      '';
+    };
+  };
+}

machines/hippocampus/servers/public/matrix/server.nix

@@ -2,6 +2,7 @@
   imports = [
     # Real Time Communication
     ./rtc.nix
+    ./bots/discord.nix
   ];
   sops.secrets.tuwunelreg = {
     owner = config.services.matrix-tuwunel.user;
@@ -29,6 +30,9 @@
           client = "https://glia.club";
           server = "glia.club:443";
         };
+
+        # TODO: Configure more in detail/for safety:
+        url_preview_domain_contains_allowlist = ["*"];
       };
     };
   };

machines/hippocampus/servers/public/nextcloud.nix

@@ -13,7 +13,7 @@ in {
   
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud32;
+    package = pkgs.nextcloud33;
     hostName = "localhost";
     settings = {
       trusted_domains = [
@@ -41,7 +41,7 @@ in {
       objectstore.s3 = {
         enable = true;
         bucket = "nextcloud";
-        autocreate = false;
+        verify_bucket_exists = false;
         key = "nextcloud";
         secretFile = config.sops.secrets."nextcloud/s3secret".path;
         region = "us-east-1";
@@ -78,7 +78,7 @@ in {
       ffmpeg_7-headless
       # required for recognize app
       nodejs_20 # runtime and installation requirement
-      nodejs_20.pkgs.node-pre-gyp # installation requirement
+      node-pre-gyp # installation requirement
       util-linux # runtime requirement for taskset
     ];
   };

machines/hippocampus/servers/public/tandoor.nix

@@ -10,10 +10,12 @@ in {
       SECRET_KEY = config.sops.secrets.tandoor-secret.path;
       DB_ENGINE = "django.db.backends.postgresql";
       POSTGRES_HOST = "127.0.0.1";
-      POSTGRES_PORT = config.services.postgresql.port;
+      POSTGRES_PORT = config.services.postgresql.settings.port;
       POSTGRES_USER = tandoor_user;
       POSTGRES_DB = tandoor_user;
+      MEDIA_ROOT = "/var/lib/tandoor-recipes/media";
       ENABLE_SIGNUP = "1";
+      ALLOWED_HOSTS = "tandoor.syzygial.cc";
     };
   };
 

machines/universedesktop/configuration.nix

@@ -67,7 +67,7 @@
 
     networking.wireless.enable = true;
     networking.wireless.networks = {
-      "BELL422 5G".pskRaw = "ext:PSK_HOME";
+      # "BELL422 5G".pskRaw = "ext:PSK_HOME";
       "BELL422".pskRaw = "ext:PSK_HOME";
     };
 

machines/universedesktop/programs/desktop.nix

@@ -14,6 +14,8 @@
     "openssl-1.1.1v"
   ];
 
+  services.gnome.gnome-keyring.enable = true;
+  
   environment.systemPackages = with pkgs; [
       firefox
       chromium
@@ -25,6 +27,8 @@
       kdePackages.kdeconnect-kde
 
       discord
+      signal-desktop
+      element-desktop
       zoom-us
 
       anki