Many many changes

2024-05-21 23:16:02 -07:00 · 2024-05-21 23:16:02 -07:00 · 8e184394f2
parent 893b7e812e
commit 8e184394f2
31 changed files with 7463 additions and 1443 deletions
--- a/config/domain-config/fudo.org.nix
+++ b/config/domain-config/fudo.org.nix
@ -14,7 +14,8 @@ let
  domain = config.fudo.domains."${localDomain}";
  authentikHost = "legatus";
-  authentikImage = "ghcr.io/goauthentik/server:2023.10.7";
+  authentikVersion = "2024.2.3";
  authentikImage = "ghcr.io/goauthentik/server:${authentikVersion}";
  primaryNameserver = "germany";
@ -87,7 +88,7 @@ in {
      ldapBindPwFile = domainSecrets."ldap-bind.passwd";
      saslDomain = "FUDO.ORG";
      authentikOutpostToken = domainSecrets."authentik-ldap.token";
-      inherit servedDomains;
+      inherit servedDomains authentikVersion;
      dkimRecord = ''
        mail._domainkey IN TXT ( "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwoCgHwsfuu0lhj9Ayj4ntoy0bdcGBNsV46qoKbd8E8FKsJF5rL4EoytwXEFcKJwT3E+o3/BsZGi9J5irtjlfIhnxnPlhVRS3R/834NDSQyuwGTxAfhPOklhA0cTYA+4x2oGwAuraz+On2REDeSymMccXFDsTugEHVvn6qaeqkJwIDAQAB" );'';
    }))
@ -97,6 +98,8 @@ in {
    systemd.services = { lemmy.after = [ "postgresql.service" ]; };
    services = {
      tailscale.enable = true;
      immichContainer = mkIf (hostname == immichHost) {
        enable = true;
        images = let immichVersion = "v1.94.1";
--- a/config/domain-config/fudo.org/mail-server.nix
+++ b/config/domain-config/fudo.org/mail-server.nix
@ -1,6 +1,6 @@
 { primaryMailserver, primaryDomain, authentikServer, servedDomains, ldapBase
-, ldapBindDn, ldapBindPwFile, dkimRecord, saslDomain, authentikOutpostToken, ...
+, ldapBindDn, ldapBindPwFile, dkimRecord, saslDomain, authentikOutpostToken
-}:
+, authentikVersion, ... }:
 { config, lib, pkgs, ... }:
@ -94,6 +94,7 @@ in {
          bind-dn = ldapBindDn;
          bind-password-file = ldapBindPwFile;
        };
        images.ldap-proxy = "ghcr.io/goauthentik/ldap:${authentikVersion}";
        aliases = let admins = config.instance.local-admins;
        in {
          alias-users = {
--- a/config/domain-config/sea.fudo.org.nix
+++ b/config/domain-config/sea.fudo.org.nix
@ -6,6 +6,7 @@ let
  hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
  domainName = "sea.fudo.org";
  domainSecrets = config.fudo.secrets.files.domain-secrets."${domainName}";
  frigateExternalHost = "sea-cam.fudo.link";
  frigateHost = "zbox";
@ -14,7 +15,11 @@ let
    pkgs.lib.passwd.stablerandom-passwd-file "frigate-mqtt-passwd"
    config.instance.build-seed;
-  immichHost = "toothless";
+  immichHost = "cartus";
  immichMlHost = "toothless";
  immichVersion = "v1.105.1";
  mabelHost = "zbox";
 in {
  imports = [ ./sea.fudo.org/8bitdo.nix ];
@ -22,6 +27,18 @@ in {
  config = {
    fudo = {
      services = {
        mabel = {
          enable = true;
          verbose = true;
          mabel-host = mabelHost;
          matrix = {
            domain = "fudo.im";
            username = "mabel";
            token-file = domainSecrets."mabel-matrix.token";
            channel = "#thecitadel:fudo.im";
          };
        };
        metrics = {
          private-network = true;
          grafana.oauth = {
@ -39,36 +56,52 @@ in {
          acl = [ "frigate/#" ];
        };
      };
-      zones."sea.fudo.org".aliases = {
+      zones."${domainName}".aliases = {
        chat = "nostromo";
        frigate = "zbox";
        immich = immichHost;
        immich-ml = immichMlHost;
      };
    };
    services = {
      tailscale.enable = true;
      immichContainer = mkIf (hostname == immichHost) {
        enable = true;
-        images = let immichVersion = "v1.94.1";
+        images = let pgVectoVersion = "v0.2.1";
        in {
          immich = "ghcr.io/immich-app/immich-server:${immichVersion}";
          immich-ml =
            "ghcr.io/immich-app/immich-machine-learning:${immichVersion}";
          redis = "redis:6.2-alpine";
-          postgresql = "tensorchord/pgvecto-rs:pg14-v0.1.11";
+          postgresql = "tensorchord/pgvecto-rs:pg14-${pgVectoVersion}";
        };
      };
-      nginx = mkIf (hostname == immichHost) {
+      immichMlContainer = mkIf (hostname == immichMlHost) {
        enable = true;
        hostnames = [ "immich-ml.${domainName}" "immich-ml.fudo.ninja" ];
        port = 3923;
        immich-version = immichVersion;
      };
      nginx = {
        enable = true;
        recommendedOptimisation = true;
        recommendedGzipSettings = true;
        recommendedProxySettings = true;
-        virtualHosts."immich.${domainName}".locations."/" = {
+        virtualHosts = {
-          proxyPass = "http://${immichHost}.${domainName}:${
+          "immich.${domainName}".locations."/" = mkIf (hostname == immichHost) {
-              toString config.services.immichContainer.port
+            proxyPass = "http://127.0.0.1:${
-            }/";
+                toString config.services.immichContainer.port
-          recommendedProxySettings = true;
+              }/";
            recommendedProxySettings = true;
          };
          "pics.fudo.ninja".locations."/" = mkIf (hostname == immichHost) {
            proxyPass = "http://127.0.0.1:${
                toString config.services.immichContainer.port
              }/";
            recommendedProxySettings = true;
          };
        };
      };
@ -82,13 +115,13 @@ in {
            default = cam == "cam-driveway";
            streams = {
              low =
-                "rtsp://frigate:{FRIGATE_RTSP_PASSWORD}@${cam}.sea.fudo.org:554/cam/realmonitor?channel=1&subtype=0";
+                "rtsp://frigate:{FRIGATE_RTSP_PASSWORD}@${cam}.${domainName}:554/cam/realmonitor?channel=1&subtype=0";
              high =
-                "rtsp://frigate:{FRIGATE_RTSP_PASSWORD}@${cam}.sea.fudo.org:554/cam/realmonitor?channel=1&subtype=0";
+                "rtsp://frigate:{FRIGATE_RTSP_PASSWORD}@${cam}.${domainName}:554/cam/realmonitor?channel=1&subtype=0";
            };
          });
        camera-password-file =
-          config.fudo.secrets.files.domain-secrets."sea.fudo.org".seattle-camera-password;
+          config.fudo.secrets.files.domain-secrets."${domainName}".seattle-camera-password;
        mqtt = {
          host = config.fudo.services.mqtt.mqtt-hostname;
          port = config.fudo.services.mqtt.private.port;
--- a/config/hardware/cartus.nix
+++ b/config/hardware/cartus.nix
@ -0,0 +1,73 @@
 { config, lib, pkgs, ... }:
 {
  system.stateVersion = "23.11";
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    initrd = {
      availableKernelModules =
        [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
      kernelModules = [ ];
    };
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };
  fileSystems = {
    "/" = {
      device = "cartus-root";
      fsType = "tmpfs";
      options = [ "mode=755" "noexec" ];
    };
    "/boot" = {
      device = "/dev/disk/by-label/CARTUS-BOOT";
      fsType = "vfat";
      options = [ "noexec" "noatime" ];
    };
    "/state" = {
      device = "/dev/disk/by-label/cartus-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@state" ];
    };
    "/nix" = {
      device = "/dev/disk/by-label/cartus-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "subvol=@nix" ];
    };
    "/var/log" = {
      device = "/dev/disk/by-label/cartus-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@log" ];
    };
    "/var/lib/tailscale" = {
      device = "/dev/disk/by-label/cartus-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
    };
    "/var/lib/containers" = {
      device = "/dev/disk/by-label/cartus-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@containers" ];
    };
  };
  hardware = {
    bluetooth.enable = false;
    cpu.intel.updateMicrocode = true;
  };
  services.xserver.videoDrivers = [ "intel" ];
  nix.settings.max-jobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }
--- a/config/hardware/germany.nix
+++ b/config/hardware/germany.nix
@ -89,6 +89,12 @@ in {
      options = [ "subvol=@container-data" "noatime" "compress=zstd" "noexec" ];
    };
    "/var/lib/tailscale" = {
      device = "/dev/disk/by-label/germany-data";
      fsType = "btrfs";
      options = [ "subvol=@tailscale" "noatime" "compress=zstd" "noexec" ];
    };
    ## BROKEN!
    # "/store" = {
    #   device = lib.concatStringsSep ":" [
--- a/config/hardware/jazz.nix
+++ b/config/hardware/jazz.nix
@ -53,6 +53,12 @@
      fsType = "btrfs";
      options = [ "subvol=@log" "noatime" "compress=zstd" "noexec" ];
    };
    "/var/lib/tailscale" = {
      device = "/dev/disk/by-label/jazz-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
    };
  };
  swapDevices = [{ device = "/dev/disk/by-label/jazz-swap"; }];
--- a/config/hardware/lambda.nix
+++ b/config/hardware/lambda.nix
@ -71,6 +71,12 @@ in {
        fsType = "btrfs";
        options = [ "noatime" "compress=zstd" "noexec" "subvol=@log" ];
      };
      "/var/lib/tailscale" = {
        device = "/dev/mapper/lambda-unlocked";
        fsType = "btrfs";
        options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
      };
    };
    swapDevices = [{
--- a/config/hardware/legatus.nix
+++ b/config/hardware/legatus.nix
@ -58,12 +58,11 @@ with lib; {
      options = [ "subvol=@container-data" "noatime" "compress=zstd" "noexec" ];
    };
-    # "/var/lib/acme" = {
+    "/var/lib/tailscale" = {
-    #   device = "/dev/disk/by-label/system";
+      device = "/dev/disk/by-label/legatus-data";
-    #   fsType = "btrfs";
+      fsType = "btrfs";
-    #   options =
+      options = [ "subvol=@tailscale" "noatime" "compress=zstd" "noexec" ];
-    #     [ "subvol=@acme" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+    };
    # };
  };
  swapDevices = [{ device = "/dev/disk/by-label/legatus-swap"; }];
--- a/config/hardware/system3.nix
+++ b/config/hardware/system3.nix
@ -67,6 +67,12 @@ in {
      fsType = "btrfs";
      options = [ "subvol=@home" "compress=zstd" "noatime" ];
    };
    "/var/lib/tailscale" = {
      device = "/dev/disk/by-label/system3-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
    };
  };
  swapDevices = [{ device = "/dev/disk/by-label/system3-swap"; }];
--- a/config/hardware/toothless.nix
+++ b/config/hardware/toothless.nix
@ -53,6 +53,18 @@
      fsType = "btrfs";
      options = [ "subvol=@log" "noatime" "compress=zstd" "noexec" ];
    };
    "/var/lib/tailscale" = {
      device = "/dev/disk/by-label/toothless-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
    };
    "/var/lib/containers" = {
      device = "/dev/disk/by-label/toothless-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@containers" ];
    };
  };
  swapDevices = [{ device = "/dev/disk/by-label/toothless-swap"; }];
@ -66,7 +78,7 @@
    useDHCP = false;
    macvlans = {
      intif0 = {
-        interface = "enp42s0";
+        interface = "enp6s0";
        mode = "bridge";
      };
    };
--- a/config/hardware/wormhole0.nix
+++ b/config/hardware/wormhole0.nix
@ -66,6 +66,12 @@ with lib; {
      options =
        [ "subvol=@var" "compress=zstd" "noatime" "nodiratime" "noexec" ];
    };
    "/var/lib/tailscale" = {
      device = "/dev/disk/by-label/wormhole0-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
    };
  };
  swapDevices = [{ device = "/dev/disk/by-label/wormhole0-swap"; }];
--- a/config/hardware/zbox.nix
+++ b/config/hardware/zbox.nix
@ -60,6 +60,12 @@
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" ];
    };
    "/var/lib/tailscale" = {
      device = "/dev/disk/by-label/zbox-data";
      fsType = "btrfs";
      options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
    };
  };
  swapDevices = [{ device = "/dev/disk/by-label/zbox-swap"; }];
--- a/config/host-config/cartus.nix
+++ b/config/host-config/cartus.nix
@ -0,0 +1,44 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  stateDir = "/state";
  hostname = "cartus";
  siteName = config.fudo.hosts."${hostname}".site;
 in {
  config = {
    networking = {
      interfaces.enp3s0 = {
        ipv4.addresses = [{
          address = pkgs.lib.getHostIpv4 hostname;
          prefixLength = pkgs.lib.getSiteV4PrefixLength siteName;
        }];
      };
      firewall.enable = false;
      defaultGateway = {
        address = pkgs.lib.getSiteGatewayV4 siteName;
        interface = "enp3s0";
      };
    };
    virtualisation = {
      arion.backend = "podman-socket";
      podman = {
        enable = true;
        autoPrune.enable = true;
        dockerSocket.enable = true;
        dockerCompat = true;
        defaultNetwork.settings = {
          dns_enabled = true;
          network_dns_servers = [ "1.1.1.1" "8.8.4.4" ];
        };
      };
    };
    services.immichContainer = {
      state-directory = "/state/immich/state";
      store-directory = "/state/immich/store";
    };
  };
 }
--- a/config/host-config/fimbria.nix
+++ b/config/host-config/fimbria.nix
@ -14,6 +14,7 @@ let
 in {
  config = {
    networking = {
      enableIPv6 = true;
      interfaces = {
        enp1s0.useDHCP = true;
        intif0 = {
@ -31,7 +32,6 @@ in {
          };
        };
      };
      enableIPv6 = false;
      firewall = {
        # Until it becomes the gateway, this is necessary
@ -40,25 +40,28 @@ in {
        allowedUDPPorts = [ 25565 34197 ];
      };
-      nat.forwardPorts = [
+      nat = {
-        # Minecraft
+        enableIPv6 = true;
-        {
+        forwardPorts = [
-          destination = "10.0.0.12:25555";
+          # Minecraft
-          proto = "tcp";
+          {
-          sourcePort = 25565;
+            destination = "10.0.0.12:25555";
-        }
+            proto = "tcp";
-        {
+            sourcePort = 25565;
-          destination = "10.0.0.12:25555";
+          }
-          proto = "udp";
+          {
-          sourcePort = 25565;
+            destination = "10.0.0.12:25555";
-        }
+            proto = "udp";
-        # Factorio
+            sourcePort = 25565;
-        {
+          }
-          destination = "10.0.0.12:34197";
+          # Factorio
-          proto = "udp";
+          {
-          sourcePort = 34197;
+            destination = "10.0.0.12:34197";
-        }
+            proto = "udp";
-      ];
+            sourcePort = 34197;
          }
        ];
      };
    };
    virtualisation = {
--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@ -142,17 +142,6 @@ in {
        };
        auth.kerberos.state-directory = "/state/services/heimdal-kdc";
        # wireguard-gateway = {
        #   enable = true;
        #   network = "10.0.200.0/24";
        #   peers = {
        #     niten-phone = {
        #       public-key = "";
        #       assigned-ip = "10.0.200.2";
        #     };
        #   };
        # };
      };
    };
--- a/config/host-config/nostromo.nix
+++ b/config/host-config/nostromo.nix
@ -80,26 +80,26 @@ in {
  fudo = let host-secrets = config.fudo.secrets.host-secrets."${hostname}";
  in {
-    secrets.host-secrets.${hostname} = {
+    # secrets.host-secrets.${hostname} = {
-      pricebot-auth-token = {
+    #   pricebot-auth-token = {
-        source-file =
+    #     source-file =
-          config.fudo.secrets.files.service-secrets.nostromo."pricebot-auth.token";
+    #       config.fudo.secrets.files.service-secrets.nostromo."pricebot-auth.token";
-        target-file = "/run/services/pricebot/auth.token";
+    #     target-file = "/run/services/pricebot/auth.token";
-        user = "root";
+    #     user = "root";
-      };
+    #   };
-    };
+    # };
-    pricebot = {
+    # pricebot = {
-      enable = true;
+    #   enable = true;
-      mattermost-url = "https://chat.fudo.org";
+    #   mattermost-url = "https://chat.fudo.org";
-      mattermost-auth-token-file = host-secrets.pricebot-auth-token.target-file;
+    #   mattermost-auth-token-file = host-secrets.pricebot-auth-token.target-file;
-      monitors = {
+    #   monitors = {
-        btc = {
+    #     btc = {
-          mattermost-channel-id = "f7iem9t3qbbczjyuq4waj1s3ua";
+    #       mattermost-channel-id = "f7iem9t3qbbczjyuq4waj1s3ua";
-          notify-user = "niten";
+    #       notify-user = "niten";
-        };
+    #     };
-      };
+    #   };
-    };
+    # };
    services = {
      logging.loki.state-directory = "/state/services/loki";
--- a/config/host-config/spark.nix
+++ b/config/host-config/spark.nix
@ -1,45 +1,27 @@
 { config, lib, pkgs, ... }:
 with lib;
-let state-dir = "/state";
+let stateDir = "/state";
    hostname = ""
    primaryIp = pkgs.lib.getHostIpv4 ""
 in {
-  fudo = {
+  config = {
-    slynk.enable = true;
+    networking = {
-    wallfly.location = "office";
+      interfaces.enp3s0 = {
-  };
+        ipv4.addresses = [{
          address = primaryIp;
          prefixLength = pkgs.lib.getHostIpv4 hostname;
        }];
      };
      firewall.enable = false;
      defaultGateway = {
-  networking = {
+      };
    interfaces = { intif0.useDHCP = true; };
    firewall.enable = false;
  };
  i18n.inputMethod = {
    #enabled = "fcitx5";
    #fcitx5.addons = with pkgs; [ fcitx5-chinese-addons fcitx5-rime ];
  };
  systemd.tmpfiles.rules = [
    "d ${state-dir}/lib/cups  755 root root - -"
    "d ${state-dir}/services/yggdrasil 700 root root - -"
  ];
  fileSystems = {
    "/var/lib/cups" = {
      device = "${state-dir}/lib/cups";
      options = [ "bind" ];
    };
-    # "/var/lib/private/yggdrasil" = {
+    fudo = {
-    #   device = "${state-dir}/services/yggdrasil";
+      slynk.enable = true;
-    #   options = [ "bind" ];
+      wallfly.location = "family_room";
    # };
  };
  services = {
    yggdrasil = {
      enable = true;
      persistentKeys = true;
      group = "wheel";
    };
  };
 }
--- a/config/host-config/system3.nix
+++ b/config/host-config/system3.nix
@ -6,66 +6,10 @@ let
  inherit (config.instance) hostname;
  vmConfig = { pkgs, lib, ... }: {
    config = {
      containers.tester = {
        autoStart = true;
        # localAddress = "10.0.0.14";
        additionalCapabilities = [ "CAP_NET_ADMIN" ];
        # privateNetwork = true;
        macvlans = [ "enp7s0" ];
        #hostBridge = "tester0";
        #hostAddress = "10.0.0.14";
        #privateNetwork = true;
        config = {
          imports = [ pkgs.moduleRegistry.authoritativeDns ];
          services.openssh.enable = true;
          users = let groupName = config.users.users.niten.group;
          in {
            users.niten = config.users.users.niten;
            groups."${groupName}" = config.users.groups."${groupName}";
          };
          services.authoritative-dns = {
            enable = true;
            identity = "ns.sea.fudo.org";
            listen-ips = [ "10.0.0.14" ];
            state-directory = "/var/lib/nsd";
            timestamp = toString config.instance.build-timestamp;
            domains = {
              "sea.fudo.org" = { zone = config.fudo.zones."sea.fudo.org"; };
            };
          };
          networking = {
            defaultGateway = pkgs.lib.getHostGatewayV4 hostname;
            firewall = {
              enable = true;
              allowedTCPPorts = [ 22 53 ];
              allowedUDPPorts = [ 53 ];
            };
            # interfaces.eth0 = {
            #   ipv4.addresses = [{
            #     address = "10.0.0.14";
            #     prefixLength = 24;
            #   }];
            # };
            interfaces.mv-enp7s0.ipv4.addresses = [{
              address = "10.0.0.14";
              prefixLength = 24;
            }];
          };
        };
      };
    };
  };
 in {
  imports = [ vmConfig ];
  config = {
    fudo = {
      slynk.enable = true;
      wallfly.location = "office";
--- a/config/host-config/toothless.nix
+++ b/config/host-config/toothless.nix
@ -29,10 +29,7 @@ in {
    '';
    services = {
-      immichContainer = {
+      immichMlContainer.state-directory = "/state/immich/ml-cache";
        state-directory = "/state/immich/state";
        store-directory = "/state/immich/store";
      };
    };
    fudo = {
@ -79,12 +76,26 @@ in {
      };
    };
    hardware = {
      nvidia = {
        nvidiaSettings = true;
        package = config.boot.kernelPackages.nvidiaPackages.production;
      };
      opengl = {
        enable = true;
        driSupport32Bit = true;
      };
    };
    services.xserver.videoDrivers = [ "nvidia" ];
    virtualisation = {
      podman = {
        enable = true;
        autoPrune.enable = true;
        dockerSocket.enable = true;
        dockerCompat = true;
        enableNvidia = true;
        defaultNetwork.settings = {
          dns_enabled = true;
          network_dns_servers = [ "1.1.1.1" "8.8.4.4" ];
--- a/config/host-config/toothless/immich-ml.nix
+++ b/config/host-config/toothless/immich-ml.nix
@ -0,0 +1,29 @@
 { config, lib, pkgs, ... }:
 {
  config = {
    virtualisation.arion.projects.immich-ml.settings = let
      image = { ... }: {
        project.name = "immich-ml";
        services = {
          immich-ml = {
            service = {
              image =
                "ghcr.io/immich-app/immich-machine-learning:${immichVersion}-cuda";
              restart = "always";
              ports = [ "${toString cfg.port}:3003" ];
              volumes = [ "${cfg.state-directory}:/cache" ];
            };
          };
        };
        rawConfig = {
          deploy.resources.reservations.devices = [{
            driver = "nvidia";
            count = 1;
            capabilities = [ "gpu" ];
          }];
        };
      };
    in { imports = [ image ]; };
  };
 }
--- a/config/host-config/wormhole0.nix
+++ b/config/host-config/wormhole0.nix
@ -164,6 +164,13 @@ in {
            };
          };
          "home.sea.fudo.ninja" = {
            locations."/" = {
              proxyPass = "http://localhost:${toString homeAssistantPort}";
              proxyWebsockets = true;
            };
          };
          "node-red.sea.fudo.org" = {
            locations."/" = {
              proxyPass = "http://localhost:${toString nodeRedPort}";
--- a/config/host-config/zbox.nix
+++ b/config/host-config/zbox.nix
@ -78,10 +78,19 @@ in {
        recommendedOptimisation = true;
        recommendedProxySettings = true;
-        virtualHosts."frigate.sea.fudo.org" = {
+        virtualHosts = {
-          locations."/" = {
+          "frigate.sea.fudo.org" = {
-            proxyPass = "http://localhost:5000";
+            locations."/" = {
-            proxyWebsockets = true;
+              proxyPass = "http://localhost:5000";
              proxyWebsockets = true;
            };
          };
          "cam.sea.fudo.ninja" = {
            locations."/" = {
              proxyPass = "http://localhost:5000";
              proxyWebsockets = true;
            };
          };
        };
      };
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@ -33,18 +33,26 @@ in {
  config = {
    fudo = { hosts."${hostname}".local-networks = [ "::1/128" ]; };
-    system.autoUpgrade.enable = false;
+    system = {
      autoUpgrade.enable = false;
      # copySystemConfiguration = true;
    };
    nix = {
      package = pkgs.nixFlakes;
      extraOptions = ''
        experimental-features = nix-command flakes
      '';
      optimise = {
        automatic = true;
        dates = [ "weekly" ];
      };
      gc = {
        automatic = true;
        dates = "weekly";
-        options = "--delete-older-than 7d";
+        options = "--delete-older-than 14d";
      };
      settings.auto-optimise-store = true;
    };
    hardware.enableAllFirmware = true;
--- a/config/service/authoritative-dns.nix
+++ b/config/service/authoritative-dns.nix
@ -275,8 +275,6 @@ in {
  imports = [ hostModule containerModule ];
  config = mkIf cfg.enable {
    systemd.tmpfiles.rules = [ "d ${cfg.state-directory} 700 root root - -" ];
    fileSystems."/var/lib/nsd" = mkIf (isNull cfg.container) {
      device = cfg.state-directory;
      options = [ "bind" ];
--- a/config/service/mabel.nix
+++ b/config/service/mabel.nix
@ -0,0 +1,103 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.fudo.services.mabel;
  hostname = config.instance.hostname;
  isMqtt = config.fudo.services.mqtt.enable;
  isMabel = hostname == cfg.mabel-host;
  hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
  mqtt-password-file =
    pkgs.lib.passwd.stablerandom-passwd-file "mabel-mqtt-passwd"
    config.instance.build-seed;
 in {
  options.fudo.services.mabel = with types; {
    enable = mkEnableOption "Enable Mabel camera monitor.";
    verbose = mkEnableOption "Enable verbose output.";
    mabel-host = mkOption {
      type = str;
      description = "Host on which to run Mabel.";
    };
    mqtt = {
      username = mkOption {
        type = str;
        description = "User as which to connect to MQTT server.";
        default = "mabel-bot";
      };
    };
    matrix = {
      domain = mkOption {
        type = str;
        description = "Matrix domain on which to connect.";
      };
      username = mkOption {
        type = str;
        description = "User as which to connect to Matrix.";
      };
      token-file = mkOption {
        type = str;
        description = "Authentication for connecting to Matrix.";
      };
      channel = mkOption {
        type = str;
        description = "Channel on which to send notifications.";
      };
    };
  };
  config = mkIf cfg.enable {
    fudo = {
      secrets.host-secrets."${hostname}" = {
        mabel-mqtt-passwd = mkIf isMabel {
          source-file = mqtt-password-file;
          target-file = "/run/mabel-mqtt/passwd";
        };
        mabel-matrix-token = mkIf isMabel {
          source-file = cfg.matrix.token-file;
          target-file = "/run/mabel/matrix.token";
        };
      };
      services.mqtt = mkIf isMqtt {
        private = {
          enable = true;
          users."${cfg.mqtt.username}" = {
            password-file = mqtt-password-file;
            acl = [ "read frigate/#" ];
          };
        };
      };
    };
    services.mabel = mkIf isMabel {
      enable = true;
      verbose = cfg.verbose;
      mqtt = {
        host = config.fudo.services.mqtt.mqtt-hostname;
        port = config.fudo.services.mqtt.private.port;
        username = cfg.mqtt.username;
        password-file = hostSecrets.mabel-mqtt-passwd.target-file;
      };
      matrix = {
        domain = cfg.matrix.domain;
        username = cfg.matrix.username;
        password-file = hostSecrets.mabel-matrix-token.target-file;
        channel-alias = cfg.matrix.channel;
      };
    };
  };
 }
--- a/config/service/nexus.nix
+++ b/config/service/nexus.nix
@ -12,18 +12,12 @@ let
  site = config.fudo.sites."${siteName}";
  hostNexusDomainList = host:
-    let
+    unique (domain.nexus.public-domains ++ site.nexus.public-domains
-      domainName = config.fudo.hosts."${host}".domain;
+      ++ domain.nexus.private-domains ++ site.nexus.private-domains
-      domain = config.fudo.domains."${domainName}";
+      ++ domain.nexus.tailscale-domains ++ site.nexus.tailscale-domains);
      siteName = config.fudo.hosts."${host}".site;
      site = config.fudo.sites."${siteName}";
    in unique (domain.nexus.domains ++ site.nexus.domains);
  isEmpty = lst: lst == [ ];
  localNexusDomains = getAttrs (hostNexusDomainList hostname)
    (listKeys config.fudo.nexus.domains);
  isServer = let
    servers = concatMap (domainOpts: domainOpts.servers)
      (attrValues config.fudo.nexus.domains);
@ -140,7 +134,15 @@ in {
        enable = enableClient;
        inherit hostname;
        verbose = true;
-        domains = unique (domain.nexus.domains ++ site.nexus.domains);
+        domains = let
          genDomains = type: domains:
            genAttrs (unique domains) (_: { inherit type; });
        in (genDomains "public"
          (domain.nexus.public-domains ++ site.nexus.public-domains))
        // (genDomains "private"
          (domain.nexus.private-domains ++ site.nexus.private-domains))
        // (genDomains "tailscale"
          (domain.nexus.tailscale-domains ++ site.nexus.tailscale-domains));
        hmac-key-file = hostSecrets.nexus-key.target-file;
        servers = let localDomains = hostNexusDomainList hostname;
        in map ({ domain, alias, ... }: "${alias}.${domain}")
--- a/config/services.nix
+++ b/config/services.nix
@ -13,6 +13,7 @@
    ./service/lemmy.nix
    ./service/local-network.nix
    ./service/logging.nix
    ./service/mabel.nix
    ./service/mail-server.nix
    ./service/metrics.nix
    ./service/mqtt.nix
--- a/config/site-config/seattle.nix
+++ b/config/site-config/seattle.nix
@ -14,29 +14,29 @@ in {
        wallfly-presence.enable = true;
-        tattler = let snooper-host = "wormhole0";
+        # tattler = let snooper-host = "wormhole0";
-        in {
+        # in {
-          enable = true;
+        #   enable = true;
-          verbose = true;
+        #   verbose = true;
-          event-topics = [ "suanni/events/motion" ];
+        #   event-topics = [ "suanni/events/motion" ];
-          inherit snooper-host;
+        #   inherit snooper-host;
-        };
+        # };
-        suanni = let
+        # suanni = let
-          listener = "nostromo";
+        #   listener = "nostromo";
-          objectifier = "nostromo";
+        #   objectifier = "nostromo";
-        in {
+        # in {
-          enable = true;
+        #   enable = true;
-          event-listener.host = listener;
+        #   event-listener.host = listener;
-          objectifier.host = objectifier;
+        #   objectifier.host = objectifier;
-          synology = {
+        #   synology = {
-            host = "cargo.sea.fudo.org";
+        #     host = "cargo.sea.fudo.org";
-            port = 5001;
+        #     port = 5001;
-            username = "suanni";
+        #     username = "suanni";
-            password-file =
+        #     password-file =
-              config.fudo.secrets.files.service-passwords."${listener}".suanni-synology;
+        #       config.fudo.secrets.files.service-passwords."${listener}".suanni-synology;
-          };
+        #   };
-        };
+        # };
      };
      zones."sea.fudo.org" = {
@ -108,9 +108,15 @@ in {
        ];
        after = [ config.fudo.secrets.secret-target ];
        serviceConfig = {
-          ExecStartPre = "${pkgs.coreutils}/bin/test -f /etc/krb5.keytab";
+          ExecStartPre = pkgs.writeShellScript "await-keytab.sh" ''
            while [ ! -f /etc/krb5.keytab ]; do
              sleep 5
            done
            exit 0
          '';
          ExecStart = "${pkgs.coreutils}/bin/true";
          TimeoutStartSec = "360";
          Type = "oneshot";
          RemainAfterExit = true;
          Restart = "on-failure";
          RestartSec = "2";
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,8 @@
  description = "Fudo Host Configuration";
  inputs = {
-    nixpkgs.url = "git+https://fudo.dev/nix/nixpkgs.git";
+    nixpkgs.url =
      "nixpkgs/nixos-23.11"; # "git+https://fudo.dev/nix/nixpkgs.git";
    fudo-home = {
      url = "git+https://fudo.dev/nix/home.git";
@ -11,31 +12,31 @@
    };
    # This MUST be a clean git repo, because we use the timestamp.
-    fudo-entities = {
+    fudo-entities.url = "git+https://fudo.dev/nix/entities.git";
-      url = "git+https://fudo.dev/nix/entities.git";
+
    fudo-lib.url = "git+https://fudo.dev/nix/lib.git";
    fudo-pkgs.url = "git+https://fudo.dev/nix/pkgs.git";
    fudo-secrets = {
      url = "path:/secrets";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    fudo-lib = { url = "git+https://fudo.dev/nix/lib.git"; };
+    # chute = {
    #   url = "git+https://fudo.dev/chute/chute.git?ref=stable";
    #   inputs.nixpkgs.follows = "nixpkgs";
    # };
-    fudo-pkgs = { url = "git+https://fudo.dev/nix/pkgs.git"; };
+    # chuteUnstable = {
    #   url = "git+https://fudo.dev/chute/chute.git?ref=master";
    #   inputs.nixpkgs.follows = "nixpkgs";
    # };
-    fudo-secrets.url = "path:/secrets";
+    # pricebot = {
-
+    #   url = "git+https://fudo.dev/public/pricebot.git";
-    chute = {
+    #   inputs.nixpkgs.follows = "nixpkgs";
-      url = "git+https://fudo.dev/chute/chute.git?ref=stable";
+    # };
      inputs.nixpkgs.follows = "nixpkgs";
    };
    chuteUnstable = {
      url = "git+https://fudo.dev/chute/chute.git?ref=master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    pricebot = {
      url = "git+https://fudo.dev/public/pricebot.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgsUnstable.url = "nixpkgs/nixos-unstable";
@ -69,6 +70,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    mabel = {
      url = "git+https://fudo.dev/public/mabel.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    arion = {
      url = "github:hercules-ci/arion";
      inputs.nixpkgs.follows = "nixpkgs";
@ -143,6 +149,14 @@
      };
    };
    immich-ml-container = {
      url = "git+https://fudo.dev/public/immich-ml-container.git";
      inputs = {
        arion.follows = "arion";
        nixpkgs.follows = "nixpkgs";
      };
    };
    authoritative-dns = {
      url = "git+https://fudo.dev/public/authoritative-dns.git";
      inputs.nixpkgs.follows = "nixpkgs";
@ -162,15 +176,17 @@
      url = "git+https://git.informis.land/informis/textfiles.git";
      flake = false;
    };
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
  };
  outputs = { self, nixpkgs, fudo-home, fudo-lib, fudo-entities, fudo-pkgs
-    , fudo-secrets, chute, chuteUnstable, nixpkgsUnstable, pricebot, wallfly
+    , fudo-secrets, nixpkgsUnstable, wallfly, objectifier, nexus, suanni
-    , objectifier, nexus, suanni, snooper, tattler, lemmy-docker
+    , snooper, tattler, lemmy-docker, tesla-mate-container, mastodon-container
-    , tesla-mate-container, mastodon-container, authentik-container
+    , authentik-container, nextcloud-container, textfiles, matrix-module
-    , nextcloud-container, textfiles, matrix-module, mail-server
+    , mail-server, authoritative-dns, frigate-container, grafana-module
-    , authoritative-dns, frigate-container, grafana-module, lemmy-container
+    , lemmy-container, immich-container, immich-ml-container, mabel
-    , immich-container, ... }@inputs:
+    , nixos-hardware, ... }@inputs:
    with nixpkgs.lib;
    let
      fudo-nixos-hosts = filterAttrs (hostname: hostOpts: hostOpts.nixos-system)
@ -208,7 +224,10 @@
              chute = chute.packages.${arch}.chute;
              chuteUnstable = chuteUnstable.packages.${arch}.chute;
            })
-            (final: prev: { pkgsUnstable = unstable; })
+            (final: prev: {
              pkgsUnstable = unstable;
              inherit nixos-hardware;
            })
            (final: prev: {
              signal-desktop = unstable.signal-desktop;
              factorio-experimental = unstable.factorio-experimental;
@ -236,7 +255,7 @@
            fudo-secrets.nixosModules.default
            fudo-lib.nixosModules.default
            fudo-entities.nixosModule
-            pricebot.nixosModules.default
+            # pricebot.nixosModules.default
            wallfly.nixosModule
            objectifier.nixosModules.default
            suanni.nixosModules.default
@ -254,6 +273,8 @@
            grafana-module.nixosModules.default
            lemmy-container.nixosModules.default
            immich-container.nixosModules.default
            immich-ml-container.nixosModules.default
            mabel.nixosModules.default
            nexus.nixosModules.nexus-client
            nexus.nixosModules.nexus-server
@ -265,6 +286,8 @@
            (config-dir + "/profile-config/${hostOpts.profile}.nix")
            (config-dir + "/domain-config/${hostOpts.domain}.nix")
            (config-dir + "/site-config/${hostOpts.site}.nix")
            (import ./hardware-modules.nix nixos-hardware.nixosModules hostname)
          ];
          config = let pkgs = pkgs-for hostOpts.arch;
--- a/hardware-modules.nix
+++ b/hardware-modules.nix
@ -0,0 +1,17 @@
 hardwareModules: hostname:
 { ... }:
 with hardwareModules;
 {
  imports = if (hostname == "system3") then [
    common-cpu-amd
    common-gpu-amd
    common-pc-ssd
  ] else if (hostname == "jazz") then [
    common-cpu-amd
    common-gpu-amd
    common-pc-ssd
  ] else
    [ ];
 }