kitty time...

configuration-desktop.nix

@@ -49,7 +49,12 @@
 
   programs = {
     chromium.enable = true;
-    firefox.enable = true;
+    firefox = {
+      enable = true;
+      nativeMessagingHosts.packages = [
+        pkgs.fx-cast-bridge
+      ];
+    };
     kdeconnect.enable = true;
     partition-manager.enable = true;
     wireshark.enable = true;
@@ -61,10 +66,12 @@
         obs-livesplit-one
       ];
     };
+    thunar.enable = true;
   };
-  environment.sessionVariables.TERMINAL = "footclient";
+  environment.sessionVariables.TERMINAL = "kitty --single-instance";
 
   environment.systemPackages = with pkgs; [
+    kitty
     dino
     discord
     element-desktop
@@ -74,9 +81,11 @@
     via
     libimobiledevice
 
-    dwarfdump
     ffmpeg
     gimp
+    feh
+    vlc
+    mpv
 
     kdePackages.plasma-thunderbolt
   ];

configuration-nixos.nix

@@ -48,6 +48,7 @@ in {
   ];
 
   programs = {
+    zoxide.enable = true;
     firejail.enable = true;
     virt-manager.enable = true;
     nix-ld = {

configuration.nix

@@ -27,7 +27,6 @@ in {
     services.xserver.xkb.options = "caps:escape";
 
     users.defaultUserShell = pkgs.zsh;
-    # Define a user account. Don't forget to set a password with ‘passwd’.
     users.users.audrey = {
       uid = 1000;
       description = "Audrey Dutcher";
@@ -52,6 +51,7 @@ in {
       units
       units-desktop
       patchelf
+      dwarfdump
       gdb
       kubectl
       p7zip
@@ -69,6 +69,13 @@ in {
       sqlite
       cronie
       editorconfig-core-c
+      (writeShellScriptBin "rhelmot-footclient" ''
+        #!/bin/sh
+        if [ -n "''${RHELMOT_FOOTSOCK:-}" ] && [ -S "''${RHELMOT_FOOTSOCK}" ]; then
+          exec footclient --server-socket="''${RHELMOT_FOOTSOCK}" "$@"
+        fi
+        exec footclient "$@"
+      '')
       (python3.withPackages (p: lib.concatMap (pl: pl p) rhelmot.globalPythonPackages))
     ];
 
@@ -91,6 +98,7 @@ in {
     programs = {
       kakoune = {
         enable = true;
+        defaultEditor = true;
         plugins = with pkgs.kakounePlugins; [
           kak-fzf
           smarttab-kak
@@ -123,12 +131,14 @@ in {
           hdc = "hexdump -ve '\"\\\x\" 1/1 \"%02x\"'";
           nose = "pytest -v --capture=no --pdbcls=IPython.terminal.debugger:TerminalPdb";
           mkvirtualenv = "mkvirtualenv -r /etc/venv-default.txt";
+          woman = "man";
         };
       };
       tmux = {
         enable = true;
         extraConfig = builtins.readFile ./dotfiles/tmux.conf;
       };
+      ssh.extraConfig = builtins.readFile ./dotfiles/ssh-config;
       direnv.enable = true;
       htop.enable = true;
       git = {
@@ -165,10 +175,10 @@ in {
     environment.etc."gdb/gdbinit".source = ./dotfiles/gdb-init.gdb;
     environment.etc."venv-default.txt".source = ./dotfiles/venv-default.txt;
 
-    # Enable the OpenSSH daemon.
     services.openssh.enable = true;
+    # uh oh...
+    services.openssh.settings.AcceptEnv = "RHELMOT_SWAYSOCK RHELMOT_FOOTSOCK RHELMOT_WAYLAND_DISPLAY";
 
-    
     services.sanoid = lib.mkIf config.boot.zfs.enabled {
       enable = true;
       datasets."system/home" = {
@@ -229,4 +239,3 @@ in {
     };
   };
 }
-

dotfiles/kakoune/config/30-fzf.kak

@@ -8,6 +8,11 @@ set-option global fzf_grep_command 'rg'
 set-option global fzf_grep_preview_command 'bat'
 set-option global fzf_window_map 'ctrl-n'
 
+#require-module 'wayland'
+require-module 'kitty'
+#set-option global termcmd "kitty --single-instance sh -c"
+set-option global kitty_window_type 'os-window'
+
 map -docstring "filename search (current dir)" global goto n '<a-;>:filename-search<ret>'
 map -docstring "filename search (file dir)" global goto N '<a-;>:filename-search buffile-dir<ret>'
 map -docstring "full-text search (current dir)" global goto f '<a-;> fg'
@@ -26,10 +31,15 @@ define-command -docstring "terminal but floating" terminal-floating -params .. %
 set-option global fzf_terminal_command 'terminal-floating'
 define-command sway-terminal-floating -params .. %{
     nop %sh{ sway fullscreen disable }
-    set-option local termcmd "footclient --title=fzf.kak.picker sh -c"
+    set-option local termcmd "kitty --single-instance --os-window-title=fzf.kak.picker sh -c"
     wayland-terminal-window %arg{@}
 }
 
+define-command kitty-terminal-floating -params .. %{
+    nop %sh{ sway fullscreen disable }
+    kitty-terminal-window --os-window-class=fzf.kak.picker %arg{@}
+}
+
 define-command -override -hidden -docstring "wrapper command to create new terminal" \
 fzf-window -params .. %{ evaluate-commands %sh{
     if [ -n "${kak_client_env_TMUX:-}" ]; then

dotfiles/ssh-config

@@ -0,0 +1,7 @@
+#Match tagged trusted exec "[ -S \"$RHELMOT_FOOTSOCK\" -a -S \"$RHELMOT_SWAYSOCK\" ]"
+#    RemoteForward /home/audrey/.ssh/fwd-footsock-%C.sock ${RHELMOT_FOOTSOCK}
+#    RemoteForward /home/audrey/.ssh/fwd-swaysock-%C.sock ${RHELMOT_SWAYSOCK}
+#    SetEnv RHELMOT_SWAYSOCK=/home/audrey/.ssh/fwd-swaysock-%C.sock
+#    SetEnv RHELMOT_FOOTSOCK=/home/audrey/.ssh/fwd-footsock-%C.sock
+#    StreamLocalBindUnlink yes
+#    ExitOnForwardFailure no

dotfiles/sway/config

@@ -21,7 +21,7 @@ set $left h
 set $down j
 set $up k
 set $right l
-set $term footclient
+set $term kitty --single-instance
 set $prelaunch uwsm app --
 set $menu fuzzel "--launch-prefix=$prelaunch"
 set $swaylock swaylock -c 1a1b26
@@ -320,7 +320,7 @@ shadow_blur_radius 8
 # Automation
 #
 
-for_window [title="^fzf.kak.picker$"] {
+for_window [app_id="^fzf.kak.picker$"] {
     floating enable
     resize set width 90ppt height 90ppt
     move position center

dotfiles/waybar/config.jsonc

@@ -24,6 +24,8 @@
             "class<firefox>":      "<span letter_spacing='10040'>󰈹</span>",
             "class<discord>":      "<span letter_spacing='10240' size='9pt'></span>",
             "class<footclient>":   "<span letter_spacing='10240'></span>",
+            "class<foot>":         "<span letter_spacing='10240'></span>",
+            "class<kitty>":        "<span letter_spacing='10240'></span>",
             "class<Zotero>":       "<span letter_spacing='10240'>󱉟</span>",
             "class<Element>":      "<span letter_spacing='10480'>󰭹</span>",
             "class<im.dino.Dino>": "<span letter_spacing='10480'>󰭹</span>",

dotfiles/zsh-init.sh

@@ -16,7 +16,31 @@ function nixos-edit() {
 }
 
 function nixos-apply() {
-    sudo nixos-rebuild switch --flake ~/nixos-config#$HOST "$@"
+    flags=("--sudo" "--use-substitutes")
+    host="$HOST"
+    action="switch"
+    while [[ "$#" != 0 ]]; do
+        case "$1" in
+            --host)
+                host="$2"
+                shift
+                shift
+                ;;
+            --boot)
+                action="boot"
+                shift
+                ;;
+            *)
+                flags+=("$1")
+                shift
+                ;;
+        esac
+    done
+    flags+=("--flake" "$HOME/nixos-config#$host")
+    if [[ "$host" != "$HOST" ]]; then
+        flags+=("--target-host" "$host")
+    fi
+    nixos-rebuild "$action" "${flags[@]}"
 }
 
 lsflags=()
@@ -137,6 +161,53 @@ export SHELL=$(which zsh)
 export npm_config_prefix=~/.local
 export HISTSIZE=100000
 export SAVEHIST=100000
+export CARGO_TARGET_DIR=~/.cache/cargo/obj
+export TEMP=/tmp
+export TMP=/tmp
+export TEMPDIR=/tmp
+export TMPDIR=/tmp
+
+# If remote socket forwards are present, opt in to them
+# If they are invalid, set to a default value so ssh is happy
+if [[ -S "$RHELMOT_SWAYSOCK" ]]; then
+    export SWAYSOCK="$RHELMOT_SWAYSOCK"
+else
+    export RHELMOT_SWAYSOCK=/dev/null
+fi
+if [[ -S "$RHELMOT_FOOTSOCK" ]]; then
+    :
+else
+    export RHELMOT_FOOTSOCK=/dev/null
+fi
+if [[ -S "$RHELMOT_WAYLAND_DISPLAY" ]]; then
+    export WAYLAND_DISPLAY="$RHELMOT_WAYLAND_DISPLAY"
+else
+    export RHELMOT_WAYLAND_DISPLAY=/dev/null
+fi
+
+function _rhelmot_ssh_with_remote_ui_forwarding() {
+    local local_sway local_foot local_wayland
+    local_foot="/dev/null"
+    local_wayland="/dev/null"
+
+    for candidate in "$RHELMOT_FOOTSOCK" "${XDG_RUNTIME_DIR}/foot-${WAYLAND_DISPLAY}.sock" "${XDG_RUNTIME_DIR}/foot.sock" "/tmp/foot.sock"; do
+        if [[ -S "$candidate" ]]; then
+            local_foot="$candidate"
+            break
+        fi
+    done
+    for candidate in "$WAYLAND_DISPLAY" "/run/user/$(id -u)/$WAYLAND_DISPLAY"; do
+        if [[ -S "$candidate" ]]; then
+            local_wayland="$candidate"
+        fi
+    done
+
+    RHELMOT_WAYLAND_DISPLAY="$local_wayland" RHELMOT_SWAYSOCK="$SWAYSOCK" RHELMOT_FOOTSOCK="$local_foot"  command ssh "$@"
+}
+
+function ssh() {
+    _rhelmot_ssh_with_remote_ui_forwarding "$@"
+}
 
 # site vars, functions, and aliases
 if [ -e ~/.site_aliases.sh ]; then

keys/syncthing/clove

@@ -0,0 +1 @@
+WB3OPFM-5S7CLM4-PN7JIWE-H66YCFD-7UKW7PE-7KM4CMT-WPQ5BK5-ZFPMQAM

modules/audrey-sway.nix

@@ -39,12 +39,32 @@ in
             default = [];
             description = "Extra entries to add to the command palette";
         };
+        extraSwayArgs = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            default = [];
+            description = "Extra command line arguments with which to launch sway";
+        };
+        blankTimeout = lib.mkOption {
+            type = lib.types.nullOr lib.types.int;
+            default = 300;
+            description = "After how long in seconds idle should the system blank its screens";
+        };
+        lockTimeout = lib.mkOption {
+            type = lib.types.nullOr lib.types.int;
+            default = 360;
+            description = "After how long in seconds idle should the system lock the desktop";
+        };
+        suspendTimeout = lib.mkOption {
+            type = lib.types.nullOr lib.types.int;
+            default = 600;
+            description = "After how long in seconds idle should the system suspend";
+        };
     };
 
     config = lib.mkIf cfg.enable {
       programs.regreet.enable = true;
       services.greetd.settings = {
-        default_session.command = "${pkgs.dbus}/bin/dbus-run-session ${lib.getExe config.programs.sway.package} -c /etc/sway/greeter-config";
+        default_session.command = "${pkgs.dbus}/bin/dbus-run-session ${lib.getExe config.programs.sway.package} -c /etc/sway/greeter-config ${builtins.toString cfg.extraSwayArgs}";
       };
       programs.regreet.settings = {
         background.fit = "Fill";
@@ -89,6 +109,7 @@ in
         waylandCompositors.sway = {
           prettyName = "Sway";
           binPath = "/run/current-system/sw/bin/sway";
+          extraArgs = cfg.extraSwayArgs;
         };
       };
       programs.sway = {
@@ -163,11 +184,15 @@ in
           Type = "simple";
           ExecStart = ''
             ${lib.getExe pkgs.swayidle} -w \
-              timeout 300 'swaymsg "output * power off"' \
+            ${lib.optionalString (cfg.blankTimeout != null) ''
+              timeout ${builtins.toString cfg.blankTimeout} 'swaymsg "output * power off"' \
                   resume 'swaymsg "output * power on"' \
-              timeout 360 '${swaylockCmd} -f' \
+            ''} ${lib.optionalString (cfg.lockTimeout != null) ''
-              timeout 600 'systemctl suspend' \
+              timeout ${builtins.toString cfg.lockTimeout} '${swaylockCmd} -f' \
-              before-sleep '${swaylockCmd} -f'
+              before-sleep '${swaylockCmd} -f' \
+            ''} ${lib.optionalString (cfg.suspendTimeout != null) ''
+              timeout ${builtins.toString cfg.suspendTimeout} 'systemctl suspend' \
+            ''}
           '';
         };
         path = [ "/run/current-system/sw" ];

modules/kakoune.nix

@@ -19,6 +19,11 @@ in {
             description = "The package that will be linked into the global environment if enabled";
             default = cfg.package.override { plugins = cfg.plugins; };
         };
+        defaultEditor = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = "Whether to set EDITOR=kak globally";
+        };
         extraPackages = lib.mkOption {
             type = lib.types.listOf lib.types.package;
             default = [];
@@ -75,5 +80,6 @@ in {
                 destination = "/share/kak/kakrc.local";
             })
         ];
+        environment.variables.EDITOR = lib.mkIf cfg.defaultEditor "kak";
     };
 }

modules/syncthing-cluster/default.nix

@@ -49,6 +49,7 @@ in {
       inherit (cfg) configDir dataDir user;
       openDefaultPorts = true;
       overrideDevices = true;
+      overrideFolders = false;
       settings.devices = builtins.mapAttrs (_: value: { id = value; autoAcceptFolders = hostname == cfg.coordinator; }) otherDevices;
     };
   } (lib.mkIf (cfg.user != "syncthing") {

overlays/packages.nix

@@ -10,6 +10,19 @@ let overlay = final: prev: {
       hash = "sha256-vwGHiLKSjJor4A+r599DlvSHXkDuuLSSQ4/tWFALMKU=";
     })];
   });
+  sftpgo = prev.sftpgo.overrideAttrs (prev: {
+    # killing and tearing and ripping and maiming
+    postPatch = (prev.postPatch or "") + ''
+      sed -E -i -e '/func preserveUserProfile/a newUser.Groups = user.Groups;' internal/common/eventmanager.go
+    '';
+  });
+  fx-cast-bridge = prev.fx-cast-bridge.overrideAttrs (prev: {
+    postConfigure = (prev.postConfigure or "") + ''
+      substituteInPlace node_modules/mdns/lib/resolver_sequence_tasks.js --replace-fail \
+        'cares.getaddrinfo(req, host, family, 0, false)' \
+        'cares.getaddrinfo(req, host, family, 0, 0)'
+    '';
+  });
   idapro9 = pkgs.callPackage ../pkgs/idapro9.nix {};
   condition-unmetered-network = pkgs.callPackage ../pkgs/condition-unmetered-network {};
   units-desktop = pkgs.callPackage ../pkgs/units-desktop.nix {};

sites/clove/configuration.nix

@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [ ./hardware-configuration.nix ../../configuration-desktop.nix ];
+
+  boot.initrd.supportedFilesystems = [ "zfs" ];
+  boot.initrd.systemd.enable = true;
+  services.zfs.autoScrub.enable = true;
+  services.zfs.trim.enable = true;
+  # fstrim is also enabled by nixos-hardware, but only runs for /boot
+
+  networking.hostName = "clove";
+  networking.hostId = "e2a6d757";
+
+  time.timeZone = "America/Phoenix";
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 22 80 443 1337 1338 8081 2222 ];
+  networking.firewall.allowedUDPPorts = [ 1337 ];
+  systemd.coredump.enable = false;
+
+  system.stateVersion = "25.11";
+
+  environment.systemPackages = [
+    pkgs.racket
+    pkgs.idapro9
+    pkgs.qemu_kvm
+    (pkgs.runCommand "OVMF-fd" {} ''
+      mkdir -p $out/share/FV
+      ln -s ${pkgs.OVMF.fd}/FV/OVMF_CODE.fd $out/share/FV/OVMF_CODE.fd
+    '')
+    pkgs.OVMF.fd
+  ];
+
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  #programs.celestegame = {
+  #  enable = true;
+  #  withEverest = true;
+  #  withOlympus = true;
+  #  writableDir = "/var/lib/celeste";
+  #};
+
+  boot.binfmt.emulatedSystems = [
+    "aarch64-linux"
+    "mips-linux"
+    "mipsel-linux"
+    "armv7l-linux"
+  ];
+  boot.binfmt.preferStaticEmulators = true;
+
+  programs.steam.enable = true;
+  programs.steam.gamescopeSession.enable = true;
+  programs.gamescope.enable = true;
+  programs.gamescope.capSysNice = true;
+  services.pulseaudio.support32Bit = true;
+  hardware.graphics.enable32Bit = true;
+
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu.package = pkgs.qemu_kvm;
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  audrey-sway.background = ../../dotfiles/rtfs.jpg;
+
+  services.syncthing-cluster = {
+    enable = true;
+    device = "WB3OPFM-5S7CLM4-PN7JIWE-H66YCFD-7UKW7PE-7KM4CMT-WPQ5BK5-ZFPMQAM";
+    user = "audrey";
+    configDir = "/home/audrey/.config/syncthing";
+    dataDir = "/home/audrey";
+  };
+
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.nvidia.open = true;
+  audrey-sway.extraSwayArgs = [ "--unsupported-gpu" ];
+  audrey-sway.suspendTimeout = null;
+}

sites/clove/hardware-configuration.nix

@@ -0,0 +1,72 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "clove/tier1/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/66C8-15C6";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/var" =
+    { device = "clove/tier1/var";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "clove/tier1/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/containers" =
+    { device = "clove/tier2/containers";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/log" =
+    { device = "clove/tier2/log";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/spool" =
+    { device = "clove/tier2/spool";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/tmp" =
+    { device = "clove/scratch/tmp";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "clove/scratch/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/cache" =
+    { device = "clove/scratch/cache";
+      fsType = "zfs";
+    };
+
+  swapDevices = [ {
+    device = "/dev/disk/by-uuid/31ae9d96-d3dc-45e4-9b36-707df8b4f6c2";
+  } ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

sites/clove/system

@@ -0,0 +1 @@
+nixos

sites/daisy/cert.pem

@@ -1,34 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIF1zCCA7+gAwIBAgIUKYdQD74Iefk1CyzHvROGC83Hw6IwDQYJKoZIhvcNAQEL
-BQAwezELMAkGA1UEBhMCVVMxDzANBgNVBAgMBk5ldmFkYTESMBAGA1UEBwwJTGFz
-IFZlZ2FzMRMwEQYDVQQKDApTaGVsbHBoaXNoMRUwEwYDVQQLDAxhd29vLnN5c3Rl
-bXMxGzAZBgNVBAMMEmRvY2tlci5zaGVsbC5waGlzaDAeFw0yNTA4MDQxNjI5NDda
-Fw0zNTA4MDIxNjI5NDdaMHsxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZOZXZhZGEx
-EjAQBgNVBAcMCUxhcyBWZWdhczETMBEGA1UECgwKU2hlbGxwaGlzaDEVMBMGA1UE
-CwwMYXdvby5zeXN0ZW1zMRswGQYDVQQDDBJkb2NrZXIuc2hlbGwucGhpc2gwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDyVMA3TRVo52CNfmo4KCEF1UXR
-km3z2fezjsbjEOCeMTsirkFp71g4Cvj4RPCrIASq1DVXkOI6ZaU2OEfm15TcY0Q1
-DG8/zvjVFTOGGNqfCyz+DUSr3qweeAijyLMygjTvK1LrCUJ1daYTdr9es1Qd29dV
-Z2QxWy9+BOpz9oCs8ph+SUCVSfqn11mJ7btgSN9EU8K8f7vhm4PHpruaIJzXh6l0
-tl3wLvXbG8QW1Ms95oBCxiGFKxhAOhGQYlWkODJuh9nF+K/erXv/gmC9Xth/mbL9
-fRJpW+gPK79bhdSTPf9qLmanesRh7ZYxqDW/b7a1moR1u/MNqn4evm0muiz+cb/4
-e6PaRQfwD21dS4FNiJRWtUgSSa0qV7UdvFXvRIev/1f6jbeP0NB6txRxfRwf7cHQ
-ceWIMZgfLeGXjS1VUFnyvEL2iRgFE86YVgaYd6TIafN2tcKBb5CBJCZkkP2BBk17
-NJ/S4h1H0w9u9yyfSz8kvrFf8KMGreRsZGdq776ajI1RNye+kdOQdu8UVN/W2ewu
-E7vBw6NdDRuYGZ/pCULaXgdabiEYnzuwD5k9AKAeArWVDltSk8pS0gv8cI1MXt8J
-TBcSEal5SPwjQNVjahghc3ASydkGN31U0roXuV8+5CjTxfzE6vVsQ2PdF9cSEVHT
-kO6uIlMF7UKlytz2TwIDAQABo1MwUTAdBgNVHQ4EFgQUfMaBc83sxwCnJEeS893N
-hpFQF5gwHwYDVR0jBBgwFoAUfMaBc83sxwCnJEeS893NhpFQF5gwDwYDVR0TAQH/
-BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEATt+MoCjOJ7MlgfX/vvgrnjp9RCwY
-ltjg1n2sFzObJN0FpukFYLUdLXNj7YI34qL30FRjVDbEw3Q7ciXDPafqkzu/fMDd
-/QkOnkIPa7oQ1qHGTODN/a3/sDkGcf7Mf1KV2B3QovybhRjB+N35C2zDA6V4TWik
-AKXfqdJJEcSaG9yv1Kp4wmHvEOI0jruK2dks+46Ulw1eGk5xOHtRElfVfvO0LwGz
-8vvv+6WNoBNMw9inzwmEQALvVooWdh4cJnkUIWlSPI2n091dtU57rzvsAnPtV/sW
-Xvn9ZpRxw9vyKUBkWLLQAUbdn+XDM8XXi7zRGaY8b9LKWoNA2PGltpteCYck9za0
-a/F5Jt3f78d/vug/6Q0U2SiWNbqL9pzMX8gLIOuTqw6Rx6W32VY6WT418WqWjfsG
-iySaMbJ+P+EpIFn57UvKV5CgdDFroBLnS1YpYNpZAJJubpJLVyMxQMhb47K5vU6s
-YpsRm96kC0cZvP4J7+xpVilbzIqIHoV1foz0eRhCcS9bY+p22oLQY0EQ2joMnMnq
-VvffPBaIWMkx6hoSaoQl7nhksu1UQrzomGJfOEK+jGkRbo1QI/qz38EuvlUfSayu
-ONbCx7j+x++DyxvIQ9JEuu+cC76CNWjiDU0xFUhURrlS3t5AGe0+2ZBjcxWeX7jF
-iwbYVRB2xqWwxek=
------END CERTIFICATE-----

sites/daisy/configuration.nix

@@ -25,9 +25,9 @@
   # Open ports in the firewall.
   networking.firewall.allowedTCPPorts = [ 22 80 443 1337 1338 8081 2222 ];
   networking.firewall.allowedUDPPorts = [ 1337 ];
+  systemd.coredump.enable = false;
 
   system.stateVersion = "24.11";
-  #services.immich.enable = true;
 
   hardware.ipu6 = {
     enable = true;

sites/daisy/key.pem

@@ -1,52 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDyVMA3TRVo52CN
-fmo4KCEF1UXRkm3z2fezjsbjEOCeMTsirkFp71g4Cvj4RPCrIASq1DVXkOI6ZaU2
-OEfm15TcY0Q1DG8/zvjVFTOGGNqfCyz+DUSr3qweeAijyLMygjTvK1LrCUJ1daYT
-dr9es1Qd29dVZ2QxWy9+BOpz9oCs8ph+SUCVSfqn11mJ7btgSN9EU8K8f7vhm4PH
-pruaIJzXh6l0tl3wLvXbG8QW1Ms95oBCxiGFKxhAOhGQYlWkODJuh9nF+K/erXv/
-gmC9Xth/mbL9fRJpW+gPK79bhdSTPf9qLmanesRh7ZYxqDW/b7a1moR1u/MNqn4e
-vm0muiz+cb/4e6PaRQfwD21dS4FNiJRWtUgSSa0qV7UdvFXvRIev/1f6jbeP0NB6
-txRxfRwf7cHQceWIMZgfLeGXjS1VUFnyvEL2iRgFE86YVgaYd6TIafN2tcKBb5CB
-JCZkkP2BBk17NJ/S4h1H0w9u9yyfSz8kvrFf8KMGreRsZGdq776ajI1RNye+kdOQ
-du8UVN/W2ewuE7vBw6NdDRuYGZ/pCULaXgdabiEYnzuwD5k9AKAeArWVDltSk8pS
-0gv8cI1MXt8JTBcSEal5SPwjQNVjahghc3ASydkGN31U0roXuV8+5CjTxfzE6vVs
-Q2PdF9cSEVHTkO6uIlMF7UKlytz2TwIDAQABAoICACrgMug188lNUuiGCu4nr3wU
-OZe0dE7WbHyxEOCBDnT+2esvcLR5HB9CVb27mOd2MU02Yb++C0Dw1hPrTlF6KET8
-LUfDjPV5vc4Zw7WAtUG5nPrQRyuvqL11WHX+HzKbFhmRDUk3qLIWoE1GT+LGEOZ9
-jLJ4KiKPcy41WXQuE6NGAxQpCsu/PKGwuQ9t6B7HlfVFaqmmYgwvU1giWIQTLBz4
-TFOxpppF/MsJNR8jBFjN7TijTK/+qXpHq+7jbyqwpL+ouq/L6fYYtN1G6K3o155w
-B9rQ486Pa9YvU9qyKaPprsTPM+uDDbcT7eSYUfYuomGsVq5sFDuBRHJVGAPnoekE
-+ybrHST0MBwMqt3IUzNTfoNkO+/JKlEdAIMvmTkZERgw1yLokNUHlvoWSdiKkbpp
-ZsFpsS6nLucaUg2YxKRBkUFNXIwmO9RcCrax0putRkLeW+iYDd/1HyD8xyCpBLyG
-v/e0uUepx2i/T096YBNLrIj95Lqh1rdGOXmN2b98vEJhgZN0FCmmlIiMbYXYlrpQ
-8+6yNjpc36fFa0Af2xtv0RwULj1pEVI2QjTJCecKk9rjYBVOM8gp6xVpjy538+Zy
-yvkhKchILT4fZq8wXD8LBnFuFRjpgFQnHbN46J++y4+o0t8Kfjq+v8ttuCXLLkks
-LVCUu7GAWjejxWdQ0t/xAoIBAQD8MNQ2U6BzlVmTKjLhl9HrJd1zFEDVFDRseJjs
-YIfknIAtZMP12F810QQD0MMFisge8iDy+pm5K1GrauL5yKQUPExszFHLx9SyL4Ui
-TtsfWwHXFRged4+HS0RAqTCYpdfsKbnAYfpJCw99H1x0E6mcz2DBKS7vlO6gqhCL
-SkKwBtoXzh8IX8JpFI6blHGIZNdKF00a7iavG8ct7awHxZ5fhENnxz0QF/RCSXrG
-DIWJFC/Sa+iOq5YKQ9BjrVEsm2BwSfdD7DO1mrBYFutRz99aaACXnDnRscYPQw1G
-Et71wWE3qtkObMzIJhoEoS8gghRTpwW2/g8mueMpiFe61W6/AoIBAQD1/cvmSlGQ
-9S6mDpbSOo8r3kbcdj/Apv7rY18Ais8kynOADqlCbS3svWSL8h6tkD1SsA1ypsrq
-4n3ko5c/7IjqqRgeFE9ZNAFFTiqrbSw7W2EdH3/OtUJQUehu335Yl3mDqMu86874
-iGaHMQSfCRI2Cl7xbbseoZo7r0OiBhb8ERjTl8cJfVud9nO+oS267VyremmvDgmT
-c/SPiMJaFdQKy9l8c+VC89eTXnmzPeBERhmWhLdX9L4k+pjNtaSP2bc9W05pMzy4
-ST1XcyRT7ab1uaI7gs0RQApPrvUQuts2XnAr+mZ4K/xlvKxBQ7vEtNrkb4UunLt2
-ORZyD+AiMexxAoIBAByMfomD4AcVoiVJwqbNJANlrvMHGOvGNMUOxekEaH3VxaDd
-5l0fWG/kMHsqF9m5wzvVlytKeTqAD+fC2t0B/KkZxmEOpDfYcFiXjo+6s42SJNwv
-VCKm0EW1nI1hWdH9/DqM4q1Hqii4qtE0SqgNTcclpsNXISwYBQeFGQhbqL76l5fY
-SqUNChoRLK+qF0wkdka56o2g5houn9awMChVE7+mXmcSI/R9cbZLUS24XymMcnl0
-o8f63qpc0OtnxGezUzCC/w3eYGAvmcTvG0aQrK00VtTS56y4Xj5+DbOgEUNq19GQ
-cq/yWyBRR+K8SHR6pUhvAPOdQSPWKUQbXisVXEsCggEBAPP6woZphdb5Z0gqRirD
-DAedkbjNy9Ofjk0XJT3bbzJ1XfNQF06cDSW2fwhSn1zUKA5gMSZbCf3HoMfp/XTY
-fMAJ8LK8wCqgavY7XhTi1jEVJBAHkvMJUnlpk9iL8LubmVkdTN3XIFPerZo+4u99
-xsM0rBBXHnV2IQw7fCAyXA+sQWx0KGRgIkNdElWrdTjmfbhSVIncqWDHbHQEV4eU
-CNigcNh/9o7eXR18YcaGg24T/QMOJO6m/wScTHwTQeGvNZA0hGPQ/tNlSOL4f7qC
-hstHUAIobI5EbzWzOLtcKVoWdrkXxRRBxDd/13Vv4cdq/YP+nCCsMT5DxuBgoJQp
-4fECggEAc0joAOCppQsqi0+MYtnz+sLnN0LkedI4Pc+BrFgZe+pa0gOuz816Xf6R
-nJEuRo1DcbyOZ0/DldQdoMFd9c6kmFO2WIHJ4JsZXDRCZWFGIeakVQyepbB2J0n9
-dqSL7+o3nTtYtIbVbhIwQi0FGSLNIzyKycms0rxG4Rz3B9dzk+NEdrBYdCV/eiVo
-DHAnokgLTRKyINMiUreB/QUxg+4TOarXBJJPhqEQjHgVXXRhQzk4EH3EsU6wjFSo
-/q0J2vQ1CJJDM0YKV4izWSCjvpd6MuMPyHBCOVqWpMy3cOwzRGTO0asaG43GK1H3
-VkJw2xvYBO477ta66id4RDUBBXXzQQ==
------END PRIVATE KEY-----

sites/hydrangea/configuration.nix

@@ -37,10 +37,15 @@
 
   services.nginx = {
     enable = true;
+    additionalModules = [
+      pkgs.nginxModules.rtmp
+    ];
+
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    clientMaxBodySize = "10g";
 
     virtualHosts = {
       "home.rhelmot.io" = {
@@ -85,7 +90,54 @@
           proxyWebsockets = true;
         };
       };
+      "sftpgo.home.rhelmot.io" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3006";
+          proxyWebsockets = true;
+        };
+      };
+      "jellyfin.home.rhelmot.io" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8096";
+          proxyWebsockets = true;
+        };
+      };
+      # "owncast.home.rhelmot.io" = {
+      #   enableACME = true;
+      #   forceSSL = true;
+      #   locations."/" = {
+      #     proxyPass = "http://127.0.0.1:3007";
+      #     proxyWebsockets = true;
+      #   };
+      # };
+      "127.0.0.1:1934" = {
+        listen = [{ addr = "127.0.0.1"; port = 1934; ssl = false; }];
+        locations."/" = {
+          root = "/var/www/stream/";
+          tryFiles = "/$arg_name =404";
+        };
+      };
     };
+
+    appendConfig = ''
+      rtmp {
+        server {
+          listen 1935;
+          chunk_size 4000;
+          application live {
+            live on;
+            allow publish all;
+            allow play all;
+            notify_method get;
+            on_publish http://127.0.0.1:1934/;
+          }
+        }
+      }
+    '';
   };
 
   services.vaultwarden = {
@@ -128,6 +180,14 @@
     settings = {
       newVersionCheck.enabled = false;
       server.externalDomain = "https://immich.home.rhelmot.io";
+      oauth = {
+        enabled = true;
+        autoLaunch = true;
+        buttonText = "Single Sign-On";
+        clientId = "immich";
+        clientSecret._secret = "/var/lib/immich/oidc-client-secret";
+        issuerUrl = "https://auth.rhelmot.io/realms/rhelmot";
+      };
     };
   };
 
@@ -194,12 +254,65 @@
     settings.gui.user = "audrey";
   };
 
+  services.sftpgo = {
+    enable = true;
+    dataDir = "/var/lib/sftpgo";
+    extraReadWriteDirs = [
+      "/var/lib/jellyfin/library"
+    ];
+    settings = {
+      tz = "local";
+      httpd.bindings = [{
+        port = 3006;
+        # 1 means OIDC for the WebAdmin UI.
+        # 2 means OIDC for the WebClient UI.
+        # 4 means login form for the WebAdmin UI.
+        # 8 means login form for the WebClient UI.
+        # 16 means the admin token endpoint for REST API.
+        # 32 means the user token endpoint for REST API.
+        # 64 means admin API key login.
+        # 128 means user API key login.
+        disabled_login_methods = 1 + 8;
+        oidc = {
+          config_url = "https://auth.rhelmot.io/realms/rhelmot";
+          client_id = "sftpgo";
+          client_secret_file = "/var/lib/sftpgo/oidc-client-secret";
+          redirect_base_url = "https://sftpgo.home.rhelmot.io";
+          username_field = "preferred_username";
+          scopes = [
+            "openid"
+            "profile"
+            "email"
+            "sftpgo"
+          ];
+        };
+      }];
+      sftpd.bindings = [{
+        port = 28022;
+        address = "0.0.0.0";
+      }];
+      sftpd.password_authentication = false;
+    };
+  };
+
+  services.jellyfin = {
+    enable = true;
+  };
+
+  # services.owncast = {
+  #   enable = true;
+  #   port = 3007;
+  #   rtmp-port = 1935;
+  # };
+
   # TODO
-  # - sftpgo
   # - transfer old nextcloud files
-  # - jellyfin
+  # - move old data files to sftpgo/audrey?
+  # - alerting
   # ON HOLD
   # - dyndns
   #   - https://github.com/qdm12/ddns-updater/pull/1046
   #   - https://github.com/ddclient/ddclient/pull/852
+  # - hedgedoc keycloak
+  #   - waiting for hedgedoc2 release to get oidc
 }

sites/hydrangea/hardware-configuration.nix

@@ -21,6 +21,8 @@
     "main/hedgedoc".mountPoint = "/var/lib/hedgedoc";
     "main/immich".mountPoint = "/var/lib/immich";
     "main/syncthing".mountPoint = "/var/lib/syncthing";
+    "main/jellyfin".mountPoint = "/var/lib/jellyfin";
+    "main/jellyfin-cache".mountPoint = "/var/cache/jellyfin";
   };
 
   fileSystems."/boot" = {

sites/sunflower/configuration.nix

@@ -102,12 +102,14 @@
       "mspa"
       "wiki-js"
       "forgejo"
+      "keycloak"
     ];
     ensureUsers = [
       { name = "bingosync"; ensureDBOwnership = true; }
       { name = "mspa"; ensureDBOwnership = true; }
       { name = "wiki-js"; ensureDBOwnership = true; }
       { name = "forgejo"; ensureDBOwnership = true; }
+      { name = "keycloak"; ensureDBOwnership = true; }
     ];
     authentication = pkgs.lib.mkOverride 10 ''
       #type database  DBuser  auth-method optional_ident_map
@@ -121,6 +123,7 @@
        defaultmap      bingosync bingosync
        defaultmap      wiki-js   wiki-js
        defaultmap      forgejo   forgejo
+       defaultmap      keycloak  keycloak
     '';
   };
 
@@ -249,8 +252,6 @@
           proxyPass = "http://192.168.100.11:3000";
           proxyWebsockets = true;
           recommendedProxySettings = true;
-          extraConfig = ''
-          '';
         };
       };
       "anons.ee" = {
@@ -260,8 +261,14 @@
           proxyPass = "http://192.168.100.11:3000";
           proxyWebsockets = true;
           recommendedProxySettings = true;
-          extraConfig = ''
+        };
-          '';
+      };
+      "auth.rhelmot.io" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3030";
+          proxyWebsockets = true;
         };
       };
     };
@@ -292,4 +299,22 @@
     config.imports = [ ./anonsee.nix ];
   };
   services.nginx.logError = "stderr info";
+
+  services.keycloak = {
+    enable = true;
+    database.host = "/run/postgresql";
+    database.type = "postgresql";
+    initialAdminPassword = "bitesyouchangeme";
+    plugins = with pkgs.keycloak.plugins; [
+      junixsocket-common
+      junixsocket-native-common
+    ];
+    settings = {
+      hostname = "auth.rhelmot.io";
+      http-host = "127.0.0.1";
+      http-port = 3030;
+      proxy-headers = "xforwarded";
+      http-enabled = true;
+    };
+  };
 }