speed up

.gitea/workflows/check-flake.yaml

@@ -15,5 +15,14 @@ jobs:
         with:
           fetch-depth: 0
 
+      - run: attic -V
+
+      - name: Setup Attic Cache
+        uses: https://git.neet.dev/zuckerberg/attic-action@v0.2.5
+        with:
+          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+          cache: ${{ secrets.ATTIC_CACHE }}
+          token: ${{ secrets.ATTIC_TOKEN }}
+
       - name: Check Flake
         run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace

common/binary-cache.nix

@@ -1,29 +1,17 @@
 { config, lib, ... }:
 
-let
-
-in
 {
-  options.enableExtraSubstituters = lib.mkEnableOption "Enable extra substituters";
-
-  config = lib.mkMerge [
-    {
-      enableExtraSubstituters = lib.mkDefault true;
-    }
-    (lib.mkIf config.enableExtraSubstituters {
   nix = {
     settings = {
       substituters = [
         "https://cache.nixos.org/"
         "https://nix-community.cachix.org"
-            "http://s0.koi-bebop.ts.net:5000"
+        "http://s0.koi-bebop.ts.net:28338/nixos"
       ];
       trusted-public-keys = [
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-            "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+        "nixos:IDhKojUaMz+UIiri1/DQk9EpqDokih8dwxmp41uJnls="
       ];
     };
   };
-    })
-  ];
 }

common/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
 
 {
   imports = [
@@ -20,12 +20,12 @@
 
   system.stateVersion = "23.11";
 
-  networking.useDHCP = lib.mkDefault true;
+  networking.useDHCP = false;
 
   networking.firewall.enable = true;
   networking.firewall.allowPing = true;
 
-  time.timeZone = "America/Los_Angeles";
+  time.timeZone = "America/Denver";
   i18n = {
     defaultLocale = "en_US.UTF-8";
     extraLocaleSettings = {
@@ -63,6 +63,7 @@
     lf
     gnumake
     tree
+    attic
   ];
 
   nixpkgs.config.allowUnfree = true;

common/pc/audio.nix

@@ -19,15 +19,6 @@ in
       jack.enable = true;
     };
 
-    services.pipewire.extraConfig.pipewire."92-fix-wine-audio" = {
-      context.properties = {
-        default.clock.rate = 48000;
-        default.clock.quantum = 2048;
-        default.clock.min-quantum = 512;
-        default.clock.max-quantum = 2048;
-      };
-    };
-
     users.users.googlebot.extraGroups = [ "audio" ];
 
     # bt headset support

common/pc/chromium.nix

@@ -52,7 +52,7 @@ in
         # ungoogled = true;
         # --enable-native-gpu-memory-buffers # fails on AMD APU
         # --enable-webrtc-vp9-support
-        commandLineArgs = "--use-vulkan";
+        commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video  --enable-gpu-rasterization";
       };
     };
     # todo vulkan in chrome

common/pc/default.nix

@@ -89,8 +89,5 @@ in
     # for luks onlock over tor
     services.tor.enable = true;
     services.tor.client.enable = true;
-
-    # Enable wayland support in various chromium based applications
-    environment.sessionVariables.NIXOS_OZONE_WL = "1";
   };
 }

common/pc/vscodium.nix

@@ -11,8 +11,6 @@ let
     golang.go
     jnoortheen.nix-ide
     ms-vscode.cpptools
-    rust-lang.rust-analyzer
-    vadimcn.vscode-lldb
   ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
     {
       name = "platformio-ide";
@@ -20,12 +18,6 @@ let
       version = "3.1.1";
       sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
     }
-    {
-      name = "wgsl-analyzer";
-      publisher = "wgsl-analyzer";
-      version = "0.8.1";
-      sha256 = "ckclcxdUxhjWlPnDFVleLCWgWxUEENe0V328cjaZv+Y=";
-    }
   ];
 
   vscodium-with-extensions = pkgs.vscode-with-extensions.override {

common/server/atticd.nix

@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.services.atticd;
+in
+{
+  config = lib.mkIf cfg.enable {
+    services.atticd = {
+      credentialsFile = "/run/agenix/atticd-credentials";
+
+      settings = {
+        listen = "[::]:28338";
+
+        # Speed things up
+        require-proof-of-possession = false;
+
+        chunking = {
+          # Disable chunking for performance (I have plenty of space)
+          nar-size-threshold = 0;
+
+          # Chunking is disabled due to poor performance so these values don't matter but are required anyway.
+          # One day, when I move away from ZFS maybe this will perform well enough.
+          # nar-size-threshold = 64 * 1024; # 64 KiB
+          min-size = 16 * 1024; # 16 KiB
+          avg-size = 64 * 1024; # 64 KiB
+          max-size = 256 * 1024; # 256 KiB
+        };
+
+        # Disable compression for performance (I have plenty of space)
+        compression.type = "none";
+
+        garbage-collection = {
+          default-retention-period = "6 months";
+        };
+      };
+    };
+
+    age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age;
+  };
+}

common/server/dashy.nix

@@ -37,5 +37,17 @@ in
         ];
       };
     };
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts."s0.koi-bebop.ts.net" = {
+      default = true;
+      addSSL = true;
+      serverAliases = [ "s0" ];
+      sslCertificate = "/secret/ssl/s0.koi-bebop.ts.net.crt";
+      sslCertificateKey = "/secret/ssl/s0.koi-bebop.ts.net.key";
+      locations."/" = {
+        proxyPass = "http://localhost:${toString cfg.port}";
+      };
+    };
   };
 }

common/server/default.nix

@@ -22,6 +22,6 @@
     ./dashy.nix
     ./librechat.nix
     ./actualbudget.nix
-    ./unifi.nix
+    ./atticd.nix
   ];
 }

common/server/gitea-actions-runner.nix

@@ -116,6 +116,7 @@ in
       git
       # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
       nodejs
+      attic
     ];
 
     # To allow building on the host, must override the the service's config so it doesn't use a dynamic user

common/server/librechat.nix

@@ -26,7 +26,6 @@ in
           HOST = "0.0.0.0";
           MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
           ENDPOINTS = "openAI,google,bingAI,gptPlugins";
-          REFRESH_TOKEN_EXPIRY = toString (1000 * 60 * 60 * 24 * 30); # 30 days
         };
         environmentFiles = [
           "/run/agenix/librechat-env-file"

common/server/mailserver.nix

@@ -56,7 +56,6 @@ in
         "damon@runyan.org"
         "jonas@runyan.org"
         "simon@neet.dev"
-        "ellen@runyan.org"
       ];
       forwards = {
         "amazon@runyan.org" = [

common/server/nextcloud.nix

@@ -8,23 +8,12 @@ in
   config = lib.mkIf cfg.enable {
     services.nextcloud = {
       https = true;
-      package = pkgs.nextcloud30;
+      package = pkgs.nextcloud29;
       hostName = "neet.cloud";
       config.dbtype = "sqlite";
       config.adminuser = "jeremy";
       config.adminpassFile = "/run/agenix/nextcloud-pw";
       autoUpdateApps.enable = true;
-      extraApps = with config.services.nextcloud.package.packages.apps; {
-        # Want
-        inherit end_to_end_encryption mail spreed;
-
-        # Might use
-        inherit bookmarks calendar cookbook deck memories onlyoffice qownnotesapi;
-
-        # Try out
-        # inherit maps music news notes phonetrack polls forms;
-      };
-      extraAppsEnable = true;
     };
     age.secrets.nextcloud-pw = {
       file = ../../secrets/nextcloud-pw.age;

common/server/nginx.nix

@@ -4,10 +4,6 @@ let
   cfg = config.services.nginx;
 in
 {
-  options.services.nginx = {
-    openFirewall = lib.mkEnableOption "Open firewall ports 80 and 443";
-  };
-
   config = lib.mkIf cfg.enable {
     services.nginx = {
       recommendedGzipSettings = true;
@@ -16,8 +12,6 @@ in
       recommendedTlsSettings = true;
     };
 
-    services.nginx.openFirewall = lib.mkDefault true;
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 80 443 ];
   };
 }

common/server/unifi.nix

@@ -1,25 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.services.unifi;
-in
-{
-  options.services.unifi = {
-    # Open select Unifi ports instead of using openFirewall to avoid opening access to unifi's control panel
-    openMinimalFirewall = lib.mkEnableOption "Open bare minimum firewall ports";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.unifi.unifiPackage = pkgs.unifi8;
-
-    networking.firewall = lib.mkIf cfg.openMinimalFirewall {
-      allowedUDPPorts = [
-        3478 # STUN
-        10001 # used for device discovery.
-      ];
-      allowedTCPPorts = [
-        8080 # Used for device and application communication.
-      ];
-    };
-  };
-}

flake.lock

@@ -12,11 +12,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723293904,
+        "lastModified": 1716561646,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
         "type": "github"
       },
       "original": {
@@ -25,6 +25,36 @@
         "type": "github"
       }
     },
+    "attic": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717279440,
+        "narHash": "sha256-kH04ReTjxOpQumgWnqy40vvQLSnLGxWP6RF3nq5Esrk=",
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "rev": "717cc95983cdc357bc347d70be20ced21f935843",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "type": "github"
+      }
+    },
     "blobs": {
       "flake": false,
       "locked": {
@@ -41,6 +71,27 @@
         "type": "gitlab"
       }
     },
+    "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717025063,
+        "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
     "dailybuild_modules": {
       "inputs": {
         "flake-utils": [
@@ -99,11 +150,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1727447169,
+        "lastModified": 1718194053,
-        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
+        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
+        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
         "type": "github"
       },
       "original": {
@@ -135,11 +186,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1710146030,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -176,11 +227,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1728263287,
+        "lastModified": 1716772633,
-        "narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=",
+        "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259",
+        "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
         "type": "github"
       },
       "original": {
@@ -191,11 +242,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1728056216,
+        "lastModified": 1717248095,
-        "narHash": "sha256-IrO06gFUDTrTlIP3Sz+mRB6WUoO2YsgMtOD3zi0VEt0=",
+        "narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28",
+        "rev": "7b49d3967613d9aacac5b340ef158d493906ba79",
         "type": "github"
       },
       "original": {
@@ -207,11 +258,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1728193676,
+        "lastModified": 1717144377,
-        "narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=",
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
         "type": "github"
       },
       "original": {
@@ -281,6 +332,7 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "attic": "attic",
         "dailybuild_modules": "dailybuild_modules",
         "deploy-rs": "deploy-rs",
         "flake-compat": "flake-compat",
@@ -306,14 +358,17 @@
         ],
         "nixpkgs-24_05": [
           "nixpkgs"
+        ],
+        "utils": [
+          "flake-utils"
         ]
       },
       "locked": {
-        "lastModified": 1722877200,
+        "lastModified": 1718084203,
-        "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
         "type": "gitlab"
       },
       "original": {

flake.nix

@@ -25,6 +25,7 @@
         nixpkgs.follows = "nixpkgs";
         nixpkgs-24_05.follows = "nixpkgs";
         flake-compat.follows = "flake-compat";
+        utils.follows = "flake-utils";
       };
     };
 
@@ -74,6 +75,17 @@
       url = "github:Mic92/nix-index-database";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    # Attic
+    attic = {
+      url = "github:zhaofengli/attic";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        nixpkgs-stable.follows = "nixpkgs";
+        flake-utils.follows = "flake-utils";
+        flake-compat.follows = "flake-compat";
+      };
+    };
   };
 
   outputs = { self, nixpkgs, ... }@inputs:
@@ -93,6 +105,7 @@
             agenix.nixosModules.default
             dailybuild_modules.nixosModule
             nix-index-database.nixosModules.nix-index
+            attic.nixosModules.atticd
             self.nixosModules.kernel-modules
             ({ lib, ... }: {
               config = {

machines/hotspot/default.nix

@@ -1,69 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  internal = "end0";
-  wireless = "wlan0";
-  internal-gateway-ip = "192.168.0.1";
-  internal-ip-lower = "192.168.0.10";
-  internal-ip-upper = "192.168.0.100";
-in
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  enableExtraSubstituters = false;
-
-  # networking.interfaces.${internal}.ipv4.addresses = [{
-  #   address = internal-gateway-ip;
-  #   prefixLength = 24;
-  # }];
-
-  # DHCP on all interfaces except for the internal interface
-  networking.useDHCP = true;
-  networking.interfaces.${internal}.useDHCP = true;
-  networking.interfaces.${wireless}.useDHCP = true;
-
-  # Enable NAT
-  networking.ip_forward = true;
-  networking.nat = {
-    enable = true;
-    internalInterfaces = [ internal ];
-    externalInterface = wireless;
-  };
-
-  networking.wireless = {
-    enable = true;
-    networks = {
-      "Pixel_6054".psk = "@PSK_Pixel_6054@";
-    };
-    interfaces = [ wireless ];
-    environmentFile = "/run/agenix/hostspot-passwords";
-  };
-  age.secrets.hostspot-passwords.file = ../../secrets/hostspot-passwords.age;
-
-  # dnsmasq for internal interface
-  services.dnsmasq = {
-    enable = true;
-    settings = {
-      server = [ "1.1.1.1" "8.8.8.8" ];
-      dhcp-range = "${internal-ip-lower},${internal-ip-upper},24h";
-      dhcp-option = [
-        "option:router,${internal-gateway-ip}"
-        "option:broadcast,10.0.0.255"
-        "option:ntp-server,0.0.0.0"
-      ];
-    };
-  };
-
-  networking.firewall.interfaces.${internal}.allowedTCPPorts = [
-    53 # dnsmasq
-  ];
-
-  # Make it appear we are not using phone tethering to the ISP
-  networking.firewall = {
-    extraCommands = ''
-      iptables -t mangle -A POSTROUTING -o ${wireless} -j TTL --ttl-set 65
-    '';
-  };
-}

machines/hotspot/hardware-configuration.nix

@@ -1,27 +0,0 @@
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [
-      (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot = {
-    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
-    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
-    loader = {
-      grub.enable = false;
-      generic-extlinux-compatible.enable = true;
-    };
-  };
-
-  fileSystems."/" =
-    {
-      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
-      fsType = "ext4";
-    };
-
-  swapDevices = [ ];
-
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}

machines/hotspot/properties.nix

@@ -1,13 +0,0 @@
-{
-  hostNames = [
-    "hotspot"
-  ];
-
-  arch = "aarch64-linux";
-
-  systemRoles = [
-    "hotspot"
-  ];
-
-  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION4IUAef687RIzWrP4HEZnpdSJswt06QmrdRMDPHHGY";
-}

machines/ponyo/default.nix

@@ -102,7 +102,7 @@
       host = "chat.neet.space";
     };
     jitsi-meet = {
-      enable = false; # disabled until vulnerable libolm dependency is removed/fixed
+      enable = true;
       host = "meet.neet.space";
     };
     turn = {
@@ -118,6 +118,14 @@
 
   # proxied web services
   services.nginx.enable = true;
+  services.nginx.virtualHosts."jellyfin.neet.cloud" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://s0.koi-bebop.ts.net";
+      proxyWebsockets = true;
+    };
+  };
   services.nginx.virtualHosts."navidrome.neet.cloud" = {
     enableACME = true;
     forceSSL = true;

machines/storage/s0/dashy.yaml

@@ -60,65 +60,73 @@ sections:
       - &ref_0
         title: Jellyfin
         icon: hl-jellyfin
-        url: https://jellyfin.s0.neet.dev
+        url: http://s0:8097
         target: sametab
-        statusCheck: false
+        statusCheck: true
+        statusCheckUrl: http://jellyfin.s0
         id: 0_1956_jellyfin
       - &ref_1
         title: Sonarr
         description: Manage TV
         icon: hl-sonarr
-        url: https://sonarr.s0.neet.dev
+        url: http://s0:8989
         target: sametab
-        statusCheck: false
+        statusCheck: true
+        statusCheckUrl: http://sonarr.s0
         id: 1_1956_sonarr
       - &ref_2
         title: Radarr
         description: Manage Movies
         icon: hl-radarr
-        url: https://radarr.s0.neet.dev
+        url: http://s0:7878
         target: sametab
-        statusCheck: false
+        statusCheck: true
+        statusCheckUrl: http://radarr.s0
         id: 2_1956_radarr
       - &ref_3
         title: Lidarr
         description: Manage Music
         icon: hl-lidarr
-        url: https://lidarr.s0.neet.dev
+        url: http://s0:8686
         target: sametab
-        statusCheck: false
+        statusCheck: true
+        statusCheckUrl: http://lidarr.s0
         id: 3_1956_lidarr
       - &ref_4
         title: Prowlarr
         description: Indexers
         icon: hl-prowlarr
-        url: https://prowlarr.s0.neet.dev
+        url: http://prowlarr.s0
         target: sametab
-        statusCheck: false
+        statusCheck: true
+        statusCheckUrl: http://prowlarr.s0
         id: 4_1956_prowlarr
       - &ref_5
         title: Bazarr
         description: Subtitles
         icon: hl-bazarr
-        url: https://bazarr.s0.neet.dev
+        url: http://s0:6767
         target: sametab
-        statusCheck: false
+        statusCheck: true
+        statusCheckUrl: http://bazarr.s0
         id: 5_1956_bazarr
       - &ref_6
         title: Navidrome
         description: Play Music
         icon: hl-navidrome
-        url: https://music.s0.neet.dev
+        url: http://s0:4534
         target: sametab
-        statusCheck: false
+        statusCheck: true
+        statusCheckUrl: http://music.s0
         id: 6_1956_navidrome
       - &ref_7
         title: Transmission
         description: Torrenting
         icon: hl-transmission
-        url: https://transmission.s0.neet.dev
+        url: http://s0:9091
         target: sametab
-        statusCheck: false
+        statusCheck: true
+        statusCheckUrl: http://transmission.s0
         id: 7_1956_transmission
     filteredItems:
       - *ref_0

machines/storage/s0/default.nix

@@ -3,7 +3,6 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ./frigate.nix
     ./home-automation.nix
   ];
 
@@ -11,23 +10,6 @@
 
   # system.autoUpgrade.enable = true;
 
-  nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
-
-  # binary cache
-  services.nix-serve = {
-    enable = true;
-    openFirewall = true;
-    secretKeyFile = "/run/agenix/binary-cache-private-key";
-  };
-  age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
-  users.users.cache-push = {
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
-  };
-  nix.settings = {
-    trusted-users = [ "cache-push" ];
-  };
-
   services.iperf3.enable = true;
   services.iperf3.openFirewall = true;
 
@@ -166,89 +148,61 @@
   };
 
   # nginx
-  services.nginx = {
+  services.nginx.enable = true;
-    enable = true;
+  services.nginx.virtualHosts."bazarr.s0" = {
-    openFirewall = false; # All nginx services are internal
+    listen = [{ addr = "0.0.0.0"; port = 6767; } { addr = "0.0.0.0"; port = 80; }];
-    virtualHosts =
+    locations."/".proxyPass = "http://vpn.containers:6767";
-      let
+  };
-        mkVirtualHost = external: internal:
+  services.nginx.virtualHosts."radarr.s0" = {
-          {
+    listen = [{ addr = "0.0.0.0"; port = 7878; } { addr = "0.0.0.0"; port = 80; }];
-            ${external} = {
+    locations."/".proxyPass = "http://vpn.containers:7878";
-              useACMEHost = "s0.neet.dev"; # Use wildcard cert
+  };
-              forceSSL = true;
+  services.nginx.virtualHosts."lidarr.s0" = {
+    listen = [{ addr = "0.0.0.0"; port = 8686; } { addr = "0.0.0.0"; port = 80; }];
+    locations."/".proxyPass = "http://vpn.containers:8686";
+  };
+  services.nginx.virtualHosts."sonarr.s0" = {
+    listen = [{ addr = "0.0.0.0"; port = 8989; } { addr = "0.0.0.0"; port = 80; }];
+    locations."/".proxyPass = "http://vpn.containers:8989";
+  };
+  services.nginx.virtualHosts."prowlarr.s0" = {
+    listen = [{ addr = "0.0.0.0"; port = 9696; } { addr = "0.0.0.0"; port = 80; }];
+    locations."/".proxyPass = "http://vpn.containers:9696";
+  };
+  services.nginx.virtualHosts."music.s0" = {
+    listen = [{ addr = "0.0.0.0"; port = 4534; } { addr = "0.0.0.0"; port = 80; }];
+    locations."/".proxyPass = "http://localhost:4533";
+  };
+  services.nginx.virtualHosts."jellyfin.s0" = {
+    listen = [{ addr = "0.0.0.0"; port = 8097; } { addr = "0.0.0.0"; port = 80; }];
     locations."/" = {
-                proxyPass = internal;
+      proxyPass = "http://localhost:8096";
       proxyWebsockets = true;
     };
   };
+  services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
+    proxyPass = "http://localhost:8096";
+    proxyWebsockets = true;
   };
-      in
+  services.nginx.virtualHosts."transmission.s0" = {
-      lib.mkMerge [
+    listen = [{ addr = "0.0.0.0"; port = 9091; } { addr = "0.0.0.0"; port = 80; }];
-        (mkVirtualHost "bazarr.s0.neet.dev" "http://vpn.containers:6767")
+    locations."/" = {
-        (mkVirtualHost "radarr.s0.neet.dev" "http://vpn.containers:7878")
+      proxyPass = "http://vpn.containers:9091";
-        (mkVirtualHost "lidarr.s0.neet.dev" "http://vpn.containers:8686")
+      proxyWebsockets = true;
-        (mkVirtualHost "sonarr.s0.neet.dev" "http://vpn.containers:8989")
-        (mkVirtualHost "prowlarr.s0.neet.dev" "http://vpn.containers:9696")
-        (mkVirtualHost "transmission.s0.neet.dev" "http://vpn.containers:9091")
-        (mkVirtualHost "unifi.s0.neet.dev" "https://localhost:8443")
-        (mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
-        (mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
-        (mkVirtualHost "s0.neet.dev" "http://localhost:56815")
-        {
-          # Landing page LAN redirect
-          "s0" = {
-            default = true;
-            redirectCode = 302;
-            globalRedirect = "s0.neet.dev";
-          };
-        }
-        (mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
-        (mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
-        (mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
-        {
-          "frigate.s0.neet.dev" = {
-            # Just configure SSL, frigate module configures the rest of nginx
-            useACMEHost = "s0.neet.dev";
-            forceSSL = true;
-          };
-        }
-        (mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
-        (mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
-      ];
-
-    tailscaleAuth = {
-      enable = true;
-      virtualHosts = [
-        "bazarr.s0.neet.dev"
-        "radarr.s0.neet.dev"
-        "lidarr.s0.neet.dev"
-        "sonarr.s0.neet.dev"
-        "prowlarr.s0.neet.dev"
-        "transmission.s0.neet.dev"
-        "unifi.s0.neet.dev"
-        # "music.s0.neet.dev" # messes up navidrome
-        "jellyfin.s0.neet.dev"
-        "s0.neet.dev"
-        # "ha.s0.neet.dev" # messes up home assistant
-        "esphome.s0.neet.dev"
-        "zigbee.s0.neet.dev"
-        "vacuum.s0.neet.dev"
-        "todo.s0.neet.dev"
-      ];
-      expectedTailnet = "koi-bebop.ts.net";
     };
   };
 
-  # Get wildcard cert
+  networking.firewall.allowedTCPPorts = [
-  security.acme.certs."s0.neet.dev" = {
+    6767
-    dnsProvider = "digitalocean";
+    7878
-    credentialsFile = "/run/agenix/digitalocean-dns-credentials";
+    8686
-    extraDomainNames = [ "*.s0.neet.dev" ];
+    8989
-    group = "nginx";
+    9696
-    dnsResolver = "1.1.1.1:53";
+    4534
-    dnsPropagationCheck = false; # sadly this erroneously fails
+    8097
-  };
+    9091
-  age.secrets.digitalocean-dns-credentials.file = ../../../secrets/digitalocean-dns-credentials.age;
+    8443 # unifi
+  ];
 
   virtualisation.oci-containers.backend = "podman";
   virtualisation.podman.dockerSocket.enable = true; # TODO needed?
@@ -259,18 +213,11 @@
 
   services.unifi = {
     enable = true;
-    openMinimalFirewall = true;
+    openFirewall = true;
-  };
+    unifiPackage = pkgs.unifi8;
-
-  services.vikunja = {
-    enable = true;
-    port = 61473;
-    frontendScheme = "https";
-    frontendHostname = "todo.s0.neet.dev";
-    settings = {
-      service.enableregistration = false;
-    };
   };
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
+
+  services.atticd.enable = true;
 }

machines/storage/s0/frigate.nix

@@ -1,155 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  frigateHostname = "frigate.s0.neet.dev";
-
-  mkGo2RtcStream = name: url: withAudio: {
-    ${name} = [
-      url
-      "ffmpeg:${name}#video=copy${if withAudio then "#audio=copy" else ""}"
-    ];
-  };
-
-  # Assumes camera is set to output:
-  # - rtsp
-  # - H.264 + AAC
-  # - a downscaled substream for detection
-  mkCamera = name: primaryUrl: detectUrl: {
-    # Reference https://docs.frigate.video/configuration/reference/
-    services.frigate.settings = {
-      cameras.${name} = {
-        ffmpeg = {
-          # Camera feeds are relayed through go2rtc
-          inputs = [
-            {
-              path = "rtsp://127.0.0.1:8554/${name}";
-              # input_args = "preset-rtsp-restream";
-              input_args = "preset-rtsp-restream-low-latency";
-              roles = [ "record" ];
-            }
-            {
-              path = detectUrl;
-              roles = [ "detect" ];
-            }
-          ];
-          output_args = {
-            record = "preset-record-generic-audio-copy";
-          };
-        };
-      };
-    };
-    services.go2rtc.settings.streams = lib.mkMerge [
-      (mkGo2RtcStream name primaryUrl false)
-
-      # Sadly having the detection stream go through go2rpc too makes the stream unreadable by frigate for some reason.
-      # It might need to be re-encoded to work.  But I am not interested in wasting the processing power if only frigate
-      # need the detection stream anyway. So just let frigate grab the stream directly since it works.
-      # (mkGo2RtcStream detectName detectUrl false)
-    ];
-  };
-
-  mkDahuaCamera = name: address:
-    let
-      # go2rtc and frigate have a slightly different syntax for inserting env vars. So the URLs are not interchangable :(
-      # - go2rtc: ${VAR}
-      # - frigate: {VAR}
-      primaryUrl = "rtsp://admin:\${FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=0";
-      detectUrl = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@${address}/cam/realmonitor?channel=1&subtype=1";
-    in
-    mkCamera name primaryUrl detectUrl;
-
-  mkEsp32Camera = name: address: {
-    services.frigate.settings.cameras.${name} = {
-      ffmpeg = {
-        input_args = "";
-        inputs = [{
-          path = "http://${address}:8080";
-          roles = [ "detect" "record" ];
-        }];
-
-        output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
-      };
-    };
-  };
-in
-lib.mkMerge [
-  (mkDahuaCamera "dog-cam" "192.168.10.31")
-  # (mkEsp32Camera "dahlia-cam" "dahlia-cam.lan")
-  {
-    services.frigate = {
-      enable = true;
-      hostname = frigateHostname;
-      settings = {
-        mqtt = {
-          enabled = true;
-          host = "localhost:1883";
-        };
-        rtmp.enabled = false;
-        snapshots = {
-          enabled = true;
-          bounding_box = true;
-        };
-        record = {
-          enabled = true;
-          # sync_recordings = true; # detect if recordings were deleted outside of frigate (expensive)
-          retain = {
-            days = 2; # Keep video for 2 days
-            mode = "motion";
-          };
-          events = {
-            retain = {
-              default = 10; # Keep video with detections for 10 days
-              mode = "motion";
-              # mode = "active_objects";
-            };
-          };
-        };
-        # Make frigate aware of the go2rtc streams
-        go2rtc.streams = config.services.go2rtc.settings.streams;
-        detect.enabled = true;
-        objects = {
-          track = [ "person" "dog" ];
-        };
-      };
-    };
-
-    services.go2rtc = {
-      enable = true;
-      settings = {
-        rtsp.listen = ":8554";
-        webrtc.listen = ":8555";
-      };
-    };
-
-    # Pass in env file with secrets to frigate/go2rtc
-    systemd.services.frigate.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
-    systemd.services.go2rtc.serviceConfig.EnvironmentFile = "/run/agenix/frigate-credentials";
-    age.secrets.frigate-credentials.file = ../../../secrets/frigate-credentials.age;
-  }
-  {
-    # hardware encode/decode with amdgpu vaapi
-    systemd.services.frigate = {
-      environment.LIBVA_DRIVER_NAME = "radeonsi";
-      serviceConfig = {
-        SupplementaryGroups = [ "render" "video" ]; # for access to dev/dri/*
-        AmbientCapabilities = "CAP_PERFMON";
-      };
-    };
-    services.frigate.settings.ffmpeg.hwaccel_args = "preset-vaapi";
-  }
-  {
-    # Coral TPU for frigate
-    services.udev.packages = [ pkgs.libedgetpu ];
-    users.groups.apex = { };
-    systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
-    systemd.services.frigate.serviceConfig.SupplementaryGroups = [ "apex" ];
-
-    # Coral PCIe driver
-    kernel.enableGasketKernelModule = true;
-
-    services.frigate.settings.detectors.coral = {
-      type = "edgetpu";
-      device = "pci";
-    };
-  }
-]

machines/storage/s0/hardware-configuration.nix

@@ -8,7 +8,6 @@
 
   # boot
   boot.loader.systemd-boot.enable = true;
-  boot.loader.systemd-boot.memtest86.enable = true;
   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
@@ -59,12 +58,8 @@
     };
   swapDevices = [ ];
 
-  networking.vlans = {
+  networking.interfaces.eth0.useDHCP = true;
-    iot = {
+  networking.interfaces.eth1.useDHCP = true;
-      id = 2;
-      interface = "eth1";
-    };
-  };
 
   powerManagement.cpuFreqGovernor = "powersave";
 }

machines/storage/s0/home-automation.nix

@@ -1,7 +1,100 @@
 { config, lib, pkgs, ... }:
 
+let
+  frigateHostname = "frigate.s0";
+  frigatePort = 61617;
+
+  mkEsp32Cam = address: {
+    ffmpeg = {
+      input_args = "";
+      inputs = [{
+        path = address;
+        roles = [ "detect" "record" ];
+      }];
+
+      output_args.record = "-f segment -pix_fmt yuv420p -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c:v libx264 -preset ultrafast -an ";
+    };
+    rtmp.enabled = false;
+    snapshots = {
+      enabled = true;
+      bounding_box = true;
+    };
+    record = {
+      enabled = true;
+      retain.days = 10; # Keep video for 10 days
+      events.retain = {
+        default = 30; # Keep video with detections for 30 days
+        mode = "active_objects";
+      };
+    };
+    detect = {
+      enabled = true;
+      width = 800;
+      height = 600;
+      fps = 10;
+    };
+    objects = {
+      track = [ "person" ];
+    };
+  };
+in
 {
-  services.esphome.enable = true;
+  networking.firewall.allowedTCPPorts = [
+    # 1883 # mqtt
+    55834 # mqtt zigbee frontend
+    frigatePort
+    4180 # oauth proxy
+  ];
+
+  services.frigate = {
+    enable = true;
+    hostname = frigateHostname;
+    settings = {
+      mqtt = {
+        enabled = true;
+        host = "localhost:1883";
+      };
+      cameras = {
+        dahlia-cam = mkEsp32Cam "http://dahlia-cam.lan:8080";
+      };
+      # ffmpeg = {
+      #   hwaccel_args = "preset-vaapi";
+      # };
+      detectors.coral = {
+        type = "edgetpu";
+        device = "pci";
+      };
+    };
+  };
+
+  # AMD GPU for vaapi
+  systemd.services.frigate.environment.LIBVA_DRIVER_NAME = "radeonsi";
+
+  # Coral TPU for frigate
+  services.udev.packages = [ pkgs.libedgetpu ];
+  users.groups.apex = { };
+  systemd.services.frigate.environment.LD_LIBRARY_PATH = "${pkgs.libedgetpu}/lib";
+  systemd.services.frigate.serviceConfig = {
+    SupplementaryGroups = "apex";
+  };
+  # Coral PCIe driver
+  kernel.enableGasketKernelModule = true;
+
+  # Allow accessing frigate UI on a specific port in addition to by hostname
+  services.nginx.virtualHosts.${frigateHostname} = {
+    listen = [{ addr = "0.0.0.0"; port = frigatePort; } { addr = "0.0.0.0"; port = 80; }];
+  };
+
+  services.esphome = {
+    enable = true;
+    address = "0.0.0.0";
+    openFirewall = true;
+  };
+  # TODO remove after upgrading nixos version
+  systemd.services.esphome.serviceConfig.ProcSubset = lib.mkForce "all";
+  systemd.services.esphome.serviceConfig.ProtectHostname = lib.mkForce false;
+  systemd.services.esphome.serviceConfig.ProtectKernelLogs = lib.mkForce false;
+  systemd.services.esphome.serviceConfig.ProtectKernelTunables = lib.mkForce false;
 
   # TODO lock down
   services.mosquitto = {
@@ -14,9 +107,6 @@
       }
     ];
   };
-  networking.firewall.allowedTCPPorts = [
-    1883 # mqtt
-  ];
 
   services.zigbee2mqtt = {
     enable = true;
@@ -31,7 +121,7 @@
         # base_topic = "zigbee2mqtt";
       };
       frontend = {
-        host = "localhost";
+        host = "0.0.0.0";
         port = 55834;
       };
     };
@@ -39,55 +129,60 @@
 
   services.home-assistant = {
     enable = true;
+    openFirewall = true;
+    configWritable = true;
     extraComponents = [
-      "default_config"
       "esphome"
       "met"
       "radio_browser"
       "wled"
       "mqtt"
-      "apple_tv" # why is this even needed? I get `ModuleNotFoundError: No module named 'pyatv'` errors otherwise for some reason.
-      "unifi"
-      "digital_ocean"
-      "downloader"
-      "mailgun"
-      "minecraft_server"
-      "mullvad"
-      "nextcloud"
-      "ollama"
-      "openweathermap"
-      "jellyfin"
-      "transmission"
-      "radarr"
-      "sonarr"
-      "syncthing"
-      "tailscale"
-      "weather"
-      "whois"
-      "youtube"
-      "homekit_controller"
-      "zha"
-      "bluetooth"
     ];
     # config = null;
     config = {
       # Includes dependencies for a basic setup
       # https://www.home-assistant.io/integrations/default_config/
       default_config = { };
-
+    };
-      # Enable reverse proxy support
-      http = {
-        use_x_forwarded_for = true;
-        trusted_proxies = [
-          "127.0.0.1"
-          "::1"
-        ];
   };
 
-      "automation manual" = [
+  # TODO need services.oauth2-proxy.cookie.domain ?
-      ];
+  services.oauth2-proxy =
-      # Allow using automations generated from the UI
+    let
-      "automation ui" = "!include automations.yaml";
+      nextcloudServer = "https://neet.cloud/";
+    in
+    {
+      enable = true;
+
+      httpAddress = "http://0.0.0.0:4180";
+
+      nginx.domain = frigateHostname;
+      # nginx.virtualHosts = [
+      #   frigateHostname
+      # ];
+
+      email.domains = [ "*" ];
+
+      cookie.secure = false;
+
+      provider = "nextcloud";
+
+      # redirectURL = "http://s0:4180/oauth2/callback"; # todo forward with nginx?
+      clientID = "4FfhEB2DNzUh6wWhXTjqQQKu3Ibm6TeYpS8TqcHe55PJC1DorE7vBZBELMKDjJ0X";
+      keyFile = "/run/agenix/oauth2-proxy-env";
+
+      loginURL = "${nextcloudServer}/index.php/apps/oauth2/authorize";
+      redeemURL = "${nextcloudServer}/index.php/apps/oauth2/api/v1/token";
+      validateURL = "${nextcloudServer}/ocs/v2.php/cloud/user?format=json";
+
+      # todo --cookie-refresh
+
+      extraConfig = {
+        # cookie-csrf-per-request = true;
+        # cookie-csrf-expire = "5m";
+        # user-id-claim = "preferred_username";
       };
     };
+
+  age.secrets.oauth2-proxy-env.file = ../../../secrets/oauth2-proxy-env.age;
 }

machines/storage/s0/properties.nix

@@ -11,7 +11,6 @@
     "pia"
     "binary-cache"
     "gitea-actions-runner"
-    "frigate"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

overlays/actualbudget/default.nix

@@ -7,16 +7,16 @@
 }:
 buildNpmPackage rec {
   pname = "actual-server";
-  version = "24.10.1";
+  version = "24.3.0";
 
   src = fetchFromGitHub {
     owner = "actualbudget";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-VJAD+lNamwuYmiPJLXkum6piGi5zLOHBp8cUeZagb4s=";
+    hash = "sha256-y51Dhdn84AWR/gM4LnAzvBIBpvKwUiclnPnwzkRoJ0I=";
   };
 
-  npmDepsHash = "sha256-Z2e4+JMhI/keLerT0F4WYdLnXHRQCqL7NjNyA9SFEF8=";
+  npmDepsHash = "sha256-/UM2Tz8t4hi621HtXSu0LTDIzZ9SWMqKXqKfPwkdpE8=";
 
   patches = [
     ./migrations-should-use-pkg-path.patch

overlays/actualbudget/migrations-should-use-pkg-path.patch

@@ -1,5 +1,5 @@
 diff --git a/src/load-config.js b/src/load-config.js
-index d99ce42..42d1351 100644
+index d3cc5dd..cfcad8a 100644
 --- a/src/load-config.js
 +++ b/src/load-config.js
 @@ -3,7 +3,8 @@ import path from 'node:path';
@@ -12,7 +12,7 @@ index d99ce42..42d1351 100644
  const debugSensitive = createDebug('actual-sensitive:config');
  
  const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
-@@ -108,6 +109,7 @@ const finalConfig = {
+@@ -90,6 +91,7 @@ const finalConfig = {
    serverFiles: process.env.ACTUAL_SERVER_FILES || config.serverFiles,
    userFiles: process.env.ACTUAL_USER_FILES || config.userFiles,
    webRoot: process.env.ACTUAL_WEB_ROOT || config.webRoot,
@@ -21,7 +21,7 @@ index d99ce42..42d1351 100644
      process.env.ACTUAL_HTTPS_KEY && process.env.ACTUAL_HTTPS_CERT
        ? {
 diff --git a/src/migrations.js b/src/migrations.js
-index cba7db0..9983471 100644
+index 964e1f2..3a341d7 100644
 --- a/src/migrations.js
 +++ b/src/migrations.js
 @@ -1,6 +1,12 @@
@@ -37,12 +37,11 @@ index cba7db0..9983471 100644
  
  export default function run(direction = 'up') {
    console.log(
-@@ -13,7 +19,7 @@ export default function run(direction = 'up') {
+@@ -13,6 +19,7 @@ export default function run(direction = 'up') {
          stateStore: `${path.join(config.dataDir, '.migrate')}${
            config.mode === 'test' ? '-test' : ''
          }`,
--        migrationsDirectory: `${path.join(config.projectRoot, 'migrations')}`,
++        migrationsDirectory,
-+        migrationsDirectory
        },
        (err, set) => {
          if (err) {

overlays/default.nix

@@ -12,4 +12,11 @@ in
   frigate = frigatePkgs.frigate;
 
   actual-server = prev.callPackage ./actualbudget { };
+  unifi8 = prev.unifi.overrideAttrs (oldAttrs: rec {
+    version = "8.1.113";
+    src = prev.fetchurl {
+      url = "https://dl.ui.com/unifi/8.1.113/unifi_sysvinit_all.deb";
+      sha256 = "1knm+l8MSb7XKq2WIbehAnz7loRPjgnc+R98zpWKEAE=";
+    };
+  });
 }

secrets/atticd-credentials.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPp1nw tMy5kLAcQD62yAfEVJ4LQZjs0kkEEQOfM4HN9yj3hBY
+JvlklGTxxfAZbP+alm3nxLxqhmcu2mTKwRU5WaapL9w
+-> ssh-ed25519 w3nu8g ZGzufldXq7kmIpqFecbkpDxiykWZ207k0+09I2dmxEM
+SK25e5HBe4b5reGXXfCjIFbFGzfu32RFjY++/yteRVc
+--- xZOe1syYAcVRDhiNRv+CsfFgoQbiANA6vNCon+5NExc
+-·ñ1Å,C-.M§Áè?ÐêóµµàY|u+
+‹	³Ø<C2B3>÷ŽæÒ¡ôm†Œûäfß]=érøÜüÎAg¤€æSú:Ð8•S¦LiœùªsêÁâ9JŠð<>¸ÏæñÄÐÃ<ûAz¹[ý§xï<78>:‡'U*<2A>wÀ™D/…±VpM~!õ,* ¿”µ¡øk¥Ö´ßEíîïh› {¢p$¾R`ÿ”

secrets/digitalocean-dns-credentials.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 WBT1Hw wjZGPvilRXGZsC2+7dWm/Nbau8Allv29WwQCr0XSAWU
-uTOf/sokutOGDyc8fbTbBWXqCVQCFhGdHxwA6SXqhdA
--> ssh-ed25519 6AT2/g NU068qwqOWiKk0QwqP9vU4xJaND2OR4bo8xkmdWATgY
-uGd0sb5PH+rREn9pgLOFwk29CX66aPBQMvr4rBazylc
--> ssh-ed25519 hPp1nw r2JRiZ7fsHPYDlte6Oh2Gx1KkugekFeeg3xSjziI+hQ
-xnO0gscMdR25mj5uAX7D42FCbCQhqbU0wkiLX4OmVqk
--> ssh-ed25519 w3nu8g F03mPU63WwEs1SLUFErLOVCkARoggGIvvz9TFZfMOBY
-HOdVA3xW9pqUPhclO6VueSfXg3ux06Ch3fucF6Vr4hM
---- niyo231HPT/+2dzflP+zhYjL9XiWsk7svesCYdkU1jA
-DÑØQî¬5–-ô@<40>¢¿—ßÐN5<4E> Ãÿ$Ø‚™’Çž…êÐ<C3AA>X=ŒHŽDÁ`P×5ZA´÷¼YóäÓ?¡é^[³1”6ÕK*mP݈ª­æ1æç÷ß›ƒ:$^ÑfDœ*î†ÿ“š-zi´"·Tàuÿüò

secrets/frigate-credentials.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 hPp1nw Chke1ZtpXxN1c1+AnJ6Cd5kpM1KfQKTwymrfPW53QCA
-jUcw8eitC7r0rwefjllndZjARIqpWoVqGCnefHfjQ6Y
--> ssh-ed25519 w3nu8g KY/5bU1B5uvmfGHF2d6qBL1NYy64qo324rdvkgnXoDA
-OBvuFtzZXQ0RmmEXelyzHMMiVqZir7zQJMA36ZH2siE
---- CSd7lYSYQ2fCTjkJLPGdaNGL8eVpE9IBEyFo0LW907M
-£³$šO†ÈIß/À//Êw*ƒ™õD¤@u5o[¼â:·äš¥t¾˜]Jñ쮸™@Ùhþu£Àk;?·XüÁHRº’Ñ°E5¥ÍçÜ9

secrets/hostspot-passwords.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 cObvAg l/suU/M4AATK7lQuZv/qnjG/xqNGoVqhS7b3xirmNUM
-Ao2tP6BBSZdlL7jZJPmLyJQWfqdU89M9hCjkkuqtxlw
--> ssh-ed25519 w3nu8g szQugiuFfzkzVndyIdP1agun4nmCsZzFG/6EEB2V1Gk
-5+DEUJ5tkVFUpm+w/tptUCByRpMxRigwfrVglTYc8XI
---- pjviyhRustHHMipIpkKsQ4cpu+YA66JwvWXjceXopi4
-)˜Ö®Äý8³È6Y"@?Ý9”®@¡Ÿžè|ÂÄž+©Z*4ö2å“R<qef…êªG¹ïV+{©%CmÞd^™b

secrets/secrets.nix

@@ -20,10 +20,7 @@ with roles;
   "robots-email-pw.age".publicKeys = gitea;
 
   # nix binary cache
-  # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
+  "atticd-credentials.age".publicKeys = binary-cache;
-  "binary-cache-private-key.age".publicKeys = binary-cache;
-  # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB
-  "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea
 
   # vpn
   "iodine.age".publicKeys = iodine;
@@ -51,13 +48,4 @@ with roles;
 
   # Librechat
   "librechat-env-file.age".publicKeys = librechat;
-
-  # For ACME DNS Challenge
-  "digitalocean-dns-credentials.age".publicKeys = server;
-
-  # Frigate (DVR)
-  "frigate-credentials.age".publicKeys = frigate;
-
-  # Phone hotspot passwords
-  "hostspot-passwords.age".publicKeys = hotspot;
 }