m3-r1

flake.nix

@@ -28,6 +28,10 @@
           modules =
             [ allowUnfree ./hosts/lkk-nix-1 agenix.nixosModules.default ];
         };
+        m3-r1 = lib.nixosSystem {
+          specialArgs = { inherit inputs; };
+          modules = [ allowUnfree ./hosts/m3-r1 agenix.nixosModules.default ];
+        };
         lkk-prod-1 = lib.nixosSystem {
           specialArgs = { inherit inputs; };
           modules =
@@ -56,6 +60,12 @@
           };
           modules = [ ./home/users/m3tam3re/lkk-nix-1.nix ];
         };
+        "m3tam3re@m3-r1" = home-manager.lib.homeManagerConfiguration {
+          pkgs = nixpkgs.legacyPackages."x86_64-linux";
+          extraSpecialArgs = { # pass things to t
+          };
+          modules = [ ./home/users/m3tam3re/m3-r1.nix ];
+        };
       };
       deploy.nodes.lkk-nix-1 = {
         hostname = "lkk-nix-1";
@@ -66,6 +76,15 @@
             self.nixosConfigurations.lkk-nix-1;
         };
       };
+      deploy.nodes.m3-r1 = {
+        hostname = "lkk-nix-1";
+        sshUser = "root";
+        profiles.system = {
+          user = "root";
+          path = deploy-rs.lib.x86_64-linux.activate.nixos
+            self.nixosConfigurations.lkk-nix-1;
+        };
+      };
       deploy.nodes.lkk-prod-1 = {
         hostname = "lkk-prod-1";
         sshUser = "root";

home/features/coding/default.nix

@@ -1,11 +1,13 @@
 { pkgs, ... }: {
-  imports = [ ./emacs.nix ./golang.nix ./nix.nix ./nodejs.nix ./rust.nix ./tools.nix ];
+  imports =
+    [ ./emacs.nix ./golang.nix ./nix.nix ./nodejs.nix ./rust.nix ./tools.nix ];
 
-  home.packages = with pkgs;
-    [
-      python3
-      python311Packages.pip
-      guile_3_0
-      tinyscheme
-    ];
+  home.packages = with pkgs; [
+    ispell
+    python3
+    python311Packages.pip
+    python311Packages.setuptools
+    guile_3_0
+    tinyscheme
+  ];
 }

home/features/desktop/media.nix

@@ -18,6 +18,7 @@ in {
       handbrake
       libsForQt5.kdenlive
       makemkv
+      mediainfo
       mpv
       plexamp
       uxplay

home/users/m3tam3re/m3-r1.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, ... }: {
+  imports = [ ./base ../../features/cli ];
+
+  features = {
+    cli = {
+      fish.enable = true;
+      starship.enable = true;
+    };
+  };
+
+  home.stateVersion = "22.11";
+}

hosts/m3-r1/default.nix

@@ -0,0 +1,69 @@
+{ pkgs, ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ../common/users/m3tam3re
+    ../common/base
+    ./services
+  ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+  networking = {
+    hostName = "m3-r1";
+    firewall.enable = true;
+    firewall.allowedTCPPortRanges = [{
+      from = 3000;
+      to = 3100;
+    }];
+    firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ];
+    firewall.allowedUDPPorts = [ 53 51820 41641 ];
+    firewall.allowedUDPPortRanges = [{
+      from = 3478;
+      to = 3481;
+    }];
+  };
+  programs.fish.enable = true;
+  age = {
+    secrets = {
+      mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
+      mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
+      tailscale-key.file = ../../secrets/tailscale-key.age;
+
+      vaultwarden-env = {
+        file = ../../secrets/vaultwarden-env.age;
+        mode = "770";
+      };
+
+      n8n-env = {
+        file = ../../secrets/n8n-env.age;
+        mode = "770";
+      };
+
+      traefik-env = {
+        file = ../../secrets/traefik-env.age;
+        mode = "770";
+        owner = "traefik";
+      };
+
+      searx-environmentFile = {
+        file = ../../secrets/searx-environmentFile.age;
+        mode = "770";
+        owner = "searx";
+      };
+
+    };
+    identityPaths = [ "/root/.ssh/lkk-nix-1" ];
+  };
+
+  nix = {
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 30d";
+    };
+    optimise.automatic = true;
+  };
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

hosts/m3-r1/hardware-configuration.nix

@@ -0,0 +1,55 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2550-EF31";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/backup" =
+    { device = "46.38.248.210:/voln527829a1";
+      fsType = "nfs";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/m3-r1/services/container.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [ ./containers ];
+
+  virtualisation.podman = {
+    enable = true;
+    defaultNetwork.settings = { dns_enabled = true; };
+  };
+  virtualisation.oci-containers.backend = "podman";
+}

hosts/m3-r1/services/containers/baserow.nix

@@ -0,0 +1,25 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."baserow" = {
+    image = "docker.io/baserow/baserow:1.18.0";
+    environment = {
+      BASEROW_PUBLIC_URL = "https://db.lanakk.com";
+
+      POSTGRES_USER = "baserow";
+      POSTGRES_PASSWORD = "baserow";
+      POSTGRES_DB = "baserow";
+      DATABASE_HOST = "postgres";
+      DATABASE_NAME = "baserow";
+      DATABASE_USER = "baserow";
+      DATABASE_PASSWORD = "baserow";
+
+      EMAIL_SMTP = "in-v3.mailjet.com";
+      EMAIL_SMTP_HOST = "in-v3.mailjet.com";
+      EMAIL_SMTP_PORT = "587";
+      EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path;
+      EMAIL_SMTP_PASSWORD = config.age.secrets.mj-smtp-pass.path;
+    };
+    ports = [ "3001:80" ];
+    volumes = [ "baserow_data:/baserow/data" ];
+    extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.11" ];
+  };
+}

hosts/m3-r1/services/containers/briefkasten.nix

@@ -0,0 +1,8 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."briefkasten" = {
+    image = "docker.io/ndom91/briefkasten";
+    environmentFiles = [ config.age.secrets.briefkasten-env.path ];    
+    ports = [ "3009:3000" ];
+    extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.19" ];
+  };
+}

hosts/m3-r1/services/containers/default.nix

@@ -0,0 +1,12 @@
+{
+  imports = [
+    ./baserow.nix
+    #    ./briefkasten.nix
+    #    ./little-link.nix
+    ./matomo.nix
+    ./mautic.nix
+    #   ./nextcloud.nix
+    #   ./nginx.nix
+    #   ./wordpress.nix
+  ];
+}

hosts/m3-r1/services/containers/little-link.nix

@@ -0,0 +1,14 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."littlelink_lanakk" = {
+    image = "ghcr.io/techno-tim/littlelink-server";
+    environmentFiles = [ config.age.secrets.littlelink-lanakk-env.path ];    
+    ports = [ "3010:3000" ];
+    extraOptions = [ "--ip=10.88.0.20" ];
+  };
+  virtualisation.oci-containers.containers."littlelink_m3tam3re" = {
+    image = "ghcr.io/techno-tim/littlelink-server";
+    environmentFiles = [ config.age.secrets.littlelink-m3tam3re-env.path ];    
+    ports = [ "3011:3000" ];
+    extraOptions = [ "--ip=10.88.0.21" ];
+  };
+}

hosts/m3-r1/services/containers/matomo.nix

@@ -0,0 +1,16 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."matomo" = {
+    image = "docker.io/matomo";
+    environment = {
+      MATOMO_DATABASE_HOST = "mysql";
+      MATOMO_DATABASE_USERNAME = "matomo";
+      MATOMO_DATABASE_PASSWORD = "matomo";
+      MATOMO_DATABASE_DBNAME = "matomo";
+      PHP_MEMORY_LIMIT="2048M";
+      
+    };
+    ports = [ "3003:80" ];
+    volumes = [ "matomo_data:/var/www/html" ];
+    extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.13" ];
+  };
+}

hosts/m3-r1/services/containers/mautic.nix

@@ -0,0 +1,16 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."mautic" = {
+    image = "docker.io/mautic/mautic:v4-apache";
+    environment = {
+      MAUTIC_DB_HOST = "mysql";
+      MAUTIC_DB_USER = "mautic";
+      MAUTIC_DB_PASSWORD = "mautic";
+      MAUTIC_DB_DBNAME = "mautic";
+      PHP_MEMORY_LIMIT="2048M";
+      MAUTIC_RUN_CRON_JOBS="true";
+    };
+    ports = [ "3008:80" ];
+    volumes = [ "mautic_data:/var/www/html" ];
+    extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.23" ];
+  };
+}

hosts/m3-r1/services/containers/nextcloud.nix

@@ -0,0 +1,14 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."nextcloud" = {
+    image = "docker.io/nextcloud";
+    environment = {
+      TRUSTED_PROXIES = "10.88.0.1/16";
+      OVERWRITEPROTOCOL = "https";
+      OVERWRITECLIURL = "https://cloud.lanakk.com";
+      OVERWRITEHOST = "cloud.lanakk.com";
+    };
+    ports = [ "3005:80" ];
+    volumes = [ "nextcloud_data:/var/www/html" ];
+    extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.15" ];
+  };
+}

hosts/m3-r1/services/containers/nginx.nix

@@ -0,0 +1,8 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."http-images" = {
+    image = "docker.io/nginx:alpine";
+    ports = [ "3012:80" ];
+    volumes = [ "/opt/service-data/http-images:/usr/share/nginx/html"];
+    extraOptions = [ "--ip=10.88.0.22" ];
+  };
+}

hosts/m3-r1/services/containers/wireguard.nix

@@ -0,0 +1,15 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."wireguard" = {
+    image = "docker.io/weejewel/wg-easy";
+    environment = { WG_HOST = "wg.lanakk.com"; WG_DEFAULT_DNS = "10.88.0.1:5353"; };
+    ports = [ "3007:51821/tcp" "51820:51820/udp" ];
+    volumes = [ "wireguard_data:/etc/wireguard" ];
+    extraOptions = [
+      "--cap-add=NET_ADMIN"
+      "--cap-add=SYS_MODULE"
+      "--sysctl=net.ipv4.conf.all.src_valid_mark=1"
+      "--sysctl=net.ipv4.ip_forward=1"
+      "--ip=10.88.0.17"
+    ];
+  };
+}

hosts/m3-r1/services/containers/wordpress.nix

@@ -0,0 +1,14 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."lanakk_blog" = {
+    image = "docker.io/wordpress";
+    environment = {
+      WORDPRESS_DB_HOST = "mysql";
+      WORDPRESS_DB_USER = "wp";
+      WORDPRESS_DB_PASSWORD = "wp";
+      WORDPRESS_DB_NAME = "lanakk_blog";
+    };
+    ports = [ "3002:80" ];
+    volumes = [ "lanakk_blog_data:/var/www/html" ];
+    extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.12" ];
+  };
+}

hosts/m3-r1/services/default.nix

@@ -0,0 +1,13 @@
+{
+  imports = [
+    ./container.nix
+    ./gitea.nix
+    ./n8n.nix
+    ./postgres.nix
+    ./searx.nix
+    ./syncthing.nix
+    ./tailscale.nix
+    ./traefik.nix
+    ./vaultwarden.nix
+  ];
+}

hosts/m3-r1/services/gitea.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+{
+  services.gitea = {
+    enable = true;
+    settings.server.ROOT_URL = "https://code.lanakk.com";
+    lfs.enable = true;
+    dump = {
+      enable = true;
+      interval = "03:30:00";
+      backupDir = "/var/backup/gitea";
+    };
+  };
+}

hosts/m3-r1/services/mariadb.nix

@@ -0,0 +1,13 @@
+{ pkgs, config, ... }:
+
+{
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+  };
+  services.mysqlBackup = {
+    enable = true;
+    calendar = "03:00:00";
+    databases = [ "" ];
+  };
+}

hosts/m3-r1/services/n8n.nix

@@ -0,0 +1,15 @@
+{ config, pkgs, ... }: {
+
+  services.n8n = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      host = "wf.lanakk.com";
+      protocol = "https";
+      editorBaseUrl="https://wf.lanakk.com";
+    };
+  };
+  systemd.services.n8n.serviceConfig = {
+    EnvironmentFile = "${config.age.secrets.n8n-env.path}";
+  };
+}

hosts/m3-r1/services/postgres.nix

@@ -0,0 +1,26 @@
+{ pkgs, config, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = true;
+    package = pkgs.postgresql_15;
+    authentication = pkgs.lib.mkOverride 10 ''
+      local all all trust
+      host all all 127.0.0.1/32 trust
+      host all all ::1/128 trust
+      host all all 10.88.0.1/16 trust
+    '';
+   initialScript = pkgs.writeText "backend-initScript" ''
+     CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
+     CREATE DATABASE baserow;
+     GRANT ALL PRIVILEGES ON DATABASE baserow TO baserow;
+     ALTER DATABASE baserow OWNER to baserow;
+   '';
+  };
+  services.postgresqlBackup = {
+    enable = true;
+    startAt = "03:10:00";
+    databases = [ "baserow" ];
+  }; 
+}

hosts/m3-r1/services/searx.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  services.searx = {
+    enable = true;
+    package = pkgs.searxng;
+    settings = {
+      server.port = 3004;
+      server.secret_key = "@SEARX_SECRET_KEY@";
+    };
+  };
+}

hosts/m3-r1/services/syncthing.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, ... }: {
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    guiAddress = "0.0.0.0:8384";
+    overrideDevices = true;
+    overrideFolders = true;
+    devices = {
+      "LK-DATA" = {
+        id = "BI7CMZF-2SGQMXW-RG47HRG-FEH454J-ZTCE544-BXNSCSJ-PXCE7A7-R4CX2Q3";
+      };
+    };
+    folders = {
+      "Bildvorschauen" = {
+        path = "/opt/service-data/http-images";
+        devices = [ "LK-DATA" ];
+      };
+    };
+  };
+}

hosts/m3-r1/services/tailscale.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, ... }: {
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "both";
+  };
+  networking.firewall = {
+    trustedInterfaces = [ "tailscale0" ];
+  };
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig = {
+      Type = "oneshot";
+      EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+    };
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up --advertise-exit-node --authkey $TAILSCALE_KEY
+    '';
+  };
+}

hosts/m3-r1/services/traefik.nix

@@ -0,0 +1,159 @@
+{ config, ... }: {
+  services.traefik = {
+    enable = true;
+    staticConfigOptions = {
+      log = { level = "WARN"; };
+      certificatesResolvers = {
+        godaddy = {
+          acme = {
+            email = "dev@lanakk.com";
+            storage = "/var/lib/traefik/acme.json";
+            dnsChallenge = { provider = "godaddy"; };
+          };
+        };
+        lets-encrypt = {
+          acme = {
+            email = "acc@m3tam3re.com";
+            storage = "/var/lib/traefik/acme.json";
+            tlsChallenge = { };
+          };
+        };
+      };
+      api = { };
+      entryPoints = {
+        web = {
+          address = ":80";
+          http.redirections.entryPoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+        websecure = { address = ":443"; };
+      };
+    };
+    dynamicConfigOptions = {
+      http = {
+        middlewares = {
+          auth = {
+            basicAuth = {
+              users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ];
+            };
+          };
+          nextcloud_redirectregex = {
+            redirectRegex = {
+              permanent = true;
+              regex = "https://(.*)/.well-known/(?:card|cal)dav";
+              replacement = "https://\${1}/remote.php/dav";
+            };
+          };
+          nextcloud_headers = {
+            headers = {
+              referrerPolicy = "no-referrer";
+              stsSeconds = "31536000";
+              forceSTSHeader = true;
+              stsPreload = true;
+              stsIncludeSubdomains = true;
+            };
+          };
+        };
+        services = {
+          baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }];
+          gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }];
+          n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }];
+          lanakk_blog.loadBalancer.servers =
+            [{ url = "http://localhost:3002/"; }];
+          matomo.loadBalancer.servers = [{ url = "http://localhost:3003/"; }];
+          searx.loadBalancer.servers = [{ url = "http://localhost:3004/"; }];
+          mautic.loadBalancer.servers = [{ url = "http://localhost:3008/"; }];
+          syncthing.loadBalancer.servers =
+            [{ url = "http://localhost:8384/"; }];
+          vaultwarden.loadBalancer.servers =
+            [{ url = "http://localhost:3014/"; }];
+        };
+        routers = {
+          api = {
+            rule = "Host(`r.m3tam3re.com`)";
+            tls = { certResolver = "lets-encrypt"; };
+            service = "api@internal";
+            middlewares = "auth";
+            entrypoints = "websecure";
+          };
+          baserow = {
+            rule = "Host(`br.m3tam3re.com`)";
+            tls = { certResolver = "lets-encrypt"; };
+            service = "baserow";
+            entrypoints = "websecure";
+          };
+          gitea = {
+            rule = "Host(`code.m3tam3re.com`)";
+            tls = {
+              certResolver = "lets-encrypt";
+              domains = "code.m3tam3re.com";
+            };
+            service = "gitea";
+            entrypoints = "websecure";
+          };
+          n8n = {
+            rule = "Host(`io.m3tam3re.com`)";
+            tls = {
+              certResolver = "lets-encrypt";
+              domains = "io.m3tam3re.com";
+            };
+            service = "n8n";
+            entrypoints = "websecure";
+          };
+          matomo-m3tam3re = {
+            rule = "Host(`stats.m3tam3re.com`)";
+            tls = {
+              certResolver = "lets-encrypt";
+              domains = "stats.m3tam3re.com";
+            };
+            service = "matomo";
+            entrypoints = "websecure";
+          };
+          searx = {
+            rule = "Host(`search.m3tam3re.com`)";
+            tls = {
+              certResolver = "lets-encrypt";
+              domains = "search.m3tam3re.com";
+            };
+            service = "searx";
+            entrypoints = "websecure";
+          };
+          mautic = {
+            rule = "Host(`ma.m3tam3re.com`)";
+            tls = {
+              certResolver = "lets-encrypt";
+              domains = "ma.m3tam3re.com";
+            };
+            service = "mautic";
+            entrypoints = "websecure";
+          };
+          syncthing = {
+            rule = "Host(`sync.m3tam3re.com`)";
+            tls = {
+              certResolver = "lets-encrypt";
+              domains = "sync.m3tam3re.com";
+            };
+            service = "syncthing";
+            entrypoints = "websecure";
+          };
+          vaultwarden = {
+            rule = "Host(`vw.m3tam3re.com`)";
+            tls = {
+              certResolver = "lets-encrypt";
+              domains = "vw.m3tam3re.com";
+            };
+            service = "vaultwarden";
+            middlewares = "auth";
+            entrypoints = "websecure";
+          };
+        };
+      };
+    };
+  };
+
+  systemd.services.traefik.serviceConfig = {
+    EnvironmentFile = [ "${config.age.secrets.traefik-env.path}" ];
+  };
+}

hosts/m3-r1/services/vaultwarden.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, ... }: {
+
+  services.vaultwarden = {
+    enable = true;
+    backupDir = "/var/backup/vaultwarden";
+    environmentFile = "${config.age.secrets.vaultwarden-env.path}";
+  };
+}

modules/nixos/default.nix

@@ -0,0 +1 @@
+{ ordercollect = import ./ordercollect.nix; }

modules/nixos/ordercollect.nix

@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+
+with lib;
+
+let cfg = config.services.ordercollect;
+
+in {
+  options.services.ordercollect = {
+    enable = mkEnableOption "Enable Ordercollect";
+    port = mkOption {
+      type = types.str;
+      description = "The http port to run on";
+      default = "";
+    };
+    package = mkOption {
+      type = types.package;
+      default = pkgs.ordercollect;
+      description = ''
+        The package for ordercollect
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.services.ordercollect = {
+      ExecStart = "${cfg.package}/bin/ordercollect --port ${cfg.port}";
+        Restart = "on-failure";
+    };
+  };
+}

pkgs/bemoji/default.nix.~1~

@@ -1,24 +0,0 @@
-{ stdenv, lib, fetchFromGitHub, bash, pkgs, makeWrapper }:
-
-with lib;
-with pkgs;
-
-stdenv.mkDerivation {
-  pname = "wofi-pass";
-  version = "0.1";
-  src = fetchFromGitHub {
-    owner = "TinfoilSubmarine";
-    repo = "wofi-pass";
-    rev = "869c545";
-    sha256 = "gcfW8E/3/dqv0P3S4z9fDv8k4R7czcIKwpo/OHFFWj0=";
-  };
-  buildInputs = [ bash coreutils wl-clipboard wofi wtype ];
-  
-  nativeBuildInputs = [ makeWrapper ];
-  installPhase = ''
-    mkdir -p $out/bin
-    cp wofi-pass $out/bin/wofi-pass
-    wrapProgram $out/bin/wofi-pass \
-      --prefix PATH : ${makeBinPath [ bash coreutils wl-clipboard wofi wtype ]}
-  '';
-}

pkgs/default.nix

@@ -2,5 +2,6 @@
 
   wofi-pass = pkgs.callPackage ./wofi-pass { };
   bemoji = pkgs.callPackage ./bemoji { };
-  
+  ordercollect = pkgs.callPackage ./ordercollect { };
+
 }

pkgs/ordercollect/default.nix

@@ -0,0 +1,23 @@
+{ buildGoModule, fetchFromGitea, lib }:
+
+buildGoModule rec {
+  pname = "ordercollect";
+  version = "0.1.0";
+
+  src = fetchFromGitea {
+    domain = "code.lanakk.com";
+    owner = "LANAKK";
+    repo = "ordercollect";
+    rev = "9ecbfa46f6758214aa2fcee7ad96aa7730301a06";
+    hash = "sha256-n4njl7LwG6GuoTj7x3rWOjErZ/a1Fog0qAymYxvsR2w=";
+  };
+
+  vendorHash = "sha256-G6k331XRuVN/cM4sNcdUV9/BzdISQI7Ljc4tesJnmH0=";
+
+  meta = with lib; {
+    description = "A simple Api for creating orders, written in Go";
+    homepage = "https://code.lanakk.com/LANAKK/ordercollect";
+    license = licenses.mit;
+    maintainers = with maintainers; [ m3tam3re ];
+  };
+}