56 changed files with 702 additions and 2926 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,8 +3,6 @@ keys:
  - &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
  - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
  - &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
  - &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
  - &crime age1sky8kccyyxe79ws4rew42r94427v2xnphq2vtxvdlw5xl7yzgs2q599yzs
 creation_rules:
  - path_regex: secrets/services/dns-knot.yaml
    key_groups:
@ -48,27 +46,3 @@ creation_rules:
      - *emily
      age:
      - *girldick
  - path_regex: secrets/hosts/seras.yaml
    key_groups:
    - pgp:
      - *emily
      age:
      - *seras
  - path_regex: secrets/services/akkoma.yaml
    key_groups:
    - pgp:
      - *emily
      age:
      - *florp
  - path_regex: secrets/restic/zh3485s1.yaml
    key_groups:
    - pgp:
      - *emily
      age:
      - *florp
  - path_regex: secrets/restic/zh3485s2.yaml
    key_groups:
    - pgp:
      - *emily
      age:
      - *crime
--- a/config/common/default.nix
+++ b/config/common/default.nix
@ -1,11 +1,11 @@
-{ config, inputs, lib, pkgs, ... }: let 
+{ config, inputs, lib, pkgs, ... }: 
-  inherit (lib) mkDefault;
+
-in {
+with lib; {
  imports = [
    ./kernel.nix
    ./networking.nix
    ./openssh.nix
-    ./users.nix
+    ./users
    ../../modules
    inputs.lix-module.nixosModules.default
  ];
@ -23,7 +23,6 @@ in {
    man-pages-posix
    unzip
    zip
    fd
    figlet
  ];
  programs = {
@ -55,7 +54,6 @@ in {
  '';
  users.motdFile = "/var/lib/deployment/motd";
  nix.package = pkgs.lix.override { enableGC = true; };
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 7d";
  nix.optimise.automatic = true;
@ -106,6 +104,6 @@ in {
  services.fprintd.enable = config.kyouma.machine-type.graphical;
-  system.stateVersion = mkDefault "23.11";
+  system.stateVersion = "23.11";
  time.timeZone = mkDefault "CET";
 }
--- a/config/common/openssh.nix
+++ b/config/common/openssh.nix
@ -39,7 +39,7 @@ in {
    ];
    settings = {
-      PermitRootLogin = "no";
+      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
--- a/config/common/users/default.nix
+++ b/config/common/users/default.nix
@ -1,5 +1,5 @@
 { ... }: {
  imports = [
-    ../users/emily
+    ./emily
  ];
 }
--- a/config/common/users/emily/default.nix
+++ b/config/common/users/emily/default.nix
@ -37,9 +37,6 @@
      pavucontrol
      signal-desktop
      element-desktop
      firefox
      # currently broken
      #inputs.firefox.packages.${pkgs.system}.firefox
      nixfmt-classic
      wl-clipboard
@ -65,7 +62,7 @@
    programs.eza = {
      enable = true;
-      icons = "auto";
+      icons = true;
      git = true;
      extraOptions = [
        "--color-scale=all"
--- a/config/hosts/_minimal/configuration.nix
+++ b/config/hosts/_minimal/configuration.nix
@ -52,7 +52,7 @@
    programs.eza = {
      enable = true;
-      icons = "auto";
+      icons = true;
      git = true;
      extraOptions = [
        "--color-scale=all"
--- a/config/hosts/crime/configuration.nix
+++ b/config/hosts/crime/configuration.nix
@ -1,31 +1,31 @@
-{ inputs, ... }: {
+{ ... }: {
  imports = [
    ../../common
    ../../users/lucy
    ../../profiles/headless.nix
    ../../profiles/kartoffel.nix
    ../../profiles/lxc.nix
    ../../services/arrs
    ../../services/jellyfin.nix
    ../../services/nginx.nix
-    inputs.oth.nixosModules.default
+    ./nginx.nix
  ];
-  networking.hostName = "crime";
+  networking = {
    hostName = "crime";
    firewall.allowedTCPPorts = [ 80 443 ];
    firewall.allowedUDPPorts = [ 443 ];
  };
  systemd.network.networks."98-eth-default" = {
    address = [
-      "2a0f:be01:0:100::b00b:a/128"
+      "2a0f:be01:0:100::1337/128"
      "2a0f:be01:0:100::1338/128"
    ];
  };
-  kyouma.nginx.defaultForbidden = "fentanyl.trade";
+
-  kyouma.restic = {
+  security.acme.certs = {
-    enable = true;
+    "fentanyl.trade" = { extraDomainNames = [ "frotti.ng" "watch.kyouma.net" ]; };
-    remoteUser = "zh3485s2";
+    "crime.kyouma.net" = {};
    paths = [
      "/var/lib/jellyfin"
      "/var/lib/radarr"
      "/var/lib/sonarr"
      "/var/lib/private/prowlarr"
      "/home"
    ];
  };
  services.jellyfin.enable = true;
  services.sonarr.enable = true;
  services.radarr.enable = true;
  services.prowlarr.enable = true;
 }
--- a/config/hosts/crime/nginx.nix
+++ b/config/hosts/crime/nginx.nix
@ -0,0 +1,114 @@
 { pkgs, ... }:
 let 
  landingPage = pkgs.writeTextDir "index.html" '' 
    <!DOCTYPE html>
    <html>
    <head>
    <title>crime.kyouma.net</title>
    <style>
    body {
      width: 35em;
      margin: 0 auto;
      font-family: Tahoma, Verdana, Arial, sans-serif;
    }
    </style>
    </head>
    <body>
    <h1>Welcome to crime.kyouma.net!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>
    <p>Sonarr
    <a href="https://crime.kyouma.net/sonarr">crime.kyouma.net/sonarr</a><br/>
    Radarr
    <a href="https://crime.kyouma.net/radarr">crime.kyouma.net/radarr</a><br/>
    Prowlarr
    <a href="https://crime.kyouma.net/prowlarr">crime.kyouma.net/prowlarr</a></p>
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    '';
  extraConfig = ''
    add_header Strict-Transport-Security    $hsts_header;
    add_header X-Content-Type-Options       "nosniff" always;
    add_header X-XSS-Protection             "1; mode=block" always;
    add_header X-Frame-Options              "SAMEORIGIN" always;
    add_header Referrer-Policy              "same-origin" always;
  '';
  proxyConfig = ''
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
  '';
  jellyAddr = "[::1]";
  jellyWeb = {
    forceSSL = true;
    #http3 = true;
    #quic = true;
    inherit extraConfig;
    locations = {
      "= /".return = "302 https://$host/web/";
      "/" = {
        proxyPass = "http://${jellyAddr}:8096";
        extraConfig = ''
          ${proxyConfig}
          proxy_buffering on;
        '';
      };
      "= /web/" = {
        proxyPass = "http://${jellyAddr}:8096/web/index.html";
        extraConfig = proxyConfig;
      };
      "/socket" = {
        proxyPass = "http://${jellyAddr}:8096";
        proxyWebsockets = true;
        extraConfig = proxyConfig;
      };
    };
  };
 in {
  services.nginx = {
    virtualHosts = {
      "fentanyl.trade" = jellyWeb // {
        enableACME = true;
      };
      "frotti.ng" = jellyWeb // {
        useACMEHost = "fentanyl.trade";
      };
    };
  };
  kyouma.nginx.virtualHosts = {
    "watch.kyouma.net" = { redirectTo = "fentanyl.trade"; };
    "redirect" = {
      default = true;
      reuseport = true;
      useACMEHost = "fentanyl.trade";
      extraConfig = ''
        return 403;
      '';
    };
    "crime.kyouma.net" = {
      listenAddresses = [ "[2a0f:be01:0:100::1338]" ];
      locations = {
        "/".root = landingPage;
        "/sonarr/" = {
          proxyPass = "http://127.0.0.1:8989";
          recommendedProxySettings = true;
        };
        "/radarr/" = {
          proxyPass = "http://127.0.0.1:7878";
          recommendedProxySettings = true;
        };
        "/prowlarr/" = {
          proxyPass = "http://127.0.0.1:9696";
          recommendedProxySettings = true;
        };
      };
    };
  };
 }
--- a/config/hosts/emilia/configuration.nix
+++ b/config/hosts/emilia/configuration.nix
@ -7,7 +7,6 @@
    ../../services/nginx.nix
    ../../services/uptime-kuma.nix
    ../../services/vaultwarden.nix
    ../../services/librespeed.nix
    ./disko.nix
    ./hardware-configuration.nix
  ];
@ -17,8 +16,10 @@
  kyouma.machine-type.physical = true;
  kyouma.nginx.defaultForbidden = "uptime.kyouma.net";
-  networking.hostName = "emilia";
+  networking = {
-
+    firewall.allowedTCPPorts = [ 80 443 ];
    hostName = "emilia";
  };
  systemd.network.networks."98-eth-default" = {
    matchConfig.MACAddress = "04:d4:c4:39:73:f6";
    addresses = [
--- a/config/hosts/emilia/disko.nix
+++ b/config/hosts/emilia/disko.nix
@ -62,7 +62,6 @@
            };
          };
          root = {
            type = "8300";
            size = "100%";
          };
        };
--- a/config/hosts/florp/configuration.nix
+++ b/config/hosts/florp/configuration.nix
@ -1,68 +0,0 @@
 { lib, config, pkgs, ... }: {
  imports = [
    ../../common
    ../../profiles/headless.nix
    ../../profiles/kartoffel.nix
    ../../profiles/lxc.nix
    ../../services/akkoma
    ../../services/nginx.nix
  ];
  networking = {
    hostName = "florp";
    domain = lib.mkForce "social";
  };
  systemd.network.networks."98-eth-default" = {
    address = [
      "2a0f:be01:0:100::171/128" 
    ];
  };
  kyouma.nginx.defaultForbidden = "florp.social";
  kyouma.restic = let
    pgBackup = "/var/cache/postgresql.sql";
  in {
    enable = true;
    remoteUser = "zh3485s1";
    timerConfig = {
      OnCalendar = "hourly";
      Persistent = true;
    };
    paths = [
      "/var/lib/akkoma"
      "/var/lib/secrets"
      pgBackup
    ];
    backupPrepareCommand = ''
      umask 0077
      rm -f -- ${pgBackup} 
      ${pkgs.su}/bin/su -c '${lib.getExe' config.services.postgresql.package "pg_dumpall"}' \
        ${config.services.postgresql.superUser} >${pgBackup}
    '';
    backupCleanupCommand = ''
      rm -f -- ${pgBackup}
    '';
  };
  services.postgresql.settings = {
    max_connections = 128;
    shared_buffers = "4GB";
    effective_cache_size = "12GB";
    maintenance_work_mem = "1GB";
    checkpoint_completion_target = 0.9;
    wal_buffers = "16MB";
    default_statistics_target = 100;
    random_page_cost = 1.1;
    effective_io_concurrency = 200;
    work_mem = "34952kB";
    huge_pages = "try";
    min_wal_size = "2GB";
    max_wal_size = "8GB";
    max_worker_processes = 16;
    max_parallel_workers_per_gather = 4;
    max_parallel_workers = 16;
    max_parallel_maintenance_workers = 4;
  };
  system.stateVersion = "24.11";
 }
--- a/config/hosts/girldick/configuration.nix
+++ b/config/hosts/girldick/configuration.nix
@ -11,6 +11,7 @@
    domain = lib.mkForce "girldick.gay";
    hostName = "staging";
    nftables.enable = lib.mkForce false;
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  systemd.network.networks."98-eth-default" = {
    address = [
--- a/config/hosts/integra/configuration.nix
+++ b/config/hosts/integra/configuration.nix
@ -18,11 +18,6 @@
  nix.sshServe.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOWlYhnummuWZbq3+d0x5A67YvlPvtl7/1Dk4RtNlzf christina@cafkafk.com"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/RmFnel8pcZT9nh7EAfKfAekt3BoEXy0G7G2GTacN/ aprl@computer"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 aprl@whatever"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpyVefbZLkNVNzdSIlO6x6JohHE1snoHiUB3Qdvl5I2 aprl@idk"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVNo871p97NTefP52KYiwuch+FaVScxvcFd9fg0yykySTq7Y5JsxrJQgTnox/oDa0O87OyHD/GHQljAXkqiHpDkExbiGjDmGXJSKReKH061F4FqBnDIwYRzUu9Cxjl4MNqsU0RqLaz4+F42c/L7GROQwjEPUb8JHThRiI5FJnDvvB+oBLBxeyQA4v3O4i8DaDQayTr/XB+aSlhNwKrb6cjjL93AHT1uE53yY5jn4kZX+RiPQhH7rvt9N6E4Yr3CG6nUgRCUS0L66d9yfrq0XAbAVk9F+viV7Nk9qy4MWHtXZ4h0qUlzrGALPgGsCGiLGd4NvEgeCcV4nvxdmevxTSdKlJP75xlmlLVXGyhqCZkTsxm/png2UvDl+p0pLyrgNaNoXPdE0Jbv7C28WX36Nast1QFSMUhexzuOx8OgaOioeXVfK98AouqWb58iPBCvgreUIH/gJhZcnlB/Foo1KSO+fJNH8hAsLH7w0mnKyHhJjkrjjwUqsnpepB3SOLfZTE= aprl@meow"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD0v3tUBNEUxfoOQBFb+N2DUBQDay0iFggUWa9Nd+BtFLOKkz+RRto3eBF0ZiJZVUxv/hLb8m2s45hcMw8agwuPrXMe5085T1fzkvPdKAPZdsT/cCmBi1OsoLjAKBFIdM4lcV0A2cca8hip+/ZPpjFPUWx73/672gAPHU7co7fP8+8CSf9dx+WIeLx3yaYHYZ/th3dB5auX3VjOazS8MojsAorwTUeBoPamHQ5dFeNafhFUL/hhtGkUI1cNHUn3bJd2V7AKTW3UglK7hVgMJPrzVS31OlpcJEf6S5XgKTWdOSwubn1bs5Lt6YYRDU24NV6CGrwKgCJSRxzNMLwpnFKiSXpO8FzkqWHYWyju141hQcFF31aZIV+7YcwEt5ZukLjFOpVtpbSXvJYigOUzGi34P3/OAGshDXjTQjvM8GIir49gx3b2Nwhg0z4UHBkAKZvDDFPHDMJoclvnhITojaAojfC9zmMCO5ZaEsk8yv7c/lWQumzRpfldWF4mwHvhD5kTADbhRdO7WTdX7AaiAYINooToeWKjFe2wn3rFubPUppptqtP03mmvs7vhhgnEVBbGZRJK3GTVk1XcsfF9rDKzewSa+wb4LsBoZtFRhc8cJqHGlKWSNk7dQ04B1atPyNLKGpGoo/UIPxyZ6bSqFVxY3nhz46VZ6z8XWI48z0/fRQ== aprl@uwu"
  ];
  systemd.network.networks."98-eth-default" = {
--- a/config/hosts/lain/iso.nix
+++ b/config/hosts/lain/iso.nix
@ -1,6 +1,5 @@
 { lib, inputs, ... }: {
  imports = [
    inputs.sops-nix.nixosModules.sops
    "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
    ./configuration.nix
  ];
--- a/config/hosts/seras/configuration.nix
+++ b/config/hosts/seras/configuration.nix
@ -1,7 +1,6 @@
-{ pkgs, ... }: {
+{ ... }: { 
  imports = [
    ../../common
    ../../users/nil
    ../../profiles/builder.nix
    ../../profiles/headless.nix
    ../../profiles/kartoffel.nix
@ -9,36 +8,20 @@
    ../../services/nginx.nix
    ../../services/hydra
    ../../services/update-nixfiles.nix
    ../../services/librespeed.nix
  ];
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-  networking.hostName = "seras";
+  networking = {
    hostName = "seras";
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  systemd.network.networks."98-eth-default" = {
    address = [
      "2a0f:be01:0:100::169/128" 
    ];
  };
  services.postgresql.settings = {
    max_connections = 200;
    shared_buffers = "24GB";
    effective_cache_size = "72GB";
    maintenance_work_mem = "2GB";
    checkpoint_completion_target = 0.9;
    wal_buffers = "16MB";
    default_statistics_target = 100;
    random_page_cost = 1.1;
    effective_io_concurrency = 200;
    work_mem = "31457kB";
    huge_pages = "try";
    min_wal_size = "1GB";
    max_wal_size = "4GB";
    max_worker_processes = 32;
    max_parallel_workers_per_gather = 4;
    max_parallel_workers = 32;
    max_parallel_maintenance_workers = 4;
  };
  kyouma.ooklaserver = {
    enable = true;
    openFirewall = true;
--- a/config/hosts/web-dus/configuration.nix
+++ b/config/hosts/web-dus/configuration.nix
@ -11,7 +11,8 @@
  networking = {
    hostName = "web-dus";
    nftables.enable = lib.mkForce false;
-    firewall.allowedTCPPorts = [ 11019 ];
+    firewall.allowedTCPPorts = [ 80 443 11019 ];
    firewall.allowedUDPPorts = [ 443 ];
  };
  systemd.network.networks."98-eth-default" = {
    address = [
--- a/config/profiles/builder.nix
+++ b/config/profiles/builder.nix
@ -1,5 +1,6 @@
 { lib, pkgs, ... }: {
  kyouma.deployment.auto-upgrade.cache = "daemon";
  nix.gc.options = lib.mkForce "--delete-older-than 30d";
  nix.settings = {
    trusted-users = [ "nix-ssh" ];
    #system-features = [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ lib.optionals pkgs.hostPlatform.isx86_64 [ "gccarch-x86-64-v3" ];
@ -7,7 +8,7 @@
  nix.extraOptions = ''
    min-free = ${builtins.toString (16384 * 1024 * 1024)}
    max-free = ${builtins.toString (32768 * 1024 * 1024)}
-    max-substitution-jobs = 30
+    max-substitution-jobs = 20
    max-silent-time = 14400
  '';
  nix.sshServe = {
--- a/config/services/akkoma/default.nix
+++ b/config/services/akkoma/default.nix
@ -1,342 +0,0 @@
 { config, inputs, lib, pkgs, ... }: {
  imports = [
    inputs.florp-moderation.nixosModules.default
    # Moderated instances. See https://woof.rip/florp/moderation for more information.
    inputs.florp-moderation.nixosModules.florp
  ];
  sops.secrets."services/akkoma/mailerPassword" = {
    sopsFile = ../../../secrets/services/akkoma.yaml;
  };
  sops.secrets."services/akkoma/deepl" = {
    sopsFile = ../../../secrets/services/akkoma.yaml;
  };
  services.akkoma = {
    enable = true;
    extraPackages = let
      imagemagick = pkgs.imagemagick.override {
        libheif = pkgs.libheif.overrideAttrs (prevAttrs: {
          buildInputs = prevAttrs.buildInputs or [ ] ++ [ pkgs.svt-av1 ];
          cmakeFlags = prevAttrs.cmakeFlags or [ ] ++ [ "-DWITH_SvtEnc=ON" ];
        });
      };
    in with pkgs; [ exiftool ffmpeg-headless imagemagick ];
    extraStatic = let
      actualFetchzip =
      {
        url,
        hash
      }: pkgs.runCommandNoCC "${lib.last (lib.splitString "/" url)}" {
        src = pkgs.fetchurl {
          inherit url hash;
        };
      } ''
        ${lib.getExe pkgs.unzip} $src -d $out
        for f in $out/*_256.png; do
          mv -- "$f" "''${f/_256}"
        done
      '';
    in {
      "emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
      "emoji/custom" = pkgs.runCommandNoCC "florp" {
        src = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.favicon;
      } ''
        mkdir $out
        cp $src $out/florp.png
      '';
      "emoji/neodog" = actualFetchzip {
        url = "https://git.gay/moonrabbits/neodog/raw/commit/6f9eb283b6dcbe507fde1110abab267cb2d73b70/neodog.zip";
        hash = "sha256-ISyzpRyjHf+4jKrOtHHqH0Qn7CQu5RQSLH/HL/YSdT4=";
      };
      "emoji/neocat" = actualFetchzip {
        url = "https://volpeon.ink/emojis/neocat/neocat.zip";
        hash = "sha256-DZDuk0Djlax504flNWdpqAw+ROLOOVGj0ZvJLyouo7A=";
      };
      "emoji/neofox" = actualFetchzip {
        url = "https://volpeon.ink/emojis/neofox/neofox.zip";
        hash = "sha256-rZUPA7ZvrO8q/lx8XK3IxJ1URLgq0PSh752eWzG+uos=";
      };
      "emoji/blobhaj" = actualFetchzip {
        url = "https://web.archive.org/web/20240829143703/https://heatherhorns.com/wp-content/uploads/2022/12/Blobhaj-12-13-2022.zip";
        hash = "sha256-5l8ozTivCSOomPq+zDD4FWhK5mA/H2qkGs8beuDnp9s=";
      };
      "static/styles.json" = pkgs.writeText "styles.json" (builtins.toJSON (
        builtins.fromJSON (builtins.readFile "${pkgs.akkoma-fe-domi}/static/styles.json") // {
          elly-mod = "/static/themes/elly-mod.json";
        }
      ));
      "static/themes/elly-mod.json" = pkgs.writeText "elly-mod.json" (builtins.readFile ./elly-mod.json);
      "static/custom.css" = pkgs.writeText "custom.css" ''
        .tos-content img, .terms-of-service img {
          max-width: 100%;
        }
      '';
      "static/terms-of-service.html" = inputs.florp-about.packages.${pkgs.system}.default;
      "images/sylvia-ritter-15012323.avif" = inputs.florp-branding.packages.${pkgs.system}.wallpaper;
      "images/florp_banner.avif" = inputs.florp-branding.packages.${pkgs.system}.banner;
      "favicon.png" = inputs.florp-branding.packages.${pkgs.system}.favicon;
    };
    frontends = {
      primary = {
        package = pkgs.akkoma-fe-domi;
        name = "akkoma-fe";
        ref = "5f0339ce00";
      };
      admin = {
        package = pkgs.akkoma-admin-fe;
        name = "admin-fe";
        ref = "stable";
      };
    };
  };
  services.akkoma.config = let
    inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom;
    mkMapOfPredefinedKeys = set: let
      string = value: "\"${(lib.escape [ "\\" "#" "\"" ]) value}\"";
      toElixir = value: 
        if value == null then "nil" else
        if lib.isString value then string value else
        if builtins.isBool value then lib.boolToString value else
        if lib.isInt value || lib.isFloat value then toString value else
        abort "Not a elixir value ${value}";
      entries = attrs: lib.concatStringsSep ", " (lib.mapAttrsToList (name: value:
        "${toElixir name}: ${toElixir value}"
      ) attrs);
    in mkRaw "%{${entries set}}";
  in {
    ":pleroma" = {
      ":instance" = {
        name = "florp.social";
        email = "contact@florp.social";
        notify_email = "noreply@florp.social";
        description = "Likes are now florps. The timeline goes sideways.";
        instance_thumbnail = "/instance/thumbnail.avif";
        limit = 69420;
        description_limit = 69420;
        remote_limit = 131072;
        upload_limit = 256 * 1024 * 1024;
        avatar_upload_limit = 4 * 1024 * 1024;
        background_upload_limit = 8 * 1024 * 1024;
        banner_upload_limit = 8 * 1024 * 1024;
        registrations_open = true;
        registration_reason_length = 2048;
        account_approval_required = true;
        account_activation_required = true;
        federating = true;
        federation_incoming_replies_max_depth = 1024;
        federation_reachability_timeout_days = 14;
        allow_relay = true;
        max_pinned_statuses = 10;
        max_report_comment_size = 2048;
        safe_dm_mentions = true;
        remote_post_retention_days = 365;
        user_bio_length = 8192;
        user_name_length = 64;
        cleanup_attachments = true;
        local_bubble = [
          "solitary.social"
          "donotsta.re"
          "chaos.social"
        ];
      };
      ":emoji".groups = {
        blobs = "/emoji/blobs.gg/*.png";
        blobhaj = "/emoji/blobhaj/512w/*.png";
        neodog = "/emoji/neodog/*.png";
        neocat = [
          "/emoji/neocat/*.png"
          "/emoji/neodog/additional_neocat/*.png"
        ];
        neofox = [
          "/emoji/neofox/*.png"
          "/emoji/neodog/additional_neofox/*.png"
        ];
        Custom = "/emoji/custom/*.png";
      };
      "Pleroma.Captcha".method = mkRaw "Pleroma.Captcha.Kocaptcha";
      "Pleroma.Web.Endpoint".url.host = "florp.social";
      "Pleroma.Web.Metadata.Providers.Theme".theme_color = "#070F1C";
      "Pleroma.Emails.Mailer" = {
        enabled = true;
        adapter = mkRaw "Swoosh.Adapters.SMTP";
        relay = "mail.kyouma.net";
        username = "noreply@florp.social";
        password._secret = config.sops.secrets."services/akkoma/mailerPassword".path;
        port = 465;
        ssl = true;
        auth = mkRaw ":always";
      };
      ":database".rum_enabled = true;
      ":media_proxy" = {
        enabled = true;
        base_url = "https://cache.florp.social";
        proxy_opts.redirect_on_failure = true;
        proxy_opts.max_body_length = 64 * 1024 * 1024;
      };
      ":media_preview_proxy" = {
        enabled = true;
        thumbnail_max_width = 1920;
        thumbnail_max_height = 1080;
        min_content_length = 128 * 1024;
      };
      "Pleroma.Upload".base_url = "https://media.florp.social";
      "Pleroma.Upload".filters = map mkRaw [
        "Pleroma.Upload.Filter.Exiftool.ReadDescription"
        "Pleroma.Upload.Filter.Exiftool.StripMetadata"
        "Pleroma.Upload.Filter.Dedupe"
        "Pleroma.Upload.Filter.AnonymizeFilename"
      ];
      ":mrf".policies = map mkRaw [
        "Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy"
      ];
      ":mrf_object_age".threshold = 180 * 24 * 3600;
      ":frontend_configurations" = {
        pleroma_fe = mkMapOfPredefinedKeys {
          background = "/images/sylvia-ritter-15012323.avif";
          nsfwCensorImage = "/static/blurhash-overlay.png";
          collapseMessageWithSubject = true;
          streaming = true;
          webPushNotifications = true;
          useStreamingApi = true;
          scopeCopy = true;
          subjectLineBehavior = "masto";
          alwaysShowSubjectInput = true;
          postContentType = "text/markdown";
          modalOnRepeat = true;
          minimalScopesMode = true;
          redirectRootNoLogin = "/about";
          translationLanguage = "en";
          theme = "elly-mod";
        };
      };
      ":restrict_unauthenticated" = {
        timelines = mkMapOfPredefinedKeys {
          local = false;
          federated = false;
          bubble = true;
        };
      };
      ":translator" = {
        enabled = true;
        module = mkRaw "Pleroma.Akkoma.Translators.DeepL";
      };
      ":deepl" = {
        tier = mkAtom ":free";
        api_key._secret = config.sops.secrets."services/akkoma/deepl".path;
      };
    };
    ":web_push_encryption".":vapid_details" = {
      subject = "mailto:contact@florp.social";
    };
    ":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer";
  };
  services.postgresql.enable = true;
  services.postgresql.extraPlugins = [
    pkgs.postgresql16Packages.rum
  ];
  services.nginx = {
    clientMaxBodySize = "256m";
    commonHttpConfig = ''
      access_log off;
      proxy_cache_path /var/cache/nginx/akkoma-media-cache
        levels= keys_zone=akkoma_media_cache:64m max_size=64g
        inactive=1y use_temp_path=off;
    '';
  };
  kyouma.nginx.virtualHosts = let
    proxyCache = ''
      proxy_cache akkoma_media_cache;
      # Cache objects in slices of 1 MiB
      slice 1m;
      proxy_cache_key $host$uri$is_args$args$slice_range;
      proxy_set_header Range $slice_range;
      # Decouple proxy and upstream responses
      proxy_buffering on;
      proxy_cache_lock on;
      proxy_ignore_client_abort on;
      # Default cache times for various responses
      proxy_cache_valid 200 1y;
      proxy_cache_valid 206 301 304 1h;
      # Allow serving of stale items
      proxy_cache_use_stale error timeout invalid_header updating;
    '';
  in {
    "florp.social" = {
      serverAliases = map (x: "${x}.florp.social") [ "a" "b" "c" ];
      locations."/" = {
        proxyPass = "http://unix:/run/akkoma/socket";
        proxyWebsockets = true;
      };
      locations."^/media(/.*)$".return = "308 https://media.florp.social$1";
      locations."^/proxy(/.*)$".return = "308 https://cache.florp.social$1";
      locations."= /api/v1/pleroma/admin/config" = {
        return = ''200 "\{\"error\":\"You must enable configurable_from_database in your config file.\"\}"'';
        extraConfig = ''
          types { } default_type "application/json; charset=utf-8";
        '';
      };
    };
    "media.florp.social" = {
      useACMEHost = "florp.social";
      locations."/" = {
        proxyPass = "http://unix:/run/akkoma/socket";
        extraConfig = ''
          rewrite ^(?!/media)(.*)$ /media$1;
        '' + proxyCache;
      };
    };
    "cache.florp.social" = {
      useACMEHost = "florp.social";
      locations."/" = {
        proxyPass = "http://unix:/run/akkoma/socket";
        extraConfig = ''
          rewrite ^(?!/proxy)(.*)$ /proxy$1;
        '' + proxyCache;
      };
    };
  };
  security.acme.certs."florp.social".extraDomainNames = [
    "cache.florp.social"
    "media.florp.social"
  ] ++ map (x: "${x}.florp.social") [ "a" "b" "c" ];
 }
--- a/config/services/akkoma/elly-mod.json
+++ b/config/services/akkoma/elly-mod.json
@ -1,529 +0,0 @@
 {
  "_pleroma_theme_version": 2,
  "name": "elly's theme (mod)",
  "theme": {
    "themeEngineVersion": 3,
    "shadows": {
      "panel": [
        {
          "color": "#000000",
          "x": "1",
          "y": "2",
          "blur": "6",
          "spread": 0,
          "alpha": 0.6
        }
      ],
      "topBar": [
        {
          "x": 0,
          "y": 0,
          "blur": 4,
          "spread": 0,
          "color": "#000000",
          "alpha": 0.6
        }
      ],
      "popup": [
        {
          "x": 2,
          "y": 2,
          "blur": 3,
          "spread": 0,
          "color": "#000000",
          "alpha": 0.5
        }
      ],
      "avatar": [
        {
          "x": 0,
          "y": 1,
          "blur": 8,
          "spread": 0,
          "color": "#000000",
          "alpha": 0.7
        }
      ],
      "avatarStatus": [],
      "panelHeader": [
        {
          "color": "#ffffff",
          "x": 0,
          "y": "40",
          "blur": "40",
          "spread": "-40",
          "inset": true,
          "alpha": "0.1"
        }
      ],
      "button": [
        {
          "color": "#ffffff",
          "x": 0,
          "y": "0",
          "blur": "0",
          "spread": "1",
          "alpha": "0.15",
          "inset": true
        },
        {
          "color": "#000000",
          "x": "1",
          "y": "1",
          "blur": "1",
          "spread": 0,
          "alpha": "0.3",
          "inset": false
        }
      ],
      "buttonHover": [
        {
          "color": "#318cbc",
          "x": 0,
          "y": "0",
          "blur": 0,
          "spread": "1",
          "alpha": 1,
          "inset": true
        },
        {
          "color": "#000000",
          "x": "1",
          "y": "1",
          "blur": "1",
          "spread": 0,
          "alpha": "0.3",
          "inset": false
        }
      ],
      "buttonPressed": [
        {
          "color": "#bebebe",
          "x": 0,
          "y": 0,
          "blur": "0",
          "spread": "50",
          "alpha": 0.5,
          "inset": true
        },
        {
          "color": "#ffffff",
          "x": 0,
          "y": "0",
          "blur": 0,
          "spread": "1",
          "alpha": 0.2,
          "inset": true
        },
        {
          "color": "#000000",
          "x": "1",
          "y": "1",
          "blur": 0,
          "spread": 0,
          "alpha": "0.3",
          "inset": false
        }
      ],
      "input": [
        {
          "color": "#FFFFFF",
          "x": 0,
          "y": "0",
          "blur": 0,
          "spread": "1",
          "alpha": "0.2",
          "inset": true
        }
      ]
    },
    "colors": {
      "underlay": "#000000",
      "bg": "#070e1b",
      "fg": "#31363b",
      "cRed": "#c42d38",
      "cGreen": "#22b325",
      "cOrange": "#d7d720",
      "cBlue": "#ffffff",
      "accent": "#3daee9",
      "link": "#318cbc",
      "text": "#bebebe",
      "badgeNotification": "#024297",
      "badgeNotificationText": "#ffffff",
      "alertNeutral": "#bebebe",
      "alertNeutralText": "#ffffff",
      "alertPopupNeutral": "#bebebe",
      "alertPopupNeutralText": "#000000",
      "alertSuccess": "#22b325",
      "alertSuccessText": "#ffffff",
      "alertPopupSuccess": "#22b325",
      "alertPopupSuccessText": "#000000",
      "alertWarning": "#d7d720",
      "alertWarningText": "#ffffff",
      "alertPopupWarning": "#d7d720",
      "alertPopupWarningText": "#000000",
      "alertError": "#ff090f",
      "alertErrorText": "#bebebe",
      "alertPopupError": "#ff090f",
      "alertPopupErrorText": "#ffffff",
      "panel": "#0d1a31",
      "panelText": "#bebebe",
      "alertNeutralPanelText": "#ffffff",
      "alertSuccessPanelText": "#ffffff",
      "alertWarningPanelText": "#ffffff",
      "alertErrorPanelText": "#bebebe",
      "fgText": "#bebebe",
      "topBar": "#0d1a31",
      "topBarText": "#bebebe",
      "input": "#18223d",
      "inputTopbarText": "#bebebe",
      "inputPanelText": "#bebebe",
      "inputText": "#bebebe",
      "btn": "#18223d",
      "btnText": "#bebebe",
      "btnTopBarText": "#bebebe",
      "btnDisabled": "#0c121c",
      "btnDisabledTopBarText": "#393d45",
      "btnPanelText": "#bebebe",
      "btnDisabledPanelText": "#393d45",
      "btnDisabledText": "#393d45",
      "btnToggled": "#1b1d1f",
      "btnToggledTopBarText": "#bebebe",
      "btnToggledPanelText": "#bebebe",
      "btnToggledText": "#bebebe",
      "btnPressed": "#1b1d1f",
      "btnPressedTopBarText": "#bebebe",
      "btnPressedTopBar": "#1b1d1f",
      "btnPressedPanelText": "#bebebe",
      "btnPressedPanel": "#1b1d1f",
      "btnPressedText": "#bebebe",
      "tabActiveText": "#bebebe",
      "tabText": "#bebebe",
      "tab": "#1b1d1f",
      "fgLink": "#543fe7",
      "topBarLink": "#bebebe",
      "panelLink": "#38a5ed",
      "panelFaint": "#bebebe",
      "icon": "#63666d",
      "poll": "#1d4f6e",
      "pollText": "#bebebe",
      "border": "#363c41",
      "postCyantext": "#ffffff",
      "postGreentext": "#22b325",
      "postLink": "#3daee9",
      "lightText": "#f2f2f2",
      "popover": "#070e1b",
      "selectedMenuPopover": "#0d1930",
      "highlight": "#0d1930",
      "highlightText": "#bebebe",
      "selectedMenu": "#0d1930",
      "selectedMenuText": "#bebebe",
      "selectedMenuPopoverIcon": "#666c77",
      "highlightLink": "#3daee9",
      "selectedMenuLink": "#3daee9",
      "selectedMenuPopoverLink": "#3daee9",
      "selectedMenuPopoverText": "#bebebe",
      "faintLink": "#3daee9",
      "highlightFaintLink": "#3daee9",
      "selectedMenuFaintLink": "#3daee9",
      "selectedMenuPopoverFaintLink": "#3daee9",
      "faint": "#bebebe",
      "highlightFaintText": "#bebebe",
      "selectedMenuFaintText": "#bebebe",
      "selectedMenuPopoverFaintText": "#bebebe",
      "highlightLightText": "#f2f2f2",
      "selectedMenuLightText": "#f2f2f2",
      "selectedMenuPopoverLightText": "#f2f2f2",
      "selectedMenuIcon": "#666c77",
      "selectedPost": "#0d1930",
      "selectedPostText": "#bebebe",
      "selectedPostIcon": "#666c77",
      "selectedPostLink": "#3daee9",
      "selectedPostFaintLink": "#3daee9",
      "highlightPostLink": "#3daee9",
      "selectedPostPostLink": "#3daee9",
      "selectedPostLightText": "#f2f2f2",
      "selectedPostFaintText": "#bebebe",
      "popoverText": "#bebebe",
      "popoverIcon": "#63666d",
      "popoverLink": "#3daee9",
      "postFaintLink": "#3daee9",
      "popoverPostFaintLink": "#3daee9",
      "popoverFaintLink": "#3daee9",
      "popoverFaintText": "#bebebe",
      "popoverPostLink": "#3daee9",
      "popoverLightText": "#f2f2f2",
      "highlightIcon": "#666c77",
      "highlightPostFaintLink": "#3daee9",
      "profileTint": "#070e1b",
      "profileBg": "#03070f",
      "wallpaper": "#050a13"
    },
    "opacity": {
      "underlay": 0.15,
      "bg": 0.85,
      "alert": 0.5,
      "alertPopup": 0.95,
      "panel": 0.75,
      "input": 0.9,
      "btn": 0.9,
      "faint": 0.5,
      "border": 0.55,
      "popover": 1,
      "profileTint": 0.5
    },
    "radii": {
      "btn": "3",
      "input": "4",
      "checkbox": "1",
      "panel": "3",
      "avatar": "4",
      "avatarAlt": "4",
      "tooltip": 2,
      "attachment": "3"
    },
    "fonts": {
      "interface": {
        "family": "sans-serif"
      },
      "input": {
        "family": "inherit"
      },
      "post": {
        "family": "inherit"
      },
      "postCode": {
        "family": "monospace"
      }
    }
  },
  "source": {
    "themeEngineVersion": 3,
    "fonts": {},
    "shadows": {
      "panel": [
        {
          "x": "1",
          "y": "2",
          "blur": "6",
          "spread": 0,
          "color": "#000000",
          "alpha": 0.6
        }
      ],
      "button": [
        {
          "x": 0,
          "y": "0",
          "blur": "0",
          "spread": "1",
          "color": "#ffffff",
          "alpha": "0.15",
          "inset": true
        },
        {
          "x": "1",
          "y": "1",
          "blur": "1",
          "spread": 0,
          "color": "#000000",
          "alpha": "0.3",
          "inset": false
        }
      ],
      "panelHeader": [
        {
          "x": 0,
          "y": "40",
          "blur": "40",
          "spread": "-40",
          "inset": true,
          "color": "#ffffff",
          "alpha": "0.1"
        }
      ],
      "buttonHover": [
        {
          "x": 0,
          "y": "0",
          "blur": 0,
          "spread": "1",
          "color": "--link",
          "alpha": 1,
          "inset": true
        },
        {
          "x": "1",
          "y": "1",
          "blur": "1",
          "spread": 0,
          "color": "#000000",
          "alpha": "0.3",
          "inset": false
        }
      ],
      "buttonPressed": [
        {
          "x": 0,
          "y": 0,
          "blur": "0",
          "spread": "50",
          "color": "--faint",
          "alpha": 0.5,
          "inset": true
        },
        {
          "x": 0,
          "y": "0",
          "blur": 0,
          "spread": "1",
          "color": "#ffffff",
          "alpha": 0.2,
          "inset": true
        },
        {
          "x": "1",
          "y": "1",
          "blur": 0,
          "spread": 0,
          "color": "#000000",
          "alpha": "0.3",
          "inset": false
        }
      ],
      "input": [
        {
          "x": 0,
          "y": "0",
          "blur": 0,
          "spread": "1",
          "color": "#FFFFFF",
          "alpha": "0.2",
          "inset": true
        }
      ]
    },
    "opacity": {
      "bg": "0.85",
      "border": "0.55",
      "panel": "0.75",
      "btn": "0.9",
      "input": "0.9"
    },
    "colors": {
      "bg": "#070e1b",
      "fg": "#31363b",
      "text": "#bebebe",
      "underlay": "#000000",
      "link": "#318cbc",
      "accent": "#3daee9",
      "faint": "#bebebe",
      "faintLink": "#3daee9",
      "postFaintLink": "#3daee9",
      "cBlue": "#ffffff",
      "cRed": "#c42d38",
      "cGreen": "#22b325",
      "cOrange": "#d7d720",
      "highlight": "#0d1930",
      "highlightLightText": "#f2f2f2",
      "highlightPostLink": "#3daee9",
      "highlightFaintText": "#bebebe",
      "highlightFaintLink": "#3daee9",
      "highlightPostFaintLink": "#3daee9",
      "highlightText": "#bebebe",
      "highlightLink": "#3daee9",
      "highlightIcon": "#666c77",
      "popover": "#070e1b",
      "popoverLightText": "#f2f2f2",
      "popoverPostLink": "#3daee9",
      "popoverFaintText": "#bebebe",
      "popoverFaintLink": "#3daee9",
      "popoverPostFaintLink": "#3daee9",
      "popoverText": "#bebebe",
      "popoverLink": "#3daee9",
      "popoverIcon": "#63666d",
      "selectedPost": "#0d1930",
      "selectedPostFaintText": "#bebebe",
      "selectedPostLightText": "#f2f2f2",
      "selectedPostPostLink": "#3daee9",
      "selectedPostFaintLink": "#3daee9",
      "selectedPostText": "#bebebe",
      "selectedPostLink": "#3daee9",
      "selectedPostIcon": "#666c77",
      "selectedMenu": "#0d1930",
      "selectedMenuLightText": "#f2f2f2",
      "selectedMenuFaintText": "#bebebe",
      "selectedMenuFaintLink": "#3daee9",
      "selectedMenuText": "#bebebe",
      "selectedMenuLink": "#3daee9",
      "selectedMenuIcon": "#666c77",
      "selectedMenuPopover": "#0d1930",
      "selectedMenuPopoverLightText": "#f2f2f2",
      "selectedMenuPopoverFaintText": "#bebebe",
      "selectedMenuPopoverFaintLink": "#3daee9",
      "selectedMenuPopoverText": "#bebebe",
      "selectedMenuPopoverLink": "#3daee9",
      "selectedMenuPopoverIcon": "#666c77",
      "lightText": "#f2f2f2",
      "postLink": "#3daee9",
      "border": "#363c41",
      "poll": "#1d4f6e",
      "pollText": "#bebebe",
      "icon": "#63666d",
      "fgText": "#bebebe",
      "fgLink": "#543fe7",
      "panel": "#0d1a31",
      "panelText": "#bebebe",
      "panelFaint": "#bebebe",
      "panelLink": "#38a5ed",
      "topBar": "#0d1a31",
      "topBarText": "#bebebe",
      "topBarLink": "#bebebe",
      "tab": "#1b1d1f",
      "tabText": "#bebebe",
      "tabActiveText": "#bebebe",
      "btn": "#18223d",
      "btnText": "#bebebe",
      "btnPanelText": "#bebebe",
      "btnTopBarText": "#bebebe",
      "btnPressed": "#1b1d1f",
      "btnPressedText": "#bebebe",
      "btnPressedPanel": "#1b1d1f",
      "btnPressedPanelText": "#bebebe",
      "btnPressedTopBar": "#1b1d1f",
      "btnPressedTopBarText": "#bebebe",
      "btnToggled": "#1b1d1f",
      "btnToggledText": "#bebebe",
      "btnToggledPanelText": "#bebebe",
      "btnToggledTopBarText": "#bebebe",
      "btnDisabled": "#0c121c",
      "btnDisabledText": "#393d45",
      "btnDisabledPanelText": "#393d45",
      "btnDisabledTopBarText": "#393d45",
      "input": "#18223d",
      "inputText": "#bebebe",
      "inputPanelText": "#bebebe",
      "inputTopbarText": "#bebebe",
      "alertError": "#ff090f",
      "alertErrorText": "#bebebe",
      "alertErrorPanelText": "#bebebe",
      "alertWarning": "#d7d720",
      "alertWarningText": "#ffffff",
      "alertWarningPanelText": "#ffffff",
      "alertNeutral": "#bebebe",
      "alertNeutralText": "#ffffff",
      "alertNeutralPanelText": "#ffffff",
      "badgeNotification": "#024297",
      "badgeNotificationText": "#ffffff"
    },
    "radii": {
      "btn": "3",
      "input": "4",
      "checkbox": "1",
      "panel": "3",
      "avatar": "4",
      "avatarAlt": "4",
      "attachment": "3"
    }
  }
 }
--- a/config/services/arrs/default.nix
+++ b/config/services/arrs/default.nix
@ -1,55 +0,0 @@
 { lib, pkgs, ... }: {
  services = {
    prowlarr.enable = true;
  } // lib.genAttrs [ "sonarr" "radarr" ] (_: {
    enable = true;
  });
  systemd.services = lib.genAttrs [ "radarr" "sonarr" ] (_: {
    wants = [ "mnt-mezzomix.mount" ];
  });
  systemd.mounts = lib.singleton {
    description = "rclone mount";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" "radarr.service" "sonarr.service" ];
    where = "/mnt/mezzomix";
    what = "mezzomix@otos.feralhosting.com:private/rtorrent/data";
    type = "fuse.sshfs";
    options = "umask=0000,idmap=user,_netdev,rw,nosuid,allow_other,default_permissions,follow_symlinks,reconnect,max_conns=10,identityfile=/etc/keys/ssh_host_ed25519_key";
  };
  systemd.automounts = lib.singleton {
    name = "mnt-mezzomix.automount";
    where = "/mnt/mezzomix";
    wantedBy = [ "multi-user.target" ];
    automountConfig.TimeoutIdleSec = 0;
  };
  environment.systemPackages = [ pkgs.sshfs ];
  programs.ssh.ciphers = [ "aes256-ctr" ];
  kyouma.nginx.virtualHosts = {
    "crime.kyouma.net" = {
      verifyClientCert = true;
      disableHttp3 = true;
      locations = {
        "/".root = pkgs.writeTextDir "index.html" (builtins.readFile ./landingPage.html);
        "/sonarr/" = {
          proxyPass = "http://127.0.0.1:8989";
          recommendedProxySettings = true;
        };
        "/radarr/" = {
          proxyPass = "http://127.0.0.1:7878";
          recommendedProxySettings = true;
        };
        "/prowlarr/" = {
          proxyPass = "http://127.0.0.1:9696";
          recommendedProxySettings = true;
        };
      };
    };
  };
  security.acme.certs."crime.kyouma.net" = {};
 }
--- a/config/services/arrs/landingPage.html
+++ b/config/services/arrs/landingPage.html
@ -1,27 +0,0 @@
 <!DOCTYPE html>
 <html>
 <head>
 <title>crime.kyouma.net</title>
 <style>
 body {
  width: 35em;
  margin: 0 auto;
  font-family: Tahoma, Verdana, Arial, sans-serif;
 }
 </style>
 </head>
 <body>
 <h1>Welcome to crime.kyouma.net!</h1>
 <p>If you see this page, the nginx web server is successfully installed and
 working. Further configuration is required.</p>
 <p>Sonarr
 <a href="https://crime.kyouma.net/sonarr">crime.kyouma.net/sonarr</a><br/>
 Radarr
 <a href="https://crime.kyouma.net/radarr">crime.kyouma.net/radarr</a><br/>
 Prowlarr
 <a href="https://crime.kyouma.net/prowlarr">crime.kyouma.net/prowlarr</a></p>
 <p><em>Thank you for using nginx.</em></p>
 </body>
 </html>
--- a/config/services/forgejo.nix
+++ b/config/services/forgejo.nix
@ -5,7 +5,6 @@
  };
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    secrets.mailer.PASSWD = config.sops.secrets."services/forgejo/mailerPassword".path;
    database = {
      createDatabase = true;
--- a/config/services/hydra/default.nix
+++ b/config/services/hydra/default.nix
@ -1,7 +1,6 @@
 { config, inputs, lib, ... }: {
  imports = [
    ./nix-config.nix
    inputs.hydra.nixosModules.hydra
  ];
  sops.secrets."services/hydra/signKey" = {
    owner = "hydra-queue-runner";
@ -19,7 +18,7 @@
  };
  kyouma.deployment.auto-upgrade.cache = "daemon";
-  services.hydra-dev = {
+  services.hydra = {
    enable = true;
    package = inputs.hydra.packages.${config.nixpkgs.hostPlatform.system}.hydra;
    hydraURL = "https://hydra.kyouma.net";
@ -30,9 +29,9 @@
    extraConfig = ''
      server_store_uri = https://cache.kyouma.net
      binary_cache_public_uri = https://cache.kyouma.net
-      evaluator_workers = 6
+      evaluator_workers = 8
-      evaluator_max_memory_size = 12288
+      evaluator_max_memory_size = 16384
-      max_output_size = ${builtins.toString (24 * 1024 * 1024 * 1024)}
+      max_output_size = 4294967296
    '';
  };
  services.harmonia = {
@ -43,11 +42,6 @@
    };
  };
  systemd.services.hydra-evaluator.serviceConfig = {
    MemoryHigh = "250G";
    MemoryMax = "254G";
  };
  kyouma.nginx.defaultForbidden = "hydra.kyouma.net";
  kyouma.nginx.virtualHosts = {
    "hydra.kyouma.net".locations."/".proxyPass = "http://localhost:3000";
--- a/config/services/hydra/nix-config.nix
+++ b/config/services/hydra/nix-config.nix
@ -1,14 +1,12 @@
 { config, lib, ... }: {
-  nix.buildMachines = let
+  nix.buildMachines = [
    base = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
  in [
    {
      hostName = "localhost";
      protocol = null;
      maxJobs = 0;
      speedFactor = 0;
      systems = [ "x86_64-linux" ];
-      supportedFeatures = base;
+      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
    }
    {
      hostName = "integra.kyouma.net";
@ -16,30 +14,27 @@
      maxJobs = 2;
      speedFactor = 4;
      systems = [ "aarch64-linux" ];
-      supportedFeatures = base;
+      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
      sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
    }
-    {
+  ] ++ lib.forEach [ "03" "04" ] (num: {
-      hostName = "schrodinger.kyouma.net";
+      hostName = "build-worker-${num}.nyantec.com";
-      sshUser = "root";
+      sshUser = "nix-ssh";
-      maxJobs = 0;
+      maxJobs = 4;
-      speedFactor = 20;
+      speedFactor = 18;
-      systems = [ "riscv64-linux" ];
+      systems = [ "x86_64-linux" "riscv64-linux" ];
-      supportedFeatures = base ++ [ "gccarch-rv64imac" "gccarch-rv64imacfd" "gccarch-rv64gc" ];
+      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" "gccarch-x86-64" "gccarch-x86-64-v2" "gccarch-x86-64-v3" ];
      sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
    }
-  ] ++ lib.forEach (lib.range 0 10) (num: {
+  ) ++ lib.forEach [ "01" "02" "05" "06" ] (num: {
-      hostName = "build-worker-${lib.fixedWidthNumber 2 num}";
+      hostName = "build-worker-${num}";
      sshUser = "root";
-      maxJobs = 2;
+      maxJobs = 4;
      speedFactor = 20;
-      systems = [ "i686-linux" "x86_64-linux" ];
+      systems = [ "x86_64-linux" ];
      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "gccarch-x86-64" "gccarch-x86-64-v2" "gccarch-x86-64-v3" ];
      sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
  });
  nixpkgs.config.allowUnsupportedSystem = true;
  nix.distributedBuilds = true;
  nix.gc.automatic = lib.mkForce false;
  nix.settings = {
    allowed-uris = [
      "github:"
@ -53,29 +48,25 @@
      "build-worker-03.nyantec.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGqTY74c5g15DSNPNM2Wdr5jAwS7BFgX1XRnhtGOnJc";
      "build-worker-04.nyantec.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICOq+5I+nlAN2lJoOtoXrYEDuZ/TMPMa43pIlablYigK";
      "integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
      "schrodinger.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKo7vZ6lS1wx76YsbAdhOsGcc20YMAW52ep8SZ/FCHDp";
      "lab.nyantec.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUePtVPtBK+CYosufbaGiMT4EVanti4V5t2Wg0g/Fy4";
      "localhost".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
      "[build-worker-kyoumanet.fly.dev]:2200".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUGzlilikAUfUGKXVCoTeDvPRoWUgDDkNU5WaRUBzls";
      "[build-worker-kyoumanet.fly.dev]:2201".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDL2M97UBHg9aUfjDUxzmzg1r0ga0m3/stummBVwuEAB";
      "[build-worker-kyoumanet.fly.dev]:2202".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTwVKL0P0chPM2Gz23rbT94844+w1CGJdCaZdzfjThz";
      "[build-worker-kyoumanet.fly.dev]:2203".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAjy2eZGJQeAYy0+fLgW9jiS0jVY2LInY0NDMnzCvvKp";
      "[build-worker-kyoumanet.fly.dev]:2204".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN72OyD9LYy4hq0WZ7ie5RPV+G54UreEJiA/RubjGoe9";
      "[build-worker-kyoumanet.fly.dev]:2205".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNh1o1I98XrI2XmOI6Q0aHPfyLCIQwKkKOxGUUeXL9v";
      "[build-worker-kyoumanet.fly.dev]:2206".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGf0kxGgwOG9KhUhvxxTSiQC5YikrzZXKDgSpBw33qN4";
      "[build-worker-kyoumanet.fly.dev]:2207".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL9z95a6Fn/dB+iNigEYpuJdBnBwCkIZYaKHcFbGP+RY";
      "[build-worker-kyoumanet.fly.dev]:2208".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAk+FNMhTfAVqk3MfLp4QiG/i5ti53DlpnC0q+sOvU9O";
      "[build-worker-kyoumanet-cdg.fly.dev]:2209".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJGlQD/3fLn/Kyb7v0RIycHRcArGi75jURj803EMpW0S";
      "[build-worker-kyoumanet-cdg.fly.dev]:2210".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQm1FSGBGdCR5f8MvBvdKM0M4yIQVnH1po7hHO5T1qz";
    }; 
    extraConfig = ''
-      Host machine-0008.cloud-v.co
+      Host build-worker-01
-        Hostname machine.cloud-v.co
+        Hostname build-worker-kyoumanet.fly.dev
-        Port 20008
+        Port 2201
-    '' + lib.concatLines (lib.forEach (lib.range 0 10) (num: ''
+      Host build-worker-02
-      Host build-worker-${lib.fixedWidthNumber 2 num}
+        Hostname build-worker-kyoumanet.fly.dev
-        Hostname build-worker-kyoumanet${lib.optionalString (num > 8) "-cdg"}.fly.dev
+        Port 2202
-        Port 22${lib.fixedWidthNumber 2 num}
+      Host build-worker-05
-    ''));
+        Hostname build-worker-kyoumanet.fly.dev
        Port 2203
      Host build-worker-06
        Hostname build-worker-kyoumanet.fly.dev
        Port 2204
    '';
  };
 }
--- a/config/services/jellyfin.nix
+++ b/config/services/jellyfin.nix
@ -1,34 +0,0 @@
 { lib, ... }: {
  services.jellyfin.enable = true;
  kyouma.nginx.virtualHosts = {
    "watch.kyouma.net".redirectTo = "fentanyl.trade";
    "fentanyl.trade" = {
      serverAliases = lib.singleton "frotti.ng";
      locations = {
        "= /".return = "302 https://$host/web/";
        "/" = {
          proxyPass = "http://[::1]:8096";
          recommendedProxySettings = true;
          extraConfig = ''
            proxy_buffering on;
          '';
        };
        "= /web/" = {
          proxyPass = "http://[::1]:8096";
          recommendedProxySettings = true;
        };
        "/socket" = {
          proxyPass = "http://[::1]:8096";
          recommendedProxySettings = true;
          proxyWebsockets = true;
        };
      };
    };
  };
  security.acme.certs."fentanyl.trade".extraDomainNames = [ 
    "frotti.ng"
    "watch.kyouma.net"
  ];
 }
--- a/config/services/librespeed.nix
+++ b/config/services/librespeed.nix
@ -1,8 +1,6 @@
 { ... }: {
  services.librespeed = {
    enable = true;
    openFirewall = true;
    domain = "speed.kyouma.net";
    frontend.enable = true;
  };
 }
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@ -1,6 +1,4 @@
-{ config, lib, pkgs, ... }: let 
+{ config, lib, ... }: with lib; {
  inherit (lib) mkDefault;
 in {
  kyouma.deployment.tags = [ "web" ];
  security.dhparams.enable = true;
  security.dhparams.params.nginx = {};
@ -11,11 +9,9 @@ in {
      email = "noc@kyouma.net";
    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 443 ];
  services.nginx = {
    enable = true;
-    package = mkDefault pkgs.nginxQuic;
+    #package = pkgs.nginxQuic;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
@ -36,14 +32,7 @@ in {
      add_header X-XSS-Protection 		      "1; mode=block" always;
      add_header X-Frame-Options 		        "SAMEORIGIN" always;
      add_header Referrer-Policy 		        "same-origin" always;
      add_header Alt-Svc                    'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
      #add_header Content-Security-Policy    "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    '';
    eventsConfig = ''
      multi_accept on;
    '';
    appendConfig = ''
      worker_processes auto;
    '';
  };
 }
--- a/config/services/vaultwarden.nix
+++ b/config/services/vaultwarden.nix
@ -5,14 +5,14 @@
  };
  sops.secrets."services/vaultwarden/basicAuth" = {
    sopsFile = ../../secrets/services/vaultwarden.yaml;
-    owner = "nginx";
+    owner = "vaultwarden";
  };
  services.vaultwarden = {
    enable = true;
    environmentFile = config.sops.secrets."services/vaultwarden/environmentFile".path;
    backupDir = "/var/backup/bitwarden_rs";
    config = {
-      DOMAIN = "https://vault.kyouma.net";
+      DOMAIN = "https://staging.vault.kyouma.net";
      DATABASE_MAX_CONNS = 15;
      WEB_VAULT_ENABLED = true;
      WEBSOCKET_ADDRESS = "::1";
@ -33,10 +33,10 @@
      SMTP_SECURITY = "starttls";
      SMTP_PORT = 587;
      ROCKET_ADDRESS = "::1";
-      ROCKET_PORT = 8222;
+      ROCKET_PORT = "8222";
    };
  };
-  kyouma.nginx.virtualHosts."vault.kyouma.net" = {
+  kyouma.nginx.virtualHosts."staging.vault.kyouma.net" = {
    locations."/" = {
      proxyPass = "http://[::1]:8222";
      proxyWebsockets = true;
@ -46,5 +46,5 @@
      basicAuthFile = config.sops.secrets."services/vaultwarden/basicAuth".path;
    };
  };
-  security.acme.certs."vault.kyouma.net" = {};
+  security.acme.certs."staging.vault.kyouma.net" = {};
 }
--- a/config/users/lucy/default.nix
+++ b/config/users/lucy/default.nix
@ -1,78 +0,0 @@
 { inputs, pkgs, ... }: {
  imports = [
    inputs.home-manager.nixosModules.home-manager
  ];
  users.users.lucy = {
    isNormalUser = true;
    shell = pkgs.fish;
    ignoreShellProgramCheck = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIId7XvwEHtC9KdGg4Bn+XE+yyBp7/dRToJX9T56mM7ln kosaki@kosaki"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZH8HwE1OxVAArRpc3+c7foYJ/WYjp4BqUyuab9yQyl emilia@emilia"
    ];
  };
  home-manager.useGlobalPkgs = true;
  home-manager.users.lucy = {
    home.stateVersion = "24.11";
    home.packages = with pkgs; [
      whois
      htop
      restic
      fend
    ];
    fonts.fontconfig.enable = true;
    programs.bat.enable = true;
    programs.gpg.enable = true;
    programs.ripgrep.enable = true;
    programs.tmux = {
      enable = true;
      prefix = "M-w";
      clock24 = true;
      extraConfig = ''
        # unbind keys
        unbind-key C-b
        # new prefix
        bind-key M-w send-prefix
        # selection via vim keys
        bind-key -r	h select-pane -L
        bind-key -r	j select-pane -D
        bind-key -r	k select-pane -U
        bind-key -r	l select-pane -R
        # resize aswell
        bind-key -r	C-h resize-pane -L 5
        bind-key -r	C-j resize-pane -D 5
        bind-key -r	C-k resize-pane -U 5
        bind-key -r	C-l resize-pane -R 5
        bind-key	g split-window
        bind-key	v split-window -h
      '';
    };
    programs.eza = {
      enable = true;
      icons = "auto";
      git = true;
      extraOptions = [
        "--color-scale=all"
        "--color-scale-mode=gradient"
        "--group-directories-first"
      ];
    };
    programs.fish = {
      enable = true;
      interactiveShellInit = ''
        set -U fish_greeting
      '';
    };
  };
 }
--- a/config/users/nil/default.nix
+++ b/config/users/nil/default.nix
@ -1,49 +0,0 @@
 { inputs, pkgs, ... }: {
  imports = [
    inputs.home-manager.nixosModules.home-manager 
  ];
  users.users.nil = {
    isNormalUser = true;
    shell = pkgs.fish;
    ignoreShellProgramCheck = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICczPHRwY9MAwDGlcB0QgMOJjcpLJhVU3covrW9RBS62AAAABHNzaDo="
    ];
  };
  home-manager.useGlobalPkgs = true;
  home-manager.users.nil = {
    home.stateVersion = "24.11";
    home.packages = with pkgs; [
      whois
      htop
      restic
      fend
    ];
    fonts.fontconfig.enable = true;
    programs.bat.enable = true;
    programs.gpg.enable = true;
    programs.ripgrep.enable = true;
    programs.eza = {
      enable = true;
      icons = "auto";
      git = true;
      extraOptions = [
        "--color-scale=all"
        "--color-scale-mode=gradient"
        "--group-directories-first"
      ];
    };
    programs.fish = {
      enable = true;
      interactiveShellInit = ''
        set -U fish_greeting
      '';
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -5,18 +5,17 @@
        "crane": "crane",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "nix-github-actions": "nix-github-actions",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1731270564,
+        "lastModified": 1726069220,
-        "narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=",
+        "narHash": "sha256-dAUWlC8uMJX9iovycfvJcg5nm3PzqJIRAOwN4z322zM=",
        "owner": "zhaofengli",
        "repo": "attic",
-        "rev": "47752427561f1c34debb16728a210d378f0ece36",
+        "rev": "416687e59c4f0b32742423458cab2c5ff8fe748a",
        "type": "github"
      },
      "original": {
@ -136,11 +135,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728330715,
+        "lastModified": 1722113426,
-        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
+        "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
+        "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae",
        "type": "github"
      },
      "original": {
@ -156,11 +155,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731549112,
+        "lastModified": 1727196810,
-        "narHash": "sha256-c9I3i1CwZ10SoM5npQQVnfwgvB86jAS3lT4ZqkRoSOI=",
+        "narHash": "sha256-xQzgXRlczZoFfrUdA4nD5qojCQVqpiIk82aYINQZd+U=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "5fd852c4155a689098095406500d0ae3d04654a8",
+        "rev": "6d42596a35d34918a905e8539a44d3fc91f42b5b",
        "type": "github"
      },
      "original": {
@ -214,27 +213,6 @@
        "type": "github"
      }
    },
    "firefox": {
      "inputs": {
        "neoidiosyn": "neoidiosyn",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1731867603,
        "narHash": "sha256-07612Ws2V4iFQAGLEoZVIefA3rM9JP3B/qo/z4tu1Kg=",
        "ref": "refs/heads/main",
        "rev": "022ec0becb1ca7b96ddb9bdd046617075357c2cb",
        "revCount": 3,
        "type": "git",
        "url": "https://woof.rip/mikael/firefox.git"
      },
      "original": {
        "type": "git",
        "url": "https://woof.rip/mikael/firefox.git"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -348,11 +326,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1730504689,
+        "lastModified": 1726153070,
-        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
        "type": "github"
      },
      "original": {
@ -383,24 +361,6 @@
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_3": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
@ -415,9 +375,9 @@
        "type": "github"
      }
    },
-    "flake-utils_4": {
+    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1726560853,
@ -433,7 +393,7 @@
        "type": "github"
      }
    },
-    "flake-utils_5": {
+    "flake-utils_4": {
      "inputs": {
        "systems": [
          "stylix",
@ -469,81 +429,6 @@
        "type": "github"
      }
    },
    "flakey-profile_2": {
      "locked": {
        "lastModified": 1712898590,
        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
        "owner": "lf-",
        "repo": "flakey-profile",
        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
        "type": "github"
      },
      "original": {
        "owner": "lf-",
        "repo": "flakey-profile",
        "type": "github"
      }
    },
    "florp-about": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1731582952,
        "narHash": "sha256-hnvqHeekGal+hml6BQB254LsJn+Vk5QNKzkIu8rH/xs=",
        "ref": "refs/heads/main",
        "rev": "f283dba73f777746e1675126f8fa4c5b1fd06152",
        "revCount": 10,
        "type": "git",
        "url": "https://woof.rip/florp/about.git"
      },
      "original": {
        "type": "git",
        "url": "https://woof.rip/florp/about.git"
      }
    },
    "florp-branding": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1731182323,
        "narHash": "sha256-Ecw7fOxv3hp1iLWBqlYW9TTNi0LTtiu92gtqfdn5v20=",
        "ref": "refs/heads/main",
        "rev": "8aaf8c85b902eaaabfdeadd5502019b2816991b9",
        "revCount": 3,
        "type": "git",
        "url": "https://woof.rip/florp/branding.git"
      },
      "original": {
        "type": "git",
        "url": "https://woof.rip/florp/branding.git"
      }
    },
    "florp-moderation": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1731611636,
        "narHash": "sha256-Do8vpR8JTpkPr9vxf1aRzhb4/cUBjg5twPyGDyezxJw=",
        "ref": "refs/heads/main",
        "rev": "32e1061cb2ef3cd0eab0bd99f062a2776a73d459",
        "revCount": 7,
        "type": "git",
        "url": "https://woof.rip/florp/moderation.git"
      },
      "original": {
        "type": "git",
        "url": "https://woof.rip/florp/moderation.git"
      }
    },
    "fromYaml": {
      "flake": false,
      "locked": {
@ -577,11 +462,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731363552,
+        "lastModified": 1726745158,
-        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
        "type": "github"
      },
      "original": {
@ -636,11 +521,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731604581,
+        "lastModified": 1727111745,
-        "narHash": "sha256-Qq2YZZaDTB3FZLWU/Hgh1uuWlUBl3cMLGB99bm7rFUM=",
+        "narHash": "sha256-EYLvFRoTPWtD+3uDg2wwQvlz88OrIr3zld+jFE5gDcY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "1d0862ee2d7c6f6cd720d6f32213fa425004be10",
+        "rev": "21c021862fa696c8199934e2153214ab57150cb6",
        "type": "github"
      },
      "original": {
@ -658,47 +543,37 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1728215710,
+        "lastModified": 1724696781,
-        "narHash": "sha256-TRxR6zELQoUDPhLkmBU8QjgskNyVcblKgQIxhuOyNRc=",
+        "narHash": "sha256-oDLfi7PdElAdhGK8i+mQ4OOn6Hu3vzHiYnuFcHoJ0IU=",
-        "ref": "main",
+        "ref": "refs/heads/main",
-        "rev": "799441dcf6d595efb0def686ca0815aef398627b",
+        "rev": "ab6d81fad404af05dfeae7f74d1783a2f7367826",
-        "revCount": 4217,
+        "revCount": 4205,
        "type": "git",
-        "url": "https://git.lix.systems/lix-project/hydra"
+        "url": "https://git.lix.systems/snaakey/hydra.git"
      },
      "original": {
        "ref": "main",
        "rev": "799441dcf6d595efb0def686ca0815aef398627b",
        "type": "git",
-        "url": "https://git.lix.systems/lix-project/hydra"
+        "url": "https://git.lix.systems/snaakey/hydra.git"
      }
    },
-    "ixx": {
+    "iceshrimp": {
      "inputs": {
        "flake-utils": [
          "nixvim",
          "nuschtosSearch",
          "flake-utils"
        ],
        "nixpkgs": [
          "nixvim",
          "nuschtosSearch",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1729958008,
+        "lastModified": 1718289195,
-        "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
+        "narHash": "sha256-xmkExjsTztXW4/AYb3d3Er6Wwg4r7AVwq7rv9E93+Ec=",
-        "owner": "NuschtOS",
+        "ref": "refs/heads/dev",
-        "repo": "ixx",
+        "rev": "746c6319d3425ccfacc906535c67951e161996d9",
-        "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
+        "revCount": 47,
-        "type": "github"
+        "type": "git",
        "url": "https://iceshrimp.dev/iceshrimp/packaging"
      },
      "original": {
-        "owner": "NuschtOS",
+        "type": "git",
-        "ref": "v0.0.6",
+        "url": "https://iceshrimp.dev/iceshrimp/packaging"
        "repo": "ixx",
        "type": "github"
      }
    },
    "kyouma-www": {
@ -725,68 +600,6 @@
      }
    },
    "lix": {
      "flake": false,
      "locked": {
        "lastModified": 1731683711,
        "narHash": "sha256-bq21I1EjXJa/s5Rra9J9ot2NkPCnI0F5uNPurwYLdpE=",
        "rev": "c859d03013712b349d82ee6223948d6d03e63a8d",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/c859d03013712b349d82ee6223948d6d03e63a8d.tar.gz?rev=c859d03013712b349d82ee6223948d6d03e63a8d"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/lix/archive/main.tar.gz"
      }
    },
    "lix-module": {
      "inputs": {
        "flake-utils": "flake-utils",
        "flakey-profile": "flakey-profile",
        "lix": [
          "firefox",
          "neoidiosyn",
          "lix"
        ],
        "nixpkgs": [
          "firefox",
          "neoidiosyn",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1731185731,
        "narHash": "sha256-RNaIu43b9PoXEhW4OqXUNZKY/jezQyCYWwdv1M0VjsA=",
        "rev": "691193879d96bdfd1e6ab5ebcca2fadc7604cf34",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/691193879d96bdfd1e6ab5ebcca2fadc7604cf34.tar.gz?rev=691193879d96bdfd1e6ab5ebcca2fadc7604cf34"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz"
      }
    },
    "lix-module_2": {
      "inputs": {
        "flake-utils": "flake-utils_3",
        "flakey-profile": "flakey-profile_2",
        "lix": "lix_3",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1723510904,
        "narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
        "rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz?rev=622a2253a071a1fb97a4d3c8103a91114acc1140"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"
      }
    },
    "lix_2": {
      "inputs": {
        "flake-compat": "flake-compat_2",
        "nix2container": "nix2container",
@ -806,7 +619,28 @@
        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz"
      }
    },
-    "lix_3": {
+    "lix-module": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "flakey-profile": "flakey-profile",
        "lix": "lix_2",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1723510904,
        "narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
        "rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz?rev=622a2253a071a1fb97a4d3c8103a91114acc1140"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"
      }
    },
    "lix_2": {
      "flake": false,
      "locked": {
        "lastModified": 1723503926,
@ -820,29 +654,6 @@
        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz"
      }
    },
    "neoidiosyn": {
      "inputs": {
        "lix": "lix",
        "lix-module": "lix-module",
        "nixpkgs": [
          "firefox",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1731867586,
        "narHash": "sha256-6anSWv1Vw83RKMAFMHOCv/9pp23ExzscEKFAe+GbAmU=",
        "ref": "refs/heads/main",
        "rev": "86605e5489fb5045f4dee48de2a69082e17c033b",
        "revCount": 1,
        "type": "git",
        "url": "https://woof.rip/mikael/neoidiosyn.git"
      },
      "original": {
        "type": "git",
        "url": "https://woof.rip/mikael/neoidiosyn.git"
      }
    },
    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
@ -851,11 +662,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731454423,
+        "lastModified": 1727003835,
-        "narHash": "sha256-TtwvgFxUa0wyptLhQbKaixgNW1UXf3+TDqfX3Kp63oM=",
+        "narHash": "sha256-Cfllbt/ADfO8oxbT984MhPHR6FJBaglsr1SxtDGbpec=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "6c71c49e2448e51ad830ed211024e6d0edc50116",
+        "rev": "bd7d1e3912d40f799c5c0f7e5820ec950f1e0b3d",
        "type": "github"
      },
      "original": {
@ -871,7 +682,7 @@
          "hydra",
          "lix"
        ],
-        "nix-github-actions": "nix-github-actions_2",
+        "nix-github-actions": "nix-github-actions",
        "nixpkgs": [
          "hydra",
          "nixpkgs"
@ -893,27 +704,6 @@
      }
    },
    "nix-github-actions": {
      "inputs": {
        "nixpkgs": [
          "attic",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1729742964,
        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "type": "github"
      }
    },
    "nix-github-actions_2": {
      "inputs": {
        "nixpkgs": [
          "hydra",
@ -953,11 +743,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1731403644,
+        "lastModified": 1727040444,
-        "narHash": "sha256-T9V7CTucjRZ4Qc6pUEV/kpgNGzQbHWfGcfK6JJLfUeI=",
+        "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "f6581f1c3b137086e42a08a906bdada63045f991",
+        "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac",
        "type": "github"
      },
      "original": {
@ -1036,11 +826,11 @@
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1730602179,
+        "lastModified": 1725762081,
-        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
+        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
+        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
        "type": "github"
      },
      "original": {
@ -1052,11 +842,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1725001927,
+        "lastModified": 1723688146,
-        "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=",
+        "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
+        "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
        "type": "github"
      },
      "original": {
@ -1084,11 +874,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1731319897,
+        "lastModified": 1726937504,
-        "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=",
+        "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "dc460ec76cbff0e66e269457d7b728432263166c",
+        "rev": "9357f4f23713673f310988025d9dc261c20e70c6",
        "type": "github"
      },
      "original": {
@ -1115,11 +905,11 @@
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
-        "lastModified": 1731707185,
+        "lastModified": 1727186381,
-        "narHash": "sha256-IfA3x0eL4Be/7hvdvGSnT8fgiXz7GL3PtjGw3BH68gM=",
+        "narHash": "sha256-T6vSJAvbYSBsaUkwh2adbIt7liE2xpcRhmlosMNZnDo=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "be455f7f2714ce3479ae5bb662a03bd450f45793",
+        "rev": "8f991cc8bc417ddbd1d5c7732268255557c13f4a",
        "type": "github"
      },
      "original": {
@ -1130,19 +920,18 @@
    },
    "nuschtosSearch": {
      "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_3",
        "ixx": "ixx",
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1731347683,
+        "lastModified": 1726995581,
-        "narHash": "sha256-BcSWCEUBShuB32LPif+EG0XGXyUi2jyjCSpGE1rbOws=",
+        "narHash": "sha256-lgsE/CTkZk9OIiFGEIrxXZQ7Feiv41dqlN7pEfTdgew=",
        "owner": "NuschtOS",
        "repo": "search",
-        "rev": "135d202e032be70c93b6d7d53592ef4799d6efde",
+        "rev": "3b7dd61b365ca45380707453758a45f2e9977be3",
        "type": "github"
      },
      "original": {
@ -1151,29 +940,6 @@
        "type": "github"
      }
    },
    "oth": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1732215904,
        "narHash": "sha256-bXXoyQcVMULYOj1KlzbquUyMTyByzmLatIgm0ra/7sk=",
        "ref": "refs/heads/main",
        "rev": "847cc8493f7f44bd5ada0283d6b96457f4ee5a9b",
        "revCount": 1,
        "type": "git",
        "url": "ssh://forgejo@woof.rip/emily/oth.git"
      },
      "original": {
        "type": "git",
        "url": "ssh://forgejo@woof.rip/emily/oth.git"
      }
    },
    "pre-commit-hooks": {
      "flake": false,
      "locked": {
@ -1196,21 +962,17 @@
        "disko": "disko",
        "dns": "dns",
        "fernglas": "fernglas",
-        "firefox": "firefox",
+        "flake-utils": "flake-utils",
        "flake-utils": "flake-utils_2",
        "florp-about": "florp-about",
        "florp-branding": "florp-branding",
        "florp-moderation": "florp-moderation",
        "home-manager": "home-manager",
        "hydra": "hydra",
        "iceshrimp": "iceshrimp",
        "kyouma-www": "kyouma-www",
-        "lix": "lix_2",
+        "lix": "lix",
-        "lix-module": "lix-module_2",
+        "lix-module": "lix-module",
        "nixos-hardware": "nixos-hardware",
        "nixos-needsreboot": "nixos-needsreboot",
        "nixpkgs": "nixpkgs_4",
        "nixvim": "nixvim",
        "oth": "oth",
        "sops-nix": "sops-nix",
        "stylix": "stylix"
      }
@ -1223,11 +985,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1731364708,
+        "lastModified": 1726524647,
-        "narHash": "sha256-HC0anOL+KmUQ2hdRl0AtunbAckasxrkn4VLmxbW/WaA=",
+        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "4c91d52db103e757fc25b58998b0576ae702d659",
+        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
        "type": "github"
      },
      "original": {
@ -1243,7 +1005,7 @@
        "base16-helix": "base16-helix",
        "base16-vim": "base16-vim",
        "flake-compat": "flake-compat_4",
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_4",
        "gnome-shell": "gnome-shell",
        "home-manager": [
          "home-manager"
@ -1251,17 +1013,17 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "systems": "systems_5",
+        "systems": "systems_4",
        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
        "tinted-tmux": "tinted-tmux"
      },
      "locked": {
-        "lastModified": 1731657386,
+        "lastModified": 1727218376,
-        "narHash": "sha256-Mm/JL8tFUS1SOmmZDPcswExUxzw0VpHcEyZI1h58CGA=",
+        "narHash": "sha256-vRYd45uOqzXDaSt8M50hLcsBqIWbEMsflfHk/a1nYA8=",
        "owner": "danth",
        "repo": "stylix",
-        "rev": "5ab1207b2fdeb5a022f2dd7cccf6be760f1b150f",
+        "rev": "cf8b6e2d4e8aca8ef14b839a906ab5eb98b08561",
        "type": "github"
      },
      "original": {
@ -1330,52 +1092,35 @@
        "type": "github"
      }
    },
    "systems_5": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tinted-foot": {
      "flake": false,
      "locked": {
-        "lastModified": 1726913040,
+        "lastModified": 1696725948,
-        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
+        "narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=",
        "owner": "tinted-theming",
        "repo": "tinted-foot",
-        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
+        "rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "tinted-foot",
        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
        "type": "github"
      }
    },
    "tinted-kitty": {
      "flake": false,
      "locked": {
-        "lastModified": 1716423189,
+        "lastModified": 1665001328,
-        "narHash": "sha256-2xF3sH7UIwegn+2gKzMpFi3pk5DlIlM18+vj17Uf82U=",
+        "narHash": "sha256-aRaizTYPpuWEcvoYE9U+YRX+Wsc8+iG0guQJbvxEdJY=",
        "owner": "tinted-theming",
        "repo": "tinted-kitty",
-        "rev": "eb39e141db14baef052893285df9f266df041ff8",
+        "rev": "06bb401fa9a0ffb84365905ffbb959ae5bf40805",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "tinted-kitty",
        "rev": "eb39e141db14baef052893285df9f266df041ff8",
        "type": "github"
      }
    },
@ -1425,11 +1170,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1730321837,
+        "lastModified": 1726734507,
-        "narHash": "sha256-vK+a09qq19QNu2MlLcvN4qcRctJbqWkX7ahgPZ/+maI=",
+        "narHash": "sha256-VUH5O5AcOSxb0uL/m34dDkxFKP6WLQ6y4I1B4+N3L2w=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "746901bb8dba96d154b66492a29f5db0693dbfcc",
+        "rev": "ee41a466c2255a3abe6bc50fc6be927cdee57a9f",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -21,30 +21,18 @@
      url = "github:wobcom/fernglas";
      inputs.flake-utils.follows = "flake-utils";
    };
    firefox = {
      url = "git+https://woof.rip/mikael/firefox.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    florp-about = {
      url = "git+https://woof.rip/florp/about.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    florp-branding = {
      url = "git+https://woof.rip/florp/branding.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    florp-moderation = {
      url = "git+https://woof.rip/florp/moderation.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    hydra = {
-      url = "git+https://git.lix.systems/lix-project/hydra?ref=main&rev=799441dcf6d595efb0def686ca0815aef398627b";
+      url = "git+https://git.lix.systems/snaakey/hydra.git";
      inputs.lix.follows = "lix";
    };
    iceshrimp = {
      url = "git+https://iceshrimp.dev/iceshrimp/packaging";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    kyouma-www = {
      url = "git+https://woof.rip/emily/kyouma-net.git";
      inputs.nixpkgs.follows = "nixpkgs";
@ -64,11 +52,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
    };
    oth = {
      url = "git+ssh://forgejo@woof.rip/emily/oth.git";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/fly.toml
+++ b/fly.toml
@ -0,0 +1,77 @@
 app = 'build-worker-kyoumanet'
 primary_region = 'ams'
 [build]
  image = 'registry.fly.io/build-worker-kyoumanet:latest'
 [processes]
  bw-01 = '/entrypoint.sh'
  bw-02 = '/entrypoint.sh'
  bw-03 = '/entrypoint.sh'
  bw-04 = '/entrypoint.sh'
 [[mounts]]
  source = 'bw01'
  destination = '/mnt/data'
  initial_size = '128GB'
  processes = ['bw-01']
 [[mounts]]
  source = 'bw02'
  destination = '/mnt/data'
  initial_size = '128GB'
  processes = ['bw-02']
 [[mounts]]
  source = 'bw03'
  destination = '/mnt/data'
  initial_size = '128GB'
  processes = ['bw-03']
 [[mounts]]
  source = 'bw04'
  destination = '/mnt/data'
  initial_size = '128GB'
  processes = ['bw-04']
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-01']
  [[services.ports]]
    port = 2201
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-02']
  [[services.ports]]
    port = 2202
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-03']
  [[services.ports]]
    port = 2203
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-04']
  [[services.ports]]
    port = 2204
 [[restart]]
  policy = 'never'
 [[vm]]
  size = 'performance-16x'
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,5 +1,11 @@
-{ lib, ... }: let
+{ ... }: {
-  mapModules = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ./.));
+  imports = [
-in {
+    ./deployment
-  imports = builtins.map (dir: ./${dir}) mapModules;
+    ./graphical
    ./librespeed
    ./machine-type
    ./nginx
    ./ooklaserver
    ./update-nixfiles
  ];
 }
--- a/modules/graphical/default.nix
+++ b/modules/graphical/default.nix
@ -162,7 +162,7 @@ in {
        style.package = with pkgs; [
          libsForQt5.qtstyleplugin-kvantum
          qt6Packages.qtstyleplugin-kvantum
-          (catppuccin-kvantum.override { accent = "mauve"; variant = "macchiato"; })
+          (catppuccin-kvantum.override { accent = "Mauve"; variant = "Macchiato"; })
        ];
      };
      gtk.iconTheme.name = "Adwaita";
--- a/modules/graphical/hyprland.nix
+++ b/modules/graphical/hyprland.nix
@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
  config.home-manager.users.emily = lib.mkIf (config.kyouma.graphical.compositor == "hyprland") {
    wayland.windowManager.hyprland = {
      enable = true;
@ -9,8 +9,6 @@
        notifysend = "${pkgs.libnotify}/bin/notify-send";
        dolphin = "${pkgs.libsForQt5.dolphin}/bin/dolphin";
        firefox = "${pkgs.firefox}/bin/firefox";
        # currently broken
        #firefox = "${inputs.firefox.packages.${pkgs.system}.firefox}/bin/firefox";
        brightnessctl = "${pkgs.brightnessctl}/bin/brightnessctl";
        screenshot = "~/.local/bin/hypr/screenshot.sh";
        rofi = "${pkgs.rofi-wayland}/bin/rofi";
@ -121,7 +119,7 @@
          #"eDP-1, 2560x1600@60, 0x0, 1, bitdepth, 10"
          #"eDP-1, 1920x1200@60, 0x0, 1, bitdepth, 10"
          "desc:Dell Inc. AW3225QF FXK2YZ3, 3840x2160@240,5280x0,1, bitdepth,10, vrr,2"
-          "desc:GIGA-BYTE TECHNOLOGY CO. LTD. AORUS AD27QD 19320B000455, 2560x1440@144,3840x-280,1, bitdepth,10, transform,1"
+          "desc:GIGA-BYTE TECHNOLOGY CO. LTD. AORUS AD27QD 19320B000455, 2560x1440@144,3840x-350,1, bitdepth,10, transform,1"
          ",preferred,auto,1"
        ];
        workspace = [
--- a/modules/graphical/nixvim.nix
+++ b/modules/graphical/nixvim.nix
@ -161,8 +161,8 @@
        };
        servers = {
          bashls.enable = true;
-          lua_ls.enable = true;
+          lua-ls.enable = true;
-          nil_ls = {
+          nil-ls = {
            enable = true;
            settings.formatting.command = [ "nixfmt" "-w" "140" ];
          };
@ -175,8 +175,8 @@
              options.enable = true;
            };
          };
-          ruff_lsp.enable = true;
+          ruff-lsp.enable = true;
-          rust_analyzer = {
+          rust-analyzer = {
            enable = true;
            installRustc = true;
            installCargo = true;
@ -187,6 +187,7 @@
        enable = true;
        sources.diagnostics = {
          pylint.enable = true;
          statix.enable = true;
        };
        sources.formatting = {
          nixfmt.enable = true;
@ -211,7 +212,6 @@
      plugins.luasnip.enable = true;
      plugins.nvim-autopairs.enable = true;
      plugins.rainbow-delimiters.enable = true;
      plugins.web-devicons.enable = true;
      # Broken
      plugins.rustaceanvim.enable = false;
      plugins.treesitter-context.enable = true;
--- a/modules/librespeed/default.nix
+++ b/modules/librespeed/default.nix
@ -1,408 +1,277 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.librespeed;
-in
+in {
-{
+  options.services.librespeed = let
-  options.services.librespeed =
+    inherit (lib) mkOption types;
-    let
+  in {
-      inherit (lib) mkOption types;
+    enable = lib.mkEnableOption "LibreSpeed server";
-    in
+    package = lib.mkPackageOption pkgs "librespeed-rust" {};
-    {
+    configureNginx = mkOption {
-      enable = lib.mkEnableOption "LibreSpeed server";
+      description = "Configure nginx as a reverse proxy for LibreSpeed.";
-      package = lib.mkPackageOption pkgs "librespeed-rust" { };
+      default = if (cfg.domain != null) then true else false;
-      domain = mkOption {
+      type = types.bool;
-        description = ''
+    };
-          If not `null`, this will add an entry to `services.librespeed.servers` and
+    contactEmail = mkOption {
-          configure librespeed to use TLS.
+      description = "Email address listed in the privacy policy.";
-        '';
+      default = if (cfg.domain != null) then "webmaster@${cfg.domain}" else "webmaster@${config.networking.fqdn}";
-        default = null;
+      type = types.str;
-        type = with types; nullOr nonEmptyStr;
+    };
-      };
+    domain = mkOption {
-      downloadIPDB = mkOption {
+      description = ''
-        description = ''
+        If not `null`, this will add an entry to `services.librespeed.servers` and
-          Whether to download the IP info database before starting librespeed.
+        configure an nginx reverse proxy at the specified FQDN, unless explicitly disabled.
-          Disable this if you want to use the Go implementation.
+      '';
-        '';
+      default = null;
-        default = !(cfg.secrets ? "ipinfo_api_key");
+      type = with types; nullOr nonEmptyStr;
-        defaultText = lib.literalExpression ''!(cfg.secrets ? "ipinfo_api_key")'';
+    };
-        type = types.bool;
+    openFirewall = mkOption {
-      };
+      description = ''
-      openFirewall = mkOption {
+        Whether to open the firewall for the specified port.
-        description = ''
+        This is only necessary if no reverse proxy is used.
-          Whether to open the firewall for the specified port.
+      '';
-        '';
+      default = false;
-        default = false;
+      type = types.bool;
-        type = types.bool;
+    };
-      };
+    pageTitle = mkOption {
-      secrets = mkOption {
+      description = "Title of the webpage.";
-        description = ''
+      default = "LibreSpeed";
-          Attribute set of filesystem paths.
+      type = types.str;
-          The contents of the specified paths will be read at service start time and merged with the attributes provided in `settings`.
+    };
-        '';
+    secrets = mkOption {
-        default = { };
+      description = ''
-        type = with types; nullOr (attrsOf path);
+        Attribute set of filesystem paths.
-      };
+        The contents of the specified paths will be read at service start time and merged with the attributes provided in `settings`.
-      settings = mkOption {
+      '';
-        description = ''
+      default = {};
-          LibreSpeed configuration written as Nix expression.
+      type = with types; nullOr (attrsOf path);
-          All values set to `null` will be excluded from the evaluated config.
+    };
-          This is useful if you want to omit certain defaults when using a different LibreSpeed implementation.
+    servers = mkOption {
-
+      description = "LibreSpeed servers that should apper in the server list.";
-          See [github.com/librespeed][librespeed] for configuration help.
+      type = types.listOf (types.submodule {
-
+        options = let
-          [librespeed]: https://github.com/librespeed/speedtest-rust
+          inherit (types) nonEmptyStr;
-        '';
+        in {
-        default = { };
+          name = mkOption {
-        type =
+            description = "Name shown in the server list.";
-          with types;
+            type = nonEmptyStr;
-          nullOr (
+          };
-            attrsOf (oneOf [
+          server = mkOption {
-              (nullOr bool)
+            description = "URL to the server. You may use `//` instead of `http://` or `https://`.";
-              int
+            type = nonEmptyStr;
-              str
+          };
-              package
+          dlURL = mkOption {
-            ])
+            description = ''
-          );
+              URL path to download test on this server.
-      };
+              Append `.php` to the default value if the server uses the php implementation.
-      frontend = {
+            '';
-        enable = lib.mkEnableOption ''
+            default = "backend/garbage";
-          Enables the LibreSpeed frontend and adds a nginx virtual host if
+            type = nonEmptyStr;
-          not explicetly disabled and `services.librespeed.domain` is not `null`.
+          };
-        '';
+          ulURL = mkOption {
-        contactEmail = mkOption {
+            description = ''
-          description = "Email address listed in the privacy policy.";
+              URL path to upload test on this server.
-          default =
+              Append `.php` to the default value if the server uses the php implementation.
-            if (cfg.domain != null) then "webmaster@${cfg.domain}" else "webmaster@${config.networking.fqdn}";
+            '';
-          defaultText = lib.literalExpression ''
+            default = "backend/empty";
-            if (config.services.librespeed.domain != null) then
+            type = nonEmptyStr;
-              "webmaster@''${config.services.librespeed.domain}"
+          };
-            else
+          pingURL = mkOption {
-              "webmaster@''${config.networking.fqdn}";
+            description = ''
-          '';
+              URL path to latency/jitter test on this server.
-          type = types.str;
+              Append `.php` to the default value if the server uses the php implementation.
-        };
+            '';
-        pageTitle = mkOption {
+            default = "backend/empty";
-          description = "Title of the webpage.";
+            type = nonEmptyStr;
-          default = "LibreSpeed";
+          };
-          type = types.str;
+          getIpURL = mkOption {
-        };
+            description = ''
-        useNginx = mkOption {
+              URL path to IP lookup on this server.
-          description = ''
+              Append `.php` to the default value if the server uses the php implementation.
-            Configure nginx for the LibreSpeed frontend.
+            '';
-            This will only create a virtual host for the frontend and won't proxy all requests because
+            default = "backend/getIP";
-            the reported upload and download speeds are inaccurate if proxied.
+            type = nonEmptyStr;
          '';
          default = cfg.domain != null;
          defaultText = lib.literalExpression "config.services.librespeed.domain != null";
          type = types.bool;
        };
        settings = mkOption {
          description = ''
            Override default settings of the speedtest web client.
            See [speedtest_worker.js][link] for a list of possible values.
            [link]: https://github.com/librespeed/speedtest/blob/master/speedtest_worker.js#L39
          '';
          default = {
            telemetry_level = "basic";
          };
          type =
            with types;
            nullOr (
              attrsOf (oneOf [
                bool
                int
                str
                float
              ])
            );
        };
-        servers = mkOption {
+      });
-          description = "LibreSpeed servers that should apper in the server list.";
+    };
-          type = types.listOf (
+    settings = mkOption {
-            types.submodule {
+      description = ''
-              options =
+        LibreSpeed configuration written as Nix expression.
-                let
+        All values set to `null` will be excluded from the evaluated config.
-                  inherit (types) nonEmptyStr;
+        This is useful if you want to omit certain defaults when using a different LibreSpeed implementation.
-                in
+
-                {
+        See [github.com/librespeed][librespeed] for configuration help.
-                  name = mkOption {
+
-                    description = "Name shown in the server list.";
+        [librespeed]: https://github.com/librespeed/speedtest-rust
-                    type = nonEmptyStr;
+      '';
-                  };
+      default = {};
-                  server = mkOption {
+      type = with types; nullOr (attrsOf (oneOf [
-                    description = "URL to the server. You may use `//` instead of `http://` or `https://`.";
+        bool
-                    type = nonEmptyStr;
+        int
-                  };
+        str
-                  dlURL = mkOption {
+        null
-                    description = ''
+      ]));
-                      URL path to download test on this server.
+    };
-                      Append `.php` to the default value if the server uses the php implementation.
+  };
-                    '';
+  config = lib.mkIf cfg.enable {
-                    default = "backend/garbage";
+    assertions = [
-                    type = nonEmptyStr;
+      {
-                  };
+        assertion = cfg.configureNginx -> cfg.domain != null;
-                  ulURL = mkOption {
+        message = ''
-                    description = ''
+          `services.librespeed.configureNginx` requires `services.librespeed.domain` to be set.
-                      URL path to upload test on this server.
+        '';
-                      Append `.php` to the default value if the server uses the php implementation.
+      }
-                    '';
+    ];
-                    default = "backend/empty";
+
-                    type = nonEmptyStr;
+    networking.firewall = lib.mkIf (cfg.openFirewall) {
-                  };
+      allowedTCPPorts = [ cfg.settings.listen_port ];
-                  pingURL = mkOption {
+    };
-                    description = ''
+    services.nginx.virtualHosts = lib.mkIf cfg.configureNginx {
-                      URL path to latency/jitter test on this server.
+      ${cfg.domain} = {
-                      Append `.php` to the default value if the server uses the php implementation.
+        locations."/" = {
-                    '';
+          proxyPass = "http://${cfg.settings.bind_address}:${toString cfg.settings.listen_port}";
-                    default = "backend/empty";
+          recommendedProxySettings = true;
-                    type = nonEmptyStr;
+        };
-                  };
+        enableACME = true;
-                  getIpURL = mkOption {
+        forceSSL = true;
-                    description = ''
+      };
-                      URL path to IP lookup on this server.
+    };
-                      Append `.php` to the default value if the server uses the php implementation.
+    security.acme.certs = lib.mkIf cfg.configureNginx {
-                    '';
+      ${cfg.domain} = {};
-                    default = "backend/getIP";
+    };
-                    type = nonEmptyStr;
+
-                  };
+    services.librespeed.servers = lib.mkIf (cfg.domain != null) [
-                };
+      {
-            }
+        name = cfg.domain;
-          );
+        server = "https://${cfg.domain}";
      }
    ];
    services.librespeed.settings = let
      inherit (lib) mkDefault mkIf;
      assets = pkgs.runCommand "librespeed-assets" {
        preferLocal = true;
        serverList = ''
          function get_servers() {
            return ${builtins.toJSON cfg.servers}
          }
        '';
      } ''
        cp -r ${pkgs.librespeed-rust}/assets $out
        cat >$out/server_list.js <<<"$serverList"
        substitute ${pkgs.librespeed-rust}/assets/index.html $out/index.html \
          --replace-fail "LibreSpeed Example" ${lib.escapeShellArg (lib.escapeXML cfg.pageTitle)} \
          --replace-fail "PUT@YOUR_EMAIL.HERE" ${lib.escapeShellArg (lib.escapeXML cfg.contactEmail)} \
          --replace-fail "TO BE FILLED BY DEVELOPER" ${lib.escapeShellArg (lib.escapeXML cfg.contactEmail)}
      '';
    in {
      speed_test_dir = assets;
      bind_address = mkDefault (if cfg.configureNginx then "127.0.0.1" else "0.0.0.0");
      listen_port = mkDefault 8989;
      base_url = mkDefault "backend";
      worker_threads = mkDefault "auto";
      database_type = mkDefault "none";
      database_file = mkIf (cfg.settings.database_type == "sqlite") mkDefault "/var/lib/librespeed/speedtest.sqlite";
      #librespeed-rust will fail to start if the following config parameters are omitted.
      ipinfo_api_key = mkIf (!cfg.secrets ? "ipinfo_api_key") "";
      stats_password = mkIf (!cfg.secrets ? "stats_password") "";
      tls_key_file = mkDefault "";
      tls_cet_file = mkDefault "";
      enable_tls = mkDefault false;
    };
    systemd.services = let
      configFile = let
        anyToString = arg: if (lib.isBool arg) then
          lib.boolToString arg
        else if (lib.isInt arg) then
          toString arg
        else "\"${lib.escape [ "\"" ] (toString arg)}\"";
      in
        with lib; pipe cfg.settings [
          (filterAttrs (_: val: val != null))
          (mapAttrs (name: val: "${path}=${anyToString val}"))
          (concatLines attrValues)
          (pkgs.writeText "${cfg.package.name}-config.toml")
      ];
    in {
      librespeed-secrets = lib.mkIf (cfg.secrets != {}) {
        description = "LibreSpeed secret helper";
        ExecStart = let
          script = pkgs.writeShellApplication {
            name = "librespeed-secrets";
            runtimeInputs = [ pkgs.coreutils ];
            text = ''
              cp ${configFile} ''${RUNTIME_DIRECTORY%%:*}/config.toml
            '' + lib.pipe cfg.secrets [
              (lib.mapAttrs (name: file: ''
                cat >>''${RUNTIME_DIRECTORY%%:*}/config.toml <<EOF
                ${name}="$(<${lib.escapeShellArg file})"
                EOF
              ''))
              (lib.concatLines lib.attrValues)
            ];
          };
        in lib.getExe script;
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          RuntimeDirectory = "librespeed";
          UMask = "u=rw";
        };
      };
      librespeed = {
        description = "LibreSpeed server daemon";
        wantedBy = [ "multi-user.target" ];
        wants = [ "network-online.target" ];
        requires = lib.optionals (cfg.secrets != {}) [ "librespeed-secrets.service" ];
        serviceConfig = {
          Type = "simple";
          Restart = "always";
          DynamicUser = true;
          ExecStartPre = lib.mkIf (!cfg.secrets ? "ipinfo_api_key") "${lib.getExe cfg.package} --update-ipdb";
          ExecStart = "${lib.getExe cfg.package} -c ${if (cfg.secrets == {}) then configFile else "\${RUNTIME_DIRECTORY%%:*}/config.toml"}";
          WorkingDirectory = "/var/cache/librespeed";
          RuntimeDirectory = "librespeed";
          RuntimeDirectoryPreserve = true;
          StateDirectory = "librespeed";
          CacheDirectory = "librespeed";
          SyslogIdentifier = "librespeed";
          ReadOnlyPaths = [ cfg.package ];
          RestrictSUIDSGID = true;
          RestrictNamespaces = true;
          PrivateTmp = true;
          PrivateDevices = true;
          PrivateUsers = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          ProtectSystem = "strict";
          ProtectHome = true;
          ProtectProc = "invisible";
          SystemCallArchitectures = "native";
          SystemCallFilter = "@system-service";
          SystemCallErrorNumber = "EPERM";
          LockPersonality = true;
          NoNewPrivileges = true;
        };
      };
    };
-  config = lib.mkIf cfg.enable (
+  };
    let
      librespeedAssets =
        pkgs.runCommand "librespeed-assets"
          (
            let
              mapValue =
                arg:
                if (lib.isBool arg) then
                  lib.boolToString arg
                else if ((lib.isInt arg) || (lib.isFloat arg)) then
                  toString arg
                else
                  "\"${lib.escape [ "\"" ] (toString arg)}\"";
              mapSettings = lib.pipe cfg.frontend.settings [
                (lib.mapAttrs (name: val: "  s.setParameter(\"${lib.escape [ "\"" ] name}\",${mapValue val});"))
                (lib.attrValues)
                (lib.concatLines)
              ];
            in
            {
              preferLocal = true;
              serversList = ''
                function get_servers() {
                  return ${builtins.toJSON cfg.frontend.servers}
                }
                function override_settings () {
                ${mapSettings}
                }
              '';
            }
          )
          ''
            cp -r ${pkgs.librespeed-rust}/assets $out
            chmod 666 $out/servers_list.js
            cat >$out/servers_list.js <<<"$serversList"
            substitute ${pkgs.librespeed-rust}/assets/index.html $out/index.html \
              --replace-fail "s.setParameter(\"telemetry_level\",\"basic\"); //enable telemetry" "override_settings();" \
              --replace-fail "LibreSpeed Example" ${lib.escapeShellArg (lib.escapeXML cfg.frontend.pageTitle)} \
              --replace-fail "PUT@YOUR_EMAIL.HERE" ${lib.escapeShellArg (lib.escapeXML cfg.frontend.contactEmail)} \
              --replace-fail "TO BE FILLED BY DEVELOPER" ${lib.escapeShellArg (lib.escapeXML cfg.frontend.contactEmail)}
          '';
    in
    {
      assertions = [
        {
          assertion = cfg.frontend.useNginx -> cfg.domain != null;
          message = ''
            `services.librespeed.frontend.useNginx` requires `services.librespeed.frontend.domain` to be set.
          '';
        }
      ];
      networking.firewall = lib.mkIf cfg.openFirewall {
        allowedTCPPorts = [ cfg.settings.listen_port ];
      };
      services.nginx.virtualHosts = lib.mkIf (cfg.frontend.enable && cfg.frontend.useNginx) {
        ${cfg.domain} = {
          locations."/".root = librespeedAssets;
          locations."= /servers.json".return = "200 '${builtins.toJSON cfg.frontend.servers}'";
          locations."/backend/".return = "301 https://$host:${toString cfg.settings.listen_port}$request_uri";
          enableACME = true;
          forceSSL = true;
        };
      };
      security.acme.certs = lib.mkIf (cfg.domain != null) {
        ${cfg.domain} = {
          reloadServices = [ "librespeed.service" ];
          webroot = "/var/lib/acme/acme-challenge";
        };
      };
      services.librespeed.frontend.servers = lib.mkIf (cfg.frontend.enable && (cfg.domain != null)) [
        {
          name = cfg.domain;
          server = "//${cfg.domain}:${toString cfg.settings.listen_port}";
        }
      ];
      services.librespeed.settings =
        let
          inherit (lib) mkDefault mkIf;
        in
        {
          assets_path =
            if (cfg.frontend.enable && !cfg.frontend.useNginx) then
              librespeedAssets
            else
              pkgs.writeTextDir "index.html" "";
          bind_address = mkDefault "::";
          listen_port = mkDefault 8989;
          base_url = mkDefault "backend";
          worker_threads = mkDefault "auto";
          database_type = mkDefault "none";
          database_file = mkDefault "/var/lib/librespeed/speedtest.sqlite";
          #librespeed-rust will fail to start if the following config parameters are omitted.
          ipinfo_api_key = mkIf (!cfg.secrets ? "ipinfo_api_key") "";
          stats_password = mkIf (!cfg.secrets ? "stats_password") "";
          tls_cert_file =
            if (cfg.domain != null) then
              (mkDefault "/run/credentials/librespeed.service/cert.pem")
            else
              (mkDefault "");
          tls_key_file =
            if (cfg.domain != null) then
              (mkDefault "/run/credentials/librespeed.service/key.pem")
            else
              (mkDefault "");
          enable_tls = mkDefault (cfg.domain != null);
        };
      systemd.services =
        let
          configFile =
            let
              mapValue =
                arg:
                if (lib.isBool arg) then
                  lib.boolToString arg
                else if (lib.isInt arg) then
                  toString arg
                else
                  "\"${lib.escape [ "\"" ] (toString arg)}\"";
            in
            with lib;
            pipe cfg.settings [
              (filterAttrs (_: val: val != null))
              (mapAttrs (name: val: "${name}=${mapValue val}"))
              (attrValues)
              (concatLines)
              (pkgs.writeText "${cfg.package.name}-config.toml")
            ];
        in
        {
          librespeed-secrets = lib.mkIf (cfg.secrets != { }) {
            description = "LibreSpeed secret helper";
            ExecStart =
              let
                script = pkgs.writeShellApplication {
                  name = "librespeed-secrets";
                  runtimeInputs = [ pkgs.coreutils ];
                  text =
                    ''
                      cp ${configFile} ''${RUNTIME_DIRECTORY%%:*}/config.toml
                    ''
                    + lib.pipe cfg.secrets [
                      (lib.mapAttrs (
                        name: file: ''
                          cat >>''${RUNTIME_DIRECTORY%%:*}/config.toml <<EOF
                          ${name}="$(<${lib.escapeShellArg file})"
                          EOF
                        ''
                      ))
                      (lib.concatLines lib.attrValues)
                    ];
                };
              in
              lib.getExe script;
            serviceConfig = {
              Type = "oneshot";
              RemainAfterExit = true;
              RuntimeDirectory = "librespeed";
              UMask = "u=rw";
            };
          };
          librespeed = {
            description = "LibreSpeed server daemon";
            wantedBy = [ "multi-user.target" ];
            wants = [ "network-online.target" ];
            requires = lib.optionals (cfg.secrets != { }) [ "librespeed-secrets.service" ];
            serviceConfig = {
              Type = "simple";
              Restart = "always";
              DynamicUser = true;
              LoadCredential = lib.mkIf (cfg.domain != null) [
                "cert.pem:${config.security.acme.certs.${cfg.domain}.directory}/cert.pem"
                "key.pem:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
              ];
              ExecStartPre = lib.mkIf cfg.downloadIPDB "${lib.getExe cfg.package} --update-ipdb";
              ExecStart = "${lib.getExe cfg.package} -c ${
                if (cfg.secrets == { }) then configFile else "\${RUNTIME_DIRECTORY%%:*}/config.toml"
              }";
              WorkingDirectory = "/var/cache/librespeed";
              RuntimeDirectory = "librespeed";
              RuntimeDirectoryPreserve = true;
              StateDirectory = "librespeed";
              CacheDirectory = "librespeed";
              SyslogIdentifier = "librespeed";
              ReadOnlyPaths = [ cfg.package ];
              RestrictSUIDSGID = true;
              RestrictNamespaces = true;
              PrivateTmp = true;
              PrivateDevices = true;
              PrivateUsers = true;
              ProtectHostname = true;
              ProtectClock = true;
              ProtectKernelTunables = true;
              ProtectKernelModules = true;
              ProtectKernelLogs = true;
              ProtectControlGroups = true;
              ProtectSystem = "strict";
              ProtectHome = true;
              ProtectProc = "invisible";
              SystemCallArchitectures = "native";
              SystemCallFilter = "@system-service";
              SystemCallErrorNumber = "EPERM";
              LockPersonality = true;
              NoNewPrivileges = true;
            };
          };
        };
    }
  );
  meta.maintainers = with lib.maintainers; [ snaki ];
 }
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@ -2,40 +2,28 @@
  cfg = config.kyouma.nginx;
  extraConfig = ''
    add_header Strict-Transport-Security 	$hsts_header;
-    add_header Alt-Svc                    'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
+    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-    #add_header Content-Security-Policy   "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+    add_header X-Content-Type-Options 	"nosniff" always;
-    add_header X-Content-Type-Options 	  "nosniff" always;
+    add_header X-XSS-Protection 		"1; mode=block" always;
-    add_header X-XSS-Protection 		      "1; mode=block" always;
+    add_header X-Frame-Options 		"SAMEORIGIN" always;
-    add_header X-Frame-Options 		        "SAMEORIGIN" always;
+    add_header Referrer-Policy 		"same-origin" always;
    add_header Referrer-Policy 		        "same-origin" always;
  '';
  createHost = vhostName: vhostCfg: {
-    extraConfig = lib.optionalString (vhostCfg ? "extraConfig") (
+    extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
      vhostCfg.extraConfig + "\n" + extraConfig
    ) + lib.optionalString (
      if (vhostCfg ? "verifyClientCert") then 
        vhostCfg.verifyClientCert
      else false
    ) ''
      ssl_client_certificate ${./kyouma_Root_CA.pem};
      ssl_verify_client on;
      ssl_verify_depth 1;
    '';
    forceSSL = true;
    #kTLS = true;
    #http3 = true;
    #quic = true; 
  } //
-  lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) {
+  lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
    enableACME = true;
  } //
-  lib.optionalAttrs (vhostCfg ? "redirectTo") {
+  lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
    enableACME = false;
    useACMEHost = vhostCfg.redirectTo;
    globalRedirect = vhostCfg.redirectTo;
  } //
-  lib.optionalAttrs (!vhostCfg ? "disableHttp3") {
+  (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);
    http3 = true;
    quic = true; 
  } //
  (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" "disableHttp3" ]);
 in {
  options = {
@ -50,21 +38,17 @@ in {
  };
  config = {
    services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (
-      builtins.mapAttrs (createHost) cfg.virtualHosts
+      builtins.mapAttrs (createHost) cfg.virtualHosts) //
-    ) // lib.optionalAttrs (cfg.defaultForbidden != null) {
+      lib.optionalAttrs (cfg.defaultForbidden != null) {
-      "redirect" = {
+        "redirect" = {
-        quic = true;
+          default = true;
-        http3 = true;
+          forceSSL = true;
-        # reuseport has to be specified on the quic listener
+          reuseport = true;
-        # when using worker_processes auto;
+          useACMEHost = cfg.defaultForbidden;
-        reuseport = true;
+          extraConfig = ''
-        default = true;
+            return 403;
-        forceSSL = true;
+          '';
-        useACMEHost = cfg.defaultForbidden;
+        };
        extraConfig = ''
          return 403;
        '';
      };
    };
  };
 }
--- a/modules/nginx/kyouma_Root_CA.pem
+++ b/modules/nginx/kyouma_Root_CA.pem
@ -1,192 +0,0 @@
 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            47:94:9e:44:65:f4:61:f8:aa:b3:c1:7b:86:38:21:d9:88:a5:88:f0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kyouma Root CA
        Validity
            Not Before: Jun 21 14:02:26 2024 GMT
            Not After : Jun 21 14:02:26 2044 GMT
        Subject: CN=kyouma Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (7680 bit)
                Modulus:
                    00:f9:d0:a3:4b:d9:77:e3:ec:b4:46:8e:3f:1f:a4:
                    39:22:60:d8:ad:e9:1e:fe:ad:17:f8:30:d6:f6:fa:
                    e9:62:f7:36:25:07:e9:6c:83:91:42:0f:e2:53:f1:
                    ca:70:da:26:7d:bf:bb:1d:d5:4d:5e:99:82:99:39:
                    97:f3:c3:7d:f9:0d:08:e8:d4:ae:fc:45:88:98:8e:
                    a3:bc:2a:bd:16:67:32:59:08:59:eb:a8:de:a6:a7:
                    77:9d:f9:1a:c6:7f:76:92:3d:d7:56:74:2b:a3:5a:
                    97:8f:05:ab:3b:dc:92:61:2e:7f:95:b1:5c:04:da:
                    1e:2e:b9:de:7b:16:b2:85:b4:b4:5a:48:34:9a:bb:
                    18:0d:0a:0a:34:91:f8:8f:f3:79:46:a6:c4:ee:aa:
                    93:88:03:cf:43:a2:ba:1e:bc:65:f1:78:d8:ce:d8:
                    2b:fb:db:33:d6:37:ad:d4:9d:44:38:ff:b5:0d:dc:
                    08:61:2c:fb:f0:86:b2:ef:ff:a8:4f:63:28:13:49:
                    f8:21:4e:cb:22:98:54:de:e7:b4:e2:b6:14:c9:c5:
                    59:04:82:04:a2:39:3c:61:f5:91:99:ff:ac:6e:80:
                    9a:d2:22:7d:51:fb:ad:a3:6a:4c:14:a8:e3:28:d9:
                    22:ac:c8:3d:34:17:5a:40:ce:8d:3c:52:e7:e1:e9:
                    d4:75:0d:3f:b8:dd:d3:d2:56:25:92:fa:75:87:81:
                    fe:59:4a:82:53:d5:e7:03:39:c0:07:84:73:70:d0:
                    fc:fe:3f:06:e0:f9:0f:59:22:74:05:13:65:58:5a:
                    a8:1d:7b:52:4f:47:ed:be:26:57:47:49:57:d5:7f:
                    34:c7:3c:0f:55:d4:17:57:8a:0e:bb:f5:3a:c7:77:
                    f1:7d:06:49:a9:a8:dd:18:0e:a2:97:52:c8:49:e5:
                    39:c7:31:5d:07:c3:58:ed:8e:ae:c7:7c:1b:db:8d:
                    dc:a0:c3:e3:f5:c0:98:35:cf:fc:92:a0:a6:f3:0f:
                    b1:18:95:c0:01:eb:1d:96:8d:02:7b:9a:dc:29:5d:
                    59:f1:2a:dc:53:0e:6b:2b:6b:5d:36:03:a1:bd:e4:
                    e6:b4:1f:5a:66:67:13:4a:2c:7f:56:c9:75:5c:fe:
                    42:20:24:51:18:bb:ea:30:12:8f:88:d1:ad:fe:eb:
                    59:92:8d:1e:be:ff:3e:6e:f2:5a:d9:8c:20:f4:35:
                    ed:bc:01:47:21:d3:10:b9:5d:fe:6a:8e:e0:a3:e3:
                    e5:6f:ac:8b:fc:61:d0:75:a8:a3:92:1f:2c:cc:c1:
                    15:17:36:3b:05:ab:58:76:be:63:9d:30:5d:ed:7d:
                    83:0c:b7:24:8f:10:a8:90:02:ee:68:81:05:cd:d9:
                    4f:2e:cc:ef:97:62:d1:75:6b:82:f3:d0:34:56:d3:
                    59:7e:d9:d3:7d:93:ce:1b:17:de:fd:18:4b:e6:50:
                    72:77:88:60:dd:ff:5e:95:05:61:fe:d8:31:dd:34:
                    1e:e1:6d:61:1e:80:73:05:3e:3b:22:c2:34:07:48:
                    9b:0e:06:8d:a6:81:c4:4d:e9:4d:5d:df:e1:04:cd:
                    5b:85:6e:b2:12:aa:1b:cd:bd:4e:7e:53:ea:59:49:
                    af:11:70:b3:11:87:0f:af:2f:99:ce:e9:69:db:6d:
                    d0:5a:14:1a:95:2f:2f:db:bf:36:62:e1:99:ff:7c:
                    b8:b9:5c:4e:79:33:61:ee:db:4b:6f:40:7d:49:b2:
                    6e:e1:65:9d:f6:45:fe:27:14:24:82:5d:f6:a4:38:
                    01:ac:47:54:da:b6:02:c1:ad:79:71:b6:93:64:ec:
                    a4:06:7b:d6:5e:1c:da:7f:40:16:47:65:47:24:2a:
                    8b:77:32:49:89:c4:9f:26:d4:f9:a6:ba:e6:42:aa:
                    74:fd:7e:1e:d1:75:95:5c:5c:d8:d4:bb:75:05:79:
                    10:7a:df:5a:2b:69:9b:75:28:cb:b5:4e:48:3e:a3:
                    aa:21:04:95:8f:62:3b:46:2f:07:d0:9e:1c:50:9b:
                    3d:ba:6d:1f:c2:a0:41:7f:47:43:57:ef:92:31:47:
                    4a:a2:91:65:43:5c:c1:2b:fd:26:2d:be:41:a7:98:
                    7a:8f:52:89:5f:81:ff:48:7d:04:2a:b8:4d:50:91:
                    f5:af:18:33:44:f2:55:5f:68:87:33:d8:e6:4f:5d:
                    b9:92:ca:06:51:f3:e0:b1:5b:6f:a0:52:fe:6e:98:
                    22:01:5f:c2:fb:45:59:02:67:62:6f:74:2b:79:62:
                    e7:5a:13:a8:db:fd:a2:64:b1:0b:49:2f:f4:61:35:
                    a0:b6:12:2c:ec:24:19:9f:0c:14:85:05:b5:e1:c1:
                    9e:4e:87:a4:88:c9:79:65:1d:12:ac:89:e6:bc:ed:
                    6b:58:90:fd:95:40:3f:2e:ba:ff:b8:52:5d:60:98:
                    32:b9:20:38:a5:08:da:a1:fc:38:89:3c:f1:de:38:
                    cf:60:d8:69:a1:4b:88:51:f7:31:b8:fc:56:dc:56:
                    3a:7a:39:c5:03:23:2a:8f:fa:ab:92:7a:b6:37:da:
                    c1:9f:55:e7:31:b1:c5:be:31:60:08:c2:33:30:ec:
                    cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                7B:C0:C6:7B:04:C4:66:0C:CD:32:FF:B0:6F:E1:D9:51:FD:1C:EE:B7
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        58:b3:2d:00:8e:c2:72:5b:ed:91:8e:3c:98:66:6a:e4:61:c3:
        0f:d1:51:98:0c:64:79:3d:01:ac:8a:38:7f:af:fc:80:31:83:
        86:a8:79:b9:0f:18:6d:2e:3a:ef:0a:c0:b1:30:39:7e:a4:3d:
        ed:4e:35:3e:9e:f1:a3:29:dd:cc:01:1e:62:6b:ed:5b:77:31:
        b3:4c:91:1d:69:70:20:44:87:e0:37:17:a0:ba:c4:e5:57:c5:
        90:1a:f2:1e:0d:ac:aa:30:11:c3:da:1c:3f:3a:28:b5:6d:12:
        ac:45:b6:6c:f0:b2:b2:6e:f0:55:33:8e:29:10:ac:9e:61:ac:
        35:ec:ed:c7:e3:51:c2:86:52:10:7a:9c:f6:22:5d:65:65:18:
        62:b7:e9:6e:be:64:46:db:dc:15:45:eb:1a:42:45:83:d7:aa:
        dd:63:24:4a:ed:b9:d5:35:86:27:22:33:6a:26:4b:32:0a:15:
        75:18:19:58:e9:6b:b4:84:ac:00:a3:78:d3:9d:7d:25:3c:5e:
        51:7f:01:ca:90:d1:40:2b:d2:45:e1:4f:fb:6e:8d:2e:cc:04:
        07:34:07:91:c6:8c:4f:a5:e4:7d:dd:78:0f:b0:9d:01:9d:6e:
        89:16:6d:3a:94:dd:38:57:bc:49:c2:e1:b5:aa:54:8f:d1:8b:
        13:db:35:2f:d1:80:5e:45:fb:53:60:61:d5:c3:e1:9c:21:60:
        a3:83:34:e6:9e:bc:86:70:fe:36:8b:35:55:28:e0:f4:b0:81:
        ed:37:59:0e:7a:f6:a7:66:a1:b6:36:45:30:95:c8:80:d6:40:
        a9:12:bf:47:b1:33:09:fa:89:d4:9f:c2:57:75:6a:47:dd:87:
        3f:b3:d1:3d:13:bc:5e:82:ea:5f:3a:dc:46:35:1e:1f:83:40:
        1c:1d:5e:ba:37:18:a3:75:2f:60:a7:84:67:9b:79:17:ad:fb:
        2a:5b:d8:84:5d:f2:ff:cc:81:4c:08:e4:17:ec:b7:cf:ac:4c:
        0f:91:8a:4c:fa:91:ed:24:39:f9:04:3a:18:b0:b1:c3:57:ed:
        9b:f1:cf:ab:bf:07:f1:52:ef:57:de:0a:76:e7:e4:c4:5f:69:
        93:71:0c:d4:3f:23:12:55:8c:3d:e6:79:b3:3c:5e:86:ac:1f:
        5e:7f:ec:96:d8:da:4d:c9:40:32:ee:b5:cb:6e:86:27:49:45:
        e6:89:30:80:fa:ba:ef:21:42:92:ba:f8:a7:51:16:61:04:13:
        da:87:ac:c5:9c:c0:19:55:80:2d:4a:32:bb:30:12:0b:49:15:
        ec:1e:5b:23:d4:d2:a3:4e:c6:22:19:bc:e2:ba:23:67:88:4c:
        54:d0:bf:10:61:91:d9:eb:f7:d7:bc:89:ee:83:0d:a3:2c:81:
        a4:c2:38:58:c3:50:b7:fe:3f:f2:bc:a2:f0:52:9d:04:1f:c2:
        85:bd:d6:06:77:30:7b:90:3d:29:92:dc:41:a9:40:4b:bb:7c:
        b7:91:07:65:2b:03:af:e4:a0:18:ab:a5:76:00:bc:10:e8:21:
        41:c7:d7:53:80:41:21:67:af:fe:d1:9d:14:4c:a9:7e:16:1d:
        4b:61:a4:f4:b1:e8:88:fe:c4:f1:60:3e:6d:d5:a9:90:14:3e:
        95:5d:7d:f0:7b:1e:af:5f:80:63:a8:ce:b1:a7:a1:b2:9a:10:
        f7:d9:e7:00:fa:33:d7:61:c9:35:b1:c2:c9:60:0b:a5:1d:08:
        a8:b2:1d:56:15:b8:b9:5e:36:b3:df:6a:76:6c:5e:9d:a7:e5:
        54:dc:1a:6c:c3:34:f2:c2:c6:ee:7a:68:49:a3:41:d6:54:34:
        78:c9:2b:d2:d2:52:94:23:35:d7:c4:bf:c6:e0:21:18:4f:7a:
        7a:be:e8:ab:34:fa:f7:4d:1a:4b:3c:37:e9:5f:1c:76:b1:6d:
        96:70:f5:f5:db:b4:15:ba:2c:71:25:80:b3:98:4a:d3:1a:8d:
        0e:69:24:de:e3:0c:38:64:82:6e:54:d1:74:47:e5:e5:69:b1:
        c1:04:12:72:8a:3f:71:c0:9f:dc:db:ba:0e:e8:3d:52:4a:23:
        56:04:9b:8c:eb:4f:62:19:7f:f5:bd:1e:48:d9:7f:89:84:3c:
        8d:f5:67:21:d6:81:ee:5a:cd:fa:c2:53:60:a0:97:1e:80:a2:
        dc:96:89:e6:99:d9:9d:48:23:a0:07:9a:02:06:29:04:eb:03:
        79:06:6b:a0:41:98:d2:8f:2d:b4:e3:cb:c2:5e:78:74:a1:92:
        29:c9:7d:07:03:ca:3f:8c:f5:71:f0:c4:7d:6a:1b:ac:33:37:
        4f:03:54:44:46:b6:76:1c:55:8a:7d:7b:e5:58:4e:a9:f8:e1:
        fe:7b:f3:a2:f8:e6:3b:e0:0b:5d:47:a8:b7:aa:f8:f3:c0:65:
        b0:e4:1c:22:8f:9e:b9:d1:8f:a6:4a:a4:28:6f:6c:27:31:49:
        58:c0:4d:80:3b:e3:e2:22:aa:ec:4e:ba:a5:0d:9e:b8:17:8c:
        6b:4e:2d:37:6a:cc:f3:2d:0d:6b:34:b4:00:eb:ce:31:0e:a5:
        c4:85:cd:1e:16:0b
 -----BEGIN CERTIFICATE-----
 MIIIgjCCBKqgAwIBAgIUR5SeRGX0Yfiqs8F7hjgh2YiliPAwDQYJKoZIhvcNAQEL
 BQAwGTEXMBUGA1UEAwwOa3lvdW1hIFJvb3QgQ0EwHhcNMjQwNjIxMTQwMjI2WhcN
 NDQwNjIxMTQwMjI2WjAZMRcwFQYDVQQDDA5reW91bWEgUm9vdCBDQTCCA+IwDQYJ
 KoZIhvcNAQEBBQADggPPADCCA8oCggPBAPnQo0vZd+PstEaOPx+kOSJg2K3pHv6t
 F/gw1vb66WL3NiUH6WyDkUIP4lPxynDaJn2/ux3VTV6Zgpk5l/PDffkNCOjUrvxF
 iJiOo7wqvRZnMlkIWeuo3qand535GsZ/dpI911Z0K6Nal48FqzvckmEuf5WxXATa
 Hi653nsWsoW0tFpINJq7GA0KCjSR+I/zeUamxO6qk4gDz0Oiuh68ZfF42M7YK/vb
 M9Y3rdSdRDj/tQ3cCGEs+/CGsu//qE9jKBNJ+CFOyyKYVN7ntOK2FMnFWQSCBKI5
 PGH1kZn/rG6AmtIifVH7raNqTBSo4yjZIqzIPTQXWkDOjTxS5+Hp1HUNP7jd09JW
 JZL6dYeB/llKglPV5wM5wAeEc3DQ/P4/BuD5D1kidAUTZVhaqB17Uk9H7b4mV0dJ
 V9V/NMc8D1XUF1eKDrv1Osd38X0GSamo3RgOopdSyEnlOccxXQfDWO2Orsd8G9uN
 3KDD4/XAmDXP/JKgpvMPsRiVwAHrHZaNAnua3CldWfEq3FMOaytrXTYDob3k5rQf
 WmZnE0osf1bJdVz+QiAkURi76jASj4jRrf7rWZKNHr7/Pm7yWtmMIPQ17bwBRyHT
 ELld/mqO4KPj5W+si/xh0HWoo5IfLMzBFRc2OwWrWHa+Y50wXe19gwy3JI8QqJAC
 7miBBc3ZTy7M75di0XVrgvPQNFbTWX7Z032TzhsX3v0YS+ZQcneIYN3/XpUFYf7Y
 Md00HuFtYR6AcwU+OyLCNAdImw4GjaaBxE3pTV3f4QTNW4VushKqG829Tn5T6llJ
 rxFwsxGHD68vmc7padtt0FoUGpUvL9u/NmLhmf98uLlcTnkzYe7bS29AfUmybuFl
 nfZF/icUJIJd9qQ4AaxHVNq2AsGteXG2k2TspAZ71l4c2n9AFkdlRyQqi3cySYnE
 nybU+aa65kKqdP1+HtF1lVxc2NS7dQV5EHrfWitpm3Uoy7VOSD6jqiEElY9iO0Yv
 B9CeHFCbPbptH8KgQX9HQ1fvkjFHSqKRZUNcwSv9Ji2+QaeYeo9SiV+B/0h9BCq4
 TVCR9a8YM0TyVV9ohzPY5k9duZLKBlHz4LFbb6BS/m6YIgFfwvtFWQJnYm90K3li
 51oTqNv9omSxC0kv9GE1oLYSLOwkGZ8MFIUFteHBnk6HpIjJeWUdEqyJ5rzta1iQ
 /ZVAPy66/7hSXWCYMrkgOKUI2qH8OIk88d44z2DYaaFLiFH3Mbj8VtxWOno5xQMj
 Ko/6q5J6tjfawZ9V5zGxxb4xYAjCMzDszwIDAQABo0IwQDAdBgNVHQ4EFgQUe8DG
 ewTEZgzNMv+wb+HZUf0c7rcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
 AQYwDQYJKoZIhvcNAQELBQADggPBAFizLQCOwnJb7ZGOPJhmauRhww/RUZgMZHk9
 AayKOH+v/IAxg4aoebkPGG0uOu8KwLEwOX6kPe1ONT6e8aMp3cwBHmJr7Vt3MbNM
 kR1pcCBEh+A3F6C6xOVXxZAa8h4NrKowEcPaHD86KLVtEqxFtmzwsrJu8FUzjikQ
 rJ5hrDXs7cfjUcKGUhB6nPYiXWVlGGK36W6+ZEbb3BVF6xpCRYPXqt1jJErtudU1
 hiciM2omSzIKFXUYGVjpa7SErACjeNOdfSU8XlF/AcqQ0UAr0kXhT/tujS7MBAc0
 B5HGjE+l5H3deA+wnQGdbokWbTqU3ThXvEnC4bWqVI/RixPbNS/RgF5F+1NgYdXD
 4ZwhYKODNOaevIZw/jaLNVUo4PSwge03WQ569qdmobY2RTCVyIDWQKkSv0exMwn6
 idSfwld1akfdhz+z0T0TvF6C6l863EY1Hh+DQBwdXro3GKN1L2CnhGebeRet+ypb
 2IRd8v/MgUwI5Bfst8+sTA+Rikz6ke0kOfkEOhiwscNX7Zvxz6u/B/FS71feCnbn
 5MRfaZNxDNQ/IxJVjD3mebM8XoasH15/7JbY2k3JQDLutctuhidJReaJMID6uu8h
 QpK6+KdRFmEEE9qHrMWcwBlVgC1KMrswEgtJFeweWyPU0qNOxiIZvOK6I2eITFTQ
 vxBhkdnr99e8ie6DDaMsgaTCOFjDULf+P/K8ovBSnQQfwoW91gZ3MHuQPSmS3EGp
 QEu7fLeRB2UrA6/koBirpXYAvBDoIUHH11OAQSFnr/7RnRRMqX4WHUthpPSx6Ij+
 xPFgPm3VqZAUPpVdffB7Hq9fgGOozrGnobKaEPfZ5wD6M9dhyTWxwslgC6UdCKiy
 HVYVuLleNrPfanZsXp2n5VTcGmzDNPLCxu56aEmjQdZUNHjJK9LSUpQjNdfEv8bg
 IRhPenq+6Ks0+vdNGks8N+lfHHaxbZZw9fXbtBW6LHElgLOYStMajQ5pJN7jDDhk
 gm5U0XRH5eVpscEEEnKKP3HAn9zbug7oPVJKI1YEm4zrT2IZf/W9HkjZf4mEPI31
 ZyHWge5azfrCU2Cglx6AotyWieaZ2Z1II6AHmgIGKQTrA3kGa6BBmNKPLbTjy8Je
 eHShkinJfQcDyj+M9XHwxH1qG6wzN08DVERGtnYcVYp9e+VYTqn44f5786L45jvg
 C11HqLeq+PPAZbDkHCKPnrnRj6ZKpChvbCcxSVjATYA74+IiquxOuqUNnrgXjGtO
 LTdqzPMtDWs0tADrzjEOpcSFzR4WCw==
 -----END CERTIFICATE-----
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@ -1,72 +0,0 @@
 { config, lib, options, pkgs, ... }: let
  cfg = config.kyouma.restic;
 in {
  options.kyouma.restic = let
    inherit (lib) mkOption types;
  in {
    inherit (options.services.restic.backups.type.getSubOptions [])
      timerConfig backupPrepareCommand backupCleanupCommand;
    enable = lib.mkEnableOption "Enable restic backup";
    paths = mkOption {
      description = "paths to backup";
      type = with types; listOf path;
      default = [];
    };
    pruneOpts = mkOption {
      description = "paths to backup";
      type = with types; listOf str;
      default = [
        "--keep-hourly 24"
        "--keep-daily 14"
        "--keep-weekly 8"
        "--keep-monthly 12"
      ];
    };
    remote = mkOption {
      description = "restic remote to use";
      type = types.nonEmptyStr;
      default = "zh3485.rsync.net";
    };
    remoteUser = mkOption {
      description = "remote ssh user";
      type = types.nonEmptyStr;
      default = "";
    };
    user = mkOption {
      description = "user who runs the backup job";
      type = types.nonEmptyStr;
      default = "root";
    };
    repo = mkOption {
      description = "restic repo";
      type = types.nonEmptyStr;
      default = "${config.networking.hostName}-backup";
    };
  };
  config = lib.mkIf cfg.enable {
    sops.secrets."restic/${cfg.remoteUser}/password" = {
      sopsFile = ../../secrets/restic/${cfg.remoteUser}.yaml;
    };
    sops.secrets."restic/${cfg.remoteUser}/id_ed25519" = {
      sopsFile = ../../secrets/restic/${cfg.remoteUser}.yaml;
    };
    services.restic.backups."${config.networking.hostName}-${cfg.remote}" = {
      inherit (cfg) paths user pruneOpts timerConfig backupPrepareCommand backupCleanupCommand;
      initialize = true;
      repository = "sftp:${cfg.remoteUser}@${cfg.remote}:${cfg.repo}";
      passwordFile = config.sops.secrets."restic/${cfg.remoteUser}/password".path;
      extraBackupArgs = [
        "--compression=max"
        "--pack-size=128"
        "--read-concurrency=8"
      ];
      extraOptions = let
        knownHost = pkgs.writeText "${cfg.remote}-known-host" (builtins.readFile ./${cfg.remote}/ssh_host_ed25519_key.pub);
        sshKey = config.sops.secrets."restic/${cfg.remoteUser}/id_ed25519".path;
      in [
        "sftp.command='ssh ${cfg.remoteUser}@${cfg.remote} -i ${sshKey} -o UserKnownHostsFile=${knownHost} -s sftp'"
      ];
    };
  }; 
 }
--- a/modules/restic/zh3485.rsync.net/ssh_host_ed25519_key.pub
+++ b/modules/restic/zh3485.rsync.net/ssh_host_ed25519_key.pub
@ -1 +0,0 @@
 zh3485.rsync.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd
--- a/pkgs/akkoma-admin-fe/default.nix
+++ b/pkgs/akkoma-admin-fe/default.nix
@ -1,7 +0,0 @@
 {
  akkoma-frontends 
 }:
 akkoma-frontends.admin-fe.overrideAttrs {
  patches = [ ./disable-options.patch ];
 }
--- a/pkgs/akkoma-admin-fe/disable-options.patch
+++ b/pkgs/akkoma-admin-fe/disable-options.patch
@ -1,12 +0,0 @@
 diff --git a/config/prod.env.js b/config/prod.env.js
 index 7acb93a2..ea500e99 100644
 --- a/config/prod.env.js
 +++ b/config/prod.env.js
@@ -2,6 +2,6 @@ module.exports = {
   NODE_ENV: '"production"',
   ENV_CONFIG: '"prod"',
   BASE_API: '"https://api-prod"',
 -  DISABLED_FEATURES: '[""]',
 +  DISABLED_FEATURES: '["settings","media-proxy-cache","relays"]',
   ASSETS_PUBLIC_PATH: '/pleroma/admin/'
 }
--- a/pkgs/akkoma-fe-domi/default.nix
+++ b/pkgs/akkoma-fe-domi/default.nix
@ -1,53 +0,0 @@
 {
  akkoma-frontends,
  fetchFromGitea,
  fetchYarnDeps
 }: 
 akkoma-frontends.akkoma-fe.overrideAttrs (let
  src = fetchFromGitea {
    domain = "git.sakamoto.pl";
    owner = "domi";
    repo = "akkoma-fe";
    rev = "5f0339ce005ccb12365128089edb5fd77f60841b";
    hash = "sha256-AHmJyOFmQZXmNMMsp8ONm9Itns1H/idEKl8+sxn2RSA=";
  };
  offlineCache = fetchYarnDeps {
    yarnLock = "${src}/yarn.lock";
    hash = "sha256-7WB6nmxNckMdftKds2OgD2kClvCCT/I5vmthV0jrkSs=";
  };
 in {
  version = "unstable-2024-07-20";
  pname = "akkoma-fe-domi";
  inherit src offlineCache;
  postPatch = ''
    # Build scripts assume to be used within a Git repository checkout
    substituteInPlace src/modules/instance.js \
      --replace-fail "widenTimeline: true" 'widenTimeline: "50%"' 
    substituteInPlace src/modules/config.js \
      --replace-fail "streaming: false" "streaming: true" \
      --replace-fail "useStreamingApi: false" "useStreamingApi: true" \
      --replace-fail "webPushNotifications: false" "webPushNotifications: true" \
      --replace-fail "postLanguage: undefined" 'postLanguage: "en"'
    substituteInPlace src/i18n/en.json \
      --replace-fail "meow" "florp" \
      --replace-fail "Meow" "Florp"
    sed -E -i '/^let commitHash =/,/;$/clet commitHash = "${builtins.substring 0 7 src.rev}";' \
      build/webpack.prod.conf.js
  '';
  configurePhase = ''
    runHook preConfigure
    export HOME="$(mktemp -d)"
    yarn config --offline set yarn-offline-mirror ${offlineCache}
    fixup-yarn-lock yarn.lock
    yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
    runHook postConfigure
  '';
 })
--- a/pkgs/build-worker-oci/ams/fly.toml
+++ b/pkgs/build-worker-oci/ams/fly.toml
@ -1,158 +0,0 @@
 app = 'build-worker-kyoumanet'
 primary_region = 'ams'
 [build]
  image = 'registry.fly.io/build-worker-kyoumanet:latest'
 [processes]
  bw-00 = '/entrypoint.sh'
  bw-01 = '/entrypoint.sh'
  bw-02 = '/entrypoint.sh'
  bw-03 = '/entrypoint.sh'
  bw-04 = '/entrypoint.sh'
  bw-05 = '/entrypoint.sh'
  bw-06 = '/entrypoint.sh'
  bw-07 = '/entrypoint.sh'
  bw-08 = '/entrypoint.sh'
 [[mounts]]
  source = 'bw00'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-00']
 [[mounts]]
  source = 'bw01'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-01']
 [[mounts]]
  source = 'bw02'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-02']
 [[mounts]]
  source = 'bw03'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-03']
 [[mounts]]
  source = 'bw04'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-04']
 [[mounts]]
  source = 'bw05'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-05']
 [[mounts]]
  source = 'bw06'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-06']
 [[mounts]]
  source = 'bw07'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-07']
 [[mounts]]
  source = 'bw08'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-08']
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-00']
  [[services.ports]]
    port = 2200
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-01']
  [[services.ports]]
    port = 2201
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-02']
  [[services.ports]]
    port = 2202
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-03']
  [[services.ports]]
    port = 2203
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-04']
  [[services.ports]]
    port = 2204
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-05']
  [[services.ports]]
    port = 2205
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-06']
  [[services.ports]]
    port = 2206
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-07']
  [[services.ports]]
    port = 2207
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-08']
  [[services.ports]]
    port = 2208
 [[restart]]
  policy = 'never'
 [[vm]]
  size = 'performance-16x'
  memory = '96GB'
--- a/pkgs/build-worker-oci/cdg/fly.toml
+++ b/pkgs/build-worker-oci/cdg/fly.toml
@ -1,67 +0,0 @@
 # fly.toml app configuration file generated for build-worker-kyoumanet-cdg on 2024-11-21T00:31:54+01:00
 #
 # See https://fly.io/docs/reference/configuration/ for information about how to use this file.
 #
 app = 'build-worker-kyoumanet-cdg'
 primary_region = 'cdg'
 [build]
  image = 'registry.fly.io/build-worker-kyoumanet:latest'
 [processes]
  bw-09 = '/entrypoint.sh'
  bw-10 = '/entrypoint.sh'
  bw-11 = '/entrypoint.sh'
 [[mounts]]
  source = 'bw09'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-09']
 [[mounts]]
  source = 'bw10'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-10']
 [[mounts]]
  source = 'bw11'
  destination = '/mnt/data'
  initial_size = '256GB'
  processes = ['bw-11']
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-09']
  [[services.ports]]
    port = 2209
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-10']
  [[services.ports]]
    port = 2210
 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
  processes = ['bw-11']
  [[services.ports]]
    port = 2211
 [[restart]]
  policy = 'never'
 [[vm]]
  size = 'performance-16x'
  memory = '96GB'
--- a/pkgs/build-worker-oci/default.nix
+++ b/pkgs/build-worker-oci/default.nix
@ -34,26 +34,17 @@ dockerTools.buildLayeredImage {
    trusted-public-keys = cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
    max-substitution-jobs = 20
    max-silent-time = 14400
-    min-free = ${builtins.toString (49152 * 1024 * 1024)}
+    min-free = 17179869184
-    max-free = ${builtins.toString (65536 * 1024 * 1024)}
+    max-free = 34359738368
    system-features = benchmark big-parallel kvm nixos-test uid-range gccarch-x86-64 gccarch-x86-64-v2 gccarch-x86-64-v3
    EOF
    mkdir -p /root/.ssh
    cat <<EOF > /root/.ssh/authorized_keys
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK397sBHLS66snWNPtmjUy7qZxRJh54N0RRXogKODudl nix@muon
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDTwCSWYODyvTJxwB6Rahuy0j6s/YYwtQta8bjzG/We root@ryuuko-arch
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/RmFnel8pcZT9nh7EAfKfAekt3BoEXy0G7G2GTacN/ aprl@computer
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 aprl@whatever
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpyVefbZLkNVNzdSIlO6x6JohHE1snoHiUB3Qdvl5I2 aprl@idk
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVNo871p97NTefP52KYiwuch+FaVScxvcFd9fg0yykySTq7Y5JsxrJQgTnox/oDa0O87OyHD/GHQljAXkqiHpDkExbiGjDmGXJSKReKH061F4FqBnDIwYRzUu9Cxjl4MNqsU0RqLaz4+F42c/L7GROQwjEPUb8JHThRiI5FJnDvvB+oBLBxeyQA4v3O4i8DaDQayTr/XB+aSlhNwKrb6cjjL93AHT1uE53yY5jn4kZX+RiPQhH7rvt9N6E4Yr3CG6nUgRCUS0L66d9yfrq0XAbAVk9F+viV7Nk9qy4MWHtXZ4h0qUlzrGALPgGsCGiLGd4NvEgeCcV4nvxdmevxTSdKlJP75xlmlLVXGyhqCZkTsxm/png2UvDl+p0pLyrgNaNoXPdE0Jbv7C28WX36Nast1QFSMUhexzuOx8OgaOioeXVfK98AouqWb58iPBCvgreUIH/gJhZcnlB/Foo1KSO+fJNH8hAsLH7w0mnKyHhJjkrjjwUqsnpepB3SOLfZTE= aprl@meow
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD0v3tUBNEUxfoOQBFb+N2DUBQDay0iFggUWa9Nd+BtFLOKkz+RRto3eBF0ZiJZVUxv/hLb8m2s45hcMw8agwuPrXMe5085T1fzkvPdKAPZdsT/cCmBi1OsoLjAKBFIdM4lcV0A2cca8hip+/ZPpjFPUWx73/672gAPHU7co7fP8+8CSf9dx+WIeLx3yaYHYZ/th3dB5auX3VjOazS8MojsAorwTUeBoPamHQ5dFeNafhFUL/hhtGkUI1cNHUn3bJd2V7AKTW3UglK7hVgMJPrzVS31OlpcJEf6S5XgKTWdOSwubn1bs5Lt6YYRDU24NV6CGrwKgCJSRxzNMLwpnFKiSXpO8FzkqWHYWyju141hQcFF31aZIV+7YcwEt5ZukLjFOpVtpbSXvJYigOUzGi34P3/OAGshDXjTQjvM8GIir49gx3b2Nwhg0z4UHBkAKZvDDFPHDMJoclvnhITojaAojfC9zmMCO5ZaEsk8yv7c/lWQumzRpfldWF4mwHvhD5kTADbhRdO7WTdX7AaiAYINooToeWKjFe2wn3rFubPUppptqtP03mmvs7vhhgnEVBbGZRJK3GTVk1XcsfF9rDKzewSa+wb4LsBoZtFRhc8cJqHGlKWSNk7dQ04B1atPyNLKGpGoo/UIPxyZ6bSqFVxY3nhz46VZ6z8XWI48z0/fRQ== aprl@uwu
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAl3/krXJeCcDEJXRuzOdCOrJLG7b6MRqC+a9Xux3mW vika@hydrangea
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQjTy9qqHcs5vgTz+iMAiNNMqdyGtOhEpnpJCReEFfZ vika@rafflesia
    sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINAgFdk78I4zssUGsAIV01zefLBpwc1W7hfTobbG80XLAAAABHNzaDo= vika@nitrokey
    EOF
    cat <<EOF > /root/.ssh/environment
--- a/pkgs/build-worker-oci/source.nix
+++ b/pkgs/build-worker-oci/source.nix
@ -4,8 +4,8 @@
 dockerTools.pullImage {
  imageName = "nixos/nix";
-  imageDigest = "sha256:133a1607deea14a02c2bc0850e275ed135814235a1147f68967afee261caea2b";
+  imageDigest = "sha256:338ca39c0c75f10919cd0cf38647ce4543033d2bbdabab4519de5adee45445f8";
-  sha256 = "0602a59g14l1jiqfffz14hcp982qaqczi5f0ylvv0h9pp2pqrqs5";
+  sha256 = "0rzms97xnzlh63pjkqq3m5146lyw00mqgdldsd00c9bzk3ybr75x";
  finalImageName = "nixos/nix";
  finalImageTag = "latest";
 }
--- a/pkgs/librespeed-go/default.nix
+++ b/pkgs/librespeed-go/default.nix
@ -1,34 +0,0 @@
 {
  lib,
  fetchFromGitHub,
  buildGoModule,
 }:
 let
  version = "1.1.5";
  src = fetchFromGitHub {
    owner = "librespeed";
    repo = "speedtest-go";
    rev = "refs/tags/v${version}";
    hash = "sha256-ywGrodl/mj/WB25F0TKVvaV0PV4lgc+KEj0x/ix9HT8=";
  };
 in
 buildGoModule {
  pname = "librespeed-go";
  inherit version src;
  vendorHash = "sha256-ev5TEv8u+tx7xIvNaK8b5iq2XXF6I37Fnrr8mb+N2WM=";
  ldflags = [ "-w" "-s" ];
  postInstall = ''
    cp -r web/assets $out/
  '';
  meta = {
    description = "A very lightweight speed test implementation in Go.";
    homepage = "https://github.com/librespeed/speedtest-go";
    license = lib.licenses.lgpl3Plus;
    maintainers = with lib.maintainers; [ snaki ];
    mainProgram = "speedtest";
  };
 }
--- a/pkgs/librespeed-rust/default.nix
+++ b/pkgs/librespeed-rust/default.nix
@ -4,13 +4,12 @@
  rustPlatform,
 }:
 let
-  # https://github.com/librespeed/speedtest-rust/pull/7
+  version = "1.3.2";
  version = "unstable-2024-09-28";
  src = fetchFromGitHub {
    owner = "librespeed";
    repo = "speedtest-rust";
-    rev = "a74f25d07da3eb665ce806e015c537264f7254c9";
+    rev = "refs/tags/v${version}";
-    hash = "sha256-+G1DFHQONXXg/5apSBlBkRvuLT4qCJaeFnQSLWt0CD0=";
+    hash = "sha256-z3lORjjJ89o+Du4mvKGydwxHU6Ra2jU5ue5Zsl/oIfY=";
  };
 in
 rustPlatform.buildRustPackage {
@ -33,6 +32,5 @@ rustPlatform.buildRustPackage {
    homepage = "https://github.com/librespeed/speedtest-rust";
    license = lib.licenses.lgpl3Plus;
    maintainers = with lib.maintainers; [ snaki ];
    mainProgram = "librespeed-rs";
  };
 }
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@ -4,12 +4,4 @@ final: prev: {
  update-nixfiles = final.callPackage ./update-nixfiles/default.nix {};
  build-worker-oci = final.callPackage ./build-worker-oci/default.nix {};
  librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
  librespeed-go = final.callPackage ./librespeed-go/default.nix {};
  akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
  akkoma-admin-fe = final.callPackage ./akkoma-admin-fe/default.nix {};
  nginxQuic = prev.nginxQuic.override { 
    withSlice = true;
    # Use zlib because zlib-ng uses larger buffers then nginx preallocates.
    zlib = final.zlib;
  };
 }
--- a/pkgs/update-nixfiles/update-nixfiles.sh
+++ b/pkgs/update-nixfiles/update-nixfiles.sh
@ -22,35 +22,19 @@ merge_theirs () {
 test_build () {
  local build_jobs
  build_jobs="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r ".builds | .[]")"
  for build in ${build_jobs}; do 
    local build_status
    while true; do
      local build_finished
      build_finished="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".finished")"
      [[ ${build_finished} == 1 ]] && break
      sleep 5
    done
    build_status="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".buildstatus")"
-    [[ $build_status != 0 ]] &&
+    [[ $build_status != 0 ]] && echo "Build ${build} failed" && exit 1
      echo "Build ${build} failed" &&
      exit 1
    echo "Build ${build} was successful"
  done
 # Idk why this is broken someone should fix me
 #  local last_error
 #  local now
 #
 #  last_error="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}" | jq -r ".errortime")"
 #  now="$(date +%s)"
 #
 #  [[ $last_error -gt $now ]] &&
 #    echo "Evaluation error encountered at $(date +%Y-%m-%d-%H:%M:%S --date="@${last_error}")" &&
 #    exit 1
 }
 wait_for_hydra () {
@ -58,18 +42,16 @@ wait_for_hydra () {
  local hydra_rev
  local counter
  counter=0
-  git_rev="$(git -C "${1}/nixfiles" rev-parse update-inputs)"
+  git_rev="$(git -C "${ROOT}/nixfiles" rev-parse update-inputs)"
-  while [[ $counter -lt 180 ]]; do
+  while true; do
-    counter=$((counter +1))
+    hydra_rev="$(curl -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r .flake | sed -E "s/.+&rev=(.*)/\1/g")"
    hydra_rev="$(curl -s -L -H "Accept: application/json" "${2}/evals" | jq -r '.evals | max_by(.id) | .flake' | sed -E "s/.+&rev=(.*)/\1/g")"
    if [[ "${git_rev}" == "${hydra_rev}" ]]; then
      echo "Hydra got new commit"
      break
    fi
-    sleep 5
+    sleep 30
  done
-
+  if [[ $counter -ge 30 ]]; then 
  if [[ $counter -ge 180 ]]; then
    echo "Hydra no workey"
    exit 1
  fi
@ -105,7 +87,7 @@ gitin push origin update-inputs
 echo "Waiting for hydra to get new commit"
 export -f wait_for_hydra
-timeout 4h bash -c "wait_for_hydra ${ROOT} ${JOBSET_URL}"
+timeout 4h bash -c wait_for_hydra
 echo "Testing if all build jobs completed successfully"
 test_build
--- a/secrets/restic/zh3485s1.yaml
+++ b/secrets/restic/zh3485s1.yaml
@ -1,35 +0,0 @@
 restic:
    zh3485s1:
        password: ENC[AES256_GCM,data:lDDSSqUH3pewpMA+6SNwGwRz95MBjeaD6I3RWUQNBFXsw/W9RoIY85AcRXxCl7CW,iv:NFF6uCs2FolMe9cgPkoAFmbWdXG2SuVRtoOyQXouEAU=,tag:UeC49xFwFkMh0Wi8p9reFw==,type:str]
        id_ed25519: ENC[AES256_GCM,data:fe2CAKWSrEOvEPZgGhbigw+DEnDUGtTXEj7nuGaH5enMGDvd7QtRlDYLkM+g9zKrRJ46e2nM6btUZVqqx4rJiUbjJ5B/cBzb259CTxKGgHeMj/cYXPypamIEKFwUrloxzrgxH5JIOoUvj9Ny1P1UPIB//B5Z1Uunqmdqd2XoiAtDwZ/hvyuOfdFyUkKmOnCdF4pheMRXZ6Z51N4f09OIwuZ/xC4LQYAVB2lyycOgrvefPA5YYabMd23yEXn6v/BiP1TWbSInTHvz6Rii2WYqYO3ORCfi1pvWe15kSrTsT9zYRzLvZi5TD+4FMhLmIttZB2OXK7X+h6cHtej7X+v6HKhMKHNJhukRUP7DpcZ0+ArBEdw2j+H7C4q8NdR9rk4we7WpdQlY7tGpJvEzSis+P/Jph/tkzx6xXpKiOeOAXgQUS41qcAy7gmZj7CdsulerUHcfDy4a0y1OEuDmoYW420cGGYOCB9BlvYQbaDhyv5AMSL8sMZfm7mX5qXliE7ZQc20ggKoY2MKH6RjnT8pQhMBWo/NW13PPBDIL,iv:1+aopW183ir5XHMKcDons24A/E61mLuyJGrQTRpPXdE=,tag:s1w+HZdktM0H9FUrz097Cw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeWpKYktzVE1tMkpGU1c5
            akZZdlBkeFQyUmUrOHZxTGE2V1FUVmV3cG5VCmZvTG1JTS9SUTk1aVl6TnBPQ1Fh
            clRDTmQzQUJxWlYyV2dmVXNyTDJ2K0kKLS0tIHA3S0dsQzRxRWF4RFdSSzh1aXI5
            ZFQvWFhZTndubkxaRVh3YXl0V25ZcUEK0/wV9i01kRkphrseSBqAL9f8tUlUtJDO
            PUZL2Em/QjNEnXJaxxR612ONA94ptK9bsqzRJV5RtGqDwd+oAnr13Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-08T13:41:02Z"
    mac: ENC[AES256_GCM,data:tMatUcv/jbvQ1URp6DrUyuiB9+rgCCdOxEVcM0NBiV5P9DGWE1hWytky4yPE9nFUOWLI7m4nTSEXHuT4yT3LkBd1Ndzhm5wQ0NEAVnZ6Sj7YOQI5CS1q95sviJBv57PBkaajHDNeSJX2hEQeR4qJFUR4fu0hIwadyzeunP/kfKE=,iv:gXRAg4cN43ocQMZm0lL8AnrbDtK+TKGchWpd/TYhnjA=,tag:+HqYuDWjoTdv+CWrJmuwxA==,type:str]
    pgp:
        - created_at: "2024-11-08T13:31:55Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4D1GtNSlou/HkSAQdALVqRZ2qzjR86mEE/MHAR5H3gmIukchY/NSvGg1Ggfmsw
            uZhnl5puGOO579ItHXbk+BYwBS2koL7jyhnX8E9zmM3d3SZHwzx0mk79fr2jLFj6
            0l4BLrhhcpUtzfje4/SeTgWFRIA68ON/PUTmW2Lgclh9OpQfbbousFS/JMvvdHaT
            /3uJEww5MKMPlqWqK7w7z6iwIITRKH0vzQoIZ3hVcDKtKOJrJ/1bWcJorFsazxvT
            =KZPf
            -----END PGP MESSAGE-----
          fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/secrets/restic/zh3485s2.yaml
+++ b/secrets/restic/zh3485s2.yaml
@ -1,35 +0,0 @@
 restic:
    zh3485s2:
        password: ENC[AES256_GCM,data:GAesjt8CMFKuZk30vJTS7kH0cSg/p6NQCOU9udcVbVCurnUdqjKqZp97KnCcmA/A,iv:bf7trphHgzFzI3Pza8dDOgmKcHsBURsXEHtw0KpGQ7s=,tag:zE1WXaptcqBQMqgk+6SRqQ==,type:str]
        id_ed25519: ENC[AES256_GCM,data:hRViIdnq9VNjjqD/X6tERHsCAuxF723bh+oES/Va5KVBJdsEK2LYXWxRQV6/dpYGnmSBNJ2q4eJS0iz2kjfNUTXg1DQZ0uuxSDbhOcKQ+ksE99VrU3Go7196gXQ+rsCuRht6vzgGzIoTcMVDlA+lvJ2EAB0o7EhK4qcKI0pRHziy4/i0JgLJKc2Xw7WwAZajyUToRrroi+oh3LRJiN0+L3B13RWNBDMxfVgSH5KERhPjU40VteKNyXg9YnZxiqRMTmDmpAu/fogXwIDgnfRuWBoDgPsHeSWVN/0IpfEegoXnmdYUGk9vKQmXNJ5z7vj6oIaz8Zuk9PfPaKZHrsUGkPZqBJydvfcUpH74+sn3idDJdQ92mYIn6rorabt6QtN9bbtULmtOU/R7wvZkRSn3SmvR6uo/xShs1pkwGa1oidn8atfoMMYnR973wvuGlDZwFGy0ZJD+Mc108U7o0U153/MervsxxZ3eIpzgmRol+TjoSJINQoPNPHsj6nx65MNfJd+AFw35h5jKUag4xKaPXS5ew/wDCqZ1PFYG,iv:P8VtAFoL0CcO7m7S60JardB95MUWYiABDOUZhLhXEzo=,tag:fLniekA0lMx6wW3u4NZPKQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1sky8kccyyxe79ws4rew42r94427v2xnphq2vtxvdlw5xl7yzgs2q599yzs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUnFUQlhzYTdyblNOWUt3
            V0daclVOZ0hlSmlJTHlKRDd5eThVSzVOVWh3CkpiaGNJd0hCMlk3MVdsdnY0TVJM
            MEtKUXFnSlAwQ0kzd1M0eVA1WG1Bb2sKLS0tIFAvVklzZldkOFpCNHV4YnQ2SDA3
            OW5TcVlqV0p4RThBRGlyaHkreEFMY28KPdgR9WCByJaLZcNophcfW7+7NU9MuI3E
            bfWEFgqZLTdAg8y7s/M6ZAyjciflclxVnY8mTIhnERD+ZHHi++z1XA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-13T12:51:05Z"
    mac: ENC[AES256_GCM,data:t/gg9SqDfrU+eKU9yw2R7ahLQY6pTgsRVFNk7K+zxTBiqUG2Rx0wm0bclkrkSKeHAVSJkc8OOWJvvRCMxaE980mknPM6721xNDV90Pt0ZsJvFXdOYKIaPQHC29klJKO60lsMsuup3BiF94O8+wIavLvYuc3jKFcaA4b9xAPRveM=,iv:TJhR1NzPVYIysghFAbjWB5lBpMhhkvwJdszkWGSLDPI=,tag:TCnewzN2qwFyG4Xio2JatQ==,type:str]
    pgp:
        - created_at: "2024-11-13T12:49:09Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4D1GtNSlou/HkSAQdArN4L/MZSZoKwk/RKgA56OQMyt7IhW15qa7+Utie4/TQw
            0xKauGLJEMp7cnpmEvpBW8sy3hZRj1K4vLv2NKHzoXBuWGBer1Hf+CDZJ71ta6J9
            0l4B9f4L9AIRHO3ncb4IPyVprr+sFyhVJJAI7bo9mbFUqH0yfM5EmFiXWg5d9zO6
            NfXbbfpW4ISEXFa//SuVl3h/HHxwDd83qA13OnhrlCjjwPfdA32kKM3CS/81JHNd
            =4L7O
            -----END PGP MESSAGE-----
          fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/secrets/services/akkoma.yaml
+++ b/secrets/services/akkoma.yaml
@ -1,35 +0,0 @@
 services:
    akkoma:
        mailerPassword: ENC[AES256_GCM,data:kNep5V0HVr17bEIY2/AbwRUPqkfHKf9xnOnYi5sMJ+STWjVrQf+AzdueJTAf9Nym,iv:Usmu0uM5ev60Ui8h9zLUcDDJIHNSxAFtMq5LyLwmAsA=,tag:fNIhB8LGJwWO3zzQWgm68A==,type:str]
        deepl: ENC[AES256_GCM,data:JVJkCm6UFUlownU/oRTmZ5o85mPv935Hj56JcXCt3PwNmx1kQbyj,iv:UzvGgVter1/9U8g/HQ2FfWNviD0KgWRLnW9fzgfGDag=,tag:q65bd26xFQ6Av71hy8u2fA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NGRYOHFVSXBNdjlpVDhF
            V0g2ZkRiZnR6UElvWEZKUWxHSjZySlJadHlvCmpBdzBPRklkOVltZWwzNlNrc0pC
            bG9kU3phNmFKNGkwek94Y2hZcjZCNW8KLS0tIFFqM0VTQXRuODAva0Rkc2xvWFB4
            VTQ3RExKY093VG8vOThCczRzY2tpY2cKJOv0yVl9Zody0mjtytyjCXpe5V3NsReA
            /Dqr6V9Hjuf3u0fjMHAjE6hDPGVH5t5NYLkNDeaGHNTaAd5dnhfprg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-10-31T16:57:58Z"
    mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str]
    pgp:
        - created_at: "2024-11-04T20:52:58Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4D1GtNSlou/HkSAQdApk/nEYcccQBCzFwC+hZbMio0s37LJuK6ceSLW786Sjsw
            90ggzfOg63e92cyqYxvbKqtCgVHHU/9RmKdsSZM+rFcR3XpzWw0ke10WjZNW0lU5
            0l4BuP1sPvP7Z+kxWlITnYl4SPKxVhSmYtAdGbceiGUo36jtpi9vkziuPmyrGttM
            t1PNZ9gjGVyNw96rRg9bgXCSvJo2FfMx8GeArj1yuO3+bkkbDm7mFrbF6fMQN3JE
            =Q9iO
            -----END PGP MESSAGE-----
          fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
    unencrypted_suffix: _unencrypted
    version: 3.9.1
		`@ -1 +0,0 @@`
			`zh3485.rsync.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd`