feat(elcafe): add new server configuration

2026-02-08 00:20:44 +01:00
parent e90fb1fa0d
commit 35541ea5ae
41 changed files with 366 additions and 172 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,6 @@
 keys:
  - &elcafe age1tkywsvddjj6r6ukuqgz9aql92jfx85rz57dhmkkndysh6yx6p5rs0zj0qr
  - &elcafe-host age17p69ktg7yfzgdsk00f32mupe4n4fevdpw2wsv7ft30yvpeseau6s7t0zdg
  - &gampo age1ajemtm502nn2n4q7v4j8meyd5mxtcqngkkedxq2pqzuwu78zp93qnw8q48
  - &gampo-host age197lfdanym647wdaz9uy8hrfqjwj9fs8rm7vs3fsrctceu8mr9gms2jedhz
  - &marpa age17pn6suvz2f7zmrm9zxj5hr0putvcvdamqxqt7ewhncgg6ccgmp2qr00xm2
@@ -19,3 +21,5 @@ creation_rules:
      - *tilo-host
      - *NaroMk3
      - *NaroMk3-host
      - *elcafe
      - *elcafe-host
--- a/README.md
+++ b/README.md
@@ -20,7 +20,6 @@
 - **hosts/**: Contains the host-specific NixOS configurations.
 - **system/**: Holds system-wide configuration modules that can be shared across different hosts. This includes things like boot settings, desktop environments, hardware configurations, networking, packages, security, and system services.
 - **users/**: Manages user-specific configurations. It's split into `modules` for reusable home-manager configurations and `phundrak` for my personal configuration.
 - **keys/**: Public keys for various machines.
 - **secrets/**: Encrypted secrets managed with `sops-nix`.
 ## Usage
--- a/flake.nix
+++ b/flake.nix
@@ -94,6 +94,7 @@
      defaultUserModules = [
        inputs.sops-nix.homeManagerModules.sops
        inputs.spicetify.homeManagerModules.default
        inputs.caelestia-shell.homeManagerModules.default
      ];
      withUserModules = modules: nixpkgs.lib.lists.flatten (defaultUserModules ++ [modules]);
    in {
@@ -101,19 +102,17 @@
        inherit extraSpecialArgs pkgs;
        modules = withUserModules ./users/phundrak/host/alys.nix;
      };
      "phundrak@elcafe" = home-manager.lib.homeManagerConfiguration {
        inherit extraSpecialArgs pkgs;
        modules = withUserModules ./users/phundrak/host/elcafe.nix;
      };
      "phundrak@gampo" = home-manager.lib.homeManagerConfiguration {
        inherit extraSpecialArgs pkgs;
-        modules = withUserModules [
+        modules = withUserModules ./users/phundrak/host/marpa.nix;
          inputs.caelestia-shell.homeManagerModules.default
          ./users/phundrak/host/marpa.nix
        ];
      };
      "phundrak@marpa" = home-manager.lib.homeManagerConfiguration {
        inherit extraSpecialArgs pkgs;
-        modules = withUserModules [
+        modules = withUserModules ./users/phundrak/host/marpa.nix;
          inputs.caelestia-shell.homeManagerModules.default
          ./users/phundrak/host/marpa.nix
        ];
      };
      "phundrak@NaroMk3" = home-manager.lib.homeManagerConfiguration {
        inherit extraSpecialArgs pkgs;
@@ -136,6 +135,10 @@
        inherit specialArgs;
        modules = withSystemModules ./hosts/alys/configuration.nix;
      };
      elcafe = nixpkgs.lib.nixosSystem {
        inherit specialArgs;
        modules = withSystemModules ./hosts/elcafe/configuration.nix;
      };
      gampo = nixpkgs.lib.nixosSystem {
        inherit specialArgs;
        modules = withSystemModules ./hosts/gampo/configuration.nix;
--- a/hosts/alys/configuration.nix
+++ b/hosts/alys/configuration.nix
@@ -20,10 +20,7 @@
      domain = "phundrak.com";
      id = "41157110";
    };
-    packages.nix = {
+    packages.nix.gc.automatic = true;
      gc.automatic = true;
      trusted-users = ["root" "phundrak"];
    };
    services = {
      endlessh.enable = true;
      ssh = {
@@ -34,7 +31,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
        enable = true;
        trusted = true;
      };
    };
  };
  system.stateVersion = "23.11";
--- a/hosts/elcafe/configuration.nix
+++ b/hosts/elcafe/configuration.nix
@@ -0,0 +1,71 @@
 {
  inputs,
  config,
  ...
 }: {
  imports = [
    ./hardware-configuration.nix
    inputs.home-manager.nixosModules.default
    ../../system
  ];
  sops.secrets = {
    "elcafe/traefik/env".restartUnits = ["traefik.service"];
    "elcafe/traefik/dynamic".restartUnits = ["traefik.service"];
  };
  mySystem = {
    boot = {
      kernel = {
        hardened = true;
        cpuVendor = "intel";
      };
      grub = {
        enable = true;
        device = "/dev/sdh";
      };
      zfs = {
        enable = true;
        pools = ["tank"];
      };
    };
    dev.docker = {
      enable = true;
      storage = "/tank/docker/";
    };
    misc.keymap = "fr";
    networking = {
      hostname = "elcafe";
      id = "501c7fb9";
    };
    packages.nix.gc.automatic = true;
    services = {
      endlessh.enable = true;
      ssh = {
        enable = true;
        allowedUsers = ["phundrak"];
        passwordAuthentication = true;
      };
      traefik = {
        enable = false;
        environmentFiles = [config.sops.secrets."elcafe/traefik/env".path];
        dynamicConfigFile = config.sops.secrets."elcafe/traefik/dynamic".path;
      };
    };
    users = {
      root.disablePassword = true;
      phundrak = {
        enable = true;
        trusted = true;
      };
    };
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?
 }
--- a/hosts/elcafe/hardware-configuration.nix
+++ b/hosts/elcafe/hardware-configuration.nix
@@ -0,0 +1,42 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot = {
    initrd = {
      availableKernelModules = ["ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
      kernelModules = [];
    };
    kernelModules = ["kvm-intel"];
    extraModulePackages = [];
  };
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/d2e703f7-90e0-43e7-9872-ce036f201c4b";
    fsType = "ext4";
  };
  swapDevices = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno3.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno4.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/gampo/configuration.nix
+++ b/hosts/gampo/configuration.nix
@@ -49,8 +49,8 @@
      appimage.enable = true;
      flatpak.enable = true;
      nix = {
        gc.automatic = true;
        nix-ld.enable = true;
        trusted-users = ["root" "phundrak"];
      };
    };
    programs.steam.enable = true;
@@ -60,7 +60,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
        enable = true;
        trusted = true;
      };
    };
  };
--- a/hosts/marpa/configuration.nix
+++ b/hosts/marpa/configuration.nix
@@ -98,10 +98,7 @@
    packages = {
      appimage.enable = true;
      flatpak.enable = true;
-      nix = {
+      nix.nix-ld.enable = true;
        nix-ld.enable = true;
        trusted-users = ["root" "phundrak"];
      };
    };
    programs.steam.enable = true;
    services = {
@@ -116,7 +113,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
        enable = true;
        trusted = true;
      };
    };
  };
--- a/hosts/naromk3/configuration.nix
+++ b/hosts/naromk3/configuration.nix
@@ -29,10 +29,7 @@
        ];
      };
    };
-    packages.nix = {
+    packages.nix.gc.automatic = true;
      gc.automatic = true;
      trusted-users = ["phundrak"];
    };
    services = {
      endlessh.enable = false;
      ssh = {
@@ -44,7 +41,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
        enable = true;
        trusted = true;
      };
    };
  };
--- a/hosts/naromk3/hardware-configuration.nix
+++ b/hosts/naromk3/hardware-configuration.nix
@@ -10,26 +10,32 @@
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
-  boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+  boot = {
-  boot.initrd.kernelModules = [];
+    initrd = {
-  boot.kernelModules = [];
+      availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
-  boot.extraModulePackages = [];
+      kernelModules = [];
    };
    kernelModules = [];
    extraModulePackages = [];
  };
-  fileSystems."/" = {
+  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/28b965a5-940b-4990-87fe-039c9f373bf0";
      fsType = "ext4";
    };
-  fileSystems."/boot" = {
+    "/boot" = {
      device = "/dev/disk/by-uuid/EBAD-6B85";
      fsType = "vfat";
      options = ["fmask=0022" "dmask=0022"];
    };
-  fileSystems."/tank" = {
+    "/tank" = {
      device = "/dev/disk/by-uuid/ed00871e-a14a-428f-b6e4-5b56febd756a";
      fsType = "ext4";
    };
  };
  swapDevices = [];
--- a/hosts/tilo/configuration.nix
+++ b/hosts/tilo/configuration.nix
@@ -30,10 +30,7 @@
        ];
      };
    };
-    packages.nix = {
+    packages.nix.gc.automatic = true;
      gc.automatic = true;
      trusted-users = ["root" "phundrak"];
    };
    services = {
      calibre.enable = true;
      endlessh.enable = true;
@@ -50,7 +47,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
        enable = true;
        trusted = true;
      };
    };
  };
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -1,85 +1,107 @@
-extraHosts: ENC[AES256_GCM,data:buAUbxVALT7zjwYfySVQ7E6RsI4EaVBUFN/ZXOuSaj42DLoLPM45PSgkxjner9o4g6a3s58Snp3siO8l0KPSTYyPUPBZ7dgbCcsWp5t8Q3K111d4TPTlx+gcluK5BvwNvFB4esRXJOgpm5jK498COKq/UZJECM0D5Emid0CKkzZynUYdbQeHkQEKIXV2LxJNro87xHtU/l11nox37Na0+t+eqp8/jcQh9pGnKmppPhviJeCy6GoiDPNFHDalQUmd204gi6EaTx0p3r7gRK61RfTwSCiX1Y7N5muzPvJQJt8lwgqznw5Etjud8wn6HF+fmb/BbYtioO9TjOVJnjVOlB4iUMApx3XY4VOuBPJm7D9ET+2J8Umw4OD5pB9A5WF+gVseAqYYNZYpe2hlHBoXMw4IZh8qOgxR/noE71PHxRe5gSB/2Hq0lKwG0e8lyFEeJKZdXsl47CtQE39RfC/+ik2COaRmYxY8fHHs2/yTylopv/pSM6K2TGF5B3dwVS18LU5AR48C1Ip7CseMgjgAWvjQ43KBc+P74a+237tlRFlFsU3HNk9Hk4fF53DPUX67+l42W6sNcgrszFHb/dm939qDKYqdNcWEjaaVSdDo34I6NGhmTUI7FxCVYipe,iv:SehibPtT3k9Ufen8Gri3HcFthUe0S7dMT+486fwOK0w=,tag:oatCeFr2j3EPHwXc6eU66w==,type:str]
+elcafe:
    traefik:
        env: ENC[AES256_GCM,data:HUdWGYoEPp2v8dnDuVsl7YmPxuBfHmXzGrvKWeiqPlmAwMqVZrZ1j8on/7QKvYDJoTJ40XY2qNynSA==,iv:Vgc/fZERnNp7hSMeRd9EgB3IenKAFTAhwC0bk8CX4DE=,tag:SdfhOST/o29Lt1zRdXXRyQ==,type:str]
        dynamic: ENC[AES256_GCM,data:BKsjTfqpZhrocHOUfxjCNS61DVb1oSdPW99IrwmNjpFcs68WvyfD0+QZ9F362L88CQDTnDSXWAbc7mcBtxhqfhkjtsdxkhtLHMGG0WxlnYungTnROh9EDJRLNyjy/RCYWOIVOXIEUE5lLwnQkboZLEiruw1Ri+r27WYmGpD5DaR4XWDankb6BQPJA6f2ziPyynjNYZaRhMIQUDFLM3QRAXPYD00eaYIQtx253z8Uocz4LpOw2JReAQkI2zc+6Oe1O4fP/Cg8klF0owR6NkNUWoIUVwLqFmU7Yr45VO+T/f96Ev0hlDaMklxYJGNOS8kRbSqpaiuMCmL2mQ6rsZGFVfdMdImSL2j51lrPFJCsg/hNGXHAxQ0/OpHtcZz/cwn5nSHBXg6gX21kOpkWGY1+BRA15X0k5sUqXkZWjkP9wkSCV6pQTbr8a3GrX2VvGwguAC4EpTCkCobXw/d9a7bMfZFeJqFhwjpU/dfBi6OjF7bniOQ7k3+5RZRDqAxJiPaBk7NKVN1FzUCvFBjKifbfICOJaPJr1CmayNuBZtsSlj0MXBYx8D8oShzhsCo/+pyni4poMYyfNC9jQKWCBsjKEa6eWb1+TfOHv4W+lSlBFg3vGm4NDxCPnACKWlhKB4WoJGRHqnp809XF2fqP4lZN8S7+sB2rhNlr2CICk9oM80FNmW/8TTtIgbpfEeFeJwNTM+S95cFSqaIRg3kfcqB/bHG37BYthcL1SC85/lxhL2LJ/O0qXxbioyxVAaBIumAO8BB1qrdbOozHZZAU1IIKylDWMWUoJMyMdhMGnOxxxWcbV2jPUXUv03DYNp3G/5F2Hlr+h0bPIJEFZ2kb14wTK+25MsgfBgky26f8qjNwROqKA+bPeB2yUKSSCJb//PzzE4xyqu1mq2/1zTal0eSRTCEnAUCj0wDqCLBMO6GnL0PS4PtGJ9n/IbOjFXZeixWGJzUTcmxPAmsClH6FV8brEMVs5bfrjLieXQvcn0b8b9/1W2jV4dJGUE1TxUQ2B92VG7PrA39O/FO8tQJZrAMXO9iMv495w0Nxbt0HYN6wsFTUwlQ+3DCXxgmmVBqVSf1OtHuhxcznl1oR+sgPSgBRLVB22mv5677ErQGCWp1luyPSF6xvhIaKe9BDwxBwJ+RsqSn4w5t1qJM9uYqFunSJPY5439B4zWG+lUy1ZDNn1oHUaX3hZUhzc9tEm+0CWFNXxH2hiRFb2nYP6Pv/GNqjZCsflY0YYty0UJBqRELGpUO3Sd+zbyJmWtvDjto726/0jHB/jb0RVThUem0PzWmmIUth0ucKp0M7zqEWNyVPbvWOK6rWQW9eaW87bFeMhrD1PC+U0ilq9DKG1J3ldc0lEBrguc4fk72T3I62pw5KdGnsmB+FjAc8kdTFKhM52ylChsAnJGFu0LyBUgjGIzZ03XkO8RbYs/wzc9VQOvyikvB67wImXMu8PJDzMxXnu58y7C4U86kvLdUfYm5bz+MxZmXsDA1L7C4si6oLf7rOCfLLc4A1a/X/aMSk330SARW/UAZ/NaFDXhotYXZUSbr41Z6b0qRPZjjZfOkdeKxTp+r07+8oJpPOaIaaOIlNRkGyRCnbCGvJ4CuUfTQuywIefBHlawGzhsDvOKorWYTuim7MbJcd19bYMG6k8qqTQlNeHjZJaDLKJ/rnSAIGDSNYRP4uUUo0gqSp82E9bXUUn5VuFSPcJ55uvFXZD0f6tLZGIyUuG5tqw3xNQF2cA+4ZXzbxi6VIZQ+ahZELkoBR+dVXQ0yGkDJusNf61A1lfI2bd7JQnJ7YVhbF1gXNnDXdWO0F8zsnZyhSSJY3ZoXLdYn+v39+AxQvE3mpX7zNsk7+0WUHuqAh6JG6OBt7jF5OVwD3bfuQfDhPlfD7YOU5/C+rekDGXmfZOMXxadvQgWFcpHdgbV7NwKqdgj6pJDVoGO8/4HGtlb94/o6dtXzfheSLUhCUZ2Im81yduu8386fCYLHX/ZsP+CuuC2wlXQaSCgoODRXXDz7jsRcQNfW2ohmFT9iDn95NI5ylCgt49t2Cr06ft7Pd0tWjh69VQ8TjNlfqm3Sxlf/Gb9ihwOOytmbDv4bNKhpRIPC0jIZv3aaA7vgdLCbySVeMo1tfMx3Xvf6q8XqlsQ/HgwBxAMmjakIAukNwtU74oJ2AYpIO/Oc47081JR2sVtGWer6l7C8KMy9O0xYtABsofkc9kHQWtAvn82sSQTuI/UgD5ttfdfVZZaanHek3vgJyTYI3sPQDVJ6SXrC0a+fqMlTL7Jux/0B70gK1z46j5C54IBCChNa4CwXhvxofyoDgyF6DVC2qZxoKXGl1veQKJh68q9hCiDlYEpiwuRCs3j6uSUG4Rssc9TKfdY3AQltVrhykEORVEgZe1HWmlms=,iv:3G3geSZRziwGiKcUMVNZ7j5s/4YA6Uk7wCSb4aFNSMo=,tag:FxARskR9+wdV7/xCKP8UdA==,type:str]
 extraHosts: ENC[AES256_GCM,data:4lp7w0snYle7vGVLJq3zlTxoC8eVpaSreW3P8Aq+O6oRJoWo3IASpwi7zSx6nxmLo5LGPeupVXfy3xOkG9d5QFNU2uU6vXKvOnnm6wrpS+UcYp/4U/z+R3rFnFsI5PsCgmlL1bSUFCFkXlrLDIyoW50Q/DLXDS8QaUYAtto1DcRUXc9j8RnunYF38HFlAOD/Xa4DY048pvZu8TMsmLQjM5txZnZBq4+P8aBjY3SF+K9cqZ+SgQkU+gdGo0/S/N5OUZJ3ATJ6mglPl/Nplw/Dh9HvC7jEMJZKrVzWiYquTOn0/IytqOCS2SkhsmVMRqf06hpvhlz6sFXzkDfxKMIRTULEkjZDkZ7QioSbLeqmQePSg7xs28SvToiVKSpg0PxeH5LvJE73hgX3ATUXA2BmRvqQuqBwLaDU6TPm8xkYe7qbabaN5oFtXCI/XydZTao5Glqw/BZQRTise/qGgn3Bfl/ieMYQOqCMEdHzR0Beipur6spliGFC4YnwL3Nh4CO6qOB/j61a7rqY6nLyo54jWtjvHX42pTuGWhvhGH1z4NRZqcKks+KCMB4PcCXgul1hrb04wLXYVu7R/7QqOACp4SZBUFZCj+izcsnB1sKdKliL87VBUkwOSF+1JUCY,iv:5A3jCWLkooCkuOMiybbeQ9+TRA7CoiW3qbzmJLVarSc=,tag:qLsGhrFHs65Vesj4Ot4I/g==,type:str]
 mopidy:
-    spotify: ENC[AES256_GCM,data:89vPpgJ53eYou01qgxfqxOO6G/raBA0Vzck31PLchE4Jhi6HcNnoW4wwhHW3pG0AfCu5sE1CuryhRpWTc62fXIBoenKiCiU7chFhBF0UNq3Fcie26l6hdEx+XYVcM/MNBBbkb8VZq1mR0sgGmUESuZVzeI3LMykF,iv:n+LxuijWCZGW2YacrYQ2QIF2BTSilLmJ72piFRK25vw=,tag:iOQatj2UJdlMvn6C40IILg==,type:str]
+    spotify: ENC[AES256_GCM,data:6i9BzQmlndnROuT1H2zgN/3I6hBiFf14BlcS+XL2PbTiiEQZe2yE3tnZo3KXU9S5CjS3MwxsVdytKOFMQt2s1bVjcibBhJzoKEQByaapdzn1mK3kQLdJfhPf4Hf9YZV9Dlc60ngS7ESLZakdFVlj4rlbV5XReLhK,iv:fYd78r4U0kTyq1TZjBVXkjdNiOQ29gLJ53kwTXsi8W0=,tag:oWaeOuzdHWS4joZAdeA2pg==,type:str]
-    bandcamp: ENC[AES256_GCM,data:Sas5Sk0gNaq2E1XnsK8lvaZEzsaFZKY+zDxvgTiqTm2hrI2BnWieRWcZV6u1yRKjLAhh1rdSYhnZJHWUGIAY9qnFOk4vUVUHLtxnkxO/bJN/sykc4qwXRg4/NNap+8TcsN/S1AFJYKmXYn1Otx/02wbMEzHIuw==,iv:VGC7COqF3goMyyJvasiT0yVxOk4QKLOuXd2FbHjuRwk=,tag:pvyX4Q+dvlWFkdSJzTlgwA==,type:str]
+    bandcamp: ENC[AES256_GCM,data:3uWlk1W6pgExsUkLpqpFXpMceYEdMfWMxNUq8iGEyq8/P3OAjzg7pvvPBGcVwmh4jSgNilRiqmmGrtYLwdqPUMlmbFB56K6ZLDIcC2yg2SRfulYcObvimOkIkx7ITr1u6jSzjMkTR5ekIlzlPBxFQzEfBbgdrQ==,iv:IY1VH/8vjNCPz8LGbYbyr5U3FcmhV+YhK3fHnLfWiak=,tag:lB78PRuEuFen54csc7jHIQ==,type:str]
-emailPassword: ENC[AES256_GCM,data:RXmfWKIm5CzZrqhT6bAPZdijByO1NvrSwN1YO4/huVQnQh5p1g==,iv:lh/mxH5sPce+to6TsK2f0SrpHJuuGUiKWzrNmQfJcY0=,tag:EyR7Nml7Jyh4Modsq7DuBw==,type:str]
+emailPassword: ENC[AES256_GCM,data:RUuXzEfkqu1hEg12vBko17MtvdcFIxPofB+nFOuuMdWqjqJgEg==,iv:725/ttk8jHmSIj16gqvLykOu8D8rUbzzvOyxyZx8Jds=,tag:jv1ZO14WsKyWFsfqzRzZPg==,type:str]
 ssh:
-    hosts: ENC[AES256_GCM,data:CnSHwOiLbrA3C902LrkyLKvZOd4Lv1RCBF+IVVbNcx1aCibpMHlFN6Ov+CFNrHG1ZVd3tarnZdGX5kScJJa0khDOVtrUF1gtvifqn1A9tUDP2M+iu3JrVxDw6cPeVyoxWL1hwuWwfO3zgApBGT3CvzAy9V85cNEdS7ukx08VRTgnM6rXYLJKLvjwaDnhnB43Am8XpZQkI0I6DkhCAQuGCrxsqtEE/mQXItZUGlOp/Al8B1XEs35b16odMJEextf85bnzpYYbpV9n4OCMTgoZ8ciQgTbi7u9FD8vmKs5W15pZvL4sxFIcbegn29SvRd7sfsotQ6xNgXHqAQtTa+VcUPA7bSjDw5KHs0iC8AkxdHwGL1kY0GSb992BIZ7PqKdNRLAikttGslFM98Ce6fpHQXj3soYYMdsm9vj7av1+P4N6SQ2cmhpVDrbnrmXQ5MT5gbQlecu32b0Yqf6rfjGyZ+SCZmMzTwAsEpHSnIgYPin38ztDsMMPaouxaTR8V1TXK715ITtA9ojrZhTBbWlaJWVybicc6tT164ZDKyurGdPHf2KrakkVYZghuCkWZWM/yc4GoW1o7/XxWnwQDkUvte8kPDwB2Rvc1jjG6SFvhdXouIqfNNxrdbSoFURBuouZIbfamVqU3MfSF0JRBrpRerA5tqrWYOPL4rXqsqGWyQ==,iv:92tBq0zjlJ44Ia5ug2zk9PgspWzA6QlT0A+j9T74T7U=,tag:XTB7zG14DsPw1uNXTpD7Bg==,type:str]
+    hosts: ENC[AES256_GCM,data:WTgCxNIyKTwFxDVlWkJcxrvUjYuVionDQSWgSqSc0SZ5mGbl228mv7Z6mXvwbN78+jIwTuuUtfmTsDoaUaSqyIReaXFsrIHAoCGoSMbJ10RiAbyDfCEH9vbHamAX22Ccfnyh7eUOb3AsAQo/pJs/95bdCpKEPy4SXcpB0tc+KpgrEijVLpRJFyB6UGl+2qg/hVfo8no5l4tZMUBxzS5KEU7pEEcA/SLfdVMM/4+aeVmJudxJPi3RsqnA8qORVpvJC0y/ln71OrFdRVrX4e47NEXzX2Hfr+hiFbW190xBp6a/kZypQl4vk4fzn8RUathQMOVmf1r4v7eJOYRWeGeZinZtQNe7SFWtiYc0pTbQ6GNyOMwzk3bMjlyzhlrTe1MqFqVbAHSsKk6ydpcjtXt4DgQ93IL4BU6emJu7HBFBOuQ9QWEvDubhB/0Y68BWUqGqY/2lPdllGJrXL87h5KJrLHSMyUX4mF9Je84aC0cv1N3d78kepo2wCz7jrfsxixT+qN7ufu/TurLloC6y2skOCmB+gcRo79Jzk4LRi+Zf+RWnWiXw5HsZWwO7so5JIDlgApkERif6vwup12jhdu+ZxcqFfjMt1wEFceS8YGNvUl0XWPgvmM9kdqn/4XXOYCnysbpcfZaBMGDOBUlbhLUybHdDzvGYV/kMU5m8xoXAjA==,iv:Gf2f71TluSEQtiHf7CIHE2tFX8N4Y17AjP1PnNuWuNA=,tag:sGmZR1lKbbOeEhPvrHHO8Q==,type:str]
 sops:
    age:
        - recipient: age1ajemtm502nn2n4q7v4j8meyd5mxtcqngkkedxq2pqzuwu78zp93qnw8q48
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMG1wWDcrSjN0NjEzY05q
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2S3VaTmg3b2QxMGtVeStr
-            YVBWbXJ1ZTlMYkdxZmRMakNZdm9qQnFxYzBFClMzS3RUVzM1aVRoazhXNkxwZFdv
+            WWRpb0RhVFNWM3RJNEV4ZTdRVmJUa2d6YVZrCnFTOWwwTlNhc2hqM2pwZ1hkcWd1
-            OVVIQWlWS0dLS2puN0ZZVjNwaGpWeE0KLS0tIGtaVWJoZmN3bnFtbWt6RmhvUnpK
+            QlE2N0FtSGFFR1NHbzFOSzI5Um4rVTQKLS0tIEFaMHprc3Jlclk3MGtvc2NzZ3cr
-            NnlaM2VmdnRVQitxUXZueGxXeWdhQlkK99cfnUusVZO/icWY2pDLExVveLtf1xPp
+            blMrcWVSVFB3TVc0aTQ0RUYvbDFJS0kKmGisf9VDK2RPA1uQCK5udt7sdeDyh344
-            43QVMMWTnkF8fS1SyM6KT7T12gFOeCIxa06IDKs1AIvuOuaq6OxEhw==
+            IKhPHzEHAHjKEkE6sWc6TB/l8K3IfL9zdHQZ9ZqTvCiS8CBZOwPQeg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age197lfdanym647wdaz9uy8hrfqjwj9fs8rm7vs3fsrctceu8mr9gms2jedhz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SjlaZGdmNWZOKzRUYU5B
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRzRqTzlzVWpGMVFEbjV5
-            NlpDeEREOUlkamhINnREeVFoYUJqSkNlc1U0CkU2QUpBTi9DUDI0RmV3M3U3Vmgv
+            R1RXS1RBMzZGaGZjUkFZc3RLb2JkSzlRQlJZCnp5c0pMOHBZUkhralArcUhLSmx5
-            UTJ5ZXBlaEcxeUtzUjcwcGw0MG9xKzAKLS0tIFpWeHRMWDlDekVMOWtLWFR2S05y
+            Uk41cGRUR3RxR1FYVHBWU3d6ZXJpcFUKLS0tIFdLclpadHV0QlRuYmJhYVZGWVc5
-            MHNUYUlJVHc4cnRwdGpKYXJOUE9ydWcKrJmvP3y+xVMGvS17iIzAzrKjvO4LAFOH
+            eHRMV2o0TXhoVkcyaXZqU0tsR0o2eDQKdYwEuPeQ1fntKQKIlOlxet+SJ0rT5I1y
-            mQV2c2WwZpNFYb63zwKKVxxRsTMCZjQviMXywCB7GRuUk1/aCEjZyA==
+            WDpfGZUVvghx5dwdd6EMq3sQUeoFSfjrlgIAwNtHRwMC19A68ubzhQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17pn6suvz2f7zmrm9zxj5hr0putvcvdamqxqt7ewhncgg6ccgmp2qr00xm2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMlUrWnFoZGZuZi8yVUJW
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxUEtOZ3Zac01HTjVZVXNF
-            R1lJeUYydHZCMWZFeTZBNGVVRDQxTmlGZ0RjCmVKZ3BocEVLTUl3M1VoWjRvTi96
+            endFNVprclpJMmh1eTA2ZmVJRTJlbjI3dEVNCjA4K2U5QWlOdkI0R3JwbVpNRWJG
-            SzNaWUIrUkxpVjZPVytJTmNEV2g5SkkKLS0tIDlyY1E4T1cxSXNuZDFtT3lhdFVl
+            T0VQWS9uS2UrRVk0YU9VcGhSUkJ6S2sKLS0tIGJZY1VSM1o3QUR5Mk9vNmhsRWxr
-            c2pDd2hCUE9RWHRCN1pXZ2prRk9iNFEKFWnDpPTFbi/l+aJnILF5NWwXLdpzzA7P
+            YURQR2kxdExKR00vYVJMVVQxekdVOE0KDkPOMeCo1MoM5R89t1rsMWR/bGIx592Z
-            RWoYja2qWNyIH8+6p+hazvezEVOpGECK5EVCH1dkLv52utuznmwsYg==
+            wvbVmE/El4Z0QzuvXl0XK3CFlKGuwgNw5TvtQ9QZP1aAL3yN0+T5oQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1cnnpnglkvgw5ffv8qpgwpqvj203lh4uwt698y9mxjwklxt8nysmsa8hepn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMkZ6dC84cHY5ZGtOd0cv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQTV1dkxMK3dxbGhiTGJG
-            RERqSXI3ejB2andMcldDVmp2SjNVc1hzZlIwCmVoWEFwMXdtVUU3dTVZZ05mRkhB
+            bkVQTUFOU1I4SXAyV21PdThSZFNOTTA0cmpFCkpXcmRXdlE0eVRYWWErQUxSWFN4
-            Z2ZCMnY3SUlkV0xRQUVlUDE3VE1aTzgKLS0tIHdiYXh1aE5nb3FSZTlpdVNZOUlF
+            bjI5bkU1NE84V1FTNVZiYUpLSnhSL2cKLS0tIFl6YmxmM1JLSlpxcDcxTnRnT1k3
-            ZEpsL25rcGFZaXBaTXFKbjd2UFpYRzQKNytlpy3cD1OC3FOSfSADjMMzD9qcsLrg
+            M25EQU5zckVMa1VSK29iYW5PbHRJcVEK6+gstHbcPBdeRNvZa21nZB5sT1SdHWHs
-            A4w6NqhU8E1DJBln/AiElZ58AhzAb5okPsKRGWMQSb73XN0pLLRwXw==
+            8St5tYl5I3CxNWFgFjOrHqteRKc+ZTcj3euAJ6Wathbw0YMiA3gz0Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1g68hxv73llkyc7etzh499ztcrt93pwawy0n8p93px4taqu58mehsp88vjq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4M1hKditZLytKeVErbit5
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRGYyUGhlL2NJelZTQ1g0
-            UEwyQW13bG1jakphRVA1WEd0WUtFa0I1UUc0ClV6NlUwRkZpZlhmY2t4RVliVExK
+            UEhJMFlkVmdlU1E2cGE2UHF2dytVYmhQMlIwCmdrOEZjUUFrQjMzK2FxVjF0NGY1
-            a2k4RkFFampEUUFkQVhvSWJwd1JPVVEKLS0tIDVzdGV4NFFveStkVUROWE1mUHAz
+            UStNT3ZXbEJlUGxzSXlBTmYwUzRIalEKLS0tIHFuWWIrTGN6eUxyNEhybHIydzRp
-            Z3R3MTRIRVZPc0pNVVhHYWhaSXdtbW8KorG+7fRAt1RT1fUD8Z4b2CJaIwCb+1br
+            cUFid1RwRXA4cExWd3poK2hEaVd5Q00KjjiEiQw2OxcGv/qDudLmbM6aysYhLTxi
-            Wt1E8hWeYVoHGnZuuJgrorv/GnqpRDkMrXix/qqGKuBlAgTDab5eYg==
+            Qjmh133pyznFs+pLVLdYnId42zvojAeuJD9cJYxuwwgPA2ZlKdSVrg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1awytvphvty4f9wmdn86xnjg9kgetqjx8qlwj5d2882t4fyyzy58s3vg5k4
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTDRWRUJNelRPMitSTm1H
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRbUs1Qm1hUnJldDNZNUR0
-            U1FTY0xsTXZrWnF2VXdsQWNLcE5zeHJ6bGg4CkRZckY3Q0hBNTgxMUVDdUh3YWZS
+            N3d0YXp5NWtjV0xvc1ZrM3ArZllIbmJtRXpnCnp2TVRyQVFqNC9kWXpBa0NnbW9X
-            STgwOEZ5cGFkVHFEOWNnNjNONDZIZm8KLS0tIGg1TUZjbmQ5MFU2bG1sZFcycnRR
+            VVFONnNleG9wN2IwdkhSWjBObmVGd3cKLS0tIHVDVmVNazdLWUpOQVlTNFRwL1c5
-            cDVwRVIxeTVmcmJLekpXcG13cTZJVG8KwXR0NOiHcd0njWwRWzEyGf0vb1kXp766
+            bkdsaXNINEZpZjdMdHAwdElpWFQ0aW8K0guO/BF8hp1LDToVBFY5JKdz8WXOwK2P
-            FhBxX0RoUToq/UgTQGBWvEODrZTnNd/zXr1J8gA1TeacTEbkoWEkpA==
+            prGKdxPsTAfW8xTq97LHHRsLC7+4TVXnjF4LS4SM8EXIX9KCl5FIGA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1erkn7dd022e90ktyj66aux9j9xvl0uzd6ru5cmrjsvcm5rtr5pfs7q6k9h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQUwxenU2aFN5My9wcHpu
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZEVtVzM0dFhJYWd5UXZO
-            c2prSCtvbW4xanlxZGhDT1dpT0V2ZUtmcGlvCkNrRkJ2OXVOSFhFcGxSYUdJMHBn
+            ajIzSFp1VENuSjlaYSs4ZUdBSS90aEoyM25JCnhrd0lyUVN0dEV5a2tQUjZwSlFx
-            M2VydHhVSW5MWTdvTW8vSWlXT3ZnV1UKLS0tIGpydEc5TXNpdXc4czVvNk54K0JO
+            eVlLT1kyejhuZDdGeHpDQnRMTllCSHMKLS0tIHZVS1JDVzBaaG1Oend1eDFiT1F4
-            RTlDblJHcUczdmtOdGc4VjUrYk1PTWMKVM07fdDfLWf4T3ELq8G4jsPhR4ZukOjP
+            NU1vREt6SXBWYU1xdW1JSm1uUGZQRVEKtaDeDNo817rXXoMkBHo0MZWtm4LayqwC
-            SATCHMTn3wG4qeGTI4R+4m4iqa3k7CFJUJapmBNHqXWOZeO5w9IonA==
+            NN8vbhGcgT+M+ehnmZ1HdPk8VWRvlQ+SMpG+a6DjK8BjYtAWcO16RQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age16crkeglm3j3f6rveylytuerptjf9mwtv3hl89ywkmnnvdkntfchsuvrsk5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SUtkZysyMU05Q0tlSHZh
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eUFYSC82YVM1WVEwc2Fz
-            V21acktNUTA1SjBMNFJtcE9XVHVFWWFvcEhNCm9hRFY3QjZkTk05UTJXZkpyTytE
+            aEl3TG5oOFU5MUFhQ0JhbC9yRVYxOFo0bUVJCnpwQzMyZmN4ZTlNVW5pZTY5bkdY
-            N01WS3E1TERmcVlCTEluT2RoODR0RFUKLS0tIHpoNmkxNlc0YmcvTHBZNUZPRks0
+            bjhaSnFxS0Vrb3pHTlJkWjVvczBSOG8KLS0tIHlsbjhxODdvcnd4c21aWUNpK01M
-            VkdKMUVOemNhUnpYSFFocnZRQmxPaUEKgCne7JJRIuvFtDMtaqO21IKjRoDW8D+3
+            ZW1hTUFtVE15QzVIVU93ZExlUWZjYzAKUZj+/NtMHCPjFFqbJ/8b2ASljV6GEk6p
-            V5tGfZOQADuef3n8ZG1j5t1OtNNBu4PjpxZynGx3/nR7+FThsK4vMg==
+            FbqV9LezRZrfl9GXBVUpB4Oeb9v2yp151aSda07/AG5YO0/jRAV/Bg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-25T02:54:23Z"
+        - recipient: age1tkywsvddjj6r6ukuqgz9aql92jfx85rz57dhmkkndysh6yx6p5rs0zj0qr
-    mac: ENC[AES256_GCM,data:nIOwiSAT3YCRabbPwfO2XBFhb/qH5cFLsMUQUCUa7trBnLeerzWLpngB96T0ZkDmsVsdJLhfv5ZWWZlgIg+K9uIww+DzvK48B3+EyVpNCJ4cDfgz3gZXlnp41Eu8LSklQ+sk9lVFEbHNPPhbTliXma9Kr1ldkdP035lQmYXUz6Y=,iv:sp7oiTUvO/FchubMlCuaaWDpNO9+aLIyehjS9+8pEPw=,tag:/PvIJTM17nFi5YIq0b1LyQ==,type:str]
+          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxdjFYN01HcXZMNVBJckVm
            eklKZHAxeWgvVlcwWk9yWUJpcFFBUnpUV0FZCi85dGE2L3d3OS9CdW5sL0pZTTM2
            SFJkcUN0emh6S3hMenhCcXBhNWF6eVUKLS0tIExwNEVyRmpGRXRLMjgxY1dqbkxQ
            bk04K1luNnJVTjZQY25KRXNSVG0venMK7uM4tqqmq/o4QgMlE/x/FXkQsPRkofNO
            I6C93RYgp1OcGPH14Kmp5lXtK4/pdToaRnVXPGenDQJsFhwWCEI+Fg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17p69ktg7yfzgdsk00f32mupe4n4fevdpw2wsv7ft30yvpeseau6s7t0zdg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOTFXaHE0SDRCTnE4di9N
            S2JIbHF2a1pzNzU4UFIvQmpZMVpOUjJqd0RJClVxcTd3d05aRDN1RGVmWVpQS2lI
            L1RVU3FUM3d4SU9pYXlwSko2RW5uWjgKLS0tIEplR1l1bGlad3p1ZkNBbFY3YmlM
            dUpXZis2N2VyN0ZFbjlPRXdwRFQ1aHMKm1Mk6MPKxFmwdATCYUANRSY5rHKgmQer
            LBlqqWKt1JiIUAYtazQeQ6KYxmjVlQPY7AZw2t+EhBEPrqbTL3vOiw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-02-08T14:11:39Z"
    mac: ENC[AES256_GCM,data:fRnv6X2PTwbkde0SJHXegU0QiixfjZlfvje/tfgotfLLmnwDsB0Pxl0tw4DkCcQ3GZKDbxC5WR4g+Jz1B/D79WYo8jEKsf7OCBgyw3HhPhsg7lgJ9Qa/NVR1PfwZBn6u5/nj1kuLgQe9ZSV/UmUIu5I1LEY8IGVoJOEJkr/ZVRg=,iv:E4qRUs/u8T3VpyJxGyqifmTQaf/+bG7uN6sbbb2cwQY=,tag:+bQhdMlw7hGcvINQJTP8lw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/system/boot/boot.nix
+++ b/system/boot/boot.nix
@@ -44,7 +44,7 @@ in {
    grub = {
      enable = mkEnableOption "Does the system use GRUB? (Disables systemd-boot)";
      device = mkOption {
-        type = types.str;
+        type = types.path;
        description = "The GRUB device";
        default = "";
      };
--- a/system/dev/docker.nix
+++ b/system/dev/docker.nix
@@ -12,6 +12,11 @@ in {
    podman.enable = mkEnableOption "Enable Podman rather than Docker";
    nvidia.enable = mkEnableOption "Activate Nvidia support";
    autoprune.enable = mkEnableOption "Enable autoprune";
    storage = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/path/to/docker/storage";
    };
  };
  config = mkIf cfg.enable {
@@ -29,6 +34,9 @@ in {
        enable = true;
        enableNvidia = cfg.nvidia.enable;
        autoPrune.enable = cfg.autoprune.enable;
        daemon.settings = mkIf (cfg.storage != null) {
          "data-root" = cfg.storage;
        };
      };
      podman = mkIf cfg.podman.enable {
        enable = true;
--- a/system/hardware/default.nix
+++ b/system/hardware/default.nix
@@ -1,8 +1,10 @@
-{
+{lib, ...}: {
  imports = [
    ./amdgpu.nix
    ./bluetooth.nix
    ./sound.nix
    ./input
  ];
  hardware.enableAllFirmware = lib.mkDefault true;
 }
--- a/system/network/tailscale.nix
+++ b/system/network/tailscale.nix
@@ -13,7 +13,7 @@ in {
    };
  };
  config.services.tailscale = {
-    enable = cfg.enable;
+    inherit (cfg) enable;
    extraSetFlags = [
      "--accept-dns"
      "--accept-routes"
--- a/system/services/sunshine.nix
+++ b/system/services/sunshine.nix
@@ -15,7 +15,12 @@ in {
    autoStart = cfg.autostart;
    capSysAdmin = true;
    openFirewall = true;
-    settings.sunshine_name = config.mySystem.networking.hostname;
+    settings = {
      sunshine_name = config.mySystem.networking.hostname;
      locale = "en_GB";
      system_tray = "enabled";
      output_name = 1;
    };
    applications.apps = [
      {
        name = "Desktop";
@@ -42,6 +47,12 @@ in {
      {
        name = "OpenMW";
        cmd = "openmw";
        image-path = "/home/phundrak/.config/sunshine/covers/igdb_24775.png";
      }
      {
        name = "Vintage Story";
        cmd = "flatpak run at.vintagestory.VintageStory";
        image-path = "/home/phundrak/.config/sunshine/covers/igdb_69547.png";
      }
    ];
  };
--- a/system/services/traefik.nix
+++ b/system/services/traefik.nix
@@ -8,18 +8,28 @@ with lib; let
 in {
  options.mySystem.services.traefik = {
    enable = mkEnableOption "Enable Traefik";
    dataDir = mkOption {
      type = types.path;
      default = "/tank/traefik";
    };
    email = mkOption {
      type = types.str;
      default = "";
    };
    dataDir = mkOption {
      type = types.path;
      default = "/tank/traefik";
      example = "/path/to/traefik/data";
    };
    environmentFiles = mkOption {
      type = types.listOf types.path;
      example = ["/var/traefik/traefik.env"];
      default = [];
    };
    dynamicConfigFile = mkOption {
      type = types.path;
      default = "${cfg.dataDir}/traefik.yaml";
      example = "/var/traefik/dynamic.yaml";
    };
  };
  config.services.traefik = {
-    inherit (cfg) enable;
+    inherit (cfg) enable dynamicConfigFile environmentFiles;
    dynamicConfigFile = "${cfg.dataDir}/dynamic_config.toml";
    staticConfigOptions = {
      api.dashboard = true;
      log = {
@@ -29,18 +39,18 @@ in {
      };
      accessLog.filePath = "${cfg.dataDir}/access.log";
      entryPoints = {
-        http = {
+        web = {
          address = ":80";
          asDefault = true;
          http.redirections.entrypoint = {
-            to = "https";
+            to = "websecure";
            scheme = "https";
          };
        };
-        https = {
+        websecure = {
          address = ":443";
          asDefault = true;
-          httpChallenge.entryPoint = "https";
+          httpChallenge.entryPoint = "websecure";
        };
      };
      providers.docker = {
@@ -53,6 +63,7 @@ in {
        dnsChallenge = {
          provider = "cloudflare";
          resolvers = ["1.1.1.1:53" "1.0.0.1:53"];
          propagation.delayBeforeChecks = 60;
        };
      };
    };
--- a/system/users/default.nix
+++ b/system/users/default.nix
@@ -1,5 +1,7 @@
 {
  imports = [
    ./phundrak.nix
    ./root.nix
  ];
  programs.zsh.enable = true;
 }
--- a/system/users/phundrak.nix
+++ b/system/users/phundrak.nix
@@ -5,27 +5,23 @@
  ...
 }:
 with lib; let
-  cfg = config.mySystem.users;
+  cfg = config.mySystem.users.phundrak;
 in {
-  options.mySystem.users = {
+  options.mySystem.users.phundrak = {
-    root.disablePassword = mkEnableOption "Disables root password";
+    enable = mkEnableOption "Enables user phundrak";
-    phundrak.enable = mkEnableOption "Enables users phundrak";
+    trusted = mkEnableOption "Mark the user as trusted by Nix";
  };
  config = {
-    users.users = {
+    users.users.phundrak = mkIf cfg.enable {
      root = {
        hashedPassword = mkIf cfg.root.disablePassword "*";
        shell = pkgs.zsh;
      };
      phundrak = mkIf cfg.phundrak.enable {
      isNormalUser = true;
      description = "Lucien Cartier-Tilet";
      extraGroups = ["networkmanager" "wheel" "docker" "dialout" "podman" "plugdev" "games" "audio" "input"];
      shell = pkgs.zsh;
-        openssh.authorizedKeys.keyFiles = lib.filesystem.listFilesRecursive ../../keys;
+      openssh.authorizedKeys.keyFiles = lib.filesystem.listFilesRecursive ../../users/phundrak/keys;
    };
    nix.settings = mkIf cfg.trusted {
      trusted-users = ["phundrak"];
    };
    programs.zsh.enable = true;
  };
 }
--- a/system/users/root.nix
+++ b/system/users/root.nix
@@ -0,0 +1,17 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.mySystem.users.root;
 in {
  options.mySystem.users.root.disablePassword = mkEnableOption "Disables root password";
  config = {
    users.users.root = {
      hashedPassword = mkIf cfg.disablePassword "*";
      shell = pkgs.zsh;
    };
  };
 }
--- a/users/modules/desktop/default.nix
+++ b/users/modules/desktop/default.nix
@@ -13,7 +13,6 @@ in {
    ./kdeconnect.nix
    ./kitty.nix
    ./obs.nix
    ./qt.nix
    ./rofi
    ./spotify.nix
    ./swaync.nix
@@ -30,10 +29,10 @@ in {
    kdeconnect.enable = mkDefault cfg.fullDesktop;
    kitty.enable = mkDefault cfg.fullDesktop;
    obs.enable = mkDefault cfg.fullDesktop;
    qt.enable = mkDefault cfg.fullDesktop;
    rofi.enable = mkDefault cfg.fullDesktop;
    spotify.enable = mkDefault cfg.fullDesktop;
    spotify.spicetify.enable = mkDefault cfg.fullDesktop;
    theme.enable = mkDefault cfg.fullDesktop;
    wlr-which-key.enable = mkDefault cfg.fullDesktop;
  };
 }
--- a/users/modules/desktop/qt.nix
+++ b/users/modules/desktop/qt.nix
@@ -1,11 +0,0 @@
 {
  lib,
  config,
  ...
 }:
 with lib; let
  cfg = config.home.desktop.qt;
 in {
  options.home.desktop.qt.enable = mkEnableOption "Enable Qt support";
  config.qt.enable = cfg.enable;
 }
--- a/users/modules/desktop/spotify.nix
+++ b/users/modules/desktop/spotify.nix
@@ -6,8 +6,8 @@
  ...
 }:
 with lib; let
  inherit (pkgs.stdenv.hostPlatform) system;
  cfg = config.home.desktop.spotify;
  system = pkgs.stdenv.hostPlatform.system;
  spicePkgs = inputs.spicetify.legacyPackages.${system};
 in {
  options.home.desktop.spotify = {
--- a/users/modules/desktop/theme.nix
+++ b/users/modules/desktop/theme.nix
@@ -1,8 +1,14 @@
 {
  pkgs,
  config,
  lib,
  ...
-}: {
+}:
 with lib; let
  cfg = config.home.desktop.theme;
 in {
  options.home.desktop.theme.enable = mkEnableOption "Enable theme options";
  config = mkIf cfg.enable {
    gtk = {
      enable = true;
      colorScheme = "dark";
@@ -23,4 +29,5 @@
      package = pkgs.nordzy-cursor-theme;
    };
    qt.enable = true;
  };
 }
--- a/users/modules/desktop/wlr-which-key.nix
+++ b/users/modules/desktop/wlr-which-key.nix
@@ -21,7 +21,7 @@
  # Recursively filter out null values and convert kebab-case keys to snake_case
  filterNulls = value:
    if lib.isAttrs value
-    then lib.mapAttrs' (n: v: lib.nameValuePair (toSnakeCase n) (filterNulls v)) (lib.filterAttrs (n: v: v != null) value)
+    then lib.mapAttrs' (n: v: lib.nameValuePair (toSnakeCase n) (filterNulls v)) (lib.filterAttrs (_: v: v != null) value)
    else if lib.isList value
    then map filterNulls value
    else value;
--- a/users/phundrak/home.nix
+++ b/users/phundrak/home.nix
@@ -78,7 +78,7 @@
            parts = lib.strings.splitString " " content;
            email = lib.lists.last parts;
          in "${email} namespaces=\"git\" ${content}")
-          (lib.filesystem.listFilesRecursive ../../keys)
+          (lib.filesystem.listFilesRecursive ./keys)
        );
      };
    };
--- a/users/phundrak/host/alys.nix
+++ b/users/phundrak/host/alys.nix
@@ -2,9 +2,6 @@
  imports = [../light-home.nix];
  home = {
    cli.nh.flake = "${config.home.homeDirectory}/nixos";
-    phundrak.sshKey = {
+    phundrak.sshKey.content = builtins.readFile ../keys/id_alys.pub;
      content = builtins.readFile ../../../keys/id_alys.pub;
      # file = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
    };
  };
 }
--- a/users/phundrak/host/elcafe.nix
+++ b/users/phundrak/host/elcafe.nix
@@ -0,0 +1,8 @@
 {
  imports = [../light-home.nix];
  home = {
    cli.nh.flake = "/tank/phundrak/.dotfiles";
    dev.editors.emacs.enable = false;
    phundrak.sshKey.content = builtins.readFile ../keys/id_elcafe.pub;
  };
 }
--- a/users/phundrak/host/gampo.nix
+++ b/users/phundrak/host/gampo.nix
@@ -3,8 +3,6 @@
  home = {
    cli.nh.flake = "${config.home.homeDirectory}/.dotfiles";
    desktop.hyprland.host = "gampo";
-    phundrak.sshKey = {
+    phundrak.sshKey.content = builtins.readFile ../keys/id_gampo.pub;
      content = builtins.readFile ../../../keys/id_gampo.pub;
    };
  };
 }
--- a/users/phundrak/host/marpa.nix
+++ b/users/phundrak/host/marpa.nix
@@ -7,8 +7,6 @@
      ollama.gpu = "rocm";
    };
    desktop.hyprland.host = "marpa";
-    phundrak.sshKey = {
+    phundrak.sshKey.content = builtins.readFile ../keys/id_marpa.pub;
      content = builtins.readFile ../../../keys/id_marpa.pub;
    };
  };
 }
--- a/users/phundrak/host/naromk3.nix
+++ b/users/phundrak/host/naromk3.nix
@@ -2,6 +2,6 @@
  imports = [../light-home.nix];
  home = {
    cli.nh.flake = "/home/phundrak/.dotfiles";
-    phundrak.sshKey.content = builtins.readFile ../../../keys/id_naromk3.pub;
+    phundrak.sshKey.content = builtins.readFile ../keys/id_naromk3.pub;
  };
 }
--- a/users/phundrak/host/tilo.nix
+++ b/users/phundrak/host/tilo.nix
@@ -2,6 +2,6 @@
  imports = [../light-home.nix];
  home = {
    cli.nh.flake = "/tank/phundrak/.dotfiles";
-    phundrak.sshKey.content = builtins.readFile ../../../keys/id_tilo.pub;
+    phundrak.sshKey.content = builtins.readFile ../keys/id_tilo.pub;
  };
 }
--- a/users/phundrak/keys/id_alys.pub
+++ b/users/phundrak/keys/id_alys.pub
--- a/users/phundrak/keys/id_elcafe.pub
+++ b/users/phundrak/keys/id_elcafe.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+UvZISwPdbDUQKbcBksi6dKvsVccvRIbdOE0zDQt60 lucien@phundrak.com
--- a/users/phundrak/keys/id_gampo.pub
+++ b/users/phundrak/keys/id_gampo.pub
--- a/users/phundrak/keys/id_marpa.pub
+++ b/users/phundrak/keys/id_marpa.pub
--- a/users/phundrak/keys/id_naromk3.pub
+++ b/users/phundrak/keys/id_naromk3.pub
--- a/users/phundrak/keys/id_opn4.pub
+++ b/users/phundrak/keys/id_opn4.pub
--- a/users/phundrak/keys/id_tilo.pub
+++ b/users/phundrak/keys/id_tilo.pub
--- a/users/phundrak/packages.nix
+++ b/users/phundrak/packages.nix
@@ -5,7 +5,7 @@
  ...
 }:
 with lib; let
-  system = pkgs.stdenv.hostPlatform.system;
+  inherit (pkgs.stdenv.hostPlatform) system;
 in {
  programs.bun.enable = true;
  home.packages = with pkgs; [
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+UvZISwPdbDUQKbcBksi6dKvsVccvRIbdOE0zDQt60 lucien@phundrak.com`