Rebase to flake parts #13

Rebase to flake parts #11
2026-05-30 21:26:13 -03:00 · 2026-05-29 00:08:10 -03:00
17 changed files with 473 additions and 58 deletions
@@ -5,6 +5,7 @@ keys:
  - &host_t2mbp age1yr7vurfxc3w8ewfw9djfm54atw6ayze69qglamecuft5q0n9gu2sadsa2m
  - &host_ideapad age1hya7pgpe8zal52w3pjf036tpapmehedatfm4r84h30t4wuh079ssedfd37
  - &host_nix-server age1p05z980kdtngk9mw67hfev72h7xhslplpxfk9yskgmf0hl4lu3ls04zht9
  - &host_r5500 age1pewusvlcgzcnk0kpskgc9qr6jlq8s2yzwnqrnh84p7v5z0kj3qhsya8h2x
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
@@ -15,6 +16,7 @@ creation_rules:
          - *host_t2mbp
          - *host_ideapad
          - *host_nix-server
          - *host_r5500
  # Host secrets at modules/hosts/nix-server/secrets.yaml (see configuration imports),
  # or optional extra files under _secrets/.
  - path_regex: modules/hosts/nix-server/(secrets\.(yaml|json|env|ini)|_secrets/.*\.(yaml|json|env|ini))$
@@ -186,7 +186,25 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
@@ -485,6 +503,27 @@
        "type": "github"
      }
    },
    "personal-website": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1779906441,
        "narHash": "sha256-py8KJJMi4awjZHi5FWBPYfbRPvk3Rg9SeFkPJydsG2E=",
        "ref": "refs/heads/main",
        "rev": "339a9ba1ef79dc9976af77f1fea0302de8a696d0",
        "revCount": 16,
        "type": "git",
        "url": "https://git.chiasson.cloud/Olivier/Personal-Website"
      },
      "original": {
        "type": "git",
        "url": "https://git.chiasson.cloud/Olivier/Personal-Website"
      }
    },
    "quickshell": {
      "inputs": {
        "nixpkgs": [
@@ -523,6 +562,7 @@
        "nixpkgs": "nixpkgs",
        "nur": "nur",
        "oom-hardware": "oom-hardware",
        "personal-website": "personal-website",
        "sops-nix": "sops-nix",
        "spicetify-nix": "spicetify-nix",
        "swiftshare": "swiftshare",
@@ -558,7 +598,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1779000518,
@@ -576,7 +616,7 @@
    },
    "swiftshare": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ]
@@ -625,6 +665,21 @@
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "t2fanrd": {
      "inputs": {
        "nixpkgs": [
@@ -92,6 +92,12 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # After pushing Personal-Website, `nix flake update personal-website` refreshes the lock pin.
    personal-website = {
      url = "git+https://git.chiasson.cloud/Olivier/Personal-Website";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # DDRM browser-extension backend
    ddrm = {
      url = "git+https://git.chiasson.cloud/Olivier/DDRM";
@@ -96,6 +96,8 @@ services.cloudflare-warp.enable = true;
        gaming.launchers.enableBottles = false;
        gaming.gamescope.enable = true;
        gaming.steam.steamTinkerLaunch.enable = true;
        gaming.sunshine.enable = true;
        gaming.sunshine.cudaSupport = true;
        monitorInput.enable = true;
@@ -124,6 +126,7 @@ services.cloudflare-warp.enable = true;
          thunderbird
          prismlauncher
          dualsensectl
        ];
@@ -0,0 +1,18 @@
 # personal-website sops secrets
 Add these keys to `secrets.yaml` (on a host with your age key):
 ```yaml
 personal-website:
    ghcr-token: <same PAT as swiftshare/ghcr-token, or new>
    database-password: <strong password>
    auth-secret: <openssl rand -base64 32>
    oauth-discord-client-secret: <Discord OAuth secret>
 ```
 ```bash
 cd modules/hosts/nix-server
 sops secrets.yaml
 ```
 After editing, verify with `sops -d secrets.yaml | yq '.personal-website'`.
@@ -0,0 +1,26 @@
 # Cloudflare dynamic DNS via NixOS (kissgyorgy/cloudflare-dyndns).
 { config, ... }:
 let
  secretFilePath = ../secrets.yaml;
 in
 {
  sops.secrets."cloudflare-ddns/api-token".sopsFile = secretFilePath;
  services.cloudflare-dyndns = {
    enable = true;
    apiTokenFile = config.sops.secrets."cloudflare-ddns/api-token".path;
    domains = [
      "chiasson.cloud"
      "chiassoncloud.services"
      "swiftshare.cloud"
      "blackfry.day"
      "yestur.day"
      "rp-own.life"
      "xn--1iu.cc"
    ];
    proxied = true;
    ipv4 = true;
    ipv6 = false;
    # Default: *:0/5 (every 5 minutes).
  };
 }
@@ -0,0 +1,47 @@
 { lib, ... }:
 {
  services.gitea = {
    enable = true;
    # Migrated sqlite DB and repos; do not provision a fresh database.
    database = {
      type = "sqlite3";
      createDatabase = false;
    };
    settings = {
      server = {
        DOMAIN = "git.chiasson.cloud";
        HTTP_PORT = 3002;
        ROOT_URL = "https://git.chiasson.cloud/";
        # Clone URLs and LAN git@… -p 222 (was Docker host 222 → container 22).
        # Port 222 is <1024 (privileged); systemd must grant CAP_NET_BIND_SERVICE below.
        SSH_PORT = 222;
        START_SSH_SERVER = true;
        SSH_LISTEN_HOST = "0.0.0.0";
        SSH_LISTEN_PORT = 222;
      };
      service.DISABLE_REGISTRATION = false;
    };
  };
  # First boot after migration runs DB migrate + hook regen; default WatchdogSec=30 kills
  # gitea while storage/actions init is still running. Type=notify also fails if startup
  # is slow; PrivateUsers breaks access to migrated files owned by the real gitea uid.
  # Port 222 is privileged (<1024); Docker mapped host 222→container 22 as root.
  systemd.services.gitea.serviceConfig = {
    Type = lib.mkForce "simple";
    PrivateUsers = lib.mkForce false;
    NoNewPrivileges = lib.mkForce false;
    AmbientCapabilities = "CAP_NET_BIND_SERVICE";
    CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
    TimeoutStartSec = lib.mkForce "20min";
    WatchdogSec = lib.mkForce 0;
  };
  networking.firewall.allowedTCPPorts = [
    3002
    222
  ];
 }
@@ -0,0 +1,56 @@
 { config, ... }:
 let
  secretFilePath = ../secrets.yaml;
 in
 {
  sops.secrets."personal-website/database-password".sopsFile = secretFilePath;
  sops.secrets."personal-website/auth-secret".sopsFile = secretFilePath;
  sops.secrets."personal-website/oauth-discord-client-secret".sopsFile = secretFilePath;
  sops.templates."personal-website-postgres.env" = {
    content = ''
      POSTGRES_PASSWORD=${config.sops.placeholder."personal-website/database-password"}
      POSTGRES_USER=chiassoncloud
      POSTGRES_DB=chiassoncloud
    '';
  };
  sops.templates."personal-website.env" = {
    content = ''
      DATABASE_URL=postgresql://chiassoncloud:${config.sops.placeholder."personal-website/database-password"}@personal-website-db:5432/chiassoncloud
      AUTH_SECRET=${config.sops.placeholder."personal-website/auth-secret"}
      AUTH_DISCORD_SECRET=${config.sops.placeholder."personal-website/oauth-discord-client-secret"}
    '';
  };
  services.personalWebsite = {
    enable = true;
    app = {
      image = "ghcr.io/olivierchiasson/personal-website:main";
      ghcr = {
        username = "olivierchiasson";
        passwordFile = config.sops.secrets."swiftshare/ghcr-token".path;
      };
      port = 3001;
      authUrl = "https://chiasson.cloud";
      publicUrl = "https://chiasson.cloud";
      disableTelemetry = true;
      environmentFiles = [ config.sops.templates."personal-website.env".path ];
    };
    database = {
      user = "chiassoncloud";
      name = "chiassoncloud";
      environmentFiles = [ config.sops.templates."personal-website-postgres.env".path ];
    };
    auth.discord.clientId = "1400660345068191855";
    umami = {
      websiteId = "3b2f29d3-11b8-4a3b-bc76-bda3f27926d1";
      scriptUrl = "https://analytics.chiasson.cloud/script.js";
    };
  };
 }
@@ -18,6 +18,7 @@
        ./_services/portainer.nix
        ./_services/organizr.nix
        ./_services/swiftshare.nix
        ./_services/personal-website.nix
        ./_services/immich.nix
        ./_services/jellyfin.nix
        ./_services/nixdesk-nfs-client.nix
@@ -29,6 +30,8 @@
        ./_services/qbittorrent.nix
        ./_services/seerr.nix
        ./_services/dispatcharr.nix
        ./_services/gitea.nix
        ./_services/cloudflare-dyndns.nix
      ];
      boot.loader.grub = {
@@ -1,5 +1,5 @@
 swiftshare:
-    ghcr-token: ENC[AES256_GCM,data:wNzBA8Ib5WjxoKkGiWkfeGspKzy/vzbwwAp/+cjRF9Vsmlyx67OovQ==,iv:MCrkALYCHiPDb1tNQaWRrxuYSRXD6JtzJzEOr1aqhBk=,tag:okQfIP5IJUUIFfwAlZM1ow==,type:str]
+    ghcr-token: ENC[AES256_GCM,data:V/5dLVLv4BbAxdMiBxXgmNbK17HAQkqzHJA2NWzOFfFlcy3dq8SnZQ==,iv:YTB3Bef+kZXunXVUCkFj/YZo1POdx2K+bNvzarSJ1Iw=,tag:HEBT4ZKMXTIy+ZEkNx3rHw==,type:str]
    database-password: ENC[AES256_GCM,data:r9GSaoQ7bS644ipb3kU=,iv:KYDTzYtjfz5meDb0nemY1lhSFEorKHL0hSRIcQaHg5c=,tag:RVjAfb8XGsybAgIc2/hH+g==,type:str]
    auth-secret: ENC[AES256_GCM,data:tTXLMWASBfF49gBFrf+CZ3R4oTt7hEGUhAqEdvoQtm0zbb2VUhTq7y4tH/c=,iv:Halfu9hBex4SEUMHLAicqApTxZP0NV9pJZTr+bBSek4=,tag:1WqN75zT+zoka9sIXOJGfQ==,type:str]
    oauth-discord-client-secret: ENC[AES256_GCM,data:a9Iarcpl1HOFXdsDMh3H662T8yqVvGtfguVICwWVrAg=,iv:LsUserWQcEDV0TiRWj1sHh5/ZiFQzyc1gRWg+Ewwjik=,tag:33Ml08oHVXl0ZMmiwQ2mig==,type:str]
@@ -11,10 +11,15 @@ swiftshare:
    minio-secret-key: ENC[AES256_GCM,data:szkx+MTbMWmfbQ==,iv:+1zlHJRKMR4XDv1rrkOeilz06YA1W/1o+egylm/ZjPs=,tag:70QO3dPp9WRd71Puzl47QA==,type:str]
 immich:
    database-password: ENC[AES256_GCM,data:YWLt2pty/yVrrF7K,iv:uqrQGfST/A6LzRZ4+O0puXA1bd/7CL5A/T7jU+/++X8=,tag:/gNGK3z4RembX+tBET4M5g==,type:str]
 personal-website:
    database-password: ENC[AES256_GCM,data:PR6nNKOqB/SE956hXA4=,iv:/1usgEXfY+ef9bOAaCdjduqBqoonAm5saFBSjdGhm1Q=,tag:mDThIsYVUKyN6vQlh2YYbQ==,type:str]
    auth-secret: ENC[AES256_GCM,data:NHY+0tOA6FRmvkKZ/KgpogwOf+DuF42aoxspPUdVSi/iY5dF2yY8hwHaehI=,iv:9Gv/1YDcU+rMuX3PrwwT97qdsywIn+/wWEk17evyloo=,tag:R6RZbRhyXkwfZ0p/fZ+YcA==,type:str]
    oauth-discord-client-secret: ENC[AES256_GCM,data:YegPgoSRKNcDaID9LPWxHDz4T7VnhFfuWMyALfFhpg8=,iv:VSLWA1HG1+Y70tKnRoFulBZSKdoJTYmIDzCXIZeFYCc=,tag:yNR8rrm/7Mrj/RIVNLFfsg==,type:str]
 cloudflare-ddns:
    api-token: ENC[AES256_GCM,data:wFKbclETO0YQTcfNUdKyr6mxQODeiaYn3gLeC1mWeRda97rOvlum+Q==,iv:IuT4exNhh0z+9DbY3WNnVqEy4398DTm7aluhOv9XFss=,tag:GGPoSJLBScTmXyQ7Vab6EA==,type:str]
 sops:
    age:
-        - recipient: age1yyzgmazjxkvwtfcv9re3lqmt2ru5dcrfu3sauysm0wzfwzvyap8qkjkq32
+        - enc: |
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVWpFK2RRSHRxVFVSdEdI
            S01BSEZQUTZCV0tvM1lpSFNYc3g3ek5QNjJrClNyVUtKYnRtWVRYRkE2SStWRVRR
@@ -22,8 +27,8 @@ sops:
            ZUpnemRBSmlSZVpmRW0wNFhIK3BibVkKdD14ki8dJbYMjsBkC1Nm5TOM6M33eLJ6
            IUrKDWeZXEVe2sMhBb31Zv+tinwtHSsvpxDIsjstpxtH+5wTyoQVdA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1elk6zwmcylwfk7gd4pjda7g29upftjvxys8py42s8d42jklnyv7s7dm9z2
+          recipient: age1yyzgmazjxkvwtfcv9re3lqmt2ru5dcrfu3sauysm0wzfwzvyap8qkjkq32
-          enc: |
+        - enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bFJDNDdsWGIzMDl3TmRr
            MStsZVFRa1dIVmJGU3krWWlpc2FZMU9EREF3CkdDZFc0Y3ZIMVZxNHorWFRHaWwy
@@ -31,8 +36,8 @@ sops:
            NUZIYnZIMDRWTXpwTURMc2tzelp3VjAKHHBkHhz+t03W0ojsOBB2i3K4ZMUXvrwF
            4mjNqNBcAJ1uHgJP7qvpNjxEW1LcsdQKmXavoqizX+XfLaA3zEwB0Q==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1p05z980kdtngk9mw67hfev72h7xhslplpxfk9yskgmf0hl4lu3ls04zht9
+          recipient: age1elk6zwmcylwfk7gd4pjda7g29upftjvxys8py42s8d42jklnyv7s7dm9z2
-          enc: |
+        - enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTWR0N3UwdTB0UDZxRmV5
            R3dkYUhZaElMbkxxSllTNWkrb05VSkJrMUNRCjZTUTlvVTU2MHY5ZS9oU2pCSlFu
@@ -40,7 +45,8 @@ sops:
            WWZwbkR4dTFjK2NZcW9pTTNHd252N3cKiz8l9AWciFOBU+wcT9T1WA4bToPYfq8G
            Nf0uOoSWPTJ/2SRNkSu7FMumATH4ldQ6TFSwKda3mBfBwhnFzLq10Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-30T18:45:45Z"
+          recipient: age1p05z980kdtngk9mw67hfev72h7xhslplpxfk9yskgmf0hl4lu3ls04zht9
-    mac: ENC[AES256_GCM,data:DD9NZcYQVSByaQvGAB7b/Wpk7SWBBsWtzAM9MkIHMmyxNomiPPUFQR6+18QDUCHQXk1xXMUi79bnTRz8SdoBXVjbHG8Qhy3n6D1sFeEgXC42pgem7hBPfmJlgcIPNYEguXPISLsp/Zx9ISEnH5Zul0v8/G2ACN7Y/U3jtaHx4U8=,iv:g1k16EhTR+t9jCpvhmiXYZV99aMk1DrS4frpl5q93lM=,tag:FigaXNw+IbpZ7E0a+ySb3g==,type:str]
+    lastmodified: "2026-05-28T21:04:07Z"
    mac: ENC[AES256_GCM,data:L53UYFh5xtuMx19GKAg3jW7U0/DlwJ2usy/pup+4t1HQN3KHxMwbc4BzLYkLnRBTwKMJdfKXiYmmYiYvfbbWzsPtfXLxPnF/5ROiCJ2NlxAe86SmRy2nI++eTHAXRgexIhYyL7SchsroGRvW2B3aL1jV+Eu11fD9trA9Ex1EfuI=,iv:XrRJCFSgwW2+N+4FnWrFFZz8UEVzhuhpRtHGtf8dyqc=,tag:LcO4+ilwKdU+JPyjyKaGNw==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.12.2
+    version: 3.13.1
@@ -0,0 +1,69 @@
 { self, inputs, ... }: {
  flake.nixosModules.r5500Configuration =
    {
      self,
      config,
      lib,
      pkgs,
      ...
    }:
    {
      imports = [
        self.nixosModules.r5500Hardware
        inputs.sops-nix.nixosModules.sops
        self.nixosModules.system
        self.nixosModules.users
      ];
      boot.loader.grub = {
        enable = true;
        efiSupport = false;
        device = "/dev/sda";
      };
      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = true;
          KbdInteractiveAuthentication = false;
          PermitRootLogin = "no";
          UseDns = false;
        };
      };
      sops = {
        defaultSopsFile = ../../../secrets/secrets.yaml;
        defaultSopsFormat = "yaml";
        age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      };
      sops.secrets."users/server/hashedPassword".neededForUsers = true;
      security.sudo.wheelNeedsPassword = true;
      nix.settings = {
        experimental-features = [ "nix-command" "flakes" ];
        trusted-users = [ "root" "@wheel" ];
        allowed-users = [ "root" "@wheel" ];
      };
      chiasson.system = {
        networking = {
          hostName = "r5500";
          networkManager.enable = true;
        };
        extraPackages = with pkgs; [ btop git ];
      };
      chiasson.users = {
        enabled = [ "server" ];
        hostOverrides.server = {
          hashedPasswordFile = config.sops.secrets."users/server/hashedPassword".path;
        };
      };
      services.xserver.enable = lib.mkDefault false;
      system.stateVersion = "25.11";
    };
 }
@@ -0,0 +1,13 @@
 { self, inputs, ... }: {
  flake.nixosConfigurations.r5500 = inputs.nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    specialArgs = {
      inherit self inputs;
      host = "r5500";
      system = "x86_64-linux";
    };
    modules = [
      self.nixosModules.r5500Configuration
    ];
  };
 }
@@ -0,0 +1,51 @@
 { ... }: {
  flake.nixosModules.r5500Hardware =
    {
      config,
      lib,
      pkgs,
      modulesPath,
      ...
    }:
    {
      imports = [
        (modulesPath + "/installer/scan/not-detected.nix")
      ];
      boot.initrd.availableKernelModules = [
        "uhci_hcd"
        "ehci_pci"
        "ahci"
        "usb_storage"
        "usbhid"
        "sd_mod"
      ];
      boot.initrd.kernelModules = [ ];
      boot.kernelModules = [ "kvm-intel" ];
      boot.extraModulePackages = [ ];
      fileSystems."/" = {
        device = "/dev/disk/by-uuid/934a5ec3-4bab-49c3-96c9-c857c50076ba";
        fsType = "btrfs";
        options = [ "subvol=@" ];
      };
      fileSystems."/home" = {
        device = "/dev/disk/by-uuid/934a5ec3-4bab-49c3-96c9-c857c50076ba";
        fsType = "btrfs";
        options = [ "subvol=@home" ];
      };
      fileSystems."/boot" = {
        device = "/dev/disk/by-uuid/6399d086-687b-4ca9-ad34-da1dd85203d5";
        fsType = "ext4";
      };
      swapDevices = [
        { device = "/dev/disk/by-uuid/ddb9fea1-7c44-44bc-bc74-79a3adb6cc35"; }
      ];
      nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
      hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    };
 }
@@ -37,6 +37,12 @@
          aliases = [ "nix-server" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3KDicMjtOFR6LfZrFzfAD1gdYUdwv6ZM4PSgtmIuzd nix-server";
        };
        r5500 = {
          hostName = "192.168.2.100";
          aliases = [ "r5500" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7iWCEtkYDLZFRF3w1gzyAok5VCAGUOwu4iWZdMjf3D r5500";
        };
      };
      mkIdentityFileName = hostName: ".ssh/id_ed25519_${lib.strings.toLower hostName}.pub";
@@ -55,10 +61,10 @@
        );
      # Must come before inventory `Host` blocks and before `Host *`: LAN Gitea SSH is not a catalog PC,
-      # and `Host *` sets `IdentityAgent none` — without this, git@192.168.2.103 never sees rbw keys.
+      # and `Host *` sets `IdentityAgent none` — without this, git@nix-server never sees rbw keys.
      giteaSshBlock = identityAgent: ''
-        Host git.chiasson.cloud gitea casaos 192.168.2.103
+        Host git.chiasson.cloud gitea nix-server 192.168.2.238
-          HostName 192.168.2.103
+          HostName 192.168.2.238
          Port 222
          User git
          IdentityAgent ${identityAgent}
@@ -21,6 +21,7 @@
      self.nixosModules.systemPalera1n
      self.nixosModules.systemCaching
      inputs.swiftshare.nixosModules.systemServiceSwiftshare
      inputs.personal-website.nixosModules.systemServicePersonalWebsite
      self.nixosModules.systemServiceImmich
    ];
  };
@@ -88,6 +88,39 @@
          '';
        };
        sunshine = {
          enable = lib.mkEnableOption "Sunshine — self-hosted Moonlight streaming host";
          openFirewall = lib.mkOption {
            type = lib.types.bool;
            default = true;
            description = "Open Sunshine/Moonlight ports via `services.sunshine.openFirewall`.";
          };
          capSysAdmin = lib.mkOption {
            type = lib.types.bool;
            default = true;
            description = ''
              Grant CAP_SYS_ADMIN to Sunshine for DRM/KMS capture (`services.sunshine.capSysAdmin`).
            '';
          };
          autoStart = lib.mkOption {
            type = lib.types.bool;
            default = true;
            description = "Start Sunshine with the graphical session.";
          };
          cudaSupport = lib.mkOption {
            type = lib.types.bool;
            default = false;
            description = ''
              Build Sunshine with CUDA/NVENC (`pkgs.sunshine.override { cudaSupport = true; }`).
              Enable on NVIDIA hosts for hardware encoding.
            '';
          };
        };
        launchers = {
          enableBottles = lib.mkOption {
            type = lib.types.bool;
@@ -128,6 +161,17 @@
            dedicatedServer.openFirewall = cfg.steam.dedicatedServer.openFirewall;
          };
          services.sunshine = lib.mkIf cfg.sunshine.enable {
            enable = true;
            openFirewall = cfg.sunshine.openFirewall;
            capSysAdmin = cfg.sunshine.capSysAdmin;
            autoStart = cfg.sunshine.autoStart;
            package = pkgs.sunshine.override {
              cudaSupport = cfg.sunshine.cudaSupport;
              cudaPackages = pkgs.cudaPackages;
            };
          };
          hardware.graphics = lib.mkIf cfg.graphics.enable {
            enable = true;
            enable32Bit = cfg.graphics.enable32Bit;
@@ -12,60 +12,69 @@ caching:
        token: ENC[AES256_GCM,data:8omssG3GwCFIegfz+8IAGGhFGj01RB3dqqHeFpmZOzMJUshIDvSRuTTpGFhUBC7Xue8h09hAhpirIHmqzyG3I+e2Se/VZZoByXmpyIKesl3+NqOXDkJvgImqhvFVkTiSe5p/vSN3slWDylfkThQ0hZYw5mB9J13M5965iUnWcRbg+1fYFdTuSgrHY8Rxt4da0287A0YGnsN63k7j32XOJndxsRoOLoo+IQ+X+hiPOJkfGYxY0MglnxaxhPwH8SP1V+p78N75Z2npOtMdEikdHmj/NmKbqUXN2P0+IXthxV17WePCulZVsKC1Jw+clgbyAvHcQeVG/yyrcb1CRRQpszHtq1Pz7DHvfAG+gxyPNyP7D6oQNT8foX4C6CwuHgYQtM1x0D6oAL+lppQWJ0kEV/GDlJSXQnp/aBbVAqDmqS0TCx40nVmQ0PvMcjtsiZJigkRJRNLCg6n+qmhc5Rh9RhslPN5JXU0orWs9QYAoLXzdDDGP/R9tlEhwQBxwGrFAp016iilqPavMdI8txrWWdvezQuAh//eeW5LQSa6t363VCjX8phnXeJltOgXYlyuKnCCmv0a6XwhmT0PA+32/F0BxTf9lcZConpurlvOHdznaVeUXcFOEwKouDC7smPIZZqcRU8OIbWs7YXqMgatgb/bJVtB0P0Avsj9t9Uz8Dv8xBV+90U5qwM7HV16FIERorDquzgKFcvtb8/QfjTINoswpHZKNCbmQPxfJYPheJFwMQGFn+b+ecv+Z7qng9JEujJSNtEPv2CIuVmSxZJaU5g2CMu3rFGIA3qF81Bf1Ri8n+KYWgOKpQt11nClouv2XePO8JKI6fslF411zJ8zD4E/6Qg95UWhLh0RG2cXzYSXXvrpXDlIe9spc4OLuj4tFtXkiZZvfM5MgRTtoh93soypUpEbswTji2UprC3OPikjIIW49YysGVsH2100/67HbtinRoazM1M+DjaD2pMryx7kW/oVpyaW61wiqtHk9nq8vqROLWBhQxzGSh9157z/46AT+8PN89gFh5uNdFuhFz8e8/HIV3HtIrzrtR+flJfHJ1ZT5dhTDicSMiC/DhG/hupX4GHGX6zlaMgBqB8bKxxvs+v0iHfSkDIkuenZ+nTD72DP5yuIQVIwGV16CZA6rusjb1zLn6QYpvQtCuqlih+epsGNEYP6B3rvNMc/N7JcwY4YMTK+C46EC9mXhpfPn0a5OdD4kQ6s=,iv:+g9W5MzgtLppD1K3dZ/tCuaMxaa194W3Lf23/jUmDvk=,tag:5uVwIOkB2+MRHPGlKGQtGg==,type:str]
 sops:
    age:
-        - recipient: age1yyzgmazjxkvwtfcv9re3lqmt2ru5dcrfu3sauysm0wzfwzvyap8qkjkq32
+        - enc: |
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtc25Wd0dlZldBVHZKTDRW
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTmhhd2M0M1ZsdEtReUFM
-            ZlVHamluT0hPbVArdWx0Qlk5czR6ZldIaEhRCnVkUVp6cHRwdnNsRDBhV285Q0tV
+            MEs0SHZ4dUkxNWdUZjBoSFVQd0RvZTdWVndnCitxNGRGUWcwWWpZcytpUzhOcCtF
-            RitNWHNrUy9pN0dpanFSVHJjK0VuM1kKLS0tIHVLRWFRNmZyR2JOR3FwYjZsME9v
+            SHRoSzZkcWVnZzdrL0JoVkk0cTlSbWcKLS0tIGFCUFd6WXpxVWg2MVFCcnJ1Qklp
-            L2ZKbFIydkJ5L25GSWFBamhtbHZXV0UKAPIGMBbIdR7sCxsCYJa/9kajqmceOAJa
+            TDBBc21HWHJiZkZPZ3ZyWFhOeEFaT3cK5SFqqR2Fc6o/RTDPkly6xS+hEY331ws6
-            /jjxxcaWDkv5cmq0u8qFZEDkTjY3PKoJofBcx5q0npuJmrIA/oLeJA==
+            8KIGxGXC9iO7ExGOD5nzLzFJmjZzfp6IIvdQ0rzkJY4C1vKW1pPZMw==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1elk6zwmcylwfk7gd4pjda7g29upftjvxys8py42s8d42jklnyv7s7dm9z2
+          recipient: age1yyzgmazjxkvwtfcv9re3lqmt2ru5dcrfu3sauysm0wzfwzvyap8qkjkq32
-          enc: |
+        - enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcm5rZmtlUy9yQSs3Vnhh
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeWEwQ0o4TDZkSFI4WGFZ
-            eDVYaUxvcCtMYXhEa0ViTmFYK3JONnFsTWw0Cmdad2ZKdGcxeGQzeGVnTXRUeGJZ
+            QXZIVGQ4ajI5SFpLczJpZHh3Tm9lMkZ6K1dBCjhWeDVWcVNWM01maXVDdTRYRzI4
-            R1kxQ1ZDK0FsQzc4S1EwMFN4VVZaTzAKLS0tIDJ5S3QycG5ZdThIVlZEVjBnMG9K
+            OUk0c0czSzNhVWxkUWdIU3JCaytZdkEKLS0tIHpBNzdpT0oxNkhBalVXYkpzRitn
-            V1RSem1LdWpKT2o2aHh5dC9wVGJRakUK+5/eE+9WtSXmwoJ2Nqk4ni01GS4c3gLQ
+            dXRWUmxmTFNnYm5ZbzFYMjJ5THJlQ3cKn6AZhiS/eqvmsFbKkv79sE198ywNeNZf
-            p+wcpiOsxwnnisZTxag2yCn4hlv6FcOUWOcISq5H/sxwKgjBaeeuRQ==
+            BQJSQ353CmJQ7z7uL0m+/96aeaUu9Kjk37bPeMmxrXhhW7Kvwzwuiw==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age193gw802ytal7h5p5q37kpd9079k2vsflzmnvupcwfxh2kjdrwqtsk3g6rm
+          recipient: age1elk6zwmcylwfk7gd4pjda7g29upftjvxys8py42s8d42jklnyv7s7dm9z2
-          enc: |
+        - enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TjZVN3dFbmg5MGhNVFdD
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbDY1WXl5Wk81Rk0zOXE4
-            YTZ4WVdOUWRGTzkrUmRGVUpobmg0Y0ozaUFNClh6cXhKWVkxcTlRYmZ5NmNqeEJJ
+            dGczVWZQZW9pMkxrZUdIWUg1V0EzQVdOb1Y0CmxYMnR1RDk4TUVCQm4xVWlnMHNB
-            YzdYR1FyRExabXBDSnVSbXNxZy91am8KLS0tIHZLa0dXWHZhMDU5Q3BNR2U3NG00
+            eSs2QVZpQy83KzZMZDAzbGRkR2xmQ0UKLS0tIE5GNFRTWDhFQ1IrZUY0Si96UUhp
-            eFp4Vmxha0xOVTVwd09PVzgrdzFNL2sKDEofAS4W4i8+VBU0wl1yTWmOogNbGHhY
+            WXc4djdTVmp1bG5kN3ByTHViVy81R1kKGEgUjmwNtL7CFqILNWUEh2mHM4C3L9de
-            azvb0QmxrYpurxjep3BYsc/5Co6U4mwowidoyzQLsiBJWDWy3wPdLQ==
+            FBoqaUvE9Dc8lmxjicKKAlnf2ZbwTZ6+Iv2I+KLakjFMznSi4QFO0g==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yr7vurfxc3w8ewfw9djfm54atw6ayze69qglamecuft5q0n9gu2sadsa2m
+          recipient: age193gw802ytal7h5p5q37kpd9079k2vsflzmnvupcwfxh2kjdrwqtsk3g6rm
-          enc: |
+        - enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2d3dLVitDTVpyNllCTEJN
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZmxST1V3WXN1N01VaE16
-            R1RLc2NkRnBrandDakhxeTJWeEdMVkZyS0JRCnl5Uk9FSk1iZmxCZUI1ZWdmYlJa
+            Njd3S2kzT1l1R2o5TXErYXIyTEo2ZWxNemxrCm5QZG92WDBjNzNLRUxqZ2txLzNz
-            dEFlbjkxYjI4Y2FDZmswOGZqMUxGUXcKLS0tIGdqVWNaU1NWcGs4QXZyTkc5Z2VK
+            dUU3cURjN1Y3d2ZBMHZuV0hOUWFsVzAKLS0tIG85TnBvL0F2dzBTdHQwdmZoOFhs
-            MGpaWmtHdzdpRDJxQXNveTd5WFkzTTgKxKuoC36uLqy+QoSGVcQekv5wn69yF0qH
+            d2F5QWsxaUR0M2x1M1RVaHp0ZG1vVlkKtrMg6lwXFrXyZiweS6C1a46/Z5oDbHpm
-            2qZPAm3wnf0KzZ8Wo/B8nXkjkq4llfKHbwfePiMRL4RObKXAejYhLA==
+            FJ7xh8z3fPGRsoDWa/Qet8seNgIbLfAgyQvtIzKiKDTat4f73WIrsw==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hya7pgpe8zal52w3pjf036tpapmehedatfm4r84h30t4wuh079ssedfd37
+          recipient: age1yr7vurfxc3w8ewfw9djfm54atw6ayze69qglamecuft5q0n9gu2sadsa2m
-          enc: |
+        - enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4am5wWWRkL3J0dlZVaWJR
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TDhIdDRXVmgyVVZHQXp5
-            eVdMNnhTdGJqeFlNdnppTHNLdjdjcVNYbUQ4CjcwdGM5Nmdvck1wb0RSRjMwL01D
+            N3dlTXBZb0E0bEtuZ2RFN3pQYkZWK25SbEg0CkFaMXRleFBISFAvSzNSSGpBbFVo
-            STlFdkdDallLLzNnbGY4WndiLzdRMzAKLS0tIHRENzRFTVA2MWE5djVHUy9peVdG
+            eTgxZitQNmZmYWx0a2dPcjRMdGpzNDQKLS0tIHpOTmtCM2lCS0NkZ2cvb0loK0pt
-            dkZDTTJvWU1vZHN2ZUR1R1Z3UWpkSlEKjo621j7xjyyHcc/ij8/X0H5uNLD6SnZa
+            RTBMdHdnTnFBT2IzQ3JvWWpmZStFSTgK6CxSfV6tlejPie4xKiVUnEhpH7DYJ2lu
-            o+apPj44+fTJFL5+VjP/XOsx0rCKTQhnV0gGfZU2SPtfH2BUiDjV0g==
+            9U9bw7i3qKvjSlFQBYghF0P4EK32k3x8lkAucK3m3ub8+wbunOJWTg==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1p05z980kdtngk9mw67hfev72h7xhslplpxfk9yskgmf0hl4lu3ls04zht9
+          recipient: age1hya7pgpe8zal52w3pjf036tpapmehedatfm4r84h30t4wuh079ssedfd37
-          enc: |
+        - enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5YmF1K1ZtQmhoMGRVM0Fk
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbW1GSERmWGNvK2dCRjVC
-            bW1PL0RPQ1ZUZEg4VU5VUi9BdlNhM2hPZkRNCnVIaUJJR1dFeXA1SWk2UFBkQW9a
+            M2U1SERPU3dGRnlwRmV4bHdNd3RxYzJ2YWk4Cm52bXZuYkt4dlEvbVA0cm51cmRX
-            cjc4bFRDb2p0eXJodG5IWk01ekdCdG8KLS0tIHFzU3l3WGcyTmZ0QjRyTmQwcDRZ
+            MW1NYXllU1MwdE5jeEI4VmU5TytjcDAKLS0tIHNPOTIyN0ZlSHI3M0F3S01POGZF
-            Mnp5K1VjcncrWWt4SEUrUVlCTTc3OVkKtRqPoatEp8NvZW4Z73nfCUshdz90SCad
+            RFM3NndnWSt4NnM5TkcyeXRmUFB1Q2MKDCuWlWqV/Dogr6wXDb02BGrsnpyGe22D
-            VFgYF/2DYc7lSDP7otbsjBzGlauQQTWF1wfgEVOkw2EzOt2LCoflbg==
+            ivWjVoYx5ClxlKyt7Xuies9fLNjRTVfjJFD5DQTinSPjxrusJg0O5w==
            -----END AGE ENCRYPTED FILE-----
          recipient: age1p05z980kdtngk9mw67hfev72h7xhslplpxfk9yskgmf0hl4lu3ls04zht9
        - enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UkhFTld1T2x4bEZ0Mldy
            dmZ4b3UzaHgxN2FUenBaVFRFY0puZlVVM2dRClVMK3VCM0w3cUM5Um90YmM1TUhu
            Vk5wMm4vZXNsTnlQWFV0ZG1tS25UWkkKLS0tIDR3d2NmZjVzUEF2aHN3NW05bGVp
            L0NHbUF3NzJ3NUtnZFVRMVdLa2ZtWWcKzuMx/jDuZ3z7IPPvAmcYyjLi4c3Toj7a
            6POXxpxjGhlWJaV47jqeN+7mQY2oTHE/x4raoX/KA2ouXL29K8QpmA==
            -----END AGE ENCRYPTED FILE-----
          recipient: age1pewusvlcgzcnk0kpskgc9qr6jlq8s2yzwnqrnh84p7v5z0kj3qhsya8h2x
    lastmodified: "2026-03-24T00:15:02Z"
    mac: ENC[AES256_GCM,data:dYTwO5DtkKinTKfBXGuvXRFxl8yavxXMKTw27M5/GcK/kkstHBG119IRk9B9KC6s6IHTY81U3MeUxE9XwdBiE7q4m15+ZO2vmdBVhN8wAh+82P9BP0HSaxLkjWLeKWBfULyLX/YXmQVsr09/NUEVSZcugJ6m40Ta+X9AQgO+cyA=,iv:FmsznsKTuIr61s3Zn0QZKSKvb/e2AljEB1ijKE52RKk=,tag:rHF2Xi4iP9VF33rxpBr5pg==,type:str]
    unencrypted_suffix: _unencrypted
Author	SHA1	Message	Date
Olivier	dcdd2c2d90	Rebase to flake parts #13	2026-05-30 21:26:13 -03:00
Olivier	9a4ed1b04b	Rebase to flake parts #11	2026-05-29 00:08:10 -03:00