improve a bit the monitor infrastructure for containers

This reverts commit 325f07bdd8.

flake.lock

@@ -173,11 +173,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1711934712,
-        "narHash": "sha256-sBDe+QmX/QohlnKeSEzrftcXyZL5FY09OMjZ59Rpyy4=",
+        "lastModified": 1715217706,
+        "narHash": "sha256-yEB5SEHc+o3WJpUPw455OdLy9A+gffvCJX8DZ7NCkuo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "611c9ea53250f7bb22286b3d26872280a0e608f9",
+        "rev": "8eb1b315eef89f3bdc5c9814d1b207c6d64f0046",
         "type": "github"
       },
       "original": {
@@ -732,11 +732,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710888565,
-        "narHash": "sha256-s9Hi4RHhc6yut4EcYD50sZWRDKsugBJHSbON8KFwoTw=",
+        "lastModified": 1714043624,
+        "narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "f33900124c23c4eca5831b9b5eb32ea5894375ce",
+        "rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
         "type": "github"
       },
       "original": {
@@ -774,11 +774,11 @@
       },
       "locked": {
         "dir": "nix",
-        "lastModified": 1707655140,
-        "narHash": "sha256-CP7Te/8N0ETEmxX08assyFzwymNR7FjoWJOLh7VRfEU=",
+        "lastModified": 1715058553,
+        "narHash": "sha256-5y87n9v8WJ921Q6hMFGIYq1g/HaZHoopTuzDk4SvrfQ=",
         "owner": "kmonad",
         "repo": "kmonad",
-        "rev": "70a5e97518c87ff52be4b403d774e88c5c61e3c1",
+        "rev": "8efcc8f7f7369a5e684d201c0263416db2a5df60",
         "type": "github"
       },
       "original": {
@@ -794,11 +794,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1669559123,
-        "narHash": "sha256-Iek82mEI2kk2fTJbFHvPcMl0oOscBPhFjU9mMaCSWiw=",
+        "lastModified": 1709213960,
+        "narHash": "sha256-8j4E+jKw5pHiGlEXKxRBauZ14AWhnPE70+BKMkgCy+k=",
         "owner": "mrVanDalo",
         "repo": "landingpage",
-        "rev": "2b46eb76d16988eb92daa1afc8849bde1002dc4b",
+        "rev": "300490e475978c0418ecfe995538e58527fdadf8",
         "type": "github"
       },
       "original": {
@@ -851,11 +851,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1711099355,
-        "narHash": "sha256-01tynRAW0yMboJfgwgZFLBjnD6e8OiCuNRoxGn62axE=",
+        "lastModified": 1715150548,
+        "narHash": "sha256-pb2xIGuzzkPOjUlZnBahpfQWVvtCSOcW8vLL7rQUiEY=",
         "owner": "nix-community",
         "repo": "nixos-anywhere",
-        "rev": "c34fd217b1765c9e92845051069f49560a52b8d6",
+        "rev": "242444d228636b1f0e89d3681f04a75254c29f66",
         "type": "github"
       },
       "original": {
@@ -866,11 +866,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1711352745,
-        "narHash": "sha256-luvqik+i3HTvCbXQZgB6uggvEcxI9uae0nmrgtXJ17U=",
+        "lastModified": 1715148395,
+        "narHash": "sha256-lRxjTxY3103LGMjWdVqntKZHhlmMX12QUjeFrQMmGaE=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0",
+        "rev": "a4e2b7909fc1bdf30c30ef21d388fde0b5cdde4a",
         "type": "github"
       },
       "original": {
@@ -1023,11 +1023,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1711819797,
-        "narHash": "sha256-tNeB6emxj74Y6ctwmsjtMlzUMn458sBmwnD35U5KIM4=",
+        "lastModified": 1714858427,
+        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2b4e3ca0091049c6fbb4908c66b05b77eaef9f0c",
+        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
         "type": "github"
       },
       "original": {
@@ -1039,11 +1039,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1711703276,
-        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+        "lastModified": 1715266358,
+        "narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+        "rev": "f1010e0469db743d14519a1efd37e23f8513d714",
         "type": "github"
       },
       "original": {
@@ -1102,11 +1102,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1711668574,
-        "narHash": "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg=",
+        "lastModified": 1715218190,
+        "narHash": "sha256-R98WOBHkk8wIi103JUVQF3ei3oui4HvoZcz9tYOAwlk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659",
+        "rev": "9a9960b98418f8c385f52de3b09a63f9c561427a",
         "type": "github"
       },
       "original": {
@@ -1148,11 +1148,11 @@
     },
     "nixpkgs_8": {
       "locked": {
-        "lastModified": 1711715736,
-        "narHash": "sha256-9slQ609YqT9bT/MNX9+5k5jltL9zgpn36DpFB7TkttM=",
+        "lastModified": 1714809261,
+        "narHash": "sha256-hfBmnYFyz9I1mdrC3tX1A+dF9cOUcds5PIMPxrT+cRk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "807c549feabce7eddbf259dbdcec9e0600a0660d",
+        "rev": "d32560238207b8e26d88b265207b216ee46b8450",
         "type": "github"
       },
       "original": {
@@ -1164,11 +1164,11 @@
     },
     "nixpkgs_9": {
       "locked": {
-        "lastModified": 1711853880,
-        "narHash": "sha256-5SBhzEHQW8RxQ+hjHvVXGB7dIYykLYkMtV0yZdJiObc=",
+        "lastModified": 1715142527,
+        "narHash": "sha256-8OCDTDZzmkhoJ0HzZd/wkUfdAES9e0Jsp3qb5sM/Jys=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cd1c70d941d69d8d6425984ff8aefca9b28e861a",
+        "rev": "0efaf283bd6e3b9ecf6e961d2305bf2e1a9f49c9",
         "type": "github"
       },
       "original": {
@@ -1271,12 +1271,12 @@
         "rev": "13176fcd5b4689d1b15f1f9d19e946fff45dc3c3",
         "revCount": 28,
         "type": "git",
-        "url": "ssh://gitea@git.ingolf-wagner.de/palo/overviewer.git"
+        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/overviewer.git"
       },
       "original": {
         "ref": "main",
         "type": "git",
-        "url": "ssh://gitea@git.ingolf-wagner.de/palo/overviewer.git"
+        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/overviewer.git"
       }
     },
     "pandoc_template": {
@@ -1352,18 +1352,18 @@
     },
     "private_assets": {
       "locked": {
-        "lastModified": 1702625488,
-        "narHash": "sha256-IPSyCKFKk6y/lEpzZKd5YiQuzZRqZKBqDS8/EyJXdHU=",
+        "lastModified": 1715197334,
+        "narHash": "sha256-8rVZd6msm8rvU49XdAmj0rN/ZRBo/tk72RI+k49PitI=",
         "ref": "main",
-        "rev": "a80acb46535c5efa69a0aa982d92e2efd1f1f377",
-        "revCount": 18,
+        "rev": "0ec2e8c4fbc36151811f5b9e68f59cdccc5a26eb",
+        "revCount": 21,
         "type": "git",
-        "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-private-assets.git"
+        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git"
       },
       "original": {
         "ref": "main",
         "type": "git",
-        "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-private-assets.git"
+        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git"
       }
     },
     "retiolum": {
@@ -1470,18 +1470,18 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1710548525,
-        "narHash": "sha256-eUaVC7nx4SyC50bVFkSzasxpN7SEnlCDqrn990BbimM=",
+        "lastModified": 1712505515,
+        "narHash": "sha256-XvuG5hC5EKAcie8dycZ7x5myPrObCkrCfUNkH/rsiTE=",
         "ref": "main",
-        "rev": "f169cfe831df94a9b6eacb3c310f89d469e32b53",
-        "revCount": 65,
+        "rev": "edb5928f4d18aa58856b695139fc20a77c8763d5",
+        "revCount": 66,
         "type": "git",
-        "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
+        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-secrets.git"
       },
       "original": {
         "ref": "main",
         "type": "git",
-        "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
+        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-secrets.git"
       }
     },
     "sln-mode": {
@@ -1529,11 +1529,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1711855048,
-        "narHash": "sha256-HxegAPnQJSC4cbEbF4Iq3YTlFHZKLiNTk8147EbLdGg=",
+        "lastModified": 1715244550,
+        "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "99b1e37f9fc0960d064a7862eb7adfb92e64fa10",
+        "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
         "type": "github"
       },
       "original": {
@@ -1547,11 +1547,11 @@
         "nixpkgs": "nixpkgs_9"
       },
       "locked": {
-        "lastModified": 1711932894,
-        "narHash": "sha256-aiMc4JHJU72cbkeHPDBE8pQEOel/RrW8YkGXelRvFn8=",
+        "lastModified": 1715216666,
+        "narHash": "sha256-0aTe4zSO5t6Wn+gaW5Bwr+84INd7htOdn3sdmE6/uC0=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "e5a5f15acaff9daa69e7ef5596f6985ec695685f",
+        "rev": "65d83b87b55c9618cf02aa9b9c08ec8adaa08c9d",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,7 +2,7 @@
   inputs = {
 
     secrets = {
-      url = "git+ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git?ref=main";
+      url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-secrets.git?ref=main";
       flake = false;
     };
     nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
@@ -46,7 +46,7 @@
     };
     private_assets = {
       #url = "git+file:///home/palo/dev/nixos/nixos-private-assets";
-      url = "git+ssh://gitea@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main";
+      url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main";
       flake = true;
     };
     retiolum = {
@@ -86,7 +86,7 @@
       url = "github:mrvandalo/taskshell";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    overviewer.url = "git+ssh://gitea@git.ingolf-wagner.de/palo/overviewer.git?ref=main";
+    overviewer.url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/overviewer.git?ref=main";
   };
 
   outputs =
@@ -152,7 +152,6 @@
               legacy_2305 = nixpkgs-legacy_2105 { inherit system; };
               polygon-art = polygon-art.packages.${system};
               landingpage = landingpage.packages.${system}.plain;
-              trilium-server = nixpkgs-unstable.legacyPackages.${system}.trilium-server;
               kmonad = kmonad.packages.${system}.kmonad;
               tasksh = taskshell.packages.${system}.tasksh;
               overviewer = overviewer.packages.${system}.overviewer;
@@ -197,7 +196,8 @@
                 sshUser = "root";
                 buildOn = "remote"; # valid args are "local" or "remote"
                 substituteOnTarget = false; # if buildOn is "local" then it will substitute on the target, "-s"
-                hermetic = false;
+                #hermetic = false; # ??? don't know what this is
+                nixOptions = [ "--max-jobs 1" ];
               };
             }
             {
@@ -266,8 +266,13 @@
             package = pkgs.noto-fonts-emoji;
             name = "Noto Color Emoji";
           };
+          sizes.popups = 15;
         };
 
+        home-manager.extraSpecialArgs = {
+          inherit private_assets;
+          assets = ./nixos/assets;
+        };
         home-manager.useGlobalPkgs = true;
         home-manager.useUserPackages = true;
         home-manager.sharedModules = [
@@ -333,7 +338,7 @@
             modules = [
               nixos-hardware.nixosModules.framework-12th-gen-intel
               retiolum.nixosModules.retiolum
-              private_assets.nixosModules.jobrad
+              private_assets.nixosModules.cream
               homeManagerModules
               { home-manager.users.mainUser.gui.enable = true; }
               {
@@ -359,6 +364,7 @@
             modules = [
               homeManagerModules
               retiolum.nixosModules.retiolum
+              private_assets.nixosModules.chungus
               {
                 home-manager.users.mainUser = import ./nixos/homes/palo;
                 home-manager.users.root = import ./nixos/homes/root;

nixos/assets/0001-make-atuin-on-zfs-fast-again.patch

@@ -1,6 +1,6 @@
-From b75e6fd3159896966dce2cf3af5b5be7e286ce1a Mon Sep 17 00:00:00 2001
+From 4797a2f62ab3d2716d313aa4a3170ba9672a93b6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
-Date: Mon, 6 Nov 2023 15:56:26 +0100
+Date: Fri, 22 Mar 2024 08:46:07 +0100
 Subject: [PATCH] make atuin on zfs fast again
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -8,38 +8,38 @@ Content-Transfer-Encoding: 8bit
 
 Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
 ---
- atuin-client/src/database.rs            | 3 ++-
- atuin-client/src/record/sqlite_store.rs | 3 ++-
+ atuin-client/src/database.rs            | 4 ++--
+ atuin-client/src/record/sqlite_store.rs | 2 ++
  2 files changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/atuin-client/src/database.rs b/atuin-client/src/database.rs
-index c4b45302..29006d59 100644
+index b0bcae31..d8db492b 100644
 --- a/atuin-client/src/database.rs
 +++ b/atuin-client/src/database.rs
-@@ -130,7 +130,8 @@ pub async fn new(path: impl AsRef<Path>) -> Result<Self> {
+@@ -137,9 +137,9 @@ pub async fn new(path: impl AsRef<Path>, timeout: f64) -> Result<Self> {
          }
- 
+
          let opts = SqliteConnectOptions::from_str(path.as_os_str().to_str().unwrap())?
 -            .journal_mode(SqliteJournalMode::Wal)
 +            .journal_mode(SqliteJournalMode::Memory)
+             .optimize_on_close(true, None)
+-            .synchronous(SqliteSynchronous::Normal)
 +            .synchronous(sqlx::sqlite::SqliteSynchronous::Off)
+             .with_regexp()
              .create_if_missing(true);
- 
-         let pool = SqlitePoolOptions::new().connect_with(opts).await?;
+
 diff --git a/atuin-client/src/record/sqlite_store.rs b/atuin-client/src/record/sqlite_store.rs
-index db709f20..eaed6f7a 100644
+index 6333bb27..1f25a55b 100644
 --- a/atuin-client/src/record/sqlite_store.rs
 +++ b/atuin-client/src/record/sqlite_store.rs
-@@ -37,7 +37,8 @@ pub async fn new(path: impl AsRef<Path>) -> Result<Self> {
-         }
- 
+@@ -42,6 +42,8 @@ pub async fn new(path: impl AsRef<Path>, timeout: f64) -> Result<Self> {
+
          let opts = SqliteConnectOptions::from_str(path.as_os_str().to_str().unwrap())?
--            .journal_mode(SqliteJournalMode::Wal)
+             .journal_mode(SqliteJournalMode::Wal)
 +            .journal_mode(SqliteJournalMode::Memory)
 +            .synchronous(sqlx::sqlite::SqliteSynchronous::Off)
+             .foreign_keys(true)
              .create_if_missing(true);
- 
-         let pool = SqlitePoolOptions::new().connect_with(opts).await?;
--- 
-2.42.0
 
+--
+2.43.1

nixos/components/gui/default.nix

@@ -19,6 +19,7 @@ with lib;
     ./suspend.nix
     ./taskwarrior.nix
     ./vscode.nix
+    ./wayland.nix
     ./xorg
   ];
 

nixos/components/gui/kmonad.nix

@@ -81,7 +81,7 @@
         {
           nativ = keyboard "/dev/input/by-path/platform-i8042-serio-0-event-kbd" [ "lctl" "lmet" "lalt" ];
           dasKeyboard = keyboard "/dev/input/by-id/usb-Metadot_-_Das_Keyboard_Das_Keyboard-event-kbd" [ "lctl" "lmet" "lalt" ];
-          uhk = keyboard "/dev/input/by-id/usb-Ultimate_Gadget_Laboratories_UHK_60_v2-if01-event-kbd" [ "lctl" "lmet" "lalt" ];
+          uhk = keyboard "/dev/input/by-id/usb-Ultimate_Gadget_Laboratories_UHK_60_v2-event-kbd" [ "lctl" "lmet" "lalt" ];
         };
     };
   };

nixos/components/gui/taskwarrior.nix

@@ -63,7 +63,7 @@ in
         ${pkgs.khal}/bin/ikhal
       '')
 
-      # todo : before deleting this, put it in trilium
+      # todo : before deleting this, put it in logseq
       (python3Packages.bugwarrior.overrideAttrs (old: {
         version = "develop";
         src = pkgs.fetchFromGitHub {

nixos/components/gui/wayland.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+
+  options.components.gui.wayland.enable = mkOption {
+    type = lib.types.bool;
+    default = ! config.components.gui.xorg.enable;
+  };
+
+  config = mkIf config.components.gui.wayland.enable {
+    programs.hyprland.enable = true;
+  };
+}

nixos/components/gui/xorg/default.nix

@@ -4,7 +4,13 @@ with lib;
 
   imports = [ ./xlock.nix ];
 
-  config = mkIf config.components.gui.enable {
+  options.components.gui.xorg.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.gui.enable;
+  };
+
+
+  config = mkIf config.components.gui.xorg.enable {
 
     # system.custom.fonts.enable = true;
 
@@ -19,14 +25,8 @@ with lib;
         lightdm.enable = lib.mkDefault true;
       };
 
-      desktopManager = {
-        xterm.enable = false;
-      };
-      windowManager = {
-        xmonad.enable = true;
-        xmonad.enableContribAndExtras = true;
-        i3.enable = true;
-      };
+      desktopManager.xterm.enable = false;
+      windowManager.i3.enable = true;
 
       # mouse/touchpad
       # --------------

nixos/components/gui/xorg/xlock.nix

@@ -11,7 +11,7 @@ let
 
 in
 {
-  config = mkIf config.components.gui.enable {
+  config = mkIf config.components.gui.xorg.enable {
     environment.systemPackages = [
       lockProgram
       (pkgs.makeDesktopItem {

nixos/components/monitor/container.nix

@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+with lib;
+with types;
+{
+  imports = [ ./default.nix ];
+
+  config = {
+    components.monitor.enable = mkDefault true;
+    components.monitor.metrics.enable = mkDefault false;
+    components.monitor.opentelemetry.enable = false;
+
+    services.journald.extraConfig = "SystemMaxUse=1G";
+  };
+
+}

nixos/components/monitor/default.nix

@@ -1,20 +1,32 @@
-{ lib, ... }:
+{ lib, config, ... }:
 with lib;
 with types;
 {
 
-
   options.components.monitor = {
     enable = mkOption {
       type = bool;
       default = true;
     };
+    metrics.enable = mkOption {
+      type = bool;
+      default = config.components.monitor.enable;
+    };
+    logs.enable = mkOption {
+      type = bool;
+      default = config.components.monitor.enable;
+    };
   };
 
   imports = [
-    ./netdata.nix
+    ./logs-promtail.nix
+    ./metrics-export-zfs.nix
+    ./metrics-netdata.nix
+    ./metrics-prometheus.nix
+    ./metrics-telegraf.nix
+    ./opentelemetry.nix
   ];
 
-
   config = mkIf config.components.monitor.enable { };
+
 }

nixos/components/monitor/logs-promtail.nix

@@ -0,0 +1,178 @@
+{ config, lib, ... }:
+with lib;
+with types;
+let
+  cfg = config.components.monitor.promtail;
+in
+{
+  options.components.monitor.promtail = {
+    enable = mkOption {
+      type = lib.types.bool;
+      default = config.components.monitor.logs.enable;
+    };
+    port = mkOption {
+      type = int;
+      default = 3500;
+      description = "port to provide promtail export";
+    };
+  };
+
+  config = mkMerge [
+
+    (mkIf config.components.monitor.opentelemetry.enable {
+      services.opentelemetry-collector.settings = {
+        receivers.loki = {
+          protocols.http.endpoint = "127.0.0.1:${toString cfg.port}";
+          use_incoming_timestamp = true;
+        };
+        service.pipelines.logs.receivers = [ "loki" ];
+      };
+    })
+
+    (mkIf config.components.monitor.promtail.enable {
+      services.promtail = {
+        enable = true;
+        configuration = {
+          server. disable = true;
+          positions.filename = "/var/cache/promtail/positions.yaml";
+
+          clients = [
+            { url = "http://127.0.0.1:${toString cfg.port}/loki/api/v1/push"; }
+          ];
+
+          scrape_configs =
+
+            let
+              _replace = index: replacement: ''{{ Replace .Value "${toString index}" "${replacement}" 1 }}'';
+              _elseif = index: ''{{ else if eq .Value "${toString index}" }}'';
+              _if = index: ''{{ if eq .Value "${toString index}" }}'';
+              _end = ''{{ end }}'';
+              elseblock = index: replacement: "${_elseif index}${_replace index replacement}";
+              ifblock = index: replacement: "${_if index}${_replace index replacement}";
+              createTemplateLine = list: "${concatStrings (imap0 (index: replacement: if index == 0 then ifblock index replacement else elseblock index replacement) list)}${_end}";
+            in
+            [
+              {
+                job_name = "journal";
+                journal = {
+                  json = true;
+                  max_age = "12h";
+                  labels.job = "systemd-journal";
+                };
+                pipeline_stages = [
+                  {
+                    # Set of key/value pairs of JMESPath expressions. The key will be
+                    # the key in the extracted data while the expression will be the value,
+                    # evaluated as a JMESPath from the source data.
+                    json.expressions = {
+                      # journalctl -o json | jq and you'll see these
+                      boot_id = "_BOOT_ID";
+                      facility = "SYSLOG_FACILITY";
+                      facility_label = "SYSLOG_FACILITY";
+                      instance = "_HOSTNAME";
+                      msg = "MESSAGE";
+                      priority = "PRIORITY";
+                      priority_label = "PRIORITY";
+                      transport = "_TRANSPORT";
+                      unit = "_SYSTEMD_UNIT";
+                      # coredump
+                      #coredump_cgroup = "COREDUMP_CGROUP";
+                      #coredump_exe = "COREDUMP_EXE";
+                      #coredump_cmdline = "COREDUMP_CMDLINE";
+                      #coredump_uid = "COREDUMP_UID";
+                      #coredump_gid = "COREDUMP_GID";
+                    };
+                  }
+                  {
+                    # Set the unit (defaulting to the transport like audit and kernel)
+                    template = {
+                      source = "unit";
+                      template = "{{if .unit}}{{.unit}}{{else}}{{.transport}}{{end}}";
+                    };
+                  }
+                  {
+                    # Normalize session IDs (session-1234.scope -> session.scope) to limit number of label values
+                    replace = {
+                      source = "unit";
+                      expression = "^(session-\\d+.scope)$";
+                      replace = "session.scope";
+                    };
+                  }
+                  {
+                    # Map priority to human readable
+                    template = {
+                      source = "priority_label";
+                      #template = ''{{ if eq .Value "0" }}{{ Replace .Value "0" "emerg" 1 }}{{ else if eq .Value "1" }}{{ Replace .Value "1" "alert" 1 }}{{ else if eq .Value "2" }}{{ Replace .Value "2" "crit" 1 }}{{ else if eq .Value "3" }}{{ Replace .Value "3" "err" 1 }}{{ else if eq .Value "4" }}{{ Replace .Value "4" "warning" 1 }}{{ else if eq .Value "5" }}{{ Replace .Value "5" "notice" 1 }}{{ else if eq .Value "6" }}{{ Replace .Value "6" "info" 1 }}{{ else if eq .Value "7" }}{{ Replace .Value "7" "debug" 1 }}{{ end }}'';
+                      template = createTemplateLine [
+                        "emergency"
+                        "alert"
+                        "critical"
+                        "error"
+                        "warning"
+                        "notice"
+                        "info"
+                        "debug"
+                      ];
+                    };
+                  }
+                  {
+                    # Map facility to human readable
+                    template =
+                      {
+                        source = "facility_label";
+                        template = createTemplateLine [
+                          "kern" # Kernel messages
+                          "user" # User-level messages
+                          "mail" # Mail system	Archaic POSIX still supported and sometimes used (for more mail(1))
+                          "daemon" # System daemons	All daemons, including systemd and its subsystems
+                          "auth" # Security/authorization messages	Also watch for different facility 10
+                          "syslog" # Messages generated internally by syslogd	For syslogd implementations (not used by systemd, see facility 3)
+                          "lpr" # Line printer subsystem (archaic subsystem)
+                          "news" # Network news subsystem (archaic subsystem)
+                          "uucp" # UUCP subsystem (archaic subsystem)
+                          "clock" # Clock daemon	systemd-timesyncd
+                          "authpriv" # Security/authorization messages	Also watch for different facility 4
+                          "ftp" # FTP daemon
+                          "-" # NTP subsystem
+                          "-" # Log audit
+                          "-" # Log alert
+                          "cron" # Scheduling daemon
+                          "local0" # Local use 0 (local0)
+                          "local1" # Local use 1 (local1)
+                          "local2" # Local use 2 (local2)
+                          "local3" # Local use 3 (local3)
+                          "local4" # Local use 4 (local4)
+                          "local5" # Local use 5 (local5)
+                          "local6" # Local use 6 (local6)
+                          "local7" # Local use 7 (local7)
+                        ];
+                      };
+                  }
+                  {
+                    # Key is REQUIRED and the name for the label that will be created.
+                    # Value is optional and will be the name from extracted data whose value
+                    # will be used for the value of the label. If empty, the value will be
+                    # inferred to be the same as the key.
+                    labels = {
+                      boot_id = "";
+                      facility = "";
+                      facility_label = "";
+                      instance = "";
+                      priority = "";
+                      priority_label = "";
+                      transport = "";
+                      unit = "";
+                    };
+                  }
+                  {
+                    # Write the proper message instead of JSON
+                    output.source = "msg";
+                  }
+                ];
+              }
+            ];
+        };
+      };
+    })
+  ];
+}

nixos/components/monitor/metrics-export-zfs.nix

@@ -0,0 +1,32 @@
+{ pkgs, config, lib, ... }:
+with lib;
+with types;
+{
+  options.components.monitor.exporters.zfs.enable = mkOption {
+    type = lib.types.bool;
+    default = config.components.monitor.metrics.enable;
+  };
+
+  config = mkMerge [
+    (mkIf config.components.monitor.exporters.zfs.enable {
+
+      services.telegraf.extraConfig.inputs.zfs = { };
+
+      services.prometheus.exporters.zfs.enable = true;
+      services.opentelemetry-collector.settings = {
+        receivers.prometheus.config.scrape_configs = [
+          {
+            job_name = "zfs";
+            scrape_interval = "10s";
+            static_configs = [{
+              targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}" ];
+            }];
+          }
+        ];
+        service.pipelines.metrics.receivers = [ "prometheus" ];
+      };
+
+    })
+  ];
+
+}

nixos/components/monitor/metrics-netdata.nix

@@ -0,0 +1,35 @@
+{ lib, pkgs, config, ... }:
+with lib;
+with types;
+{
+  options.components.monitor.netdata = {
+    enable = mkOption {
+      type = bool;
+      default = config.components.monitor.metrics.enable;
+    };
+  };
+
+  config = mkIf config.components.monitor.netdata.enable {
+
+    # netdata sink
+    services.opentelemetry-collector.settings.receivers.prometheus.config.scrape_configs = [
+      {
+        job_name = "netdata";
+        scrape_interval = "10s";
+        metrics_path = "/api/v1/allmetrics";
+        params.format = [ "prometheus" ];
+        static_configs = [{ targets = [ "127.0.0.1:19999" ]; }];
+      }
+    ];
+
+    # https://docs.netdata.cloud/daemon/config/
+    services.netdata = {
+      enable = lib.mkDefault true;
+      config = {
+        global = {
+          "memory mode" = "ram";
+        };
+      };
+    };
+  };
+}

nixos/components/monitor/metrics-prometheus.nix

@@ -0,0 +1,45 @@
+{ config, lib, ... }:
+with lib;
+with types;
+let
+  cfg = config.components.monitor.prometheus;
+in
+{
+  options.components.monitor.prometheus = {
+    enable = mkOption {
+      type = lib.types.bool;
+      default = config.components.monitor.metrics.enable;
+    };
+    port = mkOption {
+      type = int;
+      default = 8090;
+      description = "port to provide Prometheus export";
+    };
+  };
+
+  config = mkMerge [
+
+    (mkIf config.components.monitor.prometheus.enable {
+      services.prometheus = {
+        checkConfig = "syntax-only";
+        enable = true;
+      };
+    })
+
+    (mkIf config.components.monitor.prometheus.enable {
+      services.opentelemetry-collector.settings = {
+        exporters.prometheus.endpoint = "127.0.0.1:${toString cfg.port}";
+        service.pipelines.metrics.exporters = [ "prometheus" ];
+      };
+      services.prometheus.scrapeConfigs = [
+        {
+          job_name = "opentelemetry";
+          metrics_path = "/metrics";
+          scrape_interval = "10s";
+          static_configs = [{ targets = [ "localhost:${toString cfg.port}" ]; }];
+        }
+      ];
+    })
+
+  ];
+}

nixos/components/monitor/metrics-telegraf.nix

@@ -0,0 +1,50 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with types;
+let
+  cfg = config.components.monitor.telegraf;
+in
+{
+  options.components.monitor.telegraf = {
+    enable = mkOption {
+      type = lib.types.bool;
+      default = config.components.monitor.metrics.enable;
+    };
+    influxDBPort = mkOption {
+      type = int;
+      default = 8088;
+      description = "Port to listen on influxDB input";
+    };
+  };
+
+  config = lib.mkMerge [
+    (mkIf config.components.monitor.telegraf.enable {
+      # opentelemetry wireing
+      services.opentelemetry-collector.settings = {
+        receivers.influxdb.endpoint = "127.0.0.1:${toString cfg.influxDBPort}";
+        service.pipelines.metrics.receivers = [ "influxdb" ];
+      };
+      services.telegraf.extraConfig.outputs.influxdb_v2.urls = [ "http://127.0.0.1:${toString cfg.influxDBPort}" ];
+    })
+
+    (mkIf config.components.monitor.telegraf.enable {
+
+      systemd.services.telegraf.path = [ pkgs.inetutils ];
+
+      services.telegraf = {
+        enable = true;
+        extraConfig = {
+          # https://github.com/influxdata/telegraf/tree/master/plugins/inputs < all them plugins
+          inputs = {
+            cpu = { };
+            diskio = { };
+            processes = { };
+            system = { };
+            systemd_units = { };
+            ping = [{ urls = [ "10.100.0.1" ]; }]; # actually important to make machine visible over wireguard
+          };
+        };
+      };
+    })
+  ];
+}

nixos/components/monitor/netdata.nix

@@ -1,33 +0,0 @@
-{ lib, pkgs, config, ... }:
-with lib;
-with types;
-{
-
-  config = lib.mkIf config.components.monitor.enable {
-
-    services.netdata = {
-      enable = lib.mkDefault true;
-      # https://docs.netdata.cloud/daemon/config/
-      config = {
-        global = {
-          "memory mode" = "ram";
-        };
-      };
-      #configDir."python.d.conf" = pkgs.writeText "python.d.conf" ''
-      #  example: yes
-      #  default_run: no
-      #  samba: yes
-      #'';
-    };
-
-    # add samba to path of python plugin
-    #systemd.services.netdata.path = [ pkgs.sudo pkgs.samba ];
-    #systemd.services.netdata.serviceConfig.CapabilityBoundingSet = [ "~" ];
-    #security.sudo.extraConfig = ''
-    #  netdata ALL=(root) NOPASSWD: ${pkgs.samba}/bin/smbstatus
-    #  netdata ALL=(root) NOPASSWD: /run/current-system/sw/bin/smbstatus
-    #'';
-
-
-  };
-}

nixos/components/monitor/opentelemetry.nix

@@ -0,0 +1,205 @@
+{ pkgs, config, lib, ... }:
+with lib;
+with types;
+let
+  cfg = config.components.monitor.opentelemetry;
+in
+{
+  options.components.monitor.opentelemetry = {
+    enable = mkOption {
+      type = bool;
+      default = config.components.monitor.enable;
+      description = "weather or not to use opentelemetry";
+    };
+    receiver.endpoint = mkOption {
+      type = nullOr str;
+      default = null;
+      description = "endpoint to receive the opentelementry data from other collectors";
+    };
+    exporter.endpoint = mkOption {
+      type = nullOr str;
+      default = null;
+      description = "endpoint to ship opentelementry data too";
+    };
+    exporter.debug = mkOption {
+      type = nullOr (enum [ "logs" "metrics" ]);
+      default = null;
+      description = "enable debug exporter.";
+    };
+    metrics.endpoint = mkOption {
+      type = str;
+      default = "127.0.0.1:8100";
+      description = "endpoint on where to provide opentelementry metrics";
+    };
+  };
+
+  config = mkMerge [
+
+    (mkIf config.components.monitor.opentelemetry.enable {
+      services.opentelemetry-collector = {
+        enable = true;
+        package = pkgs.unstable.opentelemetry-collector-contrib;
+      };
+    })
+
+    # add default tags to metrics
+    # todo : make sure we filter out metrics from otlp receivers
+    (mkIf config.components.monitor.enable {
+      services.opentelemetry-collector.settings = {
+
+        processors = {
+
+          # https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/processor/resourcedetectionprocessor/README.md
+          "resourcedetection/system" = {
+            detectors = [ "system" ];
+            override = false;
+            system.hostname_sources = [ "os" ];
+          };
+
+          metricstransform.transforms = [
+            {
+              include = ".*";
+              match_type = "regexp";
+              action = "update";
+              operations = [{
+                action = "add_label";
+                new_label = "machine";
+                new_value = config.networking.hostName;
+              }];
+            }
+          ];
+        };
+      };
+    })
+    (mkIf config.components.monitor.metrics.enable {
+      services.opentelemetry-collector.settings = {
+        service.pipelines.metrics.processors = [
+          "metricstransform"
+          "resourcedetection/system"
+        ];
+      };
+    })
+    (mkIf config.components.monitor.logs.enable {
+      services.opentelemetry-collector.settings = {
+        service.pipelines.logs.processors = [ "resourcedetection/system" ];
+      };
+    })
+
+
+    (mkIf (config.components.monitor.opentelemetry.exporter.debug != null) {
+      services.opentelemetry-collector.settings = {
+        exporters.debug = {
+          verbosity = "detailed";
+          sampling_initial = 5;
+          sampling_thereafter = 200;
+        };
+        service.pipelines.${config.components.monitor.opentelemetry.exporter.debug} = {
+          exporters = [ "debug" ];
+        };
+
+      };
+    })
+
+    # ship to next instance
+    (mkIf (config.components.monitor.opentelemetry.exporter.endpoint != null) {
+      services.opentelemetry-collector.settings = {
+        exporters.otlp = {
+          endpoint = cfg.exporter.endpoint;
+          tls.insecure = true;
+        };
+      };
+    })
+    (mkIf
+      (
+        config.components.monitor.opentelemetry.exporter.endpoint != null &&
+        config.components.monitor.logs.enable
+      )
+      {
+        services.opentelemetry-collector.settings = {
+          service.pipelines.logs.exporters = [ "otlp" ];
+        };
+      })
+    (mkIf
+      (
+        config.components.monitor.opentelemetry.exporter.endpoint != null &&
+        config.components.monitor.metrics.enable
+      )
+      {
+        services.opentelemetry-collector.settings = {
+          service.pipelines.metrics.exporters = [ "otlp" ];
+        };
+      })
+
+    # ship from other instance
+    (mkIf (config.components.monitor.opentelemetry.receiver.endpoint != null) {
+      services.opentelemetry-collector.settings = {
+        receivers.otlp.protocols.grpc.endpoint = cfg.receiver.endpoint;
+      };
+    })
+    (mkIf
+      (
+        config.components.monitor.opentelemetry.receiver.endpoint != null &&
+        config.components.monitor.logs.enable
+      )
+      {
+        services.opentelemetry-collector.settings = {
+          service.pipelines.logs.receivers = [ "otlp" ];
+        };
+      })
+    (mkIf
+      (
+        config.components.monitor.opentelemetry.receiver.endpoint != null &&
+        config.components.monitor.metrics.enable
+      )
+      {
+        services.opentelemetry-collector.settings = {
+          service.pipelines.metrics.receivers = [ "otlp" ];
+        };
+      })
+
+
+
+    # scrape opentelemetry-colectors metrics
+    # todo: this should be collected another way (opentelemetry internal?)
+    # todo : enable me only when metrics.endpoint is set.
+    (mkIf config.components.monitor.metrics.enable {
+      services.opentelemetry-collector.settings = {
+        receivers = {
+          prometheus.config.scrape_configs = [
+            {
+              job_name = "otelcol";
+              scrape_interval = "10s";
+              static_configs = [{
+                targets = [ cfg.metrics.endpoint ];
+              }];
+              metric_relabel_configs = [
+                {
+                  source_labels = [ "__name__" ];
+                  regex = ".*grpc_io.*";
+                  action = "drop";
+                }
+              ];
+            }
+          ];
+        };
+
+        service = {
+          pipelines.metrics = {
+            receivers = [ "prometheus" ];
+          };
+
+          # todo : this should be automatically be collected
+          # open telemetries own metrics?
+          telemetry.metrics.address = cfg.metrics.endpoint;
+        };
+
+      };
+    })
+    (mkIf (! config.components.monitor.metrics.enable) {
+      services.opentelemetry-collector.settings = {
+        service.telemetry.metrics.level = "none";
+      };
+    })
+  ];
+
+}

nixos/components/network/nginx.nix

@@ -33,23 +33,37 @@ with lib;
 
         # for loki logging
         commonHttpConfig = ''
-          log_format logfmt escape=json 'timestamp=$time_iso8601 '
-            'facility=nginx '
-            'src_addr=$remote_addr '
-            'body_bytes_sent=$body_bytes_sent '
-            'request_time=$request_time '
-            'response_status=$status '
-            'request="$request" '
+          log_format logfmt
+            'timestamp="$time_iso8601" '
+            'facility="nginx" '
+            'src_addr="$remote_addr" '
+            'body_bytes_sent="$body_bytes_sent" '
+            'request_time="$request_time" '
+            'response_status="$status" '
             'request_method="$request_method" '
+            'request="$request" '
             'host="$host" '
             'upstream_cache_status="$upstream_cache_status" '
             'upstream_addr="$upstream_addr" '
             'http_x_forwarded_for="$http_x_forwarded_for" '
             'http_referrer="$http_referer" '
-            'http_user_agent="$http_user_agent"';
+            'http_user_agent="$http_user_agent" ';
+
+           log_format json_combined escape=json
+             '{'
+                '"time_local":"$time_local",'
+                '"remote_addr":"$remote_addr",'
+                '"remote_user":"$remote_user",'
+                '"request":"$request",'
+                '"status": "$status",'
+                '"body_bytes_sent":"$body_bytes_sent",'
+                '"request_time":"$request_time",'
+                '"http_referrer":"$http_referer",'
+                '"http_user_agent":"$http_user_agent"'
+              '}';
 
           # log to local journald
-          access_log syslog:server=unix:/dev/log logfmt;
+          access_log syslog:server=unix:/dev/log,nohostname logfmt;
         '';
 
       };

nixos/components/network/syncthing.nix

@@ -31,6 +31,8 @@ with lib; {
       // (device "cream" "MQVKATH-THTPET5-KYAT7XX-BOIIIBA-P7OOF7Y-IWAUN53-S2VNVOY-BZWTGQK")
       // (device "cherry" "WX2HZQ7-WAOL6YR-QJYFS2L-SVUJQB4-SKHZHVE-J7XCWLQ-6GRATXX-VJUMOAH")
       // (device "chungus" "GZGW2YW-6RRUPDN-LFAOATC-56FS7LH-YC7R32N-LVA5JUX-3LSBYOX-BFR67QZ")
+      // (device "iPhone" "APFS6SA-VVTARXU-3WHHRZG-TE5N3T4-X4IC76V-T67EKZ6-NLGP3TW-EZYXYAH")
+      // (device "iPad" "JDDNVYD-H3WMSSS-WZ745KL-7QEGN6O-ZSGQLQU-YBR2L42-7FO7KJ4-BXPYDA5")
       // {
         bumba = {
           name = "windows-bumba";
@@ -49,6 +51,11 @@ with lib; {
 
       # needs to be on encrypted drives
       # -------------------------------
+      oscar_cpap = {
+        enable = lib.mkDefault false;
+        path = lib.mkDefault "/tmp/oscar_cpap";
+        devices = [ "chungus" "cream" "cherry" ];
+      };
       audiobooks = {
         enable = lib.mkDefault false;
         path = lib.mkDefault "/tmp/audiobooks";
@@ -57,7 +64,7 @@ with lib; {
       logseq = {
         enable = lib.mkDefault false;
         path = lib.mkDefault "/tmp/logseq";
-        devices = [ "chungus" "cream" "cherry" ];
+        devices = [ "chungus" "cream" "cherry" "iPhone" "iPad" ];
       };
       lectures = {
         enable = lib.mkDefault false;

nixos/components/network/tinc/private.nix

@@ -24,6 +24,7 @@ let
     "sonarr.orbi" = hosts.orbi;
     "radarr.orbi" = hosts.orbi;
     "prowlarr.orbi" = hosts.orbi;
+    "photoprism.orbi" = hosts.orbi;
     # robi
     "grafana.robi" = hosts.robi;
     "loki.robi" = hosts.robi;
@@ -49,11 +50,8 @@ let
     "minio.chungus" = hosts.chungus;
     "sync.chungus" = hosts.chungus;
     "tdarr.chungus" = hosts.chungus;
-    "trilium.chungus" = hosts.chungus;
     "tts.chungus" = hosts.chungus;
     "paperless.chungus" = hosts.chungus;
-    # cream
-    "trilium.cream" = hosts.cream;
   };
   network = "private";
 in

nixos/components/network/wireguard.nix

@@ -11,5 +11,17 @@ with lib;
     };
   };
 
+  # todo: use networking.wireguard  instead of networking wg-quick
+  # with dynamicEndpointRefreshSeconds
+  #config = {
+  #  systemd.services.wg-quick-wg0.serviceConfig = {
+  #    Restart = "always";
+  #    RestartSec = 50;
+  #    Type = mkForce "simple";
+  #    RemainAfterExit = mkForce false;
+  #  };
+  #};
+
+
 }
 

nixos/homes/common/default.nix

@@ -3,6 +3,7 @@
   imports = [
     ./packages.nix
     ./terminal.nix
+    ./zfs.nix
   ];
   options.gui.enable = lib.mkEnableOption "should GUI packages be anabled?";
 }

nixos/homes/common/terminal.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ lib, pkgs, assets, ... }:
 {
 
   programs.zsh = {
@@ -36,12 +36,11 @@
     enable = true;
     enableBashIntegration = true;
     enableZshIntegration = true;
-    package = pkgs.unstable.atuin;
-    # todo not needed anymore
-    #package = pkgs.unstable.atuin.overrideAttrs (_old: {
-    #  # as cursed as doing mitigations=off in the kernel command line
-    #  patches = [ ./0001-make-atuin-on-zfs-fast-again.patch ];
-    #});
+    #package = pkgs.unstable.atuin;
+    package = pkgs.unstable.atuin.overrideAttrs (_old: {
+      # as cursed as doing mitigations=off in the kernel command line
+      patches = [ "${assets}/0001-make-atuin-on-zfs-fast-again.patch" ];
+    });
     settings = {
       auto_sync = true;
       sync_frequency = "5m";

nixos/homes/common/zfs.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+with pkgs;
+with lib;
+{
+  config = mkMerge [
+    {
+      home.packages = [
+        (
+          let
+            options = [
+              "name"
+              "mountpoint"
+              "compression"
+              "com.sun:auto-snapshot:yearly"
+              "com.sun:auto-snapshot:monthly"
+              "com.sun:auto-snapshot:daily"
+              "com.sun:auto-snapshot:hourly"
+            ];
+          in
+          pkgs.writers.writeBashBin "zfs-overview" ''
+            ${pkgs.zfs}/bin/zfs list -o ${concatStringsSep "," options} "$@"
+          ''
+        )
+      ];
+    }
+  ];
+}

nixos/homes/palo/default.nix

@@ -3,6 +3,7 @@
   imports = [
     ../common
     ./doom-emacs.nix
+    ./editor.nix
     ./git.nix
     ./gpg.nix
     ./i3.nix
@@ -10,9 +11,9 @@
     ./ssh.nix
     ./stylix.nix
     ./tmux.nix
-    ./vim.nix
     ./yubikey.nix
     ./zellij.nix
+    ./hyperland.nix
   ];
 
   home.stateVersion = "22.11";

nixos/homes/palo/editor.nix

@@ -0,0 +1,11 @@
+{
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
+
+  programs.helix = {
+    enable = true;
+    # defaultEditor = true;
+  };
+}

nixos/homes/palo/hyperland.nix

@@ -0,0 +1,161 @@
+{ pkgs, ... }:
+{
+
+  home.file.".config/hypr/hyperland.conf".text = ''
+    autogenerated = 1 # remove this line to remove the warning
+    # See https://wiki.hyprland.org/Configuring/Monitors/
+    monitor=,preferred,auto,auto
+
+    # Some default env vars.
+    env = XCURSOR_SIZE,24
+
+    # For all categories, see https://wiki.hyprland.org/Configuring/Variables/
+    input {
+        kb_layout = us
+        kb_variant =
+        kb_model =
+        kb_options =
+        kb_rules =
+
+        follow_mouse = 1
+
+        touchpad {
+            natural_scroll = no
+        }
+
+        sensitivity = 0 # -1.0 - 1.0, 0 means no modification.
+    }
+
+    general {
+        # See https://wiki.hyprland.org/Configuring/Variables/ for more
+
+        gaps_in = 5
+        gaps_out = 20
+        border_size = 2
+        col.active_border = rgba(33ccffee) rgba(00ff99ee) 45deg
+        col.inactive_border = rgba(595959aa)
+
+        layout = dwindle
+
+        # Please see https://wiki.hyprland.org/Configuring/Tearing/ before you turn this on
+        allow_tearing = false
+    }
+
+    decoration {
+        # See https://wiki.hyprland.org/Configuring/Variables/ for more
+
+        rounding = 10
+
+        blur {
+            enabled = true
+            size = 3
+            passes = 1
+        }
+
+        drop_shadow = yes
+        shadow_range = 4
+        shadow_render_power = 3
+        col.shadow = rgba(1a1a1aee)
+    }
+
+    animations {
+        enabled = yes
+
+        # Some default animations, see https://wiki.hyprland.org/Configuring/Animations/ for more
+
+        bezier = myBezier, 0.05, 0.9, 0.1, 1.05
+
+        animation = windows, 1, 7, myBezier
+        animation = windowsOut, 1, 7, default, popin 80%
+        animation = border, 1, 10, default
+        animation = borderangle, 1, 8, default
+        animation = fade, 1, 7, default
+        animation = workspaces, 1, 6, default
+    }
+
+    dwindle {
+        # See https://wiki.hyprland.org/Configuring/Dwindle-Layout/ for more
+        pseudotile = yes # master switch for pseudotiling. Enabling is bound to mainMod + P in the keybinds section below
+        preserve_split = yes # you probably want this
+    }
+
+    master {
+        # See https://wiki.hyprland.org/Configuring/Master-Layout/ for more
+        new_is_master = true
+    }
+
+    gestures {
+        # See https://wiki.hyprland.org/Configuring/Variables/ for more
+        workspace_swipe = off
+    }
+
+    misc {
+        # See https://wiki.hyprland.org/Configuring/Variables/ for more
+        force_default_wallpaper = -1 # Set to 0 to disable the anime mascot wallpapers
+    }
+
+    # Example per-device config
+    # See https://wiki.hyprland.org/Configuring/Keywords/#executing for more
+    device:epic-mouse-v1 {
+        sensitivity = -0.5
+    }
+
+    # See https://wiki.hyprland.org/Configuring/Keywords/ for more
+    $mainMod = SUPER
+
+    # Example binds, see https://wiki.hyprland.org/Configuring/Binds/ for more
+    bind = $mainMod, enter, exec, alacritty
+    bind = $mainMod, C, killactive,
+    bind = $mainMod, Q, exit,
+    bind = $mainMod, E, exec, dolphin
+    bind = $mainMod, V, togglefloating,
+    bind = $mainMod, R, exec, wofi --show drun
+    bind = $mainMod, P, pseudo, # dwindle
+    bind = $mainMod, J, togglesplit, # dwindle
+
+    # Move focus with mainMod + arrow keys
+    bind = $mainMod, left, movefocus, l
+    bind = $mainMod, right, movefocus, r
+    bind = $mainMod, up, movefocus, u
+    bind = $mainMod, down, movefocus, d
+
+    # Switch workspaces with mainMod + [0-9]
+    bind = $mainMod, 1, workspace, 1
+    bind = $mainMod, 2, workspace, 2
+    bind = $mainMod, 3, workspace, 3
+    bind = $mainMod, 4, workspace, 4
+    bind = $mainMod, 5, workspace, 5
+    bind = $mainMod, 6, workspace, 6
+    bind = $mainMod, 7, workspace, 7
+    bind = $mainMod, 8, workspace, 8
+    bind = $mainMod, 9, workspace, 9
+    bind = $mainMod, 0, workspace, 10
+
+    # Move active window to a workspace with mainMod + SHIFT + [0-9]
+    bind = $mainMod SHIFT, 1, movetoworkspace, 1
+    bind = $mainMod SHIFT, 2, movetoworkspace, 2
+    bind = $mainMod SHIFT, 3, movetoworkspace, 3
+    bind = $mainMod SHIFT, 4, movetoworkspace, 4
+    bind = $mainMod SHIFT, 5, movetoworkspace, 5
+    bind = $mainMod SHIFT, 6, movetoworkspace, 6
+    bind = $mainMod SHIFT, 7, movetoworkspace, 7
+    bind = $mainMod SHIFT, 8, movetoworkspace, 8
+    bind = $mainMod SHIFT, 9, movetoworkspace, 9
+    bind = $mainMod SHIFT, 0, movetoworkspace, 10
+
+    # Example special workspace (scratchpad)
+    bind = $mainMod, S, togglespecialworkspace, magic
+    bind = $mainMod SHIFT, S, movetoworkspace, special:magic
+
+    # Scroll through existing workspaces with mainMod + scroll
+    bind = $mainMod, mouse_down, workspace, e+1
+    bind = $mainMod, mouse_up, workspace, e-1
+
+    # Move/resize windows with mainMod + LMB/RMB and dragging
+    bindm = $mainMod, mouse:272, movewindow
+    bindm = $mainMod, mouse:273, resizewindow
+
+  '';
+
+}
+

nixos/homes/palo/i3.nix

@@ -3,6 +3,8 @@ let
 
   cfg = config.xsession.windowManager.i3;
 
+  rofi = pkgs.rofi.override { plugins = [ pkgs.rofi-emoji pkgs.rofi-calc pkgs.xdotool ]; };
+
   backgroundCommand = pkgs.writers.writeDash "background" ''
     ${pkgs.xorg.xrandr}/bin/xrandr | grep " connected" | grep "primary" | \
       ${pkgs.gnused}/bin/sed -E "s/primary //" | \
@@ -37,6 +39,7 @@ in
         fixXhost
         pkgs.autorandr
         pkgs.polygon-art.polygon-art
+        pkgs.xdotool # needed for rofi-emoji
       ];
 
 
@@ -154,7 +157,7 @@ in
             };
           startup =
             [
-              { command = "${pkgs.albert}/bin/albert"; always = true; }
+              #{ command = "${pkgs.albert}/bin/albert"; always = true; }
               { command = toString backgroundCommand; always = true; }
               {
                 command = toString (pkgs.writers.writeDash "xsettings" ''
@@ -258,7 +261,7 @@ in
                   set -o pipefail
                   ${pkgs.i3}/bin/i3-msg -t get_workspaces | \
                   ${pkgs.jq}/bin/jq --raw-output '.[] | .name' | \
-                  ${pkgs.rofi}/bin/rofi -dmenu -p 'Select Workspace' | \
+                  ${rofi}/bin/rofi -dmenu -p 'Select Workspace  ' | \
                   while read line
                   do
                     ${pkgs.i3}/bin/i3-msg workspace "$line"
@@ -274,7 +277,7 @@ in
                   set -o pipefail
                   ${pkgs.i3}/bin/i3-msg -t get_workspaces | \
                   ${pkgs.jq}/bin/jq --raw-output '.[] | .name' | \
-                  ${pkgs.rofi}/bin/rofi -dmenu -p 'Move to Workspace' | \
+                  ${rofi}/bin/rofi -dmenu -p 'Move to Workspace  ' | \
                   while read line
                   do
                     ${pkgs.i3}/bin/i3-msg move container to workspace "$line"
@@ -283,6 +286,7 @@ in
               in
               "exec ${script}";
 
+            "${cfg.config.modifier}+space" = "exec ${rofi}/bin/rofi -show drun -display-drun ''";
             "${cfg.config.modifier}+Shift+c" = "reload";
             "${cfg.config.modifier}+Shift+r" = "restart";
             "${cfg.config.modifier}+Shift+e" = "exec i3-nagbar -t warning -m 'Do you want to exit i3?' -b 'Yes' 'i3-msg exit'";
@@ -476,6 +480,19 @@ in
       };
     };
 
+    # rofi > albert
+    programs.rofi = {
+      enable = true;
+      cycle = true;
+      package = rofi;
+      # pass.enable = true;
+      extraConfig = {
+        modi = "drun,calc,emoji,combi";
+        show-icons = true;
+        terminal = "alacritty";
+      };
+    };
+
     xdg.configFile."albert/albert.conf".text = ''
       [General]
       hotkey=Meta+Space

nixos/homes/palo/packages/development.nix

@@ -40,6 +40,14 @@ with lib;
 
         mermaid-cli
 
+        # terminal code to image/movie renderer
+        vhs
+        carbon-now-cli
+        asciinema
+        asciinema-scenario
+        asciinema
+
+        marp-cli # markdown to presentation framework
       ];
     })
     {

nixos/homes/palo/packages/graphics.nix

@@ -16,12 +16,15 @@ with lib;
       blender
       lightburn
       darktable
+      colorpicker
 
       # CAD & 3D Plotting
       openscad
       freecad
       cura
 
+      qrencode
+
     ];
 
   };

nixos/homes/palo/packages/logseq.nix

@@ -4,7 +4,7 @@ with lib;
 {
   config = mkIf config.gui.enable {
     home.packages = [
-      unstable.logseq
+      logseq
     ];
     home.file.".config/Logseq/Preferences".source = (pkgs.formats.json { }).generate "LogseqPreferences.json"
       {

nixos/homes/palo/packages/packages.nix

@@ -40,12 +40,15 @@ with lib;
       bitwarden
       rbw
 
-      unstable.trilium-desktop # old (use logseq now)
-
       nginx-config-formatter
 
       unstable.yt-dlp
 
+      OSCAR
+
+      # office
+      pdfarranger
+
     ];
 
   };

nixos/homes/palo/vim.nix

@@ -1,6 +0,0 @@
-{
-  programs.vim = {
-    enable = true;
-    defaultEditor = true;
-  };
-}

nixos/legacy/media-tdarr.nix

@@ -31,8 +31,8 @@
     };
   };
 
-  networking.firewall.interfaces.wq0.allowedTCPPorts = [ 8266 ];
-  networking.firewall.interfaces.wq0.allowedUDPPorts = [ 8266 ];
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8266 ];
+  networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8266 ];
 
   networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 8266 ];
   networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 8266 ];

nixos/legacy/media-unmanic.nix

@@ -20,8 +20,8 @@
     };
   };
 
-  #networking.firewall.interfaces.wq0.allowedTCPPorts = [ 8266 ];
-  #networking.firewall.interfaces.wq0.allowedUDPPorts = [ 8266 ];
+  #networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8266 ];
+  #networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8266 ];
 
   #networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 8266 ];
   #networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 8266 ];

nixos/machines/cherry/configuration.nix

@@ -31,6 +31,10 @@
   components.network.wifi.enable = true;
   components.terminal.enable = true;
 
+  components.monitor.enable = true;
+  components.monitor.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
+  #components.monitor.opentelemetry.exporter.debug = "logs";
+
   home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
 
   sops.secrets.yubikey_u2fAuthFile = { };

nixos/machines/cherry/syncthing.nix

@@ -16,6 +16,10 @@
 
       # on encrypted drive
       # ------------------
+      oscar_cpap = {
+        enable = true;
+        path = "/home/palo/Documents/OSCAR_Data";
+      };
       password-store = {
         enable = true;
         path = "/home/palo/.password-store";

nixos/machines/cherry/wireguard.nix

@@ -1,6 +1,6 @@
 { config, ... }:
 {
-  networking.firewall.allowedUDPPorts = [ 51820 ];
+  #networking.firewall.allowedUDPPorts = [ 51820 ];
   sops.secrets.wireguard_private = { };
 
   # Enable WireGuard
@@ -18,7 +18,8 @@
           # robi
           publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
           allowedIPs = [ "10.100.0.1/24" ];
-          endpoint = "ingolf-wagner.de:51820";
+          #endpoint = "ingolf-wagner.de:51820";
+          endpoint = "95.216.66.212:51820";
         }
       ];
     };

nixos/machines/chungus/atuin.nix

@@ -1,8 +0,0 @@
-{ config, ... }: {
-  services.atuin = {
-    enable = true;
-    host = "0.0.0.0";
-    maxHistoryLength = 999999;
-    openRegistration = false;
-  };
-}

nixos/machines/chungus/cache.nix

@@ -1,13 +0,0 @@
-{ ... }:
-{
-  services.nix-serve = {
-    enable = true;
-
-    # needed if i want to trust my own build packages and dirivations
-    # nix-store --generate-binary-cache-key key-name secret-key-file public-key-file
-    # secretKeyFile = sops.nixServeSecretKeyFile.path
-
-  };
-
-
-}

nixos/machines/chungus/configuration.nix

@@ -10,59 +10,41 @@
 
     ./hardware-configuration
 
-    ./disko-syncoid.nix
     ./packages.nix
 
-    ./network-wireguard.nix
-    ./network-tinc.nix
     ./network-tinc-retiolum.nix # make sure no service is open for this vpn!
+    ./network-tinc.nix
+    ./network-wireguard.nix
 
-    ./hass.nix
-    ./hass-zigbee2mqtt.nix
     ./hass-mqtt.nix
-    #./hass-wifi.nix
+    ./hass-zigbee2mqtt.nix
+    ./hass.nix
 
-    #./mail-fetcher.nix
-
-    #./borg.nix
     ./taskwarrior-autotag.nix
 
-    ./media-share.nix
     ./media-audiobookshelf.nix
-    ./media-jellyfin.nix
-    ./media-youtube.nix
     ./media-castget.nix
     ./media-curl.nix
+    ./media-jellyfin.nix
+    ./media-share.nix
     ./media-syncthing.nix
+    ./media-youtube.nix
 
-    # logging
-    ./loki.nix
-    ./loki-promtail.nix
-    ./prometheus.nix
-    ./grafana.nix
-    ./telegraf.nix
-    ./telegraf-smart.nix
+    ./telemetry/grafana.nix
+    ./telemetry/telegraf-smart.nix
+    ./telemetry/telegraf.nix
+    #./telemetry/opentelemetry-hass.nix
+    ./telemetry/prometheus.nix
+    ./telemetry/loki.nix
 
-    #./home-display.nix
-
-    ./rbackup.nix
-    ./sync-torrent.nix
-    ./sync-script.nix
+    ./sync-rbackup.nix
+    ./sync-syncoid.nix
 
+    ./service-atuin.nix
+    ./service-paperless.nix
+    ./services-forgejo.nix
     ./services-s3.nix
-
-    #./kiosk.nix
-    ./trilium.nix
-    ./gitea.nix
-    ./atuin.nix
-
-    ./cache.nix
-
-    ./vault.nix
-
-    ./docker-registry.nix
-
-    ./paperless.nix
+    ./services-vault.nix
 
   ];
 
@@ -73,8 +55,12 @@
   components.network.wifi.enable = false;
   components.terminal.enable = true;
 
-  services.printing.enable = false;
+  components.monitor.enable = true;
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
+  networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
+  components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
 
+  services.printing.enable = false;
 
   #virtualisation.containers.storage.settings = {
   #  # fixes: Error: 'overlay' is not supported over zfs, a mount_program is required: backing file system is unsupported for this graph driver

nixos/machines/chungus/disko-syncoid.nix

@@ -1,23 +0,0 @@
-{ ... }:
-{
-  services.syncoid = {
-    enable = true;
-    commands.service2 = {
-      source = "zroot/services2";
-      target = "zraid/mirror/services2"; # should not be created up front!
-    };
-    commands.paperless = {
-      source = "zroot/paperless";
-      target = "zraid/mirror/paperless"; # should not be created up front!
-    };
-    commands.postgresql = {
-      source = "zroot/postgresql";
-      target = "zraid/mirror/postgresql"; # should not be created up front!
-    };
-    commonArgs = [
-      # Does not create new snapshot, only transfers existing
-      "--no-sync-snap"
-    ];
-  };
-
-}

nixos/machines/chungus/docker-registry.nix

@@ -1,3 +0,0 @@
-{
-  services.dockerRegistry.enable = true;
-}

nixos/machines/chungus/hass-mqtt.nix

@@ -11,6 +11,6 @@
 
   # open for tasmota
   networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 1883 ];
-  networking.firewall.interfaces.wq0.allowedTCPPorts = [ 1883 ];
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 1883 ];
 
 }

nixos/machines/chungus/loki-promtail.nix

@@ -1,41 +0,0 @@
-{ config, ... }:
-{
-  services.promtail = {
-    enable = true;
-    configuration = {
-      server = {
-        http_listen_port = 28183;
-        grpc_listen_port = 0;
-      };
-      positions.filename = "/tmp/positions.yaml";
-      clients = [
-        { url = "http://127.0.0.1:3100/loki/api/v1/push"; }
-      ];
-
-      scrape_configs = [
-        {
-          job_name = "journal";
-          journal = {
-            max_age = "12h";
-            labels = {
-              job = "systemd-journal";
-              host = config.networking.hostName;
-            };
-          };
-          relabel_configs = [
-            {
-              source_labels = [ "__journal__systemd_unit" ];
-              target_label = "unit";
-            }
-            {
-              source_labels = [ "__journal__transport" ];
-              target_label = "transport";
-            }
-          ];
-        }
-      ];
-
-    };
-
-  };
-}

nixos/machines/chungus/loki.nix

@@ -1,99 +0,0 @@
-{ config, pkgs, ... }:
-{
-
-  services.loki = {
-    enable = true;
-    configuration = {
-      server = {
-        http_listen_port = 3100;
-        log_level = "warn";
-      };
-      auth_enabled = false;
-
-      ingester = {
-        lifecycler = {
-          address = "127.0.0.1";
-          ring = {
-            kvstore = {
-              store = "inmemory";
-            };
-            replication_factor = 1;
-          };
-        };
-        chunk_idle_period = "1h";
-        max_chunk_age = "1h";
-        chunk_target_size = 999999;
-        chunk_retain_period = "30s";
-        max_transfer_retries = 0;
-      };
-
-      schema_config = {
-        configs = [{
-          from = "2022-06-06";
-          store = "boltdb-shipper";
-          object_store = "filesystem";
-          schema = "v11";
-          index = {
-            prefix = "index_";
-            period = "24h";
-          };
-        }];
-      };
-
-      storage_config = {
-        boltdb_shipper = {
-          active_index_directory = "/var/lib/loki/boltdb-shipper-active";
-          cache_location = "/var/lib/loki/boltdb-shipper-cache";
-          cache_ttl = "24h";
-          shared_store = "filesystem";
-        };
-
-        filesystem = {
-          directory = "/var/lib/loki/chunks";
-        };
-      };
-
-      limits_config = {
-        reject_old_samples = true;
-        reject_old_samples_max_age = "168h";
-      };
-
-      chunk_store_config = {
-        max_look_back_period = "0s";
-      };
-
-      table_manager = {
-        retention_deletes_enabled = false;
-        retention_period = "0s";
-      };
-
-      compactor = {
-        working_directory = "/var/lib/loki";
-        shared_store = "filesystem";
-        compactor_ring = {
-          kvstore = {
-            store = "inmemory";
-          };
-        };
-      };
-    };
-    # user, group, dataDir, extraFlags, (configFile)
-  };
-
-  #services.nginx = {
-  #  enable = true;
-  #  virtualHosts.loki = {
-  #    serverName = "loki.pepe.private";
-  #    locations."/" = {
-  #      proxyWebsockets = true;
-  #      proxyPass = "http://127.0.0.1:3100";
-  #      #extraConfig = ''
-  #      #  access_log off;
-  #      #  allow ${config.tinc.private.subnet};
-  #      #  deny all;
-  #      #'';
-  #    };
-  #  };
-  #};
-
-}

nixos/machines/chungus/media-curl.nix

@@ -2,19 +2,22 @@
 with lib;
 let
   configuration = {
-    Chaospott37C3Tickets = rec {
-      url = "https://md.chaospott.de/171s8-_cQCyX_tUca_Jxqw/download";
-      target = "/media/curl/37C3";
-      options = [
-        "-o $( date +%H:%M:%S )-TicketPlaning.md"
-      ];
-    };
+
+    #Chaospott37C3Tickets = rec {
+    #  url = "https://md.chaospott.de/171s8-_cQCyX_tUca_Jxqw/download";
+    #  target = "/media/curl/37C3";
+    #  options = [
+    #    "-o $( date +%H:%M:%S )-TicketPlaning.md"
+    #  ];
+    #};
+
     StableConfussion = {
       url = "http://stable-confusion.r/outputs/";
       target = "/media/curl/stable-confusion";
-      options = [ "--mirror" ];
+      options = [ "--mirror" "--quiet" ];
       command = "wget";
     };
+
   };
 
   downloadScript =

nixos/machines/chungus/media-syncthing.nix

@@ -7,13 +7,12 @@
     group = "media";
     # make some folders send only
     settings.folders = {
-      audiobooks.type = "sendonly";
-      lost-fotos.type = "sendonly";
-      lectures.type = "sendonly";
-    };
-    folders = {
       # on encrypted drive
       # ------------------
+      oscar_cpap = {
+        enable = true;
+        path = "/syncthing/oscar_cpap";
+      };
       logseq = {
         enable = true;
         path = "/syncthing/logseq";
@@ -48,6 +47,7 @@
       };
       lost-fotos = {
         enable = true;
+        type = "sendonly";
         path = "/syncthing/lost-fotos.ct";
       };
       music-projects = {
@@ -56,10 +56,12 @@
       };
       audiobooks = {
         enable = true;
+        type = "sendonly";
         path = "/media/audio-books";
       };
       lectures = {
         enable = true;
+        type = "sendonly";
         path = "/media/lectures";
       };
     };

nixos/machines/chungus/network-wireguard.nix

@@ -21,7 +21,8 @@
           # orbi
           publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
           allowedIPs = [ "10.100.0.1/24" ];
-          endpoint = "ingolf-wagner.de:51820";
+          #endpoint = "ingolf-wagner.de:51820";
+          endpoint = "95.216.66.212:51820";
           persistentKeepalive = 25;
         }
       ];

nixos/machines/chungus/prometheus.nix

@@ -1,121 +0,0 @@
-{ config, pkgs, lib, ... }: {
-
-  sops.secrets.hass_long_term_token.owner = "prometheus";
-
-  services.nginx = {
-    enable = true;
-    statusPage = true;
-    virtualHosts = {
-      "prometheus.${config.networking.hostName}.private" = {
-        extraConfig = ''
-          allow ${config.tinc.private.subnet};
-          deny all;
-        '';
-        locations."/" = { proxyPass = "http://localhost:${toString config.services.prometheus.port}"; };
-      };
-    };
-  };
-
-  services.prometheus = {
-    checkConfig = "syntax-only";
-    enable = true;
-    # keep data for 30 days
-    extraFlags = [ "--storage.tsdb.retention.time=90d" ];
-
-    ruleFiles = [
-      (pkgs.writeText "prometheus-rules.yml" (builtins.toJSON {
-        groups = [
-          {
-            name = "core";
-            rules = [
-              {
-                alert = "InstanceDown";
-                expr = "up == 0";
-                for = "5m";
-                labels.severity = "page";
-                annotations = {
-                  summary = "Instance {{ $labels.instance }} down";
-                  description = "{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.";
-                };
-              }
-            ];
-          }
-          {
-            name = "home-assistant";
-            rules = [
-              {
-                record = "home_open_window_sum";
-                expr = ''sum( homeassistant_binary_sensor_state{entity=~"binary_sensor\\.window_02_contact|binary_sensor\\.window_03_contact|binary_sensor\\.window_04_contact|binary_sensor\\.window_05_contact|binary_sensor\\.window_06_contact|binary_sensor\\.window_07_contact"} )'';
-              }
-            ] ++ (map
-              (number:
-                {
-                  record = "home_at_least_n_windows_open";
-                  expr = ''home_open_window_sum >= bool ${toString number}'';
-                  labels.n = number;
-                }) [ 1 2 3 ]);
-          }
-        ];
-      }))
-    ];
-
-
-
-
-    #alertmanager = {
-    #  enable = true;
-    #  configuration = {
-    #};
-    #};
-
-    exporters = {
-      node = {
-        enable = true;
-        enabledCollectors = [ "systemd" ];
-        port = 9002;
-      };
-    };
-
-    scrapeConfigs = [
-      {
-        job_name = "netdata";
-        metrics_path = "/api/v1/allmetrics";
-        params.format = [ "prometheus" ];
-        scrape_interval = "5s";
-        static_configs = [
-          {
-            targets = [ "localhost:19999" ];
-            labels = {
-              service = "netdata";
-              server = config.networking.hostName;
-            };
-          }
-        ];
-      }
-      {
-        job_name = "node";
-        static_configs = [{
-          targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
-          labels = {
-            service = "node-exporter";
-            server = config.networking.hostName;
-          };
-        }];
-      }
-      {
-        # see https://www.home-assistant.io/integrations/prometheus/
-        job_name = "home-assistant";
-        scrape_interval = "60s";
-        metrics_path = "/api/prometheus";
-        bearer_token_file = toString config.sops.secrets.hass_long_term_token.path;
-        static_configs = [{
-          targets = [ "localhost:8123" ];
-          labels = {
-            service = "hass";
-            server = config.networking.hostName;
-          };
-        }];
-      }
-    ];
-  };
-}

nixos/machines/chungus/service-atuin.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, assets, ... }: {
+  services.atuin = {
+    enable = true;
+    package = pkgs.unstable.atuin.overrideAttrs (_old: {
+      # as cursed as doing mitigations=off in the kernel command line
+      patches = [ "${assets}/0001-make-atuin-on-zfs-fast-again.patch" ];
+    });
+    host = "0.0.0.0";
+    maxHistoryLength = 999999;
+    openRegistration = false;
+  };
+}

nixos/machines/chungus/service-paperless.nix

@@ -8,10 +8,18 @@
       PAPERLESS_OCR_LANGUAGE = "deu+eng";
       PAPERLESS_APP_TITLE = "paperless.chungus.private";
       PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [ ".DS_STORE/*" "desktop.ini" ];
+      PAPERLESS_EMAIL_TASK_CRON = "0 */8 * * *"; # “At minute 0 past every 8th hour.”
       #PAPERLESS_CONSUMER_DELETE_DUPLICATES = true;
     };
   };
 
+  services.permown."/var/lib/paperless/consume" = {
+    owner = "paperless";
+    group = "paperless";
+    directory-mode = "755";
+    file-mode = "640";
+  };
+
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ];
 
   services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = {
@@ -20,6 +28,9 @@
       deny all;
     '';
     locations."/" = {
+      extraConfig = ''
+        client_max_body_size 500M;
+      '';
       proxyPass = "http://localhost:${toString config.services.paperless.port}";
       proxyWebsockets = true;
     };

nixos/machines/chungus/services-forgejo.nix

@@ -11,18 +11,17 @@
           deny all;
         '';
         locations."/" = {
-          proxyPass = "http://localhost:${toString config.services.gogs.httpPort}";
+          proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
         };
       };
     };
   };
 
-  services.gitea = {
+  services.forgejo = {
     enable = true;
-    appName = "git.chungus.private";
-    package = pkgs.forgejo;
-    stateDir = "/srv/gitea";
+    stateDir = "/srv/forgejo";
     settings = {
+      DEFAULT.APP_NAME = "git.chungus.private";
       server.ROOT_URL = "http://git.chungus.private/";
       server.DOMAIN = "git.chungus.private";
       service.DISABLE_REGISTRATION = false;
@@ -34,6 +33,4 @@
     };
   };
 
-  # backup.dirs = [ "/srv/gitea" ];
-
 }

nixos/machines/chungus/services-vault.nix

@@ -1,6 +1,8 @@
+{ pkgs, ... }:
 {
   services.vault = {
     enable = true;
     #adress = "chungus.private:8200";
+    package = pkgs.unstable.vault;
   };
 }

nixos/machines/chungus/sync-rbackup.nix

@@ -2,12 +2,8 @@
 {
   sops.secrets.rsync_private_key = { };
 
+  # todo : replace all of them with syncoid
   rbackup.plans = {
-    nextcloud = {
-      sshKeyPath = config.sops.secrets.rsync_private_key.path;
-      src = "root@orbi:/var/lib/nixos-containers/nextcloud";
-      dst = "/mirror/nextcloud";
-    };
     git = {
       sshKeyPath = config.sops.secrets.rsync_private_key.path;
       src = "root@orbi:/var/lib/forgejo/";
@@ -23,11 +19,6 @@
       src = "root@orbi:/var/lib/bitwarden_rs/";
       dst = "/mirror/vaultwarden";
     };
-    matrix-terranix = {
-      sshKeyPath = config.sops.secrets.rsync_private_key.path;
-      src = "root@orbi:/var/lib/nixos-containers/matrix-terranix";
-      dst = "/mirror/matrix-terranix";
-    };
     radarr = {
       sshKeyPath = config.sops.secrets.rsync_private_key.path;
       src = "root@orbi:/media/arr/radarr";

nixos/machines/chungus/sync-syncoid.nix

@@ -0,0 +1,48 @@
+{ config, ... }:
+{
+
+  sops.secrets.syncoid_private_key = {
+    key = "rsync_private_key";
+    owner = config.services.syncoid.user;
+  };
+
+  services.syncoid = {
+    enable = true;
+
+    # local
+    commands.service2 = {
+      source = "zroot/services2";
+      target = "zraid/mirror/services2"; # should not be created up front!
+    };
+    commands.paperless = {
+      source = "zroot/paperless";
+      target = "zraid/mirror/paperless"; # should not be created up front!
+    };
+    commands.postgresql = {
+      source = "zroot/postgresql";
+      target = "zraid/mirror/postgresql"; # should not be created up front!
+    };
+
+    # remote
+    commands.matrix-terranix = {
+      sshKey = config.sops.secrets.syncoid_private_key.path;
+      source = "root@orbi:zroot/matrix-terranix";
+      target = "zraid/mirror/matrix-terranix"; # should not be created up front!
+    };
+    commands.nextcloud = {
+      sshKey = config.sops.secrets.syncoid_private_key.path;
+      source = "root@orbi:zroot/nextcloud";
+      target = "zraid/mirror/nextcloud"; # should not be created up front!
+    };
+    commands.photoprism = {
+      sshKey = config.sops.secrets.syncoid_private_key.path;
+      source = "root@orbi:zmedia/photoprism";
+      target = "zraid/mirror/photoprism"; # should not be created up front!
+    };
+    commonArgs = [
+      # Does not create new snapshot, only transfers existing
+      "--no-sync-snap"
+    ];
+  };
+
+}

nixos/machines/chungus/telegraf.nix

@@ -1,96 +0,0 @@
-{ config, pkgs, ... }:
-let
-  urls = [
-    { url = "https://bitwarden.ingolf-wagner.de"; path = ""; }
-    { url = "https://flix.ingolf-wagner.de"; path = "web/index.html"; }
-    { url = "https://git.ingolf-wagner.de"; path = ""; }
-    { url = "https://ingolf-wagner.de"; path = ""; }
-    { url = "https://nextcloud.ingolf-wagner.de"; path = "login"; }
-    { url = "https://tech.ingolf-wagner.de"; path = ""; }
-    { url = "https://matrix.ingolf-wagner.de"; path = ""; }
-  ];
-
-in
-{
-  systemd.services.telegraf.path = [ pkgs.inetutils ];
-
-  services.telegraf = {
-    enable = true;
-    extraConfig = {
-      outputs.prometheus_client = {
-        listen = ":9273";
-        metric_version = 2;
-      };
-      # https://github.com/influxdata/telegraf/tree/master/plugins/inputs < all them plugins
-      inputs = {
-        cpu = { };
-        diskio = { };
-        smart.attributes = true;
-        x509_cert = [{
-          sources = (map (url: "${url.url}:443") urls);
-          interval = "30m"; # agent.interval = "10s" is default
-        }];
-        http_response =
-          let fullUrls = map ({ url, path }: "${url}/${path}") urls;
-          in [{ urls = fullUrls; }];
-        processes = { };
-        system = { };
-        systemd_units = { };
-        internet_speed.interval = "10m";
-        nginx.urls = [ "http://localhost/nginx_status" ];
-        ping = [{ urls = [ "10.100.0.1" ]; }]; # actually important to make pepe visible over wireguard
-      };
-    };
-  };
-
-  services.prometheus.scrapeConfigs = [
-    {
-      # see https://www.home-assistant.io/integrations/prometheus/
-      job_name = "telgraf";
-      metrics_path = "/metrics";
-      static_configs = [{
-        targets = [ "localhost:9273" ];
-        labels = {
-          service = "telegraf";
-          server = config.networking.hostName;
-        };
-      }];
-    }
-  ];
-
-  services.prometheus.ruleFiles = [
-    (pkgs.writeText "telegraf.yml" (builtins.toJSON {
-      groups = [
-        {
-          name = "telegraf";
-          rules = [
-            {
-              alert = "HttpResponseNotOk";
-              expr = "0 * (http_response_http_response_code != 200) + 1";
-              for = "5m";
-              labels.severity = "page";
-              annotations = {
-                summary = "{{ $labels.exported_server }} does not return Ok";
-                description = "{{ $labels.exported_server }} does not return Ok for more than 5 minutes";
-              };
-            }
-            {
-              alert = "CertificatExpires";
-              expr = ''x509_cert_expiry{issuer_common_name="R3"} < ${toString (60 * 60 * 24 * 5)}'';
-              for = "1d";
-              labels.severity = "page";
-              annotations = {
-                summary = "{{ $labels.san }} does Expire Soon";
-                description = "{{ $labels.san }} does expire in less than 5 days";
-              };
-            }
-          ];
-        }
-      ];
-    }))
-  ];
-
-
-
-
-}

nixos/machines/chungus/telemetry/loki.nix

@@ -0,0 +1,145 @@
+{ config, pkgs, ... }:
+{
+
+  services.opentelemetry-collector.settings = {
+    exporters.loki = {
+      endpoint = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
+      default_labels_enabled = {
+        exporter = true;
+        job = true;
+        instance = true;
+        level = true;
+      };
+    };
+    processors = {
+      attributes.actions = [
+        {
+          action = "insert";
+          key = "loki.attribute.labels";
+          value = "job, unit, boot_id, instance, facility, facility_label, priority, priority_label";
+        }
+      ];
+      resource.attributes = [
+        {
+          action = "insert";
+          key = "loki.resource.labels";
+          value = "host.name";
+        }
+        {
+          action = "insert";
+          key = "loki.format";
+          value = "raw";
+        }
+      ];
+    };
+    service.pipelines.logs.exporters = [ "loki" ];
+    service.pipelines.logs.processors = [ "resource" "attributes" ];
+  };
+
+  services.loki = {
+    enable = true;
+    # https://grafana.com/docs/loki/latest/configure/#supported-contents-and-default-values-of-lokiyaml
+    configuration = {
+
+      server = {
+        http_listen_port = 3100;
+        log_level = "warn";
+      };
+      auth_enabled = false;
+
+      ingester = {
+        lifecycler = {
+          address = "127.0.0.1";
+          ring = {
+            kvstore = {
+              store = "inmemory";
+            };
+            replication_factor = 1;
+          };
+        };
+        chunk_idle_period = "1h";
+        max_chunk_age = "1h";
+        chunk_target_size = 999999;
+        chunk_retain_period = "30s";
+        max_transfer_retries = 0;
+      };
+
+      schema_config = {
+        configs = [{
+          from = "2022-06-06";
+          store = "boltdb-shipper";
+          object_store = "filesystem";
+          schema = "v11";
+          index = {
+            prefix = "index_";
+            period = "24h";
+          };
+        }];
+      };
+
+      storage_config = {
+        boltdb_shipper = {
+          active_index_directory = "/var/lib/loki/boltdb-shipper-active";
+          cache_location = "/var/lib/loki/boltdb-shipper-cache";
+          cache_ttl = "24h";
+          shared_store = "filesystem";
+        };
+
+        filesystem = {
+          directory = "/var/lib/loki/chunks";
+        };
+      };
+
+      limits_config = {
+        reject_old_samples = true;
+        reject_old_samples_max_age = "168h";
+      };
+
+      chunk_store_config = {
+        max_look_back_period = "0s";
+      };
+
+      table_manager = {
+        retention_deletes_enabled = false;
+        retention_period = "0s";
+      };
+
+      compactor = {
+        working_directory = "/var/lib/loki";
+        shared_store = "filesystem";
+        compactor_ring = {
+          kvstore = {
+            store = "inmemory";
+          };
+        };
+      };
+
+      # The query_range block configures the query splitting and caching in the Loki query-frontend.
+      query_range = {
+        # Perform query parallelisations based on storage sharding configuration and
+        # query ASTs. This feature is supported only by the chunks storage engine.
+        parallelise_shardable_queries = false; # false because of https://github.com/grafana/loki/issues/7649#issuecomment-1625645403
+      };
+    };
+
+    # user, group, dataDir, extraFlags, (configFile)
+  };
+
+  # https://grafana.com/docs/grafana/latest/datasources/loki/#provision-the-loki-data-source
+  services.grafana.provision.datasources.settings = {
+    apiVersion = 1;
+    datasources = [
+      {
+        name = "Loki";
+        type = "loki";
+        uid = "loki01";
+        url = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}";
+        jsonData = {
+          timeout = 360;
+          maxLines = 1000;
+        };
+      }
+    ];
+  };
+
+}

nixos/machines/chungus/telemetry/opentelemetry-hass.nix

@@ -0,0 +1,38 @@
+{ config, ... }:
+{
+
+  #{
+  #  name = "home-assistant";
+  #  rules = [
+  #    {
+  #      record = "home_open_window_sum";
+  #      expr = ''sum( homeassistant_binary_sensor_state{entity=~"binary_sensor\\.window_02_contact|binary_sensor\\.window_03_contact|binary_sensor\\.window_04_contact|binary_sensor\\.window_05_contact|binary_sensor\\.window_06_contact|binary_sensor\\.window_07_contact"} )'';
+  #    }
+  #  ] ++ (map
+  #    (number:
+  #      {
+  #        record = "home_at_least_n_windows_open";
+  #        expr = ''home_open_window_sum >= bool ${toString number}'';
+  #        labels.n = number;
+  #      }) [ 1 2 3 ]);
+  #};
+
+  sops.secrets.hass_long_term_token.owner = "prometheus";
+
+  services.opentelemetry-collector.settings = {
+    service.pipelines.metrics.receivers = [ "prometheus" ];
+    receivers.prometheus.config.scrape_configs = [
+      {
+        # see https://www.home-assistant.io/integrations/prometheus/
+        job_name = "home-assistant";
+        scrape_interval = "60s";
+        metrics_path = "/api/prometheus";
+        bearer_token_file = toString config.sops.secrets.hass_long_term_token.path;
+        static_configs = [{
+          targets = [ "127.0.0.1:8123" ];
+        }];
+      }
+    ];
+
+  };
+}

nixos/machines/chungus/telemetry/prometheus.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, lib, ... }: {
+
+  services.nginx = {
+    enable = true;
+    statusPage = true;
+    virtualHosts = {
+      "prometheus.${config.networking.hostName}.private" = {
+        extraConfig = ''
+          allow ${config.tinc.private.subnet};
+          deny all;
+        '';
+        locations."/" = { proxyPass = "http://localhost:${toString config.services.prometheus.port}"; };
+      };
+    };
+  };
+
+  services.prometheus = {
+    checkConfig = "syntax-only";
+    enable = true;
+    # keep data for 30 days
+    extraFlags = [ "--storage.tsdb.retention.time=90d" ];
+  };
+
+  services.grafana.provision.datasources.settings = {
+    apiVersion = 1;
+    datasources = [
+      {
+        name = "Prometheus";
+        type = "prometheus";
+        uid = "prometheus01";
+        url = "http://localhost:${toString config.services.prometheus.port}";
+      }
+    ];
+  };
+
+}

nixos/machines/chungus/telemetry/telegraf-smart.nix

@@ -1,15 +1,14 @@
 { pkgs, ... }:
 {
+
   services.smartd.enable = true;
   environment.systemPackages = [ pkgs.smartmontools pkgs.nvme-cli ];
 
-  services.telegraf = {
-    enable = true;
-    extraConfig.inputs.smart = {
-      attributes = true;
-      use_sudo = true;
-    };
+  services.telegraf.extraConfig.inputs.smart = {
+    attributes = true;
+    use_sudo = true;
   };
+
   systemd.services.telegraf.path = [ pkgs.smartmontools pkgs.nvme-cli "/run/wrappers" ];
 
   security.sudo.configFile = ''

nixos/machines/chungus/telemetry/telegraf.nix

@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+let
+  urls = [
+    { url = "https://bitwarden.ingolf-wagner.de"; path = ""; }
+    { url = "https://flix.ingolf-wagner.de"; path = "web/index.html"; }
+    { url = "https://git.ingolf-wagner.de"; path = ""; }
+    { url = "https://ingolf-wagner.de"; path = ""; }
+    { url = "https://nextcloud.ingolf-wagner.de"; path = "login"; }
+    { url = "https://tech.ingolf-wagner.de"; path = ""; }
+    { url = "https://matrix.ingolf-wagner.de"; path = ""; }
+  ];
+in
+{
+  services.telegraf = {
+    extraConfig = {
+      # https://github.com/influxdata/telegraf/tree/master/plugins/inputs < all them plugins
+      inputs = {
+        x509_cert = [{
+          sources = (map (url: "${url.url}:443") urls);
+          interval = "30m"; # agent.interval = "10s" is default
+        }];
+        http_response =
+          let fullUrls = map ({ url, path }: "${url}/${path}") urls;
+          in [{ urls = fullUrls; }];
+        internet_speed.interval = "10m";
+        nginx.urls = [ "http://localhost/nginx_status" ];
+      };
+    };
+  };
+
+}

nixos/machines/cream/configuration.nix

@@ -28,6 +28,8 @@
   boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
 
   components.gui.enable = true;
+  components.gui.xorg.enable = true;
+  components.gui.wayland.enable = false;
   components.mainUser.enable = true;
   components.media.enable = true;
   components.media.tts-client.enable = false;
@@ -35,6 +37,10 @@
   components.network.wifi.enable = true;
   components.terminal.enable = true;
 
+  components.monitor.enable = true;
+  components.monitor.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
+  components.monitor.exporters.zfs.enable = false;
+
   home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
 
   sops.secrets.yubikey_u2fAuthFile = { };

nixos/machines/cream/syncthing.nix

@@ -16,6 +16,10 @@
 
       # on encrypted drive
       # ------------------
+      oscar_cpap = {
+        enable = true;
+        path = "/home/palo/Documents/OSCAR_Data";
+      };
       password-store = {
         enable = true;
         path = "/home/palo/.password-store";

nixos/machines/cream/wireguard.nix

@@ -18,7 +18,8 @@
           # robi
           publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
           allowedIPs = [ "10.100.0.1/24" ];
-          endpoint = "ingolf-wagner.de:51820";
+          #endpoint = "ingolf-wagner.de:51820";
+          endpoint = "95.216.66.212:51820";
         }
       ];
     };

nixos/machines/orbi/cache.nix

@@ -1,13 +0,0 @@
-{ ... }:
-{
-  services.nix-serve = {
-    enable = true;
-
-    # needed if i want to trust my own build packages and dirivations
-    # nix-store --generate-binary-cache-key key-name secret-key-file public-key-file
-    # secretKeyFile = sops.nixServeSecretKeyFile.path
-
-  };
-
-
-}

nixos/machines/orbi/configuration.nix

@@ -8,11 +8,11 @@
     ../../components
     ../../modules
 
-
-    ./service-hedgedoc.nix
     ./service-forgejo.nix
-    ./service-vaultwarden.nix
+    ./service-hedgedoc.nix
+    ./service-photoprism.nix
     ./service-taskserver.nix
+    ./service-vaultwarden.nix
 
     ./nginx-ingolf-wagner-de.nix
     ./nginx-wkd.nix
@@ -20,30 +20,16 @@
     ./network-tinc.nix
     ./network-wireguard.nix
 
-    ./media-share.nix
-
-    ./media-syncthing.nix
-    #./media-transmission.nix
-    ./media-transmission2.nix
-    ./media-jellyfin.nix
     ./media-arr.nix
+    ./media-jellyfin.nix
     ./media-nextcloud.nix
+    ./media-share.nix
+    ./media-syncthing.nix
+    ./media-transmission2.nix
 
     ./social-jitsi.nix
     ./social-matrix-terranix.nix
 
-    #./sync-opentracker.nix
-    #./sync-torrent.nix
-
-    # telemetry
-    # ---------
-    #./loki.nix
-    #./loki-promtail.nix
-    ##./prometheus.nix
-    #./grafana.nix
-    ./telegraf.nix
-
-    #./cache.nix
   ];
 
   networking.hostName = "orbi";
@@ -55,6 +41,12 @@
   components.network.nginx.landingpage.enable = false;
   components.network.wifi.enable = false;
 
+  components.monitor.enable = true;
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
+  networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
+  components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
+  components.monitor.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chnungus
+
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "contact@ingolf-wagner.de";
 
@@ -63,4 +55,11 @@
   # chungus rsync
   users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ];
 
+  # todo : need this for syncoid
+  environment.systemPackages = [
+    pkgs.mbuffer
+    pkgs.lzop
+    pkgs.gzip
+  ];
+
 }

nixos/machines/orbi/finance.nix

@@ -1,58 +0,0 @@
-{ lib, config, pkgs, ... }:
-let
-
-  # find symbols with
-  # https://www.alphavantage.co/query?function=SYMBOL_SEARCH&apikey=<api_key>&keywords=<keywords>
-  # as described here : https://www.alphavantage.co/documentation/#symbolsearch
-  #
-  # example:
-  # --------
-  # stocks = [
-  #   {
-  #     friendly_name = "google";
-  #     symbol = "GOOGL.DEX";
-  #     name = "google";
-  #     currency = "$";
-  #   }
-  # ];
-  # results in
-  # P 2020-01-30 GOOGL $123
-  stocks = import ../../private_assets/finance/stocks;
-  stocksFile = toString /home/syncthing/finance/hledger/stocks.journal;
-
-in
-{
-
-  systemd.services.pull_stocks = {
-    enable = true;
-    description = "pull stocks for hledger";
-    serviceConfig = {
-      User = "syncthing";
-      Type = "oneshot";
-    };
-
-    script =
-      let
-        command = { symbol, name, currency, ... }: ''
-          APIKEY=${lib.fileContents ../../private_assets/finance/alphavantage/apiKey}
-          SYMBOL="${symbol}"
-          ${pkgs.curl}/bin/curl --location --silent \
-            "https://www.alphavantage.co/query?function=GLOBAL_QUOTE&symbol=$SYMBOL&apikey=$APIKEY" \
-            | ${pkgs.jq}/bin/jq --raw-output '.["Global Quote"]
-            | "P \(.["07. latest trading day"]) ${name} ${currency}\(.["05. price"] | tonumber)"' \
-          >> ${stocksFile}
-          sleep 1
-        '';
-      in
-      lib.concatStringsSep "\n" (map command stocks);
-  };
-
-  systemd.timers.pull_stocks = {
-    enable = true;
-    wantedBy = [ "multi-user.target" ];
-    timerConfig = {
-      OnCalendar = "weekly";
-      Persistent = "true";
-    };
-  };
-}

nixos/machines/orbi/grafana.nix

@@ -1,24 +0,0 @@
-{ config, ... }:
-{
-
-  services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
-    extraConfig = ''
-      allow ${config.tinc.private.subnet};
-      deny all;
-    '';
-    locations."/" = {
-      proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
-      proxyWebsockets = true;
-    };
-  };
-
-  services.grafana = {
-    enable = true;
-    settings.server = {
-      domain = "grafana.robi.private";
-      http_port = 2342;
-      http_addr = "localhost";
-    };
-  };
-
-}

nixos/machines/orbi/graylog.nix

@@ -1,130 +0,0 @@
-{ config, lib, pkgs, ... }:
-let port = 9000;
-in {
-  # configure nginx
-  services.nginx = {
-    enable = true;
-    virtualHosts = {
-      "graylog.workhorse.private" = {
-        locations."/" = {
-          proxyPass = "http://localhost:${toString port}";
-          extraConfig = ''
-            proxy_set_header    Host $host:$server_port;
-            proxy_set_header    X-Real-IP $remote_addr;
-            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header    X-Forwarded-Proto $scheme;
-            proxy_read_timeout  90;
-            proxy_redirect      http://localhost:${
-              toString port
-            } https://graylog.workhorse.private/;
-          '';
-        };
-      };
-    };
-  };
-
-  services.mongodb.enable = true;
-  services.elasticsearch = {
-    enable = true;
-    listenAddress = "${config.networking.hostName}.private";
-    extraJavaOptions = [ "-Des.http.cname_in_publish_address=true" ];
-  };
-
-  services.graylog.enable = true;
-  services.graylog.elasticsearchHosts =
-    [ "http://${config.services.elasticsearch.listenAddress}:9200" ];
-
-  # https://docs.graylog.org/en/3.0/pages/configuration/server.conf.html
-  services.graylog.extraConfig = ''
-    http_bind_address = 0.0.0.0:${toString port}
-    http_publish_uri = http://workhorse.private:${toString port}/
-  '';
-
-  # other wise this does not work
-  services.graylog.nodeIdFile = "/var/lib/graylog/node-id";
-
-  # pwgen -N 1 -s 96
-  services.graylog.passwordSecret =
-    lib.fileContents ../../private_assets/graylog/password-secret;
-
-  # echo -n yourpassword | shasum -a 256
-  services.graylog.rootPasswordSha2 =
-    lib.fileContents ../../private_assets/graylog/root-password-hash;
-
-  services.graylog.plugins = [ pkgs.graylogPlugins.slack ];
-
-  # not working at the moment
-  #services.geoip-updater.enable = true;
-
-  # https://wiki.splunk.com/Http_status.csv
-  environment.etc."graylog/server/httpCodes.csv" = {
-    enable = true;
-    text = ''
-      status,status_description,status_type
-      100,Continue,Informational
-      101,Switching Protocols,Informational
-      200,OK,Successful
-      201,Created,Successful
-      202,Accepted,Successful
-      203,Non-Authoritative Information,Successful
-      204,No Content,Successful
-      205,Reset Content,Successful
-      206,Partial Content,Successful
-      300,Multiple Choices,Redirection
-      301,Moved Permanently,Redirection
-      302,Found,Redirection
-      303,See Other,Redirection
-      304,Not Modified,Redirection
-      305,Use Proxy,Redirection
-      307,Temporary Redirect,Redirection
-      400,Bad Request,Client Error
-      401,Unauthorized,Client Error
-      402,Payment Required,Client Error
-      403,Forbidden,Client Error
-      404,Not Found,Client Error
-      405,Method Not Allowed,Client Error
-      406,Not Acceptable,Client Error
-      407,Proxy Authentication Required,Client Error
-      408,Request Timeout,Client Error
-      409,Conflict,Client Error
-      410,Gone,Client Error
-      411,Length Required,Client Error
-      412,Precondition Failed,Client Error
-      413,Request Entity Too Large,Client Error
-      414,Request-URI Too Long,Client Error
-      415,Unsupported Media Type,Client Error
-      416,Requested Range Not Satisfiable,Client Error
-      417,Expectation Failed,Client Error
-      500,Internal Server Error,Server Error
-      501,Not Implemented,Server Error
-      502,Bad Gateway,Server Error
-      503,Service Unavailable,Server Error
-      504,Gateway Timeout,Server Error
-      505,HTTP Version Not Supported,Server Error
-    '';
-  };
-
-  environment.etc."graylog/server/known_servers.csv" = {
-    enable = true;
-    text = ''
-      "ip","host_name"
-      "95.216.1.150","lassul.us"
-    '';
-  };
-
-  environment.etc."graylog/systemd/loglevel.csv" = {
-    enable = true;
-    text = ''
-      "value","Servity","Description"
-      "0","emergency","System is unusable"
-      "1","alert","Should be corrected immediately"
-      "2","cirtical","Critical conditions"
-      "3","error","Error Condition"
-      "4","warning","May indicate that an error will occur if action is not taken."
-      "5","notice","Events that are unusual, but not error conditions."
-      "6","info","Normal operational messages that require no action."
-      "7","debug","Information useful to developers for debugging the application."
-    '';
-  };
-
-}

nixos/machines/orbi/grocy.nix

@@ -1,16 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  services.grocy = {
-    enable = true;
-    settings = {
-      culture = "de";
-      currency = "EUR";
-    };
-    hostName = "grocy.ingolf-wagner.de";
-    nginx.enableSSL = true;
-  };
-
-  backup.dirs = [ config.services.grocy.dataDir ];
-
-}

nixos/machines/orbi/hardware-configuration/disko-config.nix

@@ -112,6 +112,18 @@ in
               #"com.sun:auto-snapshot:monthly" = false;
             };
           };
+          "matrix-terranix" = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/nixos-containers/matrix-terranix";
+            options = {
+              mountpoint = "legacy";
+              compression = "lz4";
+              "com.sun:auto-snapshot:hourly" = toString true;
+              "com.sun:auto-snapshot:daily" = toString true;
+              #"com.sun:auto-snapshot:weekly" = false;
+              #"com.sun:auto-snapshot:monthly" = false;
+            };
+          };
         };
       };
 
@@ -123,7 +135,7 @@ in
           canmount = "off";
         };
         datasets = {
-          "media" = {
+          media = {
             type = "zfs_fs";
             mountpoint = "/media";
             options = {
@@ -134,6 +146,18 @@ in
               #"com.sun:auto-snapshot:monthly" = false;
             };
           };
+          photoprism = {
+            type = "zfs_fs";
+            mountpoint = "/var/lib/nixos-containers/photoprism";
+            options = {
+              mountpoint = "legacy";
+              compression = "lz4";
+              "com.sun:auto-snapshot:hourly" = toString true;
+              "com.sun:auto-snapshot:daily" = toString true;
+              #"com.sun:auto-snapshot:weekly" = false;
+              #"com.sun:auto-snapshot:monthly" = false;
+            };
+          };
         };
       };
 

nixos/machines/orbi/kibana.nix

@@ -1,25 +0,0 @@
-{ config, ... }: {
-  services.nginx = {
-    enable = true;
-    statusPage = true;
-    virtualHosts = {
-      "kibana.${config.networking.hostName}.private" = {
-        serverAliases = [ ];
-        locations."/" = {
-          proxyPass = "http://${config.networking.hostName}.private:${
-              toString config.services.kibana.port
-            }";
-        };
-      };
-    };
-  };
-
-  services.elasticsearch.enable = true;
-  services.elasticsearch.listenAddress = "workhorse.private";
-
-  services.kibana.enable = true;
-  services.kibana.elasticsearch.hosts = [ "http://workhorse.private:9200" ];
-  services.kibana.listenAddress = "workhorse.private";
-  services.kibana.port = 5601;
-
-}

nixos/machines/orbi/loki-promtail.nix

@@ -1,41 +0,0 @@
-{ config, ... }:
-{
-  services.promtail = {
-    enable = true;
-    configuration = {
-      server = {
-        http_listen_port = 28183;
-        grpc_listen_port = 0;
-      };
-      positions.filename = "/tmp/positions.yaml";
-      clients = [
-        { url = "http://127.0.0.1:3100/loki/api/v1/push"; }
-      ];
-
-      scrape_configs = [
-        {
-          job_name = "journal";
-          journal = {
-            max_age = "12h";
-            labels = {
-              job = "systemd-journal";
-              host = config.networking.hostName;
-            };
-          };
-          relabel_configs = [
-            {
-              source_labels = [ "__journal__systemd_unit" ];
-              target_label = "unit";
-            }
-            {
-              source_labels = [ "__journal__transport" ];
-              target_label = "transport";
-            }
-          ];
-        }
-      ];
-
-    };
-
-  };
-}

nixos/machines/orbi/loki.nix

@@ -1,99 +0,0 @@
-{ config, pkgs, ... }:
-{
-
-  services.loki = {
-    enable = true;
-    configuration = {
-      server = {
-        http_listen_port = 3100;
-        log_level = "warn";
-      };
-      auth_enabled = false;
-
-      ingester = {
-        lifecycler = {
-          address = "127.0.0.1";
-          ring = {
-            kvstore = {
-              store = "inmemory";
-            };
-            replication_factor = 1;
-          };
-        };
-        chunk_idle_period = "1h";
-        max_chunk_age = "1h";
-        chunk_target_size = 999999;
-        chunk_retain_period = "30s";
-        max_transfer_retries = 0;
-      };
-
-      schema_config = {
-        configs = [{
-          from = "2022-06-06";
-          store = "boltdb-shipper";
-          object_store = "filesystem";
-          schema = "v11";
-          index = {
-            prefix = "index_";
-            period = "24h";
-          };
-        }];
-      };
-
-      storage_config = {
-        boltdb_shipper = {
-          active_index_directory = "/var/lib/loki/boltdb-shipper-active";
-          cache_location = "/var/lib/loki/boltdb-shipper-cache";
-          cache_ttl = "24h";
-          shared_store = "filesystem";
-        };
-
-        filesystem = {
-          directory = "/var/lib/loki/chunks";
-        };
-      };
-
-      limits_config = {
-        reject_old_samples = true;
-        reject_old_samples_max_age = "168h";
-      };
-
-      chunk_store_config = {
-        max_look_back_period = "0s";
-      };
-
-      table_manager = {
-        retention_deletes_enabled = false;
-        retention_period = "0s";
-      };
-
-      compactor = {
-        working_directory = "/var/lib/loki";
-        shared_store = "filesystem";
-        compactor_ring = {
-          kvstore = {
-            store = "inmemory";
-          };
-        };
-      };
-    };
-    # user, group, dataDir, extraFlags, (configFile)
-  };
-
-  #services.nginx = {
-  #  enable = true;
-  #  virtualHosts.loki = {
-  #    serverName = "loki.pepe.private";
-  #    locations."/" = {
-  #      proxyWebsockets = true;
-  #      proxyPass = "http://127.0.0.1:3100";
-  #      #extraConfig = ''
-  #      #  access_log off;
-  #      #  allow ${config.tinc.private.subnet};
-  #      #  deny all;
-  #      #'';
-  #    };
-  #  };
-  #};
-
-}

nixos/machines/orbi/mail-fetcher.nix

@@ -1,663 +0,0 @@
-# fetches mails for me
-{ lib, pkgs, config, ... }:
-let
-  junk_filter = [
-    "from:booking.com"
-    "subject:Gewinn"
-    "from:brompton.com"
-    "from:circleci.com OR (from:noreply@github.com AND to:audio-overlay@googlegroups.com)"
-    "from:codepen.io"
-    "from:congstarnews.de"
-    "from:cronullasurfingacademy.com"
-    "from:cryptohopper.com"
-    "from:digitalo.de"
-    "from:facebook.com OR from:facebookmail.com"
-    "from:fitnessfirst.de"
-    "from:flixbus.de"
-    "from:getdigital.de"
-    "from:getpocket.com"
-    "from:ghostinspector.com"
-    "from:globetrotter.de"
-    "from:hackster.io"
-    "from:hostelworld.com"
-    "from:immobilienscout24.de"
-    "from:kvraudio.com"
-    "from:letterboxd.com"
-    "from:linkedin.com"
-    "from:magix.net"
-    "from:mailings.gmx.net"
-    "from:mailings.web.de"
-    "from:matrix.org"
-    "from:menospese.com"
-    "from:microsoftstoreemail.com"
-    "from:mixcloudmail.com AND subject:Weekly Update"
-    "from:oknotify2.com AND NOT subject:New message"
-    "from:paulaschoice.com"
-    "from:puppet.com"
-    "from:runtastic.com"
-    "from:samplemagic.com OR from:wavealchemy.co.uk OR from:creators.gumroad.com"
-    "from:ticketmaster.de"
-    "from:trade4less.de"
-    "from:tumblr.com"
-    "from:turners.co.nz"
-    "from:twitch.tv"
-    "from:vstbuzz.com"
-  ];
-  filters = [
-    {
-      query = "from:hv-geelen.de";
-      tags = [ "+wohnung" ];
-    }
-    {
-      query = "from:computerfutures.com OR from:computerfutures.de";
-      tags = [ "+jobs" "-inbox" ];
-    }
-    {
-      query = "from:seek.com.au or from:seek.co.nz";
-      tags = [ "+jobs" ];
-    }
-    {
-      query = "from:xing.com";
-      tags = [ "+jobs" "-inbox" ];
-    }
-    {
-      query = "from:no-reply@backtrace.io OR to:sononym@noreply.github.com";
-      tags = [ "+sononym" "-inbox" ];
-    }
-    {
-      query = "from:ebay.com OR from:ebay.de OR from:ebay.net";
-      tags = [ "+ebay" "+shop" "+billing" ];
-    }
-    {
-      query = "from:bahn.de";
-      tags = [ "+billing" "+bahn" ];
-    }
-    {
-      query =
-        "from:fysitech.atlassian.net OR to:engiadina-pwa@noreply.github.com";
-      tags = [ "+mia" "+work" "-unread" "-inbox" ];
-    }
-    {
-      query =
-        "from:space-left.org OR to:space-left.org OR subject:/\\[space-left\\]/";
-      tags = [ "+spaceleft" "+space-left" ];
-    }
-    {
-      query = "from:landr.com";
-      tags = [ "+landr" "+music" ];
-    }
-    {
-      query = "tag:landr and tag:billing";
-      tags = [ "+billing" ];
-    }
-    {
-      query = "from:oknotify2.com";
-      tags = [ "+okcupid" ];
-    }
-    {
-      query = "from:taxback.de OR to:taxback.de";
-      tags = [ "+steuer" ];
-    }
-    {
-      query = "from:campact.de";
-      tags = [ "+campact" "+politics" ];
-    }
-    {
-      query = "from:aliexpress.com";
-      tags = [ "+shop" "+aliexpress" ];
-    }
-    {
-      query = "from:congstar.de";
-      tags = [ "+billing" "+congstar" "-inbox" "-unread" ];
-    }
-    {
-      query =
-        "from:steampowered.com AND NOT ( subject:purchase OR subject:received )";
-      tags = [ "-inbox" "-unread" ];
-    }
-    {
-      query =
-        "from:steampowered.com AND ( subject:purchase OR subject:received )";
-      tags = [ "+billing" "+steam" ];
-    }
-    {
-      query = "from:gog.com AND NOT subject:Bestellung";
-      tags = [ "-inbox" "-unread" ];
-    }
-    {
-      query = "from:gog.com AND subject:Bestellung";
-      tags = [ "+billing" "+gog" ];
-    }
-    {
-      query = "from:stadtmobil.de";
-      tags = [ "+billing" "+stadtmobil" "-inbox" "-unread" ];
-    }
-    {
-      query = "from:drive-now.com";
-      tags = [ "+billing" "+drivenow" "-inbox" "-unread" ];
-    }
-    {
-      query = "from:data-treuhand.de";
-      tags = [ "+mindcurv" "+work" "-inbox" "-unread" "-junk" ];
-    }
-    {
-      query = "from:immocation.de";
-      tags = [ "+immobilien" "-inbox" ];
-    }
-    {
-      query = "from:tinc-vpn.org";
-      tags = [ "+tinc" ];
-    }
-    {
-      query = "from:mindfactory.de";
-      tags = [ "+shop" "+billing" ];
-    }
-    {
-      query = "from:zalando.de";
-      tags = [ "+shop" "+billing" "+zalando" ];
-    }
-    {
-      query = "from:ing.de";
-      tags = [ "+bank" "+ingdiba" ];
-    }
-    {
-      query = "from:nab.com.au";
-      tags = [ "+bank" "+nab" "-inbox" "-unread" ];
-    }
-    {
-      query = "from:dkb.de";
-      tags = [ "+bank" "+dkb" ];
-    }
-    {
-      query = "from:o2online.de";
-      tags = [ "+billing" "+o2" ];
-    }
-    {
-      query = "from:betfair.com";
-      tags = [ "+work" "+betfair" ];
-    }
-    {
-      query = "from:notifications@github.com";
-      tags = [ "+github" ];
-    }
-    {
-      query = "to:NUR@noreply.github.com";
-      tags = [ "+nur" "+nixos" "+list" ];
-    }
-    {
-      query = "to:nixpkgs@noreply.github.com";
-      tags = [ "+nixpkgs" "+nixos" "+list" ];
-    }
-    {
-      query = "from:travis-ci.org AND subject:mrVanDalo/navi";
-      tags = [ "+development" "+navi" ];
-    }
-    {
-      query = "from:travis-ci.org AND subject:nur-packages";
-      tags = [ "+development" "+nixos" "+nur-packages" ];
-    }
-    {
-      query = "from:travis-ci.org AND subject:csv-to-qif";
-      tags = [ "+development" "+csv-to-qif" ];
-    }
-    {
-      query = "to:proaudio@lists.tuxfamily.org";
-      tags = [ "-inbox" "-unread" ];
-    }
-    {
-      query = "from:nixos1@discoursemail.com";
-      tags = [ "+nixos" "+discourse" "+list" ];
-    }
-    {
-      query = "from:nixos1@discoursemail.com AND subject:Development";
-      tags = [ "+nixos" "+discourse" "+development" ];
-    }
-    {
-      query = "from:nixos1@discoursemail.com AND subject:Français";
-      tags = [ "+nixos" "+discourse" "-inbox" "-unread" ];
-    }
-    {
-      query = "from:nixos1@discoursemail.com AND subject:Announcements";
-      tags = [ "+nixos" "+discourse" "+announcements" ];
-    }
-    {
-      query = "from:nixos1@discoursemail.com AND subject:Links";
-      tags = [ "+nixos" "+discourse" "+links" ];
-    }
-    {
-      query = "from:nixos1@discoursemail.com AND subject:Games";
-      tags = [ "+nixos" "+discourse" "+games" ];
-    }
-    {
-      query = "from:nixos1@discoursemail.com AND subject:Meta";
-      tags = [ "+nixos" "+discourse" "+meta" ];
-    }
-    {
-      query = "from:nixos1@discoursemail.com AND subject:Events";
-      tags = [ "+nixos" "+discourse" "+events" ];
-    }
-    {
-      query = "from:limebike.com AND (subject:Funds OR subject:Receipt)";
-      tags = [ "-inbox" "-unread" "+billing" "+limebike" ];
-    }
-    {
-      query = "from:freemusicarchive.org";
-      tags = [ "+FMA" ];
-    }
-    {
-      query = "from:namecheap.com and subject:auto-renewal";
-      tags = [ "+namecheap" "+billing" ];
-    }
-    {
-      query = "from:namecheap.com and subject:order";
-      tags = [ "+namecheap" "+billing" ];
-    }
-    {
-      query = "tag:namecheap.com and tag:billing and body:gaykraft.com";
-      tags = [ "+namecheap" "+billing" ];
-    }
-    {
-      query = "from:nintendo.com";
-      tags = [ "+nintendo" "+billing" ];
-    }
-    {
-      query = "from:oculus.com AND subject:receipt";
-      tags = [ "+oculus" "+billing" ];
-    }
-    {
-      query = "from:car2go.com";
-      tags = [ "-inbox" "-unread" ];
-    }
-    {
-      query = "from:sixt.de";
-      tags = [ "-inbox" "-unread" ];
-    }
-    {
-      query = "from:meetup.com";
-      tags = [ "-inbox" "-unread" "+meetup" ];
-    }
-    {
-      query = "from:slack.com";
-      tags = [ "+slack" ];
-    }
-    {
-      query = "from:keybase.io";
-      tags = [ "+keybase" ];
-    }
-    {
-      query = "from:jobs2web.com";
-      tags = [ "+newzealand" "+jobs" "-inbox" ];
-    }
-    {
-      query = "from:paypal.de AND subject:Bestätigung";
-      tags = [ "-unread" "+paypal" "+billing" ];
-    }
-    {
-      query = "to:c-base.org";
-      tags = [ "+cbase" "+list" ];
-    }
-    {
-      query = "to:c-base.org AND subject=[auto-report]";
-      tags = [ "-unread" "-inbox" ];
-    }
-    {
-      query = "from:browserstack.com";
-      tags = [ "+browserstack" ];
-    }
-    {
-      query =
-        "to:renoise@ingolf-wagner.de OR to:root@renoise.com OR from:renoise.com OR to:admin@renoise.com";
-      tags = [ "+renoise" ];
-    }
-    {
-      query = "from:amazon.de OR from:amazon.com AND NOT to:renoise.com";
-      tags = [ "+shop" "+amazon" "+billing" ];
-    }
-    {
-      query = "from:hetzner.com OR from:hetzner.de";
-      tags = [ "+hetzner" ];
-    }
-    {
-      query =
-        "to:renoise.com AND NOT ( from:renoise.com OR from:root OR from:hetzner.com OR from:hetzner.de OR from:amazon.com OR from:gmail.com )";
-      tags = [ "-inbox" "-unread" "+junk" "+renoise" ];
-    }
-    {
-      query = "tag:hetzner and subject:Invoice";
-      tags = [ "+billing" ];
-    }
-    # final rules to make imap sync stuff easier
-    # there can only be one output folder tag, and theses rules are prioritized
-    {
-      query = "tag:fraud";
-      tags = [ "-inbox" "-archive" "-junk" "-unread" ];
-      message = "clean up tag fraud";
-    }
-    {
-      query = "tag:junk";
-      tags = [ "-inbox" "-archive" "-fraud" "-unread" ];
-      message = "clean up tag junk";
-    }
-    {
-      query = "tag:archive";
-      tags = [ "-inbox" "-junk" "-fraud" "-unread" ];
-      message = "clean up tag archive";
-    }
-    {
-      query = "tag:inbox";
-      tags = [ "-archive" "-junk" "-fraud" ];
-      message = "clean up inbox";
-    }
-    {
-      query = "tag:killed";
-      tags = [ "-inbox" "-unread" ];
-      message = "clean up tag killed";
-    }
-    {
-      query = "tag:muted";
-      tags = [ "-inbox" "-unread" ];
-    }
-    # remove new tag at the end
-    {
-      query = "tag:new";
-      tags = [ "-new" ];
-      message = "remove new tag at the end";
-    }
-  ];
-
-  notmuchTagging =
-    let
-
-      template = index:
-        { tags, query, message ? "generic", ... }:
-        let
-          command = ''
-            ${pkgs.notmuch}/bin/notmuch tag ${lib.concatStringsSep " " tags} -- "${query}"
-          '';
-        in
-        ''
-          echo '${command}'
-          ${command}
-        '';
-      junk_template = index: query:
-        template index {
-          tags = [ "+junk" "-unread" "-inbox" ];
-          query = query;
-          message = "generic junk filter";
-        };
-
-    in
-    pkgs.writers.writeBash "notmuch-tagging" (lib.concatStringsSep "\n"
-      ((lib.imap0 junk_template junk_filter) ++ (lib.imap0 template filters)));
-
-  notmuchTaggingNew =
-    let
-
-      template = index:
-        { tags, query, message ? "generic", ... }:
-        let
-          command = ''
-            ${pkgs.notmuch}/bin/notmuch tag ${
-              lib.concatStringsSep " " tags
-            } -- "${query} AND tag:new"
-          '';
-        in
-        ''
-          echo '${command}'
-          ${command}
-        '';
-
-      junk_template = index: query:
-        template index {
-          tags = [ "+junk" "-unread" "-inbox" ];
-          query = query;
-          message = "generic junk filter";
-        };
-    in
-    pkgs.writers.writeBash "notmuch-tagging-new" (lib.concatStringsSep "\n"
-      ((lib.imap0 junk_template junk_filter) ++ (lib.imap0 template filters)));
-
-in
-{
-
-  backup.dirs = [ "/home/mailfetcher" ];
-
-  users.users.mailUser = {
-    isNormalUser = true;
-    description = "collects mails for me";
-    hashedPassword = "!";
-    name = "mailfetcher";
-    home = "/home/mailfetcher";
-    openssh.authorizedKeys.keyFiles =
-      config.users.users.root.openssh.authorizedKeys.keyFiles;
-    group = "mailfetcher";
-  };
-
-  users.groups.mailUser = {
-    name = "mailfetcher";
-  };
-
-  sops.secrets.mail_terranix = {
-    owner = config.users.users.mailUser.name;
-    group = config.users.users.mailUser.group;
-  };
-  sops.secrets.mail_gmail = {
-    owner = config.users.users.mailUser.name;
-    group = config.users.users.mailUser.group;
-  };
-  sops.secrets.mail_gmx_palo = {
-    owner = config.users.users.mailUser.name;
-    group = config.users.users.mailUser.group;
-  };
-  sops.secrets.mail_gmx_ingolf = {
-    owner = config.users.users.mailUser.name;
-    group = config.users.users.mailUser.group;
-  };
-  sops.secrets.mail_web = {
-    owner = config.users.users.mailUser.name;
-    group = config.users.users.mailUser.group;
-  };
-  sops.secrets.mail_siteground = {
-    owner = config.users.users.mailUser.name;
-    group = config.users.users.mailUser.group;
-  };
-
-  environment.systemPackages = [ pkgs.muchsync ];
-
-  # configure accounts
-  home-manager.users.mailUser.accounts.email = {
-    accounts = {
-
-      palo_van_dalo-gmx = {
-        primary = false;
-        address = "palo_van_dalo@gmx.de";
-        aliases = [ ];
-        realName = "Ingolf Wagner";
-        userName = "palo_van_dalo@gmx.de";
-        passwordCommand =
-          "cat ${toString config.sops.secrets.mail_gmx_palo.path }";
-        imap = {
-          host = "imap.gmx.net";
-          tls.enable = true;
-          port = 993;
-        };
-        mbsync = {
-          enable = true;
-          create = "both";
-        };
-        notmuch.enable = true;
-      };
-
-      ingolf-wagner-gmx = {
-        primary = false;
-        address = "ingolf.wagner@gmx.de";
-        aliases = [ ];
-        realName = "Ingolf Wagner";
-        userName = "ingolf.wagner@gmx.de";
-        passwordCommand =
-          "cat ${toString config.sops.secrets.mail_gmx_ingolf.path }";
-        imap = {
-          host = "imap.gmx.net";
-          tls.enable = true;
-          port = 993;
-        };
-        mbsync = {
-          enable = true;
-          create = "both";
-        };
-        notmuch.enable = true;
-      };
-
-      pali_palo = {
-        primary = false;
-        address = "pali_palo@web.de";
-        aliases = [ ];
-        realName = "Ingolf Wagner";
-        userName = "pali_palo@web.de";
-        passwordCommand =
-          "cat ${toString config.sops.secrets.mail_web.path }";
-        imap = {
-          host = "imap.web.de";
-          tls.enable = true;
-          port = 993;
-        };
-        mbsync = {
-          enable = true;
-          create = "both";
-        };
-        notmuch.enable = true;
-      };
-
-      gmail = {
-        # for google accounts you have to allow 'less secure apps' in accounts.google.com
-        primary = true;
-        address = "palipalo9@googlemail.com";
-        aliases = [ ];
-        realName = "Ingolf Wagner";
-        userName = "palipalo9@googlemail.com";
-        passwordCommand =
-          "cat ${toString config.sops.secrets.mail_gmail.path }";
-        imap = {
-          host = "imap.gmail.com";
-          tls.enable = true;
-          port = 993;
-        };
-        mbsync = {
-          enable = true;
-          create = "both";
-        };
-        notmuch.enable = true;
-      };
-
-      terranix_org = {
-        primary = false;
-        address = "palo@terranix.org";
-        aliases = [ ];
-        realName = "Ingolf Wagner";
-        userName = "palo@terranix.org";
-        passwordCommand = "cat ${toString config.sops.secrets.mail_terranix.path }";
-        imap = {
-          host = "mail.privateemail.com";
-          tls.enable = true;
-          port = 993;
-        };
-        mbsync = {
-          enable = true;
-          create = "both";
-        };
-        notmuch.enable = true;
-      };
-
-      ingolf-wagner-de = {
-        primary = false;
-        address = "contact@ingolf-wagner.de";
-        aliases = [ ];
-        realName = "Ingolf Wagner";
-        userName = "contact@ingolf-wagner.de";
-        passwordCommand =
-          "cat ${toString config.sops.secrets.mail_siteground.path }";
-        imap = {
-          host = "securees5.sgcpanel.com";
-          port = 993;
-          tls.enable = true;
-          #tls.useStartTls = true;
-        };
-        # make sure the upstream mail is deleted
-        getmail = {
-          enable = true;
-          delete = true;
-          readAll = false;
-          mailboxes = [ "ALL" ];
-        };
-        notmuch.enable = true;
-      };
-
-    };
-  };
-
-  home-manager.users.mailUser.home.stateVersion = "22.11";
-
-  # configure mbsync
-  home-manager.users.mailUser.programs.mbsync.enable = true;
-
-  # re-tag everything once a day
-  systemd.services.retagmail = {
-    enable = true;
-    serviceConfig = { User = config.users.users.mailUser.name; };
-    environment.NOTMUCH_CONFIG =
-      "${config.users.users.mailUser.home}/.config/notmuch/notmuchrc";
-    script = "${notmuchTagging}";
-  };
-  systemd.timers.retagmail = {
-    enable = true;
-    timerConfig = {
-      OnCalendar = "daily";
-      Persistent = "true";
-    };
-    wantedBy = [ "multi-user.target" ];
-  };
-
-  # fetch mails every 10 minutes
-  systemd.services.fetchmail =
-    let
-      threadTag = tag: ''
-        echo "tag threads with ${tag}"
-        ${pkgs.notmuch}/bin/notmuch tag +${tag} $(${pkgs.notmuch}/bin/notmuch search --output=threads tag:${tag})
-      '';
-    in
-    {
-      enable = true;
-      serviceConfig = { User = config.users.users.mailUser.name; };
-      environment.NOTMUCH_CONFIG =
-        "${config.users.users.mailUser.home}/.config/notmuch/notmuchrc";
-      script = ''
-        echo "run mbsync"
-        ${pkgs.isync}/bin/mbsync \
-          --all
-        echo "run getmail"
-        ${pkgs.getmail}/bin/getmail \
-          --quiet \
-          --rcfile getmailingolf-wagner-de
-
-        echo "run notmuch"
-        ${pkgs.notmuch}/bin/notmuch new
-        ${notmuchTaggingNew}
-        ${threadTag "muted"}
-        ${threadTag "wohnung"}
-        ${threadTag "flagged"}
-      '';
-    };
-  systemd.timers.fetchmail = {
-    enable = true;
-    # timerConfig.OnCalendar = " *-*-* *:00:00";
-    timerConfig.OnCalendar = "*:0/10";
-    wantedBy = [ "multi-user.target" ];
-  };
-
-  # configure notmuch
-  home-manager.users.mailUser.programs.notmuch = {
-    enable = true;
-    new.tags = [ "unread" "inbox" "new" ];
-  };
-
-}

nixos/machines/orbi/media-nextcloud.nix

@@ -86,14 +86,17 @@ in
     privateNetwork = false;
     autoStart = true;
 
-    config = { config, pkgs, lib, ... }: {
+
+    config = { config, lib, ... }: {
+      nixpkgs.pkgs = pkgs;
+      imports = [ ../../components/monitor/container.nix ];
+      system.stateVersion = "23.11";
 
       # Configuring nameservers for containers is currently broken.
       # Therefore in some cases internet connectivity can be broken inside the containers.
       # A temporary workaround is to manually write the /etc/nixos/resolv.conf file like this:
       #environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
 
-      system.stateVersion = "23.11";
 
       users.users.nextcloud.uid = nextcloudUid;
 

nixos/machines/orbi/media-tdarr.nix

@@ -1,54 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-
-  # https://docs.tdarr.io/docs/installation/docker/run-compose
-  virtualisation.oci-containers = {
-    containers.tdarr = {
-      volumes = [
-        "/media/arr/tdarr/server:/app/server"
-        "/media/arr/tdarr/configs:/app/configs"
-        "/media/arr/tdarr/logs:/app/logs"
-        "/media/arr/tdarr/transcode_cache:/temp"
-        "/media:/media"
-      ];
-      environment = {
-        serverIP = "0.0.0.0";
-        serverPort = "8266";
-        webUIPort = "8265";
-        internalNode = "true";
-        inContainer = "true";
-        nodeName = "robi";
-        TZ = "Europe/Berlin";
-        PUID = toString config.users.users.media.uid;
-        PGID = toString config.users.groups.media.gid;
-      };
-      ports = [
-        "127.0.0.1:8265:8265" # WebUI
-        # "8266:8266" # server port
-      ];
-      image = "ghcr.io/haveagitgat/tdarr:latest"; # Warning: if the tag does not change, the image will not be updated
-      extraOptions = [
-        #"--network=bridge"
-        #"--privileged"
-      ];
-    };
-  };
-
-  #networking.firewall.interfaces.wq0.allowedTCPPorts = [ 8266 ];
-  #networking.firewall.interfaces.wq0.allowedUDPPorts = [ 8266 ];
-
-  #networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 8266 ];
-  #networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 8266 ];
-
-  services.nginx.virtualHosts."tdarr.${config.networking.hostName}.private" = {
-    extraConfig = ''
-      allow ${config.tinc.private.subnet};
-      deny all;
-    '';
-    locations."/" = {
-      proxyPass = "http://localhost:8265";
-      proxyWebsockets = true;
-    };
-  };
-
-}

nixos/machines/orbi/media-transmission2.nix

@@ -23,10 +23,10 @@ in
       };
     };
 
-    config = { config, pkgs, lib, ... }: {
-
+    config = { config, lib, ... }: {
+      nixpkgs.pkgs = pkgs;
+      imports = [ ../../components/monitor/container.nix ];
       system.stateVersion = "21.05";
-      services.journald.extraConfig = "SystemMaxUse=1G";
 
       # allow transmission to write in syncthing folders
       users.groups.syncthing = {

nixos/machines/orbi/media-unmanic.nix

@@ -1,40 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-
-  virtualisation.oci-containers = {
-    containers.unmanic = {
-      volumes = [
-        "/media/arr/unmanic/config:/config"
-        #"/media/arr/unmanic/library:/library"
-        "/media/arr/unmanic/tmp:/tmp/unmanic"
-        "/media:/library"
-      ];
-      environment = {
-        PUID = toString config.users.users.media.uid;
-        PGID = toString config.users.groups.media.gid;
-      };
-      ports = [
-        "127.0.0.1:8889:8888"
-      ];
-      image = "josh5/unmanic:latest";
-    };
-  };
-
-  #networking.firewall.interfaces.wq0.allowedTCPPorts = [ 8266 ];
-  #networking.firewall.interfaces.wq0.allowedUDPPorts = [ 8266 ];
-
-  #networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 8266 ];
-  #networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 8266 ];
-
-  services.nginx.virtualHosts."unmanic.${config.networking.hostName}.private" = {
-    extraConfig = ''
-      allow ${config.tinc.private.subnet};
-      deny all;
-    '';
-    locations."/" = {
-      proxyPass = "http://localhost:8889";
-      proxyWebsockets = true;
-    };
-  };
-
-}

nixos/machines/orbi/mysql.nix

@@ -1,20 +0,0 @@
-{ pkgs, lib, config, ... }: {
-
-  services.mysql = {
-    enable = true;
-    package = pkgs.mysql80;
-    initialScript = pkgs.writeText "initScript" ''
-      CREATE USER 'admin'@'%' IDENTIFIED BY 'admin';
-      GRANT ALL PRIVILEGES ON * . * TO 'admin'@'%';
-    '';
-  };
-
-  services.mysqlBackup = {
-    enable = true;
-    databases = [ "property" ];
-    #user = "admin";
-  };
-
-  backup.dirs = [ config.services.mysqlBackup.location ];
-
-}

nixos/machines/orbi/network-wireguard.nix

@@ -53,6 +53,16 @@
           publicKey = "ZNnlmPdxAGYtaUvOU2V47tcEhcB06LBCXkSxIvWZL2k=";
           allowedIPs = [ "10.100.0.7/32" ];
         }
+        {
+          # ipad
+          publicKey = "E8TJTPQT0jK9vzDrwqX4fIGQtM640gc6qALVTZgmfRo=";
+          allowedIPs = [ "10.100.0.8/32" ];
+        }
+        {
+          # ipad tina
+          publicKey = "aOlfGT2c/4v7U7faLXyCyiCHe8iSAOedblKgbJONxnM=";
+          allowedIPs = [ "10.100.0.9/32" ];
+        }
       ];
     };
   };

nixos/machines/orbi/prometheus.nix

@@ -1,70 +0,0 @@
-{ config, pkgs, lib, ... }: {
-
-  services.nginx = {
-    enable = true;
-    statusPage = true;
-    virtualHosts = {
-      "prometheus.robi.private" = {
-        extraConfig = ''
-          allow ${config.tinc.private.subnet};
-          deny all;
-        '';
-        locations."/" = { proxyPass = "http://localhost:${toString config.services.prometheus.port}"; };
-      };
-    };
-  };
-
-  services.prometheus = {
-    enable = true;
-    # keep data for 30 days
-    extraFlags = [ "--storage.tsdb.retention.time=30d" ];
-
-    exporters = {
-      node = {
-        enable = true;
-        enabledCollectors = [ "systemd" ];
-        port = 9002;
-      };
-    };
-
-    scrapeConfigs = [
-      {
-        job_name = "netdata";
-        metrics_path = "/api/v1/allmetrics";
-        params.format = [ "prometheus" ];
-        scrape_interval = "5s";
-        static_configs = [
-          {
-            targets = [ "localhost:19999" ];
-            labels = {
-              service = "netdata";
-              server = "robi";
-            };
-          }
-        ];
-      }
-      {
-        job_name = "systemd";
-        static_configs = [{
-          targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
-          labels = {
-            service = "node-exporter";
-            server = "robi";
-          };
-        }];
-      }
-      {
-        # see https://www.home-assistant.io/integrations/prometheus/
-        job_name = "telgraf";
-        metrics_path = "/metrics";
-        static_configs = [{
-          targets = [ "localhost:9273" ];
-          labels = {
-            service = "telegraf";
-            server = "robi";
-          };
-        }];
-      }
-    ];
-  };
-}

nixos/machines/orbi/service-forgejo.nix

@@ -9,7 +9,7 @@
         forceSSL = true;
         enableACME = true;
         locations."/" = {
-          proxyPass = "http://localhost:${toString config.services.forgejo.httpPort}";
+          proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
         };
       };
     };
@@ -17,12 +17,10 @@
 
   services.forgejo = {
     enable = true;
-    appName = "git.ingolf-wagner.de";
-    #cookieSecure = true;
-    #disableRegistration = true;
     settings = {
       server.ROOT_URL = "https://git.ingolf-wagner.de/";
       server.DOMAIN = "git.ingolf-wagner.de";
+      DEFAULT.APP_NAME = "git.ingolf-wagner.de";
       service.DISABLE_REGISTRATION = true;
       session.COOKIE_SECURE = true;
       log.LEVEL = "Warn";

nixos/machines/orbi/service-photoprism.nix

@@ -0,0 +1,68 @@
+{ config, pkgs, lib, ... }:
+let
+  mySQLPackage = pkgs.mysql;
+  photoprismPort = 2342;
+  mysqlPort = 3336;
+in
+{
+
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ];
+  # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];
+
+  containers.photoprism = {
+    privateNetwork = false;
+    autoStart = true;
+
+    config = { config, lib, ... }: {
+      nixpkgs.pkgs = pkgs;
+      imports = [ ../../components/monitor/container.nix ];
+      system.stateVersion = "23.11";
+
+      # Photoprism
+      # ----------
+      services.photoprism = {
+        enable = true;
+        port = photoprismPort;
+        originalsPath = "/var/lib/private/photoprism/originals";
+        address = "0.0.0.0";
+        settings = {
+          PHOTOPRISM_ADMIN_USER = "admin";
+          PHOTOPRISM_ADMIN_PASSWORD = "...";
+          PHOTOPRISM_DEFAULT_LOCALE = "en";
+          PHOTOPRISM_DATABASE_DRIVER = "mysql";
+          PHOTOPRISM_DATABASE_NAME = "photoprism";
+          PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
+          PHOTOPRISM_DATABASE_USER = "photoprism";
+          PHOTOPRISM_SITE_URL = "http://photoprism.orbi.private:${toString  photoprismPort}";
+          PHOTOPRISM_SITE_TITLE = "PhotoPrism";
+        };
+      };
+
+      # MySQL Database
+      # --------------
+      services.mysql = {
+        enable = true;
+        package = mySQLPackage;
+        settings.mysqld.port = mysqlPort;
+        ensureDatabases = [ "photoprism" ];
+        ensureUsers = [{
+          name = "photoprism";
+          ensurePermissions = {
+            "photoprism.*" = "ALL PRIVILEGES";
+          };
+        }];
+      };
+
+      # Backup Database
+      # ---------------
+      services.mysqlBackup = {
+        enable = true;
+        databases = config.services.mysql.ensureDatabases;
+        singleTransaction = true;
+      };
+
+    };
+  };
+
+
+}

nixos/machines/orbi/service-vaultwarden.nix

@@ -19,6 +19,9 @@
         forceSSL = true;
         enableACME = true;
         locations."/" = {
+          extraConfig = ''
+            client_max_body_size 500M;
+          '';
           proxyPass = "http://localhost:${
               toString config.services.vaultwarden.config.rocketPort
             }";

nixos/machines/orbi/social-matrix-terranix.nix

@@ -68,7 +68,9 @@ in
       };
     };
 
-    config = { config, pkgs, lib, ... }: {
+    config = { config, lib, ... }: {
+      nixpkgs.pkgs = pkgs;
+      imports = [ ../../components/monitor/container.nix ];
       system.stateVersion = "23.11";
 
       services.postgresql = {

nixos/machines/orbi/sync-opentracker.nix

@@ -1,5 +0,0 @@
-{
-  services.opentracker = {
-    enable = true;
-  };
-}

nixos/machines/orbi/sync-torrent.nix

@@ -1,111 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-  uiPort = 9099;
-  announceIp = "10.23.42.111";
-  peerPort = 51433;
-in
-{
-
-  containers.sync-torrent = {
-
-    # mount host folders
-    bindMounts = {
-      media = {
-        hostPath = "/media/new";
-        mountPoint = "/media"; # must be here otherwise transmission can't see the folder
-        isReadOnly = false;
-      };
-      lib = {
-        hostPath = "/srv/sync-torrent";
-        mountPoint = "/var/lib/transmission";
-        isReadOnly = false;
-      };
-    };
-
-    autoStart = true;
-
-    config = { config, pkgs, lib, ... }: {
-
-      system.stateVersion = "22.11";
-      services.journald.extraConfig = "SystemMaxUse=1G";
-
-      services.transmission = {
-        enable = true;
-        settings = {
-          download-dir = "/media";
-          incomplete-dir = "/var/lib/transmission/incomplete"; # todo put this somewhere with frequent snapshots but low keep.
-          incomplete-dir-enabled = true;
-          message-level = 1;
-          umask = 2;
-          rpc-whitelist-enabled = false;
-          rpc-host-whitelist-enabled = false;
-          rpc-port = uiPort;
-          rpc-enable = true;
-          rpc-bind-address = "0.0.0.0";
-
-          # "normal" speed limits
-          speed-limit-down-enabled = false;
-          speed-limit-down = 800;
-          speed-limit-up-enabled = true;
-          speed-limit-up = 3000;
-          upload-slots-per-torrent = 8;
-          # Queuing
-          # When true, Transmission will only download
-          # download-queue-size non-stalled torrents at once.
-          download-queue-enabled = true;
-          download-queue-size = 3;
-
-          # When true, torrents that have not shared data for
-          # queue-stalled-minutes are treated as 'stalled'
-          # and are not counted against the queue-download-size
-          # and seed-queue-size limits.
-          queue-stalled-enabled = true;
-          queue-stalled-minutes = 60;
-
-          # When true. Transmission will only seed seed-queue-size
-          # non-stalled torrents at once.
-          seed-queue-enabled = false;
-          seed-queue-size = 10;
-
-          # Enable UPnP or NAT-PMP.
-          peer-port = peerPort;
-          port-forwarding-enabled = false;
-          announce-ip = announceIp;
-          announce-ip-enabled = true;
-
-          # Start torrents as soon as they are added
-          start-added-torrents = true;
-
-        };
-      };
-
-    };
-  };
-
-  # open ports for logging
-  #networking.firewall.interfaces."ve-torrent".allowedTCPPorts =
-  #  [ 5044 12304 12305 ];
-  #networking.firewall.interfaces."ve-torrent".allowedUDPPorts =
-  #  [ 5044 12304 12305 ];
-
-  # host nginx setup
-  # ----------------
-  # curl -H "Host: sync.robi.private" https://robi.private/  < will work
-  # curl -H "Host: sync.robi.private" https://144.76.13.147/ < wont work
-  services.nginx = {
-    enable = true;
-    recommendedProxySettings = true;
-    virtualHosts = {
-      "sync.${config.networking.hostName}.private" = {
-        extraConfig = ''
-          allow ${config.tinc.private.subnet};
-          deny all;
-        '';
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString uiPort}";
-        };
-      };
-    };
-  };
-
-}

nixos/machines/orbi/telegraf.nix

@@ -1,28 +0,0 @@
-{
-  services.telegraf = {
-    enable = true;
-    extraConfig = {
-      outputs.prometheus_client = {
-        listen = ":9273";
-        metric_version = 2;
-      };
-      # https://github.com/influxdata/telegraf/tree/master/plugins/inputs < all them plugins
-      inputs = {
-        cpu = {
-          percpu = true;
-          totalcpu = true;
-        };
-        disk = { };
-        diskio = { };
-        kernel = { };
-        mem = { };
-        processes = { };
-        netstat = { };
-        net = { };
-        system = { };
-        systemd_units = { };
-        nginx.urls = [ "http://localhost/nginx_status" ];
-      };
-    };
-  };
-}

nixos/machines/orbi/webhook-ring.nix

@@ -1,45 +0,0 @@
-{ config, pkgs, ... }:
-# To create a sign at the door
-# "Sorry Doorbell is broken, please scan this QR Code
-#
-# create QR Code with:
-# qrencode -o ./test.png http://ring.ingolf-wagner.de
-#
-# for secure urls check
-# https://www.nginx.com/blog/securing-urls-secure-link-module-nginx-plus/
-{
-
-  sops.secrets.ringPushover = {
-    owner = config.services.webhook.user;
-  };
-
-  services.webhook = {
-    enable = true;
-    hooks = {
-      ring = {
-        execute-command =
-          let
-            script = pkgs.writers.writeBash "ring-script" ''
-              . ${config.sops.secrets.ringPushover.path}
-              ${pkgs.curl}/bin/curl -s \
-                --form-string "token=$API_KEY" \
-                --form-string "user=$USER_KEY" \
-                --form-string "title=Klingeling" \
-                --form-string "message=Jemand an der Tür" \
-                https://api.pushover.net/1/messages.json
-            '';
-          in
-          toString script;
-        response-message = "It's ringing";
-      };
-    };
-  };
-
-  services.nginx.virtualHosts."ring.ingolf-wagner.de" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://localhost:${toString config.services.webhook.port}/${config.services.webhook.urlPrefix}/ring";
-    };
-  };
-}

nixos/machines/orbi/weechat.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-# how to setup a relay
-# * ssh on the maching
-# * sudo -u weechat screen -r
-# /set relay.network.password "mypassword"
-# /relay add weechat 10000
-
-{
-
-  # configure weechat
-  services.weechat = { enable = true; };
-
-  # configure bitlbee
-  services.bitlbee = {
-    enable = true;
-    libpurple_plugins = [
-      #pkgs.pidgin-otr
-      #pkgs.purple-facebook
-      #pkgs.purple-discord
-      #pkgs.purple-matrix
-      #pkgs.purple-hangouts
-      #pkgs.pidgin-latex
-      #pkgs.pidgin-opensteamworks
-      #pkgs.pidgin-skypeweb
-      pkgs.telegram-purple
-      #pkgs.purple-lurch
-    ];
-    plugins =
-      [ pkgs.bitlbee-facebook pkgs.bitlbee-steam pkgs.bitlbee-mastodon ];
-  };
-
-  # otherwise xterm is the only thing that works
-  environment.systemPackages = [ pkgs.rxvt_unicode ];
-
-  backup.dirs = [ config.services.weechat.root ];
-
-}