Add comments to DNS config

switch to EU DNS servers
Update systems/LoutreOS/web.nix
2025-02-20 15:34:20 +01:00 · 2025-02-20 15:29:38 +01:00 · 2025-02-20 15:13:58 +01:00 · 2025-02-17 15:33:11 +01:00 · 2025-01-08 22:24:19 +01:00 · 2025-01-07 16:42:37 +01:00
21 changed files with 930 additions and 1465 deletions
--- a/flake.lock
+++ b/flake.lock
@ -23,11 +23,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1635873573,
-        "narHash": "sha256-KcrFb8HSNcVTtYNXoUwZxW531cQn6T3YBU6Goo5G9mo=",
+        "lastModified": 1730148450,
+        "narHash": "sha256-CSxPIeDqavQ3fJhshuNs0oS84P1p87BsbNoashKlrKg=",
        "owner": "nyanloutre",
        "repo": "dogetipbot-telegram",
-        "rev": "e781adbbeda8aa0cbaef47558fc28f9e1dd162fb",
+        "rev": "667e318212920005917792b06e0f480b421fa6d3",
        "type": "gitlab"
      },
      "original": {
@ -37,18 +37,19 @@
        "type": "gitlab"
      }
    },
-    "flake-utils": {
+    "flake-compat": {
+      "flake": false,
      "locked": {
-        "lastModified": 1638122382,
-        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "edolstra",
+        "repo": "flake-compat",
        "type": "github"
      }
    },
@ -75,41 +76,42 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1655096306,
-        "narHash": "sha256-3B3zBaQVLL956deZgmucouvkZroObQ4JKHzbIfFS9/c=",
+        "lastModified": 1739624908,
+        "narHash": "sha256-f84lBmLl4tkDp1ZU5LBTSFzlxXP4926DVW3KnXrke10=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a119e218ad27bea32057a3463e3694a61c9e3802",
+        "rev": "a60651b217d2e529729cbc7d989c19f3941b9250",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-22.05",
+        "ref": "nixos-24.11",
        "type": "indirect"
      }
    },
-    "nixpkgs-21_05": {
+    "nixpkgs-4a3fc4cf7": {
      "locked": {
-        "lastModified": 1625692408,
-        "narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=",
-        "owner": "NixOS",
+        "lastModified": 1716914467,
+        "narHash": "sha256-KkT6YM/yNQqirtYj/frn6RRakliB8RDvGqVGGaNhdcU=",
+        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c06613c25df3fe1dd26243847a3c105cf6770627",
+        "rev": "4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-21.05",
-        "type": "indirect"
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4",
+        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1655043425,
-        "narHash": "sha256-A+oT+aQGhW5lXy8H0cqBLsYtgcnT5glmGOXWQDcGw6I=",
+        "lastModified": 1739736696,
+        "narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "914ef51ffa88d9b386c71bdc88bffc5273c08ada",
+        "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f",
        "type": "github"
      },
      "original": {
@ -123,71 +125,36 @@
        "dogetipbot-telegram": "dogetipbot-telegram",
        "ipmihddtemp": "ipmihddtemp",
        "nixpkgs": "nixpkgs",
+        "nixpkgs-4a3fc4cf7": "nixpkgs-4a3fc4cf7",
        "nixpkgs-unstable": "nixpkgs-unstable",
-        "simple-nixos-mailserver": "simple-nixos-mailserver",
-        "utils": "utils_2"
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
      }
    },
    "simple-nixos-mailserver": {
      "inputs": {
        "blobs": "blobs",
+        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
-        "nixpkgs-21_05": "nixpkgs-21_05",
-        "nixpkgs-21_11": [
+        "nixpkgs-24_11": [
          "nixpkgs"
-        ],
-        "utils": "utils"
+        ]
      },
      "locked": {
-        "lastModified": 1638911354,
-        "narHash": "sha256-hNhzLOp+dApEY15vwLAQZu+sjEQbJcOXCaSfAT6lpsQ=",
+        "lastModified": 1734884447,
+        "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "6e3a7b2ea6f0d68b82027b988aa25d3423787303",
+        "rev": "63209b1def2c9fc891ad271f474a3464a5833294",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
-        "ref": "nixos-21.11",
+        "ref": "nixos-24.11",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
-    },
-    "utils": {
-      "locked": {
-        "lastModified": 1605370193,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "utils_2": {
-      "inputs": {
-        "flake-utils": "flake-utils"
-      },
-      "locked": {
-        "lastModified": 1638172912,
-        "narHash": "sha256-jxhQGNEsZTdop/Br3JPS+xmBf6t9cIWRzVZFxbT76Rw=",
-        "owner": "gytis-ivaskevicius",
-        "repo": "flake-utils-plus",
-        "rev": "166d6ebd9f0de03afc98060ac92cba9c71cfe550",
-        "type": "github"
-      },
-      "original": {
-        "owner": "gytis-ivaskevicius",
-        "ref": "v1.3.1",
-        "repo": "flake-utils-plus",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -1,13 +1,14 @@
 {
  inputs = {
-    nixpkgs.url = "flake:nixpkgs/nixos-22.05";
+    nixpkgs.url = "flake:nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "flake:nixpkgs/nixos-unstable";
-    utils.url = "github:gytis-ivaskevicius/flake-utils-plus/v1.3.1";
+    # transmission 4.0.5 downgrade to fix tracker bug
+    nixpkgs-4a3fc4cf7.url = "github:nixos/nixpkgs/4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4";
    simple-nixos-mailserver = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.11";
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
      inputs = {
        nixpkgs.follows = "nixpkgs-unstable";
-        nixpkgs-21_11.follows = "nixpkgs";
+        nixpkgs-24_11.follows = "nixpkgs";
      };
    };
    dogetipbot-telegram = {
@ -20,34 +21,90 @@
    };
  };

-  outputs = inputs@{ self, utils, nixpkgs, nixpkgs-unstable, simple-nixos-mailserver, dogetipbot-telegram, ipmihddtemp }: utils.lib.mkFlake {
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-unstable,
+    nixpkgs-4a3fc4cf7,
+    simple-nixos-mailserver,
+    dogetipbot-telegram,
+    ipmihddtemp
+  }@inputs: {

-    inherit self inputs;
+    packages.x86_64-linux = (import ./pkgs nixpkgs.legacyPackages.x86_64-linux);

-    supportedSystems = [ "x86_64-linux" ];
-
-    hostDefaults.modules = [
-      nixpkgs.nixosModules.notDetected
-      {
-        nix.generateRegistryFromInputs = true;
-        nix.linkInputs = true;
-        nix.generateNixPathFromInputs = true;
-      }
-    ];
-
-    hosts.loutreos.modules = [
-      simple-nixos-mailserver.nixosModule
-      dogetipbot-telegram.nixosModule
-      ipmihddtemp.nixosModule
-      ./systems/LoutreOS/configuration.nix
-    ];
-
-    hosts.paul-fixe = {
-      channelName = "nixpkgs-unstable";
+    nixosConfigurations.paul-fixe = nixpkgs-unstable.lib.nixosSystem {
+      system = "x86_64-linux";
      modules = [
+        nixpkgs-unstable.nixosModules.notDetected
+        {
+          nixpkgs.config.allowUnfree = true;
+          nix = {
+            settings.experimental-features = [ "nix-command" "flakes" ];
+            registry = {
+              nixpkgs.to = {
+                type = "path";
+                path = nixpkgs-unstable.legacyPackages.x86_64-linux.path;
+              };
+            };
+          };
+        }
        ./systems/PC-Fixe/configuration.nix
      ];
    };
+
+    nixosConfigurations.loutreos = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      specialArgs = {
+        inputs = inputs;
+        pkgs-unstable = import nixpkgs-unstable {
+          inherit system;
+          config.permittedInsecurePackages = [
+            "aspnetcore-runtime-6.0.36"
+            "aspnetcore-runtime-wrapped-6.0.36"
+            "dotnet-sdk-6.0.428"
+            "dotnet-sdk-wrapped-6.0.428"
+          ];
+        };
+        pkgs-4a3fc4cf7 = import nixpkgs-4a3fc4cf7 {
+          inherit system;
+        };
+      };
+      modules = [
+        nixpkgs-unstable.nixosModules.notDetected
+        simple-nixos-mailserver.nixosModule
+        dogetipbot-telegram.nixosModule
+        ipmihddtemp.nixosModule
+        {
+          nix = {
+            settings.experimental-features = [ "nix-command" "flakes" ];
+            registry = {
+              nixpkgs.to = {
+                type = "path";
+                path = nixpkgs.legacyPackages.x86_64-linux.path;
+              };
+            };
+          };
+          systemd.services.watcharr = {
+            description = "Watcharr";
+            after = [ "network.target" ];
+            environment = {
+              PORT = "3005";
+              WATCHARR_DATA = "/var/lib/watcharr";
+            };
+            serviceConfig = {
+              DynamicUser = true;
+              StateDirectory = "watcharr";
+              ExecStart = "${self.packages.x86_64-linux.watcharr}/bin/Watcharr";
+              PrivateTmp = true;
+            };
+            wantedBy = [ "multi-user.target" ];
+          };
+        }
+        ./systems/LoutreOS/configuration.nix
+      ];
+    };
+
  };
 }

--- a/overlays/riot-web.nix
+++ b/overlays/riot-web.nix
@ -1,15 +0,0 @@
-self: super:
-{
-  riot-web = super.riot-web.override {
-    conf = {
-      default_hs_url = "https://matrix.nyanlout.re";
-      default_is_url = "https://vector.im";
-      brand = "Nyanloutre";
-      default_theme = "dark";
-      integrations_ui_url = "https://dimension.t2bot.io/riot";
-      integrations_rest_url = "https://dimension.t2bot.io/api/v1/scalar";
-      integrations_widgets_urls = ["https://dimension.t2bot.io/widgets"];
-      integrations_jitsi_widget_url = "https://dimension.t2bot.io/widgets/jitsi";
-    };
-  };
-} 
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -0,0 +1,3 @@
+pkgs: {
+  watcharr = pkgs.callPackage ./watcharr { };
+}
--- a/pkgs/watcharr/default.nix
+++ b/pkgs/watcharr/default.nix
@ -0,0 +1,64 @@
+{ lib
+, pkgs
+, buildGoModule
+, fetchFromGitHub
+, buildNpmPackage
+, nixosTests
+, caddy
+, testers
+, installShellFiles
+, stdenv
+}:
+
+let
+  version = "1.41.0";
+  src = fetchFromGitHub {
+    owner = "sbondCo";
+    repo = "Watcharr";
+    rev = "v${version}";
+    hash = "sha256-ZvCxgfZZ9pbp+NvH+IhWphJWnAwgAH0x/REPd/XxJ70=";
+  };
+
+  frontend = buildNpmPackage {
+    pname = "watcharr-ui";
+    inherit version src;
+    npmDepsHash = "sha256-73paI0y4QyzkEnU99f1HeLD/hW8GP3F9N8tGGQnloH8=";
+
+    installPhase = ''
+      cp -r build $out
+      cp package.json package-lock.json $out
+      cd $out && npm ci --omit=dev
+    '';
+  };
+in
+buildGoModule {
+  pname = "watcharr";
+  inherit version;
+
+  src = src + "/server";
+
+  vendorHash = "sha256-86pFpS8ZSj+c7vwn0QCwzXlvVYJIf3SBj4X81zlwBWQ=";
+
+  # Inject frontend assets into go embed
+  prePatch = ''
+    # rm -rf ui
+    # ln -s ${frontend} ui
+    substituteInPlace watcharr.go \
+        --replace-fail ui/index.js ${frontend}/index.js \
+        --replace-fail \"127.0.0.1:3000\" "\"127.0.0.1:\"+os.Getenv(\"PORT\")"
+  '';
+
+  buildInputs = [ pkgs.makeWrapper ];
+
+  postFixup = ''
+    wrapProgram "$out/bin/Watcharr" --prefix PATH : "${lib.makeBinPath [ pkgs.nodejs ]}"
+  '';
+
+  meta = with lib; {
+    homepage = "https://watcharr.app/";
+    description = "Open source, self-hostable watched list for all your content with user authentication, modern and clean UI and a very simple setup";
+    license = licenses.asl20;
+    # mainProgram = "caddy";
+    maintainers = with maintainers; [ nyanloutre ];
+  };
+}
--- a/services/python-ci.nix
+++ b/services/python-ci.nix
@ -1,49 +0,0 @@
-{lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.python-ci;
-in
-{
-  options.services.python-ci = {
-    enable = mkEnableOption "Service de CI Nix écrit en Python";
-  };
-
-  config = mkIf cfg.enable {
-
-    users.users = {
-      python-ci = {
-        isSystemUser = true;
-        group = "nogroup";
-        description = "Python CI user";
-      };
-    };
-
-    systemd.services.python-ci = {
-      description = "CI Nix en Python";
-      requires = ["network-online.target"];
-      wantedBy = ["multi-user.target"];
-      environment = { HOME = "/var/lib/python-ci"; NIX_PATH = concatStringsSep ":" config.nix.nixPath; NIXPKGS_ALLOW_UNFREE = "1";};
-      path = with pkgs;[ nix gnutar gzip ];
-      serviceConfig = {
-        User = "python-ci";
-        StateDirectory = "python-ci";
-        RuntimeDirectory = "python-ci";
-        RuntimeDirectoryPreserve = "yes";
-        ExecStart = with pkgs;
-        let env = python3Packages.python.buildEnv.override {
-          extraLibs = with python3Packages;[ pyramid python-gitlab ];
-          ignoreCollisions = true;
-        };
-        in "${pkgs.writeShellScriptBin "run.sh" ''
-          ${env}/bin/python ${pkgs.writeScript "python-ci.py" "${readFile ./python-ci.py}"} --port 52350 \
-              --secret /var/lib/python-ci/secret --gitlab-token /var/lib/python-ci/gitlab_token \
-              --gitea-token /var/lib/python-ci/gitea_token --output /run/python-ci
-        ''}/bin/run.sh";
-      };
-    };
-
-  };
-
-}
--- a/services/python-ci.py
+++ b/services/python-ci.py
@ -1,168 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i python3 -p "python3.withPackages(ps: [ps.pyramid ps.python-gitlab])"
-from wsgiref.simple_server import make_server
-from pyramid.config import Configurator
-from pyramid.view import view_config, view_defaults
-from pyramid.httpexceptions import HTTPNotFound
-from subprocess import check_call, CalledProcessError
-import urllib.request
-import tarfile
-from tempfile import TemporaryDirectory
-from multiprocessing import Pool
-from gitlab import Gitlab
-import urllib.request
-import json
-import argparse
-import hmac
-import hashlib
-
-
-def gitlab_build(payload, gl):
-    commit = gl.projects.get(payload['project']['path_with_namespace']).commits.get(payload['checkout_sha'])
-
-    commit.statuses.create({'state': 'running', 'name': 'Python CI'})
-    print("push from " + payload['user_name'])
-    print("repo: " + payload['project']['path_with_namespace'])
-    print("commit: " + payload['checkout_sha'])
-    temp_dir = TemporaryDirectory()
-    repo_dir = temp_dir.name + '/' + payload['project']['name'] + '-' + payload['checkout_sha']
-    archive_url = payload['project']['web_url'] + '/-/archive/' + payload['checkout_sha'] + \
-                  '/' + payload['project']['name'] + '-' + payload['checkout_sha'] + '.tar.gz'
-
-    with urllib.request.urlopen(archive_url) as gitlab_archive:
-        with tarfile.open(fileobj=gitlab_archive, mode='r|gz') as gitlab_repo_files:
-            gitlab_repo_files.extractall(path=temp_dir.name)
-
-    check_call(['ls', '-lha', repo_dir])
-
-    try:
-        check_call(['nix-build', '-o', args.output + '/' + payload['project']['path_with_namespace'], repo_dir])
-    except CalledProcessError:
-        commit.statuses.create({'state': 'failed', 'name': 'Python CI'})
-        print("erreur build")
-    else:
-        commit.statuses.create({'state': 'success', 'name': 'Python CI'})
-        print("build terminé")
-
-
-@view_defaults(
-        route_name="gitlab_payload", renderer="json", request_method="POST"
-)
-class GitlabHook(object):
-
-    def __init__(self, request):
-        self.request = request
-        self.payload = self.request.json
-        self.whitelist = ['nyanloutre/site-musique']
-        self.secret = open(args.secret, 'r').readline().splitlines()[0]
-        self.gitlab_token = open(args.gitlab_token, 'r').readline().splitlines()[0]
-        self.gl = Gitlab('https://gitlab.com', private_token=self.gitlab_token)
-
-    @view_config(header="X-Gitlab-Event:Push Hook")
-    def push_hook(self):
-        if self.payload['project']['path_with_namespace'] in self.whitelist and self.request.headers['X-Gitlab-Token'] == self.secret:
-            self.gl.projects.get(self.payload['project']['path_with_namespace']).commits.get(self.payload['checkout_sha']).statuses.create({'state': 'pending', 'name': 'Python CI'})
-            pool.apply_async(gitlab_build, (self.payload, self.gl))
-            return "build started"
-        else:
-            raise HTTPNotFound
-
-
-def gitea_status_update(repo, commit, token, status):
-    url = 'https://gitea.nyanlout.re/api/v1/repos/' + repo + '/statuses/' + commit
-    print(url)
-    req = urllib.request.Request(url)
-    req.add_header('Content-Type', 'application/json; charset=utf-8')
-    req.add_header('accept', 'application/json')
-    req.add_header('Authorization', 'token ' + token)
-
-    jsondata = json.dumps({'state': status}).encode('utf-8')
-    req.add_header('Content-Length', len(jsondata))
-
-    urllib.request.urlopen(req, jsondata)
-
-def gitea_build(payload, token):
-    commit = payload['after']
-    repo = payload['repository']['full_name']
-
-    gitea_status_update(repo, commit, token, 'pending')
-
-    print("push from " + payload['pusher']['username'])
-    print("repo: " + repo)
-    print("commit: " + commit)
-    temp_dir = TemporaryDirectory()
-    repo_dir = temp_dir.name + '/' + payload['repository']['name']
-    archive_url = payload['repository']['html_url'] + '/archive/' + commit + '.tar.gz'
-
-    with urllib.request.urlopen(archive_url) as gitea_archive:
-        with tarfile.open(fileobj=gitea_archive, mode='r|gz') as gitea_repo_files:
-            gitea_repo_files.extractall(path=temp_dir.name)
-
-    check_call(['ls', '-lha', repo_dir])
-
-    try:
-        check_call(['nix-build', '-o', args.output + '/' + repo, repo_dir])
-    except CalledProcessError:
-        gitea_status_update(repo, commit, token, 'failure')
-        print("erreur build")
-    else:
-        gitea_status_update(repo, commit, token, 'success')
-        print("build terminé")
-
-
-@view_defaults(
-        route_name="gitea_payload", renderer="json", request_method="POST"
-)
-class GiteaHook(object):
-    def __init__(self, request):
-        self.payload = request.json
-        self.whitelist = ['nyanloutre/site-musique', 'nyanloutre/site-max']
-        self.gitea_token = open(args.gitea_token, 'r').readline().strip()
-
-    @view_config(header=["X-Gitea-Event:push", "X-Gitea-Signature"], check_hmac=True)
-    def push_hook(self):
-        if self.payload['repository']['full_name'] in self.whitelist:
-            pool.apply_async(gitea_build, (self.payload, self.gitea_token))
-            return "build started"
-        else:
-            raise HTTPNotFound
-
-
-class CheckHmacPredicate(object):
-    def __init__(self, val, info):
-        self.secret = open(args.secret, 'r').readline().strip().encode()
-
-    def text(self):
-        return 'HMAC checking enabled'
-
-    phash = text
-
-    def __call__(self, context, request):
-        payload_signature = hmac.new(self.secret, request.body, hashlib.sha256).hexdigest()
-        return hmac.compare_digest(request.headers["X-Gitea-Signature"], payload_signature)
-
-if __name__ == "__main__":
-    parser = argparse.ArgumentParser(description='CI server')
-    parser.add_argument('--address', help='listening address', default='127.0.0.1')
-    parser.add_argument('--port', type=int, help='listening port')
-    parser.add_argument('--output', help='output directory')
-    parser.add_argument('--secret', help='repo secret file')
-    parser.add_argument('--gitlab-token', help='gitlab token file')
-    parser.add_argument('--gitea-token', help='gitea token file')
-    args = parser.parse_args()
-
-
-    pool = Pool(1)
-
-    config = Configurator()
-
-    config.add_view_predicate('check_hmac', CheckHmacPredicate)
-
-    config.add_route("gitlab_payload", "/gitlab_payload")
-    config.add_route("gitea_payload", "/gitea_payload")
-    config.scan()
-
-    app = config.make_wsgi_app()
-    server = make_server(args.address, args.port, app)
-    print('listening ...')
-    server.serve_forever()
--- a/services/sdtdserver.nix
+++ b/services/sdtdserver.nix
@ -1,120 +0,0 @@
-{lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.sdtdserver;
-  gamePath = "/var/lib/sdtdserver";
-  gameOptions = {
-    ServerPort="26900";
-    ServerVisibility="2";
-    ServerName="Serveur des loutres";
-    ServerPassword="";
-    ServerMaxPlayerCount="16";
-    ServerReservedSlots="0";
-    ServerReservedSlotsPermission="100";
-    ServerAdminSlots="0";
-    ServerAdminSlotsPermission="0";
-    ServerDescription="Un serveur idiot anti gilets jaunes";
-    ServerWebsiteURL="";
-    ServerDisabledNetworkProtocols="";
-    GameWorld="Navezgane";
-    WorldGenSeed="Lakeu";
-    WorldGenSize="4096";
-    GameName="Lakeu";
-    GameDifficulty="2";
-    GameMode="GameModeSurvival";
-    ZombiesRun="0";
-    ZombieMove="0";
-    ZombieMoveNight="3";
-    ZombieFeralMove="3";
-    ZombieBMMove="3";
-    BuildCreate="false";
-    DayNightLength="60";
-    DayLightLength="18";
-    PlayerKillingMode="3";
-    PersistentPlayerProfiles="false";
-    PlayerSafeZoneLevel="5";
-    PlayerSafeZoneHours="5";
-    ControlPanelEnabled="false";
-    ControlPanelPort="8080";
-    ControlPanelPassword="CHANGEME";
-    TelnetEnabled="false";
-    TelnetPort="8081";
-    TelnetPassword="";
-    TelnetFailedLoginLimit="10";
-    TelnetFailedLoginsBlocktime="10";
-    TerminalWindowEnabled="false";
-    AdminFileName="serveradmin.xml";
-    DropOnDeath="0";
-    DropOnQuit="0";
-    BloodMoonEnemyCount="8";
-    EnemySpawnMode="true";
-    EnemyDifficulty="0";
-    BlockDurabilityModifier="100";
-    LootAbundance="100";
-    LootRespawnDays="30";
-    LandClaimSize="41";
-    LandClaimDeadZone="30";
-    LandClaimExpiryTime="3";
-    LandClaimDecayMode="0";
-    LandClaimOnlineDurabilityModifier="4";
-    LandClaimOfflineDurabilityModifier="4";
-    PartySharedKillRange="100";
-    AirDropFrequency="72";
-    AirDropMarker="false";
-    MaxSpawnedZombies="60";
-    MaxSpawnedAnimals="50";
-    EACEnabled="true";
-    HideCommandExecutionLog="0";
-    MaxUncoveredMapChunksPerPlayer="131072";
-    BedrollDeadZoneSize="15";
-    ServerLoginConfirmationText="Prout";
-  };
-  gameConfig = builtins.toFile "serverconfig.xml" ''
-    <?xml version="1.0"?>
-    <ServerSettings>
-    ${concatStrings (
-      mapAttrsToList (name: value:
-       "  <property name=\"${name}\"	value=\"${value}\"/>\n"
-    ) gameOptions)}
-    </ServerSettings>
-  '';
-in
-{
-  options.services.sdtdserver = {
-    enable = mkEnableOption "Activation du serveur dédié 7 Days to Die";
-  };
-
-  config = mkIf cfg.enable {
-
-    systemd.services.sdtdserver = {
-      description = "Serveur dédié 7 Days to Die";
-      requires = ["network-online.target"];
-      wantedBy = ["multi-user.target"];
-      environment = { HOME = gamePath; };
-      serviceConfig = {
-        DynamicUser = true;
-        StateDirectory = "sdtdserver";
-      };
-      preStart = let
-        libPath = with pkgs; lib.makeLibraryPath [
-          stdenv.cc.cc.lib
-        ];
-      in ''
-        ${pkgs.steamcmd}/bin/steamcmd +login anonymous +force_install_dir ${gamePath} +app_update 294420 validate +quit
-        install -m666 ${gameConfig} ${gamePath}/serverconfig.xml
-      '';
-      script = ''
-        ${pkgs.steam-run}/bin/steam-run ${gamePath}/7DaysToDieServer.x86_64 -quit -batchmode -nographics -dedicated -configfile=serverconfig.xml
-      '';
-    };
-
-    networking.firewall = {
-      allowedTCPPorts = [ 26900 ];
-      allowedUDPPorts = [ 26900 26901 26902 ];
-    };
-
-  };
-
-}
--- a/systems/LoutreOS/config-overviewer.py
+++ b/systems/LoutreOS/config-overviewer.py
@ -1,47 +0,0 @@
-from .observer import MultiplexingObserver, LoggingObserver, JSObserver
-
-global escape
-from cgi import escape
-def signFilter(poi):
-    if poi['id'] == 'Sign' or poi['id'] == 'minecraft:sign':
-        return "<pre>" + "\n".join(map(escape, [poi['Text1'], poi['Text2'], poi['Text3'], poi['Text4']])) + "</pre>"
-
-global json
-import json
-def petFilter(poi):
-    if "CustomName" in poi:
-        custom_name = json.loads(poi['CustomName'])
-        if "text" in custom_name:
-            return custom_name["text"]
-
-def playerIcons(poi):
-    if poi['id'] == 'Player':
-        poi['icon'] = "https://overviewer.org/avatar/%s" % poi['EntityId']
-        return "Last known location for %s" % poi['EntityId']
-
-processes = 2
-
-worlds["My world"] = "/var/lib/minecraft/world"
-
-renders["Vue normale"] = {
-    "world": "My world",
-    "title": "Vue normale",
-    "texturepath": "@CLIENT_JAR@",
-    "rendermode": smooth_lighting,
-    'markers': [dict(name="All signs", filterFunction=signFilter),
-                dict(name="Pets", filterFunction=petFilter, icon="icons/marker_cat.png", createInfoWindow=False, checked=True),
-                dict(name="Position joueurs", filterFunction=playerIcons),],
-}
-
-cave_rendermode = [Base(), EdgeLines(), Cave(only_lit=True), DepthTinting()]
-
-renders["Grottes"] = {
-    "world": "My world",
-    "title": "Grottes",
-    "texturepath": "@CLIENT_JAR@",
-    "rendermode": cave_rendermode,
-}
-
-outputdir = "/var/www/minecraft-overviewer"
-
-observer = MultiplexingObserver(LoggingObserver(), JSObserver(outputdir))
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@ -1,18 +1,15 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:

 {
  imports = [
    ../common-cli.nix
    ./hardware-configuration.nix
+    ./network.nix
    ./users.nix
    ./services.nix
  ];

-  nix.trustedUsers = [ "root" "paul" ];
+  nix.settings.trusted-users = [ "root" "paul" ];

  boot = {
    loader = {
@ -22,144 +19,29 @@

    supportedFilesystems = [ "zfs" ];

-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
+
+    # Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported
+    enableContainers = false;
  };

  documentation.nixos.enable = false;

-  nixpkgs.config.allowUnfree = false;
-  nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem pkg.pname or (builtins.parseDrvName pkg.name).name [ "factorio-headless" "perl5.32.1-slimserver" "minecraft-server" ]);
-
  services.zfs = {
    autoSnapshot.enable = true;
-    autoScrub.enable = true;
-  };
-
-  hardware.usbWwan.enable = true;
-
-  # eno1 -> VLAN100 -> Internet
-  # eno2 -> LAN
-  # eno3 -> Legacy client DHCP
-  # eno4 -> Pas utilisé
-
-  networking = {
-    hostName = "loutreos"; # Define your hostname.
-    hostId = "7e66e347";
-
-    useNetworkd = true;
-    useDHCP = false;
-
-    vlans = {
-      bouygues = {
-        id = 100;
-        interface = "eno1";
-      };
-      chinoiseries = {
-        id = 20;
-        interface = "eno2";
-      };
-    };
-
-    interfaces = {
-      bouygues = {
-        # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
-        macAddress = "E8:AD:A6:21:73:68";
-        useDHCP = true;
-      };
-      eno2 = {
-        ipv4.addresses = [
-          { address = "10.30.0.1"; prefixLength = 16; }
-        ];
-      };
-      chinoiseries = {
-        ipv4.addresses = [
-          { address = "10.40.0.1"; prefixLength = 16; }
-        ];
-      };
-      enp0s21u2.useDHCP = true;
-    };
-
-    # NAT bouygues <-> eno2
-    nat = {
-      enable = true;
-      externalInterface = "bouygues";
-      # Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE
-      # externalIP = "0.0.0.0";
-      internalIPs = [ "10.30.0.0/16" "10.40.0.0/16" ];
-      internalInterfaces = [ "eno2" "chinoiseries" ];
-      forwardPorts = [
-        { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
-        { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
-      ];
-    };
-
-    firewall = {
-      allowedTCPPorts = [ 80 443 ];
-      allowedUDPPorts = [ ];
-      interfaces.eno2 = {
-        allowedTCPPorts = [
-          111 2049 4000 4001 4002 # NFS
-          3483 9000 9090 # Slimserver
-          1935 # RTMP
-        ];
-        allowedUDPPorts = [
-          111 2049 4000 4001 4002 # NFS
-          3483 # Slimserver
-        ];
-      };
+    autoScrub = {
      enable = true;
+      interval = "monthly";
    };
  };

-  systemd.network.networks = {
-    "40-bouygues" = {
-      dhcpV4Config.RouteMetric = 1;
-      networkConfig.KeepConfiguration = "dhcp-on-stop";
-    };
-    "40-enp0s21u2".dhcpV4Config.RouteMetric = 1024;
-  };
-
-  services.dhcpd4 = {
-    enable = true;
-    interfaces = [ "eno2" "chinoiseries" ];
-    machines = [
-      { ethernetAddress = "50:c7:bf:b6:b8:ef"; hostName = "HS110"; ipAddress = "10.30.50.7"; }
-      { ethernetAddress = "ac:1f:6b:4b:01:15"; hostName = "IPMI"; ipAddress = "10.30.1.1"; }
-      { ethernetAddress = "b4:2e:99:ed:24:26"; hostName = "paul-fixe"; ipAddress = "10.30.50.1"; }
-
-      #ESPHome
-      { ethernetAddress = "e0:98:06:85:e9:ce"; hostName = "salonled"; ipAddress = "10.30.40.1"; }
-      { ethernetAddress = "e0:98:06:86:38:fc"; hostName = "bureauled"; ipAddress = "10.30.40.2"; }
-      { ethernetAddress = "50:02:91:78:be:be"; hostName = "guirlande"; ipAddress = "10.30.40.3"; }
-
-      # YeeLights
-      { ethernetAddress = "04:cf:8c:b5:7e:18"; hostName = "yeelink-light-color3_miap7e18"; ipAddress = "10.40.249.0"; }
-      { ethernetAddress = "04:cf:8c:b5:2d:28"; hostName = "yeelink-light-color3_miap2d28"; ipAddress = "10.40.249.1"; }
-      { ethernetAddress = "04:cf:8c:b5:71:04"; hostName = "yeelink-light-color3_miap7104"; ipAddress = "10.40.249.2"; }
-    ];
-    extraConfig = ''
-      option domain-name-servers 89.234.141.66, 80.67.169.12, 80.67.169.40;
-      option subnet-mask 255.255.0.0;
-      subnet 10.30.0.0 netmask 255.255.0.0 {
-        option routers 10.30.0.1;
-        range 10.30.100.0 10.30.200.0;
-      }
-      subnet 10.40.0.0 netmask 255.255.0.0 {
-        option routers 10.40.0.1;
-        range 10.40.100.0 10.40.200.0;
-      }
-    '';
-  };
-
-  nixpkgs.overlays = [
-    (import ../../overlays/riot-web.nix)
-  ];
-
  services.openssh = {
    enable = true;
-    permitRootLogin = "no";
-    passwordAuthentication = false;
-    forwardX11 = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      X11Forwarding = true;
+    };
  };

  users = {
@ -172,8 +54,6 @@
    };
  };

-  services.autossh.sessions = [ { extraArguments = "-N -R 0.0.0.0:2222:127.0.0.1:22 loutre@vps772619.ovh.net"; monitoringPort = 20000; name = "backup-ssh-reverse"; user = "autossh"; } ];
-
  virtualisation.podman.enable = true;

  security.sudo.wheelNeedsPassword = false;
--- a/systems/LoutreOS/hardware-configuration.nix
+++ b/systems/LoutreOS/hardware-configuration.nix
@ -123,10 +123,10 @@
      fsType = "zfs";
    };

-  fileSystems."/mnt/backup" =
-    { device = "backup";
-      fsType = "zfs";
-    };
+  # fileSystems."/mnt/backup" =
+  #   { device = "backup";
+  #     fsType = "zfs";
+  #   };

  fileSystems."/mnt/backup_loutre" =
    { device = "loutrepool/backup";
@ -158,6 +158,16 @@
      fsType = "zfs";
    };

+  fileSystems."/var/lib/nextcloud" =
+    { device = "loutrepool/var/nextcloud";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/private/photoprism" =
+    { device = "loutrepool/var/photoprism";
+      fsType = "zfs";
+    };
+
  fileSystems."/mnt/paul-home" =
    { device = "loutrepool/zfs-replicate/paul-fixe/fastaf/home";
      fsType = "zfs";
@ -176,6 +186,6 @@
      }
    ];

-  nix.maxJobs = lib.mkDefault 4;
+  nix.settings.max-jobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/systems/LoutreOS/medias.nix
+++ b/systems/LoutreOS/medias.nix
@ -1,9 +1,10 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, pkgs-unstable, pkgs-4a3fc4cf7, ... }:

 {
  services = {
    transmission = {
      enable = true;
+      package = pkgs-4a3fc4cf7.transmission_4;
      home = "/var/lib/transmission";
      group = "medias";
      settings = {
@ -13,25 +14,33 @@
        rpc-whitelist-enabled = false;
        peer-port = 51413;
        incomplete-dir = "/mnt/medias/incomplete";
+        download-dir = "/mnt/medias/torrent";
      };
    };

-    radarr.enable = true;
-    sonarr.enable = true;
-    jackett.enable = true;
+    radarr = {
+      enable = true;
+      package = pkgs-unstable.radarr;
+    };
+    sonarr = {
+      enable = true;
+      package = pkgs-unstable.sonarr;
+    };
+    flaresolverr = {
+      enable = false;
+      package = pkgs-unstable.flaresolverr;
+    };
+    prowlarr = {
+      enable = true;
+      package = pkgs-unstable.prowlarr;
+    };

    jellyfin = {
      enable = true;
-      package = pkgs.jellyfin;
+      package = pkgs-unstable.jellyfin;
    };

-    navidrome = {
-      enable = true;
-      settings = {
-        MusicFolder = "/mnt/medias/musique";
-        ImageCacheSize = 0;
-      };
-    };
+    slimserver.enable = true;
  };

  systemd.services.transmission.serviceConfig = {
@ -48,25 +57,4 @@
      config.services.transmission.settings.peer-port
    ];
  };
-
-  virtualisation.oci-containers = {
-    backend = "podman";
-    containers = {
-      slimserver = {
-        image = "docker.io/lmscommunity/logitechmediaserver:stable";
-        volumes = [
-          "/mnt/medias/musique:/music:ro"
-          "/var/lib/slimserver:/config:rw"
-          "/etc/localtime:/etc/localtime:ro"
-        ];
-        ports = [
-          "10.30.0.1:9000:9000/tcp"
-          "10.30.0.1:9090:9090/tcp"
-          "10.30.0.1:3483:3483/tcp"
-          "10.30.0.1:3483:3483/udp"
-        ];
-        extraOptions = ["--pull=always"];
-      };
-    };
-  };
 }
--- a/systems/LoutreOS/monitoring.nix
+++ b/systems/LoutreOS/monitoring.nix
@ -7,7 +7,7 @@ in
  services = {
    smartd = {
      enable = true;
-      defaults.monitored = "-a -o on -s (S/../.././02|L/../../1/04)";
+      defaults.monitored = "-a -o on -s (S/../.././02|L/../15/./02)";
      notifications.mail = {
        enable = true;
        recipient = "paul@nyanlout.re";
@ -87,18 +87,27 @@ in

    grafana = {
      enable = true;
-      addr = "127.0.0.1";
      dataDir = "/var/lib/grafana";
-      extraOptions = {
-        SERVER_ROOT_URL = "https://grafana.${domaine}";
-        SMTP_ENABLED = "true";
-        SMTP_FROM_ADDRESS = "grafana@${domaine}";
-        SMTP_SKIP_VERIFY = "true";
-        AUTH_DISABLE_LOGIN_FORM = "true";
-        AUTH_DISABLE_SIGNOUT_MENU = "true";
-        AUTH_ANONYMOUS_ENABLED = "true";
-        AUTH_ANONYMOUS_ORG_ROLE = "Admin";
-        AUTH_BASIC_ENABLED = "false";
+      settings = {
+        server = {
+          http_addr = "127.0.0.1";
+          root_url = "https://grafana.${domaine}";
+        };
+        smtp = {
+          enabled = true;
+          from_address = "grafana@${domaine}";
+          skip_verify = true;
+        };
+        auth = {
+          disable_signout_menu = true;
+        };
+        "auth.basic" = {
+          enabled = false;
+        };
+        "auth.proxy" = {
+          enabled = true;
+          header_name = "X-WEBAUTH-USER";
+        };
      };
    };

@ -108,6 +117,10 @@ in
    };
  };

+  systemd.services.influxdb.serviceConfig = {
+    TimeoutStartSec = "10min";
+  };
+
  security.sudo.extraRules = [
    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
  ];
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@ -0,0 +1,365 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  boot = {
+    kernel.sysctl = {
+      "net.ipv6.conf.all.forwarding" = true;
+      "net.ipv6.conf.default.forwarding" = true;
+      "net.ipv4.conf.all.forwarding" = true;
+      "net.ipv4.conf.default.forwarding" = true;
+    };
+  };
+
+  # Enable LTE drivers
+  hardware.usb-modeswitch.enable = true;
+
+  ##################
+  # NETWORK CONFIG #
+  ##################
+
+  # eno1      -> VLAN100 -> Internet
+  # eno2      -> LAN
+  # eno3      -> Pas utilisé
+  # eno4      -> Pas utilisé
+  # enp0s21u1 -> Clé 4G Bouygues
+  # wg0       -> Tunnel Wireguard ARN
+
+  networking = {
+    hostName = "loutreos"; # Define your hostname.
+    hostId = "7e66e347";
+
+    useNetworkd = true;
+    useDHCP = false;
+
+    nameservers = [
+      # https://www.dns0.eu/fr
+      "193.110.81.0"
+      "185.253.5.0"
+    ];
+
+    vlans = {
+      bouygues = {
+        id = 100;
+        interface = "eno1";
+      };
+    };
+
+    interfaces = {
+      bouygues = {
+        # Adresse MAC BBox : https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
+        macAddress = "E8:AD:A6:21:73:68";
+        useDHCP = true;
+      };
+      eno2 = {
+        ipv4.addresses = [
+          { address = "10.30.0.1"; prefixLength = 16; }
+        ];
+      };
+      enp0s21u1.useDHCP = true;
+    };
+
+    nftables = {
+      enable = true;
+      flushRuleset = false;
+      tables = {
+        "multi-wan-routing" = {
+          family = "inet";
+          content = ''
+            chain PREROUTING {
+              type filter hook prerouting priority mangle; policy accept;
+              # Restore the packet's CONNMARK to the MARK for existing incoming connections
+              counter meta mark set ct mark
+              # If packet MARK is set, then it means that there is already a connection mark
+              meta mark != 0x00000000 counter accept
+              # Else, we need to mark the packet.
+              # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
+              iifname "bouygues" counter meta mark set 0x1
+              iifname "enp0s21u1" counter meta mark set 0x2
+              iifname "wg0" counter meta mark set 0x3
+              # Save new mark in CONNMARK
+              counter ct mark set mark
+            }
+
+            chain OUTPUT {
+              type route hook output priority mangle; policy accept;
+              # Restore CONNMARK to MARK for outgoing packets before final routing decision
+              counter meta mark set ct mark
+            }
+
+            chain POSTROUTING {
+              type filter hook postrouting priority mangle; policy accept;
+              # Save MARK to CONNMARK
+              counter ct mark set mark
+            }
+          '';
+        };
+
+        "redirect-external-to-local" = {
+          family = "ip";
+          content = ''
+            chain PREROUTING {
+              type nat hook prerouting priority dstnat; policy accept;
+              # Redirect local network request from server external IP to internal IP
+              # This allow access to server without internet access
+              ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1
+            }
+          '';
+        };
+      };
+    };
+
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPorts = [ ];
+
+      # Open ports on local netwok only
+      interfaces.eno2 = {
+        allowedTCPPorts = [
+          111 2049 4000 4001 4002 # NFS
+          3483 9000 9090 # Slimserver
+          1935 # RTMP
+        ];
+        allowedUDPPorts = [
+          111 2049 4000 4001 4002 # NFS
+          3483 # Slimserver
+          67 # DHCP
+        ];
+      };
+
+      # Don't forward incoming IPv6 requests to local network
+      filterForward = true;
+      extraForwardRules = ''
+        # Forward all IPv6 traffic from local network
+        iifname "eno2" counter accept
+      '';
+    };
+  };
+
+  systemd.services.systemd-networkd = {
+    unitConfig = {
+      RequiresMountsFor = "/mnt/secrets/wireguard";
+    };
+    serviceConfig = {
+      LoadCredential = [
+          "network.wireguard.private.wg0:/mnt/secrets/wireguard/wireguard.private"
+          "network.wireguard.preshared.wg0:/mnt/secrets/wireguard/wireguard.preshared"
+      ];
+    };
+  };
+
+  #################
+  # ROUTING RULES #
+  #################
+
+  # 0:      from all lookup local
+  # 60:     from all iif lo dport 25 lookup vpn  # mails are forced to vpn table
+  # 32766:  from all lookup main                 # main table should contain no default routes, only local network routes
+  # 32767:  from all lookup default
+  # 41000:  from all fwmark 0x1 lookup fiber     # fwmark indicate established connection that must go through same interface
+  # 42000:  from all fwmark 0x2 lookup lte
+  # 43000:  from all fwmark 0x3 lookup vpn
+  # 51000:  from all lookup fiber                # first table encountered with a default route if fiber is up
+  # 52000:  from all lookup lte                  # first table encountered with a default route if fiber is down
+
+  systemd.network = let
+    routeTables = {
+      fiber = 1;
+      lte = 2; 
+      vpn = 3;
+    };
+  in {
+    enable = true;
+
+    config = {
+      inherit routeTables;
+      addRouteTablesToIPRoute2 = true;
+    };
+
+    # Wireguard ARN device configuation
+    netdevs = {
+      "10-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+          MTUBytes = "1450";
+        };
+        wireguardConfig = {
+          PrivateKey = "@network.wireguard.private.wg0";
+          RouteTable = routeTables.vpn;
+        };
+        wireguardPeers = [
+          {
+            Endpoint = "89.234.141.83:8095";
+            PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
+            PresharedKey = "@network.wireguard.preshared.wg0";
+            AllowedIPs = ["0.0.0.0/0" "::/0"];
+            PersistentKeepalive = 15;
+          }
+        ];
+      };
+    };
+
+    networks = {
+      #########
+      # FIBER #
+      #########
+
+      # Set route metric to highest priority
+      # Set DHCP client magic settings for Bouygues
+      "40-bouygues" = {
+        dhcpV4Config.RouteTable = routeTables.fiber;
+
+        dhcpV6Config = {
+          DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
+          WithoutRA = "solicit";
+        };
+
+        ipv6AcceptRAConfig = {
+          DHCPv6Client = true;
+          RouteTable = routeTables.fiber;
+        };
+
+        networkConfig = {
+          KeepConfiguration = "dhcp-on-stop";
+          IPv6AcceptRA = true;
+          DHCPPrefixDelegation = true;
+        };
+
+        # Static attribution of first IPv6 subnet
+        dhcpPrefixDelegationConfig.SubnetId = "0";
+
+        # Route everything to fiber link with a priority of 40000
+        routingPolicyRules = [
+          {
+            FirewallMark = 1;
+            Table = routeTables.fiber;
+            Priority = 41000;
+            Family = "both";
+          }
+          {
+            Table = routeTables.fiber;
+            Priority = 51000;
+            Family = "both";
+          }
+        ];
+      };
+
+      # Don't check VLAN physical interface as it is not directly used
+      "40-eno1".linkConfig.RequiredForOnline = "no";
+
+      #######
+      # LTE #
+      #######
+
+      # Set LTE route to lower priority
+      "40-enp0s21u1" = {
+        dhcpV4Config.RouteTable = routeTables.lte;
+
+        # Route all to lte link with a priority of 50000
+        routingPolicyRules = [
+          {
+            FirewallMark = 2;
+            Table = routeTables.lte;
+            Priority = 42000;
+            Family = "both";
+          }
+          {
+            Table = routeTables.lte;
+            Priority = 52000;
+            Family = "both";
+          }
+        ];
+      };
+
+      #######
+      # VPN #
+      #######
+
+      # Wireguard ARN network configuation
+      "10-wg0" = {
+        matchConfig.Name = "wg0";
+        address = [
+          "89.234.141.196/32"
+          "2a00:5881:8119:400::1/128"
+        ];
+        routingPolicyRules = [
+          # Route outgoing emails to VPN table
+          {
+            IncomingInterface = "lo";
+            DestinationPort = "25";
+            Table = routeTables.vpn;
+            Priority = 60;
+            Family = "both";
+          }
+          # Route packets originating from wg0 device to VPN table
+          # Allow server to respond on the wg0 interface requests
+          {
+            FirewallMark = 3;
+            Table = routeTables.vpn;
+            Priority = 43000;
+            Family = "both";
+          }
+        ];
+      };
+
+      #######
+      # LAN #
+      #######
+
+      # LAN DHCP server config
+      "40-eno2" = {
+        networkConfig = {
+          IPv6SendRA = true;
+          DHCPPrefixDelegation = true;
+          DHCPServer = true;
+          IPMasquerade = "ipv4";
+        };
+        dhcpServerConfig = {
+          EmitRouter = true;
+          EmitDNS = true;
+          DNS = [
+            # https://www.dns0.eu/fr
+            "193.110.81.0"
+            "185.253.5.0"
+          ];
+        };
+        dhcpServerStaticLeases = [
+          # IPMI
+          {
+            Address = "10.30.1.1";
+            MACAddress = "ac:1f:6b:4b:01:15";
+          }
+          # paul-fixe
+          {
+            Address = "10.30.50.1";
+            MACAddress = "b4:2e:99:ed:24:26";
+          }
+          # salonled
+          {
+            Address = "10.30.40.1";
+            MACAddress = "e0:98:06:85:e9:ce";
+          }
+          # miroir-bleu
+          {
+            Address = "10.30.40.2";
+            MACAddress = "e0:98:06:86:38:fc";
+          }
+          # miroir-orange
+          {
+            Address = "10.30.40.3";
+            MACAddress = "50:02:91:78:be:be";
+          }
+        ];
+        ipv6SendRAConfig = {
+          EmitDNS = true;
+          DNS = [
+            # https://www.dns0.eu/fr
+            "2a0f:fc80::"
+            "2a0f:fc81::"
+          ];
+        };
+      };
+    };
+  };
+}
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@ -20,15 +20,10 @@ let
  '';

  backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs";
-
-  unstable = import <nixos-unstable> { };
 in

 {
  imports = [
-    ../../services/python-ci.nix
-    ../../services/sdtdserver.nix
-    # /mnt/secrets/factorio_secrets.nix
    ./monitoring.nix
    ./medias.nix
    ./web.nix
@ -62,7 +57,7 @@ in
    };

    # Certificate setup
-    certificateScheme = 1;
+    certificateScheme = "manual";
    certificateFile = "/var/lib/acme/${domaine}/fullchain.pem";
    keyFile = "/var/lib/acme/${domaine}/key.pem";

@ -77,46 +72,19 @@ in
  };

  services = {
-    postfix = {
-      relayHost = "mailvps.nyanlout.re";
-      relayPort = 587;
-      config = {
-        smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
-        smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
-      };
-    };
-
    rspamd.workers.controller.extraConfig = ''
-      secure_ip = ["0.0.0.0/0"];
+      secure_ip = ["0.0.0.0/0", "::"];
    '';

-    redis.enable = true;
+    # redis.enable = true;

-    logrotate = {
-      enable = true;
-      paths = {
-        nginx = {
-          path = "/var/log/nginx/*.log";
-          user = config.services.nginx.user;
-          group = config.services.nginx.group;
-          keep = 7;
-          extraConfig = ''
-            compress
-          '';
-        };
-      };
-    };
+    # enable with nginx defult config
+    logrotate.enable = true;

    fail2ban.enable = true;

    fstrim.enable = true;

-    syncthing = {
-      enable = true;
-      dataDir = "/var/lib/syncthing";
-      openDefaultPorts = true;
-    };
-
    nfs.server = {
      enable = true;
      exports = ''
@ -137,21 +105,26 @@ in
          "/var/lib/gitea"
          "/var/lib/grafana"
          "/var/lib/jackett"
-          "/var/lib/matrix-synapse"
-          "/var/lib/postgresql/.zfs/snapshot/borgsnap"
+          "/mnt/borgsnap/postgresql"
          "/var/lib/radarr"
          "/var/lib/sonarr"
          "/var/lib/transmission"
-          "/mnt/medias/musique"
-          "/mnt/medias/torrent/lidarr"
-          "/mnt/medias/torrent/musique"
+          "/var/lib/airsonic"
+          "/var/lib/hass"
+          "/var/lib/opendkim"
+          "/var/lib/slimserver"
+          "/var/lib/watcharr"
+          "/var/lib/nextcloud"
          "/mnt/paul-home/paul"
          "/var/sieve"
          "/var/vmail"
+          "/mnt/backup_loutre/amandoleen"
+          "/mnt/secrets"
        ];
        exclude = [
          "/var/lib/radarr/.config/Radarr/radarr.db-wal"
          "/var/lib/radarr/.config/Radarr/radarr.db-shm"
+          "/mnt/paul-home/paul/.cache"
        ];
        repo = "ssh://u306925@u306925.your-storagebox.de:23/./loutreos";
        environment = { BORG_RSH = "ssh -i /mnt/secrets/hetzner_ssh_key"; };
@ -165,15 +138,15 @@ in
          weekly = 4;
          monthly = 12;
        };
-        preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
+        preHook = ''
+          ${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap
+          mkdir -p /mnt/borgsnap/postgresql
+          ${config.security.wrapperDir}/mount -t zfs loutrepool/var/postgresql@borgsnap /mnt/borgsnap/postgresql
+        '';
        readWritePaths = [ "/var/lib/postfix/queue/maildrop" ];
        postHook = ''
+          ${config.security.wrapperDir}/umount /mnt/borgsnap/postgresql
          ${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
-          if [[ $exitStatus == 0 ]]; then
-            ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO BackupStorage:default
-          else
-            ${backup_mail_alert}/bin/mail.sh
-          fi
        '';
      };
    };
@ -191,80 +164,101 @@ in
      };
    };

-    sdtdserver.enable = false;
-
-    factorio = {
-      enable = false;
-      autosave-interval = 10;
-      game-name = "Shame";
-      public = true;
-      username = "nyanloutre";
-    };
-
-    minecraft-server = {
-      enable = false;
-      jvmOpts = "-Xms512m -Xmx3072m";
-      eula = true;
-      declarative = true;
-      openFirewall = true;
-      whitelist = {
-        nyanloutre = "db0669ea-e332-4ca3-8d50-f5d1458f5822";
-        Hautension = "f05677f4-be5a-47df-ad77-21c739180aa2";
-        LordDarkKiwi = "79290cfc-0b00-484f-9c94-ab0786402de6";
-        Madahin = "f5f747e3-fac2-43e8-9b9b-a67dc2f368ff";
-        Hopegcx = "4497f759-2210-48db-8764-307d33011442";
-        wyrd68 = "127a3021-cdc1-419f-9010-4651df9ae3af";
-        sparsyateloutre = "d2ff63c1-4e9f-4b21-9bfc-decce5d987b3";
-      };
-      serverProperties = {
-        difficulty = 2;
-        gamemode = 0;
-        max-players = 50;
-        motd = "Hi Mark !";
-        white-list = true;
-      };
-    };
-
    kresd = {
      enable = true;
    };

+    mosquitto = {
+      enable = true;
+      listeners = [
+        {
+          acl = [ "pattern readwrite #" ];
+          omitPasswordAuth = true;
+          address = "127.0.0.1";
+          settings.allow_anonymous = true;
+        }
+      ];
+    };
+
+    zigbee2mqtt = {
+      enable = true;
+      settings = {
+        serial.port = "/dev/serial/by-id/usb-Texas_Instruments_TI_CC2531_USB_CDC___0X00124B0014D97058-if00";
+        mqtt = {
+          server = "mqtt://${(head config.services.mosquitto.listeners).address}:${toString (head config.services.mosquitto.listeners).port}";
+        };
+        frontend = {
+          port = 8080;
+          host = "127.0.0.1";
+          url = "https://zigbee.nyanlout.re";
+        };
+        groups = {
+          "101" = {
+            friendly_name = "salon";
+            devices = [
+              "0x94deb8fffe760f3d"
+            ];
+          };
+          "102" = {
+            friendly_name = "cuisine";
+            devices = [
+              "0x003c84fffe6d9ee6"
+            ];
+          };
+          "103" = {
+            friendly_name = "entrée";
+            devices = [
+              "0x84ba20fffe5ec243"
+            ];
+          };
+          "104" = {
+            friendly_name = "tout";
+            devices = [
+              "0x94deb8fffe760f3d"
+              "0x003c84fffe6d9ee6"
+              "0x84ba20fffe5ec243"
+            ];
+          };
+          "107" = {
+            friendly_name = "chambre";
+            devices = [
+              "0x84ba20fffe5eb120"
+            ];
+          };
+        };
+      };
+    };
+
    home-assistant = {
      enable = true;
+      extraComponents = [
+        # Components required to complete the onboarding
+        "met"
+        "radio_browser"
+      ];
      config = {
+        default_config = {};
        homeassistant = {
-          elevation = 143;
+          country = "FR";
+          latitude = 48.60038;
+          longitude = 7.74063;
+          elevation = 146;
        };
-        influxdb = null;
-        config = null;
-        dhcp = null;
-        frontend = null;
-        history = null;
+        meteo_france = null;
        http = {
          use_x_forwarded_for = true;
          trusted_proxies = [ "127.0.0.1" ];
        };
-        logbook = null;
-        map = null;
-        mobile_app = null;
-        person = null;
-        script = null;
-        sun = null;
-        system_health = null;
-        yeelight.devices = {
-          "10.40.249.0".name = "Chambre";
-          "10.40.249.1".name = "Bureau";
-          "10.40.249.2".name = "Cuisine";
-        };
-        zha = null;
+        mqtt = null;
        esphome = null;
        light = [
          {
            platform = "group";
            name = "Salon";
            entities = [
-              "light.bureau"
-              "light.cuisine"
+              "light.salon_light"
+              "light.cuisine_light"
+              "light.entree_light"
            ];
          }
        ];
@ -274,317 +268,38 @@ in
            host = "10.30.0.1";
          }
        ];
-        tplink.switch = [
-          { host = "10.30.50.7"; }
-        ];
-        sensor = [
-          {
-            platform = "template";
-            sensors = {
-              serveur_amps = {
-                friendly_name_template = "{{ states.switch.serveur.name}} Current";
-                value_template = ''{{ states.switch.serveur.attributes["current_a"] | float }}'';
-                unit_of_measurement = "A";
-              };
-              serveur_watts = {
-                friendly_name_template = "{{ states.switch.serveur.name}} Current Consumption";
-                value_template = ''{{ states.switch.serveur.attributes["current_power_w"] | float }}'';
-                unit_of_measurement = "W";
-              };
-              serveur_total_kwh = {
-                friendly_name_template = "{{ states.switch.serveur.name}} Total Consumption";
-                value_template = ''{{ states.switch.serveur.attributes["total_energy_kwh"] | float }}'';
-                unit_of_measurement = "kWh";
-              };
-              serveur_volts = {
-                friendly_name_template = "{{ states.switch.serveur.name}} Voltage";
-                value_template = ''{{ states.switch.serveur.attributes["voltage"] | float }}'';
-                unit_of_measurement = "V";
-              };
-              serveur_today_kwh = {
-                friendly_name_template = "{{ states.switch.serveur.name}} Today's Consumption";
-                value_template = ''{{ states.switch.serveur.attributes["today_energy_kwh"] | float }}'';
-                unit_of_measurement = "kWh";
-              };
-            };
-          }
-        ];
-        switch = [
-          {
-            platform = "wake_on_lan";
-            name = "PC Fixe";
-            mac = "b4:2e:99:ed:24:26";
-            host = "10.30.135.71";
-            broadcast_address = "10.30.255.255";
-          }
-        ];
-        device_tracker = [
-          {
-            platform = "ping";
-            hosts = { telephone_paul = "10.30.50.2"; };
-          }
-        ];
-        scene = [
-          {
-            name = "Movie";
-            icon = "mdi:movie-open";
-            entities = {
-              "light.salon" = {
-                state = "on";
-                xy_color = [0.299 0.115];
-                brightness = 50;
-              };
-              "light.bande_led_tv" = {
-                state = "on";
-                effect = "Movie";
-                brightness = 180;
-              };
-              "light.bande_led_bureau" = {
-                state = "on";
-                xy_color = [0.299 0.115];
-                brightness = 130;
-              };
-            };
-          }
-          {
-            name = "Home";
-            icon = "mdi:home";
-            entities = {
-              "light.salon" = {
-                state = "on";
-                kelvin = 2700;
-                brightness = 255;
-              };
-            };
-          }
-          {
-            name = "Night";
-            icon = "mdi:weather-night";
-            entities = {
-              "light.salon" = {
-                state = "off";
-              };
-              "light.bande_led_tv" = {
-                state = "off";
-              };
-              "light.bande_led_bureau" = {
-                state = "off";
-              };
-              "light.chambre" = {
-                state = "on";
-                kelvin = 1900;
-                brightness = 50;
-              };
-            };
-          }
-        ];
-        automation = let
-          min_sun_elevation = 4;
+      };
+    };

-          switch_chambre = {
-            domain = "zha";
-            platform = "device";
-            device_id = "3329ecdcad244e5e8fc0f4b96d52ffe1";
-          };
+    photoprism = {
+      enable = true;
+      originalsPath = "/mnt/backup_loutre/amandoleen/d/Users/Amand/Pictures";
+      passwordFile = "/mnt/secrets/photoprism_pass";
+      settings = {
+        PHOTOPRISM_READONLY = "1";
+        PHOTOPRISM_DETECT_NSFW = "1";
+        PHOTOPRISM_SITE_URL = "https://photo.nyanlout.re/";
+      };
+    };
+  };

-          switch_entree = {
-            domain = "zha";
-            platform = "device";
-            device_id = "7cd814190ec543dba76a7aa7e7996c41";
-          };
-
-          remote = {
-            domain = "zha";
-            platform = "device";
-            device_id = "d1230b76264e483388a8fdaad4f44143";
-          };
-        in [
-          # ENTREE
-
-          {
-            alias = "Aziz lumière";
-            trigger = [
-              {
-                platform = "numeric_state";
-                entity_id = "sun.sun";
-                value_template = "{{ state.attributes.elevation }}";
-                below = min_sun_elevation;
-              }
-            ];
-            condition = [
-              {
-                condition = "state";
-                entity_id = "person.paul";
-                state = "home";
-              }
-              # Sun below max elevation
-              {
-                condition = "template";
-                value_template = "{{ state_attr('sun.sun', 'elevation') < ${toString min_sun_elevation} }}";
-              }
-            ];
-            action = {
-              scene = "scene.home";
-            };
-          }
-          {
-            alias = "Aziz lumière switch";
-            trigger = {
-              type = "remote_button_short_press";
-              subtype = "turn_on";
-            } // switch_entree;
-            action = {
-              scene = "scene.home";
-            };
-          }
-          {
-            alias = "Adios";
-            trigger = [
-              {
-                platform = "state";
-                entity_id = "person.paul";
-                to = "not_home";
-              }
-              ({
-                type = "remote_button_short_press";
-                subtype = "turn_off";
-              } // switch_entree)
-            ];
-            action = [
-              {
-                service = "light.turn_off";
-                entity_id = "all";
-              }
-              {
-                service = "media_player.turn_off";
-                entity_id = "all";
-              }
-            ];
-          }
-
-          # REMOTE
-
-          {
-            alias = "Button toggle";
-            trigger = {
-              type = "remote_button_short_press";
-              subtype = "turn_on";
-            } // remote;
-            action = {
-              choose = {
-                conditions = {
-                  condition = "template";
-                  value_template = ''
-                    {% set domain = 'light' %}
-                    {% set state = 'off' %}
-                    {{ states[domain] | count == states[domain] | selectattr('state','eq',state) | list | count }}
-                  '';
-                };
-                sequence = {
-                  scene = "scene.home";
-                };
-              };
-              default = {
-                service = "light.turn_off";
-                entity_id = "all";
-              };
-            };
-          }
-          {
-            alias = "Button scene movie";
-            trigger = {
-              type = "remote_button_short_press";
-              subtype = "right";
-            } // remote;
-            action = {
-              scene = "scene.movie";
-            };
-          }
-          {
-            alias = "Button scene home";
-            trigger = {
-              type = "remote_button_short_press";
-              subtype = "left";
-            } // remote;
-            action = {
-              scene = "scene.home";
-            };
-          }
-          {
-            alias = "Button light up";
-            trigger = {
-              type = "remote_button_short_press";
-              subtype = "dim_up";
-            } // remote;
-            action = {
-              service = "light.turn_on";
-              entity_id = "light.salon";
-              data = {
-                brightness_step = 25;
-              };
-            };
-          }
-          {
-            alias = "Button light down";
-            trigger = {
-              type = "remote_button_short_press";
-              subtype = "dim_down";
-            } // remote;
-            action = {
-              service = "light.turn_on";
-              entity_id = "light.salon";
-              data = {
-                brightness_step = -25;
-              };
-            };
-          }
-
-          # CHAMBRE
-
-          {
-            alias = "Button scene night";
-            trigger = {
-              type = "remote_button_short_press";
-              subtype = "turn_on";
-            } // switch_chambre;
-            action = {
-              scene = "scene.night";
-            };
-          }
-          {
-            alias = "Button scene dodo";
-            trigger = {
-              type = "remote_button_short_press";
-              subtype = "turn_off";
-            } // switch_chambre;
-            action = {
-              service = "light.turn_off";
-              entity_id = "all";
-            };
-          }
-          {
-            alias = "Button scene lumière chambre ON";
-            trigger = {
-              type = "remote_button_long_press";
-              subtype = "dim_up";
-            } // switch_chambre;
-            action = {
-              service = "light.turn_on";
-              entity_id = "light.chambre";
-            };
-          }
-          {
-            alias = "Button scene lumière chambre OFF";
-            trigger = {
-              type = "remote_button_long_press";
-              subtype = "dim_down";
-            } // switch_chambre;
-            action = {
-              service = "light.turn_off";
-              entity_id = "light.chambre";
-            };
-          }
-        ];
+  systemd = {
+    timers."lg-devmode-reset" = {
+      wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "5m";
+          OnUnitActiveSec = "1w";
+        };
+    };
+    services = {
+      "borgbackup-job-loutre".serviceConfig.TemporaryFileSystem = ["/mnt/borgsnap"];
+      "lg-devmode-reset" = {
+        script = ''
+          ${pkgs.curl}/bin/curl https://developer.lge.com/secure/ResetDevModeSession.dev\?sessionToken\=9f94269da0dc14fd924b65d8dca28b076f931ad1ca04fe7a09ac78cdb0e22cb4
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+        };
      };
    };
  };
@ -593,86 +308,21 @@ in

  ipmihddtemp.enable = true;

-  # systemd.services.minecraft-overviewer =
-  # let
-  #   clientJar = pkgs.fetchurl {
-  #     url = "https://overviewer.org/textures/1.14";
-  #     sha256 = "0fij9wac7vj6h0kd3mfhqpn0w9gl8pbs9vs9s085zajm0szpr44k";
-  #     name = "client.jar";
-  #   };
-  #   configFile = pkgs.runCommand "overviewer-config" { CLIENT_JAR = clientJar; } ''
-  #     substitute ${./config-overviewer.py} $out \
-  #       --subst-var CLIENT_JAR
-  #   '';
-  # in
-  # {
-  #   script = ''
-  #     ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile}
-  #     ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} --genpoi
-  #     rm /var/www/minecraft-overviewer/progress.json
-  #   '';
-  #   serviceConfig = {
-  #     User = "nginx";
-  #     Group = "nginx";
-  #   };
-  # };
-
-  # systemd.timers.minecraft-overviewer = {
-  #   wantedBy = [ "multi-user.target" ];
-  #   timerConfig = {
-  #     OnCalendar = "*-*-* 04:00:00";
-  #   };
-  # };
-
-  # systemd.packages = with pkgs; [
-  #   tgt
-  # ];
-
-  # environment.etc."tgt/targets.conf".text = ''
-  #   <target iqn.2019-11.nyanlout.re:steam>
-  #     backing-store /dev/zvol/loutrepool/steam-lun
-  #     initiator-address 10.30.50.3
-  #   </target>
-  # '';
-
  users.groups.nginx.members = [ "matrix-synapse" ];

  security.pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );

  networking = {
-    wireguard.interfaces = {
-      wg0 = {
-        ips = [ "192.168.20.1/24" ];
-        privateKeyFile = "/mnt/secrets/wireguard/wg0.privatekey";
-        listenPort = 51820;
-        allowedIPsAsRoutes = true;
-        peers = [
-          {
-            allowedIPs = [ "192.168.20.2/32" ];
-            publicKey = "b/SXiqo+GPdNOc54lyEVeUBc6B5AbVMKh+g5EZPGzlE=";
-          }
-        ];
-      };
-    };
-
-    nat.internalInterfaces = [ "wg0" ];
-    nat.internalIPs = [ "192.168.20.0/24" ];
-
    firewall.interfaces.eno2.allowedTCPPorts = [
      3260
    ];

    firewall.allowedTCPPorts = [
-      8448 # Matrix federation
      20 21 # FTP
    ];

    firewall.allowedTCPPortRanges = [
      { from = 64000; to = 65535; } # FTP
    ];
-
-    firewall.allowedUDPPorts = [
-      config.networking.wireguard.interfaces.wg0.listenPort
-    ];
  };
 }
--- a/systems/LoutreOS/users.nix
+++ b/systems/LoutreOS/users.nix
@ -6,7 +6,7 @@
      uid = 1000;
      isNormalUser = true;
      description = "Paul TREHIOU";
-      extraGroups = [ "wheel" "medias" "transmission" ];
+      extraGroups = [ "wheel" "medias" "transmission" "podman" ];
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAF7VlzHzgg70uFbRFtVTS34qNBke/RD36mRENAsa33RxztxrqMsIDscAD/d6CTe6HDy7MCGzJnWCJSXj5iOQFM4RRMvKNEgCKPHqfhmfVvO4YZuMjNB0ufVf6zhJL4Hy43STf7NIWrenGemUP+OvVSwN/ujgl2KKw4KJZt25/h/7JjlCgsZm4lWg4xcjoiKL701W2fbEoU73XKdbRTgTvKoeK1CGxdAPFefFDFcv/mtJ7d+wIxw9xODcLcA66Bu94WGMdpyEAJc4nF8IOy4pW8AzllDi0qNEZGCQ5+94upnLz0knG1ue9qU2ScAkW1/5rIJTHCVtBnmbLNSAOBAstaGQJuSL40TWZ1oPA5i1qUEhunNcJ+Sgtp6XP69qY34T/AeJvHRyw5M5LfN0g+4ka9k06NPBhbpHFASz4M8nabQ0iM63++xcapnw/8gk+EPhYVKW86SsyTa9ur+tt6oDWEKNaOhgscX44LexY7jKdeBRt3GaObtBJtVLBRx3Z2aRXgjgnKGqS40mGRiSkqb2DShspI1l8DV2RrPiuwdBzXVQjWRc0KXmJrcgXX9uoPSxihxwaUQyvmITOV1Y+NEuek4gRkVNOxjoG7RGnaYvYzxEQVoI5TwZC2/DCrAUgCv8DQawkcpEiWnBq7Q5VnpmFx5juVQ/I0G8byOkPXgRUOk9 openpgp:0xAB524BBC"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCACVI2dL4AmOdcb7RSl3JZpfK33NhqrYFfWfXMYow5SPJ9VPteOp5kVvKUuSbGH3chjpttYC/ueQJJhFagiKmkeftQTslIw6C009wUExGpJwRotHqISXv2ctURGURKy2FF848whd7xZJzdj49ZJ6S+SCbRFZvVWfT2dP/JwTiWW1mbEaWKyOgrixH6wSKt9ECumjX9KjqSWGw+k3yLJxIhdqiZAjNv4soJs1mQYdIlFCXCuznzoZIQBexZPQCx0j9HjczPz1feMLWkrHzEMexNjsBE2uA6yXLbH1wa8xCJ4VOeD7u9JqVY579AsicD62G+qIgw0B2zmyz7xTrdPv+061zmYn6qYr8EXGTk4dVgedZp8M1XzZ1PVoeeftPFcClXC7zCGyCR2uzJbQLzlaTwZrdghAiS9UhMRuKpNgZy2zDWw4MqdojrF5bndPkoijlXWYrPYBFED5OU1mpwzpanYgldowJC/Ixjwi+Hmse2q4XgZ+egfuotBqPfqB+bWsCa5GNiJWGdLP69uBSsXubGnqLwvE0FAQ2GHb+SEoZKFy/QV9GzOLlVrGlgK5YFgKJD+Q1nn1QRycXt1oMVC/AtR/NshOGanhdvIRpPATGmaxLVXSY093vyAOW4MPrS00fPAXzAfJUwIuWcloFfLMo5Jitj5rpE1s6FX8xrl4upQ== paul@nyanlout.re"
--- a/systems/LoutreOS/web.nix
+++ b/systems/LoutreOS/web.nix
@ -44,19 +44,18 @@ let
 in
 {
  security.acme = {
-    email = "paul@nyanlout.re";
+    defaults = {
+      email = "paul@nyanlout.re";
+      # Use european ACME service
+      server = "https://api.buypass.com/acme/directory";
+    };
    acceptTerms = true;
  };

  users.groups = {
-    work = {};
    webdav = {};
  };
  users.users = {
-    work = {
-      isSystemUser = true;
-      group = config.users.groups.work.name;
-    };
    webdav = {
      isSystemUser = true;
      group = config.users.groups.webdav.name;
@ -65,19 +64,6 @@ in

  services = {
    phpfpm.pools = {
-      work = {
-        user = config.users.users.work.name;
-        phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);
-        settings = {
-          "listen.owner" = config.services.nginx.user;
-          "pm" = "dynamic";
-          "pm.max_children" = 75;
-          "pm.start_servers" = 10;
-          "pm.min_spare_servers" = 5;
-          "pm.max_spare_servers" = 20;
-          "pm.max_requests" = 500;
-        };
-      };
      drive = {
        user = config.users.users.webdav.name;
        settings = {
@ -177,6 +163,8 @@ in
              proxyPass = "http://127.0.0.1:${toString(rport)}/";
              extraConfig = ''
                auth_request_set $cookie $upstream_http_set_cookie;
+                auth_request_set $username $upstream_http_x_username;
+                proxy_set_header X-WEBAUTH-USER $username;
                add_header Set-Cookie $cookie;
              '';
            };
@ -202,9 +190,6 @@ in
            '';
          };
        } // { default = true; };
-        "riot.nyanlout.re" = base { "/" = { root = pkgs.element-web; }; };
-        "factorio.nyanlout.re" = base { "/" = { root = "/var/www/factorio"; }; };
-        "minecraft.nyanlout.re" = base { "/" = { root = "/var/www/minecraft-overviewer"; }; };
        "musique-meyenheim.fr" = base {
          "/" = {
            proxyPass = "http://unix:/run/site-musique.sock";
@ -216,64 +201,53 @@ in
            alias = "/var/www/site-musique/media/";
          };
        };
-        "maxspiegel.fr" = base { "/" = { root = "/run/python-ci/nyanloutre/site-max"; }; };
-        "stream.nyanlout.re" = base {
-          "/" = {
-            proxyPass = "http://10.30.135.71";
-          };
+        "www.musique-meyenheim.fr" = {
+          enableACME = true;
+          forceSSL = true;
+          globalRedirect = "musique-meyenheim.fr";
        };
        "login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
-        "grafana.nyanlout.re" = authReverse config.services.grafana.port;
+        "grafana.nyanlout.re" = authReverse config.services.grafana.settings.server.http_port;
        "transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;
        "radarr.nyanlout.re" = authReverse 7878;
        "sonarr.nyanlout.re" = authReverse 8989;
        "syncthing.nyanlout.re" = authReverse 8384;
-        "jackett.nyanlout.re" = authReverse 9117;
-        "matrix.nyanlout.re" = simpleReverse 8008;
+        "prowlarr.nyanlout.re" = authReverse 9696;
+        "watcharr.nyanlout.re" = simpleReverse 3080;
        "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
          locations."/" = {
            proxyWebsockets = true;
          };
        };
-        "ci.nyanlout.re" = simpleReverse 52350;
-        "gitea.nyanlout.re" = simpleReverse config.services.gitea.httpPort;
-        "musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port;
+        "gitea.nyanlout.re" = simpleReverse config.services.gitea.settings.server.HTTP_PORT;
+        "photo.nyanlout.re" = recursiveUpdate (simpleReverse config.services.photoprism.port) {
+          locations."/" = {
+            proxyWebsockets = true;
+          };
+        };
+        "zigbee.nyanlout.re" = recursiveUpdate (authReverse config.services.zigbee2mqtt.settings.frontend.port) {
+          locations."/" = {
+            proxyWebsockets = true;
+          };
+        };
        "apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port) {
          locations."/" = {
            proxyWebsockets = true;
          };
        };
-        # "work.rezom.eu" = base {
-        #   "/" = {
-        #     index = "/_h5ai/public/index.php";
-        #     extraConfig = ''
-        #       dav_ext_methods PROPFIND OPTIONS;
-        #     '';
-        #   };
-        #   "~ ^/(_h5ai/public/index|random).php" = {
-        #     extraConfig = ''
-        #       fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        #       fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
-        #       include ${pkgs.nginx}/conf/fastcgi_params;
-        #       include ${pkgs.nginx}/conf/fastcgi.conf;
-        #     '';
-        #   };
-        # } // {
-        #   root = "/mnt/medias/iso_linux";
-        #   extraConfig = ''
-        #     access_log /var/log/nginx/$host.log;
-        #   '';
-        # };
        "drive.nyanlout.re" = base {
          "/" = {
-            index = "/index.php";
            extraConfig = ''
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
              fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
              include ${pkgs.nginx}/conf/fastcgi_params;
              include ${pkgs.nginx}/conf/fastcgi.conf;
-
-              client_max_body_size    0;
+              fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+              fastcgi_intercept_errors on;
+              fastcgi_buffers 64 4K;
+              client_body_temp_path /mnt/webdav/tmp_upload;
+              client_max_body_size 0;
+              proxy_request_buffering off;
            '';
          };
        } // {
@ -295,11 +269,30 @@ in
            '';
          }
        ];
+        "designyourfuture.amandoline-creations.fr" = base {
+          "/".alias = "/var/www/amandoline-designyourfuture/";
+        };
+        "amandoline-creations.fr" = base {
+          "/".alias = "/var/www/amandoline-portfolio/";
+        };
+        "www.amandoline-creations.fr" = {
+          enableACME = true;
+          forceSSL = true;
+          globalRedirect = "amandoline-creations.fr";
+        };
+        "challenge.amandoline-creations.fr" = base {
+          "/".alias = "/var/www/amandoline-challenge/";
+        };
+        ${config.services.nextcloud.hostName} = {
+          forceSSL = true;
+          enableACME = true;
+        };
      };
    };

    postgresql = {
      enable = true;
+      package = pkgs.postgresql_14;
      settings = {
        full_page_writes = false;
      };
@ -307,22 +300,54 @@ in

    gitea = {
      enable = true;
-      cookieSecure = true;
-      httpPort = 3001;
-      rootUrl = "https://gitea.nyanlout.re/";
      database = {
        type = "postgres";
        port = 5432;
        passwordFile = "/var/lib/gitea/custom/conf/database_password";
      };
-      log.level = "Warn";
-      disableRegistration = true;
      settings = {
-        ui.DEFAULT_THEME = "arc-green";
+        server = {
+          HTTP_PORT = 3001;
+          ROOT_URL = "https://gitea.nyanlout.re/";
+        };
+        log.LEVEL = "Warn";
+        service.DISABLE_REGISTRATION = true;
+        session.COOKIE_SECURE = true;
      };
    };

-    python-ci.enable = true;
+    nextcloud = {
+      enable = true;
+      package = pkgs.nextcloud30;
+      hostName = "cloud.nyanlout.re";
+      database.createLocally = true;
+      https = true;
+      maxUploadSize = "16G";
+      config = {
+        dbtype = "pgsql";
+        adminpassFile = "$CREDENTIALS_DIRECTORY/nextcloud_admin.pass";
+      };
+      settings = {
+        "preview_max_filesize_image" = "-1";
+        "preview_max_memory" = "1024";
+        "preview_ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg";
+        "enabledPreviewProviders" = [
+          ''OC\Preview\BMP''
+          ''OC\Preview\GIF''
+          ''OC\Preview\JPEG''
+          ''OC\Preview\Krita''
+          ''OC\Preview\MarkDown''
+          ''OC\Preview\MP3''
+          ''OC\Preview\OpenDocument''
+          ''OC\Preview\PNG''
+          ''OC\Preview\TXT''
+          ''OC\Preview\XBitmap''
+          ''OC\Preview\Movie''
+        ];
+      };
+      autoUpdateApps.enable = true;
+    };
+
  };

  systemd.services.nginx.serviceConfig = {
@ -332,15 +357,18 @@ in
    ];
  };

-  systemd.services.phpfpm-work.serviceConfig = {
-    ReadOnlyPaths = "/mnt/medias/iso_linux";
+  systemd.services.phpfpm-drive.serviceConfig = {
    ReadWritePaths = [
-      "/mnt/medias/iso_linux/_h5ai"
+      "/mnt/webdav"
    ];
  };

+  systemd.services.nextcloud-setup.serviceConfig = {
+    LoadCredential = "nextcloud_admin.pass:/mnt/secrets/nextcloud_admin.pass";
+  };
+
  systemd.services.site-musique = let
-    djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_3 pillow setuptools ]));
+    djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_4 pillow setuptools ]));
  in {
    description = "Site Django de la musique de Meyenheim";
    after = [ "network.target" ];
--- a/systems/PC-Fixe/configuration.nix
+++ b/systems/PC-Fixe/configuration.nix
@ -12,7 +12,7 @@
      ../common-gui.nix
    ];

-  nix.trustedUsers = [ "root" "paul" ];
+  nix.settings.trusted-users = [ "root" "paul" ];

  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub = {
@ -26,21 +26,23 @@
    "acpi_enforce_resources=lax"
    "zfs.zfs_arc_max=2147483648"
  ];
-  boot.tmpOnTmpfs = false;
+  boot.tmp.useTmpfs = false;
  boot.supportedFilesystems = [ "zfs" ];
+  boot.extraModprobeConfig = ''
+    options hid_apple fnmode=2
+  '';
+
+  zramSwap.enable = true;

-  virtualisation.virtualbox.host.enable = true;
-  # virtualisation.virtualbox.host.enableExtensionPack = true;
-  # virtualisation.anbox.enable = true;
  virtualisation.podman.enable = true;

  services.zfs = {
    trim = {
-      enable = true;
+      enable = false;
      interval = "monthly";
    };
    autoScrub = {
-      enable = true;
+      enable = false;
      interval = "monthly";
    };
    autoSnapshot = {
@ -60,22 +62,7 @@
  hardware.bluetooth.enable = true;

  # Logitech G920
-  hardware.usbWwan.enable = true;
-
-  # hardware.pulseaudio.extraConfig = ''
-  #   load-module module-null-sink sink_name=mic_denoised_out rate=48000
-  #   load-module module-ladspa-sink sink_name=mic_raw_in sink_master=mic_denoised_out label=noise_suppressor_mono plugin=${pkgs.rnnoise-plugin}/lib/ladspa/librnnoise_ladspa.so control=50
-  #   load-module module-loopback source=alsa_input.pci-0000_09_00.4.analog-stereo sink=mic_raw_in channels=1 source_dont_move=true sink_dont_move=true
-
-  #   load-module module-echo-cancel source_name=hd_mic source_master=mic_denoised_out.monitor sink_master=alsa_output.pci-0000_09_00.4.analog-stereo
-
-  #   set-default-source hd_mic
-  # '';
-
-  # hardware.pulseaudio.configFile = pkgs.runCommand "default.pa" {} ''
-  #   sed '/module-switch-on-port-available$/d' \
-  #     ${pkgs.pulseaudio}/etc/pulse/default.pa > $out
-  # '';
+  hardware.usb-modeswitch.enable = true;

  services.udev.packages = with pkgs; [
    usb-modeswitch-data # Logitech G920
@ -85,8 +72,6 @@
    ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
  '';

-  security.pki.certificateFiles = [ ./codemasters.pem ];
-
  networking.hostName = "paul-fixe";
  networking.hostId = "3a1f739e";

@ -96,17 +81,17 @@

  environment.systemPackages = with pkgs; [
    usb-modeswitch
+    esphome
  ];

-  programs.wireshark.enable = true;
-  programs.wireshark.package = pkgs.wireshark;
+  programs = {
+    wireshark.enable = true;
+    alvr.enable = true;
+  };

  networking.firewall.enable = false;

-  services.xserver.displayManager.autoLogin = {
-    enable = true;
-    user = "paul";
-  };
+  services.displayManager.autoLogin.user = "paul";

  users.users.paul = {
    isNormalUser = true;
@ -118,168 +103,23 @@
    ];
  };

-  services.netdata.enable = true;
-
  services.openssh.enable = true;
-  services.openssh.passwordAuthentication = false;
-  services.openssh.forwardX11 = true;
-
-  # security.pki.certificates = [
-  #   ''
-  #     -----BEGIN CERTIFICATE-----
-  #     MIIDoTCCAomgAwIBAgIGDorvJrq1MA0GCSqGSIb3DQEBCwUAMCgxEjAQBgNVBAMM
-  #     CW1pdG1wcm94eTESMBAGA1UECgwJbWl0bXByb3h5MB4XDTIwMDgzMDE5MjA1NloX
-  #     DTIzMDkwMTE5MjA1NlowKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAlt
-  #     aXRtcHJveHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsUHB2if9A
-  #     L5ytR9VrZncwDdx3J6ZdA2+wZQe9EjtX5ax1r55bbQBoJmN2HqZCSA3vdvMzr42W
-  #     Jx0ksNhNocEGvER2dTUIqkUKeeYQIRCc5CD9T5IpUVVKm3aeJo+FATmuzg4m23MZ
-  #     a9Up4nCdUJwufSqzv0ZWvEHERWtRXPYRZ2t+vKqnCS+dOQ3NsGWvC+12i7kNMKyy
-  #     0ylFBY/BZfaH/kMVzUijAnNQPWpW3T/Wqpx7z+IXZ+ccCQ1U1N26FXhSMa/+DenW
-  #     fo27QVNOu5cIIpAYmTl6+Oek0XLSH8oFLdjeVtBJuHFA1iAfmqPv4yJDKbSgg/d8
-  #     Jb46BE2ZyW6RAgMBAAGjgdAwgc0wDwYDVR0TAQH/BAUwAwEB/zARBglghkgBhvhC
-  #     AQEEBAMCAgQweAYDVR0lBHEwbwYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcD
-  #     BAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcKAwEG
-  #     CisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEATAOBgNVHQ8BAf8EBAMC
-  #     AQYwHQYDVR0OBBYEFEiFqrQtFmTV66rlQ9SCqp7ohrtsMA0GCSqGSIb3DQEBCwUA
-  #     A4IBAQBfH5xpxt4mCdnjiISaMeEcKuur2kfVbQEKNceDeKLZJfcwEkMtAr0LeyMV
-  #     1hkExtvyU0JPmgyzU7Le4UHEB8pwyyD3kYx7vBtxjVSXAbK1YKgDllPmXtlJGmA/
-  #     SMuxnwkUXwMeZBxmu8LR1SOQiMX+aZvYbQIjigduXOC/ZSHYtJbh+RmrvHFEBu7L
-  #     zZx8DzJKOmlfo9gohNIW1ucRM6B4B5yy5plqurGlkFPHlRqGoWkJPI4oB+cobzMh
-  #     QidzHgk4Set3bqIuYAsqtHGxdTtnGooagQBUWt0CxmGdmonofzinsAAasKprcBl6
-  #     QaNGz7o/LfHprXvCM1mHjbVVbZN2
-  #     -----END CERTIFICATE-----
-  #   ''
-  # ];
-
-  # services.wakeonlan.interfaces = [ { interface = "eno1"; method = "magicpacket"; } ];
-
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    package = pkgs.nginx.override {
-      modules = with pkgs.nginxModules; [ rtmp ];
-    };
-    virtualHosts."stream.nyanlout.re" = {
-      locations."/" = {
-        root = "/var/www/hls/";
-        extraConfig = ''
-          add_header Cache-Control no-cache;
-          add_header Access-Control-Allow-Origin *;
-        '';
-      };
-      default = true;
-    };
-    appendConfig = let
-      rootLocation = config.services.nginx.virtualHosts."stream.nyanlout.re".locations."/".root;
-    in ''
-      rtmp {
-        server {
-          listen 1935;
-
-          application live {
-            live on;
-            interleave on;
-            exec_push ${pkgs.ffmpeg}/bin/ffmpeg -i rtmp://localhost/$app/$name -async 1 -vsync -1
-                        -c:v libx264 -c:a aac -b:v 256k -b:a 96k -vf "scale=480:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://localhost/show/$name_low
-                        -c:v libx264 -c:a aac -b:v 768k -b:a 96k -vf "scale=720:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://localhost/show/$name_mid
-                        -c:v libx264 -c:a aac -b:v 1024k -b:a 128k -vf "scale=960:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://localhost/show/$name_high
-                        -c:v libx264 -c:a aac -b:v 1920k -b:a 128k -vf "scale=1280:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://localhost/show/$name_hd720
-                        -c copy -f flv rtmp://localhost/show/$name_src 2>>${rootLocation}/ffmpeg-$name.log;
-          }
-
-          application show {
-            live on;
-            hls on;
-
-            hls_path ${rootLocation};
-            hls_fragment 5;
-            hls_playlist_length 10;
-            hls_nested on;
-
-            hls_variant _low BANDWIDTH=352000; # Low bitrate, sub-SD resolution
-            hls_variant _mid BANDWIDTH=448000; # Medium bitrate, SD resolution
-            hls_variant _high BANDWIDTH=1152000; # High bitrate, higher-than-SD resolution
-            hls_variant _hd720 BANDWIDTH=2048000; # High bitrate, HD 720p resolution
-            hls_variant _src BANDWIDTH=8192000; # Source bitrate, source resolution
-          }
-        }
-      }
-    '';
+  services.openssh.settings = {
+    PasswordAuthentication = false;
+    X11Forwarding = true;
  };

  services.xserver.deviceSection = ''
    Option "metamodes" "DP-4: 3440x1440_144 +0+0 {AllowGSYNCCompatible=On}"
  '';

-  systemd = let
-    DP4Config = "--output DP-4 --mode 3440x1440 --rate 144";
-    HDMIConfig = "--output HDMI-0 --auto --left-of DP-4";
-  in {
-    services = {
-      wol = {
-        description = "Wake-on-LAN";
-        wantedBy = [ "multi-user.target" ];
-        requires = [ "network.target" ];
-        after = [ "network.target" ];
-        script = ''
-          ${pkgs.ethtool}/sbin/ethtool -s eno1 wol g
-        '';
-        serviceConfig.Type = "oneshot";
-      };
-      nginx.serviceConfig.ReadWritePaths = "/var/www/hls";
-      zfs-replication.serviceConfig.StateDirectory = "zfs-replication";
-    };
-    user.services = {
-      "enableTV" = {
-        description = "Enable TV output";
-        script = ''
-          ${pkgs.xorg.xrandr}/bin/xrandr ${DP4Config} --primary
-          /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { AllowGSYNCCompatible=On }"
-          ${pkgs.xorg.xrandr}/bin/xrandr ${HDMIConfig}
-          ${pkgs.pipewire}/bin/pw-cli s 43 Profile '{ index: 1 }'
-        '';
-        conflicts = ["CSMode.service"];
-        serviceConfig.Type = "oneshot";
-      };
-      "primaryTV" = {
-        description = "Set TV output as primary";
-        script = ''
-          ${pkgs.xorg.xrandr}/bin/xrandr ${DP4Config}
-          /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { AllowGSYNCCompatible=On }"
-          ${pkgs.xorg.xrandr}/bin/xrandr ${HDMIConfig} --primary
-          ${pkgs.pipewire}/bin/pw-cli s 43 Profile '{ index: 1 }'
-        '';
-        conflicts = ["CSMode.service"];
-        serviceConfig.Type = "oneshot";
-      };
-      "FreeSyncMode" = {
-        description = "Enable FreeSync screen only";
-        script = ''
-          ${pkgs.xorg.xrandr}/bin/xrandr ${DP4Config}
-          /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { AllowGSYNCCompatible=On }"
-          ${pkgs.xorg.xrandr}/bin/xrandr --output HDMI-0 --off
-        '';
-        conflicts = ["CSMode.service"];
-        serviceConfig.Type = "oneshot";
-      };
-      "CSMode" = {
-        description = "Enable 4:3 black bars";
-        script = ''
-          ${pkgs.xorg.xrandr}/bin/xrandr ${DP4Config} --primary
-          /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { ViewPortIn=3440x1440, ViewPortOut=1920x1440+760+0, AllowGSYNCCompatible=On }"
-          ${pkgs.xorg.xrandr}/bin/xrandr --output HDMI-0 --off
-        '';
-        preStop = ''
-          /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { ViewPortIn=3440x1440, ViewPortOut=3440x1440+0+0, AllowGSYNCCompatible=On }"
-        '';
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-        };
-      };
-    };
+  services.printing.enable = true;
+  services.printing.drivers = [ pkgs.hplip ];
+
+  systemd.services = {
+    zfs-replication.serviceConfig.StateDirectory = "zfs-replication";
  };

+  boot.enableContainers = false;
  system.stateVersion = "20.03";
 }
--- a/systems/PC-Fixe/hardware-configuration.nix
+++ b/systems/PC-Fixe/hardware-configuration.nix
@ -11,6 +11,10 @@

  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.cpu.amd.updateMicrocode = true;
+  hardware.nvidia = {
+    open = false;
+    modesetting.enable = true;
+  };

  fileSystems."/" =
    { device = "rpool/root/nixos";
@ -37,10 +41,10 @@
      fsType = "zfs";
    };

-  fileSystems."/mnt/hdd" =
-    { device = "/dev/mapper/ManjaroVG-ManjaroRoot";
-      fsType = "ext4";
-    };
+  # fileSystems."/mnt/hdd" =
+  #   { device = "/dev/mapper/ManjaroVG-ManjaroRoot";
+  #     fsType = "ext4";
+  #   };

  fileSystems."/mnt/medias" =
    { device = "10.30.0.1:/mnt/medias";
@ -50,6 +54,6 @@

  swapDevices = [ ];

-  nix.maxJobs = lib.mkDefault 12;
+  nix.settings.max-jobs = lib.mkDefault 12;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/systems/common-cli.nix
+++ b/systems/common-cli.nix
@ -11,12 +11,13 @@
      vimAlias = true;
      configure = {
        customRC = ''
-	  set tabstop=8
+	        set tabstop=8
          set shiftwidth=4
          set softtabstop=0
          set expandtab
-	  set smarttab
+	        set smarttab
          set background=dark
+          set mouse=
        '';
        packages.myVimPackage = with pkgs.vimPlugins; {
          start = [
@ -29,7 +30,6 @@
    })

    # Gestionnaires de version
-    gitMinimal
    tig
    gitAndTools.hub
    quilt
@ -49,7 +49,6 @@
    inetutils
    rclone
    lftp
-    wireguard-tools
    nfs-utils
    nmap

@ -57,7 +56,7 @@
    fzf
    file
    ncdu
-    youtube-dl
+    yt-dlp
    tldr
    starship

@ -104,6 +103,8 @@
    bash.interactiveShellInit = ''
      eval "$(starship init bash)"
    '';
+
+    git.enable = true;
  };

  environment.variables = let
--- a/systems/common-gui.nix
+++ b/systems/common-gui.nix
@ -1,8 +1,6 @@
 { config, pkgs, ... }:

 {
-  nixpkgs.config.allowUnfreePredicate = (pkg: true);
-
  environment.systemPackages = with pkgs; [
    filezilla
    qbittorrent
@ -10,20 +8,18 @@

    sc-controller
    steam-run
-    minecraft
+    prismlauncher
    lutris
    teamspeak_client
+    ryujinx

    betaflight-configurator

-    electrum
-    electron-cash
    ledger-live-desktop
    monero-gui

-    firefox
    tor-browser-bundle-bin
-    chromium
+    brave

    tdesktop
    element-desktop
@ -39,7 +35,7 @@
    ark
    kate
    kmail
-    kdeconnect
+    kdePackages.kdeconnect-kde
    okular
    yakuake
    konversation
@ -62,12 +58,10 @@
    obs-studio
    vlc
    mpv
-    jellyfin-mpv-shim
    kdenlive

    glxinfo
    i7z
-    appimage-run
    pavucontrol
  ];

@ -77,58 +71,58 @@

  console.keyMap = "fr";

-  programs.steam.enable = true;
-
-  # hardware = {
-  #   pulseaudio.enable = true;
-  # };
-
-  # sound.enable = true;
-
-  security.rtkit.enable = true;
-
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-  };
-
  networking.networkmanager.enable = true;

  systemd.extraConfig = "DefaultLimitNOFILE=1048576";
-  security.pam.loginLimits = [{
-    domain = "*";
-    type = "hard";
-    item = "nofile";
-    value = "1048576";
-  }];
+
+  security = {
+    pam.loginLimits = [{
+      domain = "*";
+      type = "hard";
+      item = "nofile";
+      value = "1048576";
+    }];
+    rtkit.enable = true;
+  };

  programs = {
    gnupg.agent = { enable = true; enableSSHSupport = true; };
    browserpass.enable = true;
+    steam.enable = true;
+    firefox.enable = true;
+    appimage.enable = true;
  };

  services = {
+    # desktopManager.plasma6.enable = true;
+    displayManager = {
+      sddm = {
+        enable = true;
+        # wayland.enable = true;
+        autoLogin.relogin = true;
+      };
+    };
    xserver = {
      enable = true;
-      layout = "fr";
+      xkb.layout = "fr";
      exportConfiguration = true;
-      displayManager.sddm.enable = true;
      desktopManager.plasma5.enable = true;
    };
-    udev.packages = with pkgs; [ ledger-udev-rules ];
-    pcscd = {
+    pipewire = {
      enable = true;
-      plugins = [
-        (pkgs.ccid.overrideAttrs (oldAttrs: rec {
-            preBuild = ''
-              echo "0x2C97:0x0001:Ledger Token" >> ./readers/supported_readers.txt
-            '';
-          })
-        )
-      ];
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      extraConfig.pipewire = {
+      "10-clock-rate" = {
+        "context.properties" = {
+          "default.clock.allowed-rates"  = [ 48000 ];
+        };
+      };
    };
+    };
+    udev.packages = with pkgs; [ ledger-udev-rules ];
+    pcscd.enable = true;
  };

  environment.etc = {