zigbee2mqtt: set stable usb serial path

clean old config
allow ipv4 forwarding needed by NAT
2025-01-08 22:24:19 +01:00 · 2025-01-07 16:42:37 +01:00 · 2025-01-07 16:00:50 +01:00 · 2025-01-07 16:00:26 +01:00 · 2025-01-06 15:44:21 +01:00 · 2025-01-03 14:56:07 +01:00
37 changed files with 2069 additions and 1704 deletions
--- a/containers/vsftpd.nix
+++ b/containers/vsftpd.nix
@ -1,49 +0,0 @@
-{ config, pkgs, ... }:
-{
-  containers.vsftpd = {
-    autoStart = true;
-    config =
-      { config, pkgs, ... }:
-      {
-        nixpkgs.overlays = [
-          (import ../overlays/vsftpd.nix)
-        ];
-        services.vsftpd = {
-          enable = true;
-          forceLocalLoginsSSL = true;
-          forceLocalDataSSL = true;
-          userlistDeny = false;
-          localUsers = true;
-          userlist = ["claire" "manu"];
-          rsaCertFile = "/var/vsftpd/vsftpd.pem";
-          extraConfig = ''
-            pasv_min_port=64000
-            pasv_max_port=65535
-            local_root=/mnt/medias
-          '';
-        };
-
-        users.extraUsers = {
-          claire = {
-            isNormalUser = true;
-            hashedPassword = "$6$Mu47EjsbNTewDkRp$XeQh6rcdvb3BUXzsGqekKImLTrMgnN0VyERoSbpI4rMPlx8oHM9NNeHZtfIiLEaZGtQ9otnbLa54jYse5Iwev1";
-            description = "Claire TREHIOU";
-          };
-
-          manu = {
-            isNormalUser = true;
-            hashedPassword = "$6$YGNIdGEclo$JcUotBS6hqlpENjjUeYhDjtrwxu10oARF4Nq4tEo072Sumr3Rl/w3ZXSHI5/3RxfvUMmJ4ulUVctBLhwrqP.g0";
-            description = "Emmanuel ZENNER";
-          };
-        };
-      };
-    bindMounts = {
-      "/var/vsftpd/vsftpd.pem" = {
-        hostPath = "/var/vsftpd/vsftpd.pem";
-      };
-      "/mnt/medias" = {
-        hostPath = "/mnt/medias";
-      };
-    };
-  };
-}
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,162 @@
+{
+  "nodes": {
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
+    "dogetipbot-telegram": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730148450,
+        "narHash": "sha256-CSxPIeDqavQ3fJhshuNs0oS84P1p87BsbNoashKlrKg=",
+        "owner": "nyanloutre",
+        "repo": "dogetipbot-telegram",
+        "rev": "667e318212920005917792b06e0f480b421fa6d3",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "nyanloutre",
+        "ref": "master",
+        "repo": "dogetipbot-telegram",
+        "type": "gitlab"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "ipmihddtemp": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1635966341,
+        "narHash": "sha256-Y70jZPL3/fY8SzkPnpw9Ta411zbbkJ1D3qOYJ76zuIA=",
+        "owner": "nyanloutre",
+        "repo": "ipmihddtemp",
+        "rev": "6fe5d14f588956dfff89716f81b8101c7a94cd6d",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "nyanloutre",
+        "ref": "master",
+        "repo": "ipmihddtemp",
+        "type": "gitlab"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1735669367,
+        "narHash": "sha256-tfYRbFhMOnYaM4ippqqid3BaLOXoFNdImrfBfCp4zn0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "edf04b75c13c2ac0e54df5ec5c543e300f76f1c9",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-24.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-4a3fc4cf7": {
+      "locked": {
+        "lastModified": 1716914467,
+        "narHash": "sha256-KkT6YM/yNQqirtYj/frn6RRakliB8RDvGqVGGaNhdcU=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1735471104,
+        "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "dogetipbot-telegram": "dogetipbot-telegram",
+        "ipmihddtemp": "ipmihddtemp",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-4a3fc4cf7": "nixpkgs-4a3fc4cf7",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
+      }
+    },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ],
+        "nixpkgs-24_11": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734884447,
+        "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "63209b1def2c9fc891ad271f474a3464a5833294",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-24.11",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,110 @@
+{
+  inputs = {
+    nixpkgs.url = "flake:nixpkgs/nixos-24.11";
+    nixpkgs-unstable.url = "flake:nixpkgs/nixos-unstable";
+    # transmission 4.0.5 downgrade to fix tracker bug
+    nixpkgs-4a3fc4cf7.url = "github:nixos/nixpkgs/4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4";
+    simple-nixos-mailserver = {
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
+      inputs = {
+        nixpkgs.follows = "nixpkgs-unstable";
+        nixpkgs-24_11.follows = "nixpkgs";
+      };
+    };
+    dogetipbot-telegram = {
+      url = "gitlab:nyanloutre/dogetipbot-telegram/master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    ipmihddtemp = {
+      url = "gitlab:nyanloutre/ipmihddtemp/master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-unstable,
+    nixpkgs-4a3fc4cf7,
+    simple-nixos-mailserver,
+    dogetipbot-telegram,
+    ipmihddtemp
+  }@inputs: {
+
+    packages.x86_64-linux = (import ./pkgs nixpkgs.legacyPackages.x86_64-linux);
+
+    nixosConfigurations.paul-fixe = nixpkgs-unstable.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        nixpkgs-unstable.nixosModules.notDetected
+        {
+          nixpkgs.config.allowUnfree = true;
+          nix = {
+            settings.experimental-features = [ "nix-command" "flakes" ];
+            registry = {
+              nixpkgs.to = {
+                type = "path";
+                path = nixpkgs-unstable.legacyPackages.x86_64-linux.path;
+              };
+            };
+          };
+        }
+        ./systems/PC-Fixe/configuration.nix
+      ];
+    };
+
+    nixosConfigurations.loutreos = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      specialArgs = {
+        inputs = inputs;
+        pkgs-unstable = import nixpkgs-unstable {
+          inherit system;
+          config.permittedInsecurePackages = [
+            "aspnetcore-runtime-6.0.36"
+            "aspnetcore-runtime-wrapped-6.0.36"
+            "dotnet-sdk-6.0.428"
+            "dotnet-sdk-wrapped-6.0.428"
+          ];
+        };
+        pkgs-4a3fc4cf7 = import nixpkgs-4a3fc4cf7 {
+          inherit system;
+        };
+      };
+      modules = [
+        nixpkgs-unstable.nixosModules.notDetected
+        simple-nixos-mailserver.nixosModule
+        dogetipbot-telegram.nixosModule
+        ipmihddtemp.nixosModule
+        {
+          nix = {
+            settings.experimental-features = [ "nix-command" "flakes" ];
+            registry = {
+              nixpkgs.to = {
+                type = "path";
+                path = nixpkgs.legacyPackages.x86_64-linux.path;
+              };
+            };
+          };
+          systemd.services.watcharr = {
+            description = "Watcharr";
+            after = [ "network.target" ];
+            environment = {
+              PORT = "3005";
+              WATCHARR_DATA = "/var/lib/watcharr";
+            };
+            serviceConfig = {
+              DynamicUser = true;
+              StateDirectory = "watcharr";
+              ExecStart = "${self.packages.x86_64-linux.watcharr}/bin/Watcharr";
+              PrivateTmp = true;
+            };
+            wantedBy = [ "multi-user.target" ];
+          };
+        }
+        ./systems/LoutreOS/configuration.nix
+      ];
+    };
+
+  };
+}
+
--- a/overlays/dogetipbot-telegram.nix
+++ b/overlays/dogetipbot-telegram.nix
@ -1,9 +0,0 @@
-self: super:
-
-{
-  dogetipbot-telegram = super.callPackage (super.fetchgit {
-    url = "https://gitlab.com/nyanloutre/dogetipbot-telegram.git";
-    rev = "3bf1c89aaccded42ce41452c72f7ebf6d4d056ca";
-    sha256 = "1gd1wi054ihbxanvj1ac7mz5ghnxab89a0r3i4hy482sglbxqcih";
-  }) { pkgs = self; };
-}
--- a/overlays/ledger-udev-rules.nix
+++ b/overlays/ledger-udev-rules.nix
@ -1,18 +0,0 @@
-self: super:
-
-{
-  ledger-udev-rules = super.writeTextFile {
-    name = "ledger-udev-rules";
-    text = ''
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="2b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="3b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="4b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1807", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1808", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
-    '';
-    destination = "/etc/udev/rules.d/99-ledger.rules";
-  };
-}
--- a/overlays/neovim.nix
+++ b/overlays/neovim.nix
@ -1,22 +0,0 @@
-self: super:
-{
-  neovim = super.neovim.override {
-    viAlias = true;
-    vimAlias = true;
-    configure = {
-      customRC = ''
-        set shiftwidth=2
-        set softtabstop=2
-        set expandtab
-        set background=dark
-      '';
-      packages.myVimPackage = with super.vimPlugins; {
-        start = [
-          vim-startify  airline             sensible
-          polyglot      ale                 fugitive
-        ];
-        opt = [ ];
-      };
-    };
-  };
-} 
--- a/overlays/riot-web.nix
+++ b/overlays/riot-web.nix
@ -1,13 +0,0 @@
-self: super:
-{
-  riot-web = super.riot-web.override {
-    conf = ''
-      {
-        "default_hs_url": "https://matrix.nyanlout.re",
-        "default_is_url": "https://vector.im",
-        "brand": "Nyanloutre",
-        "default_theme": "dark"
-      }
-    '';
-  };
-} 
--- a/overlays/sudo.nix
+++ b/overlays/sudo.nix
@ -1,6 +0,0 @@
-self: super:
-{
-  sudo = super.sudo.override {
-    withInsults = true;
-  };
-} 
--- a/overlays/vsftpd.nix
+++ b/overlays/vsftpd.nix
@ -1,6 +0,0 @@
-self: super:
-{
-  vsftpd = super.vsftpd.override {
-    sslEnable = true;
-  };
-} 
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -0,0 +1,3 @@
+pkgs: {
+  watcharr = pkgs.callPackage ./watcharr { };
+}
--- a/pkgs/site-max/default.nix
+++ b/pkgs/site-max/default.nix
@ -1,30 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, sassc }:
-
-stdenv.mkDerivation rec {
-  name= "site-max-${version}";
-  version = "1.0.1";
-
-  src = fetchFromGitHub {
-    owner = "nyanloutre";
-    repo = "site-max";
-    rev = "85e30457291e6a1dfe85a5d7a78f226657bad279";
-    sha256 = "0fj5w43gcvp0gq0xlknrf6yp0b48wg01686wp02fjc9npm424g0v";
-  };
-
-  buildPhase = ''
-    ${sassc}/bin/sassc -m auto -t compressed scss/creative.scss css/creative.css
-  '';
-
-  installPhase = ''
-    mkdir -p $out/
-    cp -R . $out/
-  '';
-
-  meta = {
-    description = "Site de présentation de Max Spiegel";
-    homepage = https://maxspiegel.fr/;
-    maintainers = with stdenv.lib.maintainers; [ nyanloutre ];
-    license = stdenv.lib.licenses.cc-by-nc-sa-40;
-    platforms = stdenv.lib.platforms.all;
-  };
-}
--- a/pkgs/watcharr/default.nix
+++ b/pkgs/watcharr/default.nix
@ -0,0 +1,64 @@
+{ lib
+, pkgs
+, buildGoModule
+, fetchFromGitHub
+, buildNpmPackage
+, nixosTests
+, caddy
+, testers
+, installShellFiles
+, stdenv
+}:
+
+let
+  version = "1.41.0";
+  src = fetchFromGitHub {
+    owner = "sbondCo";
+    repo = "Watcharr";
+    rev = "v${version}";
+    hash = "sha256-ZvCxgfZZ9pbp+NvH+IhWphJWnAwgAH0x/REPd/XxJ70=";
+  };
+
+  frontend = buildNpmPackage {
+    pname = "watcharr-ui";
+    inherit version src;
+    npmDepsHash = "sha256-73paI0y4QyzkEnU99f1HeLD/hW8GP3F9N8tGGQnloH8=";
+
+    installPhase = ''
+      cp -r build $out
+      cp package.json package-lock.json $out
+      cd $out && npm ci --omit=dev
+    '';
+  };
+in
+buildGoModule {
+  pname = "watcharr";
+  inherit version;
+
+  src = src + "/server";
+
+  vendorHash = "sha256-86pFpS8ZSj+c7vwn0QCwzXlvVYJIf3SBj4X81zlwBWQ=";
+
+  # Inject frontend assets into go embed
+  prePatch = ''
+    # rm -rf ui
+    # ln -s ${frontend} ui
+    substituteInPlace watcharr.go \
+        --replace-fail ui/index.js ${frontend}/index.js \
+        --replace-fail \"127.0.0.1:3000\" "\"127.0.0.1:\"+os.Getenv(\"PORT\")"
+  '';
+
+  buildInputs = [ pkgs.makeWrapper ];
+
+  postFixup = ''
+    wrapProgram "$out/bin/Watcharr" --prefix PATH : "${lib.makeBinPath [ pkgs.nodejs ]}"
+  '';
+
+  meta = with lib; {
+    homepage = "https://watcharr.app/";
+    description = "Open source, self-hostable watched list for all your content with user authentication, modern and clean UI and a very simple setup";
+    license = licenses.asl20;
+    # mainProgram = "caddy";
+    maintainers = with maintainers; [ nyanloutre ];
+  };
+}
--- a/services/auto-pr.nix
+++ b/services/auto-pr.nix
@ -1,44 +0,0 @@
-{lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.auto-pr;
-in
-{
-  options.services.auto-pr = {
-    enable = mkEnableOption "Cron job PR mise à jour automatique";
-  };
-
-  config = mkIf cfg.enable {
-
-    systemd.services.auto-pr-bot = {
-      description = "Création d'un PR si mise à jour";
-      requires = ["network-online.target"];
-      environment = { HOME = "/var/lib/auto-pr-bot"; };
-      serviceConfig = {
-        DynamicUser = true;
-        CacheDirectory = "auto-pr-bot";
-        StateDirectory = "auto-pr-bot";
-        Type = "oneshot";
-        ExecStart = with pkgs;
-          let env = python3Packages.python.buildEnv.override {
-            extraLibs = [ python3Packages.PyGithub python3Packages.pyjwt python3Packages.colorama ];
-            ignoreCollisions = true;
-          };
-        in "${pkgs.writeShellScriptBin "run.sh" ''
-          ${env}/bin/python ${pkgs.writeScript "pr-autobot.py" "${readFile ./pr-autobot.py}"} --private-key /var/lib/auto-pr-bot/private-key.pem --app-id 19565 --installation-id 407088 --repo nyanloutre/nixpkgs --cache-dir /var/cache/auto-pr-bot
-        ''}/bin/run.sh";
-      };
-    };
-
-    systemd.timers.auto-pr-bot = {
-      description = "Timer auto PR bot";
-      requires = ["network-online.target"];
-      wantedBy = ["multi-user.target"];
-      timerConfig = { OnCalendar = "daily"; Unit = "auto-pr-bot.service"; };
-    };
-
-  };
-
-}
--- a/services/haproxy-acme.nix
+++ b/services/haproxy-acme.nix
@ -1,149 +0,0 @@
-{ lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.haproxy-acme;
-
-  nginx_port = 54321;
-
-  haproxyConf = ''
-    global
-      log /dev/log local0
-      log /dev/log local1 notice
-      user haproxy
-      group haproxy
-      ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-      ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-      ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-    defaults
-      option forwardfor
-      option http-server-close
-      timeout client 10s
-      timeout connect 4s
-      timeout server 30s
-    userlist LOUTRE
-      user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.
-    frontend public
-      bind :::80 v4v6
-      bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
-      mode http
-      acl letsencrypt-acl path_beg /.well-known/acme-challenge/
-      acl haproxy-acl path_beg /haproxy
-      redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
-      http-response set-header Strict-Transport-Security max-age=15768000
-      use_backend letsencrypt-backend if letsencrypt-acl
-      use_backend haproxy_stats if haproxy-acl
-
-    ${concatStrings (
-      mapAttrsToList (name: value:
-        "  acl ${name}-acl hdr(host) -i ${name}\n"
-      + "  use_backend ${name}-backend if ${name}-acl\n"
-      ) cfg.services)}
-
-    backend letsencrypt-backend
-      mode http
-      server letsencrypt 127.0.0.1:${toString nginx_port}
-    backend haproxy_stats
-      mode http
-      stats enable
-      stats hide-version
-      acl AuthOK_LOUTRE http_auth(LOUTRE)
-      http-request auth realm LOUTRE if !AuthOK_LOUTRE
-
-    ${concatStrings (
-      mapAttrsToList (name: value:
-        ''
-        backend ${name}-backend
-          mode http
-          ${(
-            if value.socket == "" then
-              ''
-                server ${name} ${value.ip}:${toString value.port}
-              ''
-            else
-              ''
-                server ${name} ${value.socket}
-              ''
-          )}
-          ${(if value.auth then (
-          value.extraAcls
-          + ''
-              acl AUTH_OK http_auth(LOUTRE)
-              http-request auth realm LOUTRE if ${value.aclBool}
-            ''
-          ) else "")}
-        ''
-      ) cfg.services)}
-
-  '';
-in
-{
-  options.services.haproxy-acme = {
-    enable = mkEnableOption "HAproxy + ACME";
-
-    domaine = mkOption {
-      type = types.string;
-      example = "example.com";
-      description = ''
-        Sous domaine à utiliser
-
-        Il est necessaire d'avoir un enregistrement pointant sur la wildcard de ce domaine vers le serveur
-      '';
-    };
-
-    services = mkOption {
-      type = with types; attrsOf (submodule { options = {
-        ip = mkOption { type = str; description = "IP address"; };
-        port = mkOption { type = int; description = "Port number"; };
-        socket = mkOption { type = str; description = "Emplacement du socket"; default = ""; };
-        auth = mkOption { type = bool; description = "Enable authentification"; default = false; };
-        extraAcls = mkOption { type = str; description = "ACL HaProxy suplémentaires"; default = ""; };
-        aclBool = mkOption { type = str; description = "Logique d'authentification"; default = "!AUTH_OK"; };
-      }; });
-      example = ''
-        haproxy_backends = {
-          example = { ip = "127.0.0.1"; port = 1234; auth = false; };
-        };
-      '';
-      description = "Liste des noms de domaines associés à leur backend";
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    services.haproxy.enable = true;
-
-    services.haproxy.config = haproxyConf;
-
-    services.nginx.enable = true;
-    services.nginx.virtualHosts = {
-      "acme" = {
-        listen = [ { addr = "127.0.0.1"; port = nginx_port; } ];
-        locations = { "/" = { root = "/var/www/challenges"; }; };
-      };
-    };
-
-    security.acme.certs = {
-      ${cfg.domaine} = {
-        extraDomains = mapAttrs' (name: value:
-          nameValuePair ("${name}") (null)
-        ) cfg.services;
-        webroot = "/var/www/challenges";
-        email = "paul@nyanlout.re";
-        user = "haproxy";
-        group = "haproxy";
-        postRun = ''
-          systemctl reload haproxy.service
-        '';
-      };
-    };
-    security.acme.directory = "/var/lib/acme";
-
-    networking.firewall.allowedTCPPorts = [
-      80 443
-    ];
-
-  };
-}
--- a/services/mail-server.nix
+++ b/services/mail-server.nix
@ -1,67 +0,0 @@
-{ lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.mailserver;
-in
-{
-  options.services.mailserver = {
-    enable = mkEnableOption "Mail Server";
-    domaine = mkOption {
-      type = types.string;
-      example = "example.com";
-      description = "Nom de domaine du serveur de mails";
-    };
-  };
-
-  imports = [
-    (builtins.fetchTarball {
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz";
-      sha256 = "0gqzgy50hgb5zmdjiffaqp277a68564vflfpjvk1gv6079zahksc";
-    })
-  ];
-
-  config = mkIf cfg.enable {
-
-    mailserver = {
-      enable = true;
-      fqdn = "mail.${cfg.domaine}";
-      domains = [ cfg.domaine ];
-
-      # A list of all login accounts. To create the password hashes, use
-      # mkpasswd -m sha-512 "super secret password"
-      loginAccounts = {
-        "paul@${cfg.domaine}" = {
-          hashedPassword = "$6$8wWQbtqVqUoH8$pQKg0bZPcjCbuPvyhjJ1lQy949M/AgfmAye/hDEIVUnCfwtlUxC1yj8CBHpNKeiiXhd8IUqk9r0/IJNvB6okf0";
-        };
-      };
-
-      # Certificate setup
-      certificateScheme = 1;
-      certificateFile = "/var/lib/acme/${cfg.domaine}/fullchain.pem";
-      keyFile = "/var/lib/acme/${cfg.domaine}/key.pem";
-
-      # Enable IMAP and POP3
-      enableImap = true;
-      enablePop3 = true;
-      enableImapSsl = true;
-      enablePop3Ssl = true;
-
-      # Enable the ManageSieve protocol
-      enableManageSieve = true;
-    };
-
-    security.acme.certs = {
-      "${cfg.domaine}" = {
-        extraDomains = {
-          "mail.${cfg.domaine}" = null;
-        };
-        postRun = ''
-          systemctl reload dovecot2.service
-        '';
-      };
-    };
-
-  };
-}
--- a/services/pr-autobot.py
+++ b/services/pr-autobot.py
@ -1,74 +0,0 @@
-#!/usr/bin/env python
-
-import jwt, time, urllib.request, json, datetime, argparse, sys, textwrap
-from github import Github
-from colorama import Fore, Style
-from time import sleep
-
-parser = argparse.ArgumentParser(description='Create PR to update nixpkgs fork')
-parser.add_argument('--private-key')
-parser.add_argument('--app-id')
-parser.add_argument('--installation-id')
-parser.add_argument('--repo')
-parser.add_argument('--cache-dir')
-args = vars(parser.parse_args())
-
-channel_req = urllib.request.Request(url='https://nixos.org/channels/nixos-18.09/git-revision')
-latest_commit = urllib.request.urlopen(channel_req).read().decode('utf-8')
-try:
-    previous_commit = open(args['cache_dir'] + '/git-revision', 'r').read()
-except FileNotFoundError:
-    open(args['cache_dir'] + '/git-revision', 'w').write(latest_commit)
-    print("Premier lancement, le hash du dernier commit à été sauvegardé")
-    sys.exit(0)
-
-print("Dernier commit : " + latest_commit)
-print("Commit précédent : " + previous_commit)
-
-if latest_commit != previous_commit:
-    bearer_token = jwt.encode({
-                                'iat': int(time.time()),
-                                'exp': int(time.time()) + (10 * 60),
-                                'iss': args['app_id']
-                              },
-                              open(args['private_key'],"r").read(),
-                              algorithm='RS256')
-
-    req = urllib.request.Request(url='https://api.github.com/app/installations/' +
-                                    args['installation_id'] +
-                                    '/access_tokens',
-                                 method='POST')
-
-    req.add_header('Authorization', 'Bearer ' + bearer_token.decode('utf-8'))
-    req.add_header('Accept', 'application/vnd.github.machine-man-preview+json')
-
-    token = json.loads(urllib.request.urlopen(req).read().decode('utf-8'))['token']
-
-    g = Github(token)
-    repo = g.get_repo(args['repo'])
-
-    branch = "upgrade-" + datetime.datetime.now().strftime('%Y-%m-%d') + '-' + latest_commit[:11];
-
-    repo.create_git_ref('refs/heads/' + branch, latest_commit)
-
-    pr_message = textwrap.dedent("""\
-                    ### Pull request automatique
-                    ### Avancement mise à jour
-                    - [ ] Fusionner la branche
-                 """)
-
-    pr = repo.create_pull(title=branch, body=pr_message, base='nixos-18.09', head=branch)
-
-    print("Pull request numéro " + str(pr.number) + " créée")
-    print("URL : " + pr.html_url)
-
-    while pr.mergeable == None:
-        pr = repo.get_pull(pr.number)
-        sleep(1)
-
-    pr.edit(body = pr.body + "\n- [ ] Exécuter `nixos-rebuild -I nixpkgs=https://github.com/nyanloutre/nixpkgs/archive/" + pr.merge_commit_sha + ".tar.gz switch`")
-    print("État : " + ((Fore.GREEN + "Fusionnable") if pr.mergeable else (Fore.RED + "Conflit")) + Style.RESET_ALL)
-
-    open(args['cache_dir'] + '/git-revision', 'w').write(latest_commit)
-else:
-    print(Fore.GREEN + "Aucun changement détecté" + Style.RESET_ALL)
--- a/services/python-ci.nix
+++ b/services/python-ci.nix
@ -1,41 +0,0 @@
-{lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.python-ci;
-in
-{
-  options.services.python-ci = {
-    enable = mkEnableOption "Service de CI Nix écrit en Python";
-  };
-
-  config = mkIf cfg.enable {
-
-    systemd.services.python-ci = {
-      description = "CI Nix en Python";
-      requires = ["network-online.target"];
-      wantedBy = ["multi-user.target"];
-      environment = { HOME = "/var/lib/python-ci"; NIX_PATH = concatStringsSep ":" config.nix.nixPath; NIXPKGS_ALLOW_UNFREE = "1";};
-      path = with pkgs;[ nix gnutar gzip ];
-      serviceConfig = {
-        DynamicUser = true;
-        StateDirectory = "python-ci";
-        RuntimeDirectory = "python-ci";
-        RuntimeDirectoryPreserve = "yes";
-        ExecStart = with pkgs;
-        let env = python3Packages.python.buildEnv.override {
-          extraLibs = with python3Packages;[ pyramid python-gitlab ];
-          ignoreCollisions = true;
-        };
-        in "${pkgs.writeShellScriptBin "run.sh" ''
-          ${env}/bin/python ${pkgs.writeScript "python-ci.py" "${readFile ./python-ci.py}"} --port 52350 \
-              --secret /var/lib/python-ci/secret --gitlab-token /var/lib/python-ci/gitlab_token \
-              --gitea-token /var/lib/python-ci/gitea_token --output /run/python-ci
-        ''}/bin/run.sh";
-      };
-    };
-
-  };
-
-}
--- a/services/python-ci.py
+++ b/services/python-ci.py
@ -1,153 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i python3 -p "python3.withPackages(ps: [ps.pyramid ps.python-gitlab])"
-from wsgiref.simple_server import make_server
-from pyramid.config import Configurator
-from pyramid.view import view_config, view_defaults
-from pyramid.httpexceptions import HTTPNotFound
-from subprocess import check_call, CalledProcessError
-import urllib.request
-import tarfile
-from tempfile import TemporaryDirectory
-from multiprocessing import Pool
-from gitlab import Gitlab
-import urllib.request
-import json
-import argparse
-
-
-def gitlab_build(payload, gl):
-    commit = gl.projects.get(payload['project']['path_with_namespace']).commits.get(payload['checkout_sha'])
-
-    commit.statuses.create({'state': 'running', 'name': 'Python CI'})
-    print("push from " + payload['user_name'])
-    print("repo: " + payload['project']['path_with_namespace'])
-    print("commit: " + payload['checkout_sha'])
-    temp_dir = TemporaryDirectory()
-    repo_dir = temp_dir.name + '/' + payload['project']['name'] + '-' + payload['checkout_sha']
-    archive_url = payload['project']['web_url'] + '/-/archive/' + payload['checkout_sha'] + \
-                  '/' + payload['project']['name'] + '-' + payload['checkout_sha'] + '.tar.gz'
-
-    with urllib.request.urlopen(archive_url) as gitlab_archive:
-        with tarfile.open(fileobj=gitlab_archive, mode='r|gz') as gitlab_repo_files:
-            gitlab_repo_files.extractall(path=temp_dir.name)
-
-    check_call(['ls', '-lha', repo_dir])
-
-    try:
-        check_call(['nix-build', '-o', args.output + '/' + payload['project']['path_with_namespace'], repo_dir])
-    except CalledProcessError:
-        commit.statuses.create({'state': 'failed', 'name': 'Python CI'})
-        print("erreur build")
-    else:
-        commit.statuses.create({'state': 'success', 'name': 'Python CI'})
-        print("build terminé")
-
-
-@view_defaults(
-        route_name="gitlab_payload", renderer="json", request_method="POST"
-)
-class GitlabHook(object):
-
-    def __init__(self, request):
-        self.request = request
-        self.payload = self.request.json
-        self.whitelist = ['nyanloutre/site-musique']
-        self.secret = open(args.secret, 'r').readline().splitlines()[0]
-        self.gitlab_token = open(args.gitlab_token, 'r').readline().splitlines()[0]
-        self.gl = Gitlab('https://gitlab.com', private_token=self.gitlab_token)
-
-    @view_config(header="X-Gitlab-Event:Push Hook")
-    def push_hook(self):
-        if self.payload['project']['path_with_namespace'] in self.whitelist and self.request.headers['X-Gitlab-Token'] == self.secret:
-            self.gl.projects.get(self.payload['project']['path_with_namespace']).commits.get(self.payload['checkout_sha']).statuses.create({'state': 'pending', 'name': 'Python CI'})
-            pool.apply_async(gitlab_build, (self.payload, self.gl))
-            return "build started"
-        else:
-            raise HTTPNotFound
-
-
-def gitea_status_update(repo, commit, token, status):
-    url = 'https://gitea.nyanlout.re/api/v1/repos/' + repo + '/statuses/' + commit
-    print(url)
-    req = urllib.request.Request(url)
-    req.add_header('Content-Type', 'application/json; charset=utf-8')
-    req.add_header('accept', 'application/json')
-    req.add_header('Authorization', 'token ' + token)
-
-    jsondata = json.dumps({'state': status}).encode('utf-8')
-    req.add_header('Content-Length', len(jsondata))
-
-    urllib.request.urlopen(req, jsondata)
-
-def gitea_build(payload, token):
-    commit = payload['after']
-    repo = payload['repository']['full_name']
-
-    gitea_status_update(repo, commit, token, 'pending')
-
-    print("push from " + payload['pusher']['username'])
-    print("repo: " + repo)
-    print("commit: " + commit)
-    temp_dir = TemporaryDirectory()
-    repo_dir = temp_dir.name + '/' + payload['repository']['name']
-    archive_url = payload['repository']['html_url'] + '/archive/' + commit + '.tar.gz'
-
-    with urllib.request.urlopen(archive_url) as gitea_archive:
-        with tarfile.open(fileobj=gitea_archive, mode='r|gz') as gitea_repo_files:
-            gitea_repo_files.extractall(path=temp_dir.name)
-
-    check_call(['ls', '-lha', repo_dir])
-
-    try:
-        check_call(['nix-build', '-o', args.output + '/' + repo, repo_dir])
-    except CalledProcessError:
-        gitea_status_update(repo, commit, token, 'failure')
-        print("erreur build")
-    else:
-        gitea_status_update(repo, commit, token, 'success')
-        print("build terminé")
-
-
-@view_defaults(
-        route_name="gitea_payload", renderer="json", request_method="POST"
-)
-class GiteaHook(object):
-
-    def __init__(self, request):
-        self.request = request
-        self.payload = self.request.json
-        self.whitelist = ['nyanloutre/site-musique', 'nyanloutre/site-max']
-        self.secret = open(args.secret, 'r').readline().splitlines()[0]
-        self.gitea_token = open(args.gitea_token, 'r').readline().splitlines()[0]
-
-    @view_config(header="X-Gitea-Event:push")
-    def push_hook(self):
-        if self.payload['repository']['full_name'] in self.whitelist and self.payload['secret'] == self.secret:
-            pool.apply_async(gitea_build, (self.payload, self.gitea_token))
-            return "build started"
-        else:
-            raise HTTPNotFound
-
-
-if __name__ == "__main__":
-    parser = argparse.ArgumentParser(description='CI server')
-    parser.add_argument('--address', help='listening address', default='127.0.0.1')
-    parser.add_argument('--port', type=int, help='listening port')
-    parser.add_argument('--output', help='output directory')
-    parser.add_argument('--secret', help='repo secret file')
-    parser.add_argument('--gitlab-token', help='gitlab token file')
-    parser.add_argument('--gitea-token', help='gitea token file')
-    args = parser.parse_args()
-
-    pool = Pool(1)
-
-    config = Configurator()
-
-    config.add_route("gitlab_payload", "/gitlab_payload")
-    config.add_route("gitea_payload", "/gitea_payload")
-    config.scan()
-
-    app = config.make_wsgi_app()
-    server = make_server(args.address, args.port, app)
-    print('listening ...')
-    server.serve_forever()
--- a/services/sdtdserver.nix
+++ b/services/sdtdserver.nix
@ -1,120 +0,0 @@
-{lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.sdtdserver;
-  gamePath = "/var/lib/sdtdserver";
-  gameOptions = {
-    ServerPort="26900";
-    ServerVisibility="2";
-    ServerName="Serveur des loutres";
-    ServerPassword="";
-    ServerMaxPlayerCount="16";
-    ServerReservedSlots="0";
-    ServerReservedSlotsPermission="100";
-    ServerAdminSlots="0";
-    ServerAdminSlotsPermission="0";
-    ServerDescription="Un serveur idiot anti gilets jaunes";
-    ServerWebsiteURL="";
-    ServerDisabledNetworkProtocols="";
-    GameWorld="Navezgane";
-    WorldGenSeed="Lakeu";
-    WorldGenSize="4096";
-    GameName="Lakeu";
-    GameDifficulty="2";
-    GameMode="GameModeSurvival";
-    ZombiesRun="0";
-    ZombieMove="0";
-    ZombieMoveNight="3";
-    ZombieFeralMove="3";
-    ZombieBMMove="3";
-    BuildCreate="false";
-    DayNightLength="60";
-    DayLightLength="18";
-    PlayerKillingMode="3";
-    PersistentPlayerProfiles="false";
-    PlayerSafeZoneLevel="5";
-    PlayerSafeZoneHours="5";
-    ControlPanelEnabled="false";
-    ControlPanelPort="8080";
-    ControlPanelPassword="CHANGEME";
-    TelnetEnabled="false";
-    TelnetPort="8081";
-    TelnetPassword="";
-    TelnetFailedLoginLimit="10";
-    TelnetFailedLoginsBlocktime="10";
-    TerminalWindowEnabled="false";
-    AdminFileName="serveradmin.xml";
-    DropOnDeath="0";
-    DropOnQuit="0";
-    BloodMoonEnemyCount="8";
-    EnemySpawnMode="true";
-    EnemyDifficulty="0";
-    BlockDurabilityModifier="100";
-    LootAbundance="100";
-    LootRespawnDays="30";
-    LandClaimSize="41";
-    LandClaimDeadZone="30";
-    LandClaimExpiryTime="3";
-    LandClaimDecayMode="0";
-    LandClaimOnlineDurabilityModifier="4";
-    LandClaimOfflineDurabilityModifier="4";
-    PartySharedKillRange="100";
-    AirDropFrequency="72";
-    AirDropMarker="false";
-    MaxSpawnedZombies="60";
-    MaxSpawnedAnimals="50";
-    EACEnabled="true";
-    HideCommandExecutionLog="0";
-    MaxUncoveredMapChunksPerPlayer="131072";
-    BedrollDeadZoneSize="15";
-    ServerLoginConfirmationText="Prout";
-  };
-  gameConfig = builtins.toFile "serverconfig.xml" ''
-    <?xml version="1.0"?>
-    <ServerSettings>
-    ${concatStrings (
-      mapAttrsToList (name: value:
-       "  <property name=\"${name}\"	value=\"${value}\"/>\n"
-    ) gameOptions)}
-    </ServerSettings>
-  '';
-in
-{
-  options.services.sdtdserver = {
-    enable = mkEnableOption "Activation du serveur dédié 7 Days to Die";
-  };
-
-  config = mkIf cfg.enable {
-
-    systemd.services.sdtdserver = {
-      description = "Serveur dédié 7 Days to Die";
-      requires = ["network-online.target"];
-      wantedBy = ["multi-user.target"];
-      environment = { HOME = gamePath; };
-      serviceConfig = {
-        DynamicUser = true;
-        StateDirectory = "sdtdserver";
-      };
-      preStart = let
-        libPath = with pkgs; lib.makeLibraryPath [
-          stdenv.cc.cc.lib
-        ];
-      in ''
-        ${pkgs.steamcmd}/bin/steamcmd +login anonymous +force_install_dir ${gamePath} +app_update 294420 validate +quit
-        install -m666 ${gameConfig} ${gamePath}/serverconfig.xml
-      '';
-      script = ''
-        ${pkgs.steam-run}/bin/steam-run ${gamePath}/7DaysToDieServer.x86_64 -quit -batchmode -nographics -dedicated -configfile=serverconfig.xml
-      '';
-    };
-
-    networking.firewall = {
-      allowedTCPPorts = [ 26900 ];
-      allowedUDPPorts = [ 26900 26901 26902 ];
-    };
-
-  };
-
-}
--- a/services/site-max.nix
+++ b/services/site-max.nix
@ -1,42 +0,0 @@
-{ lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.site-max;
-in
-{
-  options.services.site-max = {
-    enable = mkEnableOption "Site Max Spiegel";
-
-    port = mkOption {
-      type = types.int;
-      example = 54321;
-      description = "Local listening port";
-    };
-
-    domaine = mkOption {
-      type = types.str;
-      example = "example.com";
-      description = "Domaine à utiliser";
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    services.haproxy-acme.services = {
-      ${cfg.domaine} = { ip = "127.0.0.1"; port = cfg.port; auth = false; };
-    };
-
-    services.nginx = {
-      virtualHosts = {
-        "max" = {
-          listen = [ { addr = "127.0.0.1"; port = cfg.port; } ];
-          locations."/" = {
-            root = "/run/python-ci/nyanloutre/site-max";
-          };
-        };
-      };
-    };
-  };
-}
--- a/services/site-musique.nix
+++ b/services/site-musique.nix
@ -1,66 +0,0 @@
-{ lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.site-musique;
-in
-{
-  options.services.site-musique = {
-    enable = mkEnableOption "Site musique";
-
-    port = mkOption {
-      type = types.int;
-      example = 54321;
-      description = "Local listening port";
-    };
-
-    domaine = mkOption {
-      type = types.str;
-      example = "example.com";
-      description = "Domaine à utiliser";
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    services.haproxy-acme.services = {
-      ${cfg.domaine} = { ip = "127.0.0.1"; port = cfg.port; auth = false; };
-    };
-
-    services.nginx.virtualHosts = {
-      "musique" = {
-        listen = [ { addr = "127.0.0.1"; port = cfg.port; } ];
-        locations."/" = {
-          root = "/run/python-ci/nyanloutre/site-musique";
-          index = "index.php";
-          extraConfig = ''
-            location ~* \.php$ {
-              fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              fastcgi_pass unix:/run/phpfpm/musique;
-              include ${pkgs.nginx}/conf/fastcgi_params;
-              include ${pkgs.nginx}/conf/fastcgi.conf;
-            }
-          '';
-        };
-      };
-    };
-
-    services.phpfpm.poolConfigs.musique = ''
-      listen = /run/phpfpm/musique
-      listen.owner = nginx
-      listen.group = nginx
-      listen.mode = 0660
-      user = nginx
-      pm = dynamic
-      pm.max_children = 75
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 20
-      pm.max_requests = 500
-      php_admin_value[error_log] = 'stderr'
-      php_admin_flag[log_errors] = on
-      catch_workers_output = yes
-    '';
-  };
-}
--- a/systems/ASUS-G46VW/configuration.nix
+++ b/systems/ASUS-G46VW/configuration.nix
@ -7,15 +7,11 @@
 {
  imports =
    [
-      ../common.nix
+      ../common-cli.nix
+      ../common-gui.nix
      ./hardware-configuration.nix
    ];

-  nixpkgs.overlays = [
-    (import ../../overlays/ledger-udev-rules.nix)
-  ];
-
-  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.tmpOnTmpfs = true;
@ -29,128 +25,11 @@
    ENERGY_PERF_POLICY_ON_BAT=powersave
  '';

-  # NVIDIA
-  services.xserver.videoDrivers = [ "nvidia" ];
-  hardware.nvidia.optimus_prime.enable = true;
-  hardware.nvidia.modesetting.enable = true;
-  hardware.nvidia.optimus_prime.nvidiaBusId = "PCI:1:0:0";
-  hardware.nvidia.optimus_prime.intelBusId = "PCI:0:2:0";
-
-  # For Steam
-  hardware.opengl.driSupport32Bit = true;
-  hardware.pulseaudio.support32Bit = true;
-  hardware.steam-hardware.enable = true;
-
-  hardware.u2f.enable = true;
-
-  services.udev.packages = with pkgs; [
-    ledger-udev-rules
-  ];
-
-  networking.hostName = "rog-paul"; # Define your hostname.
-  networking.networkmanager.enable = true;  # Enables wireless support via wpa_supplicant.
-
-  # Select internationalisation properties.
-  i18n = {
-  #   consoleFont = "Lat2-Terminus16";
-    consoleKeyMap = "fr";
-    defaultLocale = "fr_FR.UTF-8";
-  };
-
-  # List packages installed in system profile. To search by name, run:
-  # $ nix-env -qaP | grep wget
-  nixpkgs.config.allowUnfree = true;
-  environment.systemPackages = with pkgs; [
-    filezilla
-    wineStaging
-    winetricks
-    qbittorrent
-    transmission-remote-gtk
-    appimage-run
-    bat
-
-    gopass
-    xclip
-
-    electrum
-    electron-cash
-
-    firefox
-    torbrowser
-    chromium
-    qutebrowser
-
-    tdesktop
-    mumble
-
-    kleopatra
-    gnupg
-
-    kdeplasma-addons
-    ark
-    kate
-    kmail
-    kdeconnect
-    okular
-    yakuake
-    konversation
-    gwenview
-    kcalc
-    spectacle
-    kile
-    (texlive.combine {
-      inherit (texlive) scheme-small titling collection-langfrench cm-super;
-    })
-    imagemagick
-
-    gnome-breeze
-    arc-theme
-    materia-theme
-    
-    libreoffice
-    gimp
-    vlc
-    kodiPlain
-    mpv
-
-    steam
-    sc-controller
-    steam-run
-    minecraft
-
-    glxinfo
-    i7z
-    obs-studio
-  ];
+  networking.hostName = "rog-paul";

  programs.wireshark.enable = true;
  programs.wireshark.package = pkgs.wireshark;

-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.bash.enableCompletion = true;
-  # programs.mtr.enable = true;
-  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
-  programs.browserpass.enable = true;
-  services.pcscd.enable = true;
-  services.pcscd.plugins = [
-    (pkgs.ccid.overrideAttrs (oldAttrs: rec {
-        preBuild = ''
-	  echo "0x2C97:0x0001:Ledger Token" >> ./readers/supported_readers.txt
-        '';
-      })
-    )
-  ];
-
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ 8000 ];
-  # networking.firewall.allowedUDPPorts = [  ];
-  # Or disable the firewall altogether.
  networking.firewall.enable = false;

  networking.wireguard.interfaces = {
@ -168,42 +47,29 @@
    };
  };

-  # Enable CUPS to print documents.
  services.printing.enable = true;
  services.printing.drivers = [ pkgs.hplip ];

-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio.enable = true;
-
-  # Enable the X11 windowing system.
-  services.xserver.enable = true;
-  services.xserver.layout = "fr";
-  # services.xserver.xkbOptions = "eurosign:e";
-
-  # Enable touchpad support.
  services.xserver.libinput.enable = true;
  services.xserver.libinput.naturalScrolling = true;

-  # Enable the KDE Desktop Environment.
-  services.xserver.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.plasma5.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.extraUsers.paul = {
    isNormalUser = true;
    uid = 1000;
-    extraGroups = [ "wheel" "networkmanager" "wireshark" ];
+    extraGroups = [ "wheel" "networkmanager" "wireshark" "dialout" ];
  };

  services.syncthing.enable = true;
  services.syncthing.user = "paul";
  services.syncthing.group = "users";

-  # This value determines the NixOS release with which your system is to be
-  # compatible, in order to avoid breaking some software such as database
-  # servers. You should change this only after NixOS release notes say you
-  # should.
-  system.stateVersion = "18.03"; # Did you read the comment?
+  services.redshift = {
+    enable = true;
+    temperature.night = 2700;
+  };

+  location.latitude = 48.573406;
+  location.longitude = 7.752111;
+
+  system.stateVersion = "18.03"; # Did you read the comment?
 }
--- a/systems/ASUS-G46VW/hardware-configuration.nix
+++ b/systems/ASUS-G46VW/hardware-configuration.nix
@ -12,6 +12,13 @@
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

+  # NVIDIA
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.nvidia.optimus_prime.enable = true;
+  hardware.nvidia.modesetting.enable = true;
+  hardware.nvidia.optimus_prime.nvidiaBusId = "PCI:1:0:0";
+  hardware.nvidia.optimus_prime.intelBusId = "PCI:0:2:0";
+
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/7bd3a09b-b188-4ce7-bdcc-d5c5087edc86";
      fsType = "ext4";
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@ -1,21 +1,16 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
+{ config, pkgs, inputs, ... }:

-{ config, pkgs, ... }:
-
-let
-  gitRev = "baee8283bb858602e6b8d9c4763f11f79d4ac813";
-  nixpkgs = fetchTarball "https://github.com/nyanloutre/nixpkgs/archive/${gitRev}.tar.gz";
-in
 {
  imports = [
-    ../common.nix
+    ../common-cli.nix
    ./hardware-configuration.nix
+    ./network.nix
    ./users.nix
    ./services.nix
  ];

+  nix.settings.trusted-users = [ "root" "paul" ];
+
  boot = {
    loader = {
      systemd-boot.enable = true;
@ -24,40 +19,43 @@ in

    supportedFilesystems = [ "zfs" ];

-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
+
+    # Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported
+    enableContainers = false;
  };

-  nix.nixPath = [
-    "nixpkgs=${nixpkgs}"
-    "nixos-config=/etc/nixos/configuration.nix"
-  ];
+  documentation.nixos.enable = false;

  services.zfs = {
    autoSnapshot.enable = true;
-    autoScrub.enable = true;
+    autoScrub = {
+      enable = true;
+      interval = "monthly";
+    };
  };

-  networking = {
-    hostName = "loutreos"; # Define your hostname.
-    hostId = "7e66e347";
-  };
-
-  nixpkgs.overlays = [
-    (import ../../overlays/riot-web.nix)
-  ];
-
  services.openssh = {
    enable = true;
-    permitRootLogin = "no";
-    passwordAuthentication = false;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      X11Forwarding = true;
+    };
  };

-  networking.firewall = {
-    allowedTCPPorts = [ ];
-    allowedUDPPorts = [ ];
-    enable = true;
+  users = {
+    groups.autossh = { };
+    users.autossh = {
+      home = "/home/autossh";
+      createHome = true;
+      group = "autossh";
+      isSystemUser = true;
+    };
  };

+  virtualisation.podman.enable = true;
+
  security.sudo.wheelNeedsPassword = false;

  system.stateVersion = "18.03";
--- a/systems/LoutreOS/hardware-configuration.nix
+++ b/systems/LoutreOS/hardware-configuration.nix
@ -4,10 +4,6 @@
 { config, lib, pkgs, ... }:

 {
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
-
  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
@ -67,21 +63,16 @@
      fsType = "zfs";
    };

-  fileSystems."/exports/steam" =
-    { device = "loutrepool/steam";
-      fsType = "zfs";
-    };
-
-  fileSystems."/var/lib/emby/ProgramData-Server" =
-    { device = "loutrepool/var/emby";
-      fsType = "zfs";
-    };
-
  fileSystems."/var/lib/syncthing" =
    { device = "loutrepool/var/syncthing";
      fsType = "zfs";
    };

+  fileSystems."/mnt/medias/incomplete" =
+    { device = "loutrepool/torrent-dl";
+      fsType = "zfs";
+    };
+
  fileSystems."/mnt/medias" =
    { device = "loutrepool/medias";
      fsType = "zfs";
@ -117,6 +108,11 @@
      fsType = "zfs";
    };

+  fileSystems."/var/lib/private/factorio" =
+    { device = "loutrepool/var/factorio";
+      fsType = "zfs";
+    };
+
  fileSystems."/var/dkim" =
    { device = "loutrepool/var/dkim";
      fsType = "zfs";
@ -127,10 +123,10 @@
      fsType = "zfs";
    };

-  fileSystems."/mnt/backup" =
-    { device = "backup";
-      fsType = "zfs";
-    };
+  # fileSystems."/mnt/backup" =
+  #   { device = "backup";
+  #     fsType = "zfs";
+  #   };

  fileSystems."/mnt/backup_loutre" =
    { device = "loutrepool/backup";
@ -142,6 +138,46 @@
      fsType = "zfs";
    };

+  fileSystems."/var/lib/minecraft" =
+    { device = "loutrepool/var/minecraft";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/www" =
+    { device = "loutrepool/var/www";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/mastodon" =
+    { device = "loutrepool/var/mastodon";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/hass" =
+    { device = "loutrepool/var/hass";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/nextcloud" =
+    { device = "loutrepool/var/nextcloud";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/private/photoprism" =
+    { device = "loutrepool/var/photoprism";
+      fsType = "zfs";
+    };
+
+  fileSystems."/mnt/paul-home" =
+    { device = "loutrepool/zfs-replicate/paul-fixe/fastaf/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/mnt/webdav" =
+    { device = "loutrepool/webdav";
+      fsType = "zfs";
+    };
+
  swapDevices =
    [
      {
@ -150,6 +186,6 @@
      }
    ];

-  nix.maxJobs = lib.mkDefault 4;
+  nix.settings.max-jobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/systems/LoutreOS/medias.nix
+++ b/systems/LoutreOS/medias.nix
@ -0,0 +1,60 @@
+{ config, lib, pkgs, pkgs-unstable, pkgs-4a3fc4cf7, ... }:
+
+{
+  services = {
+    transmission = {
+      enable = true;
+      package = pkgs-4a3fc4cf7.transmission_4;
+      home = "/var/lib/transmission";
+      group = "medias";
+      settings = {
+        rpc-bind-address = "127.0.0.1";
+        rpc-port = 9091;
+        rpc-host-whitelist = "*";
+        rpc-whitelist-enabled = false;
+        peer-port = 51413;
+        incomplete-dir = "/mnt/medias/incomplete";
+        download-dir = "/mnt/medias/torrent";
+      };
+    };
+
+    radarr = {
+      enable = true;
+      package = pkgs-unstable.radarr;
+    };
+    sonarr = {
+      enable = true;
+      package = pkgs-unstable.sonarr;
+    };
+    flaresolverr = {
+      enable = false;
+      package = pkgs-unstable.flaresolverr;
+    };
+    prowlarr = {
+      enable = true;
+      package = pkgs-unstable.prowlarr;
+    };
+
+    jellyfin = {
+      enable = true;
+      package = pkgs-unstable.jellyfin;
+    };
+
+    slimserver.enable = true;
+  };
+
+  systemd.services.transmission.serviceConfig = {
+    BindPaths = [ "/mnt/medias" ];
+    LimitNOFILE = 1048576;
+  };
+
+  networking = {
+    firewall.allowedTCPPorts = [
+      config.services.transmission.settings.peer-port
+    ];
+
+    firewall.allowedUDPPorts = [
+      config.services.transmission.settings.peer-port
+    ];
+  };
+}
--- a/systems/LoutreOS/monitoring.nix
+++ b/systems/LoutreOS/monitoring.nix
@ -0,0 +1,127 @@
+{ config, lib, pkgs, ... }:
+
+let
+  domaine = "nyanlout.re";
+in
+{
+  services = {
+    smartd = {
+      enable = true;
+      defaults.monitored = "-a -o on -s (S/../.././02|L/../15/./02)";
+      notifications.mail = {
+        enable = true;
+        recipient = "paul@nyanlout.re";
+      };
+    };
+
+    influxdb = {
+      enable = true;
+      dataDir = "/var/db/influxdb";
+    };
+
+    telegraf = {
+      enable = true;
+      extraConfig = {
+        inputs = {
+          zfs = { poolMetrics = true; };
+          net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
+          netstat = {};
+          cpu = { totalcpu = true; };
+          kernel = {};
+          mem = {};
+          processes = {};
+          system = {};
+          disk = {};
+          cgroup = [
+            {
+              paths = [
+                "/sys/fs/cgroup/system.slice/*"
+              ];
+              files = ["memory.current" "cpu.stat"];
+            }
+          ];
+          ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
+          smart = {
+            path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
+          };
+          exec= [
+            {
+              commands = [
+                "${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
+                  import json
+                  from subprocess import check_output
+
+                  columns = ["NAME", "SIZE", "ALLOC", "FREE", "CKPOINT", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
+                  health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
+
+                  stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
+                  parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
+
+                  for pool in parsed_stdout:
+                    for item in pool:
+                      if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
+                        pool[item] = int(pool[item])
+                      if item in ["DEDUP"]:
+                        pool[item] = float(pool[item])
+                      if item == "HEALTH":
+                        pool[item] = health[pool[item]]
+
+                  print(json.dumps(parsed_stdout))
+                ''}"
+              ];
+              tag_keys = [ "NAME" ];
+              data_format = "json";
+              name_suffix = "_python_zpool";
+            }
+          ];
+        };
+        outputs = {
+          influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
+        };
+      };
+    };
+
+    udev.extraRules = ''
+      KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
+    '';
+
+    grafana = {
+      enable = true;
+      dataDir = "/var/lib/grafana";
+      settings = {
+        server = {
+          http_addr = "127.0.0.1";
+          root_url = "https://grafana.${domaine}";
+        };
+        smtp = {
+          enabled = true;
+          from_address = "grafana@${domaine}";
+          skip_verify = true;
+        };
+        auth = {
+          disable_signout_menu = true;
+        };
+        "auth.basic" = {
+          enabled = false;
+        };
+        "auth.proxy" = {
+          enabled = true;
+          header_name = "X-WEBAUTH-USER";
+        };
+      };
+    };
+
+    zfs.zed.settings = {
+      ZED_EMAIL_ADDR = [ "paul@nyanlout.re" ];
+      ZED_NOTIFY_VERBOSE = true;
+    };
+  };
+
+  systemd.services.influxdb.serviceConfig = {
+    TimeoutStartSec = "10min";
+  };
+
+  security.sudo.extraRules = [
+    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
+  ];
+}
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@ -0,0 +1,362 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  boot = {
+    kernel.sysctl = {
+      "net.ipv6.conf.all.forwarding" = true;
+      "net.ipv6.conf.default.forwarding" = true;
+      "net.ipv4.conf.all.forwarding" = true;
+      "net.ipv4.conf.default.forwarding" = true;
+    };
+  };
+
+  # Enable LTE drivers
+  hardware.usb-modeswitch.enable = true;
+
+  ##################
+  # NETWORK CONFIG #
+  ##################
+
+  # eno1      -> VLAN100 -> Internet
+  # eno2      -> LAN
+  # eno3      -> Pas utilisé
+  # eno4      -> Pas utilisé
+  # enp0s21u1 -> Clé 4G Bouygues
+  # wg0       -> Tunnel Wireguard ARN
+
+  networking = {
+    hostName = "loutreos"; # Define your hostname.
+    hostId = "7e66e347";
+
+    useNetworkd = true;
+    useDHCP = false;
+
+    nameservers = [
+      "1.1.1.1"
+      "1.0.0.1"
+    ];
+
+    vlans = {
+      bouygues = {
+        id = 100;
+        interface = "eno1";
+      };
+    };
+
+    interfaces = {
+      bouygues = {
+        # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
+        macAddress = "E8:AD:A6:21:73:68";
+        useDHCP = true;
+      };
+      eno2 = {
+        ipv4.addresses = [
+          { address = "10.30.0.1"; prefixLength = 16; }
+        ];
+      };
+      enp0s21u1.useDHCP = true;
+    };
+
+    nftables = {
+      enable = true;
+      flushRuleset = false;
+      tables = {
+        "multi-wan-routing" = {
+          family = "inet";
+          content = ''
+            chain PREROUTING {
+              type filter hook prerouting priority mangle; policy accept;
+              # Restore the packet's CONNMARK to the MARK for existing incoming connections
+              counter meta mark set ct mark
+              # If packet MARK is set, then it means that there is already a connection mark
+              meta mark != 0x00000000 counter accept
+              # Else, we need to mark the packet.
+              # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
+              iifname "bouygues" counter meta mark set 0x1
+              iifname "enp0s21u1" counter meta mark set 0x2
+              iifname "wg0" counter meta mark set 0x3
+              # Save new mark in CONNMARK
+              counter ct mark set mark
+            }
+
+            chain OUTPUT {
+              type route hook output priority mangle; policy accept;
+              # Restore CONNMARK to MARK for outgoing packets before final routing decision
+              counter meta mark set ct mark
+            }
+
+            chain POSTROUTING {
+              type filter hook postrouting priority mangle; policy accept;
+              # Save MARK to CONNMARK
+              counter ct mark set mark
+            }
+          '';
+        };
+
+        "redirect-external-to-local" = {
+          family = "ip";
+          content = ''
+            chain PREROUTING {
+              type nat hook prerouting priority dstnat; policy accept;
+              # Redirect local network request from server external IP to internal IP
+              # This allow access to server without internet access
+              ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1
+            }
+          '';
+        };
+      };
+    };
+
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPorts = [ ];
+
+      # Open ports on local netwok only
+      interfaces.eno2 = {
+        allowedTCPPorts = [
+          111 2049 4000 4001 4002 # NFS
+          3483 9000 9090 # Slimserver
+          1935 # RTMP
+        ];
+        allowedUDPPorts = [
+          111 2049 4000 4001 4002 # NFS
+          3483 # Slimserver
+          67 # DHCP
+        ];
+      };
+
+      # Don't forward incoming IPv6 requests to local network
+      filterForward = true;
+      extraForwardRules = ''
+        # Forward all IPv6 traffic from local network
+        iifname "eno2" counter accept
+      '';
+    };
+  };
+
+  systemd.services.systemd-networkd = {
+    unitConfig = {
+      RequiresMountsFor = "/mnt/secrets/wireguard";
+    };
+    serviceConfig = {
+      LoadCredential = [
+          "network.wireguard.private.wg0:/mnt/secrets/wireguard/wireguard.private"
+          "network.wireguard.preshared.wg0:/mnt/secrets/wireguard/wireguard.preshared"
+      ];
+    };
+  };
+
+  #################
+  # ROUTING RULES #
+  #################
+
+  # 0:      from all lookup local
+  # 60:     from all iif lo dport 25 lookup vpn  # mails are forced to vpn table
+  # 32766:  from all lookup main                 # main table should contain no default routes, only local network routes
+  # 32767:  from all lookup default
+  # 41000:  from all fwmark 0x1 lookup fiber     # fwmark indicate established connection that must go through same interface
+  # 42000:  from all fwmark 0x2 lookup lte
+  # 43000:  from all fwmark 0x3 lookup vpn
+  # 51000:  from all lookup fiber                # first table encountered with a default route if fiber is up
+  # 52000:  from all lookup lte                  # first table encountered with a default route if fiber is down
+
+  systemd.network = let
+    routeTables = {
+      fiber = 1;
+      lte = 2; 
+      vpn = 3;
+    };
+  in {
+    enable = true;
+
+    config = {
+      inherit routeTables;
+      addRouteTablesToIPRoute2 = true;
+    };
+
+    # Wireguard ARN device configuation
+    netdevs = {
+      "10-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+          MTUBytes = "1450";
+        };
+        wireguardConfig = {
+          PrivateKey = "@network.wireguard.private.wg0";
+          RouteTable = routeTables.vpn;
+        };
+        wireguardPeers = [
+          {
+            Endpoint = "89.234.141.83:8095";
+            PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
+            PresharedKey = "@network.wireguard.preshared.wg0";
+            AllowedIPs = ["0.0.0.0/0" "::/0"];
+            PersistentKeepalive = 15;
+          }
+        ];
+      };
+    };
+
+    networks = {
+      #########
+      # FIBER #
+      #########
+
+      # Set route metric to highest priority
+      # Set DHCP client magic settings for Bouygues
+      "40-bouygues" = {
+        dhcpV4Config.RouteTable = routeTables.fiber;
+
+        dhcpV6Config = {
+          DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
+          WithoutRA = "solicit";
+        };
+
+        ipv6AcceptRAConfig = {
+          DHCPv6Client = true;
+          RouteTable = routeTables.fiber;
+        };
+
+        networkConfig = {
+          KeepConfiguration = "dhcp-on-stop";
+          IPv6AcceptRA = true;
+          DHCPPrefixDelegation = true;
+        };
+
+        # Static attribution of first IPv6 subnet
+        dhcpPrefixDelegationConfig.SubnetId = "0";
+
+        # Route everything to fiber link with a priority of 40000
+        routingPolicyRules = [
+          {
+            FirewallMark = 1;
+            Table = routeTables.fiber;
+            Priority = 41000;
+            Family = "both";
+          }
+          {
+            Table = routeTables.fiber;
+            Priority = 51000;
+            Family = "both";
+          }
+        ];
+      };
+
+      # Don't check VLAN physical interface as it is not directly used
+      "40-eno1".linkConfig.RequiredForOnline = "no";
+
+      #######
+      # LTE #
+      #######
+
+      # Set LTE route to lower priority
+      "40-enp0s21u1" = {
+        dhcpV4Config.RouteTable = routeTables.lte;
+
+        # Route all to lte link with a priority of 50000
+        routingPolicyRules = [
+          {
+            FirewallMark = 2;
+            Table = routeTables.lte;
+            Priority = 42000;
+            Family = "both";
+          }
+          {
+            Table = routeTables.lte;
+            Priority = 52000;
+            Family = "both";
+          }
+        ];
+      };
+
+      #######
+      # VPN #
+      #######
+
+      # Wireguard ARN network configuation
+      "10-wg0" = {
+        matchConfig.Name = "wg0";
+        address = [
+          "89.234.141.196/32"
+          "2a00:5881:8119:400::1/128"
+        ];
+        routingPolicyRules = [
+          # Route outgoing emails to VPN table
+          {
+            IncomingInterface = "lo";
+            DestinationPort = "25";
+            Table = routeTables.vpn;
+            Priority = 60;
+            Family = "both";
+          }
+          # Route packets originating from wg0 device to VPN table
+          # Allow server to respond on the wg0 interface requests
+          {
+            FirewallMark = 3;
+            Table = routeTables.vpn;
+            Priority = 43000;
+            Family = "both";
+          }
+        ];
+      };
+
+      #######
+      # LAN #
+      #######
+
+      # LAN DHCP server config
+      "40-eno2" = {
+        networkConfig = {
+          IPv6SendRA = true;
+          DHCPPrefixDelegation = true;
+          DHCPServer = true;
+          IPMasquerade = "ipv4";
+        };
+        dhcpServerConfig = {
+          EmitRouter = true;
+          EmitDNS = true;
+          DNS = [
+            "1.1.1.1"
+            "1.0.0.1"
+          ];
+        };
+        dhcpServerStaticLeases = [
+          # IPMI
+          {
+            Address = "10.30.1.1";
+            MACAddress = "ac:1f:6b:4b:01:15";
+          }
+          # paul-fixe
+          {
+            Address = "10.30.50.1";
+            MACAddress = "b4:2e:99:ed:24:26";
+          }
+          # salonled
+          {
+            Address = "10.30.40.1";
+            MACAddress = "e0:98:06:85:e9:ce";
+          }
+          # miroir-bleu
+          {
+            Address = "10.30.40.2";
+            MACAddress = "e0:98:06:86:38:fc";
+          }
+          # miroir-orange
+          {
+            Address = "10.30.40.3";
+            MACAddress = "50:02:91:78:be:be";
+          }
+        ];
+        ipv6SendRAConfig = {
+          EmitDNS = true;
+          DNS = [
+            "2606:4700:4700::1111"
+            "2606:4700:4700::1001"
+          ];
+        };
+      };
+    };
+  };
+}
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@ -5,306 +5,129 @@ with lib;
 let
  domaine = "nyanlout.re";

-  riot_port = 52345;
-  pgmanage_port = 52347;
-  max_port = 52348;
-  musique_port = 52349;
+  sendMail = to: subject: message: pkgs.writeShellScriptBin "mail.sh" ''
+    ${pkgs.system-sendmail}/bin/sendmail ${to} <<EOF
+    From: root@nyanlout.re
+    Subject: ${subject}
+    ${message}
+    EOF
+  '';
+
+  login_mail_alert = pkgs.writeShellScriptBin "mail_alert.sh" ''
+    if [ "$PAM_TYPE" != "close_session" ] && [ "$PAM_USER" != "zfspaulfixe" ] && [ "$PAM_USER" != "synology" ] && [ "$PAM_USER" != "rezome" ]; then
+      ${sendMail "paul@nyanlout.re" "SSH Login: $PAM_USER from $PAM_RHOST" "`env`"}/bin/mail.sh
+    fi
+  '';
+
+  backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs";
 in

 {
  imports = [
-    ../../services/haproxy-acme.nix
-    ../../services/mail-server.nix
-    ../../services/site-musique.nix
-    ../../services/site-max.nix
-    ../../services/auto-pr.nix
-    ../../services/python-ci.nix
-    ../../services/sdtdserver.nix
-    ../../containers/vsftpd.nix
+    ./monitoring.nix
+    ./medias.nix
+    ./web.nix
  ];

-  nixpkgs.overlays = [
-    (import ../../overlays/dogetipbot-telegram.nix)
-  ];
+  security.acme.certs = {
+    "${domaine}" = {
+      extraDomainNames = [
+        "mail.${domaine}"
+      ];
+      postRun = ''
+        systemctl reload dovecot2.service
+      '';
+    };
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.${domaine}";
+    domains = [ domaine ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # mkpasswd -m sha-512 "super secret password"
+    loginAccounts = {
+      "paul@${domaine}" = {
+        hashedPassword = "$6$eGmy2W7kbkfHAh$/y.ZML4eYL/v14WaVwSIG2ulkUFKFk82uBmrYBDULLtqUR8hQD3/BQIrRiBtsloxrUSja8aZ.E7ypChO.OiOI/";
+      };
+      "claire@${domaine}" = {
+        hashedPassword = "$6$Y.vlWP9./DX$NEQQOLzYftbHOvXDkKdBYFAjzIjh8mlpomDuQRq6qkkZijrdy/p6jSbrpBLhoWwVmj4j1OWekHU1f4C9xCNJk.";
+      };
+    };
+
+    # Certificate setup
+    certificateScheme = "manual";
+    certificateFile = "/var/lib/acme/${domaine}/fullchain.pem";
+    keyFile = "/var/lib/acme/${domaine}/key.pem";
+
+    # Enable IMAP and POP3
+    enableImap = true;
+    enablePop3 = true;
+    enableImapSsl = true;
+    enablePop3Ssl = true;
+
+    # Enable the ManageSieve protocol
+    enableManageSieve = true;
+  };

  services = {
+    rspamd.workers.controller.extraConfig = ''
+      secure_ip = ["0.0.0.0/0", "::"];
+    '';
+
+    # redis.enable = true;
+
+    # enable with nginx defult config
+    logrotate.enable = true;

    fail2ban.enable = true;

-    smartd = {
-      enable = true;
-      defaults.monitored = "-a -o on -s (S/../.././02|L/../../1/04)";
-      notifications.mail = {
-        enable = true;
-        recipient = "paul@nyanlout.re";
-      };
-    };
-
    fstrim.enable = true;

-    haproxy-acme = {
-      enable = true;
-      domaine = domaine;
-      services = {
-        "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
-        "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; };
-        "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
-        "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
-        "transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
-        "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
-        "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
-        "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
-        "riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; };
-        "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
-        "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
-        "gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
-        "ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
-      };
-    };
-
-    mailserver = {
-      enable = true;
-      domaine = domaine;
-    };
-
-    influxdb = {
-      enable = true;
-      dataDir = "/var/db/influxdb";
-    };
-
-    telegraf = {
-      enable = true;
-      extraConfig = {
-        inputs = {
-          zfs = { poolMetrics = true; };
-          net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
-          netstat = {};
-          cpu = { totalcpu = true; };
-          kernel = {};
-          mem = {};
-          processes = {};
-          system = {};
-          disk = {};
-          ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
-          smart = {
-            path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
-          };
-          exec= [
-            { commands = [
-              "${pkgs.python}/bin/python ${
-                  pkgs.fetchgit {
-                    url = "https://gitlab.com/nyanloutre/tplink-smartplug.git";
-                    rev = "a0996112fc451b76448589698de440ad5fd6ea79";
-                    sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3";
-                  }
-                }/tplink_smartplug.py -t 192.168.0.57 -c energy"
-              ];
-              data_format = "json";
-              name_suffix = "_tplink-smartplug";
-            }
-            {
-              commands = [
-                "${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
-                  import json
-                  from subprocess import check_output
-
-                  columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
-                  health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
-
-                  stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
-                  parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
-
-                  for pool in parsed_stdout:
-                    for item in pool:
-                      if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
-                        pool[item] = int(pool[item])
-                      if item in ["DEDUP"]:
-                        pool[item] = float(pool[item])
-                      if item == "HEALTH":
-                        pool[item] = health[pool[item]]
-
-                  print(json.dumps(parsed_stdout))
-                ''}"
-              ];
-              tag_keys = [ "NAME" ];
-              data_format = "json";
-              name_suffix = "_python_zpool";
-            }
-          ];
-        };
-        outputs = {
-          influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
-        };
-      };
-    };
-
-    udev.extraRules = ''
-      KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
-    '';
-
-    grafana = {
-      enable = true;
-      addr = "127.0.0.1";
-      dataDir = "/var/lib/grafana";
-      extraOptions = {
-        SERVER_ROOT_URL = "https://grafana.${domaine}";
-        SMTP_ENABLED = "true";
-        SMTP_FROM_ADDRESS = "grafana@${domaine}";
-        SMTP_SKIP_VERIFY = "true";
-        AUTH_DISABLE_LOGIN_FORM = "true";
-        AUTH_DISABLE_SIGNOUT_MENU = "true";
-        AUTH_ANONYMOUS_ENABLED = "true";
-        AUTH_ANONYMOUS_ORG_ROLE = "Admin";
-        AUTH_BASIC_ENABLED = "false";
-      };
-    };
-
-    emby = {
-      enable = true;
-      dataDir = "/var/lib/emby/ProgramData-Server";
-    };
-
-    slimserver = {
-      enable = true;
-      dataDir = "/var/lib/slimserver";
-    };
-
-    syncthing = {
-      enable = true;
-      dataDir = "/var/lib/syncthing";
-      openDefaultPorts = true;
-    };
-
    nfs.server = {
      enable = true;
      exports = ''
-        /mnt/medias  192.168.0.0/16(ro,no_root_squash)
-        /exports/steam  192.168.0.0/24(rw,no_root_squash)
+        /mnt/medias  10.30.0.0/16(ro,no_root_squash)
+        /var/lib/minecraft  10.30.0.0/16(rw,no_root_squash)
      '';
      statdPort = 4000;
      lockdPort = 4001;
      mountdPort = 4002;
    };

-    transmission = {
-      enable = true;
-      home = "/var/lib/transmission";
-      settings = {
-        rpc-bind-address = "127.0.0.1";
-        rpc-host-whitelist = "*";
-        rpc-whitelist-enabled = false;
-      };
-    };
-
-    radarr.enable = true;
-    sonarr.enable = true;
-    jackett.enable = true;
-
-    searx.enable = true;
-
-    nginx = {
-      enable = true;
-      virtualHosts = {
-        "riot" = {
-          listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
-          locations = { "/" = { root = pkgs.riot-web; }; };
-        };
-      };
-    };
-
-    postgresql.enable = true;
-
-    matrix-synapse = {
-      enable = true;
-      enable_registration = true;
-      server_name = "nyanlout.re";
-      listeners = [
-        { # federation
-          bind_address = "";
-          port = 8448;
-          resources = [
-            { compress = true; names = [ "client" "webclient" ]; }
-            { compress = false; names = [ "federation" ]; }
-          ];
-          tls = true;
-          type = "http";
-          x_forwarded = false;
-        }
-        { # client
-          bind_address = "127.0.0.1";
-          port = 8008;
-          resources = [
-            { compress = true; names = [ "client" "webclient" ]; }
-          ];
-          tls = false;
-          type = "http";
-          x_forwarded = true;
-        }
-      ];
-      database_type = "psycopg2";
-      database_args = {
-        database = "matrix-synapse";
-      };
-      extraConfig = ''
-        max_upload_size: "100M"
-      '';
-      logConfig = ''
-        version: 1
-
-        formatters:
-            journal_fmt:
-                format: '%(name)s: [%(request)s] %(message)s'
-
-        filters:
-            context:
-                (): synapse.util.logcontext.LoggingContextFilter
-                request: ""
-
-        handlers:
-            journal:
-                class: systemd.journal.JournalHandler
-                formatter: journal_fmt
-                filters: [context]
-                SYSLOG_IDENTIFIER: synapse
-
-        root:
-            level: WARNING
-            handlers: [journal]
-
-        disable_existing_loggers: False
-      '';
-    };
-
-    pgmanage = {
-      enable = true;
-      port = pgmanage_port;
-      connections = {
-        localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
-      };
-    };
-
-    /*
    borgbackup.jobs = {
      loutre = {
        paths = [
          "/var/certs"
          "/var/dkim"
+          "/var/lib/jellyfin"
          "/var/lib/gitea"
          "/var/lib/grafana"
-          "/var/lib/matrix-synapse"
          "/var/lib/jackett"
-          "/var/lib/postgresql/.zfs/snapshot/borgsnap"
+          "/mnt/borgsnap/postgresql"
          "/var/lib/radarr"
          "/var/lib/sonarr"
-          "/var/lib/syncthing"
          "/var/lib/transmission"
-          "/mnt/medias/musique"
-          "/mnt/medias/torrent/lidarr"
-          "/mnt/medias/torrent/musique"
+          "/var/lib/airsonic"
+          "/var/lib/hass"
+          "/var/lib/opendkim"
+          "/var/lib/slimserver"
+          "/var/lib/watcharr"
+          "/var/lib/nextcloud"
+          "/mnt/paul-home/paul"
          "/var/sieve"
          "/var/vmail"
+          "/mnt/backup_loutre/amandoleen"
+          "/mnt/secrets"
        ];
-        repo = "/mnt/backup/borg";
+        exclude = [
+          "/var/lib/radarr/.config/Radarr/radarr.db-wal"
+          "/var/lib/radarr/.config/Radarr/radarr.db-shm"
+          "/mnt/paul-home/paul/.cache"
+        ];
+        repo = "ssh://u306925@u306925.your-storagebox.de:23/./loutreos";
+        environment = { BORG_RSH = "ssh -i /mnt/secrets/hetzner_ssh_key"; };
        encryption = {
          mode = "repokey-blake2";
          passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass";
@ -315,16 +138,18 @@ in
          weekly = 4;
          monthly = 12;
        };
-        preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
+        preHook = ''
+          ${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap
+          mkdir -p /mnt/borgsnap/postgresql
+          ${config.security.wrapperDir}/mount -t zfs loutrepool/var/postgresql@borgsnap /mnt/borgsnap/postgresql
+        '';
+        readWritePaths = [ "/var/lib/postfix/queue/maildrop" ];
        postHook = ''
+          ${config.security.wrapperDir}/umount /mnt/borgsnap/postgresql
          ${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
-          if [[ $exitStatus == 0 ]]; then
-            ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO loutre_ovh:loutre
-          fi
        '';
      };
    };
-    */

    borgbackup.repos = {
      diskstation = {
@ -332,97 +157,172 @@ in
        path = "/mnt/backup_loutre/diskstation_borg";
        user = "synology";
      };
-    };
-
-    gitea = {
-      enable = true;
-      cookieSecure = true;
-      httpPort = 3001;
-      rootUrl = "https://gitea.nyanlout.re/";
-      database = {
-        type = "postgres";
-        port = 5432;
-        passwordFile = "/mnt/secrets/gitea_database_passwordFile";
+      minecraft-rezome = {
+        authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc1nGsSesW96k0DPMSt/chjvCrYmfgPgHG1hdUYB5x0pZPdOJaVRIlETWdoFlO+ViviC518B3TF7Qc3oJXPZMchJQl684Nukbc312juf+j9z/KT3dqD8YvKX6o5ynx1Dyq52ftrfkBAEAvzE0OfRljUPbwGBOM0dGRD4R1jbiHquTXpITlbgGTZymbwr4Jr9W9atgf5kHMiX7xOqMZcasDtUE8g+AG4ysHdpjOrBOUM9QeRbVP1bxEFP8xjqOOoET5tbkwektP4B2jaf+EHBPUy2lkwjVEKT6MaSlkJx/wMvUWp25kG9mrXgwUw1bgfOeZIsK6ztcki3l92BJQD9ip shame@minecraft.rezom.eu" ];
+        path = "/mnt/backup_loutre/minecraft_rezome";
+        user = "rezome";
      };
    };

-    site-musique = {
+    kresd = {
      enable = true;
-      port = musique_port;
-      domaine = "musique-meyenheim.fr";
    };

-    site-max = {
+    mosquitto = {
      enable = true;
-      port = max_port;
-      domaine = "maxspiegel.fr";
+      listeners = [
+        {
+          acl = [ "pattern readwrite #" ];
+          omitPasswordAuth = true;
+          address = "127.0.0.1";
+          settings.allow_anonymous = true;
+        }
+      ];
    };

-    auto-pr.enable = true;
-
-    python-ci.enable = true;
-
-    sdtdserver.enable = true;
-  };
-
-  /*
-  systemd.services.dogetipbot-telegram = {
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-    script = "${pkgs.dogetipbot-telegram}/bin/dogetipbot-telegram --block-io-api-key $BLOCK_IO_API_KEY --block-io-pin $BLOCK_IO_PIN --telegram-api-key $TELEGRAM_API_KEY --network DOGE";
-    enable = true;
-    serviceConfig = {
-      EnvironmentFile = "/mnt/secrets/dogetipbot-telegram_env";
-      User = "nobody";
-      Group = "nogroup";
+    zigbee2mqtt = {
+      enable = true;
+      settings = {
+        serial.port = "/dev/serial/by-id/usb-Texas_Instruments_TI_CC2531_USB_CDC___0X00124B0014D97058-if00";
+        mqtt = {
+          server = "mqtt://${(head config.services.mosquitto.listeners).address}:${toString (head config.services.mosquitto.listeners).port}";
+        };
+        frontend = {
+          port = 8080;
+          host = "127.0.0.1";
+          url = "https://zigbee.nyanlout.re";
+        };
+        groups = {
+          "101" = {
+            friendly_name = "salon";
+            devices = [
+              "0x94deb8fffe760f3d"
+            ];
+          };
+          "102" = {
+            friendly_name = "cuisine";
+            devices = [
+              "0x003c84fffe6d9ee6"
+            ];
+          };
+          "103" = {
+            friendly_name = "entrée";
+            devices = [
+              "0x84ba20fffe5ec243"
+            ];
+          };
+          "104" = {
+            friendly_name = "tout";
+            devices = [
+              "0x94deb8fffe760f3d"
+              "0x003c84fffe6d9ee6"
+              "0x84ba20fffe5ec243"
+            ];
+          };
+          "107" = {
+            friendly_name = "chambre";
+            devices = [
+              "0x84ba20fffe5eb120"
+            ];
+          };
+        };
+      };
    };
-  };
-  */

-  systemd.services.matrix-synapse = {
-    serviceConfig = {
-      MemoryHigh = "3G";
-      MemoryMax = "5G";
-    };
-  };
-
-  security.sudo.extraRules = [
-    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
-  ];
-
-  networking = {
-    wireguard.interfaces = {
-      wg0 = {
-        ips = [ "192.168.20.1/24" ];
-        privateKeyFile = "/mnt/secrets/wireguard/wg0.privatekey";
-        listenPort = 51820;
-        allowedIPsAsRoutes = false;
-        peers = [
+    home-assistant = {
+      enable = true;
+      extraComponents = [
+        # Components required to complete the onboarding
+        "met"
+        "radio_browser"
+      ];
+      config = {
+        default_config = {};
+        homeassistant = {
+          country = "FR";
+          latitude = 48.60038;
+          longitude = 7.74063;
+          elevation = 146;
+        };
+        meteo_france = null;
+        http = {
+          use_x_forwarded_for = true;
+          trusted_proxies = [ "127.0.0.1" ];
+        };
+        mqtt = null;
+        esphome = null;
+        light = [
          {
-            allowedIPs = [ "0.0.0.0/0" ];
-            publicKey = "b/SXiqo+GPdNOc54lyEVeUBc6B5AbVMKh+g5EZPGzlE=";
+            platform = "group";
+            name = "Salon";
+            entities = [
+              "light.salon_light"
+              "light.cuisine_light"
+              "light.entree_light"
+            ];
+          }
+        ];
+        media_player = [
+          {
+            platform = "squeezebox";
+            host = "10.30.0.1";
          }
        ];
      };
    };

+    photoprism = {
+      enable = true;
+      originalsPath = "/mnt/backup_loutre/amandoleen/d/Users/Amand/Pictures";
+      passwordFile = "/mnt/secrets/photoprism_pass";
+      settings = {
+        PHOTOPRISM_READONLY = "1";
+        PHOTOPRISM_DETECT_NSFW = "1";
+        PHOTOPRISM_SITE_URL = "https://photo.nyanlout.re/";
+      };
+    };
+  };
+
+  systemd = {
+    timers."lg-devmode-reset" = {
+      wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "5m";
+          OnUnitActiveSec = "1w";
+        };
+    };
+    services = {
+      "borgbackup-job-loutre".serviceConfig.TemporaryFileSystem = ["/mnt/borgsnap"];
+      "lg-devmode-reset" = {
+        script = ''
+          ${pkgs.curl}/bin/curl https://developer.lge.com/secure/ResetDevModeSession.dev\?sessionToken\=9f94269da0dc14fd924b65d8dca28b076f931ad1ca04fe7a09ac78cdb0e22cb4
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+        };
+      };
+    };
+  };
+
+  dogetipbot-telegram.enable = true;
+
+  ipmihddtemp.enable = true;
+
+  users.groups.nginx.members = [ "matrix-synapse" ];
+
+  security.pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );
+
+  networking = {
+    firewall.interfaces.eno2.allowedTCPPorts = [
+      3260
+    ];
+
    firewall.allowedTCPPorts = [
-      111 2049 4000 4001 4002 # NFS
-      3483 9000 9090 # Slimserver
-      51413 # Transmission
-      8448 # Matrix federation
      20 21 # FTP
    ];

    firewall.allowedTCPPortRanges = [
      { from = 64000; to = 65535; } # FTP
    ];
-
-    firewall.allowedUDPPorts = [
-      111 2049 4000 4001 4002 # NFS
-      3483 # Slimserver
-      51413 # Transmission
-      51820 # Wireguard
-    ];
  };
 }
--- a/systems/LoutreOS/users.nix
+++ b/systems/LoutreOS/users.nix
@ -1,12 +1,12 @@
-{ config, pkgs, ... }:
+{ lib, config, pkgs, ... }:

 {
-  users.extraUsers = {
+  users.users = {
    paul = {
      uid = 1000;
      isNormalUser = true;
      description = "Paul TREHIOU";
-      extraGroups = [ "wheel" "medias" ];
+      extraGroups = [ "wheel" "medias" "transmission" "podman" ];
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAF7VlzHzgg70uFbRFtVTS34qNBke/RD36mRENAsa33RxztxrqMsIDscAD/d6CTe6HDy7MCGzJnWCJSXj5iOQFM4RRMvKNEgCKPHqfhmfVvO4YZuMjNB0ufVf6zhJL4Hy43STf7NIWrenGemUP+OvVSwN/ujgl2KKw4KJZt25/h/7JjlCgsZm4lWg4xcjoiKL701W2fbEoU73XKdbRTgTvKoeK1CGxdAPFefFDFcv/mtJ7d+wIxw9xODcLcA66Bu94WGMdpyEAJc4nF8IOy4pW8AzllDi0qNEZGCQ5+94upnLz0knG1ue9qU2ScAkW1/5rIJTHCVtBnmbLNSAOBAstaGQJuSL40TWZ1oPA5i1qUEhunNcJ+Sgtp6XP69qY34T/AeJvHRyw5M5LfN0g+4ka9k06NPBhbpHFASz4M8nabQ0iM63++xcapnw/8gk+EPhYVKW86SsyTa9ur+tt6oDWEKNaOhgscX44LexY7jKdeBRt3GaObtBJtVLBRx3Z2aRXgjgnKGqS40mGRiSkqb2DShspI1l8DV2RrPiuwdBzXVQjWRc0KXmJrcgXX9uoPSxihxwaUQyvmITOV1Y+NEuek4gRkVNOxjoG7RGnaYvYzxEQVoI5TwZC2/DCrAUgCv8DQawkcpEiWnBq7Q5VnpmFx5juVQ/I0G8byOkPXgRUOk9 openpgp:0xAB524BBC"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCACVI2dL4AmOdcb7RSl3JZpfK33NhqrYFfWfXMYow5SPJ9VPteOp5kVvKUuSbGH3chjpttYC/ueQJJhFagiKmkeftQTslIw6C009wUExGpJwRotHqISXv2ctURGURKy2FF848whd7xZJzdj49ZJ6S+SCbRFZvVWfT2dP/JwTiWW1mbEaWKyOgrixH6wSKt9ECumjX9KjqSWGw+k3yLJxIhdqiZAjNv4soJs1mQYdIlFCXCuznzoZIQBexZPQCx0j9HjczPz1feMLWkrHzEMexNjsBE2uA6yXLbH1wa8xCJ4VOeD7u9JqVY579AsicD62G+qIgw0B2zmyz7xTrdPv+061zmYn6qYr8EXGTk4dVgedZp8M1XzZ1PVoeeftPFcClXC7zCGyCR2uzJbQLzlaTwZrdghAiS9UhMRuKpNgZy2zDWw4MqdojrF5bndPkoijlXWYrPYBFED5OU1mpwzpanYgldowJC/Ixjwi+Hmse2q4XgZ+egfuotBqPfqB+bWsCa5GNiJWGdLP69uBSsXubGnqLwvE0FAQ2GHb+SEoZKFy/QV9GzOLlVrGlgK5YFgKJD+Q1nn1QRycXt1oMVC/AtR/NshOGanhdvIRpPATGmaxLVXSY093vyAOW4MPrS00fPAXzAfJUwIuWcloFfLMo5Jitj5rpE1s6FX8xrl4upQ== paul@nyanlout.re"
@ -19,20 +19,43 @@
      isNormalUser = true;
      description = "Victor SENE";
      openssh.authorizedKeys.keys = [
-		"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCaCc2qcQsd/VPDX1K97zJ/MjObWnTfRkA98xeNnVTeGoMmbf/fW1KszB+3IYCngCKLhliotHEXkqOK24vMLZ9ylVPTIPLNY5OWLFRQSOU/OykP8r4ikDWmMOwI+tqkoBknTUZdA1MN1JmkpE1cWL8vRJ7mnwl/p7xCMHV19N5+UdoIx3bFsm0CCUMIYSaIefoD3tpIzmgVqBkIH4FSmNwvXHwcXhhOTGqXbTJYC/GY2mI0AFvZI3T61ReV325ms7QRQlElXP8Rv8lpjr57VISNjKsPPNvifLjy10RjIS8iNioN6fJ0XBCfKOmm37VX86aFkAgWdpzxGojprOXnViwZEWSegnvKGx8FNx3gB54zF76e6koWS+qnYf9UTdogO6uXhXZb7AoMC9XD0/l6Egh8HzPWAUZtLx74zhB8ufoKmzqOp4YrCK8Cu4N/1UTFyPUoeSCZJdcE/9iqldym06mOi4rDV5cKCzs+Q0bVP8+x8SZ9ajYUH7l4sxjDHtHiyAYniWIxGPO5NazCfx7J+1GGzbtV0HuBwE/U20z+nBy+WZ4MowQTNb2E2uhq4OgQASx7uTKtyhnfT09A3toHZVerfH8ET8YEVnwdYMCA0GHYMOZ48h1ORdE+OLyqRlxjYTCB17Kc2icSL3iv8Yd66vQagy3A+C8OhZP1rdc15bEZnw== openpgp:0x28DF0235"
-		"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1r2ZzVnOlmoNoLgrc3+Lx7whO8mzcwUf2p9DiYAVg2zo2zbfubLVG1BAgFDe7y+2HwJIbGDDMNUaT+FAsv0mHRlfdUMXXF3nVsFPWGovo1ks31O5zUI9IE3qFU5AJ7SPICS4lQYox1o594iS1OcwJ7Iu6pjEQRRG1OLVYSILJ994vtGsDxfz1CZ8b7u9oSwHz0E4pdy6epkFSE/+9WsZl+ziDMigYZfubjzUCzMy2uT5Z6t+r6bW6mcxnmYax/YmrRvL/dTeDE64Qf7nugjB0XOKUOKCPN5dtqYRx0fN9aDSRf4ubmyVaYeKudm9vttGHXjSPVWAvow+jUDOq2cGr victor@sene.ovh"
-	  ];
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCaCc2qcQsd/VPDX1K97zJ/MjObWnTfRkA98xeNnVTeGoMmbf/fW1KszB+3IYCngCKLhliotHEXkqOK24vMLZ9ylVPTIPLNY5OWLFRQSOU/OykP8r4ikDWmMOwI+tqkoBknTUZdA1MN1JmkpE1cWL8vRJ7mnwl/p7xCMHV19N5+UdoIx3bFsm0CCUMIYSaIefoD3tpIzmgVqBkIH4FSmNwvXHwcXhhOTGqXbTJYC/GY2mI0AFvZI3T61ReV325ms7QRQlElXP8Rv8lpjr57VISNjKsPPNvifLjy10RjIS8iNioN6fJ0XBCfKOmm37VX86aFkAgWdpzxGojprOXnViwZEWSegnvKGx8FNx3gB54zF76e6koWS+qnYf9UTdogO6uXhXZb7AoMC9XD0/l6Egh8HzPWAUZtLx74zhB8ufoKmzqOp4YrCK8Cu4N/1UTFyPUoeSCZJdcE/9iqldym06mOi4rDV5cKCzs+Q0bVP8+x8SZ9ajYUH7l4sxjDHtHiyAYniWIxGPO5NazCfx7J+1GGzbtV0HuBwE/U20z+nBy+WZ4MowQTNb2E2uhq4OgQASx7uTKtyhnfT09A3toHZVerfH8ET8YEVnwdYMCA0GHYMOZ48h1ORdE+OLyqRlxjYTCB17Kc2icSL3iv8Yd66vQagy3A+C8OhZP1rdc15bEZnw== openpgp:0x28DF0235"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1r2ZzVnOlmoNoLgrc3+Lx7whO8mzcwUf2p9DiYAVg2zo2zbfubLVG1BAgFDe7y+2HwJIbGDDMNUaT+FAsv0mHRlfdUMXXF3nVsFPWGovo1ks31O5zUI9IE3qFU5AJ7SPICS4lQYox1o594iS1OcwJ7Iu6pjEQRRG1OLVYSILJ994vtGsDxfz1CZ8b7u9oSwHz0E4pdy6epkFSE/+9WsZl+ziDMigYZfubjzUCzMy2uT5Z6t+r6bW6mcxnmYax/YmrRvL/dTeDE64Qf7nugjB0XOKUOKCPN5dtqYRx0fN9aDSRf4ubmyVaYeKudm9vttGHXjSPVWAvow+jUDOq2cGr victor@sene.ovh"
+      ];
+    };
+
+    amandoleen = {
+      isNormalUser = true;
+      isSystemUser = lib.mkForce false;
+      description = "Amandine <3";
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRu0M10AfF2nS8Ky9JzQ4cDRbcjmR+LLvENohxTJhW4xwAwN/f2I0ObbiJ5PHC3mXi8V5JqnSaYNdIMXuULDxxc1QEa0aeLw4xIrYw1wEOrHvL9DeYvS289sRgWSb/PvyejEHwcBBm4Xf0/nQNQF462C064Ms56cT3YAOhNBA7ubyCAqd0VW8RHc1mZ5b/owzM7SviXrpcIM5QDPVP2051SxrqGbunAnwe5x2kNDeYqicyIik61rpYe+erhkyvL3WdgC7mHnF8VPKx049zIsfK5UmJwI+rI24cDUT9E6B4XZttpdyJK6i7/6NSYm4nrMXQxCF1tofd5yZK5vpYH8Dyiic5ykhB57kr1QCmck70VMmt77uOoMeGZ+IJCY5oZYcR/n04mUwN9mmRsECcr17a8IDQkmPd8PNbjrNRgtVKDVLtw4HyOPCAfdH+XzEGiMxnZfzq0rLEYU3S4RAkLpe2W3C0fWniEWzSnXj76AGcyJcxIVzrIYg4uzTgNhZlb08vO1ytw9QaEY17Po5YFjBD8fT9Z0UijG3WQBm7AmSrcg/OLP6UOghbnlkZFYpC0hYcbX1sTfdfysw9kT/d8BImQvwBzmJ/YRqHmCejZGTkCCmw8i93EYFm3uVFZypcSe50JV9rx9P7yPtWS4QVOg/6ltlvJiGsz45P87qjA9nO/Q== amandoleen"
+      ];
    };

    synology = {
      uid = 1001;
      isNormalUser = true;
+      isSystemUser = lib.mkForce false;
      description = "Synology Diskstation maison";
    };
+
+    rezome = {
+      description = "Rezome Minecraft backup";
+    };
+
+    zfspaulfixe = {
+      uid = 1002;
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQjzpEBNEwJhBTh82K5bJMyPSuHvYJyipaZYVtOZSJIDIRcec9YwMOQuMl9+O5kI36tiataEpmb/y3OWU567DXKp/BtljfVfNSQracKJPt6GJFOz4fKqCqoBh7M06ZGsBHUi/NsKIvw4asJsBuK6uACvxKFt2pSR6fp+/2y/3NH0LpDmDuuYORhciJUBC+RUTCLtVUfzkMAeR2p+M079Ia0rnkEXNFgc75FQon1bQu/0bnbHPweSwnNfRB0XPm6Qgz3sS2Cyhf1/GqgvARs80P4MWuqqZFXhsBTajOHOjCu6fiaylPNXNWfLnahkRzKIOkIy7/yEO+MmMD+V7pjbvSqB7MD1T5wfcPHvHTISM4E+7dw9aPj9+JspkgSSACtIFKsqxkWlq5creUV1syDm2Cd4rBnKrc8yWtAxBSusFWbAr6xtxP6I+ibS4trjNdHHrjMJK9jpbPxdblJJrO3qn6VYC/WzFAxzDDUi5ysGzNdpQLacacne/95gSGXCgIIc= root@paul-fixe"
+      ];
+      description = "paul-fixe zfs backup user";
+    };
  };

  users.extraGroups.medias = {
    gid = 498;
-    members = [ "slimserver" "radarr" "sonarr" "emby" "transmission" ];
+    members = [ "slimserver" "radarr" "sonarr" "jellyfin" "transmission" ];
  };
 }
--- a/systems/LoutreOS/web.nix
+++ b/systems/LoutreOS/web.nix
@ -0,0 +1,403 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  nginxSsoAuth = pkgs.writeText "nginx-sso_auth.inc" ''
+    # Protect this location using the auth_request
+    auth_request /sso-auth;
+
+    # Redirect the user to the login page when they are not logged in
+    error_page 401 = @error401;
+
+    location /sso-auth {
+        # Do not allow requests from outside
+        internal;
+
+        # Access /auth endpoint to query login state
+        proxy_pass http://127.0.0.1:${toString(config.services.nginx.sso.configuration.listen.port)}/auth;
+
+        # Do not forward the request body (nginx-sso does not care about it)
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+
+        # Set custom information for ACL matching: Each one is available as
+        # a field for matching: X-Host = x-host, ...
+        proxy_set_header X-Origin-URI $request_uri;
+        proxy_set_header X-Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # If the user is lead to /logout redirect them to the logout endpoint
+    # of ngninx-sso which then will redirect the user to / on the current host
+    location /sso-logout {
+        return 302 https://login.nyanlout.re/logout?go=$scheme://$http_host/;
+    }
+
+    # Define where to send the user to login and specify how to get back
+    location @error401 {
+        return 302 https://login.nyanlout.re/login?go=$scheme://$http_host$request_uri;
+    }
+  '';
+in
+{
+  security.acme = {
+    defaults.email = "paul@nyanlout.re";
+    acceptTerms = true;
+  };
+
+  users.groups = {
+    webdav = {};
+  };
+  users.users = {
+    webdav = {
+      isSystemUser = true;
+      group = config.users.groups.webdav.name;
+    };
+  };
+
+  services = {
+    phpfpm.pools = {
+      drive = {
+        user = config.users.users.webdav.name;
+        settings = {
+          "listen.owner" = config.services.nginx.user;
+          "pm" = "dynamic";
+          "pm.max_children" = 75;
+          "pm.start_servers" = 10;
+          "pm.min_spare_servers" = 5;
+          "pm.max_spare_servers" = 20;
+          "pm.max_requests" = 500;
+        };
+        phpOptions = ''
+          output_buffering=off
+        '';
+      };
+    };
+    nginx = {
+      enable = true;
+      package = pkgs.nginx.override {
+        modules = with pkgs.nginxModules; [ dav moreheaders ];
+      };
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      commonHttpConfig = ''
+        map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+        }
+        add_header Strict-Transport-Security  $hsts_header;
+        add_header Referrer-Policy            origin-when-cross-origin;
+      '';
+      sso = {
+        enable = true;
+        configuration = {
+          listen = {
+            addr = "127.0.0.1";
+            port = 8082;
+          };
+          login = {
+            title = "LoutreOS login";
+            default_method = "simple";
+            hide_mfa_field = true;
+            names.simple = "Username / Password";
+          };
+          cookie = {
+            domain = ".nyanlout.re";
+            secure = true;
+          };
+          audit_log = {
+            targets = [ "fd://stdout" ];
+            events = [ "access_denied" "login_success" "login_failure" "logout" ];
+          };
+          providers.simple = {
+            enable_basic_auth = true;
+            users = {
+              paul = "$2y$10$RMqeJF/hUasXZ5/SLKAu4uKKp6ac6qXCaRu4OY/fIN6ZYucDXzqYm";
+            };
+            groups = {
+              admins = [ "paul" ];
+            };
+          };
+          acl = {
+            rule_sets = [
+              {
+                rules = [ { field = "x-host"; regexp = ".*"; } ];
+                allow = [ "@admins" ];
+              }
+            ];
+          };
+        };
+      };
+      virtualHosts = let
+        base = locations: {
+          locations = locations // {
+            "@maintenance" = {
+              root = "/var/www/errorpages/";
+              extraConfig = ''
+                rewrite ^(.*)$ /50x.html break;
+              '';
+            };
+          };
+          forceSSL = true;
+          enableACME = true;
+          extraConfig = ''
+            error_page 500 502 503 504 = @maintenance;
+          '';
+        };
+        simpleReverse = rport: base {
+          "/" = {
+            proxyPass = "http://127.0.0.1:${toString(rport)}/";
+          };
+        };
+        authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
+          (base {
+            "/" = {
+              proxyPass = "http://127.0.0.1:${toString(rport)}/";
+              extraConfig = ''
+                auth_request_set $cookie $upstream_http_set_cookie;
+                auth_request_set $username $upstream_http_x_username;
+                proxy_set_header X-WEBAUTH-USER $username;
+                add_header Set-Cookie $cookie;
+              '';
+            };
+          })
+          {
+            extraConfig = ''
+              include ${nginxSsoAuth};
+            '';
+          }
+        ];
+      in {
+        "nyanlout.re" = base {
+          "/" = {
+            alias = "/var/www/site-perso/";
+          };
+          "/maintenance/" = {
+            alias = "/var/www/errorpages/";
+          };
+          "/.well-known/openpgpkey/" = {
+            alias = "/var/lib/gnupg/wks/nyanlout.re";
+            extraConfig = ''
+              add_header Access-Control-Allow-Origin * always;
+            '';
+          };
+        } // { default = true; };
+        "musique-meyenheim.fr" = base {
+          "/" = {
+            proxyPass = "http://unix:/run/site-musique.sock";
+          };
+          "/static/" = {
+            alias = "/var/www/site-musique/staticfiles/";
+          };
+          "/media/" = {
+            alias = "/var/www/site-musique/media/";
+          };
+        };
+        "www.musique-meyenheim.fr" = {
+          enableACME = true;
+          forceSSL = true;
+          globalRedirect = "musique-meyenheim.fr";
+        };
+        "login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
+        "grafana.nyanlout.re" = authReverse config.services.grafana.settings.server.http_port;
+        "transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;
+        "radarr.nyanlout.re" = authReverse 7878;
+        "sonarr.nyanlout.re" = authReverse 8989;
+        "syncthing.nyanlout.re" = authReverse 8384;
+        "prowlarr.nyanlout.re" = authReverse 9696;
+        "watcharr.nyanlout.re" = simpleReverse 3080;
+        "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
+          locations."/" = {
+            proxyWebsockets = true;
+          };
+        };
+        "gitea.nyanlout.re" = simpleReverse config.services.gitea.settings.server.HTTP_PORT;
+        "photo.nyanlout.re" = recursiveUpdate (simpleReverse config.services.photoprism.port) {
+          locations."/" = {
+            proxyWebsockets = true;
+          };
+        };
+        "zigbee.nyanlout.re" = recursiveUpdate (authReverse config.services.zigbee2mqtt.settings.frontend.port) {
+          locations."/" = {
+            proxyWebsockets = true;
+          };
+        };
+        "apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port) {
+          locations."/" = {
+            proxyWebsockets = true;
+          };
+        };
+        "drive.nyanlout.re" = base {
+          "/" = {
+            extraConfig = ''
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
+              fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
+              include ${pkgs.nginx}/conf/fastcgi_params;
+              include ${pkgs.nginx}/conf/fastcgi.conf;
+              fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+              fastcgi_intercept_errors on;
+              fastcgi_buffers 64 4K;
+              client_body_temp_path /mnt/webdav/tmp_upload;
+              client_max_body_size 0;
+              proxy_request_buffering off;
+            '';
+          };
+        } // {
+          root = "/mnt/webdav";
+        };
+        "rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
+          (base {
+            "/" = {
+              proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
+              extraConfig = ''
+                auth_request_set $cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $cookie;
+              '';
+            };
+          })
+          {
+            extraConfig = ''
+              include ${nginxSsoAuth};
+            '';
+          }
+        ];
+        "designyourfuture.amandoline-creations.fr" = base {
+          "/".alias = "/var/www/amandoline-designyourfuture/";
+        };
+        "amandoline-creations.fr" = base {
+          "/".alias = "/var/www/amandoline-portfolio/";
+        };
+        "www.amandoline-creations.fr" = {
+          enableACME = true;
+          forceSSL = true;
+          globalRedirect = "amandoline-creations.fr";
+        };
+        "challenge.amandoline-creations.fr" = base {
+          "/".alias = "/var/www/amandoline-challenge/";
+        };
+        ${config.services.nextcloud.hostName} = {
+          forceSSL = true;
+          enableACME = true;
+        };
+      };
+    };
+
+    postgresql = {
+      enable = true;
+      package = pkgs.postgresql_14;
+      settings = {
+        full_page_writes = false;
+      };
+    };
+
+    gitea = {
+      enable = true;
+      database = {
+        type = "postgres";
+        port = 5432;
+        passwordFile = "/var/lib/gitea/custom/conf/database_password";
+      };
+      settings = {
+        server = {
+          HTTP_PORT = 3001;
+          ROOT_URL = "https://gitea.nyanlout.re/";
+        };
+        log.LEVEL = "Warn";
+        service.DISABLE_REGISTRATION = true;
+        session.COOKIE_SECURE = true;
+      };
+    };
+
+    nextcloud = {
+      enable = true;
+      package = pkgs.nextcloud30;
+      hostName = "cloud.nyanlout.re";
+      database.createLocally = true;
+      https = true;
+      maxUploadSize = "16G";
+      config = {
+        dbtype = "pgsql";
+        adminpassFile = "$CREDENTIALS_DIRECTORY/nextcloud_admin.pass";
+      };
+      settings = {
+        "preview_max_filesize_image" = "-1";
+        "preview_max_memory" = "1024";
+        "preview_ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg";
+        "enabledPreviewProviders" = [
+          ''OC\Preview\BMP''
+          ''OC\Preview\GIF''
+          ''OC\Preview\JPEG''
+          ''OC\Preview\Krita''
+          ''OC\Preview\MarkDown''
+          ''OC\Preview\MP3''
+          ''OC\Preview\OpenDocument''
+          ''OC\Preview\PNG''
+          ''OC\Preview\TXT''
+          ''OC\Preview\XBitmap''
+          ''OC\Preview\Movie''
+        ];
+      };
+      autoUpdateApps.enable = true;
+    };
+
+  };
+
+  systemd.services.nginx.serviceConfig = {
+    ReadWritePaths = [
+      "/var/www/hls"
+      "/mnt/webdav"
+    ];
+  };
+
+  systemd.services.phpfpm-drive.serviceConfig = {
+    ReadWritePaths = [
+      "/mnt/webdav"
+    ];
+  };
+
+  systemd.services.nextcloud-setup.serviceConfig = {
+    LoadCredential = "nextcloud_admin.pass:/mnt/secrets/nextcloud_admin.pass";
+  };
+
+  systemd.services.site-musique = let
+    djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_4 pillow setuptools ]));
+  in {
+    description = "Site Django de la musique de Meyenheim";
+    after = [ "network.target" ];
+    requires = [ "site-musique.socket" ];
+    preStart = ''
+      ${djangoEnv}/bin/python manage.py migrate;
+      ${djangoEnv}/bin/python manage.py collectstatic --no-input;
+    '';
+    environment = {
+      DJANGO_SETTINGS_MODULE = "site_musique.settings.prod";
+      NGINX_DIRECTORY = "/var/www/site-musique";
+    };
+    serviceConfig = {
+      DynamicUser = true;
+      Group = "nginx";
+      StateDirectory = "site-musique";
+      WorkingDirectory = "/var/www/site-musique/";
+      ReadWritePaths = [ "/var/www/site-musique/staticfiles" "/var/www/site-musique/media" ];
+      EnvironmentFile = "/mnt/secrets/site-musique.env";
+      ExecStart = ''${djangoEnv}/bin/gunicorn \
+        --access-logfile - \
+        --bind unix:/run/site-musique.sock \
+        site_musique.wsgi:application
+      '';
+      PrivateTmp = true;
+    };
+  };
+
+  systemd.sockets.site-musique = {
+    description = "Site Musique socket";
+    wantedBy = [ "sockets.target" ];
+    listenStreams = [ "/run/site-musique.sock" ];
+  };
+
+  systemd.services.nginx-sso.serviceConfig.EnvironmentFile = "/mnt/secrets/nginx-sso.env";
+}
--- a/systems/PC-Fixe/codemasters.pem
+++ b/systems/PC-Fixe/codemasters.pem
@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5zCCAs+gAwIBAgIJAIIfD20HgCPEMA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD
+VQQGEwJVSzEVMBMGA1UECAwMV2Fyd2lja3NoaXJlMSEwHwYDVQQKDBhDb2RlbWFz
+dGVycyBTb2Z0d2FyZSBMdGQxGzAZBgNVBAsMEkNvZGVtYXN0ZXJzIE9ubGluZTEj
+MCEGA1UEAwwaQ29kZW1hc3RlcnMgT25saW5lIFJvb3QgQ0EwHhcNMTAwOTIyMDgx
+NjA4WhcNMzUwOTE2MDgxNjA4WjCBiTELMAkGA1UEBhMCVUsxFTATBgNVBAgMDFdh
+cndpY2tzaGlyZTEhMB8GA1UECgwYQ29kZW1hc3RlcnMgU29mdHdhcmUgTHRkMRsw
+GQYDVQQLDBJDb2RlbWFzdGVycyBPbmxpbmUxIzAhBgNVBAMMGkNvZGVtYXN0ZXJz
+IE9ubGluZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+ncw3VeQt3N8ZJmNGiCa8UJ61qtBWxat2yx9bWfyf2o4VqQtn7Cc79esHkf5Zbjpc
+zqMpxO/c0vZnHWgH1R0TWRDrSqKHuJxgbxT2JFoLAQQKm+uTUOclLvlC00IrINks
+Y6KPYaQDkaLDAQWX42YGqb7CaKna8DwX6Ms4RHLEm5+L0L5GgRk9RfPlphVYCA9r
+tjJIQluYMc0Ny4tzJ6IuCnDjgRfmehWSpBV+UAx8FHFxmOUgone6dhA0pTLtR/lu
+P/S2aISWgQZJ0GWWfQ/mjVpccnWKtZUK0TCVoKTPpGaV4kTDHYq9ylpuNItTww9E
+rXR0/9gWOZHQ49QXd2rnrQIDAQABo1AwTjAdBgNVHQ4EFgQU9vW1MrzNfAbZeTQJ
+gHCzyQQlAZgwHwYDVR0jBBgwFoAU9vW1MrzNfAbZeTQJgHCzyQQlAZgwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAcOUnPyvrbAdzMSPN9PLnvh34I9jW
+EwU81ks67EBNHaMdghiUhOFZ65vzQLoUYoqQcgzu+i0rAkLZrfviC1TUlv+mdlgK
+ce6eD2VgpQOPrpOG6O/TfmyAhS5mOlA35NMsZqZTpIiTZnZLGHSSu/Shvnk7UDTs
+lTp1yNj6etlY03ABieBsSIDu0UmhNfEY2HgjPaGGiAmcenw2d4U5Z2oCiJVDseeq
+RdlVx/sg4UM8L24/ccqn5uV05cg5aUF5dAlAYLq2wXNgbkpePtmo+/tqdiE3pL+q
+TRW14lealjJNmjUUTO/KHjKOpfPJNCHSGLk/h/UskEvcTUTqwDZATCl4jw==
+-----END CERTIFICATE-----
--- a/systems/PC-Fixe/configuration.nix
+++ b/systems/PC-Fixe/configuration.nix
@ -8,155 +8,118 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../common.nix
+      ../common-cli.nix
+      ../common-gui.nix
    ];

-  nixpkgs.overlays = [
-    (import ../../overlays/ledger-udev-rules.nix)
-  ];
+  nix.settings.trusted-users = [ "root" "paul" ];

-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
-  # boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.kernelParams = ["acpi_enforce_resources=lax"];
-  boot.tmpOnTmpfs = true;
+  boot.loader.grub = {
+    efiSupport = true;
+    device = "nodev";
+    zfsSupport = true;
+    memtest86.enable = true;
+    fontSize = 32;
+  };
+  boot.kernelParams = [
+    "acpi_enforce_resources=lax"
+    "zfs.zfs_arc_max=2147483648"
+  ];
+  boot.tmp.useTmpfs = false;
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.extraModprobeConfig = ''
+    options hid_apple fnmode=2
+  '';

-  # NVIDIA
-  services.xserver.videoDrivers = [ "nvidia" ];
+  zramSwap.enable = true;

-  # For Steam
-  hardware.opengl.driSupport32Bit = true;
-  hardware.pulseaudio.support32Bit = true;
-  hardware.steam-hardware.enable = true;
+  virtualisation.podman.enable = true;

-  hardware.u2f.enable = true;
+  services.zfs = {
+    trim = {
+      enable = false;
+      interval = "monthly";
+    };
+    autoScrub = {
+      enable = false;
+      interval = "monthly";
+    };
+    autoSnapshot = {
+      enable = true;
+      monthly = 6;
+    };
+    autoReplication = {
+      enable = true;
+      host = "nyanlout.re";
+      username = "zfspaulfixe";
+      identityFilePath = "/var/lib/zfs-replication/id_rsa";
+      localFilesystem = "fastaf/home";
+      remoteFilesystem = "loutrepool/zfs-replicate/paul-fixe";
+    };
+  };
+
+  hardware.bluetooth.enable = true;
+
+  # Logitech G920
+  hardware.usb-modeswitch.enable = true;

  services.udev.packages = with pkgs; [
-    ledger-udev-rules
    usb-modeswitch-data # Logitech G920
  ];

-  networking.hostName = "paul-fixe"; # Define your hostname.
-  networking.networkmanager.enable = true;  # Enables wireless support via wpa_supplicant.
+  services.udev.extraRules = ''
+    ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
+  '';

-  # Select internationalisation properties.
-  i18n = {
-    consoleKeyMap = "fr";
-    defaultLocale = "fr_FR.UTF-8";
+  networking.hostName = "paul-fixe";
+  networking.hostId = "3a1f739e";
+
+  networking.hosts = {
+    "10.30.0.1" = ["emby.nyanlout.re" "nyanlout.re"];
  };

-  # List packages installed in system profile. To search by name, run:
-  # $ nix-env -qaP | grep wget
-  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
-    filezilla
-    wineStaging
-    winetricks
-    qbittorrent
-    transmission-remote-gtk
-    appimage-run
-    bat
-    usb_modeswitch
-
-    gopass
-    xclip
-
-    electrum
-    electron-cash
-
-    firefox
-    chromium
-
-    tdesktop
-    mumble
-
-    kleopatra
-    gnupg
-
-    kdeplasma-addons
-    ark
-    kate
-    kmail
-    kdeconnect
-    okular
-    yakuake
-    konversation
-    gwenview
-    kcalc
-    spectacle
-    kile
-    (texlive.combine {
-      inherit (texlive) scheme-small titling collection-langfrench cm-super;
-    })
-    imagemagick
-
-    gnome-breeze
-    arc-theme
-    materia-theme
-    
-    libreoffice
-    gimp
-    vlc
-    kodiPlain
-
-    steam
-    sc-controller
-    steam-run
-    minecraft
-
-    glxinfo
-    i7z
-    lm_sensors
-    obs-studio
+    usb-modeswitch
+    esphome
  ];

-  programs.wireshark.enable = true;
-  programs.wireshark.package = pkgs.wireshark;
-
-  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
-  programs.browserpass.enable = true;
-  services.pcscd.enable = true;
-  services.pcscd.plugins = [
-    (pkgs.ccid.overrideAttrs (oldAttrs: rec {
-        preBuild = ''
-	  echo "0x2C97:0x0001:Ledger Token" >> ./readers/supported_readers.txt
-        '';
-      })
-    )
-  ];
+  programs = {
+    wireshark.enable = true;
+    alvr.enable = true;
+  };

  networking.firewall.enable = false;

-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio.enable = true;
+  services.displayManager.autoLogin.user = "paul";

-  # Enable the X11 windowing system.
-  services.xserver.enable = true;
-  services.xserver.layout = "fr";
-
-  # Enable the KDE Desktop Environment.
-  services.xserver.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.plasma5.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.paul = {
    isNormalUser = true;
-    extraGroups = [ "wheel" "networkmanager" "wireshark" "input" ];
+    extraGroups = [ "wheel" "networkmanager" "wireshark" "input" "dialout" "libvirtd" "vboxusers" ];
    uid = 1000;
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDstFRwMoTEip5IBSYE4dUj3miO0LsKrnUKQJmp7d5QYo3VhXk43jU6VUU0tVAegkzWLlQ3ohoFns+8bZyf7hj7roftrDfoC9bbbx4ihhWrZTlF0gzoH4t52yetFO5eC/tV2sm/zFoa+3IWLokOEFmAoknAVag1MmVLXTQ6WPoTPD4UsX/D3lyE4dbSKxHpMOIjqIdqSEgO0BeTdnHe5afvGXXO1VYTvPsGDHT9w8EHwQV9JXIPn7KVOp3qin7OwvFFrrB3QbiEVTJvGiH2hrfxcARTN/+TxGtf+aOFeuQykURG9Wz/aBK60EWE0wGrzuIymxtNdOR1NhmnNrUZ976Tb9WdR7FC+yM6+/kdfICy+sGQmmn8TLsGvcJTT/pl4Pa9uRAKjRJuLIEgYY6W/ms9lCRyf484yRkDlq+V0BPuN9Jy6Eb7x+tmZNkpEtkqso7wfXD8sf5BIwv2K69SVMpfTswydHGmDwHZ0zaDKGlyCiyJ1QGqUhCTXqtYVq+kQ3AcjKcysMwVEmwx/ySu0XFuV8oUkl9XK/RUoc++sMEd0EbHcn8uwCmBARNX+GLQ03vxwyMW3HyneP8EAxoqtSepZXbTdVP/0i+l7EUUeA7zsaWfU2a82ktZWpVPFGfxkuo0l3zLF19EsXPKZNqlRfkOWjSgp+qWihAkQIQk3GoduQ== openpgp:0x75EE3375"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3fEmkmrhccW8NegIk/Ubu6Yw80VCQ1ttG419e+1V1wkJPXFAqcIhffwrIlz81dJ47T+H+zeptpAX8U1Gbk1B5ZH4DW8OcqU6ymM+j6g/gICpvrjJUOpdgyA3GIOjuBJGijGQGggDw1k2SdopAVV1H38YUAJ33RGDvjLJO6VREYLDYLF4oaDp8ann7Wn8BpX2T7cRvhrzqcwbEGaw1f/xrLE5KklOb6pOHRWFJMxW83d8OKiLkQvM4vFGlvvG0/AKGZaZWHDXS7ldoyAv+vnN8DrIxmWEQjdNLfAwYDBHp6XqE0slde4dqBjVHji5+ajFr7eJnrzc4IXsHJ1jM9xGB paul@loutreos"
+    ];
  };

-  services.syncthing.enable = true;
-  services.syncthing.user = "paul";
-  services.syncthing.group = "users";
+  services.openssh.enable = true;
+  services.openssh.settings = {
+    PasswordAuthentication = false;
+    X11Forwarding = true;
+  };

-  virtualisation.rkt.enable = true;
+  services.xserver.deviceSection = ''
+    Option "metamodes" "DP-4: 3440x1440_144 +0+0 {AllowGSYNCCompatible=On}"
+  '';

-  # This value determines the NixOS release with which your system is to be
-  # compatible, in order to avoid breaking some software such as database
-  # servers. You should change this only after NixOS release notes say you
-  # should.
-  system.stateVersion = "18.09"; # Did you read the comment?
+  services.printing.enable = true;
+  services.printing.drivers = [ pkgs.hplip ];

+  systemd.services = {
+    zfs-replication.serviceConfig.StateDirectory = "zfs-replication";
+  };
+
+  boot.enableContainers = false;
+  system.stateVersion = "20.03";
 }
--- a/systems/PC-Fixe/hardware-configuration.nix
+++ b/systems/PC-Fixe/hardware-configuration.nix
@ -4,63 +4,56 @@
 { config, lib, pkgs, ... }:

 {
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
-
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "firewire_ohci" "pata_marvell" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
-  boot.kernelModules = [ "kvm-intel" "nct6775" ];
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" "coretemp" "it87" ];
  boot.extraModulePackages = [ ];
-  boot.blacklistedKernelModules = [ "hid-steam" ];
+
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.cpu.amd.updateMicrocode = true;
+  hardware.nvidia = {
+    open = false;
+    modesetting.enable = true;
+  };

  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/509a5842-56fe-40bd-8b00-6bda87e02e5e";
-      fsType = "ext4";
+    { device = "rpool/root/nixos";
+      fsType = "zfs";
    };

  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/A225-07A5";
+    { device = "/dev/disk/by-uuid/F4EC-57DF";
      fsType = "vfat";
    };

-  fileSystems."/mnt/hdd" =
-    { device = "/dev/mapper/ManjaroVG-ManjaroRoot";
-      fsType = "ext4";
-    };
-
-  fileSystems."/home/paul/Documents" =
-    { device = "/mnt/hdd/paul/Documents";
-      options = [ "bind" ];
-    };
-
-  fileSystems."/home/paul/Downloads" =
-    { device = "/mnt/hdd/paul/Téléchargements";
-      options = [ "bind" ];
-    };
-
-  fileSystems."/home/paul/Music" =
-    { device = "/mnt/hdd/paul/Musique";
-      options = [ "bind" ];
-    };
-
-  fileSystems."/home/paul/Pictures" =
-    { device = "/mnt/hdd/paul/Images";
-      options = [ "bind" ];
-    };
-
-  fileSystems."/home/paul/Videos" =
-    { device = "/mnt/hdd/paul/Vidéos";
-      options = [ "bind" ];
+  fileSystems."/home" =
+    { device = "fastaf/home";
+      fsType = "zfs";
    };

  fileSystems."/mnt/steam" =
-    { device = "192.168.0.5:/exports/steam";
+    { device = "fastaf/steam";
+      fsType = "zfs";
+    };
+
+  fileSystems."/mnt/games" =
+    { device = "fastaf/games";
+      fsType = "zfs";
+    };
+
+  # fileSystems."/mnt/hdd" =
+  #   { device = "/dev/mapper/ManjaroVG-ManjaroRoot";
+  #     fsType = "ext4";
+  #   };
+
+  fileSystems."/mnt/medias" =
+    { device = "10.30.0.1:/mnt/medias";
      fsType = "nfs";
      options = ["x-systemd.automount" "noauto"];
    };

  swapDevices = [ ];

-  nix.maxJobs = lib.mkDefault 4;
-  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+  nix.settings.max-jobs = lib.mkDefault 12;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/systems/common-cli.nix
+++ b/systems/common-cli.nix
@ -0,0 +1,125 @@
+{ config, pkgs, ... }:
+
+{
+
+  time.timeZone = "Europe/Paris";
+
+  environment.systemPackages = with pkgs; [
+    # Editeurs
+    (neovim.override {
+      viAlias = true;
+      vimAlias = true;
+      configure = {
+        customRC = ''
+	        set tabstop=8
+          set shiftwidth=4
+          set softtabstop=0
+          set expandtab
+	        set smarttab
+          set background=dark
+          set mouse=
+        '';
+        packages.myVimPackage = with pkgs.vimPlugins; {
+          start = [
+            vim-startify  airline             sensible
+            polyglot      ale                 fugitive
+          ];
+          opt = [ ];
+        };
+      };
+    })
+
+    # Gestionnaires de version
+    tig
+    gitAndTools.hub
+    quilt
+
+    # Gestion de paquets
+    nix-prefetch-scripts
+    nox
+    nix-index
+
+    # Système
+    smartmontools
+    htop
+    lshw
+    usbutils
+
+    # Réseau
+    inetutils
+    rclone
+    lftp
+    nfs-utils
+    nmap
+
+    # Divers
+    fzf
+    file
+    ncdu
+    yt-dlp
+    tldr
+    starship
+
+    # Audio
+    beets
+
+    # Outils
+    borgbackup
+    binutils
+    bat
+    molly-guard
+    nix-template
+    lz4
+
+    # Développement
+    openssl
+  ];
+
+  users.defaultUserShell = pkgs.zsh;
+  programs = {
+    tmux = {
+      enable = true;
+      clock24 = true;
+    };
+
+    zsh = {
+      enable = true;
+      autosuggestions.enable = true;
+      enableCompletion = true;
+      syntaxHighlighting.enable = true;
+      interactiveShellInit = ''
+        source "$(${pkgs.fzf}/bin/fzf-share)/key-bindings.zsh"
+        eval "$(starship init zsh)"
+      '';
+      ohMyZsh = {
+        enable = true;
+        plugins = [ "git" "colored-man-pages" "command-not-found" "extract" "nix" ];
+        customPkgs = with pkgs;[
+          nix-zsh-completions
+        ];
+      };
+    };
+
+    bash.interactiveShellInit = ''
+      eval "$(starship init bash)"
+    '';
+
+    git.enable = true;
+  };
+
+  environment.variables = let
+    starshipConfToml =
+      pkgs.writeText "starship.toml" ''
+        [[battery.display]]
+        threshold = 50
+      '';
+  in {
+    EDITOR = "nvim";
+    STARSHIP_CONFIG = "${starshipConfToml}";
+  };
+
+  nix.gc.automatic = true;
+  nix.gc.options = "--delete-older-than 15d";
+  systemd.timers.nix-gc.timerConfig.Persistent = true;
+
+}
--- a/systems/common-gui.nix
+++ b/systems/common-gui.nix
@ -0,0 +1,142 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    filezilla
+    qbittorrent
+    transmission-remote-gtk
+
+    sc-controller
+    steam-run
+    prismlauncher
+    lutris
+    teamspeak_client
+    ryujinx
+
+    betaflight-configurator
+
+    ledger-live-desktop
+    monero-gui
+
+    tor-browser-bundle-bin
+    brave
+
+    tdesktop
+    element-desktop
+    mumble
+    discord
+
+    kleopatra
+    gnupg
+    gopass
+    xclip
+
+    kdeplasma-addons
+    ark
+    kate
+    kmail
+    kdePackages.kdeconnect-kde
+    okular
+    yakuake
+    konversation
+    gwenview
+    kcalc
+    spectacle
+    kinfocenter
+    kile
+    (texlive.combine {
+      inherit (texlive) scheme-small titling collection-langfrench cm-super;
+    })
+
+    libsForQt5.breeze-gtk
+
+    libreoffice
+
+    gimp
+    inkscape
+    imagemagick
+    obs-studio
+    vlc
+    mpv
+    kdenlive
+
+    glxinfo
+    i7z
+    pavucontrol
+  ];
+
+  i18n = {
+    defaultLocale = "fr_FR.UTF-8";
+  };
+
+  console.keyMap = "fr";
+
+  networking.networkmanager.enable = true;
+
+  systemd.extraConfig = "DefaultLimitNOFILE=1048576";
+
+  security = {
+    pam.loginLimits = [{
+      domain = "*";
+      type = "hard";
+      item = "nofile";
+      value = "1048576";
+    }];
+    rtkit.enable = true;
+  };
+
+  programs = {
+    gnupg.agent = { enable = true; enableSSHSupport = true; };
+    browserpass.enable = true;
+    steam.enable = true;
+    firefox.enable = true;
+    appimage.enable = true;
+  };
+
+  services = {
+    # desktopManager.plasma6.enable = true;
+    displayManager = {
+      sddm = {
+        enable = true;
+        # wayland.enable = true;
+        autoLogin.relogin = true;
+      };
+    };
+    xserver = {
+      enable = true;
+      xkb.layout = "fr";
+      exportConfiguration = true;
+      desktopManager.plasma5.enable = true;
+    };
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      extraConfig.pipewire = {
+      "10-clock-rate" = {
+        "context.properties" = {
+          "default.clock.allowed-rates"  = [ 48000 ];
+        };
+      };
+    };
+    };
+    udev.packages = with pkgs; [ ledger-udev-rules ];
+    pcscd.enable = true;
+  };
+
+  environment.etc = {
+    "mpv/mpv.conf" = {
+      text = ''
+        profile=gpu-hq
+        scale=ewa_lanczossharp
+        cscale=ewa_lanczossharp
+        video-sync=display-resample
+        interpolation
+        tscale=oversample
+      '';
+    };
+    # CK3 fix
+    "ssl/certs/f387163d.0".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/Starfield_Class_2_CA.crt";
+  };
+}
--- a/systems/common.nix
+++ b/systems/common.nix
@ -1,93 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-
-  time.timeZone = "Europe/Paris";
-
-  nixpkgs.overlays = [
-    (import ../overlays/sudo.nix)
-    (import ../overlays/neovim.nix)
-  ];
-
-  nixpkgs.config.allowUnfree = true;
-  environment.systemPackages = with pkgs; [
-    # Editeurs
-    neovim
-
-    # Gestionnaires de version
-    gitFull
-    tig
-
-    # Gestion de paquets
-    nix-prefetch-scripts
-    nox
-    nix-index
-
-    # Système
-    smartmontools
-    htop
-    lshw
-    usbutils
-
-    # Réseau
-    telnet
-    rclone
-    lftp
-    wireguard
-    nfsUtils
-    nmap
-
-    # Divers
-    fzf
-    file
-    ncdu
-    youtube-dl
-    tldr
-
-    # Audio
-    beets
-
-    # Outils
-    borgbackup
-
-    # Développement
-    openssl
-  ];
-
-  programs.tmux = {
-    enable = true;
-    clock24 = true;
-  };
-
-  users.defaultUserShell = pkgs.zsh;
-  programs.zsh = {
-    enable = true;
-    autosuggestions.enable = true;
-    enableCompletion = true;
-    syntaxHighlighting.enable = true;
-    interactiveShellInit = ''
-      source "$(${pkgs.fzf}/bin/fzf-share)/key-bindings.zsh"
-    '';
-    ohMyZsh = {
-      enable = true;
-      plugins = [ "git" "colored-man-pages" "command-not-found" "extract" "nix" ];
-      customPkgs = with pkgs;[
-        spaceship-prompt
-        nix-zsh-completions
-      ];
-      theme = "spaceship";
-    };
-  };
-
-  environment.variables = {
-    EDITOR = "nvim";
-    SPACESHIP_TIME_SHOW = "true";
-    SPACESHIP_BATTERY_THRESHOLD = "50";
-    SPACESHIP_EXIT_CODE_SHOW = "true";
-  };
-
-  nix.gc.automatic = true;
-  nix.gc.options = "--delete-older-than 15d";
-  systemd.timers.nix-gc.timerConfig.Persistent = true;
-
-}