zigbee2mqtt: set stable usb serial path

clean old config
allow ipv4 forwarding needed by NAT
2025-01-08 22:24:19 +01:00 · 2025-01-07 16:42:37 +01:00 · 2025-01-07 16:00:50 +01:00 · 2025-01-07 16:00:26 +01:00 · 2025-01-06 15:44:21 +01:00 · 2025-01-03 14:56:07 +01:00
37 changed files with 2069 additions and 1704 deletions
--- a/containers/vsftpd.nix
+++ b/containers/vsftpd.nix
@ -1,49 +0,0 @@
 { config, pkgs, ... }:
 {
  containers.vsftpd = {
    autoStart = true;
    config =
      { config, pkgs, ... }:
      {
        nixpkgs.overlays = [
          (import ../overlays/vsftpd.nix)
        ];
        services.vsftpd = {
          enable = true;
          forceLocalLoginsSSL = true;
          forceLocalDataSSL = true;
          userlistDeny = false;
          localUsers = true;
          userlist = ["claire" "manu"];
          rsaCertFile = "/var/vsftpd/vsftpd.pem";
          extraConfig = ''
            pasv_min_port=64000
            pasv_max_port=65535
            local_root=/mnt/medias
          '';
        };
        users.extraUsers = {
          claire = {
            isNormalUser = true;
            hashedPassword = "$6$Mu47EjsbNTewDkRp$XeQh6rcdvb3BUXzsGqekKImLTrMgnN0VyERoSbpI4rMPlx8oHM9NNeHZtfIiLEaZGtQ9otnbLa54jYse5Iwev1";
            description = "Claire TREHIOU";
          };
          manu = {
            isNormalUser = true;
            hashedPassword = "$6$YGNIdGEclo$JcUotBS6hqlpENjjUeYhDjtrwxu10oARF4Nq4tEo072Sumr3Rl/w3ZXSHI5/3RxfvUMmJ4ulUVctBLhwrqP.g0";
            description = "Emmanuel ZENNER";
          };
        };
      };
    bindMounts = {
      "/var/vsftpd/vsftpd.pem" = {
        hostPath = "/var/vsftpd/vsftpd.pem";
      };
      "/mnt/medias" = {
        hostPath = "/mnt/medias";
      };
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,162 @@
 {
  "nodes": {
    "blobs": {
      "flake": false,
      "locked": {
        "lastModified": 1604995301,
        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "type": "gitlab"
      }
    },
    "dogetipbot-telegram": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730148450,
        "narHash": "sha256-CSxPIeDqavQ3fJhshuNs0oS84P1p87BsbNoashKlrKg=",
        "owner": "nyanloutre",
        "repo": "dogetipbot-telegram",
        "rev": "667e318212920005917792b06e0f480b421fa6d3",
        "type": "gitlab"
      },
      "original": {
        "owner": "nyanloutre",
        "ref": "master",
        "repo": "dogetipbot-telegram",
        "type": "gitlab"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "ipmihddtemp": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1635966341,
        "narHash": "sha256-Y70jZPL3/fY8SzkPnpw9Ta411zbbkJ1D3qOYJ76zuIA=",
        "owner": "nyanloutre",
        "repo": "ipmihddtemp",
        "rev": "6fe5d14f588956dfff89716f81b8101c7a94cd6d",
        "type": "gitlab"
      },
      "original": {
        "owner": "nyanloutre",
        "ref": "master",
        "repo": "ipmihddtemp",
        "type": "gitlab"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1735669367,
        "narHash": "sha256-tfYRbFhMOnYaM4ippqqid3BaLOXoFNdImrfBfCp4zn0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "edf04b75c13c2ac0e54df5ec5c543e300f76f1c9",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-24.11",
        "type": "indirect"
      }
    },
    "nixpkgs-4a3fc4cf7": {
      "locked": {
        "lastModified": 1716914467,
        "narHash": "sha256-KkT6YM/yNQqirtYj/frn6RRakliB8RDvGqVGGaNhdcU=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1735471104,
        "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-unstable",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "dogetipbot-telegram": "dogetipbot-telegram",
        "ipmihddtemp": "ipmihddtemp",
        "nixpkgs": "nixpkgs",
        "nixpkgs-4a3fc4cf7": "nixpkgs-4a3fc4cf7",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "simple-nixos-mailserver": "simple-nixos-mailserver"
      }
    },
    "simple-nixos-mailserver": {
      "inputs": {
        "blobs": "blobs",
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
        "nixpkgs-24_11": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1734884447,
        "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
        "rev": "63209b1def2c9fc891ad271f474a3464a5833294",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "ref": "nixos-24.11",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,110 @@
 {
  inputs = {
    nixpkgs.url = "flake:nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "flake:nixpkgs/nixos-unstable";
    # transmission 4.0.5 downgrade to fix tracker bug
    nixpkgs-4a3fc4cf7.url = "github:nixos/nixpkgs/4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4";
    simple-nixos-mailserver = {
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
      inputs = {
        nixpkgs.follows = "nixpkgs-unstable";
        nixpkgs-24_11.follows = "nixpkgs";
      };
    };
    dogetipbot-telegram = {
      url = "gitlab:nyanloutre/dogetipbot-telegram/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ipmihddtemp = {
      url = "gitlab:nyanloutre/ipmihddtemp/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = {
    self,
    nixpkgs,
    nixpkgs-unstable,
    nixpkgs-4a3fc4cf7,
    simple-nixos-mailserver,
    dogetipbot-telegram,
    ipmihddtemp
  }@inputs: {
    packages.x86_64-linux = (import ./pkgs nixpkgs.legacyPackages.x86_64-linux);
    nixosConfigurations.paul-fixe = nixpkgs-unstable.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        nixpkgs-unstable.nixosModules.notDetected
        {
          nixpkgs.config.allowUnfree = true;
          nix = {
            settings.experimental-features = [ "nix-command" "flakes" ];
            registry = {
              nixpkgs.to = {
                type = "path";
                path = nixpkgs-unstable.legacyPackages.x86_64-linux.path;
              };
            };
          };
        }
        ./systems/PC-Fixe/configuration.nix
      ];
    };
    nixosConfigurations.loutreos = nixpkgs.lib.nixosSystem rec {
      system = "x86_64-linux";
      specialArgs = {
        inputs = inputs;
        pkgs-unstable = import nixpkgs-unstable {
          inherit system;
          config.permittedInsecurePackages = [
            "aspnetcore-runtime-6.0.36"
            "aspnetcore-runtime-wrapped-6.0.36"
            "dotnet-sdk-6.0.428"
            "dotnet-sdk-wrapped-6.0.428"
          ];
        };
        pkgs-4a3fc4cf7 = import nixpkgs-4a3fc4cf7 {
          inherit system;
        };
      };
      modules = [
        nixpkgs-unstable.nixosModules.notDetected
        simple-nixos-mailserver.nixosModule
        dogetipbot-telegram.nixosModule
        ipmihddtemp.nixosModule
        {
          nix = {
            settings.experimental-features = [ "nix-command" "flakes" ];
            registry = {
              nixpkgs.to = {
                type = "path";
                path = nixpkgs.legacyPackages.x86_64-linux.path;
              };
            };
          };
          systemd.services.watcharr = {
            description = "Watcharr";
            after = [ "network.target" ];
            environment = {
              PORT = "3005";
              WATCHARR_DATA = "/var/lib/watcharr";
            };
            serviceConfig = {
              DynamicUser = true;
              StateDirectory = "watcharr";
              ExecStart = "${self.packages.x86_64-linux.watcharr}/bin/Watcharr";
              PrivateTmp = true;
            };
            wantedBy = [ "multi-user.target" ];
          };
        }
        ./systems/LoutreOS/configuration.nix
      ];
    };
  };
 }
--- a/overlays/dogetipbot-telegram.nix
+++ b/overlays/dogetipbot-telegram.nix
@ -1,9 +0,0 @@
 self: super:
 {
  dogetipbot-telegram = super.callPackage (super.fetchgit {
    url = "https://gitlab.com/nyanloutre/dogetipbot-telegram.git";
    rev = "3bf1c89aaccded42ce41452c72f7ebf6d4d056ca";
    sha256 = "1gd1wi054ihbxanvj1ac7mz5ghnxab89a0r3i4hy482sglbxqcih";
  }) { pkgs = self; };
 }
--- a/overlays/ledger-udev-rules.nix
+++ b/overlays/ledger-udev-rules.nix
@ -1,18 +0,0 @@
 self: super:
 {
  ledger-udev-rules = super.writeTextFile {
    name = "ledger-udev-rules";
    text = ''
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="2b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="3b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="4b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1807", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1808", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
      SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001", MODE="0660", TAG+="uaccess", TAG+="udev-acl", GROUP="users"
    '';
    destination = "/etc/udev/rules.d/99-ledger.rules";
  };
 }
--- a/overlays/neovim.nix
+++ b/overlays/neovim.nix
@ -1,22 +0,0 @@
 self: super:
 {
  neovim = super.neovim.override {
    viAlias = true;
    vimAlias = true;
    configure = {
      customRC = ''
        set shiftwidth=2
        set softtabstop=2
        set expandtab
        set background=dark
      '';
      packages.myVimPackage = with super.vimPlugins; {
        start = [
          vim-startify  airline             sensible
          polyglot      ale                 fugitive
        ];
        opt = [ ];
      };
    };
  };
 } 
--- a/overlays/riot-web.nix
+++ b/overlays/riot-web.nix
@ -1,13 +0,0 @@
 self: super:
 {
  riot-web = super.riot-web.override {
    conf = ''
      {
        "default_hs_url": "https://matrix.nyanlout.re",
        "default_is_url": "https://vector.im",
        "brand": "Nyanloutre",
        "default_theme": "dark"
      }
    '';
  };
 } 
--- a/overlays/sudo.nix
+++ b/overlays/sudo.nix
@ -1,6 +0,0 @@
 self: super:
 {
  sudo = super.sudo.override {
    withInsults = true;
  };
 } 
--- a/overlays/vsftpd.nix
+++ b/overlays/vsftpd.nix
@ -1,6 +0,0 @@
 self: super:
 {
  vsftpd = super.vsftpd.override {
    sslEnable = true;
  };
 } 
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -0,0 +1,3 @@
 pkgs: {
  watcharr = pkgs.callPackage ./watcharr { };
 }
--- a/pkgs/site-max/default.nix
+++ b/pkgs/site-max/default.nix
@ -1,30 +0,0 @@
 { lib, stdenv, fetchFromGitHub, sassc }:
 stdenv.mkDerivation rec {
  name= "site-max-${version}";
  version = "1.0.1";
  src = fetchFromGitHub {
    owner = "nyanloutre";
    repo = "site-max";
    rev = "85e30457291e6a1dfe85a5d7a78f226657bad279";
    sha256 = "0fj5w43gcvp0gq0xlknrf6yp0b48wg01686wp02fjc9npm424g0v";
  };
  buildPhase = ''
    ${sassc}/bin/sassc -m auto -t compressed scss/creative.scss css/creative.css
  '';
  installPhase = ''
    mkdir -p $out/
    cp -R . $out/
  '';
  meta = {
    description = "Site de présentation de Max Spiegel";
    homepage = https://maxspiegel.fr/;
    maintainers = with stdenv.lib.maintainers; [ nyanloutre ];
    license = stdenv.lib.licenses.cc-by-nc-sa-40;
    platforms = stdenv.lib.platforms.all;
  };
 }
--- a/pkgs/watcharr/default.nix
+++ b/pkgs/watcharr/default.nix
@ -0,0 +1,64 @@
 { lib
 , pkgs
 , buildGoModule
 , fetchFromGitHub
 , buildNpmPackage
 , nixosTests
 , caddy
 , testers
 , installShellFiles
 , stdenv
 }:
 let
  version = "1.41.0";
  src = fetchFromGitHub {
    owner = "sbondCo";
    repo = "Watcharr";
    rev = "v${version}";
    hash = "sha256-ZvCxgfZZ9pbp+NvH+IhWphJWnAwgAH0x/REPd/XxJ70=";
  };
  frontend = buildNpmPackage {
    pname = "watcharr-ui";
    inherit version src;
    npmDepsHash = "sha256-73paI0y4QyzkEnU99f1HeLD/hW8GP3F9N8tGGQnloH8=";
    installPhase = ''
      cp -r build $out
      cp package.json package-lock.json $out
      cd $out && npm ci --omit=dev
    '';
  };
 in
 buildGoModule {
  pname = "watcharr";
  inherit version;
  src = src + "/server";
  vendorHash = "sha256-86pFpS8ZSj+c7vwn0QCwzXlvVYJIf3SBj4X81zlwBWQ=";
  # Inject frontend assets into go embed
  prePatch = ''
    # rm -rf ui
    # ln -s ${frontend} ui
    substituteInPlace watcharr.go \
        --replace-fail ui/index.js ${frontend}/index.js \
        --replace-fail \"127.0.0.1:3000\" "\"127.0.0.1:\"+os.Getenv(\"PORT\")"
  '';
  buildInputs = [ pkgs.makeWrapper ];
  postFixup = ''
    wrapProgram "$out/bin/Watcharr" --prefix PATH : "${lib.makeBinPath [ pkgs.nodejs ]}"
  '';
  meta = with lib; {
    homepage = "https://watcharr.app/";
    description = "Open source, self-hostable watched list for all your content with user authentication, modern and clean UI and a very simple setup";
    license = licenses.asl20;
    # mainProgram = "caddy";
    maintainers = with maintainers; [ nyanloutre ];
  };
 }
--- a/services/auto-pr.nix
+++ b/services/auto-pr.nix
@ -1,44 +0,0 @@
 {lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.auto-pr;
 in
 {
  options.services.auto-pr = {
    enable = mkEnableOption "Cron job PR mise à jour automatique";
  };
  config = mkIf cfg.enable {
    systemd.services.auto-pr-bot = {
      description = "Création d'un PR si mise à jour";
      requires = ["network-online.target"];
      environment = { HOME = "/var/lib/auto-pr-bot"; };
      serviceConfig = {
        DynamicUser = true;
        CacheDirectory = "auto-pr-bot";
        StateDirectory = "auto-pr-bot";
        Type = "oneshot";
        ExecStart = with pkgs;
          let env = python3Packages.python.buildEnv.override {
            extraLibs = [ python3Packages.PyGithub python3Packages.pyjwt python3Packages.colorama ];
            ignoreCollisions = true;
          };
        in "${pkgs.writeShellScriptBin "run.sh" ''
          ${env}/bin/python ${pkgs.writeScript "pr-autobot.py" "${readFile ./pr-autobot.py}"} --private-key /var/lib/auto-pr-bot/private-key.pem --app-id 19565 --installation-id 407088 --repo nyanloutre/nixpkgs --cache-dir /var/cache/auto-pr-bot
        ''}/bin/run.sh";
      };
    };
    systemd.timers.auto-pr-bot = {
      description = "Timer auto PR bot";
      requires = ["network-online.target"];
      wantedBy = ["multi-user.target"];
      timerConfig = { OnCalendar = "daily"; Unit = "auto-pr-bot.service"; };
    };
  };
 }
--- a/services/haproxy-acme.nix
+++ b/services/haproxy-acme.nix
@ -1,149 +0,0 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.haproxy-acme;
  nginx_port = 54321;
  haproxyConf = ''
    global
      log /dev/log local0
      log /dev/log local1 notice
      user haproxy
      group haproxy
      ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    defaults
      option forwardfor
      option http-server-close
      timeout client 10s
      timeout connect 4s
      timeout server 30s
    userlist LOUTRE
      user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.
    frontend public
      bind :::80 v4v6
      bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
      mode http
      acl letsencrypt-acl path_beg /.well-known/acme-challenge/
      acl haproxy-acl path_beg /haproxy
      redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
      http-response set-header Strict-Transport-Security max-age=15768000
      use_backend letsencrypt-backend if letsencrypt-acl
      use_backend haproxy_stats if haproxy-acl
    ${concatStrings (
      mapAttrsToList (name: value:
        "  acl ${name}-acl hdr(host) -i ${name}\n"
      + "  use_backend ${name}-backend if ${name}-acl\n"
      ) cfg.services)}
    backend letsencrypt-backend
      mode http
      server letsencrypt 127.0.0.1:${toString nginx_port}
    backend haproxy_stats
      mode http
      stats enable
      stats hide-version
      acl AuthOK_LOUTRE http_auth(LOUTRE)
      http-request auth realm LOUTRE if !AuthOK_LOUTRE
    ${concatStrings (
      mapAttrsToList (name: value:
        ''
        backend ${name}-backend
          mode http
          ${(
            if value.socket == "" then
              ''
                server ${name} ${value.ip}:${toString value.port}
              ''
            else
              ''
                server ${name} ${value.socket}
              ''
          )}
          ${(if value.auth then (
          value.extraAcls
          + ''
              acl AUTH_OK http_auth(LOUTRE)
              http-request auth realm LOUTRE if ${value.aclBool}
            ''
          ) else "")}
        ''
      ) cfg.services)}
  '';
 in
 {
  options.services.haproxy-acme = {
    enable = mkEnableOption "HAproxy + ACME";
    domaine = mkOption {
      type = types.string;
      example = "example.com";
      description = ''
        Sous domaine à utiliser
        Il est necessaire d'avoir un enregistrement pointant sur la wildcard de ce domaine vers le serveur
      '';
    };
    services = mkOption {
      type = with types; attrsOf (submodule { options = {
        ip = mkOption { type = str; description = "IP address"; };
        port = mkOption { type = int; description = "Port number"; };
        socket = mkOption { type = str; description = "Emplacement du socket"; default = ""; };
        auth = mkOption { type = bool; description = "Enable authentification"; default = false; };
        extraAcls = mkOption { type = str; description = "ACL HaProxy suplémentaires"; default = ""; };
        aclBool = mkOption { type = str; description = "Logique d'authentification"; default = "!AUTH_OK"; };
      }; });
      example = ''
        haproxy_backends = {
          example = { ip = "127.0.0.1"; port = 1234; auth = false; };
        };
      '';
      description = "Liste des noms de domaines associés à leur backend";
    };
  };
  config = mkIf cfg.enable {
    services.haproxy.enable = true;
    services.haproxy.config = haproxyConf;
    services.nginx.enable = true;
    services.nginx.virtualHosts = {
      "acme" = {
        listen = [ { addr = "127.0.0.1"; port = nginx_port; } ];
        locations = { "/" = { root = "/var/www/challenges"; }; };
      };
    };
    security.acme.certs = {
      ${cfg.domaine} = {
        extraDomains = mapAttrs' (name: value:
          nameValuePair ("${name}") (null)
        ) cfg.services;
        webroot = "/var/www/challenges";
        email = "paul@nyanlout.re";
        user = "haproxy";
        group = "haproxy";
        postRun = ''
          systemctl reload haproxy.service
        '';
      };
    };
    security.acme.directory = "/var/lib/acme";
    networking.firewall.allowedTCPPorts = [
      80 443
    ];
  };
 }
--- a/services/mail-server.nix
+++ b/services/mail-server.nix
@ -1,67 +0,0 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.mailserver;
 in
 {
  options.services.mailserver = {
    enable = mkEnableOption "Mail Server";
    domaine = mkOption {
      type = types.string;
      example = "example.com";
      description = "Nom de domaine du serveur de mails";
    };
  };
  imports = [
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz";
      sha256 = "0gqzgy50hgb5zmdjiffaqp277a68564vflfpjvk1gv6079zahksc";
    })
  ];
  config = mkIf cfg.enable {
    mailserver = {
      enable = true;
      fqdn = "mail.${cfg.domaine}";
      domains = [ cfg.domaine ];
      # A list of all login accounts. To create the password hashes, use
      # mkpasswd -m sha-512 "super secret password"
      loginAccounts = {
        "paul@${cfg.domaine}" = {
          hashedPassword = "$6$8wWQbtqVqUoH8$pQKg0bZPcjCbuPvyhjJ1lQy949M/AgfmAye/hDEIVUnCfwtlUxC1yj8CBHpNKeiiXhd8IUqk9r0/IJNvB6okf0";
        };
      };
      # Certificate setup
      certificateScheme = 1;
      certificateFile = "/var/lib/acme/${cfg.domaine}/fullchain.pem";
      keyFile = "/var/lib/acme/${cfg.domaine}/key.pem";
      # Enable IMAP and POP3
      enableImap = true;
      enablePop3 = true;
      enableImapSsl = true;
      enablePop3Ssl = true;
      # Enable the ManageSieve protocol
      enableManageSieve = true;
    };
    security.acme.certs = {
      "${cfg.domaine}" = {
        extraDomains = {
          "mail.${cfg.domaine}" = null;
        };
        postRun = ''
          systemctl reload dovecot2.service
        '';
      };
    };
  };
 }
--- a/services/pr-autobot.py
+++ b/services/pr-autobot.py
@ -1,74 +0,0 @@
 #!/usr/bin/env python
 import jwt, time, urllib.request, json, datetime, argparse, sys, textwrap
 from github import Github
 from colorama import Fore, Style
 from time import sleep
 parser = argparse.ArgumentParser(description='Create PR to update nixpkgs fork')
 parser.add_argument('--private-key')
 parser.add_argument('--app-id')
 parser.add_argument('--installation-id')
 parser.add_argument('--repo')
 parser.add_argument('--cache-dir')
 args = vars(parser.parse_args())
 channel_req = urllib.request.Request(url='https://nixos.org/channels/nixos-18.09/git-revision')
 latest_commit = urllib.request.urlopen(channel_req).read().decode('utf-8')
 try:
    previous_commit = open(args['cache_dir'] + '/git-revision', 'r').read()
 except FileNotFoundError:
    open(args['cache_dir'] + '/git-revision', 'w').write(latest_commit)
    print("Premier lancement, le hash du dernier commit à été sauvegardé")
    sys.exit(0)
 print("Dernier commit : " + latest_commit)
 print("Commit précédent : " + previous_commit)
 if latest_commit != previous_commit:
    bearer_token = jwt.encode({
                                'iat': int(time.time()),
                                'exp': int(time.time()) + (10 * 60),
                                'iss': args['app_id']
                              },
                              open(args['private_key'],"r").read(),
                              algorithm='RS256')
    req = urllib.request.Request(url='https://api.github.com/app/installations/' +
                                    args['installation_id'] +
                                    '/access_tokens',
                                 method='POST')
    req.add_header('Authorization', 'Bearer ' + bearer_token.decode('utf-8'))
    req.add_header('Accept', 'application/vnd.github.machine-man-preview+json')
    token = json.loads(urllib.request.urlopen(req).read().decode('utf-8'))['token']
    g = Github(token)
    repo = g.get_repo(args['repo'])
    branch = "upgrade-" + datetime.datetime.now().strftime('%Y-%m-%d') + '-' + latest_commit[:11];
    repo.create_git_ref('refs/heads/' + branch, latest_commit)
    pr_message = textwrap.dedent("""\
                    ### Pull request automatique
                    ### Avancement mise à jour
                    - [ ] Fusionner la branche
                 """)
    pr = repo.create_pull(title=branch, body=pr_message, base='nixos-18.09', head=branch)
    print("Pull request numéro " + str(pr.number) + " créée")
    print("URL : " + pr.html_url)
    while pr.mergeable == None:
        pr = repo.get_pull(pr.number)
        sleep(1)
    pr.edit(body = pr.body + "\n- [ ] Exécuter `nixos-rebuild -I nixpkgs=https://github.com/nyanloutre/nixpkgs/archive/" + pr.merge_commit_sha + ".tar.gz switch`")
    print("État : " + ((Fore.GREEN + "Fusionnable") if pr.mergeable else (Fore.RED + "Conflit")) + Style.RESET_ALL)
    open(args['cache_dir'] + '/git-revision', 'w').write(latest_commit)
 else:
    print(Fore.GREEN + "Aucun changement détecté" + Style.RESET_ALL)
--- a/services/python-ci.nix
+++ b/services/python-ci.nix
@ -1,41 +0,0 @@
 {lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.python-ci;
 in
 {
  options.services.python-ci = {
    enable = mkEnableOption "Service de CI Nix écrit en Python";
  };
  config = mkIf cfg.enable {
    systemd.services.python-ci = {
      description = "CI Nix en Python";
      requires = ["network-online.target"];
      wantedBy = ["multi-user.target"];
      environment = { HOME = "/var/lib/python-ci"; NIX_PATH = concatStringsSep ":" config.nix.nixPath; NIXPKGS_ALLOW_UNFREE = "1";};
      path = with pkgs;[ nix gnutar gzip ];
      serviceConfig = {
        DynamicUser = true;
        StateDirectory = "python-ci";
        RuntimeDirectory = "python-ci";
        RuntimeDirectoryPreserve = "yes";
        ExecStart = with pkgs;
        let env = python3Packages.python.buildEnv.override {
          extraLibs = with python3Packages;[ pyramid python-gitlab ];
          ignoreCollisions = true;
        };
        in "${pkgs.writeShellScriptBin "run.sh" ''
          ${env}/bin/python ${pkgs.writeScript "python-ci.py" "${readFile ./python-ci.py}"} --port 52350 \
              --secret /var/lib/python-ci/secret --gitlab-token /var/lib/python-ci/gitlab_token \
              --gitea-token /var/lib/python-ci/gitea_token --output /run/python-ci
        ''}/bin/run.sh";
      };
    };
  };
 }
--- a/services/python-ci.py
+++ b/services/python-ci.py
@ -1,153 +0,0 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i python3 -p "python3.withPackages(ps: [ps.pyramid ps.python-gitlab])"
 from wsgiref.simple_server import make_server
 from pyramid.config import Configurator
 from pyramid.view import view_config, view_defaults
 from pyramid.httpexceptions import HTTPNotFound
 from subprocess import check_call, CalledProcessError
 import urllib.request
 import tarfile
 from tempfile import TemporaryDirectory
 from multiprocessing import Pool
 from gitlab import Gitlab
 import urllib.request
 import json
 import argparse
 def gitlab_build(payload, gl):
    commit = gl.projects.get(payload['project']['path_with_namespace']).commits.get(payload['checkout_sha'])
    commit.statuses.create({'state': 'running', 'name': 'Python CI'})
    print("push from " + payload['user_name'])
    print("repo: " + payload['project']['path_with_namespace'])
    print("commit: " + payload['checkout_sha'])
    temp_dir = TemporaryDirectory()
    repo_dir = temp_dir.name + '/' + payload['project']['name'] + '-' + payload['checkout_sha']
    archive_url = payload['project']['web_url'] + '/-/archive/' + payload['checkout_sha'] + \
                  '/' + payload['project']['name'] + '-' + payload['checkout_sha'] + '.tar.gz'
    with urllib.request.urlopen(archive_url) as gitlab_archive:
        with tarfile.open(fileobj=gitlab_archive, mode='r|gz') as gitlab_repo_files:
            gitlab_repo_files.extractall(path=temp_dir.name)
    check_call(['ls', '-lha', repo_dir])
    try:
        check_call(['nix-build', '-o', args.output + '/' + payload['project']['path_with_namespace'], repo_dir])
    except CalledProcessError:
        commit.statuses.create({'state': 'failed', 'name': 'Python CI'})
        print("erreur build")
    else:
        commit.statuses.create({'state': 'success', 'name': 'Python CI'})
        print("build terminé")
@view_defaults(
        route_name="gitlab_payload", renderer="json", request_method="POST"
 )
 class GitlabHook(object):
    def __init__(self, request):
        self.request = request
        self.payload = self.request.json
        self.whitelist = ['nyanloutre/site-musique']
        self.secret = open(args.secret, 'r').readline().splitlines()[0]
        self.gitlab_token = open(args.gitlab_token, 'r').readline().splitlines()[0]
        self.gl = Gitlab('https://gitlab.com', private_token=self.gitlab_token)
    @view_config(header="X-Gitlab-Event:Push Hook")
    def push_hook(self):
        if self.payload['project']['path_with_namespace'] in self.whitelist and self.request.headers['X-Gitlab-Token'] == self.secret:
            self.gl.projects.get(self.payload['project']['path_with_namespace']).commits.get(self.payload['checkout_sha']).statuses.create({'state': 'pending', 'name': 'Python CI'})
            pool.apply_async(gitlab_build, (self.payload, self.gl))
            return "build started"
        else:
            raise HTTPNotFound
 def gitea_status_update(repo, commit, token, status):
    url = 'https://gitea.nyanlout.re/api/v1/repos/' + repo + '/statuses/' + commit
    print(url)
    req = urllib.request.Request(url)
    req.add_header('Content-Type', 'application/json; charset=utf-8')
    req.add_header('accept', 'application/json')
    req.add_header('Authorization', 'token ' + token)
    jsondata = json.dumps({'state': status}).encode('utf-8')
    req.add_header('Content-Length', len(jsondata))
    urllib.request.urlopen(req, jsondata)
 def gitea_build(payload, token):
    commit = payload['after']
    repo = payload['repository']['full_name']
    gitea_status_update(repo, commit, token, 'pending')
    print("push from " + payload['pusher']['username'])
    print("repo: " + repo)
    print("commit: " + commit)
    temp_dir = TemporaryDirectory()
    repo_dir = temp_dir.name + '/' + payload['repository']['name']
    archive_url = payload['repository']['html_url'] + '/archive/' + commit + '.tar.gz'
    with urllib.request.urlopen(archive_url) as gitea_archive:
        with tarfile.open(fileobj=gitea_archive, mode='r|gz') as gitea_repo_files:
            gitea_repo_files.extractall(path=temp_dir.name)
    check_call(['ls', '-lha', repo_dir])
    try:
        check_call(['nix-build', '-o', args.output + '/' + repo, repo_dir])
    except CalledProcessError:
        gitea_status_update(repo, commit, token, 'failure')
        print("erreur build")
    else:
        gitea_status_update(repo, commit, token, 'success')
        print("build terminé")
@view_defaults(
        route_name="gitea_payload", renderer="json", request_method="POST"
 )
 class GiteaHook(object):
    def __init__(self, request):
        self.request = request
        self.payload = self.request.json
        self.whitelist = ['nyanloutre/site-musique', 'nyanloutre/site-max']
        self.secret = open(args.secret, 'r').readline().splitlines()[0]
        self.gitea_token = open(args.gitea_token, 'r').readline().splitlines()[0]
    @view_config(header="X-Gitea-Event:push")
    def push_hook(self):
        if self.payload['repository']['full_name'] in self.whitelist and self.payload['secret'] == self.secret:
            pool.apply_async(gitea_build, (self.payload, self.gitea_token))
            return "build started"
        else:
            raise HTTPNotFound
 if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CI server')
    parser.add_argument('--address', help='listening address', default='127.0.0.1')
    parser.add_argument('--port', type=int, help='listening port')
    parser.add_argument('--output', help='output directory')
    parser.add_argument('--secret', help='repo secret file')
    parser.add_argument('--gitlab-token', help='gitlab token file')
    parser.add_argument('--gitea-token', help='gitea token file')
    args = parser.parse_args()
    pool = Pool(1)
    config = Configurator()
    config.add_route("gitlab_payload", "/gitlab_payload")
    config.add_route("gitea_payload", "/gitea_payload")
    config.scan()
    app = config.make_wsgi_app()
    server = make_server(args.address, args.port, app)
    print('listening ...')
    server.serve_forever()
--- a/services/sdtdserver.nix
+++ b/services/sdtdserver.nix
@ -1,120 +0,0 @@
 {lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.sdtdserver;
  gamePath = "/var/lib/sdtdserver";
  gameOptions = {
    ServerPort="26900";
    ServerVisibility="2";
    ServerName="Serveur des loutres";
    ServerPassword="";
    ServerMaxPlayerCount="16";
    ServerReservedSlots="0";
    ServerReservedSlotsPermission="100";
    ServerAdminSlots="0";
    ServerAdminSlotsPermission="0";
    ServerDescription="Un serveur idiot anti gilets jaunes";
    ServerWebsiteURL="";
    ServerDisabledNetworkProtocols="";
    GameWorld="Navezgane";
    WorldGenSeed="Lakeu";
    WorldGenSize="4096";
    GameName="Lakeu";
    GameDifficulty="2";
    GameMode="GameModeSurvival";
    ZombiesRun="0";
    ZombieMove="0";
    ZombieMoveNight="3";
    ZombieFeralMove="3";
    ZombieBMMove="3";
    BuildCreate="false";
    DayNightLength="60";
    DayLightLength="18";
    PlayerKillingMode="3";
    PersistentPlayerProfiles="false";
    PlayerSafeZoneLevel="5";
    PlayerSafeZoneHours="5";
    ControlPanelEnabled="false";
    ControlPanelPort="8080";
    ControlPanelPassword="CHANGEME";
    TelnetEnabled="false";
    TelnetPort="8081";
    TelnetPassword="";
    TelnetFailedLoginLimit="10";
    TelnetFailedLoginsBlocktime="10";
    TerminalWindowEnabled="false";
    AdminFileName="serveradmin.xml";
    DropOnDeath="0";
    DropOnQuit="0";
    BloodMoonEnemyCount="8";
    EnemySpawnMode="true";
    EnemyDifficulty="0";
    BlockDurabilityModifier="100";
    LootAbundance="100";
    LootRespawnDays="30";
    LandClaimSize="41";
    LandClaimDeadZone="30";
    LandClaimExpiryTime="3";
    LandClaimDecayMode="0";
    LandClaimOnlineDurabilityModifier="4";
    LandClaimOfflineDurabilityModifier="4";
    PartySharedKillRange="100";
    AirDropFrequency="72";
    AirDropMarker="false";
    MaxSpawnedZombies="60";
    MaxSpawnedAnimals="50";
    EACEnabled="true";
    HideCommandExecutionLog="0";
    MaxUncoveredMapChunksPerPlayer="131072";
    BedrollDeadZoneSize="15";
    ServerLoginConfirmationText="Prout";
  };
  gameConfig = builtins.toFile "serverconfig.xml" ''
    <?xml version="1.0"?>
    <ServerSettings>
    ${concatStrings (
      mapAttrsToList (name: value:
       "  <property name=\"${name}\"	value=\"${value}\"/>\n"
    ) gameOptions)}
    </ServerSettings>
  '';
 in
 {
  options.services.sdtdserver = {
    enable = mkEnableOption "Activation du serveur dédié 7 Days to Die";
  };
  config = mkIf cfg.enable {
    systemd.services.sdtdserver = {
      description = "Serveur dédié 7 Days to Die";
      requires = ["network-online.target"];
      wantedBy = ["multi-user.target"];
      environment = { HOME = gamePath; };
      serviceConfig = {
        DynamicUser = true;
        StateDirectory = "sdtdserver";
      };
      preStart = let
        libPath = with pkgs; lib.makeLibraryPath [
          stdenv.cc.cc.lib
        ];
      in ''
        ${pkgs.steamcmd}/bin/steamcmd +login anonymous +force_install_dir ${gamePath} +app_update 294420 validate +quit
        install -m666 ${gameConfig} ${gamePath}/serverconfig.xml
      '';
      script = ''
        ${pkgs.steam-run}/bin/steam-run ${gamePath}/7DaysToDieServer.x86_64 -quit -batchmode -nographics -dedicated -configfile=serverconfig.xml
      '';
    };
    networking.firewall = {
      allowedTCPPorts = [ 26900 ];
      allowedUDPPorts = [ 26900 26901 26902 ];
    };
  };
 }
--- a/services/site-max.nix
+++ b/services/site-max.nix
@ -1,42 +0,0 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.site-max;
 in
 {
  options.services.site-max = {
    enable = mkEnableOption "Site Max Spiegel";
    port = mkOption {
      type = types.int;
      example = 54321;
      description = "Local listening port";
    };
    domaine = mkOption {
      type = types.str;
      example = "example.com";
      description = "Domaine à utiliser";
    };
  };
  config = mkIf cfg.enable {
    services.haproxy-acme.services = {
      ${cfg.domaine} = { ip = "127.0.0.1"; port = cfg.port; auth = false; };
    };
    services.nginx = {
      virtualHosts = {
        "max" = {
          listen = [ { addr = "127.0.0.1"; port = cfg.port; } ];
          locations."/" = {
            root = "/run/python-ci/nyanloutre/site-max";
          };
        };
      };
    };
  };
 }
--- a/services/site-musique.nix
+++ b/services/site-musique.nix
@ -1,66 +0,0 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.site-musique;
 in
 {
  options.services.site-musique = {
    enable = mkEnableOption "Site musique";
    port = mkOption {
      type = types.int;
      example = 54321;
      description = "Local listening port";
    };
    domaine = mkOption {
      type = types.str;
      example = "example.com";
      description = "Domaine à utiliser";
    };
  };
  config = mkIf cfg.enable {
    services.haproxy-acme.services = {
      ${cfg.domaine} = { ip = "127.0.0.1"; port = cfg.port; auth = false; };
    };
    services.nginx.virtualHosts = {
      "musique" = {
        listen = [ { addr = "127.0.0.1"; port = cfg.port; } ];
        locations."/" = {
          root = "/run/python-ci/nyanloutre/site-musique";
          index = "index.php";
          extraConfig = ''
            location ~* \.php$ {
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
              fastcgi_pass unix:/run/phpfpm/musique;
              include ${pkgs.nginx}/conf/fastcgi_params;
              include ${pkgs.nginx}/conf/fastcgi.conf;
            }
          '';
        };
      };
    };
    services.phpfpm.poolConfigs.musique = ''
      listen = /run/phpfpm/musique
      listen.owner = nginx
      listen.group = nginx
      listen.mode = 0660
      user = nginx
      pm = dynamic
      pm.max_children = 75
      pm.start_servers = 2
      pm.min_spare_servers = 1
      pm.max_spare_servers = 20
      pm.max_requests = 500
      php_admin_value[error_log] = 'stderr'
      php_admin_flag[log_errors] = on
      catch_workers_output = yes
    '';
  };
 }
--- a/systems/ASUS-G46VW/configuration.nix
+++ b/systems/ASUS-G46VW/configuration.nix
@ -7,15 +7,11 @@
 {
  imports =
    [
-      ../common.nix
+      ../common-cli.nix
      ../common-gui.nix
      ./hardware-configuration.nix
    ];
  nixpkgs.overlays = [
    (import ../../overlays/ledger-udev-rules.nix)
  ];
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.tmpOnTmpfs = true;
@ -29,128 +25,11 @@
    ENERGY_PERF_POLICY_ON_BAT=powersave
  '';
-  # NVIDIA
+  networking.hostName = "rog-paul";
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.nvidia.optimus_prime.enable = true;
  hardware.nvidia.modesetting.enable = true;
  hardware.nvidia.optimus_prime.nvidiaBusId = "PCI:1:0:0";
  hardware.nvidia.optimus_prime.intelBusId = "PCI:0:2:0";
  # For Steam
  hardware.opengl.driSupport32Bit = true;
  hardware.pulseaudio.support32Bit = true;
  hardware.steam-hardware.enable = true;
  hardware.u2f.enable = true;
  services.udev.packages = with pkgs; [
    ledger-udev-rules
  ];
  networking.hostName = "rog-paul"; # Define your hostname.
  networking.networkmanager.enable = true;  # Enables wireless support via wpa_supplicant.
  # Select internationalisation properties.
  i18n = {
  #   consoleFont = "Lat2-Terminus16";
    consoleKeyMap = "fr";
    defaultLocale = "fr_FR.UTF-8";
  };
  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    filezilla
    wineStaging
    winetricks
    qbittorrent
    transmission-remote-gtk
    appimage-run
    bat
    gopass
    xclip
    electrum
    electron-cash
    firefox
    torbrowser
    chromium
    qutebrowser
    tdesktop
    mumble
    kleopatra
    gnupg
    kdeplasma-addons
    ark
    kate
    kmail
    kdeconnect
    okular
    yakuake
    konversation
    gwenview
    kcalc
    spectacle
    kile
    (texlive.combine {
      inherit (texlive) scheme-small titling collection-langfrench cm-super;
    })
    imagemagick
    gnome-breeze
    arc-theme
    materia-theme
    libreoffice
    gimp
    vlc
    kodiPlain
    mpv
    steam
    sc-controller
    steam-run
    minecraft
    glxinfo
    i7z
    obs-studio
  ];
  programs.wireshark.enable = true;
  programs.wireshark.package = pkgs.wireshark;
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.bash.enableCompletion = true;
  # programs.mtr.enable = true;
  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
  programs.browserpass.enable = true;
  services.pcscd.enable = true;
  services.pcscd.plugins = [
    (pkgs.ccid.overrideAttrs (oldAttrs: rec {
        preBuild = ''
 	  echo "0x2C97:0x0001:Ledger Token" >> ./readers/supported_readers.txt
        '';
      })
    )
  ];
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ 8000 ];
  # networking.firewall.allowedUDPPorts = [  ];
  # Or disable the firewall altogether.
  networking.firewall.enable = false;
  networking.wireguard.interfaces = {
@ -168,42 +47,29 @@
    };
  };
  # Enable CUPS to print documents.
  services.printing.enable = true;
  services.printing.drivers = [ pkgs.hplip ];
  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio.enable = true;
  # Enable the X11 windowing system.
  services.xserver.enable = true;
  services.xserver.layout = "fr";
  # services.xserver.xkbOptions = "eurosign:e";
  # Enable touchpad support.
  services.xserver.libinput.enable = true;
  services.xserver.libinput.naturalScrolling = true;
  # Enable the KDE Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.extraUsers.paul = {
    isNormalUser = true;
    uid = 1000;
-    extraGroups = [ "wheel" "networkmanager" "wireshark" ];
+    extraGroups = [ "wheel" "networkmanager" "wireshark" "dialout" ];
  };
  services.syncthing.enable = true;
  services.syncthing.user = "paul";
  services.syncthing.group = "users";
-  # This value determines the NixOS release with which your system is to be
+  services.redshift = {
-  # compatible, in order to avoid breaking some software such as database
+    enable = true;
-  # servers. You should change this only after NixOS release notes say you
+    temperature.night = 2700;
-  # should.
+  };
  system.stateVersion = "18.03"; # Did you read the comment?
  location.latitude = 48.573406;
  location.longitude = 7.752111;
  system.stateVersion = "18.03"; # Did you read the comment?
 }
--- a/systems/ASUS-G46VW/hardware-configuration.nix
+++ b/systems/ASUS-G46VW/hardware-configuration.nix
@ -12,6 +12,13 @@
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  # NVIDIA
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.nvidia.optimus_prime.enable = true;
  hardware.nvidia.modesetting.enable = true;
  hardware.nvidia.optimus_prime.nvidiaBusId = "PCI:1:0:0";
  hardware.nvidia.optimus_prime.intelBusId = "PCI:0:2:0";
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/7bd3a09b-b188-4ce7-bdcc-d5c5087edc86";
      fsType = "ext4";
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@ -1,21 +1,16 @@
-# Edit this configuration file to define what should be installed on
+{ config, pkgs, inputs, ... }:
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
 let
  gitRev = "baee8283bb858602e6b8d9c4763f11f79d4ac813";
  nixpkgs = fetchTarball "https://github.com/nyanloutre/nixpkgs/archive/${gitRev}.tar.gz";
 in
 {
  imports = [
-    ../common.nix
+    ../common-cli.nix
    ./hardware-configuration.nix
    ./network.nix
    ./users.nix
    ./services.nix
  ];
  nix.settings.trusted-users = [ "root" "paul" ];
  boot = {
    loader = {
      systemd-boot.enable = true;
@ -24,40 +19,43 @@ in
    supportedFilesystems = [ "zfs" ];
-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
    # Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported
    enableContainers = false;
  };
-  nix.nixPath = [
+  documentation.nixos.enable = false;
    "nixpkgs=${nixpkgs}"
    "nixos-config=/etc/nixos/configuration.nix"
  ];
  services.zfs = {
    autoSnapshot.enable = true;
-    autoScrub.enable = true;
+    autoScrub = {
      enable = true;
      interval = "monthly";
    };
  };
  networking = {
    hostName = "loutreos"; # Define your hostname.
    hostId = "7e66e347";
  };
  nixpkgs.overlays = [
    (import ../../overlays/riot-web.nix)
  ];
  services.openssh = {
    enable = true;
-    permitRootLogin = "no";
+    settings = {
-    passwordAuthentication = false;
+      PermitRootLogin = "no";
      PasswordAuthentication = false;
      X11Forwarding = true;
    };
  };
-  networking.firewall = {
+  users = {
-    allowedTCPPorts = [ ];
+    groups.autossh = { };
-    allowedUDPPorts = [ ];
+    users.autossh = {
-    enable = true;
+      home = "/home/autossh";
      createHome = true;
      group = "autossh";
      isSystemUser = true;
    };
  };
  virtualisation.podman.enable = true;
  security.sudo.wheelNeedsPassword = false;
  system.stateVersion = "18.03";
--- a/systems/LoutreOS/hardware-configuration.nix
+++ b/systems/LoutreOS/hardware-configuration.nix
@ -4,10 +4,6 @@
 { config, lib, pkgs, ... }:
 {
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];
  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
@ -67,21 +63,16 @@
      fsType = "zfs";
    };
  fileSystems."/exports/steam" =
    { device = "loutrepool/steam";
      fsType = "zfs";
    };
  fileSystems."/var/lib/emby/ProgramData-Server" =
    { device = "loutrepool/var/emby";
      fsType = "zfs";
    };
  fileSystems."/var/lib/syncthing" =
    { device = "loutrepool/var/syncthing";
      fsType = "zfs";
    };
  fileSystems."/mnt/medias/incomplete" =
    { device = "loutrepool/torrent-dl";
      fsType = "zfs";
    };
  fileSystems."/mnt/medias" =
    { device = "loutrepool/medias";
      fsType = "zfs";
@ -117,6 +108,11 @@
      fsType = "zfs";
    };
  fileSystems."/var/lib/private/factorio" =
    { device = "loutrepool/var/factorio";
      fsType = "zfs";
    };
  fileSystems."/var/dkim" =
    { device = "loutrepool/var/dkim";
      fsType = "zfs";
@ -127,10 +123,10 @@
      fsType = "zfs";
    };
-  fileSystems."/mnt/backup" =
+  # fileSystems."/mnt/backup" =
-    { device = "backup";
+  #   { device = "backup";
-      fsType = "zfs";
+  #     fsType = "zfs";
-    };
+  #   };
  fileSystems."/mnt/backup_loutre" =
    { device = "loutrepool/backup";
@ -142,6 +138,46 @@
      fsType = "zfs";
    };
  fileSystems."/var/lib/minecraft" =
    { device = "loutrepool/var/minecraft";
      fsType = "zfs";
    };
  fileSystems."/var/www" =
    { device = "loutrepool/var/www";
      fsType = "zfs";
    };
  fileSystems."/var/lib/mastodon" =
    { device = "loutrepool/var/mastodon";
      fsType = "zfs";
    };
  fileSystems."/var/lib/hass" =
    { device = "loutrepool/var/hass";
      fsType = "zfs";
    };
  fileSystems."/var/lib/nextcloud" =
    { device = "loutrepool/var/nextcloud";
      fsType = "zfs";
    };
  fileSystems."/var/lib/private/photoprism" =
    { device = "loutrepool/var/photoprism";
      fsType = "zfs";
    };
  fileSystems."/mnt/paul-home" =
    { device = "loutrepool/zfs-replicate/paul-fixe/fastaf/home";
      fsType = "zfs";
    };
  fileSystems."/mnt/webdav" =
    { device = "loutrepool/webdav";
      fsType = "zfs";
    };
  swapDevices =
    [
      {
@ -150,6 +186,6 @@
      }
    ];
-  nix.maxJobs = lib.mkDefault 4;
+  nix.settings.max-jobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/systems/LoutreOS/medias.nix
+++ b/systems/LoutreOS/medias.nix
@ -0,0 +1,60 @@
 { config, lib, pkgs, pkgs-unstable, pkgs-4a3fc4cf7, ... }:
 {
  services = {
    transmission = {
      enable = true;
      package = pkgs-4a3fc4cf7.transmission_4;
      home = "/var/lib/transmission";
      group = "medias";
      settings = {
        rpc-bind-address = "127.0.0.1";
        rpc-port = 9091;
        rpc-host-whitelist = "*";
        rpc-whitelist-enabled = false;
        peer-port = 51413;
        incomplete-dir = "/mnt/medias/incomplete";
        download-dir = "/mnt/medias/torrent";
      };
    };
    radarr = {
      enable = true;
      package = pkgs-unstable.radarr;
    };
    sonarr = {
      enable = true;
      package = pkgs-unstable.sonarr;
    };
    flaresolverr = {
      enable = false;
      package = pkgs-unstable.flaresolverr;
    };
    prowlarr = {
      enable = true;
      package = pkgs-unstable.prowlarr;
    };
    jellyfin = {
      enable = true;
      package = pkgs-unstable.jellyfin;
    };
    slimserver.enable = true;
  };
  systemd.services.transmission.serviceConfig = {
    BindPaths = [ "/mnt/medias" ];
    LimitNOFILE = 1048576;
  };
  networking = {
    firewall.allowedTCPPorts = [
      config.services.transmission.settings.peer-port
    ];
    firewall.allowedUDPPorts = [
      config.services.transmission.settings.peer-port
    ];
  };
 }
--- a/systems/LoutreOS/monitoring.nix
+++ b/systems/LoutreOS/monitoring.nix
@ -0,0 +1,127 @@
 { config, lib, pkgs, ... }:
 let
  domaine = "nyanlout.re";
 in
 {
  services = {
    smartd = {
      enable = true;
      defaults.monitored = "-a -o on -s (S/../.././02|L/../15/./02)";
      notifications.mail = {
        enable = true;
        recipient = "paul@nyanlout.re";
      };
    };
    influxdb = {
      enable = true;
      dataDir = "/var/db/influxdb";
    };
    telegraf = {
      enable = true;
      extraConfig = {
        inputs = {
          zfs = { poolMetrics = true; };
          net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
          netstat = {};
          cpu = { totalcpu = true; };
          kernel = {};
          mem = {};
          processes = {};
          system = {};
          disk = {};
          cgroup = [
            {
              paths = [
                "/sys/fs/cgroup/system.slice/*"
              ];
              files = ["memory.current" "cpu.stat"];
            }
          ];
          ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
          smart = {
            path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
          };
          exec= [
            {
              commands = [
                "${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
                  import json
                  from subprocess import check_output
                  columns = ["NAME", "SIZE", "ALLOC", "FREE", "CKPOINT", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
                  health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
                  stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
                  parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
                  for pool in parsed_stdout:
                    for item in pool:
                      if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
                        pool[item] = int(pool[item])
                      if item in ["DEDUP"]:
                        pool[item] = float(pool[item])
                      if item == "HEALTH":
                        pool[item] = health[pool[item]]
                  print(json.dumps(parsed_stdout))
                ''}"
              ];
              tag_keys = [ "NAME" ];
              data_format = "json";
              name_suffix = "_python_zpool";
            }
          ];
        };
        outputs = {
          influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
        };
      };
    };
    udev.extraRules = ''
      KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
    '';
    grafana = {
      enable = true;
      dataDir = "/var/lib/grafana";
      settings = {
        server = {
          http_addr = "127.0.0.1";
          root_url = "https://grafana.${domaine}";
        };
        smtp = {
          enabled = true;
          from_address = "grafana@${domaine}";
          skip_verify = true;
        };
        auth = {
          disable_signout_menu = true;
        };
        "auth.basic" = {
          enabled = false;
        };
        "auth.proxy" = {
          enabled = true;
          header_name = "X-WEBAUTH-USER";
        };
      };
    };
    zfs.zed.settings = {
      ZED_EMAIL_ADDR = [ "paul@nyanlout.re" ];
      ZED_NOTIFY_VERBOSE = true;
    };
  };
  systemd.services.influxdb.serviceConfig = {
    TimeoutStartSec = "10min";
  };
  security.sudo.extraRules = [
    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
  ];
 }
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@ -0,0 +1,362 @@
 { config, pkgs, inputs, ... }:
 {
  boot = {
    kernel.sysctl = {
      "net.ipv6.conf.all.forwarding" = true;
      "net.ipv6.conf.default.forwarding" = true;
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv4.conf.default.forwarding" = true;
    };
  };
  # Enable LTE drivers
  hardware.usb-modeswitch.enable = true;
  ##################
  # NETWORK CONFIG #
  ##################
  # eno1      -> VLAN100 -> Internet
  # eno2      -> LAN
  # eno3      -> Pas utilisé
  # eno4      -> Pas utilisé
  # enp0s21u1 -> Clé 4G Bouygues
  # wg0       -> Tunnel Wireguard ARN
  networking = {
    hostName = "loutreos"; # Define your hostname.
    hostId = "7e66e347";
    useNetworkd = true;
    useDHCP = false;
    nameservers = [
      "1.1.1.1"
      "1.0.0.1"
    ];
    vlans = {
      bouygues = {
        id = 100;
        interface = "eno1";
      };
    };
    interfaces = {
      bouygues = {
        # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
        macAddress = "E8:AD:A6:21:73:68";
        useDHCP = true;
      };
      eno2 = {
        ipv4.addresses = [
          { address = "10.30.0.1"; prefixLength = 16; }
        ];
      };
      enp0s21u1.useDHCP = true;
    };
    nftables = {
      enable = true;
      flushRuleset = false;
      tables = {
        "multi-wan-routing" = {
          family = "inet";
          content = ''
            chain PREROUTING {
              type filter hook prerouting priority mangle; policy accept;
              # Restore the packet's CONNMARK to the MARK for existing incoming connections
              counter meta mark set ct mark
              # If packet MARK is set, then it means that there is already a connection mark
              meta mark != 0x00000000 counter accept
              # Else, we need to mark the packet.
              # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
              iifname "bouygues" counter meta mark set 0x1
              iifname "enp0s21u1" counter meta mark set 0x2
              iifname "wg0" counter meta mark set 0x3
              # Save new mark in CONNMARK
              counter ct mark set mark
            }
            chain OUTPUT {
              type route hook output priority mangle; policy accept;
              # Restore CONNMARK to MARK for outgoing packets before final routing decision
              counter meta mark set ct mark
            }
            chain POSTROUTING {
              type filter hook postrouting priority mangle; policy accept;
              # Save MARK to CONNMARK
              counter ct mark set mark
            }
          '';
        };
        "redirect-external-to-local" = {
          family = "ip";
          content = ''
            chain PREROUTING {
              type nat hook prerouting priority dstnat; policy accept;
              # Redirect local network request from server external IP to internal IP
              # This allow access to server without internet access
              ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1
            }
          '';
        };
      };
    };
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 ];
      allowedUDPPorts = [ ];
      # Open ports on local netwok only
      interfaces.eno2 = {
        allowedTCPPorts = [
          111 2049 4000 4001 4002 # NFS
          3483 9000 9090 # Slimserver
          1935 # RTMP
        ];
        allowedUDPPorts = [
          111 2049 4000 4001 4002 # NFS
          3483 # Slimserver
          67 # DHCP
        ];
      };
      # Don't forward incoming IPv6 requests to local network
      filterForward = true;
      extraForwardRules = ''
        # Forward all IPv6 traffic from local network
        iifname "eno2" counter accept
      '';
    };
  };
  systemd.services.systemd-networkd = {
    unitConfig = {
      RequiresMountsFor = "/mnt/secrets/wireguard";
    };
    serviceConfig = {
      LoadCredential = [
          "network.wireguard.private.wg0:/mnt/secrets/wireguard/wireguard.private"
          "network.wireguard.preshared.wg0:/mnt/secrets/wireguard/wireguard.preshared"
      ];
    };
  };
  #################
  # ROUTING RULES #
  #################
  # 0:      from all lookup local
  # 60:     from all iif lo dport 25 lookup vpn  # mails are forced to vpn table
  # 32766:  from all lookup main                 # main table should contain no default routes, only local network routes
  # 32767:  from all lookup default
  # 41000:  from all fwmark 0x1 lookup fiber     # fwmark indicate established connection that must go through same interface
  # 42000:  from all fwmark 0x2 lookup lte
  # 43000:  from all fwmark 0x3 lookup vpn
  # 51000:  from all lookup fiber                # first table encountered with a default route if fiber is up
  # 52000:  from all lookup lte                  # first table encountered with a default route if fiber is down
  systemd.network = let
    routeTables = {
      fiber = 1;
      lte = 2; 
      vpn = 3;
    };
  in {
    enable = true;
    config = {
      inherit routeTables;
      addRouteTablesToIPRoute2 = true;
    };
    # Wireguard ARN device configuation
    netdevs = {
      "10-wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
          MTUBytes = "1450";
        };
        wireguardConfig = {
          PrivateKey = "@network.wireguard.private.wg0";
          RouteTable = routeTables.vpn;
        };
        wireguardPeers = [
          {
            Endpoint = "89.234.141.83:8095";
            PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
            PresharedKey = "@network.wireguard.preshared.wg0";
            AllowedIPs = ["0.0.0.0/0" "::/0"];
            PersistentKeepalive = 15;
          }
        ];
      };
    };
    networks = {
      #########
      # FIBER #
      #########
      # Set route metric to highest priority
      # Set DHCP client magic settings for Bouygues
      "40-bouygues" = {
        dhcpV4Config.RouteTable = routeTables.fiber;
        dhcpV6Config = {
          DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
          WithoutRA = "solicit";
        };
        ipv6AcceptRAConfig = {
          DHCPv6Client = true;
          RouteTable = routeTables.fiber;
        };
        networkConfig = {
          KeepConfiguration = "dhcp-on-stop";
          IPv6AcceptRA = true;
          DHCPPrefixDelegation = true;
        };
        # Static attribution of first IPv6 subnet
        dhcpPrefixDelegationConfig.SubnetId = "0";
        # Route everything to fiber link with a priority of 40000
        routingPolicyRules = [
          {
            FirewallMark = 1;
            Table = routeTables.fiber;
            Priority = 41000;
            Family = "both";
          }
          {
            Table = routeTables.fiber;
            Priority = 51000;
            Family = "both";
          }
        ];
      };
      # Don't check VLAN physical interface as it is not directly used
      "40-eno1".linkConfig.RequiredForOnline = "no";
      #######
      # LTE #
      #######
      # Set LTE route to lower priority
      "40-enp0s21u1" = {
        dhcpV4Config.RouteTable = routeTables.lte;
        # Route all to lte link with a priority of 50000
        routingPolicyRules = [
          {
            FirewallMark = 2;
            Table = routeTables.lte;
            Priority = 42000;
            Family = "both";
          }
          {
            Table = routeTables.lte;
            Priority = 52000;
            Family = "both";
          }
        ];
      };
      #######
      # VPN #
      #######
      # Wireguard ARN network configuation
      "10-wg0" = {
        matchConfig.Name = "wg0";
        address = [
          "89.234.141.196/32"
          "2a00:5881:8119:400::1/128"
        ];
        routingPolicyRules = [
          # Route outgoing emails to VPN table
          {
            IncomingInterface = "lo";
            DestinationPort = "25";
            Table = routeTables.vpn;
            Priority = 60;
            Family = "both";
          }
          # Route packets originating from wg0 device to VPN table
          # Allow server to respond on the wg0 interface requests
          {
            FirewallMark = 3;
            Table = routeTables.vpn;
            Priority = 43000;
            Family = "both";
          }
        ];
      };
      #######
      # LAN #
      #######
      # LAN DHCP server config
      "40-eno2" = {
        networkConfig = {
          IPv6SendRA = true;
          DHCPPrefixDelegation = true;
          DHCPServer = true;
          IPMasquerade = "ipv4";
        };
        dhcpServerConfig = {
          EmitRouter = true;
          EmitDNS = true;
          DNS = [
            "1.1.1.1"
            "1.0.0.1"
          ];
        };
        dhcpServerStaticLeases = [
          # IPMI
          {
            Address = "10.30.1.1";
            MACAddress = "ac:1f:6b:4b:01:15";
          }
          # paul-fixe
          {
            Address = "10.30.50.1";
            MACAddress = "b4:2e:99:ed:24:26";
          }
          # salonled
          {
            Address = "10.30.40.1";
            MACAddress = "e0:98:06:85:e9:ce";
          }
          # miroir-bleu
          {
            Address = "10.30.40.2";
            MACAddress = "e0:98:06:86:38:fc";
          }
          # miroir-orange
          {
            Address = "10.30.40.3";
            MACAddress = "50:02:91:78:be:be";
          }
        ];
        ipv6SendRAConfig = {
          EmitDNS = true;
          DNS = [
            "2606:4700:4700::1111"
            "2606:4700:4700::1001"
          ];
        };
      };
    };
  };
 }
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@ -5,306 +5,129 @@ with lib;
 let
  domaine = "nyanlout.re";
-  riot_port = 52345;
+  sendMail = to: subject: message: pkgs.writeShellScriptBin "mail.sh" ''
-  pgmanage_port = 52347;
+    ${pkgs.system-sendmail}/bin/sendmail ${to} <<EOF
-  max_port = 52348;
+    From: root@nyanlout.re
-  musique_port = 52349;
+    Subject: ${subject}
    ${message}
    EOF
  '';
  login_mail_alert = pkgs.writeShellScriptBin "mail_alert.sh" ''
    if [ "$PAM_TYPE" != "close_session" ] && [ "$PAM_USER" != "zfspaulfixe" ] && [ "$PAM_USER" != "synology" ] && [ "$PAM_USER" != "rezome" ]; then
      ${sendMail "paul@nyanlout.re" "SSH Login: $PAM_USER from $PAM_RHOST" "`env`"}/bin/mail.sh
    fi
  '';
  backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs";
 in
 {
  imports = [
-    ../../services/haproxy-acme.nix
+    ./monitoring.nix
-    ../../services/mail-server.nix
+    ./medias.nix
-    ../../services/site-musique.nix
+    ./web.nix
    ../../services/site-max.nix
    ../../services/auto-pr.nix
    ../../services/python-ci.nix
    ../../services/sdtdserver.nix
    ../../containers/vsftpd.nix
  ];
-  nixpkgs.overlays = [
+  security.acme.certs = {
-    (import ../../overlays/dogetipbot-telegram.nix)
+    "${domaine}" = {
-  ];
+      extraDomainNames = [
        "mail.${domaine}"
      ];
      postRun = ''
        systemctl reload dovecot2.service
      '';
    };
  };
  mailserver = {
    enable = true;
    fqdn = "mail.${domaine}";
    domains = [ domaine ];
    # A list of all login accounts. To create the password hashes, use
    # mkpasswd -m sha-512 "super secret password"
    loginAccounts = {
      "paul@${domaine}" = {
        hashedPassword = "$6$eGmy2W7kbkfHAh$/y.ZML4eYL/v14WaVwSIG2ulkUFKFk82uBmrYBDULLtqUR8hQD3/BQIrRiBtsloxrUSja8aZ.E7ypChO.OiOI/";
      };
      "claire@${domaine}" = {
        hashedPassword = "$6$Y.vlWP9./DX$NEQQOLzYftbHOvXDkKdBYFAjzIjh8mlpomDuQRq6qkkZijrdy/p6jSbrpBLhoWwVmj4j1OWekHU1f4C9xCNJk.";
      };
    };
    # Certificate setup
    certificateScheme = "manual";
    certificateFile = "/var/lib/acme/${domaine}/fullchain.pem";
    keyFile = "/var/lib/acme/${domaine}/key.pem";
    # Enable IMAP and POP3
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;
    # Enable the ManageSieve protocol
    enableManageSieve = true;
  };
  services = {
    rspamd.workers.controller.extraConfig = ''
      secure_ip = ["0.0.0.0/0", "::"];
    '';
    # redis.enable = true;
    # enable with nginx defult config
    logrotate.enable = true;
    fail2ban.enable = true;
    smartd = {
      enable = true;
      defaults.monitored = "-a -o on -s (S/../.././02|L/../../1/04)";
      notifications.mail = {
        enable = true;
        recipient = "paul@nyanlout.re";
      };
    };
    fstrim.enable = true;
    haproxy-acme = {
      enable = true;
      domaine = domaine;
      services = {
        "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
        "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; };
        "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
        "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
        "transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
        "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
        "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
        "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
        "riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; };
        "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
        "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
        "gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
        "ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
      };
    };
    mailserver = {
      enable = true;
      domaine = domaine;
    };
    influxdb = {
      enable = true;
      dataDir = "/var/db/influxdb";
    };
    telegraf = {
      enable = true;
      extraConfig = {
        inputs = {
          zfs = { poolMetrics = true; };
          net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
          netstat = {};
          cpu = { totalcpu = true; };
          kernel = {};
          mem = {};
          processes = {};
          system = {};
          disk = {};
          ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
          smart = {
            path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
          };
          exec= [
            { commands = [
              "${pkgs.python}/bin/python ${
                  pkgs.fetchgit {
                    url = "https://gitlab.com/nyanloutre/tplink-smartplug.git";
                    rev = "a0996112fc451b76448589698de440ad5fd6ea79";
                    sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3";
                  }
                }/tplink_smartplug.py -t 192.168.0.57 -c energy"
              ];
              data_format = "json";
              name_suffix = "_tplink-smartplug";
            }
            {
              commands = [
                "${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
                  import json
                  from subprocess import check_output
                  columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
                  health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
                  stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
                  parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
                  for pool in parsed_stdout:
                    for item in pool:
                      if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
                        pool[item] = int(pool[item])
                      if item in ["DEDUP"]:
                        pool[item] = float(pool[item])
                      if item == "HEALTH":
                        pool[item] = health[pool[item]]
                  print(json.dumps(parsed_stdout))
                ''}"
              ];
              tag_keys = [ "NAME" ];
              data_format = "json";
              name_suffix = "_python_zpool";
            }
          ];
        };
        outputs = {
          influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
        };
      };
    };
    udev.extraRules = ''
      KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
    '';
    grafana = {
      enable = true;
      addr = "127.0.0.1";
      dataDir = "/var/lib/grafana";
      extraOptions = {
        SERVER_ROOT_URL = "https://grafana.${domaine}";
        SMTP_ENABLED = "true";
        SMTP_FROM_ADDRESS = "grafana@${domaine}";
        SMTP_SKIP_VERIFY = "true";
        AUTH_DISABLE_LOGIN_FORM = "true";
        AUTH_DISABLE_SIGNOUT_MENU = "true";
        AUTH_ANONYMOUS_ENABLED = "true";
        AUTH_ANONYMOUS_ORG_ROLE = "Admin";
        AUTH_BASIC_ENABLED = "false";
      };
    };
    emby = {
      enable = true;
      dataDir = "/var/lib/emby/ProgramData-Server";
    };
    slimserver = {
      enable = true;
      dataDir = "/var/lib/slimserver";
    };
    syncthing = {
      enable = true;
      dataDir = "/var/lib/syncthing";
      openDefaultPorts = true;
    };
    nfs.server = {
      enable = true;
      exports = ''
-        /mnt/medias  192.168.0.0/16(ro,no_root_squash)
+        /mnt/medias  10.30.0.0/16(ro,no_root_squash)
-        /exports/steam  192.168.0.0/24(rw,no_root_squash)
+        /var/lib/minecraft  10.30.0.0/16(rw,no_root_squash)
      '';
      statdPort = 4000;
      lockdPort = 4001;
      mountdPort = 4002;
    };
    transmission = {
      enable = true;
      home = "/var/lib/transmission";
      settings = {
        rpc-bind-address = "127.0.0.1";
        rpc-host-whitelist = "*";
        rpc-whitelist-enabled = false;
      };
    };
    radarr.enable = true;
    sonarr.enable = true;
    jackett.enable = true;
    searx.enable = true;
    nginx = {
      enable = true;
      virtualHosts = {
        "riot" = {
          listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
          locations = { "/" = { root = pkgs.riot-web; }; };
        };
      };
    };
    postgresql.enable = true;
    matrix-synapse = {
      enable = true;
      enable_registration = true;
      server_name = "nyanlout.re";
      listeners = [
        { # federation
          bind_address = "";
          port = 8448;
          resources = [
            { compress = true; names = [ "client" "webclient" ]; }
            { compress = false; names = [ "federation" ]; }
          ];
          tls = true;
          type = "http";
          x_forwarded = false;
        }
        { # client
          bind_address = "127.0.0.1";
          port = 8008;
          resources = [
            { compress = true; names = [ "client" "webclient" ]; }
          ];
          tls = false;
          type = "http";
          x_forwarded = true;
        }
      ];
      database_type = "psycopg2";
      database_args = {
        database = "matrix-synapse";
      };
      extraConfig = ''
        max_upload_size: "100M"
      '';
      logConfig = ''
        version: 1
        formatters:
            journal_fmt:
                format: '%(name)s: [%(request)s] %(message)s'
        filters:
            context:
                (): synapse.util.logcontext.LoggingContextFilter
                request: ""
        handlers:
            journal:
                class: systemd.journal.JournalHandler
                formatter: journal_fmt
                filters: [context]
                SYSLOG_IDENTIFIER: synapse
        root:
            level: WARNING
            handlers: [journal]
        disable_existing_loggers: False
      '';
    };
    pgmanage = {
      enable = true;
      port = pgmanage_port;
      connections = {
        localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
      };
    };
    /*
    borgbackup.jobs = {
      loutre = {
        paths = [
          "/var/certs"
          "/var/dkim"
          "/var/lib/jellyfin"
          "/var/lib/gitea"
          "/var/lib/grafana"
          "/var/lib/matrix-synapse"
          "/var/lib/jackett"
-          "/var/lib/postgresql/.zfs/snapshot/borgsnap"
+          "/mnt/borgsnap/postgresql"
          "/var/lib/radarr"
          "/var/lib/sonarr"
          "/var/lib/syncthing"
          "/var/lib/transmission"
-          "/mnt/medias/musique"
+          "/var/lib/airsonic"
-          "/mnt/medias/torrent/lidarr"
+          "/var/lib/hass"
-          "/mnt/medias/torrent/musique"
+          "/var/lib/opendkim"
          "/var/lib/slimserver"
          "/var/lib/watcharr"
          "/var/lib/nextcloud"
          "/mnt/paul-home/paul"
          "/var/sieve"
          "/var/vmail"
          "/mnt/backup_loutre/amandoleen"
          "/mnt/secrets"
        ];
-        repo = "/mnt/backup/borg";
+        exclude = [
          "/var/lib/radarr/.config/Radarr/radarr.db-wal"
          "/var/lib/radarr/.config/Radarr/radarr.db-shm"
          "/mnt/paul-home/paul/.cache"
        ];
        repo = "ssh://u306925@u306925.your-storagebox.de:23/./loutreos";
        environment = { BORG_RSH = "ssh -i /mnt/secrets/hetzner_ssh_key"; };
        encryption = {
          mode = "repokey-blake2";
          passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass";
@ -315,16 +138,18 @@ in
          weekly = 4;
          monthly = 12;
        };
-        preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
+        preHook = ''
          ${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap
          mkdir -p /mnt/borgsnap/postgresql
          ${config.security.wrapperDir}/mount -t zfs loutrepool/var/postgresql@borgsnap /mnt/borgsnap/postgresql
        '';
        readWritePaths = [ "/var/lib/postfix/queue/maildrop" ];
        postHook = ''
          ${config.security.wrapperDir}/umount /mnt/borgsnap/postgresql
          ${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
          if [[ $exitStatus == 0 ]]; then
            ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO loutre_ovh:loutre
          fi
        '';
      };
    };
    */
    borgbackup.repos = {
      diskstation = {
@ -332,97 +157,172 @@ in
        path = "/mnt/backup_loutre/diskstation_borg";
        user = "synology";
      };
-    };
+      minecraft-rezome = {
-
+        authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc1nGsSesW96k0DPMSt/chjvCrYmfgPgHG1hdUYB5x0pZPdOJaVRIlETWdoFlO+ViviC518B3TF7Qc3oJXPZMchJQl684Nukbc312juf+j9z/KT3dqD8YvKX6o5ynx1Dyq52ftrfkBAEAvzE0OfRljUPbwGBOM0dGRD4R1jbiHquTXpITlbgGTZymbwr4Jr9W9atgf5kHMiX7xOqMZcasDtUE8g+AG4ysHdpjOrBOUM9QeRbVP1bxEFP8xjqOOoET5tbkwektP4B2jaf+EHBPUy2lkwjVEKT6MaSlkJx/wMvUWp25kG9mrXgwUw1bgfOeZIsK6ztcki3l92BJQD9ip shame@minecraft.rezom.eu" ];
-    gitea = {
+        path = "/mnt/backup_loutre/minecraft_rezome";
-      enable = true;
+        user = "rezome";
      cookieSecure = true;
      httpPort = 3001;
      rootUrl = "https://gitea.nyanlout.re/";
      database = {
        type = "postgres";
        port = 5432;
        passwordFile = "/mnt/secrets/gitea_database_passwordFile";
      };
    };
-    site-musique = {
+    kresd = {
      enable = true;
      port = musique_port;
      domaine = "musique-meyenheim.fr";
    };
-    site-max = {
+    mosquitto = {
      enable = true;
-      port = max_port;
+      listeners = [
-      domaine = "maxspiegel.fr";
+        {
          acl = [ "pattern readwrite #" ];
          omitPasswordAuth = true;
          address = "127.0.0.1";
          settings.allow_anonymous = true;
        }
      ];
    };
-    auto-pr.enable = true;
+    zigbee2mqtt = {
-
+      enable = true;
-    python-ci.enable = true;
+      settings = {
-
+        serial.port = "/dev/serial/by-id/usb-Texas_Instruments_TI_CC2531_USB_CDC___0X00124B0014D97058-if00";
-    sdtdserver.enable = true;
+        mqtt = {
-  };
+          server = "mqtt://${(head config.services.mosquitto.listeners).address}:${toString (head config.services.mosquitto.listeners).port}";
-
+        };
-  /*
+        frontend = {
-  systemd.services.dogetipbot-telegram = {
+          port = 8080;
-    after = [ "network.target" ];
+          host = "127.0.0.1";
-    wantedBy = [ "multi-user.target" ];
+          url = "https://zigbee.nyanlout.re";
-    script = "${pkgs.dogetipbot-telegram}/bin/dogetipbot-telegram --block-io-api-key $BLOCK_IO_API_KEY --block-io-pin $BLOCK_IO_PIN --telegram-api-key $TELEGRAM_API_KEY --network DOGE";
+        };
-    enable = true;
+        groups = {
-    serviceConfig = {
+          "101" = {
-      EnvironmentFile = "/mnt/secrets/dogetipbot-telegram_env";
+            friendly_name = "salon";
-      User = "nobody";
+            devices = [
-      Group = "nogroup";
+              "0x94deb8fffe760f3d"
            ];
          };
          "102" = {
            friendly_name = "cuisine";
            devices = [
              "0x003c84fffe6d9ee6"
            ];
          };
          "103" = {
            friendly_name = "entrée";
            devices = [
              "0x84ba20fffe5ec243"
            ];
          };
          "104" = {
            friendly_name = "tout";
            devices = [
              "0x94deb8fffe760f3d"
              "0x003c84fffe6d9ee6"
              "0x84ba20fffe5ec243"
            ];
          };
          "107" = {
            friendly_name = "chambre";
            devices = [
              "0x84ba20fffe5eb120"
            ];
          };
        };
      };
    };
  };
  */
-  systemd.services.matrix-synapse = {
+    home-assistant = {
-    serviceConfig = {
+      enable = true;
-      MemoryHigh = "3G";
+      extraComponents = [
-      MemoryMax = "5G";
+        # Components required to complete the onboarding
-    };
+        "met"
-  };
+        "radio_browser"
-
+      ];
-  security.sudo.extraRules = [
+      config = {
-    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
+        default_config = {};
-  ];
+        homeassistant = {
-
+          country = "FR";
-  networking = {
+          latitude = 48.60038;
-    wireguard.interfaces = {
+          longitude = 7.74063;
-      wg0 = {
+          elevation = 146;
-        ips = [ "192.168.20.1/24" ];
+        };
-        privateKeyFile = "/mnt/secrets/wireguard/wg0.privatekey";
+        meteo_france = null;
-        listenPort = 51820;
+        http = {
-        allowedIPsAsRoutes = false;
+          use_x_forwarded_for = true;
-        peers = [
+          trusted_proxies = [ "127.0.0.1" ];
        };
        mqtt = null;
        esphome = null;
        light = [
          {
-            allowedIPs = [ "0.0.0.0/0" ];
+            platform = "group";
-            publicKey = "b/SXiqo+GPdNOc54lyEVeUBc6B5AbVMKh+g5EZPGzlE=";
+            name = "Salon";
            entities = [
              "light.salon_light"
              "light.cuisine_light"
              "light.entree_light"
            ];
          }
        ];
        media_player = [
          {
            platform = "squeezebox";
            host = "10.30.0.1";
          }
        ];
      };
    };
    photoprism = {
      enable = true;
      originalsPath = "/mnt/backup_loutre/amandoleen/d/Users/Amand/Pictures";
      passwordFile = "/mnt/secrets/photoprism_pass";
      settings = {
        PHOTOPRISM_READONLY = "1";
        PHOTOPRISM_DETECT_NSFW = "1";
        PHOTOPRISM_SITE_URL = "https://photo.nyanlout.re/";
      };
    };
  };
  systemd = {
    timers."lg-devmode-reset" = {
      wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "5m";
          OnUnitActiveSec = "1w";
        };
    };
    services = {
      "borgbackup-job-loutre".serviceConfig.TemporaryFileSystem = ["/mnt/borgsnap"];
      "lg-devmode-reset" = {
        script = ''
          ${pkgs.curl}/bin/curl https://developer.lge.com/secure/ResetDevModeSession.dev\?sessionToken\=9f94269da0dc14fd924b65d8dca28b076f931ad1ca04fe7a09ac78cdb0e22cb4
        '';
        serviceConfig = {
          Type = "oneshot";
        };
      };
    };
  };
  dogetipbot-telegram.enable = true;
  ipmihddtemp.enable = true;
  users.groups.nginx.members = [ "matrix-synapse" ];
  security.pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );
  networking = {
    firewall.interfaces.eno2.allowedTCPPorts = [
      3260
    ];
    firewall.allowedTCPPorts = [
      111 2049 4000 4001 4002 # NFS
      3483 9000 9090 # Slimserver
      51413 # Transmission
      8448 # Matrix federation
      20 21 # FTP
    ];
    firewall.allowedTCPPortRanges = [
      { from = 64000; to = 65535; } # FTP
    ];
    firewall.allowedUDPPorts = [
      111 2049 4000 4001 4002 # NFS
      3483 # Slimserver
      51413 # Transmission
      51820 # Wireguard
    ];
  };
 }
--- a/systems/LoutreOS/users.nix
+++ b/systems/LoutreOS/users.nix
@ -1,12 +1,12 @@
-{ config, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 {
-  users.extraUsers = {
+  users.users = {
    paul = {
      uid = 1000;
      isNormalUser = true;
      description = "Paul TREHIOU";
-      extraGroups = [ "wheel" "medias" ];
+      extraGroups = [ "wheel" "medias" "transmission" "podman" ];
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAF7VlzHzgg70uFbRFtVTS34qNBke/RD36mRENAsa33RxztxrqMsIDscAD/d6CTe6HDy7MCGzJnWCJSXj5iOQFM4RRMvKNEgCKPHqfhmfVvO4YZuMjNB0ufVf6zhJL4Hy43STf7NIWrenGemUP+OvVSwN/ujgl2KKw4KJZt25/h/7JjlCgsZm4lWg4xcjoiKL701W2fbEoU73XKdbRTgTvKoeK1CGxdAPFefFDFcv/mtJ7d+wIxw9xODcLcA66Bu94WGMdpyEAJc4nF8IOy4pW8AzllDi0qNEZGCQ5+94upnLz0knG1ue9qU2ScAkW1/5rIJTHCVtBnmbLNSAOBAstaGQJuSL40TWZ1oPA5i1qUEhunNcJ+Sgtp6XP69qY34T/AeJvHRyw5M5LfN0g+4ka9k06NPBhbpHFASz4M8nabQ0iM63++xcapnw/8gk+EPhYVKW86SsyTa9ur+tt6oDWEKNaOhgscX44LexY7jKdeBRt3GaObtBJtVLBRx3Z2aRXgjgnKGqS40mGRiSkqb2DShspI1l8DV2RrPiuwdBzXVQjWRc0KXmJrcgXX9uoPSxihxwaUQyvmITOV1Y+NEuek4gRkVNOxjoG7RGnaYvYzxEQVoI5TwZC2/DCrAUgCv8DQawkcpEiWnBq7Q5VnpmFx5juVQ/I0G8byOkPXgRUOk9 openpgp:0xAB524BBC"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCACVI2dL4AmOdcb7RSl3JZpfK33NhqrYFfWfXMYow5SPJ9VPteOp5kVvKUuSbGH3chjpttYC/ueQJJhFagiKmkeftQTslIw6C009wUExGpJwRotHqISXv2ctURGURKy2FF848whd7xZJzdj49ZJ6S+SCbRFZvVWfT2dP/JwTiWW1mbEaWKyOgrixH6wSKt9ECumjX9KjqSWGw+k3yLJxIhdqiZAjNv4soJs1mQYdIlFCXCuznzoZIQBexZPQCx0j9HjczPz1feMLWkrHzEMexNjsBE2uA6yXLbH1wa8xCJ4VOeD7u9JqVY579AsicD62G+qIgw0B2zmyz7xTrdPv+061zmYn6qYr8EXGTk4dVgedZp8M1XzZ1PVoeeftPFcClXC7zCGyCR2uzJbQLzlaTwZrdghAiS9UhMRuKpNgZy2zDWw4MqdojrF5bndPkoijlXWYrPYBFED5OU1mpwzpanYgldowJC/Ixjwi+Hmse2q4XgZ+egfuotBqPfqB+bWsCa5GNiJWGdLP69uBSsXubGnqLwvE0FAQ2GHb+SEoZKFy/QV9GzOLlVrGlgK5YFgKJD+Q1nn1QRycXt1oMVC/AtR/NshOGanhdvIRpPATGmaxLVXSY093vyAOW4MPrS00fPAXzAfJUwIuWcloFfLMo5Jitj5rpE1s6FX8xrl4upQ== paul@nyanlout.re"
@ -19,20 +19,43 @@
      isNormalUser = true;
      description = "Victor SENE";
      openssh.authorizedKeys.keys = [
-		"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCaCc2qcQsd/VPDX1K97zJ/MjObWnTfRkA98xeNnVTeGoMmbf/fW1KszB+3IYCngCKLhliotHEXkqOK24vMLZ9ylVPTIPLNY5OWLFRQSOU/OykP8r4ikDWmMOwI+tqkoBknTUZdA1MN1JmkpE1cWL8vRJ7mnwl/p7xCMHV19N5+UdoIx3bFsm0CCUMIYSaIefoD3tpIzmgVqBkIH4FSmNwvXHwcXhhOTGqXbTJYC/GY2mI0AFvZI3T61ReV325ms7QRQlElXP8Rv8lpjr57VISNjKsPPNvifLjy10RjIS8iNioN6fJ0XBCfKOmm37VX86aFkAgWdpzxGojprOXnViwZEWSegnvKGx8FNx3gB54zF76e6koWS+qnYf9UTdogO6uXhXZb7AoMC9XD0/l6Egh8HzPWAUZtLx74zhB8ufoKmzqOp4YrCK8Cu4N/1UTFyPUoeSCZJdcE/9iqldym06mOi4rDV5cKCzs+Q0bVP8+x8SZ9ajYUH7l4sxjDHtHiyAYniWIxGPO5NazCfx7J+1GGzbtV0HuBwE/U20z+nBy+WZ4MowQTNb2E2uhq4OgQASx7uTKtyhnfT09A3toHZVerfH8ET8YEVnwdYMCA0GHYMOZ48h1ORdE+OLyqRlxjYTCB17Kc2icSL3iv8Yd66vQagy3A+C8OhZP1rdc15bEZnw== openpgp:0x28DF0235"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCaCc2qcQsd/VPDX1K97zJ/MjObWnTfRkA98xeNnVTeGoMmbf/fW1KszB+3IYCngCKLhliotHEXkqOK24vMLZ9ylVPTIPLNY5OWLFRQSOU/OykP8r4ikDWmMOwI+tqkoBknTUZdA1MN1JmkpE1cWL8vRJ7mnwl/p7xCMHV19N5+UdoIx3bFsm0CCUMIYSaIefoD3tpIzmgVqBkIH4FSmNwvXHwcXhhOTGqXbTJYC/GY2mI0AFvZI3T61ReV325ms7QRQlElXP8Rv8lpjr57VISNjKsPPNvifLjy10RjIS8iNioN6fJ0XBCfKOmm37VX86aFkAgWdpzxGojprOXnViwZEWSegnvKGx8FNx3gB54zF76e6koWS+qnYf9UTdogO6uXhXZb7AoMC9XD0/l6Egh8HzPWAUZtLx74zhB8ufoKmzqOp4YrCK8Cu4N/1UTFyPUoeSCZJdcE/9iqldym06mOi4rDV5cKCzs+Q0bVP8+x8SZ9ajYUH7l4sxjDHtHiyAYniWIxGPO5NazCfx7J+1GGzbtV0HuBwE/U20z+nBy+WZ4MowQTNb2E2uhq4OgQASx7uTKtyhnfT09A3toHZVerfH8ET8YEVnwdYMCA0GHYMOZ48h1ORdE+OLyqRlxjYTCB17Kc2icSL3iv8Yd66vQagy3A+C8OhZP1rdc15bEZnw== openpgp:0x28DF0235"
-		"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1r2ZzVnOlmoNoLgrc3+Lx7whO8mzcwUf2p9DiYAVg2zo2zbfubLVG1BAgFDe7y+2HwJIbGDDMNUaT+FAsv0mHRlfdUMXXF3nVsFPWGovo1ks31O5zUI9IE3qFU5AJ7SPICS4lQYox1o594iS1OcwJ7Iu6pjEQRRG1OLVYSILJ994vtGsDxfz1CZ8b7u9oSwHz0E4pdy6epkFSE/+9WsZl+ziDMigYZfubjzUCzMy2uT5Z6t+r6bW6mcxnmYax/YmrRvL/dTeDE64Qf7nugjB0XOKUOKCPN5dtqYRx0fN9aDSRf4ubmyVaYeKudm9vttGHXjSPVWAvow+jUDOq2cGr victor@sene.ovh"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1r2ZzVnOlmoNoLgrc3+Lx7whO8mzcwUf2p9DiYAVg2zo2zbfubLVG1BAgFDe7y+2HwJIbGDDMNUaT+FAsv0mHRlfdUMXXF3nVsFPWGovo1ks31O5zUI9IE3qFU5AJ7SPICS4lQYox1o594iS1OcwJ7Iu6pjEQRRG1OLVYSILJ994vtGsDxfz1CZ8b7u9oSwHz0E4pdy6epkFSE/+9WsZl+ziDMigYZfubjzUCzMy2uT5Z6t+r6bW6mcxnmYax/YmrRvL/dTeDE64Qf7nugjB0XOKUOKCPN5dtqYRx0fN9aDSRf4ubmyVaYeKudm9vttGHXjSPVWAvow+jUDOq2cGr victor@sene.ovh"
-	  ];
+      ];
    };
    amandoleen = {
      isNormalUser = true;
      isSystemUser = lib.mkForce false;
      description = "Amandine <3";
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRu0M10AfF2nS8Ky9JzQ4cDRbcjmR+LLvENohxTJhW4xwAwN/f2I0ObbiJ5PHC3mXi8V5JqnSaYNdIMXuULDxxc1QEa0aeLw4xIrYw1wEOrHvL9DeYvS289sRgWSb/PvyejEHwcBBm4Xf0/nQNQF462C064Ms56cT3YAOhNBA7ubyCAqd0VW8RHc1mZ5b/owzM7SviXrpcIM5QDPVP2051SxrqGbunAnwe5x2kNDeYqicyIik61rpYe+erhkyvL3WdgC7mHnF8VPKx049zIsfK5UmJwI+rI24cDUT9E6B4XZttpdyJK6i7/6NSYm4nrMXQxCF1tofd5yZK5vpYH8Dyiic5ykhB57kr1QCmck70VMmt77uOoMeGZ+IJCY5oZYcR/n04mUwN9mmRsECcr17a8IDQkmPd8PNbjrNRgtVKDVLtw4HyOPCAfdH+XzEGiMxnZfzq0rLEYU3S4RAkLpe2W3C0fWniEWzSnXj76AGcyJcxIVzrIYg4uzTgNhZlb08vO1ytw9QaEY17Po5YFjBD8fT9Z0UijG3WQBm7AmSrcg/OLP6UOghbnlkZFYpC0hYcbX1sTfdfysw9kT/d8BImQvwBzmJ/YRqHmCejZGTkCCmw8i93EYFm3uVFZypcSe50JV9rx9P7yPtWS4QVOg/6ltlvJiGsz45P87qjA9nO/Q== amandoleen"
      ];
    };
    synology = {
      uid = 1001;
      isNormalUser = true;
      isSystemUser = lib.mkForce false;
      description = "Synology Diskstation maison";
    };
    rezome = {
      description = "Rezome Minecraft backup";
    };
    zfspaulfixe = {
      uid = 1002;
      isNormalUser = true;
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQjzpEBNEwJhBTh82K5bJMyPSuHvYJyipaZYVtOZSJIDIRcec9YwMOQuMl9+O5kI36tiataEpmb/y3OWU567DXKp/BtljfVfNSQracKJPt6GJFOz4fKqCqoBh7M06ZGsBHUi/NsKIvw4asJsBuK6uACvxKFt2pSR6fp+/2y/3NH0LpDmDuuYORhciJUBC+RUTCLtVUfzkMAeR2p+M079Ia0rnkEXNFgc75FQon1bQu/0bnbHPweSwnNfRB0XPm6Qgz3sS2Cyhf1/GqgvARs80P4MWuqqZFXhsBTajOHOjCu6fiaylPNXNWfLnahkRzKIOkIy7/yEO+MmMD+V7pjbvSqB7MD1T5wfcPHvHTISM4E+7dw9aPj9+JspkgSSACtIFKsqxkWlq5creUV1syDm2Cd4rBnKrc8yWtAxBSusFWbAr6xtxP6I+ibS4trjNdHHrjMJK9jpbPxdblJJrO3qn6VYC/WzFAxzDDUi5ysGzNdpQLacacne/95gSGXCgIIc= root@paul-fixe"
      ];
      description = "paul-fixe zfs backup user";
    };
  };
  users.extraGroups.medias = {
    gid = 498;
-    members = [ "slimserver" "radarr" "sonarr" "emby" "transmission" ];
+    members = [ "slimserver" "radarr" "sonarr" "jellyfin" "transmission" ];
  };
 }
--- a/systems/LoutreOS/web.nix
+++ b/systems/LoutreOS/web.nix
@ -0,0 +1,403 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  nginxSsoAuth = pkgs.writeText "nginx-sso_auth.inc" ''
    # Protect this location using the auth_request
    auth_request /sso-auth;
    # Redirect the user to the login page when they are not logged in
    error_page 401 = @error401;
    location /sso-auth {
        # Do not allow requests from outside
        internal;
        # Access /auth endpoint to query login state
        proxy_pass http://127.0.0.1:${toString(config.services.nginx.sso.configuration.listen.port)}/auth;
        # Do not forward the request body (nginx-sso does not care about it)
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # Set custom information for ACL matching: Each one is available as
        # a field for matching: X-Host = x-host, ...
        proxy_set_header X-Origin-URI $request_uri;
        proxy_set_header X-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # If the user is lead to /logout redirect them to the logout endpoint
    # of ngninx-sso which then will redirect the user to / on the current host
    location /sso-logout {
        return 302 https://login.nyanlout.re/logout?go=$scheme://$http_host/;
    }
    # Define where to send the user to login and specify how to get back
    location @error401 {
        return 302 https://login.nyanlout.re/login?go=$scheme://$http_host$request_uri;
    }
  '';
 in
 {
  security.acme = {
    defaults.email = "paul@nyanlout.re";
    acceptTerms = true;
  };
  users.groups = {
    webdav = {};
  };
  users.users = {
    webdav = {
      isSystemUser = true;
      group = config.users.groups.webdav.name;
    };
  };
  services = {
    phpfpm.pools = {
      drive = {
        user = config.users.users.webdav.name;
        settings = {
          "listen.owner" = config.services.nginx.user;
          "pm" = "dynamic";
          "pm.max_children" = 75;
          "pm.start_servers" = 10;
          "pm.min_spare_servers" = 5;
          "pm.max_spare_servers" = 20;
          "pm.max_requests" = 500;
        };
        phpOptions = ''
          output_buffering=off
        '';
      };
    };
    nginx = {
      enable = true;
      package = pkgs.nginx.override {
        modules = with pkgs.nginxModules; [ dav moreheaders ];
      };
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      commonHttpConfig = ''
        map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security  $hsts_header;
        add_header Referrer-Policy            origin-when-cross-origin;
      '';
      sso = {
        enable = true;
        configuration = {
          listen = {
            addr = "127.0.0.1";
            port = 8082;
          };
          login = {
            title = "LoutreOS login";
            default_method = "simple";
            hide_mfa_field = true;
            names.simple = "Username / Password";
          };
          cookie = {
            domain = ".nyanlout.re";
            secure = true;
          };
          audit_log = {
            targets = [ "fd://stdout" ];
            events = [ "access_denied" "login_success" "login_failure" "logout" ];
          };
          providers.simple = {
            enable_basic_auth = true;
            users = {
              paul = "$2y$10$RMqeJF/hUasXZ5/SLKAu4uKKp6ac6qXCaRu4OY/fIN6ZYucDXzqYm";
            };
            groups = {
              admins = [ "paul" ];
            };
          };
          acl = {
            rule_sets = [
              {
                rules = [ { field = "x-host"; regexp = ".*"; } ];
                allow = [ "@admins" ];
              }
            ];
          };
        };
      };
      virtualHosts = let
        base = locations: {
          locations = locations // {
            "@maintenance" = {
              root = "/var/www/errorpages/";
              extraConfig = ''
                rewrite ^(.*)$ /50x.html break;
              '';
            };
          };
          forceSSL = true;
          enableACME = true;
          extraConfig = ''
            error_page 500 502 503 504 = @maintenance;
          '';
        };
        simpleReverse = rport: base {
          "/" = {
            proxyPass = "http://127.0.0.1:${toString(rport)}/";
          };
        };
        authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
          (base {
            "/" = {
              proxyPass = "http://127.0.0.1:${toString(rport)}/";
              extraConfig = ''
                auth_request_set $cookie $upstream_http_set_cookie;
                auth_request_set $username $upstream_http_x_username;
                proxy_set_header X-WEBAUTH-USER $username;
                add_header Set-Cookie $cookie;
              '';
            };
          })
          {
            extraConfig = ''
              include ${nginxSsoAuth};
            '';
          }
        ];
      in {
        "nyanlout.re" = base {
          "/" = {
            alias = "/var/www/site-perso/";
          };
          "/maintenance/" = {
            alias = "/var/www/errorpages/";
          };
          "/.well-known/openpgpkey/" = {
            alias = "/var/lib/gnupg/wks/nyanlout.re";
            extraConfig = ''
              add_header Access-Control-Allow-Origin * always;
            '';
          };
        } // { default = true; };
        "musique-meyenheim.fr" = base {
          "/" = {
            proxyPass = "http://unix:/run/site-musique.sock";
          };
          "/static/" = {
            alias = "/var/www/site-musique/staticfiles/";
          };
          "/media/" = {
            alias = "/var/www/site-musique/media/";
          };
        };
        "www.musique-meyenheim.fr" = {
          enableACME = true;
          forceSSL = true;
          globalRedirect = "musique-meyenheim.fr";
        };
        "login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
        "grafana.nyanlout.re" = authReverse config.services.grafana.settings.server.http_port;
        "transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;
        "radarr.nyanlout.re" = authReverse 7878;
        "sonarr.nyanlout.re" = authReverse 8989;
        "syncthing.nyanlout.re" = authReverse 8384;
        "prowlarr.nyanlout.re" = authReverse 9696;
        "watcharr.nyanlout.re" = simpleReverse 3080;
        "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
          locations."/" = {
            proxyWebsockets = true;
          };
        };
        "gitea.nyanlout.re" = simpleReverse config.services.gitea.settings.server.HTTP_PORT;
        "photo.nyanlout.re" = recursiveUpdate (simpleReverse config.services.photoprism.port) {
          locations."/" = {
            proxyWebsockets = true;
          };
        };
        "zigbee.nyanlout.re" = recursiveUpdate (authReverse config.services.zigbee2mqtt.settings.frontend.port) {
          locations."/" = {
            proxyWebsockets = true;
          };
        };
        "apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port) {
          locations."/" = {
            proxyWebsockets = true;
          };
        };
        "drive.nyanlout.re" = base {
          "/" = {
            extraConfig = ''
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
              fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
              include ${pkgs.nginx}/conf/fastcgi_params;
              include ${pkgs.nginx}/conf/fastcgi.conf;
              fastcgi_param SCRIPT_FILENAME $document_root/index.php;
              fastcgi_intercept_errors on;
              fastcgi_buffers 64 4K;
              client_body_temp_path /mnt/webdav/tmp_upload;
              client_max_body_size 0;
              proxy_request_buffering off;
            '';
          };
        } // {
          root = "/mnt/webdav";
        };
        "rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
          (base {
            "/" = {
              proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
              extraConfig = ''
                auth_request_set $cookie $upstream_http_set_cookie;
                add_header Set-Cookie $cookie;
              '';
            };
          })
          {
            extraConfig = ''
              include ${nginxSsoAuth};
            '';
          }
        ];
        "designyourfuture.amandoline-creations.fr" = base {
          "/".alias = "/var/www/amandoline-designyourfuture/";
        };
        "amandoline-creations.fr" = base {
          "/".alias = "/var/www/amandoline-portfolio/";
        };
        "www.amandoline-creations.fr" = {
          enableACME = true;
          forceSSL = true;
          globalRedirect = "amandoline-creations.fr";
        };
        "challenge.amandoline-creations.fr" = base {
          "/".alias = "/var/www/amandoline-challenge/";
        };
        ${config.services.nextcloud.hostName} = {
          forceSSL = true;
          enableACME = true;
        };
      };
    };
    postgresql = {
      enable = true;
      package = pkgs.postgresql_14;
      settings = {
        full_page_writes = false;
      };
    };
    gitea = {
      enable = true;
      database = {
        type = "postgres";
        port = 5432;
        passwordFile = "/var/lib/gitea/custom/conf/database_password";
      };
      settings = {
        server = {
          HTTP_PORT = 3001;
          ROOT_URL = "https://gitea.nyanlout.re/";
        };
        log.LEVEL = "Warn";
        service.DISABLE_REGISTRATION = true;
        session.COOKIE_SECURE = true;
      };
    };
    nextcloud = {
      enable = true;
      package = pkgs.nextcloud30;
      hostName = "cloud.nyanlout.re";
      database.createLocally = true;
      https = true;
      maxUploadSize = "16G";
      config = {
        dbtype = "pgsql";
        adminpassFile = "$CREDENTIALS_DIRECTORY/nextcloud_admin.pass";
      };
      settings = {
        "preview_max_filesize_image" = "-1";
        "preview_max_memory" = "1024";
        "preview_ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg";
        "enabledPreviewProviders" = [
          ''OC\Preview\BMP''
          ''OC\Preview\GIF''
          ''OC\Preview\JPEG''
          ''OC\Preview\Krita''
          ''OC\Preview\MarkDown''
          ''OC\Preview\MP3''
          ''OC\Preview\OpenDocument''
          ''OC\Preview\PNG''
          ''OC\Preview\TXT''
          ''OC\Preview\XBitmap''
          ''OC\Preview\Movie''
        ];
      };
      autoUpdateApps.enable = true;
    };
  };
  systemd.services.nginx.serviceConfig = {
    ReadWritePaths = [
      "/var/www/hls"
      "/mnt/webdav"
    ];
  };
  systemd.services.phpfpm-drive.serviceConfig = {
    ReadWritePaths = [
      "/mnt/webdav"
    ];
  };
  systemd.services.nextcloud-setup.serviceConfig = {
    LoadCredential = "nextcloud_admin.pass:/mnt/secrets/nextcloud_admin.pass";
  };
  systemd.services.site-musique = let
    djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_4 pillow setuptools ]));
  in {
    description = "Site Django de la musique de Meyenheim";
    after = [ "network.target" ];
    requires = [ "site-musique.socket" ];
    preStart = ''
      ${djangoEnv}/bin/python manage.py migrate;
      ${djangoEnv}/bin/python manage.py collectstatic --no-input;
    '';
    environment = {
      DJANGO_SETTINGS_MODULE = "site_musique.settings.prod";
      NGINX_DIRECTORY = "/var/www/site-musique";
    };
    serviceConfig = {
      DynamicUser = true;
      Group = "nginx";
      StateDirectory = "site-musique";
      WorkingDirectory = "/var/www/site-musique/";
      ReadWritePaths = [ "/var/www/site-musique/staticfiles" "/var/www/site-musique/media" ];
      EnvironmentFile = "/mnt/secrets/site-musique.env";
      ExecStart = ''${djangoEnv}/bin/gunicorn \
        --access-logfile - \
        --bind unix:/run/site-musique.sock \
        site_musique.wsgi:application
      '';
      PrivateTmp = true;
    };
  };
  systemd.sockets.site-musique = {
    description = "Site Musique socket";
    wantedBy = [ "sockets.target" ];
    listenStreams = [ "/run/site-musique.sock" ];
  };
  systemd.services.nginx-sso.serviceConfig.EnvironmentFile = "/mnt/secrets/nginx-sso.env";
 }
--- a/systems/PC-Fixe/codemasters.pem
+++ b/systems/PC-Fixe/codemasters.pem
@ -0,0 +1,23 @@
 -----BEGIN CERTIFICATE-----
 MIID5zCCAs+gAwIBAgIJAIIfD20HgCPEMA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD
 VQQGEwJVSzEVMBMGA1UECAwMV2Fyd2lja3NoaXJlMSEwHwYDVQQKDBhDb2RlbWFz
 dGVycyBTb2Z0d2FyZSBMdGQxGzAZBgNVBAsMEkNvZGVtYXN0ZXJzIE9ubGluZTEj
 MCEGA1UEAwwaQ29kZW1hc3RlcnMgT25saW5lIFJvb3QgQ0EwHhcNMTAwOTIyMDgx
 NjA4WhcNMzUwOTE2MDgxNjA4WjCBiTELMAkGA1UEBhMCVUsxFTATBgNVBAgMDFdh
 cndpY2tzaGlyZTEhMB8GA1UECgwYQ29kZW1hc3RlcnMgU29mdHdhcmUgTHRkMRsw
 GQYDVQQLDBJDb2RlbWFzdGVycyBPbmxpbmUxIzAhBgNVBAMMGkNvZGVtYXN0ZXJz
 IE9ubGluZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
 ncw3VeQt3N8ZJmNGiCa8UJ61qtBWxat2yx9bWfyf2o4VqQtn7Cc79esHkf5Zbjpc
 zqMpxO/c0vZnHWgH1R0TWRDrSqKHuJxgbxT2JFoLAQQKm+uTUOclLvlC00IrINks
 Y6KPYaQDkaLDAQWX42YGqb7CaKna8DwX6Ms4RHLEm5+L0L5GgRk9RfPlphVYCA9r
 tjJIQluYMc0Ny4tzJ6IuCnDjgRfmehWSpBV+UAx8FHFxmOUgone6dhA0pTLtR/lu
 P/S2aISWgQZJ0GWWfQ/mjVpccnWKtZUK0TCVoKTPpGaV4kTDHYq9ylpuNItTww9E
 rXR0/9gWOZHQ49QXd2rnrQIDAQABo1AwTjAdBgNVHQ4EFgQU9vW1MrzNfAbZeTQJ
 gHCzyQQlAZgwHwYDVR0jBBgwFoAU9vW1MrzNfAbZeTQJgHCzyQQlAZgwDAYDVR0T
 BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAcOUnPyvrbAdzMSPN9PLnvh34I9jW
 EwU81ks67EBNHaMdghiUhOFZ65vzQLoUYoqQcgzu+i0rAkLZrfviC1TUlv+mdlgK
 ce6eD2VgpQOPrpOG6O/TfmyAhS5mOlA35NMsZqZTpIiTZnZLGHSSu/Shvnk7UDTs
 lTp1yNj6etlY03ABieBsSIDu0UmhNfEY2HgjPaGGiAmcenw2d4U5Z2oCiJVDseeq
 RdlVx/sg4UM8L24/ccqn5uV05cg5aUF5dAlAYLq2wXNgbkpePtmo+/tqdiE3pL+q
 TRW14lealjJNmjUUTO/KHjKOpfPJNCHSGLk/h/UskEvcTUTqwDZATCl4jw==
 -----END CERTIFICATE-----
--- a/systems/PC-Fixe/configuration.nix
+++ b/systems/PC-Fixe/configuration.nix
@ -8,155 +8,118 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../common.nix
+      ../common-cli.nix
      ../common-gui.nix
    ];
-  nixpkgs.overlays = [
+  nix.settings.trusted-users = [ "root" "paul" ];
    (import ../../overlays/ledger-udev-rules.nix)
  ];
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
-  # boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.loader.grub = {
-  boot.kernelParams = ["acpi_enforce_resources=lax"];
+    efiSupport = true;
-  boot.tmpOnTmpfs = true;
+    device = "nodev";
    zfsSupport = true;
    memtest86.enable = true;
    fontSize = 32;
  };
  boot.kernelParams = [
    "acpi_enforce_resources=lax"
    "zfs.zfs_arc_max=2147483648"
  ];
  boot.tmp.useTmpfs = false;
  boot.supportedFilesystems = [ "zfs" ];
  boot.extraModprobeConfig = ''
    options hid_apple fnmode=2
  '';
-  # NVIDIA
+  zramSwap.enable = true;
  services.xserver.videoDrivers = [ "nvidia" ];
-  # For Steam
+  virtualisation.podman.enable = true;
  hardware.opengl.driSupport32Bit = true;
  hardware.pulseaudio.support32Bit = true;
  hardware.steam-hardware.enable = true;
-  hardware.u2f.enable = true;
+  services.zfs = {
    trim = {
      enable = false;
      interval = "monthly";
    };
    autoScrub = {
      enable = false;
      interval = "monthly";
    };
    autoSnapshot = {
      enable = true;
      monthly = 6;
    };
    autoReplication = {
      enable = true;
      host = "nyanlout.re";
      username = "zfspaulfixe";
      identityFilePath = "/var/lib/zfs-replication/id_rsa";
      localFilesystem = "fastaf/home";
      remoteFilesystem = "loutrepool/zfs-replicate/paul-fixe";
    };
  };
  hardware.bluetooth.enable = true;
  # Logitech G920
  hardware.usb-modeswitch.enable = true;
  services.udev.packages = with pkgs; [
    ledger-udev-rules
    usb-modeswitch-data # Logitech G920
  ];
-  networking.hostName = "paul-fixe"; # Define your hostname.
+  services.udev.extraRules = ''
-  networking.networkmanager.enable = true;  # Enables wireless support via wpa_supplicant.
+    ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
  '';
-  # Select internationalisation properties.
+  networking.hostName = "paul-fixe";
-  i18n = {
+  networking.hostId = "3a1f739e";
-    consoleKeyMap = "fr";
+
-    defaultLocale = "fr_FR.UTF-8";
+  networking.hosts = {
    "10.30.0.1" = ["emby.nyanlout.re" "nyanlout.re"];
  };
  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
-    filezilla
+    usb-modeswitch
-    wineStaging
+    esphome
    winetricks
    qbittorrent
    transmission-remote-gtk
    appimage-run
    bat
    usb_modeswitch
    gopass
    xclip
    electrum
    electron-cash
    firefox
    chromium
    tdesktop
    mumble
    kleopatra
    gnupg
    kdeplasma-addons
    ark
    kate
    kmail
    kdeconnect
    okular
    yakuake
    konversation
    gwenview
    kcalc
    spectacle
    kile
    (texlive.combine {
      inherit (texlive) scheme-small titling collection-langfrench cm-super;
    })
    imagemagick
    gnome-breeze
    arc-theme
    materia-theme
    libreoffice
    gimp
    vlc
    kodiPlain
    steam
    sc-controller
    steam-run
    minecraft
    glxinfo
    i7z
    lm_sensors
    obs-studio
  ];
-  programs.wireshark.enable = true;
+  programs = {
-  programs.wireshark.package = pkgs.wireshark;
+    wireshark.enable = true;
-
+    alvr.enable = true;
-  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+  };
  programs.browserpass.enable = true;
  services.pcscd.enable = true;
  services.pcscd.plugins = [
    (pkgs.ccid.overrideAttrs (oldAttrs: rec {
        preBuild = ''
 	  echo "0x2C97:0x0001:Ledger Token" >> ./readers/supported_readers.txt
        '';
      })
    )
  ];
  networking.firewall.enable = false;
-  # Enable sound.
+  services.displayManager.autoLogin.user = "paul";
  sound.enable = true;
  hardware.pulseaudio.enable = true;
  # Enable the X11 windowing system.
  services.xserver.enable = true;
  services.xserver.layout = "fr";
  # Enable the KDE Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.paul = {
    isNormalUser = true;
-    extraGroups = [ "wheel" "networkmanager" "wireshark" "input" ];
+    extraGroups = [ "wheel" "networkmanager" "wireshark" "input" "dialout" "libvirtd" "vboxusers" ];
    uid = 1000;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDstFRwMoTEip5IBSYE4dUj3miO0LsKrnUKQJmp7d5QYo3VhXk43jU6VUU0tVAegkzWLlQ3ohoFns+8bZyf7hj7roftrDfoC9bbbx4ihhWrZTlF0gzoH4t52yetFO5eC/tV2sm/zFoa+3IWLokOEFmAoknAVag1MmVLXTQ6WPoTPD4UsX/D3lyE4dbSKxHpMOIjqIdqSEgO0BeTdnHe5afvGXXO1VYTvPsGDHT9w8EHwQV9JXIPn7KVOp3qin7OwvFFrrB3QbiEVTJvGiH2hrfxcARTN/+TxGtf+aOFeuQykURG9Wz/aBK60EWE0wGrzuIymxtNdOR1NhmnNrUZ976Tb9WdR7FC+yM6+/kdfICy+sGQmmn8TLsGvcJTT/pl4Pa9uRAKjRJuLIEgYY6W/ms9lCRyf484yRkDlq+V0BPuN9Jy6Eb7x+tmZNkpEtkqso7wfXD8sf5BIwv2K69SVMpfTswydHGmDwHZ0zaDKGlyCiyJ1QGqUhCTXqtYVq+kQ3AcjKcysMwVEmwx/ySu0XFuV8oUkl9XK/RUoc++sMEd0EbHcn8uwCmBARNX+GLQ03vxwyMW3HyneP8EAxoqtSepZXbTdVP/0i+l7EUUeA7zsaWfU2a82ktZWpVPFGfxkuo0l3zLF19EsXPKZNqlRfkOWjSgp+qWihAkQIQk3GoduQ== openpgp:0x75EE3375"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3fEmkmrhccW8NegIk/Ubu6Yw80VCQ1ttG419e+1V1wkJPXFAqcIhffwrIlz81dJ47T+H+zeptpAX8U1Gbk1B5ZH4DW8OcqU6ymM+j6g/gICpvrjJUOpdgyA3GIOjuBJGijGQGggDw1k2SdopAVV1H38YUAJ33RGDvjLJO6VREYLDYLF4oaDp8ann7Wn8BpX2T7cRvhrzqcwbEGaw1f/xrLE5KklOb6pOHRWFJMxW83d8OKiLkQvM4vFGlvvG0/AKGZaZWHDXS7ldoyAv+vnN8DrIxmWEQjdNLfAwYDBHp6XqE0slde4dqBjVHji5+ajFr7eJnrzc4IXsHJ1jM9xGB paul@loutreos"
    ];
  };
-  services.syncthing.enable = true;
+  services.openssh.enable = true;
-  services.syncthing.user = "paul";
+  services.openssh.settings = {
-  services.syncthing.group = "users";
+    PasswordAuthentication = false;
    X11Forwarding = true;
  };
-  virtualisation.rkt.enable = true;
+  services.xserver.deviceSection = ''
    Option "metamodes" "DP-4: 3440x1440_144 +0+0 {AllowGSYNCCompatible=On}"
  '';
-  # This value determines the NixOS release with which your system is to be
+  services.printing.enable = true;
-  # compatible, in order to avoid breaking some software such as database
+  services.printing.drivers = [ pkgs.hplip ];
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "18.09"; # Did you read the comment?
  systemd.services = {
    zfs-replication.serviceConfig.StateDirectory = "zfs-replication";
  };
  boot.enableContainers = false;
  system.stateVersion = "20.03";
 }
--- a/systems/PC-Fixe/hardware-configuration.nix
+++ b/systems/PC-Fixe/hardware-configuration.nix
@ -4,63 +4,56 @@
 { config, lib, pkgs, ... }:
 {
-  imports =
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
-    ];
+  boot.kernelModules = [ "kvm-amd" "coretemp" "it87" ];
  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "firewire_ohci" "pata_marvell" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
  boot.kernelModules = [ "kvm-intel" "nct6775" ];
  boot.extraModulePackages = [ ];
-  boot.blacklistedKernelModules = [ "hid-steam" ];
+
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.cpu.amd.updateMicrocode = true;
  hardware.nvidia = {
    open = false;
    modesetting.enable = true;
  };
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/509a5842-56fe-40bd-8b00-6bda87e02e5e";
+    { device = "rpool/root/nixos";
-      fsType = "ext4";
+      fsType = "zfs";
    };
  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/A225-07A5";
+    { device = "/dev/disk/by-uuid/F4EC-57DF";
      fsType = "vfat";
    };
-  fileSystems."/mnt/hdd" =
+  fileSystems."/home" =
-    { device = "/dev/mapper/ManjaroVG-ManjaroRoot";
+    { device = "fastaf/home";
-      fsType = "ext4";
+      fsType = "zfs";
    };
  fileSystems."/home/paul/Documents" =
    { device = "/mnt/hdd/paul/Documents";
      options = [ "bind" ];
    };
  fileSystems."/home/paul/Downloads" =
    { device = "/mnt/hdd/paul/Téléchargements";
      options = [ "bind" ];
    };
  fileSystems."/home/paul/Music" =
    { device = "/mnt/hdd/paul/Musique";
      options = [ "bind" ];
    };
  fileSystems."/home/paul/Pictures" =
    { device = "/mnt/hdd/paul/Images";
      options = [ "bind" ];
    };
  fileSystems."/home/paul/Videos" =
    { device = "/mnt/hdd/paul/Vidéos";
      options = [ "bind" ];
    };
  fileSystems."/mnt/steam" =
-    { device = "192.168.0.5:/exports/steam";
+    { device = "fastaf/steam";
      fsType = "zfs";
    };
  fileSystems."/mnt/games" =
    { device = "fastaf/games";
      fsType = "zfs";
    };
  # fileSystems."/mnt/hdd" =
  #   { device = "/dev/mapper/ManjaroVG-ManjaroRoot";
  #     fsType = "ext4";
  #   };
  fileSystems."/mnt/medias" =
    { device = "10.30.0.1:/mnt/medias";
      fsType = "nfs";
      options = ["x-systemd.automount" "noauto"];
    };
  swapDevices = [ ];
-  nix.maxJobs = lib.mkDefault 4;
+  nix.settings.max-jobs = lib.mkDefault 12;
-  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/systems/common-cli.nix
+++ b/systems/common-cli.nix
@ -0,0 +1,125 @@
 { config, pkgs, ... }:
 {
  time.timeZone = "Europe/Paris";
  environment.systemPackages = with pkgs; [
    # Editeurs
    (neovim.override {
      viAlias = true;
      vimAlias = true;
      configure = {
        customRC = ''
 	        set tabstop=8
          set shiftwidth=4
          set softtabstop=0
          set expandtab
 	        set smarttab
          set background=dark
          set mouse=
        '';
        packages.myVimPackage = with pkgs.vimPlugins; {
          start = [
            vim-startify  airline             sensible
            polyglot      ale                 fugitive
          ];
          opt = [ ];
        };
      };
    })
    # Gestionnaires de version
    tig
    gitAndTools.hub
    quilt
    # Gestion de paquets
    nix-prefetch-scripts
    nox
    nix-index
    # Système
    smartmontools
    htop
    lshw
    usbutils
    # Réseau
    inetutils
    rclone
    lftp
    nfs-utils
    nmap
    # Divers
    fzf
    file
    ncdu
    yt-dlp
    tldr
    starship
    # Audio
    beets
    # Outils
    borgbackup
    binutils
    bat
    molly-guard
    nix-template
    lz4
    # Développement
    openssl
  ];
  users.defaultUserShell = pkgs.zsh;
  programs = {
    tmux = {
      enable = true;
      clock24 = true;
    };
    zsh = {
      enable = true;
      autosuggestions.enable = true;
      enableCompletion = true;
      syntaxHighlighting.enable = true;
      interactiveShellInit = ''
        source "$(${pkgs.fzf}/bin/fzf-share)/key-bindings.zsh"
        eval "$(starship init zsh)"
      '';
      ohMyZsh = {
        enable = true;
        plugins = [ "git" "colored-man-pages" "command-not-found" "extract" "nix" ];
        customPkgs = with pkgs;[
          nix-zsh-completions
        ];
      };
    };
    bash.interactiveShellInit = ''
      eval "$(starship init bash)"
    '';
    git.enable = true;
  };
  environment.variables = let
    starshipConfToml =
      pkgs.writeText "starship.toml" ''
        [[battery.display]]
        threshold = 50
      '';
  in {
    EDITOR = "nvim";
    STARSHIP_CONFIG = "${starshipConfToml}";
  };
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 15d";
  systemd.timers.nix-gc.timerConfig.Persistent = true;
 }
--- a/systems/common-gui.nix
+++ b/systems/common-gui.nix
@ -0,0 +1,142 @@
 { config, pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    filezilla
    qbittorrent
    transmission-remote-gtk
    sc-controller
    steam-run
    prismlauncher
    lutris
    teamspeak_client
    ryujinx
    betaflight-configurator
    ledger-live-desktop
    monero-gui
    tor-browser-bundle-bin
    brave
    tdesktop
    element-desktop
    mumble
    discord
    kleopatra
    gnupg
    gopass
    xclip
    kdeplasma-addons
    ark
    kate
    kmail
    kdePackages.kdeconnect-kde
    okular
    yakuake
    konversation
    gwenview
    kcalc
    spectacle
    kinfocenter
    kile
    (texlive.combine {
      inherit (texlive) scheme-small titling collection-langfrench cm-super;
    })
    libsForQt5.breeze-gtk
    libreoffice
    gimp
    inkscape
    imagemagick
    obs-studio
    vlc
    mpv
    kdenlive
    glxinfo
    i7z
    pavucontrol
  ];
  i18n = {
    defaultLocale = "fr_FR.UTF-8";
  };
  console.keyMap = "fr";
  networking.networkmanager.enable = true;
  systemd.extraConfig = "DefaultLimitNOFILE=1048576";
  security = {
    pam.loginLimits = [{
      domain = "*";
      type = "hard";
      item = "nofile";
      value = "1048576";
    }];
    rtkit.enable = true;
  };
  programs = {
    gnupg.agent = { enable = true; enableSSHSupport = true; };
    browserpass.enable = true;
    steam.enable = true;
    firefox.enable = true;
    appimage.enable = true;
  };
  services = {
    # desktopManager.plasma6.enable = true;
    displayManager = {
      sddm = {
        enable = true;
        # wayland.enable = true;
        autoLogin.relogin = true;
      };
    };
    xserver = {
      enable = true;
      xkb.layout = "fr";
      exportConfiguration = true;
      desktopManager.plasma5.enable = true;
    };
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      extraConfig.pipewire = {
      "10-clock-rate" = {
        "context.properties" = {
          "default.clock.allowed-rates"  = [ 48000 ];
        };
      };
    };
    };
    udev.packages = with pkgs; [ ledger-udev-rules ];
    pcscd.enable = true;
  };
  environment.etc = {
    "mpv/mpv.conf" = {
      text = ''
        profile=gpu-hq
        scale=ewa_lanczossharp
        cscale=ewa_lanczossharp
        video-sync=display-resample
        interpolation
        tscale=oversample
      '';
    };
    # CK3 fix
    "ssl/certs/f387163d.0".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/Starfield_Class_2_CA.crt";
  };
 }
--- a/systems/common.nix
+++ b/systems/common.nix
@ -1,93 +0,0 @@
 { config, pkgs, ... }:
 {
  time.timeZone = "Europe/Paris";
  nixpkgs.overlays = [
    (import ../overlays/sudo.nix)
    (import ../overlays/neovim.nix)
  ];
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    # Editeurs
    neovim
    # Gestionnaires de version
    gitFull
    tig
    # Gestion de paquets
    nix-prefetch-scripts
    nox
    nix-index
    # Système
    smartmontools
    htop
    lshw
    usbutils
    # Réseau
    telnet
    rclone
    lftp
    wireguard
    nfsUtils
    nmap
    # Divers
    fzf
    file
    ncdu
    youtube-dl
    tldr
    # Audio
    beets
    # Outils
    borgbackup
    # Développement
    openssl
  ];
  programs.tmux = {
    enable = true;
    clock24 = true;
  };
  users.defaultUserShell = pkgs.zsh;
  programs.zsh = {
    enable = true;
    autosuggestions.enable = true;
    enableCompletion = true;
    syntaxHighlighting.enable = true;
    interactiveShellInit = ''
      source "$(${pkgs.fzf}/bin/fzf-share)/key-bindings.zsh"
    '';
    ohMyZsh = {
      enable = true;
      plugins = [ "git" "colored-man-pages" "command-not-found" "extract" "nix" ];
      customPkgs = with pkgs;[
        spaceship-prompt
        nix-zsh-completions
      ];
      theme = "spaceship";
    };
  };
  environment.variables = {
    EDITOR = "nvim";
    SPACESHIP_TIME_SHOW = "true";
    SPACESHIP_BATTERY_THRESHOLD = "50";
    SPACESHIP_EXIT_CODE_SHOW = "true";
  };
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 15d";
  systemd.timers.nix-gc.timerConfig.Persistent = true;
 }