Add incomplete grocy configuration

2022-04-12 15:46:59 +02:00
69 changed files with 442 additions and 795 deletions
--- a/.EditorConfig
+++ b/.EditorConfig
@ -1,4 +0,0 @@
-root = true
-
-[*.nix]
-indent_style = "tab"
--- a/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg
+++ b/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg
--- a/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg
+++ b/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +0,0 @@
-[submodule "config/hosts/grondahl/services/ooye"]
-	path = config/hosts/grondahl/services/ooye
-	url = https://cgit.rory.gay/nix/OOYE-module.git
--- a/12
+++ b/12
@ -1,12 +0,0 @@
-all: result
-	
-.PHONY: update result deploy
-
-result:
-	nix build -f deploy/default.nix
-
-update:
-	cd config/sources && niv update
-
-deploy:
-	./result
--- a/README.md
+++ b/README.md
@ -1,27 +1 @@
 NixOS deployments using [nixus](https://github.com/Infinisil/nixus).
-
-TL;DR:
-1. `make update`
-2. `make result`
-3. `make deploy`
-
-First make sure you have `niv` so you can upgrade dependency versions in `sources.json`.
-```sh
-nix-shell -p niv
-(cd config/sources && niv update)
-```
-Build with:
-```sh
-nix-build deploy/
-```
-Deploy by running the generated executable.
-```sh
-./result
-```
-
-## Switching nixpkgs branch
-```sh
-cd config/sources
-niv modify nixpkgs -b nixos-xx.yy
-```
-
--- a/config/common/configuration/documentation.nix
+++ b/config/common/configuration/documentation.nix
@ -1,12 +0,0 @@
-{ ... }:
-
-{
-	# Some docs fail to build, so we need to disable some of it
-	documentation = {
-		enable = true;
-		man.enable = true;
-		doc.enable = true;
-		dev.enable = false;
-		nixos.enable = false;
-	};
-}
--- a/config/common/configuration/nix.nix
+++ b/config/common/configuration/nix.nix
@ -1,12 +0,0 @@
-{ ... }:
-
-# Configuration options for the nix package manager
-{
-	nix.gc = {
-		# Run garbage collection automatically
-		automatic = true;
-		# Run it once a week
-		dates = "weekly";
-		options = "--delete-older-than 30d";
-	};
-}
--- a/config/common/data/pubkeys/backup_host_ed25519_key.pub
+++ b/config/common/data/pubkeys/backup_host_ed25519_key.pub
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4C5OgZpxoF42L5rPqwejs+Q1ViN9TM9o/fEbpnPFtA
--- a/config/common/data/pubkeys/despondos_host_ed25519_key.pub
+++ b/config/common/data/pubkeys/despondos_host_ed25519_key.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
--- a/config/common/services/nginx.nix
+++ b/config/common/services/nginx.nix
@ -20,26 +20,26 @@
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
-      #add_header Strict-Transport-Security $hsts_header;
+      add_header Strict-Transport-Security $hsts_header;

      # Enable CSP for your services.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
-      #add_header 'Referrer-Policy' 'same-origin';
+      add_header 'Referrer-Policy' 'same-origin';

      # Disable embedding as a frame
-      #add_header X-Frame-Options DENY;
+      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
-      #add_header X-Content-Type-Options nosniff;
+      add_header X-Content-Type-Options nosniff;

      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
-      #add_header X-XSS-Protection "1; mode=block";
+      add_header X-XSS-Protection "1; mode=block";

      # This might create errors
-      #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
  };
 }
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
@ -2,21 +2,19 @@
 {
  services.openssh = {
    enable = true;
+    permitRootLogin = "no";
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
    hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
-    settings = {
-      KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
-      Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
-      PermitRootLogin = "no";
-      KbdInteractiveAuthentication = false;
-      PasswordAuthentication = false;
+    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];

-    };
  };

  programs.ssh.knownHosts = {
-    backup = {
-      hostNames = [ "backup.graven.dev" ];
-      publicKeyFile = ../data/pubkeys/backup_host_ed25519_key.pub;
+    despondos = {
+      hostNames = [ "despondos.nao.sh" ];
+      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
    };
  };

--- a/config/common/services/tailscale.nix
+++ b/config/common/services/tailscale.nix
@ -1,37 +0,0 @@
-{ config, pkgs, ... }:
-{
-environment.systemPackages = [ pkgs.tailscale ];
-
-services.tailscale.enable = false;
-
-  # ...
-
-  # create a oneshot job to authenticate to Tailscale
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = with pkgs; ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey CHANGEME
-    '';
-  };
-
-}
--- a/config/common/users.nix
+++ b/config/common/users.nix
@ -5,7 +5,8 @@
 			isNormalUser = true;
 			extraGroups = [ "wheel" ];
 			openssh.authorizedKeys.keys = [
-				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAn9xV1GA/hMkCFoP7DWzYyGmbeiri823fHMRz0ZVoxq emelie-personal-bw"
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+							"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"

 			];
 		};
@ -16,10 +17,6 @@
 				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwmREgBmckocQerEfO4XhB+dbKDsZopok37ePWHwCEj id_ed25519"
 				"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILrZWS1PBVRbdmPh8IJdIPHhK0+ZuSnQCR10a8Bl11VZAAAABHNzaDo= amanda@sharpy"
 				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6v5D/aJuIhuIVcnzFA7ocxPMI8JgHEnxSPuD+SaLHX amanda@sharpy"
-				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+0x2uHcuXpFQdeXeUWeLGPefWo6Sd7yy2FJlyZy8V+ amanda@tappy"
-				"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKWhc20jOFF+pVVT/Mf1ACYOtppkYWkP7NkY0/fPvjPAAAAFHNzaDphMy1uazNhLXBlcnNvbmFs ssh:a3-nk3a-personal"
-				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMLbLay9KARrdb8QM4OLzmqWIN48rZMX6wCddBwYT/U amanda@gpg"
-				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGMWTQc7A3W/LI4AgFWy/Uw/+oMucmSziuJKxC2rleo amanda@bitwarden"
 			];
 		};
 	};
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
@ -5,26 +5,23 @@
    [ # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./data/secrets/secrets.nix
-    ../../common/configuration/nix.nix
-    ../../common/configuration/documentation.nix
    ../../common/services/ssh.nix
-    ../../common/services/tailscale.nix
-    ../../common/users.nix
+		../../common/users.nix
    ./services/acme.nix
-    ./services/borg.nix
    ./services/coturn.nix
    ./services/nginx.nix
+    ./services/restic.nix
    ./services/synapse.nix
    ./services/postgres.nix
-    ./services/ooye.nix
 		#./services/mail.nix
 		#./services/containers.nix
 		#./services/redis.nix
    ];

  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  boot.kernelPackages = pkgs.linuxPackages_5_10;
  networking = {
    hostName = "grondahl";
    useDHCP = false;
@ -52,9 +49,9 @@

  security.sudo.wheelNeedsPassword = false;

-  nix.settings = {
-    auto-optimise-store = true;
-    trusted-users = [
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
      "root"
      "@wheel"
    ];
@ -75,15 +72,9 @@
    dig
  ];

-  networking.firewall = {
-    enable = true;
-    checkReversePath = "loose";
-    trustedInterfaces = [ "tailscale0" ];
-    allowedUDPPorts = [ config.services.tailscale.port ];
-    allowedTCPPorts = [ 22 80 443 ];
-    allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
-    allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
-  };
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
+  networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];

  system.stateVersion = "21.05";

--- a/config/hosts/grondahl/data/secrets/acme_anarkafem_dev
+++ b/config/hosts/grondahl/data/secrets/acme_anarkafem_dev
--- a/config/hosts/grondahl/data/secrets/borg_pass
+++ b/config/hosts/grondahl/data/secrets/borg_pass
--- a/config/hosts/grondahl/data/secrets/ooye_client_secret
+++ b/config/hosts/grondahl/data/secrets/ooye_client_secret
--- a/config/hosts/grondahl/data/secrets/ooye_token
+++ b/config/hosts/grondahl/data/secrets/ooye_token
--- a/config/hosts/grondahl/data/secrets/secrets.nix
+++ b/config/hosts/grondahl/data/secrets/secrets.nix
--- a/config/hosts/grondahl/data/secrets/synapse_db_password
+++ b/config/hosts/grondahl/data/secrets/synapse_db_password
--- a/config/hosts/grondahl/data/secrets/synapse_extra_config
+++ b/config/hosts/grondahl/data/secrets/synapse_extra_config
--- a/config/hosts/grondahl/hardware-configuration.nix
+++ b/config/hosts/grondahl/hardware-configuration.nix
@ -2,7 +2,7 @@
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
-      #(modulesPath + "/profiles/minimal.nix")
+      (modulesPath + "/profiles/minimal.nix")
    ];

  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
--- a/config/hosts/grondahl/services/acme.nix
+++ b/config/hosts/grondahl/services/acme.nix
@ -3,7 +3,12 @@
 {
  security.acme = {
    acceptTerms = true;
-    defaults.email = "admin+certs@anarkafem.dev";
+    email = "admin+certs@anarkafem.dev";
+    certs."anarkafem.dev" = {
+      extraDomainNames = [ "*.anarkafem.dev" ];
+      dnsProvider = "hurricane";
+      credentialsFile = config.secrets.files.acme_anarkafem_dev.file;
+    };
  };
 }

--- a/config/hosts/grondahl/services/borg.nix
+++ b/config/hosts/grondahl/services/borg.nix
@ -1,26 +0,0 @@
-{ config, ... }:
-
-{
-	services.borgbackup.jobs = {
-		postgres = {
-			paths = "/var/lib/postgresql/backup";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/postgres";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:15:00";
-			user = "postgres";
-		};
-		synapse = {
-			paths = "/var/lib/matrix-synapse";
-			repo =  "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/synapse";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:45:00";
-			user = "matrix-synapse";
-		};
-	};
-}
--- a/config/hosts/grondahl/services/nginx.nix
+++ b/config/hosts/grondahl/services/nginx.nix
@ -1,13 +1,8 @@
 {
  imports = [ ../../../common/services/nginx.nix ];
  services.nginx.virtualHosts = {
-    "ooye.anarkafem.dev" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/".proxyPass = "http://127.0.0.1:6693/";
-    };
    "anarkafem.dev" = {
-      enableACME = true;
+      useACMEHost = "anarkafem.dev";
      forceSSL = true;
      locations."/".root = "/var/www/anarkafem.dev/public";
      locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
@ -26,21 +21,14 @@
      };
    };
 		"cal.anarkafem.dev" = {
-			enableACME = true;
+			useACMEHost = "anarkafem.dev";
 			forceSSL = true;
 			locations."/".proxyPass = "http://127.0.0.1:4000";
 		};
 		"auth.anarkafem.dev" = {
-			enableACME = true;
+			useACMEHost = "anarkafem.dev";
 			forceSSL = true;
 			locations."/".proxyPass = "http://127.0.0.1:9000";
 		};
-    "beanz.one" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        root = "/var/www/beanz.one/public";
-      };
-    };
  };
 }
--- a/config/hosts/grondahl/services/ooye
+++ b/config/hosts/grondahl/services/ooye
@ -1 +0,0 @@
-Subproject commit 11cc65efa2909bdc7e3e978bf1f56f6d141bf82a
--- a/config/hosts/grondahl/services/ooye.nix
+++ b/config/hosts/grondahl/services/ooye.nix
@ -1,16 +0,0 @@
-# Out of your Element prerequisites
-{ config, ... }:
-{
-  imports = [
-	./ooye/module.nix
-  ];
-  services.matrix-ooye = {
-	enable = true;
-	homeserver = "http://localhost:8008";
-	namespace = "_discord_";
-	discordClientSecretPath = builtins.toString config.secrets.files.ooye_client_secret.file;
-	discordTokenPath = builtins.toString config.secrets.files.ooye_token.file;
-	bridgeOrigin = "https://ooye.anarkafem.dev";
-	enableSynapseIntegration = true;
-  };
-}
--- a/config/hosts/grondahl/services/postgres.nix
+++ b/config/hosts/grondahl/services/postgres.nix
@ -2,8 +2,8 @@
 {
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_16;
-		extensions = with config.services.postgresql.package.pkgs; [
+    package = pkgs.postgresql_13;
+		extraPlugins = with config.services.postgresql.package.pkgs; [
 			postgis
 		];
    ensureDatabases = [ 
@ -14,15 +14,15 @@
    ensureUsers = [
    	{
 				name = "matrix-synapse";
-				ensureDBOwnership = true;
+      	ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
    	}
 			{
 				name = "mobilizon";
-				ensureDBOwnership = true;
+      	ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES";
  		}
 			{ 
 				name = "authentik";
-				ensureDBOwnership = true;
+				ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES";
 			}
    ];
    initialScript = pkgs.writeText "synapse-init.sql" ''
--- a/config/hosts/grondahl/services/redis.nix
+++ b/config/hosts/grondahl/services/redis.nix
@ -1,13 +1,11 @@
 { config, ...  }:
 {
  services.redis = {
+    enable = true;
+    unixSocket = "/run/redis/redis.sock";
    vmOverCommit = true;
-    servers."" = {
-      enable = true;
-      unixSocket = "/run/redis/redis.sock";
-      unixSocketPerm = 770;
-      #requirePassfile = config.secrets.files.redis_pass.file;
-    };
+    unixSocketPerm = 770;
+    #requirePassfile = config.secrets.files.redis_pass.file;
  }; 
 }

--- a/config/hosts/grondahl/services/restic.nix
+++ b/config/hosts/grondahl/services/restic.nix
@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.restic.backups = {
+    "postgres" = {
+      paths = [ "/var/lib/postgresql/backup" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
+    };
+    "synapse" = {
+      paths = [ "/var/lib/matrix-synapse" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:45"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "matrix-synapse";
+    };
+  };
+}
+
--- a/config/hosts/grondahl/services/synapse.nix
+++ b/config/hosts/grondahl/services/synapse.nix
@ -3,76 +3,72 @@
 {
  services.matrix-synapse = {
    enable = true;
+    server_name = "anarkafem.dev";
+    enable_registration = false;
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    max_upload_size = "100M";
+    database_type = "psycopg2";
+		database_args = { 
+			password = builtins.toString config.secrets.files.synapse_db_password.file;
+		};
+    turn_uris = [
+      "turn:turn.anarkafem.dev:3478?transport=udp"
+      "turn:turn.anarkafem.dev:3478?transport=tcp"
+      "turn:turn.anarkafem.dev:3479?transport=udp"
+      "turn:turn.anarkafem.dev:3479?transport=tcp"
+      "turns:turn.anarkafem.dev:5349?transport=udp"
+      "turns:turn.anarkafem.dev:5349?transport=tcp"
+      "turns:turn.anarkafem.dev:5350?transport=udp"
+      "turns:turn.anarkafem.dev:5350?transport=tcp"
+    ];
+    report_stats = false;
    withJemalloc = true;
-    settings = {
-      database = {
-        name = "psycopg2";
-        args.user = "matrix-synapse";
-        args.database = "matrix-synapse";
-      };
+    servers = { "anarkafem.dev" = {}; };
+    extraConfig = ''
+      default_room_version: "9"
+      auto_join_rooms:
+        - "#suf-aalborg:anarkafem.dev"
+    '';
+    logConfig = ''
+      version: 1

-      server_name = "anarkafem.dev";
-      enable_registration = false;
-      registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
-      turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
-      max_upload_size = "100M";
-      turn_uris = [
-        "turn:turn.anarkafem.dev:3478?transport=udp"
-        "turn:turn.anarkafem.dev:3478?transport=tcp"
-        "turn:turn.anarkafem.dev:3479?transport=udp"
-        "turn:turn.anarkafem.dev:3479?transport=tcp"
-        "turns:turn.anarkafem.dev:5349?transport=udp"
-        "turns:turn.anarkafem.dev:5349?transport=tcp"
-        "turns:turn.anarkafem.dev:5350?transport=udp"
-        "turns:turn.anarkafem.dev:5350?transport=tcp"
-      ];
-      report_stats = false;
-      servers = { "anarkafem.dev" = {}; };
-      extraConfig = ''
-        default_room_version: "9"
-        auto_join_rooms:
-          - "#suf-aalborg:anarkafem.dev"
-      '';
-      logConfig = ''
-        version: 1
+      formatters:
+          precise:
+              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'

-        formatters:
-            precise:
-                format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+      handlers:
+          console:
+              class: logging.StreamHandler
+              formatter: precise

-        handlers:
-            console:
-                class: logging.StreamHandler
-                formatter: precise
+      loggers:
+          synapse.storage.SQL:
+              # beware: increasing this to DEBUG will make synapse log sensitive
+              # information such as access tokens.
+              level: INFO

-        loggers:
-            synapse.storage.SQL:
-                # beware: increasing this to DEBUG will make synapse log sensitive
-                # information such as access tokens.
-                level: INFO
+      root:
+          level: INFO
+          handlers: [console]

-        root:
-            level: INFO
-            handlers: [console]
-
-        disable_existing_loggers: false
-      '';
-      listeners = [
-        {
-          port = 8008;
-          bind_addresses = ["127.0.0.1"];
-          type = "http";
-          tls = false;
-          x_forwarded = true;
-          resources = [
-            { 
-              names = [ "client" "federation" ];
-              compress = false;
-            }
-          ];
-        }
-      ];
-    };
+      disable_existing_loggers: false
+    '';
+    listeners = [
+      {
+        port = 8008;
+        bind_address = "127.0.0.1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          { 
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
  };
 }
    
--- a/config/hosts/rudiger/configuration.nix
+++ b/config/hosts/rudiger/configuration.nix
@ -1,93 +1,83 @@
 { config, pkgs, ... }:

 {
-	imports = [
-		./hardware-configuration.nix
-		./data/secrets/secrets.nix
-		../../common/configuration/nix.nix
-		../../common/configuration/documentation.nix
-		../../common/services/ssh.nix
-		../../common/services/tailscale.nix
-		../../common/users.nix
-		./services/acme.nix
-		./services/immich.nix
-		./services/nextcloud.nix
-		./services/nginx.nix
-		./services/postgres.nix
-		./services/redis.nix
-		./services/restic.nix
-	];
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./data/secrets/secrets.nix
+      ../../common/services/ssh.nix
+			../../common/users.nix
+      ./services/acme.nix
+      ./services/nextcloud.nix
+      ./services/nginx.nix
+      ./services/postgres.nix
+      ./services/redis.nix
+      ./services/restic.nix
+    ];

-	boot.loader.grub.enable = true;
-	boot.loader.grub.device = "/dev/sda";
-	boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";

-	boot.supportedFilesystems = ["zfs"];
-	services.zfs.autoSnapshot.enable = false;
-	services.zfs.autoScrub.enable = true;
+  boot.supportedFilesystems = ["zfs"];
+  services.zfs.autoSnapshot.enable = true;
+  services.zfs.autoScrub.enable = true;

-	time.timeZone = "Europe/Copenhagen";
+  time.timeZone = "Europe/Copenhagen";

-	networking = {
-		hostName = "rudiger";
-		hostId = "8c7b66a4";
-		useDHCP = false;
-		tempAddresses = "disabled";
-		interfaces = {
-			"ens3" = {
-				ipv4.addresses = [ {
-					address = "202.61.202.170";
-					prefixLength = 22;
-				} ];
-				ipv6.addresses = [ {
-					address = "2a03:4000:5a:c61::1";
-					prefixLength = 64;
-				} ];
-			};
-		};
-		defaultGateway = "202.61.200.1";
-		defaultGateway6 = {
-			address = "fe80::1";
-			interface = "ens3";
-		};
-		nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
-	};
+  networking = {
+    hostName = "rudiger";
+    hostId = "8c7b66a4";
+    useDHCP = false;
+    tempAddresses = "disabled";
+    interfaces = {
+      "ens3" = {
+        ipv4.addresses = [ {
+          address = "202.61.202.170";
+          prefixLength = 22;
+        } ];
+        ipv6.addresses = [ {
+          address = "2a03:4000:5a:c61::1";
+          prefixLength = 64;
+        } ];
+      };
+    };
+    defaultGateway = "202.61.200.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "ens3";
+    };
+    nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+  };


-	nix.settings = {
-		auto-optimise-store = true;
-		trusted-users = [
-			"root"
-			"@wheel"
-		];
-	};
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
+      "root"
+      "@wheel"
+    ];
+  };

-	environment.systemPackages = with pkgs; [
-		vim
-		wget
-		htop
-		iotop
-		dig
-		tailscale
-	];
-	security.sudo.wheelNeedsPassword = false;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    iotop
+    dig
+  ];
+  security.sudo.wheelNeedsPassword = false;

-	systemd.services."nextcloud-setup" = {
-		requires = [ "postgresql.service" "redis.service" ];
-		after = [ "postgresql.service" "redis.service" ];
-	};
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" "redis.service" ];
+    after = [ "postgresql.service" "redis.service" ];
+  };

-	users.groups.redis.members = [ "nextcloud" ];
-	users.groups.backup.members = [ "nextcloud" "postgres" ];
+  users.groups.redis.members = [ "nextcloud" ];
+  users.groups.backup.members = [ "nextcloud" "postgres" ];

-	networking.firewall = {
-		allowedTCPPorts = [ 22 80 443 ];
-		allowedUDPPorts = [ config.services.tailscale.port ];
-		trustedInterfaces = [ "tailscale0" ];
-		enable = true;
-		checkReversePath = "loose";
-	};
-	# networking.firewall.allowedUDPPorts = [ ... ];
-	system.stateVersion = "21.05";
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  system.stateVersion = "21.05";

 }
--- a/config/hosts/rudiger/hardware-configuration.nix
+++ b/config/hosts/rudiger/hardware-configuration.nix
@ -3,7 +3,7 @@
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
-      #(modulesPath + "/profiles/minimal.nix")
+      (modulesPath + "/profiles/minimal.nix")
    ];

  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
--- a/config/hosts/rudiger/services/acme.nix
+++ b/config/hosts/rudiger/services/acme.nix
@ -3,7 +3,7 @@
 {
  security.acme = {
    acceptTerms = true;
-    defaults.email = "admin+certs@graven.dev";
+    email = "admin+certs@graven.dev";
  };
 }

--- a/config/hosts/rudiger/services/borg.nix
+++ b/config/hosts/rudiger/services/borg.nix
@ -1,27 +0,0 @@
-
-{ config, ... }:
-
-{
-	services.borgbackup.jobs = {
-		postgres = {
-			paths = "/var/lib/postgresql/backup";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/postgres";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:15:00";
-			user = "postgres";
-		};
-		synapse = {
-			paths = "/var/lib/nextcloud/data";
-			repo =  "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/nextcloud";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:45:00";
-			user = "nextcloud";
-		};
-	};
-}
--- a/config/hosts/rudiger/services/immich.nix
+++ b/config/hosts/rudiger/services/immich.nix
@ -1,9 +0,0 @@
-{ ... }:
-
-{
-	services.immich = {
-		enable = true;
-		port = 2283;
-		settings.server.externalDomain = "https://immich.graven.dev";
-	};
-}
--- a/config/hosts/rudiger/services/nextcloud.nix
+++ b/config/hosts/rudiger/services/nextcloud.nix
@ -1,25 +1,22 @@
 { config, pkgs, ... }:
 {
-	services.nextcloud = {
-		enable = true;
-		hostName = "cloud.graven.dev";
-		https = true;
-		package = pkgs.nextcloud32;
-		autoUpdateApps.enable = true;
-		maxUploadSize = "10G";
-		webfinger = true;
-		caching.redis = true;
-		config = {
-			dbtype = "pgsql";
-			dbuser = "nextcloud";
-			dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
-			dbname = "nextcloud";
-			adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
-			adminuser = "root";
-		};
-		settings = {
-			default_phone_region = "DK";
-		};
-		phpOptions."opcache.interned_strings_buffer" = "23";
-	};
+  services.nextcloud = {
+    enable = true;
+    hostName = "cloud.graven.dev";
+    https = true;
+    package = pkgs.nextcloud22;
+    autoUpdateApps.enable = true;
+    maxUploadSize = "10G";
+    webfinger = true;
+    caching.redis = true;
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+      dbname = "nextcloud";
+      defaultPhoneRegion = "DK";
+      adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
+      adminuser = "root";
+    };
+  };
 }
--- a/config/hosts/rudiger/services/nginx.nix
+++ b/config/hosts/rudiger/services/nginx.nix
@ -1,25 +1,8 @@
-{ config, ... }:
+{ ... }:
 {
  imports = [ ../../../common/services/nginx.nix ];
  services.nginx.virtualHosts."cloud.graven.dev" = {
    enableACME = true;
    forceSSL = true;
  };
-  services.nginx.virtualHosts."immich.graven.dev" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://[::1]:${toString config.services.immich.port}";      
-      proxyWebsockets = true;
-      recommendedProxySettings = true;
-      extraConfig = ''
-        client_max_body_size      50000M;
-        proxy_read_timeout        600s;
-        proxy_send_timeout        600s;
-        send_timeout              600s;
-        proxy_max_temp_file_size  0;
-        proxy_buffering           off;
-      '';
-    };
-  };
 }
--- a/config/hosts/rudiger/services/postgres.nix
+++ b/config/hosts/rudiger/services/postgres.nix
@ -1,15 +1,14 @@
-{ pkgs, ... }:
+{ ... }:
 {
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_15;
    ensureDatabases = [ 
 			"nextcloud"
 		];
    ensureUsers = [
    	{
 				name = "nextcloud";
-      	ensureDBOwnership = true;
+      	ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
    	}
    ];
  };
--- a/config/hosts/rudiger/services/redis.nix
+++ b/config/hosts/rudiger/services/redis.nix
@ -1,12 +1,10 @@
 { config, ...  }:
 {
  services.redis = {
+    enable = true;
+    unixSocket = "/run/redis/redis.sock";
    vmOverCommit = true;
-    servers."" = {
-      enable = true;
-      unixSocket = "/run/redis/redis.sock";
-      unixSocketPerm = 770;
-      #requirePassfile = config.secrets.files.redis_pass.file;
-    };
+    unixSocketPerm = 770;
+    #requirePassfile = config.secrets.files.redis_pass.file;
  }; 
 }
--- a/config/hosts/rudiger/services/restic.nix
+++ b/config/hosts/rudiger/services/restic.nix
@ -3,21 +3,21 @@
  services.restic.backups = {
    "postgres" = {
      paths = [ "/var/lib/postgresql/backup" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/postgres";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/postgres";
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "04:15"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
      user = "postgres";
    };
    "nextcloud" = {
      paths = [ "/var/lib/nextcloud/data" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/nextcloud";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/nextcloud";
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "04:30"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
      user = "nextcloud";
    };
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
@ -1,16 +1,13 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:

 {
 	imports = [ 
 		./hardware-configuration.nix 
-		../../common/configuration/nix.nix
-		../../common/configuration/documentation.nix
 		../../common/services/ssh.nix
-		../../common/services/tailscale.nix
 		../../common/users.nix
 		./services/acme.nix
-		./services/borg.nix
 		./services/coturn.nix
+		#./services/grocy.nix
 		./services/nginx.nix
 		./services/postgres.nix
 		./services/synapse.nix
@ -19,15 +16,15 @@
 		./services/restic.nix
 		./services/vaultwarden.nix
 		./services/wireguard.nix
-		./services/akkoma.nix
 		./data/secrets/secrets.nix
 		];

 	boot.loader.grub.enable = true;
+	boot.loader.grub.version = 2;
 	boot.loader.grub.device = "/dev/sda";
-	boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+	boot.kernelPackages = pkgs.linuxPackages_5_10;
 	boot.supportedFilesystems = ["zfs"];
-	services.zfs.autoSnapshot.enable = false;
+	services.zfs.autoSnapshot.enable = true;
 	services.zfs.autoScrub.enable = true;

 	networking.hostName = "wind";
@ -53,12 +50,11 @@
 		htop
 		iotop
 		dig
-		tailscale
 	];

-	nix.settings = {
-		auto-optimise-store = true;
-		trusted-users = [
+	nix = {
+		autoOptimiseStore = true;
+		trustedUsers = [
 			"root"
 			"@wheel"
 		];
--- a/config/hosts/wind/data/secrets/acme_graven_dev.env
+++ b/config/hosts/wind/data/secrets/acme_graven_dev.env
--- a/config/hosts/wind/data/secrets/acme_graven_se.env
+++ b/config/hosts/wind/data/secrets/acme_graven_se.env
--- a/config/hosts/wind/data/secrets/borg_pass
+++ b/config/hosts/wind/data/secrets/borg_pass
--- a/config/hosts/wind/data/secrets/secrets.nix
+++ b/config/hosts/wind/data/secrets/secrets.nix
--- a/config/hosts/wind/data/secrets/ssh_key
+++ b/config/hosts/wind/data/secrets/ssh_key
--- a/config/hosts/wind/data/secrets/ssh_key.pub
+++ b/config/hosts/wind/data/secrets/ssh_key.pub
--- a/config/hosts/wind/data/secrets/synapse_extra_config
+++ b/config/hosts/wind/data/secrets/synapse_extra_config
--- a/config/hosts/wind/data/secrets/synapse_sliding_sync_env
+++ b/config/hosts/wind/data/secrets/synapse_sliding_sync_env
--- a/config/hosts/wind/hardware-configuration.nix
+++ b/config/hosts/wind/hardware-configuration.nix
@ -6,7 +6,7 @@
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
-      #(modulesPath + "/profiles/minimal.nix")
+      (modulesPath + "/profiles/minimal.nix")
      #(modulesPath + "/profiles/hardened.nix")
    ];

--- a/config/hosts/wind/services/acme.nix
+++ b/config/hosts/wind/services/acme.nix
@ -3,7 +3,19 @@
 {
  security.acme = {
    acceptTerms = true;
-    defaults.email = "admin+certs@graven.dev";
+    email = "admin+certs@graven.dev";
+		certs = {
+			"graven.dev" = {
+				extraDomainNames = [ "*.graven.dev" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_dev.file;
+			};
+			"graven.se" = {
+				extraDomainNames = [ "*.graven.se" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_se.file;
+			};
+		};
  };
 }

--- a/config/hosts/wind/services/akkoma.nix
+++ b/config/hosts/wind/services/akkoma.nix
@ -1,36 +0,0 @@
-{ config, pkgs, ... }:
-{
-
-  services.akkoma = {
-    enable = true;
-      config = {
-      ":pleroma" = {
-        ":instance" = {
-          name = "graven.se";
-          description = "Graven Fedi";
-          email = "charlie@graven.se";
-          registration_open = false;
-        };
-
-        "Pleroma.Web.Endpoint" = {
-          url.host = "fedi.graven.se";
-        };
-        "Pleroma.Web.Webfinger" = {
-          domain = "graven.se";
-        };
-        "Pleroma.Upload".filters =
-          map (pkgs.formats.elixirConf { }).lib.mkRaw
-            [
-              "Pleroma.Upload.Filter.Exiftool"
-              "Pleroma.Upload.Filter.Dedupe"
-              "Pleroma.Upload.Filter.AnonymizeFilename"
-            ];
-      };
-    };
-    nginx = {
-      enableACME = true;
-      forceSSL = true;
-      serverName = "fedi.graven.se";
-    };
-  };
-}
--- a/config/hosts/wind/services/borg.nix
+++ b/config/hosts/wind/services/borg.nix
@ -1,36 +0,0 @@
-{ config, ... }:
-
-{
-	services.borgbackup.jobs = {
-		gitea = {
-			paths = "/var/lib/gitea";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/gitea";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_gitea.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_gitea.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 02:15:00";
-			user = "gitea";
-		};
-		postgres = {
-			paths = "/var/lib/postgresql/backup";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/postgres";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:15:00";
-			user = "postgres";
-		};
-		synapse = {
-			paths = "/var/lib/matrix-synapse";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/synapse";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:15:00";
-			user = "matrix-synapse";
-		};
-	};
-}
--- a/config/hosts/wind/services/coturn.nix
+++ b/config/hosts/wind/services/coturn.nix
@ -1,7 +1,7 @@
 { config, ... }:
 {
  services.coturn = {
-    enable = false;
+    enable = true;
    lt-cred-mech = true;
    use-auth-secret = true;
    static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
--- a/config/hosts/wind/services/gitea.nix
+++ b/config/hosts/wind/services/gitea.nix
@ -1,32 +1,16 @@
 { ... }:

 {
-  services.forgejo = {
+  services.gitea = {
    enable = true;
-    user = "gitea";
-    group = "gitea";
-    stateDir = "/var/lib/gitea";
+    domain = "git.graven.dev";
+    rootUrl = "https://git.graven.dev";
+    enableUnixSocket = true;
+    cookieSecure = true;
+    appName = "Graven Gitea";
+    settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; };
    database = {
      type = "postgres";
-      name = "gitea";
-      user = "gitea";
-    };
-    settings = {
-      DEFAULT.APP_NAME = "Graven Gitea";
-      service.DISABLE_REGISTRATION = true;
-      session.COOKIE_SECURE = true;
-      server.DOMAIN = "git.graven.dev";
-      server.ROOT_URL = "https://git.graven.dev";
-      server.PROTOCOL = "http+unix";
    };
  };
-
-  users.users.gitea = {
-    home = "/var/lib/gitea";
-    useDefaultShell = true;
-    group = "gitea";
-    isSystemUser = true;
-  };
-
-  users.groups.gitea = {};
 }
--- a/config/hosts/wind/services/grocy.nix
+++ b/config/hosts/wind/services/grocy.nix
@ -0,0 +1,10 @@
+{
+	services.grocy = {
+		enable = true;
+		hostName = "grocy.graven.dev";
+		settings = {
+			currency = "DKK";
+			calendar.firstDayOfWeek = 1;
+		};
+	};
+}
--- a/config/hosts/wind/services/nginx.nix
+++ b/config/hosts/wind/services/nginx.nix
@ -2,13 +2,11 @@
 	imports = [ ../../../common/services/nginx.nix ];
 	services.nginx.virtualHosts = {
 		"graven.dev" = {
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			forceSSL = true;
 			locations."/".root = "/var/www/graven.dev/public";
-			locations."~ ^(\\/_matrix|\\/_synapse\\/client)" = {
-				proxyPass = "http://127.0.0.1:8008";
-				priority = 1000;
-			};
+			locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+			locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
 			locations."/.well-known/matrix/" = {
 				root = "/var/www/matrix/public";
 				extraConfig = ''
@ -16,34 +14,24 @@
 					add_header Access-Control-Allow-Origin "*";
 					add_header Strict-Transport-Security $hsts_header;
 					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
 					add_header X-Content-Type-Options "nosniff";
 					add_header X-XSS-Protection "1; mode=block";
 				'';
 			};
 		};
-		# Fedi webfinger
-		"graven.se" = {
-			enableACME = true;
-			forceSSL = true;
-			locations."/.well-known/host-meta".return = "301 https://fedi.graven.se$request_uri";
-		};
-		"amanda.graven.dev" = {
-			enableACME = true;
-			forceSSL = true;
-			locations."/".root = "/var/www/amanda.graven.dev/public";
-		};
 		"rss.graven.dev" = {
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			forceSSL = true;
 		};
 		"git.graven.dev" = {
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			forceSSL = true;
-			locations."/".proxyPass = "http://unix:/run/forgejo/forgejo.sock:";
+			locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
 		};
 		"vault.graven.dev" = {
 			forceSSL = true;
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			locations."/" = {
 				proxyPass = "http://localhost:8812";
 				proxyWebsockets = true;
@ -59,7 +47,7 @@
 		};
 		"openpgpkey.graven.dev" = {
 			forceSSL = true;
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			locations."/" = {
 				root = "/var/www/openpgpkey";
 				extraConfig = ''
@ -75,7 +63,7 @@
 		};
 		"openpgpkey.graven.se" = {
 			forceSSL = true;
-			enableACME = true;
+			useACMEHost = "graven.se";
 			locations."/" = {
 				root = "/var/www/openpgpkey";
 				extraConfig = ''
@ -91,7 +79,7 @@
 		};
 		"tor.graven.dev" = {
 			forceSSL = true;
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			locations."/" = {
 				root = "/var/www/tor";
 				extraConfig = ''
--- a/config/hosts/wind/services/postgres.nix
+++ b/config/hosts/wind/services/postgres.nix
@ -2,7 +2,7 @@
 {
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_16;
+    package = pkgs.postgresql_13;
    initialScript = pkgs.writeText "synapse-init.sql" ''
                      CREATE ROLE synapse;
                      CREATE DATABASE synapse WITH OWNER synapse
--- a/config/hosts/wind/services/restic.nix
+++ b/config/hosts/wind/services/restic.nix
@ -5,41 +5,41 @@
  services.restic.backups = {
    "gitea" = {
      paths = [ "/var/lib/gitea" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/gitea";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea";
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "02:15"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
      user = "gitea";
    };
    "postgres" = {
      paths = [ "/var/lib/postgresql/backup" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/postgres";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres";
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "03:00"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
      user = "postgres";
    };
    "synapse" = {
      paths = [ "/var/lib/matrix-synapse" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/synapse";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse";
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "03:30"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
      user = "matrix-synapse";
    };
    "vaultwarden" = {
      paths = [ "/var/lib/bitwarden_rs" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/vaultwarden";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "23:45"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
      user = "vaultwarden";
    };
--- a/config/hosts/wind/services/synapse.nix
+++ b/config/hosts/wind/services/synapse.nix
@ -3,68 +3,87 @@
 {
  services.matrix-synapse = {
    enable = true;
+    server_name = "graven.dev";
+    enable_registration = false;
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    max_upload_size = "100M";
+    database_type = "psycopg2";
+    database_user = "synapse";
+    database_name = "synapse";
+    turn_uris = [
+      "turn:turn.graven.dev:3478?transport=udp"
+      "turn:turn.graven.dev:3478?transport=tcp"
+      "turn:turn.graven.dev:3479?transport=udp"
+      "turn:turn.graven.dev:3479?transport=tcp"
+      "turns:turn.graven.dev:5349?transport=udp"
+      "turns:turn.graven.dev:5349?transport=tcp"
+      "turns:turn.graven.dev:5350?transport=udp"
+      "turns:turn.graven.dev:5350?transport=tcp"
+    ];
+    report_stats = true;
    withJemalloc = true;
-    extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ];
-    settings = {
-      server_name = "graven.dev";
-      enable_registration = false;
-      registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
-      turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
-      max_upload_size = "100M";
-      database.name = "psycopg2";
-      database.args.user = "synapse";
-      database.args.database = "synapse";
-      turn_uris = [
-        "turn:turn.graven.dev:3478?transport=udp"
-        "turn:turn.graven.dev:3478?transport=tcp"
-        "turn:turn.graven.dev:3479?transport=udp"
-        "turn:turn.graven.dev:3479?transport=tcp"
-        "turns:turn.graven.dev:5349?transport=udp"
-        "turns:turn.graven.dev:5349?transport=tcp"
-        "turns:turn.graven.dev:5350?transport=udp"
-        "turns:turn.graven.dev:5350?transport=tcp"
-      ];
-      report_stats = true;
-      logConfig = ''
-  version: 1

-  formatters:
-      precise:
-          format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+    extraConfig = ''
+password_config:
+  enabled: false
+oidc_providers:
+  - idp_id: authentik
+    idp_name: authentik
+    discover: true
+    issuer: "https://auth.graven.dev/application/o/synapse/"
+    client_id: "7a77036d3b360265895f2ab5a51264ba586c93d5"
+    client_secret: "a9f9146fd13338230481a71c824d122bfb5e8a2118f2cdaf882746ad6726aeecd50ef522338acec89d3f8ccb8014124e022a6af6769807ea4271931f219a3f55"
+    allow_existing_users: true
+    scopes:
+      - "openid"
+      - "profile"
+      - "email"
+    user_mapping_provider:
+      config:
+        localpart_template: "{{ user.name }}"
+        display_name_template: "{{ user.name|capitalize }}"
+    '';

-  handlers:
-      console:
-          class: logging.StreamHandler
-          formatter: precise
+    logConfig = ''
+version: 1

-  loggers:
-      synapse.storage.SQL:
-          # beware: increasing this to DEBUG will make synapse log sensitive
-          # information such as access tokens.
-          level: WARN
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'

-  root:
-      level: WARN
-      handlers: [console]
+handlers:
+    console:
+        class: logging.StreamHandler
+        formatter: precise

-  disable_existing_loggers: false
-      '';
-      listeners = [
-        {
-          port = 8008;
-          bind_addresses = ["127.0.0.1"];
-          type = "http";
-          tls = false;
-          x_forwarded = true;
-          resources = [
-            { 
-              names = [ "client" "federation" ];
-              compress = false;
-            }
-          ];
-        }
-      ];
-    };
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: WARN
+
+root:
+    level: WARN
+    handlers: [console]
+
+disable_existing_loggers: false
+    '';
+    listeners = [
+      {
+        port = 8008;
+        bind_address = "127.0.0.1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          { 
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
  };
 }
    
--- a/config/hosts/wind/services/ttrss-plugins/fever.nix
+++ b/config/hosts/wind/services/ttrss-plugins/fever.nix
@ -1,37 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, tt-rss, ... }:
-
-stdenv.mkDerivation rec {
-	pname = "tt-rss-fever-api";
-	version = "2.3.0";
-
-	src = fetchFromGitHub {
-		owner = "DigitalDJ";
-		repo = "tinytinyrss-fever-plugin";
-		rev = "${version}";
-		sha256 = "fKHnF7pXMD04sWygoRnPH5hLUyWW4Dv/e4JWtfobX/g=";
-	};
-
-	installPhase = ''
-		mkdir -p $out/fever
-		cp -r fever_api.php index.php init.php $out/fever/
-	'';
-
-	meta = {
-		description = "Fever API for Tiny Tiny RSS";
-		longDescription = ''
-			This is a plugin for Tiny Tiny RSS (tt-rss).
-
-			It lets you use feed reader programs which interface with the Fever feed
-			reader API together with Tiny Tiny RSS
-		'';
-		license = lib.licenses.gpl3Only;
-		homepage = "https://github.com/DigitalDJ/tinytinyrss-fever-plugin";
-		maintainers = [ {
-			email = "amanda@graven.dev";
-			name = "Amanda Graven";
-			github = "agraven";
-			githubId = 23525639;
-		} ];
-		inherit (tt-rss.meta) platforms;
-	};
-}
--- a/config/hosts/wind/services/ttrss.nix
+++ b/config/hosts/wind/services/ttrss.nix
@ -1,13 +1,10 @@
-{ config, pkgs, ... }:
+{ config, ... }:

 {
-	services.tt-rss = {
-		enable = true;
-		registration.enable = false;
-		virtualHost = "rss.graven.dev";
-		selfUrlPath = "https://rss.graven.dev";
-		pluginPackages = [
-			(pkgs.callPackage ./ttrss-plugins/fever.nix {})
-		];
-	};
+  services.tt-rss = {
+    enable = true;
+    registration.enable = true;
+    virtualHost = "rss.graven.dev";
+    selfUrlPath = "https://rss.graven.dev";
+  };
 }
--- a/config/hosts/wind/services/vaultwarden.nix
+++ b/config/hosts/wind/services/vaultwarden.nix
@ -3,7 +3,7 @@
  services.vaultwarden = {
    enable = true;
    environmentFile = config.secrets.files.vaultwarden_env.file;
-    backupDir = "/var/backup/vaultwarden";
+    backupDir = "/var/lib/bitwarden_rs/backup";
    config = {
      domain = "https://vault.graven.dev";
      signupsAllowed = false;
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
@ -5,10 +5,10 @@
        "homepage": "https://github.com/nmattia/niv",
        "owner": "nmattia",
        "repo": "niv",
-        "rev": "368268e45dee0c94d1cf898381a384856379ad76",
-        "sha256": "1k03n7qmaz6yf2r8i5sng4kii3rr1y36g8k70sg7piqz3npxisy3",
+        "rev": "df49d53b71ad5b6b5847b32e5254924d60703c46",
+        "sha256": "1j5p8mi1wi3pdcq0lfb881p97i232si07nb605dl92cjwnira88c",
        "type": "tarball",
-        "url": "https://github.com/nmattia/niv/archive/368268e45dee0c94d1cf898381a384856379ad76.tar.gz",
+        "url": "https://github.com/nmattia/niv/archive/df49d53b71ad5b6b5847b32e5254924d60703c46.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixos-hardware": {
@ -17,22 +17,22 @@
        "homepage": "",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
-        "sha256": "1al72rhlaa6g725syx72klpismv8xygdd55smqfwa9xglhv35r34",
+        "rev": "feceb4d24f582817d8f6e737cd40af9e162dee05",
+        "sha256": "1q92jq6xf5b1pshai9j72cj17r0ah3fhrx669h3vc58rj7xvgiw7",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixos-hardware/archive/2096f3f411ce46e88a79ae4eafcfc9df8ed41c61.tar.gz",
+        "url": "https://github.com/NixOS/nixos-hardware/archive/feceb4d24f582817d8f6e737cd40af9e162dee05.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs": {
-        "branch": "nixos-25.11",
+        "branch": "nixos-21.11",
        "description": "Nix Packages collection",
        "homepage": "",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
-        "sha256": "0vma331213djanwmb7ibgmi5290952h6ri123xwb66mg58k8r200",
+        "rev": "ccb90fb9e11459aeaf83cc28d5f8910816d90dd0",
+        "sha256": "1jlyhw5nf7pcxg22k1bwkv13vm02p86d7jf6znihl3hczz1yfgi0",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a4bf06618f0b5ee50f14ed8f0da77d34ecc19160.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/ccb90fb9e11459aeaf83cc28d5f8910816d90dd0.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixus": {
@ -41,10 +41,10 @@
        "homepage": "",
        "owner": "Infinisil",
        "repo": "nixus",
-        "rev": "b12665bc80134ac167eef1fff2f4e41e1f8925cb",
-        "sha256": "11894412807mhg0kgkrn4bjbdk9b2a89b0plh0bpdn06c8pfg11g",
+        "rev": "d1e1057a31f16a75d9f871e311c4aaaf664561b9",
+        "sha256": "0d4576dssr6l4vdpi86rbf6dyn3jfl3csvmn9csd4n6dj53f5pqm",
        "type": "tarball",
-        "url": "https://github.com/Infinisil/nixus/archive/b12665bc80134ac167eef1fff2f4e41e1f8925cb.tar.gz",
+        "url": "https://github.com/Infinisil/nixus/archive/d1e1057a31f16a75d9f871e311c4aaaf664561b9.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    }
 }
--- a/config/sources/nix/sources.nix
+++ b/config/sources/nix/sources.nix
@ -10,50 +10,29 @@ let
    let
      name' = sanitizeName name + "-src";
    in
-    if spec.builtin or true then
-      builtins_fetchurl { inherit (spec) url sha256; name = name'; }
-    else
-      pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
+      if spec.builtin or true then
+        builtins_fetchurl { inherit (spec) url sha256; name = name'; }
+      else
+        pkgs.fetchurl { inherit (spec) url sha256; name = name'; };

  fetch_tarball = pkgs: name: spec:
    let
      name' = sanitizeName name + "-src";
    in
-    if spec.builtin or true then
-      builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
-    else
-      pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
+      if spec.builtin or true then
+        builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
+      else
+        pkgs.fetchzip { name = name'; inherit (spec) url sha256; };

  fetch_git = name: spec:
    let
      ref =
-        spec.ref or (
+        if spec ? ref then spec.ref else
          if spec ? branch then "refs/heads/${spec.branch}" else
-          if spec ? tag then "refs/tags/${spec.tag}" else
-          abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
-        );
-      submodules = spec.submodules or false;
-      submoduleArg =
-        let
-          nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
-          emptyArgWithWarning =
-            if submodules
-            then
-              builtins.trace
-                (
-                  "The niv input \"${name}\" uses submodules "
-                  + "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
-                  + "does not support them"
-                )
-                { }
-            else { };
-        in
-        if nixSupportsSubmodules
-        then { inherit submodules; }
-        else emptyArgWithWarning;
+            if spec ? tag then "refs/tags/${spec.tag}" else
+              abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
    in
-    builtins.fetchGit
-      ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
+      builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };

  fetch_local = spec: spec.path;

@ -87,16 +66,16 @@ let
      hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
      hasThisAsNixpkgsPath = <nixpkgs> == ./.;
    in
-    if builtins.hasAttr "nixpkgs" sources
-    then sourcesNixpkgs
-    else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
-      import <nixpkgs> { }
-    else
-      abort
-        ''
-          Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
-          add a package called "nixpkgs" to your sources.json.
-        '';
+      if builtins.hasAttr "nixpkgs" sources
+      then sourcesNixpkgs
+      else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
+        import <nixpkgs> {}
+      else
+        abort
+          ''
+            Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
+            add a package called "nixpkgs" to your sources.json.
+          '';

  # The actual fetching function.
  fetch = pkgs: name: spec:
@ -116,13 +95,13 @@ let
  # the path directly as opposed to the fetched source.
  replace = name: drv:
    let
-      saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
+      saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
      ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
    in
-    if ersatz == "" then drv else
-      # this turns the string into an actual Nix path (for both absolute and
-      # relative paths)
-    if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
+      if ersatz == "" then drv else
+        # this turns the string into an actual Nix path (for both absolute and
+        # relative paths)
+        if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";

  # Ports of functions for older nix versions

@ -133,7 +112,7 @@ let
  );

  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
-  range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
+  range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);

  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
@ -144,46 +123,43 @@ let
  concatStrings = builtins.concatStringsSep "";

  # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
-  optionalAttrs = cond: as: if cond then as else { };
+  optionalAttrs = cond: as: if cond then as else {};

  # fetchTarball version that is compatible between all the versions of Nix
  builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
    let
      inherit (builtins) lessThan nixVersion fetchTarball;
    in
-    if lessThan nixVersion "1.12" then
-      fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
-    else
-      fetchTarball attrs;
+      if lessThan nixVersion "1.12" then
+        fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchTarball attrs;

  # fetchurl version that is compatible between all the versions of Nix
  builtins_fetchurl = { url, name ? null, sha256 }@attrs:
    let
      inherit (builtins) lessThan nixVersion fetchurl;
    in
-    if lessThan nixVersion "1.12" then
-      fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
-    else
-      fetchurl attrs;
+      if lessThan nixVersion "1.12" then
+        fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchurl attrs;

  # Create the final "sources" from the config
  mkSources = config:
-    mapAttrs
-      (
-        name: spec:
-          if builtins.hasAttr "outPath" spec
-          then
-            abort
-              "The values in sources.json should not have an 'outPath' attribute"
-          else
-            spec // { outPath = replace name (fetch config.pkgs name spec); }
-      )
-      config.sources;
+    mapAttrs (
+      name: spec:
+        if builtins.hasAttr "outPath" spec
+        then abort
+          "The values in sources.json should not have an 'outPath' attribute"
+        else
+          spec // { outPath = replace name (fetch config.pkgs name spec); }
+    ) config.sources;

  # The "config" used by the fetchers
  mkConfig =
    { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
-    , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
+    , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
    , system ? builtins.currentSystem
    , pkgs ? mkPkgs sources system
    }: rec {
@ -195,4 +171,4 @@ let
    };

 in
-mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }
+mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
--- a/deploy/default.nix
+++ b/deploy/default.nix
@ -13,21 +13,21 @@ in import "${sources.nixus}" {} ({ config, ... }: {

  nodes = {
    wind = { lib, config, ... }: {
-      host = "graven.dev";
+      host = "emelie@graven.dev";
      configuration = ../config/hosts/wind/configuration.nix;
      switchTimeout = 300;
      successTimeout = 300;
      ignoreFailingSystemdUnits = true;
    };
    grondahl = { lib, config, ... }: {
-      host = "anarkafem.dev";
+      host = "emelie@anarkafem.dev";
      configuration = ../config/hosts/grondahl/configuration.nix;
      successTimeout = 300;
      switchTimeout = 300;
      ignoreFailingSystemdUnits = true;
    };
    rudiger = { lib, config, ... }: {
-      host = "cloud.graven.dev";
+      host = "emelie@cloud.graven.dev";
      configuration = ../config/hosts/rudiger/configuration.nix;
      switchTimeout = 300;
      successTimeout = 300;
--- a/shell.nix
+++ b/shell.nix
@ -1,7 +0,0 @@
-{ pkgs ? import <nixpkgs> {} }:
-
-pkgs.mkShell {
-	packages = with pkgs; [
-		niv
-	];
-}
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4C5OgZpxoF42L5rPqwejs+Q1ViN9TM9o/fEbpnPFtA`
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7`
				`@ -1 +0,0 @@`
				`Subproject commit 11cc65efa2909bdc7e3e978bf1f56f6d141bf82a`