chore: even more restructuring

2024-11-22 18:21:58 +01:00 · 2022-10-25 09:53:40 +02:00 · 2022-10-25 09:53:40 +02:00 · 3bb742392a
commit 3bb742392a
parent 543d2d6f90
57 changed files with 1263 additions and 333 deletions
--- a/TODO.md
+++ b/TODO.md
@ -1,14 +1,15 @@
 # Todo

+## desktop
+
 * clickup (package https://nixos.org/manual/nixpkgs/stable/#sec-pkgs-appimageTools)
 * curseforge (package)
-* deezer (mpd / mopidy)
 * mail (thunderbird / mailspring / prospect-mail)
+* assign windows to right desktop
+* autostart standard tools on desktops

-# Maybe
+## server

-* hexchat (irc client)
-* irssi (irc client)
-* kitty (terminal)
-* mangohud (fps overlay)
-* ncmpcpp (mpd client)
+* coredns for private domain names
+* nfs server on asgard
+* mount nfs volumes on utgard
--- a/flake.lock
+++ b/flake.lock
@ -20,6 +20,26 @@
        "type": "github"
      }
    },
+    "arion": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1654878283,
+        "narHash": "sha256-JWdKBMzEibS2neY0nEs9E8kn4zRepEbwSw7HzxbEiAg=",
+        "owner": "hercules-ci",
+        "repo": "arion",
+        "rev": "e5fb978143240f8d293e6e5acc9691acf472928d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "arion",
+        "type": "github"
+      }
+    },
    "deployrs": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -60,16 +80,15 @@
    },
    "hardware": {
      "locked": {
-        "lastModified": 1664387039,
-        "narHash": "sha256-RlSksOo/OUwBXus7qnS84mzjNwO3cRgHbdF0KzATPlw=",
+        "lastModified": 1665987993,
+        "narHash": "sha256-MvlaIYTRiqefG4dzI5p6vVCfl+9V8A1cPniUjcn6Ngc=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "203dd7d7b9361c92579f086581f278f2707bcd76",
+        "rev": "0e6593630071440eb89cd97a52921497482b22c6",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
@ -78,30 +97,30 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ]
+        ],
+        "utils": "utils_2"
      },
      "locked": {
-        "lastModified": 1656169755,
-        "narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
+        "lastModified": 1664783440,
+        "narHash": "sha256-KlMwR7mUf5h8MPnzV7nGFUAt6ih/euW5xgvZ5x+hwvI=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
+        "rev": "e4e639dd4dc3e431aa5b5f95325f9a66ac7e0dd9",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-22.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1664281702,
-        "narHash": "sha256-haixZ4TJLu1Dciow54wrHrHvlGDVr5sW6MTeAV/ZLuI=",
+        "lastModified": 1664780719,
+        "narHash": "sha256-Oxe6la5dSqRfJogjtY4sRzJjDDqvroJIVkcGEOT87MA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "7e52b35fe98481a279d89f9c145f8076d049d2b9",
+        "rev": "fd54651f5ffb4a36e8463e0c327a78442b26cbe7",
        "type": "github"
      },
      "original": {
@ -113,11 +132,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1664400119,
-        "narHash": "sha256-G6gKRK9uOk7kt1uWCzmyuLB/qdQtGO8mxjs/dtTIr9A=",
+        "lastModified": 1664894790,
+        "narHash": "sha256-FAixnreJ0bXzK/m5a9KsC5XoiZFHqC4le0tseldsHZc=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "e378da2e2cd205a55a0203b91162fefba04087e6",
+        "rev": "529b4b6fc32b428cd07cc2a11abf728bdc59b4e5",
        "type": "github"
      },
      "original": {
@ -129,12 +148,13 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "arion": "arion",
        "deployrs": "deployrs",
        "hardware": "hardware",
        "homemanager": "homemanager",
        "nixpkgs": "nixpkgs",
        "nur": "nur",
-        "utils": "utils_2"
+        "utils": "utils_3"
      }
    },
    "utils": {
@ -166,6 +186,21 @@
        "repo": "flake-utils",
        "type": "github"
      }
+    },
+    "utils_3": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -6,10 +6,6 @@
      url = "github:nixos/nixpkgs/nixos-unstable";
    };

-    hardware = {
-      url = "github:nixos/nixos-hardware/master";
-    };
-
    nur = {
      url = "github:nix-community/NUR";
    };
@ -18,23 +14,32 @@
      url = "github:numtide/flake-utils";
    };

-    deployrs = {
-      url = "github:serokell/deploy-rs";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    homemanager = {
-      url = "github:nix-community/home-manager/release-22.05";
+      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    deployrs = {
+      url = "github:serokell/deploy-rs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    arion = {
+      url = "github:hercules-ci/arion";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    hardware = {
+      url = "github:nixos/nixos-hardware";
+    };
  };

-  outputs = { self, nixpkgs, hardware, nur, utils, deployrs, agenix, homemanager, ... }@inputs:
+  outputs = { self, nixpkgs, nur, utils, agenix, homemanager, deployrs, arion, hardware, ... }@inputs:
    let

    in
@ -64,8 +69,12 @@
              })
            homemanager.nixosModules.home-manager
            agenix.nixosModules.age
+            arion.nixosModules.arion
            ./machines/chnum
            ./profiles/thomas
+            # ./profiles/anna
+            # ./profiles/adrian
+            # ./profiles/tabea
          ];

          specialArgs = {
@ -98,8 +107,12 @@
            hardware.nixosModules.raspberry-pi-4
            homemanager.nixosModules.home-manager
            agenix.nixosModules.age
+            arion.nixosModules.arion
            ./machines/midgard
            ./profiles/thomas
+            # ./profiles/anna
+            # ./profiles/adrian
+            # ./profiles/tabea
          ];

          specialArgs = {
@ -133,8 +146,12 @@
              })
            homemanager.nixosModules.home-manager
            agenix.nixosModules.age
+            arion.nixosModules.arion
            ./machines/utgard
            ./profiles/thomas
+            # ./profiles/anna
+            # ./profiles/adrian
+            # ./profiles/tabea
          ];

          specialArgs = {
@ -166,8 +183,12 @@
              })
            homemanager.nixosModules.home-manager
            agenix.nixosModules.age
+            arion.nixosModules.arion
            ./machines/asgard
            ./profiles/thomas
+            # ./profiles/anna
+            # ./profiles/adrian
+            # ./profiles/tabea
          ];

          specialArgs = {
--- a/machines/asgard/default.nix
+++ b/machines/asgard/default.nix
@ -12,7 +12,17 @@
  ];

  personal = {
-    services = { };
+    services = {
+      docker = {
+        enable = true;
+      };
+      samba = {
+        enable = true;
+      };
+      tailscale = {
+        enable = true;
+      };
+    };
  };

  system = {
--- a/machines/midgard/default.nix
+++ b/machines/midgard/default.nix
@ -12,7 +12,23 @@
  ];

  personal = {
-    services = { };
+    services = {
+      acme = {
+        enable = true;
+      };
+      adguard = {
+        enable = true;
+      };
+      coredns = {
+        enable = true;
+      };
+      docker = {
+        enable = true;
+      };
+      tailscale = {
+        enable = true;
+      };
+    };
  };

  system = {
--- a/machines/modules/default.nix
+++ b/machines/modules/default.nix
@ -3,7 +3,6 @@ with lib;

 {
  imports = [
-    ./frpc.nix
    ./network.nix
    ./nixpkgs.nix
    ./prowlarr.nix
--- a/machines/modules/frpc.nix
+++ b/machines/modules/frpc.nix
@ -1,106 +0,0 @@
-{ pkgs, lib, config, options, ... }:
-with lib;
-
-let
-  cfg = config.services.frpc;
-
-  configFile =
-    pkgs.writeText "frpc.conf" (generators.toINI { } cfg.settings);
-
-in
-{
-  options.services.frpc = {
-    enable = mkEnableOption "frpc";
-
-    user = mkOption {
-      type = types.str;
-      default = "frpc";
-      description = ''
-        User under which frpc runs.
-      '';
-    };
-
-    group = mkOption {
-      type = types.str;
-      default = "frpc";
-      description = ''
-        Group under which frpc runs.
-      '';
-    };
-
-    package = mkOption {
-      type = types.package;
-      default = pkgs.frp;
-      defaultText = "pkgs.frp";
-      description = ''
-        The frp package to use.
-      '';
-    };
-
-    token = mkOption {
-      type = types.str;
-      default = "";
-      description = ''
-        Path to token secret file.
-      '';
-    };
-
-    settings = mkOption {
-      description = ''
-        Full settings for the client.
-      '';
-      type = types.attrsOf types.attrs;
-      default = { };
-      example = literalExpression ''
-        common = {
-          server_addr = "example.com";
-          server_port = 7001;
-        };
-        http = {
-          type = "tcp";
-          local_ip = "127.0.0.1";
-          local_port = 80;
-        };
-        https = {
-          type = "tcp";
-          local_ip = "127.0.0.1";
-          local_port = 443;
-        };
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.groups = mkIf (cfg.group == "frpc") {
-      frpc = { };
-    };
-
-    users.users = mkIf (cfg.user == "frpc") {
-      frpc = {
-        group = cfg.group;
-        shell = pkgs.bashInteractive;
-        createHome = false;
-        description = "frpc user";
-        isSystemUser = true;
-      };
-    };
-
-    systemd.services.frpc = {
-      description = "FRP Client";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-
-      serviceConfig = {
-        Type = "simple";
-        User = cfg.user;
-        Group = cfg.group;
-        Restart = "on-failure";
-        ExecStart = pkgs.writeShellScript "frpc.sh" ''
-          set -eu
-          export FRP_TOKEN=$(<${cfg.token})
-          ${cfg.package}/bin/frpc -c ${configFile}
-        '';
-      };
-    };
-  };
-}
--- a/machines/modules/tools.nix
+++ b/machines/modules/tools.nix
@ -6,6 +6,7 @@ with lib;
    environment = {
      systemPackages = with pkgs; [
        coreutils
+        dig
        file
        git
        gnumake
--- a/machines/modules/users.nix
+++ b/machines/modules/users.nix
@ -10,7 +10,7 @@ with lib;
      users = {
        root = {
          shell = pkgs.zsh;
-          hashedPassword = "$6$yuwsoikF5utqohar$fdcvq0iXdmiioiRyBGeVZICzQm4nKlv6.pj9AWh13VRCsE07dN9StDnXV0aslIBb0SWRFC4dY5Um2MYiAMfmH0";
+          passwordFile = config.age.secrets."users/root/password".path;
          openssh = {
            authorizedKeys = {
              keys = [
@ -20,10 +20,11 @@ with lib;
          };
        };
        admin = {
+          description = "Admin";
          shell = pkgs.zsh;
          isNormalUser = true;
+          passwordFile = config.age.secrets."users/admin/password".path;
          uid = 1337;
-          hashedPassword = "$6$yuwsoikF5utqohar$fdcvq0iXdmiioiRyBGeVZICzQm4nKlv6.pj9AWh13VRCsE07dN9StDnXV0aslIBb0SWRFC4dY5Um2MYiAMfmH0";
          openssh = {
            authorizedKeys = {
              keys = [
@ -39,5 +40,13 @@ with lib;
        };
      };
    };
+
+    age.secrets."users/root/password" = {
+      file = ../../secrets/users/root/password.age;
+    };
+
+    age.secrets."users/admin/password" = {
+      file = ../../secrets/users/admin/password.age;
+    };
  };
 }
--- a/machines/services/adguard.nix
+++ b/machines/services/adguard.nix
@ -0,0 +1,63 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.adguard;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        adguard = {
+          enable = mkEnableOption "Adguard";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services = {
+      adguardhome = {
+        enable = true;
+        mutableSettings = false;
+
+        host = "127.0.0.1";
+        port = 3000;
+
+        settings = {
+          dns = {
+            port = 5353;
+            bind_host = "127.0.0.1";
+            bootstrap_dns = "1.1.1.1";
+
+            upstream_dns = [
+              "1.1.1.1"
+              "8.8.8.8"
+            ];
+          };
+
+          users = [{
+            name = "admin";
+            password = "$2y$05$wzuDDF0NaP0zX.gguP8EyuBJ1wlyTPjLvXf.LCK8VCBKIUq4PnR62";
+          }];
+        };
+      };
+    };
+
+    personal = {
+      services = {
+        webserver = {
+          enable = true;
+
+          hosts = [
+            {
+              domain = "adguard.boerger.ws";
+              proxy = "http://localhost:3000";
+            }
+          ];
+        };
+      };
+    };
+  };
+}
--- a/machines/services/citrix.nix
+++ b/machines/services/citrix.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, options, ... }:
+{ pkgs, lib, config, options, fetchurl, ... }:
 with lib;

 let
--- a/machines/services/coredns.nix
+++ b/machines/services/coredns.nix
@ -0,0 +1,20 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.coredns;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        coredns = {
+          enable = mkEnableOption "CoreDNS";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable { };
+}
--- a/machines/services/default.nix
+++ b/machines/services/default.nix
@ -3,15 +3,18 @@
 {
  imports = [
    ./acme.nix
+    ./adguard.nix
    ./citrix.nix
+    ./coredns.nix
    ./desktop.nix
    ./docker.nix
-    ./frpc.nix
+    ./hass.nix
    ./haveged.nix
    ./libvirt.nix
    ./media.nix
    ./nixbuild.nix
    ./openssh.nix
+    ./tailscale.nix
    ./timesyncd.nix
    ./webserver.nix
  ];
--- a/machines/services/frpc.nix
+++ b/machines/services/frpc.nix
@ -1,70 +0,0 @@
-{ pkgs, lib, config, options, ... }:
-with lib;
-
-let
-  cfg = config.personal.services.frpc;
-
-in
-{
-  options = {
-    personal = {
-      services = {
-        frpc = {
-          enable = mkEnableOption "FRP Client";
-        };
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services = {
-      frpc = {
-        enable = true;
-        token = config.age.secrets."services/frpc/token".path;
-
-        settings = {
-          common = {
-            server_addr = "frps.boerger.ws";
-            server_port = 30601;
-            token = "{{ .Envs.FRP_TOKEN }}";
-            admin_addr = "127.0.0.1";
-            admin_port = 7400;
-            admin_user = "admin";
-            admin_pwd = "admin";
-            tls_enable = true;
-          };
-          http = {
-            type = "tcp";
-            local_ip = "127.0.0.1";
-            local_port = 80;
-            use_encryption = true;
-            use_compression = true;
-            remote_port = 8080;
-            health_check_type = "tcp";
-            health_check_timeout_s = 3;
-            health_check_max_failed = 3;
-            health_check_interval_s = 10;
-          };
-          https = {
-            type = "tcp";
-            local_ip = "127.0.0.1";
-            local_port = 443;
-            use_encryption = true;
-            use_compression = true;
-            remote_port = 8443;
-            health_check_type = "tcp";
-            health_check_timeout_s = 3;
-            health_check_max_failed = 3;
-            health_check_interval_s = 10;
-          };
-        };
-      };
-    };
-
-    age.secrets."services/frpc/token" = {
-      file = ../../secrets/services/frpc/token.age;
-      owner = "frpc";
-      group = "frpc";
-    };
-  };
-}
--- a/machines/services/hass.nix
+++ b/machines/services/hass.nix
@ -0,0 +1,93 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.hass;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        hass = {
+          enable = mkEnableOption "Home Assistant";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment = {
+      systemPackages = with pkgs; [
+        sqlite
+      ];
+    };
+
+    services = {
+      home-assistant = {
+        enable = true;
+
+        package = (pkgs.home-assistant.override {
+          extraPackages = python3Packages: with python3Packages; [
+            pyicloud
+            radios
+            securetar
+          ];
+
+          extraComponents = [
+            "accuweather"
+            "adguard"
+            "alexa"
+            "default_config"
+          ];
+        }).overrideAttrs (oldAttrs: {
+          doInstallCheck = false;
+        });
+
+        config = {
+          http = {
+            server_host = "127.0.0.1";
+            server_port = 8123;
+            trusted_proxies = [ "127.0.0.1" ];
+            use_x_forwarded_for = true;
+          };
+
+          homeassistant = {
+            name = "Boerger";
+            latitude = 49.406330;
+            longitude = 11.036830;
+            time_zone = "Europe/Berlin";
+            unit_system = "metric";
+            temperature_unit = "C";
+          };
+
+          default_config = { };
+        };
+      };
+    };
+
+    personal = {
+      services = {
+        webserver = {
+          enable = true;
+
+          hosts = [
+            {
+              domain = "home.boerger.ws";
+              proxy = "http://127.0.0.1:8123";
+
+              proxyOptions = ''
+                proxy_http_version 1.1;
+
+                proxy_set_header Host $host;
+                proxy_set_header X-Forwarded-Ssl on;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection $connection_upgrade;
+              '';
+            }
+          ];
+        };
+      };
+    };
+  };
+}
--- a/machines/services/media.nix
+++ b/machines/services/media.nix
@ -11,14 +11,6 @@ in
      services = {
        media = {
          enable = mkEnableOption "Media";
-
-          domain = mkOption {
-            description = ''
-              Domain used for media vhosts
-            '';
-            type = types.str;
-            default = "boerger.ws";
-          };
        };
      };
    };
@ -28,10 +20,13 @@ in
    users = {
      users = {
        media = {
+          uid = 20000;
+          description = "Media";
+          shell = pkgs.zsh;
+          isSystemUser = true;
          group = "media";
          home = "/var/lib/media";
-          uid = 20000;
-          isSystemUser = true;
+          passwordFile = config.age.secrets."users/media/password".path;
        };
      };

@ -138,35 +133,35 @@ in

          hosts = [
            {
-              domain = "nzbget.${cfg.domain}";
+              domain = "nzbget.boerger.ws";
              proxy = "http://localhost:6789";
            }
            {
-              domain = "jellyfin.${cfg.domain}";
+              domain = "jellyfin.boerger.ws";
              proxy = "http://localhost:8096";
            }
            {
-              domain = "radarr.${cfg.domain}";
+              domain = "radarr.boerger.ws";
              proxy = "http://localhost:7878";
            }
            {
-              domain = "sonarr.${cfg.domain}";
+              domain = "sonarr.boerger.ws";
              proxy = "http://localhost:8989";
            }
            {
-              domain = "lidarr.${cfg.domain}";
+              domain = "lidarr.boerger.ws";
              proxy = "http://localhost:8686";
            }
            {
-              domain = "readarr.${cfg.domain}";
+              domain = "readarr.boerger.ws";
              proxy = "http://localhost:8787";
            }
            {
-              domain = "bazarr.${cfg.domain}";
+              domain = "bazarr.boerger.ws";
              proxy = "http://localhost:6767";
            }
            {
-              domain = "prowlarr.${cfg.domain}";
+              domain = "prowlarr.boerger.ws";
              proxy = "http://localhost:9696";
            }
          ];
@ -180,5 +175,9 @@ in
        allowedUDPPorts = [ 1900 7359 ];
      };
    };
+
+    age.secrets."users/media/password" = {
+      file = ../../secrets/users/media/password.age;
+    };
  };
 }
--- a/machines/services/samba.nix
+++ b/machines/services/samba.nix
@ -0,0 +1,188 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.samba;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        samba = {
+          enable = mkEnableOption "Samba";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users = {
+      users = {
+        media = {
+          uid = 20000;
+          description = "Media";
+          shell = pkgs.zsh;
+          isSystemUser = true;
+          group = "media";
+          home = "/var/lib/media";
+          passwordFile = config.age.secrets."users/media/password".path;
+        };
+        printer = {
+          uid = 20001;
+          description = "Printer";
+          shell = pkgs.zsh;
+          isSystemUser = true;
+          group = "printer";
+          home = "/var/lib/printer";
+          passwordFile = config.age.secrets."users/printer/password".path;
+        };
+      };
+
+      groups = {
+        media = {
+          gid = 20000;
+        };
+        printer = {
+          gid = 20001;
+        };
+      };
+    };
+
+    services = {
+      samba = {
+        enable = true;
+        openFirewall = true;
+
+        extraConfig = ''
+          workgroup = WORKGROUP
+          server string = Sharing
+          netbios name = Sharing
+          guest account = nobody
+          map to guest = bad user
+        '';
+
+        shares = {
+          photos = {
+            comment = "Shared photos";
+            path = "/var/lib/media/photos";
+
+            "browseable" = "yes";
+            "read only" = "no";
+            "writeable" = "yes";
+            "guest ok" = "yes";
+            "force user" = "media";
+            "force group" = "media";
+          };
+
+          videos = {
+            comment = "Shared videos";
+            path = "/var/lib/media/videos";
+
+            "browseable" = "yes";
+            "read only" = "no";
+            "writeable" = "yes";
+            "guest ok" = "yes";
+            "force user" = "media";
+            "force group" = "media";
+          };
+
+          movies = {
+            comment = "Shared movies";
+            path = "/var/lib/media/movies";
+
+            "browseable" = "no";
+            "read only" = "no";
+            "writeable" = "yes";
+            "guest ok" = "no";
+            "force user" = "media";
+            "force group" = "media";
+            "valid users" = "media";
+          };
+
+          shows = {
+            comment = "Shared shows";
+            path = "/var/lib/media/shows";
+
+            "browseable" = "no";
+            "read only" = "no";
+            "writeable" = "yes";
+            "guest ok" = "no";
+            "force user" = "media";
+            "force group" = "media";
+            "valid users" = "media";
+          };
+
+          books = {
+            comment = "Shared books";
+            path = "/var/lib/media/books";
+
+            "browseable" = "no";
+            "read only" = "no";
+            "writeable" = "yes";
+            "guest ok" = "no";
+            "force user" = "media";
+            "force group" = "media";
+            "valid users" = "media";
+          };
+
+          music = {
+            comment = "Shared music";
+            path = "/var/lib/media/music";
+
+            "browseable" = "no";
+            "read only" = "no";
+            "writeable" = "yes";
+            "guest ok" = "no";
+            "force user" = "media";
+            "force group" = "media";
+            "valid users" = "media";
+          };
+
+          downloads = {
+            comment = "Shared downloads";
+            path = "/var/lib/media/downloads";
+
+            "browseable" = "no";
+            "read only" = "no";
+            "writeable" = "yes";
+            "guest ok" = "no";
+            "force user" = "media";
+            "force group" = "media";
+            "valid users" = "media";
+          };
+
+          printer = {
+            comment = "Shared printer";
+            path = "/var/lib/printer";
+
+            "browseable" = "yes";
+            "read only" = "no";
+            "writeable" = "yes";
+            "guest ok" = "yes";
+            "force user" = "printer";
+            "force group" = "printer";
+          };
+
+          backup = {
+            comment = "Shared backup";
+            path = "/var/lib/backup/%u";
+
+            "browseable" = "yes";
+            "read only" = "no";
+            "writeable" = "yes";
+            "guest ok" = "no";
+          };
+        };
+      };
+    };
+
+    age.secrets."users/printer/password" = {
+      file = ../../secrets/users/printer/password.age;
+    };
+
+    age.secrets."users/media/password" = {
+      file = ../../secrets/users/media/password.age;
+    };
+  };
+}
--- a/machines/services/tailscale.nix
+++ b/machines/services/tailscale.nix
@ -0,0 +1,57 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.tailscale;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        tailscale = {
+          enable = mkEnableOption "Tailscale";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking = {
+      firewall = {
+        checkReversePath = "loose";
+      };
+    };
+
+    services = {
+      tailscale = {
+        enable = true;
+      };
+    };
+
+    systemd.services.tailscaled-autoconnect = {
+      description = "Automatic connection for Tailscale";
+
+      after = [ "network-pre.target" "tailscale.service" ];
+      wants = [ "network-pre.target" "tailscale.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig.Type = "oneshot";
+
+      script = ''
+        sleep 3
+
+        STATUS="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
+        if [ $\{STATUS\} = "Running" ]; then
+          exit 0
+        fi
+
+        ${pkgs.tailscale}/bin/tailscale up --auth-key file:${config.age.secrets."services/tailscale/authkey".path}
+      '';
+    };
+
+    age.secrets."services/tailscale/authkey" = {
+      file = ../../secrets/services/tailscale/authkey.age;
+    };
+  };
+}
--- a/machines/services/webserver.nix
+++ b/machines/services/webserver.nix
@ -60,22 +60,6 @@ in
            type = types.str;
            default = "boerger.ws";
          };
-
-          defaultDomain = mkOption {
-            description = ''
-              Domain used by default vhost
-            '';
-            type = types.str;
-            default = "boerger.ws";
-          };
-
-          redirectDomain = mkOption {
-            description = ''
-              Domain to redirect the default
-            '';
-            type = types.str;
-            default = "jellyfin.boerger.ws";
-          };
        };
      };
    };
@ -101,20 +85,25 @@ in
                locations = {
                  "/" = mkIf (builtins.hasAttr "proxy" elem) {
                    proxyPass = elem.proxy;
-                    extraConfig = ''
+                    extraConfig = (
+                      elem.proxyOptions or ''
+                        proxy_http_version 1.1;
+                        proxy_set_header Upgrade $http_upgrade;
+                        proxy_set_header Connection $http_connection;
                        proxy_set_header X-Forwarded-Ssl on;
-                    '' + (elem.proxyOptions or "");
+                      ''
+                    );
                  };
                };
              } // (elem.domainOptions or { });
            })
            config.personal.services.webserver.hosts) // {
-          "${cfg.defaultDomain}" = {
+          "boerger.ws" = {
            useACMEHost = cfg.acmeHost;
            addSSL = true;
            forceSSL = false;
            default = true;
-            globalRedirect = cfg.redirectDomain;
+            root = "/var/empty";
          };
        };
      };
--- a/machines/utgard/default.nix
+++ b/machines/utgard/default.nix
@ -16,12 +16,15 @@
      acme = {
        enable = true;
      };
-      frpc = {
+      hass = {
        enable = true;
      };
      media = {
        enable = true;
      };
+      tailscale = {
+        enable = true;
+      };
    };
  };

--- a/machines/utgard/filesystems.nix
+++ b/machines/utgard/filesystems.nix
@ -1,6 +1,25 @@
 { config, lib, pkgs, ... }:
+let
+  cifsServer = "\\192.168.1.10";
+  cifsOptions = [
+    "x-systemd.automount"
+    "noauto"
+    "x-systemd.idle-timeout=60"
+    "x-systemd.device-timeout=5s"
+    "x-systemd.mount-timeout=5s"
+    "credentials=${config.age.secrets."users/media/smbpasswd".path}"
+    "uid=${config.users.users.media.uid}"
+    "gid=${config.users.groups.media.gid}"
+  ];

+in
 {
+  environment = {
+    systemPackages = with pkgs; [
+      cifs-utils
+    ];
+  };
+
  swapDevices = [{
    device = "/dev/disk/by-label/swap";
  }];
@ -109,20 +128,6 @@
    ];
  };

-  fileSystems."/var/lib/media/downloads" = {
-    device = "/dev/disk/by-label/downloads";
-    fsType = "ext4";
-    options = [
-      "noatime"
-      "discard"
-    ];
-  };
-
-  # fileSystems."/var/lib/media/downloads" = {
-  #   device = "192.168.1.10:/downloads";
-  #   fsType = "nfs";
-  # };
-
  fileSystems."/var/lib/media/movies" = {
    device = "/dev/disk/by-label/movies";
    fsType = "ext4";
@ -133,8 +138,9 @@
  };

  # fileSystems."/var/lib/media/movies" = {
-  #   device = "192.168.1.10:/movies";
-  #   fsType = "nfs";
+  #   device = "${cifsServer}/movies";
+  #   fsType = "cifs";
+  #   options = cifsOptions;
  # };

  fileSystems."/var/lib/media/series" = {
@ -146,9 +152,10 @@
    ];
  };

-  # fileSystems."/var/lib/media/series" = {
-  #   device = "192.168.1.10:/series";
-  #   fsType = "nfs";
+  # fileSystems."/var/lib/media/shows" = {
+  #   device = "${cifsServer}/shows";
+  #   fsType = "cifs";
+  #   options = cifsOptions;
  # };

  fileSystems."/var/lib/media/books" = {
@ -161,8 +168,9 @@
  };

  # fileSystems."/var/lib/media/books" = {
-  #   device = "192.168.1.10:/books";
-  #   fsType = "nfs";
+  #   device = "${cifsServer}/books";
+  #   fsType = "cifs";
+  #   options = cifsOptions;
  # };

  fileSystems."/var/lib/media/music" = {
@ -175,7 +183,27 @@
  };

  # fileSystems."/var/lib/media/music" = {
-  #   device = "192.168.1.10:/music";
-  #   fsType = "nfs";
+  #   device = "${cifsServer}/music";
+  #   fsType = "cifs";
+  #   options = cifsOptions;
  # };
+
+  fileSystems."/var/lib/media/downloads" = {
+    device = "/dev/disk/by-label/downloads";
+    fsType = "ext4";
+    options = [
+      "noatime"
+      "discard"
+    ];
+  };
+
+  # fileSystems."/var/lib/media/downloads" = {
+  #   device = "${cifsServer}/downloads";
+  #   fsType = "cifs";
+  #   options = cifsOptions;
+  # };
+
+  age.secrets."users/media/smbpasswd" = {
+    file = ../../secrets/users/media/smbpasswd.age;
+  };
 }
--- a/profiles/adrian/default.nix
+++ b/profiles/adrian/default.nix
@ -0,0 +1,52 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+let
+  username = "adrian";
+  fullname = "Adrian Boerger";
+  desktop = config.personal.services.desktop.enable;
+
+in
+{
+  imports = [
+    ../modules
+    ./desktop
+
+    ../programs
+    ./programs
+
+    ../services
+    ./services
+  ];
+
+  profile = {
+    username = username;
+  };
+
+  users = {
+    users = {
+      "${username}" = {
+        description = "${fullname}";
+        shell = pkgs.zsh;
+        isNormalUser = true;
+        passwordFile = config.age.secrets."users/${username}/password".path;
+        extraGroups = [
+          "audio"
+          "video"
+          "networkmanager"
+        ];
+      };
+    };
+  };
+
+  home-manager.users."${username}" = { config, ... }: {
+    home = {
+      homeDirectory = "/home/${username}";
+      stateVersion = "18.09";
+    };
+  };
+
+  age.secrets."users/${username}/password" = {
+    file = ../../secrets/users/${username}/password.age;
+  };
+}
--- a/profiles/adrian/desktop/default.nix
+++ b/profiles/adrian/desktop/default.nix
@ -0,0 +1,9 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  options = {
+    profile = {
+      desktop = { };
+    };
+  };
+}
--- a/profiles/adrian/programs/default.nix
+++ b/profiles/adrian/programs/default.nix
@ -0,0 +1,7 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  imports = [
+
+  ];
+}
--- a/profiles/adrian/services/default.nix
+++ b/profiles/adrian/services/default.nix
@ -0,0 +1,7 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  imports = [
+
+  ];
+}
--- a/profiles/anna/default.nix
+++ b/profiles/anna/default.nix
@ -0,0 +1,52 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+let
+  username = "anna";
+  fullname = "Anna Boerger";
+  desktop = config.personal.services.desktop.enable;
+
+in
+{
+  imports = [
+    ../modules
+    ./desktop
+
+    ../programs
+    ./programs
+
+    ../services
+    ./services
+  ];
+
+  profile = {
+    username = username;
+  };
+
+  users = {
+    users = {
+      "${username}" = {
+        description = "${fullname}";
+        shell = pkgs.zsh;
+        isNormalUser = true;
+        passwordFile = config.age.secrets."users/${username}/password".path;
+        extraGroups = [
+          "audio"
+          "video"
+          "networkmanager"
+        ];
+      };
+    };
+  };
+
+  home-manager.users."${username}" = { config, ... }: {
+    home = {
+      homeDirectory = "/home/${username}";
+      stateVersion = "18.09";
+    };
+  };
+
+  age.secrets."users/${username}/password" = {
+    file = ../../secrets/users/${username}/password.age;
+  };
+}
--- a/profiles/anna/desktop/default.nix
+++ b/profiles/anna/desktop/default.nix
@ -0,0 +1,9 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  options = {
+    profile = {
+      desktop = { };
+    };
+  };
+}
--- a/profiles/anna/programs/default.nix
+++ b/profiles/anna/programs/default.nix
@ -0,0 +1,7 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  imports = [
+
+  ];
+}
--- a/profiles/anna/services/default.nix
+++ b/profiles/anna/services/default.nix
@ -0,0 +1,7 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  imports = [
+
+  ];
+}
--- a/profiles/programs/default.nix
+++ b/profiles/programs/default.nix
@ -31,6 +31,8 @@
    ./slack.nix
    ./steam.nix
    ./teams.nix
+    ./telegram.nix
+    ./thunderbird.nix
    ./tmux.nix
    ./whatsapp.nix
    ./wine.nix
--- a/profiles/programs/develop.nix
+++ b/profiles/programs/develop.nix
@ -4,18 +4,18 @@ with lib;
 let
  cfg = config.profile.programs.develop;

-  python = pkgs.python39.withPackages (p: with p; [
-    ansible-core
-    ansible-doctor
-    # ansible-later
-    ansible-lint
-    boto3
-    botocore
-    hcloud
-    passlib
-    requests
-    yamllint
-  ]);
+  # python = pkgs.python39.withPackages (p: with p; [
+  #   ansible-core
+  #   ansible-doctor
+  #   # ansible-later
+  #   ansible-lint
+  #   boto3
+  #   botocore
+  #   hcloud
+  #   passlib
+  #   requests
+  #   yamllint
+  # ]);

 in
 {
@ -32,20 +32,18 @@ in
  config = mkIf cfg.enable {
    environment = {
      systemPackages = with pkgs; [
-        python
-
-        php80
-        php80Packages.composer
-
-        nodejs-16_x
-        yarn
+        # python

        act
+        ansible-doctor
+        ansible-later
+        ansible-lint
        awscli2
        eksctl
        git-chglog
        gopass
        graphviz
+        hcloud
        httpie
        ipcalc
        ngrok
@ -53,9 +51,17 @@ in
        reflex
        shellcheck
        sops
+        upx
+        yamllint
+
+        checkov
        terraform
        terragrunt
-        upx
+        tflint
+        tfsec
+
+        nodejs-16_x
+        yarn
      ];
    };
  };
--- a/profiles/programs/mattermost.nix
+++ b/profiles/programs/mattermost.nix
@ -19,7 +19,7 @@ in
  config = mkIf cfg.enable {
    environment = {
      systemPackages = with pkgs; [
-        mattermost
+        mattermost-desktop
      ];
    };
  };
--- a/profiles/programs/telegram.nix
+++ b/profiles/programs/telegram.nix
@ -0,0 +1,26 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+let
+  cfg = config.profile.programs.telegram;
+
+in
+{
+  options = {
+    profile = {
+      programs = {
+        telegram = {
+          enable = mkEnableOption "Telegram";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment = {
+      systemPackages = with pkgs; [
+        tdesktop
+      ];
+    };
+  };
+}
--- a/profiles/programs/thunderbird.nix
+++ b/profiles/programs/thunderbird.nix
@ -0,0 +1,26 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+let
+  cfg = config.profile.programs.thunderbird;
+
+in
+{
+  options = {
+    profile = {
+      programs = {
+        thunderbird = {
+          enable = mkEnableOption "Thunderbird";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment = {
+      systemPackages = with pkgs; [
+        thunderbird-bin
+      ];
+    };
+  };
+}
--- a/profiles/services/default.nix
+++ b/profiles/services/default.nix
@ -5,6 +5,7 @@
    ./blueman.nix
    ./caffeine.nix
    ./flameshot.nix
+    ./mopidy.nix
    ./nmapplet.nix
    ./owncloud.nix
    ./udiskie.nix
--- a/profiles/services/mopidy.nix
+++ b/profiles/services/mopidy.nix
@ -0,0 +1,50 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+let
+  cfg = config.profile.services.mopidy;
+
+in
+{
+  options = {
+    profile = {
+      services = {
+        mopidy = {
+          enable = mkEnableOption "Mopidy";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    home-manager.users."${config.profile.username}" = { config, ... }: {
+      programs = {
+        ncmpcpp = {
+          enable = true;
+        };
+      };
+
+      services = {
+        mopidy = {
+          enable = true;
+
+          extensionPackages = with pkgs; [
+            mopidy-iris
+            mopidy-jellyfin
+            mopidy-mpd
+            mopidy-tunein
+          ];
+
+          # extraConfigFiles = [
+          #   config.age.secrets."services/mopidy/jellyfin".path
+          # ];
+        };
+      };
+    };
+
+    # age.secrets."services/mopidy/jellyfin" = {
+    #   file = ../../secrets/services/mopidy/jellyfin.age;
+    #   owner = config.profile.username;
+    # };
+  };
+}
--- a/profiles/tabea/default.nix
+++ b/profiles/tabea/default.nix
@ -0,0 +1,52 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+let
+  username = "tabea";
+  fullname = "Tabea Boerger";
+  desktop = config.personal.services.desktop.enable;
+
+in
+{
+  imports = [
+    ../modules
+    ./desktop
+
+    ../programs
+    ./programs
+
+    ../services
+    ./services
+  ];
+
+  profile = {
+    username = username;
+  };
+
+  users = {
+    users = {
+      "${username}" = {
+        description = "${fullname}";
+        shell = pkgs.zsh;
+        isNormalUser = true;
+        passwordFile = config.age.secrets."users/${username}/password".path;
+        extraGroups = [
+          "audio"
+          "video"
+          "networkmanager"
+        ];
+      };
+    };
+  };
+
+  home-manager.users."${username}" = { config, ... }: {
+    home = {
+      homeDirectory = "/home/${username}";
+      stateVersion = "18.09";
+    };
+  };
+
+  age.secrets."users/${username}/password" = {
+    file = ../../secrets/users/${username}/password.age;
+  };
+}
--- a/profiles/tabea/desktop/default.nix
+++ b/profiles/tabea/desktop/default.nix
@ -0,0 +1,9 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  options = {
+    profile = {
+      desktop = { };
+    };
+  };
+}
--- a/profiles/tabea/programs/default.nix
+++ b/profiles/tabea/programs/default.nix
@ -0,0 +1,7 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  imports = [
+
+  ];
+}
--- a/profiles/tabea/services/default.nix
+++ b/profiles/tabea/services/default.nix
@ -0,0 +1,7 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  imports = [
+
+  ];
+}
--- a/profiles/thomas/default.nix
+++ b/profiles/thomas/default.nix
@ -20,7 +20,7 @@ in
  ];

  profile = {
-    username = "${username}";
+    username = username;

    desktop = {
      i3 = {
@ -68,6 +68,9 @@ in
      lutris = {
        enable = desktop;
      };
+      thunderbird = {
+        enable = desktop;
+      };
      mattermost = {
        enable = desktop;
      };
@ -80,9 +83,9 @@ in
      owncloud = {
        enable = desktop;
      };
-      playonlinux = {
-        enable = desktop;
-      };
+      # playonlinux = {
+      #   enable = desktop;
+      # };
      rocketchat = {
        enable = desktop;
      };
@ -101,6 +104,9 @@ in
      teams = {
        enable = desktop;
      };
+      telegram = {
+        enable = desktop;
+      };
      whatsapp = {
        enable = desktop;
      };
@ -141,6 +147,9 @@ in
      flameshot = {
        enable = desktop;
      };
+      mopidy = {
+        enable = desktop;
+      };
      nmapplet = {
        enable = desktop;
      };
@ -151,9 +160,9 @@ in
        enable = desktop;
      };

-      dunst = {
-        enable = desktop;
-      };
+      # dunst = {
+      #   enable = desktop;
+      # };
      polybar = {
        enable = desktop;
      };
@ -166,7 +175,7 @@ in
        description = "${fullname}";
        shell = pkgs.zsh;
        isNormalUser = true;
-        hashedPassword = "$6$yuwsoikF5utqohar$fdcvq0iXdmiioiRyBGeVZICzQm4nKlv6.pj9AWh13VRCsE07dN9StDnXV0aslIBb0SWRFC4dY5Um2MYiAMfmH0";
+        passwordFile = config.age.secrets."users/${username}/password".path;
        openssh = {
          authorizedKeys = {
            keys = [
@ -229,4 +238,8 @@ in
      stateVersion = "18.09";
    };
  };
+
+  age.secrets."users/${username}/password" = {
+    file = ../../secrets/users/${username}/password.age;
+  };
 }
--- a/profiles/thomas/desktop/i3.nix
+++ b/profiles/thomas/desktop/i3.nix
@ -4,6 +4,81 @@ with lib;
 let
  cfg = config.profile.desktop.i3;

+  programs = {
+    term = [
+      {
+        exec = "Alacritty";
+        class = "Alacritty";
+      }
+    ];
+
+    editor = [
+      {
+        exec = "code";
+        class = "code";
+      }
+    ];
+
+    browser = [
+      {
+        exec = "google-chrome-stable";
+        class = "google-chrome";
+      }
+    ];
+
+    music = [ ];
+
+    mail = [
+      {
+        exec = "thunderbird";
+        class = "thunderbird";
+      }
+    ];
+
+    chat = [
+      {
+        exec = "discord";
+        class = "discord";
+      }
+      {
+        exec = "element-desktop";
+        class = "element";
+      }
+      {
+        exec = "mattermost-desktop";
+        class = "mattermost";
+      }
+      {
+        exec = "rocketchat-desktop";
+        class = "rocket.chat";
+      }
+      {
+        exec = "signal-desktop";
+        class = "signal";
+      }
+      {
+        exec = "skypeforlinux";
+        class = "skype";
+      }
+      {
+        exec = "slack";
+        class = "slack";
+      }
+      {
+        exec = "teams";
+        class = "microsoft teams";
+      }
+      {
+        exec = "tdekstop";
+        class = "telegram-desktop";
+      }
+      {
+        exec = "whatsapp-for-linux";
+        class = "whatsapp-for-linux";
+      }
+    ];
+  };
+
 in
 {
  options = {
@ -21,15 +96,23 @@ in
      home = {
        packages = with pkgs; [
          betterlockscreen
+          deadd-notification-center
          feh
          gnome.nautilus
          gucharmap
+          libnotify
          lxappearance
          playerctl
          scrot
        ];
      };

+      services = {
+        gnome-keyring = {
+          enable = true;
+        };
+      };
+
      xsession = {
        enable = true;

@ -55,21 +138,23 @@ in
              };

              assigns = {
-                "1" = [{
-                  class = "Alacritty";
-                }];
-                "3" = [{
-                  class = "google-chrome";
-                }];
+                "1" = map (i: { class = i.class; }) programs.term;
+                "2" = map (i: { class = i.class; }) programs.editor;
+                "3" = map (i: { class = i.class; }) programs.browser;
+                "4" = map (i: { class = i.class; }) programs.mail;
+                "5" = map (i: { class = i.class; }) programs.music;
+                "6" = map (i: { class = i.class; }) programs.chat;
              };

              startup = [
                {
-                  command = "feh --borderless --no-fehbg --bg-scale $HOME/.wallpapers/tower.jpg";
+                  command = "feh --no-fehbg --bg-scale $HOME/.wallpapers/tower.jpg";
+                  always = false;
                  notification = false;
                }
                {
-                  command = "betterlockscreen -w dim -u $HOME/.wallpapers/tower.jpg";
+                  command = "betterlockscreen --update $HOME/.wallpapers/tower.jpg";
+                  always = false;
                  notification = false;
                }
                {
@ -77,11 +162,11 @@ in
                  always = true;
                  notification = false;
                }
-                {
-                  command = "systemctl --user restart dunst";
-                  always = true;
-                  notification = false;
-                }
+                # {
+                #   command = "systemctl --user restart dunst";
+                #   always = true;
+                #   notification = false;
+                # }
                {
                  command = "systemctl --user restart udiskie";
                  always = true;
@ -97,7 +182,19 @@ in
                  always = true;
                  notification = false;
                }
-              ];
+
+                {
+                  command = "deadd-notification-center";
+                  always = false;
+                  notification = false;
+                }
+
+                # {
+                #   command = "clockify";
+                #   always = false;
+                #   notification = false;
+                # }
+              ] ++ (map (i: { command = i.exec; notification = false; }) programs.term) ++ (map (i: { command = i.exec; notification = false; }) programs.editor) ++ (map (i: { command = i.exec; notification = false; }) programs.browser) ++ (map (i: { command = i.exec; notification = false; }) programs.mail) ++ (map (i: { command = i.exec; notification = false; }) programs.music) ++ (map (i: { command = i.exec; notification = false; }) programs.chat);

              gaps = {
                smartGaps = true;
@ -210,7 +307,7 @@ in
              set $power "[l]ock log[o]ut [s]uspend [h]ibernate [r]eboot [p]oweroff"

              mode $power {
-                  bindsym l exec betterlockscreen -w dim -u $HOME/.wallpapers/tower.jpg; mode "default"
+                  bindsym l exec betterlockscreen --lock dim; mode "default"
                  bindsym o exec i3-msg exit; mode "default"
                  bindsym s exec systemctl suspend; mode "default"
                  bindsym h exec systemctl hibernate; mode "default"
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -2,11 +2,27 @@ let
  thomas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaQYR0/Oj6k1H03kshz2J7rlGCaDSuaGPhhOs9FcZfn";
  users = [ thomas ];

+  midgard = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGC6aSeeKiMO9y3NMxPOh2JvvGYcyS4za+0+hSqI3Bj";
+  asgard = "";
  utgard = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN02izetkp+Wru4KE0ZASwOcjJfXr3U0H/Q/i0fjdgJ7";
-  systems = [ utgard ];
+  systems = [ midgard asgard utgard ];
 in
 {
  "services/acme/credentials.age".publicKeys = users ++ systems;
  "services/frpc/token.age".publicKeys = users ++ systems;
+  "services/mopidy/jellyfin.age".publicKeys = users ++ systems;
  "services/nixbuild/sshkey.age".publicKeys = users ++ systems;
+  "services/tailscale/authkey.age".publicKeys = users ++ systems;
+
+  "users/media/password.age".publicKeys = users ++ systems;
+  "users/media/smbpasswd.age".publicKeys = users ++ systems;
+
+  "users/printer/password.age".publicKeys = users ++ systems;
+  "users/root/password.age".publicKeys = users ++ systems;
+  "users/admin/password.age".publicKeys = users ++ systems;
+
+  "users/thomas/password.age".publicKeys = users ++ systems;
+  "users/anna/password.age".publicKeys = users ++ systems;
+  "users/adrian/password.age".publicKeys = users ++ systems;
+  "users/tabea/password.age".publicKeys = users ++ systems;
 }
--- a/secrets/services/acme/credentials.age
+++ b/secrets/services/acme/credentials.age
--- a/secrets/services/frpc/token.age
+++ b/secrets/services/frpc/token.age
@ -1,9 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 ptT1OQ zh94IvnUClD1KSf07GormPU11pydyI2mJ0QR+dj35AU
-WJmyov9jnDRU0XOfNly+YctW4u/74nbLjp84JRHncWE
-> ssh-ed25519 QkapZw 63is6AXw4FTrqsD0up52mIGSfLFcb+X+ZJ47QiOLgHo
-NiILE2Wc05JFcISN0HV0oZ+m8H4HUQOADLrNoAWMVmk
-> [nwC-grease dC<=9<F[
-hiGKFg8H+Vj1ZRCNDLcJUclYKKw
--- cy6U+0/Q0gTt5+XKisuoGbFFxggmfE3CfJkgWCuLty8
-@^ç°µYô-œ”/WQŽ&=›‡
<0A>kO y·ZêmD:íÌ)ùÕ+·‹¥+ZÙ<19>èØ¦!d
+-> ssh-ed25519 ptT1OQ G0UMa/hBBgKiYtBUgm6E+LHVVly/sr2+0dThm+VsNV0
+GFlyE+NmG7wND92/WXCJFFkq9M1Nsfq3k7YRnAIiH+s
+-> ssh-ed25519 vDK6kA IMw7Ugc3JS3lo+jdy3VTfxNe+BcWRvIurYcHo8/20Gw
+x6EZAsfUt/Q99W5ibar3GznBJPxgZiHGwplouzXDFdc
+-> ssh-ed25519 QkapZw u+G8NcRFQARVgqHA8GgQI/FwAVJIEPYdyMOwEcQYIDY
+EQdhk9LxqWPdIwzIhBG13dLVpXZJyadWr87YQ8M1UcQ
+-> J-grease SyWuYE |$6Yno7V B^+)$-n
+xH13RODn/QcYvsniQH4
+--- ha8bj14RU/C0zmMc4kVty3WsN6fRF8ZdyhSmqKyPshs
+<EFBFBD>ﾛ<EFBFBD>ﾐ广]2(y>ｹ鋕VCﾃZ;ﾑｬｴＤ+ｻ\!.OEpqｻI&fSｪﾌLﾒﾌ>A｢K
--- a/secrets/services/mopidy/jellyfin.age
+++ b/secrets/services/mopidy/jellyfin.age
--- a/secrets/services/nixbuild/sshkey.age
+++ b/secrets/services/nixbuild/sshkey.age
--- a/secrets/services/tailscale/authkey.age
+++ b/secrets/services/tailscale/authkey.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptT1OQ LnnwfsdOcAom5MZY4xYG+m1CUOcR2LhCYU+UMGQxwU4
+UxV1cyR0seHEmhzI0ngmf9MNEqA7Se77G52b4kw8a5E
+-> ssh-ed25519 vDK6kA 4iqbkl1XVdmO/4bb8oCPstM+c90jjlNUqx1EPnKZqAs
+voRRt0wWr4DIpkY5R+S9e7dhJ7PsirrQGYkku/86iLY
+-> ssh-ed25519 QkapZw 7atPx1R+UvxoIevJwJSuDWjs4Uwtarae1ubDKXLLWGA
+z3Xfmk2ysy+j57aRbt4kv0Jv+7ajeBlDw1VrADjNJlw
+-> Jo:^-grease 68x TN\24 Y<eo UEy
+AoDN8iMG
+--- Hkh8+TIqB75tkzt1n2Biy9ZLKogTCdTzsT11w7N+/BI
+–<*W^š†2Ú}äqî“r4Øg[Màüi<08>bbdÛ
+ÐóªêcæãOÔè	„’Vttáhð9ÎÂ$iìÊ+Q™qhf½Aï_#×™(lZõ‰lp/"
--- a/secrets/users/admin/password.age
+++ b/secrets/users/admin/password.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptT1OQ OnQmMRmL4vooeJARScu0RFDRxF+DAwzzHA6Xfs9E60M
+q0oXUE7RKv/b5/v2nHbRDK0B/m/D5HQ9pCnCF1Hub/c
+-> ssh-ed25519 vDK6kA iYH6SGuEb2frh2Av9/NnhsD5SYxPU/ymow7qiwPdPAA
+iei5JokDZ4vyKYa4+oKi6tt4X+m6C9Q64YUHX75cJKo
+-> ssh-ed25519 QkapZw WrWt+aqpoT/jQdD3ktFygrodrZ1dutukEWzSlAiCFDk
+1mvKL9cnEE61wfY+yZE1N8E8SfYUWyyLftOg30JIgRg
+-> W^&%6jtg-grease v8zD(}
+NZAuTFXfI/X9rK8azx1w4fqKMrvOKcRWrGx3iXWn8Cdkb/cAtfRyckPc659jONns
+/gJx2jcqstgYR7O38wnOuuevexEeRn/2i5bISRLbN1AGW4Q
+--- LW/pRhTdYie4pUsBKMqRp38ltz1fJ9tZMRAcV71ykZk
+údb»^‚FB¤f‰‰·mÒ
+s˜Æ"2TºˆLb#¢Â‘¨p_Ï
--- a/secrets/users/adrian/password.age
+++ b/secrets/users/adrian/password.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptT1OQ 6owQsraIjwntWOLM/IgsCfo9k4xP7EgBqGHz/9ACOgc
+Qlee7D1NbteTDL97/yfvfkZnuuF1n5oCMCjwJZIERH0
+-> ssh-ed25519 vDK6kA 6OPdEol4Z3nCRInYKRNb+EboSByN+ed1X0dVVZBTLkE
+6kDLoKD+GQVaIzAy5GHdF8K/3iMZTg7x0cb8ScNA0B4
+-> ssh-ed25519 QkapZw oZ6I/sL0ZGVu+8qK+Ol4QMlOCAFy4CaS83EAnV1XLWw
+R63uqZ48KJ+M7HZ2vCQ/1eEXyzeTLZSHpp3AM6zLlTQ
+-> dw,mS#A0-grease -?,a d<}@U<
+aiBxTwXkpHMDz2mrp3+6PZE9pxA4TZe/+ioGsek0iWLjNGZ2zh1/z3cZ5dHodDfc
+pHW/9wWa0j4
+--- Yl4jZiBuNi+e4Hxo5JcbRmQGM5tzYz1UG0naPSH8fzI
+Ñ6ß®ç³âSá….BXp JR¼ð<C2BC>¢ÕŸáK±Õ‘_÷IJ±®š¸dA
--- a/secrets/users/anna/password.age
+++ b/secrets/users/anna/password.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptT1OQ ZwHZuEtXIywjlO1Qylc54X5yliYN2C20lXtxRleDOgE
+h3PEPfWVR7Y3Xc80e26UwMg8SU9ZDgs4SkyAQsYzj+Q
+-> ssh-ed25519 vDK6kA +yWQE2uLXFSpX4iCxaKyaxk/219fItLaZGC3vlzgQFs
+g6wiwF/Ym7KUuWnPVLZyMzcvwOc+gEzQtVEOMcTGE2c
+-> ssh-ed25519 QkapZw Ymvdm1Lh4AdNYQsvtnlTB+xFU0ukt0qvQGmSPodVT1M
+5wKYkK+69TVRm0P+dZEASBfbAT0R7jBNJKmzwU6KIKk
+-> (`jv:-grease j(N
+2LnNRS5xWT3s9x5gg1ls7pfVbg/uFgCyLNr9/KK4YbQbsNKrNg
+--- hLiE6yB2F7kOJw3qT31+bCbnMtcK32XYgxbI82WVlmY
+öA,½ÍìÔXx[†Z›©Ëg-2‡¦–®#â)»9ƒÚzºbÃïÿ[V¼€
--- a/secrets/users/media/password.age
+++ b/secrets/users/media/password.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptT1OQ 6nrRFAT0bfW/YJUvUidI1VKSuLYwInjTHAVBsW1m8QE
+zXaMZLYdHMe552DAOJIE+2Ej4FbNoiC0lMUVK0HwkYw
+-> ssh-ed25519 vDK6kA IgdF+Ru31yku4rGyIX9Kb5kbxfi8flHMw9jElsr/twM
+HKL3yIg8tiYgmMnjVbSxk4kq5XvtSrk30bNuyj35mg4
+-> ssh-ed25519 QkapZw vgukk5ZXct7y3e+3IDfKjM1Z/jKJhqmF2lg1WO/FfCo
+kK1WaS6PCfhbJj04PVOMgc3nGU8tFQS6kJxqhWHV6ZE
+-> V-grease * G#N'H$(
+BV3zew7ZPBc3kj8Vlsm8egFoTN0jTe7mqzFqjucThfldN+YFcKZK6VxzzCsbB6mn
+Ez2qmevGVI43inhwSmIUSnqVvj1+8hc5NICZJs24P+34HA
+--- vjzDvpUTaCep8r5cGc5JDnZUdaQ/I2qXMDHIF7gDIdo
+†Fa<46>Ûç<C39B>þC`žóìS@Op8Ü{ª)|q+öìó×v::’lú÷ìñ<>'æ!ì¹¦×c¢¶,
--- a/secrets/users/media/smbpasswd.age
+++ b/secrets/users/media/smbpasswd.age
--- a/secrets/users/printer/password.age
+++ b/secrets/users/printer/password.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptT1OQ 9z0mc7gau0SlDVq8NAZI0T+t2yetYhRJ5jJ+cx/pFTM
+4Yz8DPjhtAsy0abWxKR5WE9uC7n5BfhADTSUiDZBqUk
+-> ssh-ed25519 vDK6kA UPR/LPzCEBBo3WcTywbS/yjb7v+uQTjPzGVVv05VOkk
+UcbxNWcmE14VIUa6Sq4U4Q0SHLhQ7OKiE+xnGVq90tc
+-> ssh-ed25519 QkapZw uPxyBvN/TO//OGorad6hxvnDIqoLhROtU+HIcOOhXVs
+J3u69kfjynkf5lUVDk7X+4JHmOSca0Q14YOwAV14lb8
+-> GY`;C-grease (L,'+} $/@h ~
+ur0Lzp2w7e9/dJlEDbya+IIzQ6mwiEowxCUnCzm/JPELX/OLh/hlwUUzLOAJsVS
+Kw6Rf41t6o5HPJZXLFBtQtyjgLeZx/rlIjrBmFQ41BJ0Lbmf7/g
+--- E1i31zsuxNyizZMMeGBbgi1f77T3T5cn/kORrliha6U
+õcgBˆÉMòØµZ/MÌ
+]»C³®LbÅR*’å¨ƒ »Ç
¸`½Ý,îi†£|÷°£ÕeD
--- a/secrets/users/root/password.age
+++ b/secrets/users/root/password.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptT1OQ YcyAUwVMlw4/ALw7mnNSf0mZEIBy2QutWPnw/dIcdGU
+T12rjnbOaILGoVMRr2Ggi/kNThnacoLBFjCOBIROQgU
+-> ssh-ed25519 vDK6kA t/nieYJLDvK/t6nmqv9uZeznMXKZx0w6haAdGGbRUig
+L1RtzBdd2byvSb+Bei7cQk4pSeG572CmRnQ2fMl4xk8
+-> ssh-ed25519 QkapZw h50sCx6P4KcKJ1FuKBG7b1fXvfE3uLHM4CbFj0p2+zU
+b4llW691ia4zsUewi61ubDdTVuqKmZHkOQc+zcow3lo
+-> [@JJ3u-grease H9 XQF %fy3, Za.Zvj_}
+T68o20cFBiNu9Wgmk8ZpABs80V7f7Y6wBa3ldggYvp62kTswfS0mIGsO+ta6FZt9
++GxRoSprkcVmg4
+--- 4yMs1I5euxBUuhkdu98y/ExONALCQkfx7K/6uHAFh6A
+åJ<>Á•<1B>ûèíuŸ«°!ÈÛåˆ]Œ‚;ó)5œ7ªbsÉ¹ów:›=ÅÃ
--- a/secrets/users/tabea/password.age
+++ b/secrets/users/tabea/password.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptT1OQ aldRZAe2K4bGX8GbnW01BC7pkreWmEYG50iFM5+cVkM
+Ix3RuSN12AQr0kggdEwgVBmpv7oal99PHyTeAv0tDdc
+-> ssh-ed25519 vDK6kA c9sm7SGxgbgJt2M/mKT0mnDPv8kMgvU4E+WM88pszDE
+K7jsUZzDX5cXcnTCeswxOz/5+wMJMt80/pSU36UkE+w
+-> ssh-ed25519 QkapZw HsnZIJNhcwAf7uAU6g+NtsNYSpnK0A7LOWZfNYN8tkE
+i6y8GMfYo3iwH5reeUdMwmbzjR/BcKGZg+2OKNPRfIU
+-> |/"ga-grease \:S|s5} 3HKp9_~
+hewqWDDpTlc
+--- gznXnky7kkgfMGD88xGo4dAXpZkLX7DKx8xMxRFgL+w
+*術(4qG0YEﾀ>H*7wNe､･ｩ<>cG[ｸ｢L噤以<E599A4>ｪ徠
--- a/secrets/users/thomas/password.age
+++ b/secrets/users/thomas/password.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptT1OQ fwUu8pY2budRGKQ5KH8g3PpQkYw8nxQjXPMypWRVzmg
+KqgwVHgyLsJHXn46OwwH5a6+mXIeu4JjsXXH3nZCFQQ
+-> ssh-ed25519 vDK6kA QWFjCWEDx9y9hsBaVfdECb/9XiPtNR3SRf1dXd9szmI
+fv9QTZ9h2JWW9d+rjjTnePOW/lxOnvVNYl3P3a2Fgnc
+-> ssh-ed25519 QkapZw 9aLnV1zSbaws9Kzx7gFYBc3xQPzoNpqF8C3woF8D03E
+CUZodCA2dAvZra7367A1PNdHlVkgKqfMl/LBlD35MKo
+-> D-grease ;95[E YS| [,!+^H P~&
+fpm
+--- FJSm4ETZT3yielQi7G05UJXRRNpOJawgSogBmyC51MU
+i%`vø\? ‡\Yã{ö›‡×I¼¾w5œCÌõrpP=ï®Gº¶Xðø<C3B0>