feat: many changes

2025-08-01 19:48:49 +02:00
parent 7f01dc4cac
commit 3990566fe5
21 changed files with 363 additions and 170 deletions
--- a/hosts/fw/modules/dnsmasq.nix
+++ b/hosts/fw/modules/dnsmasq.nix
@@ -66,9 +66,9 @@
      ];
      dhcp-host = [
        "30:05:5c:56:62:37,${config.networkPrefix}.96.100,brn30055c566237"
        "24:df:a7:b1:1b:74,${config.networkPrefix}.96.101,rmproplus-b1-1b-74"
        "30:05:5c:56:62:37,${config.networkPrefix}.99.100,brn30055c566237"
        "1a:c4:04:6e:29:bd,${config.networkPrefix}.97.2,omada"
        "02:00:00:00:00:04,${config.networkPrefix}.97.6,matrix"
        "ea:db:d4:c1:18:ba,${config.networkPrefix}.97.50,git"
@@ -79,7 +79,6 @@
        "f0:2f:9e:d4:3b:21,${config.networkPrefix}.99.11,firetv-living"
        "e4:2a:ac:32:3f:79,${config.networkPrefix}.99.13,xbox"
        "f0:2f:9e:c1:74:72,${config.networkPrefix}.99.21,firetv-bedroom"
        "30:05:5c:56:62:37,${config.networkPrefix}.99.100,brn30055c566237"
        "fc:ee:28:03:63:e9,${config.networkPrefix}.100.148,k1c"
        "cc:50:e3:bc:27:64,${config.networkPrefix}.100.112,Nuki_Bridge_1A753F72"
@@ -100,7 +99,7 @@
        "/feeds.cloonar.com/188.34.191.144"
        "/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112"
        "/allywatch.cloonar.com/${config.networkPrefix}.97.5"
-        "/brn30055c566237.cloonar.com/${config.networkPrefix}.96.100"
+        "/brn30055c566237.cloonar.multimedia/${config.networkPrefix}.99.100"
        "/stage.wsw.at/10.254.235.22"
        "/prod.wsw.at/10.254.217.23"
--- a/hosts/fw/modules/foundry-vtt.nix
+++ b/hosts/fw/modules/foundry-vtt.nix
@@ -38,6 +38,7 @@ in {
          address = "${hostConfig.networkPrefix}.96.1";
          interface = "eth0";
        };
        firewall.enable = false;
        nameservers = [ "${hostConfig.networkPrefix}.97.1" ];
      };
      systemd.services.foundry-vtt = {
@@ -66,12 +67,6 @@ in {
        gid = cids.gids.foundry-vtt;
      };
      networking.firewall = {
        enable = true;
        allowedTCPPorts = [ 30000 ];
      };
      system.stateVersion = "24.05";
    };
  };
--- a/hosts/fw/modules/home-assistant/light.nix
+++ b/hosts/fw/modules/home-assistant/light.nix
@@ -274,46 +274,88 @@
        };
      };
    };
-    "automation bed_button_1" = {
+    "automation bedroom light" = {
-      alias = "bed_button_1";
+      alias = "bedroom light";
-      trigger = {
+      trigger = [
-        platform = "event";
+        {
-        event_type = "shelly.click";
+          platform = "event";
-        event_data = {
+          event_type = "button_pressed";
-          device = "shellybutton1-E8DB84AA196D";
+          event_data = {
-        };
+            id = [ 254 207 162 105 ];
-      };
+            which = 1;
            onoff = 1;
            pushed = 1;
          };
        }
        {
          platform = "event";
          event_type = "shelly.click";
          event_data = {
            device = "shellybutton1-E8DB84AA136D";
            click_type = "double";
          };
        }
      ];
      action = [
        {
-          choose = [
+          service = "light.toggle";
-            {
+          target = {
-              conditions = [ "{{ trigger.event.data.click_type == \"single\" }}" ];
+            entity_id = "light.bedroom_lights";
-              sequence = [
+          };
-                {
+        }
-                  service = "light.toggle";
+      ];
-                  entity_id = "light.bed_reading_1";
+    };
-                }
+    "automation bed light" = {
-              ];
+      alias = "bed light";
-            }
+      trigger = [
-            {
+        {
-              conditions = [ "{{ trigger.event.data.click_type == \"double\" }}" ];
+          platform = "event";
-              sequence = [
+          event_type = "button_pressed";
-                {
+          event_data = {
-                  service = "light.toggle";
+            id = [ 254 207 162 105 ];
-                  entity_id = "light.bedroom_lights";
+            which = 0;
-                }
+            onoff = 1;
-              ];
+            pushed = 1;
-            }
+          };
-            {
+        }
-              conditions = [ "{{ trigger.event.data.click_type == \"triple\" }}" ];
+        {
-              sequence = [
+          platform = "event";
-                {
+          event_type = "shelly.click";
-                  service = "light.toggle";
+          event_data = {
-                  entity_id = "light.bedroom_bed";
+            device = "shellybutton1-E8DB84AA136D";
-                }
+            click_type = "triple";
-              ];
+          };
-            }
+        }
-          ];
+      ];
      action = [
        {
          service = "light.toggle";
          target = {
            entity_id = "light.bedroom_bed";
          };
        }
      ];
    };
    "automation reading 1 light" = {
      alias = "reading 1 light";
      trigger = [
        {
          platform = "event";
          event_type = "button_pressed";
          event_data = {
            id = [ 254 207 162 105 ];
            which = 0;
            onoff = 0;
            pushed = 1;
          };
        }
      ];
      action = [
        {
          service = "light.toggle";
          target = {
            entity_id = "light.bed_reading_1";
          };
        }
      ];
    };
@@ -338,24 +380,6 @@
                }
              ];
            }
            {
              conditions = [ "{{ trigger.event.data.click_type == \"double\" }}" ];
              sequence = [
                {
                  service = "light.toggle";
                  entity_id = "light.bedroom_lights";
                }
              ];
            }
            {
              conditions = [ "{{ trigger.event.data.click_type == \"triple\" }}" ];
              sequence = [
                {
                  service = "light.toggle";
                  entity_id = "light.bedroom_bed";
                }
              ];
            }
          ];
        }
      ];
--- a/hosts/fw/modules/home-assistant/multimedia.nix
+++ b/hosts/fw/modules/home-assistant/multimedia.nix
@@ -290,16 +290,6 @@
            command = "b64:JgDaAAABKZMUERMSExITEhMSExETEhMSExITEhMSExETNxQ2ExITEhMSEzcTNxM3ExITEhM3ExITNxMSEhITEhM3EzcTEhM3EwAFyAABKJQUERMSEhITEhMSExITEhMSEhITEhMSExITNxM3ExITEhMREzcTNxQ3EhITEhM3ExITNxMSExITEhM3EzcTEhM3EwAFyAABKJQUERMSExETEhMSExITEhMSExETEhMSExITNxM3ExITEhMREzcTOBI4ExETEhM3ExITNxMSExITEhM3EzcTEhM3E5IGAA0FAAAAAAAAAAAAAAAAAAA=";
          };
        }
        {
          delay = 30;
        }
        # turn off tv switch
        {
          service = "switch.turn_off";
          target = {
            entity_id = "switch.tv_switch";
          };
        }
      ];
    };
    "automation all_multimedia_on" = {
--- a/hosts/fw/modules/home-assistant/sleep.nix
+++ b/hosts/fw/modules/home-assistant/sleep.nix
@@ -7,10 +7,6 @@
        at = "input_datetime.wakeup";
      };
      action = [
        {
          service = "switch.turn_on";
          entity_id = "switch.coffee";
        }
        {
          delay = 1700;
        }
@@ -27,34 +23,21 @@
      trigger = [
        {
          platform = "event";
-          event_type = "shelly.click";
+          event_type = "button_pressed";
          event_data = {
-            device = "shellybutton1-E8DB84AA196D";
+            id = [ 254 207 162 105 ];
-          };
+            which = 1;
-        }
+            onoff = 0;
-        {
+            pushed = 1;
          platform = "event";
          event_type = "shelly.click";
          event_data = {
            device = "shellybutton1-E8DB84AA136D";
          };
        }
      ];
      action = [
        {
-          choose = [
+          service = "script.turn_on";
-            {
+          target = {
-              conditions = [ "{{ trigger.event.data.click_type == \"long\" }}" ];
+            entity_id = "script.turn_off_everything";
-              sequence = [
+          };
                {
                  service = "script.turn_on";
                  target = {
                    entity_id = "script.turn_off_everything";
                  };
                }
              ];
            }
          ];
        }
      ];
    };
@@ -65,22 +48,18 @@
            service = "light.turn_off";
            entity_id = "all";
          }
-          {
+          # {
-            service = "switch.turn_off";
+          #   service = "switch.turn_off";
-            entity_id = "switch.coffee";
+          #   entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe";
-          }
+          # }
-          {
+          # {
-            service = "switch.turn_off";
+          #   service = "switch.turn_off";
-            entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe";
+          #   entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe";
-          }
+          # }
-          {
+          # {
-            service = "switch.turn_off";
+          #   service = "switch.turn_off";
-            entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe";
+          #   entity_id = "switch.hallway_circuit";
-          }
+          # }
          {
            service = "switch.turn_off";
            entity_id = "switch.hallway_circuit";
          }
          # TODO: needs to stay on because phone is not loading otherwise
          # { 
          #   service = "switch.turn_off";
--- a/hosts/fw/modules/phpldapadmin.nix
+++ b/hosts/fw/modules/phpldapadmin.nix
@@ -4,7 +4,7 @@
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers = {
    phpldapadmin = {
-      image = "phpldapadmin/phpldapadmin:latest";
+      image = "phpldapadmin/phpldapadmin:2.2.2";
      autoStart = true;
      ports = [
        "80:8087/tcp"
--- a/hosts/nb/configuration.nix
+++ b/hosts/nb/configuration.nix
@@ -21,6 +21,7 @@ in {
      ./modules/appimage.nix
      ./modules/desktop
      ./modules/development
      ./modules/printer.nix
      # ./modules/cyberghost.nix
      ./utils/modules/autoupgrade.nix
      ./modules/puppeteer.nix
--- a/hosts/nb/modules/desktop/bitwarden.nix
+++ b/hosts/nb/modules/desktop/bitwarden.nix
@@ -1,9 +1,42 @@
 { config, pkgs, ... }:
-
+let
  polkitAgent = pkgs.lxqt.lxqt-policykit;
 in
 {
  #### Fingerprint stack #######################################################
  services.fprintd.enable = true;
  services.fprintd.tod.enable = true;
  # Change the driver if your sensor isn’t Goodix.
  services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix;
  #### Polkit (needed for Bitwarden’s “system authentication” prompt) ###########
  security.polkit.enable = true;
  services.dbus.enable = true;
  systemd.user.services.polkit-agent = {
    description = "Polkit authentication agent";
    after = [ "graphical-session.target" ];
    wantedBy = [ "graphical-session.target" ];
    serviceConfig.ExecStart = "${polkitAgent}/bin/lxqt-policykit-agent";
    serviceConfig.Restart = "on-failure";
  };
  #### Autostart Bitwarden desktop in your user session ########################
  systemd.user.services.bitwarden = {
    description = "Bitwarden Desktop";
    after = [ "graphical-session.target" ];
    wantedBy = [ "graphical-session.target" ];
    serviceConfig.ExecStart = "${pkgs.bitwarden}/bin/bitwarden";
    serviceConfig.Restart = "on-abort";
  };
  #### Handy tools #############################################################
  environment.systemPackages = with pkgs; [
    goldwarden
    bitwarden
    bitwarden-cli
    fprintd
    lxqt.lxqt-policykit
  ];
  environment.shellAliases = {
@@ -14,4 +47,43 @@
  environment.shellInit = ''
    mkdir -p ~/.config/bitwarden-cli-epicenter ~/.config/bitwarden-cli-cloonar
  '';
  # environment.systemPackages = with pkgs; [
  #   bitwarden
  #   bitwarden-cli
  #   (runCommand "bitwarden-polkit-policy" {} ''
  #     mkdir -p $out/share/polkit-1/actions
  #     cat > $out/share/polkit-1/actions/com.bitwarden.Bitwarden.policy <<'EOF'
  #     <?xml version="1.0" encoding="UTF-8"?>
  #     <!DOCTYPE policyconfig PUBLIC
  #     "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  #     "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
  #     <policyconfig>
  #       <action id="com.bitwarden.Bitwarden.unlock">
  #         <description>Unlock Bitwarden</description>
  #         <message>Authenticate to unlock Bitwarden</message>
  #         <defaults>
  #           <allow_any>no</allow_any>
  #           <allow_inactive>no</allow_inactive>
  #           <allow_active>auth_self</allow_active>
  #         </defaults>
  #       </action>
  #     </policyconfig>
  #     EOF
  #   '')
  # ];
  # systemd.user.services.polkit-gnome-authentication-agent-1 = {
  #   description = "polkit-gnome-authentication-agent-1";
  #   wantedBy = [ "graphical-session.target" ];
  #   wants = [ "graphical-session.target" ];
  #   after = [ "graphical-session.target" ];
  #   serviceConfig = {
  #     Type = "simple";
  #     ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
  #     Restart = "on-failure";
  #     RestartSec = 1;
  #     TimeoutStopSec = 10;
  #   };
  # };
 }
--- a/hosts/nb/modules/desktop/default.nix
+++ b/hosts/nb/modules/desktop/default.nix
@@ -19,6 +19,7 @@ in {
    freecad
    firefox
    openscad
    orca-slicer
    (where-is-my-sddm-theme.override {
      themeConfig.General = {
--- a/hosts/nb/modules/development/default.nix
+++ b/hosts/nb/modules/development/default.nix
@@ -21,7 +21,11 @@ in {
    git
    git-filter-repo
    glib
    gnumake
    air
    go
    jq
    mkcert
    mqttui
--- a/hosts/nb/modules/printer.nix
+++ b/hosts/nb/modules/printer.nix
@@ -1,5 +1,22 @@
 { lib, pkgs, ... }:
 let
  printerFix = pkgs.writeShellApplication {
    name = "printer-fix";
    runtimeInputs = [ pkgs.cups ];
    text = ''
      lpadmin -p 'Cloonar' -E \
      -v 'ipp://brn30055c566237.cloonar.multimedia/ipp/print' \
      -m 'everywhere'
      lpadmin -d 'epicenter.works'
    '';
  };
  printerFixDesktopItem = pkgs.makeDesktopItem {
    name = "printer-fix";
    desktopName = "Printer Fix";
    exec = "printer-fix";
  };
 in {
  services.printing.enable = true;
--- a/hosts/nb/users/configs/project_history
+++ b/hosts/nb/users/configs/project_history
@@ -10,6 +10,7 @@
 /home/dominik/projects/cloonar/updns
 /home/dominik/projects/cloonar/mcp-servers-nix
 /home/dominik/projects/cloonar/ldap2vcard
 /home/dominik/projects/accessowl/ao-domainscraping
 /home/dominik/projects/cloonar/flow/flow-docs
 /home/dominik/projects/cloonar/flow/flow-user-service
--- a/hosts/nb/users/dominik.nix
+++ b/hosts/nb/users/dominik.nix
@@ -607,6 +607,7 @@ in
      git clone gitea@git.cloonar.com:Cloonar/updns.git ${persistHome}/projects/cloonar/updns 2>/dev/null
      git clone git@github.com:dpolakovics/mcp-servers-nix.git ${persistHome}/cloonar/mcp-servers-nix 2>/dev/null
      git clone gitea@git.cloonar.com:Cloonar/ldap2vcard.git ${persistHome}/projects/cloonar/ldap2vcard 2>/dev/null
      git clone gitea@git.cloonar.com:AccessOwl/ao-domainscraping.git ${persistHome}/projects/accessowl/ao-domainscraping 2>/dev/null
      git clone gitea@git.cloonar.com:Cloonar/flow-docs.git ${persistHome}/projects/cloonar/flow/flow-docs 2>/dev/null
      git clone gitea@git.cloonar.com:Cloonar/flow-user-service.git ${persistHome}/projects/cloonar/flow/flow-user-service 2>/dev/null
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -23,6 +23,7 @@
    ./utils/modules/autoupgrade.nix
    ./utils/modules/promtail
    ./utils/modules/borgbackup.nix
    # ./utils/modules/ldap-auth.nix
    ./modules/set-nix-channel.nix # Automatically manage nix-channel from /var/bento/channel
    ./hardware-configuration.nix
@@ -35,6 +36,9 @@
    ./sites/autoconfig.cloonar.com.nix
    ./sites/feeds.cloonar.com.nix
    ./sites/vcard.cloonar.dev.nix
    ./sites/vcard.cloonar.com.nix
    ./sites/cloonar.com.nix
    ./sites/gbv-aktuell.at.nix
    ./sites/matomo.cloonar.com.nix
--- a/hosts/web-arm/modules/authelia/default.nix
+++ b/hosts/web-arm/modules/authelia/default.nix
@@ -177,7 +177,7 @@ in {
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
-              pre_configured_consent_duration = "1y";
+              consent_mode = "implicit";
              scopes = [
                "openid"
                "profile"
@@ -194,7 +194,7 @@ in {
              redirect_uris = [ 
                "https://nextcloud.cloonar.com/apps/oidc_login/oidc"
              ];
-              pre_configured_consent_duration = "1y";
+              consent_mode = "implicit";
              scopes = [
                "openid"
                "profile"
@@ -210,7 +210,7 @@ in {
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
-              pre_configured_consent_duration = "1y";
+              consent_mode = "implicit";
              scopes = [
                "openid"
                "profile"
@@ -226,7 +226,7 @@ in {
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
-              pre_configured_consent_duration = "1y";
+              consent_mode = "implicit";
              token_endpoint_auth_method = "client_secret_post";
              scopes = [
                "openid"
--- a/hosts/web-arm/modules/grafana/default.nix
+++ b/hosts/web-arm/modules/grafana/default.nix
@@ -28,13 +28,12 @@ let
 in
 {
  imports = [
-    # Individual alert files removed, now handled by alerting/system/default.nix
+    ./alerting/system/default.nix
-    ./alerting/system/default.nix # Added: Imports the consolidated system alerts module
+    ./alerting/service/default.nix
-    ./alerting/service/default.nix # Added: Imports the new service alerts module
+    ./alerting/websites/default.nix
-    ./alerting/websites/default.nix # Added: Imports the new websites alerts module
+
    # ... other rule files can be added here ...
    ./datasources/victoriametrics.nix
-    ./datasources/loki.nix # Add Loki datasource
+    ./datasources/loki.nix
  ];
  systemd.services.grafana.script = lib.mkBefore ''
@@ -97,15 +96,15 @@ in
    };
    provision = {
      alerting = {
-        rules.settings.groups = lib.mkMerge []; # Allows rule groups to be merged (including the one from system/default.nix)
+        rules.settings.groups = lib.mkMerge [];
        contactPoints = {
          settings = {
-            apiVersion = 1; # As per Grafana provisioning API
+            apiVersion = 1;
            contactPoints = [{
              orgId = 1;
              name = "cp_dominik";
              receivers = [{
-                uid = "dominik_pushover_cp_receiver"; # Made UID even more specific
+                uid = "dominik_pushover_cp_receiver";
                type = "pushover";
                settings = {
                  apiToken = "\${PUSHOVER_API_TOKEN}";
@@ -125,49 +124,16 @@ in
          };
        };
-        policies = { # Corrected from notificationPolicies to policies
+        policies = {
          settings = {
-            apiVersion = 1; # As per Grafana provisioning API
+            apiVersion = 1;
-
+            policies = [{
-            # Grafana's new unified alerting expects a single policy tree per org.
+              receiver = "cp_dominik";
            # For OrgID 1 (default), this defines the root of that tree.
            # The NixOS module should translate this into the correct YAML structure.
            # The `policies` attribute within `settings` usually takes a list of policy trees.
            # For a single default organization, we define one policy tree.
            # Grafana's own YAML examples show a top-level 'route' for the default policy,
            # or a list under 'policies' if you're managing multiple policy sets (less common for basic setup).
            # Given the NixOS option `services.grafana.provision.alerting.policies.settings.policies`,
            # it's likely expecting a list here.
            policies = [{ # This outer list corresponds to the `policies` option
              # orgId = 1; # Usually implicit for the default policy file, but can be specified
              receiver = "cp_dominik"; # This sets the default receiver for the root route
              # The actual routing tree starts here.
              # For a simple setup where all alerts go to one receiver,
              # just setting the top-level 'receiver' is often enough.
              # If more complex routing is needed, 'routes' would be defined here.
              # Example:
              # route = {
              #   receiver = "cp_dominik";
              #   group_by = [ "alertname", "job" ];
              #   # ... other root route settings
              #   routes = [
              #     {
              #       matcher_re = { severity = "critical" };
              #       receiver = "critical_alerts_receiver"; # Another contact point
              #       continue = false;
              #     },
              #     # ... other specific routes
              #   ];
              # };
              # For the simplest case, just defining the receiver at this level should work
              # as the root policy for the default organization.
            }];
            # resetPolicies = false; # Default, set to true to remove existing policies not in this config.
          };
        };
      };
-      datasources.settings.datasources = lib.mkMerge []; # Allows datasources to be merged
+      datasources.settings.datasources = lib.mkMerge [];
    };
  };
--- a/hosts/web-arm/sites/vcard.cloonar.com.nix
+++ b/hosts/web-arm/sites/vcard.cloonar.com.nix
@@ -0,0 +1,38 @@
 { pkgs, lib, config, ... }:
 {
  services.webstack.instances."vcard.cloonar.com" = {
    enableDefaultLocations = false;
    enableMysql = false;
    authorizedKeys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkN2nAB8RIJqeYl/d20P0viXmKsGDIrUIl5N+HAN99b"
    ];
    extraConfig = ''
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-Content-Type-Options "nosniff";
      index index.php
      charset utf-8;
    '';
    locations."/favicon.ico".extraConfig = ''
      log_not_found off;
      access_log off;
    '';
    locations."/robots.txt".extraConfig = ''
      access_log off;
      log_not_found off;
    '';
    locations."/".extraConfig = ''
      try_files $uri $uri/ /index.php$is_args$args;
    '';
    phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
      enabled ++ [ all.imagick ]);
    phpOptions = ''
      opcache.enable=1
      opcache.memory_consumption=128
      opcache.validate_timestamps=0
      opcache.revalidate_path=0
    '';
  };
 }
--- a/hosts/web-arm/sites/vcard.cloonar.dev.nix
+++ b/hosts/web-arm/sites/vcard.cloonar.dev.nix
@@ -0,0 +1,38 @@
 { pkgs, lib, config, ... }:
 {
  services.webstack.instances."vcard.cloonar.dev" = {
    enableDefaultLocations = false;
    enableMysql = false;
    authorizedKeys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzlgVs4/MCCU/Mw3nXsZquSXZ2x8h4uXjBEWLEvdQgV"
    ];
    extraConfig = ''
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-Content-Type-Options "nosniff";
      index index.php
      charset utf-8;
    '';
    locations."/favicon.ico".extraConfig = ''
      log_not_found off;
      access_log off;
    '';
    locations."/robots.txt".extraConfig = ''
      access_log off;
      log_not_found off;
    '';
    locations."/".extraConfig = ''
      try_files $uri $uri/ /index.php$is_args$args;
    '';
    phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
      enabled ++ [ all.imagick ]);
    phpOptions = ''
      opcache.enable=1
      opcache.memory_consumption=128
      opcache.validate_timestamps=0
      opcache.revalidate_path=0
    '';
  };
 }
--- a/todos.md
+++ b/todos.md
@@ -3,3 +3,7 @@ change sddm theme
 add yubikey
 change playmouth theme
 look into secure boot
 ## chache server
 https://github.com/zhaofengli/attic
--- a/utils/modules/borgbackup.nix
+++ b/utils/modules/borgbackup.nix
@@ -77,6 +77,8 @@ in {
        "/var/cache"
        "/var/tmp"
        "/var/log"
        "var/lib/microvms"
        "/var/lib/nixos-containers"
      ];
      environment.BORG_RSH = "ssh -p23 -i ${config.sops.secrets.borg-ssh-key.path}";
      repo = repo;
--- a/utils/modules/ldap-auth.nix
+++ b/utils/modules/ldap-auth.nix
@@ -0,0 +1,57 @@
 { lib, config, pkgs, ... }:
 let
  ldapAuthorizedKeys =
    pkgs.writeShellScript "ldap-authorized-keys" ''
      exec ${pkgs.openldap}/bin/ldapsearch -LLL -x -H ldap://ldap.cloonar.com \
        -D "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com" \
        -y ${config.sops.secrets.linuxbind-password.path} \
        -b "ou=users,dc=cloonar,dc=com" \
        "(uid=$1)" sshPublicKey \
      | sed -n 's/^sshPublicKey: //p'
    '';
 in
 {
  environment.systemPackages = with pkgs; [ openldap ];
  users.ldap = {
    enable = true;
    daemon.enable = true;
    base = "ou=users,dc=cloonar,dc=com";
    server = "ldap://ldap.cloonar.com/";
    useTLS = true;
    bind = {
      policy = "soft";
      distinguishedName = "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com";
      passwordFile = config.sops.secrets.linuxbind-password.path;
    };
    loginPam = true;
    extraConfig = ''
      ldap_version 3
      # pam_password ssha
      pam_filter objectClass=posixAccount
      pam_login_attribute uid
      pam_member_attribute gidNumber
    '';
  };
  security.pam.services.login.makeHomeDir = true;
  security.pam.services.systemd-user.makeHomeDir = true;
  systemd.services.nslcd = {
    after = [ "Network-Manager.service" ];
  };
  # evil, horrifying hack for dysfunctional nss_override_attribute_value
  systemd.tmpfiles.rules = [
    "L /bin/bash - - - - /run/current-system/sw/bin/bash"
  ];
  services.openssh = {
    settings = {
      AuthorizedKeysCommand      = ldapAuthorizedKeys;
      AuthorizedKeysCommandUser  = "nslcd";   # default is “nobody” :contentReference[oaicite:0]{index=0}
      PubkeyAuthentication       = "yes";
    };
  };
  sops.secrets.linuxbind-password.owner = "nslcd";
 }