changes

hosts/fw/configuration.nix

@@ -26,12 +26,14 @@
     ./modules/ddclient.nix
     # ./modules/wol.nix
 
+
     # microvm
     ./modules/microvm.nix
     ./modules/gitea-vm.nix
     # ./modules/vscode-server.nix  # Add VS Code Server microvm
 
     ./modules/ai-mailer.nix
+    ./modules/wazuh.nix
 
     # web
     ./modules/web

hosts/fw/modules/ai-mailer.nix

@@ -49,7 +49,7 @@
 
       logging:
         level: "info"
-        file_path: "/var/log/ai-mailer.log"
+        file_path: "/var/log/ai-mailer/ai-mailer.log"
     '';
   };
 
@@ -72,7 +72,7 @@
       User = "ai-mailer";
       Group = "ai-mailer";
       WorkingDirectory = "/var/lib/ai-mailer";
-      ExecStart = "${pkgs.ai-mailer}/bin/paraclub-ai-mailer -config /etc/ai-mailer/config.yaml";
+      ExecStart = "${pkgs.ai-mailer}/bin/ai-mailer -config /etc/ai-mailer/config.yaml";
       Restart = "always";
       RestartSec = "10s";
       StateDirectory = "ai-mailer";

hosts/fw/modules/ddclient.nix

@@ -15,6 +15,7 @@
       "palworld.cloonar.com"
       "matrix.cloonar.com"
       "element.cloonar.com"
+      "tinder.cloonar.com"
     ];
   };
 

hosts/fw/modules/home-assistant/default.nix

@@ -4,7 +4,7 @@ let
   pkgs-with-home-assistant = import (builtins.fetchGit {
     name = "new-home-assistant";
     url = "https://github.com/nixos/nixpkgs/";
-    rev = "41dea55321e5a999b17033296ac05fe8a8b5a257";
+    rev = "18dd725c29603f582cf1900e0d25f9f1063dbf11";
   }) {};
   networkPrefix = config.networkPrefix;
 in
@@ -161,7 +161,7 @@ in
         };
         script = ''
           set -e
-          HACS_VERSION="2.0.1"  # Replace with the latest version
+          HACS_VERSION="2.0.5"  # Replace with the latest version
           HACS_DIR="/var/lib/hass/custom_components/hacs"
           
           mkdir -p "$HACS_DIR"

hosts/fw/modules/home-assistant/multimedia.nix

@@ -76,7 +76,7 @@
                   {
                     service = "automation.turn_off";
                     target = {
-                      entity_id = "automation.all_multimedia_off";  # Replace with your target automation ID
+                      entity_id = "automation.all_multimedia_off";
                     };
                   }
                   {
@@ -115,7 +115,7 @@
                   {
                     service = "automation.turn_on";
                     target = {
-                      entity_id = "automation.all_multimedia_off";  # Replace with your target automation ID
+                      entity_id = "automation.all_multimedia_off";
                     };
                   }
                 ];
@@ -289,6 +289,9 @@
             command = "b64:JgDaAAABKZMUERMSExITEhMSExETEhMSExITEhMSExETNxQ2ExITEhMSEzcTNxM3ExITEhM3ExITNxMSEhITEhM3EzcTEhM3EwAFyAABKJQUERMSEhITEhMSExITEhMSEhITEhMSExITNxM3ExITEhMREzcTNxQ3EhITEhM3ExITNxMSExITEhM3EzcTEhM3EwAFyAABKJQUERMSExETEhMSExITEhMSExETEhMSExITNxM3ExITEhMREzcTOBI4ExETEhM3ExITNxMSExITEhM3EzcTEhM3E5IGAA0FAAAAAAAAAAAAAAAAAAA=";
           };
         }
+        {
+          delay = 20;
+        }
         # turn off tv switch
         {
           service = "switch.turn_off";

hosts/fw/modules/setupnetwork.nix

@@ -26,6 +26,7 @@
       };
       subnet4 = [
         {
+          id = 110;
           pools = [
             {
               pool = "${config.networkPrefix}.110.100 - ${config.networkPrefix}.110.240";

hosts/fw/modules/tinder-api.nix

@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.tinder-api-wrapper;
+in {
+  options.services.tinder-api-wrapper = with lib; {
+    enable = mkEnableOption "Tinder API wrapper service";
+    
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+      description = "Port to listen on";
+    };
+
+    apiEndpoint = mkOption {
+      type = types.str;
+      default = "https://api.gotinder.com";
+      description = "Target Tinder API endpoint URL";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "tinder-api";
+      description = "User account to run service.";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "tinder-api";
+      description = "Group account to run service.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    nixpkgs.overlays = [
+      (self: super: {
+        tinder-api-wrapper = self.callPackage ../pkgs/tinder-api.nix {};
+      })
+    ];
+
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+      description = "Tinder API wrapper service user";
+    };
+
+    users.groups.${cfg.group} = {};
+
+    systemd.services.tinder-api-wrapper = {
+      description = "Tinder API Wrapper Service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        ExecStart = "${pkgs.tinder-api-wrapper}/bin/server -listen :${toString cfg.port} -target ${cfg.apiEndpoint}";
+        Restart = "always";
+        RestartSec = "10";
+        
+        # Hardening
+        NoNewPrivileges = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+      };
+    };
+  };
+}

hosts/fw/modules/unbound.nix

@@ -54,6 +54,9 @@ let
         "\"switch.cloonar.com IN A ${config.networkPrefix}.97.10\""
         "\"mopidy.cloonar.com IN A ${config.networkPrefix}.97.21\""
         "\"deconz.cloonar.com IN A ${config.networkPrefix}.97.22\""
+        "\"wazuh-manager.cloonar.com IN A ${config.networkPrefix}.97.31\""
+        "\"wazuh-indexer.cloonar.com IN A ${config.networkPrefix}.97.32\""
+        "\"wazuh.cloonar.com IN A ${config.networkPrefix}.97.33\""
         "\"brn30055c566237.cloonar.com IN A ${config.networkPrefix}.96.100\""
         "\"snapcast.cloonar.com IN A ${config.networkPrefix}.97.21\""
         "\"home-assistant.cloonar.com IN A ${config.networkPrefix}.97.20\""
@@ -61,6 +64,7 @@ let
         "\"matrix.cloonar.com IN A ${config.networkPrefix}.97.5\""
         "\"element.cloonar.com IN A ${config.networkPrefix}.97.5\""
         "\"support.cloonar.com IN A ${config.networkPrefix}.97.5\""
+        "\"tinder.cloonar.com IN A ${config.networkPrefix}.97.5\""
         "\"git.cloonar.com IN A ${config.networkPrefix}.97.50\""
         "\"sync.cloonar.com IN A ${config.networkPrefix}.97.51\""
 

hosts/fw/modules/wazuh.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation.oci-containers.containers = {
+    # Wazuh Manager Container
+    wazuh-manager = {
+      autoStart = false;
+      image = "docker://wazuh/wazuh-manager:latest";
+      volumes = [
+        "/var/lib/wazuh:/var/ossec"
+      ];
+      extraOptions = [
+        "--network=server"
+        "--mac-address=10:10:00:00:00:01"
+        "--ip=${config.networkPrefix}.97.31"
+      ];
+    };
+
+    # Wazuh Indexer Container (Elasticsearch)
+    wazuh-indexer = {
+      autoStart = false;
+      image = "docker://wazuh/wazuh-indexer:latest";
+      volumes = [
+        "/var/lib/wazuh-indexer:/usr/share/elasticsearch/data"
+      ];
+      environment = {
+        "discovery.type" = "single-node";
+      };
+      extraOptions = [
+        "--network=server"
+        "--mac-address=10:10:00:00:00:02"
+        "--ip=${config.networkPrefix}.97.32"
+      ];
+    };
+
+    # Wazuh Dashboard Container (Kibana)
+    wazuh-dashboard = {
+      autoStart = false;
+      image = "docker://wazuh/wazuh-dashboard:latest";
+      volumes = [
+        "/var/lib/wazuh-indexer:/usr/share/elasticsearch/data"
+      ];
+      environment = {
+        "discovery.type" = "single-node";
+      };
+      environment = {
+        # Optionally, configure to connect to the indexer/manager:
+        WAZUH_INDEXER_URL = "http://wazuh-indexer.cloonar.com:9200";
+        WAZUH_MANAGER_URL = "http://wazuh-manager.cloonar.com:55000";
+      };
+      extraOptions = [
+        "--network=server"
+        "--mac-address=10:10:00:00:00:03"
+        "--ip=${config.networkPrefix}.97.33"
+      ];
+    };
+  };
+}

hosts/fw/modules/web/default.nix

@@ -52,11 +52,13 @@ in {
           ../network-prefix.nix
           ../../utils/modules/sops.nix
           ../../utils/modules/lego/lego.nix
+          ../../modules/tinder-api.nix
           # ../../utils/modules/borgbackup.nix
 
           ./zammad.nix
           ./proxies.nix
           ./matrix.nix
+          ./tinder-api.nix
         ];
 
         networkPrefix = config.networkPrefix;

hosts/fw/modules/web/tinder-api.nix

@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+
+{
+  services.tinder-api-wrapper = {
+    enable = true;
+    port = 8080;  # default port
+    apiEndpoint = "https://api.gotinder.com";
+  };
+  
+  services.nginx.virtualHosts."tinder.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8080";
+      proxyWebsockets = true;
+      extraConfig =
+        "proxy_set_header X-Forwarded-Proto 'https';" +
+        "proxy_set_header X-Forwarded-Ssl on;" +
+        "proxy_connect_timeout  300;" +
+        "proxy_send_timeout     300;" +
+        "proxy_read_timeout     300;" +
+        "send_timeout           300;"
+      ;
+    };
+  };
+}

hosts/fw/pkgs/tinder-api.nix

@@ -0,0 +1,21 @@
+{ lib, buildGoModule, fetchgit }:
+
+buildGoModule rec {
+  pname = "tinder-api-wrapper";
+  version = "0.1.0";
+
+  src = fetchgit {
+    url = "https://git.cloonar.com/dominik.polakovics/tinder-api-wrapper.git";
+    rev = "e99b56e4346ac4ae5c1e0747e51ff3a0259440d3";
+    sha256 = "sha256-ZGuoFVaTBJcnGiToNvk+MRD+zW9IUQldbbqFVLEfkeU=";
+  };
+
+  vendorHash = null;
+
+  meta = with lib; {
+    description = "Tinder API Wrapper Service";
+    homepage = "https://git.cloonar.com/dominik.polakovics/tinder-api-wrapper";
+    license = licenses.mit;
+    maintainers = with maintainers; [ /* add maintainers */ ];
+  };
+}

hosts/mail/modules/dovecot.nix

@@ -255,7 +255,7 @@ in
       "imap-test.${domain}"
       "imap-02.${domain}"
     ];
-    postRun = "sleep 2 && systemctl restart dovecot2.service";
+    postRun = "systemctl --no-block restart dovecot2.service";
   };
 
   networking.firewall.allowedTCPPorts = [

hosts/nb/configuration.nix

@@ -27,13 +27,16 @@ in {
       ./modules/sway/sway.nix
       ./modules/printer.nix
       # ./modules/cyberghost.nix
-      ./modules/nvim/default.nix
       ./utils/modules/autoupgrade.nix
       ./modules/puppeteer.nix
 
       ./cachix.nix
       ./users
 
+      # coding
+      ./modules/nvim/default.nix
+      ./modules/coding.nix
+
       # ./modules/steam.nix
 
       ./hardware-configuration.nix
@@ -200,12 +203,14 @@ in {
     git-filter-repo
     nix-prefetch-git
     openaudible
+    openmanus
     vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
     wget
     wireguard-tools
     wineWowPackages.stable
     wineWowPackages.fonts
     winetricks
+    pinentry-curses
     # ykfde
   ];
 
@@ -267,6 +272,14 @@ in {
     };
   };
 
+  # pgp
+  services.pcscd.enable = true;
+  programs.gnupg.agent = {
+     enable = true;
+     enableSSHSupport = true;
+     pinentryPackage = pkgs.pinentry-curses;
+  };
+
   # networking.networkmanager.insertNameservers = [ "9.9.9.9" "149.112.112.11" "2620:fe::fe" "2620:fe::9" ];
   # services.avahi.enable = false;
   # networking.resolvconf.enable = lib.mkForce false;

hosts/nb/modules/coding.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+let
+  unstable = import (fetchTarball https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz) {
+    config = { allowUnfree = true; };
+  };
+in {
+  environment.systemPackages = with pkgs; [
+    unstable.claude-code
+  ];
+}

hosts/nb/modules/development/default.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+ 
+with lib;
+
+let
+  unstable = import (fetchTarball https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz) {
+    config = { allowUnfree = true; };
+  };
+in {
+  imports = [
+    ./mcp.nix
+  ];
+}

hosts/nb/modules/development/mcp.nix

@@ -0,0 +1,11 @@
+
+{ config, pkgs, lib, ... }:
+let
+in {
+  nixpkgs.overlays = [
+    (import (builtins.fetchTarball "https://github.com/natsukium/mcp-servers-nix/archive/main.tar.gz")).overlays.default
+  ];
+  environment.systemPackages = with pkgs; [
+    mcp-server-fetch
+  ];
+}

hosts/nb/modules/sway/sway.nix

@@ -84,6 +84,9 @@ in {
     hypnotix
 
     unstable.code-cursor
+    unstable.windsurf
+    unstable.codex
+    # vscode-insiders
     # unstable.vscode-fhs
 
     quickemu
@@ -139,13 +142,14 @@ in {
     nextcloud-client
     nodejs_22
     onlyoffice-bin
+    obs-studio
     pavucontrol
     pcmanfm
     pinentry
     rbw
     rofi-rbw
     # unstable.rustdesk
-    unstable.rustdesk-flutter
+    rustdesk-flutter
     slurp
     sway
     swaybg

hosts/nb/modules/sway/vscode.nix

@@ -4,7 +4,7 @@
   };
   vscode-insiders = (unstable.vscode.override { isInsiders = true; }).overrideAttrs (oldAttrs: rec {
     src = (builtins.fetchTarball {
-      url = "https://update.code.visualstudio.com/1.98.0-insider/linux-x64/insider";
+      url = "https://update.code.visualstudio.com/1.98.2-insider/linux-x64/insider";
       sha256 = "sha256-tV0VxDLJJPD4jfNEgVh3wMXg899VJxCS5a3putdetkA=";
     });
     version = "1.98.0";

hosts/nb/users/configs/project_history

@@ -5,6 +5,8 @@
 /home/dominik/projects/cloonar/phishguard
 /home/dominik/projects/cloonar/phishguard-frontend
 /home/dominik/projects/cloonar/gitapi
+/home/dominik/projects/cloonar/cloonar-assistant
+/home/dominik/projects/cloonar/updns
 
 /home/dominik/projects/cloonar/flow/flow-docs
 /home/dominik/projects/cloonar/flow/flow-user-service
@@ -27,11 +29,14 @@
 /home/dominik/projects/cloonar/wohnservice-wien
 /home/dominik/projects/cloonar/wohnservice-gdpr
 /home/dominik/projects/cloonar/gbv-aktuell
+/home/dominik/projects/cloonar/cloonar-technologies-website
+
 /home/dominik/projects/cloonar/paraclub/paraclub-api
 /home/dominik/projects/cloonar/paraclub/paraclub-frontend
 /home/dominik/projects/cloonar/paraclub/paraclub-website
 /home/dominik/projects/cloonar/paraclub/paraclub-module
 /home/dominik/projects/cloonar/paraclub/paraclub-ai-mailer
+
 /home/dominik/projects/cloonar/amz/amz-api
 /home/dominik/projects/cloonar/amz/amz-frontend
 /home/dominik/projects/cloonar/hilgenberg-website
@@ -48,5 +53,6 @@
 /home/dominik/projects/epicenter.works/padexporter
 /home/dominik/projects/epicenter.works/ansible-pull
 /home/dominik/projects/cloonar/lena-schilling-website
+/home/dominik/projects/cloonar/dialog-relations-website
 /home/dominik/projects/cloonar/imperfect-perfect.com
 /home/dominik/projects/cloonar/yaapi

hosts/nb/users/dominik.nix

@@ -3,6 +3,10 @@ let
 
   # impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
 
+  unstable = import (fetchTarball https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz) {
+    config = { allowUnfree = true; };
+  };
+
   thunderbirdSettings = {
     "extensions.activeThemeID" = "thunderbird-compact-dark@mozilla.org";
     "browser.theme.content-theme" = 0;
@@ -176,12 +180,13 @@ in
 
     programs.vscode = {
       enable = true;
+      # package = (unstable.vscode.override { isInsiders = true; });
       package = (pkgs.vscode.override { isInsiders = true; }).overrideAttrs (oldAttrs: rec {
         src = builtins.fetchTarball {
-          url = "https://update.code.visualstudio.com/1.98.0-insider/linux-x64/insider";
+          url = "https://update.code.visualstudio.com/1.99.0-insider/linux-x64/insider";
-          sha256 = "1bbp8ix3brx6jq9zhzvq33fmlv3dl4s4m9p280hh2rr95rmd5xab";
+          sha256 = "0z3x9m9pndzka9gzm2phnks453d2mwbdid9yd7qw3bvv965h71j5";
         };
-        version = "1.98.0";
+        version = "1.99.0";
       });
     };
 
@@ -484,6 +489,23 @@ in
         realName = "Dominik Polakovics";        
         address = "dominik.polakovics@epicenter.works";
         userName = "dominik.polakovics@epicenter.works";
+        signature = {
+          showSignature = "append";
+          text = ''
+            <div style="font-family: 'Open Sans', Helvetica, Arial, sans-serif;">
+              <p style="margin-bottom: 0;"><img src="https://epicenter.works/sites/default/files/ew_logo_rgb-xs.png" /><br>
+              <b>epicenter.works – for digital rights</b><br>
+              Dominik Polakovics, Technical Advisor</p>
+
+              <table style="border: none;border-left: 5px solid #ccc;font-size: 80%;">
+              <tr>
+              <td style="padding-right:10px;">E-Mail:</td>
+              <td>dominik.polakovics@epicenter.works</td>
+              </tr>
+              </table>
+            </div>
+          '';
+        };
         imap = {
           host = "mail.epicenter.works";
           port = 993;
@@ -586,6 +608,8 @@ in
       git clone gitea@git.cloonar.com:Cloonar/phishguard-frontend.git ${persistHome}/projects/cloonar/phishguard-frontend 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/gitapi.git ${persistHome}/projects/cloonar/gitapi 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/ai.nvim.git ${persistHome}/cloonar/ai.nvim 2>/dev/null
+      git clone gitea@git.cloonar.com:Cloonar/cloonar-assistant.git ${persistHome}/projects/cloonar/cloonar-assistant 2>/dev/null
+      git clone gitea@git.cloonar.com:Cloonar/updns.git ${persistHome}/projects/cloonar/updns 2>/dev/null
 
       git clone gitea@git.cloonar.com:Cloonar/flow-docs.git ${persistHome}/projects/cloonar/flow/flow-docs 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/flow-user-service.git ${persistHome}/projects/cloonar/flow/flow-user-service 2>/dev/null
@@ -605,6 +629,8 @@ in
       git clone gitea@git.cloonar.com:Cloonar/wohnservice-gdpr.git ${persistHome}/projects/cloonar/wohnservice-gdpr 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/gbv-aktuell.git ${persistHome}/projects/cloonar/gbv-aktuell 2>/dev/null
 
+      git clone gitea@git.cloonar.com:Cloonar/cloonar-technologies-website.git ${persistHome}/projects/cloonar/cloonar-technologies-website 2>/dev/null
+
       git clone gitea@git.cloonar.com:Paraclub/api.git ${persistHome}/projects/cloonar/paraclub/paraclub-api 2>/dev/null
       git clone gitea@git.cloonar.com:Paraclub/frontend.git ${persistHome}/projects/cloonar/paraclub/paraclub-frontend 2>/dev/null
       git clone gitea@git.cloonar.com:Paraclub/website.git ${persistHome}/projects/cloonar/paraclub/paraclub-website 2>/dev/null
@@ -616,6 +642,7 @@ in
       git clone gitea@git.cloonar.com:hilgenberg/website.git ${persistHome}/projects/cloonar/hilgenberg-website 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/korean-skin.care.git ${persistHome}/projects/cloonar/korean-skin.care 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/lena-schilling-website.git ${persistHome}/projects/cloonar/lena-schilling-website 2>/dev/null
+      git clone gitea@git.cloonar.com:Cloonar/dialog-relations-website.git ${persistHome}/projects/cloonar/dialog-relations-website 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/imperfect-perfect.com.git ${persistHome}/projects/cloonar/imperfect-perfect.com 2>/dev/null
 
       git clone gitea@git.cloonar.com:Cloonar/lego-hetzner-bridge.git ${persistHome}/projects/home-automation/lego-hetzner-bridge 2>/dev/null

hosts/web-arm/configuration.nix

@@ -34,6 +34,7 @@
     ./sites/gbv-aktuell.at.nix
     ./sites/matomo.cloonar.com.nix
     ./sites/support.cloonar.dev.nix
+    ./sites/stage.cloonar-technologies.at.nix
 
     ./sites/cloonar.dev.nix
     ./sites/paraclub.cloonar.dev.nix
@@ -41,10 +42,11 @@
     ./sites/tandem.paraclub.cloonar.dev.nix
     ./sites/module.paraclub.cloonar.dev.nix
     ./sites/gbv-aktuell.cloonar.dev.nix
-    ./sites/lena-schilling.cloonar.dev.nix
     ./sites/stage.myhidden.life.nix
     ./sites/stage.korean-skin.care.nix
     ./sites/feeds.jordanrannells.com.nix
+    ./sites/dialog-relations.cloonar.dev.nix
+    ./sites/lena-schilling.cloonar.dev.nix
     ./sites/lena-schilling.at.nix
   ];
 

hosts/web-arm/modules/authelia/default.nix

@@ -1,6 +1,10 @@
-{ config, ... }:
+{ config, pkgs, ... }:
-
+let
-{
+  unstable = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz") {
+    config = config.nixpkgs.config;
+    system = pkgs.system;
+  };
+in {
   sops.secrets.authelia-jwt-secret = {
     owner = "authelia-main";
   };
@@ -24,6 +28,7 @@
   };
 
   services.authelia.instances.main = {
+    package = unstable.authelia;
     enable = true;
     secrets = {
       jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;

hosts/web-arm/modules/web/typo3.nix

@@ -134,8 +134,8 @@ in
       nameValuePair ("typo3-cron-" + domain) {
         script = ''
           set -eu
-          ${instanceOpts.phpPackage}/bin/php /var/www/${domain}/.Build/bin/typo3 scheduler:run
+          ${instanceOpts.phpPackage}/bin/php /var/www/${domain}/current/bin/typo3 scheduler:run
-          ${instanceOpts.phpPackage}/bin/php /var/www/${domain}/.Build/bin/typo3 ke_search:indexing
+          ${instanceOpts.phpPackage}/bin/php /var/www/${domain}/current/bin/typo3 ke_search:indexing
         '';
         serviceConfig = {
           Type = "oneshot";

hosts/web-arm/sites/api.paraclub.cloonar.dev.nix

@@ -31,5 +31,11 @@
     '';
     phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
       enabled ++ [ all.imagick ]);
+    phpOptions = ''
+      opcache.enable=1
+      opcache.memory_consumption=128
+      opcache.validate_timestamps=0
+      opcache.revalidate_path=0
+    '';
   };
 }

hosts/web-arm/sites/cloonar.dev.nix

@@ -3,16 +3,11 @@ let
   domain = "cloonar.dev";
   dataDir = "/var/www/${domain}";
 in {
-  services.nginx.virtualHosts."${domain}" = {
-    forceSSL = true;
-    enableACME = true;
-    acmeRoot = null;
-    root = "${dataDir}";
 
-    locations."/favicon.ico".extraConfig = ''
+  services.webstack.instances."${domain}" = {
-      log_not_found off;
+    authorizedKeys = [
-      access_log off;
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6frP875aOnuFALjgP3ZCySCcYSGqtIzIK80S/L/D/w"
-    '';
+    ];
 
     locations."/".extraConfig = ''
       index index.html;
@@ -35,26 +30,22 @@ in {
       }
     '';
 
+    locations."^~ /vcards/".extraConfig = ''
+        location ~ /\.env {
+            deny all;
+            return 404;
+        }
+
+        # Determine if the requested file exists
+        try_files $uri $uri/ /vcards/index.php$is_args$args;
+    '';
+
     locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
       expires 365d;
       add_header Pragma "public";
       add_header Cache-Control "public";
     '';
 
-    locations."~ [^/]\.php(/|$)".extraConfig = ''
+    phpPackage = pkgs.php;
-      deny all;
-    '';
   };
-  users.users."${domain}" = {
-    isNormalUser = true;
-    createHome = true;
-    home = dataDir;
-    homeMode= "770";
-    #home = "/home/${domain}";
-    group  = "nginx";
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1CQqL1hQV3Lb6hqzDt2mgr0IasBRlIrdUCM+QibgKcU1VUWEJTo1nkcwgunnpUROtCQPRtlBZWwdqphKNrpMf3PkCPnjkcQC/2dGcFUXbkGq+5NaMnXpQnt7XAPyqxAT/9nCnXM9y3IBWjL9jN3C4l+yZHuMChi1a3q/6cNNH7WORkC1hq7MMyIvRCh6HDPwq1XCEj0w7O6m0iBmXIwiXyh3ly6ruWmkNQToPc1s2QuIE/w0yXoOF7Ubxtdf/GH2Yu0f+ztJrOveuiLlsNWx596lQwDlYa58ib0nPPtnFVf8od59F/UC8lOFtMsSY/d5ArOnqKjk6iWNaOh15WLr7wj9lrHJkiD+9fgXLyaaxVLt4NYGwyi7SZn7P1lHz6kjFr9UmRvfth6nGGoCvvfQZB8MAE0FhcTHb9fXC1m/NengWf40VQ8woZLZ4mRPWZBxrSnymgFiIvSYSqxnP3QNID4quaQ8sPyXYygbtt38qXAg/Ixyud0vgZN4H/rbW+DE="
-    ];
-  };
-  users.groups.${domain} = {};
 }

hosts/web-arm/sites/dialog-relations.cloonar.dev.nix

@@ -0,0 +1,10 @@
+{ pkgs, lib, config, ... }:
+{
+  services.typo3.instances."dialog-relations.cloonar.dev" = {
+    acmeRoot = "/var/lib/acme/acme-challenge";
+    authorizedKeys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1jkPi2LbnzP5hM4Mpt6rh+Vq5pTe63+zS3QvVyA4Ma"
+    ];
+    phpPackage = pkgs.php83;
+  };
+}

hosts/web-arm/sites/dialog-relations.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1jkPi2LbnzP5hM4Mpt6rh+Vq5pTe63+zS3QvVyA4Ma dominik@nb-01

hosts/web-arm/sites/paraclub.at.nix

@@ -16,6 +16,7 @@ in {
 
     locations."/".extraConfig = ''
       index index.html;
+      error_page 404 /404.html;
     '';
 
     locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''

hosts/web-arm/sites/paraclub.cloonar.dev.nix

@@ -16,6 +16,7 @@ in {
 
     locations."/".extraConfig = ''
       index index.html;
+      error_page 404 /de/404.html;
     '';
 
     locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''

hosts/web-arm/sites/stage.cloonar-technologies.at.nix

@@ -0,0 +1,43 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "stage.cloonar-technologies.at";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."${domain}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/zRVX9TyYcimkC8lxGjfJAoaL2zHDBH3QnRfUvgYHc"
+    ];
+  };
+  users.groups.${domain} = {};
+}

utils/modules/autoupgrade.nix

@@ -3,5 +3,5 @@
 {
   system.autoUpgrade.enable = true;
   system.autoUpgrade.allowReboot = false;
-  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-24.05";
+  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-24.11";
 }

utils/overlays/packages.nix

@@ -3,6 +3,7 @@ self: super: {
   ykfde = (super.callPackage ../pkgs/ykfde { });
   creality-print = (super.callPackage ../pkgs/creality-print.nix { });
   openaudible = (super.callPackage ../pkgs/openaudible.nix { });
+  openmanus = (super.callPackage ../pkgs/openmanus.nix { });
   ai-mailer = self.callPackage ../pkgs/ai-mailer.nix { };
 
   # vscode-insiders = (super.callPackage ../pkgs/vscode-insiders.nix { });

utils/pkgs/ai-mailer.nix

@@ -6,16 +6,23 @@ buildGoModule rec {
 
   src = fetchgit {
     url = "https://git.cloonar.com/Paraclub/ai-mailer.git";
-    rev = "be9f2fea8fb37182ca983061c40e30eecb48286b";
+    rev = "8903aa072a482e1e52170c840bf87d8da5d9d9e0";
-    sha256 = "sha256-Df1ioHnlhALaliPW2/x1PhR7od/I/RqU8o8YpoI5jiY=";
+    sha256 = "sha256-+YPB3tcy2+ZiiwYfg6QzPcrg1gf9ivlLaZRzviwWe90=";
   };
 
   vendorHash = "sha256-h4RaB891GXAkgObZHYil6BOvbYp6yJSRxRj40Fhchmw=";
   
+  subPackages = [ "cmd/paraclub-ai-mailer" ];
+
   preBuild = ''
     sed -i 's/go 1.23.5/go 1.22/' go.mod
   '';
 
+  postInstall = ''
+    mv $out/bin/paraclub-ai-mailer $out/bin/ai-mailer
+    ln -s $out/bin/ai-mailer $out/bin/paraclub-ai-mailer
+  '';
+
   meta = with lib; {
     description = "AI Mail Assistant Service";
     homepage = "https://git.cloonar.com/Paraclub/ai-mailer";

utils/pkgs/openmanus.nix

@@ -0,0 +1,43 @@
+{ lib
+, fetchFromGitHub
+, python312
+, python312Packages
+}:
+
+python312Packages.buildPythonApplication rec {
+  pname = "openmanus";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "mannaandpoem";
+    repo = "OpenManus";
+    rev = "74f438bde38a47da884ba5de2d20960aa9a57990";
+    sha256 = "sha256-zO2UgMxMvE7yk7ILsYnxjBuXrhqlLK42rZNYrxljcg4="; # Replace with actual hash after first build attempt
+  };
+
+  propagatedBuildInputs = with python312Packages; [
+    openai
+    python-dotenv
+    requests
+    tomli
+    pydantic
+    pydantic-settings
+    numpy
+    tqdm
+    pillow
+    fastapi
+    uvicorn
+    gradio
+    colorlog
+  ];
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "OpenManus - An open-source framework for building general AI agents";
+    homepage = "https://github.com/mannaandpoem/OpenManus";
+    license = licenses.mit;
+    maintainers = with maintainers; [ ];
+    mainProgram = "openmanus";
+  };
+}

utils/pkgs/vscode-insiders.nix

@@ -9,10 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "vscode-insiders";
-  version = "1.87.0-1708777035";
+  # version = "1.98.2-1708777035";
+  version = "1.98.2";
 
   src = fetchurl {
-    url = "https://az764295.vo.msecnd.net/insider/9319989589821514c6d3dea07e90292d59431d35/code-insider-${version}-linux-x64.tar.gz";
+    # url = "https://az764295.vo.msecnd.net/insider/9319989589821514c6d3dea07e90292d59431d35/code-insider-${version}-linux-x64.tar.gz";
+    # url = "https://az764295.vo.msecnd.net/insider/2bdf282f0aa8f3022a0540949724ccf8a909ec45/code-insider-${version}-linux-x64.tar.gz";
+    url = "https://update.code.visualstudio.com/${version}/linux-x64/stable";
     hash = "sha256-Mm34T2/laoqxN8MR+H0rHxxA0WAKgc5d/ZvGGC+ETok=";
   };