changes

2024-10-16 20:24:40 +02:00
parent b7bfb0f62a
commit c681eb3139
110 changed files with 2924 additions and 720 deletions
--- a/hosts/fw.cloonar.com/configuration.nix
+++ b/hosts/fw.cloonar.com/configuration.nix
@@ -49,6 +49,9 @@
    ./modules/palworld.nix
    # ./modules/ark-survival-evolved.nix

+    # setup network
+    ./modules/setupnetwork.nix
+

    ./hardware-configuration.nix
  ];
@@ -84,37 +87,42 @@
    inotify-tools
  ];

-  nix.gc = {
-    automatic = true;
-    options = "--delete-older-than 60d";
+  nix = {
+    settings.auto-optimise-store = true;
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 60d";
+    };
+    # Free up to 1GiB whenever there is less than 100MiB left.
+    extraOptions = ''
+      min-free = ${toString (100 * 1024 * 1024)}
+      max-free = ${toString (1024 * 1024 * 1024)}
+    '';
  };

-  services.auto-cpufreq.enable = true;
-  services.auto-cpufreq.settings = {
-    charger = {
-       governor = "powersave";
-       turbo = "auto";
+  services.tlp = {
+    enable = true;
+    settings = {
+      CPU_SCALING_GOVERNOR_ON_AC = "powersave"; # powersave or performance
+      CPU_ENERGY_PERF_POLICY_ON_AC = "power"; # power or performance
+      # CPU_MIN_PERF_ON_AC = 0;
+      # CPU_MAX_PERF_ON_AC = 100; # max 100
    };
  };

-  boot = {
-    kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
-
-    # kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd
-    kernelParams = [
-      "rootwait"
-
-      "earlycon" # enable early console, so we can see the boot messages via serial port / HDMI
-      "consoleblank=0" # disable console blanking(screen saver)
-      "console=ttyS2,1500000" # serial port
-      "console=tty1" # HDMI
-
-      # docker optimizations
-      "cgroup_enable=cpuset"
-      "cgroup_memory=1"
-      "cgroup_enable=memory"
-      "swapaccount=1"
-    ];
+  systemd.services = {
+    powertop = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "multi-user.target" ];
+      description = "Powertop tunings";
+      path = [ pkgs.kmod ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = "yes";
+        ExecStart = "${pkgs.powertop}/bin/powertop --auto-tune && for dev in /sys/class/net/*; do echo on > \"$dev/device/power/control\"; done'";
+      };
+    };
  };

  boot.tmp.cleanOnBoot = true;
--- a/hosts/fw.cloonar.com/hardware-configuration.nix
+++ b/hosts/fw.cloonar.com/hardware-configuration.nix
@@ -1,6 +1,9 @@
 { lib, config, modulesPath, ... }:
 {
-	boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 5;
+  };

  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
  boot.initrd.kernelModules = [ "nvme" "kvm-intel" ];
--- a/hosts/fw.cloonar.com/modules/ddclient.nix
+++ b/hosts/fw.cloonar.com/modules/ddclient.nix
@@ -13,6 +13,7 @@
      "vpn.cloonar.com"
      "git.cloonar.com"
      "palworld.cloonar.com"
+      "matrix.cloonar.com"
    ];
  };

--- a/hosts/fw.cloonar.com/modules/dhcp4.nix
+++ b/hosts/fw.cloonar.com/modules/dhcp4.nix
@@ -92,6 +92,11 @@
              ip-address = "10.42.97.5";
              server-hostname = "web-02.cloonar.com";
            }
+            {
+              hw-address = "02:00:00:00:00:04";
+              ip-address = "10.42.97.6";
+              server-hostname = "matrix.cloonar.com";
+            }
            {
              hw-address = "ea:db:d4:c1:18:ba";
              ip-address = "10.42.97.50";
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -33,7 +33,7 @@
              iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic"
              iifname "lan" tcp dport 5931 counter accept comment "Spice"
              iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
-              iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS"
+              iifname { "multimedia", "smart", "infrastructure", "podman0", "setup" } udp dport { 53, 5353 } counter accept comment "DNS"
              iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"

              # Accept mDNS for avahi reflection
@@ -92,10 +92,9 @@
              oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept 

              # lan and vpn to any
-              # TODO: disable wan when finished
-              iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter log prefix "basic forward allow rule" accept
+              iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept
              iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
-              iifname { "infrastructure" } oifname { "server", "vserver" } counter accept
+              iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept
              iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld"

              # accept palword server
@@ -121,6 +120,7 @@
                "wg_cloonar",
                "podman*",
                "guest",
+                "setup",
                "vb-*",
                "vm-*",
              } oifname {
--- a/hosts/fw.cloonar.com/modules/home-assistant/default.nix
+++ b/hosts/fw.cloonar.com/modules/home-assistant/default.nix
@@ -1,6 +1,11 @@
 { config, pkgs, ... }:
 let
  domain = "home-assistant.cloonar.com";
+  pkgs-with-home-assistant = import (builtins.fetchGit {
+    name = "new-home-assistant";
+    url = "https://github.com/nixos/nixpkgs/";
+    rev = "268bb5090a3c6ac5e1615b38542a868b52ef8088";
+  }) {};
 in
 {
  users.users.hass = {
@@ -35,21 +40,21 @@ in
    extraFlags = [
      "--capability=CAP_NET_ADMIN"
    ];
-    allowedDevices = [
-      {
-        modifier = "rwm";
-        node = "char-usb_device";
-      }
-      {
-        modifier = "rwm";
-        node = "char-ttyUSB";
-      }
-    ];
+    # allowedDevices = [
+    #   {
+    #     modifier = "rwm";
+    #     node = "char-usb_device";
+    #   }
+    #   {
+    #     modifier = "rwm";
+    #     node = "char-ttyUSB";
+    #   }
+    # ];
    bindMounts = {
-      "/dev/ttyUSB0" = {
-        hostPath = "/dev/ttyUSB0";
-        isReadOnly = false;
-      };
+      # "/dev/ttyUSB0" = {
+      #   hostPath = "/dev/ttyUSB0";
+      #   isReadOnly = false;
+      # };
      "/etc/localtime" = {
        hostPath = "/etc/localtime";
      };
@@ -104,6 +109,7 @@ in

      environment.systemPackages = [
        pkgs.wol
+        pkgs.mariadb
      ];

      services.nginx.enable = true;
@@ -127,6 +133,7 @@ in
      };

      services.home-assistant = {
+        package = pkgs-with-home-assistant.home-assistant;
        enable = true;
      };

@@ -140,6 +147,30 @@ in
        "tplink_omada"
      ];

+      services.home-assistant.extraPackages = ps: with ps; [
+        mysqlclient
+      ];
+
+      services.mysql = {
+        enable = true;
+        package = pkgs.mariadb;
+        ensureDatabases = [ "hass" ];
+        ensureUsers = [
+          {
+            name = "hass";
+            ensurePermissions = {
+              "hass.*" = "ALL PRIVILEGES";
+            };
+          }
+        ];
+
+      };
+
+      services.mysqlBackup = {
+        enable = true;
+        databases = [ "hass" ];
+      };
+
      services.home-assistant.config =
        let
          hiddenEntities = [
@@ -148,6 +179,9 @@ in
          ];
        in
        {
+          recorder = {
+            db_url = "mysql://hass@localhost/hass?unix_socket=/var/run/mysqld/mysqld.sock";
+          };
          homeassistant = {
            name = "Home";
            latitude = "!secret home_latitude";
--- a/hosts/fw.cloonar.com/modules/home-assistant/light.nix
+++ b/hosts/fw.cloonar.com/modules/home-assistant/light.nix
@@ -370,6 +370,7 @@
      {
        platform = "group";
        name = "Livingroom Lights";
+        all = true;
        entities = [
          "light.livingroom_switch"
          "light.living_bulb_1"
@@ -380,6 +381,37 @@
          "light.living_bulb_6"
        ];
      }
+      {
+        platform = "switch";
+        name = "Kitchen Switch";
+        entity_id = "switch.kitchen_switch";
+      }
+      {
+        platform = "group";
+        name = "Kitchen Lights";
+        all = true;
+        entities = [
+          "light.kitchen_switch"
+          "light.kitchen"
+        ];
+      }
+      {
+        platform = "switch";
+        name = "Bedroom Switch";
+        entity_id = "switch.bedroom_switch";
+      }
+      {
+        platform = "group";
+        name = "Bedroom Lights";
+        all = true;
+        entities = [
+          "light.bedroom_switch"
+          "light.bedroom_bulb_1"
+          "light.bedroom_bulb_2"
+          "light.bedroom_bulb_3"
+          "light.bedroom_bulb_4"
+        ];
+      }
    ];
  };
 }
--- a/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix
+++ b/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix
@@ -48,7 +48,7 @@
            friendly_name = "Any multimedia device on";
            device_class = "connectivity";
            value_template = ''
-              {% if is_state('binary_sensor.ps5', 'on') or is_state('binary_sensor.xbox', 'on') or (states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'off' and states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'unavailable') or (is_state('binary_sensor.steamdeck', 'on') and (states('sensor.steamdeck_power') | float > 5)) %}
+              {% if is_state('binary_sensor.ps5', 'on') or is_state('binary_sensor.xbox', 'on') or (states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'off' and states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'unavailable') or (is_state('binary_sensor.steamdeck', 'on') and (states('sensor.steamdeck_power') | float(default=0) > 5)) %}
                 on
              {% else %}
                 off
--- a/hosts/fw.cloonar.com/modules/home-assistant/shelly.nix
+++ b/hosts/fw.cloonar.com/modules/home-assistant/shelly.nix
@@ -7,17 +7,22 @@ let
    { name = "Living Bulb 4"; id = "485519D94A28"; }
    { name = "Living Bulb 5"; id = "485519DA6B6A"; }
    { name = "Living Bulb 6"; id = "485519D9E018"; }
+    { name = "Bedroom Bulb 1"; id = "08F9E06F4EB4"; }
+    { name = "Bedroom Bulb 2"; id = "485519EE0ED9"; }
+    { name = "Bedroom Bulb 3"; id = "08F9E06FE779"; }
+    { name = "Bedroom Bulb 4"; id = "485519EE00A0"; }
  ];

  switches = [
-    { name = "Kitchen Switch"; id = "483FDA8274C2"; relay = "0"; }
-    { name = "Livingroom Switch"; id = "483FDA8274C2"; relay = "1"; }
  ];

  proswitches = [
-    { name = "Hallway Circuit"; id = "c8f09e894448"; relay = "0"; }
-    { name = "Bathroom Circuit"; id = "c8f09e894448"; relay = "1"; }
-    { name = "Kitchen Circuit"; id = "c8f09e894448"; relay = "2"; }
+    { name = "Livingroom Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "0"; }
+    { name = "Kitchen Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "1"; }
+    { name = "Bedroom Switch"; id = "shelly1pmminig3-34b7da933fe0"; relay = "0"; }
+    { name = "Hallway Circuit"; id = "shellypro3-c8f09e894448"; relay = "0"; }
+    { name = "Bathroom Circuit"; id = "shellypro3-c8f09e894448"; relay = "1"; }
+    { name = "Kitchen Circuit"; id = "shellypro3-c8f09e894448"; relay = "2"; }
  ];
 in {
  services.home-assistant.extraComponents = [
@@ -45,14 +50,14 @@ in {
          in {
            name = switch.name;
            unique_id = unique_id;
-            state_topic = "shellies/shellypro3-${switch.id}/status/switch:${switch.relay}";
+            state_topic = "shellies/${switch.id}/status/switch:${switch.relay}";
            value_template = "{{ value_json.output }}";
            state_on = true;
            state_off = false;
-            command_topic = "shellies/shellypro3-c8f09e894448/rpc";
+            command_topic = "shellies/${switch.id}/rpc";
            payload_on = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":true}}";
            payload_off = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":false}}";
-            availability_topic = "shellies/shellypro3-${switch.id}/online";
+            availability_topic = "shellies/${switch.id}/online";
            payload_available = "true";
            payload_not_available = "false";
          }
--- a/hosts/fw.cloonar.com/modules/home-assistant/sleep.nix
+++ b/hosts/fw.cloonar.com/modules/home-assistant/sleep.nix
@@ -14,6 +14,14 @@
        {
          delay = 1700;
        }
+        {
+          service = "switch.turn_on";
+          entity_id = "switch.hallway_circuit";
+        }
+        {
+          service = "switch.turn_on";
+          entity_id = "switch.bathroom_circuit";
+        }
        {
          service = "switch.turn_on";
          entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe"; # livingroom
@@ -64,6 +72,14 @@
                  service = "switch.turn_off";
                  entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe";
                }
+                {
+                  service = "switch.turn_off";
+                  entity_id = "switch.hallway_circuit";
+                }
+                {
+                  service = "switch.turn_off";
+                  entity_id = "switch.bathroom_circuit";
+                }
              ];
            }
          ];
--- a/hosts/fw.cloonar.com/modules/setupnetwork.nix
+++ b/hosts/fw.cloonar.com/modules/setupnetwork.nix
@@ -0,0 +1,58 @@
+{ ... }: {
+  networking = {
+    vlans = {
+      setup = {
+        id = 110;
+        interface = "enp5s0";
+      };
+    };
+
+    interfaces = {
+      setup = {
+        ipv4.addresses = [{
+          address = "10.42.110.1";
+          prefixLength = 24;
+        }];
+      };
+    };
+  };
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [
+          "setup"
+        ];
+      };
+      subnet4 = [
+        {
+          pools = [
+            {
+              pool = "10.42.110.100 - 10.42.110.240";
+            }
+          ];
+          subnet = "10.42.110.0/24";
+          interface = "setup";
+          option-data = [
+            {
+              name = "routers";
+              data = "10.42.110.1";
+            }
+            {
+              name = "domain-name";
+              data = "cloonar.com";
+            }
+            {
+              name = "domain-search";
+              data = "cloonar.com";
+            }
+            {
+              name = "domain-name-servers";
+              data = "10.42.97.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+}
--- a/hosts/fw.cloonar.com/modules/unbound.nix
+++ b/hosts/fw.cloonar.com/modules/unbound.nix
@@ -23,9 +23,9 @@ let
  cfg = {
    remote-control.control-enable = true;
    server = {
-      include = [
-        "\"${adblockLocalZones}\""
-      ];
+      # include = [
+      #   "\"${adblockLocalZones}\""
+      # ];
      interface = [ "0.0.0.0" "::0" ];
      interface-automatic = "yes";
      access-control = [
@@ -56,6 +56,7 @@ let
        "\"snapcast.cloonar.com IN A 10.42.97.21\""
        "\"home-assistant.cloonar.com IN A 10.42.97.20\""
        "\"web-02.cloonar.com IN A 10.42.97.5\""
+        "\"matrix.cloonar.com IN A 10.42.97.5\""
        "\"support.cloonar.com IN A 10.42.97.5\""
        "\"git.cloonar.com IN A 10.42.97.50\""
        "\"sync.cloonar.com IN A 10.42.97.51\""
@@ -73,6 +74,7 @@ let
        "\"mieterhilfe.at IN A 10.254.240.109\""
        "\"wohnpartner-wien.at IN A 10.254.240.109\""
        "\"new.wohnberatung-wien.at IN A 10.254.240.109\""
+        "\"new.wohnpartner-wien.at IN A 10.254.240.109\""
        "\"wohnberatung-wien.at IN A 10.254.240.109\""
        "\"wienbautvor.at IN A 10.254.240.109\""
        "\"wienwohntbesser.at IN A 10.254.240.109\""
@@ -94,6 +96,7 @@ let
        "\"b.stage.mieterhilfe.at IN A 10.254.240.110\""
        "\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\""
        "\"b.stage.new.wohnberatung-wien.at IN A 10.254.240.110\""
+        "\"b.stage.new.wohnpartner-wien.at IN A 10.254.240.110\""
        "\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\""
        "\"b.stage.wienbautvor.at IN A 10.254.240.110\""
        "\"b.stage.wienwohntbesser.at IN A 10.254.240.110\""
--- a/hosts/fw.cloonar.com/modules/web/default.nix
+++ b/hosts/fw.cloonar.com/modules/web/default.nix
@@ -1,10 +1,18 @@
-{ lib, nixpkgs, pkgs, ... }: let
+{ lib, pkgs, config, ... }: let
  hostname = "web-02";
  json = pkgs.formats.json { };
  impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
 in {
  microvm.vms = {
    web = {
+      pkgs = import pkgs.path {
+        config = {
+          permittedInsecurePackages = [
+            # needed for matrix
+            "olm-3.2.16"
+          ];
+        };
+      };
      config = {
        microvm = {
          mem = 4096;
@@ -47,6 +55,7 @@ in {

          # ./zammad.nix
          ./proxies.nix
+          ./matrix.nix
        ];

        time.timeZone = "Europe/Vienna";
@@ -93,6 +102,14 @@ in {
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
        ];

+        services.nginx = {
+          enable = true;
+          recommendedTlsSettings = true;
+          recommendedOptimisation = true;
+          recommendedGzipSettings = true;
+          recommendedProxySettings = true;
+        };
+
        # backups
        # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";

--- a/hosts/fw.cloonar.com/modules/web/matrix.nix
+++ b/hosts/fw.cloonar.com/modules/web/matrix.nix
@@ -0,0 +1,484 @@
+{ pkgs, lib, config, ... }:
+let
+  hostname = "matrix";
+  fqdn = "${hostname}.cloonar.com";
+  baseUrl = "https://matrix.cloonar.com";
+  clientConfig."m.homeserver".base_url = baseUrl;
+  serverConfig."m.server" = "${fqdn}:443";
+  mkWellKnown = data: ''
+    default_type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+in {
+  sops.secrets.matrix-shared-secret = {
+  };
+  sops.secrets.dendrite-private-key = {
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "dendrite" ];
+    ensureUsers = [
+      {
+        name = "dendrite";
+      }
+    ];
+  };
+  services.postgresqlBackup.enable = true;
+  services.postgresqlBackup.databases = [ "dendrite" ];
+
+  services.nginx.virtualHosts."${fqdn}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    locations."/".extraConfig = ''
+      return 404;
+    '';
+    locations."/_dendrite".proxyPass = "http://[::1]:8008";
+    locations."/_matrix".proxyPass = "http://[::1]:8008";
+    locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+  };
+
+
+  services.dendrite = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "cloonar.com";
+        private_key = "$CREDENTIALS_DIRECTORY/private_key";
+        database.connection_string = "postgresql:///dendrite?host=/run/postgresql";
+      };
+      client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
+      app_service_api.config_files = [
+        "$CREDENTIALS_DIRECTORY/whatsapp_registration"
+        "$CREDENTIALS_DIRECTORY/signal_registration"
+        "$CREDENTIALS_DIRECTORY/discord_registration"
+      ];
+      app_service_api.database.connection_string = "";
+      federation_api.database.connection_string = "";
+      key_server.database.connection_string = "";
+      relay_api.database.connection_string = "";
+      media_api.database.connection_string = "";
+      room_server.database.connection_string = "";
+      sync_api.database.connection_string = "";
+      user_api.account_database.connection_string = "";
+      user_api.device_database.connection_string = "";
+      mscs.database.connection_string = "";
+    };
+    loadCredential = [ 
+      "private_key:${config.sops.secrets.dendrite-private-key.path}"
+      "whatsapp_registration:/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
+      "signal_registration:/var/lib/mautrix-signal/signal-registration.yaml"
+      "discord_registration:/var/lib/mautrix-discord/discord-registration.yaml"
+    ];
+    environmentFile = config.sops.secrets.matrix-shared-secret.path;
+  };
+
+  users.users.mautrix-whatsapp = {
+    isSystemUser = true;
+    group = "mautrix-whatsapp";
+    home = "/var/lib/mautrix-whatsapp";
+    description = "Mautrix-WhatsApp bridge user";
+  };
+
+  users.groups.mautrix-whatsapp = {};
+  systemd.services.mautrix-whatsapp = let
+    dataDir = "/var/lib/mautrix-whatsapp";
+    registrationFile = "${dataDir}/whatsapp-registration.yaml";
+    settingsFile = "${dataDir}/config.json";
+    settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" defaultConfig;
+    settingsFormat = pkgs.formats.json {};
+    appservicePort = 29318;
+    defaultConfig = {
+      homeserver = {
+        address = "http://[::1]:8008";
+        domain = "cloonar.com";
+      };
+      appservice = {
+        hostname = "[::]";
+        port = appservicePort;
+        database.type = "sqlite3";
+        database.uri = "${dataDir}/mautrix-whatsapp.db";
+        id = "whatsapp";
+        bot.username = "whatsappbot";
+        bot.displayname = "WhatsApp Bridge Bot";
+        as_token = "";
+        hs_token = "";
+      };
+      bridge = {
+        username_template = "whatsapp_{{.}}";
+        displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}} (WA)";
+        double_puppet_server_map = {};
+        login_shared_secret_map = {};
+        command_prefix = "!wa";
+        permissions."*" = "relay";
+        permissions."cloonar.com" = "user";
+        relay.enabled = true;
+        history_sync.request_full_sync = false;
+        encryption = {
+          allow = true;
+          default = true;
+          require = true;
+        };
+      };
+      logging = {
+        min_level = "info";
+        writers = lib.singleton {
+          type = "stdout";
+          format = "pretty-colored";
+          time_format = " ";
+        };
+      };
+    };
+  in {
+    description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix";
+
+    wantedBy = ["multi-user.target"];
+    wants = ["network-online.target"];
+    after = ["network-online.target"];
+
+    preStart = ''
+      test -f '${settingsFile}' && rm -f '${settingsFile}'
+      old_umask=$(umask)
+      umask 0177
+      ${pkgs.envsubst}/bin/envsubst \
+        -o '${settingsFile}' \
+        -i '${settingsFileUnsubstituted}'
+      umask $old_umask
+
+      # generate the appservice's registration file if absent
+      if [ ! -f '${registrationFile}' ]; then
+        ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
+          --generate-registration \
+          --config='${settingsFile}' \
+          --registration='${registrationFile}'
+      fi
+      chmod 640 ${registrationFile}
+
+      umask 0177
+      ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
+        | .[0].appservice.hs_token = .[1].hs_token
+        | .[0]' '${settingsFile}' '${registrationFile}' \
+        > '${settingsFile}.tmp'
+      mv '${settingsFile}.tmp' '${settingsFile}'
+      umask $old_umask
+    '';
+
+    serviceConfig = {
+      User = "mautrix-whatsapp";
+      Group = "mautrix-whatsapp";
+      # EnvironmentFile = cfg.environmentFile;
+      StateDirectory = baseNameOf dataDir;
+      WorkingDirectory = dataDir;
+      ExecStart = ''
+        ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
+        --config='${settingsFile}' \
+        --registration='${registrationFile}' \
+        --ignore-unsupported-server
+      '';
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectSystem = "strict";
+      Restart = "on-failure";
+      RestartSec = "30s";
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallErrorNumber = "EPERM";
+      SystemCallFilter = ["@system-service"];
+      Type = "simple";
+      UMask = 0027;
+    };
+    restartTriggers = [settingsFileUnsubstituted];
+  };
+
+  users.users.mautrix-signal = {
+    isSystemUser = true;
+    group = "mautrix-signal";
+    home = "/var/lib/mautrix-signal";
+    description = "Mautrix-Signal bridge user";
+  };
+
+  users.groups.mautrix-signal = {};
+  systemd.services.mautrix-signal = let
+    pkgswithsignal = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/fd698a4ab779fb7fb95425f1b56974ba9c2fa16c.tar.gz") {
+      config = {
+        permittedInsecurePackages = [
+          # needed for matrix
+          "olm-3.2.16"
+        ];
+      };
+    };
+    dataDir = "/var/lib/mautrix-signal";
+    registrationFile = "${dataDir}/signal-registration.yaml";
+    settingsFile = "${dataDir}/config.json";
+    settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" defaultConfig;
+    settingsFormat = pkgs.formats.json {};
+    appservicePort = 29328;
+    defaultConfig = {
+      homeserver = {
+        address = "http://[::1]:8008";
+        domain = "cloonar.com";
+      };
+      appservice = {
+        hostname = "[::]";
+        port = appservicePort;
+        database.type = "sqlite3";
+        database.uri = "file:${dataDir}/mautrix-signal.db?_txlock=immediate";
+        id = "signal";
+        bot = {
+          username = "signalbot";
+          displayname = "Signal Bridge Bot";
+        };
+        as_token = "";
+        hs_token = "";
+      };
+      bridge = {
+        username_template = "signal_{{.}}";
+        displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
+        double_puppet_server_map = { };
+        login_shared_secret_map = { };
+        command_prefix = "!signal";
+        permissions."*" = "relay";
+        permissions."cloonar.com" = "user";
+        relay.enabled = true;
+        encryption = {
+          allow = true;
+          default = true;
+          require = true;
+        };
+      };
+      logging = {
+        min_level = "info";
+        writers = lib.singleton {
+          type = "stdout";
+          format = "pretty-colored";
+          time_format = " ";
+        };
+      };
+    };
+  in {
+    description = "Mautrix-Signal Service - A Signal bridge for Matrix";
+
+    wantedBy = ["multi-user.target"];
+    wants = ["network-online.target"];
+    after = ["network-online.target"];
+
+    preStart = ''
+      test -f '${settingsFile}' && rm -f '${settingsFile}'
+      old_umask=$(umask)
+      umask 0177
+      ${pkgs.envsubst}/bin/envsubst \
+        -o '${settingsFile}' \
+        -i '${settingsFileUnsubstituted}'
+      umask $old_umask
+
+      # generate the appservice's registration file if absent
+      if [ ! -f '${registrationFile}' ]; then
+        ${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \
+          --generate-registration \
+          --config='${settingsFile}' \
+          --registration='${registrationFile}'
+      fi
+      chmod 640 ${registrationFile}
+
+      umask 0177
+      ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
+        | .[0].appservice.hs_token = .[1].hs_token
+        | .[0]
+        | if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . end' \
+        '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
+      mv '${settingsFile}.tmp' '${settingsFile}'
+      umask $old_umask
+    '';
+
+    serviceConfig = {
+      User = "mautrix-signal";
+      Group = "mautrix-signal";
+      # EnvironmentFile = cfg.environmentFile;
+      StateDirectory = baseNameOf dataDir;
+      WorkingDirectory = dataDir;
+      ExecStart = ''
+        ${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \
+        --config='${settingsFile}' \
+        --registration='${registrationFile}' \
+        --ignore-unsupported-server
+      '';
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectSystem = "strict";
+      Restart = "on-failure";
+      RestartSec = "30s";
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallErrorNumber = "EPERM";
+      SystemCallFilter = ["@system-service"];
+      Type = "simple";
+      UMask = 0027;
+    };
+    restartTriggers = [settingsFileUnsubstituted];
+  };
+
+
+  users.users.mautrix-discord = {
+    isSystemUser = true;
+    group = "mautrix-discord";
+    home = "/var/lib/mautrix-discord";
+    description = "Mautrix-Discord bridge user";
+  };
+
+  users.groups.mautrix-discord = {};
+  systemd.services.mautrix-discord = let
+    pkgswithdiscord = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ed627539ac84809c78b2dd6d26a5cebeb5ae269.tar.gz") {
+      config = {
+        permittedInsecurePackages = [
+          # needed for matrix
+          "olm-3.2.16"
+        ];
+      };
+    };
+    dataDir = "/var/lib/mautrix-discord";
+    registrationFile = "${dataDir}/discord-registration.yaml";
+    settingsFile = "${dataDir}/config.json";
+    settingsFileUnsubstituted = settingsFormat.generate "mautrix-discord-config-unsubstituted.json" defaultConfig;
+    settingsFormat = pkgs.formats.json {};
+    appservicePort = 29329;
+    defaultConfig = {
+      homeserver = {
+        address = "http://[::1]:8008";
+        domain = "cloonar.com";
+      };
+      appservice = {
+        hostname = "[::]";
+        port = appservicePort;
+        database.type = "sqlite3";
+        database.uri = "file:${dataDir}/mautrix-discord.db?_txlock=immediate";
+        id = "discord";
+        bot = {
+          username = "discordbot";
+          displayname = "Discord Bridge Bot";
+        };
+        as_token = "";
+        hs_token = "";
+      };
+      bridge = {
+        username_template = "discord_{{.}}";
+        displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
+        double_puppet_server_map = { };
+        login_shared_secret_map = { };
+        command_prefix = "!discord";
+        permissions."*" = "relay";
+        permissions."cloonar.com" = "user";
+        relay.enabled = true;
+        encryption = {
+          allow = true;
+          default = true;
+          require = true;
+        };
+      };
+      logging = {
+        min_level = "info";
+        writers = lib.singleton {
+          type = "stdout";
+          format = "pretty-colored";
+          time_format = " ";
+        };
+      };
+    };
+  in {
+    description = "Mautrix-Discord Service - A Discord bridge for Matrix";
+
+    wantedBy = ["multi-user.target"];
+    wants = ["network-online.target"];
+    after = ["network-online.target"];
+
+    preStart = ''
+      test -f '${settingsFile}' && rm -f '${settingsFile}'
+      old_umask=$(umask)
+      umask 0177
+      ${pkgs.envsubst}/bin/envsubst \
+        -o '${settingsFile}' \
+        -i '${settingsFileUnsubstituted}'
+      umask $old_umask
+
+      # generate the appservice's registration file if absent
+      if [ ! -f '${registrationFile}' ]; then
+        ${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \
+          --generate-registration \
+          --config='${settingsFile}' \
+          --registration='${registrationFile}'
+      fi
+      chmod 640 ${registrationFile}
+
+      umask 0177
+      ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
+        | .[0].appservice.hs_token = .[1].hs_token
+        | .[0]
+        | if env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET else . end' \
+        '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
+      mv '${settingsFile}.tmp' '${settingsFile}'
+      umask $old_umask
+    '';
+
+    serviceConfig = {
+      User = "mautrix-discord";
+      Group = "mautrix-discord";
+      # EnvironmentFile = cfg.environmentFile;
+      StateDirectory = baseNameOf dataDir;
+      WorkingDirectory = dataDir;
+      ExecStart = ''
+        ${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \
+        --config='${settingsFile}' \
+        --registration='${registrationFile}'
+      '';
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectSystem = "strict";
+      Restart = "on-failure";
+      RestartSec = "30s";
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallErrorNumber = "EPERM";
+      SystemCallFilter = ["@system-service"];
+      Type = "simple";
+      UMask = 0027;
+    };
+    restartTriggers = [settingsFileUnsubstituted];
+  };
+}
--- a/hosts/fw.cloonar.com/modules/web/secrets.yaml
+++ b/hosts/fw.cloonar.com/modules/web/secrets.yaml
@@ -1,6 +1,8 @@
 borg-passphrase: ENC[AES256_GCM,data:2WjoqMRmXvW9EGMmpMYhrC0Qt0Dk7QWlbEncZPdK2SxVljEoFibjVEr6jeYdAx6UkaXdjk9pD3PBbls2tWt0TiNQdh8=,iv:bHzASNjqqfPsQ/1w/oM7x0FubAzzRkn+iWrZlenU9rs=,tag:ektqi0rqEywg9YGybPQesw==,type:str]
 borg-ssh-key: ENC[AES256_GCM,data:b/xZnUTfi85IG1s897CBF1HD7BTswQUatbotyZfLmbhxXxEyffUeaiGsT9Gh9yQqOKTstTihA48nVk/4ekAPD/ZGDQ189V1BwKkQ5chN9TSULofekfmemhUhVGjnx8OFl6hYYpTttQSTLHtczmfE2iX1JyrZy2Z+H+w6dbZjkYDayRUt/4+5wCtQJ1Nt7bjzwLWhjdVtwDeBLm/kCywVguZLCgyiuqmXMr1h9jpUS7URZegGz1lFs34Ismu1LtaRjFGRyd8aKaTU6PSxDbjE4dQ3Lh1Hm3nhtOrSkswBZLp8OTP6emrQ7c3oJp1zqO5zQHXxD2V5hkPw6ln0Ee1aQp1rvLD8shRXzRbHG+mySvjKLJvLypnNuYfQklqlnhbG+M1/NN13oVF13nHpKwP5q33sRr49mfHw8YHdRhHuhYHVrpy8ep0AmPXiDYCDM4cnlOMnzlH/toF0fq0YRny6QoqKNpaYhmA61MXRPTZCqoAcE1N+oo7HymjJetzL9b2FkPCoDOx989IJ8SUaBJpzR+agNsFi87htVllRp4ozms/m56dI0AdwqeAre00iMBzpVS0hXURE7fqvAnLHQD1goW9XB2mztqcJ09YafrOgTA3oyazWcAjxgV33GupxxIDmwRdLmavvr4qrHfddYctYLPI7VolqT9JmKN6iVG9vYsDutgoyRlhzbGASKPLgcYn9sGG+LBgTHfZyABnYOaUetVP72mhSN30ZZixcCskVlGg5C53wrW5o6mBv+PyG8PimxLmQylbvHUdGGVLQfMpJaaXgpUjBX1MWdQAVa+Nyjm7QwYdRKoCb3suQ6bOq5O9eotel3GPB8gpKzInhNA/0xiB4UyCGp1i21iRS9+Rc7yufo5s3t56k0643K2DhBUVgssiTsG15BbQdX4c1O28i9zwEZ+wVci1yvLX38M0a3tDDt9iW1BIOWehShS7dpyJR2/OgWLFagw9hYP5h24t5k6Gz2ODhPouaFccYDRUBR6UECxA+gDS+trN8iNSX1oWa0ys0XvgwWpJ2CrdSArNqe1BdhM47BQwudiA3RwaEN3wRh5PeykSk/3BUXK+ZdAr0BZ8ij2q4F8zQexLxnrV6xRqofNcVs62iJAjx6g86InSv0nNjLQ9U/fBTL66u1iRZFJhuxPjDNfLJZqT0TvRR7KBcNWTwTuMCGNp5s9TngMUF4uhHx8qGxtjfH58WjixOhC9lgUt7cYEFIeefcwIO9VVnKoiXK5sPIvIsjtLRzGvejYSd0ZwSF3Ly9FkWLkr+o5rs5bXtGMsSQ+BUFg5nM1BqrHIGv9M+F4kPxhnqm9/JXuMSQ+JUzix5N0vHuSTphCayDpMHJYRUEkDEmwPXMyB9zWVmvMb0ByUnfs/n/jmL4WRuggYqchIR3/xuco5HUqLbEKXiJ39wVgy+i3/biWOOEu5BmMx3qbgQ1+6nlxY+f1qpXZ8br0RlXLOQ6L/O9Qa9gKZaxLm/5GCiFZ+SeU/c5OgUndYqTk6FsbDlNurA69IqjwubG345lpdB9VPoGP7dLsx3VaGKW0bvr06oRaeasMx90SN5bGQJH+0iQFkGPhp0m2v31zpBk1IibXi5Qb1OWGXGYd+iNt1ZQF0HVuEqQEXI62x92QkaR7eHowR4tCRF1xH1ZrBkyjtdofUU2wPqsRrOWqGIZWUh/JpfXkSAZQo9yJKnHcp9d3BPEvWpLWS9g1Jfej5XG497aP6crWw5XawOyzi+PEgz2Y3Q0R/MM3S1W2R7Z+21nekbCfghpNylwIX4UYkeX8YorheiumkUfFXjktPSkFCTuUrYAA89WZjIIqd4/gt3tS7keCsjEiTkW2KdDPlzNItKnC8xWnpRc+Wh6ghA/nt3j4POb880j3scFoDjgOv5lNk2Q84S/IW+DQ3U8o4JrKiXsxchDvmgGbU4FbXZTGLXeM1CybmbZKogIHdwJkhC425oqA1PMiq5tDPLKpl2214JuaV4Xd8R0bwCSHYjQp9gqJT9j1Wg/3P0M3/VGZGoJEVriiBl6PBHP2CcvxK1NADDmMHgGQwwfROoSijAzzPKCy9sgzsquTkqzq8q4aChjGKShxs+52dpnmmuygSlxjyVQCEW9kLERf1Nm1arsLkHJ4ZsWgSrskGvjsPEvyEnpY33gGB7fpy90NW0GtELgGzEw/1nfLcFbRBJ7gH+4Dby2fBTxoV2ks9m0Fv6OWsfIe6H54zWLmqB1RkQaskb1wDKU3HATOmuYo/fByLIsMyR5l3P7LXWF5CJOprzp41rGts/ybJEG1EUtmVCs2epTwbeG/Waq1DB3TFa639ETjxOfGQ65PXp5aT1d5v+ko87LiR+0us6xwlfZ6NMRRZuPt4wycFgPUAAmpdmguwDKifHKA258g9kzotT25JeFFEMVhsMi1PoXEqA+sFomdsLt+Vtpr2aGMUWyHD/E2fgAtybLwxbjqDINi8vXWJxv/UZdH8wBOlWLtaeGg5/jRsMuL/hSSZ84Q2zfRVvV7/BZ7wnxfoXmAwRdTZijAvc9TxWszP6E5mAix7s/znU+1vnseJdxWa4Ff1wOGVL/Tem2K0J/mp75XuzSP7nCYDMgqhnvfzlD8vv6QpxtDUAbdTBDyPkQ4U9L6+y5ul5Aegpui+p0G9/0UHdBYhJiFd90omnhSmyHx2pvgUTfbL/Kv/pk7nwTv89a87NXNA9K6AATwx0kUPgIWs/5FGi8leCXGSsgBbJogL1htC72pKzVH6ckEzKeBzRADmwFLhnPIvp37ZkQPj0rrWRhkd5RqsFcN0166N+M4lPD0hzPd2+nEXDAOHoCK7U+BcRcJ3GUlyPU91dbWfo9otPd3naTvGVZuFDxOihLtBXaLTsxmS4STk6DVRjwNmX8YC9FwXkED19xEeH6KkaFs1nVXnmDqpvi2BcueT96t6TOeu5HcA9fAgFTpOKVT6cK2PcHTtJhjrPkfSYr0/ksJdV7r9N4JgAEfiASMMHS5uQWJlyJKWo92rJ2IvSCQx4lcK3gasgcTsVaYmuRORM+6263r4NKS8W8r55XvVyW/C7vvsVq6wF3xUkQadBkxIUQUVWxxCc1pWOlfWwMs0i+ZssoaWopbs7x45z86i+3HsHmfS6GuXUpQfgvXe9Bn7mOj7VQWaG9NIFUpIxisGfdY9L8+RXobo7etD3da7TNMs40BT+34tijcX53FzKwvG3ESNPB2hjOAITDta6LDOHhJrlVqn90p1DicThHOaT3fxt6ST287EhWqK9S1gpkLrp0gNSA9v+K9mBvWaWYNDXY7sGxOIMzCEIdFT18Pra92NhGTJtC0XizHDMUfGx5WAaard1Iy/PYXvavoAwp30qDCQGF+PgwSProa+JtQQPzoEgtSXNVhUWIzz10TACuo+vHt8sHvFG3VuU7jSOr9sqVrN36KMDUlwo0gavHKsjRxHf2OGh552q7AP+sM6Y5WhA4KhmQSUKCVxYVQ==,iv:U3+fjacm8+gZAjPQNz2mjFYTUbLyltTaPiSKb3lvCmk=,tag:ZR6zI1UijDayIvH3v35Hqg==,type:str]
 zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str]
+dendrite-private-key: ENC[AES256_GCM,data:ZHDIa/iYSZGofE67JU63fHRdKbs/ZyEJY45tV6H8WZAOcduGafPYBo2NCZ7nqLbc2Z9dUUgsrpzvkQ3+VaWqFUv7YsE+CbCx4CeiLGMkj8EAGzX4rkJGHMzkkc2UT7v9znCnKACS3fZtU69trqVMcf1PzgqepOHMBku37dzpwOQC/Tc3UTuO72M=,iv:Ljun1/ruY9cDBm9vu62riUrpGjrWtFFx90GeE7uc3Yo=,tag:FF4xPb1SDhK/4ITr/idvYg==,type:str]
+matrix-shared-secret: ENC[AES256_GCM,data:HeS4PT0R+TRU6Htwa5TChjK1VAjAdgSS8tSnva+ga3f+mEfJPTQ02pEvS2WFvcnchmEjNYy39zL/rbtX,iv:4yR+VgdJY3VcvLg18v+5jbJDSkFzaeyLNAZ0k8ivjdQ=,tag:RA96iSFDUdlXq30c/vkvpA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -25,8 +27,8 @@ sops:
            Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx
            SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-16T11:12:23Z"
-    mac: ENC[AES256_GCM,data:nMLxD/WP3LxLTECQ/wQjiDW3F2Lx8yeMTkNIg97eipebVZwTLiVGg4t+sVzen+X3t4tPixO2a72mWMtIVQKs8d2MzkydLh+LjYItUBP+uw/rnCjB0zfxiPN883+FO6q4+BoT0JJc4LUHbgQQWEDnKaqld4/ICE1xJbPZVEJWo40=,iv:JenHaRqB8ZVDRV5rUOgMURflqQzfOrt9pHege2oiT7g=,tag:xv0p2oW1P0FPqcrRoQ/6tw==,type:str]
+    lastmodified: "2024-10-14T16:53:41Z"
+    mac: ENC[AES256_GCM,data:DUi6zUrZBMVaYZ/BvWny7RwPgXe+vQ+odO30fGe8iZHj9d3gzB95F75CqIgENi4gVOA4CQDADE+p45z/mtl04HAh7RiT0/k21RSdQcH2W9AX525fOzeqbxbPA/tXJOctwGrytFwlK9UdJULXkJCwYrJnwNc0XPnBk1FodTykXWs=,iv:q/eapgTVL/rifrrZeIcXT5VO9bEoS4EmmEhYJ2xHvQ4=,tag:xb0Qj/wu17cLTkvefsDqiw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/hosts/fw.cloonar.com/modules/web/zammad.nix
+++ b/hosts/fw.cloonar.com/modules/web/zammad.nix
@@ -10,7 +10,6 @@
    };
  };
  
-  services.nginx.enable = true;
  services.nginx.virtualHosts."support.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
--- a/hosts/fw.cloonar.com/secrets.yaml
+++ b/hosts/fw.cloonar.com/secrets.yaml
@@ -11,6 +11,7 @@ gitea-runner-token: ENC[AES256_GCM,data:Nd0vsnuJficsdZaqeBZXa9vD7PLMdDtV9sMX0TxU
 drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str]
 home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str]
 home-assistant-secrets.yaml: ENC[AES256_GCM,data:m7uOVo7hPk/RmqqRS6y7NKoMKsR9Bdi1ntatsZdDOAbJMjZmZL2FgPEHi/zF73zCfRfTOca3dwpulR3WXZ9Ic1sbUIggmusJMg4Gellw1CUhx7SbQN5nieAbPbB9GVxMuV4OakD1u7Swz8JggDT6IwojSnuD5omCRCyUH1wvKB+Re59q6EStderlm5MJNVFlVrbKVbLKLcw4yRgTh34BGnTTjcJmgSlQjO1ciu2B7YQmdl0Fw6d8AdbEzgB5TFG5ONc85UhJDE8Wlw==,iv:GCtpcVChN2UMWtfnWURozCfVj2YbRPqp/bH4Jjntybs=,tag:pcxP7gTBtXMNT5iyW5YXTw==,type:str]
+matrix-shared-secret: ENC[AES256_GCM,data:67imd3m6WBeGP/5Msmjy8B6sP983jMyWzRIzWgNVV5jZslX+GBJyEYzm3OTDs1iTZf4ScvuYheTH0QFPfw==,iv:7ElCpESWumbIHmmFaedcpkFm5M58ZT3vW9wb9e1Sbh4=,tag:wr4FIymtJBtCerVqae+Xlw==,type:str]
 palworld: ENC[AES256_GCM,data:rdqChPt4gSJHS1D60+HJ+4m5mg35JbC+pOmevK21Y95QyAIeyBLVGhRYlOaUcqdZM2e4atyTTSf6z4nHsm539ddCbW7J2DCdF5PQkrAGDmmdTVq+jyJAT8gTrbXXCglT1wvFYY5dbf2NKA4ASJIA8bdVNuwRZU0CtFiishzLuc9m8ZcGCNwQ/+xkMZgkUAHYRlEJAZyMpXR6KkFftiR05JRAFczD4N7GXPPe+vyvgXg7QBGtf20Qd4SGBUw0zI/SNTRmifHUuc4Z6+Fe9JHgvTc3uFcTMVnty0fEuL+a29liaVdAFq8BnqJfc5CNV401ZSUeMbG41lCn1cegP/WChs9J6HXNrhWDgiXa6ln++NoKcfOHIfZVbYOCoOxFR6+YWeBU2+sHmdwI9j5XQf5Ly2hmg12j0Ds2Cn8k4PG5aQP+HT2bedqyxwSt6fi97A0Osnh4ig7+DzYAjSNLewbYLzVdK39VdvB9hqLto+yFS3gAaeYOHwPwtqa+COI85c55lHiyKHlSwPhBqYaaiDu00lQTUzq9R5vz6F/l+T3bUjuna5RryUu8yhnk5DyK834KycTOg4ETcZTqro6prfiEBxc+Utsc9JvEtZgwFv6fsVLOu7nHxuiYuvseZ4YA8LlYdwPJboMPO2XsuhwWtT1uz/rh2orH7/vsXvzA/kF8NFemWBEMVLYA8byC5ze8doiGDYp4T5AAf10nJB1ceQ==,iv:gs78fxhvo9KlTaR5nzs12/LdgPChSFPHD2k4VQp3ARo=,tag:lpWBOi9xh2cWkS+71KD/UQ==,type:str]
 ark: ENC[AES256_GCM,data:YYGyzoVIKI9Ac1zGOr0BEpd3fgBsvp1hSwAvfO07/EQdg8ufMWUkNvqNHDKN62ZK5A1NnY3JTA1p4gyZ4ryQeAOsbwqU1GSk2YKHFyPeEnpLz/Ml82KMsv7XPGXuKRXZ4v3UcLu0R8k1Q0gQsMWo4FjCs3FF5mVtJG/YWxxbCYHoBLJ/di5p0DgjuFgJBQknYBpuLzr+yIoeqEyN7XcGYAJO53trEJuOOxLILULifkqISHjZ66i5F1fHW0iUdRbmeWV4aOAeOrsQqXYv,iv:gJwV5ip84zHqpU0l0uESfWWOtcgihMvEEdLaeI+twcU=,tag:sy8udVQsKxV/jOqwhJmWAg==,type:str]
 firefox-sync: ENC[AES256_GCM,data:uAJAdyKAuXRuqCFl8742vIejU5RnAPpUxUFCC0s0QeXZR5oH2YOrDh+3vKUmckW4V1cIhSHoe+4+I4HuU5E73DDrJThfIzBEw+spo4HXwZf5KBtu3ujgX6/fSTlPWV7pEsDDsZ0y6ziKPADBDym8yEk0bU9nRedvTBUhVryo3aolzF/c+gJvdeDvKUYa8+8=,iv:yuvE4KG7z7Rp9ZNlLiJ2rh0keed3DuvrELzsfJu4+bs=,tag:HFo1A53Eva31NJ8fRE7TlA==,type:str]
@@ -47,8 +48,8 @@ sops:
            ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw
            tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-02T22:57:14Z"
-    mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str]
+    lastmodified: "2024-10-13T22:30:43Z"
+    mac: ENC[AES256_GCM,data:sEySfQaBevydqFBOab7RPCse8fOwiix6GIsXeR9paBCCCHOxDZDusdn0/k97wLeWzvHi0SJB/8+g8qlqXtRuJ/3mT1vJxfWwoJk3gz2WD+d8recG+KkdtkSGu04addHgBZQqGqhOfkRHYypVW3GaBfLteY08nvob4/yjaHCtGig=,iv:lsHvIovstgHmY6OrV3CO0tju2OQb1AcWgMov8klkSqA=,tag:zcvCoCwTgeZhhS1MOvH3HA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1