moved all services out of nixos containers

fixed a lot as well
2025-12-10 00:43:56 -05:00 · 2023-09-18 22:38:12 -04:00 · 2023-09-18 22:38:12 -04:00 · 66ee1bb541
commit 66ee1bb541
parent 4fd4b0ad74
10 changed files with 247 additions and 266 deletions
--- a/hosts/gerg-desktop/containers/minecraft.nix_
+++ b/hosts/gerg-desktop/containers/minecraft.nix_
@ -1,107 +0,0 @@
-{self, ...}: {
-  containers."minecraft" = {
-    ephemeral = true;
-    autoStart = true;
-    privateNetwork = true;
-    hostBridge = "br0";
-    localAddress = "192.168.1.10/24";
-    bindMounts."/minecraft" = {
-      hostPath = "/persist/minecraft";
-      isReadOnly = false;
-    };
-    config = {
-      pkgs,
-      lib,
-      ...
-    }: {
-      nixpkgs.config.allowUnfree = true;
-      environment.systemPackages = [pkgs.neovim];
-      networking = {
-        defaultGateway = "192.168.1.1";
-        nameservers = ["192.168.1.1"];
-        useHostResolvConf = lib.mkForce false;
-
-        firewall = {
-          allowedUDPPorts = [25565];
-          allowedTCPPorts = [25565];
-        };
-      };
-      systemd.services.setmacaddr = {
-        script = ''
-          /run/current-system/sw/bin/ip link set dev eth0 address 00:00:00:00:00:10
-        '';
-        wantedBy = ["basic.target"];
-        after = ["dhcpcd.service"];
-      };
-      boot.initrd.postDeviceCommands = "mkdir -p /minecraft";
-
-      system.stateVersion = "unstable";
-      users.users.minecraft = {
-        description = "Minecraft server service user";
-        home = "/minecraft";
-        createHome = true;
-        isSystemUser = true;
-        group = "minecraft";
-      };
-      users.groups.minecraft = {};
-
-      systemd.sockets.minecraft-server = {
-        bindsTo = ["minecraft-server.service"];
-        socketConfig = {
-          ListenFIFO = "/run/minecraft-server.stdin";
-          SocketMode = "0660";
-          SocketUser = "minecraft";
-          SocketGroup = "minecraft";
-          RemoveOnStop = true;
-          FlushPending = true;
-        };
-      };
-
-      systemd.services.minecraft-server = {
-        enable = true;
-        description = "Minecraft Server Service";
-        wantedBy = ["multi-user.target"];
-        requires = ["minecraft-server.socket"];
-        after = ["network.target" "minecraft-server.socket"];
-
-        serviceConfig = {
-          ExecStart = "${self.packages.${pkgs.system}.papermc}/bin/minecraft-server -Xms8G -Xmx8G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
-          Restart = "always";
-          User = "minecraft";
-          WorkingDirectory = "/minecraft";
-
-          StandardInput = "socket";
-          StandardOutput = "journal";
-          StandardError = "journal";
-
-          # Hardening
-          CapabilityBoundingSet = [""];
-          DeviceAllow = [""];
-          LockPersonality = true;
-          PrivateDevices = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "invisible";
-          RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SystemCallArchitectures = "native";
-          UMask = "0077";
-        };
-        preStart = ''
-          echo "eula=true" > eula.txt
-
-        '';
-      };
-    };
-  };
-  _file = ./minecraft.nix;
-}
--- a/hosts/gerg-desktop/containers/website.nix
+++ b/hosts/gerg-desktop/containers/website.nix
@ -1,125 +0,0 @@
-_: {
-  sops.secrets = {
-    "website/sql_gitea" = {
-      mode = "0444";
-    };
-    "website/sql_nextcloud" = {
-      mode = "0444";
-    };
-    "website/nextcloud" = {
-      mode = "0444";
-    };
-  };
-  containers."website" = {
-    ephemeral = true;
-    autoStart = true;
-    privateNetwork = true;
-    hostBridge = "br0";
-    localAddress = "192.168.1.11/24";
-    bindMounts = {
-      "/var" = {
-        hostPath = "/persist/website/var";
-        isReadOnly = false;
-      };
-      "/etc/ssh" = {
-        hostPath = "/persist/website/etc/ssh/";
-        isReadOnly = false;
-      };
-      "/secrets".hostPath = "/run/secrets/website";
-    };
-    config = {
-      pkgs,
-      config,
-      lib,
-      ...
-    }: let
-      giteaPort = 3000;
-    in {
-      nixpkgs.config.allowUnfree = true;
-      environment.systemPackages = [pkgs.neovim];
-      networking = {
-        defaultGateway = "192.168.1.1";
-        nameservers = ["192.168.1.1"];
-        useHostResolvConf = lib.mkForce false;
-        firewall.allowedTCPPorts = [giteaPort 80 443 22];
-      };
-      systemd.services.setmacaddr = {
-        script = ''
-          /run/current-system/sw/bin/ip link set dev eth0 address 00:00:00:00:00:11
-        '';
-        wantedBy = ["basic.target"];
-        after = ["dhcpcd.service"];
-      };
-      system.stateVersion = "unstable";
-      services = {
-        gitea = {
-          enable = true;
-          appName = "Powered by NixOS";
-          settings = {
-            server = {
-              DOMAIN = "git.gerg-l.com";
-              ROOT_URL = "https://git.gerg-l.com/";
-              HTTP_PORT = giteaPort;
-              LANDING_PAGE = "/explore/repos";
-            };
-            ui = {
-              DEFAULT_THEME = "arc-green";
-            };
-            service = {
-              DISABLE_REGISTRATION = true;
-            };
-          };
-          database = {
-            type = "postgres";
-            passwordFile = "/secrets/sql_gitea";
-          };
-        };
-        nextcloud = {
-          enable = true;
-          package = pkgs.nextcloud27;
-          hostName = "next.gerg-l.com";
-          autoUpdateApps.enable = true;
-          enableBrokenCiphersForSSE = false;
-          config = {
-            dbtype = "pgsql";
-            dbhost = "/run/postgresql";
-            dbpassFile = "/secrets/sql_nextcloud";
-            adminpassFile = "/secrets/nextcloud";
-            adminuser = "admin-root";
-            defaultPhoneRegion = "IL";
-          };
-        };
-        postgresql = {
-          enable = true;
-          package = pkgs.postgresql_13;
-          ensureDatabases = [config.services.nextcloud.config.dbname];
-          ensureUsers = [
-            {
-              name = config.services.nextcloud.config.dbuser;
-              ensurePermissions."DATABASE ${config.services.nextcloud.config.dbname}" = "ALL PRIVILEGES";
-            }
-          ];
-          authentication = ''
-            local gitea all ident map=gitea-users
-          '';
-          identMap = ''
-            gitea-users gitea gitea
-          '';
-        };
-        openssh = {
-          enable = true;
-          settings = {
-            PermitRootLogin = "no";
-            PasswordAuthentication = false;
-            KbdInteractiveAuthentication = false;
-          };
-        };
-      };
-      systemd.services."nextcloud-setup" = {
-        requires = ["postgresql.service"];
-        after = ["postgresql.service"];
-      };
-    };
-  };
-  _file = ./website.nix;
-}
--- a/hosts/gerg-desktop/secrets.yaml
+++ b/hosts/gerg-desktop/secrets.yaml
@ -2,10 +2,9 @@ discordenv: ENC[AES256_GCM,data:dzl1FaBUPiiGR8hOmUVDulGnS9wBwX0ddYYV/euilrrHGO8G
 searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str]
 gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
 store_key: ENC[AES256_GCM,data:/1wAHcMZl3loV2IR7mj1z51lwfKmaP24DgEjl2w8qwbrKHBIS09meLXrVTvsvQmFM4AvKig9ADs1aeYoVTTEa4QE9nKJ/LyRI5z8dHe7j7H5Y+UI+Syr0CUKN2I9UuqkOAyWrPM=,iv:5cLxhzNawFMTKn+MT5cHILTvggHmxteycL+2bxUPsoc=,tag:q8voriNRZUL4pYYfOvJT0A==,type:str]
-website:
-    nextcloud: ENC[AES256_GCM,data:JoxSXYzBhXV+h4Ar,iv:jKlAwWfX58DpgGbGOqWBIwcnx8EdIxhFKOUzsDccr7w=,tag:L6UBHh1HU8Je+OczQCypXg==,type:str]
-    sql_gitea: ENC[AES256_GCM,data:Usfd0QDm/4ntj7kzXXYa3O7H7/E=,iv:3xUD2KuQvJUQtai6C+qAnQ2RbkpN5VLK8BUJFiMpQkY=,tag:E6KNzFIZekgecJCBPlw4YA==,type:str]
-    sql_nextcloud: ENC[AES256_GCM,data:xkJioAZCCd8aIxS283UhZ2yfLgQ=,iv:7SQ2iSJShX6dDP3qD0KPaJP49CQ6RMHQ6uY5J/WODtI=,tag:HNXYa1L88mGB5uOrmTuFDg==,type:str]
+nextcloud: ENC[AES256_GCM,data:CJqcH+l7EMwV8q7S,iv:uiq+lRMYR8APoVCmliAvUEthBUABdPXxs53y8I1WB+M=,tag:ObRMNYp9xIKR4VPxQr3JfA==,type:str]
+sql_gitea: ENC[AES256_GCM,data:KX6q1xqCgdAzC+A+HadEIo0JrQ8=,iv:Ljqy5VE6PpqZyS27PXRJbVH4yPE2GQBbVYZimNdF4o0=,tag:/wo72SvCfycb5zZ62O480A==,type:str]
+sql_nextcloud: ENC[AES256_GCM,data:LzIJ1ikyxBkmCvInmvxZ2KqYHv8=,iv:t3uYBkbLR1U+IKFkF+myZcPUsA1zQs7hU0JAY0ZBvZc=,tag:xQ7Da2c6s9ZFDq13fT54ew==,type:str]
 gerg_ssl_key: ENC[AES256_GCM,data:F51mBHbLzfgJ8SdFQwxRIHOfG/iYi35EwOzQ/PlWkI6VzAGoFn3K/Team1dMAS62CxIq96WByqctLhfgNl/sI63LT9KoGAKV/8sLKXav9FtVJlrsqWCCswMRV95ia6vUj6yiqCdX2qgawq+sYO1ztUu5pTfvG2DEO+2r+SXCFPBARJ5CQl39i+clnyjVSsZLHlRwdqSG5uzfNyjMand/0jgQ6yxFExaqahSiyf20H7liK0G8vnv4R4X1Gs+6Cqm2nMRy89rSLVndoX+IH7tvfjxMB+oHJkjdYqcznfUuIDeRMTxeQq6RiQuSmBYgPfYBWenMgMgt0IiuTRxfCdShjveDGXJr1lO8ZkmxPV6VUgL7stbRUs+UkWgpct7cUbgwcsbdgUvo3SiHRDHikqAJgWihV3V8jOUBsJrNbCyam999cZtyTCHRxnpHYR+zEfqA4823c9tW6KYQRr+FW8mHYxGCPLyDgXzCsNYf3bOzkKx6UIw5iNjRfQIPVlQinJtTfcYY20CXn25k+V15wRWMvs2QrOWj7qdssIyPgDalb70mj0lrLbdceHWW6JTmHiSQAjFK1pYEmXIEa9G1jES3Zq3G9Ty0/XUmt3yGUJr2TBQxhDbryr5Kd6PLfIrHBh/msw1QlSbdSv4a4BeGos1qD0HJgXrE/xqHPCUX07wCYpXVeEHR5OXF0SVgc6dCWo+s5iE7AggS4j3dKqZoDV2l0rZGI7RQvf8BoEAl+RwsCgrgY2zo7qeSb12NVP8Kb/wA0hIWT3IFrj4wLyk93vjsHwdbt9QJWf7yAFqIkB3y2MwPGQdn0s88FzZTeZCqDo+Q2vH0+GhzNozg1NV6XorV8kRO5t0hTM8fw8PGFdt7cUm1PGg60Fg5lBOs3t/y9OFDZcfsgEuxnOwZeslzkPmnLHf3DBPizdc2XCXuYmEKGiBiiFSC+zJF6+3S9W9/6uHvHEffJrIRSPxC4ElDfyvpxxY4kA5BMCXALpkYDaDCRPQSpu1EF1bi0mBSONHl6in+aYr1leVG185n+AOR3SsaY8jftN/rU4VxV2W5zszx2KZk/LzAjoDAZbBHgBVgY7KsD8Zs2+TBJppnxg35S4s0+PRQM/0t7mFfSNGv75ih98UX9jzvIpb/evR5vD8ImUJy1BzO1nVyzKHQiILETixxz6kRMDUlvP6OpsBXcAWR0w0AKX4irAXT6xVyaSYfIBIJuwzE/mN68kNhPT62eaFnTUTV7KLf7yM/3+blXHcELtEVO2z1WcC3QJZNTA9WVTli+YTeJ//2M5gyBKOAQ3bfYeNz8mubxJQh0XpZaVdUu6TGVG3bIjbj0ixnnuAt6IVlZQK74h/Ah542oSuqLclrXlmNYn5vU5OdxjRgThZZKhZFoqiY+W79OulXDzSbhlMvI5tiGGjiIc31iFSKS0JYyISt1jdiwogv/b8/d7whQCwh9IvG7loKFsPBP2NgW6hYlixqcdaSpP9S7hrG54BPZe2o2S0Ci3BMasits2WFr6u7Qsx1AvuWyJ/rO+llmuvWVl64WNQxi8EYKiMJx0QI3Pr1Od66wVir/LtAlR04vsNHAvzM6gjuQYefWV9X2cXlklbGJYrE/9DCWr8fvUzmh659/81d2+CCkd7jxxFh8BHTR7oFHhM/H21BEUzOSu35vrMTPwy8y4mLhywNqmbLdOiOIGgkw4g+q5r4v9Byf15PqGcR02K+TmpQpF3HIpnv/3UH3lD4TtjIzWocTIdlKuriHsZcIIlHDxoWj/2mlo6+QxOiiTyR0jhQA372T2tlEo5/v3VFDuWikrBhgnmVe5zngkTqUUghrucbxJDDsehlwzSbrcczvYGwSNYu+DdS+57WDUGoLTJ7oOWovz5XCbV11LOQUNP8TYP597YzeV/eVguYvjUoSqSmo0m6kHGkhLZWbWyZrl7e2F7cOf+S6cdheREkp2Q/Eet8/B9fVWxRBBTXTLnOCC2q/Y1A9Ls+lpW4OXYO7QJjQAx9SKXfrjGgujrXH7oLMxQZfORwjnZzT1LQU7T0wNhQvZLHmUoA0VRZdSxSqEWlEjSF0eJjx/SNoKOacinHTCiT3r0P0cKmIypENef9czRURKgiunmlvSgQ5jOeu2C69KmF9Qau5YnRt6rXjkJzu+lji5ArVfkDxDG+mx5dtVSxwovbdAh065JDHo52ROaXLCb3nfFWKWSgoemYXrsbH9lT4/Ro3P2JC+iDeJFwz4r9OjTvPDWh9YTfzOlhfvg7m+2lg9vV74gmXd+IgSKh,iv:aE4/hxhfju3jJXjwK0TrfI/cbLsFgDEDspg2zTgqo4M=,tag:LAmit77WTZnpoCX1iuhkbQ==,type:str]
 gerg_ssl_cert: ENC[AES256_GCM,data:ByPI7ACEz9IvUmVcFvnuJ4+GQmccF+REH55/zgf4CpKMW2MB6jEurGjNXKmCxv/ac4CTHxk9iMKCbHm5Nt+C7sfCSBUbgxXOcRnnVkTKUtV8P6bdWFDtWWFx3xcxpNraGXhIoPTTNm4fFkE/wmYOv0nJylYiPO5JOMg86AilAvhVK3g9y/zu4Z6c0P4ZxfmXkXyBJRMXhPCRu/Y8FSNmepXTxBdq4AmmQpcMogCVcmr2X/PH/zWxb+akGaIbxZHngb1YQWrcXiKFN0kteprVaFb2M20sbp5A/jPsZvXc9nUk961oOd9/0UpUmv/ZpwbF8vQQKg9vZu+fKDP2GuWxNJfwASQEEv41t+3wi51rnCPRlzcuhUsHxPv7jtGeQKcjZ1SehgS2SBDnZvCf16c13RIm1HiyBIVJryaHUm0j4hgFOAsrSBzg/D5KJGYmC10AhoL3JNmcK3yOpH1KHvJ/8Yjxkws7QQlIJ8duS0lMcPLDlHi8Bx6safQeAA9MbNEN/cZxy7DluvuqO9pIihpaY7sh3SD6LWZoXP4BPvw7iZgo4oMacchsYB9RRRr6sNCAo1391BOzaB3gYyMkOz9DGjbOk9UXvINhpAWjSGXKxOik179+CAWNIPK5AclyV/2A5DAoXYQi1Ix7dxZ2HFx8p9fVRn8RdtwnXqyq/NtJKHNTKcUCYbgBAkcAcfC8ha75l7VQjPY9pShjf1H4e4k+bPEklC0P/J4liCLAppIu8D1hoQED/wDd3ah1IFrW8ClCyU4oal5y3ezBrzJHbVBibQhaIS/kH9KW4aqlLRWm+Ec/AduHaaUO3iH6yzSrB5bMQblk2B/N/KdySMOJ9ZIusn+iPcjWghgZSAdY8yObqoZkbTOhzkml0Y+tR4BNH8edKNBnN6TdqVYhqh3KqvuNCf6W2v8sQ9YdVnT0mEOH3dvWfGDMg+XIRPEpFF9ukYGfxQzFtKuLc6gA7l4dPRzdkXGwdQsu8YfQBvw1i3Nw6EHe8J05Wa9yEK8b4xSiZiCavnAKivLQAQZiQmaOanbyR2aS6ItN7S2X4GMxJfqazxWJm2y9RI/OdU6bU8xUx/kNi4+UPkh2e9IGo3kmv8eyA5hRtW2poMmHxRaCE0yJqP4llEy5rnW+S3Atfm3axC89ZpD+5wgmtV/BeIexZRUOZVSXSvlBtC4bmyWOfJCck8FoBSXmwvm4u4VB1bi9bTj0IAkTtcgRuNQOVf54XuhIrprMKtbiEa2/HbLcFB5Vox7aWJbq+HrAbVUUqBLSJwv6t6/5y0Gby1LPSicTvQ0tqWzmgPGxO2luvV7PeeqJcKJFAeqq31bgM7w861qz1KbATUsgx3gZD2y3QvtSwdRGYiNPPYnsG8O62tnulF9VgV5DO0fKMLJbE+q5+tWLscux1iyvzAZfgL5pSS+0ODmWCDr9H8RMhxElAEGDbsuhrOq6pyUiNmosKZ85xOf9qFtwgpEk5PDbWF9n/4qc+LXML3X8IOkABI54DtVqDTzssaNjW/rowcAgCOm7/Py1//anTxzD5RgOWfOEk3AO6dURpXwheB+cSdELt4b6vt1lTiEtcFBBc4Xif31/5eDDu7hRk+61medR1GZMEvs6VgnMbxoBia2MjdN5MAHNJFePiuabUsJeCOTVhO+OTRpq3Ni37xnJc2VieGIBwzaYaBE5p5HEkyiX76VYwpkE2C0Zi72DWLLLtyGX+FGFJpzIlNuYaJauzPQgPSbAHlZ8GSMtRiiEszhGvht77G87iBx3rut3YCkN63cLpKv08ah3/C4HBjG25viQR5u1S1e8jnCmzQyQYHrefgJim+nayriZdF2BqsLzOZwrgSEjKpQJ2UlSCQdoJoBf+5ceqz/noxEHjr2b6EIZL/omvMWdolH1BzapAbaAI5iQ0hDGMCVPbGi2C0dmRFKRTfEqR534b2Xy7+FknLifeRCQX4HMiDmYsjlWLlMdIGqtMkodHtPT387PGYJznzUAlWACGbC0qzOdi7Gaaa2AUHpPK9VwgQHeA2MuaK1LuZQoIbq4y4NE47MDdKKZH+/LB71JR7TjrrLZRvFdfp+HpK1YZymoHRgR+1NKWKKP+xpFlAsUa+7IDACBEzcBehkWlM0g22Ii7GEad/kxsQbExNDxg9gTspRPtT7cMAlQON7BRdjTT/emJGI5AOogPR4vkORwODV1cY3TvRDyE1Kqpw4KVRLWhf4e3w==,iv:ncEJNbY/7oUGNKRvhRHLq7Z8J5dCXl91oT5BYuOV5ZE=,tag:Us+lhVE7d5eeix1Iw/08+w==,type:str]
 nixfu_ssl_key: ENC[AES256_GCM,data:gwMbdsu2mlcZvCFrh6G/SQoIJLcUNyMkInw73+gUqR1EJH/kShqQGkQluE1lEoXobnh6wK5Rqz9yN4EJwWw/u4W6gYnXKOIHlb13faJHpRwTu1RPMmiJdJcCfjmW7sx+Yao1WjPq9h5Wr6CQjsACU4KPpIp0FWkVr5I6gGX91gkXyQgksGOKUcLQJYJDKLYbvTBnSA68Yoho4Tv5USG+GuxE1NQn3mc3cysA8V9sSZiR54cx2zK+u5l+MeC1Kcxh2KU9CER+B43jOonYxPj5EID0ZTv8aovkRcxkTTBzSdUvwCiUUx6IEectW0xtMeHxXrdDXwsxyuVCNPfmtgsqt5jIIJmEy985zLFjXNddG1CBgGTqxGamsMZ+McXCSb9ZD0wiMp9KVa6+ohLnc8PLIiN2qGFg1X2PNYzTTyesM6qja/9cV6A1raoQWhZOFfjEbsLmVtTI99QuBUtVJP6Q5lHeELIVm9ALc2W13P4/4waeCo2lQbI0hmU9FcL5hd3oiot0/DotnlqXhi6a9Qa2OSwBgpTHzZIihAPkMnxSskgymcK6CAX6es9m1v+526XG4gRAcSZ0nQWLRnF3++2g7jNCU/ivAdu1exzQRw6Y3UaluyaY46i67V53zVtddgsQlyRAxtCouJNFFCJp5KJ8+6J6ohF4wuN2L8ABR/DrrZ+piiAfgwnrOevGxRwKyKOzL+SjSLwM/ybxhgSDcM0LffMcs8FdUHgV7Qtr4lBvhluFGKza4N5ZYTe5bJLnm2poIKiXjsUPKSJmuipmYzPbRwOm8Y329J418MXNQNhDr8DV/BzOyzzWSWM//B2FMLTgJrn69VWrsdGGUKv/j5dwRRU1iYpO5Of83JiIJzHbWL35iQ0RsfC/O+oTrjYGNw3Bc3XyIogCW054u6kDjxBDTcG+26kSPujUz1D7DxJ4hZwMnr84/CkR5qmktgn1rpH4caz3bUjJjmrO4jeLYQP3eTEXnahTU2N81SjzCekvYsiIB/nq3oVtxnSFlEiAu5KiqswqBv0j8XOABbPu4elyUi09ekYz2ZQ2DtBLz+I5r6seDykIVL9zWmBEJHawGAC1yRAI4CWe28cCTOnpkt2keewBmZG1QwbINvEc21Q0NutGdZ3s27RHkGnsoda8tk5DipF8k5dyxmLy8jzFmHAwNB7m1UG5IYhFy95+C8ihfQF2tJfmO6VEDHuAviSdso/+wgYVsfp1MbtK9w+ACQvEbO90yRDBQ9VBg326C87kk9pXLal7l94JkBMR7cbLTAKH60ApYpLPVIZDvaHV2jxSrXypK6hdyTjpVnpyyC3SQXo1bn/Ixtd/tfA2fP5/IPB7xdNYEYu7lJWa7sY91BjhnnxRPkfCINt491MIXGqTO6LpGc/hJBukQI7rTr+mxJK5ajkvBpgDg7O+5sS/kmCbcFSAFw/T85n+WDo6QMQbrZqgrqmT6PaRtCLVWAIVX5UBDNUvXf6gUX/8WnSdQZtOPfkTBu3JEyDCkF/ETI+OZDnXVnOXKmYT7SMVHbPWxsTtmBuH1FZYi1aw7wyj/M7IC3k1ytm2YfOtRgO+xUi402gWS09fdENVWQ4fyRkNmwFvi9lBBvi9W2gCFWe53X2GO4Z3MQnKAtVCi0Rv8Xwh+hu8MijMwrs3CSSDAX1C3MAYQ9enzSXPeMQuZ84MQi4P664saNBd3gPRHQT52yH3tobpIwIZ8xUnHJ/Q6Rw6HRMtAqE8XWIxBGf7b0qqYkfwquE1uwiCVuq/j/af6qX3aNro1GyRymcPJN0Ko9JNOSn39SQxCqKawPHaFv7HX3JjEI299KNMGlD7lu8RKorD/+gIoz/7BTe1kmoUZDVPrgzudRvFAOrOATCoV/+FC48OQYoa24CITQx5ymJ1zTLE9d4M8vwNiOCpcVPyjabn8kt8rJmajjSidPAY+OX6lHpNbjcORZmjExZNMO5qApIqdl4WW9/pVq/pZSUwM31WbM0/JpJdws1LX5Ao+G2m/CO2fJqQS53mXMHfF85UWkJ1BuO5Be4Z54AWDDp4ZJzNfnQS/Ee84peTEExJ9mFvWYSlPLtzFOeUvI22RAcUJpQ/2vo8pI8S8h3BYCfSRyRW7ISYBCcRCpw/AkLWkgvOvXDYNj8xvPAtzftiP1GkMwjJSpbX3QGOYgO31KTy8lh836ePrJWsZa1MPD9nxyhajxs4MwKm2384UMtqu53mTtx7s2MchhiqrJoRUJW0Brq/oZM/WhhKHSjWssYrwLx5bymhg//Oa9PBP30j,iv:BbD2i/35D8p0/eEQ6RuM5nsDnQV+x2nTLU890LSju38=,tag:to2mYPiNkdYBHsgG7NJDbQ==,type:str]
@ -25,8 +24,8 @@ sops:
            dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
            MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-17T05:38:47Z"
-    mac: ENC[AES256_GCM,data:Qf7Xlq2cO+zZQHmf9FYKEVU5MNtjW63EZkUd78bDcACXU8SHjtN9LY6rT8cXdtGdjY/rwG78bhT1uoh22BsUSuLDymMV9oNPnc9OZUb+OTVJ6tI0LMnJguHcKWzIwSjVhpabhkbs9O5VrDQGDX+suuNYjp3Fb0jmudUGgsvhQQM=,iv:6pUVqz46wOauPyrWwwtA6IujviAMgY3UGvgZemqkQwQ=,tag:Ti3HDw8psfPN2+REZGmx4w==,type:str]
+    lastmodified: "2023-09-18T23:06:30Z"
+    mac: ENC[AES256_GCM,data:tpG03ndPvbIdNx/YnMLI9nxjhocApV06xqfCo/k1cAeNB6K43chePtEn2pAw49J65xoumIgT3AstRtX7iIEryAGV/wkafRVyU72SzrOXQwl/+FxXxEFqJctzctZ8Ievh1utwXOigSAuZNMVwgaEhXAAmKwPScTELC0JXUMM9HYw=,iv:v6jbcyVioLvAxeuXvtWvPKuwC1/Q0O46TF1DaJR6GYk=,tag:Vp8WwSjqH+KXsw9ANx8Q6w==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/hosts/gerg-desktop/services/gitea.nix
+++ b/hosts/gerg-desktop/services/gitea.nix
@ -0,0 +1,34 @@
+_: {config, ...}: {
+  sops.secrets.sql_gitea = {
+    owner = config.services.gitea.user;
+    inherit (config.services.gitea) group;
+  };
+  users.users = {
+    ${config.services.gitea.user}.openssh.authorizedKeys.keys = [config.local.keys.gerg_gerg-desktop];
+    ${config.services.nginx.user}.extraGroups = [config.services.gitea.group];
+  };
+  services = {
+    gitea = {
+      enable = true;
+      stateDir = "/persist/services/gitea";
+      appName = "Powered by NixOS";
+      settings = {
+        server = {
+          DOMAIN = "git.gerg-l.com";
+          ROOT_URL = "https://git.gerg-l.com/";
+          LANDING_PAGE = "/explore/repos";
+          HTTP_ADDR = "/run/gitea/gitea.sock";
+          PROTOCOL = "http+unix";
+          UNIX_SOCKET_PERMISSION = "660";
+        };
+        ui.DEFAULT_THEME = "arc-green";
+        service.DISABLE_REGISTRATION = true;
+      };
+      database = {
+        type = "postgres";
+        passwordFile = config.sops.secrets.sql_gitea.path;
+      };
+    };
+  };
+  _file = ./gitea.nix;
+}
--- a/hosts/gerg-desktop/services/minecraft.nix
+++ b/hosts/gerg-desktop/services/minecraft.nix
@ -0,0 +1,101 @@
+{self, ...}: {
+  pkgs,
+  lib,
+  ...
+}: {
+  # I manually switch this sometimes
+  config = lib.mkIf false {
+    networking.firewall.allowedTCPPorts = [25565];
+
+    system.stateVersion = "unstable";
+    users.users.minecraft = {
+      description = "Minecraft server service user";
+      home = "/persist/minecraft";
+      createHome = true;
+      isSystemUser = true;
+      group = "minecraft";
+    };
+    users.groups.minecraft = {};
+
+    systemd.sockets.minecraft-server = {
+      bindsTo = ["minecraft-server.service"];
+      socketConfig = {
+        ListenFIFO = "/run/minecraft-server.stdin";
+        SocketMode = "0660";
+        SocketUser = "minecraft";
+        SocketGroup = "minecraft";
+        RemoveOnStop = true;
+        FlushPending = true;
+      };
+    };
+
+    systemd.services.minecraft-server = {
+      enable = true;
+      description = "Minecraft Server Service";
+      wantedBy = ["multi-user.target"];
+      requires = ["minecraft-server.socket"];
+      after = ["network.target" "minecraft-server.socket"];
+      path = [self.packages.${pkgs.system}.papermc];
+      script = ''
+        minecraft-server \
+          -Xms8G \
+          -Xmx8G \
+          -XX:+UseG1GC \
+          -XX:+ParallelRefProcEnabled \
+          -XX:MaxGCPauseMillis=200 \
+          -XX:+UnlockExperimentalVMOptions \
+          -XX:+DisableExplicitGC \
+          -XX:+AlwaysPreTouch \
+          -XX:G1NewSizePercent=30 \
+          -XX:G1MaxNewSizePercent=40 \
+          -XX:G1HeapRegionSize=8M \
+          -XX:G1ReservePercent=20 \
+          -XX:G1HeapWastePercent=5 \
+          -XX:G1MixedGCCountTarget=4 \
+          -XX:InitiatingHeapOccupancyPercent=15 \
+          -XX:G1MixedGCLiveThresholdPercent=90 \
+          -XX:G1RSetUpdatingPauseTimePercent=5 \
+          -XX:SurvivorRatio=32 \
+          -XX:+PerfDisableSharedMem \
+          -XX:MaxTenuringThreshold=1 \
+          -Dusing.aikars.flags=https://mcflags.emc.gs-Daikars.new.flags=true \
+      '';
+
+      serviceConfig = {
+        Restart = "always";
+        User = "minecraft";
+        WorkingDirectory = "/minecraft";
+
+        StandardInput = "socket";
+        StandardOutput = "journal";
+        StandardError = "journal";
+
+        # Hardening
+        CapabilityBoundingSet = [""];
+        DeviceAllow = [""];
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+      };
+      preStart = ''
+        echo "eula=true" > eula.txt
+      '';
+    };
+  };
+  _file = ./minecraft.nix;
+}
--- a/hosts/gerg-desktop/services/nextcloud.nix
+++ b/hosts/gerg-desktop/services/nextcloud.nix
@ -0,0 +1,40 @@
+_: {
+  pkgs,
+  config,
+  ...
+}: {
+  sops.secrets = {
+    sql_nextcloud = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+    nextcloud = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+  systemd.tmpfiles.rules = [
+    "d /persist/services/nextcloud - nextcloud nextcloud - -"
+  ];
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud27;
+    datadir = "/persist/services/nextcloud";
+    hostName = "next.gerg-l.com";
+    autoUpdateApps.enable = false;
+    enableBrokenCiphersForSSE = false;
+    config = {
+      dbtype = "pgsql";
+      dbhost = "/run/postgresql";
+      dbpassFile = config.sops.secrets.sql_nextcloud.path;
+      adminpassFile = config.sops.secrets.sql_nextcloud.path;
+      adminuser = "admin-root";
+      defaultPhoneRegion = "US";
+    };
+  };
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+  _file = ./nextcloud.nix;
+}
--- a/hosts/gerg-desktop/services/nginx.nix
+++ b/hosts/gerg-desktop/services/nginx.nix
@ -3,17 +3,18 @@ _: {
  lib,
  ...
 }: {
-  sops.secrets = lib.mapAttrs (_: v:
-    {
-      owner = "nginx";
-      group = "nginx";
-    }
-    // v) {
-    nixfu_ssl_cert = {};
-    nixfu_ssl_key = {};
-    gerg_ssl_key = {};
-    gerg_ssl_cert = {};
-  };
+  sops.secrets =
+    lib.genAttrs [
+      "nixfu_ssl_cert"
+      "nixfu_ssl_key"
+      "gerg_ssl_key"
+      "gerg_ssl_cert"
+    ]
+    (_: {
+      owner = config.services.nginx.user;
+      inherit (config.services.nginx) group;
+    });
+
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
@ -25,30 +26,29 @@ _: {
        forceSSL = true;
        sslCertificate = config.sops.secrets.nixfu_ssl_cert.path;
        sslCertificateKey = config.sops.secrets.nixfu_ssl_key.path;
-        serverAliases = ["www.nix-fu.com" "nix-fu.com"];
-        locations."/".return = "301 $scheme://www.github.com/Gerg-L$request_uri";
+        serverAliases = ["www.nix-fu.com"];
+        globalRedirect = "github.com/Gerg-L";
      };
-      "search.Gerg-L.com" = {
+      "search.gerg-l.com" = {
        forceSSL = true;
        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
-        locations."/".proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
+        locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};";
+        extraConfig = "access_log off;";
      };
-      "git.Gerg-L.com" = {
+      "git.gerg-l.com" = {
        forceSSL = true;
        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
-        locations."/".proxyPass = "http://192.168.1.11:3000";
+        locations."/".proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
      };
-      "next.Gerg-L.com" = {
+      "next.gerg-l.com" = {
        forceSSL = true;
        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
-        locations."/".proxyPass = "http://192.168.1.11:80";
      };
    };
  };
-  networking.firewall = {
-    allowedTCPPorts = [80 443];
-  };
+  networking.firewall.allowedTCPPorts = [80 443];
+  _file = ./nginx.nix;
 }
--- a/hosts/gerg-desktop/services/parrot.nix
+++ b/hosts/gerg-desktop/services/parrot.nix
@ -4,7 +4,7 @@ _: {
  lib,
  ...
 }: {
-  #discord bot stuff
+  sops.secrets.discordenv = {};
  systemd.services.parrot = {
    enable = true;
    wantedBy = ["multi-user.target"];
@ -17,6 +17,5 @@ _: {
      RestartSec = "30s";
    };
  };
-  sops.secrets.discordenv = {};
-  _file = ./sops.nix;
+  _file = ./parrot.nix;
 }
--- a/hosts/gerg-desktop/services/postgresql.nix
+++ b/hosts/gerg-desktop/services/postgresql.nix
@ -0,0 +1,24 @@
+_: {
+  config,
+  pkgs,
+  ...
+}: {
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+    dataDir = "/persist/services/postgresql";
+    ensureDatabases = [config.services.nextcloud.config.dbname];
+    ensureUsers = [
+      {
+        name = config.services.nextcloud.config.dbuser;
+        ensurePermissions."DATABASE ${config.services.nextcloud.config.dbname}" = "ALL PRIVILEGES";
+      }
+      {
+        name = config.services.gitea.database.user;
+
+        ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+  _file = ./postgresql.nix;
+}
--- a/hosts/gerg-desktop/services/searxng.nix
+++ b/hosts/gerg-desktop/services/searxng.nix
@ -3,16 +3,31 @@ _: {
  pkgs,
  ...
 }: {
-  sops.secrets.searxngenv = {};
+  sops.secrets.searxngenv = {
+    owner = "searx";
+    group = "searx";
+  };
+  users.users.${config.services.nginx.user}.extraGroups = ["searx"];
  services.searx = {
    enable = true;
-    runInUwsgi = false;
    package = pkgs.searxng;
+    #Later
+    /*
+    redisCreateLocally = true;
+    limiterSettings = {};
+    */
+    runInUwsgi = true;
+    uwsgiConfig = {
+      socket = "/run/searx/searx.sock";
+      chmod-socket = "660";
+      disable-logging = true;
+    };
    environmentFile = config.sops.secrets.searxngenv.path;
    settings = {
+      general.instance_name = "Gerg search";
      server = {
-        port = 8765;
        secret_key = "@SEARXNG_SECRET@";
+        base_url = "https://search.gerg-l.com";
      };
      search.formats = [
        "html"
@ -31,4 +46,5 @@ _: {
      ui.theme_args.simple_style = "dark";
    };
  };
+  _file = ./searxng.nix;
 }