meow

2025-11-24 09:33:42 +01:00 · 2025-11-24 09:33:42 +01:00 · a9c92dafed
commit a9c92dafed
parent 83de52d5db
212 changed files with 987 additions and 13525 deletions
--- a/instances/nemesis/configuration.nix
+++ b/instances/nemesis/configuration.nix
@ -0,0 +1,79 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+{
+  nixpkgs.system = "x86_64-linux";
+  imports = [
+    ./hardware-configuration.nix
+    # ./services/attic.nix
+    # ./services/immich.nix
+    # ./services/jellyfin.nix
+    # ./services/paperless.nix
+    # ./services/ytdl-sub.nix
+
+  ];
+  time.timeZone = "Europe/Berlin";
+  networking.hostId = "7b4c2932";
+
+  containers.ds9 = {
+    autoStart = true;
+    privateNetwork = true;
+    enableTun = true;
+    additionalCapabilities = [
+      "CAP_NET_ADMIN"
+      "CAP_MKNOD"
+      "CAP_BPF"
+      "CAP_DAC_READ_SEARCH"
+      "CAP_SYS_RESOURCE"
+      "CAP_SYS_ADMIN"
+    ];
+    hostAddress = "192.168.100.10";
+    localAddress = "192.168.100.11";
+
+    path = inputs.oldConf.nixosConfigurations.ds9.config.system.build.toplevel;
+    
+    bindMounts = {
+      "/data" = {
+        hostPath = "/data";
+        isReadOnly = false;
+      };
+      "/backup" = {
+        hostPath = "/backup";
+        isReadOnly = false;
+      };
+      "/persistent" = {
+        hostPath = "/oldds9/persistent";
+        isReadOnly = false;
+      };
+    };
+  };
+  networking.nat.enable = true;
+  networking.nat.internalInterfaces = [ "ve-+" ];
+  networking.nat.externalInterface = "enp1s0f1"; # TODO: changeme
+
+  xyno.services.traefik = {
+    enable = true;
+    simpleProxy.oldds9 = {
+      host = "*.hailsatan.eu";
+      internal = "http://192.168.100.11";
+    };
+  };
+
+  xyno.presets.cli.enable = true;
+  xyno.presets.server.enable = true;
+  # xyno.services.wireguard.enable = true;
+  # xyno.services.caddy.enable = true;
+  # xyno.services.monitoring.enable = true;
+  # xyno.services.authentik.enable = true;
+  xyno.presets.home-manager.enable = true;
+  xyno.system.user.enable = true;
+  xyno.networking.networkd = {
+    enable = true;
+  };
+
+  system.stateVersion = "25.11";
+}
--- a/instances/nemesis/default.nix
+++ b/instances/nemesis/default.nix
@ -0,0 +1,11 @@
+{
+  imports = [ ./configuration.nix ];
+  # xyno.services.monitoring.prometheusServer = true;
+  xyno.meta = {
+    sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7";
+  };
+  # xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
+  deployment = {
+    targetHost = "nemesis.xyno.systems";
+  };
+}
--- a/instances/nemesis/hardware-configuration.nix
+++ b/instances/nemesis/hardware-configuration.nix
@ -0,0 +1,129 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ "${modulesPath}/installer/scan/not-detected.nix" ];
+
+  # boot.lanzaboote = {
+  #   enable = true;
+  #   pkiBundle = "/var/lib/sbctl";
+  # };
+  # boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.systemd-boot.enable = true;
+
+  boot.initrd.availableKernelModules = [
+    "r8169"
+    "ahci"
+    "vfio-pci"
+    "xhci_pci"
+    "ehci_pci"
+    "nvme"
+    "usbhid"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.kernelModules = [ "kvm-amd" ];
+  nix.settings.max-jobs = lib.mkDefault 12;
+  powerManagement.powertop.enable = true;
+  powerManagement.cpuFreqGovernor = "powersave";
+  powerManagement.scsiLinkPolicy = "min_power";
+
+  services.zfs.autoScrub.enable = true;
+
+  services.sanoid.datasets."rpool/content/safe/data/media" = { };
+  services.sanoid.datasets."rpool/content/safe/data" = { };
+  services.sanoid.datasets."spool/nemesis/persistent" = { };
+  services.sanoid.enable = true;
+  services.sanoid.interval = "0/8:00:00";
+
+  boot.initrd.systemd = {
+    enable = true;
+  };
+  boot.initrd.network = {
+    enable = true;
+    postCommands = ''
+      zpool import rpool
+      zpool import spool
+      echo "zfs load-key -a; killall zfs" >> /root/.profile
+    '';
+    ssh = {
+      enable = true;
+      port = 2222;
+      hostKeys = [
+        "/persistent/initrd/ssh_host_rsa_key"
+        "/persistent/initrd/ssh_host_ed25519_key"
+      ];
+      authorizedKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/oMAi5jyQsNohfhcSH2ItisTpBGB0WtYTVxJYKKqhj" # TODO
+      ];
+
+    };
+
+  };
+
+  # swapDevices = [
+  #   {
+  #     device = "/dev/disk/by-id/nvme-eui.000000000000000100a075202c247839-part1";
+  #     randomEncryption = true;
+  #   }
+  # ];
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/149F-23AA";
+    fsType = "vfat";
+    options = [
+      "noauto"
+      "x-systemd.automount"
+    ];
+  };
+
+  zramSwap.enable = true;
+  zramSwap.writebackDevice = "/dev/zvol/spool/nemesis/zswap";
+
+  fileSystems."/persistent/var/lib/postgres" = { # has things of https://wiki.archlinux.org/title/ZFS#Databases set
+    device = "spool/nemesis/postgres";
+    fsType = "zfs";
+  };
+  fileSystems."/persistent" = {
+    device = "spool/nemesis/persistent";
+    fsType = "zfs";
+  };
+  fileSystems."/var/log" = {
+    device = "spool/nemesis/varlog";
+    fsType = "zfs";
+  };
+  fileSystems."/nix" = {
+    device = "spool/local/nix";
+    fsType = "zfs";
+  };
+
+  fileSystems."/data" = {
+    device = "rpool/content/safe/data";
+    fsType = "zfs";
+  };
+  fileSystems."/data/media" = {
+    device = "rpool/content/safe/data/media";
+    fsType = "zfs";
+  };
+  fileSystems."/backups" = {
+    device = "rpool/content/local/backups";
+    fsType = "zfs";
+  };
+
+  fileSystems."/oldds9/persistent" = {
+    device = "spool/safe/persist";
+    fsType = "zfs";
+  };
+  fileSystems."/oldds9/varlog" = {
+    device = "spool/local/journal";
+    fsType = "zfs";
+  };
+
+}
--- a/instances/nemesis/secrets/atticd.yaml
+++ b/instances/nemesis/secrets/atticd.yaml
--- a/instances/nemesis/secrets/authentik.yaml
+++ b/instances/nemesis/secrets/authentik.yaml
@ -0,0 +1,57 @@
+authentik:
+    env: ENC[AES256_GCM,data:lHo29WanGT+AqxfIPFACXfklsYRZss/iZwsZmjbhXu9Od9GnUozzh9P2P0h+AeMIw6CCreJyohIe53ju+nlFGkyRsQ0BJ6K8fRiIglDuFF2vLK6ATuDP6QpoK2tOFpUW2Ne5SqnnAhEnAyJ42NpmDTiepuZPiUYLH/vg35AavQhE5OrRGG2YjblZ12e3pXxIWC/Frqa7fnbzh2I2dhyLGCkYkDfOI4WiZieERphnTkP9wBIi3on1I27dZEZJ0f6k5ei5Upre3kIaQKwGJSIw2NoD6FiFTQ5ytsv8tbN37nIyTPp4O+mvEuXYCwM6BqCvZnNkvoZkTOnAVr2CjzNK/JCmimFU6Kk9rxRzhbmAsoCkx1Rns9c6qdCo8qMH94o+4YWOdW9GcQT0FsLa/WzIRgDpOIfqCpKQiXbU1wlh+Yw87MInMZpvXsRpwtVnZz0SVvjr9c1IOyqWwyThM0lg+wijepAzEZZVJfUU5+GR+RgQNoQJAeUyXubH07RDTcV5XfjsLP85C8grgN/PieIC,iv:eoQ8QEBAW9w6/PV+HDdZ6NgB2kINpphPMCbarmKBay0=,tag:TsINizOipDtkXjbWPJ4pRQ==,type:str]
+sops:
+    lastmodified: "2025-09-06T18:00:23Z"
+    mac: ENC[AES256_GCM,data:bI9CvBD1vFgTJc6L13alqYPJ1/Jj5h/KCWqSSlaYVm0SZVigeRWxAg84RKRZki1DcUpLFxQdCcNUEGfffMcg6PVHJkQMiQJ1vfmRDDRNijCIoWjUDuL+QXpR38y+dBX7VL67z435jcqAOw/K9/mDfHF92BNmYDuzp4edS4tJOfY=,iv:M5/tgSh2NsZnedBxfgQO/+e9OMuDweTYbUNhtLP8q1s=,tag:pWJaXjUp65G2Buz8M2eq4A==,type:str]
+    pgp:
+        - created_at: "2025-09-06T17:57:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hL4DAAAAAAAAAAASBAMEfRbweJXEuALhkTVq+G9vZKseHSs0v2RJ7BlrCXX1HlqN
+            QMk+uNFyogw+4+0NAqOSWcj5nBBtRH/hX/p6G2l88wlc9JydmbbYQ2Gi+8TnuOgG
+            VamODcj9AWsJQ8y3CW/10RfcniyHB9JZcaBqFGsXUDDvmZPu0N+SUeEHSzg7tAUw
+            SwJUjalaTPDROP+R/y0ZFka4jKp8XqPr4H/4hvnpf6TXd+8WzYH/yC6yuoZDIexx
+            0l4BzxHrfFkN0qdQazATJDB/Rqxr+aWCw6OtO2+wt7O/rXhiqJdumGcK6/ZgqCGJ
+            V29dn+x3oUM/wsc7LEFVAZe1cXB9DAZ4jJLUjRyUdHHgauYS4XZBRvsFMAJ2P9km
+            =29z4
+            -----END PGP MESSAGE-----
+          fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
+        - created_at: "2025-09-06T17:57:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQv/UGwFHKX91CovaBAeRVKqT0asZCb9gJ1CYOLllY9GzZGq
+            yvFXAd13d8+ckQEI2w482sgMgpxUxxxJV9L68AT5nZSFWxQLATAA9Jx2Vxa7eUWH
+            HC9ImmtU+nhF5HuErq3/eMRdtbskvrvSD4MKI47apNh+OWyNJ3Oapv38Fu8c3jtY
+            0zdYgKSQgu6O/5XbvuPJcQu44zEPr5q8IkXEt43R/SVBEWCN3NVvK0wQcUn6Li0j
+            rhdnZyLVB8BdlzjV2Q7X/6k4bcE+q+r//fNwQTw/CkWgYejt40VzZf0do2Z/iYgb
+            Vqmc4ka99z9laSsrxd8974k6ZYcgb1ZY76pLZwyo17LNn5yYamp6fDaat9p0+Jyw
+            UlD9nz+JOnnlRaN7hGs5kXuUTCmvEbck5nKhbejPhCKhUFY+42Mrk+X3cdXUyk4u
+            wYBFN/wW9TPMeJ2QxaXqmiBKJznMz0I32gJ/wPmUNLSlPlnb2CXG4jJjuKfMI8Px
+            9hQhxS/t4ztZB4Cny2l80lgB10M5NTaOz9VCr/lsX9tTcnRNHsKuByHGgtbTTkiF
+            ozE/5VeSpfOfR/nDmE2HwqvXP9aBHYBo2bX0BWCpHcbLddynptNVmorwvDchlmjJ
+            Mp6Lg0T+d21O
+            =wy3b
+            -----END PGP MESSAGE-----
+          fp: fada7e7be28e186e463ad745a38d17f36849d8a7
+        - created_at: "2025-09-06T17:57:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQv/VcY7gbDGzqkJARd+73lH/Az24Phmyq5vF4KKBU6bpwN1
+            AZJsglCNYYekR99Iadjz7Wj8mxpSEf8VxmjW7EYH0SIh71YLFDaOPkcebTVWpsFA
+            xYdiYUFiujYz71CfvOSweC3hEqREWma15FPD3jA0TPfoekAYOML95ytCf452hOL+
+            YHaIe8LiaqchJ0AX5JtUZS+NWsiyITd1S9VPgraDH3skUruF+JpzYvg/NIW3wexT
+            +Ul6ACzDOtpx7lfZlcj5rYndR4glhELF/bsIfhM9s2ESAuc/uFK46kzhDfe1rnRw
+            Edx09n7udIB5RZcn4x3jgCS721Dz0wSqnbC49OWfxHux4DadcIwzITI6MZFyWPhk
+            3Gbo1cNnxMvYSE4X86J6ZY9zqrxu9w2hRV7JSeR2ATeC5AHYdU+gTsUyzTlaSNKn
+            9uVOLuczajuaFMnp7Hbd/H8rVJv8SNTeDtZE+wvUnRX2+yjDsPzdqquTEnk6N2uM
+            WTGKHc6DJk9/MDmovJMa0lgBzaUUSCHoxeOaWUuNUiyvLJyyzClmD60VkU0DrBID
+            rdotdzKIYL1GLfjfD/tSjKCqEQ3d2PSXSSnvvVkBUvkZSFNRYYqJOKwcFs3szmvM
+            0ZJFm0C+a3YJ
+            =Us6w
+            -----END PGP MESSAGE-----
+          fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/instances/nemesis/secrets/wg.yaml
+++ b/instances/nemesis/secrets/wg.yaml
@ -0,0 +1,57 @@
+wg:
+    privkey: ENC[AES256_GCM,data:b7wB43mIt64PLb4ig80/TwjEDvHldH+g1cMg4y0t45xD5moCIyTQQMYW8XI=,iv:c6YJzKnSqbG2A7tp9I8CGqo8jPtNh14oHlrTI8/gVrA=,tag:hhfzSb5ubiMFcQu0FdGmzg==,type:str]
+sops:
+    lastmodified: "2025-09-06T23:31:51Z"
+    mac: ENC[AES256_GCM,data:dp1W5HM1NjubonM1Cxa21gTGozYzZLQgjcBmAnDxnK7GEec3lHgWFXkQ6KALmuisIFpvR7SkVjCu4gyZzmh0IuGpqtpHpluzny1uHBUCQer7ojsdNkcp5kETUk8VwiZZja6Gj0kDtXfEf103bpT0T0Z+UOVMrWKoWGQbv4brVaQ=,iv:FfcsqVdd7YVkQmCplzLTv/sHDSNAEHjcP4OxOZA7g28=,tag:/43cCFLF6cgX1iNfGk+ohw==,type:str]
+    pgp:
+        - created_at: "2025-09-06T23:31:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hL4DAAAAAAAAAAASBAMEQwLDACmQv4ORHq85U/BoynySfEpqqyUtzPZOiFR4Hj2s
+            eF5hblqTIMcdiRkIVeF+Lg1Oor4tui8MgKwKA7kfq54MQysMFtpRWIu2AMrneC9E
+            wJ+FnhKTaRrqiH7v41OLtjX1twZxOWUvHo+kOhEN29UhwdiaA12f5BnN4a7qzz4w
+            Y0cl6YKlE6XKn345TVvl3GXB/+/4VUrReDmAjxJhZ/gdmLBQ1Pjz6/Nvp/gu3BZP
+            0l4BXwEklaJ/2ILKbGmdzyH9XAl2BW768+B7ygawHtPOnlMtyoJG8/3FMWv/ZbcP
+            Ar38mIH2+rbQMgTwe3WAbaQ0QPwZrw0bZFvqcWdGpBU8qQDmpr67A0gH2TfXTIhY
+            =E1SN
+            -----END PGP MESSAGE-----
+          fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
+        - created_at: "2025-09-06T23:31:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQv/dOE7FqGma8ic/QIX01yqNL4si2Dq/QNnHWfGeHdIwUtb
+            bERaEk92TgixAopOvGiXNoxNMORaFmbbt93ikVIEO4omYQjyrMgM1iv+UtRgom3i
+            Cdo2esCcNzVsktpM611JopoEZWMetoZ9arQUZkpR1lS7oa/yvSVDavv6WWe2/Uug
+            pisC4btLdQW1yy8fvH1TUolBXOHI28Ms5AMTh8wqHIFOv5szVJU+nD+8jiL63Wmw
+            q94HwU4B5/o3KazpbpPv4b7EtLr+aki2n0NYsgKNI9e8in4Hl4fmcnGNWhkryg/5
+            7iY2y50aG8vJyd7KnVmsgv08cN9Cdb5YSljE4V4Lh4cgISVEHJCyfaITAH+kozyL
+            wNskdIkFABpMotNPKXvTEFIqxHhosCKZjcmJiK7VI1cSKO7UujUpgJspia4gvd2f
+            aAgyVVLaJjO2xA5fAa6hJWolib0jJdFc7OjfMV1lneEQrDI8KGC6kkwAkYRDTECn
+            9n1B6s3607KSVTLux69L0lgBY2l9TErn/JygNrGsOhxrL8HdEHbT8vM/ys0Ty0sp
+            6IkhEP3WAruWafBlI+Ih3Vfeo/Ixb6s1f+v721Ft0CtoZEah57xKEpqthrkqYt6q
+            v/GJ8XdboDBZ
+            =7YJl
+            -----END PGP MESSAGE-----
+          fp: fada7e7be28e186e463ad745a38d17f36849d8a7
+        - created_at: "2025-09-06T23:31:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGLAwAAAAAAAAAAAQv1HZzh5kRuqrRm/ZEk5zhzjs1ijDOWvkAdFexm77xWGKFo
+            geaixzxqq7y9wz9DowXJGAf5PETFJK08BCW9eJFesX+Qbnbb8baxaK/L1O0bJfw9
+            fdcUeA5cZ8soBUqKFFi5XYGYKHh2HbKyXHvSrgZq7aG+9OTa2Qhw8XbbPu6TeeqS
+            jRpsmVD2K/60zVrwV9ZtNe1lBdl8S9BHFJEceCtFDuBi4Or+OkLBXatTzxUSu1Qv
+            atdQX0gliUOrlytafuGwbcKrMuMPX7WXbaAPblewuDUPemBr4YBLJOn1hIhJy9vb
+            Yz9JtP9VZgH5OWh0icsEuCAgxzh8LW/cZ5FUmx30m19949AROHjlemtSlrvgkU5c
+            FwoN9wZCeVncWzWcRVlWBHbp4aqOCZXTDKnZEK0pX+jPaUgIVwXwV0L66dfb265E
+            PLA2xe+HcIvuCsdctgywuoO/9czJw3wt63FBAq66BzUITdd619o4CkqbuBnm/5Of
+            +SY7jScWxnzlQttwBbfSWAHOJFkVS4hczvhzsAoYFMJjN6f9yEWsoXen85JnUJoM
+            WhjGOJkCF+AoX/Z0SA9WibgALjIPqvLLfrLSMPoWFrbysc2p+17RqaqlQSSVk5uB
+            epnIJRWjUTU=
+            =zxBa
+            -----END PGP MESSAGE-----
+          fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/instances/nemesis/secrets/woodpecker.yaml
+++ b/instances/nemesis/secrets/woodpecker.yaml
@ -0,0 +1,59 @@
+woodpecker:
+    agent_secret: ENC[AES256_GCM,data:3UeEZus6umg6PgIHRz91PN3oiUqpq/PWMrleOt3MCtfUf/oSefFdAZ/QuHK0jhrYMXBbbswql9jEu7DY1ztzP05oEfk2XtGQHnXr9yhizLRvCeJ4izFNYEc=,iv:c9RipnwCLe2RRSQJrVh+Rh6pDA2kssTNe0aNvcQbBnE=,tag:JfHn71sb6/ZE6OLzzCxcNQ==,type:str]
+    gitea: ENC[AES256_GCM,data:nG6YB4MK/GJG98LsVEMbeaEDvlGHmAsQRpoQZQ==,iv:7Ew2Ri/QTV0N3u3BrJ+uafDktcw57c3jArGaq7Wrrr8=,tag:eYCYxhGuYVZb51qGI4uynQ==,type:str]
+    prometheus: ENC[AES256_GCM,data:q2Z8uO7Cvg31eY9c8rPcYIEuzF/VIHVfViPKWej4DIBYmJqxEWbwdDEPYN1iDKLQDr/PwDj9Zm0QeOqek7qLPanNaLsynZmz29j//bqQOjds2KrPhQQZ,iv:kujSbMkIOtAUfOsftT7mbH2n/M1y/eeoOcMTqKwI4Wo=,tag:V3Lpe54p4oBcxe/KGdHQFw==,type:str]
+sops:
+    lastmodified: "2025-09-06T22:46:06Z"
+    mac: ENC[AES256_GCM,data:LpSU8hHNrMOXfx+4DZstOYlRF/2MjJWwCwUwjyA4Gxn4+OivfC/tVLxicYw3UYMwIksG4ENwMgdm3j+UI3+x9UWdG1qjBnXKOqQK35IlSP7sF0/Ksa+4suB7axhz/kXNm+ntuvyzTKIRtYnYT0uBWPhAuEIwn2yIdY2x0AOPOjo=,iv:5+kExY4v6i4ws7pGABx0dXUrFEq7F2njNUWPzuhz5ZU=,tag:e36ICN2K2hkhtHOBNYmb1A==,type:str]
+    pgp:
+        - created_at: "2025-09-06T22:36:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hL4DAAAAAAAAAAASBAMELJIJb18SjKdjEsA9tR4uBLctJlaD4L4i3f1bYzUFiu/Q
+            Skn+W1TwQKMYxZnr7YlIAQcZSjpZLzQE1AY/ZjzgLDtTesx9RQejtWzaXrk744Ge
+            /o53slD0pOd/bwvb5YFFBQzR9o0leK7Rfogps9DXDG9UsSJmW8HUFqaBOOeYVNEw
+            o6zHGUYRNef8U5nxW50PWa1YbH6g5mX0Q8vP6j7lWBe6UGbBwXTJIctMknxUViid
+            0l4Bedn5GIN3xC0EJuJQ9mhVhHH2YMwcqKSQR2YcimKXIayy3ADVSWqnh0uEhXHD
+            EBkUmk5a9FVxrWr/D+2ZW6Md0SG6fV33VcxT13Yx/YVg/L1nNLYcfP2ZWDVpibq0
+            =DFT7
+            -----END PGP MESSAGE-----
+          fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
+        - created_at: "2025-09-06T22:36:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQwAtVrcsgUEgocwIx8OQ4cba/KQYl5nyIuL2ElnJcKBHoOu
+            2tsC9zXFomGpguGh+RnTsbApOXajSVbEmvH85flShEi1qm8IUUTofO2I1e9/bXDt
+            tDu4QXH5Z2mp6x6HZZRC2tx/otem3Inn/RMmNJWaaotsBq6AFCRrSzlaaXkNZEJQ
+            zaIolujXoNgXE6xEZ4J2RfjIyITBktHI7IwfkKXBWeb920QGRXG88rTwenlkhPOS
+            gXyu8hGvLuDL6y4TPvDO0E3rnelDyeLwaCek7S4qLAyd+pvx1bTla2svCZTVZCfh
+            WxRQ4S5fZt9HnsmLe91vYYkxLi7O1qzVKhueAEqa1T1/Bp0RHbAcDph/rakGm0Z0
+            1GQJD77TrGtsj2ZD+1OtYDX9Uj/TmaJktTwYNhe3HxelOM1+GL3MybPuW+kgEN3x
+            1LRu3X1Gk3MzpmEpv3aehwHGOWplGwmCygptgg3x27O68c+Nf2Qdz5aa04mhzV3g
+            R2G3uX9HXJmrXIaXURwi0lgBkBbh26shJIrqTvo2K+ZB3LTFtOozSlcw2KAP5TKo
+            S3gUpdl8WZ8tK51U5WI+KQkeXGmGlLtmkorB1PS1lL03A4s/TBgHcpAmaz4/CdfI
+            3kfq/UxdviG/
+            =n2oS
+            -----END PGP MESSAGE-----
+          fp: fada7e7be28e186e463ad745a38d17f36849d8a7
+        - created_at: "2025-09-06T22:36:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQwAqKJADgVZRAYxVg4ddDtzJjdh/XyaQaFktn1BkAyq/bUT
+            T5rtyrRsDnRW/JvYIWJt9O9ewsNYRWF0CPfPRaLeUaWMXnvmRPFeZB+CqfIjxQdE
+            qZcDLq0UL6lv4y7RUYi7HL8qoKATqVyxmBkKb04SWm/R6iGm2O7mO1cg/sqwCCnv
+            m0abeQvn/wlIl0yeQxsT/b1ZUzxIn/5TPOPu5MIbpeUNRZJU3xgD+6K9ZFZphx3T
+            0FQjz54MHgJ+GHEAfPIVJ1zZ1pnAY2EsigWqLOwttG5FwXKAhmtkCXcZc9biG3bO
+            K5mI1zosHO9ktp04YA8hE7cybgnlut3roWFlnPb1UFj3T2q8UUUKXjB9ztIF58Nd
+            GCIg1zua/5Iuz58G3nTCmUg4+0tnJGbTYRTixZLdF9q3Ff0R3ckOIw7wFZQL6ZHm
+            Fx1XXZ+3CffjySf2iBT2j+eR8Pe6Aue3aD7dkmq/m7hatoG/0FqnrDWeiMXBqBrY
+            MEad4gm8QC4IVTzDSfR60lgBTMVc9vJAS22UwEcVgCDxXeoQnXu4HCsnxi5XmWQc
+            BNeQ5gdVrmDQZ56ER1ik6hYUUzmZd3iOGV+r7oi3qWq6PHAjl9tx9KZkhEO3Sqvf
+            kzeCBEUPKfGc
+            =rb5/
+            -----END PGP MESSAGE-----
+          fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/instances/nemesis/services/attic.nix
+++ b/instances/nemesis/services/attic.nix
@ -0,0 +1,29 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.attic.extraConfig =
+    "reverse_proxy http://[::1]:8089";
+  services.postgresql.ensureDatabases = [ "atticd" ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "atticd";
+      ensureDBOwnership = true;
+    }
+  ];
+  services.atticd = {
+    enable = true;
+    settings.database.url = "postgresql://atticd@localhost/atticd?host=/run/postgresql";
+    settings.listen = "[::1]:8089";
+    settings.allowed-hosts = [ "attic.hailsatan.eu" ];
+    settings.api_endpoint = [ "https://attic.hailsatan.eu/" ];
+    environmentFile = config.sops.secrets."atticd/env".path;
+  };
+  sops.secrets."atticd/env" = {
+    sopsFile = ../secrets/atticd.yaml;
+  };
+  xyno.impermanence.directories = [ "/var/lib/atticd" ];
+}
--- a/instances/nemesis/services/immich.nix
+++ b/instances/nemesis/services/immich.nix
@ -0,0 +1,19 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.immich.extraConfig =
+    "reverse_proxy http://[::1]:${toString config.services.immich.port}";
+  services.immich = {
+    enable = true;
+    group = "users";
+    mediaLocation = "/data/immich";
+    settings = {
+      newVersionCheck.enabled = false;
+      externalDomain = "https://immich.hailsatan.eu";
+    };
+  };
+}
--- a/instances/nemesis/services/jellyfin.nix
+++ b/instances/nemesis/services/jellyfin.nix
@ -0,0 +1,20 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.j.extraConfig =
+    "reverse_proxy http://[::1]:8096";
+  xyno.impermanence.directories = [ config.services.jellyfin.dataDir ];
+  xyno.services.authentik.ldapApps.jellyfin = {
+    name = "Lucy+";
+    meta_description = "Jellyfin";
+    meta_launch_url = "https://j.hailsatan.eu";
+  };
+  services.jellyfin = {
+    enable = true;
+    group = "users";
+  };
+}
--- a/instances/nemesis/services/paperless.nix
+++ b/instances/nemesis/services/paperless.nix
@ -0,0 +1,26 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.paperless.extraConfig =
+    "import reverse_proxy_auth http://${config.services.paperless.address}:${toString config.services.paperless.port}";
+  xyno.impermanence.directories = [ config.services.paperless.dataDir ];
+  xyno.services.authentik.proxyApps.paperless = {
+    externalHost = "https://paperless.hailsatan.eu";
+    name = "Paperless";
+    groups = [ "admin" ];
+  };
+  services.paperless = {
+    configureTika = true;
+    enable = true;
+    database.createLocally = true;
+    domain = "paperless.hailsatan.eu";
+    exporter = {
+      enable = true;
+      directory = "/data/paperless-export";
+    };
+  };
+}
--- a/instances/nemesis/services/woodpecker.nix
+++ b/instances/nemesis/services/woodpecker.nix
@ -0,0 +1,75 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.woodpecker.extraConfig =
+    "reverse_proxy http://[::1]:18000";
+  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.woodpecker-agent.extraConfig =
+    "reverse_proxy h2c://[::1]:19000";
+  services.postgresql.ensureDatabases = [ "woodpecker" ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "woodpecker";
+      ensureDBOwnership = true;
+    }
+  ];
+
+  services.woodpecker-server = {
+    enable = true;
+    environment = {
+      GITEA = true;
+      GITEA_URL = "https://git.xyno.systems";
+      GRPC_ADDR = ":19000";
+      SERVER_ADDR = ":18000";
+      WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker@localhost/woodpecker?host=/run/postgresql";
+      WOODPECKER_DATABASE_DRIVER = "postgres";
+      WOODPECKER_HOST = "https://woodpecker.hailsatan.eu";
+    };
+    environmentFile = [
+      config.sops.secrets."woodpecker/agent_secret".path
+      config.sops.secrets."woodpecker/gitea".path
+    ];
+  };
+
+  virtualisation.podman = {
+    dockerSocket.enable = true;
+    enable = true;
+    autoPrune.enable = true;
+    defaultNetwork.settings = {
+      dns_enabled = true;
+    };
+  };
+  # This is needed for podman to be able to talk over dns
+  networking.firewall.interfaces."podman0" = {
+    allowedUDPPorts = [ 53 ];
+    allowedTCPPorts = [ 53 ];
+  };
+  services.woodpecker-agents.podman = {
+    environment = {
+      WOODPECKER_SERVER = "[::1]:19000";
+      WOODPECKER_BACKEND = "docker";
+      WOODPECKER_MAX_WORKFLOWS = 4;
+      DOCKER_HOST = "unix:///run/podman/podman.sock"; # the woodpecker can have a little podman. as a treat
+    };
+    environmentFile = [
+      config.sops.secrets."woodpecker/agent_secret".path
+    ];
+    extraGroups = [ "podman" ];
+  };
+  sops.secrets."woodpecker/agent_secret" = {
+    sopsFile = ../secrets/woodpecker.yaml;
+  };
+  sops.secrets."woodpecker/gitea" = {
+    sopsFile = ../secrets/woodpecker.yaml;
+  };
+  sops.secrets."woodpecker/prometheus" = {
+    sopsFile = ../secrets/woodpecker.yaml;
+  };
+  xyno.impermanence.directories = [
+    "/var/lib/woodpecker"
+    "/var/lib/containers"
+  ];
+}
--- a/instances/nemesis/services/ytdl-sub.nix
+++ b/instances/nemesis/services/ytdl-sub.nix
@ -0,0 +1,129 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+with lib;
+let
+  channels = {
+    "Entertainment" = [
+      "2BoredGuysOfficial"
+      "AlexPrinz"
+      "BagelBoyOfficial"
+      "DiedeutschenBackrooms"
+      "DankPods"
+      "Defunctland"
+      "Ididathing"
+      "GarbageTime420"
+      "Boy_Boy"
+      "ContraPoints"
+      "PhilosophyTube"
+      "PosyMusic"
+      "RobBubble"
+      "agingwheels"
+      "NileBlue"
+      "NileRed"
+      "styropyro"
+      "williamosman"
+      "billwurtz"
+      "f4micom"
+      "hbomberguy"
+      "simonegiertz"
+      "Parabelritter"
+      "DeviantOllam"
+      "MaxFosh"
+      "MichaelReeves"
+      "TomScottGo"
+      "WilliamOsman2"
+    ];
+    "Tism" = [
+      "Echoray1" # alwin meschede
+      "TechnologyConnections"
+      "TechnologyConnextras"
+      "TheB1M"
+      "bahnblick_eu"
+      "jameshoffmann"
+      "scottmanley"
+      "theCodyReeder"
+      "standupmaths"
+    ];
+    "Making" = [
+      "DIYPerks"
+      "MaxMakerChannel"
+      "Nerdforge"
+      "iliketomakestuff"
+      "ZackFreedman"
+
+    ];
+    "Games" = [
+      "TylerMcVicker1"
+      "gabe.follower"
+      "altf4games"
+    ];
+    "Programming" = [
+      "BenEater"
+      "NoBoilerplate"
+      "stacksmashing"
+    ];
+    "Tech" = [
+      "LinusTechTips"
+    ];
+  };
+in
+
+{
+  systemd.services."ytdl-sub-default".serviceConfig.ReadWritePaths = [ "/data/media/yt" ];
+  services.ytdl-sub = {
+    instances.default = {
+      enable = true;
+      schedule = "0/6:0";
+      config = {
+        presets."Sponsorblock" = {
+          ytdl_options.cookiefile = "/data/media/yt/cookies.Personal.txt";
+          subtitles = {
+            embed_subtitles = true;
+            languages = [
+              "en"
+              "de"
+            ];
+            allow_auto_generated_subtitles = false;
+          };
+          chapters = {
+            embed_chapters = true;
+            sponsorblock_categories = [
+              # "outro"
+              "selfpromo"
+              "preview"
+              "interaction"
+              "sponsor"
+              "music_offtopic"
+              # "intro"
+            ];
+            remove_sponsorblock_categories = "all";
+            force_key_frames = false;
+          };
+        };
+      };
+      subscriptions = {
+        "__preset__".overrides = {
+          tv_show_directory = "/data/media/yt";
+          only_recent_max_files = 30;
+          # only_recent_date_range = "30days";
+        };
+        "Jellyfin TV Show by Date | Sponsorblock | Only Recent | Max 1080p" = mapAttrs' (
+          n: v: nameValuePair "= ${n}" (genAttrs v (x: "https://youtube.com/@${x}"))
+        ) channels;
+        "Jellyfin TV Show Collection | Sponsorblock" = {
+          "~Murder Drones" = {
+            s01_url = "https://www.youtube.com/playlist?list=PLHovnlOusNLiJz3sm0d5i2Evwa2LDLdrg";
+            tv_show_collection_episode_ordering = "playlist-index";
+          };
+        };
+      };
+    };
+    group = "users";
+
+  };
+}