feat: add firefly-iii to winters

SwarselSystems.org

@@ -371,19 +371,20 @@ In this section I am creating some attributes that define general concepts of my
       in
       {
         default = pkgs.mkShell {
+            # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
+            #   buildInputs = [pkgs.nixVersions.latest pkgs.boost];
+            #   patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
+            # })}/lib/nix/plugins
           NIX_CONFIG = ''
-            plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
+            plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
-              buildInputs = [pkgs.nixVersions.latest pkgs.boost];
-              patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
-            })}/lib/nix/plugins
             extra-builtins-file = ${self + /nix/extra-builtins.nix}
           '';
           inherit (checks.pre-commit-check) shellHook;
 
           buildInputs = checks.pre-commit-check.enabledPackages;
           nativeBuildInputs = [
-  # (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
+            (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
-            pkgs.nix
+            # pkgs.nix
             pkgs.home-manager
             pkgs.git
             pkgs.just
@@ -1275,7 +1276,7 @@ This machine mainly acts as an external sync helper. It manages the following th
   All of these are processes that use little cpu but can take a lot of storage. For this I use a free Ampere instance from OCI with 50G of space. In case my account gets terminated, all of this data is easily replaceable or backed up regularly anyways.
 
 #+begin_src nix :tangle hosts/nixos/sync/default.nix
-  { lib, primaryUser, ... }:
+  { lib, config, primaryUser, ... }:
   let
     sharedOptions = {
       isBtrfs = false;
@@ -1327,6 +1328,8 @@ This machine mainly acts as an external sync helper. It manages the following th
 
     system.stateVersion = "23.11";
 
+
+    node.secretsDir = ./secrets;
     services = {
       nginx = {
         virtualHosts = {
@@ -4274,6 +4277,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
             freshrss = lib.mkDefault true;
             jenkins = lib.mkDefault false;
             kanidm = lib.mkDefault true;
+            firefly = lib.mkDefault true;
           };
         };
       };
@@ -4576,6 +4580,15 @@ TODO
       }
     );
 
+    # mkUser = name: {
+    #   config.users.users.${name} = {
+    #     group = name;
+    #     isSystemUser = true;
+    #   };
+
+    #   config.users.groups.${name} = {};
+    # };
+
     mkTrueOption = lib.mkOption {
       type = lib.types.bool;
       default = true;
@@ -4849,7 +4862,8 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne
 #+begin_src nix :tangle modules/nixos/common/sharedsetup.nix
   { lib, ... }:
   {
-    options.swarselsystems = {
+    options = {
+      swarselsystems = {
         withHomeManager = lib.mkOption {
           type = lib.types.bool;
           default = true;
@@ -4871,7 +4885,7 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne
 
         isImpermanence = lib.mkEnableOption "use impermanence on this system";
         isSecureBoot = lib.mkEnableOption "use secure boot on this system";
-
+      };
       globals = lib.mkOption {
         default = { };
         type = lib.types.submodule {
@@ -4895,10 +4909,15 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne
                 description = "My main domain.";
               };
             };
-
           };
         };
       };
+      # _globalsDefs = lib.mkOption {
+      #   type = lib.types.unspecified;
+      #   default = options.globals.definitions;
+      #   readOnly = true;
+      #   internal = true;
+      # };
     };
   }
 #+end_src
@@ -7919,11 +7938,15 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
 
         gotenberg = {
           enable = true;
+          package = pkgs.stable.gotenberg;
           port = 3002;
           bindIP = "127.0.0.1";
+          timeout = "600s";
+          chromium.package = pkgs.stable.chromium;
         };
       };
 
+
       # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
       systemd.services.paperless-web.script = lib.mkBefore ''
         oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
@@ -8623,7 +8646,7 @@ I am using this with CapyReader on my phone, set it up as a FreshRSS account wit
         enable = true;
         virtualHost = "signpost.swarsel.win";
         baseUrl = "https://signpost.swarsel.win";
-        authType = "none";
+        authType = "form";
         dataDir = "/Vault/data/tt-rss";
         defaultUser = "Swarsel";
         passwordFile = config.sops.secrets.fresh.path;
@@ -8647,11 +8670,15 @@ I am using this with CapyReader on my phone, set it up as a FreshRSS account wit
 
                   # pass information via X-User and X-Email headers to backend,
                   # requires running with --set-xauthrequest flag (done by NixOS)
-                  auth_request_set $user   $upstream_http_x_auth_request_preferred_username;
+                  auth_request_set $user   $upstream_http_x_auth_request_user;
-                  # Set the email to our own domain in case user change their mail
+                  auth_request_set $email  $upstream_http_x_auth_request_email;
-                  auth_request_set $email  "''${upstream_http_x_auth_request_preferred_username}@swarsel.win";
                   proxy_set_header X-User  $user;
                   proxy_set_header X-Email $email;
+                  proxy_set_header Remote-User  $user;
+
+                  # if you enabled --pass-access-token, this will pass the token to the backend
+                  auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                  proxy_set_header X-Access-Token $token;
 
                   # if you enabled --cookie-refresh, this is needed for it to work with auth_request
                   auth_request_set $auth_cookie $upstream_http_set_cookie;
@@ -8980,6 +9007,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
               "nextcloud.admins" = { };
               "navidrome.access" = { };
               "freshrss.access" = { };
+              "firefly.access" = { };
             };
             persons = {
               swarsel = {
@@ -8994,6 +9022,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
                   "nextcloud.access"
                   "freshrss.access"
                   "navidrome.access"
+                  "firefly.access"
                 ];
                 displayName = "Swarsel";
               };
@@ -9106,21 +9135,31 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
                   originUrl = "https://${oauth2ProxyDomain}/oauth2/callback";
                   originLanding = "https://${oauth2ProxyDomain}/";
                   basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path;
-                  scopeMaps."freshrss.access" = [
+                  scopeMaps = {
+                    "freshrss.access" = [
                       "openid"
                       "email"
                       "profile"
                     ];
-                  scopeMaps."navidrome.access" = [
+                    "navidrome.access" = [
                       "openid"
                       "email"
                       "profile"
                     ];
+                    "firefly.access" = [
+                      "openid"
+                      "email"
+                      "profile"
+                    ];
+                  };
                   preferShortUsername = true;
                   claimMaps.groups = {
                     joinType = "array";
-                    valuesByGroup."freshrss.access" = [ "ttrss_access" ];
+                    valuesByGroup = {
-                    valuesByGroup."navidrome.access" = [ "navidrome_access" ];
+                      "freshrss.access" = [ "ttrss_access" ];
+                      "navidrome.access" = [ "navidrome_access" ];
+                      "firefly.access" = [ "firefly_access" ];
+                    };
                   };
                 };
               };
@@ -9223,6 +9262,117 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
   }
 #+end_src
 
+**** Firefly-III
+
+#+begin_src nix :tangle modules/nixos/server/firefly-iii.nix
+  { lib, config, ... }:
+  let
+    cfg = config.services.firefly-iii;
+    fireflyDomain = "stonks.swarsel.win";
+    fireflyUser = "firefly-iii";
+  in
+  {
+    options.swarselsystems.modules.server.firefly = lib.mkEnableOption "enable firefly-iii on server";
+    config = lib.mkIf config.swarselsystems.modules.server.firefly {
+
+      users.users.firefly-iii = {
+        group = "nginx";
+        isSystemUser = true;
+      };
+
+      sops = {
+        secrets = {
+          "firefly-iii-app-key" = { owner = fireflyUser; group = "nginx"; mode = "0440"; };
+        };
+      };
+
+      services = {
+        firefly-iii = {
+          enable = true;
+          user = fireflyUser;
+          group = if cfg.enableNginx then "nginx" else fireflyUser;
+          dataDir = "/Vault/data/firefly-iii";
+          settings = {
+            TZ = config.repo.secrets.common.location.timezone;
+            APP_URL = "https://${fireflyDomain}";
+            APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
+            APP_ENV = "local";
+            DB_CONNECTION = "sqlite";
+            # AUTHENTICATION_GUARD = "remote_user_guard";
+            # AUTHENTICATION_GUARD_HEADER = "X-User";
+            # AUTHENTICATION_GUARD_EMAIL = "X-Email";
+          };
+          enableNginx = true;
+          virtualHost = fireflyDomain;
+        };
+
+        nginx = {
+          virtualHosts = {
+            "${fireflyDomain}" = {
+              enableACME = true;
+              forceSSL = true;
+              acmeRoot = null;
+              # main config is automatically added by nixos firefly config.
+              # hence, only provide certificate
+              locations = {
+                "/" = {
+                  extraConfig = ''
+                    auth_request /oauth2/auth;
+                    error_page 401 = /oauth2/sign_in;
+
+                    # pass information via X-User and X-Email headers to backend,
+                    # requires running with --set-xauthrequest flag (done by NixOS)
+                    auth_request_set $user   $upstream_http_x_auth_request_user;
+                    auth_request_set $email  $upstream_http_x_auth_request_email;
+                    proxy_set_header X-User  $user;
+                    proxy_set_header X-Email $email;
+
+                    # if you enabled --pass-access-token, this will pass the token to the backend
+                    auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                    proxy_set_header X-Access-Token $token;
+
+                    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                    auth_request_set $auth_cookie $upstream_http_set_cookie;
+                    add_header Set-Cookie $auth_cookie;
+                  '';
+                };
+                "/oauth2/" = {
+                  proxyPass = "http://oauth2-proxy";
+                  extraConfig = ''
+
+                    proxy_set_header X-Scheme                $scheme;
+                    proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+                  '';
+                };
+                "= /oauth2/auth" = {
+                  proxyPass = "http://oauth2-proxy/oauth2/auth";
+                  extraConfig = ''
+                    internal;
+
+                    proxy_set_header X-Scheme         $scheme;
+                    # nginx auth_request includes headers but not body
+                    proxy_set_header Content-Length   "";
+                    proxy_pass_request_body           off;
+                  '';
+                };
+                "/api" = {
+                  extraConfig = ''
+                    index index.php;
+                    try_files $uri $uri/ /index.php?$query_string;
+                    add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
+                    proxy_set_header X-User  "";
+                    proxy_set_header X-Email "";
+                  '';
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  }
+#+end_src
+
 *** Darwin
 :PROPERTIES:
 :CUSTOM_ID: h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47

flake.nix

@@ -128,19 +128,20 @@
         in
         {
           default = pkgs.mkShell {
+            # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
+            #   buildInputs = [pkgs.nixVersions.latest pkgs.boost];
+            #   patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
+            # })}/lib/nix/plugins
             NIX_CONFIG = ''
-              plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
+              plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
-                buildInputs = [pkgs.nixVersions.latest pkgs.boost];
-                patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
-              })}/lib/nix/plugins
               extra-builtins-file = ${self + /nix/extra-builtins.nix}
             '';
             inherit (checks.pre-commit-check) shellHook;
 
             buildInputs = checks.pre-commit-check.enabledPackages;
             nativeBuildInputs = [
-              # (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
+              (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
-              pkgs.nix
+              # pkgs.nix
               pkgs.home-manager
               pkgs.git
               pkgs.just

hosts/nixos/sync/default.nix

@@ -1,4 +1,4 @@
-{ lib, primaryUser, ... }:
+{ lib, config, primaryUser, ... }:
 let
   sharedOptions = {
     isBtrfs = false;
@@ -50,6 +50,8 @@ in
 
   system.stateVersion = "23.11";
 
+
+  node.secretsDir = ./secrets;
   services = {
     nginx = {
       virtualHosts = {

index.html

@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-06-11 Mi 21:36 -->
+<!-- 2025-06-13 Fr 02:34 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configuration</title>
@@ -263,9 +263,9 @@
 <li><a href="#h:7056b9a0-f38b-4bca-b2ba-ab34e2d73493">3.1.4.3. Home-manager only (default non-NixOS)</a></li>
 <li><a href="#h:e1498bef-ec67-483d-bf02-76264e30be8e">3.1.4.4. ChaosTheatre (Demo Physical/VM)</a>
 <ul>
-<li><a href="#orgf2fbce0">3.1.4.4.1. Main configuration</a></li>
+<li><a href="#orge6ad58f">3.1.4.4.1. Main configuration</a></li>
-<li><a href="#orgc66a6e8">3.1.4.4.2. NixOS dummy options configuration</a></li>
+<li><a href="#orga3d14c3">3.1.4.4.2. NixOS dummy options configuration</a></li>
-<li><a href="#org9cd8c12">3.1.4.4.3. home-manager dummy options configuration</a></li>
+<li><a href="#orgb9cef36">3.1.4.4.3. home-manager dummy options configuration</a></li>
 </ul>
 </li>
 </ul>
@@ -305,8 +305,8 @@
 <li><a href="#h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0">3.2.1.27. fhs</a></li>
 <li><a href="#h:814d5e7f-4b95-412d-b246-33f888514ec6">3.2.1.28. swarsel-displaypower</a></li>
 <li><a href="#h:799579f3-ddd3-4f76-928a-a8c665980476">3.2.1.29. swarsel-mgba</a></li>
-<li><a href="#orgef379d5">3.2.1.30. swarsel-deploy</a></li>
+<li><a href="#org6c977da">3.2.1.30. swarsel-deploy</a></li>
-<li><a href="#orgc43a0b3">3.2.1.31. sshrm</a></li>
+<li><a href="#orgbf90fc3">3.2.1.31. sshrm</a></li>
 </ul>
 </li>
 <li><a href="#h:5e3e21e0-57af-4dad-b32f-6400af9b7aab">3.2.2. Overlays (additions, overrides, nixpkgs-stable)</a></li>
@@ -314,37 +314,37 @@
 <ul>
 <li><a href="#h:14e68518-8ec7-48ec-b208-0e3d6d49954d">3.2.3.1. NixOS</a>
 <ul>
-<li><a href="#org523aa9d">3.2.3.1.1. Personal</a></li>
+<li><a href="#org7ab2427">3.2.3.1.1. Personal</a></li>
-<li><a href="#org15286d1">3.2.3.1.2. Chaostheatre</a></li>
+<li><a href="#orgebed78c">3.2.3.1.2. Chaostheatre</a></li>
-<li><a href="#org3b27958">3.2.3.1.3. toto</a></li>
+<li><a href="#org1615bc2">3.2.3.1.3. toto</a></li>
-<li><a href="#org73fceed">3.2.3.1.4. Work</a></li>
+<li><a href="#orgc7113d0">3.2.3.1.4. Work</a></li>
-<li><a href="#orgf3db313">3.2.3.1.5. Framework</a></li>
+<li><a href="#org9ac5e22">3.2.3.1.5. Framework</a></li>
-<li><a href="#org86bb837">3.2.3.1.6. AMD CPU</a></li>
+<li><a href="#org1c1802e">3.2.3.1.6. AMD CPU</a></li>
-<li><a href="#orgc8e6e00">3.2.3.1.7. AMD GPU</a></li>
+<li><a href="#org619b6ae">3.2.3.1.7. AMD GPU</a></li>
-<li><a href="#org71595b2">3.2.3.1.8. Hibernation</a></li>
+<li><a href="#org14d09b9">3.2.3.1.8. Hibernation</a></li>
-<li><a href="#orgee11529">3.2.3.1.9. BTRFS</a></li>
+<li><a href="#org9c9d768">3.2.3.1.9. BTRFS</a></li>
-<li><a href="#orgecce17c">3.2.3.1.10. Local Server</a></li>
+<li><a href="#orgff2b98d">3.2.3.1.10. Local Server</a></li>
-<li><a href="#org2c09e0d">3.2.3.1.11. OCI Sync Server</a></li>
+<li><a href="#orgeeba793">3.2.3.1.11. OCI Sync Server</a></li>
 </ul>
 </li>
 <li><a href="#h:ced5841f-c088-4d88-b3a1-7d62aad8837b">3.2.3.2. home-manager</a>
 <ul>
-<li><a href="#org2765523">3.2.3.2.1. Personal</a></li>
+<li><a href="#orgdcc40f5">3.2.3.2.1. Personal</a></li>
-<li><a href="#org9ebf16d">3.2.3.2.2. Chaostheatre</a></li>
+<li><a href="#orgda5bd25">3.2.3.2.2. Chaostheatre</a></li>
-<li><a href="#org5533dd5">3.2.3.2.3. toto</a></li>
+<li><a href="#org78bfd93">3.2.3.2.3. toto</a></li>
-<li><a href="#org8f9aa78">3.2.3.2.4. Work</a></li>
+<li><a href="#org095828f">3.2.3.2.4. Work</a></li>
-<li><a href="#org1ba4503">3.2.3.2.5. Framework</a></li>
+<li><a href="#org71075bc">3.2.3.2.5. Framework</a></li>
-<li><a href="#org7268790">3.2.3.2.6. Darwin</a></li>
+<li><a href="#orgab68be6">3.2.3.2.6. Darwin</a></li>
-<li><a href="#org035bebd">3.2.3.2.7. Local Server</a></li>
+<li><a href="#orgc70220b">3.2.3.2.7. Local Server</a></li>
 </ul>
 </li>
 </ul>
 </li>
 <li><a href="#h:4d38c9f7-2680-4c02-a1f4-ed8db0d55ce4">3.2.4. Library functions</a></li>
-<li><a href="#org392d09c">3.2.5. Auxiliary files</a>
+<li><a href="#org111a002">3.2.5. Auxiliary files</a>
 <ul>
-<li><a href="#orgd72cdaa">3.2.5.1. extra-builtins</a></li>
+<li><a href="#orgac4d22d">3.2.5.1. extra-builtins</a></li>
-<li><a href="#org0df99c4">3.2.5.2. sops-decrypt-and-cache</a></li>
+<li><a href="#org12f22da">3.2.5.2. sops-decrypt-and-cache</a></li>
 </ul>
 </li>
 </ul>
@@ -369,9 +369,9 @@
 <li><a href="#h:aa433f5e-a455-4414-b76b-0a2692fa06aa">3.3.1.14. Pipewire</a></li>
 <li><a href="#h:7d696b64-debe-4a95-80b5-1e510156a6c6">3.3.1.15. Common network settings</a></li>
 <li><a href="#h:852d59ab-63c3-4831-993d-b5e23b877796">3.3.1.16. Time, locale settings</a></li>
-<li><a href="#orge74406e">3.3.1.17. Meta options</a></li>
+<li><a href="#org4af165f">3.3.1.17. Meta options</a></li>
 <li><a href="#h:d87d80fd-2ac7-4f29-b338-0518d06b4deb">3.3.1.18. sops</a></li>
-<li><a href="#orgc853a17">3.3.1.19. PII management</a></li>
+<li><a href="#org040e64b">3.3.1.19. PII management</a></li>
 <li><a href="#h:e6e44705-94af-49fe-9ca0-0629d0f7d932">3.3.1.20. Theme (stylix)</a></li>
 <li><a href="#h:2bbf5f31-246d-4738-925f-eca40681f7b6">3.3.1.21. Programs (including zsh setup)</a>
 <ul>
@@ -386,7 +386,7 @@
 <li><a href="#h:f101daa2-604d-4553-99e2-f64b9c207f51">3.3.1.22.3. enable GVfs</a></li>
 <li><a href="#h:08d213d5-a9f4-4309-8635-ba557b01dc7d">3.3.1.22.4. interception-tools: Make CAPS work as ESC/CTRL</a></li>
 <li><a href="#h:82fbba41-3a46-4db7-aade-49e4c23fc475">3.3.1.22.5. power-profiles-daemon</a></li>
-<li><a href="#org29775c4">3.3.1.22.6. SwayOSD</a></li>
+<li><a href="#orgcef61ea">3.3.1.22.6. SwayOSD</a></li>
 </ul>
 </li>
 <li><a href="#h:7a89b5e3-b700-4167-8b14-2b8172f33936">3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules</a>
@@ -438,7 +438,8 @@
 <li><a href="#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d">3.3.2.24. FreshRSS</a></li>
 <li><a href="#h:a9965660-4358-4b9a-8c46-d55f28598344">3.3.2.25. forgejo (git server)</a></li>
 <li><a href="#h:cb3f6552-7751-4f9a-b4c7-8d8ba5b255c4">3.3.2.26. Anki Sync Server</a></li>
-<li><a href="#org34a4b66">3.3.2.27. IDM (kanidm + oauth2-proxy)</a></li>
+<li><a href="#orgadabdd9">3.3.2.27. IDM (kanidm + oauth2-proxy)</a></li>
+<li><a href="#org1319ef2">3.3.2.28. Firefly-III</a></li>
 </ul>
 </li>
 <li><a href="#h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47">3.3.3. Darwin</a>
@@ -453,11 +454,11 @@
 <li><a href="#h:34db28fb-62f7-4597-a9ff-0de2991a8415">3.3.4.3. VmWare</a></li>
 <li><a href="#h:fa8d9ec4-3e22-458a-9239-859cffe7f55c">3.3.4.4. Auto-login</a></li>
 <li><a href="#h:5c41c4ee-22ca-405b-9e4f-cc4051634edd">3.3.4.5. nswitch-rcm</a></li>
-<li><a href="#orge3e941d">3.3.4.6. Framework</a></li>
+<li><a href="#org2a02f56">3.3.4.6. Framework</a></li>
-<li><a href="#org16ea1dc">3.3.4.7. AMD CPU</a></li>
+<li><a href="#orgdbf44f7">3.3.4.7. AMD CPU</a></li>
-<li><a href="#org0af6d94">3.3.4.8. AMD GPU</a></li>
+<li><a href="#orgecd29c2">3.3.4.8. AMD GPU</a></li>
-<li><a href="#org7ff8e48">3.3.4.9. Hibernation</a></li>
+<li><a href="#orgda0d8f6">3.3.4.9. Hibernation</a></li>
-<li><a href="#orgbc1d428">3.3.4.10. BTRFS</a></li>
+<li><a href="#org957abf9">3.3.4.10. BTRFS</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.3.4.11. work</a></li>
 <li><a href="#h:3fc1d301-7bae-4678-9085-d12c23eed8ac">3.3.4.12. Minimal Install</a></li>
 </ul>
@@ -506,7 +507,7 @@
 <li><a href="#h:cb812c8a-247c-4ce5-a00c-59332c2f5fb9">3.4.1.29.1. gnome-keyring</a></li>
 <li><a href="#h:be6afd89-9e1e-40b6-8542-5c07a0ab780d">3.4.1.29.2. KDE Connect</a></li>
 <li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.4.1.29.3. Mako</a></li>
-<li><a href="#orgbc58a8f">3.4.1.29.4. SwayOSD</a></li>
+<li><a href="#org6a90363">3.4.1.29.4. SwayOSD</a></li>
 <li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.4.1.29.5. yubikey-touch-detector</a></li>
 </ul>
 </li>
@@ -531,7 +532,7 @@
 <ul>
 <li><a href="#h:84fd7029-ecb6-4131-9333-289982f24ffa">3.4.4.1. Gaming</a></li>
 <li><a href="#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">3.4.4.2. Work</a></li>
-<li><a href="#org0b7d6c4">3.4.4.3. Framework</a></li>
+<li><a href="#orgead591d">3.4.4.3. Framework</a></li>
 </ul>
 </li>
 </ul>
@@ -709,7 +710,7 @@
 <ul>
 <li><a href="#h:c1e53aed-fb47-4aff-930c-dc52f3c5dcb8">6.1. Server Emacs config</a></li>
 <li><a href="#h:fc64f42f-e7cf-4829-89f6-2d0d58e04f51">6.2. tridactylrc</a></li>
-<li><a href="#orge07d1e7">6.3. tridactyl theme</a></li>
+<li><a href="#org71bf76e">6.3. tridactyl theme</a></li>
 <li><a href="#h:77b1c523-5074-4610-b320-90af95e6134d">6.4. Waybar style.css</a></li>
 <li><a href="#h:788937cf-8816-466b-8e57-1b695cb50f52">6.5. justfile</a></li>
 </ul>
@@ -718,7 +719,7 @@
 </div>
 </div>
 <p>
-<b>This file has 66327 words spanning 17467 lines and was last revised on 2025-06-11 21:36:46 +0200.</b>
+<b>This file has 66782 words spanning 17613 lines and was last revised on 2025-06-13 02:34:40 +0200.</b>
 </p>
 
 <p>
@@ -771,7 +772,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-11 21:36:46 +0200)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-13 02:34:40 +0200)
 </p></li>
 </ul>
 
@@ -1012,19 +1013,20 @@ In <code>outputs = inputs@ [...]</code>, the <code>inputs@</code> makes it so th
         in
         {
           default = pkgs.mkShell {
+              # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
+              #   buildInputs = [pkgs.nixVersions.latest pkgs.boost];
+              #   patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
+              # })}/lib/nix/plugins
             NIX_CONFIG = ''
-                plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
+              plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
-                  buildInputs = [pkgs.nixVersions.latest pkgs.boost];
-                  patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
-                })}/lib/nix/plugins
               extra-builtins-file = ${self + /nix/extra-builtins.nix}
             '';
             inherit (checks.pre-commit-check) shellHook;
 
             buildInputs = checks.pre-commit-check.enabledPackages;
             nativeBuildInputs = [
-      # (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
+              (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
-                pkgs.nix
+              # pkgs.nix
               pkgs.home-manager
               pkgs.git
               pkgs.just
@@ -1289,15 +1291,15 @@ They are defined in <a href="#h:5e3e21e0-57af-4dad-b32f-6400af9b7aab">Overlays (
 </ul>
 
 <div class="org-src-container">
-<pre class="src src-nix">  inherit lib;
+<pre class="src src-nix">inherit lib;
 
-  # nixosModules = import ./modules/nixos { inherit lib; };
+# nixosModules = import ./modules/nixos { inherit lib; };
-  # homeModules = import ./modules/home { inherit lib; };
+# homeModules = import ./modules/home { inherit lib; };
-  packages = lib.swarselsystems.forEachSystem (pkgs: import ./pkgs { inherit lib pkgs; });
+packages = lib.swarselsystems.forEachSystem (pkgs: import ./pkgs { inherit lib pkgs; });
-  formatter = lib.swarselsystems.forEachSystem (pkgs: pkgs.nixpkgs-fmt);
+formatter = lib.swarselsystems.forEachSystem (pkgs: pkgs.nixpkgs-fmt);
-  overlays = import ./overlays { inherit self lib inputs; };
+overlays = import ./overlays { inherit self lib inputs; };
 
-  apps = lib.swarselsystems.forAllSystems (system:
+apps = lib.swarselsystems.forAllSystems (system:
   let
     appNames = [
       "swarsel-bootstrap"
@@ -1311,28 +1313,29 @@ They are defined in <a href="#h:5e3e21e0-57af-4dad-b32f-6400af9b7aab">Overlays (
   appSet // {
     default = appSet.swarsel-bootstrap;
   }
-  );
+);
 
-  devShells = lib.swarselsystems.forAllSystems (system:
+devShells = lib.swarselsystems.forAllSystems (system:
   let
     pkgs = lib.swarselsystems.pkgsFor.${system};
     checks = self.checks.${system};
   in
   {
     default = pkgs.mkShell {
+        # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
+        #   buildInputs = [pkgs.nixVersions.latest pkgs.boost];
+        #   patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
+        # })}/lib/nix/plugins
       NIX_CONFIG = ''
-          plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
+        plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
-            buildInputs = [pkgs.nixVersions.latest pkgs.boost];
-            patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
-          })}/lib/nix/plugins
         extra-builtins-file = ${self + /nix/extra-builtins.nix}
       '';
       inherit (checks.pre-commit-check) shellHook;
 
       buildInputs = checks.pre-commit-check.enabledPackages;
       nativeBuildInputs = [
-# (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
+        (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
-          pkgs.nix
+        # pkgs.nix
         pkgs.home-manager
         pkgs.git
         pkgs.just
@@ -1345,18 +1348,18 @@ They are defined in <a href="#h:5e3e21e0-57af-4dad-b32f-6400af9b7aab">Overlays (
       ];
     };
   }
-  );
+);
 
-  templates = import ./templates { inherit lib; };
+templates = import ./templates { inherit lib; };
 
-  checks = lib.swarselsystems.forAllSystems (system:
+checks = lib.swarselsystems.forAllSystems (system:
   let
     pkgs = lib.swarselsystems.pkgsFor.${system};
   in
   import ./checks { inherit self inputs system pkgs; }
-  );
+);
 
-  diskoConfigurations.default = import .templates/hosts/nixos/disk-config.nix;
+diskoConfigurations.default = import .templates/hosts/nixos/disk-config.nix;
 </pre>
 </div>
 </div>
@@ -2269,7 +2272,7 @@ All of these are processes that use little cpu but can take a lot of storage. Fo
 </ul>
 
 <div class="org-src-container">
-<pre class="src src-nix">{ lib, primaryUser, ... }:
+<pre class="src src-nix">{ lib, config, primaryUser, ... }:
 let
   sharedOptions = {
     isBtrfs = false;
@@ -2321,6 +2324,8 @@ in
 
   system.stateVersion = "23.11";
 
+
+  node.secretsDir = ./secrets;
   services = {
     nginx = {
       virtualHosts = {
@@ -2903,8 +2908,8 @@ This is just a demo host. It applies all the configuration found in the common p
 I also set the <code>WLR_RENDERER_ALLOW_SOFTWARE=1</code> to allow this configuration to run in a virtualized environment. I also enable <code>qemuGuest</code> for a smoother experience when testing on QEMU.
 </p>
 </div>
-<div id="outline-container-orgf2fbce0" class="outline-6">
+<div id="outline-container-orge6ad58f" class="outline-6">
-<h6 id="orgf2fbce0"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
+<h6 id="orge6ad58f"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ self, inputs, config, pkgs, lib, primaryUser, ... }:
@@ -2983,8 +2988,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgc66a6e8" class="outline-6">
+<div id="outline-container-orga3d14c3" class="outline-6">
-<h6 id="orgc66a6e8"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
+<h6 id="orga3d14c3"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-2">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@@ -2994,8 +2999,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org9cd8c12" class="outline-6">
+<div id="outline-container-orgb9cef36" class="outline-6">
-<h6 id="org9cd8c12"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
+<h6 id="orgb9cef36"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-3">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@@ -4776,8 +4781,8 @@ appimageTools.wrapType2 {
 </div>
 </div>
 </div>
-<div id="outline-container-orgef379d5" class="outline-5">
+<div id="outline-container-org6c977da" class="outline-5">
-<h5 id="orgef379d5"><span class="section-number-5">3.2.1.30.</span> swarsel-deploy</h5>
+<h5 id="org6c977da"><span class="section-number-5">3.2.1.30.</span> swarsel-deploy</h5>
 <div class="outline-text-5" id="text-3-2-1-30">
 <div class="org-src-container">
 <pre class="src src-nix"># heavily inspired from https://github.com/oddlama/nix-config/blob/d42cbde676001a7ad8a3cace156e050933a4dcc3/pkgs/deploy.nix
@@ -4908,8 +4913,8 @@ writeShellApplication {
 </div>
 </div>
 </div>
-<div id="outline-container-orgc43a0b3" class="outline-5">
+<div id="outline-container-orgbf90fc3" class="outline-5">
-<h5 id="orgc43a0b3"><span class="section-number-5">3.2.1.31.</span> sshrm</h5>
+<h5 id="orgbf90fc3"><span class="section-number-5">3.2.1.31.</span> sshrm</h5>
 <div class="outline-text-5" id="text-3-2-1-31">
 <p>
 This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually.
@@ -5066,8 +5071,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-org523aa9d" class="outline-6">
+<div id="outline-container-org7ab2427" class="outline-6">
-<h6 id="org523aa9d"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
+<h6 id="org7ab2427"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-1-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5137,8 +5142,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org15286d1" class="outline-6">
+<div id="outline-container-orgebed78c" class="outline-6">
-<h6 id="org15286d1"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
+<h6 id="orgebed78c"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-1-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5200,8 +5205,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org3b27958" class="outline-6">
+<div id="outline-container-org1615bc2" class="outline-6">
-<h6 id="org3b27958"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
+<h6 id="org1615bc2"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-1-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5233,8 +5238,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org73fceed" class="outline-6">
+<div id="outline-container-orgc7113d0" class="outline-6">
-<h6 id="org73fceed"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
+<h6 id="orgc7113d0"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-1-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5255,8 +5260,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgf3db313" class="outline-6">
+<div id="outline-container-org9ac5e22" class="outline-6">
-<h6 id="orgf3db313"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
+<h6 id="org9ac5e22"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-1-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5277,8 +5282,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org86bb837" class="outline-6">
+<div id="outline-container-org1c1802e" class="outline-6">
-<h6 id="org86bb837"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
+<h6 id="org1c1802e"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5299,8 +5304,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgc8e6e00" class="outline-6">
+<div id="outline-container-org619b6ae" class="outline-6">
-<h6 id="orgc8e6e00"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
+<h6 id="org619b6ae"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5321,8 +5326,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org71595b2" class="outline-6">
+<div id="outline-container-org14d09b9" class="outline-6">
-<h6 id="org71595b2"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
+<h6 id="org14d09b9"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
 <div class="outline-text-6" id="text-3-2-3-1-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5343,8 +5348,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgee11529" class="outline-6">
+<div id="outline-container-org9c9d768" class="outline-6">
-<h6 id="orgee11529"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
+<h6 id="org9c9d768"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
 <div class="outline-text-6" id="text-3-2-3-1-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5365,8 +5370,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgecce17c" class="outline-6">
+<div id="outline-container-orgff2b98d" class="outline-6">
-<h6 id="orgecce17c"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
+<h6 id="orgff2b98d"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5407,6 +5412,7 @@ in
           freshrss = lib.mkDefault true;
           jenkins = lib.mkDefault false;
           kanidm = lib.mkDefault true;
+          firefly = lib.mkDefault true;
         };
       };
     };
@@ -5418,8 +5424,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org2c09e0d" class="outline-6">
+<div id="outline-container-orgeeba793" class="outline-6">
-<h6 id="org2c09e0d"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
+<h6 id="orgeeba793"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-11">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5475,8 +5481,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-org2765523" class="outline-6">
+<div id="outline-container-orgdcc40f5" class="outline-6">
-<h6 id="org2765523"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
+<h6 id="orgdcc40f5"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-2-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5533,8 +5539,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org9ebf16d" class="outline-6">
+<div id="outline-container-orgda5bd25" class="outline-6">
-<h6 id="org9ebf16d"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
+<h6 id="orgda5bd25"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-2-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5586,8 +5592,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org5533dd5" class="outline-6">
+<div id="outline-container-org78bfd93" class="outline-6">
-<h6 id="org5533dd5"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
+<h6 id="org78bfd93"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-2-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5607,8 +5613,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org8f9aa78" class="outline-6">
+<div id="outline-container-org095828f" class="outline-6">
-<h6 id="org8f9aa78"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
+<h6 id="org095828f"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-2-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5628,8 +5634,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org1ba4503" class="outline-6">
+<div id="outline-container-org71075bc" class="outline-6">
-<h6 id="org1ba4503"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
+<h6 id="org71075bc"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-2-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5650,8 +5656,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org7268790" class="outline-6">
+<div id="outline-container-orgab68be6" class="outline-6">
-<h6 id="org7268790"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
+<h6 id="orgab68be6"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
 <div class="outline-text-6" id="text-3-2-3-2-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5669,8 +5675,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org035bebd" class="outline-6">
+<div id="outline-container-orgc70220b" class="outline-6">
-<h6 id="org035bebd"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
+<h6 id="orgc70220b"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-2-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5749,6 +5755,15 @@ in
     }
   );
 
+  # mkUser = name: {
+  #   config.users.users.${name} = {
+  #     group = name;
+  #     isSystemUser = true;
+  #   };
+
+  #   config.users.groups.${name} = {};
+  # };
+
   mkTrueOption = lib.mkOption {
     type = lib.types.bool;
     default = true;
@@ -5901,12 +5916,12 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org392d09c" class="outline-4">
+<div id="outline-container-org111a002" class="outline-4">
-<h4 id="org392d09c"><span class="section-number-4">3.2.5.</span> Auxiliary files</h4>
+<h4 id="org111a002"><span class="section-number-4">3.2.5.</span> Auxiliary files</h4>
 <div class="outline-text-4" id="text-3-2-5">
 </div>
-<div id="outline-container-orgd72cdaa" class="outline-5">
+<div id="outline-container-orgac4d22d" class="outline-5">
-<h5 id="orgd72cdaa"><span class="section-number-5">3.2.5.1.</span> extra-builtins</h5>
+<h5 id="orgac4d22d"><span class="section-number-5">3.2.5.1.</span> extra-builtins</h5>
 <div class="outline-text-5" id="text-3-2-5-1">
 <div class="org-src-container">
 <pre class="src src-nix">
@@ -5941,8 +5956,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org0df99c4" class="outline-5">
+<div id="outline-container-org12f22da" class="outline-5">
-<h5 id="org0df99c4"><span class="section-number-5">3.2.5.2.</span> sops-decrypt-and-cache</h5>
+<h5 id="org12f22da"><span class="section-number-5">3.2.5.2.</span> sops-decrypt-and-cache</h5>
 <div class="outline-text-5" id="text-3-2-5-2">
 <div class="org-src-container">
 <pre class="src src-shell">#!/usr/bin/env bash
@@ -6040,7 +6055,8 @@ I usually use <code>mutableUsers = false</code> in my NixOS configuration. Howev
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, ... }:
 {
-  options.swarselsystems = {
+  options = {
+    swarselsystems = {
       withHomeManager = lib.mkOption {
         type = lib.types.bool;
         default = true;
@@ -6062,7 +6078,7 @@ I usually use <code>mutableUsers = false</code> in my NixOS configuration. Howev
 
       isImpermanence = lib.mkEnableOption "use impermanence on this system";
       isSecureBoot = lib.mkEnableOption "use secure boot on this system";
-
+    };
     globals = lib.mkOption {
       default = { };
       type = lib.types.submodule {
@@ -6086,10 +6102,15 @@ I usually use <code>mutableUsers = false</code> in my NixOS configuration. Howev
               description = "My main domain.";
             };
           };
-
         };
       };
     };
+    # _globalsDefs = lib.mkOption {
+    #   type = lib.types.unspecified;
+    #   default = options.globals.definitions;
+    #   readOnly = true;
+    #   internal = true;
+    # };
   };
 }
 </pre>
@@ -6915,8 +6936,8 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
 </div>
 </div>
 </div>
-<div id="outline-container-orge74406e" class="outline-5">
+<div id="outline-container-org4af165f" class="outline-5">
-<h5 id="orge74406e"><span class="section-number-5">3.3.1.17.</span> Meta options</h5>
+<h5 id="org4af165f"><span class="section-number-5">3.3.1.17.</span> Meta options</h5>
 <div class="outline-text-5" id="text-3-3-1-17">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, ... }:
@@ -7004,8 +7025,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgc853a17" class="outline-5">
+<div id="outline-container-org040e64b" class="outline-5">
-<h5 id="orgc853a17"><span class="section-number-5">3.3.1.19.</span> PII management</h5>
+<h5 id="org040e64b"><span class="section-number-5">3.3.1.19.</span> PII management</h5>
 <div class="outline-text-5" id="text-3-3-1-19">
 <div class="org-src-container">
 <pre class="src src-nix">{ config, inputs, lib, ... }:
@@ -7397,8 +7418,8 @@ Most of the time I am using <code>power-saver</code>, however, it is good to be
 </div>
 </div>
 </div>
-<div id="outline-container-org29775c4" class="outline-6">
+<div id="outline-container-orgcef61ea" class="outline-6">
-<h6 id="org29775c4"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
+<h6 id="orgcef61ea"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-3-1-22-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, pkgs, config, ... }:
@@ -9247,11 +9268,15 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of <code>
 
       gotenberg = {
         enable = true;
+        package = pkgs.stable.gotenberg;
         port = 3002;
         bindIP = "127.0.0.1";
+        timeout = "600s";
+        chromium.package = pkgs.stable.chromium;
       };
     };
 
+
     # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
     systemd.services.paperless-web.script = lib.mkBefore ''
       oidcSecret=$(&lt; ${config.sops.secrets.kanidm-paperless-client.path})
@@ -10230,8 +10255,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org34a4b66" class="outline-5">
+<div id="outline-container-orgadabdd9" class="outline-5">
-<h5 id="org34a4b66"><span class="section-number-5">3.3.2.27.</span> IDM (kanidm + oauth2-proxy)</h5>
+<h5 id="orgadabdd9"><span class="section-number-5">3.3.2.27.</span> IDM (kanidm + oauth2-proxy)</h5>
 <div class="outline-text-5" id="text-3-3-2-27">
 <p>
 The forgejo configuration is a little broken and will show a 500 error when signing in through kanidm. However, when pressing back and refreshing the page, I am logged in. Currently I cannot be bothered to fix this.
@@ -10331,6 +10356,7 @@ in
             "nextcloud.admins" = { };
             "navidrome.access" = { };
             "freshrss.access" = { };
+            "firefly.access" = { };
           };
           persons = {
             swarsel = {
@@ -10345,6 +10371,7 @@ in
                 "nextcloud.access"
                 "freshrss.access"
                 "navidrome.access"
+                "firefly.access"
               ];
               displayName = "Swarsel";
             };
@@ -10457,21 +10484,31 @@ in
                 originUrl = "https://${oauth2ProxyDomain}/oauth2/callback";
                 originLanding = "https://${oauth2ProxyDomain}/";
                 basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path;
-                scopeMaps."freshrss.access" = [
+                scopeMaps = {
+                  "freshrss.access" = [
                     "openid"
                     "email"
                     "profile"
                   ];
-                scopeMaps."navidrome.access" = [
+                  "navidrome.access" = [
                     "openid"
                     "email"
                     "profile"
                   ];
+                  "firefly.access" = [
+                    "openid"
+                    "email"
+                    "profile"
+                  ];
+                };
                 preferShortUsername = true;
                 claimMaps.groups = {
                   joinType = "array";
-                  valuesByGroup."freshrss.access" = [ "ttrss_access" ];
+                  valuesByGroup = {
-                  valuesByGroup."navidrome.access" = [ "navidrome_access" ];
+                    "freshrss.access" = [ "ttrss_access" ];
+                    "navidrome.access" = [ "navidrome_access" ];
+                    "firefly.access" = [ "firefly_access" ];
+                  };
                 };
               };
             };
@@ -10576,6 +10613,120 @@ in
 </div>
 </div>
 </div>
+<div id="outline-container-org1319ef2" class="outline-5">
+<h5 id="org1319ef2"><span class="section-number-5">3.3.2.28.</span> Firefly-III</h5>
+<div class="outline-text-5" id="text-3-3-2-28">
+<div class="org-src-container">
+<pre class="src src-nix">{ lib, config, ... }:
+let
+  cfg = config.services.firefly-iii;
+  fireflyDomain = "stonks.swarsel.win";
+  fireflyUser = "firefly-iii";
+in
+{
+  options.swarselsystems.modules.server.firefly = lib.mkEnableOption "enable firefly-iii on server";
+  config = lib.mkIf config.swarselsystems.modules.server.firefly {
+
+    users.users.firefly-iii = {
+      group = "nginx";
+      isSystemUser = true;
+    };
+
+    sops = {
+      secrets = {
+        "firefly-iii-app-key" = { owner = fireflyUser; group = "nginx"; mode = "0440"; };
+      };
+    };
+
+    services = {
+      firefly-iii = {
+        enable = true;
+        user = fireflyUser;
+        group = if cfg.enableNginx then "nginx" else fireflyUser;
+        dataDir = "/Vault/data/firefly-iii";
+        settings = {
+          TZ = config.repo.secrets.common.location.timezone;
+          APP_URL = "https://${fireflyDomain}";
+          APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
+          APP_ENV = "local";
+          DB_CONNECTION = "sqlite";
+          # AUTHENTICATION_GUARD = "remote_user_guard";
+          # AUTHENTICATION_GUARD_HEADER = "X-User";
+          # AUTHENTICATION_GUARD_EMAIL = "X-Email";
+        };
+        enableNginx = true;
+        virtualHost = fireflyDomain;
+      };
+
+      nginx = {
+        virtualHosts = {
+          "${fireflyDomain}" = {
+            enableACME = true;
+            forceSSL = true;
+            acmeRoot = null;
+            # main config is automatically added by nixos firefly config.
+            # hence, only provide certificate
+            locations = {
+              "/" = {
+                extraConfig = ''
+                  auth_request /oauth2/auth;
+                  error_page 401 = /oauth2/sign_in;
+
+                  # pass information via X-User and X-Email headers to backend,
+                  # requires running with --set-xauthrequest flag (done by NixOS)
+                  auth_request_set $user   $upstream_http_x_auth_request_user;
+                  auth_request_set $email  $upstream_http_x_auth_request_email;
+                  proxy_set_header X-User  $user;
+                  proxy_set_header X-Email $email;
+
+                  # if you enabled --pass-access-token, this will pass the token to the backend
+                  auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                  proxy_set_header X-Access-Token $token;
+
+                  # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                  auth_request_set $auth_cookie $upstream_http_set_cookie;
+                  add_header Set-Cookie $auth_cookie;
+                '';
+              };
+              "/oauth2/" = {
+                proxyPass = "http://oauth2-proxy";
+                extraConfig = ''
+
+                  proxy_set_header X-Scheme                $scheme;
+                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+                '';
+              };
+              "= /oauth2/auth" = {
+                proxyPass = "http://oauth2-proxy/oauth2/auth";
+                extraConfig = ''
+                  internal;
+
+                  proxy_set_header X-Scheme         $scheme;
+                  # nginx auth_request includes headers but not body
+                  proxy_set_header Content-Length   "";
+                  proxy_pass_request_body           off;
+                '';
+              };
+              "/api" = {
+                extraConfig = ''
+                  index index.php;
+                  try_files $uri $uri/ /index.php?$query_string;
+                  add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
+                  proxy_set_header X-User  "";
+                  proxy_set_header X-Email "";
+                '';
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
+</pre>
+</div>
+</div>
+</div>
 </div>
 <div id="outline-container-h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47" class="outline-4">
 <h4 id="h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47"><span class="section-number-4">3.3.3.</span> Darwin</h4>
@@ -10788,8 +10939,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
 </div>
 </div>
 </div>
-<div id="outline-container-orge3e941d" class="outline-5">
+<div id="outline-container-org2a02f56" class="outline-5">
-<h5 id="orge3e941d"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
+<h5 id="org2a02f56"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-3-4-6">
 <p>
 This holds configuration that is specific to framework laptops.
@@ -10827,8 +10978,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org16ea1dc" class="outline-5">
+<div id="outline-container-orgdbf44f7" class="outline-5">
-<h5 id="org16ea1dc"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
+<h5 id="orgdbf44f7"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
 <div class="outline-text-5" id="text-3-3-4-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -10844,8 +10995,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org0af6d94" class="outline-5">
+<div id="outline-container-orgecd29c2" class="outline-5">
-<h5 id="org0af6d94"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
+<h5 id="orgecd29c2"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
 <div class="outline-text-5" id="text-3-3-4-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -10867,8 +11018,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org7ff8e48" class="outline-5">
+<div id="outline-container-orgda0d8f6" class="outline-5">
-<h5 id="org7ff8e48"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
+<h5 id="orgda0d8f6"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
 <div class="outline-text-5" id="text-3-3-4-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -10899,8 +11050,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orgbc1d428" class="outline-5">
+<div id="outline-container-org957abf9" class="outline-5">
-<h5 id="orgbc1d428"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
+<h5 id="org957abf9"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
 <div class="outline-text-5" id="text-3-3-4-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -13838,8 +13989,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-orgbc58a8f" class="outline-6">
+<div id="outline-container-org6a90363" class="outline-6">
-<h6 id="orgbc58a8f"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
+<h6 id="org6a90363"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-4-1-29-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -15085,8 +15236,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org0b7d6c4" class="outline-5">
+<div id="outline-container-orgead591d" class="outline-5">
-<h5 id="org0b7d6c4"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
+<h5 id="orgead591d"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-4-4-3">
 <p>
 This holds configuration that is specific to framework laptops.
@@ -18926,8 +19077,8 @@ autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore
 </div>
 </div>
 </div>
-<div id="outline-container-orge07d1e7" class="outline-3">
+<div id="outline-container-org71bf76e" class="outline-3">
-<h3 id="orge07d1e7"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
+<h3 id="org71bf76e"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
 <div class="outline-text-3" id="text-6-3">
 <div class="org-src-container">
 <pre class="src src-config">
@@ -19424,7 +19575,7 @@ sync USER HOST:
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-06-11 Mi 21:36</p>
+<p class="date">Created: 2025-06-13 Fr 02:34</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>

lib/default.nix

@@ -26,6 +26,15 @@ in
     }
   );
 
+  # mkUser = name: {
+  #   config.users.users.${name} = {
+  #     group = name;
+  #     isSystemUser = true;
+  #   };
+
+  #   config.users.groups.${name} = {};
+  # };
+
   mkTrueOption = lib.mkOption {
     type = lib.types.bool;
     default = true;

modules/nixos/common/sharedsetup.nix

@@ -1,6 +1,7 @@
 { lib, ... }:
 {
-  options.swarselsystems = {
+  options = {
+    swarselsystems = {
       withHomeManager = lib.mkOption {
         type = lib.types.bool;
         default = true;
@@ -22,7 +23,7 @@
 
       isImpermanence = lib.mkEnableOption "use impermanence on this system";
       isSecureBoot = lib.mkEnableOption "use secure boot on this system";
-
+    };
     globals = lib.mkOption {
       default = { };
       type = lib.types.submodule {
@@ -46,9 +47,14 @@
               description = "My main domain.";
             };
           };
-
         };
       };
     };
+    # _globalsDefs = lib.mkOption {
+    #   type = lib.types.unspecified;
+    #   default = options.globals.definitions;
+    #   readOnly = true;
+    #   internal = true;
+    # };
   };
 }

modules/nixos/server/firefly-iii.nix

@@ -0,0 +1,106 @@
+{ lib, config, ... }:
+let
+  cfg = config.services.firefly-iii;
+  fireflyDomain = "stonks.swarsel.win";
+  fireflyUser = "firefly-iii";
+in
+{
+  options.swarselsystems.modules.server.firefly = lib.mkEnableOption "enable firefly-iii on server";
+  config = lib.mkIf config.swarselsystems.modules.server.firefly {
+
+    users.users.firefly-iii = {
+      group = "nginx";
+      isSystemUser = true;
+    };
+
+    sops = {
+      secrets = {
+        "firefly-iii-app-key" = { owner = fireflyUser; group = "nginx"; mode = "0440"; };
+      };
+    };
+
+    services = {
+      firefly-iii = {
+        enable = true;
+        user = fireflyUser;
+        group = if cfg.enableNginx then "nginx" else fireflyUser;
+        dataDir = "/Vault/data/firefly-iii";
+        settings = {
+          TZ = config.repo.secrets.common.location.timezone;
+          APP_URL = "https://${fireflyDomain}";
+          APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
+          APP_ENV = "local";
+          DB_CONNECTION = "sqlite";
+          # AUTHENTICATION_GUARD = "remote_user_guard";
+          # AUTHENTICATION_GUARD_HEADER = "X-User";
+          # AUTHENTICATION_GUARD_EMAIL = "X-Email";
+        };
+        enableNginx = true;
+        virtualHost = fireflyDomain;
+      };
+
+      nginx = {
+        virtualHosts = {
+          "${fireflyDomain}" = {
+            enableACME = true;
+            forceSSL = true;
+            acmeRoot = null;
+            # main config is automatically added by nixos firefly config.
+            # hence, only provide certificate
+            locations = {
+              "/" = {
+                extraConfig = ''
+                  auth_request /oauth2/auth;
+                  error_page 401 = /oauth2/sign_in;
+
+                  # pass information via X-User and X-Email headers to backend,
+                  # requires running with --set-xauthrequest flag (done by NixOS)
+                  auth_request_set $user   $upstream_http_x_auth_request_user;
+                  auth_request_set $email  $upstream_http_x_auth_request_email;
+                  proxy_set_header X-User  $user;
+                  proxy_set_header X-Email $email;
+
+                  # if you enabled --pass-access-token, this will pass the token to the backend
+                  auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                  proxy_set_header X-Access-Token $token;
+
+                  # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                  auth_request_set $auth_cookie $upstream_http_set_cookie;
+                  add_header Set-Cookie $auth_cookie;
+                '';
+              };
+              "/oauth2/" = {
+                proxyPass = "http://oauth2-proxy";
+                extraConfig = ''
+
+                  proxy_set_header X-Scheme                $scheme;
+                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+                '';
+              };
+              "= /oauth2/auth" = {
+                proxyPass = "http://oauth2-proxy/oauth2/auth";
+                extraConfig = ''
+                  internal;
+
+                  proxy_set_header X-Scheme         $scheme;
+                  # nginx auth_request includes headers but not body
+                  proxy_set_header Content-Length   "";
+                  proxy_pass_request_body           off;
+                '';
+              };
+              "/api" = {
+                extraConfig = ''
+                  index index.php;
+                  try_files $uri $uri/ /index.php?$query_string;
+                  add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
+                  proxy_set_header X-User  "";
+                  proxy_set_header X-Email "";
+                '';
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

modules/nixos/server/kanidm.nix

@@ -82,6 +82,7 @@ in
             "nextcloud.admins" = { };
             "navidrome.access" = { };
             "freshrss.access" = { };
+            "firefly.access" = { };
           };
           persons = {
             swarsel = {
@@ -96,6 +97,7 @@ in
                 "nextcloud.access"
                 "freshrss.access"
                 "navidrome.access"
+                "firefly.access"
               ];
               displayName = "Swarsel";
             };
@@ -208,21 +210,31 @@ in
                 originUrl = "https://${oauth2ProxyDomain}/oauth2/callback";
                 originLanding = "https://${oauth2ProxyDomain}/";
                 basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path;
-                scopeMaps."freshrss.access" = [
+                scopeMaps = {
+                  "freshrss.access" = [
                     "openid"
                     "email"
                     "profile"
                   ];
-                scopeMaps."navidrome.access" = [
+                  "navidrome.access" = [
                     "openid"
                     "email"
                     "profile"
                   ];
+                  "firefly.access" = [
+                    "openid"
+                    "email"
+                    "profile"
+                  ];
+                };
                 preferShortUsername = true;
                 claimMaps.groups = {
                   joinType = "array";
-                  valuesByGroup."freshrss.access" = [ "ttrss_access" ];
+                  valuesByGroup = {
-                  valuesByGroup."navidrome.access" = [ "navidrome_access" ];
+                    "freshrss.access" = [ "ttrss_access" ];
+                    "navidrome.access" = [ "navidrome_access" ];
+                    "firefly.access" = [ "firefly_access" ];
+                  };
                 };
               };
             };

modules/nixos/server/paperless.nix

@@ -65,11 +65,15 @@
 
       gotenberg = {
         enable = true;
+        package = pkgs.stable.gotenberg;
         port = 3002;
         bindIP = "127.0.0.1";
+        timeout = "600s";
+        chromium.package = pkgs.stable.chromium;
       };
     };
 
+
     # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
     systemd.services.paperless-web.script = lib.mkBefore ''
       oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})

profiles/nixos/localserver/default.nix

@@ -36,6 +36,7 @@
           freshrss = lib.mkDefault true;
           jenkins = lib.mkDefault false;
           kanidm = lib.mkDefault true;
+          firefly = lib.mkDefault true;
         };
       };
     };

secrets/repo/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:t46tqCQNV0Anyt3ZhfoFA6HnSC7ECCjbsdMAGQ+Xno4BjBFXBJdhcKuEdfqqKylBberfQ5zpS7PI9TWUrhjJdQJq8uC7pMcLK652OjAJAdxHaHAt2eBPq2+UXAHvwzXwEauEZ78m7iv0VuFvN9pLbUBVDGFRdWLrt32DD2xVASLSscn/wpYnXhBrd+fi9nKtt41mhe8UvAEIxdYtIEh4/ylL3PjvCEJBBEci7Fe/UuokNxhlMNc2xV0AVo25aM3mQbXny8LPF5++PVteVr4RWHm9R1qtRR8cKmJI/j2ObwS5WSsnRAJHgO6b6Wq9F4SNdEFscqW7d8/WWBPTvv+H3VSQ3K0xxaOrbnJYxBbSAboTDZogkbYSrY41SXqXh1Gorvh92eCvYCSxTFLnbkKVx3F35+3NKYK8RQ0OYsIl+k8qE9kK35kNjXrm3gl7p/WjyDXJ2mhHmt5ZQSleseh4meOhg73kJFC+VeUlI5no+kDeaYwn5EM/pi/ZzsAQwq/wGqVrPgSVnTbyfBAD1FRqeUxNCo2ceTGW12ZvOvm+XxUJ8tVef2PvUuqKvg1Xx4TN3hRQUcYhXwZWzKgseiAonRA4Euzs/BKA5K233uP22t8klCy23Ngti0LJt5tbmsNeBBwb2f5Wcs4oDn2YIFTm9Bg9QLbfkYyZf/ZkbA0U7HfbvhlIKANmzy1G8+MYlpS4ZED36wT1fEDcEBVygzyHVx9sXEZuj6Nm1ekxSGgJciVL,iv:PBwZiNQjDguQF/GFegm1oVYHF0lG6fjK0vxBuQN1HFo=,tag:VH2pH+rKgyBSIzGo8py6bw==,type:str]",
+	"data": "ENC[AES256_GCM,data:lLLUOryVRlriVc94mUX486tGhdg3yO6MkVf43hQIfo9mmYks0NbvCb05VeN/zzVP5fZU4kX/KKA5gfpK8lPKnnE0eN0Tv98hfkAExH1zTowUaj+XcXOPmCyRydeKm04sITDPsuhH7c6jkk2RNXBF/3ER8VZ3uho0K1gqokJlQUcA3QPCDFh6t5jlJakB2AX0rQYBtlG/QfLMf1YqU+hMsOFSrEXkPL7B1FwTkOHlU3oefpia1h4OJBJEjXQW+e57zgPRqc7z9lT8sOsXKRldWXgb1bhQM6MTDbSnEkSE44EtsFefkrmU34riu0KjQMcDbDFH3NpNibtKammlHBaKEWrxyFsgEEnFtqpMrr/ageW+DIttHIEbO170PHyaExo2pw1if0x/kRMe9/aPdDbG4oXtoZ9WqqB/ziBVTy+rau/aeuBU5XOEF+iQGwlkdQcjaUv55VVaCrT1DLSLdfWj5bmlls2pgu3SRkqhRFa+QveFu8i80rLQT9KcELuGpx7AB8U7gz8Oz4pU0iZkH3A1Cw9sO2vjwPd2AnPi8YQsqCIGQtZp/Y/OJa/7GfPFmmJlWZFiFbKGUfZg6sPsLPyTqTzES0erf67dwpXaBtuz7iS1yS58HQwhT0ZdrRJdMsrg0j+rejYHdIbZeeRVRLoPastyHjVKTarrYtAeT3MuqKbqjQRTdoaNlOQovG8WBlPNRJ93qOWh0wLVYuD2ou3epDlwGbwIuJ8D/DbW5mWNw5gpbI50LC1+SM6/flb3iG7bJ5DmkA1c2+fm8Jm5me5SCCE=,iv:8VSsznbOJyV/ZYCP9hKuAprtjssYTQEjW0Z/P5fgYqw=,tag:Tc/N0KgF9sNHuTXjWKksUw==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -23,8 +23,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bFIrQjZ5cUFBQUp4dTRW\ndEdaZys0OHE5L3BPaVNic3ZZRDQ5N09SaGdZCllhWnY4T2lLZzVUMlp5VjMvQ2lP\ndGFNSTBqbjNMaUcwbVRaWFVCazU3OEUKLS0tIHBIWUZCYjFDVDgzbUUxMC9TNzdp\naFdiWmV6TGIva0RNUDNHWmdJZGgzNHMKiIzjo6sH/SP12cAXTvXiP0X9EE/A8Qw1\nIfgZfyEHdf/Mxd/iNzlWb2Nb0MLerYYw/qZ/+L5eDpUr4Vl051qOXA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-06-11T12:35:26Z",
+		"lastmodified": "2025-06-12T22:56:18Z",
-		"mac": "ENC[AES256_GCM,data:qySqNhw1CPbilUmJPSOsLGG3mbLrvPMXzkzUGIj5l1EBLl//BVfAqvkgc06AhjDexr708CyUU5tiW0JydFBkEcByxDK21JhnZGVTdiTidBUl5lS392bCxdnrWgNCm6BnIznLsF3UpuqStsztOgjRJa2pawC2b5i6VCm4asif2lQ=,iv:M0JEy5+8g2wesVMpfhl0OZOKh4MFnh6RwUm9tteSYJ4=,tag:2zxRZLab6Z5XDsh9MMHSlg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:KnewBjWIibq08JjmotKuJWJS6zqBWH7akh7a5nI3Sq6ae+QINN8M7ueTjdpbq1PqK9leiubbdECT4F/qHwpwmIKEB2vKY8eSsDsmjSmbtVFdYEv4UaOPEJAGr/8u3t7q97m+Ad2P+tLH/jIDc0BXGXYfQYogSiaHqKqytJK9cQo=,iv:8U6m1+00n1Aip08kO2Q0cdX/TnRy7Bpig7b23H6Plgg=,tag:UPskdkeO/qO7RkninZ4jow==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-11T01:05:00Z",

secrets/winters/secrets.yaml

@@ -63,6 +63,8 @@ kanidm-freshrss: ENC[AES256_GCM,data:4y0X3sSOfs5pKNCmZGJhxlAKH7GD1UACdw==,iv:LuQ
 #ENC[AES256_GCM,data:8eDo+FQoBEKMTRY2,iv:ZSrV+Z+1S5AoW+jq49LBFzSwd/NJl3aZYHe7oUvGriU=,tag:3cw3hUigrPViQ+XsuMiksg==,type:comment]
 oauth2-cookie-secret: ENC[AES256_GCM,data:l8BPYA7t9NG9MPFs/LDlFHqwbnwsvie7FM5v613358E+jLf2wD+tipyUb6c=,iv:1kZ6G6Z0cSQS53kc/hygh/1Ke491agWDlYHR9Yq0jT0=,tag:mi7Un2JBnrq1dnP3jZX4ng==,type:str]
 kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:+mcA/sz3AZuw+I44iIdOEfDmtjEVdxi2fg==,iv:m4NpieUicS7xsR+F5AgPqkcUFRF+CGOA8IK6GeS9tgM=,tag:1wypxpiHPdQBD8Td/PSdMw==,type:str]
+#ENC[AES256_GCM,data:Y1BVSKrxqnK/8yk=,iv:Bg8OSExGPV9kwkuDb/69BXMyDnzbr1TAnVZEOxNWljo=,tag:Cq76DQ1g26pFLHwZP3pqYQ==,type:comment]
+firefly-iii-app-key: ENC[AES256_GCM,data:hzgl8eRL0irNRP5TO7G1rNtNM7fXCkmbcaX4QoTsM0xA1rgyKwiy6a4lYDjoXZyOMy5p,iv:q5eepIELwIecyQ56A6THUOu+rebK3irKVYb7/gNHlU8=,tag:+M/KTX1JzPzXeK4TRzW42w==,type:str]
 sops:
     age:
         - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
@@ -74,8 +76,8 @@ sops:
             MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
             qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-09T19:50:17Z"
+    lastmodified: "2025-06-12T18:54:27Z"
-    mac: ENC[AES256_GCM,data:Cx7bI5HRkVVmZTcs/Q3uPtLZaaGd28ZqUsyPRcqd8yEaRxNN0JU6EcQ2ZjU5Zi9jLRLDiR/PxuWsWcmDWH8vW0UZGh6ao75Cw3UO7QhKZHfM5cHqnleo/RIIl5d/Q0hnS9EQmcEPA3qKLQUIrOa+MAgMCkti50ZuNcZnkywLn54=,iv:QPDj4K22G6Go6RDE5ZGbCntmC+mn/5mMyH6ohyQYNuY=,tag:NJ3mjmo2LRmJRXKrYIJZKg==,type:str]
+    mac: ENC[AES256_GCM,data:5SPDEOz+PBoavltKbVCAAFOexS3In1+jOUdP3V59ssWevKnxX09ALENfwQW4DkL/U4wrryKp9zQ1qmg43SPK2cWrbswsIhzupYE+VvhR3pORiCk/k3GhtE9jnQPD3W7WvNz29rMthgyo5AY/QERfd+YiuMLGmKofoqaWWpKnhRA=,iv:FTDBDKlRgUja5zRIzpO8d6IfCjvmMq1RDRSi3AfmB3A=,tag:zV0boAnx98PxgK1H3jRWOA==,type:str]
     pgp:
         - created_at: "2024-12-17T16:24:32Z"
           enc: |-