From 9d10005e35d9d18192b22dc7b19397578dab7247 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Mon, 9 Jun 2025 18:11:02 +0200
Subject: [PATCH] feat: add nextcloud to kanidm

---
 SwarselSystems.org                  | 104 ++++++---
 hosts/nixos/sync/default.nix        |   4 +
 index.html                          | 314 +++++++++++++++++-----------
 modules/nixos/common/hardware.nix   |   2 +-
 modules/nixos/server/forgejo.nix    |   2 +-
 modules/nixos/server/kanidm.nix     |  41 +++-
 modules/nixos/server/monitoring.nix |   4 +-
 modules/nixos/server/navidrome.nix  |   3 +-
 modules/nixos/server/nextcloud.nix  |  25 ++-
 modules/nixos/server/paperless.nix  |  12 +-
 secrets/winters/secrets.yaml        |   7 +-
 11 files changed, 338 insertions(+), 180 deletions(-)

diff --git a/SwarselSystems.org b/SwarselSystems.org
index 7bff01f..01aed2f 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -1318,6 +1318,10 @@ This machine mainly acts as an external sync helper. It manages the following th
       };
     };
 
+    hardware = {
+      enableAllFirmware = lib.mkForce false;
+    };
+
     system.stateVersion = "23.11";
 
     services = {
@@ -5096,7 +5100,7 @@ Enable OpenGL, Sound, Bluetooth and various drivers.
 
         keyboard.qmk.enable = true;
 
-        enableAllFirmware = true;
+        enableAllFirmware = lib.mkDefault true;
 
         bluetooth = lib.mkIf config.swarselsystems.hasBluetooth {
           enable = true;
@@ -6856,8 +6860,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
 
 
       hardware = {
-        # opengl.enable = true;
-        enableAllFirmware = true;
+        enableAllFirmware = lib.mkForce true;
       };
 
       networking.firewall.allowedTCPPorts = [ 4040 ];
@@ -7397,29 +7400,40 @@ Here we just define some aliases for rebuilding the system, and we allow some in
 
 #+begin_src nix :tangle modules/nixos/server/nextcloud.nix
   { pkgs, lib, config, ... }:
+  let
+    nextcloudDomain = "stash.swarsel.win";
+  in
   {
     options.swarselsystems.modules.server.nextcloud = lib.mkEnableOption "enable nextcloud on server";
     config = lib.mkIf config.swarselsystems.modules.server.nextcloud {
 
-      sops.secrets.nextcloudadminpass = {
-        owner = "nextcloud";
-        group = "nextcloud";
-        mode = "0440";
+      sops.secrets = {
+        nextcloudadminpass = {
+          owner = "nextcloud";
+          group = "nextcloud";
+          mode = "0440";
+        };
+        kanidm-nextcloud-client = {
+          owner = "nextcloud";
+          group = "nextcloud";
+          mode = "0440";
+        };
       };
 
       services = {
         nextcloud = {
           enable = true;
           package = pkgs.nextcloud31;
-          hostName = "stash.swarsel.win";
+          hostName = nextcloudDomain;
           home = "/Vault/apps/nextcloud";
           datadir = "/Vault/data/nextcloud";
           https = true;
           configureRedis = true;
           maxUploadSize = "4G";
           extraApps = {
-            inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks;
+            inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks sociallogin;
           };
+          extraAppsEnable = true;
           config = {
             adminuser = "admin";
             adminpassFile = config.sops.secrets.nextcloudadminpass.path;
@@ -7429,7 +7443,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
 
         nginx = {
           virtualHosts = {
-            "stash.swarsel.win" = {
+            "${nextcloudDomain}" = {
               enableACME = true;
               forceSSL = true;
               acmeRoot = null;
@@ -7509,6 +7523,10 @@ Here we just define some aliases for rebuilding the system, and we allow some in
 :CUSTOM_ID: h:89638fb5-0593-4420-9567-f85f0223e341
 :END:
 
+This is my personal document management system. It automatically pulls documents from several sources, the only manual step for physical documents is to put them in my scanner and use email delivery.
+
+Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml='s. This is needed for e.g. online services that only send their invoices through email body text.
+
 #+begin_src nix :tangle modules/nixos/server/paperless.nix
   { lib, pkgs, config, ... }:
   {
@@ -7524,7 +7542,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
         kanidm-paperless-client = {
           owner = "paperless";
           group = "paperless";
-          mode = "440";
+          mode = "0440";
         };
       };
 
@@ -7547,7 +7565,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
             };
             PAPERLESS_TIKA_ENABLED = "true";
             PAPERLESS_TIKA_ENDPOINT = "http://localhost:9998";
-            PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3001";
+            PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3002";
             PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
             PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
               openid_connect = {
@@ -7557,7 +7575,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
                     provider_id = "kanidm";
                     name = "Kanidm";
                     client_id = "paperless";
-                    # secret will be added dynamically
+                    # secret will be added by paperless-web.service (see below)
                     #secret = "";
                     settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
                   }
@@ -7577,7 +7595,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
 
         gotenberg = {
           enable = true;
-          port = 3001;
+          port = 3002;
           bindIP = "127.0.0.1";
         };
       };
@@ -7603,6 +7621,10 @@ Here we just define some aliases for rebuilding the system, and we allow some in
                 proxyPass = "http://localhost:28981";
                 extraConfig = ''
                   client_max_body_size    0;
+                  proxy_connect_timeout   300;
+                  proxy_send_timeout      300;
+                  proxy_read_timeout      300;
+                  send_timeout            300;
                 '';
               };
             };
@@ -7971,7 +7993,7 @@ This section exposes several metrics that I use to check the health of my server
         kanidm-grafana-client = {
           owner = "grafana";
           group = "grafana";
-          mode = "440";
+          mode = "0440";
         };
       };
 
@@ -8123,7 +8145,7 @@ This section exposes several metrics that I use to check the health of my server
 
         nginx = {
           virtualHosts = {
-            "status.swarsel.win" = {
+            "${grafanaDomain}" = {
               enableACME = true;
               forceSSL = true;
               acmeRoot = null;
@@ -8299,7 +8321,7 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
         kanidm-forgejo-client = {
           owner = "forgejo";
           group = "forgejo";
-          mode = "440";
+          mode = "0440";
         };
       };
 
@@ -8475,6 +8497,13 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
 
 **** kanidm
 
+The forgejo configuration is a little broken and will show a 500 error when signing in through kanidm. However, when pressing back and refreshing the page, I am logged in. Currently I cannot be bothered to fix this.
+
+A stupid (but simple) way to get the =originUrl= is to simply set any URL there and try to auth using kanidm. Then check the logs (=journalctl -eu kanidm=) and check for the line that says something along the lines of
+  `🚧 [warn]: Invalid OAuth2 redirect_uri (must be an exact match to a redirect-url) - got <your =originURL=>`
+
+To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clientID>/.well-known/oauth-authorization-server, e.g. https://sso.swarsel.win/oauth2/openid/nextcloud/.well-known/oauth-authorization-server, with clienID being the client name as specified in kanidm.
+
 #+begin_src nix :tangle modules/nixos/server/kanidm.nix
   { self, lib, pkgs, config, ... }:
   let
@@ -8494,14 +8523,15 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
       users.groups.kanidm = { };
 
       sops.secrets = {
-        "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
-        "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
-        "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-        "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-        "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-        "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-        "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-        "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+        "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+        "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+        "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+        "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+        "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+        "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+        "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+        "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+        "kanidm-nextcloud" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
       };
 
       services.kanidm = {
@@ -8534,6 +8564,8 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
             "grafana.editors" = { };
             "grafana.admins" = { };
             "grafana.server-admins" = { };
+            "nextcloud.access" = { };
+            "nextcloud.admins" = { };
           };
           persons = {
             swarsel = {
@@ -8545,6 +8577,7 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
                 "paperless.access"
                 "grafana.access"
                 "forgejo.access"
+                "nextcloud.access"
               ];
               displayName = "Swarsel";
             };
@@ -8620,6 +8653,25 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
                   };
                 };
               };
+              nextcloud = {
+                displayName = "Nextcloud";
+                originUrl = " https://stash.swarsel.win/apps/sociallogin/custom_oidc/kanidm";
+                originLanding = "https://stash.swarsel.win/";
+                basicSecretFile = config.sops.secrets.kanidm-nextcloud.path;
+                allowInsecureClientDisablePkce = true;
+                scopeMaps."nextcloud.access" = [
+                  "openid"
+                  "email"
+                  "profile"
+                ];
+                preferShortUsername = true;
+                claimMaps.groups = {
+                  joinType = "array";
+                  valuesByGroup = {
+                    "nextcloud.admins" = [ "admin" ];
+                  };
+                };
+              };
             };
           };
         };
@@ -8629,7 +8681,7 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
 
       services.nginx = {
         virtualHosts = {
-          "sso.swarsel.win" = {
+          "${kanidmDomain}" = {
             enableACME = true;
             forceSSL = true;
             acmeRoot = null;
diff --git a/hosts/nixos/sync/default.nix b/hosts/nixos/sync/default.nix
index 98a6001..25cfd68 100644
--- a/hosts/nixos/sync/default.nix
+++ b/hosts/nixos/sync/default.nix
@@ -48,6 +48,10 @@ in
     };
   };
 
+  hardware = {
+    enableAllFirmware = lib.mkForce false;
+  };
+
   system.stateVersion = "23.11";
 
   services = {
diff --git a/index.html b/index.html
index c5866e6..c2fffe7 100644
--- a/index.html
+++ b/index.html
@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-06-09 Mo 17:22 -->
+<!-- 2025-06-09 Mo 19:11 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configuration</title>
@@ -263,9 +263,9 @@
 <li><a href="#h:7056b9a0-f38b-4bca-b2ba-ab34e2d73493">3.1.4.3. Home-manager only (default non-NixOS)</a></li>
 <li><a href="#h:e1498bef-ec67-483d-bf02-76264e30be8e">3.1.4.4. ChaosTheatre (Demo Physical/VM)</a>
 <ul>
-<li><a href="#org432aefb">3.1.4.4.1. Main configuration</a></li>
-<li><a href="#org88b6a47">3.1.4.4.2. NixOS dummy options configuration</a></li>
-<li><a href="#org0af687b">3.1.4.4.3. home-manager dummy options configuration</a></li>
+<li><a href="#orgb2b8cf0">3.1.4.4.1. Main configuration</a></li>
+<li><a href="#org68ec049">3.1.4.4.2. NixOS dummy options configuration</a></li>
+<li><a href="#org993be50">3.1.4.4.3. home-manager dummy options configuration</a></li>
 </ul>
 </li>
 </ul>
@@ -305,7 +305,7 @@
 <li><a href="#h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0">3.2.1.27. fhs</a></li>
 <li><a href="#h:814d5e7f-4b95-412d-b246-33f888514ec6">3.2.1.28. swarsel-displaypower</a></li>
 <li><a href="#h:799579f3-ddd3-4f76-928a-a8c665980476">3.2.1.29. swarsel-mgba</a></li>
-<li><a href="#orgaa50845">3.2.1.30. sshrm</a></li>
+<li><a href="#org22d3ae9">3.2.1.30. sshrm</a></li>
 </ul>
 </li>
 <li><a href="#h:5e3e21e0-57af-4dad-b32f-6400af9b7aab">3.2.2. Overlays (additions, overrides, nixpkgs-stable)</a></li>
@@ -313,28 +313,28 @@
 <ul>
 <li><a href="#h:14e68518-8ec7-48ec-b208-0e3d6d49954d">3.2.3.1. NixOS</a>
 <ul>
-<li><a href="#org3971cd0">3.2.3.1.1. Personal</a></li>
-<li><a href="#org1521e85">3.2.3.1.2. Chaostheatre</a></li>
-<li><a href="#orgb5b90ba">3.2.3.1.3. toto</a></li>
-<li><a href="#orgfe965eb">3.2.3.1.4. Work</a></li>
-<li><a href="#orgaf8754c">3.2.3.1.5. Framework</a></li>
-<li><a href="#org88ca9f3">3.2.3.1.6. AMD CPU</a></li>
-<li><a href="#org689c495">3.2.3.1.7. AMD GPU</a></li>
-<li><a href="#org0d25b72">3.2.3.1.8. Hibernation</a></li>
-<li><a href="#org2f5a365">3.2.3.1.9. BTRFS</a></li>
-<li><a href="#org0a1567e">3.2.3.1.10. Local Server</a></li>
-<li><a href="#org7a8f611">3.2.3.1.11. OCI Sync Server</a></li>
+<li><a href="#orgb76e417">3.2.3.1.1. Personal</a></li>
+<li><a href="#orgeebc200">3.2.3.1.2. Chaostheatre</a></li>
+<li><a href="#org3a2d170">3.2.3.1.3. toto</a></li>
+<li><a href="#orgd20da99">3.2.3.1.4. Work</a></li>
+<li><a href="#orgd4434b7">3.2.3.1.5. Framework</a></li>
+<li><a href="#org6eab996">3.2.3.1.6. AMD CPU</a></li>
+<li><a href="#orgbf1e084">3.2.3.1.7. AMD GPU</a></li>
+<li><a href="#org0f3b68a">3.2.3.1.8. Hibernation</a></li>
+<li><a href="#org33fa56c">3.2.3.1.9. BTRFS</a></li>
+<li><a href="#org3ce30da">3.2.3.1.10. Local Server</a></li>
+<li><a href="#org7998cbb">3.2.3.1.11. OCI Sync Server</a></li>
 </ul>
 </li>
 <li><a href="#h:ced5841f-c088-4d88-b3a1-7d62aad8837b">3.2.3.2. home-manager</a>
 <ul>
-<li><a href="#orgab7f06f">3.2.3.2.1. Personal</a></li>
-<li><a href="#org39f6866">3.2.3.2.2. Chaostheatre</a></li>
-<li><a href="#org2fd51b7">3.2.3.2.3. toto</a></li>
-<li><a href="#orgf3716ba">3.2.3.2.4. Work</a></li>
-<li><a href="#orga366bb7">3.2.3.2.5. Framework</a></li>
-<li><a href="#orgeadc59a">3.2.3.2.6. Darwin</a></li>
-<li><a href="#orgce7a37e">3.2.3.2.7. Local Server</a></li>
+<li><a href="#org3b47a07">3.2.3.2.1. Personal</a></li>
+<li><a href="#orgb69bb17">3.2.3.2.2. Chaostheatre</a></li>
+<li><a href="#org4e5683b">3.2.3.2.3. toto</a></li>
+<li><a href="#org514d330">3.2.3.2.4. Work</a></li>
+<li><a href="#orgf448b84">3.2.3.2.5. Framework</a></li>
+<li><a href="#org093c33e">3.2.3.2.6. Darwin</a></li>
+<li><a href="#org7978a81">3.2.3.2.7. Local Server</a></li>
 </ul>
 </li>
 </ul>
@@ -379,7 +379,7 @@
 <li><a href="#h:f101daa2-604d-4553-99e2-f64b9c207f51">3.3.1.22.3. enable GVfs</a></li>
 <li><a href="#h:08d213d5-a9f4-4309-8635-ba557b01dc7d">3.3.1.22.4. interception-tools: Make CAPS work as ESC/CTRL</a></li>
 <li><a href="#h:82fbba41-3a46-4db7-aade-49e4c23fc475">3.3.1.22.5. power-profiles-daemon</a></li>
-<li><a href="#org4154b72">3.3.1.22.6. SwayOSD</a></li>
+<li><a href="#org19e1c87">3.3.1.22.6. SwayOSD</a></li>
 </ul>
 </li>
 <li><a href="#h:7a89b5e3-b700-4167-8b14-2b8172f33936">3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules</a>
@@ -431,7 +431,7 @@
 <li><a href="#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d">3.3.2.24. FreshRSS</a></li>
 <li><a href="#h:a9965660-4358-4b9a-8c46-d55f28598344">3.3.2.25. forgejo (git server)</a></li>
 <li><a href="#h:cb3f6552-7751-4f9a-b4c7-8d8ba5b255c4">3.3.2.26. Anki Sync Server</a></li>
-<li><a href="#org82b1fef">3.3.2.27. kanidm</a></li>
+<li><a href="#org9187e63">3.3.2.27. kanidm</a></li>
 </ul>
 </li>
 <li><a href="#h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47">3.3.3. Darwin</a>
@@ -446,11 +446,11 @@
 <li><a href="#h:34db28fb-62f7-4597-a9ff-0de2991a8415">3.3.4.3. VmWare</a></li>
 <li><a href="#h:fa8d9ec4-3e22-458a-9239-859cffe7f55c">3.3.4.4. Auto-login</a></li>
 <li><a href="#h:5c41c4ee-22ca-405b-9e4f-cc4051634edd">3.3.4.5. nswitch-rcm</a></li>
-<li><a href="#org9792fac">3.3.4.6. Framework</a></li>
-<li><a href="#org9d31a20">3.3.4.7. AMD CPU</a></li>
-<li><a href="#org6a134e3">3.3.4.8. AMD GPU</a></li>
-<li><a href="#org75277cf">3.3.4.9. Hibernation</a></li>
-<li><a href="#org6cb6d17">3.3.4.10. BTRFS</a></li>
+<li><a href="#org5a82981">3.3.4.6. Framework</a></li>
+<li><a href="#orga8a179d">3.3.4.7. AMD CPU</a></li>
+<li><a href="#org00ce247">3.3.4.8. AMD GPU</a></li>
+<li><a href="#orgf108079">3.3.4.9. Hibernation</a></li>
+<li><a href="#org5c280d6">3.3.4.10. BTRFS</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.3.4.11. work</a></li>
 <li><a href="#h:3fc1d301-7bae-4678-9085-d12c23eed8ac">3.3.4.12. Minimal Install</a></li>
 </ul>
@@ -499,7 +499,7 @@
 <li><a href="#h:cb812c8a-247c-4ce5-a00c-59332c2f5fb9">3.4.1.29.1. gnome-keyring</a></li>
 <li><a href="#h:be6afd89-9e1e-40b6-8542-5c07a0ab780d">3.4.1.29.2. KDE Connect</a></li>
 <li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.4.1.29.3. Mako</a></li>
-<li><a href="#org539f100">3.4.1.29.4. SwayOSD</a></li>
+<li><a href="#orgdcc7202">3.4.1.29.4. SwayOSD</a></li>
 <li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.4.1.29.5. yubikey-touch-detector</a></li>
 </ul>
 </li>
@@ -524,7 +524,7 @@
 <ul>
 <li><a href="#h:84fd7029-ecb6-4131-9333-289982f24ffa">3.4.4.1. Gaming</a></li>
 <li><a href="#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">3.4.4.2. Work</a></li>
-<li><a href="#org3855d85">3.4.4.3. Framework</a></li>
+<li><a href="#org1fd635e">3.4.4.3. Framework</a></li>
 </ul>
 </li>
 </ul>
@@ -702,7 +702,7 @@
 <ul>
 <li><a href="#h:c1e53aed-fb47-4aff-930c-dc52f3c5dcb8">6.1. Server Emacs config</a></li>
 <li><a href="#h:fc64f42f-e7cf-4829-89f6-2d0d58e04f51">6.2. tridactylrc</a></li>
-<li><a href="#org2a9550f">6.3. tridactyl theme</a></li>
+<li><a href="#orgd553dac">6.3. tridactyl theme</a></li>
 <li><a href="#h:77b1c523-5074-4610-b320-90af95e6134d">6.4. Waybar style.css</a></li>
 <li><a href="#h:788937cf-8816-466b-8e57-1b695cb50f52">6.5. justfile</a></li>
 </ul>
@@ -711,7 +711,7 @@
 </div>
 </div>
 <p>
-<b>This file has 64081 words spanning 16905 lines and was last revised on 2025-06-09 17:22:28 +0200.</b>
+<b>This file has 64380 words spanning 16957 lines and was last revised on 2025-06-09 19:11:36 +0200.</b>
 </p>
 
 <p>
@@ -764,7 +764,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 17:22:28 +0200)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 19:11:36 +0200)
 </p></li>
 </ul>
 
@@ -2297,6 +2297,10 @@ in
     };
   };
 
+  hardware = {
+    enableAllFirmware = lib.mkForce false;
+  };
+
   system.stateVersion = "23.11";
 
   services = {
@@ -2881,8 +2885,8 @@ This is just a demo host. It applies all the configuration found in the common p
 I also set the <code>WLR_RENDERER_ALLOW_SOFTWARE=1</code> to allow this configuration to run in a virtualized environment. I also enable <code>qemuGuest</code> for a smoother experience when testing on QEMU.
 </p>
 </div>
-<div id="outline-container-org432aefb" class="outline-6">
-<h6 id="org432aefb"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
+<div id="outline-container-orgb2b8cf0" class="outline-6">
+<h6 id="orgb2b8cf0"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ self, inputs, config, pkgs, lib, primaryUser, ... }:
@@ -2961,8 +2965,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org88b6a47" class="outline-6">
-<h6 id="org88b6a47"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
+<div id="outline-container-org68ec049" class="outline-6">
+<h6 id="org68ec049"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-2">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@@ -2972,8 +2976,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org0af687b" class="outline-6">
-<h6 id="org0af687b"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
+<div id="outline-container-org993be50" class="outline-6">
+<h6 id="org993be50"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-3">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@@ -4754,8 +4758,8 @@ appimageTools.wrapType2 {
 </div>
 </div>
 </div>
-<div id="outline-container-orgaa50845" class="outline-5">
-<h5 id="orgaa50845"><span class="section-number-5">3.2.1.30.</span> sshrm</h5>
+<div id="outline-container-org22d3ae9" class="outline-5">
+<h5 id="org22d3ae9"><span class="section-number-5">3.2.1.30.</span> sshrm</h5>
 <div class="outline-text-5" id="text-3-2-1-30">
 <p>
 This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually.
@@ -4912,8 +4916,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-org3971cd0" class="outline-6">
-<h6 id="org3971cd0"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
+<div id="outline-container-orgb76e417" class="outline-6">
+<h6 id="orgb76e417"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-1-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -4980,8 +4984,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org1521e85" class="outline-6">
-<h6 id="org1521e85"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
+<div id="outline-container-orgeebc200" class="outline-6">
+<h6 id="orgeebc200"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-1-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5045,8 +5049,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgb5b90ba" class="outline-6">
-<h6 id="orgb5b90ba"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
+<div id="outline-container-org3a2d170" class="outline-6">
+<h6 id="org3a2d170"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-1-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5078,8 +5082,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgfe965eb" class="outline-6">
-<h6 id="orgfe965eb"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
+<div id="outline-container-orgd20da99" class="outline-6">
+<h6 id="orgd20da99"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-1-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5100,8 +5104,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgaf8754c" class="outline-6">
-<h6 id="orgaf8754c"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
+<div id="outline-container-orgd4434b7" class="outline-6">
+<h6 id="orgd4434b7"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-1-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5122,8 +5126,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org88ca9f3" class="outline-6">
-<h6 id="org88ca9f3"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
+<div id="outline-container-org6eab996" class="outline-6">
+<h6 id="org6eab996"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5144,8 +5148,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org689c495" class="outline-6">
-<h6 id="org689c495"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
+<div id="outline-container-orgbf1e084" class="outline-6">
+<h6 id="orgbf1e084"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5166,8 +5170,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org0d25b72" class="outline-6">
-<h6 id="org0d25b72"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
+<div id="outline-container-org0f3b68a" class="outline-6">
+<h6 id="org0f3b68a"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
 <div class="outline-text-6" id="text-3-2-3-1-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5188,8 +5192,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org2f5a365" class="outline-6">
-<h6 id="org2f5a365"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
+<div id="outline-container-org33fa56c" class="outline-6">
+<h6 id="org33fa56c"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
 <div class="outline-text-6" id="text-3-2-3-1-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5210,8 +5214,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org0a1567e" class="outline-6">
-<h6 id="org0a1567e"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
+<div id="outline-container-org3ce30da" class="outline-6">
+<h6 id="org3ce30da"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5264,8 +5268,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org7a8f611" class="outline-6">
-<h6 id="org7a8f611"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
+<div id="outline-container-org7998cbb" class="outline-6">
+<h6 id="org7998cbb"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-11">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5322,8 +5326,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-orgab7f06f" class="outline-6">
-<h6 id="orgab7f06f"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
+<div id="outline-container-org3b47a07" class="outline-6">
+<h6 id="org3b47a07"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-2-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5380,8 +5384,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org39f6866" class="outline-6">
-<h6 id="org39f6866"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
+<div id="outline-container-orgb69bb17" class="outline-6">
+<h6 id="orgb69bb17"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-2-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5433,8 +5437,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org2fd51b7" class="outline-6">
-<h6 id="org2fd51b7"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
+<div id="outline-container-org4e5683b" class="outline-6">
+<h6 id="org4e5683b"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-2-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5454,8 +5458,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgf3716ba" class="outline-6">
-<h6 id="orgf3716ba"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
+<div id="outline-container-org514d330" class="outline-6">
+<h6 id="org514d330"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-2-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5475,8 +5479,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orga366bb7" class="outline-6">
-<h6 id="orga366bb7"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
+<div id="outline-container-orgf448b84" class="outline-6">
+<h6 id="orgf448b84"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-2-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5497,8 +5501,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgeadc59a" class="outline-6">
-<h6 id="orgeadc59a"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
+<div id="outline-container-org093c33e" class="outline-6">
+<h6 id="org093c33e"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
 <div class="outline-text-6" id="text-3-2-3-2-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5516,8 +5520,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgce7a37e" class="outline-6">
-<h6 id="orgce7a37e"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
+<div id="outline-container-org7978a81" class="outline-6">
+<h6 id="org7978a81"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-2-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -6292,7 +6296,7 @@ Enable OpenGL, Sound, Bluetooth and various drivers.
 
       keyboard.qmk.enable = true;
 
-      enableAllFirmware = true;
+      enableAllFirmware = lib.mkDefault true;
 
       bluetooth = lib.mkIf config.swarselsystems.hasBluetooth {
         enable = true;
@@ -7050,8 +7054,8 @@ Most of the time I am using <code>power-saver</code>, however, it is good to be
 </div>
 </div>
 </div>
-<div id="outline-container-org4154b72" class="outline-6">
-<h6 id="org4154b72"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
+<div id="outline-container-org19e1c87" class="outline-6">
+<h6 id="org19e1c87"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-3-1-22-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, pkgs, config, ... }:
@@ -8147,8 +8151,7 @@ in
 
 
     hardware = {
-      # opengl.enable = true;
-      enableAllFirmware = true;
+      enableAllFirmware = lib.mkForce true;
     };
 
     networking.firewall.allowedTCPPorts = [ 4040 ];
@@ -8688,29 +8691,40 @@ in
 <div class="outline-text-5" id="text-h:d11ad8d5-25d7-4691-b319-61c16ccef715">
 <div class="org-src-container">
 <pre class="src src-nix">{ pkgs, lib, config, ... }:
+let
+  nextcloudDomain = "stash.swarsel.win";
+in
 {
   options.swarselsystems.modules.server.nextcloud = lib.mkEnableOption "enable nextcloud on server";
   config = lib.mkIf config.swarselsystems.modules.server.nextcloud {
 
-    sops.secrets.nextcloudadminpass = {
-      owner = "nextcloud";
-      group = "nextcloud";
-      mode = "0440";
+    sops.secrets = {
+      nextcloudadminpass = {
+        owner = "nextcloud";
+        group = "nextcloud";
+        mode = "0440";
+      };
+      kanidm-nextcloud-client = {
+        owner = "nextcloud";
+        group = "nextcloud";
+        mode = "0440";
+      };
     };
 
     services = {
       nextcloud = {
         enable = true;
         package = pkgs.nextcloud31;
-        hostName = "stash.swarsel.win";
+        hostName = nextcloudDomain;
         home = "/Vault/apps/nextcloud";
         datadir = "/Vault/data/nextcloud";
         https = true;
         configureRedis = true;
         maxUploadSize = "4G";
         extraApps = {
-          inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks;
+          inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks sociallogin;
         };
+        extraAppsEnable = true;
         config = {
           adminuser = "admin";
           adminpassFile = config.sops.secrets.nextcloudadminpass.path;
@@ -8720,7 +8734,7 @@ in
 
       nginx = {
         virtualHosts = {
-          "stash.swarsel.win" = {
+          "${nextcloudDomain}" = {
             enableACME = true;
             forceSSL = true;
             acmeRoot = null;
@@ -8800,6 +8814,14 @@ in
 <div id="outline-container-h:89638fb5-0593-4420-9567-f85f0223e341" class="outline-5">
 <h5 id="h:89638fb5-0593-4420-9567-f85f0223e341"><span class="section-number-5">3.3.2.17.</span> paperless</h5>
 <div class="outline-text-5" id="text-h:89638fb5-0593-4420-9567-f85f0223e341">
+<p>
+This is my personal document management system. It automatically pulls documents from several sources, the only manual step for physical documents is to put them in my scanner and use email delivery.
+</p>
+
+<p>
+Also I install Tika and Gotenberg, which are needed to create PDFs out of <code>.eml</code>'s. This is needed for e.g. online services that only send their invoices through email body text.
+</p>
+
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, pkgs, config, ... }:
 {
@@ -8815,7 +8837,7 @@ in
       kanidm-paperless-client = {
         owner = "paperless";
         group = "paperless";
-        mode = "440";
+        mode = "0440";
       };
     };
 
@@ -8838,7 +8860,7 @@ in
           };
           PAPERLESS_TIKA_ENABLED = "true";
           PAPERLESS_TIKA_ENDPOINT = "http://localhost:9998";
-          PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3001";
+          PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3002";
           PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
           PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
             openid_connect = {
@@ -8848,7 +8870,7 @@ in
                   provider_id = "kanidm";
                   name = "Kanidm";
                   client_id = "paperless";
-                  # secret will be added dynamically
+                  # secret will be added by paperless-web.service (see below)
                   #secret = "";
                   settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
                 }
@@ -8868,7 +8890,7 @@ in
 
       gotenberg = {
         enable = true;
-        port = 3001;
+        port = 3002;
         bindIP = "127.0.0.1";
       };
     };
@@ -8894,6 +8916,10 @@ in
               proxyPass = "http://localhost:28981";
               extraConfig = ''
                 client_max_body_size    0;
+                proxy_connect_timeout   300;
+                proxy_send_timeout      300;
+                proxy_read_timeout      300;
+                send_timeout            300;
               '';
             };
           };
@@ -9266,7 +9292,7 @@ in
       kanidm-grafana-client = {
         owner = "grafana";
         group = "grafana";
-        mode = "440";
+        mode = "0440";
       };
     };
 
@@ -9418,7 +9444,7 @@ in
 
       nginx = {
         virtualHosts = {
-          "status.swarsel.win" = {
+          "${grafanaDomain}" = {
             enableACME = true;
             forceSSL = true;
             acmeRoot = null;
@@ -9602,7 +9628,7 @@ in
       kanidm-forgejo-client = {
         owner = "forgejo";
         group = "forgejo";
-        mode = "440";
+        mode = "0440";
       };
     };
 
@@ -9778,9 +9804,22 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org82b1fef" class="outline-5">
-<h5 id="org82b1fef"><span class="section-number-5">3.3.2.27.</span> kanidm</h5>
+<div id="outline-container-org9187e63" class="outline-5">
+<h5 id="org9187e63"><span class="section-number-5">3.3.2.27.</span> kanidm</h5>
 <div class="outline-text-5" id="text-3-3-2-27">
+<p>
+The forgejo configuration is a little broken and will show a 500 error when signing in through kanidm. However, when pressing back and refreshing the page, I am logged in. Currently I cannot be bothered to fix this.
+</p>
+
+<p>
+A stupid (but simple) way to get the <code>originUrl</code> is to simply set any URL there and try to auth using kanidm. Then check the logs (<code>journalctl -eu kanidm</code>) and check for the line that says something along the lines of
+  `🚧 [warn]: Invalid OAuth2 redirect<sub>uri</sub> (must be an exact match to a redirect-url) - got &lt;your =originURL=&gt;`
+</p>
+
+<p>
+To get other URLs (token, etc.), use <a href="https://&lt;kanidmdomain&gt;/oauth2/openid/%3CclientID%3E/.well-known/oauth-authorization-server">https://&lt;kanidmdomain&gt;/oauth2/openid/%3CclientID%3E/.well-known/oauth-authorization-server</a>, e.g. <a href="https://sso.swarsel.win/oauth2/openid/nextcloud/.well-known/oauth-authorization-server">https://sso.swarsel.win/oauth2/openid/nextcloud/.well-known/oauth-authorization-server</a>, with clienID being the client name as specified in kanidm.
+</p>
+
 <div class="org-src-container">
 <pre class="src src-nix">{ self, lib, pkgs, config, ... }:
 let
@@ -9800,14 +9839,15 @@ in
     users.groups.kanidm = { };
 
     sops.secrets = {
-      "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+      "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-nextcloud" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
     };
 
     services.kanidm = {
@@ -9840,6 +9880,8 @@ in
           "grafana.editors" = { };
           "grafana.admins" = { };
           "grafana.server-admins" = { };
+          "nextcloud.access" = { };
+          "nextcloud.admins" = { };
         };
         persons = {
           swarsel = {
@@ -9851,6 +9893,7 @@ in
               "paperless.access"
               "grafana.access"
               "forgejo.access"
+              "nextcloud.access"
             ];
             displayName = "Swarsel";
           };
@@ -9926,6 +9969,25 @@ in
                 };
               };
             };
+            nextcloud = {
+              displayName = "Nextcloud";
+              originUrl = " https://stash.swarsel.win/apps/sociallogin/custom_oidc/kanidm";
+              originLanding = "https://stash.swarsel.win/";
+              basicSecretFile = config.sops.secrets.kanidm-nextcloud.path;
+              allowInsecureClientDisablePkce = true;
+              scopeMaps."nextcloud.access" = [
+                "openid"
+                "email"
+                "profile"
+              ];
+              preferShortUsername = true;
+              claimMaps.groups = {
+                joinType = "array";
+                valuesByGroup = {
+                  "nextcloud.admins" = [ "admin" ];
+                };
+              };
+            };
           };
         };
       };
@@ -9935,7 +9997,7 @@ in
 
     services.nginx = {
       virtualHosts = {
-        "sso.swarsel.win" = {
+        "${kanidmDomain}" = {
           enableACME = true;
           forceSSL = true;
           acmeRoot = null;
@@ -10168,8 +10230,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
 </div>
 </div>
 </div>
-<div id="outline-container-org9792fac" class="outline-5">
-<h5 id="org9792fac"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
+<div id="outline-container-org5a82981" class="outline-5">
+<h5 id="org5a82981"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-3-4-6">
 <p>
 This holds configuration that is specific to framework laptops.
@@ -10207,8 +10269,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org9d31a20" class="outline-5">
-<h5 id="org9d31a20"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
+<div id="outline-container-orga8a179d" class="outline-5">
+<h5 id="orga8a179d"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
 <div class="outline-text-5" id="text-3-3-4-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -10224,8 +10286,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org6a134e3" class="outline-5">
-<h5 id="org6a134e3"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
+<div id="outline-container-org00ce247" class="outline-5">
+<h5 id="org00ce247"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
 <div class="outline-text-5" id="text-3-3-4-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -10247,8 +10309,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org75277cf" class="outline-5">
-<h5 id="org75277cf"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
+<div id="outline-container-orgf108079" class="outline-5">
+<h5 id="orgf108079"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
 <div class="outline-text-5" id="text-3-3-4-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -10279,8 +10341,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org6cb6d17" class="outline-5">
-<h5 id="org6cb6d17"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
+<div id="outline-container-org5c280d6" class="outline-5">
+<h5 id="org5c280d6"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
 <div class="outline-text-5" id="text-3-3-4-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -13228,8 +13290,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org539f100" class="outline-6">
-<h6 id="org539f100"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
+<div id="outline-container-orgdcc7202" class="outline-6">
+<h6 id="orgdcc7202"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-4-1-29-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -14478,8 +14540,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org3855d85" class="outline-5">
-<h5 id="org3855d85"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
+<div id="outline-container-org1fd635e" class="outline-5">
+<h5 id="org1fd635e"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-4-4-3">
 <p>
 This holds configuration that is specific to framework laptops.
@@ -18319,8 +18381,8 @@ autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore
 </div>
 </div>
 </div>
-<div id="outline-container-org2a9550f" class="outline-3">
-<h3 id="org2a9550f"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
+<div id="outline-container-orgd553dac" class="outline-3">
+<h3 id="orgd553dac"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
 <div class="outline-text-3" id="text-6-3">
 <div class="org-src-container">
 <pre class="src src-config">
@@ -18817,7 +18879,7 @@ sync USER HOST:
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-06-09 Mo 17:22</p>
+<p class="date">Created: 2025-06-09 Mo 19:11</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>
diff --git a/modules/nixos/common/hardware.nix b/modules/nixos/common/hardware.nix
index 6badc2a..13ca819 100644
--- a/modules/nixos/common/hardware.nix
+++ b/modules/nixos/common/hardware.nix
@@ -29,7 +29,7 @@
 
       keyboard.qmk.enable = true;
 
-      enableAllFirmware = true;
+      enableAllFirmware = lib.mkDefault true;
 
       bluetooth = lib.mkIf config.swarselsystems.hasBluetooth {
         enable = true;
diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix
index c6ad306..805f6e9 100644
--- a/modules/nixos/server/forgejo.nix
+++ b/modules/nixos/server/forgejo.nix
@@ -19,7 +19,7 @@ in
       kanidm-forgejo-client = {
         owner = "forgejo";
         group = "forgejo";
-        mode = "440";
+        mode = "0440";
       };
     };
 
diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix
index c9bc4ed..c2d60d0 100644
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@@ -16,14 +16,15 @@ in
     users.groups.kanidm = { };
 
     sops.secrets = {
-      "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+      "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-nextcloud" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
     };
 
     services.kanidm = {
@@ -56,6 +57,8 @@ in
           "grafana.editors" = { };
           "grafana.admins" = { };
           "grafana.server-admins" = { };
+          "nextcloud.access" = { };
+          "nextcloud.admins" = { };
         };
         persons = {
           swarsel = {
@@ -67,6 +70,7 @@ in
               "paperless.access"
               "grafana.access"
               "forgejo.access"
+              "nextcloud.access"
             ];
             displayName = "Swarsel";
           };
@@ -142,6 +146,25 @@ in
                 };
               };
             };
+            nextcloud = {
+              displayName = "Nextcloud";
+              originUrl = " https://stash.swarsel.win/apps/sociallogin/custom_oidc/kanidm";
+              originLanding = "https://stash.swarsel.win/";
+              basicSecretFile = config.sops.secrets.kanidm-nextcloud.path;
+              allowInsecureClientDisablePkce = true;
+              scopeMaps."nextcloud.access" = [
+                "openid"
+                "email"
+                "profile"
+              ];
+              preferShortUsername = true;
+              claimMaps.groups = {
+                joinType = "array";
+                valuesByGroup = {
+                  "nextcloud.admins" = [ "admin" ];
+                };
+              };
+            };
           };
         };
       };
@@ -151,7 +174,7 @@ in
 
     services.nginx = {
       virtualHosts = {
-        "sso.swarsel.win" = {
+        "${kanidmDomain}" = {
           enableACME = true;
           forceSSL = true;
           acmeRoot = null;
diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix
index f80f50f..ed21b34 100644
--- a/modules/nixos/server/monitoring.nix
+++ b/modules/nixos/server/monitoring.nix
@@ -16,7 +16,7 @@ in
       kanidm-grafana-client = {
         owner = "grafana";
         group = "grafana";
-        mode = "440";
+        mode = "0440";
       };
     };
 
@@ -168,7 +168,7 @@ in
 
       nginx = {
         virtualHosts = {
-          "status.swarsel.win" = {
+          "${grafanaDomain}" = {
             enableACME = true;
             forceSSL = true;
             acmeRoot = null;
diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix
index 60f6a39..f88cd25 100644
--- a/modules/nixos/server/navidrome.nix
+++ b/modules/nixos/server/navidrome.nix
@@ -30,8 +30,7 @@ in
 
 
     hardware = {
-      # opengl.enable = true;
-      enableAllFirmware = true;
+      enableAllFirmware = lib.mkForce true;
     };
 
     networking.firewall.allowedTCPPorts = [ 4040 ];
diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix
index fa815cb..d5fa06d 100644
--- a/modules/nixos/server/nextcloud.nix
+++ b/modules/nixos/server/nextcloud.nix
@@ -1,27 +1,38 @@
 { pkgs, lib, config, ... }:
+let
+  nextcloudDomain = "stash.swarsel.win";
+in
 {
   options.swarselsystems.modules.server.nextcloud = lib.mkEnableOption "enable nextcloud on server";
   config = lib.mkIf config.swarselsystems.modules.server.nextcloud {
 
-    sops.secrets.nextcloudadminpass = {
-      owner = "nextcloud";
-      group = "nextcloud";
-      mode = "0440";
+    sops.secrets = {
+      nextcloudadminpass = {
+        owner = "nextcloud";
+        group = "nextcloud";
+        mode = "0440";
+      };
+      kanidm-nextcloud-client = {
+        owner = "nextcloud";
+        group = "nextcloud";
+        mode = "0440";
+      };
     };
 
     services = {
       nextcloud = {
         enable = true;
         package = pkgs.nextcloud31;
-        hostName = "stash.swarsel.win";
+        hostName = nextcloudDomain;
         home = "/Vault/apps/nextcloud";
         datadir = "/Vault/data/nextcloud";
         https = true;
         configureRedis = true;
         maxUploadSize = "4G";
         extraApps = {
-          inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks;
+          inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks sociallogin;
         };
+        extraAppsEnable = true;
         config = {
           adminuser = "admin";
           adminpassFile = config.sops.secrets.nextcloudadminpass.path;
@@ -31,7 +42,7 @@
 
       nginx = {
         virtualHosts = {
-          "stash.swarsel.win" = {
+          "${nextcloudDomain}" = {
             enableACME = true;
             forceSSL = true;
             acmeRoot = null;
diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix
index 0ac2d54..72a1cdf 100644
--- a/modules/nixos/server/paperless.nix
+++ b/modules/nixos/server/paperless.nix
@@ -12,7 +12,7 @@
       kanidm-paperless-client = {
         owner = "paperless";
         group = "paperless";
-        mode = "440";
+        mode = "0440";
       };
     };
 
@@ -35,7 +35,7 @@
           };
           PAPERLESS_TIKA_ENABLED = "true";
           PAPERLESS_TIKA_ENDPOINT = "http://localhost:9998";
-          PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3001";
+          PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3002";
           PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
           PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
             openid_connect = {
@@ -45,7 +45,7 @@
                   provider_id = "kanidm";
                   name = "Kanidm";
                   client_id = "paperless";
-                  # secret will be added dynamically
+                  # secret will be added by paperless-web.service (see below)
                   #secret = "";
                   settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
                 }
@@ -65,7 +65,7 @@
 
       gotenberg = {
         enable = true;
-        port = 3001;
+        port = 3002;
         bindIP = "127.0.0.1";
       };
     };
@@ -91,6 +91,10 @@
               proxyPass = "http://localhost:28981";
               extraConfig = ''
                 client_max_body_size    0;
+                proxy_connect_timeout   300;
+                proxy_send_timeout      300;
+                proxy_read_timeout      300;
+                send_timeout            300;
               '';
             };
           };
diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml
index 582508b..cd73b9b 100644
--- a/secrets/winters/secrets.yaml
+++ b/secrets/winters/secrets.yaml
@@ -33,7 +33,9 @@ vpnprot: ENC[AES256_GCM,data:/NV2,iv:wVvlcdisq2PdLeNpaxE7cwBsKEJgoi/MAmWoTgHFMbQ
 vpnloc: ENC[AES256_GCM,data:U8ModKho4vSHnMo9BOE978V6ZlMeQEoLaFW/,iv:Sw06YsWSZ4tGt/TRhRGkU4KdLBcmZTCY4mGqQbpEh7Q=,tag:kDoTkpzXZKEUIa1CSh3Pwg==,type:str]
 #ENC[AES256_GCM,data:yp7ApA4YLSk=,iv:O/SQxKe9EWqExHbeKsTXvbst0pjCxy3yiOjmeCVjmdY=,tag:RMkAOLOLCodnPSDEuImwRw==,type:comment]
 swarseluser: ENC[AES256_GCM,data:XvmOHYFNhb/bAYAZ/kmUWbbmRy/WrxSYri/Y5k+SH4N7ZIjuZDHOkWk93ERFuTb77HvhbPX/NRQraUoJoFsxGGg5co/gJnyfRg==,iv:J50PeDcC4PM3+yQ/YQNb8TW4kubwi2kjjSFU0RVFM30=,tag:ydLYkz1YKyguGZZZD/JcLA==,type:str]
+#ENC[AES256_GCM,data:7UtHAqAZLmzT,iv:xBbdv1aHFrSc5/H6o3VujZdtAN7JwHbpckDcoZ5z78M=,tag:0ZEFJcPa6RIwv+kIgNHj4A==,type:comment]
 nextcloudadminpass: ENC[AES256_GCM,data:ZOCsu4/ijfheBfY9ZR5DBXSB,iv:bNlTLKQblnt2eYJqVgXwCaGAyAw2yhlb9Whsz0LBhm4=,tag:VQAWP/b8IghzXDFLJxXZ4Q==,type:str]
+kanidm-nextcloud-client: ENC[AES256_GCM,data:RJ5XSYvnJS6r2zzs2SOBZYx+GV7EVjB7XQ==,iv:KfinHenUiYgWrZtMBSGTuVUd5aZlfxvM7Rf8ocFv64k=,tag:WiknAlc29ohsLwnBCXzHpQ==,type:str]
 #ENC[AES256_GCM,data:dyEwvFDSvI0=,iv:4LPFthS73mIYQt6MRLBTeNxCwKnJGc7sNFJfZCpMU3Y=,tag:X2mBwG1++2gcFIOi/xIgFA==,type:comment]
 grafanaadminpass: ENC[AES256_GCM,data:TBu0WOdvE+9CAH8EVm8=,iv:/usKOYscSXpo8tiSV/Las9eucBeYnpwG5DM9gJg8bfU=,tag:/LZqwuPWQyjSZURnsqq3hA==,type:str]
 kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,iv:p0y/UyIrFBTvWZKHbfdOSEpbMun7dZ8FyB5W7VS0oSY=,tag:+jKD+d9cRGKJkapGYxUEnw==,type:str]
@@ -53,6 +55,7 @@ kanidm-immich: ENC[AES256_GCM,data:is5Zx9FE9Qb/cajv6ZQU6B/0iKUgbBCp/g==,iv:vBU6w
 kanidm-paperless: ENC[AES256_GCM,data:bJJC20q8aJVzmIMXAHWvOoH652lSCFXDNg==,iv:0ctoPwxzMD1cSpZ7DyjOv9qP+cYt0MJsk2cfuzft3n8=,tag:KX1MtgOvcMxt1QHhAcXWcg==,type:str]
 kanidm-forgejo: ENC[AES256_GCM,data:zw0LcfNJw4q28l1E9q58D9bTKtl/CjGA3w==,iv:fYRGasFiM7PXeP5sWW6whj10CUKIqCfhIYQCNZjxQGo=,tag:sxQJa+ItPA+L3keWZ34SJA==,type:str]
 kanidm-grafana: ENC[AES256_GCM,data:61PEA1fBcaRy8+x0dn9WrH9P0D+NOkbeZw==,iv:kbR3JWzHsmsef+VlFGciZmyforxJCdvzHijvGFvFwpk=,tag:K+6baLIKy0L37KrJEQUgPg==,type:str]
+kanidm-nextcloud: ENC[AES256_GCM,data:9FjsOzBos18ouHBeuzrzHIpCDowFt0Aktw==,iv:iqUQUsWsO5N+KZqHyqNxMxSija/yPrrrAqvz4b1NG1M=,tag:/WC3wg/eYXV3hLJPRVWLog==,type:str]
 sops:
     age:
         - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
@@ -64,8 +67,8 @@ sops:
             MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
             qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-09T14:21:21Z"
-    mac: ENC[AES256_GCM,data:6CPsA5krx40G1FoKNQsOFvw3KPX5orSmtYeXeLj0PuDP6l+Pus6LNGxhMyLkL5b/QUx/48ocFwFguRjvREH/qh7K0p6+QJgcJHzE7VLAQw7vZA9m2MB3d3z4LlC7YSUrqlTd67BOt68Jdf1/jpvf71YYcWMC1v1pcVmsoQTR4S4=,iv:ZqO+gqrJLp/XgLzyxE3/zV6Ef9HY2ICgd5vX1CSDVGs=,tag:zsP2y46vscb9xnfWIwiPKw==,type:str]
+    lastmodified: "2025-06-09T16:04:54Z"
+    mac: ENC[AES256_GCM,data:ggq/mHOw4kaIalgVNI9YASGewzOwR8+DxhvuuOLo3L4Qnn71/HtXkYnKPMm+Ip58AJi7yH5adNOP2q7MZ/wlG/Ygg95PiM/dBso7l79suycrBo+Zz2bGwUjnT6d35Sz2lqsAIDZgpSwk2M51FjivVXD+Un0aWlt/dj5XOwBhlnU=,iv:WRuIlZ1zc+ITNC4R4Zn2ORy7G2hRFnlEBvnjts4n+RE=,tag:wduo+u6Kjm3LyvkLO8OG+w==,type:str]
     pgp:
         - created_at: "2024-12-17T16:24:32Z"
           enc: |-