chore: general cleanup

2025-12-06 09:07:21 +01:00 · 2025-06-16 23:02:57 +02:00 · 2025-06-16 23:02:57 +02:00 · b69ff8e50d
commit b69ff8e50d
parent 266ad63ceb
14 changed files with 709 additions and 548 deletions
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@ -1623,16 +1623,6 @@ This machine mainly acts as an external sync helper. It manages the following th
              devices = [ "winters" "magicant" "${workHostName}" ];
              id = "hgp9s-fyq3p";
            };
            ".elfeed" = {
              path = "/sync/elfeed";
              type = "receiveonly";
              versioning = {
                type = "simple";
                params.keep = "5";
              };
              devices = [ "winters" ];
              id = "h7xbs-fs9v1";
            };
            "Documents" = {
              path = "/sync/Documents";
              type = "receiveonly";
@ -4685,6 +4675,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
            navidrome = lib.mkDefault true;
            spotifyd = lib.mkDefault true;
            mpd = lib.mkDefault true;
            postgresql = lib.mkDefault true;
            matrix = lib.mkDefault true;
            nextcloud = lib.mkDefault true;
            immich = lib.mkDefault true;
@ -7722,8 +7713,6 @@ Here we just define some aliases for rebuilding the system, and we allow some in
        lego
      ];
      # users.users.acme = {};
      sops = {
        # secrets.dnstokenfull = { owner = "acme"; };
        secrets.dnstokenfull = { };
@ -7836,6 +7825,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
        user = serviceUser;
        settings.Port = servicePort;
        tokenKeyFile = config.sops.secrets.kavita.path;
        dataDir = "/Vault/data/kavita";
      };
      nodes.moonside.services.nginx = {
@ -7960,7 +7950,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
      users = {
        groups = {
-          "$(serviceGroup}" = {
+          "${serviceGroup}" = {
            gid = 61593;
          };
        };
@ -7990,6 +7980,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
          Port = servicePort;
          MusicFolder = "/Vault/Eternor/Music";
          PlaylistsPath = "./Playlists";
          AutoImportPlaylists = false;
          EnableSharing = true;
          EnableTranscodingConfig = true;
          Scanner.GroupAlbumReleases = true;
@ -8016,6 +8007,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
          };
          UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
          UIWelcomeMessage = "~SwarselSound~";
          EnableInsightsCollector = false;
        };
      };
@ -8218,13 +8210,35 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
  }
 #+end_src
 **** postgresql
 #+begin_src nix :tangle modules/nixos/server/postgresql.nix
  { config, lib, pkgs, ... }:
  let
    serviceName = "postgresql";
    postgresVersion = 14;
  in
  {
    options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
    config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
      services = {
        postgresql = {
          enable = true;
          package = pkgs."postgresql_${builtins.toString postgresVersion}";
          dataDir = "/Vault/data/postgresql/${builtins.toString postgresVersion}";
        };
      };
    };
  }
 #+end_src
 **** matrix
 :PROPERTIES:
 :CUSTOM_ID: h:1e68d84a-8f99-422f-89ac-78f664ac0013
 :END:
 #+begin_src nix :tangle modules/nixos/server/matrix.nix
-  { config, lib, pkgs, sops, ... }:
+  { lib, config, pkgs, ... }:
  let
    matrixDomain = "swatrix.swarsel.win";
    serviceName = "matrix";
@ -8342,12 +8356,16 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
        matrix-synapse = {
          enable = true;
          dataDir = "/Vault/data/matrix-synapse";
          settings = {
-            app_service_config_files = [
+            app_service_config_files = let
-              "/var/lib/matrix-synapse/telegram-registration.yaml"
+              inherit (config.services.matrix-synapse) dataDir;
-              "/var/lib/matrix-synapse/whatsapp-registration.yaml"
+            in
-              "/var/lib/matrix-synapse/signal-registration.yaml"
+              [
-              "/var/lib/matrix-synapse/doublepuppet.yaml"
+              "${dataDir}/telegram-registration.yaml"
              "${dataDir}/whatsapp-registration.yaml"
              "${dataDir}/signal-registration.yaml"
              "${dataDir}/doublepuppet.yaml"
            ];
            server_name = matrixDomain;
            public_baseurl = "https://${matrixDomain}";
@ -8602,7 +8620,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
          };
          package = pkgs.nextcloud31;
          hostName = serviceDomain;
-          home = "/Vault/apps/nextcloud";
+          home = "/Vault/data/nextcloud";
          datadir = "/Vault/data/nextcloud";
          https = true;
          configureRedis = true;
@ -8672,7 +8690,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
        host = "0.0.0.0";
        port = servicePort;
        openFirewall = true;
-        mediaLocation = "/Vault/Eternor/Immich";
+        mediaLocation = "/Vault/Eternor/Immich"; # dataDir
        environment = {
          IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
        };
@ -8866,6 +8884,21 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
  { self, pkgs, lib, config, ... }:
  let
    serviceDomain = "store.swarsel.win";
    lidarrUser = "lidarr";
    lidarrGroup = lidarrUser;
    lidarrPort = 8686;
    radarrUser = "radarr";
    radarrGroup = radarrUser;
    radarrPort = 7878;
    sonarrUser = "sonarr";
    sonarrGroup = sonarrUser;
    sonarrPort = 8989;
    readarrUser = "readarr";
    readarrGroup = readarrUser;
    readarrPort = 8787;
    prowlarrUser = "prowlarr";
    prowlarrGroup = prowlarrUser;
    prowlarrPort = 9696;
  in
  {
    options.swarselsystems.modules.server.transmission = lib.mkEnableOption "enable transmission and friends on server";
@ -8877,11 +8910,11 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
          dockeruser = {
            gid = 1155;
          };
-          radarr = { };
+          "${radarrGroup}" = { };
-          readarr = { };
+          "${readarrGroup}" = { };
-          sonarr = { };
+          "${sonarrGroup}" = { };
-          lidarr = { };
+          "${lidarrGroup}" = { };
-          prowlarr = { };
+          "${prowlarrGroup}" = { };
        };
        users = {
          dockeruser = {
@ -8890,29 +8923,29 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
            group = "docker";
            extraGroups = [ "users" ];
          };
-          radarr = {
+          "${radarrUser}" = {
            isSystemUser = true;
-            group = "radarr";
+            group = radarrGroup;
            extraGroups = [ "users" ];
          };
-          readarr = {
+          "${readarrGroup}" = {
            isSystemUser = true;
-            group = "readarr";
+            group = readarrGroup;
            extraGroups = [ "users" ];
          };
-          sonarr = {
+          "${sonarrGroup}" = {
            isSystemUser = true;
-            group = "sonarr";
+            group = sonarrGroup;
            extraGroups = [ "users" ];
          };
-          lidarr = {
+          "${lidarrUser}" = {
            isSystemUser = true;
-            group = "lidarr";
+            group = lidarrGroup;
            extraGroups = [ "users" ];
          };
-          prowlarr = {
+          "${prowlarrGroup}" = {
            isSystemUser = true;
-            group = "prowlarr";
+            group = prowlarrGroup;
            extraGroups = [ "users" ];
          };
        };
@ -8938,32 +8971,45 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
      services = {
        radarr = {
          enable = true;
          user = radarrUser;
          group = radarrGroup;
          settings.server.port = radarrPort;
          openFirewall = true;
-          dataDir = "/Vault/apps/radarr";
+          dataDir = "/Vault/data/radarr";
        };
        readarr = {
          enable = true;
          user = readarrUser;
          group = readarrGroup;
          settings.server.port = readarrPort;
          openFirewall = true;
-          dataDir = "/Vault/apps/readarr";
+          dataDir = "/Vault/data/readarr";
        };
        sonarr = {
          enable = true;
          user = sonarrUser;
          group = sonarrGroup;
          settings.server.port = sonarrPort;
          openFirewall = true;
-          dataDir = "/Vault/apps/sonarr";
+          dataDir = "/Vault/data/sonarr";
        };
        lidarr = {
          enable = true;
          user = lidarrUser;
          group = lidarrGroup;
          settings.server.port = lidarrPort;
          openFirewall = true;
-          dataDir = "/Vault/apps/lidarr";
+          dataDir = "/Vault/data/lidarr";
        };
        prowlarr = {
          enable = true;
          settings.server.port = prowlarrPort;
          openFirewall = true;
        };
        nginx = {
          virtualHosts = {
-            "store.swarsel.win" = {
+            "${serviceDomain}" = {
              enableACME = false;
              forceSSL = false;
              acmeRoot = null;
@ -8975,31 +9021,31 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
                  '';
                };
                "/radarr" = {
-                  proxyPass = "http://localhost:7878";
+                  proxyPass = "http://localhost:${builtins.toString radarrPort}";
                  extraConfig = ''
                    client_max_body_size    0;
                  '';
                };
                "/readarr" = {
-                  proxyPass = "http://localhost:8787";
+                  proxyPass = "http://localhost:${builtins.toString readarrPort}";
                  extraConfig = ''
                    client_max_body_size    0;
                  '';
                };
                "/sonarr" = {
-                  proxyPass = "http://localhost:8989";
+                  proxyPass = "http://localhost:${builtins.toString sonarrPort}";
                  extraConfig = ''
                    client_max_body_size    0;
                  '';
                };
                "/lidarr" = {
-                  proxyPass = "http://localhost:8686";
+                  proxyPass = "http://localhost:${builtins.toString lidarrPort}";
                  extraConfig = ''
                    client_max_body_size    0;
                  '';
                };
                "/prowlarr" = {
-                  proxyPass = "http://localhost:9696";
+                  proxyPass = "http://localhost:${builtins.toString prowlarrPort}";
                  extraConfig = ''
                    client_max_body_size    0;
                  '';
@ -9048,7 +9094,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
        user = serviceUser;
        group = serviceGroup;
        dataDir = "/Vault/data/syncthing";
-        configDir = "/Vault/apps/syncthing";
+        configDir = "/Vault/data/syncthing/.config/syncthing";
        guiAddress = "0.0.0.0:${builtins.toString servicePort}";
        openDefaultPorts = true; # opens ports TCP/UDP 22000 and UDP 21027 for discovery
        relay.enable = false;
@ -9106,16 +9152,16 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
              devices = [ "sync (@oracle)" "magicant" "${workHostName}" "moonside (@oracle)" ];
              id = "hgp9s-fyq3p";
            };
-            "Documents" = {
+            # "Documents" = {
-              path = "/Vault/data/syncthing/Documents";
+            #   path = "/Vault/data/syncthing/Documents";
-              type = "receiveonly";
+            #   type = "receiveonly";
-              versioning = {
+            #   versioning = {
-                type = "simple";
+            #     type = "simple";
-                params.keep = "5";
+            #     params.keep = "5";
-              };
+            #   };
-              devices = [ "magicant" "${workHostName}" "moonside (@oracle)" ];
+            #   devices = [ "magicant" "${workHostName}" "moonside (@oracle)" ];
-              id = "hgr3d-pfu3w";
+            #   id = "hgr3d-pfu3w";
-            };
+            # };
          };
        };
      };
@ -9188,7 +9234,6 @@ This manages backups for my pictures and obsidian files.
              "/Vault/Eternor/Paperless"
              "/Vault/Eternor/Bilder"
              "/Vault/Eternor/Immich"
              "/Vault/familymedia"
            ];
            pruneOpts = [
              "--keep-daily 3"
--- a/hosts/nixos/moonside/default.nix
+++ b/hosts/nixos/moonside/default.nix
@ -167,16 +167,6 @@ in
            devices = [ "winters" "magicant" "${workHostName}" ];
            id = "hgp9s-fyq3p";
          };
          ".elfeed" = {
            path = "/sync/elfeed";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "winters" ];
            id = "h7xbs-fs9v1";
          };
          "Documents" = {
            path = "/sync/Documents";
            type = "receiveonly";
--- a/index.html
+++ b/index.html
--- a/modules/nixos/server/immich.nix
+++ b/modules/nixos/server/immich.nix
@ -20,7 +20,7 @@ in
      host = "0.0.0.0";
      port = servicePort;
      openFirewall = true;
-      mediaLocation = "/Vault/Eternor/Immich";
+      mediaLocation = "/Vault/Eternor/Immich"; # dataDir
      environment = {
        IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
      };
--- a/modules/nixos/server/kavita.nix
+++ b/modules/nixos/server/kavita.nix
@ -31,6 +31,7 @@ in
      user = serviceUser;
      settings.Port = servicePort;
      tokenKeyFile = config.sops.secrets.kavita.path;
      dataDir = "/Vault/data/kavita";
    };
    nodes.moonside.services.nginx = {
--- a/modules/nixos/server/matrix.nix
+++ b/modules/nixos/server/matrix.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, sops, ... }:
+{ lib, config, pkgs, ... }:
 let
  matrixDomain = "swatrix.swarsel.win";
  serviceName = "matrix";
@ -116,12 +116,17 @@ in
      matrix-synapse = {
        enable = true;
        dataDir = "/Vault/data/matrix-synapse";
        settings = {
-          app_service_config_files = [
+          app_service_config_files =
-            "/var/lib/matrix-synapse/telegram-registration.yaml"
+            let
-            "/var/lib/matrix-synapse/whatsapp-registration.yaml"
+              inherit (config.services.matrix-synapse) dataDir;
-            "/var/lib/matrix-synapse/signal-registration.yaml"
+            in
-            "/var/lib/matrix-synapse/doublepuppet.yaml"
+            [
              "${dataDir}/telegram-registration.yaml"
              "${dataDir}/whatsapp-registration.yaml"
              "${dataDir}/signal-registration.yaml"
              "${dataDir}/doublepuppet.yaml"
            ];
          server_name = matrixDomain;
          public_baseurl = "https://${matrixDomain}";
--- a/modules/nixos/server/navidrome.nix
+++ b/modules/nixos/server/navidrome.nix
@ -17,7 +17,7 @@ in
    users = {
      groups = {
-        "$(serviceGroup}" = {
+        "${serviceGroup}" = {
          gid = 61593;
        };
      };
@ -47,6 +47,7 @@ in
        Port = servicePort;
        MusicFolder = "/Vault/Eternor/Music";
        PlaylistsPath = "./Playlists";
        AutoImportPlaylists = false;
        EnableSharing = true;
        EnableTranscodingConfig = true;
        Scanner.GroupAlbumReleases = true;
@ -73,6 +74,7 @@ in
        };
        UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
        UIWelcomeMessage = "~SwarselSound~";
        EnableInsightsCollector = false;
      };
    };
--- a/modules/nixos/server/nextcloud.nix
+++ b/modules/nixos/server/nextcloud.nix
@ -31,7 +31,7 @@ in
        };
        package = pkgs.nextcloud31;
        hostName = serviceDomain;
-        home = "/Vault/apps/nextcloud";
+        home = "/Vault/data/nextcloud";
        datadir = "/Vault/data/nextcloud";
        https = true;
        configureRedis = true;
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
@ -6,8 +6,6 @@
      lego
    ];
    # users.users.acme = {};
    sops = {
      # secrets.dnstokenfull = { owner = "acme"; };
      secrets.dnstokenfull = { };
--- a/modules/nixos/server/postgresql.nix
+++ b/modules/nixos/server/postgresql.nix
@ -0,0 +1,17 @@
 { config, lib, pkgs, ... }:
 let
  serviceName = "postgresql";
  postgresVersion = 14;
 in
 {
  options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
    services = {
      postgresql = {
        enable = true;
        package = pkgs."postgresql_${builtins.toString postgresVersion}";
        dataDir = "/Vault/data/postgresql/${builtins.toString postgresVersion}";
      };
    };
  };
 }
--- a/modules/nixos/server/restic.nix
+++ b/modules/nixos/server/restic.nix
@ -30,7 +30,6 @@ in
            "/Vault/Eternor/Paperless"
            "/Vault/Eternor/Bilder"
            "/Vault/Eternor/Immich"
            "/Vault/familymedia"
          ];
          pruneOpts = [
            "--keep-daily 3"
--- a/modules/nixos/server/syncthing.nix
+++ b/modules/nixos/server/syncthing.nix
@ -26,7 +26,7 @@ in
      user = serviceUser;
      group = serviceGroup;
      dataDir = "/Vault/data/syncthing";
-      configDir = "/Vault/apps/syncthing";
+      configDir = "/Vault/data/syncthing/.config/syncthing";
      guiAddress = "0.0.0.0:${builtins.toString servicePort}";
      openDefaultPorts = true; # opens ports TCP/UDP 22000 and UDP 21027 for discovery
      relay.enable = false;
@ -84,16 +84,16 @@ in
            devices = [ "sync (@oracle)" "magicant" "${workHostName}" "moonside (@oracle)" ];
            id = "hgp9s-fyq3p";
          };
-          "Documents" = {
+          # "Documents" = {
-            path = "/Vault/data/syncthing/Documents";
+          #   path = "/Vault/data/syncthing/Documents";
-            type = "receiveonly";
+          #   type = "receiveonly";
-            versioning = {
+          #   versioning = {
-              type = "simple";
+          #     type = "simple";
-              params.keep = "5";
+          #     params.keep = "5";
-            };
+          #   };
-            devices = [ "magicant" "${workHostName}" "moonside (@oracle)" ];
+          #   devices = [ "magicant" "${workHostName}" "moonside (@oracle)" ];
-            id = "hgr3d-pfu3w";
+          #   id = "hgr3d-pfu3w";
-          };
+          # };
        };
      };
    };
--- a/modules/nixos/server/transmission.nix
+++ b/modules/nixos/server/transmission.nix
@ -1,6 +1,21 @@
 { self, pkgs, lib, config, ... }:
 let
  serviceDomain = "store.swarsel.win";
  lidarrUser = "lidarr";
  lidarrGroup = lidarrUser;
  lidarrPort = 8686;
  radarrUser = "radarr";
  radarrGroup = radarrUser;
  radarrPort = 7878;
  sonarrUser = "sonarr";
  sonarrGroup = sonarrUser;
  sonarrPort = 8989;
  readarrUser = "readarr";
  readarrGroup = readarrUser;
  readarrPort = 8787;
  prowlarrUser = "prowlarr";
  prowlarrGroup = prowlarrUser;
  prowlarrPort = 9696;
 in
 {
  options.swarselsystems.modules.server.transmission = lib.mkEnableOption "enable transmission and friends on server";
@ -12,11 +27,11 @@ in
        dockeruser = {
          gid = 1155;
        };
-        radarr = { };
+        "${radarrGroup}" = { };
-        readarr = { };
+        "${readarrGroup}" = { };
-        sonarr = { };
+        "${sonarrGroup}" = { };
-        lidarr = { };
+        "${lidarrGroup}" = { };
-        prowlarr = { };
+        "${prowlarrGroup}" = { };
      };
      users = {
        dockeruser = {
@ -25,29 +40,29 @@ in
          group = "docker";
          extraGroups = [ "users" ];
        };
-        radarr = {
+        "${radarrUser}" = {
          isSystemUser = true;
-          group = "radarr";
+          group = radarrGroup;
          extraGroups = [ "users" ];
        };
-        readarr = {
+        "${readarrGroup}" = {
          isSystemUser = true;
-          group = "readarr";
+          group = readarrGroup;
          extraGroups = [ "users" ];
        };
-        sonarr = {
+        "${sonarrGroup}" = {
          isSystemUser = true;
-          group = "sonarr";
+          group = sonarrGroup;
          extraGroups = [ "users" ];
        };
-        lidarr = {
+        "${lidarrUser}" = {
          isSystemUser = true;
-          group = "lidarr";
+          group = lidarrGroup;
          extraGroups = [ "users" ];
        };
-        prowlarr = {
+        "${prowlarrGroup}" = {
          isSystemUser = true;
-          group = "prowlarr";
+          group = prowlarrGroup;
          extraGroups = [ "users" ];
        };
      };
@ -73,32 +88,45 @@ in
    services = {
      radarr = {
        enable = true;
        user = radarrUser;
        group = radarrGroup;
        settings.server.port = radarrPort;
        openFirewall = true;
-        dataDir = "/Vault/apps/radarr";
+        dataDir = "/Vault/data/radarr";
      };
      readarr = {
        enable = true;
        user = readarrUser;
        group = readarrGroup;
        settings.server.port = readarrPort;
        openFirewall = true;
-        dataDir = "/Vault/apps/readarr";
+        dataDir = "/Vault/data/readarr";
      };
      sonarr = {
        enable = true;
        user = sonarrUser;
        group = sonarrGroup;
        settings.server.port = sonarrPort;
        openFirewall = true;
-        dataDir = "/Vault/apps/sonarr";
+        dataDir = "/Vault/data/sonarr";
      };
      lidarr = {
        enable = true;
        user = lidarrUser;
        group = lidarrGroup;
        settings.server.port = lidarrPort;
        openFirewall = true;
-        dataDir = "/Vault/apps/lidarr";
+        dataDir = "/Vault/data/lidarr";
      };
      prowlarr = {
        enable = true;
        settings.server.port = prowlarrPort;
        openFirewall = true;
      };
      nginx = {
        virtualHosts = {
-          "store.swarsel.win" = {
+          "${serviceDomain}" = {
            enableACME = false;
            forceSSL = false;
            acmeRoot = null;
@ -110,31 +138,31 @@ in
                '';
              };
              "/radarr" = {
-                proxyPass = "http://localhost:7878";
+                proxyPass = "http://localhost:${builtins.toString radarrPort}";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
              "/readarr" = {
-                proxyPass = "http://localhost:8787";
+                proxyPass = "http://localhost:${builtins.toString readarrPort}";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
              "/sonarr" = {
-                proxyPass = "http://localhost:8989";
+                proxyPass = "http://localhost:${builtins.toString sonarrPort}";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
              "/lidarr" = {
-                proxyPass = "http://localhost:8686";
+                proxyPass = "http://localhost:${builtins.toString lidarrPort}";
                extraConfig = ''
                  client_max_body_size    0;
                '';
              };
              "/prowlarr" = {
-                proxyPass = "http://localhost:9696";
+                proxyPass = "http://localhost:${builtins.toString prowlarrPort}";
                extraConfig = ''
                  client_max_body_size    0;
                '';
--- a/profiles/nixos/localserver/default.nix
+++ b/profiles/nixos/localserver/default.nix
@ -24,6 +24,7 @@
          navidrome = lib.mkDefault true;
          spotifyd = lib.mkDefault true;
          mpd = lib.mkDefault true;
          postgresql = lib.mkDefault true;
          matrix = lib.mkDefault true;
          nextcloud = lib.mkDefault true;
          immich = lib.mkDefault true;