feat: add slink

chore: flake cleanup
2025-12-06 09:07:21 +01:00 · 2025-07-17 22:34:07 +02:00 · 2025-07-17 21:50:14 +02:00
25 changed files with 500 additions and 436 deletions
--- a/.github/README.md
+++ b/.github/README.md
@ -122,13 +122,13 @@ Alternatively, to install this from any NixOS live ISO, run `nix run --experimen
 ### Services
 | Topic                 | Program                                                                                                             |
-|-----------------------|---------------------------------|
+|-----------------------|---------------------------------------------------------------------------------------------------------------------|
 |📖 **Books**           |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                           |
 |📼 **Videos**          | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                        |
 |🎵 **Music**           | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
 |🗨️ **Messaging**       | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix)                            |
 |📁 **Filesharing**     | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix)                      |
-|📷 **Photos**          | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                         |
+|🎞️ **Photos**          | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                            |
 |📄 **Documents**       | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix)                      |
 |🔄 **File Sync**       | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix)                      |
 |💾 **Backups**         | [Restic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/restic.nix)                            |
@ -143,6 +143,7 @@ Alternatively, to install this from any NixOS live ISO, run `nix run --experimen
 |📅 **CalDav/CardDav**  | [Radicale](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/radicale.nix)                        |
 |↔️ **P2P Filesharing** | [Croc](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/croc.nix)                                |
 |✂️ **Paste Tool**      | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                        |
 |📸 **Image Sharing**   | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                              |
 |🔗 **Link Shortener**  | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                            |
 ### Hosts
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@ -269,13 +269,13 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 #+begin_src markdown :tangle no :noweb-ref services
  | Topic                 | Program                                                                                                             |
-  |-----------------------|---------------------------------|
+  |-----------------------|---------------------------------------------------------------------------------------------------------------------|
  |📖 **Books**           |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                           |
  |📼 **Videos**          | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                        |
  |🎵 **Music**           | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
  |🗨️ **Messaging**       | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix)                            |
  |📁 **Filesharing**     | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix)                      |
-  |📷 **Photos**          | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                         |
+  |🎞️ **Photos**          | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                            |
  |📄 **Documents**       | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix)                      |
  |🔄 **File Sync**       | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix)                      |
  |💾 **Backups**         | [Restic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/restic.nix)                            |
@ -290,6 +290,7 @@ Here I give a brief overview over the hostmachines that I am using. This is held
  |📅 **CalDav/CardDav**  | [Radicale](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/radicale.nix)                        |
  |↔️ **P2P Filesharing** | [Croc](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/croc.nix)                                |
  |✂️ **Paste Tool**      | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                        |
  |📸 **Image Sharing**   | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                              |
  |🔗 **Link Shortener**  | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                            |
 #+end_src
@ -840,9 +841,12 @@ The rest of the outputs either define or help define the actual configurations:
                };
                swarselprofiles = {
-                  minimal = lib.mkIf minimal true;
+                  minimal = lib.mkIf minimal (lib.mkDefault true);
                };
                swarselsystems = {
                  mainUser = lib.mkDefault "swarsel";
                };
              }
            ];
          };
@ -2028,13 +2032,7 @@ My personal laptop.
  { self, config, inputs, lib, minimal, ... }:
  let
    primaryUser = config.swarselsystems.mainUser;
-    sharedOptions = {
+    sharedOptions = { };
      isLaptop = true;
      isNixos = true;
      isBtrfs = true;
      isLinux = true;
      sharescreen = "eDP-1";
    };
  in
  {
@ -2048,12 +2046,18 @@ My personal laptop.
    swarselprofiles = {
      reduced = lib.mkIf (!minimal) true;
        minimal = lib.mkIf minimal true;
      btrfs = true;
    };
    swarselsystems = lib.recursiveUpdate
      {
        isLaptop = true;
        isNixos = true;
        isBtrfs = true;
        isLinux = true;
        lowResolution = "1280x800";
        highResolution = "1920x1080";
        sharescreen = "eDP-1";
        info = "Lenovo ThinkPad";
        firewall = lib.mkForce true;
        wallpaper = self + /files/wallpaper/lenovowp.png;
@ -2070,15 +2074,8 @@ My personal laptop.
      sharedOptions;
    home-manager.users."${primaryUser}" = {
      swarselprofiles = {
        reduced = lib.mkIf (!minimal) true;
        minimal = lib.mkIf minimal true;
      };
      # home.stateVersion = lib.mkForce "23.05";
-      swarselsystems = lib.recursiveUpdate
+      swarselsystems = {
        {
          lowResolution = "1280x800";
          highResolution = "1920x1080";
        monitors = {
          main = {
            name = "LG Display 0x04EF Unknown";
@ -2089,8 +2086,7 @@ My personal laptop.
            output = "eDP-1";
          };
        };
-        }
+      };
        sharedOptions;
    };
  }
@ -2270,15 +2266,7 @@ This is my main server that I run at home. It handles most tasks that require bi
 :CUSTOM_ID: h:8ad68406-4a75-45ba-97ad-4c310b921124
 :END:
 #+begin_src nix-ts :tangle hosts/nixos/winters/default.nix
-  { lib, config, ... }:
+  { config, ... }:
  let
    primaryUser = config.swarselsystems.mainUser;
    sharedOptions = {
      isBtrfs = false;
      isLinux = true;
      isNixos = true;
    };
  in
  {
    imports = [
@ -2302,21 +2290,17 @@ This is my main server that I run at home. It handles most tasks that require bi
    swarselprofiles = {
      server.local = true;
    };
-    swarselsystems = lib.recursiveUpdate
+
-      {
+    swarselsystems = {
      info = "ASRock J4105-ITX, 32GB RAM";
      isImpermanence = false;
      isSecureBoot = true;
      isCrypted = true;
-      }
+      isBtrfs = false;
-      sharedOptions;
+      isLinux = true;
-
+      isNixos = true;
    home-manager.users."${primaryUser}" = {
      home.stateVersion = lib.mkForce "23.05";
      swarselsystems = lib.recursiveUpdate
        { }
        sharedOptions;
    };
  }
@ -2492,15 +2476,7 @@ This machine mainly acts as an external sync helper. It manages the following th
 :END:
 #+begin_src nix-ts :tangle hosts/nixos/milkywell/default.nix
-  { lib, config, minimal, ... }:
+  { lib, minimal, ... }:
  let
    primaryUser = config.swarselsystems.mainUser;
    sharedOptions = {
      isBtrfs = true;
      isLinux = true;
      isNixos = true;
    };
  in
  {
    imports = [
      ./hardware-configuration.nix
@ -2527,8 +2503,7 @@ This machine mainly acts as an external sync helper. It manages the following th
      minimal = lib.mkIf minimal true;
      server.syncserver = true;
    };
-    swarselsystems = lib.recursiveUpdate
+    swarselsystems = {
      {
      info = "VM.Standard.E2.1.Micro";
      isImpermanence = true;
      isSecureBoot = false;
@ -2536,13 +2511,9 @@ This machine mainly acts as an external sync helper. It manages the following th
      isSwap = true;
      rootDisk = "/dev/sda";
      swapSize = "4G";
-      }
+      isBtrfs = true;
-      sharedOptions;
+      isLinux = true;
-
+      isNixos = true;
    home-manager.users."${primaryUser}" = {
      swarselsystems = lib.recursiveUpdate
        { }
        sharedOptions;
    };
  }
@ -2696,17 +2667,10 @@ This machine mainly acts as an external sync helper. It manages the following th
 #+begin_src nix-ts :tangle hosts/nixos/moonside/default.nix
  { lib, config, globals, ... }:
  let
    primaryUser = config.swarselsystems.mainUser;
    inherit (config.repo.secrets.common) workHostName;
    inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
    inherit (config.swarselsystems) sopsFile;
    serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
    sharedOptions = {
      isBtrfs = true;
      isNixos = true;
      isLinux = true;
    };
  in
  {
    imports = [
@ -2908,24 +2872,18 @@ This machine mainly acts as an external sync helper. It manages the following th
    swarselprofiles = {
      server.moonside = true;
    };
-    swarselsystems = lib.recursiveUpdate
+
-      {
+    swarselsystems = {
      info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM";
      isImpermanence = true;
      isSecureBoot = false;
      isCrypted = false;
      isSwap = false;
      rootDisk = "/dev/sda";
-      }
+      isBtrfs = true;
-      sharedOptions;
+      isNixos = true;
-
+      isLinux = true;
    home-manager.users."${primaryUser}" = {
      home.stateVersion = lib.mkForce "23.11";
      swarselsystems = lib.recursiveUpdate
        { }
        sharedOptions;
    };
  }
 #+end_src
@ -3100,14 +3058,7 @@ This is a slim setup for developing base configuration. I do not track the hardw
 :CUSTOM_ID: h:4e53b40b-98b2-4615-b1b0-3696a75edd6e
 :END:
 #+begin_src nix-ts :tangle hosts/nixos/toto/default.nix
-  { self, config, lib, minimal, ... }:
+  { self, lib, minimal, ... }:
  let
    primaryUser = config.swarselsystems.mainUser;
    sharedOptions = {
      isBtrfs = true;
      isLinux = true;
    };
  in
  {
    imports = [
@ -3115,8 +3066,6 @@ This is a slim setup for developing base configuration. I do not track the hardw
      ./hardware-configuration.nix
    ];
    networking = {
      hostName = "toto";
      firewall.enable = false;
@ -3124,11 +3073,10 @@ This is a slim setup for developing base configuration. I do not track the hardw
    swarselprofiles = {
      toto = lib.mkIf (!minimal) true;
        minimal = lib.mkIf minimal true;
      btrfs = true;
    };
-    swarselsystems = lib.recursiveUpdate
+
-      {
+    swarselsystems = {
      info = "~SwarselSystems~ remote install helper";
      wallpaper = self + /files/wallpaper/lenovowp.png;
      isImpermanence = true;
@ -3139,18 +3087,12 @@ This is a slim setup for developing base configuration. I do not track the hardw
      # rootDisk = "/dev/nvme0n1";
      rootDisk = "/dev/vda";
      # rootDisk = "/dev/vda";
-      }
+      isBtrfs = true;
-      sharedOptions;
+      isLinux = true;
    home-manager.users.${primaryUser} = {
      home.stateVersion = lib.mkForce "23.05";
      swarselsystems = lib.recursiveUpdate
        {
      isLaptop = false;
      isNixos = true;
        }
        sharedOptions;
    };
  }
@ -3537,12 +3479,6 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru
  { self, config, pkgs, lib, minimal, ... }:
  let
    mainUser = "demo";
    sharedOptions = {
      inherit mainUser;
      isBtrfs = false;
      isLinux = true;
      isPublic = true;
    };
  in
  {
@ -3576,8 +3512,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru
      minimal = lib.mkIf minimal true;
      btrfs = true;
    };
-      swarselsystems = lib.recursiveUpdate
+    swarselsystems = {
        {
      info = "~SwarselSystems~ demo host";
      wallpaper = self + /files/wallpaper/lenovowp.png;
      isImpermanence = true;
@ -3586,17 +3521,13 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru
      isSwap = true;
      swapSize = "4G";
      rootDisk = "/dev/vda";
-        }
+      isBtrfs = false;
-        sharedOptions;
+      inherit mainUser;
-
+      isLinux = true;
-      home-manager.users.${mainUser} = {
+      isPublic = true;
        home.stateVersion = lib.mkForce "23.05";
        swarselsystems = lib.recursiveUpdate
          {
      isNixos = true;
          }
          sharedOptions;
    };
  }
@ -4158,7 +4089,7 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the
          useGlobalPkgs = true;
          useUserPackages = true;
          verbose = true;
-          users.swarsel.imports = [
+          users.${config.swarselsystems.mainUser}.imports = [
            inputs.nix-index-database.hmModules.nix-index
            inputs.sops-nix.homeManagerModules.sops
            # inputs.stylix.homeModules.stylix
@ -4209,8 +4140,8 @@ For that reason, make sure that =sops-nix= is properly working before finishing
          users."${config.swarselsystems.mainUser}" = {
            isNormalUser = true;
            description = "Leon S";
-            password = lib.mkIf minimal "setup";
+            password = lib.mkIf (minimal || config.swarselsystems.isPublic) "setup";
-            hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.main-user-hashed-pw.path;
+            hashedPasswordFile = lib.mkIf (!minimal && !config.swarselsystems.isPublic) config.sops.secrets.main-user-hashed-pw.path;
            extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
            packages = with pkgs; [ ];
          };
@ -8592,6 +8523,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
              "freshrss.access" = { };
              "firefly.access" = { };
              "radicale.access" = { };
              "slink.access" = { };
            };
            inherit (config.repo.secrets.local) persons;
@ -8712,6 +8644,11 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
                      "email"
                      "profile"
                    ];
                    "slink.access" = [
                      "openid"
                      "email"
                      "profile"
                    ];
                  };
                  preferShortUsername = true;
                  claimMaps.groups = {
@ -8721,6 +8658,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
                      "navidrome.access" = [ "navidrome_access" ];
                      "firefly.access" = [ "firefly_access" ];
                      "radicale.access" = [ "radicale_access" ];
                      "slink.access" = [ "slink_access" ];
                    };
                  };
                };
@ -9386,7 +9324,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
      };
      systemd.tmpfiles.rules = [
-        "d '${cfg.settings.storage.filesystem_folder}'        0750 ${serviceUser} ${serviceGroup} - -"
+        "d ${cfg.settings.storage.filesystem_folder} 0750 ${serviceUser} ${serviceGroup} - -"
      ];
      networking.firewall.allowedTCPPorts = [ servicePort ];
@ -9728,6 +9666,96 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
  }
 #+end_src
 **** slink
 Deployment notes:
  - enable user: =podman exec -it slink slink user:activate --email=<mail>=
  - make user admin: =podman  exec -it slink slink user:grant:role --email=<mail> ROLE_ADMIN=
  - finally, disable new user registration in web ui
 #+begin_src nix-ts :tangle modules/nixos/server/slink.nix
  { self, lib, config, ... }:
  let
    servicePort = 3000;
    serviceName = "slink";
    serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    serviceDir = "/var/lib/slink";
    containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9";
  in
  {
    options = {
      swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    };
    config = lib.mkIf config.swarselmodules.server.${serviceName} {
      virtualisation.oci-containers.containers.${serviceName} = {
        image = "anirdev/slink@${containerRev}";
        environment = {
          "ORIGIN" = "https://${serviceDomain}";
          "TZ" = config.repo.secrets.common.location.timezone;
          "STORAGE_PROVIDER" = "local";
          "IMAGE_MAX_SIZE" = "50M";
          "USER_APPROVAL_REQUIRED" = "true";
        };
        ports = [ "${builtins.toString servicePort}:${builtins.toString servicePort}" ];
        volumes = [
          "${serviceDir}/var/data:/app/var/data"
          "${serviceDir}/images:/app/slink/images"
        ];
      };
      systemd.tmpfiles.rules = [
        "d ${serviceDir}/var/data 0750 root root - -"
        "d ${serviceDir}/images   0750 root root - -"
      ];
      networking.firewall.allowedTCPPorts = [ servicePort ];
      environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
        { directory = serviceDir; }
      ];
      topology.self.services.${serviceName} = {
        name = lib.swarselsystems.toCapitalized serviceName;
        info = "https://${serviceDomain}";
        icon = "${self}/files/topology-images/shlink.png";
      };
      globals.services.${serviceName}.domain = serviceDomain;
      services.nginx = {
        upstreams = {
          ${serviceName} = {
            servers = {
              "localhost:${builtins.toString servicePort}" = { };
            };
          };
        };
        virtualHosts = {
          "${serviceDomain}" = {
            enableACME = true;
            forceSSL = true;
            acmeRoot = null;
            oauth2.enable = true;
            oauth2.allowedGroups = [ "slink_access" ];
            locations = {
              "/" = {
                proxyPass = "http://${serviceName}";
                setOauth2Headers = false;
              };
              "/image" = {
                proxyPass = "http://${serviceName}";
                setOauth2Headers = false;
                bypassAuth = true;
              };
            };
          };
        };
      };
    };
  }
 #+end_src
 *** Darwin
 :PROPERTIES:
 :CUSTOM_ID: h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47
@ -10273,6 +10301,9 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9
        spice-protocol
        win-virtio
        win-spice
        powershell
        gh
      ];
@ -16123,7 +16154,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
 :END:
 #+begin_src nix-ts :tangle profiles/nixos/personal/default.nix :mkdirp yes
-  { lib, config, minimal, ... }:
+  { lib, config, ... }:
  {
    options.swarselprofiles.personal = lib.mkEnableOption "is this a personal host";
    config = lib.mkIf config.swarselprofiles.personal {
@ -16182,7 +16213,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
      };
      home-manager.users."${config.swarselsystems.mainUser}" = {
        swarselprofiles = {
-          personal = lib.mkIf (!minimal) true;
+          personal = lib.mkDefault true;
        };
      };
@ -16249,6 +16280,11 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
          ssh = lib.mkDefault true;
        };
      };
      home-manager.users."${config.swarselsystems.mainUser}" = {
        swarselprofiles = {
          personal = lib.mkDefault true;
        };
      };
    };
@ -16308,6 +16344,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
        home-manager = lib.mkDefault true;
        xserver = lib.mkDefault true;
        users = lib.mkDefault true;
        sops = lib.mkDefault true;
        env = lib.mkDefault true;
        security = lib.mkDefault true;
        systemdTimeout = lib.mkDefault true;
@ -16316,7 +16353,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
        pipewire = lib.mkDefault true;
        network = lib.mkDefault true;
        time = lib.mkDefault true;
        sops = lib.mkDefault false;
        stylix = lib.mkDefault true;
        programs = lib.mkDefault true;
        zsh = lib.mkDefault true;
@ -16327,7 +16363,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
        interceptionTools = lib.mkDefault true;
        swayosd = lib.mkDefault true;
        ppd = lib.mkDefault true;
-        yubikey = lib.mkDefault true;
+        yubikey = lib.mkDefault false;
        ledger = lib.mkDefault true;
        keyboards = lib.mkDefault true;
        login = lib.mkDefault true;
@ -16389,7 +16425,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
 :END:
 #+begin_src nix-ts :tangle profiles/nixos/work/default.nix :mkdirp yes
-  { lib, config, minimal, ... }:
+  { lib, config, ... }:
  {
    options.swarselprofiles.work = lib.mkEnableOption "is this a work host";
    config = lib.mkIf config.swarselprofiles.work {
@ -16400,7 +16436,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
      };
      home-manager.users."${config.swarselsystems.mainUser}" = {
        swarselprofiles = {
-          work = lib.mkIf (!minimal) true;
+          work = lib.mkDefault true;
        };
      };
@ -16416,7 +16452,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
 :END:
 #+begin_src nix-ts :tangle profiles/nixos/framework/default.nix :mkdirp yes
-  { lib, config, minimal, ... }:
+  { lib, config, ... }:
  {
    options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host";
    config = lib.mkIf config.swarselprofiles.framework {
@ -16427,7 +16463,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
      };
      home-manager.users."${config.swarselsystems.mainUser}" = {
        swarselprofiles = {
-          framework = lib.mkIf (!minimal) true;
+          framework = lib.mkDefault true;
        };
      };
@ -16641,6 +16677,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
            croc = lib.mkDefault true;
            microbin = lib.mkDefault true;
            shlink = lib.mkDefault true;
            slink = lib.mkDefault true;
          };
      };
    };
@ -20847,7 +20884,7 @@ This file defines a few workflows that I often need to run when working on my co
    sudo dd if=$(eza --sort changed {{ISO}} | tail -n1) of={{DRIVE}} bs=4M status=progress oflag=sync
  sync USER HOST:
-    rsync -av --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/
+    rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/
 #+end_src
 ** aspell.conf
--- a/flake.lock
+++ b/flake.lock
@ -1618,11 +1618,11 @@
    },
    "nixpkgs-dev": {
      "locked": {
-        "lastModified": 1752440522,
+        "lastModified": 1752736260,
-        "narHash": "sha256-CInQkEG3f8XwIBQxYFhuFCT+T++JPstThfifAMD0yRk=",
+        "narHash": "sha256-90Gt98hmw/20aOAd7KaSW6otXu7MOBctRmI9RlXD/s0=",
        "owner": "Swarsel",
        "repo": "nixpkgs",
-        "rev": "1f569e3bd49502cb4ec312214662d93619cf2c54",
+        "rev": "169c3483f7c06fbb58c9346e4d9d112c8aa7827e",
        "type": "github"
      },
      "original": {
--- a/hosts/nixos/bakery/default.nix
+++ b/hosts/nixos/bakery/default.nix
@ -1,13 +1,7 @@
 { self, config, inputs, lib, minimal, ... }:
 let
  primaryUser = config.swarselsystems.mainUser;
-  sharedOptions = {
+  sharedOptions = { };
    isLaptop = true;
    isNixos = true;
    isBtrfs = true;
    isLinux = true;
    sharescreen = "eDP-1";
  };
 in
 {
@ -21,12 +15,18 @@ in
  swarselprofiles = {
    reduced = lib.mkIf (!minimal) true;
    minimal = lib.mkIf minimal true;
    btrfs = true;
  };
  swarselsystems = lib.recursiveUpdate
    {
      isLaptop = true;
      isNixos = true;
      isBtrfs = true;
      isLinux = true;
      lowResolution = "1280x800";
      highResolution = "1920x1080";
      sharescreen = "eDP-1";
      info = "Lenovo ThinkPad";
      firewall = lib.mkForce true;
      wallpaper = self + /files/wallpaper/lenovowp.png;
@ -43,15 +43,8 @@ in
    sharedOptions;
  home-manager.users."${primaryUser}" = {
    swarselprofiles = {
      reduced = lib.mkIf (!minimal) true;
      minimal = lib.mkIf minimal true;
    };
    # home.stateVersion = lib.mkForce "23.05";
-    swarselsystems = lib.recursiveUpdate
+    swarselsystems = {
      {
        lowResolution = "1280x800";
        highResolution = "1920x1080";
      monitors = {
        main = {
          name = "LG Display 0x04EF Unknown";
@ -62,7 +55,6 @@ in
          output = "eDP-1";
        };
      };
-      }
+    };
      sharedOptions;
  };
 }
--- a/hosts/nixos/chaostheatre/default.nix
+++ b/hosts/nixos/chaostheatre/default.nix
@ -1,12 +1,6 @@
 { self, config, pkgs, lib, minimal, ... }:
 let
  mainUser = "demo";
  sharedOptions = {
    inherit mainUser;
    isBtrfs = false;
    isLinux = true;
    isPublic = true;
  };
 in
 {
@ -40,8 +34,7 @@ in
    minimal = lib.mkIf minimal true;
    btrfs = true;
  };
-  swarselsystems = lib.recursiveUpdate
+  swarselsystems = {
    {
    info = "~SwarselSystems~ demo host";
    wallpaper = self + /files/wallpaper/lenovowp.png;
    isImpermanence = true;
@ -50,15 +43,11 @@ in
    isSwap = true;
    swapSize = "4G";
    rootDisk = "/dev/vda";
-    }
+    isBtrfs = false;
-    sharedOptions;
+    inherit mainUser;
-
+    isLinux = true;
-  home-manager.users.${mainUser} = {
+    isPublic = true;
    home.stateVersion = lib.mkForce "23.05";
    swarselsystems = lib.recursiveUpdate
      {
    isNixos = true;
      }
      sharedOptions;
  };
 }
--- a/hosts/nixos/milkywell/default.nix
+++ b/hosts/nixos/milkywell/default.nix
@ -1,12 +1,4 @@
-{ lib, config, minimal, ... }:
+{ lib, minimal, ... }:
 let
  primaryUser = config.swarselsystems.mainUser;
  sharedOptions = {
    isBtrfs = true;
    isLinux = true;
    isNixos = true;
  };
 in
 {
  imports = [
    ./hardware-configuration.nix
@ -33,8 +25,7 @@ in
    minimal = lib.mkIf minimal true;
    server.syncserver = true;
  };
-  swarselsystems = lib.recursiveUpdate
+  swarselsystems = {
    {
    info = "VM.Standard.E2.1.Micro";
    isImpermanence = true;
    isSecureBoot = false;
@ -42,13 +33,9 @@ in
    isSwap = true;
    rootDisk = "/dev/sda";
    swapSize = "4G";
-    }
+    isBtrfs = true;
-    sharedOptions;
+    isLinux = true;
-
+    isNixos = true;
  home-manager.users."${primaryUser}" = {
    swarselsystems = lib.recursiveUpdate
      { }
      sharedOptions;
  };
 }
--- a/hosts/nixos/moonside/default.nix
+++ b/hosts/nixos/moonside/default.nix
@ -1,16 +1,9 @@
 { lib, config, globals, ... }:
 let
  primaryUser = config.swarselsystems.mainUser;
  inherit (config.repo.secrets.common) workHostName;
  inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
  inherit (config.swarselsystems) sopsFile;
  serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
  sharedOptions = {
    isBtrfs = true;
    isNixos = true;
    isLinux = true;
  };
 in
 {
  imports = [
@ -212,22 +205,16 @@ in
  swarselprofiles = {
    server.moonside = true;
  };
-  swarselsystems = lib.recursiveUpdate
+
-    {
+  swarselsystems = {
    info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM";
    isImpermanence = true;
    isSecureBoot = false;
    isCrypted = false;
    isSwap = false;
    rootDisk = "/dev/sda";
-    }
+    isBtrfs = true;
-    sharedOptions;
+    isNixos = true;
-
+    isLinux = true;
  home-manager.users."${primaryUser}" = {
    home.stateVersion = lib.mkForce "23.11";
    swarselsystems = lib.recursiveUpdate
      { }
      sharedOptions;
  };
 }
--- a/hosts/nixos/toto/default.nix
+++ b/hosts/nixos/toto/default.nix
@ -1,11 +1,4 @@
-{ self, config, lib, minimal, ... }:
+{ self, lib, minimal, ... }:
 let
  primaryUser = config.swarselsystems.mainUser;
  sharedOptions = {
    isBtrfs = true;
    isLinux = true;
  };
 in
 {
  imports = [
@ -13,8 +6,6 @@ in
    ./hardware-configuration.nix
  ];
  networking = {
    hostName = "toto";
    firewall.enable = false;
@ -22,11 +13,10 @@ in
  swarselprofiles = {
    toto = lib.mkIf (!minimal) true;
    minimal = lib.mkIf minimal true;
    btrfs = true;
  };
-  swarselsystems = lib.recursiveUpdate
+
-    {
+  swarselsystems = {
    info = "~SwarselSystems~ remote install helper";
    wallpaper = self + /files/wallpaper/lenovowp.png;
    isImpermanence = true;
@ -37,16 +27,10 @@ in
    # rootDisk = "/dev/nvme0n1";
    rootDisk = "/dev/vda";
    # rootDisk = "/dev/vda";
-    }
+    isBtrfs = true;
-    sharedOptions;
+    isLinux = true;
  home-manager.users.${primaryUser} = {
    home.stateVersion = lib.mkForce "23.05";
    swarselsystems = lib.recursiveUpdate
      {
    isLaptop = false;
    isNixos = true;
      }
      sharedOptions;
  };
 }
--- a/hosts/nixos/winters/default.nix
+++ b/hosts/nixos/winters/default.nix
@ -1,12 +1,4 @@
-{ lib, config, ... }:
+{ config, ... }:
 let
  primaryUser = config.swarselsystems.mainUser;
  sharedOptions = {
    isBtrfs = false;
    isLinux = true;
    isNixos = true;
  };
 in
 {
  imports = [
@ -30,19 +22,15 @@ in
  swarselprofiles = {
    server.local = true;
  };
-  swarselsystems = lib.recursiveUpdate
+
-    {
+  swarselsystems = {
    info = "ASRock J4105-ITX, 32GB RAM";
    isImpermanence = false;
    isSecureBoot = true;
    isCrypted = true;
-    }
+    isBtrfs = false;
-    sharedOptions;
+    isLinux = true;
-
+    isNixos = true;
  home-manager.users."${primaryUser}" = {
    home.stateVersion = lib.mkForce "23.05";
    swarselsystems = lib.recursiveUpdate
      { }
      sharedOptions;
  };
 }
--- a/hosts/nixos/winters/secrets/pii.nix.enc
+++ b/hosts/nixos/winters/secrets/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:XEzKhJ1+iwQZ24wnf7FdThWMwOKEwaYr3ecGjjLpTqx4+kq3W9FWFDSKkHAwo6077tsVTu7NCGZfat/gAylg1xgqAZAHA8/PMQejowAgIPCG7eCQvQfTMepcuWjgc9BAyFYcBjPFmLnvX69LE80Fw0Io1QeKIa6CVJKp4P6eC8OIKeG1fTc3/sWxr+3ZKTzGPKiGCnSMo7qM0/2HlV0bhp8yWFni+2nZ8UlPJluEnmx0bBR0uZ6bdqzLX/fFrmgTd6m30+Zq8pjKVhiHpEQd9m5aU2inCWv4OeNE3EQsLYcnhcVdrcySZ6R4AZ1nlZZedDhf+Ee4AwcIPVsA8HHqlUEY1CayHF5wLpkxralOpt+RFZYJkvupmozP/uYRymoAA6YgJGesr2Oki0wT041nioB9AvpU9xFvfCqbqXXsBvwtvhxpwhEJJOogZENKnjvvoDoLGZlFVPzkfqDANuv5SAJQiWuFLWEdcmQncRlsjwSPOGOnI+r+puHszPOaDsZigF/yuL4rd5a0RkS6dCOfYtCvQBBAMfEAWX13AiKF0Dtz5/ijEEK7iojoMF/B6rnoENs2l0cSljq7TGV0DVRDjFUTiMNbfRxUJUkMuqJFnNzMwz4METmAwgqHn217uvUk2V8UJ5v9k4sapRmogPTfCwhvxGDV1e9AJvL6WXJ2m0ldhKOcQXFiO/+ZtNB1FHJ22ZFcxcSSOSRmEQsB5Yw3zPEjQ7sU93sKRLEPrTEqSSNG75iZ+vZm9iEI2trFhtEOlU98Ury/USC9sjPN/sxGGR5hcRZajY2HUxVTucMheIWJ7mxhxLHg7rz/qWLSqC6TqKwnyv+NdBnrVaLWaRnZGRCgtvN+oJKRjyxCsiDHVoY52cP5SmdXGn3yrVxDuYGrkLf/JOj76Hs/TCSsYptMvKqH4R4vT8SlDnplpcIfd5KTr4sM1n4q4sai1wRc1wlN0EkwK7+otTYcStxtvgUUtW/4jkk+73TdvvR9IkV0PqghKuB6FdAM6qRX1M8AebcXNyZYW9k7sHRVWGk+eMrMe/qX2IAY1WUgdt7hs2Ci9XoJqWKCG17rcKZ/ORu0utrJt+l0H9fZihO8+aYHabsHueiyJTKJvZx9+12r5a6deXShtdpsdQVnMlczWKGKUIdQ7TB12HILGPAvvZkJh0aDq043UU/4dUwyUezi70QnH/Z/GRip68kXH6njBmZRlmmNAFSCHkGxMKxpgssHyXXNEvET/TIVEJeR1vYjqFoGIBrFQV1Bqu2yk3A2pZLBEEbsCQrOuE2CPpfrn5kCUnw2sJOWpnVqyQ+SA4xZ7W1vw7i8aL2ThZlKE3zsriECpOfEaDWv8ME2HsiL42VUmgv+6zm/2hiVK+OayQucBUbY8IC6Yjl2kXB7EPvUsc60V2xOJl40KIAJxa0GNgaRMWkYoFtnVrYbY4yT37UjIAu2fJD725qgkXOJwbFPlX7na86PVVB0MQ==,iv:JSG8DynJg8t7HEDoW7IwYt189P22h4BPMFYsJmo3mcU=,tag:cHoNQBL2DCpntJyhqay54Q==,type:str]",
+	"data": "ENC[AES256_GCM,data:Ow17QtITRfXk4BJGWb4jw1gX8HRIAdpBDpyGtif3Vb42cCqSWpLaIR1KecbU3OPkGesC/vh2tgmfE/xlm6nUR8kvRDZdhFr7UckeKFiD4hlfHBhGckaCXOiRZ3ACHrHfM/a2CbKDl14xLDMFDervdMRfB/4vjvnn9xvhjepZ1e7+Iopd9agL8r658AMFF3j2tRYZp7l5GLArs+7mUsFfXujkui1Xgh5+TRvYPh3zQ18RWyP4QMYP6HPHgHRH7S6uciUb6Qq1yEytOy3pCJTb+gZaa9xI1azzP7r83b7KeXdukupR+9fNWN52swDHXRugThMrh4kOrBdyaafJ1v2w4FTTPwj6JQvkxT+vMV4+WIclhD/FWtEHtUqsHDFnMzTIQfyTMt42HZKNdQDwp2fwuV1BP0qOUqRnheaTPiyZiZL8I27xDfwp5zfSqxA7KEzLL2uRbIPefdqNFlcte/xL9IkbTux+AmHaIjQeLkiPyMf2wc2NTIabWPk/ILC917vnancdAQuujB38SaWPrKeCEqDKsArvgjnmn47ctBND73G4PszieneCnuq4sNT9QrC81mk/AQv5TFG0i0fvPoXfpO4ul7MgaP+iPodb2CThHKDAwL+Gnq/6+tg+vJbTKxrsixHvYViA9p/ke1YaRFg2R8V7NwRDl68NI2yCaqj3qlS6Sa8Mx7IUQR6aCN4nkpcJs2GLVCEhWKFBsNXXhPa01C/81JGJ6+/zfHuGbY6gGtS7k3cZ9+dfizN29nBlp+A1U+Noxjl9arYOX4gjEnQhvo9Tp/gBCmrvXjoE6ja8XXUv78/Bfnvup52gdNunYRYv3Aj91F0u6fH6UqoWPXVTy6eznV727Pj9H1BPzMEfmf3EPc6Qcg7AR7vKORfH3U0PFXxFMY0kGEJdug5jmLuwUoRR9zOyHOqdS4Tk9BcMT02gRyQf6LZ3drDoqC35L5hop/gfbleUXXODn3cE1mEuAuZ08OSavZ24IHo1aMr50gjn32WSBKkjfC0dobBWzWwykxhu0vZZI3xYJx/59qqsodDGAJAhry5N6vrwM/PK/O73L2QBqkaT50eImIQ4+vpahcvFPRIkHLvQkzxlyH0dafuGyyF2gfig5Rq3vw02pT8z06LjmJ/ehvteyy1BE9CdiUvYHjaBXiWg2n5FvAe5e8EQxUx9+SwfwEpnucuocp7g+d3W3cXJOU6m9JxwvK7LX95MbpKOtdPq11yi35LLb1TikFLdFZyu+SeaNFD3AzQMOSem6Lwc7N7WHC5z3Ah7FvqqnL2J51hDfMLW78A7DCI9GNRVoyVjx++gRr+ftEf8UUAYmkJdT/D898wtLWmBXikY/2e36q3QJV0Hy3fGBjxLmN/Tdz62jgCaXrNdJqJTFZ5h+hjd03GT6utmPwp0D2lBSM0LXsZsql+jI54P8cFdu3S4mNIjHZqV1kmsk0MCCVJKnGODeLQLxJhp287N3+0HJEm4KicGWMchef/YeiLLtD7mz7ov/9OI,iv:KvoTnlj+f+eMsFEZP8F1v0r/xZ4aVBUWmO+zsQCvhS4=,tag:U1ziE2832QfNkP0yjIzBeA==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyK0w2RjJ5R1l2ay94QXRj\nekJwSlowcFVLc1cvWVFjNEVFUnFocEJHYlNnCnBnUEYvNWdNWE9BTjB5ODRuTlAw\nMUh4QmlTeVVYNHM0S1FwWG5qUG42VDgKLS0tIHh5VlU2dVZmUlRIMDRlVEJmNU55\ncFlXR1BzMkVnMkFWN3BBZWhHalltMlEKibdARxBcFqaXUhYp3KkrrvO9YgaBDacl\n8BEv4ph0f2baDN0dsymJjmdHStwKTjOwDspRtCTs5u75hR35a2xyFQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-07-02T10:26:33Z",
+		"lastmodified": "2025-07-17T20:14:29Z",
-		"mac": "ENC[AES256_GCM,data:/rmQKH7up3IcAdyYpdpx6H6gdyiNsnPS6TaozSU0EXxoaods50xC5sf2/quqLaeSRJE/NjKvh+3BWchbFJMQZM4PvSML3XAO8w9t/GqmOwwLJrvnMyulqS5y7BVDJZysmDe9TFNz05UJfZdbvLrH8kyhTHF7ciA8HgJq5JzFiBc=,iv:ORyza5fzjptuq5WD3NA9/OTFbACtzHp5e6kNKT/EaTE=,tag:wsp3Z/ySHVmDC9uRCn30Uw==,type:str]",
+		"mac": "ENC[AES256_GCM,data:4YP1fp9Mcbx0pvS5l9Xzc5cbhFnBo5GkqyRvcEspNYQ3IW5LIWtPwItwLZH/ymfEkpwIVYOugnB12HJJo9jpudgfUMXtp43ImDUNVHs59qkNhJFmTSoEZMBHQjPtE/jE17OIAZzeA41EAItesrmExV1W8ePy7rTgHQl5BDooWME=,iv:vyZ0BGjMUDeoVMkDw6wLZK3KKIECK5caz/nQB3nXlGs=,tag:GAqKNcSf3Ny/WsB3tYM/og==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-11T11:42:23Z",
--- a/2
+++ b/2
@ -24,4 +24,4 @@ dd DRIVE ISO:
  sudo dd if=$(eza --sort changed {{ISO}} | tail -n1) of={{DRIVE}} bs=4M status=progress oflag=sync
 sync USER HOST:
-  rsync -av --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/
+  rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/
--- a/modules/nixos/common/home-manager.nix
+++ b/modules/nixos/common/home-manager.nix
@ -6,7 +6,7 @@
      useGlobalPkgs = true;
      useUserPackages = true;
      verbose = true;
-      users.swarsel.imports = [
+      users.${config.swarselsystems.mainUser}.imports = [
        inputs.nix-index-database.hmModules.nix-index
        inputs.sops-nix.homeManagerModules.sops
        # inputs.stylix.homeModules.stylix
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@ -12,8 +12,8 @@ in
      users."${config.swarselsystems.mainUser}" = {
        isNormalUser = true;
        description = "Leon S";
-        password = lib.mkIf minimal "setup";
+        password = lib.mkIf (minimal || config.swarselsystems.isPublic) "setup";
-        hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.main-user-hashed-pw.path;
+        hashedPasswordFile = lib.mkIf (!minimal && !config.swarselsystems.isPublic) config.sops.secrets.main-user-hashed-pw.path;
        extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
        packages = with pkgs; [ ];
      };
--- a/modules/nixos/optional/work.nix
+++ b/modules/nixos/optional/work.nix
@ -208,6 +208,9 @@ in
      spice-protocol
      win-virtio
      win-spice
      powershell
      gh
    ];
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@ -84,6 +84,7 @@ in
            "freshrss.access" = { };
            "firefly.access" = { };
            "radicale.access" = { };
            "slink.access" = { };
          };
          inherit (config.repo.secrets.local) persons;
@ -204,6 +205,11 @@ in
                    "email"
                    "profile"
                  ];
                  "slink.access" = [
                    "openid"
                    "email"
                    "profile"
                  ];
                };
                preferShortUsername = true;
                claimMaps.groups = {
@ -213,6 +219,7 @@ in
                    "navidrome.access" = [ "navidrome_access" ];
                    "firefly.access" = [ "firefly_access" ];
                    "radicale.access" = [ "radicale_access" ];
                    "slink.access" = [ "slink_access" ];
                  };
                };
              };
--- a/modules/nixos/server/radicale.nix
+++ b/modules/nixos/server/radicale.nix
@ -76,7 +76,7 @@ in
    };
    systemd.tmpfiles.rules = [
-      "d '${cfg.settings.storage.filesystem_folder}'        0750 ${serviceUser} ${serviceGroup} - -"
+      "d ${cfg.settings.storage.filesystem_folder} 0750 ${serviceUser} ${serviceGroup} - -"
    ];
    networking.firewall.allowedTCPPorts = [ servicePort ];
--- a/modules/nixos/server/slink.nix
+++ b/modules/nixos/server/slink.nix
@ -0,0 +1,80 @@
 { self, lib, config, ... }:
 let
  servicePort = 3000;
  serviceName = "slink";
  serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
  serviceDir = "/var/lib/slink";
  containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9";
 in
 {
  options = {
    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  };
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
    virtualisation.oci-containers.containers.${serviceName} = {
      image = "anirdev/slink@${containerRev}";
      environment = {
        "ORIGIN" = "https://${serviceDomain}";
        "TZ" = config.repo.secrets.common.location.timezone;
        "STORAGE_PROVIDER" = "local";
        "IMAGE_MAX_SIZE" = "50M";
        "USER_APPROVAL_REQUIRED" = "true";
      };
      ports = [ "${builtins.toString servicePort}:${builtins.toString servicePort}" ];
      volumes = [
        "${serviceDir}/var/data:/app/var/data"
        "${serviceDir}/images:/app/slink/images"
      ];
    };
    systemd.tmpfiles.rules = [
      "d ${serviceDir}/var/data 0750 root root - -"
      "d ${serviceDir}/images   0750 root root - -"
    ];
    networking.firewall.allowedTCPPorts = [ servicePort ];
    environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
      { directory = serviceDir; }
    ];
    topology.self.services.${serviceName} = {
      name = lib.swarselsystems.toCapitalized serviceName;
      info = "https://${serviceDomain}";
      icon = "${self}/files/topology-images/shlink.png";
    };
    globals.services.${serviceName}.domain = serviceDomain;
    services.nginx = {
      upstreams = {
        ${serviceName} = {
          servers = {
            "localhost:${builtins.toString servicePort}" = { };
          };
        };
      };
      virtualHosts = {
        "${serviceDomain}" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          oauth2.enable = true;
          oauth2.allowedGroups = [ "slink_access" ];
          locations = {
            "/" = {
              proxyPass = "http://${serviceName}";
              setOauth2Headers = false;
            };
            "/image" = {
              proxyPass = "http://${serviceName}";
              setOauth2Headers = false;
              bypassAuth = true;
            };
          };
        };
      };
    };
  };
 }
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -28,9 +28,12 @@
              };
              swarselprofiles = {
-                minimal = lib.mkIf minimal true;
+                minimal = lib.mkIf minimal (lib.mkDefault true);
              };
              swarselsystems = {
                mainUser = lib.mkDefault "swarsel";
              };
            }
          ];
        };
--- a/profiles/nixos/chaostheatre/default.nix
+++ b/profiles/nixos/chaostheatre/default.nix
@ -8,6 +8,7 @@
      home-manager = lib.mkDefault true;
      xserver = lib.mkDefault true;
      users = lib.mkDefault true;
      sops = lib.mkDefault true;
      env = lib.mkDefault true;
      security = lib.mkDefault true;
      systemdTimeout = lib.mkDefault true;
@ -16,7 +17,6 @@
      pipewire = lib.mkDefault true;
      network = lib.mkDefault true;
      time = lib.mkDefault true;
      sops = lib.mkDefault false;
      stylix = lib.mkDefault true;
      programs = lib.mkDefault true;
      zsh = lib.mkDefault true;
@ -27,7 +27,7 @@
      interceptionTools = lib.mkDefault true;
      swayosd = lib.mkDefault true;
      ppd = lib.mkDefault true;
-      yubikey = lib.mkDefault true;
+      yubikey = lib.mkDefault false;
      ledger = lib.mkDefault true;
      keyboards = lib.mkDefault true;
      login = lib.mkDefault true;
--- a/profiles/nixos/framework/default.nix
+++ b/profiles/nixos/framework/default.nix
@ -1,4 +1,4 @@
-{ lib, config, minimal, ... }:
+{ lib, config, ... }:
 {
  options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host";
  config = lib.mkIf config.swarselprofiles.framework {
@ -9,7 +9,7 @@
    };
    home-manager.users."${config.swarselsystems.mainUser}" = {
      swarselprofiles = {
-        framework = lib.mkIf (!minimal) true;
+        framework = lib.mkDefault true;
      };
    };
--- a/profiles/nixos/moonside/default.nix
+++ b/profiles/nixos/moonside/default.nix
@ -20,6 +20,7 @@
        croc = lib.mkDefault true;
        microbin = lib.mkDefault true;
        shlink = lib.mkDefault true;
        slink = lib.mkDefault true;
      };
    };
  };
--- a/profiles/nixos/personal/default.nix
+++ b/profiles/nixos/personal/default.nix
@ -1,4 +1,4 @@
-{ lib, config, minimal, ... }:
+{ lib, config, ... }:
 {
  options.swarselprofiles.personal = lib.mkEnableOption "is this a personal host";
  config = lib.mkIf config.swarselprofiles.personal {
@ -57,7 +57,7 @@
    };
    home-manager.users."${config.swarselsystems.mainUser}" = {
      swarselprofiles = {
-        personal = lib.mkIf (!minimal) true;
+        personal = lib.mkDefault true;
      };
    };
--- a/profiles/nixos/reduced/default.nix
+++ b/profiles/nixos/reduced/default.nix
@ -49,6 +49,11 @@
        ssh = lib.mkDefault true;
      };
    };
    home-manager.users."${config.swarselsystems.mainUser}" = {
      swarselprofiles = {
        personal = lib.mkDefault true;
      };
    };
  };
--- a/profiles/nixos/work/default.nix
+++ b/profiles/nixos/work/default.nix
@ -1,4 +1,4 @@
-{ lib, config, minimal, ... }:
+{ lib, config, ... }:
 {
  options.swarselprofiles.work = lib.mkEnableOption "is this a work host";
  config = lib.mkIf config.swarselprofiles.work {
@ -9,7 +9,7 @@
    };
    home-manager.users."${config.swarselsystems.mainUser}" = {
      swarselprofiles = {
-        work = lib.mkIf (!minimal) true;
+        work = lib.mkDefault true;
      };
    };
--- a/secrets/repo/pii.nix.enc
+++ b/secrets/repo/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:EF0WWDO7RbeBETTY74hH+dPkI0gxqZwJcciHT687Jj/w4T5MuiVBHd61LPhYsnMmoN//yBzRGgNqHr5Cw5EZiwnK2X2/tobv6f8iD56CLM8wQvtUtmRaqjwirSL2MVJlDuaGkUS2D+6hdzqGnRFRiL9FN0Lt/FLU4mX+Iv4iy+SOfd6gaGjJBq34ZdrL1EU5hdzoRFhQKWRi8GyBq5jhyn7JgTDF2q99Cx5EwuN1NrgKsMhtW0VaYxwL6wnhO/iHO0WIIf+ORXuRVZBLFr6AOAg4nG7JL9HWn+QZ8uUBCzYYryqPcUWZ/2V6e/gVsLCNpfVB0MqGnn8zLYx0ADeBnlKTWID2zp8Mb4Ygxx+2pj6pbVKWj2kPG1pMXH58NxaqSU1ouoh8+uhnGj/VMIvJ7I13eo/rf5ju13Qj9mh5MCFMTh8uBN9M6euGgHgwS41N/GmZIGa01qVDjIc4r0NQjIa5/31IcedTzrVaChjV5RVFJIMD0NmqKv4zkv95Q0+mlee/9SZXirXAfgA4bvUnBR/dTOogC7c2MrANyl/mUAch6UmA0FG5ALC+trlvfY2FYdsbKuL4TWN3CqUCO+bD2Nfeg1y7PK/2xZ5gVNCbIRQy/AdZMWU4NX1N4Hrm+seT9cP6etIu2JjFDg4VIyCCgnFW2O95GOHkBRcVZmBE6Y6ttZ7D+UNSsctXO4duerjMd1Hf2NwaDS0KBNPct2wbCfx5L6iCN4/5KW+vzzy3TPxti1qarZG7jyUeWWAsgn27mKq8v7xbAKIPs6+ebsAH2GB4dY1Bk+cr2mpNychJXJ9G+hfRPuU+7eMhNG/ckFx2Axw1BC6MYaz2zGPQZXayTWVvcbx1Lhx9jqL1QjC2WKc3bxPUKWZy9xhOTS/tGMK8MIWk75s5JnJfhnQ/wMMqXjEsaITSQ1hJhKKVDUTo6FfooZXgFhY7wKpW5gl6hstL9YI+ccZmRtHkyb03ibiOVBni0xzQlpY7vh+DKkOCgl+DcKwAslmhCDFyR9s4ARrQojY5LZtDwPStV/LklU5lcelzHiwUNdirWSd0xN7wobZDLO8U1SrMYkqdwKDNGGObc2G5DqDNtpIxv+bvAr5llth5GmVd0soJdTrORDO8ZfbbDcc145pfva58D4jptvpuTbMnTTtYh3vNHZDxUoTVICUsfA+EMKwNSAog4eQhc/jLdCgLO2AdfL+0bGhAu6mk270IOZOD8ZEXCW/ZC5JwYPXLmictIWGtGjZocV8qMXFJB4LDyLm/49HntW22xcgTEG56VN/Y9YHXDrA2KmjPWNRy9OazPwe4Xqk2CjtwL3be0XuQ/dwwUcd8jh7v765cDrLNWgmwFM2SdmImtyKTeevKPiQOjQgfa2yK5Mmmtw8HpyPkYjdGJSFHm+gco+HaEyl3EfZNB/zQ1vhkWK8Fo70FOZ4tCgi6u+6vuxKPSWz8Vgy4d/fWzF1r+/bite6b4fOQYQu7G0yMVMk2aDGJt5cLTsHLTKy/CNFCc8phBfJXi17u+YVvqyjLuD2QwK0ehF/XIvF5xyog7hWruGaAM1homjATItlLe2Bv6Ag8HXMmcS6CFK5FNKhoLIqiCP1rShzQpYQ94f3kwPFCtXehUSj4WY4XKsYGyFQYiQiqxG7SESXDsmaJKl688e/nsFBGNhJa/AKRflN6XC3ZCtarlG00RNiVjh+lpR8Qx2OFv+u96KumbZ+KDiN9s29AWNBJES0wLoLTZ4NDtIBTV6s5quEEh+R6+m0fLQXjvcnR0uQGtdIf4SDp4Is96oUHEfcmmp48lJD5s8nXT5cKA+ZeHyo7ixh/jiZWhHm2hMWK4+US/wPLoFaeiGGl5jaeV4RSL2uF+lJtfDRHR+4u9PFUro0RWNStHIov21kFkCyxzVQ5hBz2avGgqnoPDbYA31PcPlXXEttWmcEaq7Q+5v0Ttm50UBasS9D/gX+h9AzyP7xljf7i+lqlYjS8Abu8V1wwzPXt9kkYfOUX986QGittxhyKAffyGl/D6hvgv3kuzkzQivskrQLw+3y+My2JHRvIawkUVw2twr6sDY8hsNrvQHVfd6nfIBBsC7ZQO+xF68yjEAA2TwGu3eh3nD3i0G6XcZBHhmlTHM4gtRX4/BD2WM2JxSYlRg7cMtKObICP7cBSE7Mxy6Xatx49Ckp7+sE9H/y/EMCHUc48ayoasLPo8LwdjcZsWp69t9zFO1fdW/HBNCAmhrHwdvNieadPqjzGs7gU8cy/GE/pYXoBrWh2Qr3awMvAmmoshnVsHB8BATVo73FVI3UTkNOkppKhzcOFIULxa4qEI/tgjSGBqVTXdMPEX6WL7OQMm7bkhlUyU3BMcNd8IyxK2p+VsznOOQW8fN0NdZtqi6a8lYQIulX73oqM0p/th2eFl18bxMbkm5agEk+bzFPdAQmRKwExwzWDTxjKIf7jChQ8MYD4a7/i2Qc1qYXZGtkNAF6Yf7Rb7q8ECqkiIcAGDiPDtoncM5Fq4z/hFsPbKEypoZqgnRkMWDOGqQFDr6wpJ2U72CJ7FiZQ2Jhwqz8z/wKpRxI5srbzgRkIo/ZCThvKmFfcjLhZGqmtLk0F1VOzW6xgEh9rzaFEvsrY3lrwiDEN3f6D0XftXLYXw+jdqy9pN9twYsbAbWzYGvLp8vQAz6Q/uiyqYxzQnrUKLJYr5e3RfSEP4g8m97y6EqHx9IsYeT8Yybvnc+qKmh4H1xg0VgLzNDKOKjVP4XUtWJax61VDVzICFO/SX88hbmf6fEgNLO79OmWh8svkS7yYFdi4LxWlxeYQOf+hsfawCpRQ0d4AIvOATRDZK0itOKDU/Nx9wyj9MFSHDwAh9MzEQ3BknCNbo/feOx7pri66eVMNJlOTa7dSTAgQsiP8+weNkCWhJrnxgPlNXxicCkPjLtPWPQZm8gozjuNM3fe+YY4zkwkz7E7tctxq5Zai7Ple5stRUYHTPBOXP6TrUUVJfiElh6PHRhamAZUiMzcrM+qM4tdJjtvRJLR7JucAqZqW2dh6Yq9bfH1LufxvukwR+my5sND3mjz9E+S2YPV3fr2cB7sqQqrtBa+UtC3tywk4aVIJ6hTOiWB+HAGAsRGBNuxVb/oUZIlI7ub8N8Vf/tMPwLyfS49LKwwx4lFTxQRKkvpv/ZARR5PtZVIS3nLh4AORqylM2gIi2Lx2862tJ4SEo4WQy1aukQ==,iv:pEDV2WLEFisblx+XrhuoaNpxtk4Byj+jB/ixhsk3uPQ=,tag:T4xI5g6sIrIobuSuViG5+A==,type:str]",
+	"data": "ENC[AES256_GCM,data:ZCr4rLLBECUNkFevlJ+D+F/EzVf2UiIEQ3+L7joyWsX2VRNYYNQGGy3PN20a3unME4PpeTeYNLTqrLOX2rSPO7SW5jOnesAEwLfVwIpUfcJAp37Mc0LOcs/nJHS9wkkIeIee5oOL2pzBtyBq2f6hdRewjwmJNOiXiK0z8WTo7peO72JihfLFAknAFYGvJUC0he1LsbOQIY7JQ0DACG5Kw+eNdYi8HnB47dwHnH+GKklfgOybQfRs0c/YGKKDuzaPSvzd3cdZdzhUPQao1YbvLIUI/VQeImZQvIMjgzkgY8AunbNYlxbDXlvJcXc6z2hXg0NQLndEGALsCAgxoARsxYI2yXIJZcRVqkwFG4beOuRTwoRoDD02IIuSVAT6X8GGf4+wWmWBetawO7Bfxxe4eFu1q2kzzS16XIy4+CllUYDhIyPi8Nig3gVN8ZF85X5r5grpeJBxrE8/cZPevX6OeFO/BxEkfwaukPTtqmPySNzYkcbPgiaYwTmgFrMcsn/RGPm5CrrY1RMiY+2M7RPn9bfvjbHR3U8IwKqM6TGTLAIodfW04Ee8mVH7S7SQnz3lzfmKhUWUw+BsKUgbObs9KIx2ytncuQwq1AubdZGPaZ5HgWCtIlvK2KsN/Y+hTZjkGiqk+K9pzhthQOrsLT6vOM50cNqUkzHcvu8TXnRknXzalH85VEB4Q+zQBRN4Qvu15tE9xTZYe32Xu4qCb9qvRcaCLAh4cmTAirORwVBNs5apEDl8Sl9MzM54+SM4QZbJ5XBLJzUsBqVEVSY9p43lTV1cpJtVbcZ2kTti9fj+7WMeFUAwuq0uVal0JTOHgpU0VcxwHPoXo2IC5KS/3TEaHEHtSIqOjsO/dqTfCqUuhUTDdLajTvOdqGShrQtaRq0sGa2b2n6dqj3CRNuwTSdqg9b19zABGBRTZ7QNTfYwZuiAAfUtYszd9JW4T7TZIocYNlvBSzhkc969WO+tAu/WChrHWuYPtz2sYxGaujFLEKiTEU1NnFiNel9wuqz5JnnQzxS19H3wiCroJ9kFrjFYtTeTTv4xe4197tq0eBs92JqzUi3M2bjSL/vBLWXG91eFxhMkucEg04KlBRcPACCGHM0q0ffrrHhHqRmDm53ba/74qA9jH64oIAPiRafk+5o32VCyaOhLEaP/iTDlaY1kdzMgrnkgVrcrXKQAOGO5mAVwvwreXGnBkubi2zf2AcbTKoG2d1rOlowkP+/x5x0fVXqQIjETFr1ZCt5qtf2uRn4o4Ee/JxbVor1+nGrToam0pF2gVY098ASzUeKBnNZPJLefnhfM9u3/TplfvTumcYd5ilM/FraKJ23E4UKQ8ErWDMTJUDse8KuIu6yRCGG7hLPo1OEXCyzKMigzZjkalv/BrKZgXUpZQ6VdBQj4EutetI62CwY3oJ/gy2c2WpLBi+YXGzIJiVVJuVoEg7UOjq6zYbrZc3kwYz/AUZjUsw0f2xJMhvsRrEgJzUEVUk+EsxtnNsEVKndnikwRjKjNeKT+gADEKdFQp5WTLT2jdEAynY6evR7cuLGt6yprnniiYn/QB5s3Q/ogOinkYj6zTcsL3PI0HI5pptVBccKTFA7v7CeRS840zcxYi7f7powNOKSqhZ2QtQv4mEkaW6+khx5lSM6mXAwgolknz3jmSvN7FC1qqIrFLeyKgtg/nCQWx/KdFuTYVzcIUHyL8HCdyl+X+MQa1ZMqyEYkQ3ap24pIhuQG8Eu5Jh+vIEcv7qOkBWsU6dyuyLd8GxIaJC/1qbYsETgCPW9Tmt3k63BdEDj/9QDoO1HxZJW65sJNOEyl/5fhhwt58J20UeXtLevVufG7ZthY860QMxiwtsRgae/jCKj1QtsepELWXovTIzl4D1U1j9GTgO4yxtUgPl3V0ukLHkdrptWOKLFo1BPbUaLRM7bTiEeHZvq9mDAl0kGyZ4Kl39b4/pvTydNlM+BywavjYSIijClg/I51tWY19YoHtyHHKyPpTSkgGJ120efATo86XxVz+yxtievPlgbqxilWUIm24igYBh9GUAzvmpDvnUHBfgpscnN3B1B3Kn6MXqzFV1oQ/q4ML77eAwUtOf9b4Hp4aeP85wa5fmxqC6zga/pa/NfE6v3LT26cwPYc6JAqg3W8Gmrhy6bJ6WO2pOf1Eh6wVs8Cu+Rsw9HND6xkjXN53R1/6U2Gsmv2+xY+D01rVPBndJSoeJPL7ujwh3kG1qmzeGbMYSbuG+eOrW9e8WiBBOnojfGHnfRBBCa46gvq/YdRtXMODRg03JJoPBZwHyc3o7ee8UIUtABu9PBkzhdspCy9v7V5rwRx19W4pf8T+igR41a+/qNP+zgPu62NtZ0BmxupAn5v4Nn4yCgEydifiu6KkeWEWmElzy/CwNRgZ0D7B/SQN1knr36fpLSLwdlyXNW7vqx15tgbYRBz29+ZWVoesM2M/gNrKUJtKs6jcAgxnKYD6tqyuQcF3G6p6aUQTrnXi7t3YVzFSSUCaaDSY9XGoZ6m8oN4bDgGkPnehtBch7XJn7oGHqvY2S+u3LuHIhhHK+hA8Si9WWpRPUbzjJRAQzlDf5zfRa2nPVVz4RpdVPPtrD8AnWkDgYn/JusNzIkLRr/0czSeqWtQRRthrY7YFqD12eI3JjSgk1G5KByfW5P/Iv8QUVb2btLYbkoy3J+5SvQhGKTiZEYD8mE2AL3ak3Al965jSVK3fJY4f53+hEhm1bVEtComhVB5X7+n82POOrhrgoas60aNeR8f1uxLzHNYoOY42TcwANqW0KG3+NHFGtIKCn0wLbAg91QSgaj/KMCVJuPVVUc0Uvt2xDd77qiIMKVqbxOlyWeVjUGfXykh5+NhlSE9TktlKjpVVsF+mWtA9di58JDlvc/OA4rSHnOnlL/8Tc9ZCUXO5iYB5/NsRY7o8UEEHMPOsYjNwii4RsIplcLitxj2kc8zSYYDO/7Tqil6Vo1fOWECbqcIEA2m59fNTQmSaZ1QCgEP/KsYswwGDxdZTDU2cyfcDsReNghUdg2u0pqJQdsaQn3C6yUNxBlnyuUW29BAlbOyUUPW+98EeW16PSNRM5JZLRXXJLqxcuPxF7XwLvzB8qYV8Oi34WWnKES4wOSZD3f2y2XlRvOzfK1+7c7ofOQ3v1ufu42x+tAvmnmc6YfNnU7ybeekHCDusKGORMlFl1N7a2RaT2mi72ems0ztTuGG7gdlrYldYOQ0dEqD1oeNWLrlOqnWVQwMT9eZ,iv:0eoQAssueYsHRvU1qHTSdryeZxeTYv+mDMt2uQR64hA=,tag:N62wqpHutX4mUAFkfiS6vQ==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -27,8 +27,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU240VjVRZmJ5TGsrclJF\nRXRLbTRCZURtR0Z3d2E2eDNNeGRDODlXVEY4CllTeVFYbDJQWlRSS1RFLzAxSnlM\nZi9NU1c3cWo3YWRLcUJ2U2ZFWFBBVEEKLS0tIGtmZU9qSWdBT3RDeStaaFFDSWtk\ndkUzZXJwZUl4LzVxYXdidmxXRnNnclUKyAMZqCKSY/RQvTR4bbjLaPnGKwdBcHXc\nvtiVSrLdIdzMa6id/J07TJH5UesUmcp0wjU41MDa4aMBLy+cXhuBHA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-07-14T02:08:47Z",
+		"lastmodified": "2025-07-17T19:51:34Z",
-		"mac": "ENC[AES256_GCM,data:ZT2q2cHleWw+h7JNzWi+UnFo7G72xMMjzkbr4Ixp09xT9jqHjeHRitRveoNyh8jcRSbWxVeYf1fpKEKPEAxqU77NORhD/QBFjQm1iG/UH/xkRNBTQ/kE+yp/6jlkyfJ/m8ulTSbegz2eQkko9HP9qG7+QMcESP6zE7ko8UFPXAY=,iv:AvQDzn9kQYj1cr6K/luFZkv2G1UAQT27cA9/pQMRJl0=,tag:uuH3aZSI644HrJXYR5I7UQ==,type:str]",
+		"mac": "ENC[AES256_GCM,data:c+ayFaTrFkoUcXF2YU5boi4twMg3ZUEPwAc8CUvIjxZWDVgqb4WZHPJ9j9T4hdZZq0URGAPTi4x8EXGTxv0pl7EQnAEYZEXPFwFjbuMzBvmsRfCsxeGFkgX1R3wg2PPs5ssXP22+rm7nuLKa91bloX5h3H7b1VbFQkWDJMg5QtM=,iv:5SblNcf0wAYHGd8NvCvxKTsg3ktr96aF6nUBtuZnfoM=,tag:ZIbmfUuW97RYbEqZn7iEnA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-13T20:13:06Z",
Author	SHA1	Message	Date
Leon Schwarzäugl	6f33ffe8c9	feat: add slink	2025-07-17 22:34:07 +02:00
Leon Schwarzäugl	db5c21b2bb	chore: flake cleanup	2025-07-17 21:50:14 +02:00