From fb653eb0f45501adbae71671c298028fb5b717cd Mon Sep 17 00:00:00 2001 
From: materus Date: Wed, 24 Jun 2026 00:06:21 +0200 Subject: [PATCH] waffentrager: init --- flake.nix | 12 + nix-config/home/materus/default.nix | 1 - nix-config/host/materusPC/boot.nix | 3 +- nix-config/host/materusPC/configuration.nix | 4 +- .../host/materusPC/home-manager/materus.nix | 1 - nix-config/host/oldie/configuration.nix | 1 - nix-config/host/valkyrie/default.nix | 6 +- .../host/waffentrager/configuration.nix | 168 ++++++++++++ nix-config/host/waffentrager/default.nix | 18 ++ .../waffentrager/hardware-configuration.nix | 52 ++++ .../waffentrager/home-manager/materus.nix | 5 + .../host/waffentrager/private/default.nix | Bin 0 -> 2075 bytes .../host/waffentrager/private/secrets.yaml | Bin 0 -> 5037 bytes .../waffentrager/services/auth/authelia.nix | 80 ++++++ .../waffentrager/services/auth/default.nix | 13 + .../host/waffentrager/services/auth/lldap.nix | 87 +++++++ .../host/waffentrager/services/default.nix | 30 +++ .../host/waffentrager/services/monitoring.nix | 57 +++++ .../services/multimedia/jellyfin.nix | 150 +++++++++++ .../services/multimedia/scrobbling.nix | 240 ++++++++++++++++++ .../host/waffentrager/services/nginx.nix | 39 +++ .../host/waffentrager/services/postgresql.nix | 27 ++ .../services/storage/elements.nix | 65 +++++ .../waffentrager/services/storage/gitea.nix | 62 +++++ .../services/storage/mount-acme.nix | 29 +++ .../services/storage/nextcloud.nix | 100 ++++++++ .../waffentrager/services/storage/samba.nix | 57 +++++ .../services/storage/syncthing.nix | 26 ++ nix-config/shared/default.nix | 3 +- nix-config/shared/private/variables.nix | Bin 925 -> 957 bytes 30 files changed, 1325 insertions(+), 11 deletions(-) create mode 100644 nix-config/host/waffentrager/configuration.nix create mode 100644 nix-config/host/waffentrager/default.nix create mode 100644 nix-config/host/waffentrager/hardware-configuration.nix create mode 100644 nix-config/host/waffentrager/home-manager/materus.nix create mode 100644 
nix-config/host/waffentrager/private/default.nix
 create mode 100644 nix-config/host/waffentrager/private/secrets.yaml
 create mode 100644 nix-config/host/waffentrager/services/auth/authelia.nix
 create mode 100644 nix-config/host/waffentrager/services/auth/default.nix
 create mode 100644 nix-config/host/waffentrager/services/auth/lldap.nix
 create mode 100644 nix-config/host/waffentrager/services/default.nix
 create mode 100644 nix-config/host/waffentrager/services/monitoring.nix
 create mode 100644 nix-config/host/waffentrager/services/multimedia/jellyfin.nix
 create mode 100644 nix-config/host/waffentrager/services/multimedia/scrobbling.nix
 create mode 100644 nix-config/host/waffentrager/services/nginx.nix
 create mode 100644 nix-config/host/waffentrager/services/postgresql.nix
 create mode 100644 nix-config/host/waffentrager/services/storage/elements.nix
 create mode 100644 nix-config/host/waffentrager/services/storage/gitea.nix
 create mode 100644 nix-config/host/waffentrager/services/storage/mount-acme.nix
 create mode 100644 nix-config/host/waffentrager/services/storage/nextcloud.nix
 create mode 100644 nix-config/host/waffentrager/services/storage/samba.nix
 create mode 100644 nix-config/host/waffentrager/services/storage/syncthing.nix
diff --git a/flake.nix b/flake.nix
index 7247682..80da229 100644
--- a/flake.nix
+++ b/flake.nix
@@ -140,6 +140,11 @@
 host = "valkyrie";
 stable = true;
 };
+ waffentrager = makeSystem {
+ host = "waffentrager";
+ stable = true;
+ arch = "aarch64-linux";
+ };
 };
 homeConfigurations = {
@@ -158,6 +163,13 @@
 host = "valkyrie";
 stable = true;
 };
+
+ "materus@waffentrager" = makeHome {
+ user = "materus";
+ host = "waffentrager";
+ arch = "aarch64-linux";
+ stable = true;
+ };
 };
 };
diff --git a/nix-config/home/materus/default.nix b/nix-config/home/materus/default.nix
index 9e7cac6..f7a101f 100644
--- a/nix-config/home/materus/default.nix
+++ b/nix-config/home/materus/default.nix
@@ -2,7 +2,6 @@
 config,
 pkgs,
 lib,
- materusArgs,
 ...
 }:
diff --git a/nix-config/host/materusPC/boot.nix b/nix-config/host/materusPC/boot.nix
index 0323749..5f8d7ad 100644
--- a/nix-config/host/materusPC/boot.nix
+++ b/nix-config/host/materusPC/boot.nix
@@ -1,7 +1,6 @@
 {
 pkgs,
 lib,
- materusArgs,
 mkk,
 ...
 }:
@@ -83,7 +82,7 @@
 ssh = {
 enable = true;
 port = 22;
- authorizedKeyFiles = [ materusArgs.files.ssh-keys.materus ];
+ authorizedKeyFiles = [ mkk.files.ssh-keys.materus ];
 hostKeys = [
 "/mkk/keys/ssh_host_ed25519_key"
 "/mkk/keys/ssh_host_rsa_key"
diff --git a/nix-config/host/materusPC/configuration.nix b/nix-config/host/materusPC/configuration.nix
index b2474ad..c6759cf 100644
--- a/nix-config/host/materusPC/configuration.nix
+++ b/nix-config/host/materusPC/configuration.nix
@@ -6,13 +6,13 @@
 config,
 lib,
 pkgs,
- materusArgs,
+ mkk,
 ...
 }:
 let
 patchedBwrap = pkgs.bubblewrap.overrideAttrs (o: {
 patches = (o.patches or [ ]) ++ [
- materusArgs.files.patches.bwrap
+ mkk.files.patches.bwrap
 ];
 });
 in
diff --git a/nix-config/host/materusPC/home-manager/materus.nix b/nix-config/host/materusPC/home-manager/materus.nix
index ee7ed25..38a252d 100644
--- a/nix-config/host/materusPC/home-manager/materus.nix
+++ b/nix-config/host/materusPC/home-manager/materus.nix
@@ -1,6 +1,5 @@
 {
 pkgs,
- materusArgs,
 config,
 lib,
 ...
diff --git a/nix-config/host/oldie/configuration.nix b/nix-config/host/oldie/configuration.nix
index 0efcd31..9f16368 100644
--- a/nix-config/host/oldie/configuration.nix
+++ b/nix-config/host/oldie/configuration.nix
@@ -6,7 +6,6 @@
 config,
 lib,
 pkgs,
- materusArgs,
 mkk,
 ...
 }:
diff --git a/nix-config/host/valkyrie/default.nix b/nix-config/host/valkyrie/default.nix
index 269d551..a91adfa 100644
--- a/nix-config/host/valkyrie/default.nix
+++ b/nix-config/host/valkyrie/default.nix
@@ -2,7 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running `nixos-help`).
-{ lib, pkgs, materusArgs, config, ... }:
+{ lib, pkgs, mkk, materusArgs, config, ... }:
 {
 imports =
@@ -70,10 +70,10 @@
 extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 packages = [ ];
- openssh.authorizedKeys.keyFiles = [ "${materusArgs.files.ssh-keys.materus}" ];
+ openssh.authorizedKeys.keyFiles = [ "${mkk.files.ssh-keys.materus}" ];
 shell = pkgs.zsh;
 };
- users.users.acme.openssh.authorizedKeys.keyFiles = [ "${materusArgs.files.ssh-keys.waffentrager}" ];
+ users.users.acme.openssh.authorizedKeys.keyFiles = [ "${mkk.files.ssh-keys.waffentrager}" ];
 users.users.acme.shell = pkgs.scponly;
 # List packages installed in system profile. To search, run:
 # $ nix search wget
diff --git a/nix-config/host/waffentrager/configuration.nix b/nix-config/host/waffentrager/configuration.nix
new file mode 100644
index 0000000..6f77217
--- /dev/null
+++ b/nix-config/host/waffentrager/configuration.nix
@@ -0,0 +1,168 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running `nixos-help`). + +{ config, pkgs, mkk, lib, materusArgs, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + networking.firewall.allowedTCPPorts = [ 1900 ]; + networking.firewall.allowedUDPPorts = [ 1900 7359]; + environment.etc."current-flake".source = materusArgs.self; + + nix.settings = { + experimental-features = lib.mkMerge [ + [ + "nix-command" + "flakes" + ] + ]; + auto-optimise-store = true; + trusted-users = [ + "root" + "@wheel" + ]; + + substituters = [ + "https://nix-community.cachix.org" + "https://cache.nixos.org/" + "https://nixerus.cachix.org/" + ]; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "nixerus.cachix.org-1:2x7sIG7y1vAoxc8BNRJwsfapZsiX4hIl4aTi9V5ZDdE=" + ]; + }; + + environment.systemPackages = with pkgs; [ + libraspberrypi + raspberrypi-eeprom + git + + p7zip + unrar + bzip2 + unzip + zstd + xz + zip + gzip + + ]; + + boot.tmp.useTmpfs = true; + services.xserver.enable = false; + networking.hostName = "waffentrager"; + + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "no"; + + users.users.materus = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keyFiles = [ mkk.files.ssh-keys.materus ]; + hashedPasswordFile = config.sops.secrets."users/materus".path; + shell = pkgs.zsh; + }; + + # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) + boot.loader.grub.enable = false; + # Enables the generation of /boot/extlinux/extlinux.conf + boot.loader.generic-extlinux-compatible.enable = true; + # networking.hostName = "nixos"; # Define your hostname. + # Pick only one of the below networking options. 
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + + # Set your time zone. + # time.timeZone = "Europe/Amsterdam"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkbOptions in tty. + # }; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + + + + + # Configure keymap in X11 + # services.xserver.layout = "us"; + # services.xserver.xkbOptions = "eurosign:e,caps:escape"; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + # sound.enable = true; + # hardware.pulseaudio.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + services.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + # users.users.alice = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # packages = with pkgs; [ + # firefox + # tree + # ]; + # }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + # environment.systemPackages = with pkgs; [ + # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + # wget + # ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. 
+ # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It's perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + nixpkgs.config.allowUnfree = true; + programs.zsh.enable = true; + system.stateVersion = "23.11"; # Did you read the comment? + +} + diff --git a/nix-config/host/waffentrager/default.nix b/nix-config/host/waffentrager/default.nix new file mode 100644 index 0000000..4ccc19d --- /dev/null +++ b/nix-config/host/waffentrager/default.nix @@ -0,0 +1,18 @@ +{ config, pkgs, ... }: +{ + + imports = [ + + ./configuration.nix + ./private + ./services + ]; + + virtualisation.podman.autoPrune.enable = true; + virtualisation.podman.autoPrune.dates = "daily"; + virtualisation.podman.defaultNetwork.settings = { + default_subnet = "10.88.0.0/16"; + }; + virtualisation.oci-containers.backend = "podman"; + +} diff --git a/nix-config/host/waffentrager/hardware-configuration.nix b/nix-config/host/waffentrager/hardware-configuration.nix new file mode 100644 index 0000000..8710f13 --- /dev/null +++ b/nix-config/host/waffentrager/hardware-configuration.nix 
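Review bot: `services.openssh.settings.PermitRootLogin = "no"` is set, but password authentication is left at the module default even though `users.users.materus` is given both an authorized key and a `hashedPasswordFile`, so sshd will still accept password logins for that account; add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` beside it. The lines `networking.firewall.allowedTCPPorts = [ 1900 ];` and `networking.firewall.allowedUDPPorts = [ 1900 7359];` open ports with no indication of which service needs them (presumably SSDP/DLNA and client auto-discovery for the media server enabled elsewhere in this patch); a comment such as `# 1900 tcp/udp: SSDP/DLNA, 7359 udp: media-server discovery — TODO confirm` would document the intent. `nix.settings.trusted-users` includes `"@wheel"`, which lets any wheel member hand the daemon arbitrary substituters and store paths, i.e. it is root-equivalent; acceptable on a single-admin box, but worth a one-line comment so it is not copied to a multi-user host.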
@@ -0,0 +1,52 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, materusArgs, ... }:
+let
+ crossPkgs = import pkgs.path {
+ localSystem = "x86_64-linux";
+ crossSystem = pkgs.stdenv.hostPlatform.system;
+ };
+ rpi4-kernel =
+ crossPkgs.callPackage (materusArgs.inputs.nixos-hardware.outPath + "/raspberry-pi/common/kernel.nix")
+ {
+ rpiVersion = 4;
+ };
+in
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ materusArgs.inputs.nixos-hardware.nixosModules.raspberry-pi-4
+ ];
+
+ #boot.kernelPackages = pkgs.linuxPackagesFor materusArgs.inputs.nixos-hardware.packages.aarch64-linux.rpi4-kernel;
+ boot.kernelPackages = crossPkgs.linuxPackagesFor rpi4-kernel;
+ boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ boot.kernel.sysctl = {
+ "vm.swappiness" = 10;
+ };
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+ fsType = "ext4";
+ };
+ swapDevices = [{
+ device = "/var/.swapfile";
+ size = 8 * 1024;
+ }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = "aarch64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
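Review bot: The header `# Do not modify this file! It was generated by ‘nixos-generate-config’` is no longer true: the file now carries a hand-written `let` block that cross-builds the Raspberry Pi 4 kernel through `crossPkgs`, imports the nixos-hardware module and declares the swap file, all of which a re-run of the generator would clobber; replace the three header lines with something like `# Hand-maintained (started from nixos-generate-config output). Do not regenerate.`. The root filesystem is pinned to `/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888`, which reads as a fixed, non-unique UUID rather than one taken from this disk; if it is the one stamped by the nixpkgs SD-image builder, a comment such as `# fixed UUID assigned by the sd-image builder — TODO confirm` would keep the next reader from assuming it was scanned from the device. `crossPkgs` hard-codes `localSystem = "x86_64-linux"`, so evaluating this configuration on the Pi itself would presumably require an x86_64 builder; a comment stating that the host is built from an x86_64 machine would make that expectation explicit.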
diff --git a/nix-config/host/waffentrager/home-manager/materus.nix b/nix-config/host/waffentrager/home-manager/materus.nix
new file mode 100644
index 0000000..c5b014b
--- /dev/null
+++ b/nix-config/host/waffentrager/home-manager/materus.nix
@@ -0,0 +1,5 @@
+{ config, pkgs, lib, ... }:
+{
+ home.stateVersion = "23.11";
+ home.homeDirectory = "/home/materus";
+}
diff --git a/nix-config/host/waffentrager/private/default.nix b/nix-config/host/waffentrager/private/default.nix new file mode 100644 index 0000000000000000000000000000000000000000..5251c719919b160481ccf5cccca07f7077c30e01 GIT binary patch literal 2075 zcmZQ@_Y83kiVO&0U^0v{JlwrSYuknE>ogL!+zm^8y}7b~)eA54`|O_<9($=IcTr{) zx39^PiGTlY{<`S?#O^%N7fKILMsRg2RPIVBekiv30e6geNgR{GSPUI*ne^Bi9;K!0v+osEv9#1$Q{O{m*|B8+GR%x`n z`+v3mp_SLd_1{y!?(*5i>XZ|3X?HV6eb?o$gSW@$0!yLV+u2#Ma(l6d# zojv!~ucD-HJG1@#JW{wmZuRp!q~rT{(`WC?Wy@}e$OW9;E0ef+a_7vx`~O6jxi?HW z|8(lr*UCA*FQ;m4`}>non!mDqUSFc-QR_r*2cB!E7X7HavYwfL_x$HmZ9g;XXKxP> z(LQ3oz|xg{(og3zuJgCvGCK8Z*^NU>3eqpUa9P&b|LsfF?G0yVZGG7AK0kZa_W8UW z!5Y`j&-wLmx>%X+N5QIXPZw%1JkYf-P!{r`Jg?QT5}*sOh~@1Mh^K8u>F56hlK8tbP2&SrJlbN{2C z^~^G_zs5;k7AFc*t&VGmACL*g9G1FQj~T^yxb|8wDi{+^KEs^vkzZ#OJ1+%{BHNYNAe%$biOI+tqIHtL9lEvdipE#CX+8?Mp<9V6Q`en?VZRhSEo`0m)a&lV+$0}}K z+v>~B^|$oCY+W<`hMj+d@`v=!y&W4*hb)p=cu;*^Sz(8R!K}YI~AnyN4MFfD|DseU1hhw*FFdGXWaDF>U=$i z`~F7l6cz3gzv#)K3l;aVT}glXgmuw{`8L0pS2gt%tq>ftmi^U-y>XaSU#`v$k}J)Ts;e!{7Q8R_s!~KHbMr zZYJNZrH>w65_t4VwG%|&%E`M`F0h*onvEKd+tyCZg<|=EQZ^$4-PlD zA2a_OYo2}mrBl&5mfSgK4|$3IIXLyL@ady2`*kPmnfadGUpV(zSFFaF-qPj#MO_vv z^SkaXyYh9}loMWFKhHEdeDTrkdfR!7yYuBa=D-Ytqirl3@&x|;4|>LC>Yg0QnRw-Z zuFPH))>S=wS;csGxwf##pOALh$h9G`n%{c8R(R93*^wH4n#(Hd_ssLXb1Y!by6+wv z)DCWPK6<~w@645&waX0Zq%vL~>+lf!6Cs&rlc18f?8U6!cfRjGwu{8Xob|X9x8_Rk zQPlzgmN)tDyL*maTb9AZk^g|<#GTJO*mbA)OhB)ur;|a7oJw$ zWjlYFR>h*@)4MkA+_8Il;7`@-X1BxyjaZ%vnA`hrmK8Qx{Ob27Ig>sAUawpdzSzcL z{(G?%r73&~d!FaCW^%0RL$!lTZ7hCNxnUPy^`Ss3dG3SLon^kk#w&{o_ z@qG!>x})Q$KHYiU0>jgK`x>5$tc|+8$Xi(6Oz=DV9;YSip-T%VLG#hoT4HCzAAq1CEfMcNWh ze_u-8xAtswlK)-7EOtON@8gR{n>Sg`_nd#Nv*(7|%{bjh&;L!IcJ}W7;!fkbd@~t; zzpvMCXe#g96SbwVB&07;;ELtZ?Lj-_C90;*eR5gRK*J+k@WE=a-w>~v~q+_>cYlm|7o8N15e~xL@hb|~*6n^P-&bF<# zzf@)&c>P<{(`X*%%r7tZKD#7(_IAIyx5Fgwf}aUu=`6Q)Xlf_ zZXZ1-)!1_&zCO_COT?Q=lckUOtZ~<4EL5{>`?cYEnS|1T?vx*rP6dVvX<>)92WX`; ztm^Jwy(8biWqO3AU+mU{LYw(jw}#ZrI9vX6@$z|92mhpXJ51-36lwhDTj~2n;e_|= KkGC$R$p8Su$@!xI literal 0 
HcmV?d00001 
diff --git a/nix-config/host/waffentrager/private/secrets.yaml b/nix-config/host/waffentrager/private/secrets.yaml new file mode 100644 index 0000000000000000000000000000000000000000..6b3ddf83e82d7da47f801ea24510708f9740edc7 GIT binary patch literal 5037 zcmZQ@_Y83kiVO&0FjzL_tG=9Y?$(ROoXHc@KTB`lA8&BFRJQN&cBNx${;phg_J_CZ zSr_Hh?XT0BWpZP6*ebIxF5UEdesBJC9nZN5X%U95zqh!0s&2l2*vPT*sL|gmUqaN9 ziWaJJpDmgCMmn|Y_U1#YSe2F?*9w}Wm)>!3&6Zo;tLpMU-L>VPKIt1<*xJTNkDO=6 z89QFvw_7i`WYYHLl9u&F&w|n_`vq(+3P0<1*jOra{gAKlyMz#xJ+1!!H*cwOl;oM- zH2M*$lCfv%<%$}ahS&9yDRZ8`xpDsOoEsJbE`CWjeJa?ZLVeouS#;b*OFX}POh^_! zUpZy7z`xGL<$NWI!WtzTRu{H@?La#2i2ru1yr>I3L(Cswet=+~8J3s%JG5y%WS&l7XA5uT;xseue zSZ}SgMt&ww2r!rD1w)(ADyq4 zW8EvU*|V~)+^wiDbjxxN3O#w&LdLD@)GN6;uXc3Da_(z=U3UD)`po{4kaFpgxxWL| zq?bvnJ@#R*7o2y(WbS?0uElzT7xcF2r zK)^h7iC&8K>kqf&Prqc~n8fG(AU!sx>$y|?9C!acQ@9T>|JxPAvFdBgK}M;WG5qS; z58jJ}n6a$>a&c;>#-Ts^{+wxDtkyWsLD6EMnY)%=-pvQ+ zntK;Kx)T$)`u5hTpG(3QZ(SkikTXRj&(dbU3|Fx2!JLm*IL`^K4cs4hWq$L9Cy8DH z;T>-(&3xV|Z%8|k6jB@L7&{>{P5p(_uZEP4`GqZ?vnIY-5Lb3`^MpH3iY|S2lw$u{ zs-W}x!d3RPIq%X}^Pf<@ek}Bd?AcGrmQQO1>dyH&+%-RN`pVUp>h*RJf9<8d%qjl4 z=I_B0<8Ql{3RI`9denRWH~S)uj(N^rX zc_{zk{Oo%*uY;?%u*=!!ey{D<5lR&3I)8sGYRtc)X}+ z*;GYAp%1<>N3$*0Kge2AdL-t^9iPePcHTPuh@<%P2iZ)9$l2}EA9IqMJ9s>7Cg)zU zJ2~gy`pWr*TfD6F75ty1>h9R!JZD-?;@4(J4YBsFxF3tpSx%5Rrgm%Fc5!t*0ZU>@=6XL7gb-G z-c&qgRkx!MW2?};mqw@d7MY%!@Vn4$#&b)r{p&UN>MO+fTU5R9zSFM$T0MA|Nw9K# zTF&(t2DzuVgYAqCuk-l1K96PPlph-FLf*YS@MxRIQjTXfB^Az>4y_Q)vHtQ{BuB_v zMD4rCDjA-huU-AmXH2~EA^qraccxj|Py0RpCVIs^5aMEvJN|B&zPwt*ZriT9+`#V3 zJ`?6>D!dgxo#l#j=!UQ^5FyuPfryz1ZHwPA1M;$j-w!nfuLE1#Gmro>pUS{AbD z`ejoo^>?Lw-|asB-@G>aNv-AUAU0vo%i%dPxp!eI8^%gnqA=AOEL z{Yrgkwe?YDmGv9>89#qH{^`cz?M4oh)Q{H2NxfjTdA|Ac_8um~Ek8n&D=Zaw6!tki zKQ8NkV-x2GsXZ4~`MV}eTQ2qX`{lwJ_4=-^bAn&oWmccuvFgvO;MARS>-!(B>&OiL z)D%9??Z+3neauHCUkQr(uKAN4yOi^L>V_)OnLj_JJmroT*mT>>_rTnje^b;dfDThWVVq%7Yl`zNNJd&9ABchy%LKfW=keOiBn!?RNo?;N(aEIt1A z(DRsvi!*yC{+M!o@BbXz=RM0)OCx?8Phs6ZuT{)WVAI~Ohc%f0Xt#CFT(MbX?%{^- 
z$9AOd*jd=H%XHS1S4@4Pi%uPNiHs`I6g_%z!GfA%DKmjrdPWIU7EjRaCLvYD$ZT8CnQFiz8rKBzucey_f&9ID} zY#r=)z)0^#?G)Cqt^>R7IO_Sm^kT8uw1e~F*S_h&;vav{VA*b-d)$b1U-{QJO{a`c z+~Q8_jhUgLt#Dxv;}7eK>8$_GN8DJ%)v;skuhq2*y9y@NbMm!3N)(%Nrm3$ksPkP) zQq|X2QpZ+J&bhY1uzu&Z{7s3j)rM<2gB{#Vr}wE;2i6p}%-Z_m_m;$pD@n82ufFqG z8Fyok=_F;Xn8w`ImKJG_rblJ(d(7gWeJOp{oBr)TcslDQ1|Q73ui^S-X{OFKZ9m)F zcAh(q8k_w4WR~F7@mVOMxBJ$v+vj(7RsDa{dExWs9T%3~x!TLjbDd|WP<`kkz3G=S zl-~=-+)>=Q$$mqqwRX?8BgSjny>Aq3U6uCx-c}x?{UHruje8TN{9gaRyj7xh_Qwn* z`~O5iv)cvh z?xyyB%B%=)YJQb<^ys^9=0{7iru?4v(2_y_(XYG5zD^L{HUCeQ<6^FhkG}2S&;Df5 zu5FDkMPt`-eog9*eO0u{@Cnm}C-HWQ`O^iaE6SJrG%d*t``jDy;<(z*;5h5|?=+Y7 z$$eu`^4#zHy{Yi$ii@^ud0z!feN;~76%I(8eSLpp=?kU|&-x?11`hhsb|=*BxAS(& zOqGAOd$QQf`^Ovt1$@6p&3b&cTV3RIiOU4Zr&oN^7`J*?{GaP7yftsSrEFW*of{LU z%xSvFB-4_#XX)1V;ui@ME_o)sk3S^G)6Q^@OT2=8>h~w{&$ntmdR$epx87@G$O#7y z9e-c3!nm#152tU|611CaZ53B>_O|fbIg_VWCf1kQWge5|nQ=J2W%12<#uWg7{*UJ}AmAUBBY-w~Ox|s!UA`y~Djd=f`gq90$lTx#i&}*+sWe!1)w6ajoLry0?iuB}(_J5fa!2R9jQbDeN<#O58OAAlPFL^5! z7PCe!yW}+!XRI5K!6xs!t6DPlRxFb|=J`&7eX}N;qTZLNlQ&Pdy zkv73^3aj!16Z!;M!m`?%L@M|@4<@CqTWK8E^!A&R>tqYrnjIBCQ+8*5^DcGbrpcMx$1dI5^jJA;X13z8<&*rXpBo=;@2;P?Bk~jHT9#;oPVFhnGa~#ZxU9T4 zV?WyhzNa;J=D)2@J6%7kyLr*Kgq!V*cKN~*FN4G{&gboDJr!WSIHcT)GHoNZ(|V#G1$-L*TSn~xot=J1ax_Ni!N z-KQSQ)d#JO=iBSgF7&+rinnfM!v@jCt0(0i3=7<%#C0l{Yr{c3p&0+@ilkN*Aa1iV{%r)`R!&E9unQ!;-V$jDti z?{BU3V@_12myF}dN9x}`N6YG#Xxvo|t0-z*_EjpN@4%+Xeg!Kzs=oL{c3Aw~=_ESo z@uAehQid1LKGzEE+29d6ReOKwl3F$CDV}aEkNu2vayYA|OI%CaZ2Ut(s`=yY?TMYb zxi|kls4Bd=L;A^t-T8iQj9<%j1&?U#Jreoyr;xBy?O7SF`dIm0@n63;tjzrqbv5K@ zl9}%9D_8%_Id1dhkM@V!;9ok~H+tTFT5)GnH@8muc_+%+y;mNM~x9Y_h}> z?Pc3fP4Q~tH;bRuyK`jyAh>lX()$Tkl}c^LIir zZsip@U1+Fc-+Mfdlcg`jZb{ksi^=Q%FI+0mHs#27qxy(lR^40|3nw?s`ZVFkyDJqU zPdc?Skn>n$u zc|GgCOFWXtRn|27dv8>@Zt$ajPDmzW>BSDF`s10A6EXshbMPG9HS7Mylv|2lgC&=J ze$?+(w=gUEplhy()raqFuNePb+h=n#YDMBHg>Jih#cL+5J+VLezzONwHCJvbPIw`u z`DjDvkxf&>7iK&X)1Eu&Q|xU+$sP__*%yac8WgKfUSGMSG;rCXeQ(lQ`x^OdIK5LM zjMF}RF?=oMZg4RDxBj;Ovd8Cho_X6}8n;~KaeJ0$U-_oMiJWoag2(OS#T8$^JgB{* 
zYn}!7}nKnMy^VvDV{~SUWuWvS6*tesp+sV-F z>!muK>Wz2SYy4QkJ8R{cryh?#ROWnXU&p8Cdr#@$#cV#gE|FHRdFQ#-Y@L$2&0kMY z_Q1J2Lf2Qyb}*)Si9e5)`@4DPoUr##8NW8ROaH&LZ*%g?w8n-2KC#KM)vC+5oG00I z%5}tOt=(3+;a2PPP}UijbgpbaWa9UN;fnj(NqTXQC-xK`N#&_sm0or2=K0&-Wo)_j zeRkN8#I^9@g$E_`8CmYv89b~MZRg2JUH(aY)4i1yAt627%8mQZPkO?-ZI?dRre-U{ zuDRgpmSPJP(4dV2bK&W|ipJXVVqr_0XR>lJ?Re+%VzaR&@ zMJ#4Md#toya_u{G{oV4U;8V9=Zk+H=Wz&{}O|}ZJIGH%vc0EnMxtFc)te~uQ?!k3l z&J!KJt^3OCcX7Ybf!U1#p$TDE9~I_Vq;C7W*O0s2t8-h}^h9NeKXXiuwr*Lf@=wP6 z>V>1r-Y~sidi!>ZOKCuoPtul&T}Df%A1>61X83n5=j8XinWxwGc=t?_o3XW^qwCl2 zr~bv+LH(QmO_{y1gS{llh2j6L`MFcP+HMEC_N_JYZFYWs>cTu@23}cVv7LM4x|-!K z{5kmcjce}f-Cq{+@TKM_+}&go$>OYWGCuKo{!)d)tbO?cFQFm@87V>w14MB4_)ak&HAw@nS(*ckAYQaR;=Ln zKUe=uHNSr{=<($Ln-&INW?uF#>dT|{EN)HSwE7pz`?*b=rNhWe( zA0k&~uke!Fp-}bOa$zVdf6NV^-G5atTP(7Tj(VJBXVQA`&R>h83mD3uO>q3QoyYzz z|EitW%5HT1e!uF*`x*tIUvm``mPWKDx-R8i*V_6&e%bo6uS?diH-Aye_-aLO%-q}4 zOjOkC4LDL(PkD5&fahG|QN8(Z8kIJ&Isfwd`2X*Q*+o4E*hA)g{vWKlh|jfV^Mtv+ z3sx^Yv{L-4T=soGk6jW6b*G$ket2-^jh3}H*B;|niyMq;-{Hcby@)c6!qvs literal 0 HcmV?d00001 diff --git a/nix-config/host/waffentrager/services/auth/authelia.nix b/nix-config/host/waffentrager/services/auth/authelia.nix new file mode 100644 index 0000000..e29fbc8 --- /dev/null +++ b/nix-config/host/waffentrager/services/auth/authelia.nix 
@@ -0,0 +1,80 @@
+{ config, pkgs, lib, mkk, ... }:
+{
+ options.waffentragerService.auth.authelia.enable = mkk.lib.mkBoolOpt false "Enable authelia";
+ config =
+ let
+ cfg = config.waffentragerService.auth.authelia;
+ port = 9091;
+ in
+ lib.mkIf cfg.enable {
+ sops.secrets."authelia-storagekey" = { owner = "authelia"; };
+ sops.secrets."authelia-database" = { owner = "authelia"; };
+ sops.secrets."ldap-master" = { owner = "authelia"; };
+ users.users.authelia = {
+ group = "lldap";
+ isSystemUser = true;
+ };
+ services.authelia.instances.main = {
+ enable = true;
+ user = "authelia";
+ environmentVariables = {
+ AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."ldap-master".path;
+ AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = config.sops.secrets."authelia-database".path;
+ };
+ secrets = {
+ jwtSecretFile = config.sops.secrets.jwt.path;
+ storageEncryptionKeyFile = config.sops.secrets."authelia-storagekey".path;
+ };
+ settings = {
+ access_control = {
+ default_policy = "one_factor";
+ };
+ authentication_backend = {
+ ldap.url = "ldap://127.0.0.1:3890";
+ ldap.implementation = "custom";
+ ldap.base_dn = config.services.lldap.settings.ldap_base_dn;
+ ldap.user = "CN=master,ou=people,DC=podkos,DC=pl";
+ ldap.additional_users_dn = "OU=people";
+ ldap.users_filter = "(&({username_attribute}={input})(objectClass=person))";
+ ldap.additional_groups_dn = "OU=groups";
+ ldap.groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
+ };
+ storage = {
+ postgres.host = "/var/run/postgresql";
+ postgres.port = "5432";
+ postgres.database = "authelia";
+ postgres.username = "authelia";
+
+ };
+ notifier = {
+ disable_startup_check = false;
+ filesystem.filename = "/tmp/test_notification.txt";
+ };
+ session = {
+ name = "materus-session";
+ domain = "materus.pl";
+ };
+
+ default_redirection_url = "https://materus.pl";
+ server.port = port;
+ };
+ };
+ services.nginx.virtualHosts."gatekeeper.materus.pl" = {
+ forceSSL = true;
+ http3 = true;
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString port}";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+ };
+}
diff --git a/nix-config/host/waffentrager/services/auth/default.nix b/nix-config/host/waffentrager/services/auth/default.nix
new file mode 100644
index 0000000..3ac11bd
--- /dev/null
+++ b/nix-config/host/waffentrager/services/auth/default.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+{
+ imports =
+ [
+ ./lldap.nix
+ ./authelia.nix
+ ];
+ config =
+ {
+ waffentragerService.auth.lldap.enable = true;
+ waffentragerService.auth.authelia.enable = true;
+ };
+}
diff --git a/nix-config/host/waffentrager/services/auth/lldap.nix b/nix-config/host/waffentrager/services/auth/lldap.nix
new file mode 100644
index 0000000..babc258
--- /dev/null
+++ b/nix-config/host/waffentrager/services/auth/lldap.nix
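Review bot: `jwtSecretFile = config.sops.secrets.jwt.path` reuses the very sops secret that lldap.nix in this patch hands to LLDAP as `LLDAP_JWT_SECRET_FILE`, and `users.users.authelia.group = "lldap"` appears to exist only so authelia can read that `0440` file; the two services' signing keys should be independent so that a leak or rotation on one side does not touch the other — declare a separate `sops.secrets."authelia-jwt" = { owner = "authelia"; };`, point `jwtSecretFile` at it and give authelia its own group. `ldap.user = "CN=master,ou=people,DC=podkos,DC=pl"` binds Authelia with the LLDAP admin account (`ldap_user_dn = "master"` in lldap.nix) although a dedicated member of LLDAP's `lldap_strict_readonly` group is sufficient for lookups, and the DN is hard-coded while `ldap.base_dn` is read from `config.services.lldap.settings`, so a changed base DN would silently break the bind. `notifier.filesystem.filename = "/tmp/test_notification.txt"` writes password-reset and identity-verification links into a world-traversable directory; if that is intentional for a single-user setup, say so in a comment, otherwise place the file under the instance's state directory.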
@@ -0,0 +1,87 @@
+{
+ config,
+ pkgs,
+ lib,
+ mkk,
+ ...
+}:
+{
+ options.waffentragerService.auth.lldap.enable = mkk.lib.mkBoolOpt false "Enable lldap";
+ config =
+ let
+ cfg = config.waffentragerService.auth.lldap;
+ in
+ lib.mkIf cfg.enable {
+ waffentragerService.elements.enable = true;
+ waffentragerService.nginx.enable = true;
+ services.nginx.virtualHosts."mamba.podkos.pl" = {
+ forceSSL = true;
+ http3 = true;
+ sslTrustedCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/mamba.podkos.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/fullchain.pem";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:17170";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+
+ allow ${mkk.wireguard.ip-masks.main};
+ allow 192.168.100.0/24;
+ deny all;
+ '';
+ };
+ };
+
+ systemd.services.lldap = {
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ WorkingDirectory = lib.mkForce config.waffentragerService.elements.lldapDir;
+ };
+ };
+ users.groups.lldap = { };
+ users.users.lldap = {
+ group = "lldap";
+ isSystemUser = true;
+ };
+ sops.secrets.jwt = {
+ owner = "lldap";
+ group = "lldap";
+ mode = "0440";
+ };
+ sops.secrets."lldap-database" = {
+ owner = "lldap";
+ group = "lldap";
+ };
+ services.lldap.enable = true;
+ services.lldap.environmentFile = config.sops.templates."lldap.env".path;
+ sops.templates."lldap.env" = {
+ content = ''
+ LLDAP_JWT_SECRET_FILE="${config.sops.secrets.jwt.path}"
+ LLDAP_DATABASE_URL="postgres://lldap:${
+ config.sops.placeholder."lldap-database"
+ }@%2Fvar%2Frun%2Fpostgresql/lldap"
+ '';
+ owner = "lldap";
+ group = "lldap";
+ };
+ services.lldap.silenceForceUserPassResetWarning = true;
+ services.lldap.settings = {
+ ldap_base_dn = "dc=podkos,dc=pl";
+
+ ldap_host = "127.0.0.1";
+ http_url = "https://mamba.podkos.pl";
+ ldap_user_dn = "master";
+ ldap_user_email = "materus@podkos.pl";
+ ldap_port = 3890;
+ key_seed = mkk.waffentrager.lldap.seed;
+ ldap_user_pass_file = config.sops.secrets.LLDAP_LDAP_USER_PASS_FILE.path;
+ };
+ };
+}
diff --git a/nix-config/host/waffentrager/services/default.nix b/nix-config/host/waffentrager/services/default.nix
new file mode 100644
index 0000000..c57dca0
--- /dev/null
+++ b/nix-config/host/waffentrager/services/default.nix
@@ -0,0 +1,30 @@
+{ ... }:
+{
+ imports =
+ [
+ ./storage/elements.nix
+ ./storage/mount-acme.nix
+ ./storage/gitea.nix
+ ./storage/nextcloud.nix
+ ./storage/samba.nix
+ ./storage/syncthing.nix
+ ./multimedia/jellyfin.nix
+ ./multimedia/scrobbling.nix
+ ./monitoring.nix
+ ./nginx.nix
+ ./postgresql.nix
+ ./auth
+ ];
+ waffentragerService.elements.enable = true;
+ waffentragerService.postgresql.enable = true;
+ waffentragerService.mount-acme.enable = true;
+ waffentragerService.gitea.enable = true;
+ waffentragerService.nginx.enable = true;
+ waffentragerService.nextcloud.enable = true;
+ waffentragerService.samba.enable = true;
+ waffentragerService.jellyfin.enable = true;
+ waffentragerService.scrobbling.enable = true;
+
+ waffentragerService.syncthing.enable = true;
+ waffentragerService.monitoring.enable = false;
+}
\ No newline at end of file
diff --git a/nix-config/host/waffentrager/services/monitoring.nix b/nix-config/host/waffentrager/services/monitoring.nix
new file mode 100644
index 0000000..8755437
--- /dev/null
+++ b/nix-config/host/waffentrager/services/monitoring.nix
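Review bot: `key_seed = mkk.waffentrager.lldap.seed` is placed in `services.lldap.settings`, which the NixOS module renders into a configuration file in the Nix store, so the seed from which LLDAP derives its private key becomes world-readable on the host and travels with the system closure into any binary cache it is pushed to; move it into the `sops.templates."lldap.env"` content next to the other secrets as `LLDAP_KEY_SEED=…` (LLDAP reads its settings from `LLDAP_`-prefixed environment variables) and drop the `key_seed` line from `settings`. `ldap_user_pass_file = config.sops.secrets.LLDAP_LDAP_USER_PASS_FILE.path` references a sops secret that is not declared in this file, so the `owner`/`group` lldap needs to read it presumably come from the encrypted `private/` module; a one-line comment naming where it is declared would save the next reader a search. The nginx `allow`/`deny` block keeps the LLDAP web UI reachable only from the WireGuard range and `192.168.100.0/24`, which is the right shape; a comment saying the admin UI is intentionally LAN/VPN-only would make that explicit.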
@@ -0,0 +1,57 @@
+{ config, lib, mkk, ... }:
+{
+ options.waffentragerService.monitoring.enable = mkk.lib.mkBoolOpt false "Enable monitoring";
+ config =
+ let
+ cfg = config.waffentragerService.monitoring;
+ in
+ lib.mkIf cfg.enable {
+ services.grafana = {
+ dataDir = "${config.waffentragerService.elements.path}/services/grafana";
+ enable = true;
+ settings = {
+ server = {
+ http_addr = "127.0.0.1";
+ http_port = 3232;
+
+ domain = "watchman.materus.pl";
+ serve_from_sub_path = true;
+ };
+ };
+ };
+ services.prometheus = {
+ enable = true;
+ port = 3233;
+ globalConfig.scrape_interval = "30s";
+ stateDir = "elements/services/prometheus";
+ scrapeConfigs = [
+ {
+ job_name = "node";
+ static_configs = [{
+ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
+ }];
+ }
+ ];
+ };
+ services.prometheus.exporters.node = {
+ enable = true;
+ port = 3234;
+ enabledCollectors = [ "systemd" ];
+ extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
+
+ };
+ services.nginx.virtualHosts."watchman.materus.pl" = {
+ addSSL = true;
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ http2 = false;
+ http3 = true;
+ locations."/" = {
+ proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ };
+}
diff --git a/nix-config/host/waffentrager/services/multimedia/jellyfin.nix b/nix-config/host/waffentrager/services/multimedia/jellyfin.nix
new file mode 100644
index 0000000..c236abf
--- /dev/null
+++ b/nix-config/host/waffentrager/services/multimedia/jellyfin.nix
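Review bot: `addSSL = true` on `services.nginx.virtualHosts."watchman.materus.pl"` keeps a plain-HTTP listener next to the TLS one, so the Grafana login form proxied at `locations."/"` is also served without TLS; the other vhosts in this patch use `forceSSL = true`, and this one should too unless the cleartext side is deliberate. `services.prometheus` and `services.prometheus.exporters.node` set `port` but not `listenAddress`, so both presumably bind on all interfaces (the module default) and rely on the firewall alone to keep `:3233` and `:3234` private; `listenAddress = "127.0.0.1";` on each would match the Grafana `http_addr` and the `localhost:` scrape target already used here. `http2 = false` beside `http3 = true` is unusual enough to deserve a one-line comment giving the reason.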
@@ -0,0 +1,150 @@
+{ lib, config, mkk, ... }:
+{
+ options.waffentragerService.jellyfin.enable = mkk.lib.mkBoolOpt false "Enable jellyfin";
+
+ config =
+ let
+ cfg = config.waffentragerService.jellyfin;
+ in
+ lib.mkIf cfg.enable {
+ services.jellyfin = rec {
+ enable = true;
+ openFirewall = true;
+ user = "materus";
+ group = "nextcloud";
+ dataDir = config.waffentragerService.elements.jellyfinDir;
+ cacheDir = "${dataDir}/cache";
+ };
+ /*
+ services.jellyseerr = {
+ enable = true;
+ openFirewall = true;
+ };*/
+
+ services.nginx = {
+ appendHttpConfig = ''
+ map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
+ map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
+ '';
+ proxyCachePath."jellyfin" = {
+ enable = true;
+ maxSize = "1g";
+ levels = "1:2";
+ keysZoneName = "jellyfin";
+ keysZoneSize = "100m";
+ inactive = "1d";
+ useTempPath = false;
+
+ };
+ virtualHosts = {
+ "noot.materus.pl" = {
+ extraConfig = ''
+ client_max_body_size 20M;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "0"; # Do NOT enable. 
This is obsolete/dangerous
+ add_header X-Content-Type-Options "nosniff";
+ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+ '';
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ addSSL = true;
+ http2 = false;
+ http3 = true;
+ locations."~ /Items/(.*)/Images" = {
+ proxyPass = "http://127.0.0.1:8096";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+
+ proxy_cache jellyfin;
+ proxy_cache_revalidate on;
+ proxy_cache_lock on;
+ '';
+ };
+ locations."~ ^/web/htmlVideoPlayer-plugin.[0-9a-z]+.chunk.js$" = {
+ proxyPass = "http://127.0.0.1:8096";
+ extraConfig = ''
+ proxy_set_header Accept-Encoding "";
+
+ sub_filter_types *;
+ sub_filter 'return u=30' 'return u=600';
+ sub_filter 'return u=6' 'return u=60';
+ sub_filter 'maxBufferLength:u' 'maxBufferLength:u,maxBufferSize:180000000';
+ sub_filter_once on;
+ '';
+ };
+ locations."~* ^/Videos/(.*)/(?!live)" = {
+ proxyPass = "http://127.0.0.1:8096";
+ extraConfig = ''
+ # Set size of a slice (this amount will be always requested from the backend by nginx)
+ # Higher value means more latency, lower more overhead
+ # This size is independent of the size clients/browsers can request
+ slice 2m;
+
+ proxy_cache jellyfin;
+ 
proxy_cache_valid 200 206 301 302 30d;
+ proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
+ proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+ proxy_connect_timeout 15s;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ # Transmit slice range to the backend
+ proxy_set_header Range $slice_range;
+
+ # This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time
+ # The first client will trigger the download, the other clients will have to wait until the slice is cached
+ # Esp. practical during SyncPlay
+ proxy_cache_lock on;
+ proxy_cache_lock_age 60s;
+
+ proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";
+
+ '';
+ };
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ extraConfig = ''
+ proxy_pass_request_headers on;
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+
+
+ '';
+ };
+ locations."/socket" = {
+ proxyPass = "http://127.0.0.1:8096";
+ extraConfig = ''
+ proxy_pass_request_headers on;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host 
$host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+
+
+ '';
+ };
+
+ };
+ };
+ };
+ };
+}
diff --git a/nix-config/host/waffentrager/services/multimedia/scrobbling.nix b/nix-config/host/waffentrager/services/multimedia/scrobbling.nix
new file mode 100644
index 0000000..a977f6f
--- /dev/null
+++ b/nix-config/host/waffentrager/services/multimedia/scrobbling.nix
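Review bot: `openFirewall = true` on `services.jellyfin` exposes Jellyfin's own listener on every interface even though all five `noot.materus.pl` locations proxy to `http://127.0.0.1:8096`, so a client can bypass the TLS termination, the `add_header` hardening and the cache rules in this hunk entirely. Unless the LAN auto-discovery ports are actually wanted, `openFirewall = false;` keeps nginx as the only entry point, consistent with the loopback-only port binding used for multi-scrobbler elsewhere in this commit. The `sub_filter` rewrites in the `htmlVideoPlayer-plugin` location depend on minified identifiers in the current Jellyfin web bundle and will silently stop matching after an upgrade; a one-line comment above that location recording which Jellyfin release they were written against would make that failure mode visible.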
@@ -0,0 +1,240 @@
+{ config, pkgs, lib, mkk, ... }:
+{
+ options.waffentragerService.scrobbling.enable = mkk.lib.mkBoolOpt false "Enable scrobbling";
+
+
+
+
+ config =
+ let
+ cfg = config.waffentragerService.scrobbling;
+ in
+
+
+ #### MALOJA --------------------------------------------------------------------
+ lib.mkIf cfg.enable {
+ sops.templates."maloja.env".content = ''
+ MALOJA_DATA_DIRECTORY=/data
+ MALOJA_DIRECTORY_STATE=/data/state
+ MALOJA_DIRECTORY_CACHE=/data/cache
+
+ MALOJA_SKIP_SETUP=yes
+ MALOJA_FORCE_PASSWORD=${config.sops.placeholder.maloja}
+ MALOJA_SPOTIFY_API_ID=${config.sops.placeholder.spotify-client-id}
+ MALOJA_SPOTIFY_API_SECRET=${config.sops.placeholder.spotify-client-secret}
+
+ MALOJA_NAME=Melody
+
+ MALOJA_WEEK_OFFSET=1
+
+ PUID=${builtins.toString config.users.users.scrobbler.uid}
+ PGID=${builtins.toString config.users.groups.scrobbler.gid}
+ TC=Europe/Warsaw
+ TIMEZONE=Europe/Warsaw
+ '';
+ services.nginx.virtualHosts = {
+ "melody.materus.pl" = {
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ addSSL = true;
+ http2 = false;
+ http3 = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:42010";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ '';
+ };
+
+ };
+
+ };
+
+
+ virtualisation.oci-containers.containers.maloja =
+ {
+
+ image = "krateng/maloja:latest";
+ ports = [
+ "42010:42010"
+ ];
+ volumes = [
+ "${config.waffentragerService.elements.malojaDir}:/data"
+ ];
+ environmentFiles = [
+ config.sops.templates."maloja.env".path
+ ];
+ };
+ systemd.services."${config.virtualisation.oci-containers.backend}-maloja" =
+
+ let
+ malojaCfg = pkgs.writeText 
"settings.ini" ''[MALOJA]
+directory_config = /data
+lastfm_api_key = False
+audiodb_api_key = False
+spotify_api_id = False
+spotify_api_secret = False
+delimiters_feat = ["ft.","ft","feat.","feat","featuring","Ft.","Ft","Feat.","Feat","Featuring"]
+delimiters_informal = ["vs.","vs","&","with"]
+delimiters_formal = ["; ",";"]
+metadata_providers = ["spotify","deezer","lastfm","audiodb","musicbrainz"]
+
+'';
+ in
+ {
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ preStart = ''cp --update=none ${malojaCfg} ${config.waffentragerService.elements.malojaDir}/settings.ini'';
+
+ };
+
+ #### MULTI SCROBBLER --------------------------------------------------------------------
+ users.groups.scrobbler = { gid = 3000; };
+ users.users.scrobbler = {
+ group = "scrobbler";
+ uid = 3000;
+ isSystemUser = true;
+ };
+ sops.templates."multi-scrobbler.env".content = ''
+ TC=Europe/Warsaw
+ CONFIG_DIR=/config
+ PUID=${builtins.toString config.users.users.scrobbler.uid}
+ PGID=${builtins.toString config.users.groups.scrobbler.gid}
+ '';
+ sops.templates."multi-scrobbler.json".owner = "scrobbler";
+ sops.templates."multi-scrobbler.json".group = "scrobbler";
+ sops.templates."multi-scrobbler.json".content = builtins.toJSON {
+ baseUrl = "https://scrobbler.materus.pl";
+ disableWeb = false;
+ debugMode = false;
+ sources = [
+ {
+ name = "materus-spotify";
+ enable = true;
+ clients = [ "maloja" ];
+ data = {
+ clientId = "${config.sops.placeholder.spotify-client-id}";
+ clientSecret = "${config.sops.placeholder.spotify-client-secret}";
+ redirectUri = "https://scrobbler.materus.pl/callback";
+ interval = 30;
+ };
+ type = "spotify";
+ }
+ {
+ name = "materus-jellyfin";
+ enable = true;
+ clients = [ "maloja" ];
+ data = {
+ users = [
+ "materus"
+ ];
+ servers = [
+ "waffentrager"
+ ];
+ };
+ options = {
+ logPayload = false;
+ logFilterFailure = "warn";
+ };
+ type = "jellyfin";
+ }
+ ];
+ clients = [
+ {
+ name = "maloja";
+ enable = true;
+ 
data = {
+ url = "https://melody.materus.pl/";
+ apiKey = "${config.sops.placeholder.maloja-api}";
+ };
+ type = "maloja";
+ }
+ {
+ name = "materus-brainz";
+ enable = true;
+ configureAs = "client";
+ data = {
+ token = "${config.sops.placeholder.listenbrainz-api}";
+ username = "materus";
+ };
+ type = "listenbrainz";
+ }
+ {
+ name = "materus-lastfm";
+ enable = true;
+ configureAs = "client";
+ data = {
+ apiKey = "${config.sops.placeholder.lastfm-api}";
+ secret = "${config.sops.placeholder.lastfm-secret}";
+ redirectUri = "https://scrobbler.materus.pl/lastfm/callback";
+ };
+ type = "lastfm";
+ }
+
+ ];
+
+ };
+
+
+
+
+ services.nginx.virtualHosts = {
+ "scrobbler.materus.pl" = {
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ addSSL = true;
+ http2 = false;
+ http3 = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:42011";
+ extraConfig = ''
+ allow ${mkk.wireguard.ip-masks.main};
+ allow 192.168.100.0/24;
+ deny all;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ '';
+ };
+
+ };
+
+ };
+ systemd.services."${config.virtualisation.oci-containers.backend}-multi-scrobbler" =
+ {
+ preStart = ''cp -f ${config.sops.templates."multi-scrobbler.json".path} ${config.waffentragerService.elements.malojaDir}/multi-scrobbler/config.json'';
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ };
+ virtualisation.oci-containers.containers.multi-scrobbler = {
+ image = "foxxmd/multi-scrobbler:latest";
+ ports = [
+ "127.0.0.1:42011:9078"
+ ];
+ volumes = [
+ "${config.waffentragerService.elements.malojaDir}/multi-scrobbler:/config"
+ ];
+ environmentFiles = [
+ 
config.sops.templates."multi-scrobbler.env".path
+ ];
+ };
+
+
+
+
+
+
+ };
+}
diff --git a/nix-config/host/waffentrager/services/nginx.nix b/nix-config/host/waffentrager/services/nginx.nix
new file mode 100644
index 0000000..4f0daff
--- /dev/null
+++ b/nix-config/host/waffentrager/services/nginx.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, mkk, ... }:
+{
+ options.waffentragerService.nginx.enable = mkk.lib.mkBoolOpt false "Enable nginx";
+
+
+ config =
+ let
+ cfg = config.waffentragerService.nginx;
+ in
+ lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ package = pkgs.tengine;
+ virtualHosts."default" = {
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ forceSSL = true;
+ http2 = false;
+ default = true;
+ locations."/" = { extraConfig = ''deny all;''; };
+ };
+ };
+
+ systemd.services.nginx = {
+ requires = [ "var-lib-mnt_acme.mount" ];
+ after = [ "var-lib-mnt_acme.mount" ];
+ serviceConfig = {
+ restart = "always";
+ restartSec = 60;
+ };
+ };
+ };
+
+}
diff --git a/nix-config/host/waffentrager/services/postgresql.nix b/nix-config/host/waffentrager/services/postgresql.nix
new file mode 100644
index 0000000..15d8ac3
--- /dev/null
+++ b/nix-config/host/waffentrager/services/postgresql.nix
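Review bot: The maloja container publishes `"42010:42010"` without a host address, so the port is bound on every interface, while multi-scrobbler a few lines later binds `"127.0.0.1:42011:9078"`; since nginx already proxies `melody.materus.pl` to `127.0.0.1:42010`, `"127.0.0.1:42010:42010"` keeps nginx the only way in and avoids a second, unauthenticated listener (whether the host firewall shields the published port depends on the container backend, which this diff does not show). Both images are pulled by floating tag (`krateng/maloja:latest`, `foxxmd/multi-scrobbler:latest`), so any restart may silently pull a different image; pinning a release tag or a digest makes the deployment reproducible and lets upgrades be reviewed like any other change. The `scrobbler.materus.pl` location correctly fences the multi-scrobbler UI with `allow`/`deny`, whereas `melody.materus.pl` is open; if that is deliberate because Maloja is a public listening page, a one-line comment saying so would stop a future reader from "fixing" it.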
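Review bot: The `serviceConfig` keys `restart` and `restartSec` are not the systemd directive names; unit-file keys are case-sensitive, so systemd logs an unknown-key warning and ignores them, and nginx keeps whatever restart policy the NixOS module already sets. They should read `Restart = "always"; RestartSec = 60;`. Separately, the package is switched to `pkgs.tengine` while most virtual hosts in this commit set `http3 = true`; nothing on the page shows whether that build carries QUIC support, so it is worth confirming the generated configuration passes the nginx config test before relying on HTTP/3 being served.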
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, mkk, ... }:
+{
+ options.waffentragerService.postgresql.enable = mkk.lib.mkBoolOpt false "Enable postgresql";
+ options.waffentragerService.postgresql.version = lib.mkOption { default = "16"; };
+
+ config =
+ let
+ cfg = config.waffentragerService.postgresql;
+ in
+ lib.mkIf cfg.enable {
+ waffentragerService.elements.enable = true;
+
+ services.postgresql.enable = true;
+ services.postgresql.package = pkgs."postgresql_${cfg.version}";
+ services.postgresql.dataDir = "${config.waffentragerService.elements.postgresqlDir}/${cfg.version}";
+ services.postgresql.enableJIT = true;
+ services.postgresql.authentication = pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all 127.0.0.1/32 scram-sha-256
+ host all all ::1/128 scram-sha-256
+ '';
+ systemd.services.postgresql = {
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ };
+ };
+}
diff --git a/nix-config/host/waffentrager/services/storage/elements.nix b/nix-config/host/waffentrager/services/storage/elements.nix
new file mode 100644
index 0000000..c04500d
--- /dev/null
+++ b/nix-config/host/waffentrager/services/storage/elements.nix
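Review bot: `local all all trust` lets any local Unix account connect over the socket as any role, including the `postgres` superuser, with no password; on this host that covers the container users and every service account created in this commit. Both database consumers visible here (Nextcloud via `database.createLocally`, Gitea via `database.socket`) connect as roles named after their own system users, which is exactly what `peer` authentication verifies, so `local all all peer` should work unchanged and closes the cross-service escalation path. If one role genuinely needs `trust`, scope the line to that role and database instead of `all all`, and say why in a comment next to the `mkOverride 10`.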
@@ -0,0 +1,65 @@ +{ mkk, config, lib, pkgs, ... }: +{ + options.waffentragerService.elements.enable = mkk.lib.mkBoolOpt false "Enable elements drive"; + options.waffentragerService.elements.path = lib.mkOption { default = "/var/lib/elements"; }; + options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; }; + options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; }; + options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; }; + options.waffentragerService.elements.lldapDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/lldap"; }; + options.waffentragerService.elements.jellyfinDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/jellyfin"; }; + options.waffentragerService.elements.malojaDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/maloja"; }; + + config = + let + cfg = config.waffentragerService.elements; + in + lib.mkIf cfg.enable { + + systemd.services.elements-mount = { + description = "Decrypt and mount elements drive"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ]; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + mkdir -p ${cfg.path} + cryptsetup luksOpen /dev/disk/by-uuid/${cfg.uuid} elements -d ${config.sops.secrets.elements.path} + mount /dev/mapper/elements ${cfg.path} + '' + + ; + preStop = '' + umount ${cfg.path} + cryptsetup luksClose elements + ''; + }; + + systemd.services.elements-dirmake = { + description = "Create dirs in elements drive"; + path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ]; + + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = false; + script = lib.optionalString 
config.waffentragerService.postgresql.enable '' + mkdir -p ${cfg.postgresqlDir}/${config.waffentragerService.postgresql.version} + chown -R postgres:postgres ${cfg.postgresqlDir} + '' + lib.optionalString config.waffentragerService.nextcloud.enable '' + mkdir -p ${cfg.nextcloudDir} + chown -R nextcloud:nextcloud ${cfg.nextcloudDir} + '' + lib.optionalString config.waffentragerService.auth.lldap.enable '' + mkdir -p ${cfg.lldapDir} + chown -R lldap:lldap ${cfg.lldapDir} + '' + lib.optionalString config.waffentragerService.jellyfin.enable '' + mkdir -p ${cfg.jellyfinDir} + chown -R materus:nextcloud ${cfg.jellyfinDir} + '' + lib.optionalString config.waffentragerService.scrobbling.enable '' + mkdir -p ${cfg.malojaDir}/multi-scrobbler + chown -R scrobbler:scrobbler ${cfg.malojaDir} + '' + + + ; + }; + + }; +} diff --git a/nix-config/host/waffentrager/services/storage/gitea.nix b/nix-config/host/waffentrager/services/storage/gitea.nix new file mode 100644 index 0000000..8dce3d1 --- /dev/null +++ b/nix-config/host/waffentrager/services/storage/gitea.nix 
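Review bot: `elements-dirmake` has neither a `wantedBy` nor a `requires`/`after` on `elements-mount.service`, so as written nothing starts it, and if it is started by hand before the LUKS volume is mounted its `mkdir -p`/`chown -R` lines run against the bare mountpoint on the root filesystem (unless something outside this diff pulls it in). Add `wantedBy = [ "multi-user.target" ]; requires = [ "elements-mount.service" ]; after = [ "elements-mount.service" ];` so it follows the mount like the other units in this commit. The unconditional `chown -R` also walks the complete PostgreSQL, Nextcloud, Jellyfin and Maloja trees on every run; chowning only the top-level directory (keeping `-R` for first-time setup) makes the unit cheap and avoids resetting ownership of files a service created deliberately with other ownership. The `path` list for this unit includes `cryptsetup`, which nothing in its script uses.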
@@ -0,0 +1,62 @@
+{ config, lib, mkk, ... }:
+{
+ options.waffentragerService.gitea.enable = mkk.lib.mkBoolOpt false "Enable gitea";
+
+
+ config =
+ let
+ cfg = config.waffentragerService.gitea;
+ in
+ lib.mkMerge
+ [
+ (lib.mkIf cfg.enable {
+ waffentragerService.postgresql.enable = true;
+ waffentragerService.elements.enable = true;
+
+ services.gitea.enable = true;
+ services.gitea.lfs.enable = true;
+ services.gitea.stateDir = "${config.waffentragerService.elements.path}/services/gitea";
+ services.gitea.settings.service.DISABLE_REGISTRATION = true;
+ services.gitea.settings.server.DOMAIN = "baka.materus.pl";
+ services.gitea.settings.server.ROOT_URL = lib.mkForce "https://baka.materus.pl/";
+ services.gitea.settings.server.PROTOCOL = "fcgi+unix";
+ services.gitea.settings.cors = {
+ ENABLED = true;
+ X_FRAME_OPTIONS = "ALLOW-FROM https://*.materus.pl/";
+ };
+
+ services.gitea.database.type = "postgres";
+ services.gitea.database.socket = "/var/run/postgresql/";
+
+ })
+ (lib.mkIf (cfg.enable && config.waffentragerService.nginx.enable) {
+
+ services.nginx.virtualHosts = {
+ "baka.materus.pl" = {
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ addSSL = true;
+ http2 = false;
+ locations."/" = {
+ extraConfig = ''
+ client_max_body_size 2G;
+ include ${config.services.nginx.package}/conf/fastcgi.conf;
+ include ${config.services.nginx.package}/conf/fastcgi_params;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ fastcgi_pass unix:/var/run/gitea/gitea.sock;
+ '';
+ };
+
+ };
+ };
+ }
+ )
+ ];
+}
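Review bot: `X_FRAME_OPTIONS = "ALLOW-FROM https://*.materus.pl/"` does not do what it appears to: `ALLOW-FROM` is obsolete and ignored by current browsers, and the directive never accepted wildcards, so in practice baka.materus.pl ends up with no framing protection at all. Keep `X_FRAME_OPTIONS = "SAMEORIGIN";` unless cross-origin embedding is really required, in which case a `Content-Security-Policy: frame-ancestors https://*.materus.pl` header added in the nginx virtual host is the mechanism browsers honour. In the `locations."/"` block the `proxy_http_version` and `proxy_set_header` lines have no effect on a `fastcgi_pass` location (the forwarded values reach Gitea through the included `fastcgi_params`), so they can be dropped; and `addSSL = true` leaves the Gitea login form reachable over plain HTTP, so `forceSSL = true` is the better choice for a password-protected host with `DISABLE_REGISTRATION` on.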
diff --git a/nix-config/host/waffentrager/services/storage/mount-acme.nix b/nix-config/host/waffentrager/services/storage/mount-acme.nix
new file mode 100644
index 0000000..9a80fec
--- /dev/null
+++ b/nix-config/host/waffentrager/services/storage/mount-acme.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ pkgs,
+ mkk,
+ ...
+}:
+{
+ options.waffentragerService.mount-acme.enable = mkk.lib.mkBoolOpt false "Enable mount-acme";
+
+ config =
+ let
+ cfg = config.waffentragerService.mount-acme;
+ in
+ lib.mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [ sshfs ];
+ systemd.mounts = [
+ {
+ description = "Mount remote acme dir from valkyrie";
+ what = "acme@valkyrie:/var/lib/acme";
+ where = "/var/lib/mnt_acme";
+ type = "fuse.sshfs";
+ options = "reconnect,gid=${toString config.ids.gids.nginx},_netdev,rw,nosuid,allow_other,default_permissions,follow_symlinks,idmap=user,compression=yes,identityfile=/materus/root/ssh_host_ed25519_key";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "wg-quick-wg0.service" ];
+ }
+ ];
+ };
+}
diff --git a/nix-config/host/waffentrager/services/storage/nextcloud.nix b/nix-config/host/waffentrager/services/storage/nextcloud.nix
new file mode 100644
index 0000000..778f980
--- /dev/null
+++ b/nix-config/host/waffentrager/services/storage/nextcloud.nix
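Review bot: The mount logs in as `acme@valkyrie` with the host's own SSH identity (`identityfile=/materus/root/ssh_host_ed25519_key`) and exposes the whole remote `/var/lib/acme` tree — including the `key.pem` files that `nginx.nix` and every virtual host in this commit read — to all local users through `allow_other`, constrained only by whatever modes valkyrie reports via `default_permissions` and `idmap=user`. A dedicated key used only for this mount, restricted on valkyrie's side to that account, limits the damage if either host is compromised, and adding sshfs's `umask=027` option (the `gid` is already nginx's group) keeps the private keys from ever being world-readable on this side regardless of how they are stored remotely. `after = [ "wg-quick-wg0.service" ]` without a matching `wants` only orders the mount; if `acme@valkyrie` is reached over the tunnel, `wants = [ "wg-quick-wg0.service" ];` makes that dependency explicit so the mount is not attempted while the interface is down.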
@@ -0,0 +1,100 @@
+{ config, lib, pkgs, mkk, ... }:
+{
+ options.waffentragerService.nextcloud.enable = mkk.lib.mkBoolOpt false "Enable nextcloud";
+
+ config =
+ let
+ cfg = config.waffentragerService.nextcloud;
+ in
+ lib.mkIf cfg.enable {
+ waffentragerService.elements.enable = true;
+ waffentragerService.postgresql.enable = true;
+ waffentragerService.nginx.enable = true;
+ environment.systemPackages = [ pkgs.samba pkgs.exiftool pkgs.ffmpeg-headless ];
+ sops.secrets.nextcloud-adminpass.owner = config.users.users.nextcloud.name;
+ sops.secrets.nextcloud-adminpass.group = config.users.users.nextcloud.group;
+
+ services.postgresql.ensureDatabases = [ "nextcloud" ];
+ services.postgresql.ensureUsers = [{
+ name = "nextcloud";
+ ensureDBOwnership = true;
+ }];
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud33;
+ hostName = "waffentrager.materus.pl";
+ home = config.waffentragerService.elements.nextcloudDir;
+ config.adminuser = "nextcloud-master";
+ config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
+ config.dbtype = "pgsql";
+ extraAppsEnable = true;
+ maxUploadSize = "8G";
+ https = true;
+ enableImagemagick = true;
+ configureRedis = true;
+ webfinger = true;
+ appstoreEnable = true;
+ database.createLocally = true;
+ extraApps = with pkgs.nextcloud33Packages.apps; {
+ inherit notify_push previewgenerator;
+ };
+ settings = {
+ log_type = "file";
+ "profile.enabled" = true;
+ default_phone_region = "PL";
+ trusted_proxies = [ mkk.network.valkyrie.ip mkk.wireguard.peers.valkyrie.ip mkk.wireguard.peers.waffentrager.ip ];
+ mail_smtpmode = "sendmail";
+ mail_sendmailmode = "pipe";
+ enable_previews = true;
+ preview_format = "webp";
+ enabledPreviewProviders = [
+ ''OC\Preview\Movie''
+ ''OC\Preview\PNG''
+ ''OC\Preview\JPEG''
+ ''OC\Preview\GIF''
+ ''OC\Preview\BMP''
+ ''OC\Preview\XBitmap''
+ ''OC\Preview\MP3''
+ ''OC\Preview\OGG''
+ ''OC\Preview\OPUS''
+ ''OC\Preview\MP4''
+ ''OC\Preview\TXT''
+ ''OC\Preview\MarkDown''
+ 
''OC\Preview\PDF''
+ ''OC\Preview\WebP''
+ ''OC\Preview\OpenDocument''
+ ''OC\Preview\Krita''
+ ''OC\Preview\AVIF''
+ ];
+ "overwrite.cli.url" = "https://${config.services.nextcloud.hostName}";
+ };
+
+ phpOptions = {
+ "opcache.memory_consumption" = "512";
+ "opcache.interned_strings_buffer" = "64";
+ "opcache.max_accelerated_files"="50000";
+ "opcache.jit" = "1255";
+ "opcache.jit_buffer_size" = "128M";
+ "opcache.validate_timestamps" = "0";
+ "opcache.revalidate_freq" = "0";
+ "opcache.fast_shutdown" = "1";
+ "opcache.save_comments" = "1";
+ };
+ phpExtraExtensions = ex: [ ex.zip ex.zlib ex.tidy ex.smbclient ex.sodium ];
+ };
+ services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+ forceSSL = true;
+ http3 = true;
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+ dav_ext_methods PROPFIND OPTIONS;
+ create_full_put_path on;
+ dav_access user:rw group:rw all:r;
+ '';
+ };
+ };
+}
diff --git a/nix-config/host/waffentrager/services/storage/samba.nix b/nix-config/host/waffentrager/services/storage/samba.nix
new file mode 100644
index 0000000..43a5d41
--- /dev/null
+++ b/nix-config/host/waffentrager/services/storage/samba.nix
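Review bot: The `dav_methods PUT DELETE MKCOL COPY MOVE`, `create_full_put_path on` and `dav_access user:rw group:rw all:r` lines in the virtual host's `extraConfig` enable nginx's own WebDAV module for the whole server, so for any location the NixOS Nextcloud module does not hand to PHP-FPM nginx itself may service write methods directly against the document root; Nextcloud implements WebDAV in PHP, so these directives add attack surface without adding functionality and should be removed (the `proxy_set_header X-Forwarded-For` line is likewise a no-op outside a `proxy_pass` location). `dav_ext_methods` additionally needs the third-party dav-ext module, which this commit does not add to the `pkgs.tengine` package selected in `nginx.nix`, so the generated configuration may not even validate — worth running the nginx config test before deploying. If some client really needs these methods on a path Nextcloud does not serve, scope them to that one `location` with a comment explaining why, rather than the server block.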
@@ -0,0 +1,57 @@
+{ lib, pkgs, config, mkk, ... }:
+{
+ options.waffentragerService.samba.enable = mkk.lib.mkBoolOpt false "Enable samba";
+
+ config =
+ let
+ cfg = config.waffentragerService.samba;
+ in
+ lib.mkIf cfg.enable {
+ waffentragerService.elements.enable = true;
+
+ systemd.services.samba-nmbd = {
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ };
+ systemd.services.samba-wsdd = {
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ };
+ services.samba-wsdd.enable = true;
+ services.samba-wsdd.openFirewall = true;
+ services.samba = {
+ enable = true;
+ package = pkgs.sambaFull;
+ securityType = "user";
+ openFirewall = true;
+ settings =
+ {
+ global = {
+ "workgroup" = "WORKGROUP";
+ "server string" = "smbwaffentrager";
+ "netbios name" = "smbwaffentrager";
+ "security" = "user";
+ "hosts allow" = "${mkk.wireguard.sambaIp} 192.168.100. 127.0.0.1 localhost";
+ "hosts deny" = "0.0.0.0/0";
+ "guest account" = "nobody";
+ "map to guest" = "bad user";
+ "mangled names" = "no";
+ "dos charset" = "CP850";
+ "unix charset" = "UTF-8";
+ "display charset" = "UTF-8";
+ "catia:mappings" = "0x22:0xa8,0x2a:0xa4,0x2f:0xf8,0x3a:0xf7,0x3c:0xab,0x3e:0xbb,0x3f:0xbf,0x5c:0xff,0x7c:0xa6";
+ };
+ materus = {
+ "path" = "${config.waffentragerService.elements.path}/storage/materus";
+ "browseable" = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0770";
+ "directory mask" = "0770";
+ "force user" = "materus";
+ "force group" = "nextcloud";
+ };
+ };
+ };
+ };
+}
diff --git a/nix-config/host/waffentrager/services/storage/syncthing.nix b/nix-config/host/waffentrager/services/storage/syncthing.nix
new file mode 100644
index 0000000..e600550
--- /dev/null
+++ b/nix-config/host/waffentrager/services/storage/syncthing.nix
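Review bot: `samba-smbd` — the daemon that actually serves the `materus` share from `${config.waffentragerService.elements.path}/storage/materus` — is not ordered after `elements-mount.service`, while `samba-nmbd` and `samba-wsdd` are; add `systemd.services.samba-smbd = { requires = [ "elements-mount.service" ]; after = [ "elements-mount.service" ]; };` next to them, otherwise smbd can come up against the bare mountpoint and export an empty directory (writes would then land on the root filesystem). `"catia:mappings"` has no effect unless the share or global section also sets `"vfs objects" = "catia"`, which nothing here does, so either add that or drop the mapping line to avoid a misleading config. `"display charset"` appears to be a removed smb.conf parameter; run `testparm` on the generated file and delete it if it is reported as unknown.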
@@ -0,0 +1,26 @@
+{ lib, config, mkk, ... }:
+{
+ options.waffentragerService.syncthing.enable = mkk.lib.mkBoolOpt false "Enable syncthing";
+
+ config =
+ let
+ cfg = config.waffentragerService.syncthing;
+ in
+ lib.mkIf cfg.enable {
+ waffentragerService.elements.enable = true; networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
+ networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+ systemd.services.syncthing = {
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ };
+ services = {
+ syncthing = {
+ enable = true;
+ user = "materus";
+ group = "nextcloud";
+ dataDir = "${config.waffentragerService.elements.path}/storage/materus";
+ configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";
+ };
+ };
+ };
+}
diff --git a/nix-config/shared/default.nix b/nix-config/shared/default.nix
index ba78d52..16654b2 100644
--- a/nix-config/shared/default.nix
+++ b/nix-config/shared/default.nix
@@ -27,6 +27,7 @@ isHm:
 config._module.args.mkk = rec {
 nixerus.pkgs = materusArgs.inputs.nixerus.packages."${config.nixpkgs.hostPlatform.system}";
 lib = nixerus.pkgs.lib;
-
+ files = materusArgs.files;
+ args = materusArgs;
 } // config.mkk.var;
 }
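Review bot: `networking.firewall.allowedTCPPorts` opens `config.services.syncthing.relay.statusPort` and `relay.port` although `services.syncthing.relay.enable` is never set in this module, so two relay ports are opened to the network for a service that is not running; `networking.firewall.allowedTCPPorts = [ 22000 ];` is what this configuration actually needs. The same line also jams `waffentragerService.elements.enable = true;` and the firewall assignment together, which is easy to miss in review and should be split into two lines. `configDir` sits inside `dataDir`, so the device key and config live next to the synced data; if that tree is ever shared as a folder the device certificate would travel with it, so a location outside the shared tree (or at least an ignore rule, noted in a comment) is worth confirming.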
diff --git a/nix-config/shared/private/variables.nix b/nix-config/shared/private/variables.nix index e79c278661daaa193c98a6cb472aba723aff82a2..b0e94ddcb1fe2e92a2ac7bdaa63d23d22b5a89ca 100644 GIT binary patch literal 957 zcmZQ@_Y83kiVO&0__dck#Z2nGVrTb~cO?bB`GFty+Pryj-X)^&z=>n$UvpUPvEnRw z!FJ_>{qa@vo#Jf%w)oCj*LSc+ys;^H)3GJr)~Izk7+LqQu48}tqr++=?*y6T#Nel2 zbg!f;i@49~>2X$m9@v)j`pE@_LdI2MJY4HO>=cVWGg$STUZ@*C5&cO1Rj0=d*SS( zRd4e4Rrv%uaD5Gw4AR?ombKb3e$l(v;-Vka^Z$z(Y}mEf+&`oA(Y=`-X*sSxPsiuI zvv?z-7x8dPe!Z??uH_p0h^;A(=2xRElvBE|-{fvvwX}cl@*DsCPE;i)`+v-tmvky2 z?UhdG`pMs)Tq}EgxAwT(K0OZR^5XJu5kj+)4E*OZe)_v@pSXN}_{+ClCTAA3oAmnM zdC`AyQp=geo3*$y4u!pong26Php%v@MUB-Y@%3UU5`G(tE!V$eaJ|c*knyiCT{`9W z_478n^*FQQ^knOMJkT(iT$C5S@5Iha z4Eb$Vs%wL6KhK`DxbFU%m<5YcmmT{Nkr9#RACeSPUbSUr{hNy?Yyaz*GaTj-|KFe| zXJeJJLa$P?S7iUmlq#ZGxuG@aVK*A-RNf9?suOHlBFbUzkR5h$~cLCb;t9J zK8{rOAOl-J`|b(4i~N|+tqqQoow|bm%bSpCna_*Vvfp<-zhKNUv5Y-}OX+1x?Eix< ze|KDpXUKSUH&xqm+mGCRZ@18h4@_m=Ke6I{&uPI^l%lXBEP4<8g^7XzOys$ zX7ZfX2Yx)f_(Ur_zdKZI<%5HgY|~F{e6;SRae;mDUy0cJbA^6IC&cW!lQubc|Mr;L zOBZY#1YN3DR8+k4P5$2h^^_3X&Ku_+E?OMfc3mjwDT6|S8oO7N;6-`!;2m2Sy$YYD zzfr1<@d;JlIs0+r-1EB&>(uR&CiyHj+9+@KNp|zWiJZWape%eZN4)B-#K7C0yRd>IS=-e=;XD%z$w;sKe-R0wP`*7+EH!i0p&gSZ318&iOJE!c{nKJ$Ahq$vB-x!9nzuo#Zsn}fQrsYZ1{h?>0 zlB*ch``%yK<`ky?=lTRoB{@gS02lw4ZVLroOg|P^RKN9JhTMZo)*GK)VL6z(`&Hrs z#^>|?m1qjDV9+`ex;ArK0k3U`$&RVg;-SA>x>Y?d3M(@T#tSlw?~ar5?VZi;TrlTO z$%CX;--pX@XTH3>AU`OfeP4LwZkNBe0(R#v|NHT*!p~K*a@IDxB(@a4Uai;Cx%^XK zMD*3oK8tMcRjFEQzAcdQvgtd1sA3wUX^2$f=0Aa_{Ns4@ZQ||Gzo9H>I@7;a2 zX3dLMA={E8pY@l16K5zF->nzn<@We4dq{rWeD>4rHSA2zN8hd7$FgizYg+f}nvWGH zuJ-7Cy!q6&GpyZy)}z?fm+x2mW&WNr^@3jGnMe6?=~`$0JyGKDm~c6(X_@cdw;~dE zKHt3Gdi?dNLw+8e>JOaWIfbPa8GVr1DEiY&WND+w(=P7teWupmR$r-Mb>VIiJInQp sUG;$K)w_}^dpqyO`7xz$^_x8JG{5-L$iiLA@{3(JW$CdnCVjL30KbXCmH+?%