Gitea: Disable Jupyter notebook rendering

base/defaults.nix

@@ -3,13 +3,12 @@
     config = lib.mkDefault {
         i18n.defaultLocale = "en_GB.UTF-8";
         console.keyMap = "us";
-        services.xserver.xkb.layout = "us-fruchti";
+        services.xserver.layout = "us-fruchti";
         services.openssh = {
             enable = true;
             settings = {
                 PasswordAuthentication = false;
                 KbdInteractiveAuthentication = false;
-                X11Forwarding = true;
             };
         };
 

base/hardware.nix

@@ -3,8 +3,5 @@
     services.udev.extraRules = ''
         # Keychron C2 function key fix
         SUBSYSTEMS=="input", ATTRS{name}=="Keychron Keychron C2", RUN+="${pkgs.bash}/bin/bash -c 'echo 0 > /sys/module/hid_apple/parameters/fnmode'"
-
-        # EM8026 thermal printer
-        SUBSYSTEM=="usb", ATTRS{idVendor}=="28e9", ATTRS{idProduct}=="0289", MODE="0660", GROUP="plugdev"
     '';
 }

base/neovim.nix

@@ -19,7 +19,7 @@
                     changeColorScheme-vim
                     vim-dispatch
                     vimtex
-                    vim-suda
+                    suda-vim
                 ]; 
                 opt = [];
             };

base/packages.nix

@@ -5,8 +5,7 @@
         tmux zellij
         wget
         rsync
-        magic-wormhole
+        git
-        git git-lfs
         gnupg
         file
         ripgrep
@@ -14,7 +13,7 @@
         htop
         ncdu
         killall
-        ranger nnn # joshuto
+        ranger nnn joshuto
         hexyl
         rink
 
@@ -38,7 +37,7 @@
         xsel
     ];
 
-    fonts.packages = with pkgs; [
+    fonts.fonts = with pkgs; [
         vollkorn
         alegreya alegreya-sans
         b612

base/users.nix

@@ -24,7 +24,7 @@ in
             groups = [ "wheel" ];
             commands = [
                 {
-                    command = "/run/current-system/sw/bin/nixos-rebuild";
+                    command = "${pkgs.nixos-rebuild}/bin/nixos-rebuild *";
                     options = [ "NOPASSWD" ];
                 }
             ];

base/xkb/default.nix

@@ -1,6 +1,6 @@
 { ... }:
 {
-    services.xserver.xkb.extraLayouts = {
+    services.xserver.extraLayouts = {
         de-x270 = {
             description = "DE layout with some small changes for Thinkpad X270";
             languages   = [ "deu" ];

hosts/Disco.nix

@@ -2,17 +2,16 @@
 {
     imports = [
         ./development.nix
-        ./xfce.nix
+        ./gnome.nix
         ./x270.nix
         ./scanner.nix
         ./printer.nix
-        # ./clamav.nix
     ];
 
     boot.loader.systemd-boot.enable = true;
     boot.loader.efi.canTouchEfiVariables = true;
     console.keyMap = "de";
-    services.xserver.xkb.layout = "de-x270";
+    services.xserver.layout = "de-x270";
     i18n.defaultLocale = "de_DE.UTF-8";
     networking.hostName = "Disco";
     networking.networkmanager.enable = true;
@@ -45,11 +44,11 @@
         htop
         ncmpcpp
         usbutils  # lsusb etc.
-        nmap
+        file
-        file exiftool binwalk
+        binwalk
         shellcheck
 
-        #wine
+        wine
         wineWowPackages.stable
         winePackages.fonts
         pavucontrol
@@ -64,27 +63,20 @@
 
         zathura
         inkscape
-        vlc mpv a52dec
+        vlc
         gthumb
         gimp
-        darktable
         tenacity
-
         openscad
         freecad
         solvespace
-        dune3d
-
         vscodium
         marktext
         tor-browser-bundle-bin
         libreoffice-fresh
         tdesktop
-        signal-desktop
         horizon-eda
-        kicad-small
+        cura
-        # cura
-        (pkgs.callPackage ../packages/cura-appimage.nix {})
         pulseview
         nextcloud-client
     ];
@@ -95,8 +87,6 @@
     system.extraDependencies = with pkgs; [
         # For various development environments
         gcc-arm-embedded
-        pkgsCross.arm-embedded.buildPackages.gcc
-        pkgsCross.riscv32-embedded.buildPackages.gcc
         gnumake
     ];
 
@@ -122,9 +112,8 @@
 
     programs.steam = {
         enable = true;
-        remotePlay.openFirewall = true;
+        # remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
-        dedicatedServer.openFirewall = true;
+        # dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
-        localNetworkGameTransfers.openFirewall = true;
     };
 
     nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
@@ -132,7 +121,6 @@
         "steam-original"
         "steam-runtime"
         "steam-run"
-        "steam-unwrapped"
     ];
 
     fileSystems."/windows" = {
@@ -184,20 +172,6 @@
         LidSwitchIgnoreInhibited = no
     '';
 
-    services.earlyoom = {
-        enable = true;
-        enableNotifications = true;
-    };
-
-    swapDevices = [{
-        device = "/swapfile";
-        size = 16 * 1024;
-    }];
-
-    environment.variables = {
-        FREETYPE_PROPERTIES = "cff:no-stem-darkening=0 autofitter:no-stem-darkening=0 type1:no-stem-darkening=0 t1cid:no-stem-darkening=0";
-    };
-
     # This value determines the NixOS release from which the default
     # settings for stateful data, like file locations and database versions
     # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/Emitter.nix

@@ -1,12 +1,12 @@
 { config, pkgs, ... }:
 {
     imports = [
-        ./forgejo.nix
+        ./gitea.nix
         ./tls_sni.nix
     ];
 
     boot.loader.grub.enable = true;
-    boot.loader.grub.device = "/dev/sda";
+    boot.loader.grub.device = "/dev/vda";
 
     networking.hostName = "Emitter";
 
@@ -14,12 +14,12 @@
     networking.useDHCP = false;
     networking = {
         defaultGateway = {
-            address = "176.96.139.1";
+            address = "2.59.133.1";
-            interface = "ens18";
+            interface = "ens3";
         };
         defaultGateway6 = {
-            address = "2a0d:5940:80:4e::1";
+            address = "2a0d:5940:7::1";
-            interface = "ens18";
+            interface = "ens3";
         };
         nameservers = [
             "9.9.9.10"
@@ -27,38 +27,38 @@
             "2606:4700:4700::1111"
             "2001:4860:4860::8888"
         ];
-        interfaces.ens18 = {
+        interfaces.ens3 = {
             ipv4 = {
                 addresses = [
                     {
-                        address = "176.96.139.54";
+                        address = "2.59.133.12";
                         prefixLength = 24;
                     }
                 ];
                 routes = [
                     {
-                        address = "176.96.139.0";
+                        address = "2.59.133.0";
                         prefixLength = 24;
-                        via = "176.96.139.1";
+                        via = "2.59.133.1";
                     }
                 ];
             };
             ipv6 = {
                 addresses = [
                     {
-                        address = "2a0d:5940:80:4e::2";
+                        address = "2a0d:5940:7:16f:216:3cff:fe63:9a54";
                         prefixLength = 64;
                     }
                     {
-                        address = "fe80::4874:40ff:fe38:7a45";
+                        address = "fe80::216:3cff:fe63:9a54";
                         prefixLength = 64;
                     }
                 ];
                 routes = [
                     {
-                        address = "2a0d:5940:80:4e::2";
+                        address = "2a0d:5940:7:16f:216:3cff:fe63:9a54";
                         prefixLength = 64;
-                        via = "2a0d:5940:80:4e::1";
+                        via = "2a0d:5940:7::1";
                     }
                 ];
             };
@@ -98,12 +98,9 @@
                     cat > $out/sbin/burp <<-EOF
                     #!/${pkgs.bash}/bin/bash
                     set -e
-                    echo "Ensuring rupert.gvfr.de is up."
                     ${pkgs.dig}/bin/nslookup rupert.gvfr.de
-                    ${pkgs.unixtools.ping}/bin/ping -c2 rupert.gvfr.de
+                    ${pkgs.unixtools.ping}/bin/ping -c1 rupert.gvfr.de >/dev/null
-                    echo "Opening SSH tunnel."
+                    ${pkgs.openssh}/bin/ssh -i /secrets/id_burp_remote -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes -L 4971:localhost:4971 burp-remote@rupert.gvfr.de -f true
-                    ${pkgs.openssh}/bin/ssh -6 -i /secrets/id_burp_remote -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes -L 4971:localhost:4971 burp-remote@rupert.gvfr.de -f true
-                    echo "Beginning backup operation."
                     $out/sbin/burp-untunneled \$@
                     EOF
                     chmod +x $out/sbin/burp
@@ -134,20 +131,7 @@
         };
         serviceConfig = {
             Restart = "on-failure";
-
             RestartSec = retryDelay;
-            # Skip transitions through failed state, i.e. don’t send a e-mail
-            # before the maximum number of retries is exhausted
-            RestartMode = "direct";
-        };
-    };
-
-    services.postgresql.package = pkgs.postgresql_13;
-
-    services.logrotate = {
-        enable = true;
-        settings.nginx = {
-            rotate = 2;
         };
     };
 

hosts/Rupert.nix

@@ -17,42 +17,10 @@ in
         # ./open-pgsql.nix
     ];
 
-    nixpkgs.overlays = let
-        libbluray = pkgs.libbluray.override {
-            withAACS = true;
-            withBDplus = true;
-        };
-    in
-    [
-        (
-            self: super: {
-                vlc = super.vlc.override { inherit libbluray; };
-            }
-        )
-    ];
-
     boot.loader.systemd-boot.enable = true;
     boot.loader.efi.canTouchEfiVariables = true;
     boot.kernelParams = [ "acpi=force" "reboot=bios" ];
 
-    boot.initrd.kernelModules = [ "i915" ];
-    nixpkgs.config.packageOverrides = pkgs: {
-        vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
-    };
-    hardware.graphics = {
-        enable = true;
-        extraPackages = with pkgs; [
-            intel-vaapi-driver
-            libvdpau-va-gl
-            vaapiVdpau
-            # intel-media-driver
-        ];
-    };
-    environment.variables = {
-        VDPAU_DRIVER = "va_gl";
-    };
-    hardware.cpu.intel.updateMicrocode = true;
-
     networking.hostName = "Rupert";
 
     users.users = {
@@ -74,7 +42,6 @@ in
 
     environment.systemPackages = with pkgs; [
         ntfsprogs
-        smartmontools
         texlive.combined.scheme-full
         ncmpcpp
     ];
@@ -89,7 +56,6 @@ in
     services.flatpak.enable = true;
     xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
     xdg.portal.enable = true;
-    xdg.portal.config.common.default = "*";
 
     hardware.bluetooth = {
         enable = true;
@@ -103,12 +69,14 @@ in
         enableSSHSupport = true;
     };
 
+    # List services that you want to enable:
+
+    # Enable the OpenSSH daemon.
     services.openssh = {
         enable = true;
         settings = {
+            # ForwardX11 = true;
             PasswordAuthentication = false;
-            KbdInteractiveAuthentication = false;
-            X11Forwarding = true;
         };
     };
 
@@ -120,6 +88,11 @@ in
         4971  # BURP
     ];
 
+    # Copy the NixOS configuration file and link it from the resulting system
+    # (/run/current-system/configuration.nix). This is useful in case you
+    # accidentally delete configuration.nix.
+    # system.copySystemConfiguration = true;
+
     system.autoUpgrade = {
         enable = true;
         allowReboot = true;
@@ -127,21 +100,10 @@ in
         gitPull = true;
         gitDeploymentKeyFile = "/secrets/ssh_id_gitea_nixos_configuration";
         gitUser = "fruchti";
-        rebootIgnoreUsersActive = [ "waldi" ];
     };
 
     # systemd.services.nixos-upgrade.onFailure = lib.mkIf config.system.autoUpgrade.enable [ "status-email@%n.service" ];
 
-    services.smartd = {
-        enable = true;
-        notifications.x11.enable = false;
-        notifications.mail = {
-            enable = true;
-            sender = config.email.fromAddress;
-            recipient = config.email.adminEmail;
-            mailer = "${pkgs.system-sendmail}/bin/sendmail";
-        };
-    };
     services.btrfsScrub = {
         enable = true;
         paths = {
@@ -153,23 +115,6 @@ in
             };
         };
     };
-    services.beesd = {
-        filesystems = {
-            "data" = {
-                spec = "/data";
-                hashTableSizeMB = 1024;
-                verbosity = "alert";
-            };
-            "backup-disk" = {
-                spec = "/mnt/backup";
-                hashTableSizeMB = 1024;
-                verbosity = "alert";
-            };
-        };
-    };
-    # Don’t start automatically
-    systemd.services."beesd@backup-disk".wantedBy = lib.mkForce [];
-    systemd.services."beesd@data".serviceConfig.CPUQuota = "10%";
 
     security.acme = {
         defaults = {
@@ -182,11 +127,6 @@ in
           SUBSYSTEM=="video4linux", ATTRS{idProduct}=="0002", ATTRS{idVendor}=="1d6b", SYMLINK+="hdmi_capture"
     '';
 
-    swapDevices = [{
-        device = "/swapfile";
-        size = 8 * 1024;
-    }];
-
     # This value determines the NixOS release from which the default
     # settings for stateful data, like file locations and database versions
     # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/bspwm.nix

@@ -4,14 +4,12 @@
         enable = true;
         windowManager.bspwm.enable = true;
         displayManager = {
+            defaultSession = "none+bspwm";
             lightdm.enable = true;
+            autoLogin.enable = true;
+            autoLogin.user = "waldi";
         };
     };
-    services.displayManager = {
-        defaultSession = "none+bspwm";
-        autoLogin.enable = true;
-        autoLogin.user = "waldi";
-    };
 
     services.unclutter-xfixes = {
         enable = true;

hosts/burp-server.nix

@@ -19,7 +19,6 @@
             "Berthold"
             "Ernesto"
             "Emitter"
-            "Adelheid"
         ]);
         superClients = [
             config.networking.hostName

hosts/clamav.nix

@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-{
-    environment.systemPackages = [
-        pkgs.clamav
-    ];
-    services.clamav.daemon.enable = true;
-
-    services.clamav.updater.enable = true;
-}

hosts/development.nix

@@ -30,11 +30,8 @@
         # ST-LINK/V2
         SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", MODE="0660", GROUP="plugdev"
 
-        # ST-LINK/V2.1
-        SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3752", MODE="0660", GROUP="plugdev"
-
         # WCH-LinkE
-        SUBSYSTEMS=="usb", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="8010", MODE="0660", GROUP="plugdev"
+        SUBSYSTEM=="usb", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="8010", MODE="0660", GROUP="plugdev"
 
         # Glasgow
         SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", MODE="0660", GROUP="plugdev"

hosts/forgejo.nix

@@ -1,166 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-    domain = "git.25120.org";
-    forgejoCustom = pkgs.callPackage ../packages/directory.nix {
-        name = "forgejo-custom";
-        source = ./forgejo-custom;
-    };
-in
-{
-    services.forgejo = {
-        enable = true;
-        database = {
-            type = "postgres";
-            passwordFile = "/secrets/forgejo_db_password";
-            createDatabase = false;
-        };
-        repositoryRoot = "/data/git/repositories";
-        lfs = {
-            enable = true;
-            contentDir = "/data/git/data/lfs";
-        };
-        settings = let
-            python = pkgs.python311;
-            docutils =
-                python.withPackages (ps: with ps; [
-                docutils  # Provides rendering of ReStructured Text files
-                pygments  # Provides syntax highlighting
-            ]);
-            nbconvert = python.withPackages (ps: with ps; [
-                jupyter
-                ipykernel
-                nbconvert
-            ]);
-            max_cached_jupyter_notebooks = 200;
-            cached_jupyter_preview = pkgs.writeScript "cache_preview" ''
-                #!${pkgs.bash}/bin/bash
-
-                set -eu
-
-                input_file="$1"
-
-                command="${nbconvert}/bin/jupyter nbconvert --stdout --to html --template basic"
-                cache_directory="${config.services.forgejo.stateDir}/markup_cache/jupyter"
-                max_cache_file_count="${toString max_cached_jupyter_notebooks}"
-
-                cache_file="$cache_directory/$(md5sum "$input_file" | cut -d' ' -f1)"
-
-                if [ -e "$cache_file" ] ; then
-                    >&2 echo "Using cached file $cache_file"
-                    touch "$cache_file"
-                else
-                    (
-                        if cd "$cache_directory" ; then
-                            ls -t | tail -n "+$max_cache_file_count" | xargs -r rm
-                        else
-                            mkdir -p "$cache_directory"
-                        fi
-                    )
-                    eval "$command \"$input_file\" > \"$cache_file\""
-                fi
-
-                cat "$cache_file"
-            '';
-        in
-        {
-            DEFAULT.APP_NAME = "${domain}";
-            server = {
-                SSH_PORT = lib.head config.services.openssh.ports;
-                ROOT_URL = "https://${domain}/";
-                HTTP_PORT = 3001;
-                DOMAIN = "${domain}";
-            };
-            service.DISABLE_REGISTRATION = true;
-            session.COOKIE_SECURE = true;
-            UI.DEFAULT_THEME = "forgejo-auto";
-            "markup.restructuredtext" = {
-                ENABLED = true;
-                FILE_EXTENSIONS = ".rst";
-                RENDER_COMMAND = "${docutils}/bin/rst2html.py";
-                IS_INPUT_FILE = false;
-            };
-            "markup.jupyter" = {
-                ENABLED = true;
-                FILE_EXTENSIONS = ".ipynb";
-                # RENDER_COMMAND = "\"${nbconvert}/bin/jupyter nbconvert --stdout --to html --template basic \"";
-                RENDER_COMMAND = "\"${cached_jupyter_preview} \"";
-                IS_INPUT_FILE = true;
-                # RENDER_CONTENT_MODE = "iframe";
-            };
-            "markup.sanitizer.jupyter.div" = { ELEMENT = "div"; ALLOW_ATTR = "class"; REGEXP = ""; };
-            "markup.sanitizer.jupyter.span" = { ELEMENT = "span"; ALLOW_ATTR = "class"; REGEXP = ""; };
-            "markup.sanitizer.jupyter.img" = { ELEMENT = "img"; ALLOW_ATTR = "class"; REGEXP = ""; ALLOW_DATA_URI_IMAGES = "true"; };
-            "markup.sanitizer.jupyter.svg.width" = { ELEMENT = "svg"; ALLOW_ATTR = "width"; REGEXP = ""; };
-            "markup.sanitizer.jupyter.svg.height" = { ELEMENT = "svg"; ALLOW_ATTR = "height"; REGEXP = ""; };
-            "markup.sanitizer.jupyter.svg.viewbox" = { ELEMENT = "svg"; ALLOW_ATTR = "viewbox"; REGEXP = ""; };
-            "markup.sanitizer.jupyter.svg.use" = { ELEMENT = "use"; ALLOW_ATTR = "transform"; REGEXP = ""; };
-            "markup.sanitizer.jupyter.svg.g" = { ELEMENT = "g"; ALLOW_ATTR = "class"; REGEXP = ""; };
-            "markup.sanitizer.jupyter.svg.path.style" = { ELEMENT = "path"; ALLOW_ATTR = "style"; REGEXP = ""; };
-            "markup.sanitizer.jupyter.svg.path.d" = { ELEMENT = "path"; ALLOW_ATTR = "d"; REGEXP = ""; };
-            "markup.sanitizer.jupyter.svg.path.transform" = { ELEMENT = "path"; ALLOW_ATTR = "transform"; REGEXP = ""; };
-        };
-    };
-
-    services.postgresql = {
-        enable = true;
-        authentication = ''
-          local forgejo all ident map=forgejo-users
-        '';
-        # Map the forgejo user to postgresql
-        identMap = ''
-            forgejo-users forgejo forgejo
-        '';
-    };
-
-    services.nginx = {
-        enable = true;
-        recommendedGzipSettings = true;
-        recommendedOptimisation = true;
-        recommendedProxySettings = true;
-        recommendedTlsSettings = true;
-        virtualHosts."${domain}" = {
-            enableACME = true;
-            forceSSL = true;
-            locations."/".proxyPass = "http://localhost:3001/";
-            extraConfig = ''
-                # Maximum upload file size for git-lfs
-                client_max_body_size 100M;
-
-                set_real_ip_from 127.0.0.1;
-                set_real_ip_from ::1;
-                real_ip_header proxy_protocol;
-                proxy_set_header X-Real-IP $proxy_protocol_addr;
-                proxy_set_header X-Fowarded-For $proxy_protocol_addr;
-
-                access_log /var/log/nginx/access.${domain}.log combined_realip;
-            '';
-            locations."/awstats/" = {
-                basicAuthFile = "/secrets/webstats_auth";
-            };
-        };
-    };
-
-    services.awstats = {
-        enable = true;
-        updateAt = "hourly";
-        configs."${domain}" = {
-            logFile = "/var/log/nginx/access.${domain}.log";
-            domain = domain;
-            webService.enable = true;
-        };
-    };
-
-    # users.users.forgejo.extraGroups = [ "keys" ];
-    systemd.services.forgejo = {
-        serviceConfig = {
-            ReadOnlyPaths = [ "/secrets" ];
-        };
-        preStart = ''
-            cp -frT "${forgejoCustom}/" "${config.services.forgejo.stateDir}/custom/"
-            find  "${config.services.forgejo.stateDir}/custom/" -type d -exec chmod 0750 '{}' + -or -type f -exec chmod 0640 '{}' +
-        '';
-    };
-
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
-}

hosts/gitea.nix

@@ -0,0 +1,140 @@
+{ config, pkgs, lib, ... }:
+
+let
+    domain = "git.25120.org";
+    giteaCustom = pkgs.callPackage ../packages/directory.nix {
+        name = "gitea-custom";
+        source = ./gitea-custom;
+    };
+in
+{
+    services.gitea = {
+        enable = true;
+        appName = "${domain}";
+        database = {
+            type = "postgres";
+            passwordFile = "/secrets/gitea_db_password";
+            createDatabase = false;
+        };
+        repositoryRoot = "/data/git/repositories";
+        lfs = {
+            enable = true;
+            contentDir = "/data/git/data/lfs";
+        };
+        settings = let
+            python = pkgs.python311;
+            docutils =
+                python.withPackages (ps: with ps; [
+                docutils  # Provides rendering of ReStructured Text files
+                pygments  # Provides syntax highlighting
+            ]);
+            nbconvert = python.withPackages (ps: with ps; [
+                jupyter
+                ipykernel
+                nbconvert
+            ]);
+            max_cached_jupyter_notebooks = 200;
+            cached_jupyter_preview = pkgs.writeScript "cache_preview" ''
+                #!${pkgs.bash}/bin/bash
+
+                set -eu
+
+                input_file="$1"
+
+                command="${nbconvert}/bin/jupyter nbconvert --stdout --to html --template basic"
+                cache_directory="${config.services.gitea.stateDir}/markup_cache/jupyter"
+                max_cache_file_count="${toString max_cached_jupyter_notebooks}"
+
+                cache_file="$cache_directory/$(md5sum "$input_file" | cut -d' ' -f1)"
+
+                if [ -e "$cache_file" ] ; then
+                    >&2 echo "Using cached file $cache_file"
+                    touch "$cache_file"
+                else
+                    (
+                        if cd "$cache_directory" ; then
+                            ls -t | tail -n "+$max_cache_file_count" | xargs -r rm
+                        else
+                            mkdir -p "$cache_directory"
+                        fi
+                    )
+                    eval "$command \"$input_file\" > \"$cache_file\""
+                fi
+
+                cat "$cache_file"
+            '';
+        in
+        {
+            server = {
+                SSH_PORT = lib.head config.services.openssh.ports;
+                ROOT_URL = "https://${domain}/";
+                HTTP_PORT = 3001;
+                DOMAIN = "${domain}";
+            };
+            service.DISABLE_REGISTRATION = true;
+            session.COOKIE_SECURE = true;
+            "markup.restructuredtext" = {
+                ENABLED = true;
+                FILE_EXTENSIONS = ".rst";
+                RENDER_COMMAND = "${docutils}/bin/rst2html.py";
+                IS_INPUT_FILE = false;
+            };
+            # "markup.jupyter" = {
+            #     ENABLED = true;
+            #     FILE_EXTENSIONS = ".ipynb";
+            #     # RENDER_COMMAND = "\"${nbconvert}/bin/jupyter nbconvert --stdout --to html --template basic \"";
+            #     RENDER_COMMAND = "\"${cached_jupyter_preview} \"";
+            #     IS_INPUT_FILE = true;
+            #     # RENDER_CONTENT_MODE = "iframe";
+            # };
+            # "markup.sanitizer.jupyter.div" = { ELEMENT = "div"; ALLOW_ATTR = "class"; REGEXP = ""; };
+            # "markup.sanitizer.jupyter.span" = { ELEMENT = "span"; ALLOW_ATTR = "class"; REGEXP = ""; };
+            # "markup.sanitizer.jupyter.img" = { ELEMENT = "img"; ALLOW_ATTR = "class"; REGEXP = ""; ALLOW_DATA_URI_IMAGES = "true"; };
+            # "markup.sanitizer.jupyter.svg.width" = { ELEMENT = "svg"; ALLOW_ATTR = "width"; REGEXP = ""; };
+            # "markup.sanitizer.jupyter.svg.height" = { ELEMENT = "svg"; ALLOW_ATTR = "height"; REGEXP = ""; };
+            # "markup.sanitizer.jupyter.svg.viewbox" = { ELEMENT = "svg"; ALLOW_ATTR = "viewbox"; REGEXP = ""; };
+            # "markup.sanitizer.jupyter.svg.use" = { ELEMENT = "use"; ALLOW_ATTR = "transform"; REGEXP = ""; };
+            # "markup.sanitizer.jupyter.svg.g" = { ELEMENT = "g"; ALLOW_ATTR = "class"; REGEXP = ""; };
+            # "markup.sanitizer.jupyter.svg.path.style" = { ELEMENT = "path"; ALLOW_ATTR = "style"; REGEXP = ""; };
+            # "markup.sanitizer.jupyter.svg.path.d" = { ELEMENT = "path"; ALLOW_ATTR = "d"; REGEXP = ""; };
+            # "markup.sanitizer.jupyter.svg.path.transform" = { ELEMENT = "path"; ALLOW_ATTR = "transform"; REGEXP = ""; };
+        };
+    };
+
+    services.postgresql = {
+        enable = true;
+        authentication = ''
+          local gitea all ident map=gitea-users
+        '';
+        # Map the gitea user to postgresql
+        identMap = ''
+            gitea-users gitea gitea
+        '';
+    };
+
+    services.nginx = {
+        enable = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+        virtualHosts."${domain}" = {
+            enableACME = true;
+            forceSSL = true;
+            locations."/".proxyPass = "http://localhost:3001/";
+        };
+    };
+
+    # users.users.gitea.extraGroups = [ "keys" ];
+    systemd.services.gitea = {
+        serviceConfig = {
+            ReadOnlyPaths = [ "/secrets" ];
+        };
+        preStart = ''
+            cp -frT "${giteaCustom}/" "${config.services.gitea.stateDir}/custom/"
+            find  "${config.services.gitea.stateDir}/custom/" -type d -exec chmod 0750 '{}' + -or -type f -exec chmod 0640 '{}' +
+        '';
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+}

hosts/gnome.nix

@@ -11,7 +11,6 @@
     autoLogin.user = "fruchti";
   };
   security.pam.services.gdm.enableGnomeKeyring = true;
-  services.gnome.gnome-keyring.enable = true;
 
   services.touchegg.enable = true;
   services.gnome.gnome-settings-daemon.enable = true;

hosts/hedgedoc.nix

@@ -5,6 +5,7 @@ in
 {
     services.hedgedoc = {
         enable = true;
+        workDir = "/data/hedgedoc";
         environmentFile = "/secrets/hedgedoc.env";
         settings = {
             port = 7000;
@@ -38,7 +39,9 @@ in
         ensureUsers = [
             {
                 name = "hedgedoc";
-                ensureDBOwnership = true;
+                ensurePermissions = {
+                    "DATABASE hedgedoc" = "ALL PRIVILEGES";
+                };
             }
         ];
         ensureDatabases = [ "hedgedoc" ];

hosts/mpd.nix

@@ -38,13 +38,12 @@ in
         '';
     };
 
-    services.pulseaudio = {
+    hardware.pulseaudio = {
         enable = true;
         systemWide = true;
         tcp.enable = true;
         tcp.anonymousClients.allowedIpRanges = [ "127.0.0.1" ];
     };
-    services.pipewire.enable = false;
 
     users.extraGroups.pulse-access = {
         members = [ "mpd" ];

hosts/nextcloud.nix

@@ -6,24 +6,20 @@ in
     services.nextcloud = {
         enable = true;
         https = true;
-        package = pkgs.nextcloud31;
+        package = pkgs.nextcloud26;
         hostName = hostName;
         datadir = "/data/nextcloud";
-        settings = {
-            trusted_domains = [
-                ((lib.toLower config.networking.hostName) + ".lan")
-                (lib.toLower config.networking.hostName)
-            ];
-            blacklisted_files = [];
-            trashbin_retention_obligation = "auto, 14";
-            "simpleSignUpLink.shown" = false;
-        };
         config = {
             dbtype = "pgsql";
             dbhost = "/run/postgresql";
             adminpassFile = "/secrets/nextcloud_admin_password.txt";
+            extraTrustedDomains = [
+                ((lib.toLower config.networking.hostName) + ".lan")
+                (lib.toLower config.networking.hostName)
+            ];
         };
         caching.redis = true;
+        enableBrokenCiphersForSSE = false;
     };
 
     services.postgresql = {
@@ -31,14 +27,16 @@ in
         ensureUsers = [
             {
                 name = "nextcloud";
-                ensureDBOwnership = true;
+                ensurePermissions = {
+                    "DATABASE nextcloud" = "ALL PRIVILEGES";
+                };
+            }
+            {
+                name = "superuser";
+                ensurePermissions = {
+                    "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+                };
             }
-            # {
-            #     name = "superuser";
-            #     ensurePermissions = {
-            #         "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-            #     };
-            # }
         ];
         ensureDatabases = [ "nextcloud" ];
     };
@@ -49,41 +47,13 @@ in
         after = ["postgresql.service"];
     };
 
-    networking.firewall.allowedTCPPorts = [ 80 443 4431 ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     services.nginx = {
         virtualHosts.${hostName} = {
             forceSSL = true;
             enableACME = true;
         };
-        defaultListen = [
-            {
-                addr = "[::]";
-                port = 443;
-                ssl = true;
-            }
-            {
-                addr = "0.0.0.0";
-                port = 443;
-                ssl = true;
-            }
-            {
-                addr = "[::]";
-                port = 80;
-                ssl = false;
-            }
-            {
-                addr = "0.0.0.0";
-                port = 80;
-                ssl = false;
-            }
-            {
-                addr = "[::]";
-                port = 4431;
-                ssl = true;
-                proxyProtocol = true;
-            }
-        ];
     };
 
     users.extraGroups.music = {

hosts/tls_sni.nix

@@ -4,12 +4,11 @@
         streamConfig = ''
             map $ssl_preread_server_name $target_backend {
                 md.gvfr.de rupert;
-                rupert.gvfr.de rupert;
                 default localserv;
             }
 
             upstream rupert {
-                server rupert.gvfr.de:4431;
+                server rupert.gvfr.de:443;
             }
 
             upstream localserv {
@@ -18,42 +17,16 @@
 
             server {
                 listen 443;
-                ssl_preread on;
 
                 # proxy_connect_timeout 1s;
                 # proxy_timeout 3s;
                 # resolver 1.1.1.1;
 
                 proxy_pass $target_backend;
-                proxy_next_upstream off;
+                ssl_preread on;
-
-                proxy_protocol on;
             }
         '';
 
-        defaultListen = [
+        defaultSSLListenPort = 4431;
-            {
-                addr = "0.0.0.0";
-                port = 80;
-                ssl = false;
-            }
-            {
-                addr = "[::0]";
-                port = 80;
-                ssl = false;
-            }
-            {
-                addr = "0.0.0.0";
-                port = 4431;
-                ssl = true;
-                proxyProtocol = true;
-            }
-            {
-                addr = "[::0]";
-                port = 4431;
-                ssl = true;
-                proxyProtocol = true;
-            }
-        ];
     };
 }

hosts/x270.nix

@@ -1,19 +1,27 @@
 { lib, pkgs, ... }:
 {
-    imports = [
-        <nixos-hardware/lenovo/thinkpad/x270>
-    ];
     hardware.trackpoint = {
         enable = true;
         sensitivity = 230;
         speed = 170;
     };
 
-    hardware.graphics = {
+    services.xserver.videoDrivers = [ "modesetting" ];
+
+    boot.initrd.kernelModules = [ "i915" ];
+    hardware.opengl = {
         enable = true;
         # driSupport = true;
         # driSupport32Bit = true;
     };
+    environment.variables = {
+        VDPAU_DRIVER = "va_gl";
+    };
+    hardware.opengl.extraPackages = with pkgs; [
+        (if (lib.versionOlder (lib.versions.majorMinor lib.version) "23.11") then vaapiIntel else intel-vaapi-driver)
+        libvdpau-va-gl
+        intel-media-driver
+    ];
 
     console = {
         font = "Lat2-Terminus16";

hosts/xfce.nix

@@ -1,54 +0,0 @@
-{ config, pkgs, ... }:
-{
-    services.xserver = {
-        enable = true;
-        desktopManager = {
-            xfce= {
-                enable = true;
-                enableXfwm = true;
-            };
-            xterm.enable = false;
-        };
-        displayManager = {
-            lightdm.enable = true;
-            gdm.wayland = false;
-        };
-    };
-    services.displayManager = {
-        defaultSession = "xfce";
-        autoLogin.enable = true;
-        autoLogin.user = "fruchti";
-    };
-    services.libinput.enable = true;
-    services.pipewire = {
-        enable = true;
-        alsa.enable = true;
-        alsa.support32Bit = true;
-        pulse.enable = true;
-    };
-    hardware.bluetooth.enable = true;
-    services.blueman.enable = true;
-    # environment.xfce.excludePackages = with pkgs.xfce; [
-    #     xfce4-terminal
-    # ];
-    environment.systemPackages = with pkgs; [
-        xfce.xfce4-whiskermenu-plugin
-        xfce.xfce4-pulseaudio-plugin
-        xfce.xfce4-volumed-pulse
-        xfce.xfwm4-themes
-        pinentry-gtk2
-        lounge-gtk-theme
-        hackneyed
-        blueman
-        file-roller
-        gnome-font-viewer
-    ];
-    security.pam.services.lightdm.enableGnomeKeyring = true;
-    services.gnome.gnome-keyring.enable = true;
-
-    services.cpupower-gui.enable = true;
-
-    programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;
-    services.pcscd.enable = true;
-    services.dbus.packages = [ pkgs.gcr ];
-}

options/auto-upgrade.nix

@@ -36,13 +36,6 @@ in
                 User used for the `git pull` operation (if `gitPull` is enabled).
             '';
         };
-        rebootIgnoreUsersActive = mkOption {
-            type = types.listOf types.str;
-            default = [];
-            description = mdDoc ''
-                If reboots are allowed, active users will prohibit a reboot. Users listed here are ignored from that check.
-            '';
-        };
     };
 
     config = mkIf cfg.enable {
@@ -163,14 +156,6 @@ in
                 EOF
                         )"
                         activate_configuration="no"
-
-                        # Check if any user sessions are open
-                        active_users=$(users | tr ' ' '\n' | sort | uniq | grep -vE '^(${concatStringsSep "|" cfg.rebootIgnoreUsersActive})$')
-                        if [ "$reboot_allowed" = "yes" ] && [ -n "$active_users" ] ; then
-                            reboot_allowed=no
-                            email_body="$(printf "%s\n%s\n%s" "$email_body" "The system cannot reboot since the following users are active:" "$active_users")"
-                        fi
-
                         if [ "$reboot_allowed" = "yes" ] && [ $exit_code -eq 0 ] ; then
                             email_body="$(printf "%s\n%s" "$email_body" "The system will reboot now.")"
                             do_reboot="yes"
@@ -193,7 +178,7 @@ in
                 upgrade_output="$(cat "$output_file")"
                 rm -f "$output_file"
 
-                possible_warnings="$(grep -e "^\(warning\|trace\|evaluation warning\):" <<<"$upgrade_output" || true)"
+                possible_warnings="$(grep -e "^\(warning\|trace\):" <<<"$upgrade_output" || true)"
                 if [ "$possible_warnings" != "" ] ; then
                     send_email=yes
                     email_subject_additions="$email_subject_additions with warnings"

options/dyndns.nix

@@ -63,7 +63,7 @@ in
                 dyndns_user="${cfg.username}"
                 dyndns_password="$(cat "${cfg.passwordFile}")"
 
-                new_ip=$(${pkgs.iproute2}/bin/ip -6 a show scope global -temporary dev "$interface" | ${pkgs.gnused}/bin/sed -n -E 's/^\ *inet6\ (2001(:[0-9a-f]+)+).*$/\1/p' | head -1)
+                new_ip=$(${pkgs.iproute}/bin/ip -6 a show scope global -temporary dev "$interface" | ${pkgs.gnused}/bin/sed -n -E 's/^\ *inet6\ (2001(:[0-9a-f]+)+).*$/\1/p' | head -1)
 
                 if [ -z "$new_ip" ] ; then
                     echo "Could not determine IP address."

options/email.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 with lib;
 let
     cfg = config.email;
@@ -37,7 +37,7 @@ in
             default = {
                 auth = true;
                 host = "gvfr.de";
-                passwordeval = "${pkgs.coreutils}/bin/cat /secrets/email_password.txt";
+                passwordeval = "cat /secrets/email_password.txt";
                 user = cfg.fromAddress;
                 from = cfg.fromAddress;
                 port = 465;

options/status-email.nix

@@ -20,7 +20,7 @@ in
                 to="${toAddress}"
                 service="$1"
                 full_status="$(systemctl status --full --lines 200 "$service")"
-                exit_code="$(echo "$full_status" | head -n5 | tail -1 | sed -e 's/.*ExecStart=.*status=\(.*\))$/\1/g')"
+                exit_code="$(echo "$full_status" | head -n5 | tail -1 | sed -e 's/.*status=\(.*\))$/\1/g')"
                 # state="$(systemctl is-failed "$service")"
 
                 fail_priority=1

packages/cura-appimage.nix

@@ -1,131 +0,0 @@
-{
-  lib,
-  stdenv,
-  stdenvNoCC,
-  fetchurl,
-  writeScriptBin,
-  appimageTools,
-  copyDesktopItems,
-  makeDesktopItem,
-  nix-update-script,
-  wrapGAppsHook3,
-}:
-
-stdenvNoCC.mkDerivation rec {
-  pname = "cura-appimage";
-  version = "5.9.0";
-
-  # Give some good names so the intermediate packages are easy
-  # to recognise by name in the Nix store.
-  appimageBinName = "cura-appimage-tools-output";
-  wrapperScriptName = "${pname}-wrapper-script";
-
-  src = fetchurl {
-    url = "https://github.com/Ultimaker/Cura/releases/download/${version}/Ultimaker-Cura-${version}-linux-X64.AppImage";
-    hash = "sha256-STtVeM4Zs+PVSRO3cI0LxnjRDhOxSlttZF+2RIXnAp4=";
-  };
-
-  appimageContents = appimageTools.extract {
-    inherit pname version src;
-  };
-
-  curaAppimageToolsWrapped = appimageTools.wrapType2 {
-    inherit src;
-    # For `appimageTools.wrapType2`, `pname` determines the binary's name in `bin/`.
-    pname = appimageBinName;
-    inherit version;
-    extraPkgs = _: [ ];
-  };
-
-  # The `QT_QPA_PLATFORM=xcb` fixes Wayland support, see https://github.com/NixOS/nixpkgs/issues/186570#issuecomment-2526277637
-  # The `GTK_USE_PORTAL=1` fixes file dialog issues under Gnome, see https://github.com/NixOS/nixpkgs/pull/372614#issuecomment-2585663161
-  script = writeScriptBin wrapperScriptName ''
-    #!${stdenv.shell}
-    # AppImage version of Cura loses current working directory and treats all paths relateive to $HOME.
-    # So we convert each of the files passed as argument to an absolute path.
-    # This fixes use cases like `cd /path/to/my/files; cura mymodel.stl anothermodel.stl`.
-
-    args=()
-    for a in "$@"; do
-      if [ -e "$a" ]; then
-        a="$(realpath "$a")"
-      fi
-      args+=("$a")
-    done
-    QT_QPA_PLATFORM=xcb GTK_USE_PORTAL=1 exec "${curaAppimageToolsWrapped}/bin/${appimageBinName}" "''${args[@]}"
-  '';
-
-  dontUnpack = true;
-
-  nativeBuildInputs = [
-    copyDesktopItems
-    wrapGAppsHook3
-  ];
-  desktopItems = [
-    # Based on upstream.
-    # https://github.com/Ultimaker/Cura/blob/382b98e8b0c910fdf8b1509557ae8afab38f1817/packaging/AppImage/cura.desktop.jinja
-    (makeDesktopItem {
-      name = "cura";
-      desktopName = "UltiMaker Cura";
-      genericName = "3D Printing Software";
-      comment = meta.longDescription;
-      exec = "cura";
-      icon = "cura-icon";
-      terminal = false;
-      type = "Application";
-      mimeTypes = [
-        "model/stl"
-        "application/vnd.ms-3mfdocument"
-        "application/prs.wavefront-obj"
-        "image/bmp"
-        "image/gif"
-        "image/jpeg"
-        "image/png"
-        "text/x-gcode"
-        "application/x-amf"
-        "application/x-ply"
-        "application/x-ctm"
-        "model/vnd.collada+xml"
-        "model/gltf-binary"
-        "model/gltf+json"
-        "model/vnd.collada+xml+zip"
-      ];
-      categories = [ "Graphics" ];
-      keywords = [
-        "3D"
-        "Printing"
-      ];
-    })
-  ];
-
-  installPhase = ''
-    runHook preInstall
-
-    mkdir -p $out/bin
-    cp ${script}/bin/${wrapperScriptName} $out/bin/cura
-
-    mkdir -p $out/share/applications $out/share/icons/hicolor/128x128/apps
-    install -Dm644 ${appimageContents}/usr/share/icons/hicolor/128x128/apps/cura-icon.png $out/share/icons/hicolor/128x128/apps/cura-icon.png
-
-    runHook postInstall
-  '';
-
-  passthru.updateScript = nix-update-script { extraArgs = [ "--version-regex=([56789].+)" ]; };
-
-  meta = {
-    description = "3D printing software";
-    homepage = "https://github.com/ultimaker/cura";
-    changelog = "https://github.com/Ultimaker/Cura/releases/tag/${version}";
-    longDescription = ''
-      Cura converts 3D models into paths for a 3D printer. It prepares your print for maximum accuracy, minimum printing time and good reliability with many extra features that make your print come out great.
-    '';
-    license = lib.licenses.lgpl3Plus;
-    platforms = [ "x86_64-linux" ];
-    mainProgram = "cura";
-    maintainers = with lib.maintainers; [
-      pbek
-      nh2
-      fliegendewurst
-    ];
-  };
-}