remove quassel, update stateVersion, move to new server, some tidying

This commit is contained in:
chaos 2024-05-25 21:10:26 +01:00
parent 062200f2f4
commit 74dff8996d
No known key found for this signature in database
38 changed files with 186 additions and 628 deletions


@ -3,12 +3,8 @@ rec {
ipv4 = "65.21.145.62"; ipv4 = "65.21.145.62";
ipv6 = "2a01:4f9:c012:9dbf::1"; ipv6 = "2a01:4f9:c012:9dbf::1";
}; };
"hetzner-arm-new" = {
ipv4 = "65.21.0.145";
ipv6 = "2a01:4f9:c012:9b6b::1";
};
"vault" = { "vault" = {
ipv4 = "65.21.0.145"; ipv4 = "65.21.0.145";
ipv6 = "2a01:4f9:c012:9b6b::1"; ipv6 = "2a01:4f9:c012:9b6b::1";
}; };
} }


@ -44,23 +44,17 @@ in {
''; '';
}; };
home.file."Music/music-sync.sh" = { home.file."Music/music-gen-listing.sh" = {
executable = true; executable = true;
text = '' text = ''
#!/usr/bin/env bash #!/usr/bin/env bash
SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) TMPDIR=$(mktemp -d)
cd "''${SCRIPT_DIR}"
rclone sync -P . Storage:Music --exclude "/*.sh"
restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1)
TITLE="chaos's Music Library" TITLE="chaos's Music Library"
DESCRIPTION="A listing of all music we listen to and have downloaded/brought" DESCRIPTION="A listing of all music we listen to and have downloaded/brought"
LINK_BASE="https://storage-http.owo.monster/Music" LINK_BASE="https://storage-http.owo.monster/Music"
TMPDIR=$(mktemp -d)
musicutil genhtml . "$TMPDIR" --title "$TITLE" --description "$DESCRIPTION" --link-base="$LINK_BASE" musicutil genhtml . "$TMPDIR" --title "$TITLE" --description "$DESCRIPTION" --link-base="$LINK_BASE"
pushd "$TMPDIR" pushd "$TMPDIR"
@ -79,6 +73,21 @@ in {
''; '';
}; };
home.file."Music/music-sync.sh" = {
executable = true;
text = ''
#!/usr/bin/env bash
SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd "''${SCRIPT_DIR}"
rclone sync -P . Storage:Music --exclude "/*.sh"
restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1)
bash $HOME/Music/music-gen-listing.sh
'';
};
home.file."Music/music-download.sh" = { home.file."Music/music-download.sh" = {
executable = true; executable = true;
text = '' text = ''
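Review bot: `music-sync.sh` runs `rclone sync -P . Storage:Music`, which makes the remote match the local directory (deleting remote files that are not present locally), yet nothing aborts the script if `cd "''${SCRIPT_DIR}"` fails, so a failed cd would sync the caller's working directory over the music library. Add `set -euo pipefail` right after the shebang, or at least `cd "''${SCRIPT_DIR}" || exit 1`, so rclone never runs from the wrong directory. The new line `bash $HOME/Music/music-gen-listing.sh` is also better written as `bash "''${SCRIPT_DIR}/music-gen-listing.sh"`: the split-out listing script now uses `.` as the music root and no longer cds anywhere itself, so it only produces a correct listing when invoked from this directory, and `$HOME` should be quoted in any case. The listing script's body continues past the end of the first hunk.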


@ -39,8 +39,8 @@ in {
networking.firewall.allowedTCPPorts = [5232]; networking.firewall.allowedTCPPorts = [5232];
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };


@ -45,8 +45,8 @@ in {
networking.firewall.allowedTCPPorts = [2222]; networking.firewall.allowedTCPPorts = [2222];
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };


@ -42,8 +42,8 @@ in {
networking.firewall.allowedTCPPorts = [80]; networking.firewall.allowedTCPPorts = [80];
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };


@ -60,8 +60,8 @@ in {
restic restic
]); ]);
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };


@ -72,8 +72,8 @@ in {
enable = mkForce false; enable = mkForce false;
}; };
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };


@ -24,12 +24,6 @@
containerSecrets = config.containers.${containerName}.config.services.secrets.secrets; containerSecrets = config.containers.${containerName}.config.services.secrets.secrets;
pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path; pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path;
in { in {
nixpkgs.overlays = [
(final: _prev: {
mpd = final.mpd-headless;
})
];
containers.music = { containers.music = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
@ -75,7 +69,6 @@ in {
] ]
++ (with hosts.hetzner-arm.containers.music.profiles; [ ++ (with hosts.hetzner-arm.containers.music.profiles; [
mpd mpd
#musicMount
]); ]);
home-manager.users.root.imports = with tree; [home.apps.musicutil]; home-manager.users.root.imports = with tree; [home.apps.musicutil];
@ -88,8 +81,8 @@ in {
mpd-flac mpd-flac
]; ];
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };
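Review bot: The `mpd = final.mpd-headless` overlay is dropped from the music container here, presumably because the host now carries the same overlay, but the container only inherits the host's overlay if its `config` sets `nixpkgs.pkgs = pkgs` (the pattern the deleted quassel container used); that line is outside this hunk, so I cannot confirm it. If the music container evaluates its own nixpkgs instead, it silently goes back to the full `mpd` build, losing the headless feature set (including whatever `nfs` support the NFS music directory now depends on). A one-line comment where the overlay used to be, e.g. `# mpd -> mpd-headless comes from the host overlay via nixpkgs.pkgs = pkgs`, would make the dependency explicit.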


@ -1,268 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
name = "mpd";
uid = config.ids.uids.mpd;
gid = config.ids.gids.mpd;
cfg = config.services.mpd-fork;
credentialsPlaceholder = creds: let
placeholders =
imap0
(i: c: ''password "{{password-${toString i}}}@${concatStringsSep "," c.permissions}"'')
creds;
in
concatStringsSep "\n" placeholders;
mpdConf = pkgs.writeText "mpd.conf" ''
# This file was automatically generated by NixOS. Edit mpd's configuration
# via NixOS' configuration.nix, as this file will be rewritten upon mpd's
# restart.
music_directory "${cfg.musicDirectory}"
playlist_directory "${cfg.playlistDirectory}"
${lib.optionalString (cfg.dbFile != null) ''
db_file "${cfg.dbFile}"
''}
state_file "${cfg.dataDir}/state"
sticker_file "${cfg.dataDir}/sticker.sql"
${optionalString (cfg.network.listenAddress != "any") ''bind_to_address "${cfg.network.listenAddress}"''}
${optionalString (cfg.network.port != 6600) ''port "${toString cfg.network.port}"''}
${optionalString cfg.fluidsynth ''
decoder {
plugin "fluidsynth"
soundfont "${pkgs.soundfont-fluid}/share/soundfonts/FluidR3_GM2-2.sf2"
}
''}
${optionalString (cfg.credentials != []) (credentialsPlaceholder cfg.credentials)}
${cfg.extraConfig}
'';
in {
###### interface
options = {
services.mpd-fork = {
enable = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to enable MPD, the music player daemon.
'';
};
package = mkPackageOption pkgs "mpd" {};
startWhenNeeded = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
If set, {command}`mpd` is socket-activated; that
is, instead of having it permanently running as a daemon,
systemd will start it on the first incoming connection.
'';
};
musicDirectory = mkOption {
type = with types; either path (strMatching "(http|https|nfs|smb)://.+");
default = "${cfg.dataDir}/music";
defaultText = literalExpression ''"''${dataDir}/music"'';
description = lib.mdDoc ''
The directory or NFS/SMB network share where MPD reads music from. If left
as the default value this directory will automatically be created before
the MPD server starts, otherwise the sysadmin is responsible for ensuring
the directory exists with appropriate ownership and permissions.
'';
};
playlistDirectory = mkOption {
type = types.path;
default = "${cfg.dataDir}/playlists";
defaultText = literalExpression ''"''${dataDir}/playlists"'';
description = lib.mdDoc ''
The directory where MPD stores playlists. If left as the default value
this directory will automatically be created before the MPD server starts,
otherwise the sysadmin is responsible for ensuring the directory exists
with appropriate ownership and permissions.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = lib.mdDoc ''
Extra directives added to to the end of MPD's configuration file,
mpd.conf. Basic configuration like file location and uid/gid
is added automatically to the beginning of the file. For available
options see {manpage}`mpd.conf(5)`.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/${name}";
description = lib.mdDoc ''
The directory where MPD stores its state, tag cache, playlists etc. If
left as the default value this directory will automatically be created
before the MPD server starts, otherwise the sysadmin is responsible for
ensuring the directory exists with appropriate ownership and permissions.
'';
};
user = mkOption {
type = types.str;
default = name;
description = lib.mdDoc "User account under which MPD runs.";
};
group = mkOption {
type = types.str;
default = name;
description = lib.mdDoc "Group account under which MPD runs.";
};
network = {
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1";
example = "any";
description = lib.mdDoc ''
The address for the daemon to listen on.
Use `any` to listen on all addresses.
'';
};
port = mkOption {
type = types.port;
default = 6600;
description = lib.mdDoc ''
This setting is the TCP port that is desired for the daemon to get assigned
to.
'';
};
};
dbFile = mkOption {
type = types.nullOr types.str;
default = "${cfg.dataDir}/tag_cache";
defaultText = literalExpression ''"''${dataDir}/tag_cache"'';
description = lib.mdDoc ''
The path to MPD's database. If set to `null` the
parameter is omitted from the configuration.
'';
};
credentials = mkOption {
type = types.listOf (types.submodule {
options = {
passwordFile = mkOption {
type = types.path;
description = lib.mdDoc ''
Path to file containing the password.
'';
};
permissions = let
perms = ["read" "add" "control" "admin"];
in
mkOption {
type = types.listOf (types.enum perms);
default = ["read"];
description = lib.mdDoc ''
List of permissions that are granted with this password.
Permissions can be "${concatStringsSep "\", \"" perms}".
'';
};
};
});
description = lib.mdDoc ''
Credentials and permissions for accessing the mpd server.
'';
default = [];
example = [
{
passwordFile = "/var/lib/secrets/mpd_readonly_password";
permissions = ["read"];
}
{
passwordFile = "/var/lib/secrets/mpd_admin_password";
permissions = ["read" "add" "control" "admin"];
}
];
};
fluidsynth = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
If set, add fluidsynth soundfont and configure the plugin.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
# install mpd units
systemd.packages = [cfg.package];
systemd.sockets.mpd = mkIf cfg.startWhenNeeded {
wantedBy = ["sockets.target"];
listenStreams = [
"" # Note: this is needed to override the upstream unit
(
if pkgs.lib.hasPrefix "/" cfg.network.listenAddress
then cfg.network.listenAddress
else "${optionalString (cfg.network.listenAddress != "any") "${cfg.network.listenAddress}:"}${toString cfg.network.port}"
)
];
};
systemd.services.mpd = {
wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
preStart =
''
set -euo pipefail
install -m 600 ${mpdConf} /run/mpd/mpd.conf
''
+ optionalString (cfg.credentials != [])
(concatStringsSep "\n"
(imap0
(i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'')
cfg.credentials));
serviceConfig = {
User = "${cfg.user}";
# Note: the first "" overrides the ExecStart from the upstream unit
ExecStart = ["" "${cfg.package}/bin/mpd --systemd /run/mpd/mpd.conf"];
RuntimeDirectory = "mpd";
StateDirectory =
optionals (cfg.dataDir == "/var/lib/${name}") [name]
++ optionals (cfg.playlistDirectory == "/var/lib/${name}/playlists") [name "${name}/playlists"]
++ optionals (cfg.musicDirectory == "/var/lib/${name}/music") [name "${name}/music"];
};
};
users.users = optionalAttrs (cfg.user == name) {
"${name}" = {
inherit uid;
inherit (cfg) group;
extraGroups = ["audio"];
description = "Music Player Daemon user";
home = "${cfg.dataDir}";
};
};
users.groups = optionalAttrs (cfg.group == name) {
"${name}".gid = gid;
};
};
}


@ -14,10 +14,16 @@ in {
mpc_cli mpc_cli
]; ];
systemd.tmpfiles.rules = [
"d /var/lib/mpd - mpd mpd"
"d /var/lib/mpd/state - mpd mpd"
];
services.mpd = { services.mpd = {
enable = true; enable = true;
network.listenAddress = "0.0.0.0"; network.listenAddress = "0.0.0.0";
musicDirectory = "/Music"; musicDirectory = "nfs://127.0.0.1:2049/?version=3";
dbFile = null;
credentials = [ credentials = [
{ {
passwordFile = "${secrets.mpd_control_password.path}"; passwordFile = "${secrets.mpd_control_password.path}";
@ -70,4 +76,45 @@ in {
} }
''; '';
}; };
systemd.services.mpd = {
wants = ["rclone-serve-nfs-music.service"];
after = ["rclone-serve-nfs-music.service"];
};
systemd.tmpfiles.rules = [
"d /caches - root root"
"d /caches/music_serve - mpd mpd"
];
services.rclone-serve = {
enable = true;
remotes = [
{
id = "main";
remote = "Music:";
type = "nfs";
user = "mpd";
serviceConfig = {
before = ["mpd.service"];
partOf = ["mpd.service"];
};
extraArgs = let
rcloneConfig = builtins.toFile "rclone.conf" ''
[Music]
type = webdav
url = https://storage-webdav.owo.monster/MusicRO/
vendor = other
'';
in [
"--addr=127.0.0.1:2049"
"--config=${rcloneConfig}"
"--cache-dir=/caches/music_serve"
"--vfs-cache-max-age=7d"
"--vfs-cache-max-size=4g"
"--vfs-cache-mode=full"
];
}
];
};
} }
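Review bot: The new `rclone serve nfs` endpoint has no authentication of its own (nothing in its arguments configures exports or credentials), so anything that can reach 127.0.0.1:2049 inside the music container can read the whole `Music:` remote; that is acceptable only because of `--addr=127.0.0.1:2049` together with the container's `privateNetwork`, and it deserves a comment such as `# unauthenticated NFS: keep bound to loopback, only this container's netns may reach it`. Two follow-ups: the `rclone.conf` built with `builtins.toFile` lands in the world-readable Nix store, which is fine while the WebDAV URL carries no credentials but must never gain a `user`/`pass` entry; and 2049 is a privileged port, so binding it as `user = "mpd"` will fail unless the rclone-serve module (not visible here) grants `CAP_NET_BIND_SERVICE` or the unprivileged-port sysctl has been lowered — worth confirming on the new server. MPD itself still listens on `0.0.0.0` with password-gated access (unchanged line), so the NFS server is the only new unauthenticated surface.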


@ -1,70 +0,0 @@
{
pkgs,
config,
...
}: let
inherit (pkgs) writeShellScriptBin;
inherit (builtins) toFile;
rcloneConfig = toFile "rclone.conf" ''
[Music]
type = webdav
url = https://storage-webdav.owo.monster/MusicRO/
vendor = other
'';
mountMusic = pkgs.writeShellScriptBin "mount-music" ''
umount -flR /Music || true
rclone --config ${rcloneConfig} mount Music: /Music \
--allow-other \
--uid=${toString config.users.users.mpd.uid} \
--gid=${toString config.users.groups.mpd.gid} \
--fast-list \
--umask=666 \
--cache-dir=/root/.cache/music-mount \
--dir-cache-time=60m \
--vfs-cache-mode=full \
--vfs-cache-max-size=2g \
--vfs-cache-max-age=7d \
--log-level=INFO "$@"
'';
in {
environment.systemPackages = with pkgs; [
rclone
(writeShellScriptBin "rclone-music" ''
rclone --config ${rcloneConfig} "$@"
'')
fuse
fuse3
mountMusic
];
programs.fuse.userAllowOther = true;
systemd.services.music-mount = {
wantedBy = ["mpd.service"];
partOf = ["mpd.service"];
path = with pkgs; [
fuse
fuse3
rclone
util-linux
];
serviceConfig.ExecStart = "${mountMusic}/bin/mount-music --syslog";
};
systemd.tmpfiles.rules = [
"d /Music - mpd mpd"
"d /root/.cache - root root"
"d /root/.cache/music-mount - root root"
];
systemd.services.mpd = {
wants = ["music-mount.service"];
after = ["music-mount.service"];
serviceConfig = {
ReadOnlyPaths = "/Music";
};
};
}


@ -45,8 +45,8 @@ in {
8080 8080
]; ];
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };


@ -39,8 +39,8 @@ in {
networking.firewall.allowedTCPPorts = [5432]; networking.firewall.allowedTCPPorts = [5432];
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };
} }
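Review bot: Bumping `system.stateVersion` from 23.05 to 24.05 in what appears to be the PostgreSQL container (it opens 5432) is not a no-op: the NixOS postgresql module derives its default `services.postgresql.package` major version from `stateVersion`, so unless the package is pinned elsewhere this container will come up with a newer major that refuses to start on the existing data directory until it has been upgraded with `pg_upgrade`. If the move to the new server restores from a dump, the bump is fine but should be recorded, e.g. `# 24.05 changes the default postgresql major; data is restored from dump on the new host`; otherwise pin `services.postgresql.package` to the current major before changing stateVersion. NixOS documents stateVersion as a value not to change on an existing installation for exactly this reason.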


@ -8,23 +8,17 @@ in {
enableTCPIP = true; enableTCPIP = true;
ensureDatabases = [ ensureDatabases = [
"gotosocial" "gotosocial"
"quassel"
]; ];
ensureUsers = [ ensureUsers = [
{ {
name = "gotosocial"; name = "gotosocial";
ensureDBOwnership = true; ensureDBOwnership = true;
} }
{
name = "quassel";
ensureDBOwnership = true;
}
]; ];
# If the host is a local container then use the container's IP # If the host is a local container then use the container's IP
# otherwise use the host's IP # otherwise use the host's IP
authentication = '' authentication = ''
host gotosocial gotosocial ${localContainersAddresses.containers."social"}/32 trust host gotosocial gotosocial ${localContainersAddresses.containers."social"}/32 trust
host quassel quassel ${localContainersAddresses.containers."quassel"}/32 trust
''; '';
}; };
} }


@ -10,7 +10,6 @@
backupPrepareCommand = "${ backupPrepareCommand = "${
(pkgs.writeShellScriptBin "backupPrepareCommand" '' (pkgs.writeShellScriptBin "backupPrepareCommand" ''
systemctl start remotePostgreSQLBackup-gotosocial --wait systemctl start remotePostgreSQLBackup-gotosocial --wait
systemctl start remotePostgreSQLBackup-quassel --wait
'') '')
}/bin/backupPrepareCommand"; }/bin/backupPrepareCommand";
in { in {
@ -47,7 +46,6 @@ in {
backupUser = "postgres"; backupUser = "postgres";
databases = [ databases = [
"gotosocial" "gotosocial"
"quassel"
]; ];
}; };
} }


@ -1,56 +0,0 @@
{
self,
hostPath,
tree,
inputs,
config,
pkgs,
...
}: let
containerAddresses = import "${hostPath}/data/containerAddresses.nix";
hostIP = containerAddresses.host;
containerIP = containerAddresses.containers.quassel;
in {
containers.quassel = {
autoStart = true;
privateNetwork = true;
hostAddress = hostIP;
localAddress = containerIP;
specialArgs = {
inherit inputs;
inherit tree;
inherit self;
inherit hostPath;
};
config = {...}: {
nixpkgs.pkgs = pkgs;
imports = with tree;
[
presets.nixos.containerBase
./secrets.nix
]
++ (with hosts.hetzner-arm.containers.quassel.profiles; [
quassel
restic
]);
networking.firewall.allowedTCPPorts = [4242];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
};
};
networking.nat.forwardPorts = [
{
sourcePort = 4242;
destination = "${containerIP}\:4242";
}
];
networking.firewall.allowedTCPPorts = [4242];
}


@ -1,6 +0,0 @@
{...}: {
services.quassel = {
enable = true;
interfaces = ["0.0.0.0"];
};
}


@ -1,37 +0,0 @@
{
self,
pkgs,
config,
...
}: let
backupSchedules = import "${self}/data/backupSchedules.nix";
inherit (config.services.secrets) secrets;
in {
environment.systemPackages = with pkgs; [
restic
(pkgs.writeShellScriptBin "restic-quassel" ''
env \
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
$(cat ${secrets.restic_env.path}) \
${pkgs.restic}/bin/restic $@
'')
];
services.restic.backups.quassel = {
user = "root";
paths = [
# it's only backing up initial setup / credentials
# so no matter what DB is restored to it should work
"/home/quassel/.config/quassel-irc.org"
];
# repository is overrided in environmentFile to contain auth
# make sure to keep up to date when changing repository
repository = "rest:https://storage-restic.owo.monster/Quassel";
passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.restic_env.path}";
pruneOpts = ["--keep-last 5"];
timerConfig = backupSchedules.restic.low;
};
}


@ -1,37 +0,0 @@
{...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "hetzner-arm-container-quassel";
};
autoSecrets = {
enable = true;
};
requiredVaultPaths = [
"api-keys/data/storage/restic/Quassel"
"private-public-keys/data/restic/Quassel"
];
secrets = {
vault_password = {
manual = true;
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Quassel" .password > "$secretFile"
'';
};
restic_env = {
fetchScript = ''
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Quassel" .restic)
echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile"
'';
};
};
};
}


@ -39,8 +39,8 @@ in {
networking.firewall.allowedTCPPorts = [80]; networking.firewall.allowedTCPPorts = [80];
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };


@ -42,8 +42,8 @@ in {
allowedTCPPorts = [8080]; allowedTCPPorts = [8080];
}; };
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };


@ -14,15 +14,14 @@ in {
restic_music = restic + 0; restic_music = restic + 0;
restic_vault = restic + 1; restic_vault = restic + 1;
restic_social = restic + 2; restic_social = restic + 2;
restic_quassel = restic + 3; restic_postgresql = restic + 3;
restic_postgresql = restic + 4; restic_mail = restic + 4;
restic_mail = restic + 5; restic_forgejo = restic + 5;
restic_forgejo = restic + 6; restic_caldav = restic + 6;
restic_caldav = restic + 7; restic_owncast = restic + 7;
restic_owncast = restic + 8; restic_jellyfin = restic + 8;
restic_jellyfin = restic + 9; restic_grocy = restic + 9;
restic_grocy = restic + 10; restic_lappy_t495 = restic + 10;
restic_lappy_t495 = restic + 11;
http_music = http + 0; http_music = http + 0;
http_public = http + 1; http_public = http + 1;


@ -76,8 +76,8 @@ in {
allowedTCPPorts = attrValues ports; allowedTCPPorts = attrValues ports;
}; };
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };
@ -118,7 +118,6 @@ in {
"/Music/".proxyPass = "http://${containerIP}:${toString ports.restic_music}"; "/Music/".proxyPass = "http://${containerIP}:${toString ports.restic_music}";
"/Vault/".proxyPass = "http://${containerIP}:${toString ports.restic_vault}"; "/Vault/".proxyPass = "http://${containerIP}:${toString ports.restic_vault}";
"/Social/".proxyPass = "http://${containerIP}:${toString ports.restic_social}"; "/Social/".proxyPass = "http://${containerIP}:${toString ports.restic_social}";
"/Quassel/".proxyPass = "http://${containerIP}:${toString ports.restic_quassel}";
"/PostgreSQL/".proxyPass = "http://${containerIP}:${toString ports.restic_postgresql}"; "/PostgreSQL/".proxyPass = "http://${containerIP}:${toString ports.restic_postgresql}";
"/Mail/".proxyPass = "http://${containerIP}:${toString ports.restic_mail}"; "/Mail/".proxyPass = "http://${containerIP}:${toString ports.restic_mail}";
"/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.restic_forgejo}"; "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.restic_forgejo}";


@ -163,16 +163,6 @@ in {
"--baseurl=/Social/" "--baseurl=/Social/"
]; ];
} }
{
id = "restic-quassel";
remote = "StorageBox:Backups/Restic/Quassel";
type = "restic";
extraArgs = [
"--addr=0.0.0.0:${toString ports.restic_quassel}"
"--htpasswd=${secrets.restic_quassel_htpasswd.path}"
"--baseurl=/Quassel/"
];
}
{ {
id = "restic-postgresql"; id = "restic-postgresql";
remote = "StorageBox:Backups/Restic/PostgreSQL"; remote = "StorageBox:Backups/Restic/PostgreSQL";


@ -50,7 +50,7 @@ in {
{ {
source = "StorageBox:Notes"; source = "StorageBox:Notes";
dest = "B2-Chaos-Notes:"; dest = "B2-Chaos-Notes:";
id = "chaos_notes_public"; id = "chaos_notes";
} }
# Pheonix System's B2 # Pheonix System's B2
{ {


@ -29,7 +29,6 @@
"api-keys/data/storage/restic/Music" "api-keys/data/storage/restic/Music"
"api-keys/data/storage/restic/Vault" "api-keys/data/storage/restic/Vault"
"api-keys/data/storage/restic/Social" "api-keys/data/storage/restic/Social"
"api-keys/data/storage/restic/Quassel"
"api-keys/data/storage/restic/PostgreSQL" "api-keys/data/storage/restic/PostgreSQL"
"api-keys/data/storage/restic/Mail" "api-keys/data/storage/restic/Mail"
"api-keys/data/storage/restic/Forgejo" "api-keys/data/storage/restic/Forgejo"
@ -131,14 +130,6 @@
''; '';
}; };
restic_quassel_htpasswd = {
user = "storage";
group = "storage";
fetchScript = ''
simple_get_htpasswd "/api-keys/storage/restic/Quassel" "$secretFile"
'';
};
restic_postgresql_htpasswd = { restic_postgresql_htpasswd = {
user = "storage"; user = "storage";
group = "storage"; group = "storage";


@ -41,8 +41,8 @@ in {
networking.firewall.allowedTCPPorts = [8200 8443]; networking.firewall.allowedTCPPorts = [8200 8443];
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
}; };
}; };


@ -4,14 +4,13 @@
storage = "10.0.1.2"; storage = "10.0.1.2";
social = "10.0.1.3"; social = "10.0.1.3";
music = "10.0.1.4"; music = "10.0.1.4";
quassel = "10.0.1.5"; forgejo = "10.0.1.5";
forgejo = "10.0.1.6"; postgresql = "10.0.1.6";
postgresql = "10.0.1.7"; caldav = "10.0.1.7";
caldav = "10.0.1.8"; owncast = "10.0.1.8";
owncast = "10.0.1.9"; jellyfin = "10.0.1.9";
jellyfin = "10.0.1.10"; grocy = "10.0.1.10";
grocy = "10.0.1.11"; rss = "10.0.1.11";
rss = "10.0.1.12"; vault-ca = "10.0.1.12";
vault-ca = "10.0.1.13";
}; };
} }
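Review bot: Closing the gap left by `quassel` shifts the address of every container after it (`forgejo` 10.0.1.6→10.0.1.5, `postgresql` 10.0.1.7→10.0.1.6, and so on), which changes the identity of those containers for anything that authorizes by source IP. Rules generated from this file (the pg_hba `trust` entry for `social`, the nginx proxyPass targets) follow automatically, but any allow-list, firewall entry or client configuration that was written by hand against the old numbers will now point at a different service. Leaving `10.0.1.5` unassigned, with a comment such as `# 10.0.1.5 was quassel; left free so the remaining containers keep their addresses`, avoids the shift entirely; if the renumbering is intentional because every container is being rebuilt on the new server, say so in a comment.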


@ -14,7 +14,7 @@ in {
profiles.nginx profiles.nginx
profiles.firewallAllow.httpCommon profiles.firewallAllow.httpCommon
profiles.chaosInternalWireGuard # profiles.chaosInternalWireGuard
./hardware.nix ./hardware.nix
./secrets.nix ./secrets.nix
@ -22,22 +22,44 @@ in {
++ (forEach [ ++ (forEach [
"social" "social"
"storage" "storage"
"music"
"quassel"
"postgresql" "postgresql"
"mail" "mail"
"forgejo" "forgejo"
"caldav" "caldav"
"owncast"
"jellyfin" "jellyfin"
"grocy" "grocy"
#"rss"
"vault-ca" "vault-ca"
"music"
# "owncast"
# TODO: "rss"
] (name: ./containers + "/${name}")) ] (name: ./containers + "/${name}"))
++ (with hosts.hetzner-arm.profiles; [ ++ (with hosts.hetzner-arm.profiles; [
staticSites staticSites
]); ]);
# TODO: environment.noXlibs = true;
nixpkgs.overlays = [
(_final: prev: {
# So we don't need to build all Vault
# when we already are using vault-bin on this server
vault = prev.vault-bin;
# Have no need for HW Accel, hoping it works with this
jellyfin-ffmpeg = prev.ffmpeg_6-headless;
ffmpeg = prev.ffmpeg-headless;
ffmpeg_4 = prev.ffmpeg_4-headless;
ffmpeg_5 = prev.ffmpeg_5-headless;
ffmpeg_6 = prev.ffmpeg_6-headless;
ffmpeg_7 = prev.ffmpeg_7-headless;
mpd = prev.mpd-headless;
})
];
# TODO: system.forbiddenDependenciesRegexes = ["libX11*"];
# For Containers # For Containers
networking.nat = { networking.nat = {
enable = true; enable = true;
@ -47,6 +69,6 @@ in {
networking.hostName = "hetzner-arm"; networking.hostName = "hetzner-arm";
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
} }
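Review bot: `profiles.chaosInternalWireGuard` is commented out with no reason given, which silently drops this host from the internal WireGuard network; if any service was reachable only over that tunnel, or any firewall or trust decision assumed the wg interface, those now either fail or fall back to the public interface. Replace the bare `#` with the reason and the condition for re-enabling, e.g. `# TODO(move): re-enable once this host's WireGuard peer is provisioned on the new server`, so a later reader can tell a deliberate decommissioning from a forgotten line. The new overlay block also deserves firmer comments: `# Have no need for HW Accel, hoping it works with this` on the `jellyfin-ffmpeg = prev.ffmpeg_6-headless` override should record what was actually verified, since to my knowledge `jellyfin-ffmpeg` is a patched fork that plain ffmpeg does not fully replace, and `vault = prev.vault-bin` swaps a nixpkgs source build for the upstream-distributed binary, which is a supply-chain decision worth one explicit line beyond "so we don't need to build all Vault".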


@ -19,7 +19,7 @@
home-manager.users.root = { home-manager.users.root = {
imports = with tree; [home.base]; imports = with tree; [home.base];
home.stateVersion = "23.05"; home.stateVersion = "24.05";
}; };
home-manager.users.chaos = { home-manager.users.chaos = {
@ -35,7 +35,7 @@
home.programming.languages.rust home.programming.languages.rust
home.programming.languages.nix home.programming.languages.nix
]; ];
home.stateVersion = "23.05"; home.stateVersion = "24.05";
}; };
networking.firewall.enable = true; networking.firewall.enable = true;
@ -46,5 +46,5 @@
networking.hostName = "lappy-surface"; networking.hostName = "lappy-surface";
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
} }


@ -52,7 +52,7 @@ in {
imports = with tree; [ imports = with tree; [
home.base home.base
]; ];
home.stateVersion = "23.05"; home.stateVersion = "24.05";
}; };
systemd.services."music-player" = { systemd.services."music-player" = {


@ -21,7 +21,7 @@
home-manager.users.root = { home-manager.users.root = {
imports = with tree; [home.base]; imports = with tree; [home.base];
home.stateVersion = "23.05"; home.stateVersion = "24.05";
}; };
home-manager.users.chaos = { home-manager.users.chaos = {
@ -39,7 +39,7 @@
home.gaming.platforms.steam home.gaming.platforms.steam
]; ];
home.stateVersion = "23.05"; home.stateVersion = "24.05";
}; };
networking.firewall.enable = true; networking.firewall.enable = true;
@ -50,5 +50,5 @@
networking.hostName = "lappy-t495"; networking.hostName = "lappy-t495";
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
} }


@ -62,7 +62,7 @@
}) })
]; ];
}; };
in { in rec {
lappy-t495 = nixosUnstableSystem { lappy-t495 = nixosUnstableSystem {
specialArgs = specialArgs =
defaultSpecialArgs defaultSpecialArgs
@ -77,7 +77,7 @@ in {
specialArgs = specialArgs =
defaultSpecialArgs defaultSpecialArgs
// { // {
hostPath = ./lappy-surfacr; hostPath = ./lappy-surface;
}; };
system = "x86_64-linux"; system = "x86_64-linux";
modules = defaultModules ++ [./lappy-surface/lappy-surface.nix ./lappy-surface/hardware.nix]; modules = defaultModules ++ [./lappy-surface/lappy-surface.nix ./lappy-surface/hardware.nix];
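Review bot: `in rec {` makes the whole host attrset recursive, but nothing visible in these two hunks references a sibling attribute, so it is unclear what the `rec` is for; if no entry needs it, drop it, since a recursive attrset is easy to turn into an accidental infinite-recursion error and a `let` binding makes any intended sharing explicit. If an entry outside these hunks does reuse e.g. `lappy-t495`, a one-line comment saying so would justify keeping `rec`. The `./lappy-surfacr` → `./lappy-surface` correction is the substantive fix here and looks right.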


@ -23,6 +23,6 @@
networking.hostName = "raspberry"; networking.hostName = "raspberry";
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
home-manager.users.root.home.stateVersion = "23.05"; home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
} }


@ -11,15 +11,15 @@
]; ];
home-manager.users.root = { home-manager.users.root = {
home.stateVersion = "23.05"; home.stateVersion = "24.05";
}; };
home-manager.users.chaos = { home-manager.users.chaos = {
home.stateVersion = "23.05"; home.stateVersion = "24.05";
}; };
networking.hostName = "wsl"; networking.hostName = "wsl";
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
system.stateVersion = "23.05"; system.stateVersion = "24.05";
} }


@ -54,7 +54,7 @@ in
packages = { packages = {
inherit (pkgs) comic-code comic-sans; inherit (pkgs) comic-code comic-sans;
inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive; inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive;
inherit (pkgs) gotosocial mpd-headless owncast; inherit (pkgs) gotosocial mpd-headless;
inherit (pkgs) kitty-terminfo; inherit (pkgs) kitty-terminfo;
}; };
} }


@ -39,46 +39,9 @@ final: prev: rec {
"systemd" "systemd"
"syslog" "syslog"
"io_uring" "io_uring"
"curl"
"nfs"
"webdav"
]; ];
}; };
owncast =
(prev.owncast.override {
ffmpeg = final.ffmpeg_6-headless;
})
.overrideAttrs (_old: {doCheck = false;});
gotosocial = prev.gotosocial.overrideAttrs (_old: let
owner = "superseriousbusiness";
repo = "gotosocial";
version = "0.15.0";
source-hash = "sha256-z0iETddkw4C2R6ig9ZO8MTvhuWnmQ37/6q3oZ4WAzd4=";
web-assets-hash = "sha256-vrSdFIdBcfj6+sxtvv1s/Mu85I1mKxjyUYS902oLKk4=";
web-assets = final.fetchurl {
url = "https://github.com/${owner}/${repo}/releases/download/v${version}/${repo}_${version}_web-assets.tar.gz";
hash = web-assets-hash;
};
in {
inherit version;
src = final.fetchFromGitHub {
inherit owner repo;
rev = "refs/tags/v${version}";
hash = source-hash;
};
passthru.web-assets = web-assets;
ldflags = ["-s" "-w" "-X main.Version=${version}"];
doCheck = false;
postInstall = ''
tar xf ${web-assets}
mkdir -p $out/share/gotosocial
mv web $out/share/gotosocial/
'';
});
} }


@ -17,12 +17,36 @@
in { in {
environment.systemPackages = environment.systemPackages =
[ [
(writeShellScriptBin "server-extras-info" ''
${pkgs.bat}/bin/bat -l markdown ${builtins.toFile "server-extras-info.md" ''
# Available Commands:
- journalctl-vaccum-all
Vaccums host and all container systemd journals
- journalctl-vaccum-host
Vaccums systemd journal on host
- journalctl-vaccum-`$name`
Vaccums systemd journal on a specific container
- journalctl-container-`$name`
journalctl but for a specific container
- systemctl-container-`$name`
systemctl but for a specific container
- systemctl-list-failed-all
Lists all failed units in host and containers
- restart-service-all
Restarts a service on host and all containers
- shell-enter-`$name`
Opens an interactive shell with container
''}
'')
(writeShellScriptBin "journalctl-vaccum-all" '' (writeShellScriptBin "journalctl-vaccum-all" ''
journalctl --vacuum-size=${vaccumSize} journalctl --vacuum-size=${vaccumSize}
${concatStringsSep "\n" (forEach containerNames (name: '' ${concatStringsSep "\n" (forEach containerNames (name: ''
journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name} journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name}
''))} ''))}
'') '')
(writeShellScriptBin "journalctl-vaccum-host" ''
journalctl --vacuum-size=${vaccumSize}
'')
(writeShellScriptBin "systemctl-list-failed-all" '' (writeShellScriptBin "systemctl-list-failed-all" ''
echo "Host: " echo "Host: "
systemctl --failed systemctl --failed
@ -31,6 +55,14 @@ in {
systemctl -M ${name} --failed systemctl -M ${name} --failed
''))} ''))}
'') '')
(writeShellScriptBin "restart-service-all" ''
echo "Host: "
systemctl restart $@
${concatStringsSep "\n" (forEach containerNames (name: ''
echo "Container: ${name}"
systemctl -M ${name} restart $@
''))}
'')
] ]
++ forEach containerNames (name: (writeShellScriptBin "journalctl-vaccum-${name}" '' ++ forEach containerNames (name: (writeShellScriptBin "journalctl-vaccum-${name}" ''
journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name} journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name}
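Review bot: `restart-service-all` forwards its arguments as `systemctl restart $@` and `systemctl -M ${name} restart $@`; unquoted `$@` is re-split and glob-expanded, so both should be `"$@"`. It also restarts the named unit on the host and in every container without checking that any argument was given, so an empty invocation just prints one error per machine; a leading `[ $# -gt 0 ] || { echo "usage: restart-service-all UNIT..." >&2; exit 1; }` catches that case. In the `server-extras-info` text the descriptions say "Vaccums" — the command names keep their existing spelling, but the prose can read "Vacuums".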