manatee: Add new vdev to zpool

As it breaks tailscale <-> openvpn

> At the time of September 2023, systemd upstream advise to disable DNSSEC
> by default as the current code is not robust enough to deal with
> “in the wild” non-compliant servers, which will usually give you a
> broken bad experience in addition of insecure.

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1723293904,
+        "lastModified": 1760836749,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "2f0f812f69f3eb4140157fe15e12739adf82e32a",
         "type": "github"
       },
       "original": {
@@ -31,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700795494,
+        "lastModified": 1744478979,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -45,6 +45,26 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1760701190,
+        "narHash": "sha256-y7UhnWlER8r776JsySqsbTUh2Txf7K30smfHlqdaIQw=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "3a9450b26e69dcb6f8de6e2b07b3fc1c288d85f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "emacs-overlay": {
       "inputs": {
         "nixpkgs": [
@@ -53,11 +73,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1734599675,
+        "lastModified": 1760951609,
-        "narHash": "sha256-jTfIoLxbVK3r6rFHKs0JS8WEYrmp0AGomzGaPTDZvrE=",
+        "narHash": "sha256-rWkUWKWcLin0+dKvinWC1IZVxJnIvXV3q/wlmmKkzo4=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "df40078d8d4f3f0439e52a3f3e44af0005e6072e",
+        "rev": "41bee8f6a80b36b0348a8e750e5db88fea528171",
         "type": "github"
       },
       "original": {
@@ -66,6 +86,24 @@
         "type": "github"
       }
     },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -74,11 +112,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703113217,
+        "lastModified": 1745494811,
-        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
         "type": "github"
       },
       "original": {
@@ -94,11 +132,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734622158,
+        "lastModified": 1760969583,
-        "narHash": "sha256-h/fdzqlCqSa2ZCIqtDc9kshCJm6kQIoKuO0MSSmAX4A=",
+        "narHash": "sha256-vsf5mvR0xxK4GsfLx5bMJAQ4ysdrKymMIifNw+4TP7g=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "832920a60833533eaabcc93ab729801bf586fa0c",
+        "rev": "c9d758b500e53db5b74aa02d17dc45b65229e8e9",
         "type": "github"
       },
       "original": {
@@ -114,11 +152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733056338,
+        "lastModified": 1759613406,
-        "narHash": "sha256-sp14z0mrqrtmouz1+bU4Jh8/0xi+xwQHF2l7mhGSSVU=",
+        "narHash": "sha256-PzgQJydp+RlKvwDi807pXPlURdIAVqLppZDga3DwPqg=",
         "owner": "hyprwm",
         "repo": "contrib",
-        "rev": "d7c55140f1785b8d9fef351f1cd2a4c9e1eaa466",
+        "rev": "32e1a75b65553daefb419f0906ce19e04815aa3a",
         "type": "github"
       },
       "original": {
@@ -127,6 +165,27 @@
         "type": "github"
       }
     },
+    "naviterm": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1757496832,
+        "narHash": "sha256-R5EMcms24G6QGk62iNAMApeZmKsHwCDLj68UUdkhSLw=",
+        "owner": "detoxify92",
+        "repo": "naviterm",
+        "rev": "3b3bd2bace3676000f530b2f47fa28f431c56761",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "detoxify92",
+        "repo": "naviterm",
+        "type": "gitlab"
+      }
+    },
     "nh": {
       "inputs": {
         "nixpkgs": [
@@ -134,11 +193,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733912267,
+        "lastModified": 1760961269,
-        "narHash": "sha256-I3ubew5jt8YZ27AOtIodRAYo0aew6wxY8UkWCSqz6B4=",
+        "narHash": "sha256-Udg6DnM6scJj+imbttJR7GQpG2WWeDZ1JOtySTY99M0=",
         "owner": "viperML",
         "repo": "nh",
-        "rev": "6a69a145b0c7dbd5616bbded512b8bf8b5d2f8a4",
+        "rev": "e27508e06f74c7f03616150c1ac1431eaef7f443",
         "type": "github"
       },
       "original": {
@@ -164,11 +223,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1734352517,
+        "lastModified": 1760958188,
-        "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=",
+        "narHash": "sha256-2m1S4jl+GEDtlt2QqeHil8Ny456dcGSKJAM7q3j/BFU=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd",
+        "rev": "d6645c340ef7d821602fd2cd199e8d1eed10afbc",
         "type": "github"
       },
       "original": {
@@ -180,11 +239,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1734424634,
+        "lastModified": 1760878510,
-        "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
+        "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
+        "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67",
         "type": "github"
       },
       "original": {
@@ -196,16 +255,16 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1734323986,
+        "lastModified": 1760862643,
-        "narHash": "sha256-m/lh6hYMIWDYHCAsn81CDAiXoT3gmxXI9J987W5tZrE=",
+        "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "394571358ce82dff7411395829aa6a3aad45b907",
+        "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -234,14 +293,18 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "disko": "disko",
         "emacs-overlay": "emacs-overlay",
         "home-manager": "home-manager_2",
         "hyprland-contrib": "hyprland-contrib",
+        "naviterm": "naviterm",
         "nh": "nh",
         "nix-gc-env": "nix-gc-env",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
-        "pppdotpm-site": "pppdotpm-site"
+        "pppdotpm-site": "pppdotpm-site",
+        "whib-backend": "whib-backend",
+        "whib-frontend": "whib-frontend"
       }
     },
     "systems": {
@@ -258,6 +321,63 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "whib-backend": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1739029248,
+        "narHash": "sha256-ux/Udy0Mhs66P/EQQ8S+xIuXRm9UHEYwSy12IZtlbnA=",
+        "ref": "master",
+        "rev": "222a8f6dde2e9270f6390b5e1e83c7ae1ea48290",
+        "revCount": 371,
+        "type": "git",
+        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
+      },
+      "original": {
+        "ref": "master",
+        "type": "git",
+        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
+      }
+    },
+    "whib-frontend": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1761508816,
+        "narHash": "sha256-adV/lyxcmuopyuzZ49v46Yt0gft+ioEL4yl1S+vUbus=",
+        "ref": "master",
+        "rev": "ab10bf50cb6b023a1b99f91c7e8d550231135eef",
+        "revCount": 223,
+        "type": "git",
+        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib-react.git"
+      },
+      "original": {
+        "ref": "master",
+        "type": "git",
+        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib-react.git"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -6,6 +6,11 @@
 
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
 
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     nh = {
       url = "github:viperML/nh";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -33,10 +38,25 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    naviterm = {
+      url = "gitlab:detoxify92/naviterm";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     pppdotpm-site = {
       url = "git+ssh://gitea@git.ppp.pm:1122/alex/ppp.pm-site.git?ref=main";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    whib-backend = {
+      url = "git+ssh://gitea@git.ppp.pm:1122/alex/whib.git?ref=master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    whib-frontend = {
+      url = "git+ssh://gitea@git.ppp.pm:1122/alex/whib-react.git?ref=master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs =
@@ -55,6 +75,17 @@
           ];
         };
 
+        manatee = inputs.nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = {
+            inherit inputs;
+          };
+          modules = [
+            ./hosts/manatee/configuration.nix
+            ./hosts/manatee/home.nix
+          ];
+        };
+
         backwards = inputs.nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
           specialArgs = {
@@ -66,23 +97,37 @@
           ];
         };
 
-        tadpole = inputs.nixpkgs.lib.nixosSystem {
+        tadpole =
+          let
             system = "x86_64-linux";
+          in
+          inputs.nixpkgs.lib.nixosSystem {
+            inherit system;
             specialArgs = {
               inherit inputs;
             };
             modules = [
               ./hosts/tadpole/configuration.nix
               ./hosts/tadpole/home.nix
+              inputs.whib-backend.nixosModules.${system}.default
+              inputs.whib-frontend.nixosModules.${system}.default
             ];
           };
 
-        test-vm = inputs.nixpkgs.lib.nixosSystem {
+        test-vm =
+          let
             system = "x86_64-linux";
+          in
+          inputs.nixpkgs.lib.nixosSystem {
+            inherit system;
             specialArgs = {
               inherit inputs;
             };
-          modules = [ ./hosts/test-vm/configuration.nix ];
+            modules = [
+              ./hosts/test-vm/configuration.nix
+              inputs.whib-backend.nixosModules.${system}.default
+              inputs.whib-frontend.nixosModules.${system}.default
+            ];
           };
       };
 

hosts/backwards/configuration.nix

@@ -15,7 +15,7 @@
 
   console.keyMap = "sv-latin1";
 
-  hardware.pulseaudio.enable = false;
+  services.pulseaudio.enable = false;
   security.rtkit.enable = true;
   services.pipewire = {
     enable = true;
@@ -24,12 +24,24 @@
     pulse.enable = true;
   };
 
+  hardware = {
+    graphics = {
+      enable = true;
+      extraPackages = [
+        pkgs.intel-media-driver
+        pkgs.libvdpau-va-gl
+      ];
+    };
+  };
+
   users.users.alex = {
     isNormalUser = true;
     description = "alex";
     extraGroups = [
       "networkmanager"
       "wheel"
+      "video"
+      "render"
     ];
     packages = [ ];
   };

hosts/backwards/modules/default.nix

@@ -15,9 +15,6 @@ in
       nginx.enable = true;
       syncthing.enable = true;
       restic.enable = true;
-      transmission.enable = true;
-      audiobookshelf.enable = true;
-      calibre-web.enable = true;
     };
   };
 }

hosts/backwards/modules/firefox/default.nix

@@ -29,7 +29,7 @@ let
   ff-alex = pkgs.writeShellApplication {
     name = "ff-alex";
     text = ''
-      ${wrapped}/bin/firefox -P alex --new-window "$@"
+      ${wrapped}/bin/firefox-devedition -P alex --new-window "$@"
     '';
   };
 

hosts/backwards/modules/games/default.nix

@@ -2,16 +2,16 @@
 {
   home-manager.users.alex = {
     home.packages = [
+      pkgs.nethack
+
       pkgs.moonlight-qt
 
       pkgs.pcsx2
-      (pkgs.retroarch.override {
+      (pkgs.retroarch.withCores (cores: [
-        cores = [
         pkgs.libretro.snes9x
         pkgs.libretro.genesis-plus-gx
         pkgs.libretro.swanstation
-        ];
+      ]))
-      })
     ];
   };
 }

hosts/backwards/modules/jellyfin/default.nix

@@ -1,87 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-let
-  nginxEnabled = config.mod.nginx.enable;
-in
-{
-  fileSystems."/home/alex/media" = {
-    device = "/dev/disk/by-uuid/ad4acc0f-172c-40f8-8473-777c957e8764";
-    fsType = "ext4";
-    options = [ "nofail" ];
-  };
-
-  # 1. enable vaapi on OS-level
-  nixpkgs.config.packageOverrides = pkgs: {
-    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
-  };
-
-  hardware = {
-    graphics = {
-      enable = true;
-
-      extraPackages = with pkgs; [
-        intel-media-driver
-        intel-vaapi-driver # previously vaapiIntel
-        vaapiVdpau
-        libvdpau-va-gl
-        intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
-        vpl-gpu-rt # QSV on 11th gen or newer
-      ];
-    };
-  };
-
-  services = {
-    jellyfin = {
-      enable = true;
-      openFirewall = true;
-
-      user = "alex";
-      group = "users";
-
-      dataDir = "/home/alex/media/jellyfin";
-    };
-
-    prowlarr.enable = true;
-
-    sonarr = {
-      enable = true;
-
-      user = "alex";
-      group = "users";
-    };
-
-    radarr = {
-      enable = true;
-
-      user = "alex";
-      group = "users";
-    };
-
-    jellyseerr.enable = true;
-
-    nginx = lib.mkIf nginxEnabled {
-      virtualHosts."jelly.ppp.pm" = {
-        locations = {
-          "/" = {
-            proxyPass = "http://127.0.0.1:8096";
-          };
-
-          "/socket" = {
-            proxyPass = "http://127.0.0.1:8096";
-            proxyWebsockets = true;
-          };
-        };
-      };
-    };
-  };
-
-  environment.systemPackages = [
-    pkgs.jellyfin
-    pkgs.jellyfin-web
-    pkgs.jellyfin-ffmpeg
-  ];
-}

hosts/backwards/modules/restic/default.nix

@@ -46,6 +46,7 @@ in
           repositoryFile = config.age.secrets.restic-cloud-sync-repository.path;
 
           paths = [ "/home/alex/sync" ];
+          exclude = [ "/home/alex/sync/reading-material" ];
 
           timerConfig = {
             OnCalendar = "*-*-* 0/12:00:00"; # Every 12th hour, i.e. twice a day
@@ -65,7 +66,8 @@ in
       secrets = {
         "restic-password".file = ../../../../secrets/backwards/restic-password.age;
         "restic-cloud-sync-key".file = ../../../../secrets/backwards/restic-cloud-sync-key.age;
-        "restic-cloud-sync-repository".file = ../../../../secrets/backwards/restic-cloud-sync-repository.age;
+        "restic-cloud-sync-repository".file =
+          ../../../../secrets/backwards/restic-cloud-sync-repository.age;
       };
     };
   };

hosts/backwards/modules/ssh/default.nix

@@ -23,6 +23,13 @@ in
         enable = true;
 
         matchBlocks = {
+          "manatee" = {
+            hostname = "manatee";
+            user = "alex";
+            identityFile = "/home/alex/.ssh/alex.backwards-manatee";
+            port = 1122;
+          };
+
           "git.ppp.pm" = {
             hostname = "git.ppp.pm";
             identityFile = "/home/alex/.ssh/alex.backwards-git.ppp.pm";
@@ -34,6 +41,8 @@ in
           };
         };
       };
+
+      home.packages = [ pkgs.sshfs ];
     };
 
     environment.etc."ssh/authorized_keys_command" = {
@@ -84,6 +93,19 @@ in
         path = "${rootSSHKeyPath}/root.backwards.pub";
       };
 
+      "alex.backwards-manatee" = {
+        file = ../../../../secrets/backwards/alex.backwards-manatee.age;
+        path = "/home/alex/.ssh/alex.backwards-manatee";
+        owner = "alex";
+        group = "users";
+      };
+      "alex.backwards-manatee.pub" = {
+        file = ../../../../secrets/backwards/alex.backwards-manatee.pub.age;
+        path = "/home/alex/.ssh/alex.backwards-manatee.pub";
+        owner = "alex";
+        group = "users";
+      };
+
       "alex.pinwheel-backwards.pub" = {
         file = ../../../../secrets/pinwheel/alex.pinwheel-backwards.pub.age;
         path = "${authorizedKeysPath}/alex.pinwheel-backwards.pub";

hosts/backwards/modules/syncthing/default.nix

@@ -34,6 +34,7 @@ in
         devices = {
           phone.id = config.lib.syncthing.phone;
           pinwheel.id = config.lib.syncthing.pinwheel;
+          tablet.id = config.lib.syncthing.tablet;
         };
 
         folders = {
@@ -74,7 +75,7 @@ in
           };
 
           books = {
-            path = "/home/alex/sync/books";
+            path = "/home/alex/sync/reading-material/books";
             devices = [ "pinwheel" ];
             versioning = {
               type = "staggered";

hosts/manatee/configuration.nix

@@ -0,0 +1,56 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ../../config-manager/default.nix
+    ../../shared-modules/syncthing.nix
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    ./modules
+  ];
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nixpkgs.config.allowUnfree = true;
+
+  users.users.alex = {
+    isNormalUser = true;
+    description = "alex";
+    extraGroups = [
+      "wheel"
+      "storage"
+    ];
+  };
+
+  environment.variables.EDITOR = "vim";
+
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+  ];
+
+  config-manager = {
+    flakePath = "/home/alex/config";
+  };
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.11"; # Did you read the comment?
+
+}

hosts/manatee/disk-config.nix

@@ -0,0 +1,243 @@
+{
+  inputs,
+  pkgs,
+  config,
+  ...
+}:
+{
+  imports = [ inputs.disko.nixosModules.disko ];
+
+  config = {
+    users.groups.storage = { };
+
+    users.users.storage = {
+      isSystemUser = true;
+      description = "storage";
+      group = "storage";
+    };
+
+    systemd.tmpfiles.settings = {
+      "10-media-public" = {
+        "/mnt/media/public" = {
+          d = {
+            # Create directory
+            user = "storage";
+            group = "storage";
+            mode = "2775";
+          };
+          z = {
+            # Ensure permissions are inherited
+            user = "storage";
+            group = "storage";
+            mode = "2775";
+          };
+        };
+      };
+
+      "10-cameras-public" = {
+        "/mnt/cameras/public" = {
+          d = {
+            # Create directory
+            user = "storage";
+            group = "storage";
+            mode = "2775";
+          };
+          z = {
+            # Ensure permissions are inherited
+            user = "storage";
+            group = "storage";
+            mode = "2775";
+          };
+        };
+      };
+
+      "10-sync-public" = {
+        "/mnt/sync/public" = {
+          d = {
+            # Create directory
+            user = "storage";
+            group = "storage";
+            mode = "2775";
+          };
+          z = {
+            # Ensure permissions are inherited
+            user = "storage";
+            group = "storage";
+            mode = "2775";
+          };
+        };
+      };
+    };
+
+    environment.systemPackages = [
+      pkgs.smartmontools
+    ];
+
+    services.smartd = {
+      enable = true;
+      devices = [
+        { device = config.disko.devices.disk.root.device; }
+        { device = config.disko.devices.disk.disk1.device; }
+        { device = config.disko.devices.disk.disk2.device; }
+      ];
+    };
+
+    services.zfs.autoScrub.enable = true;
+
+    networking.hostId = "0a9474e7"; # Required by ZFS
+    disko.devices = {
+      disk = {
+        root = {
+          type = "disk";
+          device = "/dev/nvme0n1";
+          content = {
+            type = "gpt";
+            partitions = {
+              ESP = {
+                size = "500M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "umask=0077" ];
+                };
+              };
+
+              root = {
+                size = "100%";
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
+        };
+
+        disk1 = {
+          type = "disk";
+          device = "/dev/disk/by-id/ata-ST8000VN004-3CP101_WWZ8QCG4";
+          content = {
+            type = "gpt";
+            partitions = {
+              zfs = {
+                size = "100%";
+                content = {
+                  type = "zfs";
+                  pool = "storage";
+                };
+              };
+            };
+          };
+        };
+
+        disk2 = {
+          type = "disk";
+          device = "/dev/disk/by-id/ata-ST8000VN004-3CP101_WWZ8QDJ5";
+          content = {
+            type = "gpt";
+            partitions = {
+              zfs = {
+                size = "100%";
+                content = {
+                  type = "zfs";
+                  pool = "storage";
+                };
+              };
+            };
+          };
+        };
+        disk3 = {
+          type = "disk";
+          device = "/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_85K2A0UCF4MJ";
+          content = {
+            type = "gpt";
+            partitions = {
+              zfs = {
+                size = "100%";
+                content = {
+                  type = "zfs";
+                  pool = "storage";
+                };
+              };
+            };
+          };
+        };
+
+        disk4 = {
+          type = "disk";
+          device = "/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_85K2A0V6F4MJ";
+          content = {
+            type = "gpt";
+            partitions = {
+              zfs = {
+                size = "100%";
+                content = {
+                  type = "zfs";
+                  pool = "storage";
+                };
+              };
+            };
+          };
+        };
+      };
+
+      zpool = {
+        storage = {
+          type = "zpool";
+
+          mode = {
+            topology = {
+              type = "topology";
+              vdev = [
+                {
+                  mode = "mirror";
+                  members = [
+                    "disk1"
+                    "disk2"
+                  ];
+                }
+                {
+                  mode = "mirror";
+                  members = [
+                    "disk3"
+                    "disk4"
+                  ];
+                }
+              ];
+            };
+          };
+
+          rootFsOptions = {
+            mountpoint = "none";
+            compression = "zstd";
+            xattr = "sa";
+            "com.sun:auto-snapshot" = "false";
+          };
+
+          datasets = {
+            media = {
+              type = "zfs_fs";
+              mountpoint = "/mnt/media";
+              options.mountpoint = "legacy"; # otherwise we get a race between systemd and zfs; https://github.com/nix-community/disko/issues/214
+            };
+
+            cameras = {
+              type = "zfs_fs";
+              mountpoint = "/mnt/cameras";
+              options.mountpoint = "legacy"; # otherwise we get a race between systemd and zfs; https://github.com/nix-community/disko/issues/214
+            };
+
+            sync = {
+              type = "zfs_fs";
+              mountpoint = "/mnt/sync";
+              options.mountpoint = "legacy"; # otherwise we get a race between systemd and zfs; https://github.com/nix-community/disko/issues/214
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/manatee/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "nvme"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/manatee/home.nix

@@ -0,0 +1,22 @@
+{ inputs, ... }:
+{
+  imports = [ inputs.home-manager.nixosModules.home-manager ];
+
+  config = {
+    home-manager = {
+      useGlobalPkgs = true;
+      useUserPackages = true;
+
+      users.alex = {
+        programs.home-manager.enable = true;
+
+        home.username = "alex";
+        home.homeDirectory = "/home/alex";
+
+        home.packages = [ ];
+
+        home.stateVersion = "24.11";
+      };
+    };
+  };
+}

hosts/manatee/modules/age/default.nix

@@ -0,0 +1,14 @@
+{ inputs, pkgs, ... }:
+{
+  imports = [ inputs.agenix.nixosModules.default ];
+
+  config = {
+    age = {
+      identityPaths = [ "/etc/ssh/manatee" ];
+    };
+
+    environment.systemPackages = [
+      inputs.agenix.packages."${pkgs.system}".default
+    ];
+  };
+}

hosts/manatee/modules/audiobookshelf/default.nix

@@ -10,17 +10,17 @@ in
   };
 
   config = lib.mkIf enabled {
-    fileSystems."/home/alex/media" = {
+    users.users.audiobookshelf = {
-      device = "/dev/disk/by-uuid/ad4acc0f-172c-40f8-8473-777c957e8764";
+      isSystemUser = true;
-      fsType = "ext4";
+      description = "audiobookshelf";
-      options = [ "nofail" ];
+      group = "storage";
     };
 
     services.audiobookshelf = {
       enable = true;
 
-      user = "alex";
+      user = "audiobookshelf";
-      group = "users";
+      group = "storage";
 
       host = "0.0.0.0";
       port = 8000;

hosts/manatee/modules/boot/default.nix

@@ -0,0 +1,43 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+let
+  configurationLimit = config.mod.gc.configurationLimit;
+in
+{
+  imports = [ inputs.nix-gc-env.nixosModules.default ];
+
+  options = {
+    mod.gc = {
+      configurationLimit = lib.mkOption {
+        type = lib.types.int;
+        default = 10;
+        description = "number of configuration generations to keep";
+      };
+    };
+  };
+
+  config = {
+    nix.gc = {
+      automatic = true;
+      dates = "weekly";
+
+      # `delete_generations` added by nix-gc-env
+      delete_generations = "+${builtins.toString configurationLimit}";
+    };
+
+    boot = {
+      loader = {
+        systemd-boot = {
+          enable = true;
+          inherit configurationLimit;
+        };
+
+        efi.canTouchEfiVariables = true;
+      };
+    };
+  };
+}

hosts/manatee/modules/calibre-web/default.nix

@@ -14,19 +14,34 @@ in
       calibre-web = {
         enable = true;
 
-        user = "alex";
+        user = "storage";
-        group = "users";
+        group = "storage";
 
         listen = {
           ip = "0.0.0.0";
           port = 8083;
         };
 
+        dataDir = "/mnt/media/public/books";
+
         options = {
-          calibreLibrary = "/home/alex/sync/books";
+          calibreLibrary = "/mnt/media/public/books";
           enableBookUploading = true;
         };
       };
+
+      nginx = {
+        virtualHosts."books.ppp.pm" = {
+
+          extraConfig = ''
+            client_max_body_size 1024M;
+          '';
+
+          locations."/" = {
+            proxyPass = "http://0.0.0.0:8083"; # TODO add option for port + host
+          };
+        };
+      };
     };
   };
 }

hosts/manatee/modules/default.nix

@@ -0,0 +1,26 @@
+{ lib, ... }:
+let
+  toModulePath = dir: _: ./. + "/${dir}";
+  filterDirs = dirs: lib.attrsets.filterAttrs (_: type: type == "directory") dirs;
+in
+{
+  imports = lib.mapAttrsToList toModulePath (filterDirs (builtins.readDir ./.));
+
+  config = {
+    mod = {
+      gc.configurationLimit = 10;
+
+      ssh.enable = true;
+      git.enable = true;
+
+      nginx.enable = true;
+      syncthing.enable = true;
+      transmission.enable = true;
+      calibre-web.enable = true;
+      audiobookshelf.enable = true;
+      jellyfin.enable = true;
+      immich.enable = true;
+      navidrome.enable = true;
+    };
+  };
+}

hosts/manatee/modules/git/default.nix

@@ -0,0 +1,39 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  enabled = config.mod.git.enable;
+in
+{
+  options = {
+    mod.git = {
+      enable = lib.mkEnableOption "enable git module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    home-manager.users.alex = {
+      programs.git = {
+        enable = true;
+
+        includes = [
+          { path = ./gitconfig; }
+        ];
+
+        extraConfig = {
+          rerere.enable = true;
+        };
+      };
+
+      home.packages = [ pkgs.tig ];
+
+      home.file.".tigrc".text = ''
+        set main-view-line-number = yes
+        set main-view-line-number-interval = 1
+      '';
+    };
+  };
+}

hosts/manatee/modules/git/gitconfig

@@ -0,0 +1,9 @@
+[user]
+    name = Alexander Heldt
+    email = me@alexanderheldt.se
+
+[url "git@github.com:"]
+    insteadOf = https://github.com/
+
+[url "gitea@git.ppp.pm:"]
+    insteadOf = https://git.ppp.pm/

hosts/manatee/modules/immich/default.nix

@@ -0,0 +1,35 @@
+{ lib, config, ... }:
+let
+  enabled = config.mod.immich.enable;
+in
+{
+  options = {
+    mod.immich = {
+      enable = lib.mkEnableOption "Enable immich module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    users.users.immich = {
+      isSystemUser = true;
+      group = "storage";
+
+      extraGroups = [
+        "render"
+        "video"
+      ];
+    };
+
+    services.immich = {
+      enable = true;
+
+      user = "immich";
+      group = "storage";
+
+      host = "0.0.0.0";
+
+      mediaLocation = "/mnt/cameras/public";
+      accelerationDevices = [ "/dev/dri/renderD128" ];
+    };
+  };
+}

hosts/manatee/modules/jellyfin/default.nix

@@ -0,0 +1,55 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  enabled = config.mod.jellyfin.enable;
+in
+{
+  options = {
+    mod.jellyfin = {
+      enable = lib.mkEnableOption "Enable jellyfin module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    users.users.jellyfin = {
+      isSystemUser = true;
+      group = "storage";
+
+      extraGroups = [
+        "render"
+        "video"
+      ];
+    };
+
+    hardware = {
+      graphics = {
+        enable = true;
+        extraPackages = [
+          pkgs.intel-media-driver # Modern Intel VA-API driver (needed for N305)
+          pkgs.libvdpau-va-gl # VDPAU backend for VA-API GLX interop
+        ];
+
+      };
+    };
+
+    services = {
+      jellyfin = {
+        enable = true;
+        openFirewall = true;
+
+        user = "jellyfin";
+        group = "storage";
+      };
+    };
+
+    environment.systemPackages = [
+      pkgs.jellyfin
+      pkgs.jellyfin-web
+      pkgs.jellyfin-ffmpeg
+    ];
+  };
+}

hosts/manatee/modules/navidrome/default.nix

@@ -0,0 +1,33 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  navidromeEnabled = config.mod.navidrome.enable;
+in
+{
+  options = {
+    mod.navidrome = {
+      enable = lib.mkEnableOption "Enable navidrome module";
+    };
+  };
+
+  config = {
+    services = lib.mkIf navidromeEnabled {
+      navidrome = {
+        enable = true;
+        openFirewall = true;
+
+        user = "navidrome";
+        group = "storage";
+        settings = {
+          Port = 4533;
+          Address = "0.0.0.0";
+          MusicFolder = "/mnt/media/public/music";
+        };
+      };
+    };
+  };
+}

hosts/manatee/modules/network/default.nix

@@ -0,0 +1,22 @@
+{ ... }:
+{
+  networking = {
+    hostName = "manatee";
+
+    defaultGateway = "192.168.50.1";
+    nameservers = [ "1.1.1.1" ];
+    interfaces = {
+      enp3s0 = {
+        useDHCP = false;
+        ipv4 = {
+          addresses = [
+            {
+              address = "192.168.50.203";
+              prefixLength = 24;
+            }
+          ];
+        };
+      };
+    };
+  };
+}

hosts/manatee/modules/nginx/default.nix

@@ -0,0 +1,22 @@
+{ lib, config, ... }:
+let
+  enabled = config.mod.nginx.enable;
+in
+{
+  options = {
+    mod.nginx = {
+      enable = lib.mkEnableOption "Enable nginx module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    services = {
+      nginx = {
+        enable = true;
+
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+      };
+    };
+  };
+}

hosts/manatee/modules/ssh/default.nix

@@ -0,0 +1,106 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  enabled = config.mod.ssh.enable;
+
+  authorizedKeysPath = "/home/alex/.ssh/authorized-keys";
+  rootSSHKeyPath = "/etc/ssh";
+in
+{
+  options = {
+    mod.ssh = {
+      enable = lib.mkEnableOption "enable ssh module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    home-manager.users.alex = {
+      programs.ssh = {
+        enable = true;
+
+        matchBlocks = {
+          "git.ppp.pm" = {
+            hostname = "git.ppp.pm";
+            identityFile = "/home/alex/.ssh/alex.manatee-git.ppp.pm";
+          };
+        };
+      };
+    };
+
+    environment.etc."ssh/authorized_keys_command" = {
+      mode = "0755";
+      text = ''
+        #!${pkgs.bash}/bin/bash
+        for file in ${authorizedKeysPath}/*; do
+          ${pkgs.coreutils}/bin/cat "$file"
+        done
+      '';
+    };
+
+    services = {
+      openssh = {
+        enable = true;
+        ports = [ 1122 ];
+
+        hostKeys = [
+          {
+            path = "${rootSSHKeyPath}/root.manatee";
+            type = "ed25519";
+          }
+        ];
+
+        settings = {
+          PasswordAuthentication = false;
+          KbdInteractiveAuthentication = false;
+        };
+
+        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+        authorizedKeysCommandUser = "root";
+      };
+    };
+
+    networking = {
+      firewall = {
+        allowedTCPPorts = [ 1122 ];
+      };
+    };
+
+    age.secrets = {
+      "root.manatee" = {
+        file = ../../../../secrets/manatee/root.manatee.age;
+        path = "${rootSSHKeyPath}/root.manatee";
+      };
+      "root.manatee.pub" = {
+        file = ../../../../secrets/manatee/root.manatee.pub.age;
+        path = "${rootSSHKeyPath}/root.manatee.pub";
+      };
+
+      "alex.pinwheel-manatee.pub" = {
+        file = ../../../../secrets/pinwheel/alex.pinwheel-manatee.pub.age;
+        path = "${authorizedKeysPath}/alex.pinwheel-manatee.pub";
+      };
+
+      "alex.backwards-manatee.pub" = {
+        file = ../../../../secrets/backwards/alex.backwards-manatee.pub.age;
+        path = "${authorizedKeysPath}/alex.backwards-manatee.pub";
+      };
+
+      "alex.manatee-git.ppp.pm" = {
+        file = ../../../../secrets/manatee/alex.manatee-git.ppp.pm.age;
+        path = "/home/alex/.ssh/alex.manatee-git.ppp.pm";
+        owner = "alex";
+        group = "users";
+      };
+      "alex.manatee-git.ppp.pm.pub" = {
+        file = ../../../../secrets/manatee/alex.manatee-git.ppp.pm.pub.age;
+        path = "/home/alex/.ssh/alex.manatee-git.ppp.pm.pub";
+        owner = "alex";
+        group = "users";
+      };
+    };
+  };
+}

hosts/manatee/modules/syncthing/default.nix

@@ -0,0 +1,61 @@
+{ lib, config, ... }:
+let
+  enabled = config.mod.syncthing.enable;
+in
+{
+  options = {
+    mod.syncthing = {
+      enable = lib.mkEnableOption "Enable syncthing module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    services.syncthing = {
+      enable = true;
+
+      cert = config.age.secrets.syncthing-cert.path;
+      key = config.age.secrets.syncthing-key.path;
+
+      user = "storage";
+      group = "storage";
+
+      dataDir = "/mnt/sync/public";
+
+      guiAddress = "0.0.0.0:8384";
+
+      settings = {
+        gui = {
+          user = "syncthing";
+          password = "$2a$12$YBcqhl8AXpoLmIWikuMtkOQLcrPXKKj0xY/qy4hggWnfjeVLQ3Ct6";
+          insecureSkipHostcheck = false;
+        };
+
+        devices = {
+          pinwheel.id = config.lib.syncthing.pinwheel;
+        };
+
+        folders = {
+          org = {
+            path = "/mnt/sync/public/org";
+            devices = [
+              "pinwheel"
+            ];
+            versioning = {
+              type = "staggered";
+              params = {
+                maxage = "2592000"; # 30 days
+              };
+            };
+          };
+        };
+      };
+    };
+
+    age = {
+      secrets = {
+        "syncthing-cert".file = ../../../../secrets/manatee/syncthing-cert.age;
+        "syncthing-key".file = ../../../../secrets/manatee/syncthing-key.age;
+      };
+    };
+  };
+}

hosts/manatee/modules/tailscale/default.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  # If an exit node is used, set:
+  # tailscale set --exit-node-allow-lan-access
+  services.tailscale.enable = true;
+
+  networking.firewall = {
+    checkReversePath = "loose";
+    allowedUDPPorts = [ 41641 ];
+  };
+}

hosts/manatee/modules/transmission/default.nix

@@ -6,8 +6,6 @@
 }:
 let
   enabled = config.mod.transmission.enable;
-
-  nginxEnabled = config.mod.nginx.enable;
 in
 {
   options = {
@@ -22,31 +20,27 @@ in
         enable = true;
         package = pkgs.transmission_4;
 
-        user = "alex";
+        openFirewall = true;
-        group = "users";
 
-        home = "/home/alex/media/ts-home";
+        user = "storage";
+        group = "storage";
+
+        home = "/mnt/media/public/.ts-home";
         downloadDirPermissions = "775";
 
         settings = {
-          rpc-bind-address = "0.0.0.0";
-          rpc-port = 9191;
-
           incomplete-dir-enabled = false;
-          download-dir = "/home/alex/media/downloads";
+          download-dir = "/mnt/media/public/downloads";
 
-          rpc-authentication-required = true;
+          rpc-bind-address = "0.0.0.0";
+
+          # Required to have empty user/pass to satisfy transmissionA
+          # https://github.com/transmission/transmission/discussions/1941#discussioncomment-1472352
           rpc-whitelist-enabled = false;
-          rpc-username = "transmission";
+          rpc-authentication-required = true;
-          rpc-password = "{55d884e4042db67313da49e05d7089a368eb64b3Br.3X.Xi";
+          rpc-username = "";
-        };
+          rpc-password = "";
-      };
 
-      nginx = lib.mkIf nginxEnabled {
-        virtualHosts."ts.ppp.pm" = {
-          locations."/" = {
-            proxyPass = "http://localhost:9191";
-          };
         };
       };
     };

hosts/pinwheel/home.nix

@@ -14,6 +14,8 @@
         home.homeDirectory = "/home/alex";
 
         home.packages = [
+          inputs.whib-backend.packages.${pkgs.system}.whib-import
+          # pkgs.beekeeper-studio
           pkgs.bitwarden-desktop
           pkgs.gimp
           pkgs.zip
@@ -23,6 +25,7 @@
           pkgs.htop
           pkgs.onlyoffice-bin
           pkgs.wdisplays
+          pkgs.vlc
         ];
 
         home.stateVersion = "23.05";

hosts/pinwheel/modules/colors/default.nix

@@ -3,7 +3,7 @@
     colors = {
       foreground = "bd93f9";
       foreground-dim = "644294";
-      background = "1E2029";
+      background = "1E1E2F";
 
       gray = "3a3a3a";
       warning = "ff6969";

hosts/pinwheel/modules/default.nix

@@ -33,6 +33,7 @@ in
       rust.enable = true;
       scala.enable = true;
       python.enable = true;
+      gleam.enable = true;
 
       keyboard.enable = true;
       containers = {

hosts/pinwheel/modules/dunst/default.nix

@@ -7,8 +7,6 @@
       settings = {
         global = {
           monitor = 1;
-          width = 300;
-          height = 300;
           offset = "10x10";
           origin = "top-right";
           transparency = 10;

hosts/pinwheel/modules/emacs/config.org

@@ -479,7 +479,34 @@ Setup prefix for keybindings.
 
 * Flycheck
 #+BEGIN_SRC emacs-lisp
-  (use-package flycheck)
+  (use-package flycheck
+    :preface
+    (defun mp-flycheck-eldoc (callback &rest _ignored)
+      "Print flycheck messages at point by calling CALLBACK."
+      (when-let ((flycheck-errors (and flycheck-mode (flycheck-overlay-errors-at (point)))))
+        (mapc
+         (lambda (err)
+           (funcall callback
+             (format "%s: %s"
+                     (let ((level (flycheck-error-level err)))
+                       (pcase level
+                         ('info (propertize "I" 'face 'flycheck-error-list-info))
+                         ('error (propertize "E" 'face 'flycheck-error-list-error))
+                         ('warning (propertize "W" 'face 'flycheck-error-list-warning))
+                         (_ level)))
+                     (flycheck-error-message err))
+             :thing (or (flycheck-error-id err)
+                        (flycheck-error-group err))
+             :face 'font-lock-doc-face))
+         flycheck-errors)))
+
+    (defun mp-flycheck-prefer-eldoc ()
+      (add-hook 'eldoc-documentation-functions #'mp-flycheck-eldoc nil t)
+      (setq eldoc-documentation-strategy 'eldoc-documentation-compose-eagerly)
+      (setq flycheck-display-errors-function nil)
+      (setq flycheck-help-echo-function nil))
+
+    :hook ((flycheck-mode . mp-flycheck-prefer-eldoc)))
 
   (use-package flycheck-eglot
     :after (flycheck eglot)
@@ -503,6 +530,12 @@ Setup prefix for keybindings.
         (add-hook 'before-save-hook #'eglot-format-buffer -10 t))))
 
   (use-package eglot
+    :preface
+    (defun mp-eglot-eldoc ()
+  	(setq eldoc-echo-area-use-multiline-p nil)
+      (setq eldoc-documentation-strategy
+        'eldoc-documentation-compose-eagerly))
+
     :config
     (add-to-list 'eglot-server-programs
       '(scala-mode .
@@ -511,6 +544,9 @@ Setup prefix for keybindings.
     (add-to-list 'eglot-server-programs
        '(nix-mode . ("nixd")))
 
+    (add-to-list 'eglot-server-programs
+      '(gleam-ts-mode . ("gleam" "lsp")))
+
     (setq-default eglot-workspace-configuration
       '(
         :metals (
@@ -520,6 +556,7 @@ Setup prefix for keybindings.
     )
 
     :hook (
+           (eglot-managed-mode . mp-eglot-eldoc)
            (go-mode . eglot-ensure)
            (go-mode . alex/organize-imports-on-save)
            (go-mode . alex/format-on-save)
@@ -529,6 +566,9 @@ Setup prefix for keybindings.
            (nix-mode . eglot-ensure)
            (nix-mode . alex/format-on-save)
 
+           (gleam-ts-mode . eglot-ensure)
+           (gleam-ts-mode . alex/format-on-save)
+
            (python-mode . eglot-ensure)
            (javascript-mode . eglot-ensure)
            (js-mode . eglot-ensure)
@@ -549,13 +589,6 @@ Setup prefix for keybindings.
     :after eglot
     :config (eglot-booster-mode))
 #+END_SRC
-** Eldoc-box
-#+BEGIN_SRC emacs-lisp
-  (use-package eldoc-box
-    :after eglot
-    :bind (:map eglot-mode-map
-              ("M-h" . eldoc-box-help-at-point)))
-#+END_SRC
 ** Go
 #+BEGIN_SRC emacs-lisp
   (use-package go-mode
@@ -573,6 +606,12 @@ Setup prefix for keybindings.
     )
   )
 #+END_SRC
+** Gleam
+#+BEGIN_SRC emacs-lisp
+  (use-package gleam-ts-mode
+    :mode "\\.gleam\\'"
+  )
+#+END_SRC
 ** YAML
 #+BEGIN_SRC emacs-lisp
   (use-package yaml-mode

hosts/pinwheel/modules/firefox/default.nix

@@ -29,14 +29,14 @@ let
   ff = pkgs.writeShellApplication {
     name = "ff";
     text = ''
-      ${wrapped}/bin/firefox --ProfileManager
+      ${wrapped}/bin/firefox-devedition --ProfileManager
     '';
   };
 
   ff-alex = pkgs.writeShellApplication {
     name = "ff-alex";
     text = ''
-      ${wrapped}/bin/firefox -P alex --new-window "$@"
+      ${wrapped}/bin/firefox-devedition -P alex --new-window "$@"
     '';
   };
 

hosts/pinwheel/modules/gleam/default.nix

@@ -0,0 +1,25 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  enabled = config.mod.gleam.enable;
+in
+{
+  options = {
+    mod.gleam = {
+      enable = lib.mkEnableOption "enable gleam module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    home-manager.users.alex = {
+      home.packages = [
+        pkgs.gleam
+        pkgs.erlang
+      ];
+    };
+  };
+}

hosts/pinwheel/modules/go/default.nix

@@ -20,7 +20,9 @@ in
         enable = true;
 
         package = pkgs.go;
-        goPath = "code/go";
+        env = {
+          GOPATH = "/home/alex/code/go";
+        };
       };
 
       home.packages = [

hosts/pinwheel/modules/hyprland/default.nix

@@ -25,11 +25,14 @@ in
 
         extraConfig = ''
           exec-once=waybar
+          exec-once=hyprctl setcursor Adwaita 24
 
           env = GDK_DPI_SCALE,1.5
-          env = XCURSOR_SIZE,64
+          env = HYPRCURSOR_THEME,Adwaita
+          env = HYPRCURSOR_SIZE,24
 
-          monitor=eDP-1, 1920x1200, 0x0, 1
+          monitor=eDP-1, 1920x1200, auto-center-down, 1
+          monitor=HDMI-A-1, 2560x1440@100, auto-center-up, 1
 
           workspace = 1, monitor:HDMI-A-1
           workspace = 2, monitor:HDMI-A-1
@@ -177,88 +180,5 @@ in
 
     # openGL is needed for wayland/hyprland
     hardware.graphics.enable = true;
-
-    systemd.user.services.hyprland-monitors = {
-      # systemctl --user restart hyprland-monitors.service
-      # journalctl --user -u hyprland-monitors.service -e -f
-      unitConfig = {
-        Description = "handles hyprland monitor connect/disconnect";
-      };
-
-      wantedBy = [ "graphical-session.target" ];
-      requires = [ "graphical-session.target" ];
-      after = [ "graphical-session.target" ];
-
-      path = [
-        pkgs.coreutils # to include `cat`
-        pkgs.waybar
-        pkgs.hyprland
-        pkgs.socat
-        pkgs.jq
-        pkgs.bc
-        pkgs.libnotify
-      ];
-
-      script =
-        let
-          moveWSToMonitor =
-            monitor: first: last:
-            if last < first then
-              throw "'first' has to be less than or equal to 'last'"
-            else
-              builtins.genList (
-                n: "dispatch moveworkspacetomonitor ${builtins.toString (first + n)} ${monitor}"
-              ) (last - first + 1);
-
-          external = moveWSToMonitor "HDMI-A-1" 1 5;
-          internal = moveWSToMonitor "eDPI-1" 6 10;
-          onlyInternal = moveWSToMonitor "eDPI-1" 1 10;
-        in
-        ''
-          update() {
-            HDMI_STATUS=$(cat /sys/class/drm/card1-HDMI-A-1/status)
-
-            INTERNAL_WIDTH=1920
-            INTERNAL_HEIGHT=1200
-
-            if [ $HDMI_STATUS = "connected" ]; then
-              notify-send "Using external and laptop monitor"
-
-              hyprctl keyword monitor HDMI-A-1,preferred,0x0,1
-
-              HDMI=$(hyprctl monitors -j | jq '.[] | select(.name=="HDMI-A-1")')
-              HDMI_WIDTH=$(echo $HDMI | jq .width)
-              HDMI_HEIGHT=$(echo $HDMI | jq .height)
-
-              INTERNAL_POS_X=$(echo "($HDMI_WIDTH - $INTERNAL_WIDTH) / 2" | bc)
-              if (( $(echo "$INTERNAL_POS_X < 0" | bc) )); then INTERNAL_POS_X=0; fi
-              INTERNAL_POS_Y=$HDMI_HEIGHT
-
-              hyprctl keyword monitor eDP-1,$INTERNAL_WIDTH"x"$INTERNAL_HEIGHT,$INTERNAL_POS_X"x"$INTERNAL_POS_Y,1
-              hyprctl --batch "${lib.strings.concatStringsSep ";" (external ++ internal)}"
-            else
-              notify-send "Using only laptop monitor"
-
-              hyprctl --batch "keyword monitor HDMI-A,disable; keyword monitor eDP-1,$INTERNAL_WIDTH"x"$INTERNAL_HEIGHT,0x0,1"
-              hyprctl --batch "${lib.strings.concatStringsSep ";" onlyInternal}"
-            fi
-          }
-
-          handle() {
-            case $1 in
-              monitoradded\>\>*|monitorremoved\>\>*)
-                echo "handling event: \"$1\""
-                update ;;
-            esac
-          }
-
-          echo "Starting service with instance \"$HYPRLAND_INSTANCE_SIGNATURE\""
-
-          # Do initial configuration
-          update
-
-          socat -U - UNIX-CONNECT:$XDG_RUNTIME_DIR/hypr/$HYPRLAND_INSTANCE_SIGNATURE/.socket2.sock | while read -r line; do handle "$line"; done
-        '';
-    };
   };
 }

hosts/pinwheel/modules/music/default.nix

@@ -1,4 +1,5 @@
 {
+  inputs,
   pkgs,
   lib,
   config,
@@ -13,18 +14,18 @@ in
       settings = {
         bind =
           let
-            prev = "${pkgs.playerctl}/bin/playerctl -p spotify previous";
+            prev = "${pkgs.playerctl}/bin/playerctl -p naviterm,spotify previous";
-            next = "${pkgs.playerctl}/bin/playerctl -p spotify next";
+            next = "${pkgs.playerctl}/bin/playerctl -p naviterm,spotify next";
           in
           [
             ", XF86AudioPrev, exec, ${prev}"
             ", XF86AudioNext, exec, ${next}"
-            ", XF86AudioPlay, exec, ${pkgs.playerctl}/bin/playerctl -p spotify play-pause"
+            ", XF86AudioPlay, exec, ${pkgs.playerctl}/bin/playerctl -p naviterm,spotify play-pause"
-            ", XF86AudioPause, exec, ${pkgs.playerctl}/bin/playerctl -p spoitfy play-pause"
+            ", XF86AudioPause, exec, ${pkgs.playerctl}/bin/playerctl -p naviterm,spoitfy play-pause"
 
             "$mod ALT, LEFT, exec, ${prev}"
             "$mod ALT, RIGHT, exec, ${next}"
-            "$mod ALT, DOWN, exec, ${pkgs.playerctl}/bin/playerctl -p spotify play-pause"
+            "$mod ALT, DOWN, exec, ${pkgs.playerctl}/bin/playerctl -p naviterm,spotify play-pause"
           ];
       };
     };
@@ -32,6 +33,7 @@ in
     home.packages = [
       pkgs.playerctl
       pkgs.spotify
+      inputs.naviterm.packages.${pkgs.system}.default
     ];
   };
 

hosts/pinwheel/modules/openvpn/default.nix

@@ -18,13 +18,12 @@ in
     home-manager.users.alex = {
       home.packages = [
         pkgs.openvpn
-        pkgs.update-systemd-resolved
       ];
     };
 
     services.resolved = {
-      enable = false;
+      enable = true;
-      dnssec = "true";
+      dnssec = "false";
       domains = [ "~." ];
       fallbackDns = [
         "1.1.1.1#one.one.one.one"

hosts/pinwheel/modules/sound/default.nix

@@ -10,7 +10,7 @@ in
 {
   users.users.alex.extraGroups = [ "audio" ];
 
-  hardware.pulseaudio.enable = false;
+  services.pulseaudio.enable = false;
   security.rtkit.enable = true;
 
   services.pipewire = {

hosts/pinwheel/modules/ssh/default.nix

@@ -5,6 +5,13 @@
       enable = true;
 
       matchBlocks = {
+        "manatee" = {
+          hostname = "manatee";
+          user = "alex";
+          identityFile = "/home/alex/.ssh/alex.pinwheel-manatee";
+          port = 1122;
+        };
+
         "backwards" = {
           hostname = "backwards";
           user = "alex";
@@ -12,12 +19,6 @@
           port = 1122;
         };
 
-        "andromeda" = {
-          hostname = "andromeda.a2x.se";
-          user = "alex";
-          identityFile = "/home/alex/.ssh/alex.pinwheel-andromeda";
-        };
-
         "tadpole" = {
           hostname = "65.21.106.222";
           user = "alex";
@@ -46,6 +47,19 @@
   };
 
   age.secrets = {
+    "alex.pinwheel-manatee" = {
+      file = ../../../../secrets/pinwheel/alex.pinwheel-manatee.age;
+      path = "/home/alex/.ssh/alex.pinwheel-manatee";
+      owner = "alex";
+      group = "users";
+    };
+    "alex.pinwheel-manatee.pub" = {
+      file = ../../../../secrets/pinwheel/alex.pinwheel-manatee.pub.age;
+      path = "/home/alex/.ssh/alex.pinwheel-manatee.pub";
+      owner = "alex";
+      group = "users";
+    };
+
     "alex.pinwheel-backwards" = {
       file = ../../../../secrets/pinwheel/alex.pinwheel-backwards.age;
       path = "/home/alex/.ssh/alex.pinwheel-backwards";
@@ -98,19 +112,6 @@
       group = "users";
     };
 
-    "alex.pinwheel-andromeda" = {
-      file = ../../../../secrets/pinwheel/alex.pinwheel-andromeda.age;
-      path = "/home/alex/.ssh/alex.pinwheel-andromeda";
-      owner = "alex";
-      group = "users";
-    };
-    "alex.pinwheel-andromeda.pub" = {
-      file = ../../../../secrets/pinwheel/alex.pinwheel-andromeda.pub.age;
-      path = "/home/alex/.ssh/alex.pinwheel-andromeda.pub";
-      owner = "alex";
-      group = "users";
-    };
-
     "alex.pinwheel-tadpole" = {
       file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole.age;
       path = "/home/alex/.ssh/alex.pinwheel-tadpole";

hosts/pinwheel/modules/syncthing/default.nix

@@ -16,6 +16,7 @@
       devices = {
         phone.id = config.lib.syncthing.phone;
         backwards.id = config.lib.syncthing.backwards;
+        manatee.id = config.lib.syncthing.manatee;
       };
 
       folders = {
@@ -24,6 +25,7 @@
           devices = [
             "phone"
             "backwards"
+            "manatee"
           ];
           versioning = {
             type = "staggered";
@@ -56,7 +58,7 @@
         };
 
         books = {
-          path = "/home/alex/sync/books";
+          path = "/home/alex/sync/reading-material/books";
           devices = [ "backwards" ];
           versioning = {
             type = "staggered";

hosts/pinwheel/modules/waybar/default.nix

@@ -7,14 +7,14 @@
 let
   hyprlandEnabled = config.mod.hyprland.enable;
 
-  spotify-status = pkgs.writeShellScript "spotify-status" ''
+  music-status = pkgs.writeShellScript "music-status" ''
-    STATUS=$(${pkgs.playerctl}/bin/playerctl -p spotify status 2>&1)
+    STATUS=$(${pkgs.playerctl}/bin/playerctl -p naviterm,spotify status 2>&1)
 
     if [ "$STATUS" = "No players found" ]; then
       echo ""
     else
       FORMAT="{{markup_escape(xesam:title)}} - {{markup_escape(xesam:artist)}}"
-      OUTPUT=$(${pkgs.playerctl}/bin/playerctl -p spotify metadata --format "$FORMAT")
+      OUTPUT=$(${pkgs.playerctl}/bin/playerctl -p naviterm,spotify metadata --format "$FORMAT")
       case "$STATUS" in
         "Playing")
           echo "<span font='14' rise='-3000'></span> $OUTPUT"
@@ -126,7 +126,7 @@ in
           modules-left = lib.mkIf hyprlandEnabled [ "hyprland/workspaces" ];
           modules-right = [
             "custom/work-vpn-status"
-            "custom/spotify"
+            "custom/music"
             "custom/container-status"
             "custom/dunst"
             "bluetooth"
@@ -142,8 +142,8 @@ in
             interval = 2;
           };
 
-          "custom/spotify" = {
+          "custom/music" = {
-            exec = spotify-status;
+            exec = music-status;
             interval = 2;
             max-length = 70;
             tooltip = false;
@@ -222,7 +222,10 @@ in
           height = 30;
           spacing = 20;
           fixed-center = false;
-          output = [ "HDMI-A-1" ];
+          output = [
+            "HDMI-A-1"
+            "DP-3"
+          ];
 
           modules-left = lib.mkIf hyprlandEnabled [ "hyprland/workspaces" ];
           modules-right = [

hosts/pinwheel/modules/work/default.nix

@@ -16,25 +16,11 @@ in
       GITHUB_TOKEN = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.work-github-token.path})";
     };
 
-    home.packages =
+    home.packages = [
-      let
-        intellij = (
-          pkgs.jetbrains.idea-ultimate.overrideAttrs (
-            final: prev: {
-              version = "2024.2.4";
-              src = pkgs.fetchurl {
-                url = "https://download.jetbrains.com/idea/ideaIU-${final.version}.tar.gz";
-                sha256 = "8411fda793a20356a4982e4f18f6691839d8a471e2081ab6d8cc78b3f8b02532";
-              };
-            }
-          )
-        );
-      in
-      [
       # (pkgs.callPackage ./pants.nix { inherit (pkgs) system; })
       # (pkgs.callPackage ./syb-cli.nix { })
 
-        (pkgs.jetbrains.plugins.addPlugins intellij [ "ideavim" ])
+      (pkgs.jetbrains.plugins.addPlugins pkgs.jetbrains.idea-ultimate [ "ideavim" ])
 
       (pkgs.google-cloud-sdk.withExtraComponents [
         pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin
@@ -51,7 +37,9 @@ in
     ];
 
     programs.go = lib.mkIf goEnabled {
-      goPrivate = [ "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.work-go-private.path})" ];
+      env = {
+        GOPRIVATE = [ "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.work-go-private.path})" ];
+      };
     };
 
     programs.git = lib.mkIf gitEnabled {

hosts/pinwheel/modules/zsh/default.nix

@@ -54,7 +54,7 @@ in
           }
         ];
 
-        initExtra = lib.strings.concatStringsSep "\n" [
+        initContent = lib.strings.concatStringsSep "\n" [
           "export KEYTIMEOUT=1"
           "bindkey -v '^?' backward-delete-char"
           "bindkey '^a' beginning-of-line"

hosts/tadpole/modules/certs/default.nix

@@ -17,6 +17,21 @@
         webroot = "/var/lib/acme/acme-challenge/";
         group = "nginx";
       };
+
+      "whib.ppp.pm" = {
+        webroot = "/var/lib/acme/acme-challenge/";
+        group = "nginx";
+      };
+
+      "api.whib.ppp.pm" = {
+        webroot = "/var/lib/acme/acme-challenge/";
+        group = "nginx";
+      };
+
+      "grafana.whib.ppp.pm" = {
+        webroot = "/var/lib/acme/acme-challenge/";
+        group = "nginx";
+      };
     };
   };
 }

hosts/tadpole/modules/default.nix

@@ -22,6 +22,8 @@ in
       };
 
       pppdotpm-site.enable = true;
+      whib-backend.enable = true;
+      whib-frontend.enable = true;
     };
   };
 }

hosts/tadpole/modules/gitea/default.nix

@@ -7,8 +7,6 @@
 let
   conf = config.mod.gitea;
   gitDomain = "git.${conf.baseDomain}";
-
-  nginxEnable = config.mod.nginx.enable;
 in
 {
   options = {
@@ -37,8 +35,12 @@ in
     };
   };
 
-  config = lib.mkIf (conf.enable && nginxEnable) {
+  config = lib.mkIf conf.enable {
     assertions = [
+      {
+        assertion = config.services.nginx.enable;
+        message = "Option 'config.services.nginx' must be enabled";
+      }
       {
         assertion = conf.baseDomain != "";
         message = "Option 'mod.gitea.baseDomain' cannot be empty";
@@ -62,6 +64,7 @@ in
           ROOT_URL = "https://${gitDomain}";
 
           SSH_PORT = 1122; # see `ssh` module
+          HTTP_PORT = 3001;
         };
 
         database = {
@@ -121,7 +124,7 @@ in
         useACMEHost = gitDomain;
 
         locations."/" = {
-          proxyPass = "http://0.0.0.0:3000";
+          proxyPass = "http://0.0.0.0:3001";
           proxyWebsockets = true;
         };
       };

hosts/tadpole/modules/ppp.pm-site/default.nix

@@ -6,8 +6,6 @@
 }:
 let
   enabled = config.mod.pppdotpm-site.enable;
-
-  nginxEnabled = config.mod.nginx.enable;
 in
 {
   imports = [ inputs.pppdotpm-site.nixosModules.default ];
@@ -18,7 +16,14 @@ in
     };
   };
 
-  config = lib.mkIf (enabled && nginxEnabled) {
+  config = lib.mkIf enabled {
+    assertions = [
+      {
+        assertion = config.services.nginx.enable;
+        message = "Option 'config.services.nginx' must be enabled";
+      }
+    ];
+
     services.pppdotpm-site = {
       enable = true;
       domain = "ppp.pm";

hosts/tadpole/modules/whib/default.nix

@@ -0,0 +1,79 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  backendEnabled = config.mod.whib-backend.enable;
+  frontendEnabled = config.mod.whib-frontend.enable;
+in
+{
+  options = {
+    mod.whib-backend = {
+      enable = lib.mkEnableOption "enable WHIB backend";
+    };
+
+    mod.whib-frontend = {
+      enable = lib.mkEnableOption "enable WHIB frontend";
+    };
+  };
+
+  config = {
+    assertions = [
+      {
+        assertion = backendEnabled && config.services.nginx.enable;
+        message = "Option 'config.services.nginx' must be enabled";
+      }
+    ];
+
+    services = {
+      whib-backend = lib.mkIf backendEnabled {
+        enable = true;
+
+        backend = {
+          domain = "api.whib.ppp.pm";
+          useACMEHost = "api.whib.ppp.pm";
+
+          environmentFile = config.age.secrets.whib-backend-env-vars.path;
+        };
+
+        postgres = {
+          environmentFile = config.age.secrets.whib-postgres-env-vars.path;
+
+          backup = {
+            interval = "*-*-* 00:00:00 UTC";
+
+            environmentFile = config.age.secrets.whib-postgres-backup-env-vars.path;
+            gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
+          };
+        };
+
+        grafana = {
+          domain = "grafana.whib.ppp.pm";
+          useACMEHost = "grafana.whib.ppp.pm";
+
+          environmentFile = config.age.secrets.whib-grafana-env-vars.path;
+        };
+      };
+
+      whib-frontend = lib.mkIf frontendEnabled {
+        enable = true;
+
+        domain = "whib.ppp.pm";
+        useACMEHost = "whib.ppp.pm";
+        backendHost = "https://api.whib.ppp.pm";
+      };
+    };
+
+    age.secrets = {
+      "whib-backend-env-vars".file = ../../../../secrets/tadpole/whib-backend-env-vars.age;
+      "whib-postgres-env-vars".file = ../../../../secrets/tadpole/whib-postgres-env-vars.age;
+
+      "whib-postgres-backup-env-vars".file =
+        ../../../../secrets/tadpole/whib-postgres-backup-env-vars.age;
+      "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
+
+      "whib-grafana-env-vars".file = ../../../../secrets/tadpole/whib-grafana-env-vars.age;
+    };
+  };
+}

hosts/test-vm/configuration.nix

@@ -2,6 +2,8 @@
 {
   imports = [
     ./ppp.pm-site.nix
+    ./whib-backend.nix
+    ./whib-frontend.nix
   ];
 
   config = {
@@ -10,7 +12,9 @@
     networking.hostName = "test-vm";
 
     mod = {
-      pppdotpm-site.enable = true;
+      pppdotpm-site.enable = false;
+      whib-backend.enable = true;
+      whib-frontend.enable = true;
     };
 
     users.users.a = {
@@ -22,9 +26,9 @@
     security.sudo.wheelNeedsPassword = false;
 
     virtualisation.vmVariant = {
-      # following configuration is added only when building VM with build-vm
+      # following configuration is added only when building VM the *first* time with `build-vm`
       virtualisation = {
-        diskSize = 4096;
+        diskSize = 8192;
         memorySize = 2048;
         cores = 3;
         graphics = false;

hosts/test-vm/whib-backend.nix

@@ -0,0 +1,124 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  enabled = config.mod.whib-backend.enable;
+in
+{
+  options = {
+    mod.whib-backend = {
+      enable = lib.mkEnableOption "enable WHIB backend";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    services.whib-backend =
+      let
+        backendEnvVars = pkgs.writeText "backend-env-vars" ''
+          SIGNING_KEY=signingkey
+          POSTGRES_DB=whib
+          POSTGRES_USER=whib
+          POSTGRES_PASSWORD=pgpassword
+        '';
+
+        postgresEnvVars = pkgs.writeText "postgres-env-vars" ''
+          POSTGRES_DB=whib
+          POSTGRES_USER=whib
+          POSTGRES_PASSWORD=pgpassword
+        '';
+
+        postgresBackupEnvVars = pkgs.writeText "postgres-backup-env-vars" ''
+          PGDATABASE=whib
+          PGUSER=whib
+          PGPASSWORD=pgpassword
+          B2_BUCKET=a
+          B2_APPLICATION_KEY_ID=b
+          B2_APPLICATION_KEY=c
+        '';
+
+        gpgPassphraseFile = pkgs.writeText "gpg-passphrase" ''
+          foobar
+        '';
+
+        grafanaEnvVars = pkgs.writeText "grafana-env-vars" ''
+          GF_SECURITY_ADMIN_PASSWORD=grafanapassword
+          GF_USERS_ALLOW_SIGN_UP=false
+        '';
+
+      in
+      {
+        enable = true;
+
+        backend = {
+          domain = "whib-backend.local";
+
+          environmentFile = backendEnvVars;
+        };
+
+        postgres = {
+          environmentFile = postgresEnvVars;
+
+          backup = {
+            interval = "*-*-* *:*:00 UTC"; # Every minute, for testing
+
+            environmentFile = postgresBackupEnvVars;
+            gpgPassphraseFile = gpgPassphraseFile;
+
+          };
+        };
+
+        grafana = {
+          domain = "grafana.local";
+
+          environmentFile = grafanaEnvVars;
+        };
+      };
+
+    virtualisation.vmVariant = {
+      virtualisation = {
+        sharedDirectories = {
+          my-shared = {
+            source = "/home/alex/whib-backup";
+            target = "/mnt/shared";
+          };
+        };
+
+        forwardPorts = [
+          {
+            # Service API
+            from = "host";
+            host.port = 8080;
+            guest.port = 8080;
+          }
+          {
+            # Service Metrics
+            from = "host";
+            host.port = 8181;
+            guest.port = 8181;
+          }
+          {
+            # Postgres
+            from = "host";
+            host.port = 5432;
+            guest.port = 5432;
+          }
+          {
+            # Grafana
+            from = "host";
+            host.port = 3000;
+            guest.port = 3000;
+          }
+          {
+            # Prometheus
+            from = "host";
+            host.port = 9090;
+            guest.port = 9090;
+          }
+        ];
+      };
+    };
+  };
+}

hosts/test-vm/whib-frontend.nix

@@ -0,0 +1,34 @@
+{ lib, config, ... }:
+let
+  enabled = config.mod.whib-frontend.enable;
+in
+{
+  options = {
+    mod.whib-frontend = {
+      enable = lib.mkEnableOption "enable WHIB backend";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    services.whib-frontend = {
+      enable = true;
+
+      domain = "whib-frontend.local";
+      port = "8081";
+      backendHost = "https://api.whib.ppp.pm/"; # "whib-backend.local";
+    };
+
+    virtualisation.vmVariant = {
+      virtualisation = {
+        forwardPorts = [
+          {
+            # Service API
+            from = "host";
+            host.port = 8081;
+            guest.port = 8081;
+          }
+        ];
+      };
+    };
+  };
+}

secrets/manatee/alex.manatee-git.ppp.pm.pub.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 wkRvNA NmI7zT9UKGRlh3wQIt61Xww4p4pHMf9dtbZjYoWZ8Uw
+f+zEnvRCRG5jg/jvJyhn7cDwNQiQdycS1MjbEnD64Tc
+-> ssh-ed25519 +oNaHQ 73NC7E0ns+6Y5mSZFdlkPhZHWsqxe61CMnEqFEMZ90I
+hRfah4GDNd7Jcrfy0Xc6mGtTFGugm1R9EQTXWIQ3Dlo
+--- nCgXbaJ4nU1ovuOTtD025pzEwmtr2svW2XXj+oqd49g
+<EFBFBD><EFBFBD><EFBFBD>○<EFBFBD>.<2E><><EFBFBD>Q1pUv<55>i@<40><>yQ<79>h7<16><>n.r	<09><>%<25><>"YL<59>Rmw<6D><77>܌<><DC8C><EFBFBD>$g<14><>j<EFBFBD><6A>ϸ<EFBFBD><CFB8><EFBFBD>KY<4B>Ő<><14>g&<26>Me<>w<EFBFBD>o<><6F><EFBFBD>﨡<EFBFBD><EFA8A1><EFBFBD><EFBFBD>*<2A><>4W<34>8<EFBFBD><38>һN<D2BB><4E>n<EFBFBD>@Q<><51>c^<5E><> WƋ<57><C68B><08><>8S…<53>

secrets/manatee/root.manatee.pub.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 wkRvNA UqHbjXvBR0t5JDL698Ir+5Ea/8P12dlRwf8s8K4DLxU
+T4hCFBfgcGjX4bdcY3FAOAT+Y//gigh2wD+tulkzYg0
+-> ssh-ed25519 +oNaHQ rYO/FGLizmtgBbaum8n7Ey/fxLLzBY+qdCGEGA2eglg
+wWzReIBthn3dm8yfSljaIkyTVcegNQBFyUbUyWRpryU
+--- 4LIzUebAHUKqBwVaLPQntXiuj1hfyTvoRb9VusyQ01w
+ϪI<EFBFBD>k^<0F>f<EFBFBD><66>L2<4C><32>Y<EFBFBD><59><03><12>Ki<4B><69>kR<6B>;<3B><>O<EFBFBD><4F><EFBFBD>ժ9<D5AA><39>.hA
+<EFBFBD><18>^<5E>Bl%<25>1U<31><55>y}Y<>0c<30>!vHƋ<><C68B><EFBFBD>Ͻtjv<6A>߅<EFBFBD>AoE<6F><45><EFBFBD><EFBFBD>D<EFBFBD>جtCb<43>i5<69>4ab[<1D>og<6F><67>c<EFBFBD><12>9<EFBFBD>X@

secrets/manatee/syncthing-key.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 wkRvNA YbZzduvipUNKn6QnmQu9b/qFNLKXZ4rIykPEBUvvGGs
+aITJQ+ska4vfDL0Z7+wocYZYi5/QjodjHGJj7caE2+Q
+-> ssh-ed25519 +oNaHQ s8fl+itCgMK/Hl621+xEdlXl3w1v+Zyx/XihIvh1ahk
+BuumBEu6B2Csxr2VRRagyPnF/T7Thoz1Fq9F/NIAa0o
+--- /VPi7PCZNCHPL5dSS+QeSsZLUqBzJZygOWHKVYMyLIM
+<EFBFBD> <20><>qA<71>s<EFBFBD>	<09>x

secrets/pinwheel/alex.pinwheel-manatee.pub.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 vxPbZg eRWhz6fZKuP5v5E16uZg6si0/vlp3FdzcWud0OfAV38
+9ipUEQuy7IZZRi5RtoiH5/f093YCicJ/3VpH0TC7lh4
+-> ssh-ed25519 wkRvNA 938EBkoteypEXGVYII8KP1sm4fpN7MmasqN+lxW70DQ
+qt5DS5u1oCPvlOwO0DsoZp0OdEgZ/hRIJkD77c19Kts
+-> ssh-ed25519 +oNaHQ LJSsvOsWwHm+JygGKZ31+IBLKPNadx1OvIcA4Zm34G8
+AtSUR73XCikmAovR8YidLDy7WqZhsvjozzZM82qLsQA
+--- wDbiqcaXCRtSYx4qTqxFe8xn56J5ZkdtPrMs5Ba+4No
+<EFBFBD>d<1A><><EFBFBD><EFBFBD>RM<52>E<EFBFBD><45><EFBFBD><04>4<EFBFBD>\<5C>`<60><><EFBFBD><EFBFBD>X<EFBFBD>0<EFBFBD><30><EFBFBD>=<3D><><EFBFBD>l<EFBFBD><6C>.<2E>3ҡ<>d&`<60><>C<EFBFBD><43>'<27>Ͽ<EFBFBD>'<27>~<18>+<2B><>ܽ0<DCBD><10>`Ga<47><61>b<EFBFBD><1E>R,d<14>:<18><1A>Q|є<><D194><EFBFBD><EFBFBD><EFBFBD><16>}B<>Iߪ#<23>c<EFBFBD><63>L<EFBFBD><4C>%<10><>eD<65>Rp<52><70>ۘ6

secrets/secrets.nix

@@ -1,6 +1,7 @@
 let
-  # see `modules/age/default.nix` where these are defined
+  # see `<host>/modules/age/default.nix` where these are defined
   pinwheel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoI7Q4zT2AGXU+i8fLmzcNLdfMkEnfHYh4PmaEmo2QW root@pinwheel";
+  manatee = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqJi/Oml2s/2KBqzLrCF77YJKn36Gute8jaTCEkHEZN root.manatee";
   backwards = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcTK3CUtTsgavuLlbfOqCbHYLtUrIKqnSqYmtzGCZnv root.backwards";
   tadpole = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDbyj/vYafqpJH33jFz5HV+gwCiEIJTpxKrEFrBWx73A root@tadpole";
   alex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTgiHYcdhS87pPnduLunZVEgLVj4EtbG9XVSZP1l5s5 alex";
@@ -8,14 +9,14 @@ in {
   "pinwheel/syncthing-cert.age".publicKeys = [ pinwheel alex ];
   "pinwheel/syncthing-key.age".publicKeys = [ pinwheel alex ];
   "pinwheel/tailscale-preferred-exit-node.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/alex.pinwheel-manatee.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/alex.pinwheel-manatee.pub.age".publicKeys = [ pinwheel manatee alex ];
   "pinwheel/alex.pinwheel-backwards.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-backwards.pub.age".publicKeys = [ pinwheel backwards alex ];
   "pinwheel/alex.pinwheel-tadpole.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-tadpole.pub.age".publicKeys = [ pinwheel tadpole alex ];
   "pinwheel/alex.pinwheel-github.com.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-github.com.pub.age".publicKeys = [ pinwheel alex ];
-  "pinwheel/alex.pinwheel-andromeda.age".publicKeys = [ pinwheel alex ];
-  "pinwheel/alex.pinwheel-andromeda.pub.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-codeberg.org.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-codeberg.org.pub.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-git.ppp.pm.age".publicKeys = [ pinwheel alex ];
@@ -27,11 +28,20 @@ in {
   "pinwheel/work-staging-ovpn.age".publicKeys = [ pinwheel alex ];
   "pinwheel/work-production-ovpn.age".publicKeys = [ pinwheel alex ];
 
+  "manatee/root.manatee.age".publicKeys = [ manatee alex ];
+  "manatee/root.manatee.pub.age".publicKeys = [ manatee alex ];
+  "manatee/alex.manatee-git.ppp.pm.age".publicKeys = [ manatee alex ];
+  "manatee/alex.manatee-git.ppp.pm.pub.age".publicKeys = [ manatee alex ];
+  "manatee/syncthing-cert.age".publicKeys = [ manatee alex ];
+  "manatee/syncthing-key.age".publicKeys = [ manatee alex ];
+
   "backwards/root.backwards.age".publicKeys = [ backwards alex ];
   "backwards/root.backwards.pub.age".publicKeys = [ backwards alex ];
+  "backwards/alex.backwards-manatee.age".publicKeys = [ backwards alex ];
+  "backwards/alex.backwards-manatee.pub.age".publicKeys = [ backwards manatee alex ];
   "backwards/syncthing-cert.age".publicKeys = [ backwards alex ];
   "backwards/syncthing-key.age".publicKeys = [ backwards alex ];
-  "backwards/restic-sync-password.age".publicKeys = [ backwards alex ];
+  "backwards/restic-password.age".publicKeys = [ backwards alex ];
   "backwards/restic-cloud-sync-key.age".publicKeys = [ backwards alex ];
   "backwards/restic-cloud-sync-repository.age".publicKeys = [ backwards alex ];
   "backwards/alex.backwards-codeberg.org.age".publicKeys = [ backwards alex ];
@@ -47,4 +57,10 @@ in {
   "tadpole/alex.tadpole-git.ppp.pm.age".publicKeys = [ tadpole alex ];
   "tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ];
   "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ];
+
+  "tadpole/whib-backend-env-vars.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-postgres-env-vars.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-postgres-backup-env-vars.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-gpg-key.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-grafana-env-vars.age".publicKeys = [ tadpole alex ];
 }

secrets/tadpole/whib-gpg-key.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 5R7G9A Q6V8S5312DQhP0QtPbAlbn+uDER6jpi+gvn40ndmnn0
+soymoaAKbNlYicSbtHhqn54D0zVBHBuHUKngex/VgoM
+-> ssh-ed25519 +oNaHQ cpzCyu/9Jrm9Rx5C/rhuZku6uJWjrlHpCYxWOwuwQWw
+1GA8NsLeOTo/zHs/k0vt/N8hH+2MXfMNRy+qKBqi3fM
+--- 5O74sFn1xDZ53xHM7KHZ+ge7DzdnhyeB0W0znMk7NYQ
+u<EFBFBD><1E><><EFBFBD>w<EFBFBD>D<EFBFBD>ms"<22><>4<EFBFBD><34><EFBFBD><EFBFBD>w<EFBFBD><77>G<7F>L<>ur	7V`G=	<09><><EFBFBD><EFBFBD>C<EFBFBD><43>n2<6E><32>n<0C><0C>3S~go<67><18><><EFBFBD><EFBFBD>cs<63>@7œƳ

shared-modules/syncthing.nix

@@ -1,9 +1,11 @@
 {
   lib = {
     syncthing = {
-      phone = "HCL2CKI-SA3NWOT-PMJZNFP-I7QETYE-JOKZHXN-TSI74FV-ZA6RDO2-QQMXPAP";
+      phone = "WLDQC7C-EFOW5HM-R3PULLO-ZMADECF-6FK73FD-FRK5NF4-J6UB7DY-7B4DFQR";
       pinwheel = "AKS5L2A-NFCG5GV-3U5SSSZ-PLOX6BQ-ZL5ALXI-D7OK4KE-R2JPWRJ-B6AQJQ7";
+      manatee = "6YDVLXR-NZV6XKD-ASWPZQS-WKBRHAD-52JV5HU-JEPQ32G-6RGY7KJ-OVBO7AM";
       backwards = "XRSQ4NZ-LHCZS6H-R3A75S5-W4FH7F4-3DGA5X2-SOPYWOP-A2WRKGC-IPXH4AM";
+      tablet = "5BEPSWB-BN4MDZM-7W3ITMP-KJ53J6M-WJMLWEF-GTDJTWI-C4C5SPQ-SFS3DAY";
     };
   };
 }