WIP: nixgl wrappers

There's now a home-manager module for it, let's try it out.

flake.lock

@@ -14,11 +14,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736955230,
-        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
+        "lastModified": 1750173260,
+        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
         "type": "github"
       },
       "original": {
@@ -36,11 +36,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "lastModified": 1751413152,
+        "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5",
         "type": "github"
       },
       "original": {
@@ -117,11 +117,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742649964,
-        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
+        "lastModified": 1750779888,
+        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
         "type": "github"
       },
       "original": {
@@ -159,11 +159,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743869639,
-        "narHash": "sha256-Xhe3whfRW/Ay05z9m1EZ1/AkbV1yo0tm1CbgjtCi4rQ=",
+        "lastModified": 1752467539,
+        "narHash": "sha256-4kaR+xmng9YPASckfvIgl5flF/1nAZOplM+Wp9I5SMI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d094c6763c6ddb860580e7d3b4201f8f496a6836",
+        "rev": "1e54837569e0b80797c47be4720fab19e0db1616",
         "type": "github"
       },
       "original": {
@@ -173,13 +173,37 @@
         "type": "github"
       }
     },
+    "nixgl": {
+      "inputs": {
+        "flake-utils": [
+          "futils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1752054764,
+        "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=",
+        "owner": "nix-community",
+        "repo": "nixGL",
+        "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "main",
+        "repo": "nixGL",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1743689281,
-        "narHash": "sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ+VoVdg=",
+        "lastModified": 1752644555,
+        "narHash": "sha256-oeRcp4VEyZ/3ZgfRRoq60/08l2zy0K53l8MdfSIYd24=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2bfc080955153be0be56724be6fa5477b4eefabb",
+        "rev": "9100a4f6bf446603b9575927c8585162f9ec9aa6",
         "type": "github"
       },
       "original": {
@@ -221,6 +245,7 @@
         "futils": "futils",
         "git-hooks": "git-hooks",
         "home-manager": "home-manager",
+        "nixgl": "nixgl",
         "nixpkgs": "nixpkgs",
         "nur": "nur",
         "systems": "systems"

flake.nix

@@ -43,6 +43,17 @@
       };
     };
 
+    nixgl = {
+      type = "github";
+      owner = "nix-community";
+      repo = "nixGL";
+      ref = "main";
+      inputs = {
+        flake-utils.follows = "futils";
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
+
     nixpkgs = {
       type = "github";
       owner = "NixOS";

flake/home-manager.nix

@@ -22,10 +22,6 @@ let
   ];
 
   mkHome = name: system: inputs.home-manager.lib.homeManagerConfiguration {
-    # Work-around for home-manager
-    # * not letting me set `lib` as an extraSpecialArgs
-    # * not respecting `nixpkgs.overlays` [1]
-    # [1]: https://github.com/nix-community/home-manager/issues/2954
     pkgs = inputs.nixpkgs.legacyPackages.${system};
 
     modules = defaultModules ++ [

flake/nixos.nix

@@ -15,8 +15,10 @@ let
   ];
 
   buildHost = name: system: lib.nixosSystem {
-    inherit system;
     modules = defaultModules ++ [
+      {
+        nixpkgs.hostPlatform = system;
+      }
       "${self}/hosts/nixos/${name}"
     ];
     specialArgs = {

hosts/homes/ambroisie@bazin/default.nix

@@ -4,6 +4,20 @@
   services.gpg-agent.enable = lib.mkForce false;
 
   my.home = {
+    atuin = {
+      package = pkgs.stdenv.mkDerivation {
+        pname = "atuin";
+        version = "18.4.0";
+
+        buildCommand = ''
+          mkdir -p $out/bin
+          ln -s /usr/bin/atuin $out/bin/atuin
+        '';
+
+        meta.mainProgram = "atuin";
+      };
+    };
+
     git = {
       package = pkgs.emptyDirectory;
     };

hosts/homes/ambroisie@mousqueton/default.nix

@@ -7,6 +7,20 @@
   services.gpg-agent.enable = lib.mkForce false;
 
   my.home = {
+    atuin = {
+      package = pkgs.stdenv.mkDerivation {
+        pname = "atuin";
+        version = "18.4.0";
+
+        buildCommand = ''
+          mkdir -p $out/bin
+          ln -s /usr/bin/atuin $out/bin/atuin
+        '';
+
+        meta.mainProgram = "atuin";
+      };
+    };
+
     git = {
       package = pkgs.emptyDirectory;
     };

hosts/nixos/aramis/home.nix

@@ -20,7 +20,7 @@
       element-desktop # Matrix client
       jellyfin-media-player # Wraps the webui and mpv together
       pavucontrol # Audio mixer GUI
-      transgui # Transmission remote
+      trgui-ng # Transmission remote
     ];
     # Minimal video player
     mpv.enable = true;

hosts/nixos/porthos/secrets/secrets.nix

@@ -81,6 +81,7 @@ in
   "pyload/credentials.age".publicKeys = all;
 
   "servarr/autobrr/session-secret.age".publicKeys = all;
+  "servarr/cross-seed/configuration.json.age".publicKeys = all;
 
   "sso/auth-key.age" = {
     owner = "nginx-sso";

hosts/nixos/porthos/services.nix

@@ -51,6 +51,10 @@ in
         passwordFile = secrets."forgejo/mail-password".path;
       };
     };
+    # Home inventory
+    homebox = {
+      enable = true;
+    };
     # Jellyfin media server
     jellyfin.enable = true;
     # Gitea mirrorig service
@@ -144,6 +148,9 @@ in
       autobrr = {
         sessionSecretFile = secrets."servarr/autobrr/session-secret".path;
       };
+      cross-seed = {
+        secretSettingsFile = secrets."servarr/cross-seed/configuration.json".path;
+      };
       # ... But not Lidarr because I don't care for music that much
       lidarr = {
         enable = false;

modules/home/atuin/default.nix

@@ -8,6 +8,10 @@ in
 
     # I want the full experience by default
     package = mkPackageOption pkgs "atuin" { };
+
+    daemon = {
+      enable = my.mkDisableOption "atuin daemon";
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -15,12 +19,18 @@ in
       enable = true;
       inherit (cfg) package;
 
+      daemon = lib.mkIf cfg.daemon.enable {
+        enable = true;
+      };
+
       flags = [
         # I *despise* this hijacking of the up key, even though I use Ctrl-p
         "--disable-up-arrow"
       ];
 
       settings = {
+        # Reasonable date format
+        dialect = "uk";
         # The package is managed by Nix
         update_check = false;
         # I don't care for the fancy display

modules/home/default.nix

@@ -8,6 +8,7 @@
     ./bluetooth
     ./calibre
     ./comma
+    ./delta
     ./dircolors
     ./direnv
     ./discord
@@ -27,6 +28,7 @@
     ./mail
     ./mpv
     ./nix
+    ./nix-gl
     ./nix-index
     ./nixpkgs
     ./nm-applet
@@ -50,9 +52,6 @@
   # First sane reproducible version
   home.stateVersion = "20.09";
 
-  # Who am I?
-  home.username = "ambroisie";
-
   # Start services automatically
   systemd.user.startServices = "sd-switch";
 }

modules/home/delta/default.nix

@@ -0,0 +1,68 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.my.home.delta;
+in
+{
+  options.my.home.delta = with lib; {
+    enable = my.mkDisableOption "delta configuration";
+
+    package = mkPackageOption pkgs "delta" { };
+
+    git = {
+      enable = my.mkDisableOption "git integration";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        # For its configuration
+        assertion = cfg.enable -> cfg.git.enable;
+        message = ''
+          `config.my.home.delta` must enable `config.my.home.delta.git` to be
+          properly configured.
+        '';
+      }
+      {
+        assertion = cfg.enable -> config.programs.git.enable;
+        message = ''
+          `config.my.home.delta` relies on `config.programs.git` to be
+          enabled.
+        '';
+      }
+    ];
+
+    home.packages = [ cfg.package ];
+
+    programs.git = lib.mkIf cfg.git.enable {
+      delta = {
+        enable = true;
+        inherit (cfg) package;
+
+        options = {
+          features = "diff-highlight decorations";
+
+          # Less jarring style for `diff-highlight` emulation
+          diff-highlight = {
+            minus-style = "red";
+            minus-non-emph-style = "red";
+            minus-emph-style = "bold red 52";
+
+            plus-style = "green";
+            plus-non-emph-style = "green";
+            plus-emph-style = "bold green 22";
+
+            whitespace-error-style = "reverse red";
+          };
+
+          # Personal preference for easier reading
+          decorations = {
+            commit-style = "raw"; # Do not recolor meta information
+            keep-plus-minus-markers = true;
+            paging = "always";
+          };
+        };
+      };
+    };
+  };
+}

modules/home/direnv/lib/python.sh

@@ -46,7 +46,7 @@ layout_uv() {
     fi
 
     # create venv if it doesn't exist
-    uv venv -q
+    uv venv -q --allow-existing
 
     export VIRTUAL_ENV
     export UV_ACTIVE=1

modules/home/firefox/tridactyl/default.nix

@@ -12,9 +12,7 @@ let
 in
 {
   config = lib.mkIf cfg.enable {
-    xdg.configFile."tridactyl/tridactylrc".source = pkgs.substituteAll {
-      src = ./tridactylrc;
-
+    xdg.configFile."tridactyl/tridactylrc".source = pkgs.replaceVars ./tridactylrc {
       editorcmd = lib.concatStringsSep " " [
         # Use my configured terminal
         term

modules/home/git/default.nix

@@ -42,34 +42,6 @@ in
 
     lfs.enable = true;
 
-    delta = {
-      enable = true;
-
-      options = {
-        features = "diff-highlight decorations";
-
-        # Less jarring style for `diff-highlight` emulation
-        diff-highlight = {
-          minus-style = "red";
-          minus-non-emph-style = "red";
-          minus-emph-style = "bold red 52";
-
-          plus-style = "green";
-          plus-non-emph-style = "green";
-          plus-emph-style = "bold green 22";
-
-          whitespace-error-style = "reverse red";
-        };
-
-        # Personal preference for easier reading
-        decorations = {
-          commit-style = "raw"; # Do not recolor meta information
-          keep-plus-minus-markers = true;
-          paging = "always";
-        };
-      };
-    };
-
     # There's more
     extraConfig = {
       # Makes it a bit more readable

modules/home/gpg/default.nix

@@ -17,7 +17,7 @@ in
     services.gpg-agent = {
       enable = true;
       enableSshSupport = true; # One agent to rule them all
-      pinentryPackage = cfg.pinentry;
+      pinentry.package = cfg.pinentry;
       extraConfig = ''
         allow-loopback-pinentry
       '';

modules/home/nix-gl/default.nix

@@ -0,0 +1,21 @@
+{ config, inputs, lib, ... }:
+let
+  cfg = config.my.home.nix-gl;
+in
+{
+  options.my.home.nix-gl = with lib; {
+    enable = mkEnableOption "nixGL configuration";
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      nixGL = {
+        inherit (inputs.nixgl) packages;
+
+        defaultWrapper = "mesa";
+
+        installScripts = [ "mesa" ];
+      };
+    }
+  ]);
+}

modules/home/tmux/default.nix

@@ -6,7 +6,7 @@ let
     (config.my.home.wm.windowManager != null)
   ];
 
-  mkTerminalFlags = opt: flag:
+  mkTerminalFeature = opt: flag:
     let
       mkFlag = term: ''set -as terminal-features ",${term}:${flag}"'';
       enabledTerminals = lib.filterAttrs (_: v: v.${opt}) cfg.terminalFeatures;
@@ -48,7 +48,7 @@ in
     keyMode = "vi"; # Home-row keys and other niceties
     clock24 = true; # I'm one of those heathens
     escapeTime = 0; # Let vim do its thing instead
-    historyLimit = 100000; # Bigger buffer
+    historyLimit = 1000000; # Bigger buffer
     mouse = false; # I dislike mouse support
     focusEvents = true; # Report focus events
     terminal = "tmux-256color"; # I want accurate termcap info
@@ -123,9 +123,9 @@ in
       }
 
       # Force OSC8 hyperlinks for each relevant $TERM
-      ${mkTerminalFlags "hyperlinks" "hyperlinks"}
+      ${mkTerminalFeature "hyperlinks" "hyperlinks"}
       # Force 24-bit color for each relevant $TERM
-      ${mkTerminalFlags "trueColor" "RGB"}
+      ${mkTerminalFeature "trueColor" "RGB"}
     '';
   };
 }

modules/home/vim/after/queries/gitcommit/highlights.scm

@@ -0,0 +1,6 @@
+; extends
+
+; Highlight over-extended subject lines (rely on wrapping for message body)
+((subject) @comment.error
+  (#vim-match? @comment.error ".\{50,}")
+  (#offset! @comment.error 0 50 0 0))

modules/home/vim/default.nix

@@ -80,7 +80,6 @@ in
       nvim-surround # Deal with pairs, now in Lua
       oil-nvim # Better alternative to NetrW
       telescope-fzf-native-nvim # Use 'fzf' fuzzy matching algorithm
-      telescope-lsp-handlers-nvim # Use 'telescope' for various LSP actions
       telescope-nvim # Fuzzy finder interface
       which-key-nvim # Show available mappings
     ];

modules/home/vim/lua/ambroisie/lsp.lua

@@ -53,6 +53,10 @@ M.on_attach = function(client, bufnr)
         vim.diagnostic.open_float(nil, { scope = "buffer" })
     end
 
+    local function toggle_inlay_hints()
+        vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled())
+    end
+
     local keys = {
         buffer = bufnr,
         -- LSP navigation
@@ -67,6 +71,7 @@ M.on_attach = function(client, bufnr)
         { "<leader>ca", vim.lsp.buf.code_action, desc = "Code actions" },
         { "<leader>cd", cycle_diagnostics_display, desc = "Cycle diagnostics display" },
         { "<leader>cD", show_buffer_diagnostics, desc = "Show buffer diagnostics" },
+        { "<leader>ch", toggle_inlay_hints, desc = "Toggle inlay hints" },
         { "<leader>cr", vim.lsp.buf.rename, desc = "Rename symbol" },
         { "<leader>cs", vim.lsp.buf.signature_help, desc = "Show signature" },
         { "<leader>ct", vim.lsp.buf.type_definition, desc = "Go to type definition" },

modules/home/vim/plugin/numbertoggle.lua

@@ -22,13 +22,3 @@ vim.api.nvim_create_autocmd({ "BufLeave", "FocusLost", "InsertEnter", "WinLeave"
         end
     end,
 })
-
--- Never show the sign column in a terminal buffer
-vim.api.nvim_create_autocmd({ "TermOpen" }, {
-    pattern = "*",
-    group = numbertoggle,
-    callback = function()
-        vim.opt.number = false
-        vim.opt.relativenumber = false
-    end,
-})

modules/home/vim/plugin/settings/telescope.lua

@@ -23,7 +23,6 @@ telescope.setup({
 })
 
 telescope.load_extension("fzf")
-telescope.load_extension("lsp_handlers")
 
 local keys = {
     { "<leader>f", group = "Fuzzy finder" },

modules/home/vim/plugin/signtoggle.lua

@@ -1,26 +1,21 @@
 local signtoggle = vim.api.nvim_create_augroup("signtoggle", { clear = true })
 
--- Only show sign column for the currently focused buffer
+-- Only show sign column for the currently focused buffer, if it has a number column
 vim.api.nvim_create_autocmd({ "BufEnter", "FocusGained", "WinEnter" }, {
     pattern = "*",
     group = signtoggle,
     callback = function()
-        vim.opt.signcolumn = "yes"
+        if vim.opt.number:get() then
+            vim.opt.signcolumn = "yes"
+        end
     end,
 })
 vim.api.nvim_create_autocmd({ "BufLeave", "FocusLost", "WinLeave" }, {
     pattern = "*",
     group = signtoggle,
     callback = function()
-        vim.opt.signcolumn = "no"
-    end,
-})
-
--- Never show the sign column in a terminal buffer
-vim.api.nvim_create_autocmd({ "TermOpen" }, {
-    pattern = "*",
-    group = signtoggle,
-    callback = function()
-        vim.opt.signcolumn = "no"
+        if vim.opt.number:get() then
+            vim.opt.signcolumn = "no"
+        end
     end,
 })

modules/home/wm/i3/default.nix

@@ -127,6 +127,7 @@ in
             { class = "^Blueman-.*$"; }
             { title = "^htop$"; }
             { class = "^Thunderbird$"; instance = "Mailnews"; window_role = "filterlist"; }
+            { class = "^firefox$"; instance = "Places"; window_role = "Organizer"; }
             { class = "^pavucontrol.*$"; }
             { class = "^Arandr$"; }
             { class = "^\\.blueman-manager-wrapped$"; }

modules/nixos/profiles/wm/default.nix

@@ -24,6 +24,8 @@ in
       my.home.udiskie.enable = true;
       # udiskie fails if it can't find this dbus service
       services.udisks2.enable = true;
+      # Ensure i3lock can actually unlock the session
+      security.pam.services.i3lock.enable = true;
     })
   ];
 }

modules/nixos/services/drone/server/default.nix

@@ -6,8 +6,8 @@ in
   config = lib.mkIf cfg.enable {
     systemd.services.drone-server = {
       wantedBy = [ "multi-user.target" ];
-      after = [ "postgresql.service" ];
-      requires = [ "postgresql.service" ];
+      after = [ "postgresql.target" ];
+      requires = [ "postgresql.target" ];
       serviceConfig = {
         EnvironmentFile = [
           cfg.secretFile

modules/nixos/services/homebox/default.nix

@@ -19,6 +19,11 @@ in
     services.homebox = {
       enable = true;
 
+      # Automatic PostgreSQL provisioning
+      database = {
+        createLocally = true;
+      };
+
       settings = {
         # FIXME: mailer?
         HBOX_WEB_PORT = toString cfg.port;
@@ -28,6 +33,7 @@ in
     my.services.nginx.virtualHosts = {
       homebox = {
         inherit (cfg) port;
+        websocketsLocations = [ "/api" ];
       };
     };
 

modules/nixos/services/mealie/default.nix

@@ -32,33 +32,14 @@ in
         BASE_URL = "https://mealie.${config.networking.domain}";
         TZ = config.time.timeZone;
         ALLOw_SIGNUP = "false";
-
-        # Use PostgreSQL
-        DB_ENGINE = "postgres";
-        # Make it work with socket auth
-        POSTGRES_URL_OVERRIDE = "postgresql://mealie:@/mealie?host=/run/postgresql";
       };
-    };
 
-    systemd.services = {
-      mealie = {
-        after = [ "postgresql.service" ];
-        requires = [ "postgresql.service" ];
+      # Automatic PostgreSQL provisioning
+      database = {
+        createLocally = true;
       };
     };
 
-    # Set-up database
-    services.postgresql = {
-      enable = true;
-      ensureDatabases = [ "mealie" ];
-      ensureUsers = [
-        {
-          name = "mealie";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
-
     my.services.nginx.virtualHosts = {
       mealie = {
         inherit (cfg) port;

modules/nixos/services/nextcloud/default.nix

@@ -44,11 +44,15 @@ in
         adminuser = cfg.admin;
         adminpassFile = cfg.passwordFile;
         dbtype = "pgsql";
-        dbhost = "/run/postgresql";
       };
 
       https = true;
 
+      # Automatic PostgreSQL provisioning
+      database = {
+        createLocally = true;
+      };
+
       settings = {
         overwriteprotocol = "https"; # Nginx only allows SSL
       };
@@ -60,22 +64,6 @@ in
       };
     };
 
-    services.postgresql = {
-      enable = true;
-      ensureDatabases = [ "nextcloud" ];
-      ensureUsers = [
-        {
-          name = "nextcloud";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
-
-    systemd.services."nextcloud-setup" = {
-      requires = [ "postgresql.service" ];
-      after = [ "postgresql.service" ];
-    };
-
     # The service above configures the domain, no need for my wrapper
     services.nginx.virtualHosts."nextcloud.${config.networking.domain}" = {
       forceSSL = true;

modules/nixos/services/paperless/default.nix

@@ -52,30 +52,28 @@ in
 
       mediaDir = lib.mkIf (cfg.documentPath != null) cfg.documentPath;
 
-      settings =
-        let
-          paperlessDomain = "paperless.${config.networking.domain}";
-        in
-        {
-          # Use SSO
-          PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
-          PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_USER";
+      settings = {
+        # Use SSO
+        PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
+        PAPERLESS_ENABLE_HTTP_REMOTE_USER_API = true;
+        PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_USER";
 
-          # Security settings
-          PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
-          PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
+        # Security settings
+        PAPERLESS_URL = "https://paperless.${config.networking.domain}";
+        PAPERLESS_USE_X_FORWARD_HOST = true;
+        PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ];
 
-          # OCR settings
-          PAPERLESS_OCR_LANGUAGE = "fra+eng";
+        # OCR settings
+        PAPERLESS_OCR_LANGUAGE = "fra+eng";
 
-          # Workers
-          PAPERLESS_TASK_WORKERS = 3;
-          PAPERLESS_THREADS_PER_WORKER = 4;
+        # Workers
+        PAPERLESS_TASK_WORKERS = 3;
+        PAPERLESS_THREADS_PER_WORKER = 4;
 
-          # Misc
-          PAPERLESS_TIME_ZONE = config.time.timeZone;
-          PAPERLESS_ADMIN_USER = cfg.username;
-        };
+        # Misc
+        PAPERLESS_TIME_ZONE = config.time.timeZone;
+        PAPERLESS_ADMIN_USER = cfg.username;
+      };
 
       # Admin password
       passwordFile = cfg.passwordFile;

modules/nixos/services/servarr/autobrr.nix

@@ -1,4 +1,4 @@
-# IRC-based
+# IRC-based indexer
 { config, lib, ... }:
 let
   cfg = config.my.services.servarr.autobrr;
@@ -40,6 +40,7 @@ in
     my.services.nginx.virtualHosts = {
       autobrr = {
         inherit (cfg) port;
+        websocketsLocations = [ "/api" ];
       };
     };
 
@@ -54,7 +55,7 @@ in
     environment.etc = {
       "fail2ban/filter.d/autobrr.conf".text = ''
         [Definition]
-        failregex = ^.*Auth: invalid login \[.*\] from: <HOST>$
+        failregex = "message":"Auth: Failed login attempt username: \[.*\] ip: <HOST>"
         journalmatch = _SYSTEMD_UNIT=autobrr.service
       '';
     };

modules/nixos/services/servarr/cross-seed.nix

@@ -0,0 +1,96 @@
+# Automatic cross-seeding for video media
+{ config, lib, ... }:
+let
+  cfg = config.my.services.servarr.cross-seed;
+in
+{
+  options.my.services.servarr.cross-seed = with lib; {
+    enable = mkEnableOption "cross-seed daemon" // {
+      default = config.my.services.servarr.enableAll;
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 2468;
+      example = 8080;
+      description = "Internal port for daemon";
+    };
+
+    linkDirectory = mkOption {
+      type = types.str;
+      default = "/data/downloads/complete/links";
+      example = "/var/lib/cross-seed/links";
+      description = "Link directory";
+    };
+
+    secretSettingsFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/cross-seed-secrets.json";
+      description = ''
+        File containing secret settings.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.cross-seed = {
+      enable = true;
+      group = "media";
+
+      # Rely on recommended defaults for tracker snatches etc...
+      useGenConfigDefaults = true;
+
+      settings = {
+        inherit (cfg) port;
+        host = "127.0.0.1";
+
+        # Inject torrents to client directly
+        action = "inject";
+        # Query the client for torrents to match
+        useClientTorrents = true;
+        # Use hardlinks
+        linkType = "hardlink";
+        # Use configured link directory
+        linkDirs = [ cfg.linkDirectory ];
+        # Match as many torrents as possible
+        matchMode = "partial";
+        # Cross-seed full season if at least 50% of episodes are already downloaded
+        seasonFromEpisodes = 0.5;
+      };
+
+      settingsFile = cfg.secretSettingsFile;
+    };
+
+    systemd.services.cross-seed = {
+      serviceConfig = {
+        # Loose umask to make cross-seed links readable by `media`
+        UMask = "0002";
+      };
+    };
+
+    # Set-up media group
+    users.groups.media = { };
+
+    my.services.nginx.virtualHosts = {
+      cross-seed = {
+        inherit (cfg) port;
+      };
+    };
+
+    services.fail2ban.jails = {
+      cross-seed = ''
+        enabled = true
+        filter = cross-seed
+        action = iptables-allports
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/cross-seed.conf".text = ''
+        [Definition]
+        failregex = ^.*Unauthorized API access attempt to .* from <HOST>$
+        journalmatch = _SYSTEMD_UNIT=cross-seed.service
+      '';
+    };
+  };
+}

modules/nixos/services/servarr/default.nix

@@ -7,6 +7,7 @@
   imports = [
     ./autobrr.nix
     ./bazarr.nix
+    ./cross-seed.nix
     ./jackett.nix
     ./nzbhydra.nix
     ./prowlarr.nix

modules/nixos/services/tandoor-recipes/default.nix

@@ -26,18 +26,16 @@ in
     services.tandoor-recipes = {
       enable = true;
 
+      database = {
+        createLocally = true;
+      };
+
       port = cfg.port;
       extraConfig =
         let
           tandoorRecipesDomain = "recipes.${config.networking.domain}";
         in
         {
-          # Use PostgreSQL
-          DB_ENGINE = "django.db.backends.postgresql";
-          POSTGRES_HOST = "/run/postgresql";
-          POSTGRES_USER = "tandoor_recipes";
-          POSTGRES_DB = "tandoor_recipes";
-
           # Security settings
           ALLOWED_HOSTS = tandoorRecipesDomain;
           CSRF_TRUSTED_ORIGINS = "https://${tandoorRecipesDomain}";
@@ -49,27 +47,12 @@ in
 
     systemd.services = {
       tandoor-recipes = {
-        after = [ "postgresql.service" ];
-        requires = [ "postgresql.service" ];
-
         serviceConfig = {
           EnvironmentFile = cfg.secretKeyFile;
         };
       };
     };
 
-    # Set-up database
-    services.postgresql = {
-      enable = true;
-      ensureDatabases = [ "tandoor_recipes" ];
-      ensureUsers = [
-        {
-          name = "tandoor_recipes";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
-
     my.services.nginx.virtualHosts = {
       recipes = {
         inherit (cfg) port;

modules/nixos/services/transmission/default.nix

@@ -47,6 +47,7 @@ in
       enable = true;
       package = pkgs.transmission_4;
       group = "media";
+      webHome = pkgs.trgui-ng-web;
 
       downloadDirPermissions = "775";
 
@@ -65,6 +66,8 @@ in
         # Proxied behind Nginx.
         rpc-whitelist-enabled = true;
         rpc-whitelist = "127.0.0.1";
+
+        umask = "002"; # To go with `downloadDirPermissions`
       };
     };
 

modules/nixos/services/woodpecker/server/default.nix

@@ -24,8 +24,8 @@ in
     };
 
     systemd.services.woodpecker-server = {
-      after = [ "postgresql.service" ];
-      requires = [ "postgresql.service" ];
+      after = [ "postgresql.target" ];
+      requires = [ "postgresql.target" ];
 
       serviceConfig = {
         # Set username for DB access