alpine: many changes

- updates - snapserver - graphana dashboards - loki - ddclient - arr suite, jellyseer - mautrix fixes
2025-01-18 00:18:11 +00:00 · 2025-01-18 00:18:11 +00:00 · 123e7088f5
commit 123e7088f5
parent d1772cb4be
58 changed files with 2136 additions and 735 deletions
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -8,6 +8,7 @@
 }: let
  user = config.user;
 in {
+
  nix = {
    settings = {
      experimental-features = ["nix-command" "flakes"];
@ -94,31 +95,6 @@ in {
    sops
  ];

-  programs.tmux.enable = true;
-  programs.tmux.extraConfig = ''
-    set escape-time 0
-    set -g default-terminal screen
-
-    bind -n M-s split-window -v
-    bind -n M-v split-window -h
-    bind -n M-Enter split-window -h
-    bind -n M-h select-pane -L
-    bind -n M-j select-pane -D
-    bind -n M-k select-pane -U
-    bind -n M-l select-pane -R
-    bind -n M-q kill-pane
-    bind -n M-< resize-pane -L 10
-    bind -n M-> resize-pane -R 10
-    bind -n M-- resize-pane -D 10
-    bind -n M-+ resize-pane -U 10
-    bind -n M-u copy-mode
-    bind -n M-p paste-buffer
-
-    set-window-option -g mode-keys vi
-    bind-key -T copy-mode-vi v send-keys -X begin-selection
-    bind-key -T copy-mode-vi y send-keys -X copy-selection
-  '';
-
  boot.kernel.sysctl = {
    "net.ipv4.ip_unprivileged_port_start" = 53;
  };
--- a/nixos/modules/work.nix
+++ b/nixos/modules/work.nix
@ -13,12 +13,21 @@ in {
      "steam-run"
    ];

+  nixpkgs.config.permittedInsecurePackages = [
+    "openssl-1.1.1w" # required for mongodb
+  ];
+
  networking = {
    networkmanager = {
      plugins = [pkgs.networkmanager-openvpn];
    };
  };

+  # breaks some work projects ):<
+  networking.stevenblack.enable = false;
+
+  nixpkgs.overlays = [(import ../../lib/cypress.nix)];
+
  services.onedrive.enable = true;

  users.users.${user}.extraGroups = ["docker"];
--- a/nixos/programs/cosmic.nix
+++ b/nixos/programs/cosmic.nix
@ -0,0 +1,20 @@
+{
+  inputs,
+  config,
+  ...
+}: {
+  imports = [
+    inputs.nixos-cosmic.nixosModules.default
+  ];
+  nix.settings = {
+    substituters = ["https://cosmic.cachix.org/"];
+    trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
+  };
+  services.desktopManager.cosmic.enable = true;
+  services.displayManager.cosmic-greeter.enable = true;
+  services.system76-scheduler.enable = true;
+  home-manager.users.${config.user}.imports = [
+    (import "${inputs.home-manager-cosmic}/modules/programs/cosmic/.")
+    ../../home/desktop/cosmic/.
+  ];
+}
--- a/nixos/programs/gamer.nix
+++ b/nixos/programs/gamer.nix
@ -1,4 +1,8 @@
-{lib, ...}: {
+{
+  lib,
+  pkgs,
+  ...
+}: {
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) [
      "steam"
@ -6,9 +10,12 @@
      "steam-original"
      "osu-lazer"
    ];
-
  programs.steam = {
    enable = true;
+    extest.enable = true;
+    extraCompatPackages = with pkgs; [
+      proton-ge-bin
+    ];
    remotePlay.openFirewall = true;
    dedicatedServer.openFirewall = true;
  };
--- a/nixos/programs/hyprland.nix
+++ b/nixos/programs/hyprland.nix
@ -0,0 +1,13 @@
+{config, ...}: {
+  programs.hyprland.enable = true;
+  security.pam.services.hyprlock = {};
+
+  imports = [
+    ./pipewire.nix
+    ../workstation.nix
+  ];
+
+  home-manager.users.${config.user}.imports = [
+    ../../home/desktop/hyprland/.
+  ];
+}
--- a/nixos/programs/pipewire.nix
+++ b/nixos/programs/pipewire.nix
@ -0,0 +1,14 @@
+{
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+    raopOpenFirewall = true;
+  };
+  # network streaming
+  networking.firewall.allowedTCPPorts = [4713];
+}
--- a/nixos/services/arr.nix
+++ b/nixos/services/arr.nix
@ -0,0 +1,70 @@
+{config, lib, ...}: let
+  inherit (config) sops;
+  inherit (sops) templates placeholder;
+in {
+  users.groups.media = {};
+  services.jackett = {
+    enable = true;
+  };
+  services.lidarr = {
+    enable = true;
+    group = "media";
+  };
+  services.sonarr = {
+    enable = true;
+    group = "media";
+  };
+  services.radarr = {
+    enable = true;
+    group = "media";
+  };
+  services.jellyseerr.enable = true;
+  sops.secrets.sonarr-sslkey = {
+    sopsFile = ../../certs/alpine.prawn-justice.ts.net.key;
+    format = "binary";
+    owner = "nginx";
+  };
+  # this was fun to figure out, but pointless atm.
+  services.nginx.virtualHosts."alpine.prawn-justice.ts.net" = {
+    forceSSL = true;
+    sslCertificateKey = config.sops.secrets.sonarr-sslkey.path;
+    sslCertificate = ../../certs/alpine.prawn-justice.ts.net.crt;
+  };
+  # probably easier if i just put this in a nixos-container
+  virtualisation.oci-containers.containers.transmission = {
+    autoStart = false;
+    image = "docker.io/haugene/transmission-openvpn:5.3.1";
+    ports = ["9091:9091"];
+    volumes = [
+      "/mnt/storage/downloads:/data"
+      "transmission-config:/config"
+      "/mnt/storage/media/unsorted:/data/completed"
+    ];
+    environmentFiles = [ templates."transmission/env".path ];
+    environment = {
+      PUID = "1000";
+      GUID = "1000";
+      SUBNET = "100.0.0.0/8";
+    };
+    extraOptions = builtins.map (cap: "--cap-add=${cap}") [
+      "NET_ADMIN"
+      "NET_RAW"
+      "MKNOD"
+    ];
+  };
+  sops.secrets = {
+    "transmission/auth/OPENVPN_PROVIDER" = {};
+    "transmission/auth/OPENVPN_CONFIG" = {};
+    "transmission/auth/OPENVPN_USERNAME" = {};
+    "transmission/auth/OPENVPN_PASSWORD" = {};
+  };
+  sops.templates."transmission/env" = {
+    owner = "tristan";
+    content = ''
+      OPENVPN_PROVIDER="${placeholder."transmission/auth/OPENVPN_PROVIDER"}"
+      OPENVPN_CONFIG="${placeholder."transmission/auth/OPENVPN_CONFIG"}"
+      OPENVPN_USERNAME="${placeholder."transmission/auth/OPENVPN_USERNAME"}"
+      OPENVPN_PASSWORD="${placeholder."transmission/auth/OPENVPN_PASSWORD"}"
+    '';
+  };
+}
--- a/nixos/services/authentik.nix
+++ b/nixos/services/authentik.nix
@ -0,0 +1,97 @@
+{config, ...}: let
+  inherit (config) sops;
+  inherit (sops) templates placeholder;
+  redis_port = "6380";
+  authentik_port = "8084";
+  postgres = {
+    user = "authentik";
+    db = "authentik";
+    port = "5437";
+  };
+  authentik-config = {
+    autoStart = true;
+    image = "ghcr.io/goauthentik/server:2024.8.2";
+    volumes = ["/home/tristan/pods/authentik/media:/media"];
+    environment = {
+      AUTHENTIK_POSTGRESQL__USER = postgres.user;
+      AUTHENTIK_POSTGRESQL__HOST = "192.168.1.2";
+      AUTHENTIK_POSTGRESQL__PORT = postgres.port;
+      AUTHENTIK_REDIS__HOST = "192.168.1.2";
+      AUTHENTIK_REDIS__PORT = redis_port;
+      AUTHENTIK_EMAIL__FROM = "Authentik <tristan@tristans.cloud>";
+      AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME = "false";
+    };
+    environmentFiles = [templates."authentik/environment".path];
+    dependsOn = ["authentik-redis" "authentik-postgres"];
+  };
+in {
+  sops.secrets = {
+    "authentik/postgres_password" = {};
+    "authentik/secret_key" = {};
+    "mail/host" = {};
+    "mail/port" = {};
+    "mail/username" = {};
+    "mail/password" = {};
+    "mail/ssl" = {};
+  };
+  sops.templates = {
+    "authentik/environment" = {
+      content = ''
+        AUTHENTIK_POSTGRESQL__PASSWORD="${placeholder."authentik/postgres_password"}"
+        AUTHENTIK_SECRET_KEY="${placeholder."authentik/secret_key"}"
+        AUTHENTIK_EMAIL__HOST="${placeholder."mail/host"}"
+        AUTHENTIK_EMAIL__PORT="${placeholder."mail/port"}"
+        AUTHENTIK_EMAIL__USERNAME="${placeholder."mail/username"}"
+        AUTHENTIK_EMAIL__PASSWORD="${placeholder."mail/password"}"
+        AUTHENTIK_EMAIL__USE_SSL="${placeholder."mail/ssl"}"
+      '';
+    };
+    "authentik/postgres_env" = {
+      content = ''
+        POSTGRES_PASSWORD="${placeholder."authentik/postgres_password"}"
+      '';
+    };
+  };
+  virtualisation.oci-containers.containers = {
+    authentik-redis = {
+      autoStart = true;
+      image = "redis:7.2-alpine";
+      ports = ["${redis_port}:6379"];
+      volumes = ["authentik-redis:/data"];
+    };
+
+    authentik-server =
+      authentik-config
+      // {
+        cmd = ["server"];
+        ports = ["${authentik_port}:9000" "9084:9300"];
+      };
+
+    authentik-worker =
+      authentik-config
+      // {
+        cmd = ["worker"];
+      };
+
+    authentik-postgres = {
+      autoStart = true;
+      image = "docker.io/postgres:14-alpine";
+      ports = ["${postgres.port}:5432"];
+      volumes = ["/home/tristan/pods/authentik/db:/var/lib/postgresql/data"];
+      environment = {
+        POSTGRES_USER = postgres.user;
+        POSTGRES_DB = postgres.db;
+      };
+      environmentFiles = [templates."authentik/postgres_env".path];
+    };
+  };
+
+  services.nginx.virtualHosts."auth.tristans.cloud" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."~" = {
+      proxyPass = "http://localhost:${authentik_port}";
+      proxyWebsockets = true;
+    };
+  };
+}
--- a/nixos/services/grafana.nix
+++ b/nixos/services/grafana.nix
@ -1,6 +1,15 @@
-{config, ...}: let
+{config, lib, pkgs, ...}: let
  cfg = config.services.grafana;
  secrets = config.sops.secrets;
+  mkDashboards = dashboards: pkgs.symlinkJoin {
+    name = "dashboards";
+    paths = map mkDashboard dashboards;
+  };
+  mkDashboard = {name, url, sha256}: pkgs.writeTextFile {
+    inherit name;
+    text = builtins.readFile ( builtins.fetchurl {inherit url sha256;} );
+    destination = "/dash/${name}.json";
+  };
 in {
  sops.secrets."grafana/oidc_client_secret" = {
    owner = "grafana";
@ -25,6 +34,22 @@ in {
        role_attribute_path = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
      };
    };
+    provision.dashboards.settings.providers = [{
+      name = "Node Exporter";
+      type = "file";
+      options.path = mkDashboards [
+      {
+        name = "node-exporter";
+        url = "https://grafana.com/api/dashboards/1860/revisions/37/download";
+        sha256 = "sha256:0qza4j8lywrj08bqbww52dgh2p2b9rkhq5p313g72i57lrlkacfl";
+      }
+      {
+        name = "synapse";
+        url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/grafana/synapse.json";
+        sha256 = "sha256:07qlr0waw9phmyd38bv22bn5v303w3397b89l44l3lzwhpnhs16s";
+      }
+      ];
+    }];
  };
  services.nginx.virtualHosts = {
    ${cfg.settings.server.domain} = {
--- a/nixos/services/jellyfin.nix
+++ b/nixos/services/jellyfin.nix
@ -1,6 +1,7 @@
 {
  services.jellyfin = {
    enable = true;
+    group = "media"; # access to user stuff
  };
  services.nginx.virtualHosts."movies.tristans.cloud" = {
    forceSSL = true;
--- a/nixos/services/loki.nix
+++ b/nixos/services/loki.nix
@ -0,0 +1,94 @@
+{config, ...}: let
+  inherit (config.services) loki;
+in {
+  services.loki = {
+    enable = true;
+    configuration = {
+      auth_enabled = false;
+      server.http_listen_port = 3100;
+      schema_config.configs = [
+        {
+          from = "2024-10-12";
+          object_store = "filesystem";
+          store = "tsdb";
+          schema = "v13";
+          index = {
+            prefix = "index_";
+            period = "24h";
+          };
+        }
+      ];
+      storage_config."filesystem".directory = "/tmp/loki/chunks";
+      common = {
+        ring = {
+          instance_addr = "127.0.0.1";
+          kvstore.store = "inmemory";
+        };
+        replication_factor = 1;
+        path_prefix = "/tmp/loki";
+      };
+      limits_config.ingestion_rate_strategy = "local";
+    };
+  };
+  services.prometheus.scrapeConfigs = [{
+    job_name = "loki";
+    static_configs = [
+      {
+        targets = ["localhost:3100"];
+      }
+    ];
+  }];
+  services.promtail = {
+    enable = true;
+    # https://grafana.com/docs/loki/latest/send-data/promtail/configuration/
+    configuration = {
+      server = {
+        http_listen_port = 9080;
+        grpc_listen_port = 0;
+      };
+      clients = [
+        {url = "http://localhost:3100/loki/api/v1/push";}
+      ];
+      scrape_configs = [
+        {
+          job_name = "system";
+          journal = {
+            path = "/var/log/journal/";
+          };
+          relabel_configs = [
+            {
+              source_labels = ["__journal_message"];
+              target_label = "message";
+              regex = "(.+)";
+            }
+            {
+              source_labels = ["__journal__systemd_unit"];
+              target_label = "systemd_unit";
+              regex = "(.+)";
+            }
+            {
+              source_labels = ["__journal__systemd_user_unit"];
+              target_label = "systemd_user_unit";
+              regex = "(.+)";
+            }
+            {
+              source_labels = ["__journal__transport"];
+              target_label = "transport";
+              regex = "(.+)";
+            }
+            {
+              source_labels = ["__journal__priority_keyword"];
+              target_label = "severity";
+              regex = "(.+)";
+            }
+          ];
+        }
+      ];
+    };
+  };
+  services.grafana.provision.datasources.settings.datasources = [{
+    name = "Loki";
+    type = "loki";
+    url = "http://localhost:${toString loki.configuration.server.http_listen_port}";
+  }];
+}
--- a/nixos/services/mautrix/signal.nix
+++ b/nixos/services/mautrix/signal.nix
@ -1,9 +1,44 @@
-{config, ...}: let
-  inherit (config) sops;
-  inherit (sops) templates placeholder;
+{config, lib, ...}: let
  inherit (import ./lib.nix) toAppRegistration;
+  inherit (config.sops) templates placeholder;
 in {
+
+  virtualisation.oci-containers.containers.mautrix-signal = {
+    image = "dock.mau.dev/mautrix/signal:v0.7.1";
+    dependsOn = ["mautrix-signal-psql"];
+    volumes = [
+      "/home/tristan/pods/signal-bridge/mautrix-signal:/data:z"
+    ];
+    ports = [
+      "29328:29328"
+      "8000:8000"
+    ];
+  };
+
+# when you get around to backing this up
+# 1. stop the server.
+# 2. backup the db.
+# 3. migrate to newer version of postgres
+# 4. migrate db to local
+  virtualisation.oci-containers.containers.mautrix-signal-psql = {
+    image = "docker.io/postgres:14-alpine";
+    # ports = [ "127.0.0.1:5435:5432" ];
+    ports = [ "5435:5432" ];
+    volumes = [ "/home/tristan/pods/signal-bridge/db:/var/lib/postgresql/data" ];
+    environmentFiles = [templates."mautrix-signal/psql.env".path];
+  };
+  sops.templates = {
+    "mautrix-signal/psql.env" = {
+      owner = config.users.users.nobody.name;
+      content = lib.strings.toShellVars {
+        POSTGRES_PASSWORD = placeholder."mautrix-signal/postgres_password";
+        POSTGRES_USER = "signald";
+        POSTGRES_DB = "signald";
+      };
+    };
+  };
  sops.secrets = {
+    "mautrix-signal/postgres_password" = {};
    "mautrix-signal/as_token" = {};
    "mautrix-signal/hs_token" = {};
  };
@ -20,10 +55,8 @@ in {
      };
    };
  };
-
-  # mautrix-signal server currently in ansible/podman
-
  services.matrix-synapse.settings.app_service_config_files = [
    templates."mautrix-signal/appservice.yaml".path
  ];
+
 }
--- a/nixos/services/mautrix/whatsapp.nix
+++ b/nixos/services/mautrix/whatsapp.nix
@ -1,33 +1,11 @@
-{config, ...}: let
-  inherit (config) sops;
-  inherit (sops) templates placeholder;
-  inherit (import ./lib.nix) toAppRegistration;
-in {
-  sops.secrets = {
-    "mautrix-whatsapp/as_token" = {};
-    "mautrix-whatsapp/hs_token" = {};
-  };
-  sops.templates = {
-    "mautrix-whatsapp/appservice.yaml" = {
-      owner = "matrix-synapse";
-      content = toAppRegistration {
-        id = "whatsapp";
-        port = config.services.mautrix-whatsapp.settings.appservice.port;
-        as_token = placeholder."mautrix-whatsapp/as_token";
-        hs_token = placeholder."mautrix-whatsapp/hs_token";
-        sender_localpart = "Gx8tLTHsxVlrdD3qibaPdaP9t7GhfciV";
-        "de.sorunome.msc2409.push_ephemeral" = true;
-      };
-    };
-    # "mautrix-whatsapp/env".content = ''
-    #   MAUTRIX_WHATSAPP_APPSERVICE_AS_TOKEN=${placeholder."mautrix-whatsapp/as_token"}
-    #   MAUTRIX_WHATSAPP_APPSERVICE_HS_TOKEN=${placeholder."mautrix-whatsapp/hs_token"}
-    # '';
-  };
+{config, ...}: {
+  nixpkgs.config.permittedInsecurePackages = [
+    "olm-3.2.16"
+  ];

  services.mautrix-whatsapp = {
    enable = true;
-    # environmentFile = templates."mautrix-whatsapp/env".path;
+    registerToSynapse = true;
    settings = {
      homeserver = {
        address = "http://localhost:8008";
@ -46,9 +24,4 @@ in {
      };
    };
  };
-
-  services.matrix-synapse.settings.app_service_config_files = [
-    templates."mautrix-whatsapp/appservice.yaml".path
-    # "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
-  ];
 }
--- a/nixos/services/monero.nix
+++ b/nixos/services/monero.nix
@ -0,0 +1,16 @@
+{...}: {
+  services.monero = {
+    enable = true;
+    rpc = {
+      address = "0.0.0.0";
+      restricted = true;
+    };
+    extraConfig = ''
+      prune-blockchain=1
+      confirm-external-bind=1
+      out-peers=64              # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
+      in-peers=1024             # The default is unlimited; we prefer to put a cap on this
+      zmq-pub=tcp://localhost:18083
+    '';
+  };
+}
--- a/nixos/services/mpd.nix
+++ b/nixos/services/mpd.nix
@ -2,6 +2,26 @@
  services.mpd = {
    enable = true;
    network.listenAddress = "0.0.0.0";
+    extraConfig = ''
+      audio_output {
+      type "fifo"
+      name "snapcast"
+      path "${config.services.snapserver.streams.mpd.location}"
+      format "${config.services.snapserver.streams.mpd.sampleFormat}"
+      mixer_type "software"
+      }
+    '';
  };
  networking.firewall.allowedTCPPorts = [config.services.mpd.network.port];
+  services.snapserver = {
+    enable = true;
+    openFirewall = true;
+    buffer = 1000;
+    streams.mpd = {
+      type = "pipe";
+      location = "/run/snapserver/mpd";
+      sampleFormat = "44100:16:2";
+      codec = "pcm";
+    };
+  };
 }
--- a/nixos/services/nextcloud.nix
+++ b/nixos/services/nextcloud.nix
@ -1,6 +1,7 @@
 {
  config,
  pkgs,
+  lib,
  ...
 }: let
  nextcloud = config.services.nextcloud;
@ -27,6 +28,7 @@ in {
  services.nextcloud = {
    enable = true;
    https = true;
+    package = pkgs.nextcloud29;
    hostName = "files.${config.networking.domain}";
    configureRedis = true;
    database.createLocally = true;
@ -78,15 +80,16 @@ in {
        notes
        maps
        previewgenerator
+        deck
        ;
      oidc_login = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-cN5azlThKPKRVip14yfUNR85of5z+N6NVI7sg6pSGQI=";
-        url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.0.2/oidc_login.tar.gz";
+        sha256 = "sha256-DrbaKENMz2QJfbDKCMrNGEZYpUEvtcsiqw9WnveaPZA=";
+        url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.2.0/oidc_login.tar.gz";
        license = "agpl3Only";
      };
      news = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-aePXUn57U+1e01dntxFuzWZ8ILzwbnsAOs60Yz/6zUU=";
-        url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha4/news.tar.gz";
+        sha256 = "sha256-jH1F/IZItlZEpsfgXhRojiYD6ZEVhsuRvz8Qs0Z3UFI=";
+        url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha9/news.tar.gz";
        license = "agpl3Only";
      };
    };
--- a/nixos/services/prometheus.nix
+++ b/nixos/services/prometheus.nix
@ -34,4 +34,9 @@ in {
      };
    };
  };
+  services.grafana.provision.datasources.settings.datasources = [{
+    name = "Prometheus";
+    type = "prometheus";
+    url = "http://localhost:${toString prometheus.port}";
+  }];
 }
--- a/nixos/services/synapse/default.nix
+++ b/nixos/services/synapse/default.nix
@ -16,6 +16,8 @@
  inherit (config.services) matrix-synapse matrix-sliding-sync;
  inherit (sops) secrets templates;
 in {
+  imports = [./metrics.nix];
+
  services.postgresql.enable = true;
  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
@ -66,7 +68,7 @@ in {
      server_name = domain;
      baseurl = "https://${domain}";
      oidc_providers = [];
-      settings.listeners = [
+      listeners = [
        {
          inherit port;
          bind_addresses = ["localhost"];
--- a/nixos/services/synapse/metrics.nix
+++ b/nixos/services/synapse/metrics.nix
@ -0,0 +1,25 @@
+let
+  port = 9008;
+in {
+  services.prometheus.scrapeConfigs = [{
+    job_name = "synapse";
+    metrics_path = "/_synapse/metrics";
+    static_configs = [{
+      targets = ["localhost:${toString port}"];
+    }];
+  }];
+  services.matrix-synapse.settings = {
+    enable_metrics = true;
+    listeners = [
+      {
+        port = port;
+        type = "metrics";
+        bind_addresses = ["127.0.0.1"];
+        tls = false;
+        resources = []; # unneeded with type: metrics, just to make the nix module happy
+      }
+    ];
+  };
+# Grafana rules? 
+# https://github.com/element-hq/synapse/tree/master/contrib/prometheus/
+}
--- a/nixos/workstation.nix
+++ b/nixos/workstation.nix
@ -1,45 +1,15 @@
 {
  inputs,
  pkgs,
+  lib,
+  config,
  ...
 }: {
  imports = [
    inputs.stylix.nixosModules.stylix
  ];
-  nixpkgs.config.permittedInsecurePackages = [
-    "electron-25.9.0"
-  ];

-  # use pipewire
-  hardware.pulseaudio.enable = false;
-  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-    jack.enable = true;
-  };
-  # pipewire raop
-  networking.firewall.allowedUDPPorts = [6002 6001];
-  # network streaming
-  networking.firewall.allowedTCPPorts = [4713];
-
-  security.pam.services.swaylock = {};
  security.polkit.enable = true;
-  systemd.user.services.polkit-gnome-authentication-agent-1 = {
-    description = "polkit-gnome-authentication-agent-1";
-    wantedBy = ["graphical-session.target"];
-    wants = ["graphical-session.target"];
-    after = ["graphical-session.target"];
-    serviceConfig = {
-      Type = "simple";
-      ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
-      Restart = "on-failure";
-      RestartSec = 1;
-      TimeoutStopSec = 10;
-    };
-  };

  hardware.opentabletdriver.enable = true;

@ -47,7 +17,10 @@

  services.printing.enable = true;

-  services.dbus.enable = true;
+  services.dbus = {
+    enable = true;
+    packages = [pkgs.gcr];
+  };
  programs.light.enable = true;
  programs.dconf.enable = true;

@ -59,19 +32,34 @@
  virtualisation.waydroid.enable = true;

  networking.stevenblack = {
-    enable = true;
+    enable = lib.mkDefault true;
    block = ["porn" "gambling"];
  };

  stylix = {
+    enable = true;
    image = ../images/nix-soft.png;
-    base16Scheme = "${pkgs.base16-schemes}/share/themes/onedark.yaml";
+    base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-dark-hard.yaml";
    opacity = {
      terminal = 0.9;
      applications = 0.9;
      desktop = 0.9;
      popups = 0.9;
    };
+    cursor = {
+      name = "Vanilla-DMZ";
+      package = pkgs.vanilla-dmz;
+      size = 24;
+    };
+    targets = {
+      gtk.enable = false; # fails to switch with cosmic overriding it (grr)
+      grub = {
+        useImage = true;
+      };
+      nixvim = {
+        transparentBackground.main = true;
+      };
+    };
  };

  nixpkgs.overlays = [
@ -84,4 +72,8 @@
    nerdfonts
    interalia
  ];
+
+  home-manager.users.${config.user}.imports = [
+    ../home/workstation.nix
+  ];
 }