feat: initial commit, migrate main config from dot013/.nix

.gitignore

@@ -0,0 +1,3 @@
+*.*~
+*.iso
+Session.vim

.sops.yaml

@@ -0,0 +1,11 @@
+keys:
+  - &primary age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz
+creation_rules:
+  - path_regex: secrets/spacestation.yaml$
+    key_groups:
+      - age:
+        - *primary
+  - path_regex: secrets/spacestation.lesser.json$
+    key_groups:
+      - age:
+        - *primary

configuration.nix

@@ -0,0 +1,81 @@
+{ config
+, lib
+, inputs
+, pkgs
+, ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    inputs.dot013-environment.nixosModules.default
+    ./services
+    ./modules
+    ./secrets.nix
+  ];
+
+  programs.nh.enable = true;
+  programs.nh.flake = "/home/guz/nix";
+
+  profiles.locale.enable = true;
+
+  home-manager.extraSpecialArgs = { inherit inputs; };
+  users.users."guz" = {
+    shell = pkgs.zsh;
+    hashedPasswordFile = builtins.toString config.sops.secrets."guz/password".path;
+    home = "/home/guz";
+    isNormalUser = true;
+    extraGroups = [ "wheel" "networkmanager" "plugdev" ];
+  };
+  home-manager.users."guz" = import ./homes/guz.nix;
+
+  dot013.environment.enable = true;
+  dot013.environment.interception-tools.enable = false;
+
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryPackage = pkgs.pinentry-gnome3;
+    settings = {
+      default-cache-ttl = 3600 * 24;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    libinput
+  ];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.package = pkgs.nixVersions.nix_2_21;
+
+  networking = {
+    networkmanager.enable = true;
+    hostName = "spacestation";
+    wireless.enable = false;
+    dhcpcd.enable = true;
+    defaultGateway = "192.168.1.1";
+    interfaces."eno1".ipv4.addresses = [
+      {
+        address = "192.168.1.10";
+        prefixLength = 24;
+      }
+    ];
+  };
+
+  services.openssh.enable = true;
+
+  security.rtkit.enable = true;
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

flake.lock

@@ -0,0 +1,142 @@
+{
+  "nodes": {
+    "dot013-environment": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1718398180,
+        "narHash": "sha256-jru21A3VkuAZNMauZe8DrdiotIdu1SfUNtksI1PxwUk=",
+        "owner": "dot013",
+        "repo": "environment",
+        "rev": "7f4cfd9924d6abcc23fafe1d48fd1e849c6448a4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "dot013",
+        "repo": "environment",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1718243258,
+        "narHash": "sha256-abBpj2VU8p6qlRzTU8o22q68MmOaZ4v8zZ4UlYl5YRU=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "8d5e27b4807d25308dfe369d5a923d87e7dbfda3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nix-index-database": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1718458449,
+        "narHash": "sha256-FcX3/lTbb+WIW783b18SPudPYhdmmNLQADf4S3SsZos=",
+        "owner": "Mic92",
+        "repo": "nix-index-database",
+        "rev": "963639a87fb7f746d45f14b8ab429d2c52dbb396",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "nix-index-database",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1718318537,
+        "narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1717880976,
+        "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1718318537,
+        "narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "dot013-environment": "dot013-environment",
+        "home-manager": "home-manager",
+        "nix-index-database": "nix-index-database",
+        "nixpkgs": "nixpkgs_2",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1718137936,
+        "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,41 @@
+{
+  description = ".homelab";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nix-index-database = {
+      url = "github:Mic92/nix-index-database";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    dot013-environment.url = "github:dot013/environment";
+  };
+  outputs =
+    { nixpkgs
+    , home-manager
+    , ...
+    } @ inputs: {
+      nixosConfigurations = {
+        spacestation = nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            inherit inputs;
+          };
+          modules = [
+            inputs.home-manager.nixosModules.default
+            ./configuration.nix
+          ];
+        };
+      };
+    };
+}

hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config
+, lib
+, pkgs
+, modulesPath
+, ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_acpi" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/26878c61-60d2-4ac9-967f-30faffc0f21f";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/ACCB-816C";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/878a189a-e5df-4e1c-92d5-df6f77ff53bb"; }
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

homes/guz.nix

@@ -0,0 +1,17 @@
+{ config
+, pkgs
+, inputs
+, lib
+, ...
+}: {
+  imports = [
+    inputs.dot013-environment.homeManagerModule
+  ];
+
+  programs.home-manager.enable = true;
+
+  home.username = "guz";
+  home.homeDirectory = "/home/guz";
+
+  home.stateVersion = "23.11"; # DO NOT CHANGE
+}

modules/adguardhome.nix

@@ -0,0 +1,62 @@
+{ config
+, lib
+, ...
+}:
+let
+  cfg = config.services.adguardhome;
+in
+{
+  imports = [ ];
+  options.services.adguardhome = with lib;
+    with lib.types; {
+      dns.filters = mkOption {
+        type = attrsOf (submodule ({ lib, ... }: {
+          options = {
+            name = mkOption {
+              type = nullOr str;
+              default = null;
+            };
+            url = mkOption {
+              type = str;
+            };
+            enabled = mkOption {
+              type = bool;
+              default = true;
+            };
+          };
+        }));
+        default = { };
+      };
+      dns.rewrites = mkOption {
+        type = attrsOf str;
+        default = { };
+      };
+    };
+  config = with lib;
+    mkIf cfg.enable {
+      networking.firewall.allowedTCPPorts = [ 53 ];
+      networking.firewall.allowedUDPPorts = [ 53 51820 ];
+
+      services.adguardhome = {
+        settings = {
+          filtering.rewrites = builtins.attrValues (builtins.mapAttrs
+            (from: to: {
+              domain = from;
+              answer = to;
+            })
+            cfg.dns.rewrites);
+          filters = attrValues (mapAttrs
+            (id: list: {
+              name =
+                if isNull list.name
+                then id
+                else list.name;
+              ID = id;
+              url = list.url;
+              enabled = list.enabled;
+            })
+            cfg.dns.filters);
+        };
+      };
+    };
+}

modules/default.nix

@@ -0,0 +1,9 @@
+{ ... }: {
+  imports = [
+    ./adguardhome.nix
+    ./forgejo
+    ./locales.nix
+    ./nh
+    ./tailscale.nix
+  ];
+}

modules/forgejo/default.nix

@@ -0,0 +1,205 @@
+{ config
+, lib
+, pkgs
+, utils
+, ...
+}:
+let
+  cfg = config.services.forgejo;
+  yamlFormat = pkgs.formats.yaml { };
+  users = builtins.attrValues (builtins.mapAttrs
+    (username: info: {
+      name =
+        if isNull info.name
+        then username
+        else info.name;
+      email = info.email;
+      password = info.password;
+      admin = info.admin;
+    })
+    cfg.users);
+  initList = l: lib.strings.concatStringsSep "," l;
+in
+{
+  imports = [ ];
+  options.services.forgejo = with lib;
+    with lib.types; {
+      handleUndeclaredUsers = mkOption {
+        type = bool;
+        default = false;
+      };
+      users = mkOption {
+        type = attrsOf (submodule ({ config
+                                   , lib
+                                   , ...
+                                   }:
+          with lib;
+          with lib.types; {
+            options = {
+              name = mkOption {
+                type = nullOr (either str path);
+                default = null;
+              };
+              password = mkOption {
+                type = either str path;
+              };
+              email = mkOption {
+                type = either str path;
+              };
+              admin = mkOption {
+                type = bool;
+                default = false;
+              };
+            };
+          }));
+        default = { };
+      };
+      actions = {
+        enable = mkOption {
+          type = bool;
+          default = cfg.enable;
+        };
+        token = mkOption {
+          type = str;
+        };
+        url = mkOption {
+          type = str;
+          default = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
+        };
+        labels = mkOption {
+          type = listOf str;
+          default = [
+            /*
+          Remember to install git on these images so actions/checkout can work,
+          without it, the actions tries to use the /api/v3/repos/{user}/{repo}/tarball/{ref}
+          api endpoint, which Gitea/Forgejo doesn't has.
+            */
+            "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest-slim"
+            "ubuntu-latest-full:docker://gitea/runner-images:ubuntu-latest"
+          ];
+        };
+      };
+    };
+  config = with lib;
+    mkIf cfg.enable {
+      networking.firewall.allowedTCPPorts = mkIf cfg.settings.actions.ENABLED [
+        cfg.settings.server.HTTP_PORT
+      ];
+      networking.firewall.allowedUDPPorts = mkIf cfg.settings.actions.ENABLED [
+        cfg.settings.server.HTTP_PORT
+      ];
+
+      users.users."${cfg.user}" = {
+        home = cfg.stateDir;
+        useDefaultShell = true;
+        group = cfg.group;
+        isSystemUser = true;
+        extraGroups = [ "wheel" "networkmanager" ];
+      };
+      users.groups."${cfg.group}" = { };
+
+      services.forgejo = {
+        user = mkDefault "git";
+        group = mkDefault cfg.user;
+        settings = {
+          DEFAULT = {
+            APP_NAME = mkDefault "Forgejo: Beyond coding. We forge.";
+          };
+          actions = {
+            ENABLED = mkDefault cfg.actions.enable;
+            DEFAULT_ACTIONS_URL = mkDefault "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
+          };
+          repository = {
+            DEFAULT_REPO_UNITS = mkDefault (initList [
+              "repo.code"
+            ]);
+            DISABLED_REPO_UNITS = mkIf (!cfg.actions.enable) (mkDefault (initList [
+              "repo.actions"
+            ]));
+          };
+          service = {
+            # DISABLE_REGISTRARION = mkDefault true;
+          };
+        };
+      };
+
+      virtualisation.docker.enable = mkIf cfg.actions.enable (mkDefault true);
+      services.gitea-actions-runner = mkIf cfg.actions.enable {
+        package =
+          if config.services.gitea.enable
+          then pkgs.gitea-actions-runner
+          else pkgs.forgejo-actions-runner;
+        instances."forgejo${toString cfg.settings.server.HTTP_PORT}" = {
+          enable = mkDefault true;
+          token = mkDefault cfg.actions.token;
+          name = mkDefault "${cfg.settings.DEFAULT.APP_NAME} - Actions";
+          url = cfg.actions.url;
+          labels = mkDefault cfg.actions.labels;
+          settings = {
+            runner = {
+              insecure = true;
+            };
+          };
+        };
+      };
+
+      systemd.services."forgejo-users-setup" = with builtins; {
+        script = ''
+          function gum() { ${pkgs.gum}/bin/gum "$@"; }
+          function forgejo() {
+            # local config_file="${toString cfg.stateDir}/custom/conf/app.ini";
+            # touch $config_file
+            ${cfg.package}/bin/gitea \
+              --work-path ${cfg.stateDir} \
+              "$@"
+          }
+          function fjuser() { forgejo admin user "$@"; }
+          function awk() { ${pkgs.gawk}/bin/awk "$@"; }
+
+          handle_undeclared_users="${
+            if cfg.handleUndeclaredUsers
+            then "true"
+            else "false"
+          }";
+
+          declared_users=(${toString (map (user: "${
+              if isPath user.name
+              then "$(cat ${toString user.name})"
+              else user.name
+            }")
+            users)});
+
+          ${readFile ./user-handler.sh}
+
+          ${toString (map (user: ''
+              set-user "${
+                if isPath user.name
+                then "$(cat ${toString user.name})"
+                else user.name
+              }" "${
+                if isPath user.email
+                then "$(cat ${toString user.email})"
+                else user.email
+              }" "${
+                if isPath user.password
+                then "$(cat ${toString user.password})"
+                else user.password
+              }" \
+                       "${
+                if user.admin
+                then "true"
+                else "false"
+              }"
+            '')
+            users)}
+        '';
+        wantedBy = [ "multi-user.target" ];
+        after = [ "forgejo.service" ];
+        serviceConfig = {
+          Type = "oneshot";
+          User = cfg.user;
+          Group = cfg.group;
+        };
+      };
+    };
+}

modules/locales.nix

@@ -0,0 +1,65 @@
+{ config
+, lib
+, ...
+}:
+let
+  cfg = config.profiles.locale;
+in
+{
+  imports = [ ];
+  options.profiles.locale = with lib;
+    with lib.types; {
+      enable = mkEnableOption "";
+      locale = mkOption {
+        type = str;
+        default = "en_US.UTF-8";
+      };
+      extraLocales = mkOption {
+        type = attrsOf str;
+        default = rec {
+          LC_ADDRESS = "pt_BR.UTF-8";
+          LC_IDENTIFICATION = LC_ADDRESS;
+          LC_MEASUREMENT = LC_ADDRESS;
+          LC_MONETARY = LC_ADDRESS;
+          LC_NAME = LC_ADDRESS;
+          LC_NUMERIC = LC_ADDRESS;
+          LC_PAPER = LC_ADDRESS;
+          LC_TELEPHONE = LC_ADDRESS;
+          LC_TIME = LC_ADDRESS;
+        };
+      };
+      keymap.layout = mkOption {
+        type = str;
+        default = "br";
+      };
+      keymap.variant = mkOption {
+        type = str;
+        default = "";
+      };
+      keymap.console = mkOption {
+        type = str;
+        default = "br-abnt2";
+      };
+      timeZone = mkOption {
+        type = str;
+        default = "America/Sao_Paulo";
+      };
+    };
+  config = {
+    i18n = {
+      defaultLocale = cfg.locale;
+      extraLocaleSettings = cfg.extraLocales;
+    };
+
+    services.xserver = {
+      xkb.layout = cfg.keymap.layout;
+      xkb.variant = cfg.keymap.variant;
+    };
+
+    console.keyMap = cfg.keymap.console;
+
+    time = {
+      timeZone = cfg.timeZone;
+    };
+  };
+}

modules/nh/default.nix

@@ -0,0 +1,27 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+  cfg = config.programs.nh;
+  wrapper = pkgs.writeShellScriptBin "nh" ''
+    function alejandra() { ${pkgs.alejandra}/bin/alejandra "$@"; }
+    function git() { ${pkgs.git}/bin/git "$@"; }
+    function lazygit() { ${pkgs.lazygit}/bin/lazygit "$@"; }
+    function nh() { ${pkgs.nh}/bin/nh "$@"; }
+    function shellharden() { ${pkgs.shellharden}/bin/shellharden "$@"; }
+
+    FLAKE_DIR=${toString cfg.flake}
+
+    ${builtins.readFile ./wrapper.sh}
+  '';
+in
+{
+  options.programs.nh = with lib; with lib.types; { };
+  config = with lib;
+    mkIf cfg.enable {
+      programs.nh.package = wrapper;
+      programs.nh.clean.enable = mkDefault true;
+    };
+}

modules/nh/wrapper.sh

@@ -0,0 +1,154 @@
+function set_colors() {
+	COLOR_CYAN='\033[0;35m'
+	COLOR_RED='\033[0;31m'
+	COLOR_YELLOW='\033[1;33m'
+	COLOR_NC='\033[0m'
+}
+function set_labels() {
+	set_colors
+	function echo_info() {
+		if [ -t 1 ]; then
+			echo -e "${COLOR_CYAN}INFO:${COLOR_NC} $@";
+		else
+			echo -e "INFO: $@";
+		fi
+	}
+	function echo_warn() {
+		if [ -t 1 ]; then
+			echo -e "${COLOR_YELLOW}WARN:${COLOR_NC} $@";
+		else
+			echo -e "WARN: $@";
+		fi
+	}
+	function echo_error() {
+		if [ -t 1 ]; then
+			echo -e "${COLOR_RED}ERRO:${COLOR_NC} $@";
+		else
+			echo -e "ERRO: $@";
+		fi
+	}
+}
+set_labels
+
+function decrypt_lesser_secrets() {
+	set -e
+	pushd "$FLAKE_DIR" > /dev/null
+
+	for f in ./secrets/*.lesser.*; do
+		local filename="$(basename -- "$f")"
+		local extension="${filename##*.}"
+		local filename="${filename%.*}"
+		local subextenstion="${filename##*.}"
+
+		if [[ "$subextenstion" == "decrypted" ]]; then
+			echo_warn "$PREFIX - File already decrypted! file=$f"
+		else
+			echo_info "$PREFIX - Decrypting lesser secret file. file=$f"
+			sops --output "./secrets/$filename.decrypted.$extension" -d "$f"
+		fi
+	done
+
+	echo_info "$PREFIX - Adding decrypted secret files"
+	git add ./secrets/*.decrypted.*
+
+	popd > /dev/null
+}
+
+function remove_decrypted_secrets() {
+	set -e
+	pushd "$FLAKE_DIR" > /dev/null
+
+	echo_info "$PREFIX - Removing descrypted files"
+	for f in "$FLAKE_DIR"/secrets/*.decrypted.*; do
+		echo_info "$PREFIX - Removing descrypted files. file=$f"
+		git reset "$f"
+		rm "$f"
+	done
+
+	popd > /dev/null
+}
+
+function format_files() {
+	set -e
+	pushd "$FLAKE_DIR" > /dev/null
+
+	echo_info "$PREFIX - Formatting *.nix files"
+	alejandra . &>/dev/null \
+	|| (alejandra . ; \
+		echo_error - "$PREFIX - Failed to format files" \
+		&& exit 1)
+
+	echo_info "$PREFIX - Formatting *.sh files"
+	find "$FLAKE_DIR" -type f -name "*.sh" -execdir shellharden --replace {} \;
+
+	popd > /dev/null
+}
+
+function build_os() {
+	set -e
+	pushd "$FLAKE_DIR" > /dev/null
+
+	echo_info "$PREFIX - Building NixOS"
+	nh os switch "$@" "$FLAKE_DIR" \
+		|| (echo_error "$PREFIX - Failed to build NixOS" \
+		&& remove_decrypted_secrets \
+		&& exit 1)
+
+	popd > /dev/null
+}
+
+case "$1" in
+	"os")
+		case "$2" in
+			"switch")
+				PREFIX="nh os switch"
+
+				decrypt_lesser_secrets
+				format_files
+
+				shift 2
+				build_os "$@"
+
+				remove_decrypted_secrets
+			;;
+			*) echo_error "\"$2\" subcommand does not exist"
+			;;
+		esac
+	;;
+	"edit")
+		pushd "$FLAKE_DIR" > /dev/null
+
+		"$EDITOR" .
+
+		popd > /dev/null
+	;;
+	"sync")
+		pushd "$FLAKE_DIR" > /dev/null
+
+		lazygit
+
+		popd > /dev/null
+	;;
+	"secrets")
+		PREFIX="nh secrets"
+		case "$2" in
+			"-d"|"--decrypt") decrypt_lesser_secrets
+			;;
+			"-r"|"--remove") remove_decrypted_secrets
+			;;
+		esac
+	;;
+	"format")
+		pushd "$FLAKE_DIR" > /dev/null
+
+		format_files
+
+		popd > /dev/null
+	;;
+	"--")
+		shift 1
+		nh "$@"
+	;;
+	*) echo_error "\"$1\" command does not exist"
+	;;
+esac

modules/tailscale.nix

@@ -0,0 +1,62 @@
+{ config
+, lib
+, ...
+}:
+let
+  cfg = config.services.tailscale;
+in
+{
+  imports = [ ];
+  options.services.tailscale = with lib;
+    with lib.types; {
+      exitNode = mkOption {
+        type = bool;
+        default = false;
+      };
+      tailnetName = mkOption {
+        type = str;
+      };
+      tailnetUrl = mkOption {
+        type = str;
+        default = "${config.services.tailscale.tailnetName}.ts.net";
+      };
+      deviceUrl = mkOption {
+        type = str;
+        default = "${config.networking.hostName}.${config.services.tailscale.tailnetUrl}";
+      };
+      deviceIp = mkOption {
+        type = str;
+      };
+    };
+  config = with lib;
+    mkIf cfg.enable {
+      services.tailscale = {
+        extraUpFlags = [
+          (
+            if cfg.exitNode
+            then "--advertise-exit-node"
+            else null
+          )
+          (
+            if cfg.exitNode
+            then "--exit-node"
+            else null
+          )
+        ];
+        useRoutingFeatures = mkDefault (
+          if cfg.exitNode
+          then "server"
+          else "client"
+        );
+      };
+
+      systemd.services."tailscaled" = mkIf config.services.caddy.enable (mkDefault {
+        serviceConfig = {
+          Environment = [ "TS_PERMIT_CERT_UID=caddy" ];
+        };
+      });
+
+      boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf cfg.exitNode (mkDefault 1);
+      boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = mkIf cfg.exitNode (mkDefault 1);
+    };
+}

secrets.nix

@@ -0,0 +1,54 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}: let
+  lesser-secrets = with builtins;
+    fromJSON (readFile ./secrets/spacestation.lesser.decrypted.json);
+  jsonType = pkgs.formats.json {};
+in {
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+  options.spacestation-secrets = with lib;
+  with lib.types; {
+    lesser = mkOption {
+      type = submodule ({...}: {
+        freeformType = jsonType.type;
+        options = {};
+      });
+      default = lesser-secrets;
+    };
+  };
+  config = with lib; {
+    environment.systemPackages = with pkgs; [
+      sops
+    ];
+
+    sops.defaultSopsFile = ./secrets/spacestation.yaml;
+    sops.defaultSopsFormat = "yaml";
+
+    sops.secrets."guz/password" = {
+      owner = config.users.users."guz".name;
+    };
+
+    sops.secrets."muse/secrets" = {};
+
+    sops.secrets."forgejo/user1/name" = mkIf config.services.forgejo.enable {
+      owner = config.services.forgejo.user;
+    };
+    sops.secrets."forgejo/user1/password" = mkIf config.services.forgejo.enable {
+      owner = config.services.forgejo.user;
+    };
+    sops.secrets."forgejo/user1/email" = mkIf config.services.forgejo.enable {
+      owner = config.services.forgejo.user;
+    };
+    sops.secrets."forgejo/git-password" = mkIf config.services.forgejo.enable {
+      owner = config.services.forgejo.user;
+    };
+
+    sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";
+  };
+}

secrets/spacestation.lesser.json

@@ -0,0 +1,80 @@
+{
+	"tailnet-name": "ENC[AES256_GCM,data:f9T+/IRApqThgMlE,iv:LufRlHxdon5mahAi1+jwbhTqcOZh2bdnUubfEL6QFg0=,tag:KmJ4E0EggzQh8ZCm2fLeGw==,type:str]",
+	"device-ip": "ENC[AES256_GCM,data:Ed6hS/9F52UGVLpAyw==,iv:sg9iVEmZxA2lNJoc0xwLRyDzoF1Cy48wp9CQf3zOOzQ=,tag:77RYGvjgw0QdZUsPcqVTvA==,type:str]",
+	"homelab-domain": "ENC[AES256_GCM,data:IQAkzgxJL4WsOqJ0RA==,iv:COJSPyCP33ZJJXz1blr4CTH3DfZ9oH/Em72VWlGWtO0=,tag:sLj91nAgVtvDiRcVzqgIsg==,type:str]",
+	"services": {
+		"adguard": {
+			"domain": "ENC[AES256_GCM,data:QquWEbgpXY13UMV9BTXplQ5LhSgv,iv:0AstA5oaS8714QME3QK0/aiv9Khqk1bLCcFdCEPn+IA=,tag:XXIWjIjHQ0gZFSFBHU49Ag==,type:str]",
+			"port": "ENC[AES256_GCM,data:4JC+Dg==,iv:jACiG3MB0u8mKFhghBN3VzLBGkUYeCC58fGOuLePJ+M=,tag:Lz4Q8U24aOfjIA4tK6yZwg==,type:float]"
+		},
+		"dashdot": {
+			"domain": "ENC[AES256_GCM,data:eHFlKb+63lJDkQ1UdJywFWQNTC3a,iv:T0G0Is1goSBXyfyfnDm/YcgVm4acYfVXQOgcXVWdk/Q=,tag:0EF2AJgWIUHhm6+9USecsA==,type:str]",
+			"port": "ENC[AES256_GCM,data:T7LPwQ==,iv:AP7nnvV0NQWwnkBxOyIyFF3FS+BGMflxmr0UXnFOTvg=,tag:yaYsMrdXL9puSrLPnOfKdw==,type:float]"
+		},
+		"ferdium-server": {
+			"domain": "ENC[AES256_GCM,data:wFFgzZoSZoejlXA5c0J9gg6sULwDZCc7KuvZiQ==,iv:Lbgt3FbalVLTEHwBviUPwt1tObnlVEyCVBp8YEFG6rw=,tag:n3UywY7WvdkfHG68kcE7aQ==,type:str]",
+			"port": "ENC[AES256_GCM,data:qAmD2g==,iv:BAuRv4tbmAf7uan2JBKIr9430tp235YBdrxNaMSrgtw=,tag:H6aYpnONS+MQh7z1IGuy7w==,type:float]"
+		},
+		"forgejo": {
+			"domain": "ENC[AES256_GCM,data:DJDExE7VVmAk4ZLhOkTfD2wBY5i1,iv:tnOgrKCpglvDyk75mnmeoiz2trmD3r3wCL2etHmALC4=,tag:rAiEK9U48cR1q+W7Zbkhvg==,type:str]",
+			"port": "ENC[AES256_GCM,data:ydSACw==,iv:0RWRLLCU8YyYmOmTawns2Iy+ABiBFbBqgQ10+buZNt0=,tag:3QW0NzbKeUkcfYh/5my3fA==,type:float]",
+			"actions-token": "ENC[AES256_GCM,data:eNZtfpBt0ZjgLrykGKGEL3gtKCHHE+UWaDATgi0QHBGj7ZZX7ROuKQ==,iv:J8wmqFVmi8sarGupw/F4PP20HdaGTrxC4pF8GERwZxs=,tag:wZve5TI4/NpacMpHtpBnoA==,type:str]",
+			"actions-labels": [
+				"ENC[AES256_GCM,data:QFgl5alecI2Ecc6hTisc1orcvOE5dmdoNf3gwN5HWeq40B65NhsmXcZuTpkALEE8gm42mLfq4Wtb8xvnBQ==,iv:Cktpy6ot7T9PVoertFmkznateg1GuI82j2/niAlTcP8=,tag:KJspmDE0OUCWI3sFY/5J4Q==,type:str]",
+				"ENC[AES256_GCM,data:7vnIpQXr6k+I5/1siptl6OEkSJj3FFRFXOEd5yv+c5pIzJU6CilcdTOHo+7Yp1E2IvKFla7MqcWZ0OjSAg==,iv:lPhi+CC8xJgvW5WR6C9OAbfEzXl8ueQOSl4JWKk9Zmo=,tag:5xY+AtNUWn+D3L4G3PmkpQ==,type:str]",
+				"ENC[AES256_GCM,data:KybqnMcU6ON30jLPHHdKB8oc2clxwV7otpUfinlm/YCWgvLZpsjFPnm/eu9hjKLfcwPEsWqi,iv:mmhWpJLzLJJJ8eJkNQtVLYudNG+wgIFoIEvc0o9KP7I=,tag:YB/x4AF+jrC1i0q/LhtnCw==,type:str]",
+				"ENC[AES256_GCM,data:ewFeb0pgS7t7ugV1rvEqQHkZ3UfHf7BdPXh9rIZAmyAG04E53EFYFcjuLLlZKnsu,iv:Dc+8zlv0bKkNbmMYgUXOrBkolOKJLrasen2KfUjwyoc=,tag:TUmz6hvwS3jbxvSfq3ajTQ==,type:str]"
+			]
+		},
+		"homarr": {
+			"domain": "ENC[AES256_GCM,data:IsFYq/sZtCgrCGuEFJCFZ8Yn3st4ILg=,iv:Iexxw/OcbjIuVz5VtY/170yAc/h3fLqNw5BJGiyROdg=,tag:PTYsnvq2Cr+M8MaHvMiJjw==,type:str]",
+			"port": "ENC[AES256_GCM,data:c0D1FA==,iv:tWr+ryzFU65X58YAKXPhJe+P+CN0hhJ0FY4K9sAJr8I=,tag:e4GetvqSzqZ/vhhyxyZQVQ==,type:float]"
+		},
+		"jellyfin": {
+			"domain": "ENC[AES256_GCM,data:0XAqHmiw/9e3sIqMUk28sZ/2BBWafw==,iv:0auXERqDZFVVWpS2Y6b4jgqZHGv3tF7b83i6UTOBUNg=,tag:Xlgf6hyMKpfR2uEa/aUjsg==,type:str]",
+			"port": "ENC[AES256_GCM,data:E9A2Lw==,iv:J8GYwoLI/C7yc5fFu0Z6Qu7YPxHXvlyY5d36cWmm9Eg=,tag:fus1uxQxObj7mS3e7U4yTg==,type:float]"
+		},
+		"jellyseerr": {
+			"domain": "ENC[AES256_GCM,data:yWRvgk6vGt+VIuOA7RiwHQBfjftLbDpq,iv:acbAerP79Fq7hRhpnifQ876CI+gavGe3sQvM7RIalBw=,tag:CXHKHgKTLeJeyKko8dr1Qg==,type:str]",
+			"port": "ENC[AES256_GCM,data:TTvqPg==,iv:Mu+T9LJ626BWB/xt/KHb6PGX2oAWd4h4f34oz1RirHQ=,tag:5zYrwtZD13ljcFFNlvwWJA==,type:float]"
+		},
+		"jellystat": {
+			"domain": "ENC[AES256_GCM,data:JuOqn1eRSwgSmxGpI+cl8+rFPnTN+Wk=,iv:Wmp1jU2vaCZUaiAv/f6TQXdukWWHp1qr7Ay3YPbzDAA=,tag:pGc6PgHNR/uC5fkwXmTZ7w==,type:str]",
+			"port": "ENC[AES256_GCM,data:VLEiaQ==,iv:aN+vIsVK/snhGfjvmhsAcuGu06peqaa4uKJri14bgL4=,tag:A/vBY3vGS/PzlqtqFRpclg==,type:float]",
+			"db_password": "ENC[AES256_GCM,data:PSns4kHm0502Reo0iEOP,iv:VKULz9m+HAZqwI2QyKUAQ2x9977Qfj3j4sz9TzSssIA=,tag:EaFlN8gIVtBCeEGsCRG9UQ==,type:str]"
+		},
+		"prowlarr": {
+			"domain": "ENC[AES256_GCM,data:cfeDhy+TD6SVUEgKlCNo0/NkWw5GZg==,iv:X3AXVcWPYJXUSdtkHH/Kkv2+fuztL3/f/ZOFu0iW4hs=,tag:gwxL14I8UUH1K0OEQrLgfQ==,type:str]",
+			"port": "ENC[AES256_GCM,data:sn6HCA==,iv:ghIKe2IeTBtCQfLN9mLrVYbb2cii1cb+UKFL0DtiNWc=,tag:2X40jOxNbLR0FboTa4xONg==,type:float]"
+		},
+		"qbittorrent": {
+			"domain": "ENC[AES256_GCM,data:U2QUvsdFxhwLJO89QlFa37WxdDA2,iv:vbO9lc7jovM5KrU9n57h8PmSZxZSvSMIEZ1Sqe+L+ew=,tag:TYB9djUpDoYFmJ1qylE97w==,type:str]",
+			"port": "ENC[AES256_GCM,data:EYXJ/Q==,iv:ByiAPEg8n0p0ZZWkSssrpdEYl8NMqrGsFLcFwiyttQ4=,tag:b5hzfPPWj/N3ZtzNEe/2xQ==,type:float]"
+		},
+		"radarr": {
+			"domain": "ENC[AES256_GCM,data:tbuhPJRqWNs47GofrHLrIPr8JI0=,iv:UpotCjNr4070MsBIlkTTtliekHegOJe976xjrc3So3s=,tag:yeu1lL3ldIYZ/FMzb4igbw==,type:str]",
+			"port": "ENC[AES256_GCM,data:e/JFRg==,iv:4EH69nzM2buQ3v56+tVUSjaYDlhfevA5fStA5FpSwxE=,tag:Maw8kdf3eF0dQeDOjVrDrw==,type:float]"
+		},
+		"sonarr": {
+			"domain": "ENC[AES256_GCM,data:ElXSeC+fok18BtlzsQujUkWhVRg=,iv:bK91RHb66zGpmVf2qjDSWTLbSDm/hwmrhbcZ8+870RQ=,tag:T2aHrofrlqK6qhMHy8Xg5w==,type:str]",
+			"port": "ENC[AES256_GCM,data:5gAdwQ==,iv:6h+9iJWLjG8/s8+KVyVbCBL3T1tfpQdA0kBHY8/nuDM=,tag:/eY4dmkppBCj/ZucyLyFvA==,type:float]"
+		}
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL3dCY1VLMmoxRFRmS0Ir\nV0ppTnI0RE5ZMjcvRGNPWkNxWFdJYTBDTG00ClRGQkh1UStGTmc0RE5aNy9nL3FI\nbHJIa3hLR0ZkTjd6WkFzOFkzeFdMNUEKLS0tIDBidk93Qy9LenFlSGZ2aEpuTUFt\nWVM2eS9UdXAvbzE4eEdKMjVEM3RLdm8KKeIhk+YOKVL9Y19lLyb6/Pxv8rbewK2e\nLm96jx+LOMOCFcQGxuFKWqQbTB4br/cPvRKSY5jFmFWqVg7pCPTAzQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-21T18:13:55Z",
+		"mac": "ENC[AES256_GCM,data:P+tqLu/mY+qadDeyDwEYf/Mwv2tJOBEghvkBhRzLguaynCk4pLhy40P+eIvd8/DWfERW/CAnOH038kJRO9zG5qZiYKZgTB1MVFACnpPoF4Ek1a0+eSmQfiHBBLd45fvExfyYo3XLi6e0ZNZYiQOSL++WqBPGcSAz0N2bhxnPqFE=,iv:b7xEGJybByQwl2FfIdC3q2UVuDgOTHrVPPqZe/w8cmc=,tag:upZP6dukO70Qm5hb3odTWg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

secrets/spacestation.yaml

@@ -0,0 +1,38 @@
+guz:
+    password: ENC[AES256_GCM,data:zlO5xSFho7TXjFv62lgFir9SAgn+UE6XjdNEvIAgmQG9oDkthfgxO84wYdI0mQDwRIIs2PmSdBRfo0DPc3hji+ySCrItolPL8g==,iv:MZfhTxwfcbmXh5C6DkQhnY9NQGdE8zEwwvFOHQiUgKY=,tag:JjJN2bYcSXNN3ueGj5RNLg==,type:str]
+network:
+    ip: ENC[AES256_GCM,data:AkbNOQLXRKLYjU2ywg==,iv:xqdTPCUYiT/cPe2zAbBJ7fUiEMViW9LZND4j0DdydLY=,tag:tq6nA5fGH4/mAvF6InUFgQ==,type:str]
+    localIp: ENC[AES256_GCM,data:PK8THL9NW//2sal1,iv:9h3f255rIgedYToVaUGuQ9RzD33V8sczRWsZe+rTyC0=,tag:OoJbes6k0FqxXzGQ8ZG0aA==,type:str]
+forgejo:
+    git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str]
+    user1:
+        name: ENC[AES256_GCM,data:UL3g,iv:+ftGx57fhzN06DuLItxZTc7lXX2g4MhqrEqnDjk4Aug=,tag:ZNpwWuPYhBzDjRQBKikCDA==,type:str]
+        password: ENC[AES256_GCM,data:KXx9Kv9f9UP3sAU=,iv:bCBv+IEieR+RGjgjXLKMLlsqoBOLLYjvT167QIxxFmA=,tag:dPNUcrBrE66xDlFJltmIKg==,type:str]
+        email: ENC[AES256_GCM,data:iZjmn511sSRggO+ptkYZAeGKAFIMeV8R,iv:sBigXBpdYlj7zk7evE8IbQEa/YRVoCh2S/PFihx8VRU=,tag:XNSS+RFC8ChzZ/EzcQoDvg==,type:str]
+nextcloud:
+    user1:
+        name: ENC[AES256_GCM,data:VJ2K,iv:RbCyfKweGteghP1X2II3WXQ6xjAqBz1PvFA+w6r6WA8=,tag:dRDTMXdvTFzS7xl9L1xbVA==,type:str]
+        password: ENC[AES256_GCM,data:u2F2aBuVt7CByfZcUA==,iv:YvRX13U/f6UTs4bvnwEMiNJydzaCM0etkRo/Uh7hf/Y=,tag:aqG10k2p0i8LAqWRQ92xjQ==,type:str]
+        email: ENC[AES256_GCM,data:J/xFtIs3+sUeHll0VPkpRX1dEwpX9RxH,iv:SikaNGysgIVXJgp4zKLkPrhuNN9lZa0nXmB5bTUdbOQ=,tag:CIiVsYRkig4H6j94293qbw==,type:str]
+muse:
+    secrets: ENC[AES256_GCM,data:Kz9nq9uxrwjlbg38F8M0a7s0wuSpnZ42iGT6NOQa9LyEVr07PRHeqxAtAloPEX7gmAlTKyHY9hmkA/yUxrkioiaEd6PW5rF5Fq7wKSEYhyh9kUnwAf6NdQhFBj2UMnfWHpz50WQ27msJ2UzgJKzXQ24GYAXGlQwgyHkixpYPQ63t873YUNPaa53mx7STh7vRk//o940aP+Uar4OnMEdTGrmPqWLluR5/eVyNnDANhGWcCg626uZS26nZFO+gyrWJk2e1RsSVmzfjcIyaVkdTaEj1RQRUGxn/AS3FvqfGJ7tF9tWSaZ1PY2U2IdQv9usfa9m4Y6bRcoGN,iv:L4Y2F88NCSiB/KNL9HQ/49QRQwj2HfKuBEs8jsqpfR8=,tag://7BxypNznXIpWP2Mfvseg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkeGg1UzNkV0g1U0J4cUhr
+            dS9lZ1c0c0sxQzJjanRNSVBmQ09rQ1R2S0RRCmhzalFnWUNISis0K1JHSmcyN2cx
+            QWhQWFMxdmxKL1FkYU1PdmFHL1BoQncKLS0tIFN4MFRZTW5mUDI5T1Mra2tMS0Qz
+            amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO
+            4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-11T14:18:33Z"
+    mac: ENC[AES256_GCM,data:VbvpmpSadpIQVwGWOa2A9VLn1+k8V8t95lgDhuv49NFkX7LnJQ4YPoSXINfDw52oaBL0nb4BtICpifCLY7kVtSTVDRHmXhmpXLz/8axNUQZtcHviUU+QlTYuyghxr0y+1ZMlVH4gOqCkoSYwfjN3/c8KR5ukf47lIxwoogXyLKo=,iv:4OYVcV2PUx7N+QHyA7wp0307+VM1yZcBH7PNDONn+qU=,tag:8El/gNZGnNEVD8k5aMRc/w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

services/adguardhome.nix

@@ -0,0 +1,60 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+  secrets = config.spacestation-secrets.lesser;
+  deviceIp = config.services.tailscale.deviceIp;
+in
+{
+  imports = [
+    ../modules/adguardhome.nix
+  ];
+  services.adguardhome = {
+    enable = true;
+    dns.rewrites = {
+      "*.${secrets.homelab-domain}" = deviceIp;
+      "${secrets.homelab-domain}" = deviceIp;
+    };
+    openFirewall = true;
+    port = secrets.services.adguard.port;
+    dns.filters = {
+      "Hagezi's Multi PRO" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt";
+      };
+      "Hagezi's Badware Hoster" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/hoster.txt";
+      };
+      "Hagezi's DNS Bypass blocking" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/doh-vpn-proxy-bypass.txt";
+      };
+      "Hagezi's Dynamic DNS blocking" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/dyndns.txt";
+      };
+      "Hagezi's Gambling" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/gambling.txt";
+      };
+      "Hagezi's Native - LG webOS" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/native.lgwebos.txt";
+      };
+      "Hagezi's Native - Tiktok (Agressive)" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/native.tiktok.extended.txt";
+      };
+      "Hagezi's Native - Microsoft/Windows" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/native.winoffice.txt";
+      };
+      "Hagezi's Pop-up Ads" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/popupads.txt";
+      };
+      "Hagezi's TIF" = {
+        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/tif.txt";
+      };
+    };
+    settings.user_rules = [
+      "@@||tumblr.com^$important"
+      "@@||wordpress.com^$important"
+      "@@||tailscale.com^$important"
+    ];
+  };
+}

services/containers/default.nix

@@ -0,0 +1,11 @@
+{ ... }: {
+  imports = [
+    ./prata-music.nix
+  ];
+  virtualisation = {
+    docker.enable = true;
+    oci-containers = {
+      backend = "docker";
+    };
+  };
+}

services/containers/prata-music.nix

@@ -0,0 +1,17 @@
+{ config
+, lib
+, pkgs
+, ...
+}: {
+  imports = [ ];
+  virtualisation.oci-containers.containers.prata-music = {
+    image = "codetheweb/muse:latest";
+    autoStart = true;
+    volumes = [
+      "/var/lib/muse/data:/data"
+    ];
+    environmentFiles = [
+      (/. + config.sops.secrets."muse/secrets".path)
+    ];
+  };
+}

services/default.nix

@@ -0,0 +1,8 @@
+{ ... }: {
+  imports = [
+    ./adguardhome.nix
+    ./containers
+    ./forgejo.nix
+    ./tailscale.nix
+  ];
+}

services/forgejo.nix

@@ -0,0 +1,37 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+  secrets = config.spacestation-secrets.lesser;
+in
+{
+  imports = [
+    ../modules/forgejo
+  ];
+  services.forgejo = {
+    enable = true;
+    actions = {
+      enable = true;
+      token = secrets.services.forgejo.actions-token;
+      url = "http://192.168.1.10:${toString secrets.services.forgejo.port}";
+      labels = secrets.services.forgejo.actions-labels;
+    };
+    users = {
+      user1 = {
+        name = /. + config.sops.secrets."forgejo/user1/name".path;
+        password = /. + config.sops.secrets."forgejo/user1/password".path;
+        email = /. + config.sops.secrets."forgejo/user1/email".path;
+        admin = true;
+      };
+    };
+    settings = {
+      server = {
+        HTTP_PORT = secrets.services.forgejo.port;
+        DOMAIN = secrets.services.forgejo.domain;
+        ROOT_URL = "https://${secrets.services.forgejo.domain}";
+      };
+    };
+  };
+}

services/tailscale.nix

@@ -0,0 +1,20 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+  secrets = config.spacestation-secrets.lesser;
+in
+{
+  imports = [
+    ../modules/tailscale.nix
+  ];
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "both";
+    exitNode = true;
+    tailnetName = secrets.tailnet-name;
+    deviceIp = secrets.device-ip;
+  };
+}