initial commit

2026-04-01 08:50:01 +03:00 · 2026-04-01 08:50:01 +03:00 · 30ce0dafc2
commit 30ce0dafc2
195 changed files with 8902 additions and 0 deletions
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -0,0 +1,42 @@
+name: Nix CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: Enable flakes
+        run: |
+          mkdir -p ~/.config/nix
+          echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+
+      - name: Setup SOPS key
+        if: env.SOPS_AGE_KEY != ''
+        run: |
+          echo "$SOPS_AGE_KEY" > /tmp/key.txt
+          export SOPS_AGE_KEY_FILE=/tmp/key.txt
+        env:
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+
+      - name: Flake check
+        run: nix flake check
+
+      - name: Build all hosts
+        run: |
+          nix flake show --json | jq -r '
+            .nixosConfigurations | keys[]' | while read host; do
+              echo "Building $host"
+              nix build .#nixosConfigurations.$host.config.system.build.toplevel
+          done
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+.envrc
+.direnv
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,13 @@
+creation_rules:
+  - path_regex: \.sops\.yaml$
+    encrypted_regex: ^(data|stringData|\$ANSIBLE_VAULT)
+  - path_regex: ^secrets/.*\.ya?ml$
+    key_groups:
+      - age:
+          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPRVeP7aRYdbIku7Qr6dLFLQrcq8LUUTTpYZZ3E8ZoQK rus07tam
+          - age1qchtmcrsuq7ehf8c60yezurt2cgt64unlhzx2ldntgtnaqds4elslthql3
+          - age10hsw859vkkjk6lss3npzmhu9urjtuhn0x8l63v4h3lfk8wrdxd7s8pfu5g
+
+          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFg3eK2k8JC+iUMsYJFjb8ux19Nl23pi9qQ81ns563Db root@velarion
+          - age13uupj0vkwn6dlgeqvu06le5d2ms0meu0j694tpnvvn6mnct9xs8ssyjtc2
+          - age1723x4jfn3urne8knvxqawmslq8ysr66uml8c3svj6zy0j3hdh4hs94yfqf
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,3 @@
+{
+  "nixEnvSelector.nixFile": "${workspaceFolder}/flake.nix"
+}
--- a/24
+++ b/24
@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <https://unlicense.org>
--- a/README.md
+++ b/README.md
@ -0,0 +1,166 @@
+# nixos-infra
+
+Declarative NixOS infrastructure: host configurations, system modules, services, and user environments. Built on **Nix flakes**, **NixOS modules**, and **Home Manager**.
+
+**Design principles:**
+
+- Single source of truth for all systems
+- Fully reproducible builds
+- Minimal duplication; shared logic in modules and lib
+- Modular services with a unified `machine.<service>.*` interface
+
+**Contents:**
+
+- [Machines](#machines)
+- [Architecture](#architecture)
+- [Repository structure](#repository-structure)
+- [Security](#security)
+- [System update (nixos-update)](#system-update-nixos-update)
+- [Deployment](#deployment)
+- [TODO](#todo)
+- [License](#license)
+
+---
+
+## Machines
+
+| Host         | Role                                        |
+| ------------ | ------------------------------------------- |
+| **elaris**   | Personal desktop                            |
+| **velarion** | RuJect infrastructure (Forgejo, mail, etc.) |
+
+---
+
+## Architecture
+
+- **hosts/** — per-machine configuration (hardware, disk, common baseline)
+- **modules/** — reusable NixOS modules (SSH, security, fonts, nixos-update, etc.)
+- **services/** — service definitions with `options.nix` and `service.nix`; enabled via `machine.<name>.enable`, `machine.<name>.domain`, etc.
+- **users/** — user accounts and Home Manager configs (`system.nix`, `default.nix`, `hosts/<host>.nix`)
+- **lib/** — `mkNixos`, `mkUsers`, `mkHome` for assembling systems and home configs
+
+---
+
+## Repository structure
+
+```plaintext
+.
+├── flake.nix
+├── hosts/
+│   ├── common/          # shared baseline (modules, packages, locale)
+│   ├── elaris/
+│   └── velarion/
+├── modules/             # NixOS modules (ssh, security, nixos-update, …)
+├── services/             # machine.<name>.* service definitions
+├── users/
+├── lib/
+└── secrets/
+```
+
+### Hosts
+
+Per-host config lives under `hosts/<hostname>/` (e.g. `disk.nix`, `machine.nix`, `default.nix`). The `common/` import provides a shared baseline for all hosts (see `hosts/common/default.nix`).
+
+### Lib
+
+- **mkNixos** — builds a `nixosSystem`: flake inputs, host config, Home Manager, users. Entrypoint: `mkNixos { hostname = "velarion"; users = [ "rus07tam" ]; }`.
+- **mkUsers** — turns `users/<name>/system.nix` and `users/<name>/default.nix` into system modules and Home Manager config.
+- **mkHome** — builds Home Manager config for a user on a given host; supports `users/<name>/hosts/<hostname>.nix` overrides.
+
+### Services
+
+Each service is a module with a unified NixOS option namespace `machine.<service>.*`.
+
+**Typical layout** (see `services/forgejo/`):
+
+| File | Purpose |
+|------|---------|
+| `default.nix` | Entry point; imports `options.nix`, `service.nix`, and optional submodules |
+| `options.nix` | Declares `machine.<service>.*` options (enable, domain, port, database, etc.) |
+| `service.nix` | Core service config: enables the service, configures settings, system packages, SSH `AllowUsers` if needed |
+
+**Optional components:**
+
+| File                        | Purpose                                                                                    |
+|---------------------------- |------------------------------------------------------------------------------------------- |
+| `network.nix` / `nginx.nix` | Firewall (`allowedTCPPorts`), nginx virtualHost with reverse proxy, SSL/ACME               |
+| `mail.nix`                  | SMTP/mailer config for the service; mailserver login accounts (when `machine.mail.enable`) |
+| `tmpfiles.nix`              | `systemd.tmpfiles.rules` for directories and static assets (e.g. custom themes)            |
+| `secrets.nix`               | Sops secrets referenced by the service                                                     |
+| `database.nix`              | Database setup (PostgreSQL `ensureDatabases`, `ensureUsers`) when the service needs a DB   |
+
+### Users
+
+Per-user directory: `users/<username>/`.
+
+- **system.nix** — system-level: `users.users.<name>` (groups, `hashedPasswordFile`, `openssh.authorizedKeys`), `services.openssh.settings.AllowUsers`, shared programs (e.g. `programs.fish.enable`). Passwords and sensitive data come from **sops** secrets.
+- **default.nix** — Home Manager base: `imports` (variables, modules), `home.packages`, `targets.genericLinux.enable`.
+- **hosts/\<hostname\>.nix** — host-specific Home Manager overrides.
+- **modules/**, **variables/**, **assets/** — user-local modules and shared variables.
+
+Example layout: `users/rus07tam/{system.nix, default.nix, secrets.nix, variables/, modules/, hosts/}`.
+
+### Secrets
+
+Managed with **sops**. Layout: `secrets/common.yaml`, `secrets/rus07tam.yaml`, etc. Secrets are decrypted at evaluation time and referenced in config (e.g. `config.sops.secrets."rus07tam/hashedPassword".path`).
+
+---
+
+## Security
+
+### Sudo
+
+Configures **sudo** for group `wheel`: NOPASSWD for a fixed set of commands only:
+
+- `nixos-rebuild`
+- `nix`
+- `systemctl`
+- `reboot`
+- `poweroff`
+
+All other operations require a password. This keeps privilege escalation explicit and limited.
+
+### OpenSSH
+
+- **services.openssh**: enabled, `openFirewall = true`.
+- **Global settings**: Access is key-only; root login is disabled.
+- **Per-user access**: each user and each service account that needs SSH (e.g. `forgejo` for git) is added explicitly via `services.openssh.settings.AllowUsers` in the corresponding module (e.g. in `users/rus07tam/system.nix` or `services/forgejo/service.nix`).
+
+---
+
+## System update (nixos-update)
+
+The module **`modules/nixos-update.nix`** (included in the common host baseline) provides a script `nixos-update`, installed as a system package.
+
+It:
+
+1. Clones or updates the flake from `ssh://forgejo@git.ruject.fun/RuJect/nixos-infra.git` into a fixed directory (e.g. `/tmp/nixos-infra-flake`).
+2. Prompts for confirmation.
+3. Runs `nh os switch` for the current host.
+
+Interactive shell startup reminds the user to use `nixos-update` for system updates. Adjust the flake URL and paths in the module if your setup differs.
+
+---
+
+## Deployment
+
+On a host, apply the configuration for that host:
+
+```bash
+sudo nixos-rebuild switch --flake .#<hostname>
+```
+
+Alternatively, use the **nixos-update** script (see [System update (nixos-update)](#system-update-nixos-update)) to pull the latest flake from the remote and run `nh os switch`.
+
+---
+
+## TODO
+
+- Decouple service dependencies so that services can run independently (many currently depend on nginx).
+- Configure **Synapse** and **Prosody**.
+
+---
+
+## License
+
+See [LICENSE](LICENSE).
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,986 @@
+{
+  "nodes": {
+    "apple-fonts": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "ny": "ny",
+        "sf-arabic": "sf-arabic",
+        "sf-armenian": "sf-armenian",
+        "sf-compact": "sf-compact",
+        "sf-georgian": "sf-georgian",
+        "sf-hebrew": "sf-hebrew",
+        "sf-mono": "sf-mono",
+        "sf-pro": "sf-pro"
+      },
+      "locked": {
+        "lastModified": 1772251183,
+        "narHash": "sha256-Zfr9trB8LaesfpupugDgXPqC4F25MO18kyMyb9b2PkM=",
+        "owner": "Lyndeno",
+        "repo": "apple-fonts.nix",
+        "rev": "f8dad87c2cb956695d18c1f36360322d8a0b7d63",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Lyndeno",
+        "repo": "apple-fonts.nix",
+        "type": "github"
+      }
+    },
+    "base16": {
+      "inputs": {
+        "fromYaml": "fromYaml"
+      },
+      "locked": {
+        "lastModified": 1755819240,
+        "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=",
+        "owner": "SenchoPens",
+        "repo": "base16.nix",
+        "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "SenchoPens",
+        "repo": "base16.nix",
+        "type": "github"
+      }
+    },
+    "base16-fish": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1765809053,
+        "narHash": "sha256-XCUQLoLfBJ8saWms2HCIj4NEN+xNsWBlU1NrEPcQG4s=",
+        "owner": "tomyun",
+        "repo": "base16-fish",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tomyun",
+        "repo": "base16-fish",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
+        "type": "github"
+      }
+    },
+    "base16-helix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1760703920,
+        "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
+        "owner": "tinted-theming",
+        "repo": "base16-helix",
+        "rev": "d646af9b7d14bff08824538164af99d0c521b185",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-helix",
+        "type": "github"
+      }
+    },
+    "base16-vim": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1732806396,
+        "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=",
+        "owner": "tinted-theming",
+        "repo": "base16-vim",
+        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-vim",
+        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1773889306,
+        "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "dns": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768143854,
+        "narHash": "sha256-E5/kyPz4zAZn/lZdvqlF83jMgCWNxmqYjjWuadngCbk=",
+        "owner": "nix-community",
+        "repo": "dns.nix",
+        "rev": "a97cf4156e9f044fe4bed5be531061000dfabb07",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "dns.nix",
+        "type": "github"
+      }
+    },
+    "firefox-gnome-theme": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1764873433,
+        "narHash": "sha256-1XPewtGMi+9wN9Ispoluxunw/RwozuTRVuuQOmxzt+A=",
+        "owner": "rafaelmardojai",
+        "repo": "firefox-gnome-theme",
+        "rev": "f7ffd917ac0d253dbd6a3bf3da06888f57c69f92",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rafaelmardojai",
+        "repo": "firefox-gnome-theme",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1751685974,
+        "narHash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=",
+        "ref": "refs/heads/main",
+        "rev": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1",
+        "revCount": 92,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/flake-compat.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/flake-compat.git"
+      }
+    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nvf",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769996383,
+        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "stylix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1767609335,
+        "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "250481aafeb741edfe23d29195671c19b36b6dca",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1614513358,
+        "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "fromYaml": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731966426,
+        "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=",
+        "owner": "SenchoPens",
+        "repo": "fromYaml",
+        "rev": "106af9e2f715e2d828df706c386a685698f3223b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "SenchoPens",
+        "repo": "fromYaml",
+        "type": "github"
+      }
+    },
+    "gnome-shell": {
+      "flake": false,
+      "locked": {
+        "host": "gitlab.gnome.org",
+        "lastModified": 1767737596,
+        "narHash": "sha256-eFujfIUQDgWnSJBablOuG+32hCai192yRdrNHTv0a+s=",
+        "owner": "GNOME",
+        "repo": "gnome-shell",
+        "rev": "ef02db02bf0ff342734d525b5767814770d85b49",
+        "type": "gitlab"
+      },
+      "original": {
+        "host": "gitlab.gnome.org",
+        "owner": "GNOME",
+        "ref": "gnome-49",
+        "repo": "gnome-shell",
+        "type": "gitlab"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1774738535,
+        "narHash": "sha256-2jfBEZUC67IlnxO5KItFCAd7Oc+1TvyV/jQlR+2ykGQ=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "769e07ef8f4cf7b1ec3b96ef015abec9bc6b1e2a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "hyprpanel",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1750798083,
+        "narHash": "sha256-DTCCcp6WCFaYXWKFRA6fiI2zlvOLCf5Vwx8+/0R8Wc4=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "ff31a4677c1a8ae506aa7e003a3dba08cb203f82",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_3": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-openclaw",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1767909183,
+        "narHash": "sha256-u/bcU0xePi5bgNoRsiqSIwaGBwDilKKFTz3g0hqOBAo=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "cd6e96d56ed4b2a779ac73a1227e0bb1519b3509",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "hyprpanel": {
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "home-manager": "home-manager_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1774257081,
+        "narHash": "sha256-92ZbaBfsEXEE7VaWJjv9aRSk3l9nyoYYyMe2AwTqSZI=",
+        "owner": "Jas-SinghFSU",
+        "repo": "HyprPanel",
+        "rev": "e919b4a8a8ab5f2a0752f68576ab3eed6993cefd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Jas-SinghFSU",
+        "repo": "HyprPanel",
+        "type": "github"
+      }
+    },
+    "libnbtplusplus": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650031308,
+        "narHash": "sha256-TvVOjkUobYJD9itQYueELJX3wmecvEdCbJ0FinW2mL4=",
+        "owner": "PolyMC",
+        "repo": "libnbtplusplus",
+        "rev": "2203af7eeb48c45398139b583615134efd8d407f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "PolyMC",
+        "repo": "libnbtplusplus",
+        "type": "github"
+      }
+    },
+    "mnw": {
+      "locked": {
+        "lastModified": 1770419553,
+        "narHash": "sha256-b1XqsH7AtVf2dXmq2iyRr2NC1yG7skY7Z6N2MpWHlK4=",
+        "owner": "Gerg-L",
+        "repo": "mnw",
+        "rev": "2aaffa8030d0b262176146adbb6b0e6374ce2957",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Gerg-L",
+        "repo": "mnw",
+        "type": "github"
+      }
+    },
+    "ndg": {
+      "inputs": {
+        "nixpkgs": [
+          "nvf",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768214250,
+        "narHash": "sha256-hnBZDQWUxJV3KbtvyGW5BKLO/fAwydrxm5WHCWMQTbw=",
+        "owner": "feel-co",
+        "repo": "ndg",
+        "rev": "a6bd3c1ce2668d096e4fdaaa03ad7f03ba1fbca8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "feel-co",
+        "ref": "refs/tags/v2.6.0",
+        "repo": "ndg",
+        "type": "github"
+      }
+    },
+    "nix-openclaw": {
+      "inputs": {
+        "flake-utils": "flake-utils_4",
+        "home-manager": "home-manager_3",
+        "nix-steipete-tools": "nix-steipete-tools",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773851886,
+        "narHash": "sha256-+3ygZuf5K8mtSGMMEZ/h+vxGvXCu1CmiB+531KMagH8=",
+        "owner": "openclaw",
+        "repo": "nix-openclaw",
+        "rev": "64d410666821866c565e048a4d07d6cf5d8e494e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "openclaw",
+        "repo": "nix-openclaw",
+        "type": "github"
+      }
+    },
+    "nix-steipete-tools": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1773561580,
+        "narHash": "sha256-wT0bKTp45YnMkc4yXQvk943Zz/rksYiIjEXGdWzxnic=",
+        "owner": "openclaw",
+        "repo": "nix-steipete-tools",
+        "rev": "cd4c429ff3b3aaef9f92e59812cf2baf5704b86f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "openclaw",
+        "repo": "nix-steipete-tools",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773628058,
+        "narHash": "sha256-hpXH0z3K9xv0fHaje136KY872VT2T5uwxtezlAskQgY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "f8573b9c935cfaa162dd62cc9e75ae2db86f85df",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1767364772,
+        "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1774386573,
+        "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1761880412,
+        "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nur": {
+      "inputs": {
+        "flake-parts": [
+          "stylix",
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "stylix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1767810917,
+        "narHash": "sha256-ZKqhk772+v/bujjhla9VABwcvz+hB2IaRyeLT6CFnT0=",
+        "owner": "nix-community",
+        "repo": "NUR",
+        "rev": "dead29c804adc928d3a69dfe7f9f12d0eec1f1a4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "NUR",
+        "type": "github"
+      }
+    },
+    "nvf": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "mnw": "mnw",
+        "ndg": "ndg",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1774736237,
+        "narHash": "sha256-uQ+Was7QP9Bupr0XZyZXOAD32Ox8z2mJnevT2FmDwS8=",
+        "owner": "notashelf",
+        "repo": "nvf",
+        "rev": "a0636d5c977743851c91d3c2e74bfac90be48835",
+        "type": "github"
+      },
+      "original": {
+        "owner": "notashelf",
+        "repo": "nvf",
+        "type": "github"
+      }
+    },
+    "ny": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-3257NAH4qlan2YHVLpNRy7x8IJqR2pal3OzFo/ykqXs=",
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/NY.dmg"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/NY.dmg"
+      }
+    },
+    "polymc": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "libnbtplusplus": "libnbtplusplus",
+        "nixpkgs": "nixpkgs_4",
+        "tomlplusplus": "tomlplusplus"
+      },
+      "locked": {
+        "lastModified": 1772648049,
+        "narHash": "sha256-iPOTfk1seKcKdus3+ksnZUUr3NFxwsz9d93vtxSmg5c=",
+        "owner": "PolyMC",
+        "repo": "PolyMC",
+        "rev": "5603242bf3b70d83a8dbd171b52be5f4fcedfc1c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "PolyMC",
+        "repo": "PolyMC",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "apple-fonts": "apple-fonts",
+        "disko": "disko",
+        "dns": "dns",
+        "flake-utils": "flake-utils_2",
+        "home-manager": "home-manager",
+        "hyprpanel": "hyprpanel",
+        "nix-openclaw": "nix-openclaw",
+        "nixpkgs": "nixpkgs_3",
+        "nvf": "nvf",
+        "polymc": "polymc",
+        "sops-nix": "sops-nix",
+        "stylix": "stylix"
+      }
+    },
+    "sf-arabic": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-/0gjRimqvZyE60xYxxPdlU+7Q2LJnnvtbmwOP0YmS9U=",
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Arabic.dmg"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Arabic.dmg"
+      }
+    },
+    "sf-armenian": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-rRoDkbNMYkzOHZmQm96Zv80TZvRlAeoxkv4pMHP5nUg=",
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Armenian.dmg"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Armenian.dmg"
+      }
+    },
+    "sf-compact": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-oLhkN4HYkU1Xjxk+xdmyxJmROSzo1qd/tafdxw7icxs=",
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Compact.dmg"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Compact.dmg"
+      }
+    },
+    "sf-georgian": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-IevVNOC28IiR45YfI3PsZzXLMRxuB5u7UiE53Zn6tRU=",
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Georgian.dmg"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Georgian.dmg"
+      }
+    },
+    "sf-hebrew": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-Dw84kYwMpCtKKKqm8cZcQ9TZ7GayU5MO7W0LJw0Rcwk=",
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Hebrew.dmg"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Hebrew.dmg"
+      }
+    },
+    "sf-mono": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-ICdHRFdNL7PM/fXJUzS7LgZxZiqcyIuCMHLze4En4vg=",
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Mono.dmg"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Mono.dmg"
+      }
+    },
+    "sf-pro": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-s42hsaUe0Vkaw5yw8G7G3W3AYJb2TPqSlMqPyY0e5WU=",
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Pro.dmg"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://devimages-cdn.apple.com/design/resources/download/SF-Pro.dmg"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1774760784,
+        "narHash": "sha256-D+tgywBHldTc0klWCIC49+6Zlp57Y4GGwxP1CqfxZrY=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "8adb84861fe70e131d44e1e33c426a51e2e0bfa5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "stylix": {
+      "inputs": {
+        "base16": "base16",
+        "base16-fish": "base16-fish",
+        "base16-helix": "base16-helix",
+        "base16-vim": "base16-vim",
+        "firefox-gnome-theme": "firefox-gnome-theme",
+        "flake-parts": "flake-parts_2",
+        "gnome-shell": "gnome-shell",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nur": "nur",
+        "systems": "systems_5",
+        "tinted-foot": "tinted-foot",
+        "tinted-kitty": "tinted-kitty",
+        "tinted-schemes": "tinted-schemes",
+        "tinted-tmux": "tinted-tmux",
+        "tinted-zed": "tinted-zed"
+      },
+      "locked": {
+        "lastModified": 1774124764,
+        "narHash": "sha256-Poz9WTjiRlqZIf197CrMMJfTifZhrZpbHFv0eU1Nhtg=",
+        "owner": "danth",
+        "repo": "stylix",
+        "rev": "e31c79f571c5595a155f84b9d77ce53a84745494",
+        "type": "github"
+      },
+      "original": {
+        "owner": "danth",
+        "repo": "stylix",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "tinted-foot": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1726913040,
+        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
+        "owner": "tinted-theming",
+        "repo": "tinted-foot",
+        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-foot",
+        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
+        "type": "github"
+      }
+    },
+    "tinted-kitty": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1735730497,
+        "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=",
+        "owner": "tinted-theming",
+        "repo": "tinted-kitty",
+        "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-kitty",
+        "type": "github"
+      }
+    },
+    "tinted-schemes": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767710407,
+        "narHash": "sha256-+W1EB79Jl0/gm4JqmO0Nuc5C7hRdp4vfsV/VdzI+des=",
+        "owner": "tinted-theming",
+        "repo": "schemes",
+        "rev": "2800e2b8ac90f678d7e4acebe4fa253f602e05b2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "schemes",
+        "type": "github"
+      }
+    },
+    "tinted-tmux": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767489635,
+        "narHash": "sha256-e6nnFnWXKBCJjCv4QG4bbcouJ6y3yeT70V9MofL32lU=",
+        "owner": "tinted-theming",
+        "repo": "tinted-tmux",
+        "rev": "3c32729ccae99be44fe8a125d20be06f8d7d8184",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-tmux",
+        "type": "github"
+      }
+    },
+    "tinted-zed": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767488740,
+        "narHash": "sha256-wVOj0qyil8m+ouSsVZcNjl5ZR+1GdOOAooAatQXHbuU=",
+        "owner": "tinted-theming",
+        "repo": "base16-zed",
+        "rev": "11abb0b282ad3786a2aae088d3a01c60916f2e40",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-zed",
+        "type": "github"
+      }
+    },
+    "tomlplusplus": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1756542235,
+        "narHash": "sha256-qcc8yXND9htFqjQADU60+xoJZ0acoQwcs7tIK1LgAOg=",
+        "owner": "marzer",
+        "repo": "tomlplusplus",
+        "rev": "e7aaccca3fa3dbde9818ab8313250f3da4976e37",
+        "type": "github"
+      },
+      "original": {
+        "owner": "marzer",
+        "repo": "tomlplusplus",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,103 @@
+{
+  description = "RuJect Nix meta repository";
+
+  inputs = {
+    # nixpkgs
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+    # home-manager
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # games
+    polymc.url = "github:PolyMC/PolyMC";
+
+    # other
+    flake-utils.url = "github:numtide/flake-utils";
+    disko.url = "github:nix-community/disko";
+    nvf = {
+      url = "github:notashelf/nvf";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    stylix = {
+      url = "github:danth/stylix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    apple-fonts = {
+      url = "github:Lyndeno/apple-fonts.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    hyprpanel = {
+      url = "github:Jas-SinghFSU/HyprPanel";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    dns = {
+      url = "github:nix-community/dns.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nix-openclaw = {
+      url = "github:openclaw/nix-openclaw";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      nixpkgs,
+      flake-utils,
+      ...
+    }@inputs:
+    let
+      mkNixos = import ./lib/mkNixos.nix;
+      infra = {
+        users = [
+          "rus07tam"
+        ];
+        modules = [
+          inputs.disko.nixosModules.disko
+        ];
+        overlays = [
+          inputs.polymc.overlay
+          inputs.nix-openclaw.overlays.default
+        ];
+        inherit inputs;
+      };
+    in
+    flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        pkgs = nixpkgs.legacyPackages.${system};
+      in
+      {
+        packages = { };
+
+        formatter = pkgs.nixfmt-tree;
+      }
+    )
+    // {
+      nixosConfigurations = {
+        elaris = mkNixos (
+          infra
+          // {
+            hostname = "elaris";
+          }
+        );
+        velarion = mkNixos (
+          infra
+          // {
+            hostname = "velarion";
+            users = [
+              "rus07tam"
+              "macan"
+            ];
+          }
+        );
+      };
+    };
+}
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -0,0 +1,75 @@
+{
+  pkgs,
+  modulesPath,
+  hostname,
+  lib,
+  config,
+  ...
+}:
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    ../../modules/direnv.nix
+    ../../modules/fonts.nix
+    ../../modules/motd.nix
+    ../../modules/nh.nix
+    ../../modules/nix.nix
+    ../../modules/nixos-update.nix
+    ../../modules/sops.nix
+    ../../modules/ssh.nix
+    ../../modules/remote-build.nix
+    ../../modules/security.nix
+    ../../modules/tmux.nix
+    ../../services
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  system.stateVersion = "25.11";
+  environment.systemPackages = with pkgs; [
+    atool
+    curl
+    cmake
+    dig
+    eza
+    fastfetch
+    git
+    ripgrep
+    bat
+    rmtrash
+  ];
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "en_US.UTF-8";
+      LC_IDENTIFICATION = "en_US.UTF-8";
+      LC_MEASUREMENT = "en_US.UTF-8";
+      LC_MONETARY = "en_US.UTF-8";
+      LC_NAME = "en_US.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "en_US.UTF-8";
+      LC_TELEPHONE = "en_US.UTF-8";
+      LC_TIME = "en_US.UTF-8";
+    };
+  };
+
+  console = {
+    font = "cyr-sun16";
+    keyMap = "ruwin_alt_sh-UTF-8";
+  };
+
+  programs.nix-ld = {
+    enable = true;
+    libraries = [ ];
+  };
+
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+  };
+
+  time.timeZone = lib.mkDefault "Europe/Moscow";
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/elaris/default.nix
+++ b/hosts/elaris/default.nix
@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./secrets.nix
+    ./machine.nix
+    ../../modules/audio.nix
+    ../../modules/throne.nix
+    ../../modules/opentablet.nix
+  ];
+
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sdc";
+    useOSProber = true;
+  };
+
+  programs.dconf.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    android-tools
+  ];
+}
--- a/hosts/elaris/hardware-configuration.nix
+++ b/hosts/elaris/hardware-configuration.nix
@ -0,0 +1,30 @@
+{
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/5a3b4297-3879-4adc-a8eb-6b7c13bfcb81";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/ba42c990-1896-4a4d-8a08-d5ada45c4b72"; }
+  ];
+
+  hardware = {
+    graphics.enable = true;
+    nvidia.modesetting.enable = true;
+  };
+}
--- a/hosts/elaris/machine.nix
+++ b/hosts/elaris/machine.nix
@ -0,0 +1,7 @@
+{
+  machine.xray-3x-ui = {
+    enable = true;
+    domain = "3x-ui.ruject.fun";
+    subscriptions.domain = "sub.3x-ui.ruject.fun";
+  };
+}
--- a/hosts/elaris/secrets.nix
+++ b/hosts/elaris/secrets.nix
@ -0,0 +1,16 @@
+{
+  sops.secrets = {
+    "elaris/publicKey" = {
+      sopsFile = ./../../secrets/elaris.yaml;
+      mode = "0644";
+      owner = "root";
+      group = "root";
+    };
+    "elaris/privateKey" = {
+      sopsFile = ./../../secrets/elaris.yaml;
+      mode = "0600";
+      owner = "root";
+      group = "root";
+    };
+  };
+}
--- a/hosts/velarion/default.nix
+++ b/hosts/velarion/default.nix
@ -0,0 +1,25 @@
+{ modulesPath, ... }:
+{
+  imports = [
+    ./disk.nix
+    ./machine.nix
+    ./secrets.nix
+    ../../modules/podman.nix
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    useOSProber = true;
+  };
+
+  programs.dconf.enable = true;
+
+  # Setup DKIM key directory
+  systemd.tmpfiles.rules = [
+    "d /var/dkim 0755 root root - -"
+  ];
+}
--- a/hosts/velarion/disk.nix
+++ b/hosts/velarion/disk.nix
@ -0,0 +1,37 @@
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = "/dev/vda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/velarion/machine.nix
+++ b/hosts/velarion/machine.nix
@ -0,0 +1,161 @@
+{dns, ...}: let
+  domain = "ruject.fun";
+  database = {
+    host = "127.0.0.1";
+    port = 5432;
+  };
+  ipv4 = "94.156.112.0";
+in {
+  services.nginx.enable = true;
+  machine = {
+    gateway = "10.0.0.1";
+    inherit ipv4;
+    bind = {
+      enable = true;
+      inherit domain;
+      zones = with dns.lib.combinators; {
+        ${domain} = {
+          SOA = {
+            nameServer = "ns1";
+            adminEmail = "hostmaster";
+            serial = 2019030800;
+            refresh = 3 * 60 * 60; # 3 hours
+            retry = 1 * 60 * 60; # 1 hour
+            expire = 7 * 24 * 60 * 60; # 7 days
+          };
+          useOrigin = false;
+          NS = [
+            "ns1"
+            "ns2"
+          ];
+
+          A = [ipv4];
+
+          subdomains = rec {
+            ns1 = host ipv4 null;
+            ns2 = ns1;
+            "3x-ui" = ns1;
+            "sub.3x-ui" = ns1;
+            git = ns1;
+            music = ns1;
+            bitwarden = ns1;
+            roundcube = ns1;
+            status = ns1;
+            irc = ns1;
+            "upload.irc" = ns1;
+            nextcloud = ns1;
+            code = ns1;
+            mail = ns1;
+            matrix = ns1;
+            chat = ns1;
+            turn = ns1;
+          };
+
+          TXT = [
+            (with spf; strict ["a:mail.ruject.fun"])
+          ];
+
+          MX = with mx; [(mx 10 "mail.ruject.fun.")];
+
+          DMARC = [
+            {
+              p = "quarantine";
+              adkim = "strict";
+              aspf = "strict";
+            }
+          ];
+          DKIM = [
+            {
+              selector = "mail";
+              k = "rsa";
+              p = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0L14rM/ObA5WwVlPpCMiy3ESOhqo9Ye0edtc52sjt+YxJxpDgT1oo1yCdoXWbF38/f2RfqgmBCKg0+N9YQFsAL8FbBcAlkERXbt52T/5A5gBkfUnwB1I646WQdT43JsCWiSYgDc4IcVM/tG8Quj/oKois+b8W6dco6NWLET7bBcnBCEfJYL7TLnG+O83poB+gHef3g0WqwMMqXqbgvJutGb4uevJ327Ywa77fcUp7oYrMvgz6ESmetgmsizTwJadwuXC2k4E50ZmlM3tdjpisQgaUImJBqEa311SXfkhD9AbKjfp5tmOjinPMZwqVM09GFkIn89X7U6LDykh85zBNwIDAQAB";
+            }
+          ];
+        };
+      };
+    };
+    code-server = {
+      enable = true;
+      port = 4444;
+      domain = "code.${domain}";
+      user = "rus07tam";
+      hashedPassword = "$argon2i$v=19$m=4096,t=3,p=1$Z29zNjNOalFobUwyak1YY3pwYlYwL0IrN053PQ$hmRE46O8UM9zTgINjt5/xn35xypU+MMxNNq1r7xPXqo";
+    };
+    coturn = {
+      enable = true;
+      startPort = 49000;
+      endPort = 50000;
+      realm = "turn.${domain}";
+    };
+    forgejo = {
+      enable = true;
+      enableRunner = true;
+      domain = "git.${domain}";
+      port = 3000;
+      inherit database;
+    };
+    mail = {
+      enable = true;
+      inherit domain;
+      fqdn = "mail.${domain}";
+    };
+    minecraft-server = {
+      enable = false;
+      port = 25565;
+    };
+    mysql = {
+      enable = true;
+      port = 3306;
+    };
+    navidrome = {
+      enable = true;
+      domain = "music.${domain}";
+      port = 4533;
+      folder = "/mnt/music";
+    };
+    postgresql = {
+      enable = true;
+      port = 5432;
+    };
+    prosody = {
+      enable = true;
+      port = 5347;
+      domain = "irc.${domain}";
+    };
+    nextcloud = {
+      enable = true;
+      host = "nextcloud.${domain}";
+    };
+    redis = {
+      enable = true;
+      port = 6379;
+    };
+    roundcube = {
+      enable = true;
+      domain = "roundcube.${domain}";
+    };
+    synapse = {
+      enable = true;
+      element = {
+        enable = true;
+        domain = "chat.${domain}";
+      };
+      domain = "matrix.${domain}";
+      port = 8008;
+      metrics = {
+        enable = true;
+        port = 9000;
+      };
+    };
+    uptime-kuma = {
+      enable = true;
+      domain = "status.${domain}";
+      port = 4000;
+    };
+    vaultwarden = {
+      enable = true;
+      domain = "bitwarden.${domain}";
+      port = 4534;
+    };
+  };
+}
--- a/hosts/velarion/secrets.nix
+++ b/hosts/velarion/secrets.nix
@ -0,0 +1,25 @@
+{
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.bind;
+in
+with lib; mkIf cfg.enable {
+  sops.secrets = {
+    "velarion/publicKey" = {
+      sopsFile = ./../../secrets/velarion.yaml;
+      path = "/etc/ssh/ssh_host_ed25519_key.pub";
+      mode = "0644";
+      owner = "root";
+      group = "root";
+    };
+    "velarion/privateKey" = {
+      sopsFile = ./../../secrets/velarion.yaml;
+      path = "/etc/ssh/ssh_host_ed25519_key";
+      mode = "0600";
+      owner = "root";
+      group = "root";
+    };
+  };
+}
--- a/lib/baseHome.nix
+++ b/lib/baseHome.nix
@ -0,0 +1,16 @@
+{
+  osConfig,
+  config,
+  username,
+  ...
+}:
+{
+  _module.args = {
+    me = {
+      inherit username;
+    }
+    // osConfig.users.users.${username};
+    osSec = osConfig.sops.secrets;
+    sec = config.sops.secrets;
+  };
+}
--- a/lib/mkColmena.nix
+++ b/lib/mkColmena.nix
@ -0,0 +1,49 @@
+{
+  hostname,
+  inputs,
+  users ? [ ],
+  modules ? [ ],
+  overlays ? [ ],
+}:
+let
+  mkHome = import ./mkHome.nix;
+  usersHomes = builtins.listToAttrs (
+    map (username: {
+      name = username;
+      value = mkHome {
+        inherit username hostname;
+      };
+    }) users
+  );
+  usersSystemsConfigs = map (username: ../users/${username}/system.nix) users;
+in
+{
+  deployment = {
+    allowLocalDeployment = true;
+    tags = [ hostname ];
+  };
+  imports = [
+    {
+      _module.args = {
+        inherit inputs;
+        inherit hostname;
+      };
+      nixpkgs.overlays = overlays;
+    }
+    ../hosts/${hostname}
+    ../hosts/common
+    inputs.home-manager.nixosModules.home-manager
+    {
+      home-manager = {
+        useGlobalPkgs = true;
+        extraSpecialArgs = {
+          inherit inputs;
+          inherit hostname;
+        };
+        users = usersHomes;
+      };
+    }
+  ]
+  ++ modules
+  ++ usersSystemsConfigs;
+}
--- a/lib/mkHome.nix
+++ b/lib/mkHome.nix
@ -0,0 +1,19 @@
+{
+  username,
+  hostname,
+}:
+{
+  imports = [
+    ./baseHome.nix
+    ../users/${username}/home.nix
+    ../users/${username}/hosts/${hostname}.nix
+  ];
+  home = {
+    inherit username;
+    stateVersion = "25.05";
+  };
+  _module.args = {
+    inherit username;
+    inherit hostname;
+  };
+}
--- a/lib/mkNixos.nix
+++ b/lib/mkNixos.nix
@ -0,0 +1,45 @@
+{
+  hostname,
+  inputs,
+  system ? "x86_64-linux",
+  users ? [ ],
+  modules ? [ ],
+  homeModules ? [ ],
+  overlays ? [ ],
+}:
+let
+  mkUsers = import ./mkUsers.nix;
+in
+inputs.nixpkgs.lib.nixosSystem {
+  inherit system;
+  modules = [
+    {
+      _module.args = {
+        inherit inputs;
+        inherit hostname;
+        inherit system;
+      }
+      // inputs;
+      nixpkgs.overlays = overlays;
+    }
+    inputs.sops-nix.nixosModules.sops
+    inputs.home-manager.nixosModules.home-manager
+    {
+      home-manager = {
+        useGlobalPkgs = true;
+        sharedModules = [ inputs.sops-nix.homeManagerModules.sops ] ++ homeModules;
+        extraSpecialArgs = {
+          inherit inputs;
+          inherit hostname;
+        };
+      };
+    }
+    ../hosts/${hostname}
+    ../hosts/common
+    (mkUsers {
+      inherit hostname;
+      inherit users;
+    })
+  ]
+  ++ modules;
+}
--- a/lib/mkUsers.nix
+++ b/lib/mkUsers.nix
@ -0,0 +1,20 @@
+{
+  hostname,
+  users ? [ ],
+}:
+let
+  mkHome = import ./mkHome.nix;
+  usersHomes = builtins.listToAttrs (
+    map (username: {
+      name = username;
+      value = mkHome {
+        inherit username hostname;
+      };
+    }) users
+  );
+  usersSystemsConfigs = map (username: ../users/${username}/system.nix) users;
+in
+{
+  home-manager.users = usersHomes;
+  imports = usersSystemsConfigs;
+}
--- a/modules/audio.nix
+++ b/modules/audio.nix
@ -0,0 +1,21 @@
+{
+  security.rtkit.enable = true;
+  services.pulseaudio.enable = false;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+    wireplumber = {
+      enable = true;
+      extraConfig = {
+        "10-disable-camera" = {
+          "wireplumber.profiles" = {
+            main."monitor.libcamera" = "disabled";
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/direnv.nix
+++ b/modules/direnv.nix
@ -0,0 +1,8 @@
+{
+  programs.direnv = {
+    enable = true;
+    nix-direnv = {
+      enable = true;
+    };
+  };
+}
--- a/modules/fonts.nix
+++ b/modules/fonts.nix
@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+  fonts = {
+    packages = with pkgs; [
+      roboto
+      work-sans
+      comic-neue
+      source-sans
+      comfortaa
+      inter
+      lato
+      lexend
+      jost
+      dejavu_fonts
+      noto-fonts
+      noto-fonts-cjk-sans
+      noto-fonts-color-emoji
+      nerd-fonts.fira-code
+      nerd-fonts.meslo-lg
+      openmoji-color
+      twemoji-color-font
+    ];
+    enableDefaultPackages = false;
+  };
+}
--- a/modules/home-manager.nix
+++ b/modules/home-manager.nix
@ -0,0 +1,6 @@
+{
+  home-manager = {
+    useUserPackages = true;
+    backupFileExtension = "backup";
+  };
+}
--- a/modules/motd.nix
+++ b/modules/motd.nix
@ -0,0 +1,13 @@
+{
+  hostname,
+  system,
+  ...
+}:
+{
+  users.motd = ''
+    This is a NixOS machine.
+    Machine: ${hostname} (${system})
+    Configuration: https://git.ruject.fun/RuJect/nixos-infra
+    If you administer this machine, you can run 'nixos-update' to update the configuration
+  '';
+}
--- a/modules/nh.nix
+++ b/modules/nh.nix
@ -0,0 +1,8 @@
+{
+  programs.nh = {
+    enable = true;
+    clean.enable = true;
+    clean.extraArgs = "--keep-since 4d --keep 3";
+    flake = "/home/rus07tam/nixos-infra";
+  };
+}
--- a/modules/nix.nix
+++ b/modules/nix.nix
@ -0,0 +1,39 @@
+{ lib, ... }:
+{
+  nixpkgs = {
+    hostPlatform = lib.mkDefault "x86_64-linux";
+    config.allowUnfree = true;
+  };
+
+  nix = {
+    channel.enable = false;
+    extraOptions = ''
+      warn-dirty = false
+    '';
+    settings = {
+      download-buffer-size = 262144000; # 250 MB
+      auto-optimise-store = true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+      substituters = [
+        "https://cache.nixos.org?priority=10"
+        "https://hyprland.cachix.org"
+        "https://nix-community.cachix.org"
+        "https://numtide.cachix.org"
+        "https://walker-git.cachix.org"
+      ];
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
+      trusted-public-keys = [
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+        "walker-git.cachix.org-1:vmC0ocfPWh0S/vRAQGtChuiZBTAe4wiKDeyyXM0/7pM="
+      ];
+    };
+  };
+}
--- a/modules/nixos-update.nix
+++ b/modules/nixos-update.nix
@ -0,0 +1,55 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  hostname = config.networking.hostName;
+  flakeDir = "/tmp/nixos-infra-flake";
+  updateScript = pkgs.writeShellScriptBin "nixos-update" ''
+    #!/usr/bin/env bash
+    set -euo pipefail
+
+    FLAKE_URL="ssh://forgejo@git.ruject.fun/RuJect/nixos-infra.git"
+    FLAKE_DIR="${flakeDir}"
+    REBUILD_CMD="nh os switch $FLAKE_DIR -H ${hostname}"
+
+    echo "→ Updating flake from git.ruject.fun..."
+
+    if [[ ! -d "$FLAKE_DIR/.git" ]]; then
+        echo "→ Cloning $FLAKE_DIR ..."
+        git clone --depth=1 "$FLAKE_URL" "$FLAKE_DIR"
+    else
+        echo "→ Repository $FLAKE_DIR already exists, updating..."
+        git -C "$FLAKE_DIR" fetch --depth=1
+        git -C "$FLAKE_DIR" reset --hard FETCH_HEAD
+    fi
+
+    echo "→ Will run:"
+    echo "    $REBUILD_CMD"
+
+    read -r -p "→ Continue? [Y/n] " answer
+    case "$answer" in
+        [Yy]*|"")
+            echo "→ Running..."
+            $REBUILD_CMD
+            ;;
+        *)
+            echo "→ Cancelled by user."
+            exit 0
+            ;;
+    esac
+
+    echo
+    echo "→ Done."
+  '';
+in
+{
+  environment.systemPackages = [
+    updateScript
+  ];
+
+  environment.interactiveShellInit = ''
+    echo "For update system use command:  nixos-update"
+  '';
+}
--- a/modules/opentablet.nix
+++ b/modules/opentablet.nix
@ -0,0 +1,3 @@
+{
+  hardware.opentabletdriver.enable = true;
+}
--- a/modules/podman.nix
+++ b/modules/podman.nix
@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+  virtualisation = {
+    containers.enable = true;
+    oci-containers.backend = "podman";
+  };
+
+  virtualisation.podman = {
+    enable = true;
+    dockerSocket.enable = true;
+    dockerCompat = true;
+    defaultNetwork.settings.dns_enabled = false;
+  };
+
+  environment.systemPackages = with pkgs; [
+    podman
+    podman-compose
+  ];
+}
--- a/modules/remote-build.nix
+++ b/modules/remote-build.nix
@ -0,0 +1,61 @@
+{ pkgs, ... }:
+{
+  sops.secrets = {
+    "remote-build/publicKey" = {
+      sopsFile = ./../secrets/common.yaml;
+      path = "/root/.ssh/remote-build.pub";
+      mode = "0644";
+      owner = "root";
+      group = "root";
+    };
+    "remote-build/privateKey" = {
+      sopsFile = ./../secrets/common.yaml;
+      path = "/root/.ssh/remote-build";
+      mode = "0600";
+      owner = "root";
+      group = "root";
+    };
+  };
+
+  services.openssh.settings.AllowUsers = [ "remotebuild" ];
+  users = {
+    users.remotebuild = {
+      isSystemUser = true;
+      group = "remotebuild";
+      shell = pkgs.bashInteractive;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDGsHMycO4DL/HlkyWbzSQ6fzeWwRje/pb44NNwrwB11 remotebuild@ruject"
+      ];
+    };
+    groups.remotebuild = { };
+  };
+
+  nix = {
+    distributedBuilds = true;
+    settings = {
+      builders-use-substitutes = true;
+      trusted-users = [ "remotebuild" ];
+    };
+
+    buildMachines = [
+      {
+        hostName = "ruject.fun";
+        sshUser = "remotebuild";
+        sshKey = "/root/.ssh/remote-build";
+        protocol = "ssh";
+        system = "x86_64-linux";
+        systems = [
+          "x86_64-linux"
+        ];
+        maxJobs = 4;
+        speedFactor = 2;
+        supportedFeatures = [
+          "nixos-test"
+          "benchmark"
+          "big-parallel"
+          "kvm"
+        ];
+      }
+    ];
+  };
+}
--- a/modules/security.nix
+++ b/modules/security.nix
@ -0,0 +1,32 @@
+{
+  security.sudo = {
+    enable = true;
+    extraRules = [
+      {
+        groups = [ "wheel" ];
+        commands = [
+          {
+            command = "/run/current-system/sw/bin/nixos-rebuild";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "/run/current-system/sw/bin/nix";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "/run/current-system/sw/bin/systemctl";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "/run/current-system/sw/bin/reboot";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "/run/current-system/sw/bin/poweroff";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+    ];
+  };
+}
--- a/modules/sops.nix
+++ b/modules/sops.nix
@ -0,0 +1,19 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+{
+  _module.args = {
+    sec = config.sops.secrets;
+  };
+
+  environment.systemPackages = with pkgs; [
+    sops
+  ];
+
+  sops = {
+    defaultSopsFile = ./../secrets/common.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+}
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -0,0 +1,11 @@
+{
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+}
--- a/modules/throne.nix
+++ b/modules/throne.nix
@ -0,0 +1,9 @@
+{
+  programs.throne = {
+    enable = true;
+    tunMode = {
+      enable = true;
+      setuid = true;
+    };
+  };
+}
--- a/modules/tmux.nix
+++ b/modules/tmux.nix
@ -0,0 +1,6 @@
+{
+  programs.tmux = {
+    enable = true;
+    clock24 = true;
+  };
+}
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@ -0,0 +1,86 @@
+pgsql:
+    stub_password: ENC[AES256_GCM,data:sv1LiXVMp0M1K0V3p3uNUw9Z+Csxzn92R1dmPw==,iv:7QVwH0VKEWekmdL3AGIZ4StCQenk2Fkgg/j1cx+EQ6s=,tag:9phQFL5zoRg2Ozc3y+oUhw==,type:str]
+    ruject_password: ENC[AES256_GCM,data:1aK1JyxhlFO8l1O4BmI/Rg==,iv:QUB3gVt7sfK7h9zmIuafl3aVpI6Bfl6W5YS3Y6CUXZs=,tag:uu19ZMFu8SpB6BotYwSxtA==,type:str]
+redis:
+    password: ENC[AES256_GCM,data:JlPBdw8kYha0njCEIg1lWjDGl9bOM3Nf0YsmRWhXAENvmJCfJxRym3/KKvu2yzaq1u+gUtur,iv:5W8gzdPP28GOtcRGfY7Cm9EwI8RxOX43g1nPY1WUido=,tag:xZhLXIfchwy/PTpqYe38bw==,type:str]
+forgejo:
+    runnerToken: ENC[AES256_GCM,data:35QFaIHQTh2vkqH2r7yJIeMqmJoeUm6cAnwNGIwhMVlZDwx0CqwXcrKJ9B5qQg==,iv:VLMWH5RUZQua2CWfI7fm6b6NgXgxcY/ofj8c1ue9F4c=,tag:U/Q0EeQeyL/ptz/5phPqHA==,type:str]
+mail:
+    adminPassword: ENC[AES256_GCM,data:AHE/5iezL1MEPQ==,iv:+xEuFvWcjvW9mNEuOkcRZpGynJ1m4BBEyFR0OOgCBjg=,tag:qPlKRvnXByeQ+rCk2x8XZQ==,type:str]
+    servicePassword: ENC[AES256_GCM,data:3MIyNYsTYoYfjixtkSrafXGfJSwFCR9XPTVP73dnkWmsRhtKJJiE63AyzkSNHrmq9TYDrRhB8rrAlYegVnkgEpV3HJYmjrYVCvpcd+/qyckx0XXoyRF4VMFjpKwR/Zs54VvWgY45AO9c5vgzyo+v6VKZcdEJZHKd05p0oTY5KDk=,iv:EswLlL0BEljkLM7eN9qcd5TCeRhXAJsKHuZkC08GkPg=,tag:343y2ccMtiW6XhSm9yCdXw==,type:str]
+    serviceHashedPassword: ENC[AES256_GCM,data:Hgkyrxdkrp0V0ufP1/83yjgn1InyvwSW1qbHPDknLKdmD8tSAP8Du8KCHnAvApFc9zZznxs74/0X9c/MrqPiWly4Rire0UklmQ==,iv:DuL4bzlTO2BCf1cFEn6vHvitWifch3KTCPO1y2yhp8o=,tag:Nz4F+7vTpRwDP3jBPX7ncg==,type:str]
+    NikitaHapanulStaff228HashedPassword: ENC[AES256_GCM,data:zU2J7VgjKcfLKWINzpMXyn7t56c29elaQOs5QwTUh3/jtZmW6NMmK7ixfe0q0RpbPUvlZ3+aoZx53iK5,iv:YBh5BulGBqPFMlgeGCmAUOsbwEpWTVikdnYdEZAiL6E=,tag:ME+rXqlN599i7HfOCxAWlQ==,type:str]
+    nikitapocox6prohype: ENC[AES256_GCM,data:YWoNud+wj+vNuoDwggJ2u/wRsrBCHVJZzmrjuawEcFir0AgKKDmSE6TgA23ME8nbgf5eZDe/W9OrqScC,iv:CCa6xHt7tlZmqR/efUVbptc+dgAUFYKtYFgY/RuTsmU=,tag:Wt1+XvnmgizoD/bq9F8PXg==,type:str]
+nextcloud:
+    adminPassword: ENC[AES256_GCM,data:DAcDVpXzB4YGW4WjhfdbRmD4KqzCNzSGkeLUkLWqBjDD5oUzHJGQPWmCPGA0FPjnD7m+Amp7PGL2EiVUb25fnZLpjdvCMBlV3LX+7FhrbhgRLC08tuzNnbTC5wZnFMnNVyafVo6KbHizNZ010CLS7nPmNLEQ66u8D1itfjzAhiM=,iv:oFSMCPuGrvxo1FmdZzItCKo8MBXdPwypxJTNIHZtaYE=,tag:VihrlVnC8f2C3bBNl1EiLQ==,type:str]
+matrix:
+    registrationSharedSecret: ENC[AES256_GCM,data:D7QXctCxuAklGaJ97Hs1FVklGir+Bm0FywEobBy/g10OZep59k5ZZvMIryD9mliRcTBZ6yDCLEUSrCR/mivODMwCIeHa7j/bQ+aRePdfldGxKwVTDPj9bPrqHlIjD/udnCfLxMUoiDlW28qRvREViFV2UCUsfv30Vs781Cb+w+jxMYd+jlvGlMQ8yR1KcHiz/OFmXqa4Mf9VGWBk3lo46hXp3hfUPNmRkEe1TJydkqsk/tT983W5T1D3yPEhYyFKffOW5DoxZCVqB/rqgI3sxKImNnbKSXaHOcNS7pd3X6eT6bASwA57Drn2Eq9GGCbFuHKiwcFK5IfGGQ1iGnSQ9Q==,iv:XKToUDOV72dgTEwYR4AsDGPyr+4ifR8HKXYQV9yMAMY=,tag:iubeVLZlE8lQos35BUFxaA==,type:str]
+    signingKey: ENC[AES256_GCM,data:DdTsNPxrma6o/1BgsZlk/E6hDewNnU8AbukKR65U1b4WvS+YF3ffCRqYU7i1AMpbgUgf43H5bhlUTw==,iv:uTdZ5Rqf1/XCusoICInGp25CFDIanUzbl23K22ASDmI=,tag:vO7KGumD5slZrDCx134oCQ==,type:str]
+turn:
+    authSecret: ENC[AES256_GCM,data:MjeCwd8CTugY5SccIOPMhGPwSurPiWnqlxmAVlMxSAWDMtngFwmyCl97ixW8BRMYTZy2iaml2AGlWrDyV42JgsFhvohYx/H3bsWFgKC2pO+PxHtC0syYKiuRWj2V8+mIb8wcsr//2L7O9gCTKBnyrwYbv8hG8J3SLfHqFDCBhX5dyzKCht6wjnhJOU3ZXN+foZHCyapOEqoY75K4oeVJxsWRCI9T/VPhuiH3QyosjTiyNBXYhz8UWYG+tpuh4AY7IPmHYeof04BqiuojjjTjaSuy+2v2QHVR2RSDJ6kCb4QkqwwsoGaDujm3el4xnduzRwLh60yZeNPFscKIylHi6A==,iv:Hq6yM3iurnj2TVjyvQb6iaUD+MRjas3bTFkht/mZ2Iw=,tag:YeR2fdglcdRKNgMZizGgOg==,type:str]
+remote-build:
+    publicKey: ENC[AES256_GCM,data:NxHuASqi56IftFCJKLjw1mbTedT87T05frAdM8HEEHPDcxC5pkcf+KTiNFTZHlfaI4/ZHI86LowK1PsHaS9CDOflwY4R8x6nT+Ysz0ff0udXzfrWR9qknHBWbvUEowunCU+/,iv:3j5TrIi0Rej6VYb7lRsPTxL+jHCqvvPMKptQ9r+vm2Q=,tag:84n/Sc5KOiZ49EZW8Ya9nA==,type:str]
+    privateKey: ENC[AES256_GCM,data:bLE+T+s0b/+TqNUpDZ2kTYQwDlflCGeFhqsuq6Mc/og7TFn4JRfFxCR0B0glvbuMJs4GM/v+IERIRUNolVmg3u1Sqc6mmWXM5pKlba3NXsZW/MxzOeLgsiUQFnhEyo1rEmAqNr0CQH1fTbiOiBYLxEpnAvz2Swggd7wXUDhM5NrlQeVUSnsyET12Nc/WH7K5YRyIEa/KjIvjo3DWPzUuWcqwQ39f7j17uutjwdfirAsojakmW/jfd/SI7/9oqC5MI5Uwnk4DqmNGviO1SHRHQQ9cGlA5WYVw3kIzW8faEaygbKxbzJYTpoO3jljZKEn/Xakj6rpmCeKKGbKB7JoZbMI2ye3GSj/W77kYLj6QaMuDBy7BqLo6CytFKTUl+QxmXkOWngzLDA8VhKzZVIRIjIQTB5d+82f77ztXLvPkq7AOEOhd9ySRZHC23yPPjLpzl+BcmxLSDzNrTah2LcfaNAUptN3VvgHcl3uNjKRdTj9aJ4ERXeExVjDqsIKRczg0mklYwGbjQNtqCfu68Z61oX3C57LiIwa2ByTp,iv:HuCYE3EwVJbc6a6VB9liWMAKZvk6Wbs6S2hrNj2SseQ=,tag:KPP3KWtF6jZ7D18Bx3PXrA==,type:str]
+dkim_default_private: ENC[AES256_GCM,data:/+rjVdc3CRahnHdpDM0ZMJaskE3qdcwwd69v9+teLF9H7gqL4I9Y7Lvs0zxmraDv2+C9uNmjvN/XP50bV42wKqVR1yhKRn9zfw9fyM/MHQuynxnlxwN8yMWUaiJ0B1llpbrg7nBxUkiIP4bjRIrIVDcW7I5waju9OceDFE09nLaJuFl4zzRbKf+tBRqynRPNH3rBug+SL8RbpLwipULMaWQTieOktDFy5NdW75lV458F/BWzfWHdPu9YRgW/w8r7QEZc2BZSH/GaVFA5OORUG9GaHMw3FWeOxejrrx1BThPn7+ILqPUXjakIk//W0mPFcbxD498kfbNgmIsP0jjLb+lsEY5AKQF+57ldePKLQx6kX4tMi+Ofg1qWVk7n0dywTVYB8yBKkp9N08JawAMuMQnXpdIj/XYGUJzsYw9s8ysps+J+suEd9o1AuK0iI6f/TZJfBhn3ptYwUyCtKSk13cKSzZFaQRSBHHnv6XmOMDhzucnJKjefAOF7zJIc7ZR2Cy73gXFACx1eqdwky68F0iM1NxVJ9DwX1552KjKmQ3gXVlm6R24juTsGwOsj0/iVS3GOqGNeBFTYNF+mXvAjLUuhONFxImsZGIMON/Ufbsa/yBhtSGIlkRKDF480n5fEKEnaIALPaEV8E4nnQHvYJuDp3lp7teGRFOSDdXL1d5/jSJ/ASvFJY+BarE8W1CocSvCObKS++LpqVcak8Re6FvYmuacA966spmX/ftXXsszdlGHbgGlCNgEDIySAcdGMGFJSjgFQpX4IOIAxxTwdLebTiJlHTn9seKmopb6PdqgPTnRj8i8RQHYx29PX+ZTWs60HHpBvMaSk9R4PDNi3DC0pffa40jHmH9s5K0qf2Dkv0f6s+KyrRurEXo8MOgqT9ErDiZdR+MJkSHls67tk/nYP8eFYdGrYle9+DA2IFdaJpcaCCI0ZBsN33ZXRx27d8LIxmhrBv5FeomHxAleiumSTnsaO1jkM47YHe6ZIqoWloiKmvkS8zc9CrK2VVhpJlx1M01RoUMntBKbiqN3pJoZ86ZRSPZnurqGgTe7IWlfmlvgIvJkvmst2JaWoOfNYZqRFbJERvUsuPku1ggvHTWiOt/ICgGb0HFxuYutySkBZuddiO2an3r+0zkMSiHE77T8QHh+sV+RrcCWINBfg/0MPLy0IMjKanx9qBKDRVbniLqSaMjSfdAVhI9lzre96mWu8dAHEsslMGLoKu2vOzQjwL+RUHSEunIkEs5xiL4SjHpPnTd5QjcA+q0BEls8HkQkdoFzJHycFM2OP4gVEjIXW/fhRx4j4JejUCqO7XjLX1qcBVV5JD50VVuPgZbPP00P94z2Rw3VnZQhpwHXxsPczhv3FYgM8fs+xC5Wwnjq61KQBYxQ5o6j6XEfFlmLPrwAMJs5peC2wHf1JcihvSsw8zAiZ8fvrOv/TiaUgQ+8YHCRtg29/1ykLQdq7gqU4o5ZMeGBYxwTvN5yHqlxkhl4HSsusQYF4lyCjpNe+QdJzHie2g9IuarY8pYVIPyGOvQypLCYdJiYXMr2Zz6eDkv5oUv5LYaNPL5mgl8KvtEYZhscdAkuuNxSMVZ5OBReJ7+YQ6ujuWk80anyXoYQLDeYEdBiteGUbYDYwLPPJDC+3vs6mh3mLqCaW3mSbfjj7igs7oIFpGMW1n+iVizroSNPbtljHaan0NSnYNAIsxNagTRVPG9wax0oMPPhbD9S6Km7HRPL52MRDIRFAgp5Ja4cxO/sbYQ/6u6a2hv1550iVe5G0ITkZJQO9/wYEfp2sSLqGxCmidI1eSkWkXxaMuRaFEVejm0t1ns4qk/vyjsdbPc/LHizBYNY/wogATYFyUUbkvH793b6vylVm2kP1vvcd+U6n1GqfiqPPbAAWSHXrEc9MpMK90xlyrVjhT8Cm07CEqPpphDuD8u8zPAE0Pckd5/js/Mu6GDabrwNI/wcYuIUw9sE1U4Wzh3xtToIix3p3xWC04KTGR6HjoggHzuuG1cytpdmaZ9MqjhuT92iCPMPSm3zvWY4AjSEGsPnng4LQZZ5aRlRcXdd7MDvXEN5Oq+1clW008/zKpjPKvtIes3JJosPDgHw3iyMx+dayAGxb/zwKY7L2xexDnX9GZnVyNfzfi90dTm7RTofOr4cXrxhRKXlR4MLTgg77FMMVDc2ogffX4WQMzl03fyQjwTphURq7aMlRn4McB+UxbqLxZi0pYJWGYPKY7MRl7nDFrkkkDvecXjID7jN71gzfg03U8yBQo7CB,iv:CaV9+khwZ1OVxGxePjSAnw4Nd3rzqlk1pNQBRXjwpgo=,tag:trfnSC1cnSJsp8tafKY76w==,type:str]
+sops:
+    age:
+        - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPRVeP7aRYdbIku7Qr6dLFLQrcq8LUUTTpYZZ3E8ZoQK rus07tam
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFhvTldnZyBsclJN
+            cjNSSmVjUnlqZ1pNcHlOUTJXMWRJbDRla09uV0s5QXlpTWwzTlVJClpTOXZpdjdL
+            Y09ocEMyTDFmNWpnQlZ5cVg3aUNra3cwVUgyRnBSUnFCa1EKLS0tIGRjdEJiMXl2
+            NVMwaFFlLzF2bWF3cVZwMXp0Vnc0OHBxbUc1YlJDS3pKWFEKsZIAtDpHFPyWKGcW
+            /Ost3aPXNZTzioM867BiGpZytJPD2fLp+7cJS5Ym4QaAYlJ3AvwL9iRjbFoacLqP
+            /Vo39A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qchtmcrsuq7ehf8c60yezurt2cgt64unlhzx2ldntgtnaqds4elslthql3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUkErUVIwaTI0U2hpT1Ry
+            OEdRNlFDMzlaVnpnbW5yaWQ0cWFIdXJma2lZCnhJc2V5ZGhoS252eEJUNGhEVDRS
+            UGVyY0VBMnRleEIyYTZzc1VGcGE1eFUKLS0tIGRORVYwcEFuZDVzY3dweEtYc3lN
+            ek9qcVA5WVExVHA0MmFLV3hOWjdVTGMKKQNfuEDdJYOtKZOtzmMUZ2i/Q09lLRIS
+            bHW+pKIIiFg+udq0HQm6M6xpY+pBnpkAGx3G+jNIB8jByiDu3ZK6cg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10hsw859vkkjk6lss3npzmhu9urjtuhn0x8l63v4h3lfk8wrdxd7s8pfu5g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeVg0Z1VYY0R5Q1lMN2tF
+            by9VSlJWS0JYNXdJMlFMRnBUVUNGUFlaOVNBCndTT05uWG5Cc3M0Wi9kUHVDZExI
+            RCtTTkxFUW9uWEpTZTRoM2pvTlpXa28KLS0tIFZaWU9hTVFxODJFSjk0VGpFcVVq
+            TGh0Sk5wbTJVWmhDdE1Yd3crMmppV2cKS7Ob18TDJlA/DJ5eqQ5ikqCY/367LQAX
+            /G4YUOnvYENHjcxT0o9RsH8JVHu0gGdjDrsYKHYgAtMn/6iOhLWddQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFg3eK2k8JC+iUMsYJFjb8ux19Nl23pi9qQ81ns563Db root@velarion
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDUxMmYxdyBDYUZa
+            SjJHb1EweUZaaHpVMXFHMnVPUXBNVVB1RnNJYkZhRUxUcVpadjJrCkVNTi9sUzl1
+            aFU1UTh6OTFONEFySi9oeEY3bFVuT1FKczk1RzZYOTdZWkEKLS0tIFIxemNuS21D
+            V2lwRjUycXlHVi9PR3ZvZ2tVanFabWVpUlQxcXpjWEg4K2sKZr4ayMfAAQZloZ2J
+            ieD9150XkqhWLYjiSjSOR01Fp8liXxpkU39knmajzGd0UySQyVjhmzc4V9TW7VWI
+            nP2OnA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13uupj0vkwn6dlgeqvu06le5d2ms0meu0j694tpnvvn6mnct9xs8ssyjtc2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaEkwa2Q3T2J4eFcwb05G
+            N3hOUmZCeU5UMFJLNUMyWTVOQ1MzN3QyaDNFClR4bW04M0ZnN0hOb0RuWDhROTFy
+            YXpNOWlDQUtnQWFVelF2SU1RbWd6cjAKLS0tIFV1S0psUy9HZUZkTzRLS1RvRG9X
+            MzVJejJmYTlqK3NYMVNMOTIyeVdtQ0EKQ897Cuaey+kUW7V+/beZcYyuV3vWDnVz
+            i1NXoMh9+Feek4rFsczIP69TFMQes78KMP6L55+2dEq3+OE3pUQZqg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1723x4jfn3urne8knvxqawmslq8ysr66uml8c3svj6zy0j3hdh4hs94yfqf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNXpmOWRiSFhzYy9XcHNi
+            NFJnN1hIOHgyYXpSazdCZGVreU91S1A3eXhRCk5nVWo5b1VnYi91WnBjVE1xMEhz
+            K3dHTWk0MTJkTTdjQ09sYnM0VG5PcEkKLS0tIHZESFFLNlcrQjBjaFV1enJkTUVq
+            eXNxVEZzUW5lR0dqaUhMTWJmcWJNUHMKXZuzo97FE43+c+KcxibO9bcFA+4omTjB
+            LQUFFMxenelJ1MWawmUhCeJ13rKjk3EEeTbEav14EF1WzYd4bZgbZQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-31T07:56:54Z"
+    mac: ENC[AES256_GCM,data:RbblTICMaiSX47NKgKbCoi/2dTDmT/dCXOnM+dXtAYMQI/VNDlbF7EbyXuslmtk9c1rAiW4Bw8iG2JOfbYb/x7Fx6aFm22Caq4cswicuJkYFPKQAEzJo+RkYZXHsdQzXPDTgUZDJJHGka64fOJbss3qDMCTy+JYXlSGMza15OFI=,iv:woR1tD86pX/cNn15JaUfOkFof4WwIu/30DZ/DHlpysk=,tag:KbXiPJPHRd4gNKxQ/T8vwA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2
--- a/secrets/elaris.yaml
+++ b/secrets/elaris.yaml
@ -0,0 +1,65 @@
+elaris:
+    publicKey: ENC[AES256_GCM,data:WzoDspLsEQ/klU8mgg2C6tVwCl5LPHlJZWw64HyQytfrO4DueJXybs6o5U1tdPODFnsz7BNvmB0XhUu+WVYE2D2PeRr55cAvzZaD+aHSMKedyrcivKGxyZC7fvI=,iv:HQxiEU7PI9uiiDOS15hZzVnpcpWoEY+P868NNCFjbHg=,tag:wqM71r1loamG8yeltgx0qg==,type:str]
+    privateKey: ENC[AES256_GCM,data:DEYszBbarR/8bysDscQRvsrmzdhkhVABylNtKblG+RkXPnTbdXSwN4K9JZQES8bu0iyas82Ml6Q603Umt29Gv+U0eoGlBeUVAMliZYz7r6/4T0zAauY3oCiZej0SxpQX7ixIQ6HDlqde3lnd9rAA2XltrKGI+WgyknlssOqY6eXI3WN0kfn5b7C25LkaAf9y4I2neT98BfB0hN112EK63faNGa25AEBAnQ/DB1wR3feuWWEkF6N6vwtfdECWZ+onvHzWEMGDIeY8E94n/er3vMZKCKZjbFYJyeANMdDLkIR0K6RJEv0gpsNHhnrDudVUeOod3vbqai/ReAaZVsQBKvvrOSc7NdHTdkaGtxyWTSSVTlJkFwhkTcWYA0yPdIaMaFqGftAXDnjsb020UJZapX2KYcku8R7Q/NPk3TinuM12RFolKm2a9OkIkS3YOo7oDa+sPr0vyCPsIO4LXojGGboeHnu0ui11D93FChq62LQeg7GZJbSKWgH9JSJwE9oVAmUFT91qctj8IVfMo3ET,iv:ms9GGnUm1aTR/uYdt/veidoGChjB8uzYEYyOR4dTEXQ=,tag:WEEmJVAF5B1NKqwyb6OPvA==,type:str]
+sops:
+    age:
+        - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPRVeP7aRYdbIku7Qr6dLFLQrcq8LUUTTpYZZ3E8ZoQK rus07tam
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFhvTldnZyBTU1Vu
+            UDloYmlGL1BBTlg4dzBtRFpUTk5Kb280VEljTld3MTkvK3JqL2dBCndVWDg3d3Na
+            eUVFSkRxRnR1WFp3WW5JYUtjaWM2aVZUQ2g1TTNLMHZYb0EKLS0tIDU0SGdCUGpF
+            UjFsVlY0NkVmcC9YMExMYzN5VWorYUNyU3dlR3lMeDNhaDgKrbAzaLaeZtOkeD2u
+            dO8ct2PPfvt5wNmVdujuX3LvW6w+YjHow78ddz+Ob1KZVqVZV2cmXXmMMdpGmaDn
+            2rEEnA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qchtmcrsuq7ehf8c60yezurt2cgt64unlhzx2ldntgtnaqds4elslthql3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYkJYbjRXMzJMQ0NWL0g2
+            eGVzMWJHSTFIYUxMWEl4T1NrZUJYT3huVG5jCnI2RFZqODFwaHlENTRCQzhkS1hQ
+            dFppWFhCeHhZZTdGZTFwWGx4MFdFWlEKLS0tICswcm1mZ2ExUEJEbHNrejBrYXVu
+            YnhUbCsrY0kvcUdWVmt5U2dLRkZhYzgKY9tY80Rz53Fz9/4//c3ILj0mlHOATBgK
+            isuAvj9hONSBmdVH1Jz9DQGZaJ5GgFatQtdkmVgpA7Q5/2Vf3aSFKQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10hsw859vkkjk6lss3npzmhu9urjtuhn0x8l63v4h3lfk8wrdxd7s8pfu5g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNEdiaWEyeGhvWk9oRGxT
+            Z1o3dEZRdXIwZXI3NGhIZ0IweG9wNGU4YUFRCm5rSDg1NjgyVGNabXZDaXduQzdS
+            MUp3emc4aUhYVzF3WVZvbWVWTGd0bzgKLS0tIDYxR2h2VS9nWDBYTzRtcnkzaEFw
+            OCtFTlhkVWEyRHYwNDdFZVFoRUFOYTAKwCuCAX+lPrnZ/LvquuRsFNHLF969qkBU
+            Zx8W8FwJvy6vzzt4g087yKZmTXnjPDz7iKIJxuOAS/pWptpfxNTi8Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFg3eK2k8JC+iUMsYJFjb8ux19Nl23pi9qQ81ns563Db root@velarion
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDUxMmYxdyBYcGxa
+            cW1EMmpTOXJLa1o2UThpdmlHbnRvNXpvekhwbXgzZlltVytmbFhFCmZ5cENyaDI1
+            cXRnOEFqTG9aUFF0c1ZWVm01V3pYZHVnV2Eyd1JFYTVFbnMKLS0tIFYrVFVPZkNp
+            YkhYZTcvSUxlSmM1ZXcyUEdDWXVHYzN0dmxXbktmZVVVdUUKVKARFFdSFHqJEDqb
+            oS4w2CRVpXwp9mqXs34VPa5xmLON2UXXMpYgNd8FBywhayTO1R8ASec/GVLR0SdZ
+            oqY/cQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13uupj0vkwn6dlgeqvu06le5d2ms0meu0j694tpnvvn6mnct9xs8ssyjtc2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdkV0MzhOck9tbXJ3ajNR
+            aE0zVVpTS1IxbDlMMk1IL3ZHalQ2TjdKNGpVCldTVDF5M1NaMkYxMHJmdjlOcWxn
+            NkFnbHJ5dlNnbjZkNHQ3ZW1FV1ozc0EKLS0tIGNHejhLWVRvWUwyamE2QXJhZzMx
+            YW1HTkl6aFdQazlwaE93WnoxV3FSM3MK1v0ONp3YyM3Xqb5t/ND7xw/pO9gXfrqt
+            Yf+HTSO1MvHZ8Rb+Q4H/XWxVcMSCbsBGVd51lWfonNEwX8MoJakdYw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1723x4jfn3urne8knvxqawmslq8ysr66uml8c3svj6zy0j3hdh4hs94yfqf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrbnFyY1c5amFveThyQ0pJ
+            MFN4RFdyUVYwQmN2emUwZmh1VU9xNFEyOWx3CjhTdmtjRzIxS3FzMVpZaGhDdnZt
+            allGcXpmbzRjeHBST2Q0MCtlR2tFQlEKLS0tIFc1SVpkOVRXWCs2QWtJd3kyRUlW
+            M0pDVzFaZi9HQUd1NkttaTFza2FUMG8K30FbhmejxcVyL0d2eD9aXkpHlkJmr4wB
+            VXkWaX8ywy7HJ2UCZAGDO1N6IXF2HP8lOaOvJmCTN8JueSTXkkYWMA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-14T12:52:49Z"
+    mac: ENC[AES256_GCM,data:bTMRGIAX5QWpLmUNu+K2nKABdVoPAmB7wizrFlPVOJcvzyJqnQNHH6Ruj1TJLG+xwH3AYyzq+zlfhJPtYXNzc8DoU23LotKfGRiWH+Kn4Eip0wm1m3IiA2a3NssRusiVfrxnm1HDDuRNRDNUv38j/u/aRMtTGz0iICyDiTRIrh4=,iv:7BNXbCL/BU6zfCWFAdAR98kLzqti6FvJ37KfTij5TS0=,tag:5C7sBUNNTd91ZAIz4y3hiA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
--- a/secrets/rus07tam.yaml
+++ b/secrets/rus07tam.yaml
@ -0,0 +1,75 @@
+rus07tam:
+    password: ENC[AES256_GCM,data:xgbrEeExmAE3fg==,iv:PhVdo10JII7stLx5E4PX6H3IIYoNuw//fSkd/HQfE/w=,tag:eAGcduhXN5kLF02LsNybHg==,type:str]
+    hashedPassword: ENC[AES256_GCM,data:Qu0yg569duyqnUQLJyG0niLyGk7pcrh543bvdrMacVlzfp9L1i2tdphb1ErTWgTxXulqosN5UUAEyfRr1xmRjdup23Xxw7xpwQ==,iv:y3rqLeccE1KLly8rXzWtLHywWAuLMw43fAOA1AGaZjE=,tag:F4zPV3N1fMdiTrRxagSHzw==,type:str]
+    tokens:
+        forgejo.ruject.fun: ENC[AES256_GCM,data:HL49uipEgJfSHSMh9rD7sL3uDCaBNSlgm/545+PtWaCwoTI+ljNWxw==,iv:bC26lj2vDT5k/dHrIPkFoSTLubEtCSnYh0BlrmnjEFc=,tag:Nink73kyVskdOq1tOtWgMw==,type:str]
+        nextcloud.ruject.fun: ENC[AES256_GCM,data:Mxu7ixvMmhYD7dQxml6g9RaKMRZhWOmtdZWnr4I=,iv:LXljC2dMoIqGx6WNudPGTOBFCB958BsKBApDYcxXGpg=,tag:Bk2OlTKRgaiRO+IoGM2BTA==,type:str]
+    openclaw:
+        gatewayToken: ENC[AES256_GCM,data:c0pWl4Dh4OKERL026UzNrAgfeE+N67Tk6lJc3FUwBuQcILoV9Oqscz6TngkObrM=,iv:yIZ6h0YpZ9e3HQ+FX1txeISrsiXatbbwNSmMgL8/C3A=,tag:mksrURr/EGpOzsYbpdNpBw==,type:str]
+        telegramToken: ENC[AES256_GCM,data:imMIGjU3s4wks1IOutAlwUF9XSu1d4487sZX7YyBSlbicgpL/OsRyX2m8lXTgw==,iv:UN4vudmyBOkM8bK+KGVBFKlzUXmPM3hFskaPc4J5Wzo=,tag:tojoRu2dDkv/Jsj6+qoHtg==,type:str]
+    keys:
+        ssh:
+            public: ENC[AES256_GCM,data:HTMK1R3JNCAXUzqAtpC9ree4goOx+B+Z/DRZsr5oZ18J/HFsaDDCi+LggHZD9LrFo+J8uJbliWIh7/yVztqLTPAaUUgACN/uNw0w5o4W6q5dFybJZIQHRM6MxLnRCblW,iv:XZ2CjdyDzr/Vjerlp2/oPU66atbzXCXLfYFwUji5hCs=,tag:sLW1oNGqS4ZeNSOgCm64EQ==,type:str]
+            private: ENC[AES256_GCM,data:nNFimf3QXUB7Zcy/nTI0EMWY65m++pY2I7EkgmXEiATeh0S5br0ETean66uWWXeSzEBeW55mt59hxhAdbWlLIVknf4XsKzhcVTiU2SArCQQWnKRJzq8UMINNfxh4XCjYBxQxeV+B2p2hSo8aypfpOksblLE5db8pi+gg6lc8RspHFUCzid41weu3E8IW+cVMs9cUF7x6/Db5wAwhpGlsEPDtisamFlCXaVEhVivPAP3Qq5YkCXvvzlH3uTm+FNcp0LWMF+yUqzwAcsPOm2sCtOa4j7ZtkGYSYNtXpywM6HusScvp7JcKgEBvyrF4AtWJ5SUGnw4mjz8CDqE8CfMeiiyY7ZlFRKTxKMHT1CJUR2WPfjEFtcFzM9WjaouoNFn97bEUHIb/znqWXOIkPF2qBml6AEKdRauNRI9sRCwJfGsSwpZJMDl/XSoNDyhYg7tUYF7eHP/Ckmv9UUtD/zgEkYpvnssednjVK8SX01Wf+hzWbCYFidKWmoNGTYaK3FnGHcNu,iv:wcvEiLSKM0/rh9vYaOWWrVFGsdvG4aVpG8K+l7u3JD8=,tag:E+o+jErQS+GMmOTiMlfIEw==,type:str]
+sops:
+    age:
+        - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPRVeP7aRYdbIku7Qr6dLFLQrcq8LUUTTpYZZ3E8ZoQK rus07tam
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFhvTldnZyBRcmJs
+            d2IxS0lwVFJuRGpwdGdCaWovVnNlcExoV05hVmhrd3Mwd2RTSlFnCkRvSE1lRGdq
+            Tk5xdFVnVTI1dE1ETjVvTkFCUEYxSmgrU2FBQ0Z2OE8yQU0KLS0tIGJGN3BtVUVa
+            emxTMTF6QXVxa2c5MDZaSGE0cDRtVTQxZ283aFVsd3BqcGcKtuN9MND0deqD2Ajw
+            mX+4cn19Qx+mBdnddwztdaPn1yo0Uug2TX2ioaNSm0jIbeLeLJKNN1iSGyc1V8Ht
+            JAJFQA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qchtmcrsuq7ehf8c60yezurt2cgt64unlhzx2ldntgtnaqds4elslthql3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaVROWTNBU2R5VzZEZ3do
+            cmQ5bE9mMUdkcFlGOG1Jc0paS1lET0kzOGpNClViMGRuWWpoUXE0bU5zNUV5VFQx
+            d0MvZ3U4U3dXamlNcWRkT3JmSXNXbmsKLS0tIHp6cTN3RG84VkdIeWJTdWtBUis5
+            WStmOWVWUnVGYUxISGJZUXdYQ01mZHcK/daRFSEv8Ojqubkh1M0gNCqiM51LC3oc
+            AbLckEXLIIRHRt/IZqCBw6UuGZuS9PYbffTMn1lr2fXht+jw3hGmpw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10hsw859vkkjk6lss3npzmhu9urjtuhn0x8l63v4h3lfk8wrdxd7s8pfu5g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbGVKOGY0VndENHhxcXA1
+            bFdic3JkcktSQitTUkYxMG5OUlpDYWcvZENvCmNPZC9ETXJmekVqS2NTZHE4MS8r
+            Z0FlT1NXcVRCclorcWkwdm5wYlYvaHMKLS0tIEFJTVdpUE9xcUYrR1VzWmcvYWdZ
+            MGFxcG8rMXROL2pFY2xKM0J1aVppV2MKIysYDx5ygqzISV51/1ik1g8QVzk8Kkf8
+            Vtr592p/cjgNDDpu4W5kXgCPqR3vh46Doj638tkBqXemMIw0ouIyFw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFg3eK2k8JC+iUMsYJFjb8ux19Nl23pi9qQ81ns563Db root@velarion
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDUxMmYxdyBwNVVi
+            dWE1RE9YeS9iaU1sb0o0bFByN2Mwbk9yTHQvWmMxWEthKzZjVUFFCnZBRTVwY1Bj
+            eWRML3ZBS2hKOU0rZUpNWE5RdzBXMnlqWk1xTVFQN0t2ZnMKLS0tIGZnQXdWS3Qz
+            cnpwNWZtbGdKd2FNcWNRZS9WL0lHUVE3Y2dlZ21ybVd6ajQKTu5fy/YznOtlE8gg
+            zzvWwm6Q8dZIMPmfsZQayob4exJ7nKapGYk/NvvBdOnnlHPQpe8wBB/sVdij3RlZ
+            AAAQ5w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13uupj0vkwn6dlgeqvu06le5d2ms0meu0j694tpnvvn6mnct9xs8ssyjtc2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4QkhzSHpZbVM2dytvL1Jl
+            NklkTkpRalc2M3U1Mkt0b0pDUWpyeXFLaVYwCmlIY0ttT0R1NlVvZGtPUk9TK2Ns
+            OEEzRmNFTFp6dk85TTBKdXVlaFhLVHcKLS0tIDdaY1hhZjZKbk93STVKNlBjbDRx
+            WFNnOGlBQ284cmJ1SmNuRTNYcGpFU0kK7NVOsmQE3kMsmGaYzcmUigWGRCARccQl
+            D31cj6R0O8c0T/oQQ1SarP4CV8uM0e5bJUTzAGDQdWWstaof9qHWuA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1723x4jfn3urne8knvxqawmslq8ysr66uml8c3svj6zy0j3hdh4hs94yfqf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NTVUclVpN016cCtQWGVo
+            c2hCREpUMW1CSDIvdkRxbVZhMmNWWlMwZ253CjhUaEpCZE5CWjkwUjZzSVdaMGcy
+            aktOWElxQUZ3VTFaZHJkNlBKamVTejAKLS0tIEVlU2lkdmxiZW1EQkU0azV1TEcy
+            Ky8wb0Z5TDRnWjJ4Y0haU0Fzb0xWSjQKEoPTlWh+ldPBzqkycMwEDR/+eEgpXXqt
+            0t4p6looSG7GR8EEGlJAXl286Ee1/jBbUETsvcpZ4mTtqiy8a4gA7Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-31T08:00:11Z"
+    mac: ENC[AES256_GCM,data:oVEVe5UsQ/Xsc2tKi8P+1ysejjFui7iuvOnkjntUNm8NX74uvvbY2IajzbWXYRC0Bsh1IlYLQR3EqqO+gLzxilr+WPOBa2uQJsKWhORzKTlCHJpRA0ubxtWgh871oh8IBEooqFiTP8lgaKooy8hWvCS97I9xr90xmSvGlaSnu0s=,iv:VOUXq2Uc1eLOxxOSMzAcbifjoiMmkc0HrZUWxNbq8zk=,tag:fleyFUkWqpnUVh6UAeK9LQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2
--- a/secrets/velarion.yaml
+++ b/secrets/velarion.yaml
@ -0,0 +1,65 @@
+velarion:
+    publicKey: ENC[AES256_GCM,data:x7N0hicf4OIn552Y6oiSvTXDAhAO9A1HXOyXLaPkbBCMdUodN1BsTdXeOVVjDF8o2FepWd6V+JsQ79FB95jCYm2HAXYv8RVQk1CRJe0LhKbroXNPmZF5pnyifXUQ7w==,iv:QQBIC/KjH3410QlAPvxBo9ISJ3MtMkpK2+zlIlWJYn8=,tag:8luzXFyG+EVaNsuSyujH0g==,type:str]
+    privateKey: ENC[AES256_GCM,data:gPgVoLIN4Yx7+H7EftQfoQbJlEbj1OZ5z2E9Ph7fFs3HJhghHnpgEdx7pYs3fMY2ItkJbaFmwjgaUBgqg/Hf5+gIdkNZkpGSVzGo5uQ9HzpmxT0xvOAOdM1p9RauNTGZ+C5vCF+E+L1by0OD4AQkJWC+3Z+KXyTuA/YrsDA40tIjQRBLACXdNWUjYrt7HwtLugI7/mIA5XnsUJfM8BTPR1FDmkvvvVnmd5LKZEMCnIPdP/WNTbzQZjKAwZDODrv+XBsRywgrUwPyKsyFltSYAkGaOTO0oynutwO/E1GdZJKoqL0FoIv/GXDgrCKsoGwjXjRg5IkfC8/mpq5iMjM33D5ojXE0d0aV5IPnG/+0tIoi7wJQwMJWzLHTFbnq4XnyZEDHmcvLpiADQMC8vHedWiUbgWFjRICeQy6fILUvoRp5hCYmX9UrLUlZ6hltbsleLiQviBirJv+XHsebenrlDuVAD40YShH+hMkMXXPdpr7EI9jaSOmT6MG80UisMVB5AdhZthUX9TToJf4Lcuhv,iv:crGxpSc9SdGOVMYvaF4XSMt7UVpxFHj/oUPEjsQDZDk=,tag:5mQL52tFQH/QmzHAUs/wDg==,type:str]
+sops:
+    age:
+        - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPRVeP7aRYdbIku7Qr6dLFLQrcq8LUUTTpYZZ3E8ZoQK rus07tam
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFhvTldnZyAvRG9z
+            Q2MzZDd3QWN1TU1lQjUyWCt4T2Y1Ullza0RMeHAyRUZDYmw2eWtvClBtZk1yd1Bj
+            UHFiODZEaHlheXlVSVJCdmRNSVk2ZzFvRmJJRWNILzUydncKLS0tIFRUVU41MjBt
+            OEZVK2FLSFRxOEhGakNXUW04YWV5bTRmYVlPRVh1N29RdzQKo/t5hxuJRbO0jrHG
+            Iqk7LsYG3LEeXiDdq1T6AX7xl5UI8KWQfGqZ0IyYB5kIeDvTqJ5JPX/L7QXpH3eN
+            QOPJew==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qchtmcrsuq7ehf8c60yezurt2cgt64unlhzx2ldntgtnaqds4elslthql3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdmY4MlgwdHBNRVVtWFhO
+            SjExM0U3RkR3RU9wRW5QSEhFcWlZYXdtVkJzCjBYTVEwUjhxYmZYRUdydWhmUHY2
+            eUxSTVJlYXZtT3FLZXc5QkRTeWRLejQKLS0tIGpRaWVxZ1E0NEJjM1hGWndYdjhu
+            dkRkaDdmZGYzbjBkNFF6K1gzVllvSzQKn3/x/Mdht+Gqnxt452pteXYutqcN14Lu
+            FWyeXleKdDRDbKUWhOr9dqrvvD3xedLw0OMSD2vPjFqbDcJ4T52Vbw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10hsw859vkkjk6lss3npzmhu9urjtuhn0x8l63v4h3lfk8wrdxd7s8pfu5g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbXJXMm5ESFlLNk5PSm9H
+            cmhyNDEvdkVZMFlwNXZnSlNyRml5SzJzb1YwCmxLYjIvQ1hjMlBtbDZQWlRvR3VL
+            cmZsam1xSUFaYStQaGR1SEJiUTlabncKLS0tIEROZkFjdEdzbGxmVnZ3Qkg2eUV2
+            a0F5eTNzSDdWQmkwRXJicnFqVGptMkkKZo1h0NrllsdSxeuK/b5hEpnQx1cEb4MY
+            rl8PEuqDET6EPF6YumTwO8a4rBk0aFr70j5d1Nwt9NP/7/sabJT44A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFg3eK2k8JC+iUMsYJFjb8ux19Nl23pi9qQ81ns563Db root@velarion
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDUxMmYxdyBkN0Fy
+            WnNuM2VUNzlnbEhOL3JaZjRMdG9nN2NwdlVvNUJFQ000cGxzUFFzCjJlcm9weFVt
+            YWU4TVNIaVRtM0tISUJ1UXN5c2psVEF4OWxRQm5JM1owOFEKLS0tIHBjSFBONEhl
+            Z2U2ZnRMZkNPTWFtWUZtYWFEN2VjRlBXTStyZjNlL2Zqb0UKgSbnykvrEounRQYX
+            qadBQe1L7mLF2kLZ7rCBtrvoeig++n3vkxiTUAWXzrrIn0GrW/0aec73HbxWUcw3
+            vnDgYQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13uupj0vkwn6dlgeqvu06le5d2ms0meu0j694tpnvvn6mnct9xs8ssyjtc2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZXpqRVdwWWZVbGsvNkgv
+            d0tMSlF0RU1QNHhneUgvM3pKeXJoTWhPT3lJCnR3VHFJOFpCbEtmeW1aTXpWV1dL
+            emJEY3BQRjZ3QmcrbVZ5VTNkTGcvV2MKLS0tIDdDNkNlS2ZNWTc0UUY3M0RhTVQ0
+            NTBQR2pZWWVGbCs0VHdGRDN4OG9QS00K8IVI+E1HYJPwI0t+QbiTPjc11CV2/SuD
+            yM1AYGMPR607X8hONxMSDUXSfbr9p/gasV9/SAFyY8vDswthm7KkIQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1723x4jfn3urne8knvxqawmslq8ysr66uml8c3svj6zy0j3hdh4hs94yfqf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlekErdGgrOHdjOFRlTG9R
+            UDhXa2o1eHY2NjhFb0t4QjNrUGRZMXlKSVRFCnMyczd5MUs3Q0gzM1pqcCtTeCsy
+            dEYwUU1pTkptRWVzdDV5OVd2NWlNelEKLS0tIGVTQUQwZmlVVDJPRXhUd1lzNDU5
+            YkhmakNxQm1QQk9FUklnK21Uak9ZSzQKakWIF83WIkFewGf5JujB4B0olIEFKPs/
+            dW6TAVEPU8HCVuxW5Lw/1ku2BgC+BfHpSVWADop8TkhGTIQNO5Nppg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-14T12:52:16Z"
+    mac: ENC[AES256_GCM,data:6scaFNi1tCyacOBgpZdQ14VVD/GQ8wvUyl3pgOdPPjxbtbbe5k9dcj9cpGiAjyyk0iPW23W0x5EZBB4jqZxUgaNebyyXhKB/VlJZ0dcWRy4ogBMgUoLMteNdU4i+6FVcEm4SWyrZ2se8ud5FEDbDOuZtHiN4TFRwtNmboWIigRA=,iv:4cJfCgHKxisyqNzhzLnoZAI3GYHn2Y2meQ55hWsqy+Y=,tag:afRV4ED0L5E4gF81q9BChQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
--- a/services/bind/default.nix
+++ b/services/bind/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./firewall.nix
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/bind/firewall.nix
+++ b/services/bind/firewall.nix
@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.bind;
+in
+with lib; mkIf cfg.enable {
+  networking.firewall = {
+    allowedTCPPorts = [ cfg.port ];
+    allowedUDPPorts = [ cfg.port ];
+  };
+}
--- a/services/bind/options.nix
+++ b/services/bind/options.nix
@ -0,0 +1,25 @@
+{
+  dns,
+  lib,
+  ...
+}:
+with lib;
+{
+  options.machine.bind = {
+    enable = mkEnableOption "Bind Server";
+    domain = mkOption {
+      type = types.str;
+      description = "Domain name";
+    };
+    port = mkOption {
+      type = types.port;
+      default = 53;
+      description = "Port to listen on.";
+    };
+    zones = mkOption {
+      type = types.attrsOf dns.lib.types.zone;
+      default = { };
+      description = "DNS zones";
+    };
+  };
+}
--- a/services/bind/service.nix
+++ b/services/bind/service.nix
@ -0,0 +1,21 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.bind;
+in
+with lib; mkIf cfg.enable {
+  services.bind = {
+    enable = cfg.enable;
+    listenOnPort = cfg.port;
+    zones = {
+      ${cfg.domain} = {
+        master = true;
+        file = pkgs.writeText "zone-${cfg.domain}" (builtins.toString cfg.zones.${cfg.domain});
+      };
+    };
+  };
+}
--- a/services/code-server/default.nix
+++ b/services/code-server/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./options.nix
+    ./service.nix
+    ./nginx.nix
+  ];
+}
--- a/services/code-server/nginx.nix
+++ b/services/code-server/nginx.nix
@ -0,0 +1,27 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.machine.code-server;
+in
+with lib; mkIf cfg.enable {
+  services.nginx.virtualHosts = mkIf (cfg.domain != null) {
+    ${cfg.domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+        proxyWebsockets = true;
+        extraConfig = ''
+          proxy_set_header X-Real-IP         $remote_addr;
+          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_read_timeout                 86400;
+          proxy_send_timeout                 86400;
+        '';
+      };
+    };
+  };
+}
--- a/services/code-server/options.nix
+++ b/services/code-server/options.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.machine.code-server;
+in
+with lib; {
+  options.machine.code-server = {
+    enable = mkEnableOption "code-server";
+    port = mkOption {
+      type = types.port;
+      default = 4444;
+      description = "Port to listen on.";
+    };
+    domain = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "domain for the code-server instance.";
+    };
+    hashedPassword = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Hashed password for code-server";
+    };
+    user = mkOption {
+      type = types.str;
+      default = config.services.code-server.user;
+      description = "The user to run code-server as";
+    };
+  };
+}
--- a/services/code-server/service.nix
+++ b/services/code-server/service.nix
@ -0,0 +1,49 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.code-server;
+in
+with lib; mkIf cfg.enable {
+  services.code-server = {
+    enable = cfg.enable;
+    port = cfg.port;
+    hashedPassword = cfg.hashedPassword;
+    user = cfg.user;
+    host = "127.0.0.1";
+    disableTelemetry = true;
+    disableUpdateCheck = true;
+    disableWorkspaceTrust = true;
+    package = pkgs.vscode-with-extensions.override {
+      vscode = pkgs.code-server;
+      vscodeExtensions =
+        (with pkgs.vscode-extensions; [
+          rust-lang.rust-analyzer
+          fill-labs.dependi
+          ms-python.black-formatter
+          ms-python.python
+          ms-python.isort
+          ms-python.mypy-type-checker
+          intellsmi.comment-translate
+          editorconfig.editorconfig
+          dbaeumer.vscode-eslint
+          davidanson.vscode-markdownlint
+          yzhang.markdown-all-in-one
+          jnoortheen.nix-ide
+          ziglang.vscode-zig
+          bbenoist.nix
+        ])
+        ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
+          {
+            name = "purpleVoid";
+            publisher = "Rej";
+            version = "1.0.3";
+            sha256 = "oCZ2N8j2U0xGvechD7DlW64KiL0eSDKYwniYft0kVu4=";
+          }
+        ];
+    };
+  };
+}
--- a/services/coturn/default.nix
+++ b/services/coturn/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./firewall.nix
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/coturn/firewall.nix
+++ b/services/coturn/firewall.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.coturn;
+in
+with lib; mkIf cfg.enable {
+  networking.firewall = {
+    interfaces.enp2s0 =
+      let
+        range = with config.services.coturn; [
+          {
+            from = min-port;
+            to = max-port;
+          }
+        ];
+      in
+      {
+        allowedUDPPortRanges = range;
+        allowedUDPPorts = [
+          3478
+          5349
+        ];
+        allowedTCPPortRanges = [ ];
+        allowedTCPPorts = [
+          3478
+          5349
+        ];
+      };
+  };
+}
--- a/services/coturn/options.nix
+++ b/services/coturn/options.nix
@ -0,0 +1,22 @@
+{ lib, ... }:
+with lib;
+{
+  options.machine.coturn = {
+    enable = mkEnableOption "Coturn";
+    startPort = mkOption {
+      type = types.port;
+      default = 49000;
+      description = "Start port for Coturn.";
+    };
+    endPort = mkOption {
+      type = types.port;
+      default = 50000;
+      description = "End port for Coturn.";
+    };
+    realm = mkOption {
+      type = types.str;
+      default = "turn.example.com";
+      description = "Realm for Coturn.";
+    };
+  };
+}
--- a/services/coturn/service.nix
+++ b/services/coturn/service.nix
@ -0,0 +1,60 @@
+{
+  config,
+  lib,
+  sec,
+  ...
+}:
+let
+  inherit (config.machine.coturn)
+    enable
+    startPort
+    endPort
+    realm
+    ;
+in
+with lib; mkIf enable {
+  services.coturn = rec {
+    inherit realm enable;
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = startPort;
+    max-port = endPort;
+    use-auth-secret = true;
+    static-auth-secret-file = sec."turn/authSecret".path;
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+
+  security.acme.certs.${config.services.coturn.realm} = {
+    postRun = "systemctl restart coturn.service";
+    group = "turnserver";
+  };
+}
--- a/services/default.nix
+++ b/services/default.nix
@ -0,0 +1,23 @@
+{
+  imports = [
+    ./bind
+    ./code-server
+    ./coturn
+    ./forgejo
+    ./mail
+    ./minecraft-server
+    ./mysql
+    ./navidrome
+    ./networking
+    ./nextcloud
+    ./nginx
+    ./postgresql
+    ./prosody
+    ./redis
+    ./roundcube
+    ./synapse
+    ./uptime-kuma
+    ./vaultwarden
+    ./xray-3x-ui
+  ];
+}
--- a/services/forgejo/default.nix
+++ b/services/forgejo/default.nix
@ -0,0 +1,10 @@
+{
+  imports = [
+    ./mail.nix
+    ./network.nix
+    ./options.nix
+    ./runners.nix
+    ./service.nix
+    ./tmpfiles.nix
+  ];
+}
--- a/services/forgejo/mail.nix
+++ b/services/forgejo/mail.nix
@ -0,0 +1,37 @@
+{
+  config,
+  pkgs,
+  lib,
+  sec,
+  ...
+}:
+let
+  inherit (config.machine.forgejo) domain;
+  address = "noreply@${domain}";
+in
+with lib; mkIf config.machine.mail.enable {
+  services.forgejo = {
+    secrets = {
+      mailer.PASSWD = sec."mail/servicePassword".path;
+    };
+    settings.mailer = {
+      ENABLED = true;
+      FROM = address;
+      USER = address;
+      SMTP_ADDR = config.machine.mail.fqdn;
+      SMTP_PORT = 465;
+      PROTOCOL = "smtps";
+      SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+      SEND_AS_PLAIN_TEXT = true;
+    };
+  };
+
+  mailserver = {
+    domains = [ domain ];
+    accounts.${address} = {
+      hashedPasswordFile = sec."mail/serviceHashedPassword".path;
+      aliases = [ ];
+      sendOnly = true;
+    };
+  };
+}
--- a/services/forgejo/network.nix
+++ b/services/forgejo/network.nix
@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.forgejo)
+    enable
+    domain
+    port
+    ;
+in
+with lib; mkIf enable {
+  networking.firewall = {
+    allowedTCPPorts = [ port ];
+  };
+
+  services.nginx.virtualHosts = with lib; mkIf (domain != null) {
+    "${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://[::1]:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
--- a/services/forgejo/options.nix
+++ b/services/forgejo/options.nix
@ -0,0 +1,40 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib)
+    mkEnableOption
+    mkOption
+    types
+    ;
+in
+{
+  options.machine.forgejo = {
+    enable = mkEnableOption "Forgejo";
+    enableRunner = mkEnableOption "Actions runner";
+    domain = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Domain name. If not set, will be disabled, and use the localhost.";
+    };
+    port = mkOption {
+      type = types.port;
+      default = 3000;
+      description = "Listen port.";
+    };
+    database = {
+      host = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = "PostgreSQL database host address.";
+      };
+      port = mkOption {
+        type = types.port;
+        default = config.services.postgresql.port;
+        description = "PostgreSQL database host port.";
+      };
+    };
+  };
+}
--- a/services/forgejo/runners.nix
+++ b/services/forgejo/runners.nix
@ -0,0 +1,41 @@
+{
+  config,
+  pkgs,
+  lib,
+  sec,
+  ...
+}:
+let
+  url = config.services.forgejo.settings.server.ROOT_URL;
+  cfg = config.machine.forgejo;
+in
+with lib; mkIf cfg.enableRunner {
+  sops.secrets = {
+    "forgejo/runnerToken" = {
+      sopsFile = ./../../secrets/common.yaml;
+    };
+  };
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances.default = {
+      name = "forgejo-runner";
+      enable = cfg.enableRunner;
+      tokenFile = sec."forgejo/runnerToken".path;
+      inherit url;
+      labels = [
+        "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
+        "ubuntu-26.04:docker://ghcr.io/catthehacker/ubuntu:act-26.04"
+        "ubuntu-24.04:docker://ghcr.io/catthehacker/ubuntu:act-24.04"
+        "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
+        "nixos:docker://nixos/nix:latest"
+        "nixos-2.34.4:docker://nixos/nix:2.34.4"
+      ];
+      settings = {
+        container = {
+          network = "host";
+        };
+      };
+    };
+  };
+}
--- a/services/forgejo/service.nix
+++ b/services/forgejo/service.nix
@ -0,0 +1,64 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.forgejo)
+    enable
+    database
+    domain
+    port
+    ;
+in
+{
+  environment.systemPackages = lib.optionals enable [
+    config.services.forgejo.package
+  ];
+
+  services.openssh.settings.AllowUsers = [
+    "forgejo"
+  ];
+
+  services.forgejo = {
+    inherit enable;
+    database = {
+      type = "postgres";
+      inherit (database) host;
+      inherit (database) port;
+    };
+    lfs.enable = true;
+    settings = {
+      DEFAULT = {
+        APP_NAME = "RuJect Forgejo";
+      };
+      server = {
+        DOMAIN = if (domain != null) then domain else "[::1]";
+        ROOT_URL = if (domain != null) then "https://${domain}/" else "http://[::1]/";
+        HTTP_PORT = port;
+      };
+      service = {
+        SHOW_REGISTRATION_BUTTON = true;
+        REGISTER_EMAIL_CONFIRM = true;
+        ENABLE_NOTIFY_MAIL = true;
+      };
+      "repository.signing" = {
+        DEFAULT_TRUST_MODEL = "committer";
+      };
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+      picture = {
+        AVATAR_MAX_FILE_SIZE = 10485760;
+        AVATAR_MAX_WIDTH = 8192;
+        AVATAR_MAX_HEIGHT = 8192;
+        AVATAR_MAX_ORIGIN_SIZE = 5242880;
+      };
+      ui = {
+        DEFAULT_THEME = "catppuccin-mocha";
+        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,catppuccin-mocha";
+      };
+    };
+  };
+}
--- a/services/forgejo/themes/theme-catppuccin-mocha-lavender.css
+++ b/services/forgejo/themes/theme-catppuccin-mocha-lavender.css
@ -0,0 +1,873 @@
+:root {
+  color-scheme: dark;
+  --is-dark-theme: true;
+  accent-color: #b4befe;
+  --color-primary: #b4befe;
+  --color-primary-contrast: #11111b;
+  --color-primary-hover: rgb(154.8355263158, 168.1907894737, 253.6644736842);
+  --color-primary-dark-1: rgb(164.9013157895, 176.9144736842, 253.7986842105);
+  --color-primary-dark-2: rgb(149.8026315789, 163.8289473684, 253.5973684211);
+  --color-primary-dark-3: rgb(134.7039473684, 150.7434210526, 253.3960526316);
+  --color-primary-dark-4: rgb(119.6052631579, 137.6578947368, 253.1947368421);
+  --color-primary-dark-5: rgb(104.5065789474, 124.5723684211, 252.9934210526);
+  --color-primary-dark-6: rgb(89.4078947368, 111.4868421053, 252.7921052632);
+  --color-primary-dark-7: rgb(74.3092105263, 98.4013157895, 252.5907894737);
+  --color-primary-light-1: rgb(195.0986842105, 203.0855263158, 254.2013157895);
+  --color-primary-light-2: rgb(210.1973684211, 216.1710526316, 254.4026315789);
+  --color-primary-light-3: rgb(225.2960526316, 229.2565789474, 254.6039473684);
+  --color-primary-light-4: rgb(240.3947368421, 242.3421052632, 254.8052631579);
+  --color-primary-light-5: hsl(231.8918918919, 97.3684210526%, 100.0980392157%);
+  --color-primary-light-6: hsl(231.8918918919, 97.3684210526%, 103.0980392157%);
+  --color-primary-light-7: hsl(231.8918918919, 97.3684210526%, 106.0980392157%);
+  --color-primary-alpha-10: rgba(180, 190, 254, 0.1);
+  --color-primary-alpha-20: rgba(180, 190, 254, 0.2);
+  --color-primary-alpha-30: rgba(180, 190, 254, 0.3);
+  --color-primary-alpha-40: rgba(180, 190, 254, 0.4);
+  --color-primary-alpha-50: rgba(180, 190, 254, 0.5);
+  --color-primary-alpha-60: rgba(180, 190, 254, 0.6);
+  --color-primary-alpha-70: rgba(180, 190, 254, 0.7);
+  --color-primary-alpha-80: rgba(180, 190, 254, 0.8);
+  --color-primary-alpha-90: rgba(180, 190, 254, 0.9);
+  --color-secondary: #45475a;
+  --color-secondary-dark-1: rgb(55.4076923077, 56.5384615385, 76.8923076923);
+  --color-secondary-dark-2: rgb(61.8153846154, 63.0769230769, 85.7846153846);
+  --color-secondary-dark-3: rgb(68.2230769231, 69.6153846154, 94.6769230769);
+  --color-secondary-dark-4: rgb(74.6307692308, 76.1538461538, 103.5692307692);
+  --color-secondary-dark-5: rgb(81.0384615385, 82.6923076923, 112.4615384615);
+  --color-secondary-dark-6: rgb(87.4461538462, 89.2307692308, 121.3538461538);
+  --color-secondary-dark-7: rgb(93.8538461538, 95.7692307692, 130.2461538462);
+  --color-secondary-dark-8: rgb(100.2615384615, 102.3076923077, 139.1384615385);
+  --color-secondary-dark-9: rgb(106.6692307692, 108.8461538462, 148.0307692308);
+  --color-secondary-dark-10: rgb(115.5128205128, 117.5641025641, 154.4871794872);
+  --color-secondary-dark-11: rgb(124.4051282051, 126.3256410256, 160.8948717949);
+  --color-secondary-dark-12: rgb(133.2974358974, 135.0871794872, 167.3025641026);
+  --color-secondary-dark-13: rgb(142.1897435897, 143.8487179487, 173.7102564103);
+  --color-secondary-light-1: rgb(42.5923076923, 43.4615384615, 59.1076923077);
+  --color-secondary-light-2: rgb(36.1846153846, 36.9230769231, 50.2153846154);
+  --color-secondary-light-3: rgb(29.7769230769, 30.3846153846, 41.3230769231);
+  --color-secondary-light-4: rgb(23.3692307692, 23.8461538462, 32.4307692308);
+  --color-secondary-alpha-10: rgba(49, 50, 68, 0.1);
+  --color-secondary-alpha-20: rgba(49, 50, 68, 0.2);
+  --color-secondary-alpha-30: rgba(49, 50, 68, 0.3);
+  --color-secondary-alpha-40: rgba(49, 50, 68, 0.4);
+  --color-secondary-alpha-50: rgba(49, 50, 68, 0.5);
+  --color-secondary-alpha-60: rgba(49, 50, 68, 0.6);
+  --color-secondary-alpha-70: rgba(49, 50, 68, 0.7);
+  --color-secondary-alpha-80: rgba(49, 50, 68, 0.8);
+  --color-secondary-alpha-90: rgba(49, 50, 68, 0.9);
+  /* colors */
+  --color-red: #f38ba8;
+  --color-orange: #fab387;
+  --color-yellow: #f9e2af;
+  --color-olive: #a6e3a1;
+  --color-green: #a6e3a1;
+  --color-teal: #94e2d5;
+  --color-blue: #89b4fa;
+  --color-violet: #b4befe;
+  --color-purple: #cba6f7;
+  --color-pink: #f5c2e7;
+  --color-brown: #f2cdcd;
+  --color-grey: #9399b2;
+  --color-black: #181825;
+  /* light variants - produced via Sass scale-color(color, $lightness: -10%) */
+  --color-red-light: rgb(238.21875, 92.78125, 133.3359375);
+  --color-orange-light: rgb(247.96, 147.992, 86.04);
+  --color-yellow-light: rgb(245.4418604651, 208.8023255814, 127.5581395349);
+  --color-olive-light: rgb(128.7950819672, 215.2950819672, 121.7049180328);
+  --color-green-light: rgb(128.7950819672, 215.2950819672, 121.7049180328);
+  --color-teal-light: rgb(107.875, 215.125, 197.25);
+  --color-blue-light: rgb(88.0731707317, 148.9024390244, 247.9268292683);
+  --color-violet-light: rgb(129.6710526316, 146.3815789474, 253.3289473684);
+  --color-purple-light: rgb(175.6597938144, 119.206185567, 242.793814433);
+  --color-pink-light: rgb(237.8169014085, 150.1830985915, 213.7605633803);
+  --color-brown-light: rgb(231.4761904762, 164.5238095238, 164.5238095238);
+  --color-grey-light: rgb(117.227027027, 124.8810810811, 156.772972973);
+  --color-black-light: rgb(3.9344262295, 3.9344262295, 6.0655737705);
+  /* dark 1 variants - produced via Sass scale-color(color, $lightness: -10%) */
+  --color-red-dark-1: rgb(238.21875, 92.78125, 133.3359375);
+  --color-orange-dark-1: rgb(247.96, 147.992, 86.04);
+  --color-yellow-dark-1: rgb(245.4418604651, 208.8023255814, 127.5581395349);
+  --color-olive-dark-1: rgb(128.7950819672, 215.2950819672, 121.7049180328);
+  --color-green-dark-1: rgb(128.7950819672, 215.2950819672, 121.7049180328);
+  --color-teal-dark-1: rgb(107.875, 215.125, 197.25);
+  --color-blue-dark-1: rgb(88.0731707317, 148.9024390244, 247.9268292683);
+  --color-violet-dark-1: rgb(129.6710526316, 146.3815789474, 253.3289473684);
+  --color-purple-dark-1: rgb(175.6597938144, 119.206185567, 242.793814433);
+  --color-pink-dark-1: rgb(237.8169014085, 150.1830985915, 213.7605633803);
+  --color-brown-dark-1: rgb(231.4761904762, 164.5238095238, 164.5238095238);
+  --color-black-dark-1: rgb(3.9344262295, 3.9344262295, 6.0655737705);
+  /* dark 2 variants - produced via Sass scale-color(color, $lightness: -20%) */
+  --color-red-dark-2: rgb(233.4375, 46.5625, 98.671875);
+  --color-orange-dark-2: rgb(245.92, 116.984, 37.08);
+  --color-yellow-dark-2: rgb(241.8837209302, 191.6046511628, 80.1162790698);
+  --color-olive-dark-2: rgb(91.5901639344, 203.5901639344, 82.4098360656);
+  --color-green-dark-2: rgb(91.5901639344, 203.5901639344, 82.4098360656);
+  --color-teal-dark-2: rgb(67.75, 204.25, 181.5);
+  --color-blue-dark-2: rgb(39.1463414634, 117.8048780488, 245.8536585366);
+  --color-violet-dark-2: rgb(79.3421052632, 102.7631578947, 252.6578947368);
+  --color-purple-dark-2: rgb(148.3195876289, 72.412371134, 238.587628866);
+  --color-pink-dark-2: rgb(230.6338028169, 106.3661971831, 196.5211267606);
+  --color-brown-dark-2: rgb(220.9523809524, 124.0476190476, 124.0476190476);
+  --color-black-dark-2: hsl(240, 21.3114754098%, -8.0392156863%);
+  /* other colors */
+  --color-gold: #f5e0dc;
+  --color-white: #cdd6f4;
+  --color-diff-removed-word-bg: rgba(243, 139, 168, 0.15);
+  --color-diff-added-word-bg: rgba(166, 227, 161, 0.15);
+  --color-diff-removed-row-bg: rgba(243, 139, 168, 0.07);
+  --color-diff-moved-row-bg: rgba(249, 226, 175, 0.07);
+  --color-diff-added-row-bg: rgba(166, 227, 161, 0.07);
+  --color-diff-removed-row-border: rgba(243, 139, 168, 0.07);
+  --color-diff-moved-row-border: rgba(249, 226, 175, 0.07);
+  --color-diff-added-row-border: rgba(166, 227, 161, 0.07);
+  --color-diff-inactive: #9399b2;
+  --color-error-border: #f38ba8;
+  --color-error-bg: #f38ba8;
+  --color-error-bg-active: rgb(240.609375, 115.890625, 150.66796875);
+  --color-error-bg-hover: rgb(238.21875, 92.78125, 133.3359375);
+  --color-error-text: #11111b;
+  --color-success-border: rgb(128.7950819672, 215.2950819672, 121.7049180328);
+  --color-success-bg: #a6e3a1;
+  --color-success-text: #11111b;
+  --color-warning-border: rgb(245.4418604651, 208.8023255814, 127.5581395349);
+  --color-warning-bg: #f9e2af;
+  --color-warning-text: #11111b;
+  --color-info-border: rgb(88.0731707317, 148.9024390244, 247.9268292683);
+  --color-info-bg: #11111b;
+  --color-info-text: #cdd6f4;
+  --color-red-badge: rgb(238.21875, 92.78125, 133.3359375);
+  --color-red-badge-bg: #11111b;
+  --color-red-badge-hover-bg: rgb(240.609375, 115.890625, 150.66796875);
+  --color-green-badge: #a6e3a1;
+  --color-green-badge-bg: #a6e3a1;
+  --color-green-badge-hover-bg: rgb(147.3975409836, 221.1475409836, 141.3524590164);
+  --color-yellow-badge: #f9e2af;
+  --color-yellow-badge-bg: #11111b;
+  --color-yellow-badge-hover-bg: rgb(247.2209302326, 217.4011627907, 151.2790697674);
+  --color-orange-badge: #fab387;
+  --color-orange-badge-bg: #11111b;
+  --color-orange-badge-hover-bg: rgb(248.98, 163.496, 110.52);
+  --color-git: #fab387;
+  --color-highlight-bg: rgba(249, 226, 175, 0.15);
+  /* target-based colors */
+  --color-body: #11111b;
+  --color-box-header: #181825;
+  --color-box-body: #181825;
+  --color-box-body-highlight: #313244;
+  --color-text-dark: #a6adc8;
+  --color-text: #cdd6f4;
+  --color-text-light: #bac2de;
+  --color-text-light-1: #bac2de;
+  --color-text-light-2: #bac2de;
+  --color-text-light-3: #bac2de;
+  --color-footer: #181825;
+  --color-timeline: #313244;
+  --color-input-text: #cdd6f4;
+  --color-input-background: #313244;
+  --color-input-toggle-background: #313244;
+  --color-input-border: #45475a;
+  --color-input-border-hover: #585b70;
+  --color-nav-bg: #181825;
+  --color-nav-hover-bg: var(--color-hover);
+  --color-navbar: #181825;
+  --color-navbar-transparent: rgba(17, 17, 27, 0);
+  --color-light: rgba(88, 91, 112, 0.3);
+  --color-light-mimic-enabled: rgba(
+    0,
+    0,
+    0,
+    calc(40 / 255 * 222 / 255 / var(--opacity-disabled))
+  );
+  --color-light-border: #585b70;
+  --color-hover: rgba(108, 112, 134, 0.2);
+  --color-active: rgba(205, 214, 244, 0.1);
+  --color-menu: #313244;
+  --color-card: #313244;
+  --color-markup-table-row: rgba(205, 214, 244, 0.02);
+  --color-markup-code-block: rgba(205, 214, 244, 0.05);
+  --color-markup-code-inline: #313244;
+  --color-button: #313244;
+  --color-code-bg: #1e1e2e;
+  --color-code-sidebar-bg: #313244;
+  --color-shadow: rgba(17, 17, 27, 0.1);
+  --color-tooltip-bg: #313244;
+  --color-tooltip-text: var(--color-text);
+  --color-secondary-bg: #313244;
+  --color-text-focus: #cdd6f4;
+  --color-expand-button: #585b70;
+  --color-placeholder-text: #a6adc8;
+  --color-editor-line-highlight: var(--color-primary-light-5);
+  --color-project-board-bg: var(--color-secondary-light-2);
+  /* gitea source code: */
+  /* should ideally be --color-text-dark, see go-gitea/gitea#15651 */
+  --color-caret: var(--color-text);
+  --color-reaction-bg: rgba(205, 214, 244, 0.07);
+  --color-reaction-active-bg: var(--color-primary-alpha-40);
+  --color-header-wrapper: #181825;
+  --color-header-wrapper-transparent: rgba(24, 24, 37, 0);
+  --color-label-text: #11111b;
+  --color-label-bg: #b4befe;
+  --color-label-hover-bg: rgb(149.8026315789, 163.8289473684, 253.5973684211);
+  --color-label-active-bg: rgb(164.9013157895, 176.9144736842, 253.7986842105);
+  --color-accent: var(--color-primary-light-1);
+  --color-small-accent: var(--color-primary-light-5);
+  --color-active-line: #45475a;
+}
+
+/* invert emojis that are hard to read otherwise */
+.emoji[aria-label="check mark"],
+.emoji[aria-label="currency exchange"],
+.emoji[aria-label="TOP arrow"],
+.emoji[aria-label="END arrow"],
+.emoji[aria-label="ON! arrow"],
+.emoji[aria-label="SOON arrow"],
+.emoji[aria-label="heavy dollar sign"],
+.emoji[aria-label=copyright],
+.emoji[aria-label=registered],
+.emoji[aria-label="trade mark"],
+.emoji[aria-label=multiply],
+.emoji[aria-label=plus],
+.emoji[aria-label=minus],
+.emoji[aria-label=divide],
+.emoji[aria-label="curly loop"],
+.emoji[aria-label="double curly loop"],
+.emoji[aria-label="wavy dash"],
+.emoji[aria-label="paw prints"],
+.emoji[aria-label="musical note"],
+.emoji[aria-label="musical notes"] {
+  filter: invert(100%) hue-rotate(180deg);
+}
+
+.ui.ui.ui.button:not(.inverted, .basic).primary, .ui.ui.ui.button:not(.inverted, .basic).green, .ui.ui.ui.button:not(.inverted, .basic).red, .ui.ui.ui.button:not(.inverted, .basic).teal,
+.ui.ui.ui.label:not(.inverted, .basic).primary,
+.ui.ui.ui.label:not(.inverted, .basic).green,
+.ui.ui.ui.label:not(.inverted, .basic).red,
+.ui.ui.ui.label:not(.inverted, .basic).teal {
+  color: #11111b;
+}
+.ui.ui.ui.button:not(.inverted, .basic).primary:hover, .ui.ui.ui.button:not(.inverted, .basic).green:hover, .ui.ui.ui.button:not(.inverted, .basic).red:hover, .ui.ui.ui.button:not(.inverted, .basic).teal:hover,
+.ui.ui.ui.label:not(.inverted, .basic).primary:hover,
+.ui.ui.ui.label:not(.inverted, .basic).green:hover,
+.ui.ui.ui.label:not(.inverted, .basic).red:hover,
+.ui.ui.ui.label:not(.inverted, .basic).teal:hover {
+  color: #1e1e2e;
+}
+
+.ui.basic.modal {
+  background-color: #1e1e2e;
+}
+
+.ui.commit-header-row .svg.gitea-lock ~ a {
+  color: #11111b;
+}
+
+.ui.negative.message .header {
+  color: var(--color-error-text);
+}
+
+.ui.sha.isSigned.isVerified .shortsha {
+  color: #11111b;
+}
+.ui.sha.isSigned.isVerified svg.gitea-lock {
+  fill: #11111b;
+}
+
+.ui.basic.modal,
+.ui.basic.modal > .header,
+.ui.inverted.button {
+  color: #cdd6f4 !important;
+}
+
+#repo-topics,
+#topic_edit > .ui.selection.dropdown {
+  color: var(--color-label-text) !important;
+}
+
+blockquote.attention-tip {
+  border-left-color: var(--color-success-bg);
+}
+blockquote.attention-warning {
+  border-left-color: var(--color-warning-bg);
+}
+
+svg.attention-tip,
+strong.attention-tip {
+  color: var(--color-success-bg);
+}
+svg.attention-warning,
+strong.attention-warning {
+  color: var(--color-warning-bg);
+}
+
+.inline-code-block {
+  color: #11111b;
+}
+
+::selection {
+  background: rgba(180, 190, 254, 0.3) !important;
+}
+
+/* NameBuiltinPseudo */
+.chroma .bp {
+  color: #fab387;
+}
+
+/* Comment */
+.chroma .c {
+  color: #6c7086;
+}
+
+/* CommentSingle */
+.chroma .c1 {
+  color: #6c7086;
+}
+
+/* CommentHashbang */
+.chroma .ch {
+  color: #6c7086;
+}
+
+/* CommentMultiline */
+.chroma .cm {
+  color: #6c7086;
+}
+
+/* CommentPreproc */
+.chroma .cp {
+  color: #89b4fa;
+}
+
+/* CommentPreprocFile */
+.chroma .cpf {
+  color: #89b4fa;
+}
+
+/* CommentSpecial */
+.chroma .cs {
+  color: #6c7086;
+}
+
+/* LiteralStringDelimiter */
+.chroma .dl {
+  color: #89b4fa;
+}
+
+/* NameFunctionMagic */
+/* Generic */
+/* GenericDeleted */
+.chroma .gd {
+  color: #cdd6f4;
+  background-color: rgba(243, 139, 168, 0.15);
+}
+
+/* GenericEmph */
+.chroma .ge {
+  font-style: italic;
+}
+
+/* GenericHeading */
+.chroma .gh {
+  color: #89dceb;
+}
+
+/* GenericInserted */
+.chroma .gi {
+  color: #cdd6f4;
+  background-color: rgba(166, 227, 161, 0.15);
+}
+
+/* GenericUnderline */
+/* GenericOutput */
+.chroma .go {
+  color: #fab387;
+}
+
+/* GenericPrompt */
+.chroma .gp {
+  color: #6c7086;
+  font-weight: bold;
+}
+
+/* GenericError */
+.chroma .gr {
+  color: #eba0ac;
+}
+
+/* GenericStrong */
+.chroma .gs {
+  font-weight: bold;
+}
+
+/* GenericTraceback */
+.chroma .gt {
+  color: #eba0ac;
+}
+
+/* GenericSubheading */
+.chroma .gu {
+  color: #89dceb;
+}
+
+/* LiteralNumberIntegerLong */
+.chroma .il {
+  color: #fab387;
+}
+
+/* Keyword */
+.chroma .k {
+  color: #cba6f7;
+}
+
+/* KeywordConstant */
+.chroma .kc {
+  color: #f9e2af;
+}
+
+/* KeywordDeclaration */
+.chroma .kd {
+  color: #cba6f7;
+}
+
+/* KeywordNamespace */
+.chroma .kn {
+  color: #f9e2af;
+}
+
+/* KeywordPseudo */
+.chroma .kp {
+  color: #cba6f7;
+  font-weight: bold;
+}
+
+/* KeywordReserved */
+.chroma .kr {
+  color: #cba6f7;
+}
+
+/* KeywordType */
+.chroma .kt {
+  color: #f9e2af;
+}
+
+/* Literal */
+/* LiteralDate */
+/* LiteralNumber */
+.chroma .m {
+  color: #fab387;
+}
+
+/* LiteralNumberBin */
+.chroma .mb {
+  color: #fab387;
+}
+
+/* LiteralNumberFloat */
+.chroma .mf {
+  color: #fab387;
+}
+
+/* LiteralNumberHex */
+.chroma .mh {
+  color: #fab387;
+}
+
+/* LiteralNumberInteger */
+.chroma .mi {
+  color: #fab387;
+}
+
+/* LiteralNumberOct */
+.chroma .mo {
+  color: #fab387;
+}
+
+/* Name */
+.chroma .n {
+  color: #b4befe;
+}
+
+/* NameAttribute */
+.chroma .na {
+  color: #f9e2af;
+}
+
+/* NameBuiltin */
+.chroma .nb {
+  color: #fab387;
+}
+
+/* NameClass */
+.chroma .nc {
+  color: #f9e2af;
+}
+
+/* NameDecorator */
+.chroma .nd {
+  color: #f5c2e7;
+}
+
+/* NameException */
+.chroma .ne {
+  color: #eba0ac;
+}
+
+/* NameFunction */
+.chroma .nf {
+  color: #89b4fa;
+}
+
+/* NameEntity */
+.chroma .ni {
+  color: #f5c2e7;
+}
+
+/* NameLabel */
+.chroma .nl {
+  color: #f9e2af;
+}
+
+/* NameNamespace */
+.chroma .nn {
+  color: #f9e2af;
+}
+
+/* NameConstant */
+.chroma .no {
+  color: #f9e2af;
+}
+
+/* NameTag */
+.chroma .nt {
+  color: #cba6f7;
+}
+
+/* NameVariable */
+.chroma .nv {
+  color: #fab387;
+}
+
+/* NameOther */
+.chroma .nx {
+  color: #fab387;
+}
+
+/* Operator */
+.chroma .o {
+  color: #89dceb;
+}
+
+/* OperatorWord */
+.chroma .ow {
+  color: #89dceb;
+  font-weight: bold;
+}
+
+/* Punctuation */
+.chroma .p {
+  color: #9399b2;
+}
+
+/* NameProperty */
+/* LiteralString */
+.chroma .s {
+  color: #a6e3a1;
+}
+
+/* LiteralStringSingle */
+.chroma .s1 {
+  color: #a6e3a1;
+}
+
+/* LiteralStringDouble */
+.chroma .s2 {
+  color: #a6e3a1;
+}
+
+/* LiteralStringAffix */
+.chroma .sa {
+  color: #a6e3a1;
+}
+
+/* LiteralStringBacktick */
+.chroma .sb {
+  color: #a6e3a1;
+}
+
+/* LiteralStringChar */
+.chroma .sc {
+  color: #a6e3a1;
+}
+
+/* LiteralStringDoc */
+.chroma .sd {
+  color: #a6e3a1;
+}
+
+/* LiteralStringEscape */
+.chroma .se {
+  color: #89b4fa;
+}
+
+/* LiteralStringHeredoc */
+.chroma .sh {
+  color: #a6e3a1;
+}
+
+/* LiteralStringInterpol */
+.chroma .si {
+  color: #a6e3a1;
+}
+
+/* LiteralStringRegex */
+.chroma .sr {
+  color: #89b4fa;
+}
+
+/* LiteralStringSymbol */
+.chroma .ss {
+  color: #a6e3a1;
+}
+
+/* LiteralStringOther */
+.chroma .sx {
+  color: #a6e3a1;
+}
+
+/* NameVariableClass */
+.chroma .vc {
+  color: #f9e2af;
+}
+
+/* NameVariableGlobal */
+.chroma .vg {
+  color: #fab387;
+}
+
+/* NameVariableInstance */
+.chroma .vi {
+  color: #f9e2af;
+}
+
+/* NameVariableMagic */
+/* TextWhitespace */
+.chroma .w {
+  color: #313244;
+}
+
+.CodeMirror .cm-property,
+.CodeMirror.cm-s-default .cm-property,
+.CodeMirror.cm-s-paper .cm-property {
+  color: #cdd6f4;
+}
+.CodeMirror .cm-header,
+.CodeMirror.cm-s-default .cm-header,
+.CodeMirror.cm-s-paper .cm-header {
+  color: #cdd6f4;
+}
+.CodeMirror .cm-quote,
+.CodeMirror.cm-s-default .cm-quote,
+.CodeMirror.cm-s-paper .cm-quote {
+  color: #a6e3a1;
+}
+.CodeMirror .cm-keyword,
+.CodeMirror.cm-s-default .cm-keyword,
+.CodeMirror.cm-s-paper .cm-keyword {
+  color: #cba6f7;
+}
+.CodeMirror .cm-atom,
+.CodeMirror.cm-s-default .cm-atom,
+.CodeMirror.cm-s-paper .cm-atom {
+  color: #f38ba8;
+}
+.CodeMirror .cm-number,
+.CodeMirror.cm-s-default .cm-number,
+.CodeMirror.cm-s-paper .cm-number {
+  color: #fab387;
+}
+.CodeMirror .cm-def,
+.CodeMirror.cm-s-default .cm-def,
+.CodeMirror.cm-s-paper .cm-def {
+  color: #cdd6f4;
+}
+.CodeMirror .cm-variable-2,
+.CodeMirror.cm-s-default .cm-variable-2,
+.CodeMirror.cm-s-paper .cm-variable-2 {
+  color: #89dceb;
+}
+.CodeMirror .cm-variable-3,
+.CodeMirror.cm-s-default .cm-variable-3,
+.CodeMirror.cm-s-paper .cm-variable-3 {
+  color: #94e2d5;
+}
+.CodeMirror .cm-comment,
+.CodeMirror.cm-s-default .cm-comment,
+.CodeMirror.cm-s-paper .cm-comment {
+  color: #585b70;
+}
+.CodeMirror .cm-string,
+.CodeMirror.cm-s-default .cm-string,
+.CodeMirror.cm-s-paper .cm-string {
+  color: #a6e3a1;
+}
+.CodeMirror .cm-string-2,
+.CodeMirror.cm-s-default .cm-string-2,
+.CodeMirror.cm-s-paper .cm-string-2 {
+  color: #a6e3a1;
+}
+.CodeMirror .cm-meta,
+.CodeMirror.cm-s-default .cm-meta,
+.CodeMirror.cm-s-paper .cm-meta {
+  color: #fab387;
+}
+.CodeMirror .cm-qualifier,
+.CodeMirror.cm-s-default .cm-qualifier,
+.CodeMirror.cm-s-paper .cm-qualifier {
+  color: #fab387;
+}
+.CodeMirror .cm-builtin,
+.CodeMirror.cm-s-default .cm-builtin,
+.CodeMirror.cm-s-paper .cm-builtin {
+  color: #fab387;
+}
+.CodeMirror .cm-bracket,
+.CodeMirror.cm-s-default .cm-bracket,
+.CodeMirror.cm-s-paper .cm-bracket {
+  color: #cdd6f4;
+}
+.CodeMirror .cm-tag,
+.CodeMirror.cm-s-default .cm-tag,
+.CodeMirror.cm-s-paper .cm-tag {
+  color: #f9e2af;
+}
+.CodeMirror .cm-attribute,
+.CodeMirror.cm-s-default .cm-attribute,
+.CodeMirror.cm-s-paper .cm-attribute {
+  color: #f9e2af;
+}
+.CodeMirror .cm-hr,
+.CodeMirror.cm-s-default .cm-hr,
+.CodeMirror.cm-s-paper .cm-hr {
+  color: #9399b2;
+}
+.CodeMirror .cm-url,
+.CodeMirror.cm-s-default .cm-url,
+.CodeMirror.cm-s-paper .cm-url {
+  color: #89b4fa;
+}
+.CodeMirror .cm-link,
+.CodeMirror.cm-s-default .cm-link,
+.CodeMirror.cm-s-paper .cm-link {
+  color: #89b4fa;
+}
+.CodeMirror .cm-error,
+.CodeMirror.cm-s-default .cm-error,
+.CodeMirror.cm-s-paper .cm-error {
+  color: #f38ba8;
+}
+
+.monaco-editor .selected-text {
+  background-color: #313244 !important;
+}
+.monaco-editor .margin-view-overlays .line-numbers {
+  color: #a6adc8 !important;
+}
+.monaco-editor .line-numbers.active-line-number {
+  color: #b4befe !important;
+}
+.monaco-editor .view-overlays .current-line,
+.monaco-editor .margin-view-overlays .current-line-margin {
+  background-color: rgb(42.16, 42.8, 60.08) !important;
+}
+.monaco-editor .mtk1 {
+  color: #cdd6f4 !important;
+}
+.monaco-editor .mtk2 {
+  color: #ff69b4 !important;
+}
+.monaco-editor .mtk3 {
+  color: #fab387 !important;
+}
+.monaco-editor .mtk4 {
+  color: #94e2d5 !important;
+}
+.monaco-editor .mtk5 {
+  color: #cdd6f4 !important;
+}
+.monaco-editor .mtk6 {
+  color: #cba6f7 !important;
+}
+.monaco-editor .mtk7 {
+  color: #fab387 !important;
+}
+.monaco-editor .mtk8 {
+  color: #9399b2 !important;
+}
+.monaco-editor .mtk9 {
+  color: #cba6f7 !important;
+}
+.monaco-editor .mtk10 {
+  color: #a6adc8 !important;
+}
+.monaco-editor .mtk11 {
+  color: #94e2d5 !important;
+}
+.monaco-editor .mtk12 {
+  color: #94e2d5 !important;
+}
+.monaco-editor .mtk13 {
+  color: #ff69b4 !important;
+}
+.monaco-editor .mtk14 {
+  color: #ff69b4 !important;
+}
+.monaco-editor .mtk15 {
+  color: #cba6f7 !important;
+}
+.monaco-editor .mtk16 {
+  color: #9399b2 !important;
+}
+.monaco-editor .mtk17 {
+  color: #ff69b4 !important;
+}
+.monaco-editor .mtk18 {
+  color: #ff69b4 !important;
+}
+.monaco-editor .mtk19 {
+  color: #94e2d5 !important;
+}
+.monaco-editor .mtk20 {
+  color: #ff69b4 !important;
+}
+.monaco-editor .mtk21 {
+  color: #a6e3a1 !important;
+}
+.monaco-editor .mtk22 {
+  color: #ff69b4 !important;
+}
+.monaco-editor .mtk23 {
+  color: #89b4fa !important;
+}
+.monaco-editor .mtk24 {
+  color: #fab387 !important;
+}
+.monaco-editor .mtk25 {
+  color: #f5c2e7 !important;
+}
+.monaco-editor .bracket-highlighting-0 {
+  color: rgb(227.8, 169, 198.4) !important;
+}
+.monaco-editor .bracket-highlighting-1 {
+  color: rgb(232, 193, 178.6) !important;
+}
+.monaco-editor .bracket-highlighting-2 {
+  color: rgb(231.4, 221.2, 202.6) !important;
+}
+.monaco-editor .bracket-highlighting-3 {
+  color: rgb(181.6, 221.8, 194.2) !important;
+}
+.monaco-editor .bracket-highlighting-4 {
+  color: rgb(164.2, 193.6, 247.6) !important;
+}
+.monaco-editor .bracket-highlighting-5 {
+  color: rgb(203.8, 185.2, 245.8) !important;
+}
--- a/services/forgejo/tmpfiles.nix
+++ b/services/forgejo/tmpfiles.nix
@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.forgejo;
+  customDir = config.services.forgejo.customDir;
+in
+with lib; mkIf cfg.enable {
+  systemd.tmpfiles.rules = [
+    "d '${customDir}/templates' - forgejo forgejo - -"
+    "d '${customDir}/public' - forgejo forgejo - -"
+    "d '${customDir}/public/assets' - forgejo forgejo - -"
+    "d '${customDir}/public/assets/css' - forgejo forgejo - -"
+    "C+ '${customDir}/public/assets/css/theme-catppuccin-mocha.css' - forgejo forgejo - ${./themes/theme-catppuccin-mocha-lavender.css}"
+  ];
+}
--- a/services/mail/default.nix
+++ b/services/mail/default.nix
@ -0,0 +1,9 @@
+{
+  imports = [
+    ./options.nix
+    ./rspamd.nix
+    ./secrets.nix
+    ./service.nix
+    ./tmpfiles.nix
+  ];
+}
--- a/services/mail/options.nix
+++ b/services/mail/options.nix
@ -0,0 +1,23 @@
+{ lib, ... }:
+let
+  inherit (lib)
+    mkEnableOption
+    mkOption
+    types
+    ;
+in
+{
+  options.machine.mail = {
+    enable = mkEnableOption "Mail";
+    domain = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Domain name";
+    };
+    fqdn = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "fqdn";
+    };
+  };
+}
--- a/services/mail/rspamd.nix
+++ b/services/mail/rspamd.nix
@ -0,0 +1,20 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (config.machine.mail) enable;
+in
+with lib; mkIf enable {
+  services.rspamd = {
+    enable = true;
+    overrides = {
+      "local.d/greylist.conf" = {
+        text = ''
+          enabled = false;
+        '';
+      };
+    };
+  };
+}
--- a/services/mail/secrets.nix
+++ b/services/mail/secrets.nix
@ -0,0 +1,25 @@
+{
+  sops.secrets = {
+    dkim_default_private = {
+      key = "dkim_default_private";
+      owner = "root";
+      group = "root";
+      mode = "0600";
+    };
+    "rus07tam/hashedPassword" = {
+      sopsFile = ./../../secrets/rus07tam.yaml;
+    };
+    "mail/serviceHashedPassword" = {
+      sopsFile = ./../../secrets/common.yaml;
+    };
+    "mail/servicePassword" = {
+      sopsFile = ./../../secrets/common.yaml;
+    };
+    "mail/NikitaHapanulStaff228HashedPassword" = {
+      sopsFile = ./../../secrets/common.yaml;
+    };
+    "mail/nikitapocox6prohype" = {
+      sopsFile = ./../../secrets/common.yaml;
+    };
+  };
+}
--- a/services/mail/service.nix
+++ b/services/mail/service.nix
@ -0,0 +1,66 @@
+{ config, lib, ... }:
+let
+  sec = config.sops.secrets;
+  inherit (config.machine.mail)
+    enable
+    domain
+    fqdn
+    ;
+in
+{
+  imports = [
+    (builtins.fetchTarball {
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/master/nixos-mailserver-master.tar.gz";
+      sha256 = "0vnczps1ns4d7b3l5m4qwp2fp567pr6b38w40h1x48qfw70x8mf0";
+    })
+  ];
+
+  mailserver = {
+    inherit enable;
+    inherit fqdn;
+    stateVersion = 5;
+    domains = [ domain ];
+    messageSizeLimit = 52428800; # 50MB
+    enableManageSieve = true;
+
+    localDnsResolver = false;
+
+    accounts = {
+      "admin@${domain}" = {
+        hashedPasswordFile = sec."mail/serviceHashedPassword".path;
+        aliases = [
+          "postmaster@${domain}"
+          "system@${domain}"
+          "contact@${domain}"
+          "sales@${domain}"
+        ];
+      };
+      "rus07tam@${domain}" = {
+        hashedPasswordFile = sec."rus07tam/hashedPassword".path;
+        aliases = [ ];
+      };
+      "nikitahapanulstaff228@${domain}" = {
+        hashedPasswordFile = sec."mail/NikitaHapanulStaff228HashedPassword".path;
+        aliases = [
+          "mamutraxal@${domain}"
+          "sava.uwu@${domain}"
+        ];
+      };
+      "nikitapocox6prohype@${domain}" = {
+        hashedPasswordFile = sec."mail/nikitapocox6prohype".path;
+        aliases = [
+          "pomoemuhype@${domain}"
+          "nikita.uwu@${domain}"
+        ];
+      };
+    };
+
+    x509.useACMEHost = config.mailserver.fqdn;
+
+    dkim = {
+      enable = true;
+      keyDirectory = "/var/dkim";
+      defaults.selector = "default";
+    };
+  };
+}
--- a/services/mail/tmpfiles.nix
+++ b/services/mail/tmpfiles.nix
@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  sec,
+  ...
+}:
+let
+  inherit (config.machine.mail) enable;
+in
+with lib; mkIf enable {
+  systemd.tmpfiles.rules = [
+    "C /var/dkim/default.private 0600 root root - - ${sec.dkim_default_private.path}"
+  ];
+}
--- a/services/minecraft-server/default.nix
+++ b/services/minecraft-server/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./options.nix
+    ./firewall.nix
+    ./service.nix
+  ];
+}
--- a/services/minecraft-server/firewall.nix
+++ b/services/minecraft-server/firewall.nix
@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.minecraft-server)
+    enable
+    port
+    ;
+in
+with lib; mkIf enable {
+  networking.firewall.allowedTCPPorts = [
+    port
+  ];
+}
--- a/services/minecraft-server/options.nix
+++ b/services/minecraft-server/options.nix
@ -0,0 +1,12 @@
+{ lib, ... }:
+with lib;
+{
+  options.machine.minecraft-server = {
+    enable = mkEnableOption "Minecraft Server";
+    port = mkOption {
+      type = types.port;
+      default = 25565;
+      description = "Listen port.";
+    };
+  };
+}
--- a/services/minecraft-server/service.nix
+++ b/services/minecraft-server/service.nix
@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (config.machine.minecraft-server)
+    enable
+    port
+    ;
+in
+with lib; mkIf enable {
+  services.minecraft-server = {
+    inherit enable;
+    dataDir = "/var/lib/minecraft";
+    declarative = true;
+    eula = true;
+    jvmOpts = "-Xms2046M -Xmx2046M -XX:+UseZGC";
+    package = pkgs.papermcServers.papermc-1_21;
+    serverProperties = {
+      server-port = port;
+      query-port = port;
+      allow-flight = false;
+      broadcast-console-to-ops = false;
+      broadcast-rcon-to-ops = false;
+      difficulty = "hard";
+      enable-query = true;
+      enable-rcon = false;
+      enable-status = true;
+      enforce-whitelist = false;
+      force-gamemode = true;
+      gamemode = "survival";
+      log-ips = false;
+      max-players = 20;
+      max-tick-time = -1;
+      motd = "RuJect's Minecraft Server";
+      online-mode = false;
+      op-permission-level = 4;
+      simulation-distance = 16;
+      view-distance = 16;
+      spawn-protection = 0;
+      white-list = false;
+    };
+  };
+}
--- a/services/mysql/default.nix
+++ b/services/mysql/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./firewall.nix
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/mysql/firewall.nix
+++ b/services/mysql/firewall.nix
@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.mysql;
+in
+with lib; mkIf cfg.enable {
+  networking.firewall = {
+    allowedTCPPorts = [ cfg.port ];
+  };
+}
--- a/services/mysql/options.nix
+++ b/services/mysql/options.nix
@ -0,0 +1,12 @@
+{ lib, ... }:
+with lib;
+{
+  options.machine.mysql = {
+    enable = mkEnableOption "Postgresql";
+    port = mkOption {
+      type = types.port;
+      default = 3306;
+      description = "The port on which listens.";
+    };
+  };
+}
--- a/services/mysql/service.nix
+++ b/services/mysql/service.nix
@ -0,0 +1,22 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.mysql)
+    port
+    enable
+    ;
+in
+with lib; mkIf enable {
+  services.mysql = {
+    inherit enable;
+    package = pkgs.mysql84;
+    ensureDatabases = [ ];
+    settings.mysqld = {
+      inherit port;
+    };
+  };
+}
--- a/services/navidrome/default.nix
+++ b/services/navidrome/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/navidrome/options.nix
+++ b/services/navidrome/options.nix
@ -0,0 +1,22 @@
+{ lib, ... }:
+with lib;
+{
+  options.machine.navidrome = {
+    enable = mkEnableOption "Navidrome";
+    domain = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Domain name. If not set, will be disabled, and use the localhost.";
+    };
+    port = mkOption {
+      type = types.port;
+      default = 4533;
+      description = "Listen port.";
+    };
+    folder = mkOption {
+      type = types.str;
+      default = "/mnt/music";
+      description = "Navidrome music folder.";
+    };
+  };
+}
--- a/services/navidrome/service.nix
+++ b/services/navidrome/service.nix
@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.navidrome)
+    enable
+    domain
+    port
+    folder
+    ;
+in
+with lib; mkIf enable {
+  services.nginx.virtualHosts = with lib; mkIf (domain != null) {
+    "${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://[::1]:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  services.navidrome = {
+    inherit enable;
+    settings = {
+      Address = "0.0.0.0";
+      Port = port;
+      MusicFolder = folder;
+      DefaultTheme = "AMusic";
+      EnableSharing = true;
+    };
+  };
+}
--- a/services/networking/default.nix
+++ b/services/networking/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/networking/options.nix
+++ b/services/networking/options.nix
@ -0,0 +1,17 @@
+{ lib, ... }:
+with lib;
+{
+  options.machine = {
+    gateway = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Default network gateway";
+    };
+
+    ipv4 = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Main IPv4 address";
+    };
+  };
+}
--- a/services/networking/service.nix
+++ b/services/networking/service.nix
@ -0,0 +1,32 @@
+{ config, lib, hostname, ... }:
+let
+  inherit (config.machine) ipv4 gateway;
+in
+with lib; {
+  networking = {
+    hostName = hostname;
+    networkmanager.enable = mkDefault true;
+    firewall = {
+      enable = true;
+      allowPing = true;
+    };
+    nameservers = [
+      "1.1.1.1"
+      "1.0.0.1"
+      "9.9.9.9"
+      "8.8.8.8"
+    ];
+    interfaces.ens3 = mkIf (ipv4 != null) {
+      ipv4.addresses = [
+        {
+          address = ipv4;
+          prefixLength = 32;
+        }
+      ];
+    };
+    defaultGateway = mkIf (gateway != null) {
+      address = gateway;
+      interface = "ens3";
+    };
+  };
+}
--- a/services/nextcloud/database.nix
+++ b/services/nextcloud/database.nix
@ -0,0 +1,32 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  pgsqlEnable = config.machine.postgresql.enable;
+  cfg = config.machine.nextcloud;
+in
+with lib; mkIf cfg.enable {
+  services.nextcloud.config =
+    if pgsqlEnable then
+      {
+        dbtype = "pgsql";
+        dbhost = "localhost:${toString config.machine.postgresql.port}";
+      }
+    else
+      {
+        dbtype = "sqlite";
+        dbhost = "localhost";
+      };
+
+  services.postgresql = with lib; mkIf pgsqlEnable {
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+}
--- a/services/nextcloud/default.nix
+++ b/services/nextcloud/default.nix
@ -0,0 +1,8 @@
+{
+  imports = [
+    ./database.nix
+    ./mail.nix
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/nextcloud/mail.nix
+++ b/services/nextcloud/mail.nix
@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  sec,
+  ...
+}:
+let
+  inherit (config.machine.nextcloud)
+    enable
+    host
+    ;
+  address = "noreply@${host}";
+in
+with lib; mkIf enable {
+  services.nextcloud = {
+    settings = {
+      mail_smtpmode = "smtp";
+      mail_sendmailmode = "smtp";
+      mail_smtpsecure = "ssl";
+      mail_domain = host;
+      mail_from_address = "noreply";
+      mail_smtpname = address;
+      mail_smtphost = config.machine.mail.fqdn;
+      mail_smtpport = 465;
+      mail_smtpauth = true;
+    };
+    secrets = {
+      mail_smtppassword = sec."mail/servicePassword".path;
+    };
+  };
+
+  mailserver = {
+    domains = [ host ];
+    accounts.${address} = {
+      hashedPasswordFile = sec."mail/serviceHashedPassword".path;
+      aliases = [ ];
+      sendOnly = true;
+    };
+  };
+}
--- a/services/nextcloud/options.nix
+++ b/services/nextcloud/options.nix
@ -0,0 +1,12 @@
+{ lib, ... }:
+with lib;
+{
+  options.machine.nextcloud = {
+    enable = mkEnableOption "Nextcloud";
+    host = mkOption {
+      type = types.str;
+      default = "localhost";
+      description = "FQDN for the nextcloud instance.";
+    };
+  };
+}
--- a/services/nextcloud/service.nix
+++ b/services/nextcloud/service.nix
@ -0,0 +1,44 @@
+{
+  pkgs,
+  config,
+  lib,
+  sec,
+  ...
+}:
+let
+  cfg = config.machine.nextcloud;
+in
+with lib; mkIf cfg.enable {
+  services.nextcloud = {
+    inherit enable;
+    appstoreEnable = false;
+    autoUpdateApps.enable = false;
+    config.adminpassFile = sec."nextcloud/adminPassword".path;
+    hostName = cfg.host;
+    package = pkgs.nextcloud33;
+    https = if cfg.host == "localhost" then false else true;
+    settings = {
+      default_phone_region = "RU";
+      log_type = "file";
+      loglevel = 1;
+    };
+    extraAppsEnable = true;
+    extraApps = with pkgs.nextcloud33Packages.apps; {
+      inherit
+        mail
+        contacts
+        collectives
+        impersonate
+        ;
+    };
+  };
+
+  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+    forceSSL = true;
+    enableACME = true;
+  };
+
+  sops.secrets = {
+    "nextcloud/adminPassword" = { };
+  };
+}
--- a/services/nginx/acme.nix
+++ b/services/nginx/acme.nix
@ -0,0 +1,10 @@
+{ lib, config, ... }:
+with lib; mkIf (config.nginx.enable) {
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "admin@ruject.fun";
+      webroot = "/var/lib/acme/acme-challenge/";
+    };
+  };
+}
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./acme.nix
+    ./firewall.nix
+    ./service.nix
+  ];
+}
--- a/services/nginx/firewall.nix
+++ b/services/nginx/firewall.nix
@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.services.nginx) enable;
+in
+with lib; mkIf enable {
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
--- a/services/nginx/service.nix
+++ b/services/nginx/service.nix
@ -0,0 +1,12 @@
+{
+  users.groups.acme.members = [
+    "nginx"
+  ];
+
+  services.nginx = {
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+  };
+}
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/postgresql/options.nix
+++ b/services/postgresql/options.nix
@ -0,0 +1,14 @@
+{ lib, ... }:
+with lib;
+{
+  options.machine.postgresql = {
+    enable = mkEnableOption "Postgresql";
+    port = mkOption {
+      type = types.port;
+      default = 5432;
+      description = ''
+        The port on which PostgreSQL listens.
+      '';
+    };
+  };
+}
--- a/services/postgresql/service.nix
+++ b/services/postgresql/service.nix
@ -0,0 +1,29 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.postgresql)
+    port
+    enable
+    ;
+in
+with lib; mkIf enable {
+  services.postgresql = {
+    inherit enable;
+    settings = {
+      inherit port;
+    };
+    ensureDatabases = [ ];
+    enableTCPIP = true;
+    authentication = mkOverride 10 ''
+      #type database DBuser origin-address auth-method
+      local all      all                   trust
+      host  all      all    127.0.0.1/32   trust
+      host  all      all    ::1/128        trust
+      host  all      all    0.0.0.0/0      md5
+    '';
+  };
+}
--- a/services/prometheus/default.nix
+++ b/services/prometheus/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/prometheus/options.nix
+++ b/services/prometheus/options.nix
@ -0,0 +1,15 @@
+{
+  options.machine.prometheus = {
+    enable = mkEnableOption "Prometheus";
+    domain = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Domain name. If not set, will be disabled, and use the localhost.";
+    };
+    port = mkOption {
+      type = types.port;
+      default = cfg.port;
+      description = "Listen port.";
+    };
+  };
+}
--- a/services/prometheus/service.nix
+++ b/services/prometheus/service.nix
@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.prometheus)
+    enable
+    port
+    ;
+in
+with lib; mkIf enable {
+  services.prometheus = {
+    inherit enable port;
+  };
+}
--- a/services/prosody/default.nix
+++ b/services/prosody/default.nix
@ -0,0 +1,8 @@
+{
+  imports = [
+    ./firewall.nix
+    ./nginx.nix
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/prosody/firewall.nix
+++ b/services/prosody/firewall.nix
@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.prosody)
+    enable
+    ;
+in
+with lib; mkIf enable {
+  networking.firewall = {
+    allowedTCPPorts = [
+      # HTTP filer
+      80
+      443
+
+      # C2S
+      5222
+      5223
+
+      # S2S
+      5269
+      5270
+
+      # WebSockets / BOSH
+      5280
+      5281
+    ]
+    ++ concatLists (
+      with config.services.prosody;
+      [
+        httpPorts
+        httpsPorts
+      ]
+    );
+  };
+}
--- a/Show more
+++ b/Show more