format the repo files

2026-04-26 10:27:50 +02:00
parent 92fd97c9a2
commit b319cd93e9
116 changed files with 4726 additions and 4247 deletions
--- a/modules/services/server/coturn.nix
+++ b/modules/services/server/coturn.nix
@@ -1,4 +1,9 @@
-{config, pkgs, lib, ...}: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
  # enable coturn
  services.coturn = rec {
    enable = true;
@@ -43,21 +48,24 @@
  # open the firewall
  networking.firewall = {
    interfaces.ens18 = let
-      range = with config.services.coturn; [ {
-      from = min-port;
-      to = max-port;
-    } ];
-    in
-    {
+      range = with config.services.coturn; [
+        {
+          from = min-port;
+          to = max-port;
+        }
+      ];
+    in {
      allowedUDPPortRanges = range;
-      allowedUDPPorts = [ 3478 ];
+      allowedUDPPorts = [3478];
      allowedTCPPortRanges = range;
-      allowedTCPPorts = [ 3478 5349 ];
+      allowedTCPPorts = [3478 5349];
    };
  };
  # get a certificate
  security.acme.certs.${config.services.coturn.realm} = {
-    /* insert here the right configuration to obtain a certificate */
+    /*
+    insert here the right configuration to obtain a certificate
+    */
    postRun = "systemctl restart coturn.service";
    group = "turnserver";
  };
@@ -67,7 +75,7 @@
  #};

  age.secrets."services/coturn/static-auth" = {
-      file = ../../../secrets/services/coturn/static-auth.age;
-      owner = "turnserver";
+    file = ../../../secrets/services/coturn/static-auth.age;
+    owner = "turnserver";
  };
 }
--- a/modules/services/server/default.nix
+++ b/modules/services/server/default.nix
@@ -9,7 +9,6 @@
 #           └─ default.nix *
 #               └─ ...
 #
-
 [
  ./postgresql.nix
  ./gitea.nix
@@ -19,8 +18,8 @@
  ./coturn.nix
  ./hydra.nix
  ./mealie.nix
-#  ./ollama.nix
+  #  ./ollama.nix
 ]
-
 # picom, polybar and sxhkd are pulled from desktop module
 # redshift temporarely disables
+
--- a/modules/services/server/gitea.nix
+++ b/modules/services/server/gitea.nix
@@ -1,10 +1,12 @@
 #
 # System notifications
 #
-
-{ config, lib, pkgs, ... }:
-
 {
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
  services.gitea = {
    enable = true;
    dump.enable = false;
@@ -19,56 +21,56 @@
    appName = "Kabtop Git";
    mailerPasswordFile = config.age.secrets."services/gitea/mailerPassword".path;
    settings = {
-        server = {
-            ROOT_URL = "https://git.kabtop.de";
-            HTTP_ADDR = "localhost";
-            DOMAIN = "git.kabtop.de";
-            SSH_PORT = 2220;
-            ENABLE_GZIP = true;
-	    LFS_START_SERVER = true;
-	    LFS_ALLOW_PURE_SSH = true;
-        };
-        security = {
-            MIN_PASSWORD_LENGTH = 12;
-            PASSWORD_CHECK_PWN = true;
-            PASSWORD_HASH_ALGO = "argon2";
-        };
-#        oauth2 = {
-#            ENABLE = true;
-#            #JWT_SECRET = "secret123";
-#        };
-        repository = {
-            MAX_CREATION_LIMIT = 100;
-        };
-        ui = {
-            SHOW_USER_EMAIL = false;
-            DEFAULT_THEME = "gitea-dark";
-        };
-#        openid = {
-#            ENABLE_OPENID_SIGNIN = true;
-#            WHITELISTED_URIS = "https://auth.kabtop.de";
-#        };
-#        oauth2_client = {
-#            ENABLE_AUTO_REGISTRATION = true;
-#        };
-        time = {
-            DEFAULT_UI_LOCATION = "Europe/Berlin";
-        };
-        other = {
-            SHOW_FOOTER_VERSION = false;
-        };
+      server = {
+        ROOT_URL = "https://git.kabtop.de";
+        HTTP_ADDR = "localhost";
+        DOMAIN = "git.kabtop.de";
+        SSH_PORT = 2220;
+        ENABLE_GZIP = true;
+        LFS_START_SERVER = true;
+        LFS_ALLOW_PURE_SSH = true;
+      };
+      security = {
+        MIN_PASSWORD_LENGTH = 12;
+        PASSWORD_CHECK_PWN = true;
+        PASSWORD_HASH_ALGO = "argon2";
+      };
+      #        oauth2 = {
+      #            ENABLE = true;
+      #            #JWT_SECRET = "secret123";
+      #        };
+      repository = {
+        MAX_CREATION_LIMIT = 100;
+      };
+      ui = {
+        SHOW_USER_EMAIL = false;
+        DEFAULT_THEME = "gitea-dark";
+      };
+      #        openid = {
+      #            ENABLE_OPENID_SIGNIN = true;
+      #            WHITELISTED_URIS = "https://auth.kabtop.de";
+      #        };
+      #        oauth2_client = {
+      #            ENABLE_AUTO_REGISTRATION = true;
+      #        };
+      time = {
+        DEFAULT_UI_LOCATION = "Europe/Berlin";
+      };
+      other = {
+        SHOW_FOOTER_VERSION = false;
+      };

-        session.COOKIE_SECURE = true;
-        service = {
-            REGISTER_EMAIL_CONFIRM = true;
-            DISABLE_REGISTRATION = true;
-        };
-        actions = {
-            ENABLED = true;
-        };
-	indexer = {
-	    REPO_INDEXER_ENABLED = false;
-	};
+      session.COOKIE_SECURE = true;
+      service = {
+        REGISTER_EMAIL_CONFIRM = true;
+        DISABLE_REGISTRATION = true;
+      };
+      actions = {
+        ENABLED = true;
+      };
+      indexer = {
+        REPO_INDEXER_ENABLED = false;
+      };
    };
  };

@@ -87,11 +89,11 @@
    };
  };
  age.secrets."services/gitea/mailerPassword" = {
-      file = ../../../secrets/services/gitea/mailerPassword.age;
-      owner = "gitea";
+    file = ../../../secrets/services/gitea/mailerPassword.age;
+    owner = "gitea";
  };
  age.secrets."services/gitea/databasePassword" = {
-      file = ../../../secrets/services/gitea/databasePassword.age;
-      owner = "gitea";
+    file = ../../../secrets/services/gitea/databasePassword.age;
+    owner = "gitea";
  };
 }
--- a/modules/services/server/gitea_runner.nix
+++ b/modules/services/server/gitea_runner.nix
@@ -1,59 +1,62 @@
-{ lib, config, pkgs, ... }:
-
 {
-    virtualisation = {
-      podman ={
-        enable = true;
-        autoPrune.enable = true;
-        dockerCompat = true;
-      };
-      containers.containersConf.settings = {
-        # podman seems to not work with systemd-resolved
-        containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  virtualisation = {
+    podman = {
+      enable = true;
+      autoPrune.enable = true;
+      dockerCompat = true;
+    };
+    containers.containersConf.settings = {
+      # podman seems to not work with systemd-resolved
+      containers.dns_servers = ["8.8.8.8" "8.8.4.4"];
+    };
+  };
+
+  services.gitea-actions-runner.instances = {
+    serverrunner = {
+      enable = true;
+      url = "https://git.kabtop.de";
+      name = "Server runner";
+      tokenFile = config.age.secrets."services/gitea/serverrunner-token".path;
+      labels = [
+        "server"
+        "debian-latest:docker://node:18-bullseye"
+        "ubuntu-latest:docker://node:16-bullseye"
+        "ubuntu-22.04:docker://node:16-bullseye"
+        "ubuntu-20.04:docker://node:16-bullseye"
+        "ubuntu-18.04:docker://node:16-buster"
+        "native:host"
+      ];
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        wget
+      ];
+      settings = {
+        # container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+        # the default network that also respects our dns server settings
+        container.network = "host";
+        container.privileged = false;
+        # container.valid_volumes = [
+        #   "/nix"
+        #   "${storeDeps}/bin"
+        #   "${storeDeps}/etc/ssl"
+        # ];
      };
    };
+  };

-    services.gitea-actions-runner.instances = {
-        serverrunner = {
-            enable = true;
-            url = "https://git.kabtop.de";
-            name = "Server runner";
-            tokenFile = config.age.secrets."services/gitea/serverrunner-token".path;
-            labels = [ 
-              "server"
-              "debian-latest:docker://node:18-bullseye"
-              "ubuntu-latest:docker://node:16-bullseye"
-              "ubuntu-22.04:docker://node:16-bullseye"
-              "ubuntu-20.04:docker://node:16-bullseye"
-              "ubuntu-18.04:docker://node:16-buster"
-              "native:host"
-            ];
-            hostPackages = with pkgs; [
-              bash
-              coreutils
-              curl
-              gawk
-              gitMinimal
-              gnused
-              nodejs
-              wget
-            ];
-            settings = {
-             # container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
-               # the default network that also respects our dns server settings
-              container.network = "host";
-              container.privileged = false;
-             # container.valid_volumes = [
-             #   "/nix"
-             #   "${storeDeps}/bin"
-             #   "${storeDeps}/etc/ssl"
-             # ];
-            };
-        };
-    };
-
-    age.secrets."services/gitea/serverrunner-token" = {
-      file = ../../../secrets/services/gitea/serverrunner-token.age;
-      owner = "gitea-runner";
-    };
+  age.secrets."services/gitea/serverrunner-token" = {
+    file = ../../../secrets/services/gitea/serverrunner-token.age;
+    owner = "gitea-runner";
+  };
 }
--- a/modules/services/server/hydra.nix
+++ b/modules/services/server/hydra.nix
@@ -1,77 +1,79 @@
-{ lib, config, pkgs, ... }:
-
 {
-    services = {
-      hydra = {
-        enable = true;
-        hydraURL = "https://hydra.ci.kabtop.de";
-        listenHost = "127.0.0.1";
-        port = 3001;
-        notificationSender = "hydra@kabtop.de";
-        useSubstitutes = true;
-        minimumDiskFree = 50;
-	maxServers = 10;
-      };
-      nix-serve = {
-          enable = true;
-          port = 5001;
-          bindAddress = "127.0.0.1";
-          secretKeyFile = config.age.secrets."keys/nixsign".path;
-      };
-      nginx = {
-        enable = true;
-        recommendedProxySettings = true;
-        recommendedTlsSettings = true;
-        recommendedGzipSettings = true;
-        recommendedOptimisation = true;
-        virtualHosts = {
-          "ci.kabtop.de" = {
-            enableACME = true;
-            forceSSL = true;
-            default = true;
-            locations."/".return = "503";
-          };
-          "hydra.ci.kabtop.de" = {
-            enableACME = true;
-            forceSSL = true;
-            locations."/" = {
-              proxyPass = "http://localhost:3001";
-              extraConfig = ''
-                proxy_set_header X-Forwarded-Port 443;
-              '';
-            };
-          };
-          "cache.ci.kabtop.de" = {
-            enableACME = true;
-            forceSSL = true;
-            locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  services = {
+    hydra = {
+      enable = true;
+      hydraURL = "https://hydra.ci.kabtop.de";
+      listenHost = "127.0.0.1";
+      port = 3001;
+      notificationSender = "hydra@kabtop.de";
+      useSubstitutes = true;
+      minimumDiskFree = 50;
+      maxServers = 10;
+    };
+    nix-serve = {
+      enable = true;
+      port = 5001;
+      bindAddress = "127.0.0.1";
+      secretKeyFile = config.age.secrets."keys/nixsign".path;
+    };
+    nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      virtualHosts = {
+        "ci.kabtop.de" = {
+          enableACME = true;
+          forceSSL = true;
+          default = true;
+          locations."/".return = "503";
+        };
+        "hydra.ci.kabtop.de" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://localhost:3001";
+            extraConfig = ''
+              proxy_set_header X-Forwarded-Port 443;
+            '';
          };
        };
+        "cache.ci.kabtop.de" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+        };
      };
    };
+  };

-    nix = {
-      settings = {
-        cores = 5;
-	max-jobs = 1;
-        trusted-users = [
-          "hydra"
-        ];
-        allowed-uris = [
-	  "github:"
-	  "https://github.com/"
-  	  "git+ssh://github.com/"
-  	];
-      };
-
-      extraOptions = ''
-        secret-key-files = ${config.age.secrets."keys/nixsign".path}
-      '';
-    };
-    
-    age.secrets."keys/nixsign" = {
-      file = ../../../secrets/keys/nixservepriv.age;
-      owner = "hydra";
+  nix = {
+    settings = {
+      cores = 5;
+      max-jobs = 1;
+      trusted-users = [
+        "hydra"
+      ];
+      allowed-uris = [
+        "github:"
+        "https://github.com/"
+        "git+ssh://github.com/"
+      ];
    };

+    extraOptions = ''
+      secret-key-files = ${config.age.secrets."keys/nixsign".path}
+    '';
+  };
+
+  age.secrets."keys/nixsign" = {
+    file = ../../../secrets/keys/nixservepriv.age;
+    owner = "hydra";
+  };
 }
--- a/modules/services/server/jitsi.nix
+++ b/modules/services/server/jitsi.nix
@@ -1,46 +1,48 @@
-
-{ config, pkgs, ... }:
 {
-    services.jitsi-meet = {
-        enable = true;
-        hostName = "meet.kabtop.de";
-        config = {
-            enableWelcomePage = false;
-            prejoinPageEnabled = true;
-            defaultLang = "en";
-        };
-        interfaceConfig = {
-            SHOW_JITSI_WATERMARK = false;
-            SHOW_WATERMARK_FOR_GUESTS = false;
-        };
+  config,
+  pkgs,
+  ...
+}: {
+  services.jitsi-meet = {
+    enable = true;
+    hostName = "meet.kabtop.de";
+    config = {
+      enableWelcomePage = false;
+      prejoinPageEnabled = true;
+      defaultLang = "en";
    };
-    #services.jibri = {
-    #    enable = true;
-    #    config = {
-    #        recording = {
-    #          recordings-directory = "/var/lib/jitsi-meet-recordings";
-    #        };
-    #        ffmpeg = {
-    #          #framerate = 30;
-    #          #video-encode-preset = "veryfast"; # https://trac.ffmpeg.org/wiki/Encode/H.264#a2.Chooseapresetandtune
-    #          h264-constant-rate-factor = 21; # https://trac.ffmpeg.org/wiki/Encode/H.264#a1.ChooseaCRFvalue
-    #        };
-    #    };
-    #};
-    services.jitsi-videobridge = {
-        enable = true;
-        openFirewall = true;
+    interfaceConfig = {
+      SHOW_JITSI_WATERMARK = false;
+      SHOW_WATERMARK_FOR_GUESTS = false;
    };
+  };
+  #services.jibri = {
+  #    enable = true;
+  #    config = {
+  #        recording = {
+  #          recordings-directory = "/var/lib/jitsi-meet-recordings";
+  #        };
+  #        ffmpeg = {
+  #          #framerate = 30;
+  #          #video-encode-preset = "veryfast"; # https://trac.ffmpeg.org/wiki/Encode/H.264#a2.Chooseapresetandtune
+  #          h264-constant-rate-factor = 21; # https://trac.ffmpeg.org/wiki/Encode/H.264#a1.ChooseaCRFvalue
+  #        };
+  #    };
+  #};
+  services.jitsi-videobridge = {
+    enable = true;
+    openFirewall = true;
+  };

-    services.prosody.extraConfig = ''
-        log = "/var/log/prosody/prosody.log"
-    '';
-    systemd.tmpfiles.rules = [
-      "d /var/log/prosody - prosody prosody"
-      #"d ${config.services.jibri.config.recording.recordings-directory} 0750 jibri jibri -"
-    ];
+  services.prosody.extraConfig = ''
+    log = "/var/log/prosody/prosody.log"
+  '';
+  systemd.tmpfiles.rules = [
+    "d /var/log/prosody - prosody prosody"
+    #"d ${config.services.jibri.config.recording.recordings-directory} 0750 jibri jibri -"
+  ];

-    security.acme.defaults.email = "webmaster@kabtop.de";
-    security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
-    security.acme.acceptTerms = true;
+  security.acme.defaults.email = "webmaster@kabtop.de";
+  security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
+  security.acme.acceptTerms = true;
 }
--- a/modules/services/server/matrix.nix
+++ b/modules/services/server/matrix.nix
@@ -1,10 +1,12 @@
 #
 # System notifications
 #
-
-{ config, lib, pkgs, ... }:
-
-let
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
  fqdn = "matrix.${config.networking.domain}";
  clientConfig = {
    "m.homeserver".base_url = "https://${fqdn}";
@@ -24,230 +26,237 @@ in {
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
-      "${config.networking.domain}" = { 
+      "${config.networking.domain}" = {
        enableACME = true;
        forceSSL = true;
-        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; 
-        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; 
-        locations."/_matrix".proxyPass = "http://localhost:8008"; 
+        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+        locations."/_matrix".proxyPass = "http://localhost:8008";
      };
      "${fqdn}" = {
        enableACME = true;
        forceSSL = true;
-        locations."/health".proxyPass = "http://localhost:8008"; 
-        locations."/_matrix".proxyPass = "http://localhost:8008"; 
-        locations."/_synapse/client".proxyPass = "http://localhost:8008"; 
-        locations."/".extraConfig = '' 
+        locations."/health".proxyPass = "http://localhost:8008";
+        locations."/_matrix".proxyPass = "http://localhost:8008";
+        locations."/_synapse/client".proxyPass = "http://localhost:8008";
+        locations."/".extraConfig = ''
          return 404;
        '';
      };
-#      "element.${config.networking.domain}" = {
-#        enableACME = true;
-#        forceSSL = true;
-#
-#        root = pkgs.element-web.override {
-#            conf = {
-#                default_server_config = clientConfig;
-#            };
-#        };
-#      };
+      #      "element.${config.networking.domain}" = {
+      #        enableACME = true;
+      #        forceSSL = true;
+      #
+      #        root = pkgs.element-web.override {
+      #            conf = {
+      #                default_server_config = clientConfig;
+      #            };
+      #        };
+      #      };
    };
  };

-  imports = [ ../../kabbone/mautrix-whatsapp.nix ];
+  imports = [../../kabbone/mautrix-whatsapp.nix];

  services.matrix-synapse = {
    enable = true;
    settings = {
-        server_name = config.networking.domain;
-        public_baseurl = "https://matrix.${config.networking.domain}";
-        listeners = [
-          { port = 8008;
-            bind_addresses = [ "::1" ];
-            type = "http";
-            tls = false;
-            x_forwarded = true;
-            resources = [ 
-              { names = [ "client" ]; compress = true; }
-              { names = [ "federation" ]; compress = false; }
-            ];
-          }
-        ];
+      server_name = config.networking.domain;
+      public_baseurl = "https://matrix.${config.networking.domain}";
+      listeners = [
+        {
+          port = 8008;
+          bind_addresses = ["::1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client"];
+              compress = true;
+            }
+            {
+              names = ["federation"];
+              compress = false;
+            }
+          ];
+        }
+      ];
    };
    extraConfigFiles = [
-        config.age.secrets."services/matrix/synapse.yml".path
+      config.age.secrets."services/matrix/synapse.yml".path
    ];
  };

  systemd.services = {
-      matrix-synapse = {
-          requires = [ "postgresql.service" ];
-      };
+    matrix-synapse = {
+      requires = ["postgresql.service"];
+    };
  };

  services = {
-      mautrix-telegram = {
-          enable = true;
-	  registerToSynapse = true;
-          environmentFile = config.age.secrets."services/matrix/mautrix-telegram.env".path;
-          settings = {
-              homeserver = {
-                  address = "http://localhost:8008";
-                  domain = "kabtop.de";
-              };
-              appservice = {
-                  hostname = "127.0.0.1";
-                  provisioning.enabled = false;
-                  id = "telegram";
-                  public = {
-                      enabled = false;
-                  };
-              };
-              bridge = {
-                  sync_channel_members = true;
-                  startup_sync = true;
-                  public_portals = true;
-                  double_puppet_server_map = {
-                    "kabtop.de" = "https://kabtop.de";
-                  };
-                  encryption = {
-                      allow = true;
-                      default = true;
-                      verification_levels = {
-                          receive = "cross-signed-untrusted";
-                          send = "cross-signed-untrusted";
-                      };
-                  };
-                  private_chat_portal_meta = "default";
-                  backfill = {
-                      disable_notifications = true;
-                  };
-                  permissions = {
-                      "@kabbone:kabtop.de" = "admin";
-                  };
-              };
-              logging = {
-                  loggers = {
-                    mau = {
-                      level = "WARN";
-                    };
-                    telethon = {
-                      level = "WARN";
-                    };
-                  };
-                  root = {
-                    handlers = [
-                      "console"
-                    ];
-                    level = "WARN";
-                  };
-              };
+    mautrix-telegram = {
+      enable = true;
+      registerToSynapse = true;
+      environmentFile = config.age.secrets."services/matrix/mautrix-telegram.env".path;
+      settings = {
+        homeserver = {
+          address = "http://localhost:8008";
+          domain = "kabtop.de";
+        };
+        appservice = {
+          hostname = "127.0.0.1";
+          provisioning.enabled = false;
+          id = "telegram";
+          public = {
+            enabled = false;
          };
-      };
-      mautrix-signal = {
-          enable = true;
-	  registerToSynapse = true;
-          environmentFile = config.age.secrets."services/matrix/mautrix-signal.env".path;
-          settings = {
-              homeserver = {
-                  address = "http://localhost:8008";
-                  domain = "kabtop.de";
-              };
-              appservice = {
-                  hostname = "127.0.0.1";
-                  id = "signal";
-		  as_token = "$MAUTRIX_SIGNAL_AS_TOKEN";
-		  hs_token = "$MAUTRIX_SIGNAL_HS_TOKEN";
-              };
-	      database = {
-	        type = "postgres";
-	        uri = "$MAUTRIX_SIGNAL_APPSERVICE_DATABASE";
-	      };
-              encryption = {
-                  allow = true;
-                  default = true;
-                  verification_levels = {
-                      receive = "cross-signed-untrusted";
-                      send = "cross-signed-untrusted";
-                  };
-	          pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
-              };
-	      backfill = {
-	          enabled = true;
-	      };
-              bridge = {
-                  permissions = {
-                      "@kabbone:kabtop.de" = "admin";
-                  };
-              };
-              logging = {
-	          min_level = "warn";
-		  writers = [
-		    {
-		      format = "pretty-colored";
-		      type = "stdout";
-		    }
-		  ];
-              };
+        };
+        bridge = {
+          sync_channel_members = true;
+          startup_sync = true;
+          public_portals = true;
+          double_puppet_server_map = {
+            "kabtop.de" = "https://kabtop.de";
          };
-      };
-      kabbone_mautrix-whatsapp = {
-          enable = true;
-	  registerToSynapse = true;
-          environmentFile = config.age.secrets."services/matrix/mautrix-whatsapp.env".path;
-          settings = {
-              homeserver = {
-                  address = "http://localhost:8008";
-                  domain = "kabtop.de";
-              };
-              appservice = {
-                  hostname = "127.0.0.1";
-                  id = "whatsapp";
-		  as_token = "$MAUTRIX_WHATSAPP_AS_TOKEN";
-		  hs_token = "$MAUTRIX_WHATSAPP_HS_TOKEN";
-	      };
-	      database = {
-	        type = "postgres";
-	        uri = "$MAUTRIX_WHATSAPP_APPSERVICE_DATABASE";
-              };
-              encryption = {
-                  allow = true;
-                  default = true;
-                  verification_levels = {
-                      receive = "cross-signed-untrusted";
-                      send = "cross-signed-untrusted";
-                  };
-	          pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
-              };
-	      network = {
-                  history_sync.request_full_sync = true;
-	      };
-              bridge = {
-                  permissions = {
-                      "@kabbone:kabtop.de" = "admin";
-                  };
-              };
-              logging = {
-	          min_level = "warn";
-              };
+          encryption = {
+            allow = true;
+            default = true;
+            verification_levels = {
+              receive = "cross-signed-untrusted";
+              send = "cross-signed-untrusted";
+            };
          };
+          private_chat_portal_meta = "default";
+          backfill = {
+            disable_notifications = true;
+          };
+          permissions = {
+            "@kabbone:kabtop.de" = "admin";
+          };
+        };
+        logging = {
+          loggers = {
+            mau = {
+              level = "WARN";
+            };
+            telethon = {
+              level = "WARN";
+            };
+          };
+          root = {
+            handlers = [
+              "console"
+            ];
+            level = "WARN";
+          };
+        };
      };
+    };
+    mautrix-signal = {
+      enable = true;
+      registerToSynapse = true;
+      environmentFile = config.age.secrets."services/matrix/mautrix-signal.env".path;
+      settings = {
+        homeserver = {
+          address = "http://localhost:8008";
+          domain = "kabtop.de";
+        };
+        appservice = {
+          hostname = "127.0.0.1";
+          id = "signal";
+          as_token = "$MAUTRIX_SIGNAL_AS_TOKEN";
+          hs_token = "$MAUTRIX_SIGNAL_HS_TOKEN";
+        };
+        database = {
+          type = "postgres";
+          uri = "$MAUTRIX_SIGNAL_APPSERVICE_DATABASE";
+        };
+        encryption = {
+          allow = true;
+          default = true;
+          verification_levels = {
+            receive = "cross-signed-untrusted";
+            send = "cross-signed-untrusted";
+          };
+          pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
+        };
+        backfill = {
+          enabled = true;
+        };
+        bridge = {
+          permissions = {
+            "@kabbone:kabtop.de" = "admin";
+          };
+        };
+        logging = {
+          min_level = "warn";
+          writers = [
+            {
+              format = "pretty-colored";
+              type = "stdout";
+            }
+          ];
+        };
+      };
+    };
+    kabbone_mautrix-whatsapp = {
+      enable = true;
+      registerToSynapse = true;
+      environmentFile = config.age.secrets."services/matrix/mautrix-whatsapp.env".path;
+      settings = {
+        homeserver = {
+          address = "http://localhost:8008";
+          domain = "kabtop.de";
+        };
+        appservice = {
+          hostname = "127.0.0.1";
+          id = "whatsapp";
+          as_token = "$MAUTRIX_WHATSAPP_AS_TOKEN";
+          hs_token = "$MAUTRIX_WHATSAPP_HS_TOKEN";
+        };
+        database = {
+          type = "postgres";
+          uri = "$MAUTRIX_WHATSAPP_APPSERVICE_DATABASE";
+        };
+        encryption = {
+          allow = true;
+          default = true;
+          verification_levels = {
+            receive = "cross-signed-untrusted";
+            send = "cross-signed-untrusted";
+          };
+          pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
+        };
+        network = {
+          history_sync.request_full_sync = true;
+        };
+        bridge = {
+          permissions = {
+            "@kabbone:kabtop.de" = "admin";
+          };
+        };
+        logging = {
+          min_level = "warn";
+        };
+      };
+    };
  };

  age.secrets."services/matrix/synapse.yml" = {
-     file = ../../../secrets/services/matrix/synapse.age;
-     owner = "matrix-synapse";
+    file = ../../../secrets/services/matrix/synapse.age;
+    owner = "matrix-synapse";
  };
  age.secrets."services/matrix/mautrix-telegram.env" = {
-     file = ../../../secrets/services/matrix/mautrix-telegram.age;
-     owner = "mautrix-telegram";
+    file = ../../../secrets/services/matrix/mautrix-telegram.age;
+    owner = "mautrix-telegram";
  };
  age.secrets."services/matrix/mautrix-whatsapp.env" = {
-     file = ../../../secrets/services/matrix/mautrix-whatsapp.age;
-     owner = "mautrix-whatsapp";
+    file = ../../../secrets/services/matrix/mautrix-whatsapp.age;
+    owner = "mautrix-whatsapp";
  };
  age.secrets."services/matrix/mautrix-signal.env" = {
-     file = ../../../secrets/services/matrix/mautrix-signal.age;
-     owner = "mautrix-signal";
+    file = ../../../secrets/services/matrix/mautrix-signal.age;
+    owner = "mautrix-signal";
  };
 }
--- a/modules/services/server/mealie.nix
+++ b/modules/services/server/mealie.nix
@@ -1,36 +1,36 @@
-
-{ config, pkgs, ... }:
 {
-
-    services.mealie = {
-        enable = true;
-        listenAddress = "127.0.0.1";
-	credentialsFile = config.age.secrets."services/mealie/credentialsFile".path;
-        settings = {
-            ALLOW_SIGNUP = "false";
-            DB_ENGINE    = "postgres";
-            TZ           = "Europe/Berlin";
-        };
+  config,
+  pkgs,
+  ...
+}: {
+  services.mealie = {
+    enable = true;
+    listenAddress = "127.0.0.1";
+    credentialsFile = config.age.secrets."services/mealie/credentialsFile".path;
+    settings = {
+      ALLOW_SIGNUP = "false";
+      DB_ENGINE = "postgres";
+      TZ = "Europe/Berlin";
    };
+  };

-    services.nginx = {
-      enable = true;
-      virtualHosts = {
-        "mealie.kabtop.de" = {
-          enableACME = true;
-          forceSSL = true;
-          locations."/".proxyPass = "http://localhost:9000";
-        };
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "mealie.kabtop.de" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:9000";
      };
    };
+  };

-    age.secrets."services/mealie/credentialsFile" = {
-        file = ../../../secrets/services/mealie/credentialsFile.age;
-        owner = "mealie";
-    };
-
-    security.acme.defaults.email = "webmaster@kabtop.de";
-    security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
-    security.acme.acceptTerms = true;
+  age.secrets."services/mealie/credentialsFile" = {
+    file = ../../../secrets/services/mealie/credentialsFile.age;
+    owner = "mealie";
+  };

+  security.acme.defaults.email = "webmaster@kabtop.de";
+  security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
+  security.acme.acceptTerms = true;
 }
--- a/modules/services/server/microvm.nix
+++ b/modules/services/server/microvm.nix
@@ -1,48 +1,55 @@
-{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
-let
-  name = "gitea-runner";
-in
 {
+  config,
+  microvm,
+  lib,
+  pkgs,
+  user,
+  agenix,
+  impermanence,
+  ...
+}: let
+  name = "gitea-runner";
+in {
  microvm = {
    autostart = [
      name
    ];
    vms = {
      ${name} = {
-
        inherit pkgs;

        config = {
-          imports = 
-            [ agenix.nixosModules.default ] ++
-            [ impermanence.nixosModules.impermanence ] ++
-            [( ./gitea_runner.nix )];
+          imports =
+            [agenix.nixosModules.default]
+            ++ [impermanence.nixosModules.impermanence]
+            ++ [(./gitea_runner.nix)];

          networking = {
            hostName = "${name}";

            firewall = {
              enable = true;
-                allowedUDPPorts = [  ];
-                allowedTCPPorts = [  ];
+              allowedUDPPorts = [];
+              allowedTCPPorts = [];
            };
          };
          systemd.network = {
-              enable = true;
-              networks = {
-                  "10-lan" = {
-                      matchConfig.Name = "*";
-                      networkConfig = {
-                        DHCP = "yes";
-                        IPv6AcceptRA = true;
-                      };
-                  };
+            enable = true;
+            networks = {
+              "10-lan" = {
+                matchConfig.Name = "*";
+                networkConfig = {
+                  DHCP = "yes";
+                  IPv6AcceptRA = true;
+                };
              };
+            };
          };

-          users.users.${user} = {                   # System User
+          users.users.${user} = {
+            # System User
            isNormalUser = true;
-            extraGroups = [ "wheel" ];
+            extraGroups = ["wheel"];
            uid = 2000;
            openssh.authorizedKeys.keys = [
              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -56,30 +63,32 @@ in
              enable = true;
              settings.PasswordAuthentication = false;
              hostKeys = [
-              {
+                {
                  path = "/persist/etc/ssh/ssh_host_ed25519_key";
                  type = "ed25519";
-              }
-              {
+                }
+                {
                  path = "/persist/etc/ssh/ssh_host_rsa_key";
                  type = "rsa";
                  bits = 4096;
-              }];
+                }
+              ];
            };
          };

          fileSystems."/persist".neededForBoot = lib.mkForce true;

          environment = {
-            systemPackages = with pkgs; [           # Default packages install system-wide
-               bash
-               coreutils
-               curl
-               gawk
-               gitMinimal
-               gnused
-               nodejs
-               wget
+            systemPackages = with pkgs; [
+              # Default packages install system-wide
+              bash
+              coreutils
+              curl
+              gawk
+              gitMinimal
+              gnused
+              nodejs
+              wget
            ];
            persistence."/persist" = {
              directories = [
@@ -100,23 +109,26 @@ in
            mem = 4096;
            #kernel = pkgs.linuxKernel.packages.linux_latest;
            interfaces = [
-            {
-              type = "user";
-              id = "vm-${name}";
-              mac = "04:00:00:00:00:01";
-            } ];
-             shares = [{
-              source = "/nix/store";
-              mountPoint = "/nix/.ro-store";
-              tag = "ro-store";
-              proto = "virtiofs";
-            }
-            {
-              source = "/etc/vm-persist/${name}";
-              mountPoint = "/persist";
-              tag = "persist";
-              proto = "virtiofs";
-            }];
+              {
+                type = "user";
+                id = "vm-${name}";
+                mac = "04:00:00:00:00:01";
+              }
+            ];
+            shares = [
+              {
+                source = "/nix/store";
+                mountPoint = "/nix/.ro-store";
+                tag = "ro-store";
+                proto = "virtiofs";
+              }
+              {
+                source = "/etc/vm-persist/${name}";
+                mountPoint = "/persist";
+                tag = "persist";
+                proto = "virtiofs";
+              }
+            ];
            #writableStoreOverlay = "/nix/.rw-store";
            #storeOnDisk = true;
          };
--- a/modules/services/server/nextcloud.nix
+++ b/modules/services/server/nextcloud.nix
@@ -1,35 +1,37 @@
-
-{ config, pkgs, ... }:
 {
-    services.nextcloud = {
-        enable = true;
-        hostName = "cloud.kabtop.de";
-        https = true;
-        package = pkgs.nextcloud32;
-        database.createLocally = false;
-        notify_push.enable = false;
-	enableImagemagick = true;
-	maxUploadSize = "512M";
-        caching = {
-            redis = true;
-            apcu = true;
-        };
-	imaginary.enable = true;
-        settings = {
-            log_type = "file";
-            logfile = "nextcloud.log";
-            overwriteprotocol = "https";
-            default_phone_region = "DE";
+  config,
+  pkgs,
+  ...
+}: {
+  services.nextcloud = {
+    enable = true;
+    hostName = "cloud.kabtop.de";
+    https = true;
+    package = pkgs.nextcloud32;
+    database.createLocally = false;
+    notify_push.enable = false;
+    enableImagemagick = true;
+    maxUploadSize = "512M";
+    caching = {
+      redis = true;
+      apcu = true;
+    };
+    imaginary.enable = true;
+    settings = {
+      log_type = "file";
+      logfile = "nextcloud.log";
+      overwriteprotocol = "https";
+      default_phone_region = "DE";

-            redis = {
-                host = "/run/redis-nextcloud/redis.sock";
-                port = 0;
-            };
-            "memcache.local" = "\\OC\\Memcache\\APCu";
-            "memcache.distributed" = "\\OC\\Memcache\\Redis";
-            "memcache.locking" = "\\OC\\Memcache\\Redis";
-            "enable_previews" = true;
-            "enabledPreviewproviders" = "
+      redis = {
+        host = "/run/redis-nextcloud/redis.sock";
+        port = 0;
+      };
+      "memcache.local" = "\\OC\\Memcache\\APCu";
+      "memcache.distributed" = "\\OC\\Memcache\\Redis";
+      "memcache.locking" = "\\OC\\Memcache\\Redis";
+      "enable_previews" = true;
+      "enabledPreviewproviders" = "
             array (
               'OC\Preview\PNG',
               'OC\Preview\JPEG',
@@ -43,57 +45,56 @@
               'OC\Preview\Krita',
               'OC\Preview\HEIC',
             )";
-            "maintenance_window_start" = "1";
-        };
-        config = {
-            dbtype = "pgsql";
-            dbuser = "nextcloud";
-            dbhost = "localhost";
-            dbname = "nextclouddb";
-            adminuser = "kabbone"; 
-            adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
-            dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
-        };
-        phpOptions = {
-            "opcache.interned_strings_buffer" = "16";
-        };
+      "maintenance_window_start" = "1";
    };
-
-    services.redis = {
-        vmOverCommit = true;
-        servers.nextcloud = {
-            enable = true;
-            user = "nextcloud";
-            port = 0;
-        };
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "localhost";
+      dbname = "nextclouddb";
+      adminuser = "kabbone";
+      adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
+      dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
    };
+    phpOptions = {
+      "opcache.interned_strings_buffer" = "16";
+    };
+  };

-    services.nginx = {
+  services.redis = {
+    vmOverCommit = true;
+    servers.nextcloud = {
      enable = true;
-      virtualHosts = {
-        "${config.services.nextcloud.hostName}" = {
-          enableACME = true;
-          forceSSL = true;
-        };
+      user = "nextcloud";
+      port = 0;
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "${config.services.nextcloud.hostName}" = {
+        enableACME = true;
+        forceSSL = true;
      };
    };
+  };

-    age.secrets."services/nextcloud/dbpassFile" = {
-        file = ../../../secrets/services/nextcloud/dbpassFile.age;
-        owner = "nextcloud";
-    };
-    age.secrets."services/nextcloud/adminpassFile" = {
-        file = ../../../secrets/services/nextcloud/adminpassFile.age;
-        owner = "nextcloud";
-    };
+  age.secrets."services/nextcloud/dbpassFile" = {
+    file = ../../../secrets/services/nextcloud/dbpassFile.age;
+    owner = "nextcloud";
+  };
+  age.secrets."services/nextcloud/adminpassFile" = {
+    file = ../../../secrets/services/nextcloud/adminpassFile.age;
+    owner = "nextcloud";
+  };

-    systemd.services."nextcloud-setup" = {
-        requires = ["postgresql.service"];
-        after = ["postgresql.service"];
-    };
-
-    security.acme.defaults.email = "webmaster@kabtop.de";
-    security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
-    security.acme.acceptTerms = true;
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };

+  security.acme.defaults.email = "webmaster@kabtop.de";
+  security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
+  security.acme.acceptTerms = true;
 }
--- a/modules/services/server/ollama.nix
+++ b/modules/services/server/ollama.nix
@@ -1,9 +1,10 @@
-
-{ config, pkgs, ... }:
-let
-  ollamahostname = "llm.kabtop.de";
-in
 {
+  config,
+  pkgs,
+  ...
+}: let
+  ollamahostname = "llm.kabtop.de";
+in {
  virtualisation.oci-containers.containers."open-webui" = {
    autoStart = true;
    image = "ghcr.io/open-webui/open-webui:ollama";
@@ -11,17 +12,17 @@ in
      "/var/lib/open-webui:/app/backend/data"
    ];
    hostname = "open-webui";
-    ports = [ "8081:8080" ];
+    ports = ["8081:8080"];
  };

  services = {
    nginx = {
      virtualHosts = {
-          ${ollamahostname} = {
-              enableACME = true;
-              forceSSL = true;
-              locations."/".proxyPass = "http://localhost:8081";
-          };
+        ${ollamahostname} = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".proxyPass = "http://localhost:8081";
+        };
      };
    };
  };
--- a/modules/services/server/postgresql.nix
+++ b/modules/services/server/postgresql.nix
@@ -1,37 +1,39 @@
 #
 # System notifications
 #
-
-{ config, lib, pkgs, ... }:
-
 {
-#  imports = [ ./postgresql_upgrade.nix ];
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  #  imports = [ ./postgresql_upgrade.nix ];
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    settings = {
-        max_connections = 200;
-        listen_addresses = "localhost";
-        password_encryption = "scram-sha-256";
-        shared_buffers = "4GB";
-        work_mem = "2GB";
-        maintenance_work_mem = "500MB";
-        autovacuum_work_mem = -1;
-        log_timezone = "Europe/Berlin";
-        timezone = "Europe/Berlin";
+      max_connections = 200;
+      listen_addresses = "localhost";
+      password_encryption = "scram-sha-256";
+      shared_buffers = "4GB";
+      work_mem = "2GB";
+      maintenance_work_mem = "500MB";
+      autovacuum_work_mem = -1;
+      log_timezone = "Europe/Berlin";
+      timezone = "Europe/Berlin";
    };
    authentication = pkgs.lib.mkOverride 14 ''
-        local  all           postgres        peer
-        host   giteadb       gitea          localhost scram-sha-256
-        host   nextclouddb   nextcloud      localhost scram-sha-256
-        host   synapsedb     synapse        localhost scram-sha-256
-        host   whatsappdb    mautrixwa      localhost scram-sha-256
-        host   telegramdb    mautrixtele    localhost scram-sha-256
-        host   signaldb      mautrixsignal  localhost scram-sha-256
-        host   mealie        mealie         localhost scram-sha-256
-        host   onlyoffice    onlyoffice     localhost scram-sha-256
-        local  onlyoffice    onlyoffice     peer
-        local  hydra         all            ident map=hydra-users
+      local  all           postgres        peer
+      host   giteadb       gitea          localhost scram-sha-256
+      host   nextclouddb   nextcloud      localhost scram-sha-256
+      host   synapsedb     synapse        localhost scram-sha-256
+      host   whatsappdb    mautrixwa      localhost scram-sha-256
+      host   telegramdb    mautrixtele    localhost scram-sha-256
+      host   signaldb      mautrixsignal  localhost scram-sha-256
+      host   mealie        mealie         localhost scram-sha-256
+      host   onlyoffice    onlyoffice     localhost scram-sha-256
+      local  onlyoffice    onlyoffice     peer
+      local  hydra         all            ident map=hydra-users
    '';
    identMap = ''
      hydra-users hydra hydra
@@ -47,8 +49,7 @@
  services.postgresqlBackup.enable = true;

  age.secrets."services/postgresql/initScript.sql" = {
-      file = ../../../secrets/services/postgresql/initScript.age;
-      owner = "postgres";
+    file = ../../../secrets/services/postgresql/initScript.age;
+    owner = "postgres";
  };
-
 }
--- a/modules/services/server/postgresql_upgrade.nix
+++ b/modules/services/server/postgresql_upgrade.nix
@@ -1,5 +1,9 @@
-{ config, lib, pkgs, ... }:
 {
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
  environment.systemPackages = [
    (let
      # XXX specify the postgresql package you'd like to upgrade to.
@@ -8,26 +12,27 @@
        # pp.plv8
      ]);
      cfg = config.services.postgresql;
-    in pkgs.writeScriptBin "upgrade-pg-cluster" ''
-      set -eux
-      # XXX it's perhaps advisable to stop all services that depend on postgresql
-      systemctl stop postgresql
+    in
+      pkgs.writeScriptBin "upgrade-pg-cluster" ''
+        set -eux
+        # XXX it's perhaps advisable to stop all services that depend on postgresql
+        systemctl stop postgresql

-      export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
+        export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"

-      export NEWBIN="${newPostgres}/bin"
+        export NEWBIN="${newPostgres}/bin"

-      export OLDDATA="${cfg.dataDir}"
-      export OLDBIN="${cfg.package}/bin"
+        export OLDDATA="${cfg.dataDir}"
+        export OLDBIN="${cfg.package}/bin"

-      install -d -m 0700 -o postgres -g postgres "$NEWDATA"
-      cd "$NEWDATA"
-      sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" ${lib.escapeShellArgs cfg.initdbArgs}
+        install -d -m 0700 -o postgres -g postgres "$NEWDATA"
+        cd "$NEWDATA"
+        sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" ${lib.escapeShellArgs cfg.initdbArgs}

-      sudo -u postgres $NEWBIN/pg_upgrade \
-        --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
-        --old-bindir $OLDBIN --new-bindir $NEWBIN \
-        "$@"
-    '')
+        sudo -u postgres $NEWBIN/pg_upgrade \
+          --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
+          --old-bindir $OLDBIN --new-bindir $NEWBIN \
+          "$@"
+      '')
  ];
 }
--- a/modules/services/server/woodpecker.nix
+++ b/modules/services/server/woodpecker.nix
@@ -1,11 +1,14 @@
 #
 # CI/CD Woodpecker
 #
-
-{ config, lib, pkgs, ...  }:
-
 {
-  environment.systemPackages = with pkgs; [           # Default packages install system-wide
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = with pkgs; [
+    # Default packages install system-wide
    woodpecker-server
    woodpecker-cli
  ];
@@ -28,35 +31,35 @@
  systemd.services = {
    woodpecker-server = {
      description = "CI/CD Pipeline Server";
-      wantedBy = [ "multi-user.target"  ];
-      after = [ "network.target" "postgresql.service" ];
-      requires = [ "postgresql.service" ];
+      wantedBy = ["multi-user.target"];
+      after = ["network.target" "postgresql.service"];
+      requires = ["postgresql.service"];
      script = "${pkgs.woodpecker-server}/bin/woodpecker-server";
      serviceConfig = {
-        User="woodpecker";
-        Group="woodpecker";
-        Environment="HOME=/var/lib/woodpecker";
-        EnvironmentFile=config.age.secrets."services/woodpecker/environment".path;
-        ReadWritePaths="/var/lib/woodpecker /var/log/woodpecker";
-        NoNewPrivileges=true;
-        MemoryDenyWriteExecute=true;
-        PrivateDevices=true;
-        PrivateTmp=true;
-        ProtectHome=true;
-        ProtectSystem="strict";
-        ProtectControlGroups=true;
-        RestrictSUIDSGID=true;
-        RestrictRealtime=true;
-        LockPersonality=true;
-        ProtectKernelLogs=true;
-        ProtectKernelTunables=true;
-        ProtectHostname=true;
-        ProtectKernelModules=true;
-        PrivateUsers=true;
-        ProtectClock=true;
-        SystemCallArchitectures="native";
-        SystemCallErrorNumber="EPERM";
-        SystemCallFilter="@system-service";
+        User = "woodpecker";
+        Group = "woodpecker";
+        Environment = "HOME=/var/lib/woodpecker";
+        EnvironmentFile = config.age.secrets."services/woodpecker/environment".path;
+        ReadWritePaths = "/var/lib/woodpecker /var/log/woodpecker";
+        NoNewPrivileges = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectHome = true;
+        ProtectSystem = "strict";
+        ProtectControlGroups = true;
+        RestrictSUIDSGID = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+        ProtectKernelLogs = true;
+        ProtectKernelTunables = true;
+        ProtectHostname = true;
+        ProtectKernelModules = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = "@system-service";
      };
    };
  };
@@ -81,9 +84,7 @@
  };

  age.secrets."services/woodpecker/environment" = {
-      file = ../../../secrets/services/woodpecker/environment.age;
-      owner = "woodpecker";
+    file = ../../../secrets/services/woodpecker/environment.age;
+    owner = "woodpecker";
  };
-
 }
-