theclaw

Makefile

@@ -6,4 +6,4 @@ rebuild-pi:
 	NIX_SSHOPTS="-o IdentitiesOnly=yes -i ~/.ssh/id_rsa" nixos-rebuild switch --flake .#pi --target-host pi --build-host server --use-remote-sudo
 
 deploy-server:
-	nixos-rebuild switch --flake .#server --target-host server --build-host server --use-remote-sudo --ask-sudo-password
+	nixos-rebuild switch --flake .#server --target-host server --build-host server --sudo --ask-sudo-password

devices/asus/configuration.nix

@@ -1,12 +1,7 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-{
+{ config, lib, pkgs, ... }: {
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
@@ -38,13 +33,7 @@
   users.users.polen = {
     isNormalUser = true;
     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    packages = with pkgs; [
+    packages = with pkgs; [ neovim tree htop git ranger ];
-      neovim
-      tree
-      htop
-      git
-      ranger
-    ];
   };
 
   # List packages installed in system profile.

devices/asus/hardware-configuration.nix

@@ -4,34 +4,32 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules =
+    [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/50ea20bc-d9bb-40c7-8e4a-34e31da665b5";
+    device = "/dev/disk/by-uuid/50ea20bc-d9bb-40c7-8e4a-34e31da665b5";
     fsType = "ext4";
   };
 
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/9267-2ED4";
+    device = "/dev/disk/by-uuid/9267-2ED4";
     fsType = "vfat";
     options = [ "fmask=0077" "dmask=0077" ];
   };
 
-  fileSystems."/data" =
+  fileSystems."/data" = {
-    { device = "/dev/disk/by-uuid/465aa01d-2cc4-4955-bebb-b44c21528e4f";
+    device = "/dev/disk/by-uuid/465aa01d-2cc4-4955-bebb-b44c21528e4f";
     fsType = "ext4";
   };
 
   swapDevices =
-    [ { device = "/dev/disk/by-uuid/90dd6c81-79a7-45e2-b063-e263cabf1c28"; }
+    [{ device = "/dev/disk/by-uuid/90dd6c81-79a7-45e2-b063-e263cabf1c28"; }];
-    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -42,5 +40,6 @@
   # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

devices/latoure/configuration.nix

@@ -1,11 +1,7 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running 'nixos-help').
-{
+{ config, pkgs, ... }: {
-  config,
-  pkgs,
-  ...
-}: {
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
@@ -109,13 +105,7 @@
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
-  environment.systemPackages = with pkgs; [
+  environment.systemPackages = with pkgs; [ htop-vim ranger neovim wget git ];
-    htop-vim
-    ranger
-    neovim
-    wget
-    git
-  ];
 
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.

devices/latoure/hardware-configuration.nix

@@ -4,44 +4,52 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
 
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "xhci_pci" "pata_marvell" "firewire_ohci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "xhci_pci"
+    "pata_marvell"
+    "firewire_ohci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+    "sr_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/62a34abf-561a-410d-b913-eb2ad7ede6f5";
+    device = "/dev/disk/by-uuid/62a34abf-561a-410d-b913-eb2ad7ede6f5";
     fsType = "ext4";
   };
 
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/9B7B-A012";
+    device = "/dev/disk/by-uuid/9B7B-A012";
     fsType = "vfat";
     options = [ "fmask=0022" "dmask=0022" ];
   };
 
-  fileSystems."/data" =
+  fileSystems."/data" = {
-    { device = "/dev/disk/by-uuid/b7de7b88-6239-4340-9e7a-6486814bbd83";
+    device = "/dev/disk/by-uuid/b7de7b88-6239-4340-9e7a-6486814bbd83";
     fsType = "ext4";
   };
 
-  fileSystems."/data1" =
+  fileSystems."/data1" = {
-    { device = "/dev/disk/by-uuid/86a239f2-50a5-4c26-9534-0636fb718fc8";
+    device = "/dev/disk/by-uuid/86a239f2-50a5-4c26-9534-0636fb718fc8";
     fsType = "ext4";
   };
 
-  fileSystems."/home" =
+  fileSystems."/home" = {
-    { device = "/dev/disk/by-uuid/5181dbcf-7e00-46d9-ac04-c22d4c4e9827";
+    device = "/dev/disk/by-uuid/5181dbcf-7e00-46d9-ac04-c22d4c4e9827";
     fsType = "ext4";
   };
 
   swapDevices =
-    [ { device = "/dev/disk/by-uuid/29ac34a7-fa51-489b-b9da-8c5d02bdd2c4"; }
+    [{ device = "/dev/disk/by-uuid/29ac34a7-fa51-489b-b9da-8c5d02bdd2c4"; }];
-    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -52,5 +60,6 @@
   # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

devices/macbook/configuration.nix

@@ -1,11 +1,5 @@
-{
+{ pkgs, inputs, system, config, ... }:
-  pkgs,
+let my-emacs = pkgs.emacsNativeComp;
-  inputs,
-  system,
-  config,
-  ...
-}: let
-  my-emacs = pkgs.emacsNativeComp;
 in {
   nixpkgs.config.allowUnfree = true;
 
@@ -90,9 +84,7 @@ in {
   programs.direnv.enable = true;
   programs.gnupg.agent.enable = true;
 
-  services.yabai = {
+  services.yabai = { enable = true; };
-    enable = true;
-  };
   services.skhd.enable = true;
 
   services.emacs = {
@@ -113,9 +105,7 @@ in {
     tilesize = 32;
   };
 
-  system.defaults.menuExtraClock = {
+  system.defaults.menuExtraClock = { Show24Hour = true; };
-    Show24Hour = true;
-  };
 
   launchd.user.agents.remap-keys = {
     serviceConfig = {
@@ -123,7 +113,8 @@ in {
         "/usr/bin/hidutil"
         "property"
         "--set"
-        ''          {
+        ''
+          {
                     "UserKeyMapping":[
                     {"HIDKeyboardModifierMappingSrc":0x700000039,"HIDKeyboardModifierMappingDst":0x7000000E7}
                     ]

devices/pi/configuration.nix

@@ -1,10 +1,5 @@
-{
+{ inputs, config, pkgs, lib, ... }:
-  inputs,
+let
-  config,
-  pkgs,
-  lib,
-  ...
-}: let
   user = "polen";
   hostname = "pi";
 in {
@@ -25,12 +20,10 @@ in {
     };
   };
 
-  swapDevices = [
+  swapDevices = [{
-    {
     device = "/var/lib/swapfile";
     size = 10 * 1024;
-    }
+  }];
-  ];
 
   #sops.defaultSopsFile = ../../secrets/secrets.yaml;
   #sops.defaultSopsFormat = "yaml";
@@ -50,13 +43,7 @@ in {
 
   nix.settings.trusted-users = [ user ];
 
-  environment.systemPackages = with pkgs; [
+  environment.systemPackages = with pkgs; [ htop-vim neovim curl wget ranger ];
-    htop-vim
-    neovim
-    curl
-    wget
-    ranger
-  ];
 
   services.openssh.enable = true;
 
@@ -68,9 +55,7 @@ in {
         #hashedPasswordFile = config.sops.secrets.pi_user_pass.path;
         extraGroups = [ "wheel" ];
       };
-      lauria = {
+      lauria = { isNormalUser = true; };
-        isNormalUser = true;
-      };
     };
   };
 

devices/server/configuration.nix

@@ -64,7 +64,8 @@ in {
       openFirewall = true; # 11434
       host = "0.0.0.0";
       syncModels = true;
-      loadModels = [ "mistral:7b" "phi3.5:3.8b" ];
+      loadModels =
+        [ "qwen3:4b" "lfm2.5-thinking:1.2b" "ministral-3:8b" "ministral-3:3b" ];
     };
   };
 
@@ -161,6 +162,7 @@ in {
       9000 # mealie
       8989 # sonarr
       10222 # taskchampion-sync-server
+      18789 # openclaw
     ];
     firewall.allowedUDPPorts = [
       5353 # mDNS
@@ -170,12 +172,15 @@ in {
   time.timeZone = "America/Toronto";
 
   users.users."${user}" = {
+    isNormalUser = true;
+    group = "polen";
     extraGroups = [ "wheel" "transmission" "jellyfin" "polensky" "docker" ];
     shell = pkgs.zsh;
     openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6O2MJqR+P/FwRyVSz1HWYhMtIwh16ozBU71Y2vf0oNDQ6DZ5T8Bvp5/4uSJgS8lOl3qYyNy0e0zJMIyfFVJnu89ycKBEdixA4HqWOUQGiyvn1C4s740jHolOzN1xNB24PDXFz0vHcVb+G5nU/xeKeaq0vrszrkK2zctqXshw94/x3ah0m3fr5CwM4S2RY/VODOdt11fllFEvN8HGE2mQTPn5sJzwtGW20npQ5iJ7ShugPbC4D1G2JU1R7MqkvWEpq9OFVb1prTpJM+i/lcqCn3lBv8XxpKKnD3q+48eeO1geosAsG/kgUWPDildbzcSfytgj7/TCTujx2ow4ZUfS4kWUrNaXM3M99SG61rFN7zLMAv14SOSsgegmX3q0ZAwOieUhCifqIqdfFr5QjEUP11ALofYRC6567X1YrEVXZFFnZSXMKGkBKpTxx0jaTTGnFSd6F49kDlI30cKJnVUgAK5nESissdEFn3UGRSFfxmjZkYvhY5l3LqtbO3kEutJU= polen@polen-xps"
     ];
   };
+  users.groups.polen = { };
 
   # Luna user for OpenClaw AI assistant
   users.users.luna = {
@@ -197,16 +202,17 @@ in {
     defaultSopsFile = ../../secrets/secrets.yaml;
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
     secrets = {
-      luna-telegram-token = {
+      luna_telegram_token = {
         owner = "luna";
         group = "luna";
       };
-      luna-gateway-token = {
+      luna_gateway_token = {
         owner = "luna";
         group = "luna";
       };
     };
   };
+
   environment.systemPackages = with pkgs; [
     neovim
     htop-vim

devices/server/hardware-configuration.nix

@@ -1,18 +1,11 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }: {
-  config,
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
 
-  boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "hpsa" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.availableKernelModules =
+    [ "uhci_hcd" "ehci_pci" "hpsa" "usb_storage" "usbhid" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
@@ -22,9 +15,8 @@
     fsType = "ext4";
   };
 
-  swapDevices = [
+  swapDevices =
-    {device = "/dev/disk/by-uuid/6fc86a5b-ac4b-41ed-a7c9-56f734f5e711";}
+    [{ device = "/dev/disk/by-uuid/6fc86a5b-ac4b-41ed-a7c9-56f734f5e711"; }];
-  ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -37,5 +29,6 @@
   # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

devices/server/luna.nix

@@ -7,35 +7,105 @@
   home.homeDirectory = "/var/lib/luna";
   home.stateVersion = "25.05";
 
+  home.packages = with pkgs; [ xmlstarlet ];
+
   programs.openclaw = {
     enable = true;
-    documents = ./luna-documents;
 
     config = {
-      # Use local Ollama - auto-detected at 127.0.0.1:11434
+      models = {
-      agents.defaults.model = {
+        providers = {
-        primary = "ollama/mistral:7b";
+          ollama = {
-        fallbacks = [ "ollama/phi3.5:3.8b" ];
+            baseUrl = "http://127.0.0.1:11434/v1";
+            apiKey = "ollama-local";
+            api = "openai-completions";
+            models = [ ];
+          };
+        };
+      };
+
+      agents = {
+        defaults = {
+          model = { primary = "github-copilot/gpt-5-mini"; };
+          workspace = "/var/lib/luna/.openclaw/workspace";
+          maxConcurrent = 4;
+          subagents = { maxConcurrent = 8; };
+          models = { "github-copilot/gpt-5-mini" = { }; };
+        };
+      };
+
+      commands = {
+        native = "auto";
+        nativeSkills = "auto";
+      };
+
+      channels = {
+        telegram = {
+          dmPolicy = "pairing";
+          tokenFile = "/run/secrets/luna_telegram_token";
+          groups = { "*" = { requireMention = true; }; };
+          allowFrom = [ 1268580775 ];
+          groupPolicy = "allowlist";
+          streamMode = "partial";
+        };
       };
 
       gateway = {
         mode = "local";
-        auth = { tokenFile = "/run/secrets/luna-gateway-token"; };
+        auth = {
+          token =
+            "14db7eaede5f363bce5f5efd23baea45fd8c7984fd3d9234d9b98e1d52c88db7";
+          mode = "token";
+        };
+        port = 18789;
+        bind = "loopback";
+        tailscale = {
+          mode = "off";
+          resetOnExit = false;
+        };
       };
 
-      channels.telegram = {
+      plugins = { entries = { telegram = { enabled = true; }; }; };
-        tokenFile = "/run/secrets/luna-telegram-token";
+
-        allowFrom = [
+      messages = { ackReactionScope = "group-mentions"; };
-          1268580775
+
-        ];
+      auth = {
-        groups = { "*" = { requireMention = true; }; };
+        profiles = {
+          "github-copilot:github" = {
+            provider = "github-copilot";
+            mode = "token";
+          };
+        };
+      };
+
+      hooks = {
+        internal = {
+          enabled = true;
+          entries = {
+            "boot-md" = { enabled = true; };
+            "command-logger" = { enabled = true; };
+            "session-memory" = { enabled = true; };
+          };
+        };
+      };
+
+      wizard = {
+        lastRunAt = "2026-02-10T18:36:29.457Z";
+        lastRunVersion = "2026.2.6-3";
+        lastRunCommand = "onboard";
+        lastRunMode = "local";
+      };
+
+      meta = {
+        lastTouchedVersion = "2026.2.6-3";
+        lastTouchedAt = "2026-02-10T18:36:29.472Z";
       };
     };
 
     # Plugins useful for homelab Q&A
     bundledPlugins = {
       summarize.enable = true; # Summarize docs/web pages
-      oracle.enable = true; # Web search
+      oracle.enable = false; # Web search
     };
   };
 

devices/xps13/configuration.nix

@@ -1,12 +1,7 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running 'nixos-help').
-{
+{ config, pkgs, inputs, ... }: {
-  config,
-  pkgs,
-  inputs,
-  ...
-}: {
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix

devices/xps13/hardware-configuration.nix

@@ -4,27 +4,26 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules =
+    [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/6faa62c9-8566-4ed7-b372-355e04ac4ca6";
+    device = "/dev/disk/by-uuid/6faa62c9-8566-4ed7-b372-355e04ac4ca6";
     fsType = "ext4";
   };
 
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/A769-2F96";
+    device = "/dev/disk/by-uuid/A769-2F96";
     fsType = "vfat";
   };
 
-  fileSystems."/home" =
+  fileSystems."/home" = {
-    { device = "/dev/disk/by-uuid/8b28694c-3401-4545-9974-521674baa450";
+    device = "/dev/disk/by-uuid/8b28694c-3401-4545-9974-521674baa450";
     fsType = "ext4";
   };
 
@@ -38,5 +37,6 @@
   # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

devices/xps13/sddm-theme.nix

@@ -1,7 +1,6 @@
-{pkgs}: let
+{ pkgs }:
-  image = ./assets/a_forest_of_trees_with_fog.jpg;
+let image = ./assets/a_forest_of_trees_with_fog.jpg;
-in
+in pkgs.stdenv.mkDerivation {
-  pkgs.stdenv.mkDerivation {
   name = "sddm-theme";
   src = pkgs.fetchFromGitHub {
     owner = "MarianArlt";

flake.nix

@@ -46,12 +46,15 @@
           specialArgs = { inherit inputs; };
           system = "x86_64-linux";
           modules = [
+            { nixpkgs.overlays = [ nix-openclaw.overlays.default ]; }
+
             disko.nixosModules.disko
             sops-nix.nixosModules.sops
             home-manager.nixosModules.home-manager
             {
               home-manager.useGlobalPkgs = true;
               home-manager.useUserPackages = true;
+              home-manager.backupFileExtension = "backup";
               home-manager.extraSpecialArgs = { inherit inputs; };
               home-manager.users.luna = import ./devices/server/luna.nix;
             }

modules/default.nix

@@ -1,5 +1 @@
-{...}: {
+{ ... }: { imports = [ ./pocketbase.nix ]; }
-  imports = [
-    ./pocketbase.nix
-  ];
-}

modules/pocketbase.nix

@@ -1,10 +1,5 @@
-{
+{ config, pkgs, lib, ... }:
-  config,
+let cfg = config.services.pocketbase;
-  pkgs,
-  lib,
-  ...
-}: let
-  cfg = config.services.pocketbase;
 in {
   options.services.pocketbase = {
     enable = lib.mkEnableOption "PocketBase backend";
@@ -12,7 +7,8 @@ in {
     dataDir = lib.mkOption {
       type = lib.types.path;
       default = "/var/lib/pocketbase";
-      description = "Working directory containing the PocketBase binary and data.";
+      description =
+        "Working directory containing the PocketBase binary and data.";
     };
 
     openFirewall = lib.mkOption {
@@ -52,9 +48,8 @@ in {
 
   config = lib.mkIf cfg.enable {
     # Optional: ensure the directory exists with proper ownership
-    systemd.tmpfiles.rules = [
+    systemd.tmpfiles.rules =
-      "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.group} -"
+      [ "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.group} -" ];
-    ];
 
     systemd.services.pocketbase = {
       description = "PocketBase";
@@ -71,7 +66,11 @@ in {
         WorkingDirectory = cfg.dataDir;
 
         ExecStart = ''
-          ${lib.getExe cfg.package} serve --dir ${cfg.dataDir}/pb_data --http=0.0.0.0:${toString cfg.port}
+          ${
+            lib.getExe cfg.package
+          } serve --dir ${cfg.dataDir}/pb_data --http=0.0.0.0:${
+            toString cfg.port
+          }
         '';
 
         # Switch to systemd stdout/stderr logging by default
@@ -80,8 +79,7 @@ in {
         StandardError = "append:${cfg.logFile}";
       };
     };
-    networking.firewall = lib.mkIf cfg.openFirewall {
+    networking.firewall =
-      allowedTCPPorts = [cfg.port];
+      lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
-    };
   };
 }

secrets/secrets.yaml

@@ -6,11 +6,29 @@ sops:
         - recipient: age1x8qsd7kxxjvan4psvnvua3r0emljsnq07agxnu6jqw56ky8z6faqyjq0e3
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxN2ZzTUpSeWRWejVxVm4y
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRy9DblE4WnhEc1kvcjcw
-            dzF3MU9DOTBTZUF0Y3I2SUVURGZCZDBqTVV3ClNwL29hejN2OFdVaHk2TEppNWFj
+            ZVBEeVVoRUMxNUZ6Q09QZXdYcEZaSGp0UHpFCnc3UnZOZThLdDYwN05GUjJqYnhK
-            V3NYcEM4RHNyWUszWFlLa2pXa2FyVmsKLS0tIExOL254cGh4RkJDandqZzJ2RjRi
+            Z0tZMXo2N0J4R2ZPLzRLcS83QVRBZncKLS0tICs3dDVIV0s2ZTRBQk5wMVE3WjVP
-            b3AxOTd2VmdHdXd5c3NNTkJoYW12bUUKbX199Z7jI6nornm0erzm7dSQ+XuxAnXb
+            NENYZHlvR3U3Um5XWm90RW01eEM3eHMKewyXEa9TInEFz65LoDo8BHBdjibdYF4r
-            glw60TnUSnLUWIHTTx/jVSRR4uO5I6FzxUUfVJ2BMOn/eUNa5BJ70A==
+            DGQtPlYF5yuVd8PVMATxMBhs/6hXJLfK2Y54NEeJo2gydyq11Lpm2Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1y2s7ah49jmhd8n05q7tw0gjcnv3390s0uxp3ewjqueekq7a7rvdqzytgd2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGMlBaWURCSTd6cjRYTTB1
+            VWQvTHBFaDgrMFRpb0crRld6ZjVOUXkrb0cwCnFpcE1nSERwUlowRW54SnEwTk9u
+            S2N1Rm9kUCtWM3pEWmh1aE1HU3oxT1UKLS0tIE5HSXdFT29XazloR0VjVDVqQWVq
+            RURoYXdtZFh2djVaem15Qjk4UFhBOEEKEjAuKJ8vpVKoBO8ioyH4EcXVmEkfwrQh
+            JtDzik9QwZgUNdamWu5BhDlNA1Jmu87VYchhR4CXIS5OG4ticUqr7g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age107mmu7nkjfpm7ygp25zpj69m06ftckc9gh7a37umkjq0y7ac34msd6uj3u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodExKajhTZzRZdWlXWG9n
+            V09sRDZrK0gvaDI4TmtzUmR0cUF0OFl1OGxJCmNUMk5aWkV3LzYzeTJJMDFlR0p4
+            Qlp0STk4dFN3WGswb05BRHlOQit2VGMKLS0tIGJTVkp0Y1Yrd2pqMm1yUlJaYkMy
+            TzlCMWpMQ1hRMTRObWNyN2Q0YWtsZmcKFHVmvu6U0Qw+EUsBEmdST2cyQ3rZyh6w
+            62vmALGxE2NWDYQmwtHJmYqeO14HHEDclUErQiCmUt+hLgOLF2MxwA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2026-02-09T03:39:35Z"
     mac: ENC[AES256_GCM,data:lVU+w4EOpNACzz1CjtBGwGcoB/huatCa97sJ4irzX/dNP8LYwMiRvm6axsyqNiBns76WyKHAS9r+drByQzNAFAIh+2EwJCk7Mm7Njy3+kL0GNd0RanMhI51WSHTbjHIqrGC81jgS4ydcsGDMDmZBOZHL5t/uTcrdn/SRjgDvHTA=,iv:F4kbFHvTFmG4mhvMIAUtNq6WCwXyILOlbYvIaFno6BI=,tag:JSYzsKF86cuJtApPeTVDTA==,type:str]