theclaw

2026-02-18 11:07:01 -05:00 · 2026-02-18 11:07:01 -05:00 · 36c73a41ff
commit 36c73a41ff
parent 143cd6c603
17 changed files with 275 additions and 234 deletions
--- a/2
+++ b/2
@ -6,4 +6,4 @@ rebuild-pi:
 	NIX_SSHOPTS="-o IdentitiesOnly=yes -i ~/.ssh/id_rsa" nixos-rebuild switch --flake .#pi --target-host pi --build-host server --use-remote-sudo

 deploy-server:
-	nixos-rebuild switch --flake .#server --target-host server --build-host server --use-remote-sudo --ask-sudo-password
+	nixos-rebuild switch --flake .#server --target-host server --build-host server --sudo --ask-sudo-password
--- a/devices/asus/configuration.nix
+++ b/devices/asus/configuration.nix
@ -1,12 +1,7 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
+{ config, lib, pkgs, ... }: {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
@ -38,13 +33,7 @@
  users.users.polen = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    packages = with pkgs; [
-      neovim
-      tree
-      htop
-      git
-      ranger
-    ];
+    packages = with pkgs; [ neovim tree htop git ranger ];
  };

  # List packages installed in system profile.
--- a/devices/asus/hardware-configuration.nix
+++ b/devices/asus/hardware-configuration.nix
@ -4,34 +4,32 @@
 { config, lib, pkgs, modulesPath, ... }:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules =
+    [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/50ea20bc-d9bb-40c7-8e4a-34e31da665b5";
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/50ea20bc-d9bb-40c7-8e4a-34e31da665b5";
    fsType = "ext4";
  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/9267-2ED4";
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/9267-2ED4";
    fsType = "vfat";
    options = [ "fmask=0077" "dmask=0077" ];
  };

-  fileSystems."/data" =
-    { device = "/dev/disk/by-uuid/465aa01d-2cc4-4955-bebb-b44c21528e4f";
+  fileSystems."/data" = {
+    device = "/dev/disk/by-uuid/465aa01d-2cc4-4955-bebb-b44c21528e4f";
    fsType = "ext4";
  };

  swapDevices =
-    [ { device = "/dev/disk/by-uuid/90dd6c81-79a7-45e2-b063-e263cabf1c28"; }
-    ];
+    [{ device = "/dev/disk/by-uuid/90dd6c81-79a7-45e2-b063-e263cabf1c28"; }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@ -42,5 +40,6 @@
  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/devices/latoure/configuration.nix
+++ b/devices/latoure/configuration.nix
@ -1,11 +1,7 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running 'nixos-help').
-{
-  config,
-  pkgs,
-  ...
-}: {
+{ config, pkgs, ... }: {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
@ -109,13 +105,7 @@

  # List packages installed in system profile. To search, run:
  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    htop-vim
-    ranger
-    neovim
-    wget
-    git
-  ];
+  environment.systemPackages = with pkgs; [ htop-vim ranger neovim wget git ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
--- a/devices/latoure/hardware-configuration.nix
+++ b/devices/latoure/hardware-configuration.nix
@ -4,44 +4,52 @@
 { config, lib, pkgs, modulesPath, ... }:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "xhci_pci" "pata_marvell" "firewire_ohci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "xhci_pci"
+    "pata_marvell"
+    "firewire_ohci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+    "sr_mod"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/62a34abf-561a-410d-b913-eb2ad7ede6f5";
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/62a34abf-561a-410d-b913-eb2ad7ede6f5";
    fsType = "ext4";
  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/9B7B-A012";
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/9B7B-A012";
    fsType = "vfat";
    options = [ "fmask=0022" "dmask=0022" ];
  };

-  fileSystems."/data" =
-    { device = "/dev/disk/by-uuid/b7de7b88-6239-4340-9e7a-6486814bbd83";
+  fileSystems."/data" = {
+    device = "/dev/disk/by-uuid/b7de7b88-6239-4340-9e7a-6486814bbd83";
    fsType = "ext4";
  };

-  fileSystems."/data1" =
-    { device = "/dev/disk/by-uuid/86a239f2-50a5-4c26-9534-0636fb718fc8";
+  fileSystems."/data1" = {
+    device = "/dev/disk/by-uuid/86a239f2-50a5-4c26-9534-0636fb718fc8";
    fsType = "ext4";
  };

-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/5181dbcf-7e00-46d9-ac04-c22d4c4e9827";
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/5181dbcf-7e00-46d9-ac04-c22d4c4e9827";
    fsType = "ext4";
  };

  swapDevices =
-    [ { device = "/dev/disk/by-uuid/29ac34a7-fa51-489b-b9da-8c5d02bdd2c4"; }
-    ];
+    [{ device = "/dev/disk/by-uuid/29ac34a7-fa51-489b-b9da-8c5d02bdd2c4"; }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@ -52,5 +60,6 @@
  # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/devices/macbook/configuration.nix
+++ b/devices/macbook/configuration.nix
@ -1,11 +1,5 @@
-{
-  pkgs,
-  inputs,
-  system,
-  config,
-  ...
-}: let
-  my-emacs = pkgs.emacsNativeComp;
+{ pkgs, inputs, system, config, ... }:
+let my-emacs = pkgs.emacsNativeComp;
 in {
  nixpkgs.config.allowUnfree = true;

@ -90,9 +84,7 @@ in {
  programs.direnv.enable = true;
  programs.gnupg.agent.enable = true;

-  services.yabai = {
-    enable = true;
-  };
+  services.yabai = { enable = true; };
  services.skhd.enable = true;

  services.emacs = {
@ -113,9 +105,7 @@ in {
    tilesize = 32;
  };

-  system.defaults.menuExtraClock = {
-    Show24Hour = true;
-  };
+  system.defaults.menuExtraClock = { Show24Hour = true; };

  launchd.user.agents.remap-keys = {
    serviceConfig = {
@ -123,7 +113,8 @@ in {
        "/usr/bin/hidutil"
        "property"
        "--set"
-        ''          {
+        ''
+          {
                    "UserKeyMapping":[
                    {"HIDKeyboardModifierMappingSrc":0x700000039,"HIDKeyboardModifierMappingDst":0x7000000E7}
                    ]
--- a/devices/pi/configuration.nix
+++ b/devices/pi/configuration.nix
@ -1,10 +1,5 @@
-{
-  inputs,
-  config,
-  pkgs,
-  lib,
-  ...
-}: let
+{ inputs, config, pkgs, lib, ... }:
+let
  user = "polen";
  hostname = "pi";
 in {
@ -25,12 +20,10 @@ in {
    };
  };

-  swapDevices = [
-    {
+  swapDevices = [{
    device = "/var/lib/swapfile";
    size = 10 * 1024;
-    }
-  ];
+  }];

  #sops.defaultSopsFile = ../../secrets/secrets.yaml;
  #sops.defaultSopsFormat = "yaml";
@ -50,13 +43,7 @@ in {

  nix.settings.trusted-users = [ user ];

-  environment.systemPackages = with pkgs; [
-    htop-vim
-    neovim
-    curl
-    wget
-    ranger
-  ];
+  environment.systemPackages = with pkgs; [ htop-vim neovim curl wget ranger ];

  services.openssh.enable = true;

@ -68,9 +55,7 @@ in {
        #hashedPasswordFile = config.sops.secrets.pi_user_pass.path;
        extraGroups = [ "wheel" ];
      };
-      lauria = {
-        isNormalUser = true;
-      };
+      lauria = { isNormalUser = true; };
    };
  };

--- a/devices/server/configuration.nix
+++ b/devices/server/configuration.nix
@ -64,7 +64,8 @@ in {
      openFirewall = true; # 11434
      host = "0.0.0.0";
      syncModels = true;
-      loadModels = [ "mistral:7b" "phi3.5:3.8b" ];
+      loadModels =
+        [ "qwen3:4b" "lfm2.5-thinking:1.2b" "ministral-3:8b" "ministral-3:3b" ];
    };
  };

@ -161,6 +162,7 @@ in {
      9000 # mealie
      8989 # sonarr
      10222 # taskchampion-sync-server
+      18789 # openclaw
    ];
    firewall.allowedUDPPorts = [
      5353 # mDNS
@ -170,12 +172,15 @@ in {
  time.timeZone = "America/Toronto";

  users.users."${user}" = {
+    isNormalUser = true;
+    group = "polen";
    extraGroups = [ "wheel" "transmission" "jellyfin" "polensky" "docker" ];
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6O2MJqR+P/FwRyVSz1HWYhMtIwh16ozBU71Y2vf0oNDQ6DZ5T8Bvp5/4uSJgS8lOl3qYyNy0e0zJMIyfFVJnu89ycKBEdixA4HqWOUQGiyvn1C4s740jHolOzN1xNB24PDXFz0vHcVb+G5nU/xeKeaq0vrszrkK2zctqXshw94/x3ah0m3fr5CwM4S2RY/VODOdt11fllFEvN8HGE2mQTPn5sJzwtGW20npQ5iJ7ShugPbC4D1G2JU1R7MqkvWEpq9OFVb1prTpJM+i/lcqCn3lBv8XxpKKnD3q+48eeO1geosAsG/kgUWPDildbzcSfytgj7/TCTujx2ow4ZUfS4kWUrNaXM3M99SG61rFN7zLMAv14SOSsgegmX3q0ZAwOieUhCifqIqdfFr5QjEUP11ALofYRC6567X1YrEVXZFFnZSXMKGkBKpTxx0jaTTGnFSd6F49kDlI30cKJnVUgAK5nESissdEFn3UGRSFfxmjZkYvhY5l3LqtbO3kEutJU= polen@polen-xps"
    ];
  };
+  users.groups.polen = { };

  # Luna user for OpenClaw AI assistant
  users.users.luna = {
@ -197,16 +202,17 @@ in {
    defaultSopsFile = ../../secrets/secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
-      luna-telegram-token = {
+      luna_telegram_token = {
        owner = "luna";
        group = "luna";
      };
-      luna-gateway-token = {
+      luna_gateway_token = {
        owner = "luna";
        group = "luna";
      };
    };
  };
+
  environment.systemPackages = with pkgs; [
    neovim
    htop-vim
--- a/devices/server/hardware-configuration.nix
+++ b/devices/server/hardware-configuration.nix
@ -1,18 +1,11 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+{ config, lib, pkgs, modulesPath, ... }: {
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "hpsa" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.availableKernelModules =
+    [ "uhci_hcd" "ehci_pci" "hpsa" "usb_storage" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
@ -22,9 +15,8 @@
    fsType = "ext4";
  };

-  swapDevices = [
-    {device = "/dev/disk/by-uuid/6fc86a5b-ac4b-41ed-a7c9-56f734f5e711";}
-  ];
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/6fc86a5b-ac4b-41ed-a7c9-56f734f5e711"; }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@ -37,5 +29,6 @@
  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/devices/server/luna.nix
+++ b/devices/server/luna.nix
@ -7,35 +7,105 @@
  home.homeDirectory = "/var/lib/luna";
  home.stateVersion = "25.05";

+  home.packages = with pkgs; [ xmlstarlet ];
+
  programs.openclaw = {
    enable = true;
-    documents = ./luna-documents;

    config = {
-      # Use local Ollama - auto-detected at 127.0.0.1:11434
-      agents.defaults.model = {
-        primary = "ollama/mistral:7b";
-        fallbacks = [ "ollama/phi3.5:3.8b" ];
+      models = {
+        providers = {
+          ollama = {
+            baseUrl = "http://127.0.0.1:11434/v1";
+            apiKey = "ollama-local";
+            api = "openai-completions";
+            models = [ ];
+          };
+        };
+      };
+
+      agents = {
+        defaults = {
+          model = { primary = "github-copilot/gpt-5-mini"; };
+          workspace = "/var/lib/luna/.openclaw/workspace";
+          maxConcurrent = 4;
+          subagents = { maxConcurrent = 8; };
+          models = { "github-copilot/gpt-5-mini" = { }; };
+        };
+      };
+
+      commands = {
+        native = "auto";
+        nativeSkills = "auto";
+      };
+
+      channels = {
+        telegram = {
+          dmPolicy = "pairing";
+          tokenFile = "/run/secrets/luna_telegram_token";
+          groups = { "*" = { requireMention = true; }; };
+          allowFrom = [ 1268580775 ];
+          groupPolicy = "allowlist";
+          streamMode = "partial";
+        };
      };

      gateway = {
        mode = "local";
-        auth = { tokenFile = "/run/secrets/luna-gateway-token"; };
+        auth = {
+          token =
+            "14db7eaede5f363bce5f5efd23baea45fd8c7984fd3d9234d9b98e1d52c88db7";
+          mode = "token";
+        };
+        port = 18789;
+        bind = "loopback";
+        tailscale = {
+          mode = "off";
+          resetOnExit = false;
+        };
      };

-      channels.telegram = {
-        tokenFile = "/run/secrets/luna-telegram-token";
-        allowFrom = [
-          1268580775
-        ];
-        groups = { "*" = { requireMention = true; }; };
+      plugins = { entries = { telegram = { enabled = true; }; }; };
+
+      messages = { ackReactionScope = "group-mentions"; };
+
+      auth = {
+        profiles = {
+          "github-copilot:github" = {
+            provider = "github-copilot";
+            mode = "token";
+          };
+        };
+      };
+
+      hooks = {
+        internal = {
+          enabled = true;
+          entries = {
+            "boot-md" = { enabled = true; };
+            "command-logger" = { enabled = true; };
+            "session-memory" = { enabled = true; };
+          };
+        };
+      };
+
+      wizard = {
+        lastRunAt = "2026-02-10T18:36:29.457Z";
+        lastRunVersion = "2026.2.6-3";
+        lastRunCommand = "onboard";
+        lastRunMode = "local";
+      };
+
+      meta = {
+        lastTouchedVersion = "2026.2.6-3";
+        lastTouchedAt = "2026-02-10T18:36:29.472Z";
      };
    };

    # Plugins useful for homelab Q&A
    bundledPlugins = {
      summarize.enable = true; # Summarize docs/web pages
-      oracle.enable = true; # Web search
+      oracle.enable = false; # Web search
    };
  };

--- a/devices/xps13/configuration.nix
+++ b/devices/xps13/configuration.nix
@ -1,12 +1,7 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running 'nixos-help').
-{
-  config,
-  pkgs,
-  inputs,
-  ...
-}: {
+{ config, pkgs, inputs, ... }: {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
--- a/devices/xps13/hardware-configuration.nix
+++ b/devices/xps13/hardware-configuration.nix
@ -4,27 +4,26 @@
 { config, lib, pkgs, modulesPath, ... }:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules =
+    [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/6faa62c9-8566-4ed7-b372-355e04ac4ca6";
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/6faa62c9-8566-4ed7-b372-355e04ac4ca6";
    fsType = "ext4";
  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/A769-2F96";
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/A769-2F96";
    fsType = "vfat";
  };

-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/8b28694c-3401-4545-9974-521674baa450";
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/8b28694c-3401-4545-9974-521674baa450";
    fsType = "ext4";
  };

@ -38,5 +37,6 @@
  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/devices/xps13/sddm-theme.nix
+++ b/devices/xps13/sddm-theme.nix
@ -1,7 +1,6 @@
-{pkgs}: let
-  image = ./assets/a_forest_of_trees_with_fog.jpg;
-in
-  pkgs.stdenv.mkDerivation {
+{ pkgs }:
+let image = ./assets/a_forest_of_trees_with_fog.jpg;
+in pkgs.stdenv.mkDerivation {
  name = "sddm-theme";
  src = pkgs.fetchFromGitHub {
    owner = "MarianArlt";
--- a/flake.nix
+++ b/flake.nix
@ -46,12 +46,15 @@
          specialArgs = { inherit inputs; };
          system = "x86_64-linux";
          modules = [
+            { nixpkgs.overlays = [ nix-openclaw.overlays.default ]; }
+
            disko.nixosModules.disko
            sops-nix.nixosModules.sops
            home-manager.nixosModules.home-manager
            {
              home-manager.useGlobalPkgs = true;
              home-manager.useUserPackages = true;
+              home-manager.backupFileExtension = "backup";
              home-manager.extraSpecialArgs = { inherit inputs; };
              home-manager.users.luna = import ./devices/server/luna.nix;
            }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,5 +1 @@
-{...}: {
-  imports = [
-    ./pocketbase.nix
-  ];
-}
+{ ... }: { imports = [ ./pocketbase.nix ]; }
--- a/modules/pocketbase.nix
+++ b/modules/pocketbase.nix
@ -1,10 +1,5 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: let
-  cfg = config.services.pocketbase;
+{ config, pkgs, lib, ... }:
+let cfg = config.services.pocketbase;
 in {
  options.services.pocketbase = {
    enable = lib.mkEnableOption "PocketBase backend";
@ -12,7 +7,8 @@ in {
    dataDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/pocketbase";
-      description = "Working directory containing the PocketBase binary and data.";
+      description =
+        "Working directory containing the PocketBase binary and data.";
    };

    openFirewall = lib.mkOption {
@ -52,9 +48,8 @@ in {

  config = lib.mkIf cfg.enable {
    # Optional: ensure the directory exists with proper ownership
-    systemd.tmpfiles.rules = [
-      "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.group} -"
-    ];
+    systemd.tmpfiles.rules =
+      [ "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.group} -" ];

    systemd.services.pocketbase = {
      description = "PocketBase";
@ -71,7 +66,11 @@ in {
        WorkingDirectory = cfg.dataDir;

        ExecStart = ''
-          ${lib.getExe cfg.package} serve --dir ${cfg.dataDir}/pb_data --http=0.0.0.0:${toString cfg.port}
+          ${
+            lib.getExe cfg.package
+          } serve --dir ${cfg.dataDir}/pb_data --http=0.0.0.0:${
+            toString cfg.port
+          }
        '';

        # Switch to systemd stdout/stderr logging by default
@ -80,8 +79,7 @@ in {
        StandardError = "append:${cfg.logFile}";
      };
    };
-    networking.firewall = lib.mkIf cfg.openFirewall {
-      allowedTCPPorts = [cfg.port];
-    };
+    networking.firewall =
+      lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
  };
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -6,11 +6,29 @@ sops:
        - recipient: age1x8qsd7kxxjvan4psvnvua3r0emljsnq07agxnu6jqw56ky8z6faqyjq0e3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxN2ZzTUpSeWRWejVxVm4y
-            dzF3MU9DOTBTZUF0Y3I2SUVURGZCZDBqTVV3ClNwL29hejN2OFdVaHk2TEppNWFj
-            V3NYcEM4RHNyWUszWFlLa2pXa2FyVmsKLS0tIExOL254cGh4RkJDandqZzJ2RjRi
-            b3AxOTd2VmdHdXd5c3NNTkJoYW12bUUKbX199Z7jI6nornm0erzm7dSQ+XuxAnXb
-            glw60TnUSnLUWIHTTx/jVSRR4uO5I6FzxUUfVJ2BMOn/eUNa5BJ70A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRy9DblE4WnhEc1kvcjcw
+            ZVBEeVVoRUMxNUZ6Q09QZXdYcEZaSGp0UHpFCnc3UnZOZThLdDYwN05GUjJqYnhK
+            Z0tZMXo2N0J4R2ZPLzRLcS83QVRBZncKLS0tICs3dDVIV0s2ZTRBQk5wMVE3WjVP
+            NENYZHlvR3U3Um5XWm90RW01eEM3eHMKewyXEa9TInEFz65LoDo8BHBdjibdYF4r
+            DGQtPlYF5yuVd8PVMATxMBhs/6hXJLfK2Y54NEeJo2gydyq11Lpm2Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1y2s7ah49jmhd8n05q7tw0gjcnv3390s0uxp3ewjqueekq7a7rvdqzytgd2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGMlBaWURCSTd6cjRYTTB1
+            VWQvTHBFaDgrMFRpb0crRld6ZjVOUXkrb0cwCnFpcE1nSERwUlowRW54SnEwTk9u
+            S2N1Rm9kUCtWM3pEWmh1aE1HU3oxT1UKLS0tIE5HSXdFT29XazloR0VjVDVqQWVq
+            RURoYXdtZFh2djVaem15Qjk4UFhBOEEKEjAuKJ8vpVKoBO8ioyH4EcXVmEkfwrQh
+            JtDzik9QwZgUNdamWu5BhDlNA1Jmu87VYchhR4CXIS5OG4ticUqr7g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age107mmu7nkjfpm7ygp25zpj69m06ftckc9gh7a37umkjq0y7ac34msd6uj3u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodExKajhTZzRZdWlXWG9n
+            V09sRDZrK0gvaDI4TmtzUmR0cUF0OFl1OGxJCmNUMk5aWkV3LzYzeTJJMDFlR0p4
+            Qlp0STk4dFN3WGswb05BRHlOQit2VGMKLS0tIGJTVkp0Y1Yrd2pqMm1yUlJaYkMy
+            TzlCMWpMQ1hRMTRObWNyN2Q0YWtsZmcKFHVmvu6U0Qw+EUsBEmdST2cyQ3rZyh6w
+            62vmALGxE2NWDYQmwtHJmYqeO14HHEDclUErQiCmUt+hLgOLF2MxwA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-02-09T03:39:35Z"
    mac: ENC[AES256_GCM,data:lVU+w4EOpNACzz1CjtBGwGcoB/huatCa97sJ4irzX/dNP8LYwMiRvm6axsyqNiBns76WyKHAS9r+drByQzNAFAIh+2EwJCk7Mm7Njy3+kL0GNd0RanMhI51WSHTbjHIqrGC81jgS4ydcsGDMDmZBOZHL5t/uTcrdn/SRjgDvHTA=,iv:F4kbFHvTFmG4mhvMIAUtNq6WCwXyILOlbYvIaFno6BI=,tag:JSYzsKF86cuJtApPeTVDTA==,type:str]