initial setup

root/base/apps-shell/default.nix

@@ -0,0 +1,11 @@
+# Shell Apps for every host.
+{ pkgs, ... }:
+{
+  environment.systemPackages =
+   (with pkgs; [
+    wget
+    git
+    nil
+    yaml-language-server
+    ]);
+}

root/base/boot/default.nix

@@ -0,0 +1,16 @@
+# Boot options.
+{ ... }:
+{
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.consoleMode = "max";
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.timeout = 1;
+  boot.consoleLogLevel = 0;
+  # Lots of kernel params for pure quiet boot.
+  boot.kernelParams = [ "quiet" "splash" "boot.shell_on_fail" "i915.fastboot=1" "loglevel=3" "rd.systemd.show_status=false" "rd.udev.log_level=3" "udev.log_priority=3" "i915.enable_guc=2" ];
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.verbose = false;
+  boot.initrd.enable = true;
+  boot.plymouth.enable = true;
+  boot.plymouth.theme = "bgrt";
+}

root/base/firewall/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  networking.firewall = {
+  enable = false;
+};
+}

root/base/firmware/default.nix

@@ -0,0 +1,6 @@
+# Firmware updater.
+{ ... }:
+{
+  services.fwupd.enable = true;
+  hardware.enableAllFirmware = true;
+}

root/base/home-manager/default.nix

@@ -0,0 +1,8 @@
+# Home Manager Settings.
+{ pkgs, user, hostName, ... }:
+{
+    home-manager.useGlobalPkgs = true;
+    home-manager.useUserPackages = true;
+    home-manager.extraSpecialArgs = { inherit pkgs; inherit user; inherit hostName; };
+    home-manager.backupFileExtension = "backup";
+}

root/base/locale/default.nix

@@ -0,0 +1,19 @@
+# Locale settings.
+{ ... }:
+{
+  time.timeZone = "Europe/Berlin";
+  i18n.defaultLocale = "de_DE.UTF-8";
+  console.keyMap = "de";
+  services.xserver.xkb.layout = "de";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "de_DE.UTF-8";
+    LC_IDENTIFICATION = "de_DE.UTF-8";
+    LC_MEASUREMENT = "de_DE.UTF-8";
+    LC_MONETARY = "de_DE.UTF-8";
+    LC_NAME = "de_DE.UTF-8";
+    LC_NUMERIC = "de_DE.UTF-8";
+    LC_PAPER = "de_DE.UTF-8";
+    LC_TELEPHONE = "de_DE.UTF-8";
+    LC_TIME = "de_DE.UTF-8";
+  };
+}

root/base/microcode/default.nix

@@ -0,0 +1,6 @@
+# CPU microcode, uses both since it can't hurt
+{ lib, config,... }:
+{
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

root/base/networking/default.nix

@@ -0,0 +1,8 @@
+# Simple networking settings. Uses DHCP.
+{ lib,  hostName, ... }:
+{
+  networking.hostName = hostName;
+  networking.useDHCP = lib.mkDefault true;
+  networking.networkmanager.enable = true;
+  networking.interfaces.enp11s0.wakeOnLan.enable = true;
+}

root/base/nixsettings/default.nix

@@ -0,0 +1,7 @@
+# Misc. nix settings.
+{ lib, ... }:
+{
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  nixpkgs.config.allowUnfree = true;
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+}

root/base/security/default.nix

@@ -0,0 +1,5 @@
+# For now only enable rtkit.
+{ ... }:
+{
+  security.rtkit.enable = true;
+}

root/base/shell/default.nix

@@ -0,0 +1,12 @@
+# ZSH global settings. No HM needed.
+{ pkgs,  ... }:
+{
+  programs.zsh.enable = true;
+  programs.zsh.enableCompletion = true;
+  programs.zsh.syntaxHighlighting.enable = true;
+  programs.zsh.autosuggestions.enable = true;
+  programs.zsh.autosuggestions.async = true;
+  programs.zsh.ohMyZsh.enable = true;
+  programs.zsh.ohMyZsh.theme = "agnoster";
+  users.defaultUserShell = pkgs.zsh;
+}

root/base/ssh/default.nix

@@ -0,0 +1,12 @@
+# SSH settings. Defined authorized internal key and enables key authentication.
+{ user, ... }:
+{
+    services.openssh = {
+        enable = true;
+        settings.PasswordAuthentication = false;
+        settings.KbdInteractiveAuthentication = false;
+    };
+    users.users.${user}.openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxNhl9lAA7SGpFv0/YhIrL+C1nrODGsvpXlevjpOP9d Interne Infrastruktur"
+    ];
+}

root/base/systemversion/default.nix

@@ -0,0 +1,5 @@
+# NixOS state version.
+{ ... }:
+{
+  system.stateVersion = "25.05";
+}

root/base/upgrades/default.nix

@@ -0,0 +1,15 @@
+# Autoupdate settings. Maybe make it weekly.
+{ hostName, ... }:
+{
+   # nix.optimise.automatic = true;
+   # nix.optimise.dates = [ "03:45" ];
+   # system.autoUpgrade = {
+   #     enable = true;
+   #     dates = "04:00";
+   #     persistent = true;
+   #     flake = "git+ssh://git@github.com/Moe1369/nixos-config.git?ref=main#${hostName}";
+   #     flags = [
+   #     ];
+   #     allowReboot = false;
+   # };
+}

root/base/users/default.nix

@@ -0,0 +1,10 @@
+# Define users. Hashed Password reused across devices.
+{ user, ... }:
+{
+  users.users.${user} = {
+    hashedPassword = "$y$j9T$qziHkyBuG215vEKwqmoFl1$Pd1zqAsFlx1.kENKSn7BCWA1vHTLF2wlq7BQjFxgTu8";
+    description = "Mohamed Chrayed";
+    isNormalUser = true;
+    extraGroups = [ "wheel" "networkmanager" ];
+  };
+}

root/desktop/apps-misc/default.nix

@@ -0,0 +1,14 @@
+# Normal desktop programs for both gnome and plasma.
+{ pkgs, ... }:
+{
+  environment.systemPackages =
+   (with pkgs; [
+    ibm-plex
+    adwaita-fonts
+    pciutils
+    aha
+    vesktop
+    obs-studio
+    teams-for-linux
+    ]);
+}

root/desktop/bluetooth/default.nix

@@ -0,0 +1,6 @@
+# Enable bluetooth on boot.
+{ ... }:
+{
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+}

root/desktop/browser/default.nix

@@ -0,0 +1,8 @@
+# Only install Chrome. Declaritive options not needed.
+{ pkgs, ... }:
+{
+  environment.systemPackages =
+   (with pkgs; [
+    google-chrome
+    ]);
+}

root/desktop/controller/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  # Ignore Dualsense touchpad in desktop mode.
+  services.udev.extraRules =''
+    ACTION=="add|change", KERNEL=="event[0-9]*", ATTRS{name}=="*Wireless Controller Touchpad", ENV{LIBINPUT_IGNORE_DEVICE}="1"
+  '';
+}

root/desktop/graphics/default.nix

@@ -0,0 +1,15 @@
+# Install GPU drivers and vulkan hdr layer
+{ pkgs, ... }:
+ {
+  hardware.amdgpu.initrd.enable = true;
+  boot.initrd.kernelModules = [ "amdgpu" ];
+  boot.kernelModules = [ "amdgpu" ];
+  environment.systemPackages = with pkgs;[
+    vulkan-tools
+    vulkan-hdr-layer-kwin6
+  ];
+  hardware.graphics = {
+    enable = true;
+    enable32Bit = true;
+  };
+}

root/desktop/input/default.nix

@@ -0,0 +1,5 @@
+# Enable libinput.
+{ ... }:
+{
+  services.libinput.enable = true;
+}

root/desktop/printing/default.nix

@@ -0,0 +1,5 @@
+# Enable CUPS for printing.
+{ ... }:
+{
+  services.printing.enable = true;
+}

root/desktop/sound/default.nix

@@ -0,0 +1,11 @@
+# Use pipewire and alsa instead of pulseaudio.
+{ ... }:
+{
+  #hardware.pulseaudio.enable = false;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+}

root/filesystem/client/default.nix

@@ -0,0 +1,19 @@
+# Filesystem for clients. Use partlabel as device to make it reusable. Singledisk setup.
+{ ... }:
+{
+    fileSystems."/" =
+    { device = "/dev/disk/by-label/root";
+      fsType = "xfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-label/BOOT";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ {
+    device = "/var/lib/swapfile";
+    size = 16*1024;
+  }];
+}

root/filesystem/server/default.nix

@@ -0,0 +1,30 @@
+# Filesystem settings for homeserver. Singledisk root with ext4 and external disks. External disks with ZFS.
+{ ... }:
+{
+  # ZFS NEEDS hostID
+  networking.hostId = "efc6dacc";
+  boot.zfs.devNodes = "/dev/disk/by-id";
+  boot.zfs.extraPools = [ "ssd" "hdd" ];
+
+    fileSystems."/" =
+    { device = "/dev/disk/by-partlabel/root";
+      fsType = "ext4";
+    };
+
+  fileSystems."/var/lib/docker" =
+    { device = "ssd/docker";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/data" =
+    { device = "hdd/data";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  swapDevices = [ {
+    device = "/var/lib/swapfile";
+    size = 16*1024;
+  }];
+}

root/gaming/console/jovian/default.nix

@@ -0,0 +1,7 @@
+{ user, ... }:
+{
+  jovian.steam.enable = true;
+  jovian.steam.autoStart = true;
+  jovian.steam.user = user;
+  jovian.steam.desktopSession = "plasma";
+}

root/gaming/desktop/lact/default.nix

@@ -0,0 +1,24 @@
+# Use LACT for GPU overclocking
+{ pkgs,... }:
+{
+  environment.systemPackages =
+   (with pkgs; [
+    lact
+    ]);
+
+  # Enable Modprobe
+  boot.extraModprobeConfig = ''
+    options amdgpu ppfeaturemask=0xFFF7FFFF
+ '';
+
+  # Enable Systemd Service
+  systemd.services.lact = {
+    enable = true;
+    description = "AMDGPU Control Daemon";
+    after = ["multi-user.target"];
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      ExecStart = "${pkgs.lact}/bin/lact daemon";
+    };
+  };
+}

root/gaming/desktop/steam/default.nix

@@ -0,0 +1,48 @@
+{ pkgs, ... }:
+# Scripts for SteamOS session
+let
+  jupiter-biosupdate = pkgs.writeShellScriptBin "jupiter-biosupdate" ''
+    exit 0;
+  '';
+
+  steamos-update = pkgs.writeShellScriptBin "steamos-update" ''
+    exit 7;
+  '';
+
+  steamos-select-branch = pkgs.writeShellScriptBin "steamos-select-branch" ''
+    echo "Not applicable for this OS"
+  '';
+
+  steamos-session-select = pkgs.writeShellScriptBin "steamos-session-select" ''
+    steam -shutdown
+  '';
+in
+{
+  environment.systemPackages = [
+    jupiter-biosupdate
+    steamos-update
+    steamos-select-branch
+    steamos-session-select
+  ];
+  hardware.steam-hardware.enable = true;
+  programs.steam = {
+    enable = true;
+    extest.enable = true;
+    gamescopeSession.enable = true;
+    gamescopeSession.args = [
+      "--mangoapp"
+    ];
+    gamescopeSession.steamArgs = [
+      "-steamdeck"
+      "-steamos3"
+    ];
+    extraCompatPackages = with pkgs; [
+      proton-ge-bin
+    ];
+    extraPackages = with pkgs; [
+      gamescope
+      mangohud
+      vulkan-hdr-layer-kwin6
+    ];
+  };
+}

root/gnome/applications/default.nix

@@ -0,0 +1,52 @@
+{ pkgs, ...}:{
+  # Install applications.
+  programs.file-roller.enable = true;
+  services.gnome.tinysparql.enable = true;
+  environment.systemPackages = with pkgs; [
+  gnome-text-editor
+  dconf-editor
+  mission-center
+  amberol
+  clapper
+  speedtest
+  pdfarranger
+  video-trimmer
+  commit
+  cartridges
+  gnome-obfuscate
+  parabolic
+  gnome-tweaks
+  adw-gtk3
+  adwsteamgtk
+  gdm-settings
+  tsukimi
+  gnomeExtensions.appindicator
+  gnomeExtensions.rounded-window-corners-reborn
+  gnomeExtensions.clipboard-indicator
+  gnomeExtensions.middle-click-to-close-in-overview
+  gnomeExtensions.wallpaper-slideshow
+  gnomeExtensions.alphabetical-app-grid
+  gnomeExtensions.night-theme-switcher
+  ];
+  # Don't install unneeded applications.
+  environment.gnome.excludePackages = (with pkgs; [
+  xterm
+  gnome-software
+  gnome-connections
+  gnome-maps
+  gnome-weather
+  gnome-photos
+  gnome-tour
+  gedit
+  gnome-music
+  gnome-terminal
+  epiphany
+  geary
+  gnome-characters
+  totem
+  tali
+  iagno
+  hitori
+  atomix
+  ]);
+}

root/gnome/desktop-environment/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  # Install Gnome.
+  services.xserver.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+}

root/gnome/display-manager/default.nix

@@ -0,0 +1,13 @@
+# Gnome Display Manager.
+{ user, lib, config, ... }:
+{
+# Enable GDM only on workstation.
+services.xserver = lib.mkIf (config.networking.hostName == "Computer-Mo") {
+    displayManager.gdm.enable = true;
+};
+# Autologin only on workstation. Not needed on konsole or steamdeck. Jovian Greeter is being used.
+services.displayManager = lib.mkIf (config.networking.hostName == "Computer-Mo") {
+    autoLogin.enable = true;
+    autoLogin.user = user;
+};
+}

root/hyprland/default.nix

@@ -0,0 +1,15 @@
+{pkgs, ...}:
+{
+    programs.hyprland.enable = true;
+    programs.waybar.enable = true;
+    programs.hyprlock.enable = true;
+    programs.uwsm.enable = true;
+    programs.hyprland.withUWSM = true;
+    environment.systemPackages = [
+        pkgs.kitty
+        pkgs.wofi
+        pkgs.anyrun
+        pkgs.ptyxis
+        pkgs.hyprpolkitagent
+    ];
+}

root/plasma/applications/default.nix

@@ -0,0 +1,27 @@
+{ pkgs, ...}: {
+environment.systemPackages =
+   (with pkgs; [
+    nur.repos.shadowrz.klassy-qt6
+    kdePackages.kate
+    kdePackages.isoimagewriter
+    kdePackages.gwenview
+    kdePackages.okular
+    kdePackages.kdenlive
+    kdePackages.elisa
+    kdePackages.wallpaper-engine-plugin
+    kdePackages.qtwebengine
+    haruna
+    krita
+    kdePackages.kcolorchooser
+    kdePackages.kfind
+    kdePackages.kcalc
+    kdePackages.filelight
+    kdePackages.skanlite
+    kdePackages.ksystemlog
+    kdePackages.partitionmanager
+    kdePackages.plasma-browser-integration
+    kdePackages.koi
+    python312Packages.kde-material-you-colors
+    pywal
+    ]);
+}

root/plasma/desktop-environment/default.nix

@@ -0,0 +1,6 @@
+{ pkgs, user,  ... }:
+{
+  # Install plasma without xserver. Use wayland.
+  services.desktopManager.plasma6.enable = true;
+  services.xserver.enable = false;
+}

root/plasma/display-manager/default.nix

@@ -0,0 +1,10 @@
+{ user, ... }:
+{
+  # Only use sddm on Computer-Mo.
+  services.displayManager =  {
+    sddm.wayland.enable = true;
+    sddm.enable = true;
+    autoLogin.enable = true;
+    autoLogin.user = user;
+  };
+}

root/services/authentik/default.nix

@@ -0,0 +1,118 @@
+{ ... }:
+{
+  virtualisation.oci-containers.containers."container-authentik-cache" = {
+    image = "docker.io/library/redis:alpine";
+    networks = [
+      "network-internal"
+    ];
+    volumes = [
+      "volume-authentik-cache:/data:rw"
+    ];
+    cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+
+  virtualisation.oci-containers.containers."container-authentik-db" = {
+    image = "docker.io/library/postgres:12-alpine";
+    environment = {
+      "POSTGRES_DB" = "authentik";
+      "POSTGRES_PASSWORD" = "shmJQWMIWJRI23jn19842!";
+      "POSTGRES_USER" = "authentik";
+    };
+    networks = [
+      "network-internal"
+    ];
+    volumes = [
+      "volume-authentik-db:/var/lib/postgresql/data:rw"
+    ];
+    extraOptions = [
+     "--pull=always"
+    ];
+  };
+  virtualisation.oci-containers.containers."container-authentik-ldap" = {
+    image = "ghcr.io/goauthentik/ldap";
+    environment = {
+      "AUTHENTIK_HOST" = "http://container-authentik-server:9000";
+      "AUTHENTIK_INSECURE" = "true";
+      "AUTHENTIK_TOKEN" = "yZPlmWkdLsteKXXAJJPFO0Txd7o9zZlIfFdyBlGh0LjPjatYjpcqSYHwzMQ9";
+    };
+    networks = [
+      "network-internal"
+    ];
+    ports = [
+      "389:3389"
+      "636:6636"
+    ];
+    dependsOn = [
+      "container-authentik-server"
+      "container-authentik-worker"
+      "container-authentik-cache"
+      "container-authentik-db"
+    ];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+  virtualisation.oci-containers.containers."container-authentik-server" = {
+    image = "ghcr.io/goauthentik/server";
+    environment = {
+      "AUTHENTIK_SECRET_KEY" = "OS7C4vThZKf5tPGKlOu3QXgZIHWAF7HBfpk/Y6LMVh7QMdyOD6NwojmASlKb3lwtYA5OdZzDLB2GNSQg";
+      "AUTHENTIK_POSTGRESQL__HOST" = "container-authentik-db";
+      "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
+      "AUTHENTIK_POSTGRESQL__PASSWORD" = "shmJQWMIWJRI23jn19842!";
+      "AUTHENTIK_POSTGRESQL__USER" = "authentik";
+      "AUTHENTIK_REDIS__HOST" = "container-authentik-cache";
+      "AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS" = "172.16.0.0/12";
+    };
+    networks = [
+      "network-internal"
+    ];
+    ports = [
+    "9000:9000"
+    "9443:9443"
+    ];
+    volumes = [
+      "volume-authentik-media:/media:rw"
+      "volume-authentik-templates:/templates:rw"
+    ];
+    cmd = [ "server" ];
+    dependsOn = [
+      "container-authentik-cache"
+      "container-authentik-db"
+    ];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+  virtualisation.oci-containers.containers."container-authentik-worker" = {
+    image = "ghcr.io/goauthentik/server";
+    environment = {
+      "AUTHENTIK_SECRET_KEY" = "OS7C4vThZKf5tPGKlOu3QXgZIHWAF7HBfpk/Y6LMVh7QMdyOD6NwojmASlKb3lwtYA5OdZzDLB2GNSQg";
+      "AUTHENTIK_POSTGRESQL__HOST" = "container-authentik-db";
+      "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
+      "AUTHENTIK_POSTGRESQL__PASSWORD" = "shmJQWMIWJRI23jn19842!";
+      "AUTHENTIK_POSTGRESQL__USER" = "authentik";
+      "AUTHENTIK_REDIS__HOST" = "container-authentik-cache";
+      "AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS" = "172.16.0.0/12";
+    };
+    networks = [
+      "network-internal"
+    ];
+    volumes = [
+      "/run/docker.sock:/var/run/docker.sock:rw"
+      "volume-authentik-certs:/certs:rw"
+      "volume-authentik-media:/media:rw"
+      "volume-authentik-templates:/templates:rw"
+    ];
+    cmd = [ "worker" ];
+    dependsOn = [
+      "container-authentik-cache"
+      "container-authentik-db"
+    ];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+}

root/services/bazarr/default.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+  virtualisation.oci-containers.containers."container-bazarr-app" = {
+    autoStart = true;
+    image = "lscr.io/linuxserver/bazarr:latest";
+    environment = {
+      "TZ" = "Europe/Berlin";
+      "PUID" = "0";
+      "PGID" = "0";
+    };
+    networks = [
+      "network-internal"
+    ];
+    volumes = [
+      "volume-bazarr-config:/config:rw"
+      "/data:/data:rw"
+    ];
+    ports = ["6767:6767"];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+}

root/services/borg/default.nix

@@ -0,0 +1,12 @@
+{pkgs, ...}:
+{
+    services.borgbackup.jobs."server" = {
+        paths = "/var/lib/docker";
+        encryption.mode = "repokey-blake2";
+        encryption.passCommand = "cat /root/passphrase";
+        environment.BORG_RSH = "ssh -i /home/administrator/.ssh/extern";
+        repo = "e6cr76lv@e6cr76lv.repo.borgbase.com:repo";
+        compression = "auto,zstd";
+        startAt = "daily";
+    };
+}

root/services/docker-network/default.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  system.activationScripts.network-internal = ''
+    ${pkgs.docker}/bin/docker network create network-internal
+  '';
+}

root/services/docker-runtime/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  virtualisation.docker = {
+    enable = true;
+    autoPrune.enable = false;
+  };
+  virtualisation.oci-containers.backend = "docker";
+}

root/services/emby/default.nix

@@ -0,0 +1,37 @@
+{ pkgs, ... }:
+{
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-compute-runtime
+      vpl-gpu-rt
+      vaapiVdpau
+      libvdpau-va-gl
+      intel-vaapi-driver
+    ];
+  };
+  virtualisation.oci-containers.containers."container-emby-app" = {
+    autoStart = true;
+    image = "lscr.io/linuxserver/emby:beta";
+    devices = [
+        "/dev/dri:/dev/dri"
+    ];
+    environment = {
+      "TZ" = "Europe/Berlin";
+      "PUID" = "0";
+      "PGID" = "0";
+    };
+    networks = [
+      "network-internal"
+    ];
+    volumes = [
+      "volume-emby-config:/config:rw"
+      "/data:/data:rw"
+    ];
+    ports = ["8096:8096"];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+}

root/services/home-assistant/default.nix

@@ -0,0 +1,48 @@
+{ ... }:
+{
+  virtualisation.oci-containers.containers."container-home-assistant-app" = {
+    autoStart = true;
+    image = "ghcr.io/home-assistant/home-assistant:stable";
+    devices = [
+        "/dev/ttyUSB0:/dev/ttyUSB0"
+    ];
+    environment = {
+      "TZ" = "Europe/Berlin";
+      "PUID" = "0";
+      "PGID" = "0";
+    };
+    networks = [
+      "network-internal"
+    ];
+    ports = [
+      "8123:8123"
+    ];
+    volumes = [
+      "volume-home-assistant-config:/config:rw"
+      "/var/run/docker.sock:/var/run/docker.sock:ro"
+    ];
+    extraOptions = [
+       "--pull=always"
+     ];
+  };
+  virtualisation.oci-containers.containers."container-home-assistant-mqtt" = {
+    autoStart = true;
+    image = "eclipse-mosquitto:latest";
+    environment = {
+      "TZ" = "Europe/Berlin";
+      "PUID" = "0";
+      "PGID" = "0";
+    };
+    networks = [
+      "network-internal"
+    ];
+    ports = [
+      "1883:1883"
+      "9001:9001"
+    ];
+    volumes = [
+      "volume-home-assistant-mqtt:/etc/mosquitto:rw"
+      "volume-home-assistant-mqtt-config:/mosquitto/config:rw"
+    ];
+  };
+}

root/services/jellyseerr/default.nix

@@ -0,0 +1,21 @@
+{ ... }:
+{
+  virtualisation.oci-containers.containers."container-jellyseerr-app" = {
+    autoStart = true;
+    image = "fallenbagel/jellyseerr";
+    environment = {
+      "TZ" = "Europe/Berlin";
+      "JELLYFIN_TYPE" = "emby";
+    };
+    networks = [
+      "network-internal"
+    ];
+    volumes = [
+      "volume-jellyseerr-config:/app/config:rw"
+    ];
+    ports = ["5055:5055"];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+}

root/services/radarr/default.nix

@@ -0,0 +1,24 @@
+{ ... }:
+{
+  virtualisation.oci-containers.containers."container-radarr-app" = {
+    autoStart = true;
+    image = "lscr.io/linuxserver/radarr:latest";
+    environment = {
+      "TZ" = "Europe/Berlin";
+      "PUID" = "0";
+      "PGID" = "0";
+    };
+    networks = [
+      "network-internal"
+      "network-external"
+    ];
+    volumes = [
+      "volume-radarr-config:/config:rw"
+      "/data:/data:rw"
+    ];
+    ports = ["7878:7878"];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+}

root/services/recyclarr/default.nix

@@ -0,0 +1,21 @@
+{ ... }:
+{
+  virtualisation.oci-containers.containers."container-recyclarr-app" = {
+    autoStart = true;
+    image = "ghcr.io/recyclarr/recyclarr:latest";
+    environment = {
+      "TZ" = "Europe/Berlin";
+      "PUID" = "0";
+      "PGID" = "0";
+    };
+    networks = [
+      "network-internal"
+    ];
+    volumes = [
+      "volume-recyclarr-config:/config:rw"
+    ];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+}

root/services/recyclarr/dotfiles/recyclarr.yml

@@ -0,0 +1,108 @@
+sonarr:
+  series:
+    media_naming:
+      series: emby
+      season: default
+      episodes:
+        rename: true
+        standard: default
+        daily: default
+        anime: default
+    base_url: 'http://container-sonarr-app:8989'
+    api_key: 21811d916522404eae24cb2e1c32a655
+    include:
+      - template: sonarr-v4-quality-profile-web-2160p
+      - template: sonarr-v4-custom-formats-web-2160p
+    quality_profiles:
+      - name: WEB-2160p
+        reset_unmatched_scores:
+          enabled: true
+        min_format_score: -10000
+        upgrade:
+          allowed: true
+          until_quality: Bluray-2160p
+        score_set: default
+        quality_sort: top
+        qualities:
+          - name: Bluray-2160p
+          - name: Bluray-2160p Remux
+          - name: 2160p MQ
+              - WEBDL-2160p
+              - WEBRip-2160p
+          - name: Bluray-1080p Remux
+          - name: Bluray-1080p
+          - name: 1080p MQ
+            qualities:
+              - WEBDL-1080p
+              - WEBRip-1080p
+          - name: LQ
+            qualities:
+              - HDTV-2160p
+              - HDTV-1080p
+          - name: Trash
+            qualities:
+              - Bluray-720p
+              - WEBDL-720p
+              - WEBRip-720p
+              - HDTV-720p
+              - Bluray-576p
+              - Bluray-480p
+              - WEBDL-480p
+              - WEBRip-480p
+              - DVD
+              - SDTV
+radarr:
+  movies:
+    media_naming:
+      folder: emby
+      movie:
+        rename: true
+        standard: emby
+    base_url: 'http://container-radarr-app:7878'
+    api_key: 81dc7e319c2745138bf86f19a0e4cf2d
+    include:
+      - template: radarr-quality-profile-sqp-1-2160p-default
+      - template: radarr-custom-formats-sqp-1-2160p
+    custom_formats:
+      - trash_ids:
+            - b17886cb4158d9fea189859409975758
+            - 55a5b50cb416dea5a50c4955896217ab
+    quality_profiles:
+      - name: SQP-1 (2160p)
+        reset_unmatched_scores:
+          enabled: true
+        min_format_score: -10000
+        upgrade:
+          allowed: true
+          until_quality: Bluray-2160p
+        score_set: SQP-1
+        quality_sort: top
+        qualities:
+          - name: Bluray-2160p
+          - name: Remux-2160p
+          - name: 2160-MQ
+            qualities:
+              - WEBDL-2160p
+              - WEBRip-2160p
+          - name: Remux-1080p
+          - name: Bluray-1080p
+          - name: 1080p
+            qualities:
+              - WEBDL-1080p
+              - WEBRip-1080p
+          - name: LQ
+            qualities:
+              - HDTV-2160p
+              - HDTV-1080p
+          - name: Trash
+            qualities:
+              - Bluray-720p
+              - WEBDL-720p
+              - WEBRip-720p
+              - HDTV-720p
+              - Bluray-576p
+              - WEBRip-480p
+              - WEBDL-480p
+              - Bluray-480p
+              - DVD
+              - SDTV

root/services/sabnzbd/default.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+  virtualisation.oci-containers.containers."container-sabnzbd-app" = {
+    autoStart = true;
+    image = "lscr.io/linuxserver/sabnzbd:latest";
+    environment = {
+      "TZ" = "Europe/Berlin";
+      "PUID" = "0";
+      "PGID" = "0";
+    };
+    networks = [
+      "network-internal"
+    ];
+    volumes = [
+      "volume-sabnzbd-config:/config:rw"
+      "/data:/data:rw"
+    ];
+    ports = ["8080:8080"];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+}

root/services/sonarr/default.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+  virtualisation.oci-containers.containers."container-sonarr-app" = {
+    autoStart = true;
+    image = "lscr.io/linuxserver/sonarr:latest";
+    environment = {
+      "TZ" = "Europe/Berlin";
+      "PUID" = "0";
+      "PGID" = "0";
+    };
+    networks = [
+      "network-internal"
+    ];
+    volumes = [
+      "volume-sonarr-config:/config:rw"
+      "/data:/data:rw"
+    ];
+    ports = ["8989:8989"];
+    extraOptions = [
+      "--pull=always"
+    ];
+  };
+}