Add domain, ACME cert and virtual host for bitwarden.kempinger.at with a
proxy to the local Vaultwarden instance. Update Vaultwarden settings:
ROCKET_LOG -> "info", SMTP_HOST -> "192.168.69.69". Comment out stalwart
authentication fallback-admin and set stalwart stateVersion to "25.05".
Use pkgs.linuxPackages instead of linuxPackages_latest for
kernelPackages.
Enable the system firewall (networking.firewall.enable = true).
Comment out users.groups.kemp members entry.
Add jdk and gradle to environment.systemPackages.
Enable VirtualBox host and extension pack and add kemp to vboxusers.
Reassign multiple service frontends from 81xx to 80xx ports (Forgejo,
ntopng, AdGuard, Scrutiny, Paperless, Whats Up Docker, etc.) and update
homepage links.
Configure ACME (webroot) and add certs for kempinger.at,
webadmin.kempinger.at,
and bilder.kempinger.at; update nginx virtual hosts to use ACME hosts
and
serve the ACME challenge path.
Add users stalwart-mail and nginx to the acme group and open
SMTP-related
firewall ports (25, 587) plus mail UI ports (8090, 8091).
Add and configure the Stalwart mail service (SMTP, submissions, IMAP,
JMAP)
and adjust related service ports/settings (ntopng, scrutiny, influxdb,
WUD).
Stop appending wind_speed_unit in weather.forecast_home value to avoid
duplicating units (the attribute already supplies the units). Also add
libwebp to the kemptop package list for WebP image support.
Bump nixpkgs and rust-overlay in flake.lock. Add a wud container
(ghcr.io/getwud/wud) on port 8186 and enable paperless on port 8187
with OCR settings and public consumption. Switch homepage theme to
light and set a background image. Comment out onnxruntime CUDA overlay.
Rename group "libvirt" to "libvirtd".
Add diffoscope and nix-index to systemPackages.
Replace hplipWithPlugin with hplip.
Enable spice USB redirection and add pkgs.virtiofsd to
virtualisation.libvirtd.qemu.vhostUserPackages.
Open firewall ports for Scrutiny (8185) and homepage (8080).
Add binutils to systemPackages and enable services.influxdb2.
Configure Scrutiny to use InfluxDB.
Enable homepage-dashboard with widgets, bookmarks and an
environmentFile for secrets.
Fix docker pull string formatting and minor whitespace cleanup.
Enable and configure openssh service:
- enable service
- disable PasswordAuthentication and KbdInteractiveAuthentication
- set PermitRootLogin to prohibit-password (allow root keys only)
- add ed25519 public key to authorizedKeys
Open firewall TCP port 22
Add detailed fail2ban configuration: global settings, immich and
forgejo jails with systemd backend, journalmatch identifiers and
local filter definitions.
Remove standalone services.fail2ban.enable and eliminate unused
TCP port 9000 plus a debug log-level flag in netflow2ng. Add nixpkgs
overlay to
build onnxruntime with cudaSupport.
Enable hardware.graphics, nvidia.open and nvidia-container-toolkit; set
xserver video driver to nvidia and enable nixpkgs.allowUnfree
Update Frigate container to stable-tensorrt, add nvidia GPU device,
mount model cache and add --privileged
Add lshw to system packages
