From c49474d8ce7b0612523d6bde593bc843e7fe2687 Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:56:36 -0600 Subject: [PATCH 01/12] flake: Upgrade nixpkgs to nixos-25.11 family This commit upgrades nixpkgs to nixos-25.11, and all other management systems (home-manager, nix-darwin, etc.) to the equivalent tag, and also upgrades any syntax within the modules to follow new syntax. 1. Upgrades nixpkgs to nixos-25.11 2. Upgrades nixpkgs-darwin to nixpkgs-25.11-darwin 3. Upgrades home-manger to release-25.11 4. Upgrades nix-darwin to 25.11 5. Implements conditional to use nixpkgs on Linux and nixpkgs-darwin on Darwin 6. Replace micromamba with mamba-cpp and set alias, see 7. Replace asitop with its new name: macpm 8. Remove ollama package and launchd service. ollama was removed from Linux in 275270cef7, but remained in Darwin. The build process technically did not fail, but it did extend build time and is unused, so it was removed. 9. Switch git program module to use new syntax 10. Switch to NixOS-provided Crowdsec module 11. Switch logind lidSwitch settings to use new syntax 12. Switch sabma module to use new syntax --- flake.lock | 122 ++++++++++------------------------- flake.nix | 22 +++---- homes/common.nix | 3 +- homes/darwin.nix | 18 +----- homes/desktop.nix | 1 - programs/git.nix | 8 ++- programs/shells.nix | 2 +- services/crowdsec.nix | 128 +++++++++++-------------------------- services/samba.nix | 1 - systems/linux/bosephus.nix | 4 +- 10 files changed, 91 insertions(+), 218 deletions(-) diff --git a/flake.lock b/flake.lock index a1cd1d3..982ba78 100644 --- a/flake.lock +++ b/flake.lock 
@@ -14,11 +14,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1754433428, - "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", "owner": "ryantm", "repo": "agenix", - "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", "type": "github" }, "original": { @@ -27,27 +27,6 @@ "type": "github" } }, - "crowdsec": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1752497357, - "narHash": "sha256-9epXn1+T6U4Kfyw8B9zMzbERxDB3VfaPXhVebtai6CE=", - "ref": "refs/heads/main", - "rev": "84db7dcea77f7f477d79e69e35fb0bb560232667", - "revCount": 42, - "type": "git", - "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git" - }, - "original": { - "type": "git", - "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -69,23 +48,6 @@ "type": "github" } }, - "flake-utils": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -93,16 +55,16 @@ ] }, "locked": { - "lastModified": 1756679287, - "narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=", + "lastModified": 1764613336, + "narHash": "sha256-L979az28t/+SXvYw9qhOno5HLlDwkZOpz6LzCLnjmRM=", "owner": "nix-community", "repo": "home-manager", - "rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8", + "rev": "f3902b5d8767985680875ad86d028371100faeb3", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-25.05", + "ref": "release-25.11", "repo": "home-manager", "type": "github" } 
@@ -114,59 +76,59 @@ ] }, "locked": { - "lastModified": 1757432263, - "narHash": "sha256-qHn+/0+IOz5cG68BZUwL9BV3EO/e9eNKCjH3+N7wMdI=", + "lastModified": 1764161084, + "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "1fef4404de4d1596aa5ab2bd68078370e1b9dcdb", + "rev": "e95de00a471d07435e0527ff4db092c84998698e", "type": "github" }, "original": { "owner": "LnL7", - "ref": "nix-darwin-25.05", + "ref": "nix-darwin-25.11", "repo": "nix-darwin", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1757545623, - "narHash": "sha256-mCxPABZ6jRjUQx3bPP4vjA68ETbPLNz9V2pk9tO7pRQ=", + "lastModified": 1764522689, + "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8cd5ce828d5d1d16feff37340171a98fc3bf6526", + "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-darwin": { "locked": { - "lastModified": 1757590060, - "narHash": "sha256-EWwwdKLMZALkgHFyKW7rmyhxECO74+N+ZO5xTDnY/5c=", + "lastModified": 1764572236, + "narHash": "sha256-hLp6T/vKdrBQolpbN3EhJOKTXZYxJZPzpnoZz+fEGlE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0ef228213045d2cdb5a169a95d63ded38670b293", + "rev": "b0924ea1889b366de6bb0018a9db70b2c43a15f8", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixpkgs-25.05-darwin", + "ref": "nixpkgs-25.11-darwin", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1757034884, - "narHash": "sha256-PgLSZDBEWUHpfTRfFyklmiiLBE1i1aGCtz4eRA3POao=", + "lastModified": 1764642553, + "narHash": "sha256-mvbFFzVBhVK1FjyPHZGMAKpNiqkr7k++xIwy+p/NQvA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ca77296380960cd497a765102eeb1356eb80fed0", + "rev": "f720de59066162ee879adcc8c79e15c51fe6bfb4", "type": "github" }, "original": { 
@@ -184,11 +146,11 @@ ] }, "locked": { - "lastModified": 1757647720, - "narHash": "sha256-qf/utP3d1qBDl5R4yWUCt7E7CHTkw2NY8BEsS7lJ0dc=", + "lastModified": 1764683664, + "narHash": "sha256-Mr5HKf/bjAJ8H7/H0qJSk2BEV/OILkDIFKrGK0dUVUk=", "owner": "nix-community", "repo": "NUR", - "rev": "ef767aa25f9f917fe25d3848051f0e54ae42349f", + "rev": "b8b40e258cf4c959b06b7322648c87674633629b", "type": "github" }, "original": { @@ -207,11 +169,11 @@ ] }, "locked": { - "lastModified": 1756632588, - "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=", + "lastModified": 1763909441, + "narHash": "sha256-56LwV51TX/FhgX+5LCG6akQ5KrOWuKgcJa+eUsRMxsc=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "d47428e5390d6a5a8f764808a4db15929347cd77", + "rev": "b24ed4b272256dfc1cc2291f89a9821d5f9e14b4", "type": "github" }, "original": { @@ -222,11 +184,11 @@ }, "quadlet-nix": { "locked": { - "lastModified": 1754008153, - "narHash": "sha256-MYT1mDtSkiVg343agxgBFsnuNU3xS8vRy399JXX1Vw0=", + "lastModified": 1763141753, + "narHash": "sha256-XAHkOkLEWbRQZ6t/SowwOukrUfIneNQOC/UEQlTaPBU=", "owner": "SEIAROTg", "repo": "quadlet-nix", - "rev": "1b2d27d460d8c7e4da5ba44ede463b427160b5c4", + "rev": "211b5c626cf9ea91403b510e2ac5ca03a7194566", "type": "github" }, "original": { @@ -238,7 +200,6 @@ "root": { "inputs": { "agenix": "agenix", - "crowdsec": "crowdsec", "home-manager": "home-manager", "nix-darwin": "nix-darwin", "nixpkgs": "nixpkgs", @@ -258,11 +219,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1757591399, - "narHash": "sha256-OlvNzfsqDok0y5PDY+2dK5T53GsxAdm1YGdYHjxAiHM=", + "lastModified": 1764648280, + "narHash": "sha256-xniOnxIx/qhm+maO4mb9BZ7FytcUhNeTm1Y/QBjNf8o=", "owner": "rycee", "repo": "nur-expressions", - "rev": "b7d4f61ce9db44ba82859e15f6e1c175959948e3", + "rev": "119826bd51ad1a8012e0585f3a073571a35a812e", "type": "gitlab" }, "original": { 
@@ -286,21 +247,6 @@ "repo": "default", "type": "github" } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 204941e..bbd1632 100644 --- a/flake.nix +++ b/flake.nix @@ -3,8 +3,8 @@ inputs = { # Specify the source of Home Manager and Nixpkgs. - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; - nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.05-darwin"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; + nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.11-darwin"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; # Inputs for both darwin and linux systems @@ -17,7 +17,7 @@ }; }; home-manager = { - url = "github:nix-community/home-manager/release-25.05"; + url = "github:nix-community/home-manager/release-25.11"; inputs.nixpkgs.follows = "nixpkgs"; }; nur = { @@ -30,10 +30,6 @@ }; # Linux-specific inputs - crowdsec = { - url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git"; - inputs.nixpkgs.follows = "nixpkgs"; - }; plasma-manager = { url = "github:nix-community/plasma-manager"; inputs = { 
@@ -45,20 +41,21 @@ # Darwin-specific inputs nix-darwin = { - url = "github:LnL7/nix-darwin/nix-darwin-25.05"; + url = "github:LnL7/nix-darwin/nix-darwin-25.11"; inputs.nixpkgs.follows = "nixpkgs-darwin"; }; }; outputs = { self, nix-darwin, nixpkgs, nixpkgs-darwin, nixpkgs-unstable - , home-manager, agenix, rycee-nurpkgs, nur, crowdsec, plasma-manager - , quadlet-nix, ... }: + , home-manager, agenix, rycee-nurpkgs, nur, plasma-manager, quadlet-nix, ... + }: let mkHomeConfiguration = { hostname, arch ? "x86_64", os ? "linux" , desktop ? false, extraModules ? [ ] }: let system = "${arch}-${os}"; - pkgs = import nixpkgs { + syspkg = if os == "darwin" then nixpkgs-darwin else nixpkgs; + pkgs = import syspkg { inherit system; config.allowUnfree = true; overlays = [ nur.overlays.default agenix.overlays.default ]; @@ -146,9 +143,6 @@ agenix.nixosModules.default home-manager.nixosModules.home-manager quadlet-nix.nixosModules.quadlet - crowdsec.nixosModules.crowdsec - crowdsec.nixosModules.crowdsec-firewall-bouncer - { nixpkgs.overlays = [ crowdsec.overlays.default ]; } ]; }; }; diff --git a/homes/common.nix b/homes/common.nix index 61ba3f1..078bdd5 100644 --- a/homes/common.nix +++ b/homes/common.nix @@ -45,7 +45,7 @@ in { jq julia-bin lynx - micromamba + mamba-cpp most nextflow p7zip @@ -84,6 +84,7 @@ in { "tailscale set --exit-node=$(tailscale exit-node suggest | awk '{print $4}' | head -n1)"; # tsed - TailScale Exit node Disconnect tsed = "tailscale set --exit-node="; + micromamba = "mamba"; }; sessionPath = [ "$HOME/.local/bin" ]; activation = { diff --git a/homes/darwin.nix b/homes/darwin.nix index d3c2982..9cabb63 100644 --- a/homes/darwin.nix +++ b/homes/darwin.nix @@ -7,7 +7,7 @@ ]; home = { packages = with pkgs; [ - asitop + macpm pinentry_mac (pkgs.writeShellScriptBin "uq" '' xattr -rdv com.apple.quarantine "/Applications/$1.app" 
@@ -34,22 +34,6 @@ launchd = { enable = true; agents = { - ollama = { - enable = true; - config = { - Label = "local.home-manager.ollama"; - ProgramArguments = [ "${pkgs.ollama}/bin/ollama" "serve" ]; - RunAtLoad = true; - KeepAlive = true; - StandardOutPath = - "${config.home.homeDirectory}/Library/Logs/ollama.log"; - StandardErrorPath = - "${config.home.homeDirectory}/Library/Logs/ollama-error.log"; - EnvironmentVariables = { - PATH = "${lib.makeBinPath [ pkgs.ollama ]}:$PATH"; - }; - }; - }; freetube-sync = { enable = true; diff --git a/homes/desktop.nix b/homes/desktop.nix index 03229ed..7b1b2ad 100644 --- a/homes/desktop.nix +++ b/homes/desktop.nix @@ -22,7 +22,6 @@ nil nixd nixfmt-classic - ollama quarto roboto-slab shellcheck diff --git a/programs/git.nix b/programs/git.nix index b4d790d..173e5f1 100644 --- a/programs/git.nix +++ b/programs/git.nix @@ -1,9 +1,11 @@ { ... }: { programs.git = { enable = true; - userName = "Thomas A. Christensen II"; - userEmail = "25492070+MillironX@users.noreply.github.com"; - extraConfig = { + settings = { + user = { + name = "Thomas A. Christensen II"; + email = "25492070+MillironX@users.noreply.github.com"; + }; core = { editor = "nvim"; }; credential = { helper = "store"; }; color = { ui = "auto"; }; diff --git a/programs/shells.nix b/programs/shells.nix index 93b2d9d..6745cf4 100644 --- a/programs/shells.nix +++ b/programs/shells.nix @@ -1,7 +1,7 @@ { pkgs, ... }: let conda_init = shell: '' - eval "$(${pkgs.micromamba}/bin/micromamba shell hook --shell ${shell})" + eval "$(${pkgs.mamba-cpp}/bin/mamba shell hook --shell ${shell})" ''; nd_bash_function = '' diff --git a/services/crowdsec.nix b/services/crowdsec.nix index 6a54584..5c3e279 100644 --- a/services/crowdsec.nix +++ b/services/crowdsec.nix 
@@ -1,101 +1,49 @@
-{ pkgs, config, ... }:
-let
- crowdsec-port = "2763";
- firewall-bouncer-name = "fw-bouncer";
- # Although this key can be reproduced by anyone who actually cares to, the
- # Crowdsec API will not be exposed to the outside world, so keeping this key
- # super secret really isn't that important to me. Still make it look random
- # so that hungry botnets can't just slurp up the password in plaintext.
- firewall-bouncer-key = builtins.hashString "sha256"
- "${config.networking.hostName}-crowdsec-bouncer-salt";
- toMultiYAML = items:
- pkgs.lib.concatMapStrings (item:
- ''
-
- ---
- '' + (pkgs.lib.generators.toYAML { } item) + "\n") items;
-in {
+{ pkgs, config, ... }: {
 services = {
 crowdsec = {
 enable = true;
- allowLocalJournalAccess = true;
- settings = {
- api.server = { listen_uri = "127.0.0.1:${crowdsec-port}"; };
- crowdsec_service.acquisition_path = pkgs.writeText "acquisitions.yaml"
- (toMultiYAML [
- {
- source = "journalctl";
- journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
- labels.type = "syslog";
- }
- {
- filenames = [ "/var/log/auth.log" ];
- labels.type = "syslog";
- }
- {
- filenames = [ "/var/log/syslog" "/var/log/kern.log" ];
- labels.type = "syslog";
- }
- ]);
+ localConfig = {
+ acquisitions = [
+ {
+ source = "journalctl";
+ journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+ labels.type = "syslog";
+ }
+ {
+ filenames = [ "/var/log/auth.log" ];
+ labels.type = "syslog";
+ }
+ {
+ filenames = [ "/var/log/syslog" "/var/log/kern.log" ];
+ labels.type = "syslog";
+ }
+ ];
 };
+ hub = {
+ collections = [
+ "crowdsecurity/base-http-scenarios"
+ "crowdsecurity/http-cve"
+ "crowdsecurity/http-dos"
+ "crowdsecurity/iptables"
+ "crowdsecurity/linux"
+ "crowdsecurity/sshd"
+ "crowdsecurity/whitelist-good-actors"
+ ];
+ };
+ settings = {
+ general = { api.server.enable = true; };
+ # See https://github.com/NixOS/nixpkgs/issues/445342
+ lapi.credentialsFile = "/var/lib/crowdsec/lapi-credentials.yaml";
+ };
+ autoUpdateService =
true;
 };
+
 crowdsec-firewall-bouncer = {
 enable = true;
- settings = {
- api_url = "http://localhost:${crowdsec-port}";
- api_key = firewall-bouncer-key;
- };
+ registerBouncer.enable = true;
 };
 };
- systemd.services.crowdsec.serviceConfig = {
- ExecStartPre = let
- bouncer-script = pkgs.writeScriptBin "register-bouncer" ''
- #!${pkgs.runtimeShell}
- set -eu
- set -o pipefail
-
- if ! cscli bouncers list | grep -q "${firewall-bouncer-name}"; then
- cscli bouncers add "${firewall-bouncer-name}" --key "${firewall-bouncer-key}"
- fi
- '';
- collection-check = collection: ''
-
- if ! cscli collections list | grep -q "${collection}"; then
- cscli collections --trace install "${collection}"
- sleep 1
- fi
-
- '';
- collections = [
- "crowdsecurity/base-http-scenarios"
- "crowdsecurity/http-cve"
- "crowdsecurity/http-dos"
- "crowdsecurity/iptables"
- "crowdsecurity/linux"
- "crowdsecurity/sshd"
- "crowdsecurity/whitelist-good-actors"
- ];
- collection-script = pkgs.writeScriptBin "install-collections" ''
- #!${pkgs.runtimeShell}
- set -eu
- set -o pipefail
-
- # I had to run these commands in order to manually install collections
- # using cscli.
- # Not sure how often they should actually be run, but I would rather
- # include this here.
- # https://discourse.crowdsec.net/t/solved-cant-find-collections-appsec/1830
- cscli capi register
- sleep 1
- cscli hub update
- sleep 1
-
- ${pkgs.lib.concatMapStrings collection-check collections}
- '';
- in [
- "${bouncer-script}/bin/register-bouncer"
- "${collection-script}/bin/install-collections"
- ];
- };
+ systemd.tmpfiles.rules = let cfg = config.services.crowdsec;
+ in [ "d /var/lib/crowdsec 0755 ${cfg.user} ${cfg.group}" ];
 }
diff --git a/services/samba.nix b/services/samba.nix
index e6fa607..b248d33 100644
--- a/services/samba.nix
+++ b/services/samba.nix
@@ -2,7 +2,6 @@
 services.samba = {
 enable = true;
 package = pkgs.sambaFull;
- securityType = "user";
 openFirewall = true;
 settings = {
 global = {
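Review bot: The tmpfiles rule at the end of the crowdsec hunk creates `/var/lib/crowdsec` with mode 0755, and `lapi.credentialsFile` points into that same directory, so the LAPI credentials sit in a world-traversable tree; `"d /var/lib/crowdsec 0750 ${cfg.user} ${cfg.group}"` would restrict listing to the service user and group, while the file's own mode is still decided by whatever writes it, so check that too. Two things the removed code pinned are no longer stated: the listen address (`listen_uri = "127.0.0.1:…"` became a bare `api.server.enable = true`, so the bind address now comes from the module default) and `allowLocalJournalAccess`, which was dropped while the `journalctl` acquisition stays. Both are presumably handled by the NixOS module, but confirm it and record the result next to `general`, e.g. `# LAPI bind address and journal access are left to the module defaults (localhost / journal group) — verified on <date placeholder>`, so the old "the API is never exposed" assumption that justified the removed key scheme stays visible.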
diff --git a/systems/linux/bosephus.nix b/systems/linux/bosephus.nix
index 98cf0e7..79dcf54 100644
--- a/systems/linux/bosephus.nix
+++ b/systems/linux/bosephus.nix
@@ -17,8 +17,8 @@
 boot.loader.efi.canTouchEfiVariables = true;
 # Ignore lid - so I can close without having the system go into sleep mode
- services.logind.lidSwitch = "ignore";
- services.logind.lidSwitchDocked = "ignore";
+ services.logind.settings.Login.HandleLidSwitch = "ignore";
+ services.logind.settings.Login.HandleLidSwitchDocked = "ignore";
 # Secrets
 age.secrets = {
From 24d7b7d533c875f9bb47a1062352268dcebb5147 Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Thu, 4 Dec 2025 08:59:53 -0600
Subject: [PATCH 02/12] programs (zed): Add build+preview on demand support for LaTeX
---
 programs/zed.nix | 25 ++++++++++++++++++++++++-
 systems/darwin/corianne.nix | 1 +
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/programs/zed.nix b/programs/zed.nix
index 19beb45..b3f7fd6 100644
--- a/programs/zed.nix
+++ b/programs/zed.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{ pkgs, ... }: {
 programs.zed-editor = {
 enable = true;
 extensions = [
@@ -58,6 +58,22 @@
 initialization_options.formatting.command = [ "nixfmt" ];
 settings.nix.flake.autoArchive = true;
 };
+ texlab = {
+ settings = {
+ build = {
+ onSave = false;
+ forwardSearchAfter = true;
+ };
+ forwardSearch = if pkgs.stdenv.hostPlatform.isDarwin then {
+ executable =
+ "/Applications/Skim.app/Contents/SharedSupport/displayline";
+ args = [ "-r" "%l" "%p" "%f" "-g" ];
+ } else {
+ executable = "/usr/bin/okular";
+ args = [ "--unique" "file:%p#src:%l%f" ];
+ };
+ };
+ };
 tinymist = {
 settings = {
 exportPdf = "onSave";
@@ -81,5 +97,12 @@
 ui_font_size = 16;
 wrap_guides = [ 80 92 120 ];
 };
+ userTasks = [{
+ label = "latexmk (project)";
+ command = "latexmk";
+ args = [ "-synctex=1" "-pdf" "-recorder" ];
+ cwd = "$ZED_DIRNAME";
+ tags = [ "latex-build" ];
+ }];
 };
 }
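Review bot: The non-Darwin branch of `forwardSearch` in the zed.nix hunk hard-codes `executable = "/usr/bin/okular"`, which does not exist on a NixOS host that applies this same home configuration (nothing is installed under `/usr/bin` there), so forward search would fail silently on those machines. If Okular is meant to come from nixpkgs, `executable = "${pkgs.kdePackages.okular}/bin/okular";` keeps the path valid on every host and ties it to the same `pkgs` the Darwin branch already consults. If the Linux machines are non-NixOS and rely on the distro package instead, a one-line comment saying so, e.g. `# distro-provided Okular; only non-NixOS Linux hosts use this branch`, would stop the next reader from "fixing" it.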
diff --git a/systems/darwin/corianne.nix b/systems/darwin/corianne.nix index dea0f34..df713b7 100644 --- a/systems/darwin/corianne.nix +++ b/systems/darwin/corianne.nix @@ -206,6 +206,7 @@ in { "rig" "rstudio" "signal" + "skim" "slack" "stats" "steam" From ac837750c9aeafa1d29e85ec89dcbd8b7e981e14 Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Thu, 4 Dec 2025 09:00:37 -0600 Subject: [PATCH 03/12] nix-builder (corianne): Add rosetta builder --- flake.lock | 59 +++++++++++++++++++++++++++++++++++++ flake.nix | 15 +++++++--- systems/darwin/corianne.nix | 24 +++++++++++++-- 3 files changed, 91 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 982ba78..6141529 100644 --- a/flake.lock +++ b/flake.lock 
@@ -90,6 +90,64 @@ "type": "github" } }, + "nix-rosetta-builder": { + "inputs": { + "nixos-generators": "nixos-generators", + "nixpkgs": [ + "nixpkgs-darwin" + ] + }, + "locked": { + "lastModified": 1756177999, + "narHash": "sha256-aSbB7/jrt7ujiJ55f2uGhOo+usGxVSkqbAMVgg2jDls=", + "owner": "cpick", + "repo": "nix-rosetta-builder", + "rev": "ebb7162a975074fb570a2c3ac02bc543ff2e9df4", + "type": "github" + }, + "original": { + "owner": "cpick", + "repo": "nix-rosetta-builder", + "type": "github" + } + }, + "nixlib": { + "locked": { + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nix-rosetta-builder", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1737057290, + "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1764522689, @@ -202,6 +260,7 @@ "agenix": "agenix", "home-manager": "home-manager", "nix-darwin": "nix-darwin", + "nix-rosetta-builder": "nix-rosetta-builder", "nixpkgs": "nixpkgs", "nixpkgs-darwin": "nixpkgs-darwin", "nixpkgs-unstable": "nixpkgs-unstable", diff --git a/flake.nix b/flake.nix index bbd1632..59c9ce0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -44,11 +44,15 @@ url = "github:LnL7/nix-darwin/nix-darwin-25.11"; inputs.nixpkgs.follows = "nixpkgs-darwin"; }; + nix-rosetta-builder = { + url = "github:cpick/nix-rosetta-builder"; + inputs.nixpkgs.follows = "nixpkgs-darwin"; + }; }; outputs = { self, nix-darwin, nixpkgs, nixpkgs-darwin, nixpkgs-unstable - , home-manager, agenix, rycee-nurpkgs, nur, plasma-manager, quadlet-nix, ... - }: + , home-manager, agenix, rycee-nurpkgs, nur, plasma-manager, quadlet-nix + , nix-rosetta-builder, ... }: let mkHomeConfiguration = { hostname, arch ? "x86_64", os ? "linux" , desktop ? false, extraModules ? [ ] }: @@ -119,8 +123,11 @@ }; agenix = agenix; }; - modules = - [ ./systems/darwin/corianne.nix agenix.darwinModules.default ]; + modules = [ + ./systems/darwin/corianne.nix + agenix.darwinModules.default + nix-rosetta-builder.darwinModules.default + ]; }; nixosConfigurations = { diff --git a/systems/darwin/corianne.nix b/systems/darwin/corianne.nix index df713b7..f1c1eb2 100644 --- a/systems/darwin/corianne.nix +++ b/systems/darwin/corianne.nix @@ -26,9 +26,27 @@ in { }; # Auto upgrade nix package and the daemon service. - nix.enable = true; - #services.nix-daemon.tempDir = "/nix/tmp"; - nix.package = pkgs.nix; + nix = { + enable = true; + gc = { + automatic = true; + interval = { Weekday = 1; }; + options = '' + --delete-older-than 14d + ''; + }; + # Needed for rosetta-builder, see + # + # + linux-builder = { + enable = true; + ephemeral = true; + }; + extraOptions = '' + extra-platforms = x86_64-darwin + ''; + }; + nix-rosetta-builder.onDemand = true; # Create /etc/zshrc that loads the nix-darwin environment. programs.zsh.enable = true; # default shell on catalina From 91083619640f3f1df55a554bc453c9ca601bc5ba Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Thu, 4 Dec 2025 09:00:54 -0600 Subject: [PATCH 04/12] pkgs (desktop): add nixos-rebuild package --- homes/desktop.nix | 1 + 1 file changed, 1 insertion(+) 
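Review bot: The comment `# Needed for rosetta-builder, see` above `linux-builder` in the corianne.nix hunk is followed by two empty `#` lines, so the reference it promises was never filled in and a reader cannot tell why a second Linux builder VM is enabled next to `nix-rosetta-builder`. Say what it is needed for and where that is documented, e.g. `# Needed to bootstrap nix-rosetta-builder's own VM image; see <upstream README link placeholder>` — presumably that is the reason, but confirm it; if it is only a bootstrap dependency, also note whether `linux-builder` can be disabled again once the rosetta builder exists, since it is `ephemeral` but still a privileged build VM. The `nix = { ... }` block is fully inside the hunk.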
diff --git a/homes/desktop.nix b/homes/desktop.nix index 7b1b2ad..255db78 100644 --- a/homes/desktop.nix +++ b/homes/desktop.nix @@ -22,6 +22,7 @@ nil nixd nixfmt-classic + nixos-rebuild quarto roboto-slab shellcheck From 0571d801edfe6009b430207bed9ba06682de736a Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Thu, 4 Dec 2025 09:07:16 -0600 Subject: [PATCH 05/12] services (bosephus): Remove pihole service --- services/pihole.nix | 27 --------------------------- systems/linux/bosephus.nix | 1 - 2 files changed, 28 deletions(-) delete mode 100644 services/pihole.nix diff --git a/services/pihole.nix b/services/pihole.nix deleted file mode 100644 index ed4cd19..0000000 --- a/services/pihole.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, ... }: - -{ - age.secrets = { - pihole-credentials = { - file = ./../secrets/pihole.age; - owner = "root"; - group = "root"; - }; - }; - virtualisation = { - quadlet = { - containers = { - pihole = { - containerConfig = { - image = "docker.io/pihole/pihole:2025.06.2"; - publishPorts = - [ "53:53/tcp" "53:53/udp" "80:80/tcp" "443:443/tcp" ]; - environmentFiles = [ config.age.secrets.pihole-credentials.path ]; - networks = [ "bridge" ]; - dns = [ "127.0.0.1" "194.242.2.9" "9.9.9.9" ]; - }; - }; - }; - }; - }; -} diff --git a/systems/linux/bosephus.nix b/systems/linux/bosephus.nix index 79dcf54..6c8d181 100644 --- a/systems/linux/bosephus.nix +++ b/systems/linux/bosephus.nix @@ -9,7 +9,6 @@ ./hardware-configuration/bosephus.nix ./hardware-configuration/bosephus-external-drives.nix ./../../services/samba.nix - ./../../services/pihole.nix ]; # Bootloader. From a0175f565bd07dcade50fc431660c0d37152efc3 Mon Sep 17 00:00:00 2001 
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Mon, 8 Dec 2025 08:11:43 -0600 Subject: [PATCH 06/12] secrets! (pihole): Remove pihole secrets --- secrets.nix | 1 - secrets/pihole.age | Bin 926 -> 0 bytes 2 files changed, 1 deletion(-) delete mode 100644 secrets/pihole.age diff --git a/secrets.nix b/secrets.nix index 8042bf6..1e0ec3d 100644 --- a/secrets.nix +++ b/secrets.nix @@ -36,5 +36,4 @@ in { ++ [ corianne-host ]; "secrets/network-information.age".publicKeys = system-administrators ++ [ bosephus-host ]; - "secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ]; } diff --git a/secrets/pihole.age b/secrets/pihole.age deleted file mode 100644 index 1b2bc2533d7d7de5063e15de08cacfa0e5dd6df6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 926 zcmZ9~ON-nD003YWtr$u@C<-EMEXr2Hn8#!?31T6WWL}x)wHiu+u2=O+39LsdRK+FNAr|z)>7yg5R_Y5XYpTwKC@i|0 zm>2{Jbij0gVmR{R$;MKx8y=gND(0nem`}D~8mAS7bV!j+JYSbvD!!_rHk@Y}NT%gR zOET+xPfU=sn&Jr5@3mQaG%gV_o;75@KmwYe)DZ_jnrT~^fv~fd7(`U*aHY??lB*y- z7fG_0W0P^jNDMlZRyEV$t#$?msJa|8@kGvL&K^u6NNfhI-W7UXVkD5c&?hw8@1>~5 zMSwA(>3HcYbr&(Z2s(os94^o%PY(K##3-8?O2(eUY_=F~RjV$LTP6lee#1(c{c zbvDlXP>h>Q(ZHJ`yy#a`KB#*gAi%Q0R^rQ1b%j+97Ue9&K$chfAp+!&jp* Date: Mon, 8 Dec 2025 14:44:22 -0600 Subject: [PATCH 07/12] service (freshrss): Add freshrss service --- secrets.nix | 2 + secrets/freshrss.toml.age | Bin 0 -> 1285 bytes services/freshrss.nix | 124 +++++++++++++++++++++++++++++++++++++ systems/linux/mcentire.nix | 1 + 4 files changed, 127 insertions(+) create mode 100644 secrets/freshrss.toml.age create mode 100644 services/freshrss.nix diff --git a/secrets.nix b/secrets.nix index 1e0ec3d..45783ee 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -34,6 +34,8 @@ in { ++ [ mcentire-host ]; "secrets/darwin-policies-json.age".publicKeys = system-administrators ++ [ corianne-host ]; + "secrets/freshrss.toml.age".publicKeys = system-administrators + ++ [ mcentire-host ]; "secrets/network-information.age".publicKeys = system-administrators ++ [ bosephus-host ]; } diff --git a/secrets/freshrss.toml.age b/secrets/freshrss.toml.age new file mode 100644 index 0000000000000000000000000000000000000000..9bfa06c148bbaa685ffb520116db0ee1f6964663 GIT binary patch literal 1285 zcmZY2`)?Bk003YE1h+0LkPQeLvQlLul+s<>>w~~d*Vnb(wY^@i*DEB@_O93V+Fl>m z_O1}ZcuaJX06N$phz`ic28huOofE?VB`{FKQwL)Rh%BNI351z|zt8U<_<}Sgr&8gp zkmh1+YAKtg6$L;fZ;<42Q8`5_K@iYOVhL5Egh+5ZWR{V>dV?1=nMnc9vj!~;CyPF7AcE;&1>nuFkTpm|DK(6zQjkfb#bYsb#AhaC8YeP& z184GiQkn}1IM&1!g z(s`$hnY^hoZZ1ztQZa)kX15@KTL|d+JVXSnc8$ZU5Fp-)+9^C+G5}FK0t()u$l{H8 zG0usg@w7HU>5^_ISO}|1O)hHyRbiNqF*t(OFbC)hhRK_ZX^cgSlAswQ^C}Sb+qsm+ zqq8WIE~}fisC{G(H1nWK=wmdNhYWox0aaao1QpEx?TaAfU*<@-xp zryUvWyDoivC)Kos+jmiPue-NXc-8UA=5s?2?q3)^<*Vr)t6kGvR&`6%I<$8721RGb zgY8xC{C(o=)xU23AdYW&Ffn!JiMmbAvtGRAxqa~clM%XX&Unq6W5S_@<#Q@$x1oF6 z;kS3xZDTIANc;NEzoKR#=K74Iy*tzx3Wz(J?95txP z*H=tH^FzH=ElLA19T;9w=W5HooNwI!FwwIP*0=v#`Au4~NlARP5c^f~^}XD;$yI@^ z8%OR|HY@gYtlz19a`W1THBY;O15(>}AUI0y>FkQOFOrR2s>Jp&ORML~-S&-VD#q!> zTgJ8rrkovqI*~b=71e-Di}X-gZ|~-nktJ<|Aw>MSY{u}48T}tb$_K9Y3?T2mH@Bhr zy0$vK$hoMZ0%s*>_`|(#M5T|92bcXOJ{+3zu=~leN4t-Yw@e>CG0_;~X4Xmf+O+LM zP4TV+8l&yJXZO){*uaxJ>ve-XzT=C^2`hQ!M(zAQ)9MCl+5)(?A!}{j1rD@7 YLKB}BFMJ%nQT5@0^545&+b Date: Mon, 8 Dec 2025 17:22:33 -0600 Subject: [PATCH 08/12] fix (freshrss): Set OIDC variables --- secrets/freshrss.toml.age | Bin 1285 -> 1652 bytes services/freshrss.nix | 18 +++++++++++++++--- 2 files changed, 15 insertions(+), 3 deletions(-) 
diff --git a/secrets/freshrss.toml.age b/secrets/freshrss.toml.age index 9bfa06c148bbaa685ffb520116db0ee1f6964663..9fc2f10451f6ba0748e727945e1c5e1e0668054f 100644 GIT binary patch delta 1569 zcmV++2HyFF3iJ$+EPpq8Nl!&)MQ&|jMNeT#GHEn5O)^qcSx!lAcSdq;V^3yhL25@+ zVMtV0X9_h-Ic!vTbV*ilL`-8vWO!#%Rdz^KP*hhnGBkNFbb3!sGi73VMlnxkRSGRW zAaiqQEoEdfH8n9gATehzcz1UoRCz&RVt8#yNo#3RLuhGDI7V_&XJvIZOlEIGGgmla zNlj@~Q*lBtT6I!u3TjkDGizBkQg}!(V>32WNkVp0NNZMdO>8eYT61euaW8CaR&Qu> zF-}c1k?|K-cvfp=cvm@dVsuPSR&POCI5jYGSTHzYH8C%6bwzA4Y(`{od2VkwcR^N|ZDC|EH!*rjcrS8tQ8Q9cZ&+knP*_)RIdW)hQCc@RdTC>mUjY|aR&PNy zR!L?`Lu6D}SZzmjW@l4!a6)=aFL^I{O;2KNFLG^cGFoO)aWZcTaaUP%VK+BdF=j6{ zN^3|}aZyKaM^IKlIY&%pNn~nsVK7Z-XJspHS8sEZ%>fvHLQP0@W<+&KFi=cROhY+K zK}bbKT32!}ZB9~8NN`n2Suj#;F;;nXML`N{ZBKVXVMSCpI5=@ZbSp)7GdD6xGEFou zI9G5oFHB`ZQ*uycNpeF=XE+KiJ|J^*Xf0)AGBq_ZIUp-TFjrD%Aa!OhVR1)MXmD0W zIZIS+czQ2?c}{OKRVz1eM{`$jLNskJXJ{{1b4xN)X9{6SdSOv)LUB@YOm1#@QZ_Yh zaY<5YP%=eUSZh&aH$zrxNm+13F;_)&Zwf6fEg)7mGg2}`M0a8`M^0`wNNPrSLT7Jb zdR9keN?J=$PjPp3XI58wZEkZ}FbcW1l)wDe@Wl#$Gq4W$K|7M?WR~j263nSlO( zmtM~sX)J_?T)aw{0@QyN&|5kOHGyO@8&F{OxbaF#G+*PoiSd!Y(eutUqLgFJ!9ZBe z!H){7-g;K_4IA2DoMW*&DR&Pv0gz{a2AeE)Qh=}%!Qlmbg>7!B_hw+|xX8W28oW~h z0OhZL#xItLH@ze_HavoHHu*pPn{OLvrd}O|u;EvgMZw`lC7F54CEG?q39(UMvJ9zl zvz=<)x?7# z)F0(l_BFG+DWT-m8_sMS?!mWRu{-t7%>LP(fJEWK zDwLUd9T&jubm&?+D#v7usMKgb*kAt(8YZMJz+{vSbHt>`+#|hZLWMAP@Ld8R&bZY? 
zV9}9pS^9+yKiV`Xb&RplSMBRzKPWIGh;Adpor|jAJ8$G?7Sjp?w`N!in%x~)CX*e1 zt3D}I22~bW^N_m6OvuqD62FngU1E;YAMAujEElS~KuNMyaA+pKhNj5PzK6R92sIlq zoRaeA7jlszyVm{H4u=v<6RU3DHdwq28}&4KB#^0VfdqYaL6$7@QJMhkGz+dL4(w&e ztwhh5=wUj!$<>1Cbk^QH(GljOrj9G}rdx@}w+aNxQ_|Ii?FHz!jdgV;bzBGGJixvh+I(IxQBHWNAd z`6GkJ^NLIael`mwbr}_sMvlsSkc46)Eua>II|SAV=-oGYeo4_9S=q9OzVGpW8Dq5s z-IV#f#N}-d%F(H|{_59Jx^X2^Wc{jm&CFU;K6OM>tS9=JnM;B+f@Ymot-c2lXA`JN zq|}?IpfFuHWuGf9V`+0>Q7@q*K@4@SbG_o>wEA3>suwixEKVy<69^@ukDS9ovJ8eo zV^jPX)6uqz54IA(wRy(CfRVs|ifEZ?1SsXuzF3yxXONJBx8|V>D4F_xyM?Cfy;fPJ zJ(OONxG9v;Xa^#?D6N}6DyCenC7}@^q_`LXSsBZw1Sr*R$wPXoNo~Y>PH76F(rW;9 z04u>ER$=8|_jcw@oArL`RX1=ELPJgkTkW!NDm5s6V~MmGTTyn>SBhL1#)TO^>eMj7 TQp=5l-tjk9811F4Ea9H#b} zbcU3IP9{S^iz6Y6)g&@pSZIl+(lVC>0U$&djxla;Mo;G(l8hLXC!H#~KI4ibVk~U0 zGek8w9rSqhYPfB(f{^DiNgTrL@t{zjU~KM$0R!!_2oz4#q>MUoIcx#={z#4%8muBbUY(humP5fI;0vcYY9Z@tX0VDT05VvniUp@n1fg&X7&@QyhainPyuoKce4#ji zT7`a;RBK_}uea4n=(>C+ud}%21kL0mq$=ml_+gzZ?hU(C{|^vqYY3F)$6W>l$`X`a zn57t!V_fEf)rn|HUDlvZxJZOHiEZYP)SQw><$wXRdL>~gh`AYpQEiQ%G^26^Gh-QoNTYgl0!J|$ zMFXp;`*7u}p|-JtQ8@6=tK^T>JCF-&%Zta`e`Z7iUQ=MtnWFX3_=K>8_pB4sO||E5 z4>ewT34A%dr#Zjn3ip|Iz{v~FXgIol(aHn)Z8MJ!_1_RYxf`ormf3#^xZl&)#l7nM zWb66ihYv1}opx6Cj90B|EGoMVv<$DGw@KX9`LMO@y}wVMyH@z?)(^aJ)5ED5b52%o zX`K7w9rVtj4^IW?qWKe*Z;x|_7Z=Yjo!5@->ww>FtKPv}ZWi?SUwBb+79Bm`x~8M5 z`q_ekt$olRU-gb|NF2Go+-KeP=Zcxn4~=Q$)a$FJpoQMPvSz7!|0akbXTl!6cU)UlgKU$3c%K!R)`rGIl_qNTW_evYZdpkGoR8HQyzG>alZqJ~= z^c@I}QG2_(gB?qR($kVChu@q1VGR=a+MSXo+ zR|l504|x&Z=fc?|t7Z>u4-^kx>m5Yi|Dd9_@rJTIvBbKhq)B_p?KGnVF`tNU+|1@yt z@yg?8deI1Ai8QvHTlrvk=fS|eUqrh{7qn1aOHUEE%deh3RI;5nH*f7ZwgDfUyt`2~ z#1d^^luj9`t2e8v7WV7b*7|2If~#s%#+KdSV8>%D@@ekk$G)3oyABrr-u>DE-q3&D C6W@&h diff --git a/services/freshrss.nix b/services/freshrss.nix index e1da1ef..93272aa 100644 --- a/services/freshrss.nix +++ b/services/freshrss.nix 
@@ -101,8 +101,19 @@ in { CRON_MIN = "2,32"; LISTEN = "0.0.0.0:${port}"; OIDC_ENABLED = "1"; + OIDC_PROVIDER_METADATA_URL = + "https://auth.millironx.com/application/o/freshrss/.well-known/openid-configuration"; + OIDC_REMOTE_USER_CLAIM = "preferred_username"; + # OIDC_SCOPES = "openid profile"; + # OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto"; }; - secrets = [ "FRESHRSS_INSTALL,type=env" "FRESHRSS_USER,type=env" ]; + secrets = [ + "FRESHRSS_INSTALL,type=env" + "FRESHRSS_USER,type=env" + "OIDC_CLIENT_ID,type=env" + "OIDC_CLIENT_SECRET,type=env" + "OIDC_CLIENT_CRYPTO_KEY,type=env" + ]; healthCmd = "cli/health.php"; healthTimeout = "10s"; healthStartPeriod = "60s"; @@ -111,14 +122,15 @@ in { healthRetries = 3; networks = [ networks."${serviceContainer}".ref ]; }; - unitConfig.Requires = [ containers."${serviceContainer}-db".ref ]; - unitConfig.After = [ containers."${serviceContainer}-db".ref ]; + unitConfig.Requires = [ secrets.ref containers."${serviceContainer}-db".ref ]; + unitConfig.After = [ secrets.ref containers."${serviceContainer}-db".ref ]; }; }; networks."${serviceContainer}" = { }; autoUpdate.enable = true; + autoEscape = true; }; }; } From 1eebebdeb0848b48a7db2f157e8cf6454c2e2895 Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Mon, 8 Dec 2025 17:25:48 -0600 Subject: [PATCH 09/12] fix (freshrss): Bind port --- services/freshrss.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/services/freshrss.nix b/services/freshrss.nix index 93272aa..8f4d193 100644 --- a/services/freshrss.nix +++ b/services/freshrss.nix @@ -121,6 +121,7 @@ in { healthInterval = "75s"; healthRetries = 3; networks = [ networks."${serviceContainer}".ref ]; + publishPorts = [ "127.0.0.1:${port}:${port}" ]; }; unitConfig.Requires = [ secrets.ref containers."${serviceContainer}-db".ref ]; unitConfig.After = [ secrets.ref containers."${serviceContainer}-db".ref ]; 
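Review bot: `OIDC_REMOTE_USER_CLAIM = "preferred_username";` links the FreshRSS account to a claim that OpenID Connect Core says relying parties must not treat as unique or stable, so if the identity provider ever allows a username to be changed or reused, the new holder of that name inherits the FreshRSS account. FreshRSS keys accounts by username, so the mitigation sits on the provider side; record the assumption next to the line, e.g. `# Account linking relies on preferred_username being unique and non-reusable in Authentik`. The `OIDC_CLIENT_SECRET,type=env` and `OIDC_CLIENT_CRYPTO_KEY,type=env` entries expose those values in the container's process environment (and through `podman inspect`), which is wider than a file-type secret would be; a later commit in this series concludes FreshRSS does not read OIDC settings from the environment at all, which strengthens the case for not injecting them this way. The enclosing `environments` and `secrets` attributes are complete in the hunk, but the surrounding containerConfig set continues outside it.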
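Review bot: `publishPorts = [ "127.0.0.1:${port}:${port}" ];` is the right choice, but nothing in the file records that this loopback-only binding is the boundary that makes trusting X-Forwarded-* headers from the reverse proxy acceptable (the `OIDC_X_FORWARDED_HEADERS` setting is enabled in the following commit). A short comment keeps the two from drifting apart if someone later publishes the port on all interfaces: `# Loopback only: Caddy on the host is the sole ingress, which is what makes the X-Forwarded-* trust safe`. Note that `LISTEN = "0.0.0.0:${port}"` inside the container is still correct here, since the container-side bind is what the published mapping targets.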
From 3f35901fd31c5862fa6791f6e7588d1150369712 Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Mon, 8 Dec 2025 17:29:00 -0600 Subject: [PATCH 10/12] fix (freshrss): Uncomment required variables --- services/freshrss.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/freshrss.nix b/services/freshrss.nix index 8f4d193..b2985db 100644 --- a/services/freshrss.nix +++ b/services/freshrss.nix @@ -104,8 +104,8 @@ in { OIDC_PROVIDER_METADATA_URL = "https://auth.millironx.com/application/o/freshrss/.well-known/openid-configuration"; OIDC_REMOTE_USER_CLAIM = "preferred_username"; - # OIDC_SCOPES = "openid profile"; - # OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto"; + OIDC_SCOPES = "openid profile"; + OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto"; }; secrets = [ "FRESHRSS_INSTALL,type=env" From 1fc358b482ce80a3e0ba8528a2be9eed9f84362d Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Mon, 8 Dec 2025 20:40:27 -0600 Subject: [PATCH 11/12] fix (freshrss): Networking stack fixes --- services/freshrss.nix | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/services/freshrss.nix b/services/freshrss.nix index b2985db..aa1210b 100644 --- a/services/freshrss.nix +++ b/services/freshrss.nix @@ -25,7 +25,9 @@ in { }; services.caddy.virtualHosts."feeds.millironx.com".extraConfig = '' - reverse_proxy http://127.0.0.1:${port} + reverse_proxy http://127.0.0.1:${port} { + header_up X-Forwarded-Port 443 + } ''; systemd.tmpfiles.rules = builtins.map createTmpfilesRule 
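Review bot: Enabling `OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";` tells FreshRSS to build its external URL, and therefore its OIDC redirect target, from headers supplied by whoever connects to the container port, and at this point in the series there is no proxy allow-list restricting who that is. The loopback `publishPorts` binding limits the exposure to host-local processes and peers on the container network, and the next commit adds `TRUSTED_PROXY`, but the two settings are one logical change and would be easier to review landed together. A comment on this line naming the trust dependency, e.g. `# Only meaningful together with TRUSTED_PROXY below; never enable on a port reachable by untrusted clients`, would make the coupling explicit.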
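Review bot: `header_up X-Forwarded-Port 443` hard-codes the port instead of deriving it, which works while the site is only served on 443 but will silently produce a wrong OIDC redirect URI if Caddy ever listens elsewhere, and the reason the header is needed is not recorded. Suggest `# FreshRSS rebuilds its external URL from X-Forwarded-*; Caddy does not add X-Forwarded-Port on its own` above the line. As far as I recall, Caddy's reverse_proxy only passes through client-supplied X-Forwarded-Proto/Host values when the client is listed in `trusted_proxies`, so a spoofed header should not reach FreshRSS through this path; it is worth confirming no global `trusted_proxies` directive elsewhere in the config widens that. The Caddy virtual host block is fully inside the hunk, but the enclosing NixOS module continues outside it.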
@@ -96,16 +98,21 @@ in { autoStart = true; containerConfig = { image = "docker.io/freshrss/freshrss:1"; + # Required to allow the container to talk to the host ports, in + # other words, to resolve Authentik correctly + addHosts = [ "auth.millironx.com:host-gateway" ]; environments = { TZ = osConfig.time.timeZone; CRON_MIN = "2,32"; LISTEN = "0.0.0.0:${port}"; + TRUSTED_PROXY = "172.16.0.1/12 192.168.0.1/16"; OIDC_ENABLED = "1"; OIDC_PROVIDER_METADATA_URL = "https://auth.millironx.com/application/o/freshrss/.well-known/openid-configuration"; OIDC_REMOTE_USER_CLAIM = "preferred_username"; - OIDC_SCOPES = "openid profile"; - OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto"; + OIDC_SCOPES = "openid email profile"; + OIDC_X_FORWARDED_HEADERS = + "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto"; }; secrets = [ "FRESHRSS_INSTALL,type=env" @@ -123,8 +130,10 @@ in { networks = [ networks."${serviceContainer}".ref ]; publishPorts = [ "127.0.0.1:${port}:${port}" ]; }; - unitConfig.Requires = [ secrets.ref containers."${serviceContainer}-db".ref ]; - unitConfig.After = [ secrets.ref containers."${serviceContainer}-db".ref ]; + unitConfig.Requires = + [ secrets.ref containers."${serviceContainer}-db".ref ]; + unitConfig.After = + [ secrets.ref containers."${serviceContainer}-db".ref ]; }; }; From 6fbf0f2b7d209ad5bd60c1cc2d7f05bfe3125115 Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Tue, 9 Dec 2025 08:47:04 -0600 Subject: [PATCH 12/12] fix (freshrss): OIDC config mounting After much troubleshooting, I figured out that FreshRSS does not actually support OIDC with the use of the environment variables for configuration. Instead, the config files actually have to be set with the web wizard and persisted with a volume mount. Do that. --- secrets/freshrss.toml.age | Bin 1652 -> 1185 bytes services/freshrss.nix | 14 +++++++------- 2 files changed, 7 insertions(+), 7 deletions(-) 
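Review bot: `TRUSTED_PROXY = "172.16.0.1/12 192.168.0.1/16";` trusts every address in two whole RFC 1918 blocks to set X-Forwarded-Host/Port/Proto, which is far broader than the single proxy (the host's address on the podman bridge) that actually fronts the container; any peer on the same container network or LAN inside those ranges could then rewrite the host FreshRSS uses for URLs and OIDC redirect targets. Narrow it to the bridge gateway, e.g. `TRUSTED_PROXY = "<podman-network-gateway>/32";` (placeholder; the subnet comes from the `networks."${serviceContainer}"` definition, which currently takes podman's defaults). The values are also written as host addresses with a mask (`172.16.0.1/12`) rather than network addresses (`172.16.0.0/12`), a form some CIDR parsers reject or truncate, so normalise whichever range is kept. The `addHosts = [ "auth.millironx.com:host-gateway" ]` entry is fine as long as TLS to Authentik is still validated against the hostname, which the existing comment could state. The containerConfig set continues outside the hunk.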
diff --git a/secrets/freshrss.toml.age b/secrets/freshrss.toml.age index 9fc2f10451f6ba0748e727945e1c5e1e0668054f..e253b881a3ab7741cedfcd65baaf390014ecedea 100644 GIT binary patch delta 1099 zcmZ9}>u(bU003}7B3eMjOa=t7VwS-&0ly|&kONL}x)*RJdPx_dBE z4DbPDB7rO#AIl=T3^v6DV$dLv@YrT1%xp0*6eB@JKpBJKkgDJP{R_Xl3wxe;yRkwV zT`=Hs(-8-6@R2z0PoR2)@MR0F6dVdUXsg$%fW|E2lX;aVizxzWNA(1pC}v&yc$v0= zpr6xaas+@&e!ClWx{_%Z2L@Hzm(`_GQp>TB!JxCKbvz)6qB=qg?h+ia;^jbz1Sz9v z_v`eW#hf5;)Jtht!9qb$u&qq_Y@~|gm0}Bu#;sB`V`8vu8uZ$A0E7fRN}Rw_P=GX0 zSw&+ITupnYYUxD4m5fN}@tf`8B$_r@t;RG3DGJ2<*(MyYp+ObiE|fJS zD`*P-6q1IBq%nsS`7o|&$pKPp0;Wx9Ims2%oJ-snn^Q}NfdXnM!hwvH#A&L%-2`%^ z3~0g_YA!|dCcm5mQW>ORNjO|8o{3n(h!o6%vKPzdNspTk$U+uG87o2(PLC7Aynd&F z5ToM0(K)ph#)zUVb`Fs7h%HWO^6de$E@@+pZrNuNO(h~6@;M7EE959xWy@wV8Yin@ zrW9vu;~Ys;iicWwEE(`5K-8t!y+tBvH6cZY`Tu|h0ck(4&H`kJY0b5;Kb1L!UF)NZ_KV$BTmHHsd@wwJLC>QN(U1QLJ@Q3O{e%9Y zz4^~s$%Bq>yXJgmviH`O*UhBd7+c1!pZ;W-P$>*5!wa@mmQU{)&Q~t4K(ELH-);C_ zf4g&X)_kXWBhgoPdGaauxvKPTqRsZJcA&Z+Y9M}+R8Z`+dHU>*pyY$V!)N^? 
zq55NTH)!l);;MMUC+I_@;`Ldwif^Z delta 1570 zcmV+-2Hp9g3G@t*EPpq8Nl!&)MQ&|jMNeT#GHEn5O)^qcSx!lAcSdq;V^3yhL25@+ zVMtV0X9_h-Ic!vTbV*ilL`-8vWO!#%Rdz^KP*hhnGBkNFbb3!sGi73VMlnxkRSGRW zAaiqQEoEdfH8n9gATehzcz1UoRCz&RVt8#yNo#3RLuhGDI7V_&XJvIZOlEIGGgmla zNlj@~Q*lBtT6I!u3TjkDGizBkQg}!(V>32WNkVp0NNZMdO>8eYT61euaW8CaR&Qu> zF-}c1k?|K-cvfp=cvm@dVsuPSR&POCI5jYGSTHzYH8C%6bwzA4Y(`{od2VkwcR^N|ZDC|EH!*rjcrS8tQ8Q9cZ&+knP*_)RIdW)hQCc@RdTC>mUjY|aR&PNy zR!L?`Lu6D}SZzmjW@l4!a6)=aFL^I{O;2KNFLG^cGFoO)aWZcTaaUP%VK+BdF=j6{ zN^3|}aZyKaM^IKlIY&%pNn~nsVK7Z-XJspHS8sEZ%>fsGVM0wvb!J3$Nia}MPE12N zOF>9QMOs&KFKtdzPe^c8Nm(#bY%x}Obwxo6Yi&<=LSaQzI5;?QL3ArccQZFKNit0| zFF03lGA~SJLQ`^3Wl3^FOJ_I=Ej}P~b7(DPWHL21F*zVBLoioTXCQTEFJW;cO zd6!<#8)+Cn2$j!J&J=iDX56ND{|JM3@$q*^A9w@?R_|?RN zA=Dq`RrWQryD6dM)#Uw!tW%gf2~tVxh?(Di6HYp;Ya7mN8}7lkU9mg$&dmPVoq$B) z!YY)Rc^wzP?R4l`IV#6wjHuLTKiFUY3mPV*F2H1z4Rge#$lN2nWkQ88cJN&SAkMhe zL}1a8Z&~_<4L{m6D0Pgn&{ys2VLvD^BZzJz!<~z&;5%>RXBN{61Gi>a3!2>>StgTz z9jiVmR0dTRS@V#(#!Sf3CKA7q#$95L(;w`FM=TeryFf{@Rd8q~zlNsB&Ax}b2M9GA zF`Sa}=NEF3BD>c8)eeUeOcSea-!@ph3>)<{c_fgjYk>rPc0rab^HG`r>@*9mCl2go z$E`%qnCM|TxyjXn>2%iKJkb&6qoQ>-WYnVCz1G=gTGR;|7V5oZ&q zNu<=9r=T!hIAxzJE@NqPU{NojBS8#xu5-QO;k5c(l&Tjr?<`I$P7??vqK}-zLb42o zLSs|>7}L?Vix0LEz_oeCz<`l|z=~*@Y6K|d(7srf;%AVMg16?O3n-cTe!GRH>%CT4 zr9G5hk+><8(P#%Ex+txiKPskNt|g%nA*8q%0a+Q#rUWR}ZplM>s!46cdQNEyqS9*s zbpR{DAy#4KU-x$AO`G+8>Qy&z5kf;w1zYX1a4Iz@eq)KW8Cy|y(pQQZT*ieNKI+sk U!BdvvGu&uI%oixil6p9*qiI{35C8xG diff --git a/services/freshrss.nix b/services/freshrss.nix index aa1210b..2f142ff 100644 --- a/services/freshrss.nix +++ b/services/freshrss.nix @@ -7,10 +7,9 @@ let serviceContainer = "freshrss"; stateSubDir = subDir: "${stateDirectory}/${subDir}"; createTmpfilesRule = subDir: "d ${stateSubDir subDir} 1755 ${user} ${user}"; - volumeMount = subDir: bindDir: "${stateDirectory}/${subDir}:${bindDir}:U"; dbDirectories = [ "database" ]; - serviceDirectories = [ ]; + serviceDirectories = [ "data" "extensions" ]; in { age.secrets = { "freshrss.toml" = { 
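Review bot: `serviceDirectories = [ "data" "extensions" ];` hands these names to `createTmpfilesRule`, which creates each directory with mode `1755`, i.e. world-readable and world-traversable, and per the commit message `data` is now where the OIDC configuration, including the client secret, is persisted. A sticky world-readable mode suits a shared tmp-style directory but not a credentials-bearing state directory; `0750 ${user} ${user}` (or `0700`) is the safer default for the rule unless something outside this file needs world access. Whether the rule is actually applied to `serviceDirectories` depends on the argument to `systemd.tmpfiles.rules = builtins.map createTmpfilesRule`, which lies outside this hunk, so please confirm before relying on it. The `let` block is complete here, but the hunk's `age.secrets` set continues outside it.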
@@ -85,9 +84,8 @@ in { healthInterval = "30s"; healthRetries = 5; healthStartPeriod = "20s"; - volumes = pkgs.lib.imap0 (i: sub: - volumeMount sub - (builtins.elemAt [ "/var/lib/postgresql/data" ] i)) dbDirectories; + volumes = + [ "${stateDirectory}/database:/var/lib/postgresql/data:U" ]; networks = [ networks."${serviceContainer}".ref ]; }; unitConfig.Requires = [ secrets.ref ]; @@ -115,8 +113,6 @@ in { "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto"; }; secrets = [ - "FRESHRSS_INSTALL,type=env" - "FRESHRSS_USER,type=env" "OIDC_CLIENT_ID,type=env" "OIDC_CLIENT_SECRET,type=env" "OIDC_CLIENT_CRYPTO_KEY,type=env" @@ -129,6 +125,10 @@ in { healthRetries = 3; networks = [ networks."${serviceContainer}".ref ]; publishPorts = [ "127.0.0.1:${port}:${port}" ]; + volumes = [ + "${stateDirectory}/data:/var/www/FreshRSS/data:U" + "${stateDirectory}/extensions:/var/www/FreshRSS/extensions:U" + ]; }; unitConfig.Requires = [ secrets.ref containers."${serviceContainer}-db".ref ];
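Review bot: `volumes = [ "${stateDirectory}/database:/var/lib/postgresql/data:U" ];` spells the host path out as a literal while the `stateSubDir` helper and the `dbDirectories = [ "database" ]` list that drives the tmpfiles rule remain, so the mounted path and the pre-created directory can now drift apart without a type error. Writing it as `"${stateSubDir "database"}:/var/lib/postgresql/data:U"` keeps the one source of truth for the directory name that the removed `imap0` construction was providing. The `:U` suffix recursively chowns the database directory on every start, which is unchanged behaviour but worth a one-line comment since it is easy to mistake for a mode flag.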
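Review bot: The `OIDC_CLIENT_ID`/`OIDC_CLIENT_SECRET`/`OIDC_CLIENT_CRYPTO_KEY` `type=env` secrets and the `OIDC_*` environment entries are still injected even though this commit's message concludes FreshRSS does not read OIDC settings from the environment, so the client secret and crypto key sit in the container's environment (visible to every process inside it and via `podman inspect`) with no functional benefit while the authoritative copy now lives in the `data` bind mount added here. Either remove those secret entries or document why they stay, e.g. `# FreshRSS ignores OIDC_* from the environment; kept only for <reason>`. With `"${stateDirectory}/data:/var/www/FreshRSS/data:U"` now carrying the configuration, the on-disk `data` directory should not be group- or world-readable, which the tmpfiles rule earlier in the file does not currently guarantee. The containerConfig set and the `unitConfig` lines continue outside the hunk.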