From dbda818a24af12bd3de6416199451f419557acb4 Mon Sep 17 00:00:00 2001
From: spl3g
Date: Tue, 24 Mar 2026 00:06:02 +0300
Subject: feat(servers): add search, mail, git and fix some things
---
flake.lock | 102 +++++++---
flake.nix | 7 +
modules/hosts/ltrr-block/configuration.nix | 219 +++++++++++++++++++--
...0f1ce536b1c47d686f069d9215d2-stalwart-admin.age | 9 +
...384b05f3c1e02246b581adc35f26293-stalwart-pk.age | Bin 0 -> 583 bytes
...16177ce556ace6c3b469e9e10d1e0-stalwart-cert.age | Bin 0 -> 3214 bytes
.../ltrr-block/secrets/stalwart-admin.key.age | 9 +
modules/hosts/ltrr-block/secrets/stalwart-cert.age | Bin 0 -> 3159 bytes
modules/hosts/ltrr-block/secrets/stalwart-pk.age | Bin 0 -> 582 bytes
modules/hosts/ltrr-cloud/configuration.nix | 170 +++++++++++-----
.../ltrr-cloud/secrets/authelia-users.yaml.age | Bin 0 -> 595 bytes
...0776898d34c69149dfd6e093d324-authelia-users.age | Bin 0 -> 548 bytes
modules/nixosModules/nginxProxy.nix | 55 ++++--
modules/nixosModules/watcharr.nix | 2 +-
14 files changed, 459 insertions(+), 114 deletions(-)
create mode 100644 modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age
create mode 100644 modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age
create mode 100644 modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age
create mode 100644 modules/hosts/ltrr-block/secrets/stalwart-admin.key.age
create mode 100644 modules/hosts/ltrr-block/secrets/stalwart-cert.age
create mode 100644 modules/hosts/ltrr-block/secrets/stalwart-pk.age
create mode 100644 modules/hosts/ltrr-cloud/secrets/authelia-users.yaml.age
create mode 100644 modules/hosts/ltrr-cloud/secrets/rekeyed/f9330776898d34c69149dfd6e093d324-authelia-users.age
diff --git a/flake.lock b/flake.lock
index b6e3589..c7ff500 100644
--- a/flake.lock
+++ b/flake.lock
@@ -35,11 +35,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1759699908, - "narHash": "sha256-kYVGY8sAfqwpNch706Fy2+/b+xbtfidhXSnzvthAhIQ=", + "lastModified": 1772478757, + "narHash": "sha256-OZ/rD87JVagLiHCz5M/kfu5n3+32G+kvoZ3F5xmzVng=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "42362b12f59978aabf3ec3334834ce2f3662013d", + "rev": "4b0b511675cc368956a3917f0710dd62ba7b4043", "type": "github" }, "original": { @@ -72,6 +72,24 @@ "type": "github" } }, + "beaker-src": { + "flake": false, + "locked": { + "lastModified": 1773884524, + "narHash": "sha256-1dnlofWaxI/YRID+WPz2jHZNDyloBubDt/bAQk9ePLU=", + "ref": "refs/heads/master", + "rev": "abc598baf15d6f8a4de395a27ba34b1e769558e1", + "revCount": 21, + "shallow": false, + "type": "git", + "url": "https://git.bwaaa.monster/beaker" + }, + "original": { + "shallow": false, + "type": "git", + "url": "https://git.bwaaa.monster/beaker" + } + }, "crane": { "locked": { "lastModified": 1760924934, @@ -158,11 +176,11 @@ ] }, "locked": { - "lastModified": 1769524058, - "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", + "lastModified": 1773889306, + "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=", "owner": "nix-community", "repo": "disko", - "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", + "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347", "type": "github" }, "original": { @@ -229,11 +247,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1768135262, - "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=", + "lastModified": 1772408722, + "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac", + "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", "type": "github" }, "original": { 
@@ -309,11 +327,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1769699427, - "narHash": "sha256-dAQt3qXugGhg92A+jqaUcmH0elbgEN/mV4vy1+ohLZk=", + "lastModified": 1774007980, + "narHash": "sha256-FOnZjElEI8pqqCvB6K/1JRHTE8o4rer8driivTpq2uo=", "owner": "nix-community", "repo": "home-manager", - "rev": "2a08ab21abc8b482f41c521b5f9b0df5b18a67eb", + "rev": "9670de2921812bc4e0452f6e3efd8c859696c183", "type": "github" }, "original": { @@ -324,11 +342,11 @@ }, "import-tree": { "locked": { - "lastModified": 1763762820, - "narHash": "sha256-ZvYKbFib3AEwiNMLsejb/CWs/OL/srFQ8AogkebEPF0=", + "lastModified": 1773693634, + "narHash": "sha256-BtZ2dtkBdSUnFPPFc+n0kcMbgaTxzFNPv2iaO326Ffg=", "owner": "vic", "repo": "import-tree", - "rev": "3c23749d8013ec6daa1d7255057590e9ca726646", + "rev": "c41e7d58045f9057880b0d85e1152d6a4430dbf1", "type": "github" }, "original": { @@ -355,11 +373,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1765674936, - "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=", + "lastModified": 1772328832, + "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85", + "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", "type": "github" }, "original": { @@ -370,11 +388,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1769651179, - "narHash": "sha256-+CBdFa+LgNhX63PxP5JsBi9iMbf9GPBzxXOHQweFBRU=", + "lastModified": 1774041495, + "narHash": "sha256-Jbzx23j3YPRChU/djx7EhhupGlDq7CRQ8L0IWYCbav4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fabe65b5b16d107e904f3d9a590b91bed77e767a", + "rev": "5ba249aa104c36c3542e3017d85cf55196732b7b", "type": "github" }, "original": { 
@@ -386,11 +404,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1769598131, - "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", + "lastModified": 1773814637, + "narHash": "sha256-GNU+ooRmrHLfjlMsKdn0prEKVa0faVanm0jrgu1J/gY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", + "rev": "fea3b367d61c1a6592bc47c72f40a9f3e6a53e96", "type": "github" }, "original": { @@ -402,11 +420,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1769018530, - "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", + "lastModified": 1773821835, + "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", + "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0", "type": "github" }, "original": { @@ -418,11 +436,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1769461804, - "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", + "lastModified": 1773821835, + "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d", + "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0", "type": "github" }, "original": { @@ -432,6 +450,27 @@ "type": "github" } }, + "omnisearch": { + "inputs": { + "beaker-src": "beaker-src", + "nixpkgs": [ + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1774184185, + "narHash": "sha256-uxvwbXjpJUpWgXLi3Oadd+PqR3UV5MC7B/lm45oluLc=", + "ref": "refs/heads/master", + "rev": "bcee71cbbb0282d84841ba9b8908773ab56decf2", + "revCount": 66, + "type": "git", + "url": "https://git.bwaaa.monster/omnisearch" + }, + "original": { + "type": "git", + "url": "https://git.bwaaa.monster/omnisearch" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", 
@@ -466,7 +505,8 @@ "import-tree": "import-tree", "nixpkgs": "nixpkgs_3", "nixpkgs-small": "nixpkgs-small", - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable", + "omnisearch": "omnisearch" } }, "rust-overlay": { diff --git a/flake.nix b/flake.nix index 497471e..7019be4 100644 --- a/flake.nix +++ b/flake.nix @@ -24,6 +24,13 @@ }; deploy-rs.url = "github:serokell/deploy-rs"; + + omnisearch = { + url = "git+https://git.bwaaa.monster/omnisearch"; + inputs = { + nixpkgs.follows = "nixpkgs-stable"; + }; + }; }; outputs = inputs: diff --git a/modules/hosts/ltrr-block/configuration.nix b/modules/hosts/ltrr-block/configuration.nix index 5ee4711..556c852 100644 --- a/modules/hosts/ltrr-block/configuration.nix +++ b/modules/hosts/ltrr-block/configuration.nix @@ -13,6 +13,7 @@ modulesPath, pkgs, config, + lib, ... }: let domain = "kcu.su"; @@ -63,6 +64,15 @@ }; }; + users.users.git = { + group = "git"; + extraGroups = ["files"]; + home = lib.mkForce "/var/lib/git"; + createHome = true; + isSystemUser = true; + }; + users.groups.git = {}; + users.users.mc = { isNormalUser = true; packages = with pkgs; [ @@ -99,8 +109,18 @@ networking.hostName = "ltrr-block"; networking.firewall = { - allowedTCPPorts = [80 5030 2049 25565]; - allowedUDPPorts = [51820 16261 16262]; + allowedTCPPorts = [ + 80 + # mail + 25 + 465 + 993 + + 25565 # minecraft + ]; + allowedUDPPorts = [ + 51820 + ]; }; security.acme = { 
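Review bot: The new `omnisearch` input in flake.nix names no commit or ref, so the only thing fixing what gets built is flake.lock, which records `refs/heads/master` on a self-hosted forge and pulls a second source, `beaker-src`, from the same host. Consider naming the reviewed commit in the input itself, `url = "git+https://git.bwaaa.monster/omnisearch?rev=bcee71cbbb0282d84841ba9b8908773ab56decf2";` (the rev currently in flake.lock), so that a routine `nix flake update` cannot move this input without a visible edit to flake.nix. A short comment above the input, such as `# search frontend, third-party forge: review the upstream diff before bumping`, would record the intent. The `inputs` attrset starts and ends outside the hunk.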
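Review bot: `extraGroups = ["files"];` on the new `git` system user widens what the git services can reach, and nothing in the hunk says why it is needed. Later in this commit both cgit (published without Authelia) and gitolite run as `git`, so a flaw in either would inherit group access to whatever `files` owns, presumably the rest of /srv/files. If the membership exists only so `git` can traverse /srv/files to reach /srv/files/git, say so in a comment such as `# files: needed only to traverse /srv/files`, or move the repositories to a path that needs no extra group.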
@@ -137,13 +157,24 @@ "tube".proxyPass = "http://127.0.0.1:5410"; "torrents".proxyPass = "http://127.0.0.1:7317"; "jellyfin".proxyPass = "http://127.0.0.1:8096"; + "books" = { + proxyPass = "http://127.0.0.1:6458"; + proxyWebsockets = true; + }; "lidarr" = { proxyPass = "http://127.0.0.1:8686"; proxyWebsockets = true; }; - - "prowlarr".proxyPass = "http://127.0.0.1:9696"; "shelfmark".proxyPass = "http://127.0.0.1:8084"; + "mail".proxyPass = "http://127.0.0.1:7845"; + }; + extraVirtualHosts = { + "navidrome.${domain}" = { + enableAuthelia = false; + }; + "git.${domain}" = { + enableAuthelia = false; + }; }; }; @@ -235,10 +266,6 @@ group = "music"; }; - services.prowlarr = { - enable = true; - }; - services.qbittorrent = { enable = true; user = "files"; @@ -410,7 +437,7 @@ # "127.0.0.1:8083:8083" # ]; # volumes = [ - # "/srv/files/books:/calibre-library" + # "/srv/files/books/library:/calibre-library" # "/srv/files/books/injest:/cwa-book-ingest" # "/var/lib/cwa:/config" # ]; @@ -441,16 +468,36 @@ "host" ]; }; - services.booklore = { + + services.audiobookshelf = { enable = true; - subdomain = "books"; - uid = "1000"; - gid = "1001"; - settings = { - timezone = "Europe/Yekaterinburg"; - booksDir = "/srv/files/books/library"; - bookdropDir = "/srv/files/books/injest"; + port = 6458; + user = "files"; + group = "books"; + }; + + createPaths."/var/lib/stump" = { + owner = "files"; + group = "books"; + permissions = "0750"; + }; + + virtualisation.oci-containers.containers.stump = { + image = "aaronleopold/stump:nightly"; + volumes = [ + "/var/lib/stump:/config" + "/srv/files/books/library:/data" + ]; + ports = [ + "127.0.0.1:10821:10801" + ]; + environment = { + PUID = "1000"; + PGID = "1001"; }; + networks = [ + "host" + ]; }; services.watcharr = { 
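Review bot: `"navidrome.${domain}"` and `"git.${domain}"` are switched to `enableAuthelia = false;` in the first hunk on this line with no comment giving the reason, and the new `"mail"` entry puts Stalwart's management listener (`127.0.0.1:7845`, defined later in this commit) behind the proxy. For `git` this matters because the cgit block later in the commit also sets `checkExportOkFiles = false`, so nothing visible here gates that vhost. I would add a comment on each exemption, for example `# no SSO: native clients cannot follow the Authelia redirect; the service does its own auth`, if that is the reason. It is also worth confirming that `mail` keeps Authelia, since it fronts the admin interface; the default lives in nginxProxy.nix, which this commit changes but which is not visible here. The enclosing attrset begins outside the hunk.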
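Review bot: In the stump container of the last hunk on this line, `ports = ["127.0.0.1:10821:10801"];` is unlikely to have any effect next to `networks = ["host"];`, because container runtimes ignore published ports in host network mode. The service would then listen on host port 10801 on whatever address it binds, not on loopback 10821. Keep one of the two; dropping the `networks` entry preserves the loopback-only mapping the `ports` line asks for. Separately, `aaronleopold/stump:nightly` is a moving tag, so each redeploy can pull an image nobody reviewed; a release tag or a digest (`image = "aaronleopold/stump@sha256:<digest-placeholder>";`) avoids that.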
@@ -458,6 +505,144 @@ subdomain = "watched"; }; + age.secrets.stalwart-admin = { + rekeyFile = ./secrets/stalwart-admin.key.age; + }; + age.secrets.stalwart-cert = { + rekeyFile = ./secrets/stalwart-cert.age; + }; + age.secrets.stalwart-pk = { + rekeyFile = ./secrets/stalwart-pk.age; + }; + + services.stalwart-mail = { + enable = true; + settings = { + server = { + hostname = "mail.kcu.su"; + listener = { + smtp = { + bind = ["[::]:25"]; + protocol = "smtp"; + }; + submissions = { + bind = ["[::]:465"]; + protocol = "smtp"; + tls.implicit = true; + }; + imaptls = { + bind = ["[::]:993"]; + protocol = "imap"; + tls.implicit = true; + }; + management = { + bind = ["127.0.0.1:7845"]; + protocol = "http"; + }; + }; + }; + storage = { + data = "rocksdb"; + fts = "rocksdb"; + blob = "rocksdb"; + lookup = "rocksdb"; + directory = "internal"; + }; + store.rocksdb = { + type = "rocksdb"; + path = "${config.services.stalwart-mail.dataDir}/data"; + compression = "lz4"; + }; + directory.internal = { + type = "internal"; + store = "rocksdb"; + }; + tracer.stdout = { + type = "stdout"; + level = "info"; + ansi = false; + enable = true; + }; + authentication.fallback-admin = { + user = "admin_fallback"; + secret = "%{file:/run/credentials/stalwart-mail.service/admin_secret}%"; + }; + config = { + local-keys = [ + "store.*" + "directory.*" + "tracer.*" + "!server.blocked-ip.*" + "!server.allowed-ip.*" + "server.*" + "authentication.fallback-admin.*" + "cluster.*" + "config.local-keys.*" + "storage.data" + "storage.blob" + "storage.lookup" + "storage.fts" + "storage.directory" + "certificate.*" + ]; + }; + certificate.default = { + cert = "%{file:/run/credentials/stalwart-mail.service/cert}%"; + private-key = "%{file:/run/credentials/stalwart-mail.service/pk}%"; + default = true; + }; + }; + credentials = { + cert = config.age.secrets.stalwart-cert.path; + pk = config.age.secrets.stalwart-pk.path; + admin_secret = config.age.secrets.stalwart-admin.path; + }; + }; + + 
createPaths."/srv/files/git" = { + owner = "git"; + group = "git"; + permissions = "0770"; + }; + services.cgit.kcu = { + enable = true; + user = "git"; + group = "git"; + scanPath = "/srv/files/git"; + gitHttpBackend = { + enable = true; + checkExportOkFiles = false; + }; + nginx.virtualHost = "git.${domain}"; + + settings = { + root-title = "kcu.su git"; + root-desc = "this is where i keep my (dead) projects"; + + enable-git-config = 1; + + about-filter = "${pkgs.cgit}/lib/filters/about-formatting.sh"; + source-filter = "${pkgs.cgit}/lib/filters/syntax-highlighting.py"; + readme = [ + "master:README.md" + "master:README.org" + ]; + project-list = "/var/lib/git/projects.list"; + }; + }; + + services.gitolite = { + enable = true; + user = "git"; + description = ""; + group = "git"; + adminPubkey = ""; + extraGitoliteRc = '' + $RC{GIT_CONFIG_KEYS} = ".*"; + $RC{GL_REPO_BASE} = "/srv/files/git"; + ''; + }; + services.immich = { enable = true; }; diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age b/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age new file mode 100644 index 0000000..90ca528 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptoveQ vDi/rd7OWJyvz4nnM2kwX+8f9Vvru1lgvEXXHoD5TgQ +qMckZ4SxsRksF8Yg8MtSlZtvn/sm73xskjI9DSmIQtE +-> 8-grease k# SA{/ =I;)gK +844hA/7PS0QSd1dP16JX7JTJW8NWhSouyEF7VBpa8+uIZSrfUOwJDs+Af7dtIEd2 + +--- TLscAo6DhT5qKf7AAH7GqpigW8L/bMsoSBpoDWmVRtI +7+"Ry& ( _(Hk VLNm8WCg[pZkΗK`o" eV#KܰDyyRċTiB |uW + d%vPH&ۻ:z \ No newline at end of file 
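Review bot: In the hunk that starts on the previous line and ends here, `gitHttpBackend.checkExportOkFiles = false;` combined with `enableAuthelia = false` on `git.${domain}` appears to make every repository under `/srv/files/git` clonable anonymously. Since `GL_REPO_BASE` is that same directory, this would presumably include `gitolite-admin.git`; `project-list` only limits what cgit lists, not what git-http-backend serves. Setting `checkExportOkFiles = true;` and granting the gitolite `daemon` user read access on the repos meant to be public restricts cloning to repos that carry `git-daemon-export-ok`. `$RC{GIT_CONFIG_KEYS} = ".*";` lets anyone who can push to gitolite-admin set arbitrary git config keys on the server, while cgit's `enable-git-config` only reads its own, so `$RC{GIT_CONFIG_KEYS} = 'gitweb\..* cgit\..*';` would be enough. `adminPubkey = "";` also looks unfinished, as gitolite is initialised with no usable admin key.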
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age b/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age new file mode 100644 index 0000000..8a778bf Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age differ diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age b/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age new file mode 100644 index 0000000..4279838 Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age differ diff --git a/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age b/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age new file mode 100644 index 0000000..8ae6dd3 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 5YBERzwh+Vis6esJiMwoUQbRSeB3XqufSnpOLvx8qRw +0tgBOtYD7n5C8yMluNij1rimPAxc4k8/WLWcxdvR7A8 +-> ?&'/-grease bm}^I5I uJ~R_S '/