flake.lock: Update

Flake lock file updates:

• Updated input 'emacs-overlay':
    'github:nix-community/emacs-overlay/2a6d6d064e33d65dc660b65c28ce17195e539db6' (2025-04-28)
  → 'github:nix-community/emacs-overlay/841c18a6fe787b669ea362e3e14f54a5bd12a63c' (2025-04-29)
• Updated input 'emacs-overlay/nixpkgs':
    'github:NixOS/nixpkgs/f771eb401a46846c1aebd20552521b233dd7e18b' (2025-04-24)
  → 'github:NixOS/nixpkgs/5461b7fa65f3ca74cef60be837fd559a8918eaa0' (2025-04-27)
• Updated input 'homeManager':
    'github:nix-community/home-manager/be7cf1709b469a2a2c62169172a167d1fed3509f' (2025-04-28)
  → 'github:nix-community/home-manager/1ad123239957d40e11ef66c203d0a7e272eb48aa' (2025-04-29)
• Updated input 'nixosHardware':
    'github:NixOS/nixos-hardware/f7bee55a5e551bd8e7b5b82c9bc559bc50d868d1' (2025-04-24)
  → 'github:NixOS/nixos-hardware/f1e52a018166e1a324f832de913e12c0e55792d0' (2025-04-29)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/f771eb401a46846c1aebd20552521b233dd7e18b' (2025-04-24)
  → 'github:NixOS/nixpkgs/5461b7fa65f3ca74cef60be837fd559a8918eaa0' (2025-04-27)
• Updated input 'treefmt-nix':
    'github:numtide/treefmt-nix/d1863f30d9ca67f679f9c2583d7adf674b5d9b8a' (2025-04-28)
  → 'github:numtide/treefmt-nix/82bf32e541b30080d94e46af13d46da0708609ea' (2025-04-29)

flake.lock

@@ -122,11 +122,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1745830889,
-        "narHash": "sha256-P51C3ennff9hNhHr6SsxowZKpbPsa2U4DjC+DIu4Lyg=",
+        "lastModified": 1745921824,
+        "narHash": "sha256-8FFSHBE0HgW0HGrTULbaUVH29aeVP31Clf2HDtDfqaE=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "2a6d6d064e33d65dc660b65c28ce17195e539db6",
+        "rev": "841c18a6fe787b669ea362e3e14f54a5bd12a63c",
         "type": "github"
       },
       "original": {
@@ -387,11 +387,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745810134,
-        "narHash": "sha256-WfnYH/i7DFzn4SESQfWviXiNUZjohZhzODqLwKYHIPI=",
+        "lastModified": 1745894335,
+        "narHash": "sha256-m47zhftaod/oHOwoVT25jstdcVLhkrVGyvEHKjbnFHI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "be7cf1709b469a2a2c62169172a167d1fed3509f",
+        "rev": "1ad123239957d40e11ef66c203d0a7e272eb48aa",
         "type": "github"
       },
       "original": {
@@ -569,11 +569,11 @@
     },
     "nixosHardware": {
       "locked": {
-        "lastModified": 1745503349,
-        "narHash": "sha256-bUGjvaPVsOfQeTz9/rLTNLDyqbzhl0CQtJJlhFPhIYw=",
+        "lastModified": 1745907084,
+        "narHash": "sha256-Q8SpDbTI95vtKXgNcVl1VdSUhhDOORE8R77wWS2rmg8=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "f7bee55a5e551bd8e7b5b82c9bc559bc50d868d1",
+        "rev": "f1e52a018166e1a324f832de913e12c0e55792d0",
         "type": "github"
       },
       "original": {
@@ -711,11 +711,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1745526057,
-        "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=",
+        "lastModified": 1745794561,
+        "narHash": "sha256-T36rUZHUART00h3dW4sV5tv4MrXKT7aWjNfHiZz7OHg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f771eb401a46846c1aebd20552521b233dd7e18b",
+        "rev": "5461b7fa65f3ca74cef60be837fd559a8918eaa0",
         "type": "github"
       },
       "original": {
@@ -742,11 +742,11 @@
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1745526057,
-        "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=",
+        "lastModified": 1745794561,
+        "narHash": "sha256-T36rUZHUART00h3dW4sV5tv4MrXKT7aWjNfHiZz7OHg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f771eb401a46846c1aebd20552521b233dd7e18b",
+        "rev": "5461b7fa65f3ca74cef60be837fd559a8918eaa0",
         "type": "github"
       },
       "original": {
@@ -1009,11 +1009,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745829891,
-        "narHash": "sha256-aRkV0ZpfT/ERgRlGrbgjHFRcEWdseltSO+wPnpdPYKg=",
+        "lastModified": 1745929750,
+        "narHash": "sha256-k5ELLpTwRP/OElcLpNaFWLNf8GRDq4/eHBmFy06gGko=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "d1863f30d9ca67f679f9c2583d7adf674b5d9b8a",
+        "rev": "82bf32e541b30080d94e46af13d46da0708609ea",
         "type": "github"
       },
       "original": {

hosts/kirk/default.nix

@@ -33,7 +33,7 @@
       "adb"
       "binfmt"
       "prometheus-exporters"
-      "promtail"
+      "alloy"
       "syncthing"
       "zerotier"
     ]

hosts/picard/default.nix

@@ -40,8 +40,8 @@
       "mount-sisko"
       "adb"
       "prometheus-exporters"
-      # "promtail"
       "zerotier"
+      "alloy"
     ]
     ++ [ ./disko.nix ];
 

hosts/pike/default.nix

@@ -35,7 +35,7 @@
     "mount-sisko"
     "adb"
     "prometheus-exporters"
-    # "promtail"
+    "alloy"
     "zerotier"
   ];
 
@@ -157,6 +157,8 @@
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   hardware.enableRedistributableFirmware = lib.mkDefault true;
 
+  services.power-profiles-daemon.enable = true;
+
   hardware.graphics = {
     enable = true;
     enable32Bit = true;

hosts/sisko/default.nix

@@ -21,7 +21,7 @@
       "grafana"
       "prometheus-exporters"
       "loki"
-      "promtail"
+      "alloy"
       "restic"
       "atuin"
       "immich"
@@ -33,6 +33,8 @@
       "arr"
       "zerotier"
       "mosh"
+      "amule"
+      "adguard-home"
     ]
     ++ [
       ./disko.nix

hosts/tpol/default.nix

@@ -24,6 +24,7 @@
       "battery"
       "printing"
       "wireguard-client"
+      "alloy"
     ];
 
   boot.initrd.availableKernelModules = [

lib/default.nix

@@ -1,7 +1,7 @@
 {
   keys = {
     users = {
-      ccr-ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzCmDCtlGscpesHuoiruVWD2IjYEFtaIl9Y2JZGiOAyf3V17KPx0MikcknfmxSHi399SxppiaXQHxo/1wjGxXkXNTTv6h1fBuqwhJE6C8+ZSV+gal81vEnXX+/9w2FQqtVgnG2/mO7oJ0e3FY+6kFpOsGEhYexoGt/UxIpAZoqIN+CWNhJIASUkneaZWtgwiL8Afb59kJQ2E7WbBu+PjYZ/s5lhPobhlkz6s8rkhItvYdiSHT0DPDKvp1oEbxsxd4E4cjJFbahyS8b089NJd9gF5gs0b74H/2lUUymnl63cV37Mp4iXB4rtE69MbjqsGEBKTPumLualmc8pOGBHqWIdhAqGdZQeBajcb6VK0E3hcU0wBB+GJgm7KUzlAHGdC3azY0KlHMrLaZN0pBrgCVR6zBNWtZz2B2qMBZ8Cw+K4vut8GuspdXZscID10U578GxQvJAB9CdxNUtrzSmKX2UtZPB1udWjjIAlejzba4MG73uXgQEdv0NcuHNwaLuCWxTUT5QQF18IwlJ23Mg8aPK8ojUW5A+kGHAu9wtgZVcX1nS5cmYKSgLzcP1LA1l9fTJ1vqBSuy38GTdUzfzz7AbnkRfGPj2ALDgyx17Rc5ommjc1k0gFoeIqiLaxEs5FzDcRyo7YvZXPsGeIqNCYwQWw3+U+yUEJby8bxGb2d/6YQ== andrea.ciceri@autistici.org";
+      ccr-ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIm9Sl/I+5G4g4f6iE4oCUJteP58v+wMIew9ZuLB+Gea";
       oneplus8t = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8da1Mf11vXFF0kVDgxocVoGwpHHMEs9emS9T+v8hLb oneplus8t";
       hercules-ci-agent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPupm00BiveTIYF6CNwuMijF5VvEaPDMjvt+vMlAy+N hercules-ci-agent";
     };

modules/adguard-home/default.nix

@@ -1,18 +1,57 @@
-{ config, ... }:
+{ config, lib, ... }:
+let
+  interface = "enP4p65s0";
+in
 {
   services.adguardhome = {
     enable = true;
-    port = 3000;
     mutableSettings = true;
     settings = {
-      openFirewall = true;
+      dhcp = {
+        enabled = true;
+        interface_name = interface;
+
+        dhcpv4 = {
+          gateway_ip = "10.1.1.1";
+          range_start = "10.1.1.2";
+          range_end = "10.1.1.255";
+          subnet_mask = "255.255.255.0";
+        };
+      };
+      dns = {
+        upstream_dns = [
+          "https://dns10.quad9.net/dns-query"
+        ];
+
+        bind_hosts = [
+          "127.0.0.1"
+          "10.1.1.2"
+        ];
+      };
     };
   };
-  networking.firewall.allowedTCPPorts = [
-    3000
+
+  # otherwise it creates a directory in /var/lib/private which can't be easily persisted
+  systemd.services.adguardhome.serviceConfig.DynamicUser = lib.mkForce false;
+
+  networking.firewall.allowedUDPPorts = [
     53
+    67
   ];
-  networking.firewall.allowedUDPPorts = [ 53 ];
+  networking.firewall.allowedTCPPorts = [ 53 ];
+
+  networking.interfaces.${interface} = {
+    ipv4.addresses = [
+      {
+        address = "10.1.1.2";
+        prefixLength = 24;
+      }
+    ];
+    useDHCP = false;
+  };
+
+  networking.defaultGateway = "10.1.1.1";
+
   environment.persistence."/persist".directories = [
     "/var/lib/AdGuardHome"
   ];

modules/alloy/default.nix

@@ -0,0 +1,53 @@
+{ config, ... }:
+{
+  services.alloy = {
+    enable = true;
+  };
+  environment.etc."alloy/config.alloy".text = ''
+    local.file_match "local_files" {
+      path_targets = [{
+        __path__ = "/var/log/*.log",
+      }]
+      sync_period = "5s"
+    }
+
+    loki.source.journal "systemd" {
+      max_age    = "24h"
+      forward_to = [loki.write.default.receiver]
+    }
+
+    loki.source.journal "kernel" {
+      max_age = "24h"
+      forward_to = [loki.write.default.receiver]
+    }
+
+    loki.relabel "nixfleet_journal" {
+      forward_to = []
+      rule {
+      	source_labels = ["__journal__systemd_unit"]
+      	target_label = "systemd_unit"
+      }
+      rule {
+      	source_labels = ["__journal_syslog_identifier"]
+      	target_label = "syslog_identifier"
+      }
+    }
+
+    loki.source.journal "nixfleet_journal" {
+      forward_to = [loki.write.default.receiver]
+      relabel_rules = loki.relabel.nixfleet_journal.rules
+      format_as_json = true
+    }
+
+    loki.write "default" {
+      endpoint {
+        url = "http://sisko.wg.aciceri.dev:${
+          builtins.toString config.services.loki.configuration.server.http_listen_port or 3100
+        }/loki/api/v1/push"
+      }
+      external_labels = {
+        host = "${config.networking.hostName}",
+      }
+    }
+  '';
+}

modules/amarr/default.nix

@@ -0,0 +1,23 @@
+args@{ lib, pkgs, ... }:
+let
+  pkgs = builtins.getFlake "github:NixOS/nixpkgs/d278c7bfb89130ac167e80d2250f9abc0bede419";
+  amarr = pkgs.legacyPackages.${args.pkgs.system}.amarr;
+in
+{
+  systemd.services.amarr = {
+    description = "amarr";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      User = "root";
+      Type = "oneshot";
+      ExecStart = lib.getExe amarr;
+    };
+    environment = {
+      AMULE_HOST = "localhost";
+      AMULE_PORT = "4712";
+      AMULE_PASSWORD = "";
+    };
+  };
+
+}

modules/amule/default.nix

@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+{
+  users.users.amule = {
+    isSystemUser = true;
+    group = "amule";
+    extraGroups = [ "amule" ];
+    home = config.services.amule.dataDir;
+  };
+
+  users.groups.amule = { };
+  services.amule = {
+    dataDir = "/mnt/hd/amule";
+    enable = true;
+    user = "amule";
+  };
+
+  # sometimes the service crashes with a segfeault without any reason...
+  systemd.services.amuled.serviceConfig.Restart = lib.mkForce "always";
+
+  environment.persistence."/persist".directories = [
+    config.services.amule.dataDir
+  ];
+
+  networking.firewall = {
+    allowedTCPPorts = [ 4662 ];
+    allowedUDPPortRanges = [
+      {
+        from = 4665;
+        to = 4672;
+      }
+    ];
+  };
+
+}