trilium & authelia setup

test
reactivate authelia module
2026-01-29 09:45:10 +01:00 · 2026-01-27 20:40:20 +01:00 · 2026-01-26 16:47:05 +01:00 · 2026-01-26 16:46:43 +01:00 · 2026-01-23 23:05:58 +01:00 · 2026-01-23 20:22:03 +01:00
23 changed files with 490 additions and 283 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -49,11 +49,11 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1768336726,
-        "narHash": "sha256-Os4qn0S0bv7MauXGz16ozyOYZuMrA2FJuXNjDnr5yps=",
+        "lastModified": 1769470446,
+        "narHash": "sha256-nze0VZ70K2kbDxjE+BBZLD7juOmnZqNYdOhl9aUNGWg=",
        "owner": "9001",
        "repo": "copyparty",
-        "rev": "c46cd7f57a8ae3b121866485c91ec078c4dd970e",
+        "rev": "2f57228fd4e62f8cd8e12cb80a3531dc2d4d170a",
        "type": "github"
      },
      "original": {
@@ -91,11 +91,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1766150702,
-        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "lastModified": 1769524058,
+        "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
        "type": "github"
      },
      "original": {
@@ -136,22 +136,6 @@
        "type": "github"
      }
    },
-    "flake-compat_3": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
    "flake-utils": {
      "locked": {
        "lastModified": 1659877975,
@@ -200,24 +184,6 @@
        "type": "github"
      }
    },
-    "flake-utils_4": {
-      "inputs": {
-        "systems": "systems_3"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -267,31 +233,11 @@
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1767838769,
-        "narHash": "sha256-KCLU6SUU80tEBKIVZsBrSjRYX6kn1eVIYI3fEEqOp24=",
+        "lastModified": 1769567010,
+        "narHash": "sha256-R4ESxjCluQQlSIPw4NaRYVvEtvsnKGRwmACcXU1at6g=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "4da21f019f6443f513f16af7f220ba4db1cdfc04",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Infinidoge",
-        "repo": "nix-minecraft",
-        "type": "github"
-      }
-    },
-    "nix-minecraft_2": {
-      "inputs": {
-        "flake-compat": "flake-compat_3",
-        "flake-utils": "flake-utils_4",
-        "nixpkgs": "nixpkgs_6"
-      },
-      "locked": {
-        "lastModified": 1767147099,
-        "narHash": "sha256-395ehjdAtaqCbKmx+PhKAqnkYLvTtAzq2qzFG9qaGDw=",
-        "owner": "Infinidoge",
-        "repo": "nix-minecraft",
-        "rev": "01f571579edd64433f97c4294137fbc366deef4b",
+        "rev": "1c9c95fea177a4f8430c34dc1f974394e72bca1f",
        "type": "github"
      },
      "original": {
@@ -365,51 +311,21 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1767313136,
-        "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
+        "lastModified": 1769318308,
+        "narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
+        "rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_6": {
-      "locked": {
-        "lastModified": 1748929857,
-        "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_7": {
-      "locked": {
-        "lastModified": 1767364772,
-        "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs_8": {
      "locked": {
        "lastModified": 1737062831,
        "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
@@ -423,7 +339,7 @@
        "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz"
      }
    },
-    "nixpkgs_9": {
+    "nixpkgs_7": {
      "locked": {
        "lastModified": 1736549401,
        "narHash": "sha256-ibkQrMHxF/7TqAYcQE+tOnIsSEzXmMegzyBWza6uHKM=",
@@ -439,26 +355,6 @@
        "type": "github"
      }
    },
-    "reclamation": {
-      "inputs": {
-        "nix-minecraft": "nix-minecraft_2",
-        "nixpkgs": "nixpkgs_7",
-        "utils": "utils"
-      },
-      "locked": {
-        "lastModified": 1767786101,
-        "narHash": "sha256-ENlpYr2V5u0/Enq07nIHfzetqmS95aydQYIM6sISVUc=",
-        "ref": "refs/heads/master",
-        "rev": "b71acff364b7b5eb3e1b68915aeb379053b86c94",
-        "revCount": 10,
-        "type": "git",
-        "url": "https://git.shobu.fr/sin_serhao/reclamation"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.shobu.fr/sin_serhao/reclamation"
-      }
-    },
    "root": {
      "inputs": {
        "agenix": "agenix",
@@ -467,7 +363,6 @@
        "disko": "disko",
        "nix-minecraft": "nix-minecraft",
        "nixpkgs": "nixpkgs_5",
-        "reclamation": "reclamation",
        "shoblog-front": "shoblog-front",
        "testing-grounds": "testing-grounds",
        "unstable": "unstable"
@@ -475,7 +370,7 @@
    },
    "shoblog-front": {
      "inputs": {
-        "nixpkgs": "nixpkgs_8"
+        "nixpkgs": "nixpkgs_6"
      },
      "locked": {
        "lastModified": 1752594581,
@@ -537,39 +432,9 @@
        "type": "github"
      }
    },
-    "systems_3": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_4": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
    "testing-grounds": {
      "inputs": {
-        "nixpkgs": "nixpkgs_9"
+        "nixpkgs": "nixpkgs_7"
      },
      "locked": {
        "lastModified": 1755527993,
@@ -587,11 +452,11 @@
    },
    "unstable": {
      "locked": {
-        "lastModified": 1768127708,
-        "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
+        "lastModified": 1769461804,
+        "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
+        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
        "type": "github"
      },
      "original": {
@@ -600,24 +465,6 @@
        "repo": "nixpkgs",
        "type": "github"
      }
-    },
-    "utils": {
-      "inputs": {
-        "systems": "systems_4"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,7 @@

  # Flake inputs
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
    unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    colmena.url = "github:zhaofengli/colmena";

@@ -17,10 +17,7 @@
    # sin inputs
    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
    testing-grounds.url = "gitlab:shobu13/testing-grounds";
-    reclamation.url = "git+https://git.shobu.fr/sin_serhao/reclamation";
    shoblog-front.url = "gitlab:shobu13/shoblog";
-    # striped-front.url = "git+ssh://git@gitlab.com/striped1/striped-front";
-    # striped-back.url = "git+ssh://git@gitlab.com/striped1/striped-back";

    copyparty.url = "github:9001/copyparty";

@@ -44,7 +41,6 @@
      # striped-back,
      nix-minecraft,
      testing-grounds,
-      reclamation,
      copyparty,
      ...
    }:
--- a/hosts/sin/configuration.nix
+++ b/hosts/sin/configuration.nix
@@ -17,6 +17,7 @@
    ./secrets.nix
    ./coredns
    ./copyparty.nix
+    ./trilium.nix
  ];

  boot.initrd.kernelModules = [ "usb_storage" ];
@@ -43,6 +44,8 @@

        3000 # gitea

+        config.services.trilium-server.port
+
        53
      ];

--- a/hosts/sin/copyparty.nix
+++ b/hosts/sin/copyparty.nix
@@ -27,13 +27,50 @@
      shr = "/shares";
    };

+    accounts = {
+      serhao = {
+        passwordFile = config.age.secrets.copyparty-serhao.path;
+      };
+    };
+
    volumes = {
-      "/media" = {
-        path = "/mnt/mediacenter/media";
+      "/movies" = {
+        path = "/mnt/mediacenter/media/movies";
        access = {
          r = "*";
        };
      };
+      "/shows" = {
+        path = "/mnt/mediacenter/media/shows";
+        access = {
+          r = "*";
+        };
+      };
+
+      "/musics" = {
+        path = "/mnt/mediacenter/media/musics";
+        access = {
+          r = "*";
+        };
+      };
+      "/mediacenter" = {
+        path = "/mnt/mediacenter/media";
+        access = {
+          rw = ["serhao"];
+        };
+        flags = {
+          e2d = true;
+        };
+      };
+      "/data" = {
+        path = "/mnt/data";
+        access = {
+          rwd = ["serhao"];
+        };
+        flags = {
+          e2d = true;
+        };
+      };
    };
  };

--- a/hosts/sin/homepage.nix
+++ b/hosts/sin/homepage.nix
@@ -122,7 +122,7 @@
              description = "bring back your world to life";
              widget = {
                type = "minecraft";
-                url = "udp://minecraft.shobu.fr:43001";
+                url = "udp://minecraft.shobu.fr:25665";
              };
            };
          }
--- a/hosts/sin/jellyfin.nix
+++ b/hosts/sin/jellyfin.nix
@@ -11,10 +11,9 @@ in
    extraPackages = with pkgs; [
      intel-media-driver
      intel-vaapi-driver
-      vaapiVdpau
+      libva-vdpau-driver
      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
      vpl-gpu-rt # QSV on 11th gen or newer
-      intel-media-sdk # QSV up to 11th gen
    ];
  };

@@ -82,15 +81,27 @@ in
      enable = true;
      openFirewall = true;
      group = "starr";
+      settings = {
+        authentication.AuthenticationMethod = "external";
+        authentication.AuthenticationType = "enabled";
+      };
    };
    radarr = {
      enable = true;
      openFirewall = true;
      group = "starr";
+      settings = {
+        authentication.AuthenticationMethod = "external";
+        authentication.AuthenticationType = "enabled";
+      };
    };
    prowlarr = {
      enable = true;
      openFirewall = true;
+      settings = {
+        authentication.AuthenticationMethod = "external";
+        authentication.AuthenticationType = "enabled";
+      };
    };
    bazarr = {
      enable = true;
@@ -99,10 +110,18 @@ in
    lidarr = {
      enable = true;
      openFirewall = true;
+      settings = {
+        authentication.AuthenticationMethod = "external";
+        authentication.AuthenticationType = "enabled";
+      };
    };
    whisparr = {
      enable = true;
      openFirewall = true;
+      settings = {
+        authentication.AuthenticationMethod = "external";
+        authentication.AuthenticationType = "enabled";
+      };
    };

    jellyseerr = {
--- a/hosts/sin/luks-btrfs-raid.nix
+++ b/hosts/sin/luks-btrfs-raid.nix
@@ -7,7 +7,7 @@
      # and the actual btrfs raid on the second disk, and the name of these entries matters!
      system = {
        type = "disk";
-        device = "/dev/mmcblk0";
+        device = "/dev/sdb";
        content = {
          type = "gpt";
          partitions = {
@@ -42,6 +42,10 @@
                    "/root" = {
                      mountpoint = "/";
                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd:3" ];
+                    };
                  };
                };
              };
@@ -50,31 +54,9 @@
        };
      };

-      # data1 = {
-      #   type = "disk";
-      #   device = "/dev/sda";
-      #   content = {
-      #     type = "gpt";
-      #     partitions = {
-      #       crypt_p1 = {
-      #         size = "100%";
-      #         content = {
-      #           type = "luks";
-      #           name = "p_data1"; # device-mapper name when decrypted
-      #           # Remove settings.keyFile if you want to use interactive password entry
-      #           settings = {
-      #             allowDiscards = true;
-      #             keyFile = "/dev/disk/by-uuid/2021-07-11-12-33-27-00";
-      #             keyFileSize = 4096;
-      #           };
-      #         };
-      #       };
-      #     };
-      #   };
-      # };
      data = {
        type = "disk";
-        device = "/dev/sdc";
+        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
@@ -83,27 +65,6 @@
              content = {
                type = "luks";
                name = "p_data";
-                settings = {
-                  allowDiscards = true;
-                  keyFile = "/dev/disk/by-uuid/2021-07-11-12-33-27-00";
-                  keyFileSize = 4096;
-                };
-              };
-            };
-          };
-        };
-      };
-      data1 = {
-        type = "disk";
-        device = "/dev/sdb";
-        content = {
-          type = "gpt";
-          partitions = {
-            crypt_p = {
-              size = "100%";
-              content = {
-                type = "luks";
-                name = "p_data1";
                # Remove settings.keyFile if you want to use interactive password entry
                settings = {
                  allowDiscards = true;
@@ -112,19 +73,11 @@
                };
                content = {
                  type = "btrfs";
-                  extraArgs = [
-                    "-d raid0"
-                    "/dev/mapper/p_data3" # Use decrypted mapped device, same name as defined in disk1
-                  ];
                  subvolumes = {
                    "/" = {
                      mountpoint = "/mnt/fs";
                      mountOptions = [ "compress=zstd:3" ];
                    };
-                    "/nix" = {
-                      mountpoint = "/nix";
-                      mountOptions = [ "compress=zstd:3" ];
-                    };

                    "/data" = {
                      mountpoint = "/mnt/data";
--- a/hosts/sin/secrets.nix
+++ b/hosts/sin/secrets.nix
@@ -10,5 +10,22 @@
      file = ./secrets/airvpn_wireguard_key_env.age;
      mode = "700";
    };
+    copyparty-serhao = {
+      file = ./secrets/copyparty-serhao.age;
+      mode = "700";
+      owner = "copyparty";
+    };
+    authelia-jwt = {
+      file = ./secrets/authelia-jwt.age;
+      mode = "700";
+    };
+    authelia-encryption = {
+      file = ./secrets/authelia-encryption.age;
+      mode = "700";
+    };
+    authelia-session = {
+      file = ./secrets/authelia-session.age;
+      mode = "700";
+    };
  };
 }
--- a/hosts/sin/secrets/authelia-encryption.age
+++ b/hosts/sin/secrets/authelia-encryption.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 /uqj4A L95rgX9APIgoMvkplZIYgMQDhKBOsPGOw/maymMhiks
+LNfa/YBCd84iknAMk4wbQps4KMXCvrhPp2d9KkhJWHI
+-> ssh-ed25519 NoSl6Q G/y6DUFTyV6Jy6KHo8yc+xxtu3aJtTOF3Ldmxq3FmyE
+FOExj321S/VIPQ/qdvZBcJ930HI/GsjDVjJp9WMSXLA
+--- iIpq/CWng+4+kQbvJQb/qgejr/eza94wCkegEJ2dvno
+ÿNôU*1=DÔOˆ£W6]_â©Kà=©*ÊÞký¦_ù˜ÝøÉ‡™tmË•ãw°
--- a/hosts/sin/secrets/authelia-jwt.age
+++ b/hosts/sin/secrets/authelia-jwt.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 /uqj4A i6SPCzjkGrPMjhC9NQDdYTk3fzXoD4OSQdhS1togN0A
+Lqus8sROz1O4EepauPwC4RX/qH+SnDiL2H5iZGtAhXo
+-> ssh-ed25519 NoSl6Q LxV4a5HiB6qfPjbba75dkVVECzaqrMjksMXHh53JbGQ
+x4POzurz+J2mymT81M+cu69Iv/MeiYt+JvaRteinm5Q
+--- OFqooyZ2HPBxP756PqpgJAyVOTkqhJ0LhEQsLJBZUtE
+—>»&È†w·\D„Au{õz{CˆÁ~á$‘_ˆ9»¢ZZ<5A>U^„ÎÊL!(lnÐ¿Âó‰Üv{fdº 1Ýßl¢,<2C>|<7C>Ü.¤çH«¤³êVaù¥ÍÓˆ™PêwOo3ž
--- a/hosts/sin/secrets/authelia-session.age
+++ b/hosts/sin/secrets/authelia-session.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 /uqj4A eff535EaT7gEZOacWx9raBJMdd4PPd9+y6Y3eOt1wBI
+5P4aefjWVJ4L11ff+Cg8j3gQ58I+agDPUMFWiCaL/sQ
+-> ssh-ed25519 NoSl6Q 3+EZtaiiZQk7JK6zCNo/nUSSRAJzf8nal2X1sFkYmxo
+f5gzpiOtCbYdiV7vOxfZvJPRmRruTbHg6T8g0r5JRgc
+--- BBL3wE2eSmHVI4tlhq+5fy84cauw6P6G69nFXuObLKE
+êéæí	@[¡SÓcñ‘<C3B1>SyÉŠ‡<; í†<C3AD>e±ËèŒŸ<C592><C5B8>§(°Æž1\Yj›È¯½½4åõ ÝÈ¹.3>Â[Èq¢Jh8í·šÕVt”øX[Ì~[(#^‘_5€§<E282AC>
--- a/hosts/sin/secrets/copyparty-serhao.age
+++ b/hosts/sin/secrets/copyparty-serhao.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 BoEq8A O6x9n4kvpqLucX7NuNeD2SsMmvT5n6aVYwo4nQt21H8
+R+4g1QuXtxovyv5Mav+mAhgGjOcGQW4q17FSBtzXZQo
+-> ssh-ed25519 NoSl6Q iKPipXfIGWxUobXF/9CSRhc/zKgmKKWWZhDTDgX0jWA
+LB4TFCdbEG0VToYzTWdFedd0duF5PKlCnpBs4nBbLAQ
+--- D7VE3Mwgx9ehk5rNuHm62S5ggQBm9wJodZa61jLEVsY
+8ÔîÐÄÒë`S«šéT¯Fª9&(½Ú²Á‡¸=~Ïášoù».XŽ¶ž7ðV&'Øøå ÒÔ¸‹%ã î
--- a/hosts/sin/trilium.nix
+++ b/hosts/sin/trilium.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+  services.trilium-server = {
+    enable = true;
+    port = 12783;
+    host = "0.0.0.0";
+    noAuthentication = true;
+  };
+}
--- a/hosts/thea/authelia.nix
+++ b/hosts/thea/authelia.nix
@@ -0,0 +1,126 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.authelia.instances.main;
+  dataDir = "/var/lib/authelia-${cfg.name}";
+  authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
+in
+{
+  services.authelia.instances = {
+    main = {
+      enable = true;
+      secrets = {
+        jwtSecretFile = config.age.secrets.authelia-jwt.path;
+        storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
+        sessionSecretFile = config.age.secrets.authelia-session.path;
+      };
+      settings = {
+        theme = "light";
+        log.level = "debug";
+
+        authentication_backend = {
+          file = {
+            path = dataDir + "/users.yml";
+          };
+        };
+        storage = {
+          local = {
+            path = dataDir + "/db.sqlite3";
+          };
+        };
+        session = {
+          cookies = [
+            {
+              domain = "shobu.fr";
+              authelia_url = "https://auth.shobu.fr";
+              default_redirection_url = "https://shobu.fr";
+            }
+          ];
+        };
+        notifier = {
+          filesystem = {
+            filename = "${dataDir}/notification.txt";
+          };
+        };
+        access_control = {
+          default_policy = "deny";
+          rules = [
+            # {
+            #   domain = "radarr.shobu.fr";
+            #   policy = "bypass";
+            # }
+            {
+              domain = "*.shobu.fr";
+              policy = "one_factor";
+            }
+          ];
+        };
+        server = {
+          endpoints = {
+            authz = {
+              auth-request = {
+                implementation = "AuthRequest";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  # systemd.tmpfiles.rules = lib.mkIf cfg.enable [
+  #   "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+  # ];
+
+  age.secrets = {
+    authelia-jwt = {
+      owner = cfg.user;
+      file = ./secrets/authelia-jwt.age;
+      mode = "700";
+    };
+    authelia-encryption = {
+      owner = cfg.user;
+      file = ./secrets/authelia-encryption.age;
+      mode = "700";
+    };
+    authelia-session = {
+      owner = cfg.user;
+      file = ./secrets/authelia-session.age;
+      mode = "700";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."auth.shobu.fr" =
+      let
+        upstream = "http://thea:9091";
+      in
+      {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."/" = {
+          proxyPass = upstream;
+          extraConfig = ''
+            error_log /var/log/nginx/debug_authelia.log debug;
+            include ${authelia-snippets.proxy};
+            set $upstream ${upstream};
+          '';
+        };
+        locations."/api/verify" = {
+          proxyPass = upstream;
+        };
+        locations."/api/authz" = {
+          proxyPass = upstream;
+        };
+      };
+  };
+}
--- a/hosts/thea/configuration.nix
+++ b/hosts/thea/configuration.nix
@@ -16,10 +16,11 @@ in
 {
  imports = [
    ./nginx.nix
-    # ./striped
    # ./cybercoffee
    ./ollama.nix
    ./minecraft.nix
+    ./secrets
+    ./authelia.nix
  ];

  # Use the systemd-boot EFI boot loader.
@@ -36,7 +37,14 @@ in
    # dhcpcd.extraConfig = "nohook resolv.conf";

    firewall = {
-      allowedTCPPorts = [ nodes.sin.config.services.gitea.settings.server.SSH_PORT ];
+      allowedTCPPorts = [
+        nodes.sin.config.services.gitea.settings.server.SSH_PORT
+      ]
+      ++ [
+        # minecraft ad hoc server ports
+        25665
+        25675
+      ];
    };
    nat = {
      enable = true;
--- a/hosts/thea/lib/autheliaSnippets.nix
+++ b/hosts/thea/lib/autheliaSnippets.nix
@@ -0,0 +1,81 @@
+{ pkgs }:
+{
+  proxy = pkgs.writeText "proxy.conf" ''
+    ## Headers
+    # proxy_set_header Host $host;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-URI $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_set_header X-Forwarded-For $remote_addr;
+  '';
+  authelia-location = pkgs.writeText "authelia-location.conf" ''
+    set $upstream_authelia http://192.168.1.12:9091/api/authz/auth-request;
+
+    ## Virtual endpoint created by nginx to forward auth requests.
+    location /internal/authelia/authz {
+        ## Essential Proxy Configuration
+        internal;
+        proxy_pass $upstream_authelia;
+
+        ## Headers
+        ## The headers starting with X-* are required.
+        proxy_set_header X-Original-Method $request_method;
+        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Content-Length "";
+        proxy_set_header Connection "";
+
+        ## Basic Proxy Configuration
+        proxy_pass_request_body off;
+        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+        proxy_redirect http:// $scheme://;
+        proxy_http_version 1.1;
+        proxy_cache_bypass $cookie_session;
+        proxy_no_cache $cookie_session;
+        proxy_buffers 4 32k;
+        client_body_buffer_size 128k;
+
+        ## Advanced Proxy Configuration
+        send_timeout 5m;
+        proxy_read_timeout 240;
+        proxy_send_timeout 240;
+        proxy_connect_timeout 240;
+    }
+  '';
+  authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
+    ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+    auth_request /internal/authelia/authz;
+
+    ## Save the upstream metadata response headers from Authelia to variables.
+    auth_request_set $user $upstream_http_remote_user;
+    auth_request_set $groups $upstream_http_remote_groups;
+    auth_request_set $name $upstream_http_remote_name;
+    auth_request_set $email $upstream_http_remote_email;
+
+    ## Inject the metadata response headers from the variables into the request made to the backend.
+    proxy_set_header Remote-User $user;
+    proxy_set_header Remote-Groups $groups;
+    proxy_set_header Remote-Email $email;
+    proxy_set_header Remote-Name $name;
+
+    ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
+    ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
+    ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
+
+    ## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
+    auth_request_set $redirection_url $upstream_http_location;
+
+    ## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
+    error_page 401 =302 $redirection_url;
+
+    ## Legacy Method: Set $target_url to the original requested URL.
+    ## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
+    # set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+    ## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
+    ## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL.
+    # error_page 401 =302 https://auth.shobu.fr/?rd=$target_url;
+  '';
+}
--- a/hosts/thea/minecraft.nix
+++ b/hosts/thea/minecraft.nix
@@ -9,7 +9,10 @@ let
    url = "file:///${inputs.testing-grounds.modpack}/pack.toml";
    packHash = "sha256-+taYj4uroLNxM4Nia3n+5P1Y/g6dzE6Iq13TsZgk4mU=";
  };
-  reclamation = inputs.reclamation.packages.${pkgs.stdenv.system};
+  gregpack = pkgs.fetchPackwizModpack {
+    url = "https://raw.githubusercontent.com/GregTechCEu/GregTech-Modern-Community-Pack/refs/heads/main/pack.toml";
+    packHash = "sha256-SE86gP15H/Aug6vTLmMxHuxF2/+iLmCI/wQlON1xasM=";
+  };
 in
 {
  imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
@@ -20,28 +23,6 @@ in
    eula = true;
    openFirewall = true;

-    servers.reclamation = {
-      enable = false;
-      package = pkgs.fabricServers.fabric;
-
-      symlinks = {
-        "mods" = "${reclamation.modpack}/mods";
-        "FTBLang" = "${reclamation.modpack}/FTBLang";
-        "defaultconfigs" = "${reclamation.modpack}/defaultconfigs";
-        "ressourcepacks" = "${reclamation.modpack}/ressourcepacks";
-        "config" = "${reclamation.modpack}/config";
-        "kubejs" = "${reclamation.modpack}/kubejs";
-        "patchouli_books" = "${reclamation.modpack}/patchouli_books";
-        "server.dat" = "${reclamation.modpack}/server.dat";
-      };
-
-      serverProperties = {
-        server-port = 43001;
-        motd = "all hail the gorgon v3.14";
-        allow-flight = true;
-      };
-    };
-
    servers.testing-grounds = {
      enable = true;

@@ -58,4 +39,10 @@ in
      };
    };
  };
+
+  networking.firewall.allowedTCPPorts = [
+    25865 # autismcraft
+    25665 # reclamation
+    25675 # reclamation
+  ];
 }
--- a/hosts/thea/nginx.nix
+++ b/hosts/thea/nginx.nix
@@ -1,8 +1,14 @@
-{ inputs, ... }:
+{
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
 let
  # striped-front = inputs.striped-front;

  sin-address = "192.168.1.14";
+  authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
 in
 {

@@ -17,36 +23,92 @@ in
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

+    typesHashMaxSize = 512;
+    mapHashMaxSize = 512;
+
    virtualHosts =
      let
-        mkStarr = host: port: {
+        mkVHost = host: port: {
          "${host}" = {
            enableACME = true;
            forceSSL = true;

            locations."/" = {
              proxyPass = "http://${sin-address}:${port}";
+            };
+          };
+        };
+        mkStarr = host: port: {
+          "${host}" = {
+            enableACME = true;
+            forceSSL = true;
+
+            extraConfig = ''
+              include ${authelia-snippets.authelia-location};
+            '';
+
+            locations."/api" = {
+              proxyPass = "http://${sin-address}:${port}";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_ssl_server_name on;
+              '';
+            };
+            locations."/" = {
+              proxyPass = "http://${sin-address}:${port}";
+              proxyWebsockets = true;
+              extraConfig = ''
+                include ${authelia-snippets.proxy};
+                include ${authelia-snippets.authelia-authrequest};
+
+                proxy_ssl_server_name on;
                proxy_read_timeout 4800s;
              '';
            };
          };
        };
+        withAuthelia =
+          vhost: location:
+          (builtins.mapAttrs (
+            name: value:
+            (lib.recursiveUpdate value {
+              extraConfig = (if value ? extraConfig then value.extraConfig else "") + ''
+                include ${authelia-snippets.authelia-location};
+              '';
+              locations."${location}".extraConfig =
+                (
+                  if value.locations."${location}" ? extraConfig then
+                    value.locations."${location}".extraConfig
+                  else
+                    ""
+                )
+                + ''
+                  include ${authelia-snippets.proxy};
+                  include ${authelia-snippets.authelia-authrequest};
+                '';
+            })
+          ) vhost);
+        withWebsockets =
+          vhost: location:
+          (builtins.mapAttrs (
+            name: value:
+            (lib.recursiveUpdate value {
+              locations."${location}".proxyWebsockets = true;
+            })
+          ) vhost);
      in
      (
-        mkStarr "jellyfin.shobu.fr" "8096"
+        (withWebsockets (mkVHost "jellyfin.shobu.fr" "8096") "/")
        // mkStarr "radarr.shobu.fr" "7878"
        // mkStarr "sonarr.shobu.fr" "8989"
        // mkStarr "prowlarr.shobu.fr" "9696"
        // mkStarr "bazarr.shobu.fr" "6767"
-        // mkStarr "jellyseerr.shobu.fr" "5055"
-        // mkStarr "fileshelter.shobu.fr" "5091"
        // mkStarr "lidarr.shobu.fr" "8686"
        // mkStarr "whisparr.shobu.fr" "6969"
-        // mkStarr "transmission.shobu.fr" "9091"
-        // mkStarr "zimablade-admin.shobu.fr" "61208"
+        // mkVHost "jellyseerr.shobu.fr" "5055"
+        // mkVHost "transmission.shobu.fr" "9091"
+        // mkVHost "zimablade-admin.shobu.fr" "61208"
+        // (withWebsockets (withAuthelia (mkVHost "trilium.shobu.fr" "12783") "/") "/")
        // {
          "shobu.fr" = {
            enableACME = true;
@@ -109,10 +171,18 @@ in
            enableACME = true;
            forceSSL = true;

+            extraConfig = ''
+              # include ${authelia-snippets.authelia-location};
+              # error_log /var/log/nginx/debug_files.log debug;
+            '';
+
            locations."/" = {
              proxyPass = "http://${sin-address}:8086";
              extraConfig = ''
+                # include ${authelia-snippets.proxy};
+                # include ${authelia-snippets.authelia-authrequest};
                proxy_set_header X-Real-IP $remote_addr;
+                client_max_body_size 100M;
              '';
            };
          };
--- a/hosts/thea/secrets/authelia-encryption.age
+++ b/hosts/thea/secrets/authelia-encryption.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 /uqj4A 9cZH/SlDpiluz2O3wCxRcBhmt3L5eN24I0HHwiJDWRU
+VVZaJlB4QzxBPcaN3MjCemjptEbqSUMD8VVtKyGezH8
+-> ssh-ed25519 70Re8Q ZFEQxmnm+dFKSXcQAc0KxkewCB59J5FyL1Ob/uEEtVg
+fRdEZpIytxjUeSKPieIzvZaAn5Mikjp28HlZhKwzS7M
+-> ssh-ed25519 QvCxGg ifsqXBKO0mqE1RuJ44Y7qDJ7lyci8iyz+J1xFgO38jI
+MkhMTZ+RttBFFMkbIaSCSQiExR1gf4OyFWHXIsx+QYQ
+--- nnMlLyQjixpBkx+bSU5I364IP3KnZ0qnmMPueBcRHpU
+ë˜<EFBFBD>6TX—ÕÞÌfÁ““É
+®?Z7M<37>T<EFBFBD>Å|ÚQf
--- a/hosts/thea/secrets/authelia-jwt.age
+++ b/hosts/thea/secrets/authelia-jwt.age
--- a/hosts/thea/secrets/authelia-session.age
+++ b/hosts/thea/secrets/authelia-session.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 /uqj4A yxpGM3pJxfnM/5q9+NzdfG2kBjjNex6bdyUeZEBKjnI
+UO6ovn2cFeNi6SbcGpfF71/OAyQccyG+l6aZXubUal8
+-> ssh-ed25519 70Re8Q GW40lmeg6Lj7ntZswT0/hWZFpYBWoV3CMq4pdo+Ncgc
+oWTYuM/s3G7EKPWPQpHbXo9Tpzgn7YlYVQHYGn4xKS8
+-> ssh-ed25519 QvCxGg pKLpxtuMIa0xPXoaeb4WeQWVEINRE/j4nrxDB1J9BUI
+1azpt5MImTiDSF+Ts9EvUCdWMeVG7lErUHSBQfMiip4
+--- IOOR8Us6zlZhJm0V4X3IlbkHSdtR3GLLxEfa4i+lqv0
+ó P¬¥rhé"BFãŽÌŸtÌ€ê¤{¾(öB`q“Óø"AµnN_ ™f*ÏŒºvPpj&{)ìŠØ@‹ÃkFÂ«Ú]<Aš*Á<>‡<EFBFBD>´WTm”ÆªD‡,Ý1E™”¦³eÑ¨·O¢š
--- a/hosts/thea/secrets/default.nix
+++ b/hosts/thea/secrets/default.nix
@@ -0,0 +1,3 @@
+{ ... }:
+{
+}
--- a/modules/gitea/thea/virtualisation.nix
+++ b/modules/gitea/thea/virtualisation.nix
@@ -16,6 +16,10 @@
    };
  };

+  environment.systemPackages = with pkgs; [
+    podman-compose
+  ];
+
  virtualisation.oci-containers.containers =
    let
      runner_config = pkgs.writeTextFile {
Author	SHA1	Message	Date
Sin Ser'hao	b5aa64e74a	trilium & authelia setup Some checks failed / perform flake analysis (push) Has been cancelled Details / build hive configuration (push) Failing after 22m46s Details	2026-01-29 09:45:10 +01:00
Sin Ser'Hao	d7c765b80e	test Some checks failed / perform flake analysis (push) Failing after 3h0m29s Details	2026-01-27 20:40:20 +01:00
Sin Ser'hao	b3b8ffd90f	reactivate authelia module Some checks failed / perform flake analysis (push) Has been cancelled Details / build hive configuration (push) Successful in 11m6s Details	2026-01-26 16:47:05 +01:00
Sin Ser'hao	c3614c5397	use header only authelia snippet Some checks failed / build hive configuration (push) Has been cancelled Details / perform flake analysis (push) Has been cancelled Details	2026-01-26 16:46:43 +01:00
shobu	7e3186e632	fix authelia snippets Some checks failed / build hive configuration (push) Successful in 9m47s Details / perform flake analysis (push) Failing after 3h14m48s Details	2026-01-23 23:05:58 +01:00
Sin Ser'hao	2db673093e	basic authella configuration All checks were successful / perform flake analysis (push) Successful in 39s Details / build hive configuration (push) Successful in 8m59s Details	2026-01-23 20:22:03 +01:00
Sin Ser'hao	f894f65024	extend body capacity for copyparty to 100M All checks were successful / perform flake analysis (push) Successful in 38s Details / build hive configuration (push) Successful in 10m39s Details	2026-01-20 12:24:14 +01:00
Sin Ser'hao	7468ccd09f	start authelia config and change copyparty upload max size	2026-01-20 12:24:12 +01:00
sin serhao	c2f8b28b5d	collect path for volumes All checks were successful / perform flake analysis (push) Successful in 37s Details / build hive configuration (push) Successful in 10m33s Details	2026-01-20 08:16:34 +01:00
sin serhao	ff52a9c024	new disk config with ssd Some checks failed / perform flake analysis (push) Successful in 39s Details / build hive configuration (push) Failing after 9m51s Details	2026-01-20 07:39:14 +01:00
shobu	2389cfb703	delete permission on data folder All checks were successful / perform flake analysis (push) Successful in 37s Details / build hive configuration (push) Successful in 10m2s Details	2026-01-17 16:44:09 +01:00
shobu	ab408f5eed	correct permission for copyparty secrets All checks were successful / perform flake analysis (push) Successful in 38s Details / build hive configuration (push) Successful in 10m14s Details	2026-01-17 16:25:40 +01:00
shobu	37b5d11b75	change copyparty folders and add write access Some checks failed / perform flake analysis (push) Successful in 39s Details / build hive configuration (push) Has been cancelled Details	2026-01-17 16:20:53 +01:00
Sin Ser'hao	d83ecd19dd	remove reclamation flake All checks were successful / perform flake analysis (push) Successful in 36s Details / build hive configuration (push) Successful in 10m2s Details	2026-01-16 22:24:04 +01:00
sin serhao	92ab3eb6d6	lock disk to sdb Some checks failed / perform flake analysis (push) Successful in 36s Details / build hive configuration (push) Failing after 27s Details	2026-01-16 22:18:44 +01:00
sin serhao	92b6f03db1	luks	2026-01-16 22:18:44 +01:00
sin serhao	fa6bd362c8	single disk array	2026-01-16 22:18:44 +01:00
Sin Ser'hao	ccf9e6b624	add config for adhoc minecraft server Some checks failed / perform flake analysis (push) Successful in 39s Details / build hive configuration (push) Failing after 29s Details	2026-01-16 22:16:06 +01:00