19 files changed, 295 insertions, 73 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 7c8da63a..32651e14 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,9 +12,8 @@ let
 in {
  imports = with flake.nixosModules.systemProfiles; [
    ./hw.nix
-    ./mail ./libvirt
+    ./mail ./libvirt ./greetd
-    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines
+    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
-    networkmanager
    flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
    flakeInputs.impermanence.nixosModules.impermanence
    flakeInputs.nixVirt.nixosModules.default
@@ -27,6 +26,9 @@ in {
        allowUnfree = true;
        pulseaudio = true;
      };
+      extraOverlays = [
+        flakeInputs.niri-flake.overlays.niri
+      ];
    };
    time.timeZone = null;
@@ -34,7 +36,6 @@ in {
    boot = {
      initrd = {
        systemd = {
-          enable = false;
          emergencyAccess = config.users.users.root.hashedPassword;
        };
        luks.devices = {
@@ -62,15 +63,20 @@ in {
      plymouth.enable = true;
      kernelPackages = pkgs.linuxPackages_latest;
-      extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
-      kernelModules = ["v4l2loopback"];
      kernelPatches = [
        { name = "edac-config";
          patch = null;
-          extraConfig = ''
+          extraStructuredConfig = with lib.kernel; {
-            EDAC y
+            EDAC = yes;
-            EDAC_IE31200 y
+            EDAC_IE31200 = yes;
-          '';
+          };
+        }
+        { name = "zswap-default";
+          patch = null;
+          extraStructuredConfig = with lib.kernel; {
+            ZSWAP_DEFAULT_ON = yes;
+            ZSWAP_SHRINKER_DEFAULT_ON = yes;
+          };
        }
      ];
@@ -439,7 +445,7 @@ in {
      };
      xserver = {
-        enable = true;
+        enable = false;
        xkb = {
          layout = "us";
@@ -465,46 +471,15 @@ in {
      };
      libinput.enable = true;
-      greetd = {
+      envfs.enable = false;
-        enable = true;
-      #   settings.default_session.command = let
-      #     cfg = config.programs.regreet;
-      #   in pkgs.writeShellScript "greeter" ''
-      #       modprobe -r nvidia_drm
-      #       exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package}
-      #     '';
-      };
-    };
-    programs.regreet = {
-      enable = true;
-      theme = {
-        package = pkgs.equilux-theme;
-        name = "Equilux-compact";
-      };
-      iconTheme = {
-        package = pkgs.paper-icon-theme;
-        name = "Paper-Mono-Dark";
-      };
-      font = {
-        package = pkgs.fira;
-        name = "Fira Sans";
-        # size = 6;
-      };
-      cageArgs = [ "-s" "-m" "last" ];
-      settings = {
-        GTK.application_prefer_dark_theme = true;
-      };
    };
-    programs.hyprland.enable = true;
    systemd.tmpfiles.settings = {
      "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
      "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
        last_user = "gkleen";
-        user_to_last_sess.gkleen = "Hyprland";
+        user_to_last_sess.gkleen = "niri";
      });
    };
@@ -614,15 +589,15 @@ in {
      };
      nvidia = {
-        open = true;
+        open = false;
        modesetting.enable = true;
        powerManagement.enable = true;
-        prime = {
+        # prime = {
-          nvidiaBusId = "PCI:1:0:0";
+        #   nvidiaBusId = "PCI:1:0:0";
-          intelBusId = "PCI:0:2:0";
+        #   intelBusId = "PCI:0:2:0";
-          reverseSync.enable = true;
+        #   reverseSync.enable = true;
-          offload.enableOffloadCmd = true;
+        #   offload.enableOffloadCmd = true;
-        };
+        # };
      };
      graphics = {
@@ -696,6 +671,7 @@ in {
    services.dbus.packages = with pkgs;
      [ dbus dconf
+        xdg-desktop-portal-gtk
      ];
    services.udisks2.enable = true;
@@ -704,12 +680,8 @@ in {
      light.enable = true;
      wireshark.enable = true;
      dconf.enable = true;
-    };
+      niri.enable = true;
+      fuse.userAllowOther = true;
-    zramSwap = {
-      enable = true;
-      algorithm = "zstd";
-      writebackDevice = "/dev/disk/by-label/swap";
    };
    services.pcscd.enable = true;
@@ -729,6 +701,16 @@ in {
    environment.sessionVariables."GTK_USE_PORTAL" = "1";
    xdg.portal = {
      enable = true;
+      extraPortals = with pkgs; [ xdg-desktop-portal-gtk ];
+      config.niri = {
+        default = ["gnome" "gtk"];
+        "org.freedesktop.impl.portal.FileChooser" = ["gtk"];
+        "org.freedesktop.impl.portal.OpenFile" = ["gtk"];
+        "org.freedesktop.impl.portal.Access" = ["gtk"];
+        "org.freedesktop.impl.portal.Notification" = ["gtk"];
+        "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
+        "org.freedesktop.impl.portal.Inhibit" = ["none"];
+      };
    };
    environment.persistence."/.bcachefs" = {
@@ -736,11 +718,11 @@ in {
      directories = [
        "/nix"
        "/root"
+        "/home"
        "/var/log"
        "/var/lib/sops-nix"
        "/var/lib/nixos"
        "/var/lib/systemd"
-        "/home"
        "/var/lib/chrony"
        "/var/lib/fprint"
        "/var/lib/bluetooth"
@@ -769,6 +751,10 @@ in {
    home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
+    environment.pathsToLink = [
+      "share/zsh"
+    ];
    system.stateVersion = "24.11";
  };
 }
diff --git a/hosts/sif/greetd/default.nix b/hosts/sif/greetd/default.nix
new file mode 100644
index 00000000..f609fc05
--- /dev/null
+++ b/hosts/sif/greetd/default.nix
@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+{
+  config = {
+    services.greetd = {
+      enable = true;
+    #   settings.default_session.command = let
+    #     cfg = config.programs.regreet;
+    #   in pkgs.writeShellScript "greeter" ''
+    #       modprobe -r nvidia_drm
+    #       exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package}
+    #     '';
+    };
+    programs.regreet = {
+      enable = true;
+      theme = {
+        package = pkgs.equilux-theme;
+        name = "Equilux-compact";
+      };
+      iconTheme = {
+        package = pkgs.paper-icon-theme;
+        name = "Paper-Mono-Dark";
+      };
+      font = {
+        package = pkgs.fira;
+        name = "Fira Sans";
+        # size = 6;
+      };
+      cageArgs = [ "-s" "-m" "last" ];
+      settings = {
+        GTK.application_prefer_dark_theme = true;
+        widget.clock.format = "%F %H:%M:%S%:z";
+        background = {
+          path = pkgs.runCommand "wallpaper.png" {
+            buildInputs = with pkgs; [ imagemagick ];
+          } ''
+            magick ${./wallpaper.png} -filter Gaussian -resize 6.25% -define filter:sigma=2.5 -resize 1600% "$out"
+          '';
+          fit = "Cover";
+        };
+      };
+    };
+  };
+}
diff --git a/hosts/sif/greetd/wallpaper.png b/hosts/sif/greetd/wallpaper.png
new file mode 100644
index 00000000..20fc761a
--- /dev/null
+++ b/hosts/sif/greetd/wallpaper.png
Binary files differ
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
index fc20ef7c..1bcf0261 100644
--- a/hosts/sif/hw.nix
+++ b/hosts/sif/hw.nix
@@ -8,15 +8,28 @@
        options = [ "fmask=0033" "dmask=0022" ];
      };
    "/.bcachefs" =
-      { device = "/dev/mapper/sif-nvm0:/dev/mapper/sif-nvm1";
+      { options = [
+          "x-systemd.requires=/dev/disk/by-id/dm-name-sif-nvm0"
+          "x-systemd.requires=/dev/disk/by-id/dm-name-sif-nvm1"
+        ];
+        device = "/dev/disk/by-uuid/fe7bdaac-d2f3-4535-a635-e2fb97ef3802";
        fsType = "bcachefs";
        neededForBoot = true;
      };
    "/var/lib/sops-nix".neededForBoot = true;
    "/var/lib/systemd".neededForBoot = true;
  };
-  system.etc.overlay.enable = false;
+  swapDevices = [
-  systemd.sysusers.enable = false;
+    { label = "swap"; }
+  ];
+  # system.etc.overlay.enable = false;
+  boot.initrd.systemd.packages = [
+    (pkgs.writeTextDir "/etc/systemd/system/\\x2ebcachefs.mount.d/block_scan.conf" ''
+      [Mount]
+      Environment=BCACHEFS_BLOCK_SCAN=1
+    '')
+  ];
  # boot.initrd.supportedFilesystems.bcachefs = true;
  # boot.initrd.systemd.units."dev-sif-nvm0:-dev-sif-nvm1.device".enable = false;
diff --git a/hosts/sif/libvirt/default.nix b/hosts/sif/libvirt/default.nix
index d0be7dff..9712d0d9 100644
--- a/hosts/sif/libvirt/default.nix
+++ b/hosts/sif/libvirt/default.nix
@@ -8,6 +8,7 @@ with flakeInputs.nixVirt.lib;
      qemu.swtpm.enable = true;
      allowedBridges = ["virbr0" "rz-0971" "rz-2403"];
    };
+    virtualisation.spiceUSBRedirection.enable = true;
    virtualisation.libvirt = {
      enable = true;
      swtpm.enable = true;
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
index f36cd599..8d6cd705 100644
--- a/hosts/sif/mail/default.nix
+++ b/hosts/sif/mail/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
  services.postfix = {
    enable = true;
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 223e1f10..b8a639d5 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -6,7 +6,7 @@ with lib;
  imports = with flake.nixosModules.systemProfiles; [
    tmpfs-root qemu-guest openssh rebuild-machines zfs
    ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql
-    ./prometheus ./email ./vpn ./borg.nix ./etebase
+    ./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix
  ];
  config = {
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 53df798e..ee1d089d 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -157,7 +157,7 @@ in {
        ${concatMapStringsSep "\n" mkZone [
          { domain = "yggdrasil.li";
            addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
-            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "app.etesync.yggdrasil.li"];
+            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li"];
          }
          { domain = "nights.email";
            addACLs = { "nights.email" = ["ymir_acme_acl"]; };
diff --git a/hosts/surtr/dns/keys/immich.yggdrasil.li_acme b/hosts/surtr/dns/keys/immich.yggdrasil.li_acme
new file mode 100644
index 00000000..c31234bd
--- /dev/null
+++ b/hosts/surtr/dns/keys/immich.yggdrasil.li_acme
@@ -0,0 +1,24 @@
+{
+        "data": "ENC[AES256_GCM,data:1i27jx1E4nn8/iXEN90tnQve0MX0HcXyYZoQfga1djcESDARd7kX78jncqnSdEMJPIQCyq2zmvOwEiAwyofIjSBSW2teoxD1PybSZdyvKwOnwLqpVWxgw6LORUoN5c1y4+WmnQa1SJ0a1WJwZ3cFRa3LP5JPbZzmNCZWEg+yGwVHNMsmrBSrjLRFC1NPIfX69lWGZl5VIMw2/SoSMDcOsSURWIpVSEYe9LNrc4/cKQQC/rmpXBg9ekIa8xd7NQTcDZA42bDIBQxJzqkUNV3JeIrl0C+eQw==,iv:MEDhvUvy0PfcLGim06VXkiIGgkNgaQcYqGhJraaGC6M=,tag:43CdGFe5JXOsMCHrvgl+BA==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOU5OL0xxVVE2dzVOYnhP\nMUlhYlpyZGZSamU4QkpObHJLS1NJdjdwcmtjCks0OElnaHZvb3BSNnYySnVPcEUx\nazdNVUpZZGRNOVNBVTVUNUdnaC9DM00KLS0tIHUxU2dHMCt4d3hJbXlSNzBKUk1W\na05uZVRwVlMrbEZ2WEkvUy9PUVhmWXcKemRLnCC2mAkCEbZ3bC+iZmIWQCQsI+ew\ni4mmc/mUkGx8/61SR571NXIKmxSx2U5L2IK1pIKy6G/xMkPq+wDgUQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VnNUV2lRR292ZmpNeU51\nQ2YxcnVnd21ybGdpd0I1QlJuSEQwNGZYTDJrCml0YUdxaWJHTEFNYWVIY01jWGk2\nZEJSQ0VZcVV1bU9VZ3dBbUh3a0N1ekUKLS0tIFhvNnRqcnRUZFNYOVhuWkFrZ3Vk\nMjU0YnNDODJRYk9lVENLUU9KU2dkWm8KHqtuNtC39S4oiQFRhNT2OOUOY9KQvDYW\nvtcdR8MSZDE7jsqgLgGS/8lIc0GBbIwYWghgFsLmn2Bkdh2q/VuO9w==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-01-03T15:31:39Z",
+                "mac": "ENC[AES256_GCM,data:NKUbtcQf2DfALfm9kwiirmwD3slfTh4HNIg8BT/xbySHfwsaFtmlZTkhavBNr+b5snR8opATVXnJPAoykxXq8q4G1yDeitnTw6x9KfwgyZKpbJANMTBZEwK+CnZbqYRas1bFC88+D0yWI1yUnle+NPQ8VUj+KxCiUNuWO80mWhE=,iv:2a7CawUQujcZuR1pmsm9L2KGKcrBRAOxiIWEKCkTCEM=,tag:j8caxyN2fvx2FnWXHkWKcw==,type:str]",
+                "pgp": null,
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.9.2"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index 092d23ec..9af6232f 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2024102100 ; serial
+  2025010300 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -69,6 +69,14 @@ _acme-challenge.app.etesync IN	NS	ns.yggdrasil.li.
 app.etesync             IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
+immich                 IN      A       202.61.241.61
+immich                 IN      AAAA    2a03:4000:52:ada::
+immich                 IN      MX      0 surtr.yggdrasil.li
+immich                 IN      TXT     "v=spf1 redirect=surtr.yggdrasil.li"
+_acme-challenge.immich  IN      NS      ns.yggdrasil.li.
+immich                  IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
 vidhar                  IN      AAAA    2a03:4000:52:ada:4:1::
 vidhar                  IN      MX      0 ymir.yggdrasil.li
 vidhar                  IN      TXT     "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/immich.nix b/hosts/surtr/immich.nix
new file mode 100644
index 00000000..61a55e77
--- /dev/null
+++ b/hosts/surtr/immich.nix
@@ -0,0 +1,66 @@
+{ config, ... }:
+{
+  config = {
+    security.acme.rfc2136Domains = {
+      "immich.yggdrasil.li" = {
+        restartUnits = ["nginx.service"];
+      };
+    };
+    services.nginx = {
+      upstreams."immich" = {
+        servers = {
+          "[2a03:4000:52:ada:4:1::]:2283" = {};
+        };
+        extraConfig = ''
+          keepalive 8;
+        '';
+      };
+      virtualHosts = {
+        "immich.yggdrasil.li" = {
+          kTLS = true;
+          http3 = true;
+          forceSSL = true;
+          sslCertificate = "/run/credentials/nginx.service/immich.yggdrasil.li.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/immich.yggdrasil.li.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/immich.yggdrasil.li.chain.pem";
+          extraConfig = ''
+            charset utf-8;
+          '';
+          locations = {
+            "/".extraConfig = ''
+              proxy_pass http://immich;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+              proxy_redirect off;
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Host $server_name;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              client_max_body_size 0;
+              proxy_request_buffering off;
+              proxy_buffering off;
+            '';
+          };
+        };
+      };
+    };
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "immich.yggdrasil.li.key.pem:${config.security.acme.certs."immich.yggdrasil.li".directory}/key.pem"
+          "immich.yggdrasil.li.pem:${config.security.acme.certs."immich.yggdrasil.li".directory}/fullchain.pem"
+          "immich.yggdrasil.li.chain.pem:${config.security.acme.certs."immich.yggdrasil.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/surtr/tls/tsig_key.gup b/hosts/surtr/tls/tsig_key.gup
index 3d81b603..825479e5 100644
--- a/hosts/surtr/tls/tsig_key.gup
+++ b/hosts/surtr/tls/tsig_key.gup
@@ -1,6 +1,6 @@
 #!/usr/bin/env zsh
-keyFile=../dns/keys/${2:t}_acme.yaml
+keyFile=../dns/keys/${2:t}_acme
 gup -u $keyFile
 sops -d --input-type=binary --output-type=binary ${keyFile} | yq -r '.key[0].secret' > $1
-sops -p '7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8,30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51' --input-type=binary -e -i $1
-\ No newline at end of file
+sops -p '7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8,30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51' --input-type=binary -e -i $1
diff --git a/hosts/surtr/tls/tsig_keys/immich.yggdrasil.li b/hosts/surtr/tls/tsig_keys/immich.yggdrasil.li
new file mode 100644
index 00000000..73104cc1
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/immich.yggdrasil.li
@@ -0,0 +1,24 @@
+{
+        "data": "ENC[AES256_GCM,data:COfmT91I4+yiPhN3Hi7BTqMHyKhdKtwlzT9vNgTZc7FWTHhfuTtCHQo/rhX0,iv:RDs//AT8peUhKwIRdchCScUr/PlEzyMzQPB90S4k3g4=,tag:Lh4BULmQ6+hC+Ed8s9k0Hw==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVEQvU29uWnVjMS8xcGp1\nam5hZVN3ejAxaGdpVWNia0VxT0I3dzR4YlV3ClczOGd0ZDJmUDhqb2dEdm5VeUdX\nRlR1WDNYUU9qaTYrRzhYMXBTV1JjV1UKLS0tIHBONU55RWtRSkR6K2NTNFZrUEZj\nbktqY0xBdGtiZWFFV3JUUVZTOC9YV2MKI4Ytz1NZ9+Og0GzIt/bh6L3aJUeR476g\nyRNifW4eOHf4Ne02ElpEoq6woInkxk8Ou/SJVIRmEOhjwm+qbV17gQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVOVNydWcyYjFrZDR2WStu\nWkJQd3VTTGtqVzdLVFR1eFdPZXBtVFBzVXc4ClREQVpKeXlhWlBFQzVFL0VGME5K\nUUhoa3A1YWdvSkZVV1FQcUh5L3RoUmMKLS0tIHE4c3A1OTNXVk9xZHJPZTlSMlQ4\nZnZUTXdjUGZuN3NoSEFSSko1aU5aQUEKHcuI2+9q7DsDwRn7mfwcSyC7AixzCC0e\nhqnGaW0HxmtLeOFuSPLdFMhhockCYGEV/907i/X6EImepWC4cf3bqA==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-01-03T15:31:40Z",
+                "mac": "ENC[AES256_GCM,data:soDFDk35A1ULzOosZNrbhvtG3NPJDpAtLP3xrDtCBxgSGQ0lWrQ0o3MaKaJoDXQv7g/vYghmSwjH+0In0Ib3OWg0WLAlhwTEsiAn1o4JNRu/wF5aqvazOiDzFu7cyWil4Lsphy5eZgtc4IUp75SlCQc71xlNLoxudPpdcSxNLWg=,iv:jBYUZbiWM5gxFA+ZdpxpZIkz3WfgFi59tXFp242/qr8=,tag:H7ihAryZ8be+BbaqXFhRRg==,type:str]",
+                "pgp": null,
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.9.2"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 42a9e80d..b0797d8a 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 {
  imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix
    tmpfs-root zfs
    initrd-all-crypto-modules default-locale openssh rebuild-machines
    build-server
@@ -136,7 +136,7 @@ with lib;
      wantedBy = ["basic.target"];
      serviceConfig = {
        ExecStart = pkgs.writeShellScript "limit-pstate-start" ''
-          echo 60 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
+          echo 50 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
        '';
        RemainAfterExit = true;
        ExecStop = pkgs.writeShellScript "limit-pstate-stop" ''
diff --git a/hosts/vidhar/immich.nix b/hosts/vidhar/immich.nix
new file mode 100644
index 00000000..a1f145a8
--- /dev/null
+++ b/hosts/vidhar/immich.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  config = {
+    services.immich = {
+      enable = true;
+      host = "2a03:4000:52:ada:4:1::";
+    };
+  };
+}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 9f519302..10fd4c51 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -1,4 +1,5 @@
 define icmp_protos = { ipv6-icmp, icmp, igmp }
+define bifrost_surtr = 2a03:4000:52:ada:4::/128
 table arp filter {
  limit lim_arp_local {
@@ -90,6 +91,7 @@ table inet filter {
  counter http-rx {}
  counter tftp-rx {}
  counter pgbackrest-rx {}
+  counter immich-rx {}
  counter established-rx {}
@@ -118,6 +120,7 @@ table inet filter {
  counter http-tx {}
  counter tftp-tx {}
  counter pgbackrest-tx {}
+  counter immich-tx {}
  counter tx {}
@@ -193,6 +196,8 @@ table inet filter {
    tcp dport 8432 counter name pgbackrest-rx accept
+    iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
    ct state { established, related } counter name established-rx accept
@@ -240,6 +245,8 @@ table inet filter {
    tcp sport 8432 counter name pgbackrest-tx accept
+    iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
    counter name tx
  }
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
index ffb149f5..1e0828ce 100644
--- a/hosts/vidhar/pgbackrest/default.nix
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -130,8 +130,9 @@ in {
    };
    systemd.tmpfiles.rules = [
-      "d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
+      "d /var/lib/pgbackrest 0770 pgbackrest pgbackrest - -"
-      "d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
+      "d /var/spool/pgbackrest 0770 pgbackrest pgbackrest - -"
+      "d /tmp/pgbackrest 0770 pgbackrest pgbackrest - -"
    ];
    users = {
@@ -141,7 +142,9 @@ in {
        isSystemUser = true;
        home = "/var/lib/pgbackrest";
      };
-      groups.pgbackrest = {};
+      groups.pgbackrest = {
+        members = [ "postgres" ];
+      };
    };
    systemd.services."pgbackrest-tls-server".serviceConfig = {
diff --git a/hosts/vidhar/postgresql.nix b/hosts/vidhar/postgresql.nix
new file mode 100644
index 00000000..7e44e69f
--- /dev/null
+++ b/hosts/vidhar/postgresql.nix
@@ -0,0 +1,36 @@
+{ pkgs, config, flake, flakeInputs, ... }:
+let
+  nixpkgs-pgbackrest = import (flakeInputs.nixpkgs-pgbackrest.outPath + "/pkgs/top-level") {
+    overlays = [ flake.overlays.libdscp ];
+    localSystem = config.nixpkgs.system;
+  };
+in {
+  config = {
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_15;
+    };
+    services.pgbackrest = {
+      settings."vidhar" = {
+        pg1-path = config.services.postgresql.dataDir;
+        repo1-path = "/var/lib/pgbackrest";
+        repo1-retention-full-type = "time";
+        repo1-retention-full = 14;
+        repo1-retention-archive = 7;
+      };
+      backups."vidhar-daily" = {
+        stanza = "vidhar";
+        repo = "1";
+        timerConfig.OnCalendar = "daily";
+      };
+    };
+    systemd.services.postgresql.serviceConfig = {
+      ReadWritePaths = [ "/var/spool/pgbackrest" "/var/lib/pgbackrest/archive/vidhar" ];
+    };
+  };
+}
diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix
index 518c3287..9d667fd6 100644
--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -34,7 +34,7 @@ with lib;
        };
      "/etc/zfs/zfs-list.cache" =
-        { device = "ssd-raid1/local/zfs-zfs--list.cache";
+        { device = "ssd-raid1/local/etc-zfs-zfs--list.cache";
          fsType = "zfs";
          neededForBoot = true;
        };