chore(ssh): Update keys

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/7df7ff7d8e00218376575f0acdcc5d66741351ee?narHash=sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs%3D' (2025-10-02)
  → 'github:NixOS/nixpkgs/544961dfcce86422ba200ed9a0b00dd4b1486ec5?narHash=sha256-EVAqOteLBFmd7pKkb0%2BFIUyzTF61VKi7YmvP1tw4nEw%3D' (2025-10-15)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/9fcfabe085281dd793589bdc770a2e577a3caa5d?narHash=sha256-f9QC2KKiNReZDG2yyKAtDZh0rSK2Xp1wkPzKbHeQVRU%3D' (2025-09-29)
  → 'github:Mic92/sops-nix/ab8d56e85b8be14cff9d93735951e30c3e86a437?narHash=sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E%3D' (2025-10-13)

.gitignore

@@ -0,0 +1 @@
+.idea

flake.lock

@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1759381078,
+        "lastModified": 1760524057,
-        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
+        "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
+        "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5",
         "type": "github"
       },
       "original": {
@@ -48,11 +48,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759188042,
+        "lastModified": 1760393368,
-        "narHash": "sha256-f9QC2KKiNReZDG2yyKAtDZh0rSK2Xp1wkPzKbHeQVRU=",
+        "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "9fcfabe085281dd793589bdc770a2e577a3caa5d",
+        "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437",
         "type": "github"
       },
       "original": {

hosts/Binnenpost/default.nix

@@ -16,6 +16,7 @@
       apps = {
         speedtest.enable = true;
         technitiumDNS.enable = true;
+        traefik.enable = true;
       };
       virtualisation.guest.enable = true;
     };
@@ -76,6 +77,14 @@
       };
     };
 
+    virtualisation.oci-containers.containers.traefik.labels = {
+      "traefik.http.routers.roxanne.rule" = "Host(`roxanne.depeuter.dev`)";
+      "traefik.http.services.roxanne.loadbalancer.server.url" = "https://192.168.0.13:8006";
+
+      "traefik.http.routers.hugo.rule" = "Host(`hugo.depeuter.dev`)";
+      "traefik.http.services.hugo.loadbalancer.server.url" = "https://192.168.0.11:444";
+    };
+
     system.stateVersion = "24.05";
   };
 }

hosts/Gitea/default.nix

@@ -5,6 +5,13 @@
     homelab = {
       apps.gitea.enable = true;
       virtualisation.guest.enable = true;
+
+      users.admin = {
+        enable = true;
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrp6aM62Bf7bj1YM5AlAWuNrANU3N5e8+LtbbpmZPKS"
+        ];
+      };
     };
 
     networking = {

hosts/Vaultwarden/default.nix

@@ -9,6 +9,13 @@
         name = "Hugo's Vault";
       };
       virtualisation.guest.enable = true;
+
+      users.admin = {
+        enable = true;
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
+        ];
+      };
     };
 
     networking = {

modules/apps/arr/default.nix

@@ -12,7 +12,16 @@ let
   PGID = toString config.users.groups.media.gid;
   UMASK = "002";
 in {
-  options.homelab.apps.arr = {
+  options.homelab.apps.arr = let
+    mkAppOption = appName: {
+      enable = lib.mkEnableOption "${appName} using Docker";
+      exposePorts = lib.mkOption {
+        type = lib.types.bool;
+        description = "Expose ${appName} port";
+        default = cfg.exposePorts;
+      };
+    };
+  in {
     enable = lib.mkEnableOption "Arr Stack using Docker";
     exposePorts = lib.mkOption {
       type = lib.types.bool;
@@ -21,46 +30,11 @@ in {
       default = ! config.homelab.apps.traefik.enable;
     };
 
-    bazarr = {
+    bazarr = mkAppOption "Bazarr";
-      enable = lib.mkEnableOption "Bazarr using Docker";
+    prowlarr = mkAppOption "Prowlarr";
-      exposePorts = lib.mkOption {
+    qbittorrent = mkAppOption "qBittorrent";
-        type = lib.types.bool;
+    radarr = mkAppOption "Radarr";
-        description = "Expose Bazarr port";
+    sonarr = mkAppOption "Sonarr";
-        default = cfg.exposePorts;
-      };
-    };
-    prowlarr = {
-      enable = lib.mkEnableOption "Prowlarr using Docker";
-      exposePorts = lib.mkOption {
-        type = lib.types.bool;
-        description = "Expose Prowlarr port";
-        default = cfg.exposePorts;
-      };
-    };
-    qbittorrent = {
-      enable = lib.mkEnableOption "qBittorrent using Docker";
-      exposePorts = lib.mkOption {
-        type = lib.types.bool;
-        description = "Expose qBittorrent port";
-        default = cfg.exposePorts;
-      };
-    };
-    radarr = {
-      enable = lib.mkEnableOption "Radarr using Docker";
-      exposePorts = lib.mkOption {
-        type = lib.types.bool;
-        description = "Expose Radarr port";
-        default = cfg.exposePorts;
-      };
-    };
-    sonarr = {
-      enable = lib.mkEnableOption "Sonarr using Docker";
-      exposePorts = lib.mkOption {
-        type = lib.types.bool;
-        description = "Expose Sonarr port";
-        default = cfg.exposePorts;
-      };
-    };
   };
 
   config = {
@@ -87,9 +61,9 @@ in {
       virtualisation.containers.enable = lib.mkIf inUse true;
     };
 
-    fileSystems = lib.mkIf inUse {
+    fileSystems = let
-      "/srv/bazarr-backup" = lib.mkIf cfg.bazarr.enable {
+      mkFileSystem = device: {
-        device = "192.168.0.11:/mnt/BIG/BACKUP/BAZARR";
+        inherit device;
         fsType = "nfs";
         options = [
           "rw"
@@ -102,75 +76,14 @@ in {
         ];
       };
 
-      "/srv/prowlarr-backup" = lib.mkIf cfg.prowlarr.enable {
+      hugoBackup = "192.168.0.11:/mnt/BIG/BACKUP";
-        device = "192.168.0.11:/mnt/BIG/BACKUP/PROWLARR";
+    in lib.mkIf inUse {
-        fsType = "nfs";
+      "/srv/bazarr-backup" = lib.mkIf cfg.bazarr.enable (mkFileSystem "${hugoBackup}/BAZARR");
-        options = [
+      "/srv/prowlarr-backup" = lib.mkIf cfg.bazarr.enable (mkFileSystem "${hugoBackup}/PROWLARR");
-          "rw"
+      "/srv/qbittorrent" = lib.mkIf cfg.qbittorrent.enable (mkFileSystem "192.168.0.11:/mnt/SMALL/CONFIG/QBITTORRENT");
-          "auto"
+      "/srv/radarr-backup" = lib.mkIf cfg.radarr.enable (mkFileSystem "${hugoBackup}/RADARR");
-          "nfsvers=4.2"
+      "/srv/sonarr-backup" = lib.mkIf cfg.sonarr.enable (mkFileSystem "${hugoBackup}/SONARR");
-          "rsize=1048576" "wsize=1048576"
+      "/srv/torrent" = mkFileSystem "192.168.0.11:/mnt/SMALL/MEDIA/TORRENT";
-          "hard"
-          "timeo=600" "retrans=2"
-          "_netdev" "nosuid" "tcp"
-        ];
-      };
-
-      "/srv/qbittorrent" = lib.mkIf cfg.qbittorrent.enable {
-        device = "192.168.0.11:/mnt/SMALL/CONFIG/QBITTORRENT";
-        fsType = "nfs";
-        options = [
-          "rw"
-          "auto"
-          "nfsvers=4.2"
-          "rsize=1048576" "wsize=1048576"
-          "hard"
-          "timeo=600" "retrans=2"
-          "_netdev" "nosuid" "tcp"
-        ];
-      };
-
-      "/srv/radarr-backup" = lib.mkIf cfg.radarr.enable {
-        device = "192.168.0.11:/mnt/BIG/BACKUP/RADARR";
-        fsType = "nfs";
-        options = [
-          "rw"
-          "auto"
-          "nfsvers=4.2"
-          "rsize=1048576" "wsize=1048576"
-          "hard"
-          "timeo=600" "retrans=2"
-          "_netdev" "nosuid" "tcp"
-        ];
-      };
-
-      "/srv/sonarr-backup" = lib.mkIf cfg.sonarr.enable {
-        device = "192.168.0.11:/mnt/BIG/BACKUP/SONARR";
-        fsType = "nfs";
-        options = [
-          "rw"
-          "auto"
-          "nfsvers=4.2"
-          "rsize=1048576" "wsize=1048576"
-          "hard"
-          "timeo=600" "retrans=2"
-          "_netdev" "nosuid" "tcp"
-        ];
-      };
-
-      "/srv/torrent" = {
-        device = "192.168.0.11:/mnt/SMALL/MEDIA/TORRENT";
-        fsType = "nfs";
-        options = [
-          "rw"
-          "auto"
-          "nfsvers=4.2"
-          "rsize=1048576" "wsize=1048576"
-          "hard"
-          "timeo=600" "retrans=2"
-          "_netdev" "nosuid" "tcp"
-        ];
-      };
     };
 
     # Make sure the Docker network exists.
@@ -195,45 +108,24 @@ in {
     };
 
     # Create a user for each app.
-    users.users = {
+    users.users = let
-      bazarr = lib.mkIf cfg.bazarr.enable {
+      mkUser = uid: {
-        uid = lib.mkForce 3003;
+        uid = lib.mkForce uid;
         isSystemUser = true;
         group = config.users.groups.media.name;
         home = "/var/empty";
         shell = null;
       };
-      prowlarr = lib.mkIf cfg.prowlarr.enable {
+    in {
-        uid = lib.mkForce 3004;
+      bazarr = lib.mkIf cfg.bazarr.enable (mkUser 3003);
-        isSystemUser = true;
+      prowlarr = lib.mkIf cfg.prowlarr.enable (mkUser 3004);
-        group = config.users.groups.media.name;
+      qbittorrent = lib.mkIf cfg.qbittorrent.enable (mkUser 3005) // {
-        home = "/var/empty";
-        shell = null;
-      };
-      qbittorrent = lib.mkIf cfg.qbittorrent.enable {
-        uid = lib.mkForce 3005;
-        isSystemUser = true;
-        group = config.users.groups.media.name;
         extraGroups = [
           config.users.groups.apps.name
         ];
-        home = "/var/empty";
-        shell = null;
-      };
-      radarr = lib.mkIf cfg.radarr.enable {
-        uid = lib.mkForce 3006;
-        isSystemUser = true;
-        group = config.users.groups.media.name;
-        home = "/var/empty";
-        shell = null;
-      };
-      sonarr = lib.mkIf cfg.sonarr.enable {
-        uid = lib.mkForce 3007;
-        isSystemUser = true;
-        group = config.users.groups.media.name;
-        home = "/var/empty";
-        shell = null;
       };
+      radarr = lib.mkIf cfg.radarr.enable (mkUser 3006);
+      sonarr = lib.mkIf cfg.sonarr.enable (mkUser 3007);
     };
 
     virtualisation.oci-containers.containers = let

users/admin/default.nix

@@ -3,24 +3,30 @@
 let
   cfg = config.homelab.users.admin;
 in {
-  options.homelab.users.admin.enable = lib.mkEnableOption "user System Administrator";
+  options.homelab.users.admin = {
+    enable = lib.mkEnableOption "user System Administrator";
+    authorizedKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [
+        # HomeLab > NixOS > admin > ssh
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWIOOEqTy8cWKpENVbzD4p7bsQgQb/Dgpzk8i0dZ00T"
+      ];
+    };
+  };
 
   config = lib.mkIf cfg.enable {
     nix.settings.trusted-users = [
-      config.users.users.admin.name
+      config.users.users.gh0st.name
     ];
 
-    users.users.admin = {
+    users.users.gh0st = {
       description = "System Administrator";
       isNormalUser = true;
       extraGroups = [
         config.users.groups.wheel.name # Enable 'sudo' for the user.
       ];
       initialPassword = "ChangeMe";
-      openssh.authorizedKeys.keys = [
+      openssh.authorizedKeys.keys = cfg.authorizedKeys;
-        # HomeLab > NixOS > admin > ssh
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWIOOEqTy8cWKpENVbzD4p7bsQgQb/Dgpzk8i0dZ00T"
-      ];
       packages = with pkgs; [
         curl
         git

users/backup/default.nix

@@ -13,13 +13,8 @@ in {
         "docker" # Allow access to the docker socket.
       ];
       openssh.authorizedKeys.keys = [
-        # TODO ChangeMe
-
-        # Tibo-NixFat
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
-
         # Hugo
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAxR813vqq5zbu1NHrIybu5Imlu3k0rDCGxHiuGEhPoVV9c5FpnKNGLCi3ctm15ZcVBX4HcponYsKRBsCzM2pI4uXjxhHkLzbss5LttFuSzv5v/QHfLW1bvyJEMBEPxguGqAydAeWrBFdI9uHBEXeb325uKxMKBZHYvvpyAQ115c1wKy1bL8BfR0LTkhsFqexRvI86q59AVrAU/KFf6RXO0T9QA6H/vyWLlIPc7Ta+tSWwQ68bMmS5Pwn8q58tOAOAd6Lpt4TqUDJSppPjLEPKyKC6ShwMdEjwmwpEG0hxfsvaU8XERyQbSbEE9sLHRA2LoEdtMx3J8nzX3AwYUNspsqIv6NQZksnVqJ8OfL45ngUFcSJ6kBsUvCZfzEUGUTJ6Js0v84NOIXxNG/ZfPsk6ArXm3dvj2TYeK8llO6wpJnMMyztmmiODWoj9tepZSij44IgVM5wdWYIK/RZoYTsCQbmvJFfB8jhyJnf/7F19Vo5+LwhmCOsQh/KEK0F1DVc= admin@Hugo"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh"
       ];
     };
   };