- Added extra HTTP headers and security configurations in the Nginx proxy for Headscale.
- Improves websocket handling, security headers, and HTTPS redirection.
- Introduced OIDC settings in Headscale, including allowed domains, client ID, client secret path, and issuer.
- Enables support for OpenID Connect authentication.
- Included `headscale.nix` in the MX system configuration for VPN management.
- Added Nginx and ACME configuration to route traffic securely to Headscale.
- Ensures Headscale is enabled with required settings and packaged in the system.
- Added `services.tailscale.enable = true` to the configurations of SGX, MX, and X1 systems for VPN support.
- Improves secure connectivity and simplifies network management across these systems.
- Added OIDC app to Nextcloud with specific URL, SHA256, and license configuration for authentication support.
- Configured Nginx to redirect `.well-known/webfinger` to Nextcloud for improved compatibility.
- Updated Nextcloud settings to include `overwrite.cli.url` for proper URL handling.
- Changed `powerManagement.cpuFreqGovernor` from `ondemand` to `performance` for enhanced CPU performance.
- Aligns system configuration with performance optimization goals.
- Disabled `security.tpm2.enable` and `security.tpm2.abrmd.enable` options.
- Ensures TPM2-related services are not active on the system for this configuration.
- Added `emailOnFailure.enable` option to metacfg with a default of `false`.
- Enabled email notifications on failure for SGX and MX systems.
- Enhanced `systemd-email-notify` module to support the new configuration.
- Removed SGX-specific settings including `aesmd_dcap`, `sgx_default_qcnl.conf`, and `security.tpm2` configurations.
- Updated `system.stateVersion` and switched kernel modules to `kvm-amd`.
- Adjusted disk UUIDs and removed unused `/boot` filesystem definition.
- Set `boot.tmp.useTmpfs` to `false` in `x86_64-linux/sgx/default.nix`.
- Applied `lib.mkDefault` to `boot.tmp.useTmpfs` in `services/base/default.nix` for consistency.
- Enabled `services.cratedocs-mcp` with firewall access in the SGX module for enhanced functionality.
- Updated multiple Flake lockfile entries to the latest revisions, ensuring access to updated upstream changes.
- Added `wantedBy = ["graphical.target"]` to the `gnome-remote-desktop` service configuration.
- Ensures the service starts automatically with the graphical session.
- Enabled `gnome-remote-desktop` to allow remote desktop connectivity by default on the `x1` system.
- Improves accessibility and remote management for the system.
- Set minimum protocol to SMB2 and enabled extended attribute (EA) support in Samba settings.
- Added `fruit:nfs_aces` and `fruit:wipe_intentionally_left_blank_rfork` options for improved macOS compatibility.
- Changed the `time-machine` key to `TimeMachineBackup` in the Samba share configuration.
- Aligns key naming to standard conventions and improves readability.
- Disabled Netatalk service by setting `enable` to `false`.
- Improved macOS compatibility in Samba with specific `fruit` and `vfs` options.
- Added a new Time Machine share configuration for backups.
- Added `power.pm_freeze_timeout` kernel setting with a value of 30000 to extend system freeze timeout.
- Removed `cloudflare-warp` from system packages and systemd packages for cleanup.
- Introduced `gemini-cli` as a CLI tool in the x1 configuration.
- Added a new overlay for `gemini-cli` package with npm dependencies.
- Removed `goose-cli` and `aider-chat` from the existing application list.
- Enabled the cratedocs-mcp service in the x1 configuration.
- Added `cratedocs` as a new flake input and included its modules and overlay.
- Updated multiple flake inputs (`nixpkgs`, `rust-overlay`, etc.) with new revisions.
- Removed inotify sysctl settings from hardware configuration.
- Added updated inotify limits under GUI services for JetBrains IDEs.
This ensures better compatibility and performance for these tools.
Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
Adjusted the virtual_alias_maps to properly include both root and admin email forwarding. Removed unused rootAlias line and ensured the configuration aligns with intended email routing behavior.
Added configuration for Postfix to use an external SMTP relay with encrypted credentials managed by SOPS. Updated `mail.nix` to include relay settings and linked the secrets file for password storage.
