Add audacity and vlc to default app list

flake.lock

@@ -1005,11 +1005,11 @@
     },
     "nixpkgs_12": {
       "locked": {
-        "lastModified": 1740560979,
+        "lastModified": 1741379970,
-        "narHash": "sha256-Vr3Qi346M+8CjedtbyUevIGDZW8LcA1fTG0ugPY/Hic=",
+        "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5135c59491985879812717f4c9fea69604e7f26f",
+        "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
         "type": "github"
       },
       "original": {
@@ -1544,11 +1544,11 @@
         "rust-overlay": "rust-overlay_4"
       },
       "locked": {
-        "lastModified": 1740496613,
+        "lastModified": 1741618312,
-        "narHash": "sha256-dIc02V+62Q9SftBEzsghruUSzAx/0ZWJA3eAe41KNec=",
+        "narHash": "sha256-xE/lt7LitX2ONR88L8bj0AlwuGK256AKWgiZdwhoPi8=",
         "owner": "natsukagami",
         "repo": "youmubot",
-        "rev": "f995852a1297cbbded3e2fb31d532ffb885382df",
+        "rev": "a36fa879645469dde741cb399e202834e9b6fedd",
         "type": "github"
       },
       "original": {
@@ -1562,11 +1562,11 @@
         "nixpkgs": "nixpkgs_12"
       },
       "locked": {
-        "lastModified": 1740729275,
+        "lastModified": 1741672271,
-        "narHash": "sha256-/0dJi65+7oBpfEYWrg4jihkEzAf975TVeOk+FpxaW6o=",
+        "narHash": "sha256-uwzPVIiJUus20WRMhN7xVcHNaniYPEkXjeWoM3I5rQ0=",
         "owner": "youwen5",
         "repo": "zen-browser-flake",
-        "rev": "17bd241d6a5692848b01737f595824a707de855a",
+        "rev": "f9ed87557cb28ba557a15bb313f9b81554e90e0a",
         "type": "github"
       },
       "original": {

home/modules/linux/graphical/default.nix

@@ -83,6 +83,8 @@ in
       vivaldi
       # Audio
       qpwgraph # Pipewire graph
+      audacity
+      vlc
 
       unstable.zotero
       libreoffice

home/osu.nix

@@ -5,10 +5,10 @@ let
   osu-pkg = with pkgs; with lib;
     appimageTools.wrapType2 rec {
       pname = "osu-lazer-bin";
-      version = "2025.225.0";
+      version = "2025.310.0";
       src = fetchurl {
         url = "https://github.com/ppy/osu/releases/download/${version}/osu.AppImage";
-        hash = "sha256-detSX0/akBJE2bdTxUvUUlBMKswHPF1qg9tsWZ00zso=";
+        hash = "sha256-DQQMgG4lQLonKvmQSJgGqNl1RaVPDVLfqgVeN7JLIkM=";
       };
       extraPkgs = pkgs: with pkgs; [ icu ];
 

modules/cloud/authentik/default.nix

@@ -22,8 +22,8 @@ let
     };
     authentik = mkImage {
       imageName = "ghcr.io/goauthentik/server";
-      finalImageTag = "2024.1.0.4";
+      finalImageTag = "2025.2.1";
-      imageDigest = "sha256:5843c56a56be58dcee8927c705f8c9def0af7189511c0e8e687d430f543b0f6d";
+      imageDigest = "sha256:dc07e81b4462a1dad9c6720f4c73993e37d7cb2d2f94a306187318704d112e71";
     };
   };
   authentikEnv = pkgs.writeText "authentik.env" ''

nki-personal-do/configuration.nix

@@ -27,6 +27,7 @@
     ./outline.nix
     ./vikunja.nix
     ./n8n.nix
+    ./grist.nix
   ];
 
   system.stateVersion = "21.11";
@@ -202,6 +203,16 @@
     envFile = config.sops.secrets.gts-env.path;
   };
 
+  # Grist
+  sops.secrets."grist/env" = { restartUnits = [ "arion-grist.service" ]; };
+  cloud.grist = {
+    enable = true;
+    envFile = config.sops.secrets."grist/env".path;
+    host = "tables.dtth.ch";
+    dataDir = "/mnt/data/grist";
+  };
+
+
   # ntfy
   cloud.traefik.hosts.ntfy-sh = { host = "ntfy.nkagami.me"; port = 11161; noCloudflare = true; };
   services.ntfy-sh = {

nki-personal-do/grist.nix

@@ -0,0 +1,127 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+let
+  cfg = config.cloud.grist;
+
+  mkImage =
+    { imageName, imageDigest, ... }: "${imageName}@${imageDigest}";
+  # If we can pullImage we can just do
+  # mkImage = pkgs.dockerTools.pullImage;
+
+  images = {
+    # https://hub.docker.com/r/gristlabs/grist/tags
+    grist = mkImage {
+      imageName = "docker.io/gristlabs/grist-oss";
+      finalImageTag = "1.4.2";
+      imageDigest = "sha256:508ed0024f08702ae8797a6607e42ca67e1a0be0ac95c02e75c2a226b5e9cb9b";
+    };
+    # https://hub.docker.com/r/valkey/valkey/tags
+    valkey = mkImage {
+      imageName = "docker.io/valkey/valkey";
+      finalImageTag = "8.0.2-alpine";
+      imageDigest = "sha256:0fae58181c223280867e8b6d9d5fa29fca507770aeb6819f36d059cab73fa2fd";
+    };
+  };
+  defaultEnv = {
+    GRIST_HIDE_UI_ELEMENTS = lib.concatStringsSep "," [ "helpCenter" "billing" "multiAccounts" "supportGrist" ];
+    GRIST_PAGE_TITLE_SUFFIX = " - DTTH Grist";
+    GRIST_FORCE_LOGIN = "true";
+    GRIST_WIDGET_LIST_URL = "https://github.com/gristlabs/grist-widget/releases/download/latest/manifest.json";
+    GRIST_EXTERNAL_ATTACHMENTS_MODE = "snapshots";
+
+    GRIST_SANDBOX_FLAVOR = "gvisor";
+    PYTHON_VERSION = "3";
+    PYTHON_VERSION_ON_CREATION = "3";
+  };
+in
+{
+  options.cloud.grist = {
+    enable = mkEnableOption "Grist database server";
+    envFile = mkOption {
+      type = types.path;
+      description = "Path to an environment file that specifies GRIST_SESSION_SECRET and others";
+    };
+    host = mkOption {
+      type = types.str;
+      description = "Exposed hostname";
+    };
+    port = mkOption {
+      type = types.int;
+      description = "Exposed port";
+      default = 9674;
+    };
+    dataDir = mkOption {
+      type = types.str;
+      description = "Path to the data directory";
+    };
+
+    settings = {
+      allowedWebhookDomains = mkOption {
+        type = types.listOf types.str;
+        description = "List of domains to be allowed in webhooks";
+        default = [ "dtth.ch" "nkagami.me" "discord.com" ];
+      };
+      defaultEmail = mkOption {
+        type = types.str;
+        description = "Default email address for admin user";
+        default = "nki@nkagami.me";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    cloud.traefik.hosts.grist = {
+      inherit (cfg) port host;
+    };
+    systemd.services.arion-grist = {
+      serviceConfig.Type = "notify";
+      serviceConfig.NotifyAccess = "all";
+      serviceConfig.TimeoutSec = 300;
+      script = lib.mkBefore ''
+        ${lib.getExe pkgs.wait4x} http http://127.0.0.1:${toString cfg.port} -t 0 -q -- systemd-notify --ready &
+      '';
+      unitConfig.RequiresMountsFor = [ cfg.dataDir ];
+      unitConfig.ReadWritePaths = [ cfg.dataDir ];
+    };
+    virtualisation.arion.projects.grist.settings = {
+      services.grist-server.service = {
+        image = images.grist;
+        restart = "unless-stopped";
+        volumes = [ "${cfg.dataDir}:/persist" ];
+        environment = defaultEnv // {
+          APP_HOME_URL = "https://${cfg.host}";
+          ALLOWED_WEBHOOK_DOMAINS = lib.concatStringsSep "," cfg.settings.allowedWebhookDomains;
+          GRIST_DEFAULT_EMAIL = cfg.settings.defaultEmail;
+          REDIS_URL = "redis://valkey/1";
+        };
+        env_file = [ cfg.envFile ];
+        ports = [
+          "127.0.0.1:${toString cfg.port}:8484"
+        ];
+      };
+      services.valkey.service = {
+        image = images.valkey;
+        command = "--save 60 1 --loglevel warning";
+        restart = "unless-stopped";
+        healthcheck = {
+          test = [ "CMD-SHELL" "valkey-cli ping | grep PONG" ];
+          start_period = "20s";
+          interval = "30s";
+          retries = 5;
+          timeout = "3s";
+        };
+        volumes = [ "valkey:/data" ];
+      };
+      docker-compose.volumes = {
+        valkey.driver = "local";
+      };
+    };
+    systemd.tmpfiles.settings."10-grist".${cfg.dataDir}.d = {
+      user = "root";
+      group = "root";
+      mode = "0700";
+    };
+  };
+}
+

nki-personal-do/secrets/secrets.yaml

@@ -47,6 +47,8 @@ vikunja:
     provider-clientsecret: ENC[AES256_GCM,data:/fN1rH2CKoaivhespd+/KamERjBQOdwR7QQ+hoB+pQ3ZSrBVIKbLMWyOJe8f7rVwXAByqDxQIZJEVPjcjhWSU1eicwpu57FBx+/xJLFazspTVZ+5XKyAwR+UxTHDGAgtFV00QHN53l7ygg4joWWko4IPN1JIpNIASaIWWzpsrIo=,iv:NLsZcmE1kKlzV7B/XPVfENMWlpQtOpESH0ByX1KQ8IQ=,tag:P+ZmsKq0KJAeRTTbvbduMg==,type:str]
 n8n:
     env: ENC[AES256_GCM,data:LA/6tMfGgX0cDNfhIZ+n2Ay+6OW5gPPebcXQnfO3qQJSjMjf9vwauF2+W3KpIvM1Dsg3hyNEwqLNRn/28bgWC/qpBpgU2/gVI2n5oxcQaYGgnS/jB0nZWXvORVTnXjH0R+HBFCWgMJe7v+o0EeBH6kni/Nc9geb8paRkxZOGVKeJQy9K4OB2CN6FVO9KeR7gpeQpsh5V5SVW1MoND2tpCOiIK7d0uM6OHF/7p2RFrEEAarvJssj/dZRHjA/jALuqbQ6UDAaAppqlkEgIdZdFEfgebfCWR4e4aWjznW1DGOQQYtg4k/Kj8J/df8CWXX+lUO+9nTo/lhhcH395w+CRE8GUwze15yxQppUwqyLKdYwgmpK1tFnLP/W/As2f97c1fBB9rXrZYOUEIq4GspHOTPgjzcRfWOxX8cMKG69EmeZ3mWPsIDaC1ZvkVQjjcH/o9aC7QeFCwPfcy+mgI+9RjAaCw7qdig1CwgQabAaCd2hzQ4FTXBFJoZRfYZ1v3Rdwe8zqMivIcw2AHv6kYx6c9A==,iv:KmyJ/CLAGrYfzHjSWygtgA/+am9fUrKnOsGRPgV9QfU=,tag:G3LhfdSujcaC9ZZFUse0DQ==,type:str]
+grist:
+    env: ENC[AES256_GCM,data:eT4eFHMU6UgCr/lNbdqFivzZgNREHcM4b/7ZEoKYWWNssrgIJybLm709BG8Q8/kKnBHaFUlczRQNvjS/nexZ3LymMeiXEHcuxC7lEM5otMqKzYFar2Z4YzPaUWGGezYcYBK56Ia5CF8TdWDdTbgnaSBY6R2ViJYTvS3QSdK6AhWfgGrdTVbye2lL6b11TrfI4vC25DhHJbrhFCXf995Q4nnwoACGAQ+Pkk6dsuYme4plV4WfZ8w61Y4SyNhdWYPp/rsJiAQkPajVCFjfZhH6cQCxVmSVn4c59H8MFx4qTbbXCKp3tXV5eQPWQBri5rc1XXAxgHKyrBUpx3QiYI6UDjGbf6hjXPSEWHQPXFLiLVPgH0CjXZeyxcYsr2ZLcOF87grUTR+CcxbiP4CshuJbvKyWiQ4ISOAm3m84XjXNVqn2WEf4ndqpNEG8H+BVbQ9RrGvrdlJqcrqD6rNzw0y+4SEiVPpv1NQ5M7+f+SABO8S2T4BFp95fvX2DmR/z+c9g2xiAOmZDFMzjG97rPrKuZq8+b+H3jlBZ4mxUBiz7l0c3NJ1RGtIUgr+idYGMwpSyh4C1a6LEzlW72F4vF5e5sEyWAHApRGxQCIMAP7ACBotMYgIKSPAzwThHtoTcUdBlDiQw8blsU/1c/FzkpAF5kotyNnk4vJea0H1yZ7NSz12E61qH6utG1YW5BZzZn+TKj7RfPEqzFE1POA0H8v1egE0bu1ClrYDX112iGEGI4IQHXMOu2p15O0/D+Y+QBOhpDwQWbgDXTf3ZMS2tyBtOiYT//ejfExYzV99V9t86xqmAvHODc69WC5nzWUp7SqkLLTP6gBUPSrkPs4ugZRE0q3STOmcnfxGkgpW94oj+jcZZY5supmYWK6zvJsPF9mn6,iv:pfIiOiWVEl0wEK03gnWj+ZKxOBwtBtf1hqzYOSpTm10=,tag:il0r2A/Z8q88sAiVgsuEEA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -80,8 +82,8 @@ sops:
             by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
             hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-07T23:38:16Z"
+    lastmodified: "2025-03-06T23:20:44Z"
-    mac: ENC[AES256_GCM,data:GKCMZJVKj5Fq7Ak4wQgI/pAl8JKDdzAYCBRwnxHlg0Z10AstbchAYm+LLwCaE85ebl6m/JexmfJeutJo0yGXuOIQKcEgfyNq9O/i/y34ISc4looQ6cyH5Hcxsd9JXgrmgQzVPquBXQzDHz4rj93VhNrvqmw+SgDPZVwcUznvCBI=,iv:HtUmf0qjvbYW7ngocISpqycX7ceNv0YsILgZhOMTSMg=,tag:kJ7EFOLL8o/2OFkn5PhvJw==,type:str]
+    mac: ENC[AES256_GCM,data:XSYbqif2lhjTW2yUnoqtQehXG3DjS9It1IX4LplRMSxPkK0cpK64z/ouFRi12a1tjzE5YkdmZ9DDIxkAVPG8/5kgcZr5c4ddS/Zt4d97bCeeij47yuvhhoKMRzgIDSokMMmoelOV1k4FkDOfTDuMp2+tjyCao//N9YJjhhRPFYc=,iv:YpNNrIPotZAAQOF8GXBTpMjTFxYDdAFSLB1CBvLOE+k=,tag:1eGTkLRlL4s8TruVDPCA/g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4