feat: add ollama-webui, disable fucking dnssec until it works (never)

2025-10-11 07:10:39 +02:00 · 2024-06-09 20:19:41 +02:00 · 2024-06-09 20:19:41 +02:00 · 673ea778a0
commit 673ea778a0
parent 17eceb2253
15 changed files with 195 additions and 125 deletions
--- a/config/graphical/default.nix
+++ b/config/graphical/default.nix
@ -47,7 +47,7 @@ in
        enable = true;
        xdgOpenUsePortal = true;
        config.common = {
-          default = ["hyprland" "gtk"];
+          default = ["gtk"];
          "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
          "org.freedesktop.impl.portal.ScreenCast" = ["hyprland"];
          "org.freedesktop.impl.portal.Screenshot" = ["hyprland"];
--- a/config/resolved.nix
+++ b/config/resolved.nix
@ -5,7 +5,7 @@
 }: {
  services.resolved = {
    enable = true;
-    dnssec = "allow-downgrade";
+    dnssec = "false"; # wake me up in 20 years when DNSSEC is at least partly working
    fallbackDns = [
      "1.1.1.1"
      "2606:4700:4700::1111"
--- a/flake.lock
+++ b/flake.lock
@ -28,11 +28,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1715290355,
+        "lastModified": 1716561646,
-        "narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=",
+        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "8d37c5bdeade12b6479c85acd133063ab53187a0",
+        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
        "type": "github"
      },
      "original": {
@ -51,11 +51,11 @@
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1717022817,
+        "lastModified": 1717947583,
-        "narHash": "sha256-PHyHgQL5/b0+A/kmNCHVOM/WSJSGe1jZ+LFWfYNx31E=",
+        "narHash": "sha256-vN/pfiAzYH4i3cUb5pLqkXgPoAPtaxjUXv5aRpbKShU=",
        "owner": "oddlama",
        "repo": "agenix-rekey",
-        "rev": "c6c1ca5b9ceaaa40fd979fb25bb7043adf4554ad",
+        "rev": "4551006c2807ab361ea4db5e171afb4798da4fc2",
        "type": "github"
      },
      "original": {
@ -275,11 +275,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1713532798,
+        "lastModified": 1717408969,
-        "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
+        "narHash": "sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
+        "rev": "1ebbe68d57457c8cae98145410b164b5477761f4",
        "type": "github"
      },
      "original": {
@ -341,11 +341,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1713532798,
+        "lastModified": 1717408969,
-        "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
+        "narHash": "sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
+        "rev": "1ebbe68d57457c8cae98145410b164b5477761f4",
        "type": "github"
      },
      "original": {
@ -361,11 +361,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716168343,
+        "lastModified": 1717915259,
-        "narHash": "sha256-82oT27w9smpItZ+PyN2C0PjIwZYbIocwXSM4u1igXuc=",
+        "narHash": "sha256-VsGPboaleIlPELHY5cNTrXK4jHVmgUra8uC6h7KVC5c=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "6f01b9710bc4d3bf006eb8df928b4b15e0430901",
+        "rev": "1bbdb06f14e2621290b250e631cf3d8948e4d19b",
        "type": "github"
      },
      "original": {
@ -545,11 +545,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1715865404,
+        "lastModified": 1717285511,
-        "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
+        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
+        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
        "type": "github"
      },
      "original": {
@ -566,11 +566,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715865404,
+        "lastModified": 1717285511,
-        "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
+        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
+        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
        "type": "github"
      },
      "original": {
@ -597,21 +597,6 @@
        "type": "github"
      }
    },
    "flake-root": {
      "locked": {
        "lastModified": 1713493429,
        "narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=",
        "owner": "srid",
        "repo": "flake-root",
        "rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd",
        "type": "github"
      },
      "original": {
        "owner": "srid",
        "repo": "flake-root",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_3"
@ -707,11 +692,11 @@
        "systems": "systems_7"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1705309234,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
        "type": "github"
      },
      "original": {
@ -761,11 +746,11 @@
        "systems": "systems_11"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1701680307,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
        "type": "github"
      },
      "original": {
@ -808,6 +793,33 @@
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": "flake-compat_7",
        "gitignore": "gitignore_5",
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1717664902,
        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
@ -900,7 +912,7 @@
      "inputs": {
        "nixpkgs": [
          "nixvim",
-          "pre-commit-hooks",
+          "git-hooks",
          "nixpkgs"
        ]
      },
@ -963,11 +975,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715930644,
+        "lastModified": 1717931644,
-        "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
+        "narHash": "sha256-Sz8Wh9cAiD5FhL8UWvZxBfnvxETSCVZlqWSYWaCPyu0=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
+        "rev": "3d65009effd77cb0d6e7520b68b039836a7606cf",
        "type": "github"
      },
      "original": {
@ -984,11 +996,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715930644,
+        "lastModified": 1717525419,
-        "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
+        "narHash": "sha256-5z2422pzWnPXHgq2ms8lcCfttM0dz+hg+x1pCcNkAws=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
+        "rev": "a7117efb3725e6197dd95424136f79147aa35e5b",
        "type": "github"
      },
      "original": {
@ -999,11 +1011,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1708968331,
+        "lastModified": 1717932370,
-        "narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
+        "narHash": "sha256-7C5lCpiWiyPoIACOcu2mukn/1JRtz6HC/1aEMhUdcw0=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
+        "rev": "27979f1c3a0d3b9617a3563e2839114ba7d48d3f",
        "type": "github"
      },
      "original": {
@ -1034,11 +1046,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1715787097,
+        "lastModified": 1717441449,
-        "narHash": "sha256-TPp2j0ttvBvkk4oXidvo8Y071zEab0BtcNsC3ZEkluI=",
+        "narHash": "sha256-juxjgmLnFbl+/hhIO2cVtIa6caCO4pLKlZWUMwAOznM=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "fa673bf8656fe6f28253b83971a36999bc9995d2",
+        "rev": "e3a4dd5b381fb580804105594cc9c71dc45abdb5",
        "type": "github"
      },
      "original": {
@ -1055,11 +1067,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715901937,
+        "lastModified": 1716993688,
-        "narHash": "sha256-eMyvWP56ZOdraC2IOvZo0/RTDcrrsqJ0oJWDC76JTak=",
+        "narHash": "sha256-vo5k2wQekfeoq/2aleQkBN41dQiQHNTniZeVONWiWLs=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "ffc01182f90118119930bdfc528c1ee9a39ecef8",
+        "rev": "c0d5b8c54d6828516c97f6be9f2d00c63a363df4",
        "type": "github"
      },
      "original": {
@ -1075,11 +1087,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716170277,
+        "lastModified": 1717919703,
-        "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
+        "narHash": "sha256-4i/c31+dnpv6KdUA3BhbMDS9Lvg/CDin78caYJlq0bY=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
+        "rev": "a157a81d0a4bc909b2b6666dd71909bcdc8cd0d6",
        "type": "github"
      },
      "original": {
@ -1173,11 +1185,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1716173274,
+        "lastModified": 1717828156,
-        "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
+        "narHash": "sha256-YvstO0lobf3JWQuAfZCLYRTROC2ZDEgtWeQtWbO49p4=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
+        "rev": "057a7996d012f342a38a26261ee529cebb1755ef",
        "type": "github"
      },
      "original": {
@ -1209,11 +1221,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1716137900,
+        "lastModified": 1717786204,
-        "narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=",
+        "narHash": "sha256-4q0s6m0GUcN7q+Y2DqD27iLvbcd1G50T2lv08kKxkSI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1",
+        "rev": "051f920625ab5aabe37c920346e3e69d7d34400e",
        "type": "github"
      },
      "original": {
@ -1225,14 +1237,14 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1714640452,
+        "lastModified": 1717284937,
-        "narHash": "sha256-QBx10+k6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94=",
+        "narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
      }
    },
    "nixpkgs-lib_2": {
@ -1348,21 +1360,20 @@
        "devshell": "devshell_5",
        "flake-compat": "flake-compat_6",
        "flake-parts": "flake-parts_2",
-        "flake-root": "flake-root",
+        "git-hooks": "git-hooks",
        "home-manager": "home-manager_2",
        "nix-darwin": "nix-darwin",
        "nixpkgs": [
          "nixpkgs"
        ],
        "pre-commit-hooks": "pre-commit-hooks_5",
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1716243146,
+        "lastModified": 1717922156,
-        "narHash": "sha256-zZBIPlqtg/E8i820VwiV3pxiMs4xzM1bAnoZD6Nnpxg=",
+        "narHash": "sha256-C/TgTnKY4iWXnBmKocV9KeV+OtZGCh+1Pcw26Elx7JM=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "5b09c711e28e9b41ad0fe094e7d62232c1e7c3de",
+        "rev": "8a462dc9570bce1de5a7dd1beabd83f95958315b",
        "type": "github"
      },
      "original": {
@ -1484,33 +1495,6 @@
      }
    },
    "pre-commit-hooks_5": {
      "inputs": {
        "flake-compat": "flake-compat_7",
        "gitignore": "gitignore_5",
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1716213921,
        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "type": "github"
      }
    },
    "pre-commit-hooks_6": {
      "inputs": {
        "flake-compat": "flake-compat_8",
        "gitignore": "gitignore_6",
@ -1520,11 +1504,11 @@
        "nixpkgs-stable": "nixpkgs-stable_5"
      },
      "locked": {
-        "lastModified": 1716213921,
+        "lastModified": 1717664902,
-        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
+        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
+        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
        "type": "github"
      },
      "original": {
@ -1552,7 +1536,7 @@
        "nixos-nftables-firewall": "nixos-nftables-firewall",
        "nixpkgs": "nixpkgs",
        "nixvim": "nixvim",
-        "pre-commit-hooks": "pre-commit-hooks_6",
+        "pre-commit-hooks": "pre-commit-hooks_5",
        "stylix": "stylix",
        "templates": "templates",
        "wired-notify": "wired-notify"
@ -1639,11 +1623,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716206302,
+        "lastModified": 1717866166,
-        "narHash": "sha256-5Qc3aQGVyPEOuN82zVamStaV81HebHvLjk3fGfpyCPY=",
+        "narHash": "sha256-iOeRZXIhFpQJdxzNJ3nUAANyDfLqCslRhjGhLD2RstM=",
        "owner": "danth",
        "repo": "stylix",
-        "rev": "81df8443556335016d6f0bc22630a95776a56d8b",
+        "rev": "ca3247ed8cfbf369f3fe1b7a421579812a95c101",
        "type": "github"
      },
      "original": {
@ -1870,11 +1854,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715940852,
+        "lastModified": 1717850719,
-        "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
+        "narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
+        "rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
        "type": "github"
      },
      "original": {
@ -1892,11 +1876,11 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1715552757,
+        "lastModified": 1717582696,
-        "narHash": "sha256-ZOgCSIcdvG8+RcZCXSAEmb/LZ2Ap9wU4nvbxNDA+QN0=",
+        "narHash": "sha256-NfBasvGOrxOzkreAbVpa5KS+dMLq+oUid7Q27AaIk9o=",
        "owner": "Toqozz",
        "repo": "wired-notify",
-        "rev": "18b44306b2636fc7f238a9d946c7b8aac217122d",
+        "rev": "9fb2153a878f9b20f21a63ae5e7ee8f70f18c0d0",
        "type": "github"
      },
      "original": {
--- a/hosts/sire/guests/ai.nix
+++ b/hosts/sire/guests/ai.nix
@ -1,18 +1,80 @@
-{
+{config, ...}: let
  openWebuiDomain = "chat.${config.repo.secrets.global.domains.me}";
 in {
  microvm.mem = 1024 * 16;
  microvm.vcpu = 20;
-  networking.firewall.allowedTCPPorts = [11434];
+  wireguard.proxy-home = {
    client.via = "ward";
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
      config.services.open-webui.port
    ];
  };
  networking.firewall.allowedTCPPorts = [config.services.ollama.port];
  environment.persistence."/state".directories = [
    {
      directory = "/var/lib/private/ollama";
      mode = "0700";
    }
    {
      directory = "/var/lib/private/open-webui";
      mode = "0700";
    }
  ];
  services.ollama = {
    enable = true;
-    listenAddress = "0.0.0.0:11434";
+    host = "0.0.0.0";
    port = 11434;
  };
  services.open-webui = {
    enable = true;
    host = "0.0.0.0";
    port = 11222;
    environment = {
      SCARF_NO_ANALYTICS = "True";
      DO_NOT_TRACK = "True";
      ANONYMIZED_TELEMETRY = "False";
      WEBUI_AUTH = "False";
      ENABLE_SIGNUP = "False";
      OLLAMA_BASE_URL = "http://localhgost:11434";
      TRANSFORMERS_CACHE = "/var/lib/open-webui/.cache/huggingface";
    };
  };
  globals.services.open-webui.domain = openWebuiDomain;
  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams.open-webui = {
        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.open-webui.port}" = {};
        extraConfig = ''
          zone open-webui 64k;
          keepalive 2;
        '';
      };
      virtualHosts.${openWebuiDomain} = {
        forceSSL = true;
        useACMEWildcardHost = true;
        oauth2.enable = true;
        oauth2.allowedGroups = ["access_openwebui"];
        # FIXME: refer to lan 192.168... and fd10:: via globals
        extraConfig = ''
          client_max_body_size 512M;
          allow 192.168.1.0/24;
          allow fd10::/64;
          deny all;
        '';
        locations."/" = {
          proxyPass = "http://open-webui";
          proxyWebsockets = true;
          X-Frame-Options = "SAMEORIGIN";
        };
      };
    };
  };
 }
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -92,6 +92,7 @@ in {
          globals.services.influxdb.domain
          globals.services.loki.domain
          globals.services.paperless.domain
          globals.services.open-webui.domain
          "home.${config.repo.secrets.global.domains.me}"
          "fritzbox.${config.repo.secrets.global.domains.me}"
        ];
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -174,7 +174,7 @@ in {
      # Web Sentinel
      groups."web-sentinel.access" = {};
      groups."web-sentinel.adguardhome" = {};
-      groups."web-sentinel.influxdb" = {};
+      groups."web-sentinel.openwebui" = {};
      systems.oauth2.web-sentinel = {
        displayName = "Web Sentinel";
        originUrl = "https://oauth2.${domains.me}/";
@ -184,7 +184,7 @@ in {
        claimMaps.groups = {
          joinType = "array";
          valuesByGroup."web-sentinel.adguardhome" = ["access_adguardhome"];
-          valuesByGroup."web-sentinel.influxdb" = ["access_influxdb"];
+          valuesByGroup."web-sentinel.openwebui" = ["access_openwebui"];
        };
      };
    };
--- a/hosts/ward/kea.nix
+++ b/hosts/ward/kea.nix
@ -41,6 +41,7 @@ in {
      ];
      subnet4 = [
        {
          id = 1;
          interface = "lan-self";
          subnet = lanCidrv4;
          pools = [
--- a/hosts/zackbiene/kea.nix
+++ b/hosts/zackbiene/kea.nix
@ -29,6 +29,7 @@ in {
      };
      subnet4 = [
        {
          id = 1;
          interface = "wlan1";
          subnet = iotCidrv4;
          pools = [
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -15,8 +15,8 @@
      patches =
        old.patches
        ++ [
-          "${provisionSrc}/patches/${old.version}-oauth2-basic-secret-modify.patch"
+          "${provisionSrc}/patches/1.2.0-oauth2-basic-secret-modify.patch"
-          "${provisionSrc}/patches/${old.version}-recover-account.patch"
+          "${provisionSrc}/patches/1.2.0-recover-account.patch"
        ];
      passthru.enableSecretProvisioning = true;
      doCheck = false;
--- a/secrets/rekeyed/sire-ai/9341385afdc96bb54570bceb6808df74-wireguard-proxy-home-psks-sire-ai+ward.age
+++ b/secrets/rekeyed/sire-ai/9341385afdc96bb54570bceb6808df74-wireguard-proxy-home-psks-sire-ai+ward.age
--- a/secrets/rekeyed/sire-ai/b52800d176723e270d8c6f4720913cd2-wireguard-proxy-home-priv-sire-ai.age
+++ b/secrets/rekeyed/sire-ai/b52800d176723e270d8c6f4720913cd2-wireguard-proxy-home-priv-sire-ai.age
--- a/secrets/rekeyed/ward/b3ad9024ec69682628580e4dd4d5396b-wireguard-proxy-home-psks-sire-ai+ward.age
+++ b/secrets/rekeyed/ward/b3ad9024ec69682628580e4dd4d5396b-wireguard-proxy-home-psks-sire-ai+ward.age
--- a/secrets/wireguard/proxy-home/keys/sire-ai.age
+++ b/secrets/wireguard/proxy-home/keys/sire-ai.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> X25519 EHZOocK6ki9ByQ7QVSNPeH/yX8GFvnCKw86X6VissFU
 NG0XGoauXPFStwEQaJZqj+aKxMq2yu9zIH7htVU35Fg
 -> piv-p256 xqSe8Q AkIh87bcLjSl8pGWP583p3NpauDLip5va9hOJGBfXOCf
 V+sWvUnQUv7mBtC47eiqz/1s4lLkGa/IWZzp2OId+Zs
 -> NTZ)8hx-grease <S[o 2B|awYD H s>Y
 HcbGXvM6X2C+YLvMLbmhocK+NPuygjtGfDXhS5WRtSFCgcux9a274RxGX2I7mxYv
 sBizj09Z
 --- nMAflYYQnXHUWO5sk4cbx9U40h6BidZU6YG7LCedK7E
 
�ÞwC	ØFžï{å¬Ž”£³‘ç³ÒÚ»»sþOöB²¤£T¤!šB%€� “™'Ÿ
‚Û8¿{°–ªô¹ïrä85ä¶ùäŽ
--- a/secrets/wireguard/proxy-home/keys/sire-ai.pub
+++ b/secrets/wireguard/proxy-home/keys/sire-ai.pub
@ -0,0 +1 @@
 +ezamKKVKpethfVh4oowFZL6PGGTQiSe/bUDrL7YtTs=
--- a/secrets/wireguard/proxy-home/psks/sire-ai+ward.age
+++ b/secrets/wireguard/proxy-home/psks/sire-ai+ward.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> X25519 zJuAbhzmmCV0FfJ20rJdl6R55B5TXclR/xPQn6qhfnk
 57DJyjPyhgLfAmAD23XvUUrXDV0FRYhIh20MEGt5X7U
 -> piv-p256 xqSe8Q AnNIcn5ZuGJwBs9yWcR6AtzmpDljOpSaRZfePaYSLKTk
 W1XIdk8IrAg3pVTycJjN0CZXHLTOVAG5B4jmsHWoDU8
 -> fC;-grease ZzOIt gC6Z
 iXojZhiS/V8nloHaiCzD/Wbm9551tHTFz10nyES3lqEo0N40803WZJ+GrYZcwkSc
 gQUE7EH4aoqJifkD72HiCtrxTN3XsWQgT+PPeT5mLeM4IvqCCBjjsZI
 --- 3bQlPu16W8oFAGXu/iaCJSgXqCDMDKxQ6UeUrEFU52c
 Á�Â,>ÆÙ=($S…O²Å,þÛ»=Ö\2Å¯@:¢ÎË \ü€šø‰n2ÊˆK:¾[Ñ�5È˜àËeÔqg/G2,o0ü
		`@ -0,0 +1 @@`
							`+ezamKKVKpethfVh4oowFZL6PGGTQiSe/bUDrL7YtTs=`