From b4586e8661d3aba2e734026eb0d5b9950e864e39 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Mon, 27 Jan 2025 22:17:00 +0100
Subject: [PATCH 01/10] chmod

---
 .gitattributes                                      |   0
 .gitignore                                          |   0
 git-crypt/easyroam-hsmw/easyroam_client_cert.pem    | Bin
 git-crypt/easyroam-hsmw/easyroam_client_key.pem     | Bin
 git-crypt/easyroam-hsmw/easyroam_root_ca.pem        | Bin
 git-crypt/pnx-vpn/ljk-pnx-ca.pem                    | Bin
 git-crypt/pnx-vpn/ljk-pnx-cert.key                  | Bin
 git-crypt/pnx-vpn/ljk-pnx-cert.pem                  | Bin
 git-crypt/pnx-vpn/ljk-pnx.ovpn                      | Bin
 .../USERTrust-ECC-Certification-Authority.pem       | Bin
 .../USERTrust-RSA-Certification-Authority.pem       | Bin
 .../pnx_rdp_srv-phoe3-vmdms_192-168-1-104.remmina   |   0
 .../pnx/pnx_rdp_srv-phoenix-3_192-168-1-108.remmina |   0
 .../pnx/pnx_rdp_srv-phoenix2_192-168-1-101.remmina  |   0
 .../pnx/pnx_rdp_srv-remote_192-168-1-21.remmina     |   0
 home-modules/bash.nix                               |   0
 home-modules/bitwarden.nix                          |   0
 home-modules/chatterino.nix                         |   0
 home-modules/direnv.nix                             |   0
 home-modules/discord.nix                            |   0
 home-modules/email.nix                              |   0
 home-modules/fish.nix                               |   0
 home-modules/games.nix                              |   0
 home-modules/gestures.nix                           |   0
 home-modules/gimp.nix                               |   0
 home-modules/git.nix                                |   0
 home-modules/gtk.nix                                |   0
 home-modules/hyprland-autoname-workspaces.nix       |   0
 home-modules/hyprland.nix                           |   0
 home-modules/kitty.nix                              |   0
 home-modules/latex.nix                              |   0
 home-modules/mako.nix                               |   0
 home-modules/nh.nix                                 |   0
 home-modules/nx-gcal-event.nix                      |   0
 home-modules/office.nix                             |   0
 home-modules/pnx.nix                                |   0
 home-modules/programming/python.nix                 |   0
 home-modules/qt.nix                                 |   0
 home-modules/rofi.nix                               |   0
 home-modules/ssh.nix                                |   0
 home-modules/starship.nix                           |   0
 home-modules/tts.nix                                |   0
 home-modules/virt-manager.nix                       |   0
 home-modules/vscode.nix                             |   0
 home-modules/waybar.nix                             |   0
 home-modules/wlogout.nix                            |   0
 home-modules/yazi.nix                               |   0
 home-modules/zoxide.nix                             |   0
 nxlib/ricelib.nix                                   |   0
 system-modules/boot.nix                             |   0
 system-modules/davmail.nix                          |   0
 system-modules/dm.nix                               |   0
 system-modules/docker.nix                           |   0
 system-modules/fuse.nix                             |   0
 system-modules/hardware-configuration.nix           |   0
 system-modules/health_reminder.nix                  |   0
 system-modules/hsmw.nix                             |   0
 system-modules/networking.nix                       |   0
 system-modules/nvidia.nix                           |   0
 system-modules/ollama.nix                           |   0
 system-modules/sound.nix                            |   0
 system-modules/virtualisation.nix                   |   0
 62 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100755 => 100644 .gitattributes
 mode change 100755 => 100644 .gitignore
 mode change 100755 => 100644 git-crypt/easyroam-hsmw/easyroam_client_cert.pem
 mode change 100755 => 100644 git-crypt/easyroam-hsmw/easyroam_client_key.pem
 mode change 100755 => 100644 git-crypt/easyroam-hsmw/easyroam_root_ca.pem
 mode change 100755 => 100644 git-crypt/pnx-vpn/ljk-pnx-ca.pem
 mode change 100755 => 100644 git-crypt/pnx-vpn/ljk-pnx-cert.key
 mode change 100755 => 100644 git-crypt/pnx-vpn/ljk-pnx-cert.pem
 mode change 100755 => 100644 git-crypt/pnx-vpn/ljk-pnx.ovpn
 mode change 100755 => 100644 git-crypt/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem
 mode change 100755 => 100644 git-crypt/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem
 mode change 100755 => 100644 home-modules/assets/pnx/pnx_rdp_srv-phoe3-vmdms_192-168-1-104.remmina
 mode change 100755 => 100644 home-modules/assets/pnx/pnx_rdp_srv-phoenix-3_192-168-1-108.remmina
 mode change 100755 => 100644 home-modules/assets/pnx/pnx_rdp_srv-phoenix2_192-168-1-101.remmina
 mode change 100755 => 100644 home-modules/assets/pnx/pnx_rdp_srv-remote_192-168-1-21.remmina
 mode change 100755 => 100644 home-modules/bash.nix
 mode change 100755 => 100644 home-modules/bitwarden.nix
 mode change 100755 => 100644 home-modules/chatterino.nix
 mode change 100755 => 100644 home-modules/direnv.nix
 mode change 100755 => 100644 home-modules/discord.nix
 mode change 100755 => 100644 home-modules/email.nix
 mode change 100755 => 100644 home-modules/fish.nix
 mode change 100755 => 100644 home-modules/games.nix
 mode change 100755 => 100644 home-modules/gestures.nix
 mode change 100755 => 100644 home-modules/gimp.nix
 mode change 100755 => 100644 home-modules/git.nix
 mode change 100755 => 100644 home-modules/gtk.nix
 mode change 100755 => 100644 home-modules/hyprland-autoname-workspaces.nix
 mode change 100755 => 100644 home-modules/hyprland.nix
 mode change 100755 => 100644 home-modules/kitty.nix
 mode change 100755 => 100644 home-modules/latex.nix
 mode change 100755 => 100644 home-modules/mako.nix
 mode change 100755 => 100644 home-modules/nh.nix
 mode change 100755 => 100644 home-modules/nx-gcal-event.nix
 mode change 100755 => 100644 home-modules/office.nix
 mode change 100755 => 100644 home-modules/pnx.nix
 mode change 100755 => 100644 home-modules/programming/python.nix
 mode change 100755 => 100644 home-modules/qt.nix
 mode change 100755 => 100644 home-modules/rofi.nix
 mode change 100755 => 100644 home-modules/ssh.nix
 mode change 100755 => 100644 home-modules/starship.nix
 mode change 100755 => 100644 home-modules/tts.nix
 mode change 100755 => 100644 home-modules/virt-manager.nix
 mode change 100755 => 100644 home-modules/vscode.nix
 mode change 100755 => 100644 home-modules/waybar.nix
 mode change 100755 => 100644 home-modules/wlogout.nix
 mode change 100755 => 100644 home-modules/yazi.nix
 mode change 100755 => 100644 home-modules/zoxide.nix
 mode change 100755 => 100644 nxlib/ricelib.nix
 mode change 100755 => 100644 system-modules/boot.nix
 mode change 100755 => 100644 system-modules/davmail.nix
 mode change 100755 => 100644 system-modules/dm.nix
 mode change 100755 => 100644 system-modules/docker.nix
 mode change 100755 => 100644 system-modules/fuse.nix
 mode change 100755 => 100644 system-modules/hardware-configuration.nix
 mode change 100755 => 100644 system-modules/health_reminder.nix
 mode change 100755 => 100644 system-modules/hsmw.nix
 mode change 100755 => 100644 system-modules/networking.nix
 mode change 100755 => 100644 system-modules/nvidia.nix
 mode change 100755 => 100644 system-modules/ollama.nix
 mode change 100755 => 100644 system-modules/sound.nix
 mode change 100755 => 100644 system-modules/virtualisation.nix

diff --git a/.gitattributes b/.gitattributes
old mode 100755
new mode 100644
diff --git a/.gitignore b/.gitignore
old mode 100755
new mode 100644
diff --git a/git-crypt/easyroam-hsmw/easyroam_client_cert.pem b/git-crypt/easyroam-hsmw/easyroam_client_cert.pem
old mode 100755
new mode 100644
diff --git a/git-crypt/easyroam-hsmw/easyroam_client_key.pem b/git-crypt/easyroam-hsmw/easyroam_client_key.pem
old mode 100755
new mode 100644
diff --git a/git-crypt/easyroam-hsmw/easyroam_root_ca.pem b/git-crypt/easyroam-hsmw/easyroam_root_ca.pem
old mode 100755
new mode 100644
diff --git a/git-crypt/pnx-vpn/ljk-pnx-ca.pem b/git-crypt/pnx-vpn/ljk-pnx-ca.pem
old mode 100755
new mode 100644
diff --git a/git-crypt/pnx-vpn/ljk-pnx-cert.key b/git-crypt/pnx-vpn/ljk-pnx-cert.key
old mode 100755
new mode 100644
diff --git a/git-crypt/pnx-vpn/ljk-pnx-cert.pem b/git-crypt/pnx-vpn/ljk-pnx-cert.pem
old mode 100755
new mode 100644
diff --git a/git-crypt/pnx-vpn/ljk-pnx.ovpn b/git-crypt/pnx-vpn/ljk-pnx.ovpn
old mode 100755
new mode 100644
diff --git a/git-crypt/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem b/git-crypt/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem
old mode 100755
new mode 100644
diff --git a/git-crypt/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem b/git-crypt/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem
old mode 100755
new mode 100644
diff --git a/home-modules/assets/pnx/pnx_rdp_srv-phoe3-vmdms_192-168-1-104.remmina b/home-modules/assets/pnx/pnx_rdp_srv-phoe3-vmdms_192-168-1-104.remmina
old mode 100755
new mode 100644
diff --git a/home-modules/assets/pnx/pnx_rdp_srv-phoenix-3_192-168-1-108.remmina b/home-modules/assets/pnx/pnx_rdp_srv-phoenix-3_192-168-1-108.remmina
old mode 100755
new mode 100644
diff --git a/home-modules/assets/pnx/pnx_rdp_srv-phoenix2_192-168-1-101.remmina b/home-modules/assets/pnx/pnx_rdp_srv-phoenix2_192-168-1-101.remmina
old mode 100755
new mode 100644
diff --git a/home-modules/assets/pnx/pnx_rdp_srv-remote_192-168-1-21.remmina b/home-modules/assets/pnx/pnx_rdp_srv-remote_192-168-1-21.remmina
old mode 100755
new mode 100644
diff --git a/home-modules/bash.nix b/home-modules/bash.nix
old mode 100755
new mode 100644
diff --git a/home-modules/bitwarden.nix b/home-modules/bitwarden.nix
old mode 100755
new mode 100644
diff --git a/home-modules/chatterino.nix b/home-modules/chatterino.nix
old mode 100755
new mode 100644
diff --git a/home-modules/direnv.nix b/home-modules/direnv.nix
old mode 100755
new mode 100644
diff --git a/home-modules/discord.nix b/home-modules/discord.nix
old mode 100755
new mode 100644
diff --git a/home-modules/email.nix b/home-modules/email.nix
old mode 100755
new mode 100644
diff --git a/home-modules/fish.nix b/home-modules/fish.nix
old mode 100755
new mode 100644
diff --git a/home-modules/games.nix b/home-modules/games.nix
old mode 100755
new mode 100644
diff --git a/home-modules/gestures.nix b/home-modules/gestures.nix
old mode 100755
new mode 100644
diff --git a/home-modules/gimp.nix b/home-modules/gimp.nix
old mode 100755
new mode 100644
diff --git a/home-modules/git.nix b/home-modules/git.nix
old mode 100755
new mode 100644
diff --git a/home-modules/gtk.nix b/home-modules/gtk.nix
old mode 100755
new mode 100644
diff --git a/home-modules/hyprland-autoname-workspaces.nix b/home-modules/hyprland-autoname-workspaces.nix
old mode 100755
new mode 100644
diff --git a/home-modules/hyprland.nix b/home-modules/hyprland.nix
old mode 100755
new mode 100644
diff --git a/home-modules/kitty.nix b/home-modules/kitty.nix
old mode 100755
new mode 100644
diff --git a/home-modules/latex.nix b/home-modules/latex.nix
old mode 100755
new mode 100644
diff --git a/home-modules/mako.nix b/home-modules/mako.nix
old mode 100755
new mode 100644
diff --git a/home-modules/nh.nix b/home-modules/nh.nix
old mode 100755
new mode 100644
diff --git a/home-modules/nx-gcal-event.nix b/home-modules/nx-gcal-event.nix
old mode 100755
new mode 100644
diff --git a/home-modules/office.nix b/home-modules/office.nix
old mode 100755
new mode 100644
diff --git a/home-modules/pnx.nix b/home-modules/pnx.nix
old mode 100755
new mode 100644
diff --git a/home-modules/programming/python.nix b/home-modules/programming/python.nix
old mode 100755
new mode 100644
diff --git a/home-modules/qt.nix b/home-modules/qt.nix
old mode 100755
new mode 100644
diff --git a/home-modules/rofi.nix b/home-modules/rofi.nix
old mode 100755
new mode 100644
diff --git a/home-modules/ssh.nix b/home-modules/ssh.nix
old mode 100755
new mode 100644
diff --git a/home-modules/starship.nix b/home-modules/starship.nix
old mode 100755
new mode 100644
diff --git a/home-modules/tts.nix b/home-modules/tts.nix
old mode 100755
new mode 100644
diff --git a/home-modules/virt-manager.nix b/home-modules/virt-manager.nix
old mode 100755
new mode 100644
diff --git a/home-modules/vscode.nix b/home-modules/vscode.nix
old mode 100755
new mode 100644
diff --git a/home-modules/waybar.nix b/home-modules/waybar.nix
old mode 100755
new mode 100644
diff --git a/home-modules/wlogout.nix b/home-modules/wlogout.nix
old mode 100755
new mode 100644
diff --git a/home-modules/yazi.nix b/home-modules/yazi.nix
old mode 100755
new mode 100644
diff --git a/home-modules/zoxide.nix b/home-modules/zoxide.nix
old mode 100755
new mode 100644
diff --git a/nxlib/ricelib.nix b/nxlib/ricelib.nix
old mode 100755
new mode 100644
diff --git a/system-modules/boot.nix b/system-modules/boot.nix
old mode 100755
new mode 100644
diff --git a/system-modules/davmail.nix b/system-modules/davmail.nix
old mode 100755
new mode 100644
diff --git a/system-modules/dm.nix b/system-modules/dm.nix
old mode 100755
new mode 100644
diff --git a/system-modules/docker.nix b/system-modules/docker.nix
old mode 100755
new mode 100644
diff --git a/system-modules/fuse.nix b/system-modules/fuse.nix
old mode 100755
new mode 100644
diff --git a/system-modules/hardware-configuration.nix b/system-modules/hardware-configuration.nix
old mode 100755
new mode 100644
diff --git a/system-modules/health_reminder.nix b/system-modules/health_reminder.nix
old mode 100755
new mode 100644
diff --git a/system-modules/hsmw.nix b/system-modules/hsmw.nix
old mode 100755
new mode 100644
diff --git a/system-modules/networking.nix b/system-modules/networking.nix
old mode 100755
new mode 100644
diff --git a/system-modules/nvidia.nix b/system-modules/nvidia.nix
old mode 100755
new mode 100644
diff --git a/system-modules/ollama.nix b/system-modules/ollama.nix
old mode 100755
new mode 100644
diff --git a/system-modules/sound.nix b/system-modules/sound.nix
old mode 100755
new mode 100644
diff --git a/system-modules/virtualisation.nix b/system-modules/virtualisation.nix
old mode 100755
new mode 100644

From ac36fa13ac447e51b91b2ae1fee59f598d6c19fc Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Mon, 27 Jan 2025 22:18:57 +0100
Subject: [PATCH 02/10] paperless update

---
 git-crypt/secrets.nix                | Bin 3512 -> 3490 bytes
 system-modules/nx2site/paperless.nix | 330 ++++++++++++++-------------
 system-modules/nx2site/proxy.nix     |  21 +-
 system-modules/postgres.nix          |   5 +
 4 files changed, 191 insertions(+), 165 deletions(-)
 mode change 100755 => 100644 git-crypt/secrets.nix

diff --git a/git-crypt/secrets.nix b/git-crypt/secrets.nix
old mode 100755
new mode 100644
index d500f2ebb8888408f3b786a9c620ec0d9463a538..c616a1ed376884e9aba07cc13d7496f86fd9a235
GIT binary patch
literal 3490
zcmZQ@_Y83kiVO&0c(XCVyYM&v;Z0M+c@xf0QJ-)xWwr66nSBvbC;D#O{`8@DPHpyy
z!|UgNw#@A=KYC(?mD?r7!YjLSB`<j1j+WTq=o9(uN7v$zgBPEF-?7N=jFDJT%h5y2
zuC?iZT`Fz!)_?zkRHcjWUKlNTJAHAAX21XTm8^N~{d)`csbnu-b2W3`#?}54a=uRg
zabPRoQ_*WRM@y&em%M+nKHSv!iK)|J@jVx|D%DIai+qy*<JOyfv%lOFRm@p*;8^R$
z%!7~2TQ=^|Uel57Us`PPa>}HGQ`(!~PQI17$=u@c@fSV**LEnXd0aPOlmB`uy#J};
zjKI0kn-2;6-^lGeiQD|f9n+QlQ+{SwuAG*!uB?TbQK+%SG)U#n<g4l#{(oJLXa(CE
zzT*@8TKMF1RsYx18|GvlY}@eY9Vd(3)NKocCvE=vt^55`xmm^R48ONm+%*<(%et_~
zeowXU)}^v)r7Q1CznlK%|HrM-`)^Cw%{zJ4A}W=0^Y+fLXsw17=0B=qLM}8hOy93C
ziMfp9E{nfH+8$<hgMY;=_m7A!QP{F)kNu(wxdU07Wxu{xV2X9nZ8@_p^4qT+Qu8Zj
z&bAZem;D{3xc;+%T?4Zvukp>CRelzGLeEvq$Xye~dg1Tf>9KF*rZH+Cx_PX!IO*e`
z*V-EWe?BbqjY-)b@BcWfe@=>3*Xp_YMu*R@pCfThbeYj>w%T-yB-RSO^;agE74sgh
zzhpe+$lLt|8~>Vw8b6GX{x6l1WTfhUE7t4S)VrqZA4rSr@{(J=$8Fs{55dz1Ztgsi
z5Mz{e#r%>*Ue{6EnAi8-zCD-d>B18pz<kJdYU9Ny&$m}jgtWdoR3^*xRca+m!X=)-
zgXwRR1U*ju{}OSdlk<|egDczQka^bfjQ+1SAILhkW=3P*v3>q_2g}OK-UM@h4NQ|_
zm>h9k^xUZwG0A>+CEbq~PyS8e{jRHf_H4{;mdAWo*MuByd;G*I|GoXcXybJ^T$;>h
z$^XCEA}TXoXi5IMn3r>^<_frJq&|8Ybnou6rn?7g0?k`_lIP~6q~y+jD#8>t@qhVc
z&LW<Lb&pr;Z7sHXZ_D{Y^<R<{*YBx;C%@@tuHjREV9z>j)wgHU!sfQEO_6%Ch-uQz
z+RdI9QmUU=?{}Bwnzq?5eUhYBYoPi%;Y67dMX@_!n-6LjKAPR}`<3myuVoLLSi*j9
zHoPVO{Hx|;JHxu>#E8dsu6FjFF7F>tj$pF<S)ZDA@^<Wv3#Q3;zA<0RU|wLF`C(U|
z`)9#>tNwlcCwG@Q^y~MP)^*h;+n235)SSh-`Ek_5|6i{E=9;kY+V{V$y%+o%Ru))H
zH0N_sym+Yf8uz0wim&zVM?~@66^rbj8?G<4_3PtLOS4aS>}R$O@>C40_)@QViDS=1
z5sf77r~ZELAK329VEA%nzWIc|4-7Y55tO(*drGl;!lPh2$2n_R3WS)w?oX~*UK_Fh
zL->XOciwd;pKET{TRZ2#1o7038<cm<O53x=!SmHO{=LuFq;h92oAi+1`bmjSirMqp
zDc5S}?=tLrmg2W+qGx^PwdSant=6So(V;UHJUln@9>@(X|EO3!-OVO+`o55Z;vu(I
zR;*bul}mK7TGH2tVQyM#R~x@E-v4cPe!BRPC%1RJx82^~>Ttg9g5hmNm*aZ2fnIkn
z+<m{<)6O6#;Md!eT%C*9#M(YK1}(MHRe$=)X6>e5=AFR-sW(#t4Sy_q@xnm$CeP2A
z3_cR_t@$cnzVKZ<lHPiF$HY3(1nX$?qXkVS_1P}(0~8-Dyl=ej@vZ$+=O-kwwlAu_
zc=_Jk<SROj3LcY|>n;q)-fbUvZmQRD+4oy#oaA55V!Hh5vRB!snYJnYELeNXPVi~R
z>Sgx%M>^kL%sa;__TE*j?aZO?D+@D4k{Wm(ZTf3;P5H*mJ=?@4imYsiP*5?uy|Gev
z%L=Qlkx%B$%sgP#e01H7!}s+i*4f8?2$!ECQ2+fvdoNpVvhIPY=UTJ*jb4kF^~qk}
z8h`0j5MPLfgyHqz$Xz=AyZqUO<hSQOOn>z8Rq0Lt>fnAI-NF>N)~D?6Ix<|-y4erp
zgs>)V;yk!B_+O;vXH~tOTQ^=2bc-}w?Yz(Gg^THaLCa5HrW<_x_I;LF-DHQ8T?@}y
zA9<8<`{KT^QpKy6{|b0~__{_iX<wO!yRD2yCBOUsRf|QoDYAw<G?0_b6_EGd@qwS^
zZ^wMO5Kp;}6|-JHa#vNJ_WO0Sz{W@CinZ?BM#u{vc30h{y&=lBR$|R9ZPTKAPxY-b
zYSZ1Hns(}oe!5aN+eRt5K<^uq#IfDS&&uzrySeh@|9Xa+^lv!}?9J9#v*|VJKYN#!
zne}LyH}CsIqxCKa3&d`jTi06s2sxWMYw_*VyDxuP#H9JcZ^5f*&Em(l+0GFUa-5A0
zYEM~dsG{&O=;{v3=NlbZ^P1*;e8s)(gilgm!u*{KOvl8U)|ooX$<@YYKR>zS!vfiw
z#3TLuY{6`b1`><^gzx^Jb+2e$R{hH6Fh6eJ1DQ@tuBj1kYQIkm-nw?HwBq}F7Aqc{
zC|`bfvEz1259_~w^mpcM=x5J0*pcD%>-hZ{(JeU}`8LGLSEx<T_{Jf{xH?8M;-%yN
z^X+>$Htc)5t1`JrtL)U}%Rhb}vts%j&VSP3TD9#5-`Dcf7F#uP^SZ1xD2c6lDLFgF
zeT&GigC+t`I+$Kq`&sDa%(CLCyFSI^>7x%b61Vl3h<bU;2}ZFhhptO_XnQdC&?%*m
zx0h`<-!AF<a92noT=wl7<ATiT->0k>|M^@)eMh>_joOIRS&w{Vrf<owD@f`S7WAKB
zeSYU%8|DMWl1a;}ma!JSOP>(oIUy+H<?@T)Pak=ESShvVo%65R2PSYP8VGD^?z?0Y
zvroEqe)(Q5j?FjTWiQF8<7U-su}a9uk4t?tO~3rY2GjIe)dud-f@0!M^G{5k<?YUx
zRW6r)@crtJzVwQ@(`}bI{g>*Uv6la~vv%Zv4YR7Q7ZHCd4<3qIyjU{wx)`%g>9k43
z_g~9?eXVL3%dkUm+S8AR=Oo?{X=i6RTM$w=Q{79d<fHuGj{;KNt#_7mbNy5C%CodN
zJmJ2Wr~i~lOVtc^SBq61&1`*Jk9Yjjnf$m#ul8dCx6<DOJ|<hD44kIqsW19<`DoS$
zy{$E~>k=l_Id|`O$yvVa*>jI2bIv`TcZT)C_3lH;8H+b*RrXJHym$Bhk)V!Bi<Gzv
zPP)>KE${Xz%4}Tw{^rI7M>cU)cAq?>)6uANx`^kqbDWO0!lvctmWdp<Vvwt_4Ew8l
z`q93?x6fm`{;0g&A8}8DjYp>4mdoVaLK)e;ty&8guV7vL*Z3Vv&yL_zdF}U>Rme#u
znr(kt{xdbMq3qFr&S24*JZwn@yLHk!o4BuZzMPyK=^T4Tyz%ea4XsXTJKVk}ZMTxR
zZ+7L<gY`#OO|6_W<@?hzi7)Mm+vVMr7oGd#!N?U_Bv8=v%DB<KhiB(G@fPbJ&5_1l
zml8i`f1Mo6bTLxqY0>m%mQa1W3)f#6_4HS~p7_WyzWu6pSVrQyh{tIwZ=Tkuxw$fU
zTk7-g48h#q=4)<b+c`e*bG9vvEuI`aDY~fW<<g+@Q}ir!KQ&DcXMD9lYq`)4F{OxH
zi^Da&-(%)|_tamzK#1x3mi25G81o+LEMCu*d%AS{v=S8+7PiUn(;lA7GGyGYslCMZ
zWy&1QkCWEQ2suTor#@Ql^iAj7S2N8c-0Vvi2N|F9ty9@9mw(#qJ;M)!LtKvz%$Vfy
zmPbb_ba#h61H(!mC-xuD4~uB;@tEl{p-WZTsyWovYaaXhQ1|K2y*tY9huiWl78c{+
z%-B}_<eG`b`o2O&_Lt9EuW8r|oz{(M&RQ*fAV}kXM7)LEx??9?A6%1LeBRA0Ow8h7
zdGcmmp6biab23gRHU{);;(TD=8Wbq};^)83n^w;b?rZ#$vwO?i_M}iVk>_POuCuSS
z7^}K#FFs?vy<q2?oyIc+clI>+PjXAW@!RuE<>SZBr+??q`=m5??OCQKjemJ8{yyFh
zpX^y7EWTq$f7VLJ%kJH;%mqqgm;Oz@FyAsyYufSm{HFU{U%v@m8(C2;6Cj%!5Y{r|
z>-50j6Cz&}Q+%cQmrmkNI+B>Em1S3(;G6&PiKyZ1yI)Il6ExmLSok^`%bkut;L^p=
zvg6ZrfpDWIi@*PxQ=%S`EZ8D)IyGWn==n))WjEi<+Th+e$1o_$<90xV8@KCA`5bY#
zqyMK_99j2!(?mgsPnT!i+QYpw|H8pr`}V7z`;=`iwfvX8-o&_o2YfH)%_*L!Cs63u
zkuJhCami8#5w(Cxq3(XyqkZRY>l5banz_U|{qUSr_hWvG&Pd9C_{8=?-C0M>dPaG7
z+d9kbBJY2t@8b?q40^Co?dWT3-t5JTcFIq`ywlQiiP#SgPww<r`{h-t>(p77-4s})
zIm7BC(>WcrTn8OSm7j+m8+|Kw^gEPU?Q)zWdGgm)8>juVcUW(J_d{{?^h(p$2YyUj
ztz&Y3N@MxPi2C@)eDW_07D&%EC~p3-bJ4{Ew_Q@B_@$%wom)0hXr8d3>*|i%E8gfN
zzW(U4@T7$4>YMQsi+5yp%@o<0=FQ5P#vT~m7dLzLY~R3)n2-BoKYaP=T_EkF{c`p9
zB@6l1e7MFi^MuwXn-y7cFBb3Aw^<NtdG63IsncJs`>nh&KW~B6od0i3xesJth=|MH
uEito_v#oM@zLUdhf#b8M2`|u)7uaT{>cRV{ukwfttKUDp^z9LT1}^~m-@2Os

literal 3512
zcmZQ@_Y83kiVO&0@R?V9^J4YQcM1oLo8xP@^1O_aQWr08`}&aSbn;;d+tWYpU%T1I
z$#b`|+I;4cQ2y9Q3(OxKxz?*b<C4Om^>S9%maXmka+teXWO8tOKpt1(&pBuKd*)<+
zc&cS9vmv!<ZCiC#Yig<L7Jj?xtKP4sM(S@gQ?}n;xj5t0SLw+)^LcmNys=<oNay`G
z+l~Lfi+FPVb#OpP#O~&!zpl&<@XYOsbCKvUpLcf8{|~Io-4|+BPLB(pW0tL`Z}7g%
zTlsovs^r!e{^_b!-z?bIeG&CLUc80z_~y?}%<r$dHN+mXZf|hg$DJp5d&P<8F*d;u
zS$_-P_<bOFV(F~nyIQ*pqu6)Jy2T!f&vg3aQS0pFmv@1+GXKNe8QWj8B!8*noM~|I
z_yVVWw;$>&+MoUqaA(%^4ZC-(a$fOEpZRybO~U>;=Yr1|N`KF9+xcwy!g;;FW9P0^
zW^tH&;$27O+lyPQ4oNk9|5cjQDR+W9{@m9#9jA*N;Wd)8ln?!?5;!JS<y{i>R+vlf
zbjcA9WqJ27%L#SIS{*fW4fRwFX4XEAW_9S^T5?=lVE^Nw-)~AZPR%?NqjkBDaa-WF
zZ4Jk!emV9-S<ZUm>5I8mhi&fPd44(aotNw-t*e($MxSuiX*12dTJJdXTCwGo(y-5w
zvnxUw66T(J{W^s4j-kHf-PVi^9FyZiZ#Yz%tGVsId_6JfdM@`8--)w0jV>MM?LIg8
zW)-KJ$+g2-XHQNkV|=(t)kmc^ST(e!P)@u)iM1>*zI4%r@E)Cavk!%f?}_)`6S*Sl
z@a2<zce5gHP5azu>ASq?`O^hk^8NV}jPu2P-n%|6|Gc~Wb;bWx&&~@c=ER%$<s3Qv
zI(_DKi+{qo%qp_HI$y45YrYixXMLsa@|sg~dyd<=PAK2hKUaEDoqCws8{q>-Uw^MU
zD*mhNnrmb1qs#kFYE_<#x-WFS&C@9-(<7-d=%zX61XKP{+lPGRKOX*&<-ar`Dsk;x
zBaQqcRj>Q6bxm1pVx-7%%%+-MP~6QeWlibC4L5l<25h~hc3teMQQ!7y376--?!MR&
zZo$@m-|z427b_BUt5ohdr^$+cO<y&K({q2yk^9Fom)u)ky;I@eX^DrYHmk6GeEOi{
zRJPY%?w-w?GWPg8e&%RQzqruiP3uADqz#jORX07YY2J0I{)L#`p9tloJ-;}(Sp|xh
zf1b~+^psP8)BIz8&zJj`yuQ85f62mG&tdt1XZ6;nGHXuEy;SgekKFAx!E<&>U+(F(
zha6h0@QHVWdTFYAX!{2~opsw1MVz(7g8xpmuKhE6i80SEo{FO!$yf3M>Yem56+WDi
zy?gP&r;P_D6;%|*^;_)UCT)~4C4H)R&Zot$>m~?2$-B-wp-_LV^*O;;2RF4$H{p8A
z&Lw2!6wtIHtoB;V>7_0*ab62%+Z~88sJybq!~fFZ<2mupkJyhXt!palc3ArU*WBL^
zV={i-sG8ifCns+9#RUH8VSE2KYF8_N_2kN}b2HCZ2>ueWd-|am^Q1M*Nxng=(>Z^$
zdVaaTQ&>zd_|UBv-TM!9^7yCN24uSayvtc+b90Wdzwac!ctPjD2ZFP1EOgrF-`I8F
zQ*pWbi-2`5&3E^G&dV>l6lZdPp(K$%KfLdg+<ZkQ>y_nkXCCFZTe5E1;U~c}pYNpB
zq>r9T*M0Z0tWjK(r{UEVcH_tO6#{Y1zFKn)U;GQpUXf>aua>j8Ih;HHqf&=cs{h@Z
zsc&rWEOS?hc&g6B+-j1VE+AGQcOvkZ(e$6OTPLmhW$S!&<>s$PPW-Ln_3^9P-m%f+
z!7C4!A8u3f%pwncNH%Z{H-1|9C7=7tzV1bux6f&?r^g@ICtGHs&bn^1(77!EyRvgW
zq%uix#OpHbuPvLLz51bTA&=qp>0Wv4=baC2PTwpn|FNv5ahK`rYr+iMn2$<+^_=Z`
zdcm^*mZcXXe=YT5DR}T{cD>ruwmoV`c3b=DOH7-o^VXX)o9DZ>v$E-_@9KtMqm~tE
zo|aY7=ebrZoWC;Asxmz}Z?SOHt0tF!$&2!3mYC%$bGKDZpAet_|J(YDGj4XqGWtJD
zpV;u<Os+P>rKbJ6OWRVT)+Ba@w>=$iP8`VJ{V}LpE_;S<`u^_^ndQ!>UeexeC6V!}
zPQ5he6vyg?n)-3ywtT&@!pP8clM2I(c=eN^yLr{mP1tbd=I1qAC(B;eJCb~e|1R&*
z(=%=>yh>BL*7|R@){U<_6k@g-$6v4b{_#lu8iRKWdH(r3Jo)+bc(d@U1&n4_{vAEU
zwes2=ckUM-uS!Q}IQ1vqm~Fsew`k|4_GIx@Wtx|Imwh`GtiGXA*?+p%qNRee%9BnV
z2(#X|TJ+L}Eez^EZc5dJ{Xdc-b5#GL(z263t0c~GcV}jAw4RgS=atd!Smem3c1t&_
zX#Sa_r=Og;^;EfPe(@5<Kfh(qZIB6)op|OFQ{I9p>qJyO$MfF)azI#6qGR?Vx0`pj
zajdoP`)TKU@fGvVU+udc?Qbf`eP`jiSl_xs>e=J8RrU9-XbN05)10(a{56AAuZhY0
zX@A;JOwR4m;4G{EQMT{jt}hxcr<(QV*s$yi|Ii^Bcc3N8ro8#H^URb~qo3<}rgeY1
zIH_0piu#_6cjq$m*ZYe`m?jtb9E%m>u6tZA6{^oDAt)Za^OD_PqyCetE424<n@vnr
zJ6;ee999=w@GHDo^62727BOOc$Dc)IwzvJibjq~+kmL13j5%{H9y=*aR|-mCVcVFt
zbIYkoRVf!I?dK>+TUE^;wzRQ#pZ7I;kruZ@KirO=ohc^97pmJlXJNhY%Nz?khnoEr
zD_?zjrSG&mbo;M+H8T=A6~Yf$dy4-*a{IiAN^iGLM^WRW^DlB=-!*?5zG&Cwz|xlD
z@YCPxtB(ZxyyX%WEts_Ga?q12do9D?zjR)8@T+_K|G>Vr%x5?kB>DP!N=H3T`j}O2
z5x(u#&a&B8=6zMzdgzJN`L^F@mpv^PW=uPO`<R2K+tKdST{GSbS6<2R{@(YnQ$H&H
zPtM`W#~dZ!-7d|Z;K{b%R<8D;hV$gtZ6-};s;6<))h93YnS4C%A@`LEh8pihX*~b)
zm8Y4`OPjHGK}lnz=qkscxjQ}o$xoXtf8a+|@|#G5d%tZtANdxW>gQdvm^16yGZkai
z*{+Lr=ao)gwKJ`DvedE@t%1z$>ug^e@UWDB?7XxzuiBt+D~sKpw>KG7XXWo%)@*pM
z{I8jFT4n9?X;%#nsIh+FJ^hv;ZhmmsjQA71M|5Z0uU_+mXW66U8MhAjeCx>Qc(-}~
zmrL)tzpAiqu6^OM>$iH|vI@_CCv6wje!VW@<~seOG0Q40XI7J$k`g---m`w=J#}|&
zb6Cgwy?48l4j-7DU4Ovu((whEnf`Y!>2V1gnREsQc^A}4eQ5}Zj;sDrc{QGmEw_^U
zOuB4;$6U=Cwi`Roip*K?*@yX$qPLZMvvd2A((ZY&v*aJ1aA@5b{h-lWp1J;XfPzGo
z%;_n<R~TyaUG4sH_RGC~d!VZC^J$;(g0IhoN&|l;?|3h~KFr=~`cx^+KM^_m7lnL^
z6c>oC|K2iZt3+wA(;p=d<uB4_s~0WbyT|43L;3o3vr?=!uiLxn(D9{nS9$U}1Q$+Q
z)4PD7jJG(jCu#ZO+G(oxx1yh^x~}?kpyK}xEtS6Hx!Oy)ijGFPwEhWY*WU3Y$yrbE
zNnO^&Ey0%#?(DF5<9&YDiDq}7HZ9%#JKVLzURk{IH9sYC^ws5z(?72?PM3e)uYc11
z>pE+XwJ-MaKHc?HGvIeq=8u0CQ!bV>yp`H(5Vn57GT)z}{mWDKa$kEcb~y62)gjk3
z_L*MWeRH18Up!59WnJ%)#*9xAVN-bLT;b{t`}^tc{)Kj{l+|@)R2RG~Ke2-8$H_ef
zlW*SByv1^`X3p-3hg;*m#6Nn+bN0;Y8#{Ksb-DH3`1?(kqLsTQ^Gr6n5cKepON8^6
z&}7XmPi#7!G=Hdj9ZpkSpl1BG{ZP!R%0)8*9(^#G6f!?_jbfGS^9}DD7TNra_!aWc
zqCvMJL&o#MyEnqk9G#WjXJ%`yI6e9Aj$C;o(QfW;nZrk~^!P0Ev)lT9YvAIFGIx2N
zgU7#J`NcM+p8w_CS7{7)eGIJ=v{IE$c-_6F<Tx*&we+%64x7=zpP#qxQ7+0lboifU
zzG3e9$mWI&uGRP46@!j#mTjM6K2vFl!ac^Gh0i~o>u{R(qeSP}yg#`If?hv<d#K0%
z^fTQXe8LvXW*nSmGnr4?+cNL8@}y@9rAxMFrku7-bQVxfn%5vv=2WMiHQ{`c)P)YK
zhns{WTB05@dfxuufBVQM`vp=<)|=*6obR0Jx$EdzpLd~g@+_BshfUp?=*0X(;bV&2
zcVq4+=lC8@D7c~YZGWVhE`v~p;j>j~O*1Q3p63v~-S+7`cf{0S)*6}b-JcjPZ1Ci`
zU%yf1<;DMRl`npNWUwME_Ty=tWp~|gxGP*Ze8gF=oiW8J$>IddkEj`Qy&b<zjCz{4
z=ADBp=PJ>vkL(BMHWkk)Dz^OXwdttP9;*V4Pu*poc2!K|)Lq>byFn!@<wxQ+o$34Y
zPPYBO!DLxdQ>o@+R3R{P=QNXv)AOR=9$em~94E7K-^Jyc^ZH9-PG>JL7vc(gyj(|U
z{y}yfV_6Gj<|ncjmX%pNb2B(|;d@x6M9ZtZ{7~-g{|$CV%xQe|vgBm%?XGLqDs9ti
zm$!ATe9?4b$@bq%ESDZEx}ETh<EGArUAppn{*^6Msh>Zcvr~{~L)6O;t<BYienB5&
RkF5z6R8u>*`}+2yM*szd+tmO7

diff --git a/system-modules/nx2site/paperless.nix b/system-modules/nx2site/paperless.nix
index a5e45c9..185fe33 100644
--- a/system-modules/nx2site/paperless.nix
+++ b/system-modules/nx2site/paperless.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, secrets, user, domain, ... }:
+{ pkgs, config, secrets, domain, user, ... }:
 let paperless-user = "paperless"; in
 {
   sops.secrets = {
@@ -7,7 +7,10 @@ let paperless-user = "paperless"; in
     };
   };
 
-  users.users."${user}".extraGroups = [ paperless-user ];
+  users.users = {
+    "${user}".extraGroups = [ paperless-user ];
+    "${paperless-user}".extraGroups = [ "redis-paperless" ];
+  }; 
 
   services = {
     postgresql = {
@@ -19,179 +22,182 @@ let paperless-user = "paperless"; in
     };
     paperless = {
       enable = true;
-      address = "127.0.0.1";
+      # address = "0.0.0.0";
       port = 8441;
       user = paperless-user;
       consumptionDirIsPublic = true;
       # package = pkgs.paperless-ngx;
       # dataDir = "/var/lib/paperless"; # default
-      # address = "127.0.0.1";
+      address = "127.0.0.1";
       # mediaDir = "${dataDir}/media";
       passwordFile = config.sops.secrets."nx2site/paperless.pw".path;
       # consumptionDir = "${dataDir}/consume";
       # consumptionDirIsPublic = false;
       # openMPThreadingWorkaround = true;
       settings = {
-        # PAPERLESS_REDIS = "redis://localhost:6379";
-        # PAPERLESS_REDIS_PREFIX=""
-
-      PAPERLESS_DBENGINE = "postgresql";
-      # PAPERLESS_DBHOST = "/run/postgresql"; # config.services.postgresql.settings.listen_addresses;
-      # PAPERLESS_DBPORT = config.services.postgresql.settings.port;
-      PAPERLESS_DBNAME = paperless-user;
-      PAPERLESS_DBUSER = paperless-user;
-      PAPERLESS_DBPASS = secrets.nx2site.paperless.PAPERLESS_DBPASS;
-        # PAPERLESS_DBSSLMODE=
-        # PAPERLESS_DBSSLROOTCERT=null; # unset, using the documented path in the home directory.
-        # PAPERLESS_DBSSLCERT=null; # unset, using the documented path in the home directory.
-        # PAPERLESS_DBSSLKEY=null; # unset, using the documented path in the home directory.
-        # PAPERLESS_DB_TIMEOUT=null; # unset, keeping the Django defaults.
-        # PAPERLESS_TIKA_ENABLED=false
-        # PAPERLESS_TIKA_ENDPOINT="http://localhost:9998".
-        # PAPERLESS_TIKA_GOTENBERG_ENDPOINT="http://localhost:3000".
-      PAPERLESS_CONSUMPTION_DIR = "${config.services.paperless.dataDir}/consume/";  
-      # PAPERLESS_DATA_DIR = "${config.services.paperless.dataDir}/data/"; 
-      PAPERLESS_EMPTY_TRASH_DIR ="${config.services.paperless.dataDir}/trash/"; # null = really delete files
-      # PAPERLESS_MEDIA_ROOT = "${config.services.paperless.dataDir}/media/"; 
-      # PAPERLESS_STATICDIR = "${config.services.paperless.dataDir}/static/"; 
-        # PAPERLESS_FILENAME_FORMAT=
-        # PAPERLESS_FILENAME_FORMAT_REMOVE_NONE=
-      # PAPERLESS_LOGGING_DIR = "${config.services.paperless.dataDir}/log/";
-        # PAPERLESS_NLTK_DIR =
-        # PAPERLESS_MODEL_FILE= PAPERLESS_DATA_DIR/classification_model.pickle.
-        # PAPERLESS_LOGROTATE_MAX_SIZE= 1 MiB.
-        # PAPERLESS_LOGROTATE_MAX_BACKUPS= 20.
-        # PAPERLESS_SECRET_KEY=
-        # PAPERLESS_URL="" # empty string, leaving the other settings unaffected.
-        # PAPERLESS_CSRF_TRUSTED_ORIGINS=
-        # PAPERLESS_ALLOWED_HOSTS=
-        # PAPERLESS_CORS_ALLOWED_HOSTS=
-        # PAPERLESS_TRUSTED_PROXIES=
-        # PAPERLESS_FORCE_SCRIPT_NAME=
-        # PAPERLESS_STATIC_URL= "/static/".
-        # PAPERLESS_AUTO_LOGIN_USERNAME=null;
-      PAPERLESS_ADMIN_USER="${user}";
-      PAPERLESS_ADMIN_MAIL=secrets.email.gmail-online.mail;
-      # PAPERLESS_ADMIN_PASSWORD=;
-        # PAPERLESS_COOKIE_PREFIX=
-        # PAPERLESS_ENABLE_HTTP_REMOTE_USER=
-        # PAPERLESS_ENABLE_HTTP_REMOTE_USER_API=
-        # PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=
-      # PAPERLESS_LOGOUT_REDIRECT_URL="https://youtu.be/dMN-pjcchrE?si=EcFYvAnbXFkounYR";
-        # PAPERLESS_USE_X_FORWARD_HOST= false
-        # PAPERLESS_USE_X_FORWARD_PORT= false
-        # PAPERLESS_PROXY_SSL_HEADER= null
-        # PAPERLESS_EMAIL_CERTIFICATE_LOCATION = null;
-        # PAPERLESS_SOCIALACCOUNT_PROVIDERS=;
-        # PAPERLESS_SOCIAL_AUTO_SIGNUP = false;
-        # PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS= True
-        # PAPERLESS_ACCOUNT_ALLOW_SIGNUPS= False
-        # PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL= 'https'
-        # PAPERLESS_ACCOUNT_EMAIL_VERIFICATION= 'optional'
-        # PAPERLESS_DISABLE_REGULAR_LOGIN= False
-        # PAPERLESS_REDIRECT_LOGIN_TO_SSO= False
-        # PAPERLESS_ACCOUNT_SESSION_REMEMBER= True
-        # PAPERLESS_SESSION_COOKIE_AGE= 1209600; # (2 weeks)
-        PAPERLESS_OCR_LANGUAGE = "eng+deu";
-        # PAPERLESS_OCR_MODE= "skip";
-        # PAPERLESS_OCR_SKIP_ARCHIVE_FILE=
-        # PAPERLESS_OCR_CLEAN= clean.
-        # PAPERLESS_OCR_DESKEW = true; # which enables this feature.
-        # PAPERLESS_OCR_ROTATE_PAGES = true; # which enables this feature.
-        # PAPERLESS_OCR_ROTATE_PAGES_THRESHOLD = "12";
-        # PAPERLESS_OCR_OUTPUT_TYPE = "pdfa";
-        # PAPERLESS_OCR_PAGES = null;
-        # PAPERLESS_OCR_IMAGE_DPI = null;
-        # PAPERLESS_OCR_MAX_IMAGE_PIXELS=
-        # PAPERLESS_OCR_COLOR_CONVERSION_STRATEGY=
-        PAPERLESS_OCR_USER_ARGS = {
-          optimize = 1;
-          pdfa_image_compression = "lossless";
-        };
-        # PAPERLESS_TASK_WORKERS= 1
-        # PAPERLESS_THREADS_PER_WORKER=
-        # PAPERLESS_WORKER_TIMEOUT=
-        PAPERLESS_TIME_ZONE = "CET";
-        # PAPERLESS_ENABLE_NLTK=1;
-        # PAPERLESS_EMAIL_TASK_CRON= */10 * * * * or every ten minutes.
-        # PAPERLESS_TRAIN_TASK_CRON= 5 */1 * * * or every hour at 5 minutes past the hour.
-        # PAPERLESS_INDEX_TASK_CRON= 0 0 * * * or daily at midnight.
-        # PAPERLESS_SANITY_TASK_CRON= 30 0 * * sun or Sunday at 30 minutes past midnight.
-        # PAPERLESS_ENABLE_COMPRESSION = 1; # enabling compression.
-        # PAPERLESS_CONVERT_MEMORY_LIMIT = 0; # which disables the limit.
-        # PAPERLESS_CONVERT_TMPDIR =
-        # PAPERLESS_APPS = null;
-        # PAPERLESS_MAX_IMAGE_PIXELS = null;
-        # PAPERLESS_CONSUMER_DELETE_DUPLICATES= false.
-        # PAPERLESS_CONSUMER_RECURSIVE= false.
-        # PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS= false.
-        PAPERLESS_CONSUMER_IGNORE_PATTERNS = [
-          ".DS_Store"
-          ".DS_STORE"
-          "._*"
-          ".stfolder/*"
-          ".stversions/*"
-          ".localized/*"
-          "desktop.ini"
-          "@eaDir/*"
-          "Thumbs.db"
-        ];
-        # PAPERLESS_CONSUMER_BARCODE_SCANNER=
-        # PAPERLESS_PRE_CONSUME_SCRIPT=
-        # PAPERLESS_POST_CONSUME_SCRIPT=
-        # PAPERLESS_FILENAME_DATE_ORDER= none, which disables this feature.
-        # PAPERLESS_NUMBER_OF_SUGGESTED_DATES= 3. Set to 0 to disable this feature.
-        # PAPERLESS_THUMBNAIL_FONT_NAME= /usr/share/fonts/liberation/LiberationSerif-Regular.ttf.
-        # PAPERLESS_IGNORE_DATES="";
-        # PAPERLESS_DATE_ORDER = "DMY";
-        # PAPERLESS_ENABLE_GPG_DECRYPTOR = false;
-        # PAPERLESS_CONSUMER_POLLING = 0; # which disables polling and uses filesystem notifications.
-        # PAPERLESS_CONSUMER_POLLING_RETRY_COUNT = 5;
-        # PAPERLESS_CONSUMER_POLLING_DELAY = 5;
-        # PAPERLESS_CONSUMER_INOTIFY_DELAY= 0.5; # seconds.
-        # PAPERLESS_OAUTH_CALLBACK_BASE_URL = null;
-        # PAPERLESS_GMAIL_OAUTH_CLIENT_ID = null;
-        # PAPERLESS_GMAIL_OAUTH_CLIENT_SECRET = null;
-        # PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID = null;
-        # PAPERLESS_OUTLOOK_OAUTH_CLIENT_SECRET = null;
-        # PAPERLESS_EMAIL_GNUPG_HOME=
-        # PAPERLESS_CONSUMER_ENABLE_BARCODES=
-        # PAPERLESS_CONSUMER_BARCODE_TIFF_SUPPORT= false.
-        # PAPERLESS_CONSUMER_BARCODE_STRING= "PATCHT"
-        # PAPERLESS_CONSUMER_BARCODE_RETAIN_SPLIT_PAGES= false.
-        # PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE= false.
-        # PAPERLESS_CONSUMER_ASN_BARCODE_PREFIX= "ASN"
-        # PAPERLESS_CONSUMER_BARCODE_UPSCALE= 0.0
-        # PAPERLESS_CONSUMER_BARCODE_DPI= "300"
-        # PAPERLESS_CONSUMER_BARCODE_MAX_PAGES= "0"
-        # PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE= false.
-        # PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING=
-        # PAPERLESS_AUDIT_LOG_ENABLED= true.
-        # PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED= false.
-        # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_SUBDIR_NAME= "double-sided".
-        # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_TIFF_SUPPORT= false.
-      # PAPERLESS_EMPTY_TRASH_DELAY = 30; # days, minimum of 1 day.
-        # PAPERLESS_EMPTY_TRASH_TASK_CRON= 0 1 * * *, once per day.
-        # PAPERLESS_CONVERT_BINARY = "convert".
-      # PAPERLESS_GS_BINARY = "${pkgs.ghostscript}/bin/gs";
-        # PAPERLESS_WEBSERVER_WORKERS= 1;
-        # PAPERLESS_BIND_ADDR= [::], meaning all interfaces, including IPv6.
-        # PAPERLESS_PORT = config.services.paperless.port;
-        # PAPERLESS_OCR_LANGUAGES=
-        # PAPERLESS_ENABLE_FLOWER=
-        # PAPERLESS_SUPERVISORD_WORKING_DIR=
-      # PAPERLESS_APP_TITLE = "NxPPL";
-        # PAPERLESS_APP_LOGO =
-        # PAPERLESS_ENABLE_UPDATE_CHECK=false;
-        # PAPERLESS_EMAIL_HOST = "localhost";
-        # PAPERLESS_EMAIL_PORT= 25.
-        # PAPERLESS_EMAIL_HOST_USER= "";
-        # PAPERLESS_EMAIL_FROM=
-        # PAPERLESS_EMAIL_HOST_PASSWORD = "".
-        # PAPERLESS_EMAIL_USE_TLS = false.
-        # PAPERLESS_EMAIL_USE_SSL = false. 
+          # PAPERLESS_REDIS = "redis://localhost:6379";
+          # PAPERLESS_REDIS_PREFIX=""
+        # PAPERLESS_DBENGINE = "postgresql";
+        PAPERLESS_DBHOST = "/run/postgresql";
+        # PAPERLESS_DBHOST = config.services.postgresql.settings.listen_addresses;
+        # PAPERLESS_DBPORT = config.services.postgresql.settings.port;
+        # PAPERLESS_DBNAME = paperless-user;
+        # PAPERLESS_DBUSER = paperless-user;
+        PAPERLESS_DBPASS = secrets.nx2site.paperless.PAPERLESS_DBPASS;
+          # PAPERLESS_DBSSLMODE=
+          # PAPERLESS_DBSSLROOTCERT=null; # unset, using the documented path in the home directory.
+          # PAPERLESS_DBSSLCERT=null; # unset, using the documented path in the home directory.
+          # PAPERLESS_DBSSLKEY=null; # unset, using the documented path in the home directory.
+          # PAPERLESS_DB_TIMEOUT=null; # unset, keeping the Django defaults.
+          # PAPERLESS_TIKA_ENABLED=false
+          # PAPERLESS_TIKA_ENDPOINT="http://localhost:9998".
+          # PAPERLESS_TIKA_GOTENBERG_ENDPOINT="http://localhost:3000".
+        PAPERLESS_CONSUMPTION_DIR = "${config.services.paperless.dataDir}/consume/";  
+        # PAPERLESS_DATA_DIR = "${config.services.paperless.dataDir}/data/"; 
+        # PAPERLESS_MEDIA_ROOT = "${config.services.paperless.dataDir}/media/"; 
+        # PAPERLESS_STATICDIR = "${config.services.paperless.dataDir}/static/"; 
+          # PAPERLESS_FILENAME_FORMAT=
+          # PAPERLESS_FILENAME_FORMAT_REMOVE_NONE=
+        # PAPERLESS_LOGGING_DIR = "${config.services.paperless.dataDir}/log/";
+          # PAPERLESS_NLTK_DIR =
+          # PAPERLESS_MODEL_FILE= PAPERLESS_DATA_DIR/classification_model.pickle.
+          # PAPERLESS_LOGROTATE_MAX_SIZE= 1 MiB.
+          # PAPERLESS_LOGROTATE_MAX_BACKUPS= 20.
+          # PAPERLESS_SECRET_KEY=
+          PAPERLESS_URL = "https://doc.${domain}";
+          # PAPERLESS_CSRF_TRUSTED_ORIGINS=
+          # PAPERLESS_ALLOWED_HOSTS=
+          # PAPERLESS_CORS_ALLOWED_HOSTS=
+          # PAPERLESS_TRUSTED_PROXIES=
+          # PAPERLESS_FORCE_SCRIPT_NAME=
+          # PAPERLESS_STATIC_URL= "/static/".
+          # PAPERLESS_AUTO_LOGIN_USERNAME=null;
+        # PAPERLESS_ADMIN_USER="${user}";
+        # PAPERLESS_ADMIN_MAIL=secrets.email.gmail-online.mail;
+        # PAPERLESS_ADMIN_PASSWORD=;
+          # PAPERLESS_COOKIE_PREFIX=
+          # PAPERLESS_ENABLE_HTTP_REMOTE_USER=
+          # PAPERLESS_ENABLE_HTTP_REMOTE_USER_API=
+          # PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=
+        # PAPERLESS_LOGOUT_REDIRECT_URL="https://youtu.be/dMN-pjcchrE?si=EcFYvAnbXFkounYR";
+          # PAPERLESS_USE_X_FORWARD_HOST= false
+          # PAPERLESS_USE_X_FORWARD_PORT= false
+          # PAPERLESS_PROXY_SSL_HEADER= null
+          # PAPERLESS_EMAIL_CERTIFICATE_LOCATION = null;
+          # PAPERLESS_SOCIALACCOUNT_PROVIDERS=;
+          # PAPERLESS_SOCIAL_AUTO_SIGNUP = false;
+          # PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS= True
+          # PAPERLESS_ACCOUNT_ALLOW_SIGNUPS= False
+          # PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL= 'https'
+          # PAPERLESS_ACCOUNT_EMAIL_VERIFICATION= 'optional'
+          # PAPERLESS_DISABLE_REGULAR_LOGIN= False
+          # PAPERLESS_REDIRECT_LOGIN_TO_SSO= False
+          # PAPERLESS_ACCOUNT_SESSION_REMEMBER= True
+          # PAPERLESS_SESSION_COOKIE_AGE= 1209600; # (2 weeks)
+          PAPERLESS_OCR_LANGUAGE = "eng+deu";
+          # PAPERLESS_OCR_MODE= "skip";
+          # PAPERLESS_OCR_SKIP_ARCHIVE_FILE=
+          # PAPERLESS_OCR_CLEAN= clean.
+          # PAPERLESS_OCR_DESKEW = true; # which enables this feature.
+          # PAPERLESS_OCR_ROTATE_PAGES = true; # which enables this feature.
+          # PAPERLESS_OCR_ROTATE_PAGES_THRESHOLD = "12";
+          # PAPERLESS_OCR_OUTPUT_TYPE = "pdfa";
+          # PAPERLESS_OCR_PAGES = null;
+          # PAPERLESS_OCR_IMAGE_DPI = null;
+          # PAPERLESS_OCR_MAX_IMAGE_PIXELS=
+          # PAPERLESS_OCR_COLOR_CONVERSION_STRATEGY=
+          PAPERLESS_OCR_USER_ARGS = {
+            optimize = 1;
+            pdfa_image_compression = "lossless";
+          };
+          # PAPERLESS_TASK_WORKERS= 1
+          # PAPERLESS_THREADS_PER_WORKER=
+          # PAPERLESS_WORKER_TIMEOUT=
+          PAPERLESS_TIME_ZONE = "CET";
+          # PAPERLESS_ENABLE_NLTK=1;
+          # PAPERLESS_EMAIL_TASK_CRON= */10 * * * * or every ten minutes.
+          # PAPERLESS_TRAIN_TASK_CRON= 5 */1 * * * or every hour at 5 minutes past the hour.
+          # PAPERLESS_INDEX_TASK_CRON= 0 0 * * * or daily at midnight.
+          # PAPERLESS_SANITY_TASK_CRON= 30 0 * * sun or Sunday at 30 minutes past midnight.
+          # PAPERLESS_ENABLE_COMPRESSION = 1; # enabling compression.
+          # PAPERLESS_CONVERT_MEMORY_LIMIT = 0; # which disables the limit.
+          # PAPERLESS_CONVERT_TMPDIR =
+          # PAPERLESS_APPS = null;
+          # PAPERLESS_MAX_IMAGE_PIXELS = null;
+          # PAPERLESS_CONSUMER_DELETE_DUPLICATES= false.
+          # PAPERLESS_CONSUMER_RECURSIVE= false.
+          # PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS= false.
+          PAPERLESS_CONSUMER_IGNORE_PATTERNS = [
+            ".DS_Store"
+            ".DS_STORE"
+            "._*"
+            ".stfolder/*"
+            ".stversions/*"
+            ".localized/*"
+            "desktop.ini"
+            "@eaDir/*"
+            "Thumbs.db"
+          ];
+          # PAPERLESS_CONSUMER_BARCODE_SCANNER=
+          # PAPERLESS_PRE_CONSUME_SCRIPT=
+          # PAPERLESS_POST_CONSUME_SCRIPT=
+          # PAPERLESS_FILENAME_DATE_ORDER= none, which disables this feature.
+          # PAPERLESS_NUMBER_OF_SUGGESTED_DATES= 3. Set to 0 to disable this feature.
+          # PAPERLESS_THUMBNAIL_FONT_NAME= /usr/share/fonts/liberation/LiberationSerif-Regular.ttf.
+          # PAPERLESS_IGNORE_DATES="";
+          # PAPERLESS_DATE_ORDER = "DMY";
+          # PAPERLESS_ENABLE_GPG_DECRYPTOR = false;
+          # PAPERLESS_CONSUMER_POLLING = 0; # which disables polling and uses filesystem notifications.
+          # PAPERLESS_CONSUMER_POLLING_RETRY_COUNT = 5;
+          # PAPERLESS_CONSUMER_POLLING_DELAY = 5;
+          # PAPERLESS_CONSUMER_INOTIFY_DELAY= 0.5; # seconds.
+          # PAPERLESS_OAUTH_CALLBACK_BASE_URL = null;
+          # PAPERLESS_GMAIL_OAUTH_CLIENT_ID = null;
+          # PAPERLESS_GMAIL_OAUTH_CLIENT_SECRET = null;
+          # PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID = null;
+          # PAPERLESS_OUTLOOK_OAUTH_CLIENT_SECRET = null;
+          # PAPERLESS_EMAIL_GNUPG_HOME=
+          # PAPERLESS_CONSUMER_ENABLE_BARCODES=
+          # PAPERLESS_CONSUMER_BARCODE_TIFF_SUPPORT= false.
+          # PAPERLESS_CONSUMER_BARCODE_STRING= "PATCHT"
+          # PAPERLESS_CONSUMER_BARCODE_RETAIN_SPLIT_PAGES= false.
+          # PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE= false.
+          # PAPERLESS_CONSUMER_ASN_BARCODE_PREFIX= "ASN"
+          # PAPERLESS_CONSUMER_BARCODE_UPSCALE= 0.0
+          # PAPERLESS_CONSUMER_BARCODE_DPI= "300"
+          # PAPERLESS_CONSUMER_BARCODE_MAX_PAGES= "0"
+          # PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE= false.
+          # PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING=
+          # PAPERLESS_AUDIT_LOG_ENABLED= true.
+          # PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED= false.
+          # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_SUBDIR_NAME= "double-sided".
+          # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_TIFF_SUPPORT= false.
+        PAPERLESS_EMPTY_TRASH_DELAY = 30; # days, minimum of 1 day.
+          # PAPERLESS_EMPTY_TRASH_TASK_CRON= 0 1 * * *, once per day.
+          # PAPERLESS_CONVERT_BINARY = "convert".
+        PAPERLESS_GS_BINARY = "${pkgs.ghostscript}/bin/gs";
+          # PAPERLESS_WEBSERVER_WORKERS= 1;
+          # PAPERLESS_BIND_ADDR= [::], meaning all interfaces, including IPv6.
+          # PAPERLESS_PORT = config.services.paperless.port;
+          # PAPERLESS_OCR_LANGUAGES=
+          # PAPERLESS_ENABLE_FLOWER=
+          # PAPERLESS_SUPERVISORD_WORKING_DIR=
+        PAPERLESS_APP_TITLE = "NxPPL";
+          # PAPERLESS_APP_LOGO =
+          # PAPERLESS_ENABLE_UPDATE_CHECK=false;
+          # PAPERLESS_EMAIL_HOST = "localhost";
+          # PAPERLESS_EMAIL_PORT= 25.
+          # PAPERLESS_EMAIL_HOST_USER= "";
+          # PAPERLESS_EMAIL_FROM=
+          # PAPERLESS_EMAIL_HOST_PASSWORD = "".
+          # PAPERLESS_EMAIL_USE_TLS = false.
+          # PAPERLESS_EMAIL_USE_SSL = false. 
 
       };
     };
   };
+  systemd.services.paperless-web.after = [ "postgresql.service" ];
+  systemd.services.paperless-task-queue.after = [ "postgresql.service" ];
+  systemd.services.paperless-consumer.after = [ "postgresql.service" ];
+  systemd.services.paperless-sceduler.after = [ "postgresql.service" ];
 }
diff --git a/system-modules/nx2site/proxy.nix b/system-modules/nx2site/proxy.nix
index d961d1e..fe6b9cb 100644
--- a/system-modules/nx2site/proxy.nix
+++ b/system-modules/nx2site/proxy.nix
@@ -14,7 +14,7 @@
     };
     certs = {
       "${domain}" = {
-        extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "git" "pw" "sync" ];
+        extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "sync" ];
       };
     };
   };
@@ -140,9 +140,24 @@
         listen = dl;
         locations = { "/" = { proxyPass = "http://127.0.0.1:5232"; }; }; 
       });
-      "nc.${domain}" = vh // {
-        # directly to nc 
+      # "nc.${domain}" = vh // {
+      #   # directly to nc 
+      # };
+      "abs.${domain}" = vh // {
+        listen = dl;
+        locations = { "/" = { 
+          proxyPass = "http://127.0.0.1:${builtins.toString config.services.audiobookshelf.port}";
+          proxyWebsockets = true;
+        }; }; 
       };
+      # is done atomatically
+      # "cal.${domain}" = vh // {
+      #   listen = dl;
+      #   locations = { "/" = { 
+      #     proxyPass = "http://unix:///run/open-web-calendar/socket";
+      #     proxyWebsockets = true;
+      #   }; }; 
+      # };
       "~^(.*).${domain}$" = {
         listen = dl;
         root = "/var/nginx/webroot";
diff --git a/system-modules/postgres.nix b/system-modules/postgres.nix
index 6ab4f63..39c3f15 100644
--- a/system-modules/postgres.nix
+++ b/system-modules/postgres.nix
@@ -26,6 +26,7 @@
 			ensureDatabases = [
 				"gitea"
 				"vaultwarden"
+				"paperless"
 				"nextcloud"
 			];
 			settings = {
@@ -49,6 +50,10 @@
 					name = "nextcloud";
 					ensureDBOwnership = true;
 				}
+				{
+					name = "paperless";
+					ensureDBOwnership = true;
+				}
 			];
 		};
 		postgresqlBackup = {

From 9c96585401c7d3d813f92e35a39d45c848dc6358 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Mon, 27 Jan 2025 22:19:32 +0100
Subject: [PATCH 03/10] audiobookshelf

---
 configuration.nix                         |  1 +
 system-modules/nx2site/audiobookshelf.nix | 14 ++++++++++++++
 system-modules/users.nix                  |  1 +
 3 files changed, 16 insertions(+)
 create mode 100644 system-modules/nx2site/audiobookshelf.nix
 mode change 100755 => 100644 system-modules/users.nix

diff --git a/configuration.nix b/configuration.nix
index eacb613..3bbb61b 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -42,6 +42,7 @@
     ./system-modules/nx2site.nix
     ./system-modules/postgres.nix
     ./system-modules/nx2site/proxy.nix
+    ./system-modules/nx2site/audiobookshelf.nix
     ./system-modules/nx2site/gitea.nix
     ./system-modules/nx2site/radicale.nix
     # ./system-modules/nx2site/nextcloud.nix
diff --git a/system-modules/nx2site/audiobookshelf.nix b/system-modules/nx2site/audiobookshelf.nix
new file mode 100644
index 0000000..9efedf6
--- /dev/null
+++ b/system-modules/nx2site/audiobookshelf.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+{
+  services = {
+    audiobookshelf = {
+      # authentication is mangaed imperatively in the web interface upon first start
+      enable = true;
+      # user = "audiobookshelf";
+      # group = "audiobookshelf";
+      # host = "127.0.0.1";
+      port = 11648; # spells out audi(o)
+      package = pkgs.audiobookshelf;
+    };
+  };
+}
diff --git a/system-modules/users.nix b/system-modules/users.nix
old mode 100755
new mode 100644
index 608c20d..d8860ba
--- a/system-modules/users.nix
+++ b/system-modules/users.nix
@@ -21,6 +21,7 @@
       "adbusers" 
       "postgres"
       "radicale"
+      "audiobookshelf"
       "nextcloud"
     ];
     useDefaultShell = true;

From 2206e5472bb607b749eca591ce88dc9b73709683 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Mon, 27 Jan 2025 22:20:27 +0100
Subject: [PATCH 04/10] calendar public

---
 configuration.nix                            |   2 +
 system-modules/calendar-publish.nix          | 138 +++++++++++++++++++
 system-modules/nx2site/open-web-calendar.nix |  15 ++
 3 files changed, 155 insertions(+)
 create mode 100644 system-modules/calendar-publish.nix
 create mode 100644 system-modules/nx2site/open-web-calendar.nix

diff --git a/configuration.nix b/configuration.nix
index 3bbb61b..3c2c630 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -42,8 +42,10 @@
     ./system-modules/nx2site.nix
     ./system-modules/postgres.nix
     ./system-modules/nx2site/proxy.nix
+    ./system-modules/calendar-publish.nix
     ./system-modules/nx2site/audiobookshelf.nix
     ./system-modules/nx2site/gitea.nix
+    ./system-modules/nx2site/open-web-calendar.nix
     ./system-modules/nx2site/radicale.nix
     # ./system-modules/nx2site/nextcloud.nix
     ./system-modules/nx2site/vaultwarden.nix
diff --git a/system-modules/calendar-publish.nix b/system-modules/calendar-publish.nix
new file mode 100644
index 0000000..c7b706f
--- /dev/null
+++ b/system-modules/calendar-publish.nix
@@ -0,0 +1,138 @@
+{ config, pkgs, user, ... }:
+{
+  environment.systemPackages = with pkgs; let
+    radicale-root = "/var/lib/radicale";
+    web-root = "/var/nginx/webroot";
+  in [
+    (writers.writePython3Bin "nx_cal_pub" {
+      libraries = with python3Packages; [ 
+        ical
+        ics
+        requests
+        dateutils
+      ];
+      flakeIgnore = [ "E302" "E305" "E226" "E501" ];
+    } /*python */ ''
+import pytz
+import os
+from ics import Calendar, Event
+from ics.grammar.parse import ContentLine
+from dateutil.rrule import rrulestr
+from ics.event import datetime, timedelta
+
+def combine_ics_from_directories(directories, output_file):
+    """
+    Combine all .ics events from a list of directories into one .ics file, supporting recurring events.
+
+    :param directories: List of directories containing .ics files.
+    :param output_file: Path to the output .ics file.
+    """
+    combined_calendar = Calendar()
+
+    for directory in directories:
+        if not os.path.exists(directory):
+            print(f"Directory '{directory}' does not exist. Skipping.")
+            continue
+
+        for filename in os.listdir(directory):
+            if filename.endswith(".ics"):
+                file_path = os.path.join(directory, filename)
+                try:
+                    with open(file_path, 'r') as file:
+                        calendar = Calendar(file.read())
+                        for event in calendar.events:
+                            # Handle recurring events
+                            rrule_line = None
+                            for line in event.extra:
+                                if isinstance(line, ContentLine) and line.name == "RRULE":
+                                    rrule_line = line
+                                    break
+
+                            if rrule_line:
+                                # Convert UNTIL to UTC if DTSTART is timezone-aware
+                                rrule_params = rrule_line.value.split(";")
+                                rrule_dict = {}
+                                for param in rrule_params:
+                                    key, value = param.split("=")
+                                    rrule_dict[key] = value
+
+                                if "UNTIL" in rrule_dict and event.begin.tzinfo:
+                                    until = datetime.fromisoformat(rrule_dict["UNTIL"])
+                                    if until.tzinfo is None:  # If UNTIL is naive, make it UTC
+                                        until = until.astimezone(pytz.UTC)
+                                    rrule_dict["UNTIL"] = until.astimezone(pytz.UTC).strftime("%Y%m%dT%H%M%SZ")
+
+                                # Reconstruct RRULE string
+                                rrule_fixed = ";".join(f"{key}={value}" for key, value in rrule_dict.items())
+                                rrule = rrulestr(rrule_fixed, dtstart=event.begin.astimezone(pytz.timezone('CET')))
+
+                                # Expand recurring events and filter based on the date
+                                for occurrence in rrule:
+                                    notTooOld = occurrence.date() >= (datetime.now().astimezone(pytz.UTC) - timedelta(days=1)).date()
+                                    notTooFuturisic = occurrence.date() < (datetime.now().astimezone(pytz.UTC) + timedelta(days=60)).date()
+                                    if notTooOld and notTooFuturisic:
+                                        new_event = Event(
+                                            name="",
+                                            begin=occurrence,
+                                            end=occurrence + (event.end - event.begin),
+                                            transparent=event.transparent or True,
+                                        )
+                                        combined_calendar.events.add(new_event)
+                            else:
+                                # Regular events, directly add if within date range
+                                if event.begin.astimezone(pytz.timezone('CET')).date() >= (datetime.now().astimezone(pytz.timezone('CET')) - timedelta(days=1)).date():
+                                    new_event = Event(
+                                        name="",
+                                        begin=event.begin,
+                                        end=event.end,
+                                        transparent=event.transparent or True,
+                                    )
+                                    combined_calendar.events.add(new_event)
+
+                except Exception as e:
+                    print(f"Error reading file '{file_path}': {e}")
+                    exit(1)
+
+    try:
+        with open(output_file, 'w') as file:
+            file.writelines(combined_calendar.serialize_iter())
+        print(f"Combined .ics file saved to '{output_file}'")
+    except Exception as e:
+        print(f"Error saving combined .ics file: {e}")
+
+if __name__ == "__main__":
+    # List of directories containing .ics files
+    DIRECTORIES = [
+        "${radicale-root}/collections/collection-root/${user}/preservation",
+        "${radicale-root}/collections/collection-root/${user}/effort",
+        "${radicale-root}/collections/collection-root/${user}/experience",
+        "${radicale-root}/collections/collection-root/${user}/exposure",
+        "${radicale-root}/collections/collection-root/${user}/engagement",
+    ]
+
+    # Path to the output .ics file
+    OUTPUT_FILE = "${web-root}/schedule.ics"
+
+    combine_ics_from_directories(DIRECTORIES, OUTPUT_FILE)
+'')
+  ];
+  systemd.timers."nx_cal_publish" = {
+    enable = true;
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "2m";
+      OnUnitActiveSec = "6h";
+      Unit = "nx_cal_publish.service";
+    };
+  };
+
+  systemd.services."nx_cal_publish" = {
+    script = ''
+      nx_cal_publish
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "nx2";
+    };
+  };
+}
diff --git a/system-modules/nx2site/open-web-calendar.nix b/system-modules/nx2site/open-web-calendar.nix
new file mode 100644
index 0000000..056f663
--- /dev/null
+++ b/system-modules/nx2site/open-web-calendar.nix
@@ -0,0 +1,15 @@
+{ pkgs, domain, ... }:
+{
+  services = {
+    open-web-calendar = {
+      enable = true;
+      domain = "cal.${domain}";
+      package = pkgs.open-web-calendar;
+      settings = {
+        # PORT = 21342;        
+      };
+      calendarSettings = {
+      };
+    };
+  };
+}

From 78359c710fc067676b29c67935853740232fa594 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Mon, 27 Jan 2025 22:22:28 +0100
Subject: [PATCH 05/10] gitea-dump fix

---
 system-modules/nx2site/gitea.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/system-modules/nx2site/gitea.nix b/system-modules/nx2site/gitea.nix
index 9226f4f..d6ea24e 100644
--- a/system-modules/nx2site/gitea.nix
+++ b/system-modules/nx2site/gitea.nix
@@ -41,7 +41,7 @@ let git-user = "git"; in
     dump = {
       enable = true;
       backupDir = "/var/backup/gitea";
-      file = null; # default = chosen by gitea
+      file = "gitea-dump.zip"; # default = chosen by gitea
       interval = "daily";
       type = "zip"; # default
     };
@@ -99,7 +99,7 @@ let git-user = "git"; in
   in {
     "gitea-theme" = /* bash */ ''
       mkdir -p ${config.services.gitea.stateDir}/custom/public/assets/css/
-      ln -s ${theme}/theme-pitchblack.css ${config.services.gitea.stateDir}/custom/public/assets/css/theme-pitchblack.css
+      ln -fs ${theme}/theme-pitchblack.css ${config.services.gitea.stateDir}/custom/public/assets/css/theme-pitchblack.css
       chown -R ${git-user}:${git-user} ${config.services.gitea.stateDir}/custom/ 
     '';
   };

From a6a17574b841c630dbd23459264399d1d23f59e4 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Mon, 27 Jan 2025 22:22:48 +0100
Subject: [PATCH 06/10] weird fix

---
 configuration.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/configuration.nix b/configuration.nix
index 3c2c630..7b24c0e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -123,6 +123,9 @@
     xwayland.enable = true;
   };
 
+  systemd.extraConfig = "DefaultLimitNOFILE=2048";
+  boot.tmp.useTmpfs = false; 
+
   system.stateVersion = "24.11";
 
   nixpkgs.config.allowUnfree = true;

From 3f553d27e1435165cd9b4e8adb74dad9bcd79db0 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Mon, 27 Jan 2025 22:23:10 +0100
Subject: [PATCH 07/10] pv

---
 home.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/home.nix b/home.nix
index 45f0168..0b29b04 100644
--- a/home.nix
+++ b/home.nix
@@ -93,7 +93,9 @@
     speedtest-go
 
     glib
+    pv
     gsettings-desktop-schemas
+
     wl-clipboard
     xclip
     xournal

From 99c07ec5fbc37b2c76310b09cb93b3676aae9917 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Mon, 27 Jan 2025 22:23:19 +0100
Subject: [PATCH 08/10] yt-dlp

---
 home.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/home.nix b/home.nix
index 0b29b04..d2c3c53 100644
--- a/home.nix
+++ b/home.nix
@@ -96,6 +96,7 @@
     pv
     gsettings-desktop-schemas
 
+    yt-dlp
     wl-clipboard
     xclip
     xournal

From c2f151e03e1de03c1609e4dfbdebdcd333588b08 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Thu, 30 Jan 2025 13:41:12 +0100
Subject: [PATCH 09/10] nx2site-backup

---
 home-modules/nx2site-backup.nix | 67 +++++++++++++++++++++++++++++++++
 home.nix                        |  8 ++--
 2 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 home-modules/nx2site-backup.nix

diff --git a/home-modules/nx2site-backup.nix b/home-modules/nx2site-backup.nix
new file mode 100644
index 0000000..44722b5
--- /dev/null
+++ b/home-modules/nx2site-backup.nix
@@ -0,0 +1,67 @@
+{ pkgs, ... }:
+{
+  home.packages = [
+    (pkgs.writeShellApplication {
+      name = "nx_backup";
+      runtimeInputs = [ ];
+      text = let
+        web-root = "/var/nginx/webroot";
+        gitea-backup = "/var/backup/gitea";
+        postgres-backup = "/var/backup/postgresql";
+      in /* bash */ ''
+        DIRECTORIES=(
+          "${web-root}"
+          "${gitea-backup}"
+          "${postgres-backup}"
+        )
+
+        NOW=$(date +%Y_%m_%d-%H_%M)
+        TEMP_BAK_DIR=$(mktemp -d)
+        TEMP_WORKING_DIR=$(mktemp -d)
+        ZIP_NAME="nx2site-backup-''${NOW}.zip"
+        ZIP_FILE="$TEMP_WORKING_DIR/$ZIP_NAME"
+        ENCRYPTED_NAME="''${ZIP_NAME}.asc"
+        ENCRYPTED_FILE="$TEMP_WORKING_DIR/$ENCRYPTED_NAME"
+        DESTINATION="/vault/$ENCRYPTED_NAME"
+        WEBROOT="${web-root}"
+
+        echo "Fixing Permissions of Gitea dump"
+        sudo chmod -R g+r "${gitea-backup}"
+
+        echo "Fixing Permissions of Postgres dump"
+        sudo chmod -R g+r "${postgres-backup}"
+        sudo chmod g+x "${postgres-backup}"
+        echo "Fixing Ownership of Postgres dump"
+        sudo chown -R postgres:postgres "${postgres-backup}"
+
+        echo "Copying files to backup to tempoary directory $TEMP_BAK_DIR ..."
+        for DIR in "''${DIRECTORIES[@]}"; do
+            rsync -aR "$DIR" "$TEMP_BAK_DIR"
+        done
+
+        # Create the zip file
+        echo "Adding files to $ZIP_NAME ..."
+        zip -qr "$ZIP_FILE" "$TEMP_BAK_DIR"
+
+        # Encrypt the zip file using GPG
+        echo "Encryping file with gpg"
+        gpg -e -r gpg@nx2.site -o "$ENCRYPTED_FILE" "$ZIP_FILE"
+
+        echo "Moving file to Destination $DESTINATION"
+        mv "$ENCRYPTED_FILE" "$DESTINATION"
+
+        echo "Updating latest-bakup path in $WEBROOT"
+        echo "$DESTINATION" > "$WEBROOT/latest-backup"
+
+        echo "Cleaning up tempoary files and directories"
+        rm -rf "$TEMP_BAK_DIR" "$TEMP_WORKING_DIR" "$ZIP_FILE"
+
+        echo "Backup and encryption complete: $DESTINATION"
+
+        echo "Space remaining:"
+        df -h | head -n 1
+        df -h | grep -P "^/dev.+? "
+      '';
+    })
+  ];
+}
diff --git a/home.nix b/home.nix
index 58f4e08..a2f6144 100644
--- a/home.nix
+++ b/home.nix
@@ -1,4 +1,4 @@
-{ pkgs, pkgs-unstable, host, user, inputs, ... }:
+{ pkgs, pkgs-unstable, lib, host, user, inputs, ... }:
 {
   imports = [
     ./home-modules/auto-mount.nix
@@ -31,7 +31,6 @@
     ./home-modules/nh.nix
     ./home-modules/nixd.nix
     ./home-modules/nvidia.nix
-    ./home-modules/nx2site.nix
     ./home-modules/nxgs.nix
     # ./home-modules/nx-gcal-event.nix
     ./home-modules/obs.nix
@@ -62,7 +61,10 @@
     ./home-modules/yazi.nix
     ./home-modules/zathura.nix
     ./home-modules/zoxide.nix
-  ];
+  ] ++ (if (host == "NxACE") then [ 
+    ./home-modules/nx2site.nix
+    ./home-modules/nx2site-backup.nix
+  ] else []);
   home.username = user;
   home.homeDirectory = "/home/${user}";
   home.stateVersion = "24.05";

From a5c8d284ee60e12ba08e2e075e06749c239f6dbf Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Thu, 30 Jan 2025 13:41:27 +0100
Subject: [PATCH 10/10] calendar-lec

---
 configuration.nix               |  1 +
 home-modules/calendar.nix       |  2 +-
 system-modules/calendar-lec.nix | 97 +++++++++++++++++++++++++++++++++
 3 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 system-modules/calendar-lec.nix

diff --git a/configuration.nix b/configuration.nix
index fdc5800..5a4cde4 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -44,6 +44,7 @@
     ./system-modules/postgres.nix
     ./system-modules/nx2site/proxy.nix
     ./system-modules/calendar-publish.nix
+    ./system-modules/calendar-lec.nix
     ./system-modules/nx2site/audiobookshelf.nix
     ./system-modules/nx2site/gitea.nix
     ./system-modules/nx2site/open-web-calendar.nix
diff --git a/home-modules/calendar.nix b/home-modules/calendar.nix
index 27069f5..c728d35 100644
--- a/home-modules/calendar.nix
+++ b/home-modules/calendar.nix
@@ -35,7 +35,7 @@
     }
     {
       name = "LEC";
-      url = "https://zlypher.github.io/lol-events/cal/league-of-legends-lec.ical";
+      url = "https://${domain}/lec.ics";
       color = "#A87000";
       read-only = true;
       type = "ics";
diff --git a/system-modules/calendar-lec.nix b/system-modules/calendar-lec.nix
new file mode 100644
index 0000000..0fd5742
--- /dev/null
+++ b/system-modules/calendar-lec.nix
@@ -0,0 +1,97 @@
+{ config, pkgs, user, domain, ... }:
+{
+  systemd.timers."nx_cal_lec" = {
+    enable = true;
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "40m";
+      OnUnitActiveSec = "24h";
+      Unit = "nx_cal_lec.service";
+    };
+  };
+
+  systemd.services."nx_cal_lec" = {
+    script = let 
+      nx_cal_lec = (pkgs.writers.writePython3Bin "nx_cal_lec" {
+      libraries = with pkgs.python3Packages; [
+        ical
+        ics
+        requests
+        dateutils
+      ];
+      flakeIgnore = [ "E302" "E305" "E226" "E501" ];
+    } /*python */ ''
+import hashlib
+from ics import Calendar
+import requests
+from datetime import timedelta
+
+def get_event_hash(event):
+    """
+    Generate a unique hash for an event based on its details.
+    """
+    event_data = f"{event.name}{event.begin}{event.end}{event.description}"
+    return hashlib.md5(event_data.encode('utf-8')).hexdigest()
+
+def adjust_events(events):
+    """
+    Adjust overlapping events to ensure they do not conflict.
+    """
+    sorted_events = sorted(events, key=lambda e: e.begin)
+    for i in range(1, len(sorted_events)):
+        previous_event = sorted_events[i - 1]
+        current_event = sorted_events[i]
+
+        if current_event.begin < previous_event.end:
+            # Adjust the start time of the current event to just after the previous event
+            current_event.begin = previous_event.end + timedelta(minutes=1)
+            print(f"Adjusted event '{current_event.name}' to start at {current_event.begin} and end at {current_event.end}")
+    return sorted_events
+
+def fetch_and_save_ical_events(ical_url, save_path):
+    """
+    Fetch events from an iCal URL and save them as a single combined calendar.
+    """
+    try:
+        # Fetch the iCal data
+        response = requests.get(ical_url)
+        response.raise_for_status()
+
+        # Parse the iCal data
+        calendar = Calendar(response.text)
+
+        # Adjust events
+        adjusted_events = adjust_events(list(calendar.events))
+
+        # Create a new combined calendar
+        combined_calendar = Calendar()
+        for event in adjusted_events:
+            combined_calendar.events.add(event)
+
+        # Save the combined calendar to a single .ics file
+        with open(save_path, 'w') as file:
+            file.writelines(combined_calendar.serialize_iter())
+
+        print(f"Saved combined calendar to {save_path}")
+
+    except requests.exceptions.RequestException as e:
+        print(f"Error fetching iCal data: {e}")
+    except Exception as e:
+        print(f"Error processing iCal data: {e}")
+
+if __name__ == "__main__":
+    # Replace with your iCal URL and target file path
+    ICAL_URL = "https://zlypher.github.io/lol-events/cal/league-of-legends-lec.ical"
+    SAVE_PATH = "${config.services.nginx.virtualHosts."${domain}".root}/lec.ics"
+
+    fetch_and_save_ical_events(ICAL_URL, SAVE_PATH)
+'');
+    in ''
+      ${nx_cal_lec}/bin/nx_cal_lec
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "nx2";
+    };
+  };
+}