feat: setup distrobox module

hosts/arcturus/default.nix

@@ -19,7 +19,7 @@
     ../../modules/nixos/selfhosted/headscale.nix
     ../../modules/nixos/selfhosted/vaultwarden.nix
     ../../modules/nixos/selfhosted/gitea.nix
-    ../../modules/nixos/selfhosted/plausible.nix
+    ../../modules/nixos/selfhosted/umami.nix
     ../../modules/nixos/selfhosted/monitoring/grafana.nix
     ../../modules/nixos/selfhosted/monitoring/loki.nix
     ../../modules/nixos/selfhosted/monitoring/promtail.nix
@@ -97,6 +97,10 @@
     aiostreams = {
       sopsFile = ./secrets.yaml;
     };
+
+    umami = {
+      sopsFile = ./secrets.yaml;
+    };
   };
 
   nixpkgs = {

hosts/arcturus/secrets.yaml

@@ -12,6 +12,7 @@ cs2_secrets:
     CS2_RCONPW: ENC[AES256_GCM,data:ZyVeoOngZjxKR/ObYo5yJC1ViCNufuA=,iv:+fJK0sY39V/iH7OjT0AzQq6RefVzLZCDETYcAMFnZNU=,tag:IOhRUQRdffNMXa2cKZvi/w==,type:str]
     CS2_PW: ENC[AES256_GCM,data:W1Cur7YT1F/+45vmqif2JbpjVURfnfo=,iv:sBNDM2N+QWDAMculBBZtYZcM7ILEfpwkwOd7ErORQhI=,tag:XFsxTUjctZKU38RQUfJ8HQ==,type:str]
 aiostreams: ENC[AES256_GCM,data:2U2EoRUsKr4OIkqrudmIUEp2bABNlSlNUTzR3vtvTfSJVemIGK31iu0SG8aR4tLSQFEZyhIP9M22zZJVWY5hX1UcMEJ1rmtXnaRjTiurRSpTj76pT9plnrjp0NWDcSWY+uhDrAsEko4oPPJEECTT3qMYLXipnzqpPeWsTrNYiuxmfDPcZw==,iv:tHKbtnLMNfY7B2ssE8x0dri9XhA2M6jIj2KOxOsmG2o=,tag:8hjqmniL/P+PfwfYiAdAwA==,type:str]
+umami: ENC[AES256_GCM,data:BJN9VpwknBaX+mz6xjq1GX9epM2bukplraPw67TttnLhM9JTmZiela5oFWZiaGjG3Oss3n4WPsPvhC4m28Ah+TQLCoiDFCFqervk228=,iv:YwbJ2/1hXs5Jbqx1dNj1t4ExFS27PWbA4NT9h8/tyU8=,tag:+R1aRF/TaMSGbLDi9GnYwA==,type:str]
 sops:
     age:
         - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
@@ -32,7 +33,7 @@ sops:
             NGprRGVyZ2plWVNrM3drM3JSUjM2L0UKuNk5DqYn2DIfRpY72zDRP5BKoVAXtNv9
             uLI//8wc7f4I3uBdARQdpRE1fapY1UOJOn3i0yndrZARPEbdohRK1Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-14T07:04:37Z"
+    lastmodified: "2025-11-14T08:22:34Z"
-    mac: ENC[AES256_GCM,data:6fiO+dtyMqVH+KeZerAwjYpK1pwa9bLcSSinA6U/UZa5r8GsVlL2C3Z0edsuqgyC84rYZKF7rbV41earhds2i29RhrfiJUeGdTG04ce3ncWlqHWL8gtyw+wop3FYgC2UYi0IwhLxd8vYQe2XqD6Ml949SsqkKe/taIf7uJ9aDXA=,iv:IlgHvw5XB847ZhFFiy2Vmbm3/zQW6mvVv3VX6pSzh7o=,tag:nqDDq+jAjDP+/QbhOu9JNg==,type:str]
+    mac: ENC[AES256_GCM,data:IiZKrdo500rf0JS2c94u1XiCtIB6QguJr1XKFcPilxN4G7coUJyD8v/z/BDqSyCDbiY6RjRWoyttyi1gzKlj/WQsJh65tbDHTXhk2nPGBoHL4ojnP1a7PYCaRKk64SyBg6vjNWHb0wILc2wu/yvKNfVKX6FtMEGhUcpReoJomAI=,iv:a4hmm47FAHnY2k+YY+WmLUWjpEE+5KwtUxc+Dq6sCMQ=,tag:Rx0yOoiKd2mRx/H5k8Hq8w==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

hosts/canopus/default.nix

@@ -23,6 +23,7 @@
 
   hardware.nvidia-container-toolkit.enable = true;
   tux.services.openssh.enable = true;
+  tux.packages.distrobox.enable = true;
   nixpkgs.config.cudaSupport = true;
 
   sops.secrets = {

hosts/canopus/home.nix

@@ -77,7 +77,6 @@
     copyq
     vlc
     tor-browser
-    distrobox
     bluetui
     impala
   ];
@@ -91,6 +90,7 @@
       "Videos"
       "Projects"
       "Stuff"
+      "Distrobox"
       "go"
       ".mozilla"
       ".ssh"

hosts/common/default.nix

@@ -17,6 +17,7 @@
     ../../modules/nixos/selfhosted/cyber-tux.nix
     ../../modules/nixos/selfhosted/containers/aiostreams.nix
     ../../modules/nixos/networking/ssh.nix
+    ../../modules/nixos/distrobox.nix
   ];
 
   sops.secrets.tux-password = {

hosts/node/default.nix

@@ -2,7 +2,8 @@
   inputs,
   username,
   ...
-}: {
+}:
+{
   imports = [
     inputs.disko.nixosModules.default
 
@@ -28,7 +29,13 @@
     };
     firewall = {
       enable = true;
-      allowedTCPPorts = [22];
+      allowedTCPPorts = [
+        22
+        8545
+        8546
+        9545
+        9546
+      ];
     };
   };
 

modules/nixos/distrobox.nix

@@ -0,0 +1,112 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.tux.packages.distrobox;
+in {
+  options.tux.packages.distrobox = {
+    enable = mkEnableOption "Enable DistroBox";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      distrobox
+
+      (writeShellScriptBin "dbox-create" ''
+        #!/usr/bin/env bash
+
+        # 1. Initialize variables
+        IMAGE=""
+        NAME=""
+
+        # Array to hold optional arguments (like volumes)
+        declare -a EXTRA_ARGS
+
+        # 2. Parse arguments
+        while [[ $# -gt 0 ]]; do
+          case $1 in
+            -i|--image)
+              IMAGE="$2"
+              shift 2
+              ;;
+            -n|--name)
+              NAME="$2"
+              shift 2
+              ;;
+            -p|--profile)
+              echo ":: Profile mode enabled: Mounting Nix store and user profiles (Read-Only)"
+              # Add volume flags to the array
+              EXTRA_ARGS+=( "--volume" "/nix/store:/nix/store:ro" )
+              EXTRA_ARGS+=( "--volume" "/etc/profiles/per-user:/etc/profiles/per-user:ro" )
+              EXTRA_ARGS+=( "--volume" "/etc/static/profiles/per-user:/etc/static/profiles/per-user:ro" )
+              shift 1
+              ;;
+            *)
+              echo "Unknown option $1"
+              exit 1
+              ;;
+          esac
+        done
+
+        if [ -z "$IMAGE" ] || [ -z "$NAME" ]; then
+            echo "Usage: dbox-create -i <image> -n <name> [-p]"
+            exit 1
+        fi
+
+        # 3. Define the custom home path
+        CUSTOM_HOME="$HOME/Distrobox/$NAME"
+
+        echo "------------------------------------------------"
+        echo "Creating Distrobox: $NAME"
+        echo "Location: $CUSTOM_HOME"
+        echo "------------------------------------------------"
+
+        # 4. Run Distrobox Create
+        # We expand "''${EXTRA_ARGS[@]}" to properly pass the volume arguments
+        ${pkgs.distrobox}/bin/distrobox create \
+          --image "$IMAGE" \
+          --name "$NAME" \
+          --home "$CUSTOM_HOME" \
+          "''${EXTRA_ARGS[@]}"
+
+        # Check exit code
+        if [ $? -ne 0 ]; then
+            echo "Error: Distrobox creation failed."
+            exit 1
+        fi
+
+        # 5. Post-Creation: Symlink Config Files
+        echo "--> Linking configurations to $NAME..."
+
+        # Helper function to symlink
+        link_config() {
+            SRC="$1"
+            DEST="$2"
+            DEST_DIR=$(dirname "$DEST")
+
+            # Create parent directory if it doesn't exist
+            mkdir -p "$DEST_DIR"
+
+            if [ -e "$SRC" ]; then
+                # ln -sf: symbolic link, force overwrite
+                ln -sf "$SRC" "$DEST"
+                echo "    [LINK] $DEST -> $SRC"
+            else
+                echo "    [SKIP] $SRC not found on host"
+            fi
+        }
+
+        # Create Symlinks
+        link_config "$HOME/.zshrc"                "$CUSTOM_HOME/.zshrc"
+        link_config "$HOME/.zshenv"               "$CUSTOM_HOME/.zshenv"
+        link_config "$HOME/.config/fastfetch"     "$CUSTOM_HOME/.config/fastfetch"
+        link_config "$HOME/.config/starship.toml" "$CUSTOM_HOME/.config/starship.toml"
+
+        echo "--> Done! Enter via: distrobox enter $NAME"
+      '')
+    ];
+  };
+}

modules/nixos/selfhosted/umami.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  services = {
+    umami = {
+      enable = true;
+      settings = {
+        APP_SECRET_FILE = config.sops.secrets.umami.path;
+        PORT = 4645;
+      };
+      createPostgresqlDatabase = true;
+    };
+
+    nginx = {
+      enable = lib.mkForce true;
+      virtualHosts = {
+        "umami.tux.rs" = {
+          forceSSL = true;
+          useACMEHost = "tux.rs";
+          locations = {
+            "/" = {
+              proxyPass = "http://localhost:${toString config.services.umami.settings.PORT}";
+              proxyWebsockets = true;
+            };
+          };
+        };
+      };
+    };
+  };
+}