Fix zitadel config

Flake lock file updates:

• Updated input 'secrets':
    'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=0cf25cbc71fcfe7c16250847e5f31abd730e04c4' (2024-08-11)
  → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=b47efe67031e12a2d5560b94fdb4de7dca3df80c' (2024-08-11)

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1722339003,
+        "lastModified": 1723293904,
-        "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=",
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
         "type": "github"
       },
       "original": {
@@ -107,11 +107,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722821805,
+        "lastModified": 1723080788,
-        "narHash": "sha256-FGrUPUD+LMDwJsYyNSxNIzFMldtCm8wXiQuyL2PHSrM=",
+        "narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "0257e44f4ad472b54f19a6dd1615aee7fa48ed49",
+        "rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed",
         "type": "github"
       },
       "original": {
@@ -123,11 +123,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1721276923,
+        "lastModified": 1723137499,
-        "narHash": "sha256-HJKuwVvi+yGv+8n9Ez4EwaJA0B79JRss9J30vpgy/GI=",
+        "narHash": "sha256-MOE9NeU2i6Ws1GhGmppMnjOHkNLl2MQMJmGhaMzdoJM=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "cc70ec20e2775df7cd2bccdd20dcdecc3e0a733b",
+        "rev": "fb5b578a4f49ae8705e5fea0419242ed1b8dba70",
         "type": "github"
       },
       "original": {
@@ -233,11 +233,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1721042469,
+        "lastModified": 1722857853,
-        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
+        "narHash": "sha256-3Zx53oz/MSIyevuWO/SumxABkrIvojnB7g9cimxkhiE=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
+        "rev": "06939f6b7ec4d4f465bf3132a05367cccbbf64da",
         "type": "github"
       },
       "original": {
@@ -373,11 +373,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722609272,
+        "lastModified": 1722924007,
-        "narHash": "sha256-Kkb+ULEHVmk07AX+OhwyofFxBDpw+2WvsXguUS2m6e4=",
+        "narHash": "sha256-+CQDamNwqO33REJLft8c26NbUi2Td083hq6SvAm2xkU=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "f7142b8024d6b70c66fd646e1d099d3aa5bfec49",
+        "rev": "91010a5613ffd7ee23ee9263213157a1c422b705",
         "type": "github"
       },
       "original": {
@@ -388,11 +388,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1722332872,
+        "lastModified": 1723310128,
-        "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=",
+        "narHash": "sha256-IiH8jG6PpR4h9TxSGMYh+2/gQiJW9MwehFvheSb5rPc=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "14c333162ba53c02853add87a0000cbd7aa230c2",
+        "rev": "c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf",
         "type": "github"
       },
       "original": {
@@ -459,11 +459,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1722630782,
+        "lastModified": 1723175592,
-        "narHash": "sha256-hMyG9/WlUi0Ho9VkRrrez7SeNlDzLxalm9FwY7n/Noo=",
+        "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d04953086551086b44b6f3c6b7eeb26294f207da",
+        "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
         "type": "github"
       },
       "original": {
@@ -490,11 +490,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1722791413,
+        "lastModified": 1723282977,
-        "narHash": "sha256-rCTrlCWvHzMCNcKxPE3Z/mMK2gDZ+BvvpEVyRM4tKmU=",
+        "narHash": "sha256-oTK91aOlA/4IsjNAZGMEBz7Sq1zBS0Ltu4/nIQdYDOg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8b5b6723aca5a51edf075936439d9cd3947b7b2c",
+        "rev": "a781ff33ae258bbcfd4ed6e673860c3e923bf2cc",
         "type": "github"
       },
       "original": {
@@ -517,11 +517,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1722688115,
+        "lastModified": 1722925293,
-        "narHash": "sha256-Ubk5KzAp2Z4Dzmi81aGgabvy41QXjZMwNikDYm7+jS0=",
+        "narHash": "sha256-saXm5dd/e3PMsYTEcp1Qbzifm3KsZtNFkrWjmLhXHGE=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "4e6974c619bd280789ef3697a73fcf7c20f70819",
+        "rev": "170df9814c3e41d5a4d6e3339e611801b1f02ce2",
         "type": "github"
       },
       "original": {
@@ -541,11 +541,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722804745,
+        "lastModified": 1723232379,
-        "narHash": "sha256-l6N3QaiDqN2QmHDAxjczQPLPCTv+Kp7PsrtJBltmhTo=",
+        "narHash": "sha256-F4Y3f9305aHGWKqAd3s2GyNRONdpDBuNuK4TCSdaHz8=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "61d9342fb471cd3c45a047406428fba7b6fb49ad",
+        "rev": "22bea90404c5ff6457913a03c1a54a3caa5b1c57",
         "type": "github"
       },
       "original": {
@@ -576,11 +576,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1722712220,
+        "lastModified": 1723385164,
-        "narHash": "sha256-gEmbk/DROfVZ+v/BAZHDloHzS0KdqIzxtW7z9g2eH4Y=",
+        "narHash": "sha256-/z4nBwpHsGWl1gmGv7FQQgoOcPwUaVzL7rfjI5nTOLg=",
         "ref": "refs/heads/master",
-        "rev": "dfe0e95be5ef539bf28602ff47beeea26cc4d1b8",
+        "rev": "b47efe67031e12a2d5560b94fdb4de7dca3df80c",
-        "revCount": 22,
+        "revCount": 24,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
       },

flake.nix

@@ -51,82 +51,60 @@
     };
   };
 
-  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, agenix, deploy-rs, disko, home-manager, nixos-hardware, nixos-mailserver, ... }:
+  outputs = inputs @ { self, nixpkgs, ... }:
     let
       inherit (nixpkgs) lib;
+
+      domain = "mesh.vimium.net";
+      forEverySystem = lib.getAttrs lib.systems.flakeExposed;
       forEachSystem = lib.genAttrs [
         "x86_64-linux"
         "aarch64-linux"
       ];
-      mkPkgsForSystem = system: inputs.nixpkgs;
+      mkDeployNode = hostName: {
-      customPkgs = forEachSystem (system:
+        hostname = "${hostName}.${domain}";
-        lib.packagesFromDirectoryRecursive {
+
-          callPackage = nixpkgs.legacyPackages.${system}.callPackage;
+        profiles.system = {
-          directory = ./pkgs;
+          user = "root";
-        });
+          path = inputs.deploy-rs.lib.${self.nixosConfigurations.${hostName}.config.system.build.toplevel.system}.activate.nixos self.nixosConfigurations.${hostName};
-      overlays = [
-        agenix.overlays.default
-        (import ./overlays/gnome.nix)
-        (import ./overlays/default.nix)
-        (
-          final: prev: {
-            unstable = import inputs.nixpkgs-unstable { system = final.system; };
-          }
-        )
-      ];
-      commonModules = [
-        agenix.nixosModules.age
-        disko.nixosModules.disko
-        nixos-mailserver.nixosModule
-        home-manager.nixosModule
-        ./modules
-      ];
-      mkNixosSystem = { system, name, extraModules ? [] }:
-        let
-          nixpkgs = mkPkgsForSystem system;
-          lib = (import nixpkgs { inherit overlays system; }).lib;
-        in
-        inputs.nixpkgs.lib.nixosSystem {
-          inherit lib system;
-          specialArgs = { modulesPath = toString (nixpkgs + "/nixos/modules"); inherit inputs; };
-          baseModules = import (nixpkgs + "/nixos/modules/module-list.nix");
-          modules = commonModules ++ [
-            ({ config, ... }:
-              {
-                nixpkgs.pkgs = import nixpkgs {
-                  inherit overlays system;
-                  config.allowUnfree = true;
-                  config.nvidia.acceptLicense = true;
         };
-                networking.hostName = name;
-              })
-            ./hosts/${name}
-          ] ++ extraModules;
       };
     in
     {
+      overlays = lib.packagesFromDirectoryRecursive {
+        callPackage = path: overrides: import path;
+        directory = ./overlays;
+      };
+
       legacyPackages = forEachSystem (system:
         lib.packagesFromDirectoryRecursive {
           callPackage = nixpkgs.legacyPackages.${system}.callPackage;
           directory = ./pkgs;
         });
 
-      nixosConfigurations = {
+      nixosConfigurations = lib.pipe ./hosts [
-        atlas = mkNixosSystem { system = "x86_64-linux"; name = "atlas"; };
+        builtins.readDir
-        eos = mkNixosSystem { system = "x86_64-linux"; name = "eos"; };
+        (lib.filterAttrs (name: value: value == "directory"))
-        helios = mkNixosSystem { system = "x86_64-linux"; name = "helios"; };
+        (lib.mapAttrs (name: value:
-        hypnos = mkNixosSystem { system = "x86_64-linux"; name = "hypnos"; };
+          lib.nixosSystem {
-        library = mkNixosSystem { system = "x86_64-linux"; name = "library"; };
+            specialArgs = { inherit self; };
-        mail = mkNixosSystem { system = "x86_64-linux"; name = "mail"; };
+
-        odyssey = mkNixosSystem { system = "x86_64-linux"; name = "odyssey"; };
+            modules = [
-        pi = mkNixosSystem { system = "aarch64-linux"; name = "pi"; extraModules = [ nixos-hardware.nixosModules.raspberry-pi-4 ]; };
+              {
-        skycam = mkNixosSystem { system = "aarch64-linux"; name = "skycam"; extraModules = [ nixos-hardware.nixosModules.raspberry-pi-4 ]; };
+                networking = {
-        vps1 = mkNixosSystem { system = "x86_64-linux"; name = "vps1"; };
+                  inherit domain;
+                  hostName = name;
                 };
+              }
+              ./hosts/${name}
+            ];
+          }))
+      ];
 
       devShells.x86_64-linux.default = nixpkgs.legacyPackages.x86_64-linux.mkShell {
         buildInputs = [
-          deploy-rs.packages.x86_64-linux.deploy-rs
+          inputs.agenix.packages.x86_64-linux.agenix
+          inputs.deploy-rs.packages.x86_64-linux.deploy-rs
         ];
       };
 
@@ -134,35 +112,10 @@
         magicRollback = true;
         autoRollback = true;
         sshUser = "root";
-        nodes = {
+        nodes = lib.genAttrs [ "mail" "pi" "skycam" "vps1" ] mkDeployNode;
-          mail = {
-            hostname = "mail.mesh.vimium.net";
-
-            profiles.system = {
-              user = "root";
-              path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.mail;
-            };
-          };
-          vps1 = {
-            hostname = "vps1.mesh.vimium.net";
-
-            profiles.system = {
-              user = "root";
-              path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vps1;
-            };
-          };
-          # pi = {
-          #   hostname = "10.0.1.191";
-          #
-          #   profiles.system = {
-          #     user = "root";
-          #     path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi;
-          #   };
-          # };
-        };
       };
 
-      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
     };
 }
 

hosts/atlas/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, ... }:
 
 {
   imports = [
@@ -6,6 +6,8 @@
     ../desktop.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;

hosts/common.nix

@@ -1,6 +1,22 @@
-{ config, pkgs, ... }:
+{ config, pkgs, self, ... }:
 
 {
+  imports = [
+    self.inputs.agenix.nixosModules.age
+    self.inputs.home-manager.nixosModule
+    ../modules
+  ];
+
+  nixpkgs.overlays = [
+    self.inputs.agenix.overlays.default
+    (import ../overlays/default.nix)
+    (
+      final: prev: {
+        unstable = import self.inputs.nixpkgs-unstable { system = final.system; };
+      }
+    )
+  ];
+
   time.timeZone = "Europe/London";
 
   i18n.defaultLocale = "en_GB.UTF-8";
@@ -45,10 +61,11 @@
     buildMachines = [
       {
         hostName = "10.0.1.79";
-        sshUser = "builder";
+        sshUser = "root";
         system = "aarch64-linux";
         maxJobs = 6;
         speedFactor = 1;
+        supportedFeatures = [ "big-parallel" "benchmark" ];
       }
     ];
     distributedBuilds = true;

hosts/desktop.nix

@@ -1,10 +1,14 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   imports = [
     ./common.nix
   ];
 
+  nixpkgs.overlays = [
+    (import ../overlays/gnome)
+  ];
+
   services.printing.enable = true;
   services.openssh.startWhenNeeded = true;
 

hosts/eos/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, ... }:
 
 {
   imports = [
@@ -6,6 +6,8 @@
     ../desktop.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;

hosts/helios/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, ... }:
 
 {
   imports = [
@@ -6,6 +6,8 @@
     ../desktop.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   boot = {
     loader.grub = {
       enable = true;

hosts/hypnos/default.nix

@@ -1,12 +1,21 @@
-{ config, lib, ... }:
+{ config, lib, self, ... }:
 
 {
   imports = [
+    self.inputs.disko.nixosModules.disko
     ./hardware-configuration.nix
     ./disko-config.nix
     ../desktop.nix
   ];
 
+  nixpkgs = {
+    hostPlatform = "x86_64-linux";
+    config = {
+      allowUnfree = true;
+      nvidia.acceptLicense = true;
+    };
+  };
+
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;

hosts/library/default.nix

@@ -6,6 +6,8 @@
     ../server.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   boot = {
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
@@ -13,7 +15,6 @@
   };
 
   networking = {
-    domain = "mesh.vimium.net";
     hostId = "d24ae953";
     firewall = {
       enable = true;

hosts/mail/default.nix

@@ -1,15 +1,17 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, self, ... }:
 
 {
   imports = [
+    self.inputs.disko.nixosModules.disko
     ./hardware-configuration.nix
     ./disko-config.nix
     ../server.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   networking = {
     hostId = "08ac2f14";
-    domain = "mesh.vimium.net";
     firewall = {
       enable = true;
       allowedTCPPorts = [

hosts/odyssey/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, ... }:
 
 {
   imports = [
@@ -6,6 +6,14 @@
     ../desktop.nix
   ];
 
+  nixpkgs = {
+    hostPlatform = "x86_64-linux";
+    config = {
+      allowUnfree = true;
+      nvidia.acceptLicense = true;
+    };
+  };
+
   boot.loader = {
     systemd-boot = {
       enable = true;

hosts/pi/default.nix

@@ -1,12 +1,13 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 {
   imports = [
+    self.inputs.nixos-hardware.nixosModules.raspberry-pi-4
     ./hardware-configuration.nix
     ../server.nix
   ];
 
-  networking.hostId = "731d1660";
+  nixpkgs.hostPlatform = "aarch64-linux";
 
   hardware = {
     raspberry-pi."4" = {
@@ -97,6 +98,8 @@
     ];
   };
 
+  networking.hostId = "731d1660";
+
   sound.enable = true;
 
   security.rtkit.enable = true;
@@ -108,7 +111,7 @@
   };
 
   age.secrets."files/services/home-assistant/secrets.yaml" = {
-    file = "${inputs.secrets}/files/services/home-assistant/secrets.yaml.age";
+    file = "${self.inputs.secrets}/files/services/home-assistant/secrets.yaml.age";
     path = "${config.services.home-assistant.configDir}/secrets.yaml";
     owner = "hass";
     group = "hass";
@@ -173,7 +176,7 @@
   };
 
   age.secrets."files/services/zigbee2mqtt/secret.yaml" = {
-    file = "${inputs.secrets}/files/services/zigbee2mqtt/secret.yaml.age";
+    file = "${self.inputs.secrets}/files/services/zigbee2mqtt/secret.yaml.age";
     path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml";
     owner = "zigbee2mqtt";
     group = "zigbee2mqtt";

hosts/skycam/README.md

@@ -20,3 +20,10 @@ SD card | `/dev/mmcblk0` (ext4, NixOS Root)
 ## Devices and connections
 - Camera Module 3 with wide-angle lens
 
+## Building
+To generate a compressed SD card image for Skycam, run:
+`nix build '.#nixosConfigurations.skycam.config.system.build.sdImage'`
+
+Once a card is imaged, the existing SSH host keys should be copied to
+`/etc/ssh` manually to enable secret decryption.
+

hosts/skycam/default.nix

@@ -1,11 +1,14 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 {
   imports = [
+    self.inputs.nixos-hardware.nixosModules.raspberry-pi-4
     ./hardware-configuration.nix
     ../server.nix
   ];
 
+  nixpkgs.hostPlatform = "aarch64-linux";
+
   hardware = {
     raspberry-pi."4" = {
       apply-overlays-dtmerge.enable = true;
@@ -42,14 +45,19 @@
     };
     firmware = with pkgs; [
       firmwareLinuxNonfree
-      wireless-regdb
     ];
   };
 
   services.udev.extraRules = ''
-    SUBSYSTEM="dma_heap", GROUP="video", MODE="0600"
+    SUBSYSTEM=="rpivid-*", GROUP="video", MODE="0660"
+    KERNEL=="vcsm-cma", GROUP="video", MODE="0660"
+    SUBSYSTEM=="dma_heap", GROUP="video", MODE="0660"
   '';
 
+  nixpkgs.overlays = [
+    (import ./../../overlays/libcamera)
+  ];
+
   networking = {
     hostId = "731d1660";
     firewall = {
@@ -67,13 +75,34 @@
 
   services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 
+  systemd.services.ustreamer = {
+    enable = true;
+    description = "uStreamer service";
+    unitConfig = {
+      Type = "simple";
+      ConditionPathExists = "/sys/bus/i2c/drivers/imx708/10-001a/video4linux";
+    };
+    serviceConfig = {
+      ExecStart = ''${pkgs.libcamera}/bin/libcamerify ${pkgs.unstable.ustreamer}/bin/ustreamer \
+        --host=0.0.0.0 \
+        --resolution=4608x2592
+      '';
+      DynamicUser = "yes";
+      SupplementaryGroups = [ "video" ];
+      Restart = "always";
+      RestartSec = 10;
+    };
+    wantedBy = [ "network-online.target" ];
+    confinement.mode = "chroot-only";
+  };
+
   environment.systemPackages = with pkgs; [
     camera-streamer
     git
     neovim
+    libcamera
     libraspberrypi
     raspberrypi-eeprom
-    rpicam-apps
     v4l-utils
     unstable.ustreamer
   ];

hosts/skycam/hardware-configuration.nix

@@ -7,9 +7,12 @@
 
   boot = {
     kernelModules = [ "bcm2835-v4l2" ];
-    kernelParams = [ "cma=512M" ];
+    kernelParams = [
-    supportedFilesystems = lib.mkForce [ "f2fs" "vfat xfs" ];
+      "cma=512M"
-    tmp.cleanOnBoot = true;
+      "panic=0"
+    ];
+    supportedFilesystems = lib.mkForce [ "f2fs" "vfat" "xfs" ];
+    tmp.cleanOnBoot = false;
   };
 
   nixpkgs.overlays = [

hosts/vps1/default.nix

@@ -1,7 +1,4 @@
-{
+{ config, lib, self, ... }:
-  lib,
-  ...
-}:
 
 {
   imports = [
@@ -9,9 +6,10 @@
     ../server.nix
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   networking = {
     hostId = "08bf6db3";
-    domain = "mesh.vimium.net";
     firewall = {
       enable = true;
       allowedTCPPorts = [
@@ -43,6 +41,90 @@
 
   services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 
+  services.postgresql = {
+    ensureUsers = [
+      {
+        name = "zitadel";
+        ensureDBOwnership = true;
+        ensureClauses = {
+          superuser = true;
+        };
+      }
+    ];
+    ensureDatabases = [ "zitadel" ];
+  };
+
+  age.secrets."files/services/zitadel/masterkey" = {
+    file = "${self.inputs.secrets}/files/services/zitadel/masterkey.age";
+    owner = "zitadel";
+    group = "zitadel";
+  };
+
+  systemd.services.zitadel = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  services.zitadel = {
+    enable = true;
+    masterKeyFile = config.age.secrets."files/services/zitadel/masterkey".path;
+    settings = {
+      Database.postgres = {
+        Host = "/run/postgresql";
+        Port = 5432;
+        Database = "zitadel";
+        User = {
+          Username = "zitadel";
+          SSL.Mode = "disable";
+        };
+        Admin = {
+          ExistingDatabase = "zitadel";
+          Username = "zitadel";
+          SSL.Mode = "disable";
+        };
+      };
+      ExternalDomain = "id.vimium.com";
+      ExternalPort = 443;
+      ExternalSecure = true;
+      Machine = {
+        Identification = {
+          Hostname.Enabled = true;
+          PrivateIp.Enabled = false;
+          Webhook.Enabled = false;
+        };
+      };
+      Port = 8081;
+      WebAuthNName = "Vimium";
+    };
+    steps.FirstInstance = {
+      InstanceName = "Vimium";
+      Org.Name = "Vimium";
+      Org.Human = {
+        UserName = "jordan@vimium.com";
+        FirstName = "Jordan";
+        LastName = "Holt";
+        Email = {
+          Address = "jordan@vimium.com";
+          Verified = true;
+        };
+        Password = "Password1!";
+        PasswordChangeRequired = true;
+      };
+      LoginPolicy.AllowRegister = false;
+    };
+  };
+
+  services.nginx.virtualHosts."id.vimium.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      extraConfig = ''
+        grpc_pass grpc://localhost:${builtins.toString config.services.zitadel.settings.Port};
+        grpc_set_header Host $host:$server_port;
+      '';
+    };
+  };
+
   modules = rec {
     databases.postgresql.enable = true;
     services = {

modules/databases/postgresql.nix

@@ -17,6 +17,7 @@ in {
   config = lib.mkIf cfg.enable {
     services.postgresql = {
       enable = true;
+      enableJIT = true;
       initdbArgs = [
         "--allow-group-access"
         "--encoding=UTF8"

modules/desktop/apps/thunderbird.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, self, ... }:
 
 let cfg = config.modules.desktop.apps.thunderbird;
 in {
@@ -10,7 +10,7 @@ in {
   };
   
   config = lib.mkIf cfg.enable {
-    home.file.".thunderbird/Default/chrome/thunderbird-gnome-theme".source = inputs.thunderbird-gnome-theme;
+    home.file.".thunderbird/Default/chrome/thunderbird-gnome-theme".source = self.inputs.thunderbird-gnome-theme;
 
     home.programs.thunderbird = {
       enable = true;

modules/desktop/browsers/brave.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, ... }:
 
 let cfg = config.modules.desktop.browsers.brave;
 in {

modules/desktop/browsers/firefox.nix

@@ -1,4 +1,4 @@
-{ config, lib, inputs, ... }:
+{ config, lib, self, ... }:
 
 let cfg = config.modules.desktop.browsers.firefox;
 in {
@@ -10,7 +10,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    home.file.".mozilla/firefox/Default/chrome/firefox-gnome-theme".source = inputs.firefox-gnome-theme;
+    home.file.".mozilla/firefox/Default/chrome/firefox-gnome-theme".source = self.inputs.firefox-gnome-theme;
 
     home.programs.firefox = {
       enable = true;

modules/desktop/gnome.nix

@@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 let cfg = config.modules.desktop.gnome;
 in {
@@ -207,7 +207,7 @@ in {
       "Kvantum/kvantum.kvconfig".text = lib.generators.toINI {} {
         General.theme = "KvLibadwaitaDark";
       };
-      "Kvantum/KvLibadwaita".source = "${inputs.kvlibadwaita}/src/KvLibadwaita";
+      "Kvantum/KvLibadwaita".source = "${self.inputs.kvlibadwaita}/src/KvLibadwaita";
     };
 
     user.packages = with pkgs; [

modules/networking/tailscale.nix

@@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 let
   cfg = config.modules.networking.tailscale;
@@ -18,7 +18,7 @@ in {
 
   config = lib.mkIf cfg.enable {
     age.secrets."passwords/services/tailscale/${hostname}-authkey" = {
-      file = "${inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
+      file = "${self.inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
     };
 
     environment.systemPackages = [ pkgs.tailscale ];

modules/networking/wireless.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 with lib;
 
@@ -19,7 +19,7 @@ in {
 
   config = mkIf cfg.enable {
     age.secrets."passwords/networks" = {
-      file = "${inputs.secrets}/passwords/networks.age";
+      file = "${self.inputs.secrets}/passwords/networks.age";
     };
 
     networking = {

modules/options.nix

@@ -1,4 +1,4 @@
-{ config, options, lib, home-manager, inputs, ... }:
+{ config, options, lib, self, ... }:
 
 with lib;
 {
@@ -29,7 +29,7 @@ with lib;
   };
 
   config = {
-    age.secrets."passwords/users/jordan".file = "${inputs.secrets}/passwords/users/jordan.age";
+    age.secrets."passwords/users/jordan".file = "${self.inputs.secrets}/passwords/users/jordan.age";
     user =
       let user = builtins.getEnv "USER";
           name = if elem user [ "" "root" ] then "jordan" else user;
@@ -68,8 +68,8 @@ with lib;
       };
 
       sharedModules = [
-        inputs.nixvim.homeManagerModules.nixvim
+        self.inputs.nixvim.homeManagerModules.nixvim
-        inputs.plasma-manager.homeManagerModules.plasma-manager
+        self.inputs.plasma-manager.homeManagerModules.plasma-manager
       ];
     };
 

modules/services/borgmatic/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, self, ... }:
 
 let
   cfg = config.modules.services.borgmatic;
@@ -27,7 +27,7 @@ in {
 
   config = lib.mkIf cfg.enable {
     age.secrets."passwords/services/borg/${hostname}-passphrase" = {
-      file = "${inputs.secrets}/passwords/services/borg/${hostname}-passphrase.age";
+      file = "${self.inputs.secrets}/passwords/services/borg/${hostname}-passphrase.age";
     };
 
     services.borgmatic = {

modules/services/coturn/default.nix

@@ -1,9 +1,4 @@
-{
+{ config, lib, self, ... }:
-  config,
-  lib,
-  inputs,
-  ...
-}:
 
 let
   cfg = config.modules.services.coturn;
@@ -54,13 +49,13 @@ in {
 
     age.secrets = {
       "passwords/services/coturn/static-auth-secret" = {
-        file = "${inputs.secrets}/passwords/services/coturn/static-auth-secret.age";
+        file = "${self.inputs.secrets}/passwords/services/coturn/static-auth-secret.age";
         owner = "turnserver";
         group = "turnserver";
       };
     } // (if cfg.matrixIntegration then {
       "passwords/services/coturn/matrix-turn-config.yml" = {
-        file = "${inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age";
+        file = "${self.inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age";
         owner = "matrix-synapse";
         group = "matrix-synapse";
       };

modules/services/gitea-runner/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, lib, inputs, ... }:
+{ pkgs, config, lib, self, ... }:
 
 # Based on: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
 
@@ -176,7 +176,7 @@ in
     users.groups.nix-ci-user = { };
 
     age.secrets."files/services/gitea-runner/${hostname}-token" = {
-      file = "${inputs.secrets}/files/services/gitea-runner/${hostname}-token.age";
+      file = "${self.inputs.secrets}/files/services/gitea-runner/${hostname}-token.age";
       group = "podman";
     };
 

modules/services/gitea/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 let
   cfg = config.modules.services.gitea;
@@ -40,9 +40,9 @@ in {
 
     systemd.tmpfiles.rules = [
       "d '${config.services.gitea.customDir}/public/assets/css' 0750 ${config.services.gitea.user} ${config.services.gitea.group} - -"
-      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github.css' - - - - ${inputs.gitea-github-theme}/theme-github.css"
+      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github.css' - - - - ${self.inputs.gitea-github-theme}/theme-github.css"
-      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-auto.css' - - - - ${inputs.gitea-github-theme}/theme-github-auto.css"
+      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-auto.css' - - - - ${self.inputs.gitea-github-theme}/theme-github-auto.css"
-      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-dark.css' - - - - ${inputs.gitea-github-theme}/theme-github-dark.css"
+      "L+ '${config.services.gitea.customDir}/public/assets/css/theme-github-dark.css' - - - - ${self.inputs.gitea-github-theme}/theme-github-dark.css"
     ];
 
     services.gitea = rec {

modules/services/headscale/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 

modules/services/mail/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, self, ... }:
 
 let
   cfg = config.modules.services.mail;
@@ -22,6 +22,10 @@ in {
     };
   };
 
+  imports = [
+    self.inputs.nixos-mailserver.nixosModule
+  ];
+
   config = lib.mkIf cfg.enable {
     services.roundcube = {
       enable = true;

modules/services/matrix/default.nix

@@ -1,10 +1,4 @@
-{
+{ config, lib, pkgs, self, ... }:
-  config,
-  lib,
-  pkgs,
-  inputs,
-  ...
-}:
 
 let
   cfg = config.modules.services.matrix;
@@ -197,7 +191,7 @@ in {
 
     age.secrets = if cfg.slidingSync.enable then {
       "files/services/matrix/sliding-sync" = {
-        file = "${inputs.secrets}/files/services/matrix/sliding-sync.age";
+        file = "${self.inputs.secrets}/files/services/matrix/sliding-sync.age";
       };
     } else {};
 

modules/services/nginx/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -82,6 +82,13 @@ in {
         worker_connections 20000;
         multi_accept off;
       '';
+      proxyCachePath = {
+        "skycam" = {
+          enable = true;
+          keysZoneName = "skycam_cache";
+          maxSize = "100m";
+        };
+      };
       virtualHosts = {
         ## Static sites
         "jellyfin.vimium.com" = {
@@ -105,6 +112,21 @@ in {
             '';
           };
         };
+        "jdholt.com" = {
+          forceSSL = true;
+          enableACME = true;
+          serverAliases = [ "www.jdholt.com" ];
+          extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
+          locations."/skycam/snapshot.jpg" = {
+            proxyPass = "http://skycam.mesh.vimium.net:8080/snapshot";
+            extraConfig = ''
+              proxy_cache skycam_cache;
+              proxy_cache_valid any 10s;
+              proxy_ignore_headers Cache-Control Expires Set-Cookie;
+            '';
+          };
+          locations."/".return = "301 https://vimium.com$request_uri";
+        };
         "pki.vimium.com" = {
           addSSL = true;
           forceSSL = false;
@@ -142,7 +164,6 @@ in {
       ## Redirects
       // (mkRedirect "h0lt.com" "jdholt.com")
       // (mkRedirect "jordanholt.xyz" "jdholt.com")
-      // (mkRedirect "jdholt.com" "vimium.com")
       // (mkRedirect "omnimagic.com" "vimium.com")
       // (mkRedirect "omnimagic.net" "vimium.com")
       // (mkRedirect "thelostlegend.com" "suhailhussain.com")

modules/services/photoprism/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 with lib;
 
@@ -36,7 +36,7 @@ in {
     };
 
     age.secrets."passwords/services/photoprism/admin" = {
-      file = "${inputs.secrets}/passwords/services/photoprism/admin.age";
+      file = "${self.inputs.secrets}/passwords/services/photoprism/admin.age";
     };
 
     services.photoprism = {

overlays/gnome/default.nix

@@ -1,8 +1,8 @@
-self: super:
+final: prev:
 {
-  gnome = super.gnome.overrideScope' (gself: gsuper: {
+  gnome = prev.gnome.overrideScope' (gself: gsuper: {
     mutter = gsuper.mutter.overrideAttrs (oldAttrs: {
-      src = super.fetchurl {
+      src = prev.fetchurl {
         url = "https://gitlab.gnome.org/Community/Ubuntu/mutter/-/archive/triple-buffering-v4-46/mutter-triple-buffering-v4-46.tar.gz";
         sha256 = "mmFABDsRMzYnLO3+Cf3CJ60XyUBl3y9NAUj+vs7nLqE=";
       };

overlays/libcamera/0001-Ignore-IPA-signing.patch

@@ -0,0 +1,25 @@
+From 625939e594ce255afa3fab3a40c3e524460e1f8b Mon Sep 17 00:00:00 2001
+From: Jordan Holt <jordan@vimium.com>
+Date: Sat, 10 Aug 2024 18:28:08 +0100
+Subject: [PATCH] Ignore IPA signing
+
+---
+ src/libcamera/ipa_manager.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
+index 6d5bbd05..43004175 100644
+--- a/src/libcamera/ipa_manager.cpp
++++ b/src/libcamera/ipa_manager.cpp
+@@ -295,7 +295,7 @@ bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
+ 	if (data.empty())
+ 		return false;
+ 
+-	bool valid = pubKey_.verify(data, ipa->signature());
++	bool valid = true;
+ 
+ 	LOG(IPAManager, Debug)
+ 		<< "IPA module " << ipa->path() << " signature is "
+-- 
+2.44.1
+

overlays/libcamera/0001-Remove-relative-config-lookups.patch

@@ -0,0 +1,142 @@
+From 57128bb78f56cadf9e2dcca5ba4d710c3bd478a7 Mon Sep 17 00:00:00 2001
+From: Jordan Holt <jordan@vimium.com>
+Date: Mon, 5 Aug 2024 21:53:09 +0100
+Subject: [PATCH] Remove relative config lookups
+
+---
+ src/libcamera/ipa_manager.cpp      | 16 ----------
+ src/libcamera/ipa_proxy.cpp        | 48 ++----------------------------
+ src/libcamera/pipeline_handler.cpp | 21 ++-----------
+ 3 files changed, 4 insertions(+), 81 deletions(-)
+
+diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
+index f4e0b633..6d5bbd05 100644
+--- a/src/libcamera/ipa_manager.cpp
++++ b/src/libcamera/ipa_manager.cpp
+@@ -131,22 +131,6 @@ IPAManager::IPAManager()
+ 				<< "No IPA found in '" << modulePaths << "'";
+ 	}
+ 
+-	/*
+-	 * When libcamera is used before it is installed, load IPAs from the
+-	 * same build directory as the libcamera library itself.
+-	 */
+-	std::string root = utils::libcameraBuildPath();
+-	if (!root.empty()) {
+-		std::string ipaBuildPath = root + "src/ipa";
+-		constexpr int maxDepth = 2;
+-
+-		LOG(IPAManager, Info)
+-			<< "libcamera is not installed. Adding '"
+-			<< ipaBuildPath << "' to the IPA search path";
+-
+-		ipaCount += addDir(ipaBuildPath.c_str(), maxDepth);
+-	}
+-
+ 	/* Finally try to load IPAs from the installed system path. */
+ 	ipaCount += addDir(IPA_MODULE_DIR);
+ 
+diff --git a/src/libcamera/ipa_proxy.cpp b/src/libcamera/ipa_proxy.cpp
+index 69975d8f..cd9284a3 100644
+--- a/src/libcamera/ipa_proxy.cpp
++++ b/src/libcamera/ipa_proxy.cpp
+@@ -122,33 +122,11 @@ std::string IPAProxy::configurationFile(const std::string &name,
+ 		}
+ 	}
+ 
+-	std::string root = utils::libcameraSourcePath();
+-	if (!root.empty()) {
+-		/*
+-		 * When libcamera is used before it is installed, load
+-		 * configuration files from the source directory. The
+-		 * configuration files are then located in the 'data'
+-		 * subdirectory of the corresponding IPA module.
+-		 */
+-		std::string ipaConfDir = root + "src/ipa/" + ipaName + "/data";
+-
+-		LOG(IPAProxy, Info)
+-			<< "libcamera is not installed. Loading IPA configuration from '"
+-			<< ipaConfDir << "'";
+-
+-		std::string confPath = ipaConfDir + "/" + name;
++	for (const auto &dir : utils::split(IPA_CONFIG_DIR, ":")) {
++		std::string confPath = dir + "/" + ipaName + "/" + name;
+ 		ret = stat(confPath.c_str(), &statbuf);
+ 		if (ret == 0 && (statbuf.st_mode & S_IFMT) == S_IFREG)
+ 			return confPath;
+-
+-	} else {
+-		/* Else look in the system locations. */
+-		for (const auto &dir : utils::split(IPA_CONFIG_DIR, ":")) {
+-			std::string confPath = dir + "/" + ipaName + "/" + name;
+-			ret = stat(confPath.c_str(), &statbuf);
+-			if (ret == 0 && (statbuf.st_mode & S_IFMT) == S_IFREG)
+-				return confPath;
+-		}
+ 	}
+ 
+ 	if (fallbackName.empty()) {
+@@ -197,28 +175,6 @@ std::string IPAProxy::resolvePath(const std::string &file) const
+ 		}
+ 	}
+ 
+-	/*
+-	 * When libcamera is used before it is installed, load proxy workers
+-	 * from the same build directory as the libcamera directory itself.
+-	 * This requires identifying the path of the libcamera.so, and
+-	 * referencing a relative path for the proxy workers from that point.
+-	 */
+-	std::string root = utils::libcameraBuildPath();
+-	if (!root.empty()) {
+-		std::string ipaProxyDir = root + "src/libcamera/proxy/worker";
+-
+-		LOG(IPAProxy, Info)
+-			<< "libcamera is not installed. Loading proxy workers from '"
+-			<< ipaProxyDir << "'";
+-
+-		std::string proxyPath = ipaProxyDir + proxyFile;
+-		if (!access(proxyPath.c_str(), X_OK))
+-			return proxyPath;
+-
+-		return std::string();
+-	}
+-
+-	/* Else try finding the exec target from the install directory. */
+ 	std::string proxyPath = std::string(IPA_PROXY_DIR) + proxyFile;
+ 	if (!access(proxyPath.c_str(), X_OK))
+ 		return proxyPath;
+diff --git a/src/libcamera/pipeline_handler.cpp b/src/libcamera/pipeline_handler.cpp
+index 5ea2ca78..fd8555ca 100644
+--- a/src/libcamera/pipeline_handler.cpp
++++ b/src/libcamera/pipeline_handler.cpp
+@@ -561,25 +561,8 @@ std::string PipelineHandler::configurationFile(const std::string &subdir,
+ 	struct stat statbuf;
+ 	int ret;
+ 
+-	std::string root = utils::libcameraSourcePath();
+-	if (!root.empty()) {
+-		/*
+-		 * When libcamera is used before it is installed, load
+-		 * configuration files from the source directory. The
+-		 * configuration files are then located in the 'data'
+-		 * subdirectory of the corresponding pipeline handler.
+-		 */
+-		std::string confDir = root + "src/libcamera/pipeline/";
+-		confPath = confDir + subdir + "/data/" + name;
+-
+-		LOG(Pipeline, Info)
+-			<< "libcamera is not installed. Loading platform configuration file from '"
+-			<< confPath << "'";
+-	} else {
+-		/* Else look in the system locations. */
+-		confPath = std::string(LIBCAMERA_DATA_DIR)
+-				+ "/pipeline/" + subdir + '/' + name;
+-	}
++	confPath = std::string(LIBCAMERA_DATA_DIR)
++			+ "/pipeline/" + subdir + '/' + name;
+ 
+ 	ret = stat(confPath.c_str(), &statbuf);
+ 	if (ret == 0 && (statbuf.st_mode & S_IFMT) == S_IFREG)
+-- 
+2.44.1
+

overlays/libcamera/default.nix

@@ -0,0 +1,64 @@
+final: prev:
+{
+  libpisp = final.stdenv.mkDerivation {
+    name = "libpisp";
+    version = "1.0.5";
+    src = final.fetchFromGitHub {
+      owner = "raspberrypi";
+      repo = "libpisp";
+      rev = "v1.0.5";
+      hash = "sha256-CHd44CH5dBcZuK+5fZtONZ8HE/lwGKwK5U0BYUK8gG4=";
+    };
+
+    nativeBuildInputs = with final; [
+      pkg-config
+      meson
+      ninja
+    ];
+
+    buildInputs = with final; [
+      nlohmann_json
+      boost
+    ];
+
+    BOOST_INCLUDEDIR = "${prev.lib.getDev final.boost}/include";
+    BOOST_LIBRARYDIR = "${prev.lib.getLib final.boost}/lib";
+  };
+
+  libcamera = prev.libcamera.overrideAttrs (old: {
+    src = final.fetchFromGitHub {
+      owner = "raspberrypi";
+      repo = "libcamera";
+      rev = "eb00c13d7c9f937732305d47af5b8ccf895e700f";
+      hash = "sha256-p0/inkHPRUkxSIsTmj7VI7sIaX7OXdqjMGZ31W7cnt4=";
+    };
+
+    postPatch = ''
+      patchShebangs utils/ src/py/
+    '';
+
+    patches = [
+      ./0001-Remove-relative-config-lookups.patch
+      ./0001-Ignore-IPA-signing.patch
+    ];
+
+    buildInputs = old.buildInputs ++ (with final; [
+      libpisp
+      libglibutil
+    ]);
+
+    mesonFlags = old.mesonFlags ++ [
+      "--buildtype=release"
+      "-Dpipelines=rpi/vc4,rpi/pisp"
+      "-Dipas=rpi/vc4,rpi/pisp"
+      "-Dgstreamer=enabled"
+      "-Dtest=false"
+      "-Dcam=enabled"
+      "-Dpycamera=disabled"
+    ];
+  });
+
+  camera-streamer = prev.callPackage ../pkgs/camera-streamer/package.nix {
+    libcamera = final.libcamera;
+  };
+}

pkgs/camera-streamer/0001-Disable-libdatachannel.patch

@@ -0,0 +1,25 @@
+From 0f17bb86772afe9495891e420a809a0b3c071caf Mon Sep 17 00:00:00 2001
+From: Jordan Holt <jordan@vimium.com>
+Date: Sat, 10 Aug 2024 15:37:15 +0100
+Subject: [PATCH] Disable libdatachannel
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index d5029bd..e50ba1a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -23,7 +23,7 @@ USE_HW_H264 ?= 1
+ USE_FFMPEG ?= $(shell pkg-config libavutil libavformat libavcodec && echo 1)
+ USE_LIBCAMERA ?= $(shell pkg-config libcamera && echo 1)
+ USE_RTSP ?= $(shell pkg-config live555 && echo 1)
+-USE_LIBDATACHANNEL ?= $(shell [ -e $(LIBDATACHANNEL_PATH)/CMakeLists.txt ] && echo 1)
++USE_LIBDATACHANNEL ?= 0
+ 
+ ifeq (1,$(DEBUG))
+ CFLAGS += -g
+-- 
+2.44.1
+

pkgs/camera-streamer/package.nix

@@ -12,9 +12,9 @@
 , ffmpeg
 , libcameraSupport ? true
 , libcamera
-, rtspSupport ? true
+, rtspSupport ? false
 , live555
-, webrtcSupport ? true
+, webrtcSupport ? false
 , openssl
 
 , lib
@@ -32,6 +32,10 @@ stdenv.mkDerivation (finalAttrs: {
     fetchSubmodules = true;
   };
 
+  patches = [
+    ./0001-Disable-libdatachannel.patch
+  ];
+
   # Second replacement fixes literal newline in generated version.h.
   postPatch = ''
     substituteInPlace Makefile \