Update the database configuration to the current architecture.

.sops.yaml

@@ -13,3 +13,8 @@ creation_rules:
       - age:
         - *admin_christine
         - *server_traefik
+  - path_regex: nix-system-configs/secrets/database/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *admin_christine
+          - *server_traefik

nix-system-configs/database-deprecated/configuration.nix

@@ -120,6 +120,7 @@
     fastfetch
     hyfetch
     pgadmin4
+    google-cloud-sdk
   ];
 
   # Some programs need SUID wrappers, can be configured further or are

nix-system-configs/modules/desktop-manager/gnome.nix

@@ -4,7 +4,49 @@
   lib,
   ...
 }: {
+  # Enable the X11 windowing system.
   services.xserver.enable = true;
+
+  # Enable the GNOME Desktop Environment.
   services.xserver.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome3.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+
+  # Configure keymap in X11
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+  };
+
+  # Enable CUPS to print documents.
+  services.printing.enable = true;
+
+  # Enable sound with pipewire.
+  services.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    # If you want to use JACK applications, uncomment this
+    #jack.enable = true;
+
+    # use the example session manager (no others are packaged yet so this is enabled by default,
+    # no need to redefine it in your config for now)
+    #media-session.enable = true;
+  };
+
+  # Install firefox.
+  programs.firefox.enable = true;
+
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  programs.mtr.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
 }

nix-system-configs/modules/secrets-config/sops-database.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = let
+    # replace this with an actual commit id or tag
+    commit = "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c";
+  in [
+    "${builtins.fetchTarball {
+      url = "https://github.com/Mic92/sops-nix/archive/${commit}.tar.gz";
+      # replace this with an actual hash
+      sha256 = "ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=";
+    }}/modules/sops"
+  ];
+
+  # This will add secrets.yml to the nix store
+  # You can avoid this by adding a string to the full path instead, i.e.
+  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+  sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml;
+  # This will automatically import SSH keys as age keys
+  sops.age.sshKeyPaths = ["/home/songsheetprg/.ssh/id_ed25519.pub"];
+  # This is using an age key that is expected to already be in the filesystem
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  # This will generate a new key if the key specified above does not exist
+  sops.age.generateKey = true;
+}

nix-system-configs/modules/system/compose-songsheet.nix

@@ -38,7 +38,7 @@
     #
     ## Compose modules for Portainer service
     ./modules/songsheet/wavelog/docker-compose.nix
-    ./modules/secrets-config/sops-nix.nix
+    ./modules/secrets-config/sops-composesongsheet.nix
   ];
 
   config = {

nix-system-configs/modules/system/database.nix

@@ -0,0 +1,100 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  options.local = {
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      default = "nixos-default";
+      description = "System hostname";
+    };
+    username = lib.mkOption {
+      type = lib.types.str;
+      default = "user";
+      description = "Primary user username";
+    };
+    userDescription = lib.mkOption {
+      type = lib.types.str;
+      default = "NixOS User";
+      description = "Primary user description";
+    };
+    address = lib.mkOption {
+      type = lib.types.str;
+      default = "10.1.1.100";
+      description = "Static IP address";
+    };
+  };
+
+  imports = [
+    ./modules/desktop-manager/gnome.nix
+    ./modules/local/hostname_username.nix
+    ./modules/local/networking_local.nix
+    ./modules/lix-default.nix
+    ./modules/secrets-config/sops-database.nix
+    ./hardware-configuration.nix
+  ];
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  config = {
+    local.hostname = "nixosdd";
+    local.username = "nixosdd";
+    local.userDescription = "NixOS Dedicated Database";
+    local.address = "10.1.1.251";
+
+    networking.firewall.allowedTCPPorts = [
+      5432 # PostgreSQL
+      3306 # MariaDB/MySQL
+    ];
+    networking.firewall.allowedUDPPorts = [
+      5432 # PostgreSQL
+      3306 # MariaDB/MySQL
+    ];
+
+    # List services that you want to enable:
+
+    # Enable PostgreSQL
+    services.postgresql = {
+      enable = true;
+      enableTCPIP = true;
+      ensureDatabases = ["forgejo" "part_db_database"];
+      settings = {
+        listen_addresses = "*";
+      };
+      authentication = pkgs.lib.mkOverride 10 ''
+        local   all             all                                 trust
+        host    all             all             10.1.1.4/32         scram-sha-256
+        host    all             all             10.1.1.249/32       scram-sha-256
+        host    all             all             127.0.0.1/32        trust
+        host    all             all             ::1/128             trust
+      '';
+    };
+
+    # Enable MariaDB
+    services.mysql = {
+      enable = true;
+      package = pkgs.mariadb;
+    };
+
+    # Enable Tailscale
+    services.tailscale.enable = true;
+
+    # List packages installed in system profile. To search, run:
+    # $ nix search wget
+    environment.systemPackages = with pkgs; [
+      #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+      wget
+      helix
+      fastfetch
+      hyfetch
+      pgadmin4
+      google-cloud-sdk
+    ];
+
+    system.stateVersion = "25.11";
+  };
+}

nix-system-configs/secrets/database/gcloud_bucket.json

@@ -0,0 +1,29 @@
+{
+	"type": "ENC[AES256_GCM,data:bl74l+sY5V4qeLYBANRU,iv:uKOGWFTF6ltq3mQ4ojd1/bZgofPi1J4Gtz3/PUCfLLs=,tag:TxGwCf5qCDPVfIMzFgB01w==,type:str]",
+	"project_id": "ENC[AES256_GCM,data:6cW8StwOvkdGXIjuI5Jj8DuCoE/9z0ky7tEWMIbg,iv:bAyX1+phAdiMRVZNRwDGE+QkbFo71u+Gut+z+yPQjg8=,tag:9JuGbq13tBUJUb/tUWolbQ==,type:str]",
+	"private_key_id": "ENC[AES256_GCM,data:j9xf5MtzNTn7OV2PNWXPPSqSLU4elVLjF1MB6xmlFXSy6XXJEbz/uA==,iv:iVCTbjtVHGEsvKtBHnrwiI3MPgGKGQlyEv9zAMcQ7sE=,tag:VzsIQHMjBvrIl9X5Ul2j+Q==,type:str]",
+	"private_key": "ENC[AES256_GCM,data:X5HOWhmdI/J9TqQ9bVcplgeFXtZSk3m4+9duXzc38IZ+e8E2gBISq/bfQ8HGzK7r54c85aCNFiYYbzkNHRh+newlNSBCHhmfHc0Ko7OLQS3+wcEX6Z+D2llMJxKAFAXGh63L6gWdYCAgTgpL8OlKv4sW1V4yH2N+Ei+iiYcHfc6g/xDRky3PxBNQcoA2qTzfBpZ8lDRMFLQQDeKeGmiC8m5o0RPdiSdA9oDc4IMkWPPEidCTu4hUn4YLr3Yz5NMEFqMqaiVq4G9FsS3fVZdk4HSdFHNlse6apkIQDTUWkQhjSwktl4ul2jimgKBxa2aNcHmKZcxnoSgF1wg37P6b+RNAsUx5OgpqLmXoaSC9+5PHMkvUrnwp0kwMLqmtXhUDtJcA1zRGaWgI7jXXcHlvXMxtod+GdGygMsNNMPoNqAacT7OZ3Fc3TqoBERd2yvORbKQmKuXSOslFsWa17toqo42tUEZReXbnQkvHe9ZQKUAaPvjVX9pQzraR8tj2ReLsO/8L9gluRv5j9NSt1DnzBZyggRUj5trE81fJ6joiNCHQmcJyagInDeDXGZVmzPtXofOwjR8U8+fVbnxpp7ji7HLjFVtecxF2DteihTJ8SqsjQMpWwV5E241AK0N4gnnGi2QmvWpq+x83Xceu6zwNgTVnnyR7mWgOuYKnzeez9a9ozRPDkf2EvCxaTzyAzzXLem+Ui9m6hJ0IO3bZERvLZzCP0yykE7BhbF9LDwVfc6TSr2bCgdIy07DCI5ccNm8nqdtE1m/xqQRQ3uNrRkLzJOFUUXSfDwmE+dFPxbL1x5Bmqac+jvH8Coj10l1rdAExyOLNyIFJG4ZmmxVIsf0CnYc87ezZmF8nLcL/rLjg6lngAlqQo2KE8H2omAfFNDCAiqQGqLuqi6DBQS12K08Aqk9tN7zrmB5sRCzVDpo0SmCSS5VvPduaSk1TWAIH5Z1gHMU1cdz++3hyMZvvG9b7hiRFQoFBPHZnDyKta427X7ccsLM2OCIEI7Tb3T0zO6IK8/WrZolAqwxzJv4kJJUQan0lhASFC7koUEJ+1W6yycaLXeibNlzllP6Rc5ovp8QOuOgUNdR5dvEeVkAXqII49qvP/zr9N6aMGgFXNCZNKJq/nUSFAlOoawoJwWKowgDy2nmA/a9jamDT4cSxguOKa6JIBfT3aqZw7hVvMoqVzp47HI6FimEPxKPSJHbM3skEYEi3aLoDGPoG/NlT+uZ1ojqV0P0w0ESxb69RCnF8alvIIVZSMyC3YTbEfjdaOSl+UYvgkeWttujJ0z/utDOG2xe7fIkyI264tE91iebh2shHXri2I0vofL60DJBttYZ97cM26DzJTtOo6P30ilG5K0HRHc8K1O/yLZJroSjQXZM8O1Mk3b8cSYvjcbboOKCxPIxdqQpI3+AYHUvge4jqZHot+wOjIo+GKFDhxcTopkwJbKfayNAzQkac5DIBDmZWK5baNG9tG03NZGaRvP31mlmfBElr2s3EGbj3j4V7++rv+4mzleCH/oSGBob+crFbrq/QVU9zPtOKzKz5tQvb2BRlRE30hOkmq2cQfT3M2kS0fVjxBgCeFFPzMnXBs9kbg73zJZXLO3f7EhrmT9CbZjcW18D4ptqD6MZeojGn6+7D/JnccsVB4dYJg8MWDEDnHmCnL12gGQEWPwkZEchENginl28P3ZPTQwnFje+hnKWwCMa4TdqgD89bKksEuOP9PPe+3yGgjXWDj7E862bvCXVi1sHrHexkrcC1B+kdcnFGbsra/2K48+aWUED0405V7OqCYOygFLg7e1/oMN39PfDuX51A39Fi+/4sX6JCMRjG1/2EbKowcbNYnNjC7SWjYNWc062jA0PMYlhE4Tf8+1cdliAmuD+A6JyhcNZj2ulyBSqkR3tTV6UrnrWkaT+25ywWSkBiBkPWFt8sB0VOqZN4F6aBVrsjIFjZrx/GWDNXPpMiaEIokzlPLCvJ9XeKq6cWB/W3tAqog6GWorJcjsLi+glVjUvskDlLslj3Vd4eqnAjbktBIknzEv23557ghQMYpxIBFw3dqewz+Z6p+XoVsY73t84llbtT+PhhL/FdZJIlQ8iPnEdZTKfeTCcOQsbn1KXmEF1L9sdibCxi4qWdBkclnuH8VUpQto+2TDyQ2whJPASiiqNSV5W/QPDUjcR9AtEpRYXKmuXMts0M4X9sg6yLVq4QOe6rOPCPelxOC52I+FuVCOsoRQ8FGjFmhNQX2TN4UzJU9O0docpO0ubWuUCcoKr2,iv:KMBWDjUNBEGOEadSCzajAhaRgZy0x6ZJ53dQV4WsxuI=,tag:cqPBsxqiNlOWE5sv3gS2Qw==,type:str]",
+	"client_email": "ENC[AES256_GCM,data:5GS7lQmxfEhIiqLEOZQElCyL7mnrCPpWhBC5b9GsefHRu8MIZdiU/J5Kl2tAK7iGKlPVcoblYuwjg9jAxwq2Mwp6GBiVJ8pC80xwiC4g7w==,iv:bE4BhJTvprgW5NOJMspvEY43w0DB3B59dPP/iI7+9U8=,tag:tDEQXWClCHrE9zUbXbWVMA==,type:str]",
+	"client_id": "ENC[AES256_GCM,data:smvsjKHs4FZ545bbNnsKLyxklwJG,iv:UdbOhgdUkwLUF9BXpVZhs6bshCT/w2GsUBx8TA6IJYA=,tag:UgvsYx4bVUiLX/ivSn4V/g==,type:str]",
+	"auth_uri": "ENC[AES256_GCM,data:MoSyAWIMF31wGC1Th9lBVdxNUcKI9ChFQQ/9NcOpawZBKCWRpvUPPRk=,iv:0M/ckQguvifJswhl6fRZoLFDLotL4pqVWtgCJnneuvg=,tag:jg9yVdYsa3SzU15QodJSCg==,type:str]",
+	"token_uri": "ENC[AES256_GCM,data:VU6Jz5gmDMkRk8xVXz/GmBKqAU8LXWDWDd8wDG2LAgvYCf8=,iv:PsKBpoHzDJsrQgagYgSmDGfy/hi68PiDO5Cp1840gIE=,tag:4PnonD0ZhEb0ubshGY8wgQ==,type:str]",
+	"auth_provider_x509_cert_url": "ENC[AES256_GCM,data:DUe6H/PflOHgZ8V25EzCqtpIHiMHCI6xmfEmOQOOJTxBgKYm+PRDxIDD,iv:hNAgapcSmqKuGYNS0Ru/OAVR7DIGV73TOdGZVwBgF1w=,tag:texXV9bYMsev8oZT/Zs0LQ==,type:str]",
+	"client_x509_cert_url": "ENC[AES256_GCM,data:8Herex6V+OajFPQHlSlEFWyY9UHZ1O59Uk6DhU/YN99Uapo2D0WkE9OBDRwI/CFbPWEg6i7yUHVTTCw132kC7tB+QeqX1GHLYedV3AE4QyRzHlQPSsLkxMFr/q283IAu5Evm4WtQdZYQcqF8+olqd9veQuxMpnfWzz9hD4PpV6djur8=,iv:wloNQK6DSXCk4x5p6Clyi90GXYBHkhgTcJ2HJdz5b48=,tag:coYQsiCRE2IakoWz4P5dOw==,type:str]",
+	"universe_domain": "ENC[AES256_GCM,data:Juy31OVAEIAvPDV1fow=,iv:GKLpORARKRm7Hm14/H44RdAcnQYIyqi6e+UWaG9KjlI=,tag:saBZsuMBlTSEcVoFbnoLNQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1746rvsvsc3snxfl7cndm222wd5kck4aqj3x7nednlegq0gdjhfcqx0qv7m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeTFMQlBOS1kyNjJkYito\nZG9XQ3NJSmJxNk1pZDF2T3FoOUU5SEhqYmw0CmN4VnE5cWR3Tm1kdkZnWEZJcHha\nejBNODZkOXFnckRFdTVwdFJwTUVWaDgKLS0tIGRCY2VaS2RMcjQ4clZRbG52ZGdI\nQXdZZ3hBcktmMUlhNDV4TGVaT2c0UEkKH9e+rTKrRt9JqYG+RkFrlcaNXd8zn+0/\no65SOKlwMC0VAAb7rDDU0xGmahW2/bWErW2qJ/88dvDuqdX2sD28Pg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1rdcs8y4fjfyagwt2q9599ax329thceersh6dg2f0p6nsghm5xufq00qu0p",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZTI4dUQxdExvTjA1UDJj\nMUtFZ1F4SzZzVGhXTjJQYkRQaVlyUEZsaTFVCjdtc01Ydk9lMWd2cnVrbTAzeERN\nbG1XcTYzU1RPRXRYcFlzK3RJQzJUV2MKLS0tIEJETzZKaHZENTdrbUVTYWIxNmhB\ndWhvNEJpNVQvcG9lam1lbkV1dGxpMDAK9OspZrLOshe7JLROJvJ9dkzejkSRixyJ\nzD0IbFv3N+HIC3DeStDzCUnRdLmrM/q4HOYCPNCmAtT9jvOrD96ejw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-02-07T20:01:07Z",
+		"mac": "ENC[AES256_GCM,data:fjKrLuYFXZhHa2KwyWTmDiEyZInyJluI4QjevW2liWKyv7rtJbwzxlzUEb4hUG3pwFFOWeeNwAvIg+la+0Y+sERIEM5P5j60buia2cQZFTK6WvNwLsNN+/sDptznGfrUsI3GJOBtIQgdCCBrrDwj7YARP+T6kk0wh7iw6LgfuWY=,iv:Psy2bv2w9J4OXNH8MESCZD1zSCWDRKlmaOijgyKyorc=,tag:QpiPUT9WMzQQLUVTwtfWjw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}