i hope this works

modules/common/core/system/virtualization/default.nix

@@ -10,8 +10,7 @@
 in {
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgs;
-      []
-      ++ optionals cfg.qemu.enable [
+      optionals cfg.qemu.enable [
         virt-manager
         virt-viewer
       ]
@@ -63,6 +62,28 @@ in {
 
       waydroid.enable = cfg.waydroid.enable;
       lxd.enable = mkDefault config.virtualisation.waydroid.enable;
+
+      systemd.user = mkIf cfg.distrobox.enable {
+        timers."distrobox-update" = {
+          enable = true;
+          wantedBy = ["timers.target"];
+          timerConfig = {
+            OnBootSec = "1h";
+            OnUnitActiveSec = "1d";
+            Unit = "distrobox-update.service";
+          };
+        };
+
+        services."distrobox-update" = {
+          enable = true;
+          script = ''
+            ${pkgs.distrobox}/bin/distrobox upgrade --all
+          '';
+          serviceConfig = {
+            Type = "oneshot";
+          };
+        };
+      };
     };
   };
 }

modules/common/types/server/services/databases/postgresql/default.nix

@@ -14,17 +14,46 @@ in {
     services.postgresql = {
       enable = true;
       package = pkgs.postgresql;
-      checkConfig = true;
       dataDir = "/srv/storage/postgresql/${config.services.postgresql.package.psqlSchema}";
 
+      enableTCPIP = false;
+
+      checkConfig = true;
+      settings = {
+        log_connections = true;
+        log_statement = "all";
+        logging_collector = true;
+        log_disconnections = true;
+        log_destination = lib.mkForce "syslog";
+      };
+
       ensureDatabases = [
         "miniflux"
+        "gitea"
+        "grafana"
+        "vaultwarden"
       ];
       ensureUsers = [
         {
           name = "miniflux";
           ensurePermissions."DATABASE miniflux" = "ALL PRIVILEGES";
         }
+        {
+          name = "postgres";
+          ensurePermissions."ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+        }
+        {
+          name = "gitea";
+          ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES";
+        }
+        {
+          name = "grafana";
+          ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
+        }
+        {
+          name = "vaultwarden";
+          ensurePermissions."DATABASE vaultwarden" = "ALL PRIVILEGES";
+        }
       ];
     };
   };

modules/common/types/server/services/databases/redis/default.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+
+  cfg = config.modules.services.database.redis;
+in {
+  config = mkIf cfg.enable {
+    services.redis = {
+      vmOverCommit = true;
+      servers = {
+        gitea = mkIf cfg.gitea.enable {
+          enable = true;
+          user = "gitea";
+          port = 6371;
+          databases = 16;
+          logLevel = "debug";
+          requirePass = "gitea";
+        };
+
+        searxng = mkIf cfg.searxng.enable {
+          enable = true;
+          user = "searx";
+          port = 6370;
+          databases = 16;
+          logLevel = "debug";
+          requirePass = "searxng";
+        };
+      };
+    };
+  };
+}

modules/common/types/server/services/gitea/default.nix

@@ -17,7 +17,15 @@ with lib; let
   };
 in {
   config = mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [config.services.gitea.settings.server.HTTP_PORT];
+    networking.firewall.allowedTCPPorts = [
+      config.services.gitea.settings.server.HTTP_PORT
+      config.services.forgejo.settings.server.SSH_PORT
+    ];
+
+    modules.system.services.database = {
+      redis.enable = true;
+      postgresql.enable = true;
+    };
 
     systemd.services = {
       gitea = {
@@ -38,21 +46,10 @@ in {
         enable = true;
         package = pkgs.forgejo;
         appName = "iztea";
-        lfs.enable = true;
-        user = "git";
-        group = "git";
-        database.user = "git";
         stateDir = "/srv/storage/gitea/data";
 
         mailerPasswordFile = config.sops.secrets.mailserver-gitea-nohash.path;
 
-        dump = {
-          enable = true;
-          backupDir = "/srv/storage/gitea/dump";
-          interval = "06:00";
-          type = "tar.zst";
-        };
-
         settings = {
           server = {
             ROOT_URL = "https://${gitea_domain}";
@@ -81,10 +78,23 @@ in {
                   (builtins.attrNames (builtins.readDir theme))));
           };
 
-          "ui.meta" = {
-            AUTHOR = "Isabel Roses";
-            DESCRIPTION = "A great place to hide my code from you";
-            KEYWORDS = "git,self-hosted,gitea,isabelroses,catppuccin,open-source,forgejo";
+          actions = {
+            ENABLED = true;
+            DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
+          };
+
+          database = {
+            DB_TYPE = lib.mkForce "postgres";
+            HOST = "/run/postgresql";
+            NAME = "gitea";
+            USER = "gitea";
+            PASSWD = "gitea";
+          };
+
+          cache = {
+            ENABLED = true;
+            ADAPTER = "redis";
+            HOST = "redis://:gitea@localhost:6371";
           };
 
           migrations.ALLOWED_DOMAINS = "github.com, *.github.com, gitlab.com, *.gitlab.com";
@@ -103,15 +113,14 @@ in {
             USER = "git@${domain}";
           };
         };
-      };
 
-      openssh = {
-        extraConfig = ''
-          Match User git
-            AuthorizedKeysCommandUser git
-            AuthorizedKeysCommand ${lib.getExe pkgs.forgejo} keys -e git -u %u -t %t -k %k
-          Match all
-        '';
+        # backup
+        dump = {
+          enable = true;
+          backupDir = "/srv/storage/forgejo/dump";
+          interval = "06:00";
+          type = "tar.zst";
+        };
       };
     };
   };

modules/common/types/server/services/monitoring/default.nix

@@ -1,6 +1,6 @@
 _: {
   imports = [
-    ./grafana.nix
-    ./prometheus.nix
+    ./grafana
+    ./prometheus
   ];
 }

modules/common/types/server/services/monitoring/grafana/default.nix

@@ -0,0 +1,86 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.networking) domain;
+
+  cfg = config.modules.services.monitoring.grafana;
+
+  port = 3100;
+in {
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [port];
+
+    services = {
+      postgresql = {
+        enable = true;
+        ensureDatabases = ["grafana"];
+        ensureUsers = [
+          {
+            name = "grafana";
+            ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
+          }
+        ];
+      };
+
+      grafana = {
+        enable = true;
+        settings = {
+          analytics = {
+            reporting_enabled = false;
+            check_for_updates = false;
+          };
+
+          server = {
+            http_port = port;
+            http_addr = "0.0.0.0";
+            domain = "graph.${domain}";
+            enforce_domain = true;
+          };
+
+          "auth.anonymous".enabled = true;
+          "auth.basic".enabled = false;
+
+          users = {
+            allow_signup = false;
+          };
+
+          database = {
+            type = "postgres";
+            host = "/run/postgresql";
+            name = "grafana";
+            user = "grafana";
+            ssl_mode = "disable";
+          };
+
+          smtp = let
+            mailer = "grafana@${domain}";
+          in {
+            enabled = true;
+
+            user = mailer;
+            password = "$__file{" + config.sops.secrets.mailserver-grafana-nohash.path + "}";
+
+            host = "mail.${domain}:465";
+            from_address = mailer;
+            startTLS_policy = "MandatoryStartTLS";
+          };
+        };
+        provision = {
+          datasources.settings = {
+            datasources = [
+              {
+                name = "Prometheus";
+                type = "prometheus";
+                url = "http://localhost:9090";
+                orgId = 1;
+              }
+            ];
+          };
+        };
+      };
+    };
+  };
+}