murmur (mumble server) and non-caddy acme client

Flake lock file updates:

• Updated input 'darwin':
    'github:lnl7/nix-darwin/0d7874ef7e3ba02d58bebb871e6e29da36fa1b37' (2026-02-04)
  → 'github:lnl7/nix-darwin/6c5a56295d2a24e43bcd8af838def1b9a95746b2' (2026-02-12)
• Updated input 'home-manager':
    'github:nix-community/home-manager/471e6a065f9efed51488d7c51a9abbd387df91b8' (2026-02-05)
  → 'github:nix-community/home-manager/05e6dc0f6ed936f918cb6f0f21f1dad1e4c53150' (2026-02-14)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2' (2026-02-04)
  → 'github:nixos/nixpkgs/ec7c70d12ce2fc37cb92aff673dcdca89d187bae' (2026-02-11)
• Updated input 'nur':
    'github:nix-community/nur/227b931ac44365853d7a0026360878cb990b426e' (2026-02-07)
  → 'github:nix-community/nur/40fb292376611e388cb14329c96853966f57763a' (2026-02-14)
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/9922ff9f99a6436756cbe6f5d11f9c3630e58cf0' (2026-02-07)
  → 'github:oxalica/rust-overlay/d7a86c8a4df49002446737603a3e0d7ef91a9637' (2026-02-14)
• Updated input 'wsl':
    'github:nix-community/NixOS-WSL/38a5250e57f583662eac3b944830e4b9e169e965' (2026-01-24)
  → 'github:nix-community/NixOS-WSL/5b50ea1aaa14945d4794c80fcc99c4aa1db84d2d' (2026-02-09)

flake.lock

@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768764703,
+        "lastModified": 1770922915,
-        "narHash": "sha256-5ulSDyOG1U+1sJhkJHYsUOWEsmtLl97O0NTVMvgIVyc=",
+        "narHash": "sha256-6J/JoK9iL7sHvKJcGW2KId2agaKv1OGypsa7kN+ZBD4=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "0fc4e7ac670a0ed874abacf73c4b072a6a58064b",
+        "rev": "6c5a56295d2a24e43bcd8af838def1b9a95746b2",
         "type": "github"
       },
       "original": {
@@ -179,11 +179,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769813945,
+        "lastModified": 1771037579,
-        "narHash": "sha256-9ABv9Lo9t6MrFjlnRnU8Zw1C6LVj2+R8PipQ/rxGLHk=",
+        "narHash": "sha256-NX5XuhGcsmk0oEII2PEtMRgvh2KaAv3/WWQsOpxAgR4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "475921375def3eb930e1f8883f619ff8609accb6",
+        "rev": "05e6dc0f6ed936f918cb6f0f21f1dad1e4c53150",
         "type": "github"
       },
       "original": {
@@ -198,9 +198,7 @@
         "cl-nix-lite": "cl-nix-lite",
         "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
-        "nixpkgs": [
+        "nixpkgs": "nixpkgs_3",
-          "nixpkgs"
-        ],
         "systems": "systems_2",
         "treefmt-nix": "treefmt-nix_2"
       },
@@ -339,6 +337,22 @@
       }
     },
     "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1732617236,
+        "narHash": "sha256-PYkz6U0bSEaEB1al7O1XsqVNeSNS+s3NVclJw7YC43w=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "af51545ec9a44eadf3fe3547610a5cdd882bc34e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "af51545ec9a44eadf3fe3547610a5cdd882bc34e",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
       "locked": {
         "lastModified": 1761236834,
         "narHash": "sha256-+pthv6hrL5VLW2UqPdISGuLiUZ6SnAXdd2DdUE+fV2Q=",
@@ -354,13 +368,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
       "locked": {
-        "lastModified": 1769461804,
+        "lastModified": 1770841267,
-        "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
+        "narHash": "sha256-9xejG0KoqsoKEGp2kVbXRlEYtFFcDTHjidiuX8hGO44=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
+        "rev": "ec7c70d12ce2fc37cb92aff673dcdca89d187bae",
         "type": "github"
       },
       "original": {
@@ -370,7 +384,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
       "locked": {
         "lastModified": 1744536153,
         "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=",
@@ -394,11 +408,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769834069,
+        "lastModified": 1771044752,
-        "narHash": "sha256-GjeN/5TdWev/L/Izem3XScV6i/55Z+n+GfjKa1srBcU=",
+        "narHash": "sha256-9pnZltSDksIepwd1PJIskZKXTGQzdElS/zK/qnlj2uU=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "2db81de33100ef4d86ebc80dc4bc30df1fe97c5d",
+        "rev": "40fb292376611e388cb14329c96853966f57763a",
         "type": "github"
       },
       "original": {
@@ -415,7 +429,7 @@
         "mac-app-util": "mac-app-util",
         "nix2vim": "nix2vim",
         "nixos-generators": "nixos-generators",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_5",
         "nixpkgs-stable": "nixpkgs-stable",
         "nur": "nur",
         "rust-overlay": "rust-overlay",
@@ -426,14 +440,14 @@
     },
     "rust-overlay": {
       "inputs": {
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1769828398,
+        "lastModified": 1771038269,
-        "narHash": "sha256-zmnvRUm15QrlKH0V1BZoiT3U+Q+tr+P5Osi8qgtL9fY=",
+        "narHash": "sha256-TygYZ7JhnJbRoWOk7d5HaA/GhEVCvtRruN7TqaN9s/c=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "a1d32c90c8a4ea43e9586b7e5894c179d5747425",
+        "rev": "d7a86c8a4df49002446737603a3e0d7ef91a9637",
         "type": "github"
       },
       "original": {
@@ -522,7 +536,7 @@
     },
     "treefmt-nix_2": {
       "inputs": {
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_4"
       },
       "locked": {
         "lastModified": 1766000401,
@@ -546,11 +560,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769217863,
+        "lastModified": 1770657009,
-        "narHash": "sha256-RY9kJDXD6+2Td/59LkZ0PFSereCXHdBX9wIkbYjRKCY=",
+        "narHash": "sha256-v/LA5ZSJ+JQYzMSKB4sySM0wKfsAqddNzzxLLnbsV/E=",
         "owner": "nix-community",
         "repo": "NixOS-WSL",
-        "rev": "38a5250e57f583662eac3b944830e4b9e169e965",
+        "rev": "5b50ea1aaa14945d4794c80fcc99c4aa1db84d2d",
         "type": "github"
       },
       "original": {

flake.nix

@@ -37,7 +37,7 @@
     # Better App install management in macOS
     mac-app-util = {
       url = "github:hraban/mac-app-util";
-      inputs.nixpkgs.follows = "nixpkgs"; # Use system packages list for their inputs
+      # inputs.nixpkgs.follows = "nixpkgs"; # Use system packages list for their inputs
     };
 
     # Manage disk format and partitioning
@@ -132,6 +132,7 @@
           mathesar = "mathesar.${baseName}";
           metrics = "metrics.${baseName}";
           minecraft = "minecraft.${baseName}";
+          mumble = "mumble.${baseName}";
           n8n = "n8n.${baseName}";
           navidrome = "music.${baseName}";
           notifications = "ntfy.${baseName}";

pkgs/firefox-history-exporter/manifest.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": 3,
   "name": "History Exporter",
-  "version": "1.0",
+  "version": "1.1",
   "description": "Automatically exports today's browsing history.",
   "permissions": [
     "history",

pkgs/firefox-history-exporter/package.nix

@@ -2,7 +2,7 @@
 
 pkgs.stdenv.mkDerivation rec {
   pname = "firefox-history-exporter";
-  version = "1.0";
+  version = "1.1";
   src = ./.;
 
   nativeBuildInputs = [ pkgs.zip ];

platforms/nix-darwin/modules/nmasur/presets/services/daily-summary/daily-summary.nix

@@ -17,7 +17,7 @@ let
   #   ];
   # } (builtins.readFile ./process-urls.py);
   # prompt = "Based on my browser usage for today from the markdown file located in /Users/${username}/Downloads/Sidebery/todays_urls.md, create or update a daily summary markdown file in the generated notes directory located in /Users/${username}/dev/personal/notes/generated/ with the filename format 'YYYY-MM-DD Daily Summary.md'. The resulting markdown file should use /Users/${username}/dev/personal/notes/templates/generated-summary.md as a format template, and it should summarize where I have spent my time today and highlight any notable links that I have visited. Please create markdown links to other relevant notes in /Users/${username}/dev/personal/notes/. If there is an existing markdown file for today, update it to include the newest information.";
-  prompt = "Based on my browser usage for today from the JSON file located in /Users/${username}/Downloads/firefox-history/history-YYYY-MM-DD.json, create or update a daily summary markdown file in the generated notes directory located in /Users/${username}/dev/personal/notes/generated/ with the filename format 'YYYY-MM-DD Daily Summary.md'. The resulting markdown file should use /Users/${username}/dev/personal/notes/templates/generated-summary.md as a format template, and it should summarize where I have spent my time today and highlight any notable pages that I have visited, using the titles of each URL in the JSON file for markdown links. Please create markdown links to other relevant notes in /Users/${username}/dev/personal/notes/ and explain why they are being referenced. If there is an existing markdown file for today, update it to include the newest information.";
+  prompt = "Based on my browser usage for today from the JSON file located in /Users/${username}/Downloads/firefox-history/history-YYYY-MM-DD.json, create or update a daily summary markdown file in the generated notes directory located in /Users/${username}/dev/personal/notes/generated/ with the filename format 'YYYY-MM-DD Daily Summary.md'. If the JSON file for today doesn't exist, exit. The resulting markdown file should use /Users/${username}/dev/personal/notes/templates/generated-summary.md as a format template, and it should summarize where I have spent my time today and highlight any notable pages that I have visited, using the titles of each URL in the JSON file for markdown links. Please create markdown links to other relevant notes in /Users/${username}/dev/personal/notes/ and explain why they are being referenced. If there is an existing markdown file for today, update it to include the newest information.";
 in
 
 {
@@ -32,7 +32,7 @@ in
       #   GEMINI_API_KEY=$(cat /Users/${username}/.config/gemini/.gemini_api_key) ${pkgs.gemini-cli}/bin/gemini --allowed-tools all --yolo --include-directories /Users/${username}/Downloads/Sidebery/ --include-directories /Users/${username}/dev/personal/notes/ "${prompt}"
       # '';
       script = ''
-        GEMINI_API_KEY=$(cat /Users/${username}/.config/gemini/.gemini_api_key) ${pkgs.gemini-cli}/bin/gemini --allowed-tools all --yolo --include-directories /Users/${username}/Downloads/firefox-history/ --include-directories /Users/${username}/dev/personal/notes/ "${prompt}"
+        GEMINI_API_KEY=$(cat /Users/${username}/.config/gemini/.gemini_api_key) ${pkgs.gemini-cli}/bin/gemini --allowed-tools all --yolo --include-directories "/Users/${username}/Downloads/firefox-history/,/Users/${username}/dev/personal/notes/" "${prompt} | tee -a /Users/${username}/dev/personal/gemini-archive/daily-summary-logs/$(date +"%Y-%m-%d").log"
       '';
 
       path = [

platforms/nixos/modules/nmasur/presets/services/caddy.nix

@@ -58,6 +58,7 @@ in
           {
             handler = "static_response";
             status_code = "403";
+            body = "IP not allowed";
           }
         ];
       }
@@ -109,96 +110,95 @@ in
             apps.tls.automation.policies = cfg.tlsPolicies;
 
             # Setup logging to journal and files
-            logging.logs =
+            logging.logs = {
-              {
+              # System logs and catch-all
-                # System logs and catch-all
+              # Must be called `default` to override Caddy's built-in default logger
-                # Must be called `default` to override Caddy's built-in default logger
+              default = {
-                default = {
+                level = "INFO";
-                  level = "INFO";
+                encoder.format = "console";
-                  encoder.format = "console";
+                writer = {
-                  writer = {
+                  output = "stderr";
-                    output = "stderr";
-                  };
-                  exclude = (map (hostname: "http.log.access.${hostname}") (builtins.attrNames hostname_map)) ++ [
-                    "http.log.access.${default_logger_name}"
-                  ];
                 };
-                # This is for the default access logs (anything not captured by hostname)
+                exclude = (map (hostname: "http.log.access.${hostname}") (builtins.attrNames hostname_map)) ++ [
-                other = {
+                  "http.log.access.${default_logger_name}"
-                  level = "INFO";
+                ];
-                  encoder.format = "json";
+              };
-                  writer = {
+              # This is for the default access logs (anything not captured by hostname)
-                    output = "file";
+              other = {
-                    filename = "${config.services.caddy.logDir}/other.log";
-                    roll = true;
-                    inherit roll_size_mb;
-                  };
-                  include = [ "http.log.access.${default_logger_name}" ];
-                };
-                # This is for using the Caddy API, which will probably never happen
-                admin = {
-                  level = "INFO";
-                  encoder.format = "json";
-                  writer = {
-                    output = "file";
-                    filename = "${config.services.caddy.logDir}/admin.log";
-                    roll = true;
-                    inherit roll_size_mb;
-                  };
-                  include = [ "admin" ];
-                };
-                # This is for TLS cert management tracking
-                tls = {
-                  level = "INFO";
-                  encoder.format = "json";
-                  writer = {
-                    output = "file";
-                    filename = "${config.services.caddy.logDir}/tls.log";
-                    roll = true;
-                    inherit roll_size_mb;
-                  };
-                  include = [ "tls" ];
-                };
-                # This is for debugging
-                debug = {
-                  level = "DEBUG";
-                  encoder.format = "json";
-                  writer = {
-                    output = "file";
-                    filename = "${config.services.caddy.logDir}/debug.log";
-                    roll = true;
-                    roll_keep = 1;
-                    inherit roll_size_mb;
-                  };
-                };
-              }
-              # These are the access logs for individual hostnames
-              // (lib.mapAttrs (name: value: {
                 level = "INFO";
                 encoder.format = "json";
                 writer = {
                   output = "file";
-                  filename = "${config.services.caddy.logDir}/${name}-access.log";
+                  filename = "${config.services.caddy.logDir}/other.log";
+                  roll = true;
+                  inherit roll_size_mb;
+                };
+                include = [ "http.log.access.${default_logger_name}" ];
+              };
+              # This is for using the Caddy API, which will probably never happen
+              admin = {
+                level = "INFO";
+                encoder.format = "json";
+                writer = {
+                  output = "file";
+                  filename = "${config.services.caddy.logDir}/admin.log";
+                  roll = true;
+                  inherit roll_size_mb;
+                };
+                include = [ "admin" ];
+              };
+              # This is for TLS cert management tracking
+              tls = {
+                level = "INFO";
+                encoder.format = "json";
+                writer = {
+                  output = "file";
+                  filename = "${config.services.caddy.logDir}/tls.log";
+                  roll = true;
+                  inherit roll_size_mb;
+                };
+                include = [ "tls" ];
+              };
+              # This is for debugging
+              debug = {
+                level = "DEBUG";
+                encoder.format = "json";
+                writer = {
+                  output = "file";
+                  filename = "${config.services.caddy.logDir}/debug.log";
+                  roll = true;
+                  roll_keep = 1;
+                  inherit roll_size_mb;
+                };
+              };
+            }
+            # These are the access logs for individual hostnames
+            // (lib.mapAttrs (name: value: {
+              level = "INFO";
+              encoder.format = "json";
+              writer = {
+                output = "file";
+                filename = "${config.services.caddy.logDir}/${name}-access.log";
+                roll = true;
+                inherit roll_size_mb;
+              };
+              include = [ "http.log.access.${name}" ];
+            }) hostname_map)
+            # We also capture just the errors separately for easy debugging
+            // (lib.mapAttrs' (name: value: {
+              name = "${name}-error";
+              value = {
+                level = "ERROR";
+                encoder.format = "json";
+                writer = {
+                  output = "file";
+                  filename = "${config.services.caddy.logDir}/${name}-error.log";
                   roll = true;
                   inherit roll_size_mb;
                 };
                 include = [ "http.log.access.${name}" ];
-              }) hostname_map)
+              };
-              # We also capture just the errors separately for easy debugging
+            }) hostname_map);
-              // (lib.mapAttrs' (name: value: {
-                name = "${name}-error";
-                value = {
-                  level = "ERROR";
-                  encoder.format = "json";
-                  writer = {
-                    output = "file";
-                    filename = "${config.services.caddy.logDir}/${name}-error.log";
-                    roll = true;
-                    inherit roll_size_mb;
-                  };
-                  include = [ "http.log.access.${name}" ];
-                };
-              }) hostname_map);
           }
         );
       };

platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix

@@ -173,5 +173,16 @@ in
     # Enable the home-made service that we created for non-proxied records
     services.cloudflare-dyndns-noproxy.enable = true;
 
+    # Create certs when not using proxy
+    secrets.cloudflare-dns-api-prefixed = {
+      source = ./cloudflare-api.age;
+      dest = "${config.secretsDirectory}/cloudflare-dns-api-prefixed";
+      prefix = "CLOUDFLARE_DNS_API_TOKEN=";
+    };
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "acme@${config.nmasur.presets.programs.msmtp.domain}";
+    };
+
   };
 }

platforms/nixos/modules/nmasur/presets/services/murmur.nix

@@ -0,0 +1,41 @@
+# murmur is a Mumble server for hosting voice chat
+
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.nmasur.settings) hostnames;
+  cfg = config.nmasur.presets.services.murmur;
+in
+
+{
+
+  options.nmasur.presets.services.murmur.enable =
+    lib.mkEnableOption "murmur (mumble) voice chat service";
+
+  config = lib.mkIf cfg.enable {
+
+    services.murmur = {
+      enable = true;
+      users = 50; # Max concurrent users
+      bonjour = false; # Auto-connect LAN
+      registerUrl = "https://${hostnames.mumble}";
+      registerName = "Mumble";
+      environmentFile = null;
+      sslKey = "${config.security.acme.certs."${hostnames.mumble}".directory}/key.pem";
+      sslCert = "${config.security.acme.certs."${hostnames.mumble}".directory}/fullchain.pem";
+      openFirewall = true;
+    };
+
+    # Configure Cloudflare DNS to point to this machine
+    nmasur.presets.services.cloudflare.noProxyDomains = [ hostnames.mumble ];
+
+    security.acme.certs."${hostnames.mumble}" = {
+      dnsProvider = "cloudflare";
+      credentialsFile = config.secrets.cloudflare-dns-api-prefixed.dest;
+      group = config.services.murmur.group;
+    };
+  };
+}

platforms/nixos/modules/nmasur/profiles/communications.nix

@@ -32,6 +32,7 @@ in
         mathesar.enable = lib.mkDefault true;
         mealie.enable = lib.mkDefault true;
         minecraft-server.enable = lib.mkDefault false;
+        murmur.enable = lib.mkDefault true;
         n8n.enable = lib.mkDefault true;
         nix-autoupgrade.enable = lib.mkDefault true; # On by default for communications
         ntfy-sh.enable = lib.mkDefault true;