153 current 2025-10-09 12:27:20 25.05.20251006.20c4598 6.12.50 *

modules/homelab/services/bak/gitea/default.nix

@@ -0,0 +1,111 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.gitea;
+  ids = 2703;
+  default_port = 3000;
+  data_dir = "/var/lib/gitea";
+in
+{
+  options.modules.services.gitea = {
+    enable = lib.mkEnableOption "enables gitea";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7703;
+      description = "set port for gitea (default: ${toString default_port}";
+    };
+
+    # set ssh port
+    ssh_port = lib.mkOption {
+      type = lib.types.int;
+      default = 7567;
+      description = "set port for gitea (default: 2222";
+    };
+
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for gitea";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare gitea group
+    users.groups.gitea = { gid = ids; };
+
+    # declare gitea user
+    users.users.gitea = {
+      description = lib.mkForce "gitea server user";
+      uid = ids;
+      isSystemUser = true;
+      shell = pkgs.bash;
+      home = "/var/lib/gitea";
+      createHome = true;
+      group = "gitea";
+      extraGroups = [];
+    };
+
+    # enable the gitea service
+    services.gitea = {
+      enable = true;
+      user = "gitea";
+      group = "gitea";
+      stateDir = data_dir;
+      appName =  "gitea";
+      settings = {
+        server = {
+          DOMAIN = "git.blakedheld.xyz";
+          HTTP_PORT = cfg.port;
+          SSH_PORT = cfg.ssh_port;
+          START_SSH_SERVER = true;
+          ENABLE_PUSH_CREATE_USER = true;
+
+        };
+      };
+      database = {
+        passwordFile = "${toString config.sops.secrets."gitea_database_password".path}";
+      };
+    };
+    
+    # override umask to make permissions work out
+    systemd.services.gitea.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+    # open firewall
+    networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."git.snowbelle.lan" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+     # external reverse proxy entry
+     services.nginx.virtualHosts."git.blakedheld.xyz" = {
+      enableACME = true;
+      forceSSL = true;
+#      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+#      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+    sops.secrets = {
+      "gitea_database_password" = {
+        owner = "gitea";
+        group = "gitea";
+#        neededForUsers = true;
+      };
+    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+  };
+}

modules/homelab/services/bak/jellyfin/default.nix

@@ -0,0 +1,82 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.jellyfin;
+  ids = 701;
+  default_port = 8096;
+  data_dir = "/var/lib/jellyfin";
+in
+{
+  options.modules.services.jellyfin = {
+    enable = lib.mkEnableOption "enables jellyfin";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7101;
+      description = "set port for jellyfin (default: ${toString default_port}";
+    };
+
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare jellyfin group
+    users.groups.jellyfin = { gid = ids; };
+
+    # declare jellyfin user
+    users.users.jellyfin = {
+      description = "jellyfin media server user";
+      uid = ids;
+      isSystemUser = true;
+      home = data_dir;
+      createHome = true;
+      group = "jellyfin";
+      extraGroups = [ "media" "video" "render" ];
+    };
+
+    # enable the jellyfin service
+    services.jellyfin = {
+      enable = true;
+      openFirewall = true;        # Opens 8096/8920 automatically
+      user = "jellyfin";          # Default: jellyfin
+      group = "jellyfin";         # Default: jellyfin
+      dataDir = "/var/lib/jellyfin"; # Config + metadata storage
+    };
+
+    # override umask to make permissions work out
+    systemd.services.jellyfin.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."jellyfin.snowbelle.lan" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+    # external reverse proxy entry
+    services.nginx.virtualHosts."media.blakedheld.xyz" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+    # add to backups
+    modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+  };
+}

modules/homelab/services/bak/nginx-proxy/default.nix

@@ -0,0 +1,39 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.homelab.nginx-proxy;
+in
+{
+  options.modules.homelab.nginx-proxy = {
+    enable = lib.mkEnableOption "enables nginx-proxy";
+  };
+
+  config = lib.mkIf cfg.enable {
+    # enable nginx proxy manager
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+    };
+    # enable acme for auto ssl certs with lets encrypt
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "me@blakedheld.xyz";
+    };
+
+    # nginx secrets
+    sops.secrets = {
+      "ssl_blakedheld_crt" = {
+        restartUnits = [ "nginx.service" ];
+        owner = "nginx";
+        group = "nginx";
+#        neededForUsers = true;
+      };
+      "ssl_blakedheld_key" = {
+        owner = "nginx";
+        group = "nginx";
+#        neededForUsers = true;
+      };
+    };
+  };
+}

modules/homelab/services/bak/qbittorrent/default.nix

@@ -0,0 +1,102 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.qbittorrent;
+  default_port = 8080;
+  data_dir = "/var/lib/qBittorrent";
+  ids = 2003;
+  vpn_inf = "enp89s0.69"; # vpn interfacve
+in
+{
+  options.modules.services.qbittorrent = {
+    enable = lib.mkEnableOption "enables qbittorrent";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7103;
+      description = "set port for qbittorrent (default: ${toString default_port}";
+    };
+
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for qbittorrent";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare qbittorrent group
+    users.groups.qbittorrent = { gid = ids; };
+
+    # declare qbittorrent user
+    users.users.qbittorrent = {
+      description = "qbittorrent server user";
+      uid = ids;
+      isSystemUser = true;
+      home = data_dir;
+      createHome = true;
+      group = "qbittorrent";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the qbittorrent service
+    services.qbittorrent = {
+      enable = true;
+      openFirewall = true;
+      user = "qbittorrent";
+      group = "qbittorrent";
+      profileDir = data_dir;
+      webuiPort = cfg.port;
+#      torrentingPort = cfg.port;
+    };
+
+    # override umask to make permissions work out
+    systemd.services.qbittorrent = {
+      serviceConfig = {
+        UMask = lib.mkForce "0007";
+      };
+    };
+
+    networking.firewall.extraCommands = ''
+      iptables -F QBIT
+      iptables -X QBIT
+      iptables -N QBIT
+      iptables -A OUTPUT -m owner --uid-owner ${toString ids} -j QBIT
+      iptables -A QBIT -o ${vpn_inf} -j ACCEPT
+      iptables -A QBIT -p udp --dport 53 -o ${vpn_inf} -j ACCEPT
+      iptables -A QBIT -p tcp --dport 53 -o ${vpn_inf} -j ACCEPT
+      iptables -A QBIT -p tcp -d 127.0.0.1 --dport ${toString cfg.port} -j ACCEPT
+      iptables -A QBIT -p tcp -o enp89s0 -d 10.0.0.0/8 --dport ${toString cfg.port} -j ACCEPT
+      iptables -A QBIT -j DROP
+    '';
+
+
+
+# ------------------------------------------------------------------------------
+#      # add systemd service to VPN network namespace
+#      vpnConfinement = {
+#        enable = true;
+#        vpnNamespace = "wgmex";
+#      };
+# ------------------------------------------------------------------------------
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."qbit.snowbelle.lan" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+  };
+}

modules/homelab/services/bak/vaultwarden/default.nix

@@ -0,0 +1,105 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.modules.services.vaultwarden;
+  ids = 2771;
+  default_port = 8000;
+  data_dir = "/var/lib/vaultwarden";
+  domain = https://pass.blakedheld.xyz;
+in
+{
+  options.modules.services.vaultwarden = {
+    enable = lib.mkEnableOption "enables vaultwarden";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7701;
+      description = "set port for vaultwarden (default: ${toString default_port}";
+    };
+
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for vaultwarden";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare vaultwarden group
+    users.groups.vaultwarden = { gid = ids; };
+
+    # declare vaultwarden user
+    users.users.vaultwarden = {
+      description = "vaultwarden server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/vaultwarden";
+      createHome = true;
+      group = "vaultwarden";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the vaultwarden service
+    services.vaultwarden = {
+      enable = true;
+      config = {
+        DOMAIN = domain;
+        ROCKET_ADDRESS = "0.0.0.0";
+        ROCKET_PORT = cfg.port;
+        SIGNUPS_ALLOWED = true;
+#        ADMIN_TOKEN = "yuh";
+        ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}";
+        EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item";
+          # The following flags are available:
+          # - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
+          # - "autofill-v2": Use the new autofill implementation.
+          # - "browser-fileless-import": Directly import credentials from other providers without a file.
+          # - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
+          # - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
+          # - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
+          # - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+          # - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.vaultwarden.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."pass.snowbelle.lan" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+     # external reverse proxy entry
+     services.nginx.virtualHosts."pass.blakedheld.xyz" = {
+      enableACME = false;
+      forceSSL = true;
+      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+    sops.secrets = {
+      "vaultwarden_admin_token" = {
+        owner = "vaultwarden";
+        group = "vaultwarden";
+        path = "/home/blake/.nix/.keyring/vaultwarden_admin_token";
+      };
+    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+    };
+}

modules/homelab/services/jellyfin/default_temp.nix

@@ -0,0 +1,108 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = <port>;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${service}.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      openFirewall = true;
+      user = "${service}";
+      group = "${service}";
+      dataDir = cfg.data_dir;
+      settings = {
+        server.port = cfg.port;
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+#      User = "${service}";
+#      Group = "${service}";
+    };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+#     # external reverse proxy entry
+#     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
+#      forceSSL = true;
+#      sslCertificate = sec."ssl_blakedheld_crt".path;
+#      sslCertificateKey = sec."ssl_blakedheld_key".path;
+#      locations."/" = {
+#        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+#      };
+#    };
+#
+#    sops.secrets = {
+#      "${service}_" = {
+#        owner = "${service}";
+#        group = "${service}";
+#      };
+#    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}

modules/homelab/services/qbittorrent/default_temp.nix

@@ -0,0 +1,108 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = <port>;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${service}.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      openFirewall = true;
+      user = "${service}";
+      group = "${service}";
+      dataDir = cfg.data_dir;
+      settings = {
+        server.port = cfg.port;
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+#      User = "${service}";
+#      Group = "${service}";
+    };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+#     # external reverse proxy entry
+#     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
+#      forceSSL = true;
+#      sslCertificate = sec."ssl_blakedheld_crt".path;
+#      sslCertificateKey = sec."ssl_blakedheld_key".path;
+#      locations."/" = {
+#        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+#      };
+#    };
+#
+#    sops.secrets = {
+#      "${service}_" = {
+#        owner = "${service}";
+#        group = "${service}";
+#      };
+#    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}

modules/homelab/services/vaultwarden/default_temp.nix

@@ -0,0 +1,108 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = <port>;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${service}.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      openFirewall = true;
+      user = "${service}";
+      group = "${service}";
+      dataDir = cfg.data_dir;
+      settings = {
+        server.port = cfg.port;
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+#      User = "${service}";
+#      Group = "${service}";
+    };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+#     # external reverse proxy entry
+#     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
+#      forceSSL = true;
+#      sslCertificate = sec."ssl_blakedheld_crt".path;
+#      sslCertificateKey = sec."ssl_blakedheld_key".path;
+#      locations."/" = {
+#        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+#      };
+#    };
+#
+#    sops.secrets = {
+#      "${service}_" = {
+#        owner = "${service}";
+#        group = "${service}";
+#      };
+#    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}