nvf

Merge pull request 'chore(deps): update ghcr.io/koush/scrypted docker tag to v0.138.12' (#86 ) from renovate/ghcr.io-koush-scrypted-0.x into main
Reviewed-on: #86
2025-03-11 13:25:31 -05:00 · 2025-03-11 12:39:27 -05:00 · 2025-03-11 12:36:06 -05:00 · 2025-03-11 12:35:28 -05:00 · 2025-03-11 12:34:32 -05:00 · 2025-03-11 16:31:21 +00:00
177 changed files with 19191 additions and 2761 deletions
--- a/.archive/flake.nix
+++ b/.archive/flake.nix
@ -11,7 +11,7 @@
    profileModules = [
      ./nixos/profiles/role-workstation.nix
      ./nixos/profiles/role-dev.nix
-      { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
+      {home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
    ];
  };
@ -24,13 +24,13 @@
      inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
      ./nixos/profiles/hw-legion-15arh05h.nix
      disko.nixosModules.disko
-      (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
+      (import ./nixos/profiles/disko-nixos.nix {disks = ["/dev/nvme0n1"];})
    ];
    profileModules = [
      ./nixos/profiles/role-dev.nix
      ./nixos/profiles/role-gaming.nix
      ./nixos/profiles/role-workstation.nix
-      { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
+      {home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
    ];
  };
 }
--- a/.archive/home/modules/programs/de/default.nix
+++ b/.archive/home/modules/programs/de/default.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  imports = [
    ./gnome
  ];
--- a/.archive/home/modules/programs/de/gnome/default.nix
+++ b/.archive/home/modules/programs/de/gnome/default.nix
@ -6,8 +6,7 @@
  osConfig,
  ...
 }:
-with lib.hm.gvariant;
+with lib.hm.gvariant; {
 {
  config = lib.mkIf osConfig.mySystem.de.gnome.enable {
    # add user packages
    home.packages = with pkgs; [
@ -23,7 +22,7 @@ with lib.hm.gvariant;
        workspaces-only-on-primary = false;
      };
      "org/gnome/settings-daemon/plugins/media-keys" = {
-        home = [ "<Super>e" ];
+        home = ["<Super>e"];
      };
      "org/gnome/desktop/wm/preferences" = {
        workspace-names = [
--- a/.archive/hosts/durincore/default.nix
+++ b/.archive/hosts/durincore/default.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  config = {
    networking.hostId = "ad4380db";
    networking.hostName = "durincore";
@ -12,10 +11,10 @@
          "usb_storage"
          "sd_mod"
        ];
-        kernelModules = [ ];
+        kernelModules = [];
      };
-      kernelModules = [ "kvm-intel" ];
+      kernelModules = ["kvm-intel"];
-      extraModulePackages = [ ];
+      extraModulePackages = [];
    };
    fileSystems = {
@ -39,7 +38,7 @@
      };
    };
-    swapDevices = [ ];
+    swapDevices = [];
    # System settings and services.
    mySystem = {
@ -48,6 +47,5 @@
        "wlp4s0"
      ];
    };
  };
 }
--- a/.archive/hosts/gandalf/config/incus-preseed.nix
+++ b/.archive/hosts/gandalf/config/incus-preseed.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  config = {
    "core.https_address" = "10.1.1.15:8445"; # Need quotes around key
  };
@ -27,7 +26,7 @@
  ];
  profiles = [
    {
-      config = { };
+      config = {};
      description = "";
      devices = {
        eth0 = {
@ -44,6 +43,6 @@
      name = "default";
    }
  ];
-  projects = [ ];
+  projects = [];
  cluster = null;
 }
--- a/.archive/hosts/gandalf/config/samba-config.nix
+++ b/.archive/hosts/gandalf/config/samba-config.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  global = {
    "workgroup" = "WORKGROUP";
    "server string" = "gandalf";
--- a/.archive/hosts/gandalf/config/sanoid.nix
+++ b/.archive/hosts/gandalf/config/sanoid.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  outputs = {
    # ZFS automated snapshots
    templates = {
@ -14,22 +13,22 @@
    };
    datasets = {
      "eru/xen-backups" = {
-        useTemplate = [ "production" ];
+        useTemplate = ["production"];
      };
      "eru/hansonhive" = {
-        useTemplate = [ "production" ];
+        useTemplate = ["production"];
      };
      "eru/tm_joe" = {
-        useTemplate = [ "production" ];
+        useTemplate = ["production"];
      };
      "eru/tm_elisia" = {
-        useTemplate = [ "production" ];
+        useTemplate = ["production"];
      };
      "eru/containers/volumes/xo-data" = {
-        useTemplate = [ "production" ];
+        useTemplate = ["production"];
      };
      "eru/containers/volumes/xo-redis-data" = {
-        useTemplate = [ "production" ];
+        useTemplate = ["production"];
      };
    };
  };
--- a/.archive/hosts/gandalf/default.nix
+++ b/.archive/hosts/gandalf/default.nix
@ -17,7 +17,7 @@
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    inputs.disko.nixosModules.disko
-    (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
+    (import ../../profiles/disko-nixos.nix {disks = ["/dev/sda"];})
  ];
  boot = {
@ -31,8 +31,8 @@
        "usb_storage"
        "sd_mod"
      ];
-      kernelModules = [ "nfs" ];
+      kernelModules = ["nfs"];
-      supportedFilesystems = [ "nfs" ];
+      supportedFilesystems = ["nfs"];
    };
    kernelModules = [
@ -42,7 +42,7 @@
      "vfio_pci"
      "vfio_virqfd"
    ];
-    extraModulePackages = [ ];
+    extraModulePackages = [];
    kernelParams = [
      "iommu=pt"
      "intel_iommu=on"
@ -50,7 +50,7 @@
    ]; # 100GB
  };
-  swapDevices = [ ];
+  swapDevices = [];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
@ -107,13 +107,13 @@
        sopsFile = ./secrets.sops.yaml;
        owner = "jahanson";
        mode = "400";
-        restartUnits = [ "syncthing.service" ];
+        restartUnits = ["syncthing.service"];
      };
      "syncthing/privateKey" = {
        sopsFile = ./secrets.sops.yaml;
        owner = "jahanson";
        mode = "400";
-        restartUnits = [ "syncthing.service" ];
+        restartUnits = ["syncthing.service"];
      };
    };
  };
--- a/.archive/hosts/gandalf/secrets.sops.yaml
+++ b/.archive/hosts/gandalf/secrets.sops.yaml
@ -1,92 +1,65 @@
 lego:
    dnsimple:
-        token: ENC[AES256_GCM,data:Lf3sSTJ1XQAMe80p7LnoElvN7uv8bMblcvskiyBZQx0A9inBkoIjBf9/0w==,iv:D53d/uIRZeyXWB64NZFjrnutToua7+6nsh8wvsBfqdQ=,tag:ODzXnRExlTFP0ewl81QE4Q==,type:str]
+        token: ENC[AES256_GCM,data:xWFVA0xhifz+odHKmGaGswT6fZ4G70clfS8AzbWnxc18JF4e75dcG6BhiA==,iv:B4pNvag4nSrw1LwL/OGyXdEcw0gZeBFBBcNzqlimjYc=,tag:ta8l7XqbQqLO+ll8Wr+mug==,type:str]
 borg:
    repository:
-        passphrase: ENC[AES256_GCM,data:xJ9KLh1V0ykeEusRon3AiXLH9fs=,iv:D5ICrIoTegc9IfdagbqjQ9NpW9fm3yq1CxnOH3v1qbs=,tag:ENnLfTRuQaDx38gGuz9Cew==,type:str]
+        passphrase: ENC[AES256_GCM,data:qyqATupWXH5Gjx7t1660mvC1YUU=,iv:GhEbT8x5+SNXcF3b3ITk+3Dsv5PxzR56JSEufxQUBio=,tag:qWanlk8ox2uoFtyK7aiMcg==,type:str]
 syncthing:
-    publicCert: ENC[AES256_GCM,data:AnzODcQM57zYK9krVlydQjQ26Shd65ui/F5n3/CxZuICgMzn4KJujgCJpW+2TtT+apTehmVwnCZH8sdI8EcB09dyjEawncZxeI+n1JqgE+PoLI1A1enjzM1S7OwNUIl09yMiZflKRvQNKtUihd0/HLcoIRkBNYu78UP69uxMeOFkKVeeSl2k+ERvv1tvO7lcY3ksBRV8H554xv139ojJWtIrUCjibx6uCL8I+TWwXIhH+DjAsE2d/bnsJ1NMEuDM5Mg1wVp4ZWIoQU/HoOM3b2Khb9vW+AvuQPeK1IUkYPRqteykUP2eoIwFV9IFfj6w/VrwFazXqg/DoaOC6mWr4/+0uam1uHO4QGfLP3idVBWbAdUoFvlVDUSLYOrG25Xssry7dn+JPBu3n8Y5uzNdfSthYLPRQuippQ34SlYIcgvGVJaNlf4/aglA2x5rC6xRi3/OwIFzbmADonDKsLyNsmiIUUo1VYUYPEEhLYeY3Hu0xV5Y52CMEF8MFpPsS43/9Dv89VYgKTPywY2/PjtpNuc5pysOYzJAvOiD28YTFgz0Dp5m0ShGmXjSFK6ekAzTvJYHzFMNCIBWcYrFbao2OFYqT17kh19+wdQDK4t0q7FHwQVwm8OtpYvstNasBCU+jZCuUUUdHYAAOj5F7U2mr+GqG0rp4wonSU1Qa96M/3KsNR5wbMY1ygpj6ADDCaxL/dUOS5kz2eBlaiMYxakCrAmccfoSMNcG3QmCpyr6QjvIAJPGgNMjVa25LGIs3GCKDrEHfN3I54KV3SNRYeGplw3HDQg9gFpuZ7ZqlhdJOvO62m3rwDTtCF2acouhu3dy/3XENWceCbRuSGktORxklUrLOcXBLXYbTs1hmDI6S1hRGQTxcTXSuVlkjkOcxZ4rpqbIGErpBeQodh69XWbOJ9yFC4XSj4oNydt2JtqDW/H9q4GYt9njcUFP3RoxI2BCUtwOqdaPO3o3svevVgC5SaIcDsMnz+dLRs+cr5FZk/AIDta9+RVBCl5clv4svoWfSOn8ff6mrhYqjo3Wtf7k3KLqmfIDawuKfQU=,iv:UiCdr9U1sTph8VOJNiq7VS1c3JvpRPrti0G7sOJeAmc=,tag:OwFs0+2cIwDi6LLxr4jbFA==,type:str]
+    publicCert: ENC[AES256_GCM,data:q8EYRAkpwrTF8dodEH84ycDAhADLZ1uJvnArn698bueLgxtP4FHgsAHJXADtLj5/KBVJRNSBMl592wNLF9UVg0OM2b+KnMaLcVH6VHlpTQIzQBjVRjjlfU/uUfvDWXcXvfKdkS3RvDMDtR9vD3MRjdLIqjKY+7swmP2L2+WWyMXsZ3dgFvxpzH/yDekklxj8c0QVb+YJV858nNPvTKc8wkbcovsQiIQICmHhxAVU3Y51pjFXYTDaMGS/RkL47JYjYDpkCdetqe0R1wePlz5t7wbNSlg1u9d4xVtcW3yoqLErBI4ArleA/PPNflSzpx6WVLYXZ9T0BzYvDObt5VfpZ7zhNBTzXD0cvQZKyUWD6yY17JcJ+zQQiQqajSnhg8Iv4E/rwy0pRUM+YCBX2D7SiLpnlqYvHHAT8zMHpq0x/iw0t6h4ypxVVr9MU2LxfFxTbfgabJB94nxr/lk0/ONGq+gCxf3K0NOW5n6IDCB3o75KIqIG631E7F6WK2EmXF4KgS8EQEJVWWj4GKcB5dKGI+/jz3MUB4JXVLhME3X3ReDQbkZjr2OmIs6KbxuxWR5TSEj5G/sTXRxpqdKkE/aVfQMYoj7LCP4+HdM6NGP+irOSMSSC4PoHJPYtVDLluNKE+K/4w1MUK0m6EzdNrfHggY/0oS7UF5VCLrHZCNkI7CAIyVoR0A3kOMYhWjwIxDoQCSA1E/kJqYaB0dChL451xXKjvMkPQajZHK9kU/tRTcaAFgAwdLR8SYDpvN7eb1Zf6Cc4g0qP7BKA4FIqBjS+0bNobgO6oiH4TmsmIseLvevnhT0nRu3t/Lmuf2nFxAOlXyvHEp/6ulMIY+aOVcLRpi/5UjbL4rQTddHS0Y/54ofZcnD/yXiUafJAYzk/vmM3RTCj1qzmT8olw2n092LiQ7SjCIIs5PAIqWsq0O/YnyJlE7t83UcfES23DrLjc7ewcskSqG3GsPVp6qCz7/9nFgS7Sr6yHRMKGTCHSzGVlxXP4bHsDfe+DZc0R9ll67AjfErLDVlrwHOo2dpiXWcZD0Rs86h0dVCYSUE=,iv:0b7Jpbp4AXt7ngAZo5J5Fah8LByfmBRJwXQiGU5E0aY=,tag:he2qKsX5ne7tMRyc1EVFGw==,type:str]
-    privateKey: ENC[AES256_GCM,data:2Ue/vbCIN8ceJEBRnl5pSrdEPHGDy92eRO0QtesU/FvrrwQq8ga5DCCCB1Cee1zWXrXT1R94b0GSvjfWu9M9JQvNdIjFTzwOIElRL/NrplVbJKSd18P/SHEJHZ+/vWxFkOk0FDmN1xkFrVQEf+g2xbHtcYYA3TT8b4a9eDHJSUQGCYo3LJVkJUbgsNgpoRPOXrA1LKXNsoaUqDHYXoY86j+ShFNlx2wPRkeymIkoULK7gyykeAVFaE/QMXkel/BVNz94lPFlnOymbj0vLa6qAhdRyeV5sh2Q9AdR5tM5bUBoSOCe304Q9P7/BLh3dpmRAeI4dq0FcJlDF2Y8z5A+ZPBsySObYSkDXlwgFOvwJgVVXbcdd9y8FwpV/kVnbPeP,iv:MM9d8VwvWWUxID/9HKa4m5zDeNR5yu7REVDHujIvyA0=,tag:0DvBfO3X58FmjnCWyupVgA==,type:str]
+    privateKey: ENC[AES256_GCM,data:2BzXadahdEIAyllwmBLYeiNciPaQ0Ds/MJ450hX361SzNOkSsV/Wpbhr1plG6MyTc72BmD8C++5hlSCrD1O3C8mpKFNKV7om7NEJ36DSnpHlKFwmTvoQQw7cscBpZokWlgBlsRbbnrWWaac+k9tQp2pOfPscwKWMkULxR/59TsvLO5b0tZp8G5uL+Ah00x0eVtqqE/o2mQ7YpH80sgv3qHGKImyflMugvd8CKm6R2pYEN6K3Aw+N8ReVSoKXu7oaoxutHzLjuEMYlXJa1UnbE/8uajhIwXy5XcAHHywrPl4vDm9Jer+7fn8qqslBDD13bSiwuh0+LtB6QS72pg70sHPK/uuNcAbMcJ00Bwx1IsuLah3I2r3yZdh+co5qxcG6,iv:HWAhyDTP8cryZusGyemzr11Ax821aEl/a3O/wXMbPNY=,tag:uK3mGe/bvsmmCGjidKp77g==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucldMTnVlS1dRNHdRSzNt
            K0pmaU1lSkwrOTZLSDdjM0dkMUZKNXJJS3dZCncvMmZ0K3lwRjJSOUFHTDA2QW5C
            bW4raVc1RXMrbXV0WmcyVklBU3NZM00KLS0tIHhoTDFHc3MvcDdNV2RBVTAxQjZT
            dWtaajROWFFSSU81YU45QkdGZVAreVEKdRfFV5aXf+TCLrC9rlIgOIgvXKSRLXV3
            AaE+DMreP3ipFj3sRtbWhwpwdKG3ww3oUVuSOzkupxBviKLuZjOpZQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMRGp4MWxOclZFZThsZXlU
            SU5MeWlBUkxyYkpWMTRraG9kUVdkZVZIRTJNCktDdkZMUUJJVG92R1Nrd3g1N0Qw
            Q05HV3NPaUlxOHgwUzAxSzZEejFCdjAKLS0tIDhZL1JTUEh5eUM1V1RScTZ6bWhW
            ZDdnOXhGR2JkVjk5YllKVjc2TS9RNDQKyi08QEOaZfb4Dj+CviQoIGKkyi0qGHUC
            jUeERhVwT346p1Bx5JLcHAyoPMdbxm37pNrC2P/LoI9/enxoWZ/hKw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTR0plTmZ3Q1BuY2Z2bzdR
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBla1U3d01iTzIxZE9SNFZL
-            aHlSTFQ2bkl6ekVDdmpxZ2lCMDV4TFYwd0FJCmFHczFwanZTVkx1cytqd2pHYXhr
+            UTJZVDFhN3FUaGxCQkxQQlRwMzZPbTVZQkVFCm85eXQvZUNQVWtISTFCYVh0ZUxP
-            b3I3SnRkM3dMd1VpbjNYbmI4Z2Z0MVkKLS0tIEw0ZjNxK0NUckdFYVpIeDRDSGMv
+            ZE9MRnF4aDZoSGtXNUg3by92S2FYNVkKLS0tIHJta016cmNPNFhTSVdrc2dDRmx0
-            b0lObG1iYS91aVNaZ3VRbXBPOFFYYkkKexf0g60IXy+LNqFkXgpfx+FWDeFiO8+3
+            MlNlMHhxQk5wUThFYTZyVjIraXJGYVUKMvTxkSUbaxDj2yy+XpFLyjNeGQkXTLfV
-            9EQWEEQMurYqVzAT+BcJq3LuAex5lEFO1nLav1k2rammA1epB8QYpg==
+            onQ8JwVJ3ZP94O/hBlLsa8/akggDatKVKoDKZI3UrypNA5tWQr4uwQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKK0VybENLM1Bpa1l1THo3
            VnczdzFraWpKMVNOREduVjJ2V1grczdxTUNZCkcrYTExalljWVlOWXFtMmlmemt3
            eGM0Z1hXaDZXRDcyOVFrc2FRL1J0YjAKLS0tIG9wOWpnV1ZYQy9DWG1zR2dOR2FH
            MXdmVWkvS2dCNzBJNEJGQzJjSHhXVHcKbVzAr0o45xaS33bYY2Pb11cEHiBTi+7l
            H1IlJBdJbyJ8NMFJfvnyKBHLttUKb57Xz2mjeaC4vkDHT450r+k5Jw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKS2tTUzBlZFl6WU92d3M4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUHpzUy9EaCtKRTRMNi8y
-            Wjg4WVpvRk5mdWRCWnFxK0RFS1BTZGJ4ZUJnCllNY2ZQRUwvN0lKM1V2dURDYXQv
+            bHcvMlhWSDMyRGk5eHhLV1dMMEU2L0MrbFRRCjJnWjZVazdDbmZiaWlLZm95blFa
-            cXNTbmZkcEhMZDRNNjY1a09CRDYweVkKLS0tIG5Qdnp1cFl6UCtpMTh1ZUZoTTRM
+            Um5qZFBXcEg2cTN0aDYxd2FlT1RuVzgKLS0tIDBpZHZ1bDhUWXZKS2prYnlnaVFB
-            dnpjQ2tkOXFCa1ZvekxBeFR2UXprWEUK9tBZsGeIMLiW8Lrodir6zynFg2I3LqW9
+            cEVhTnMvTENleDlzRERZc0JnVEtBcmMKSFePvV4GOeD297tSpKy6Xb+XNfNhjSHM
-            bMjUyF6CM8U8Aid7ftX5fiEMFCyssrSRBQ4CVs28jic4dYJ/3Nceiw==
+            j3X3tA+Q0W1H17RijW1h4dyj5qzQsrSf7DSpIxXqwzamEVV40Z3nHA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTQ0hGa2d4VmpMV0ttYis5
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMlVTWFkwcXhBOWJCL0ds
-            OFZibUxkSjdiYVgyajhGblRxMGkrTSsxRlgwClVnVy93YXBMRjM1TEIyUzB4S3My
+            TXUxOHNmclRKczRJYzVOMFdMNG5Qb2sxeDJ3CklNa3MzbXc5ZGZSeHk4d3hmWnNo
-            TG9KSjNVc1BpODBvV201dkRmZitvMzQKLS0tIFRLZFJxclJPK1lvMVFGZ2UzaVFu
+            dnFVOTB6QUxUTDQya0ZneWZiM0lyUjAKLS0tIFdoVlg0Unl0aDB0VjRQMit0Mmkr
-            VFJkcm1QaGdDeTJuVWpNV3pva2RKVzQKI0s2hQHI16T72AYVvaO4f+nIza5768S4
+            YjVJejg0RVB1U2Rybk1iM1RraXIwbWsKRaqoxEytcx4JhoHFYeL0QBtOhGrqrZjn
-            pQN3UUOjug8L7/85ytHvOQOxBC+PMAG/aJABoj7FMhZNRvKtbC2J/g==
+            z090Ml8zukXq/UVnWlt8GwIf9yKkDSixNywZJZF58/9omOpoHagv7Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVHU5Z1cyWjFjbjRncmRu
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMHNsaTRqb0hkdUFhV1VO
-            NklQRGVNK2VZZlhKMFgxT2dGYU15MzRTV0VFCnVDUkY4elNNS0VqZWUrQjdWU1Jh
+            QzBHekV3c1VJTVQ5VUNqWnJFSWJlM1JWTUZRCk55bFVrRUxFV2Vpb0Rvc0pZRGN4
-            RUZTUE5Qa0FsYmljQThyd3p4bm9FbDAKLS0tIG9MRGZ4UkhteUk1cFk1b3JXZzVY
+            ZThTMWd0SGFoYVZ3cG9TNGZKd1hpd0kKLS0tIEpLTzlBN3FuaXhCQ1ErZG1LaGgx
-            VTkxcEppQ2Y0VVg1dThQS3FkcFdPTVkKG0/RNreCjjbdsUq4PoXCsfVOnd3fF0jS
+            cDNDdDNteVI1ZHBtZUdtSEVxN3RtaFUKntQ9CvSB8BUrJctW3Rj7dxWwgIPGrdVP
-            Sw6bTIpifslRFu0JJRB83AxRxjPbl4h6QOz3VlDHWfGCJ5eO9RQfjw==
+            hLsD6xe4LHoG/hChRamhQOnI0AvubkeXWMWhLU11NT5KFspEsmIlXA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWStjeTFGVmM0YWN5bWcx
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaTM3RzAyUG4zTFk5WFB0
-            eThvdTNoclNkd0N4VklRc2UrOFFIejFXYVJvCkNlaE5iL2ExcFlZQ0trZGQzenlQ
+            anFsNG9QY1p1NTRObFVQL3pLL0V4cm13RnhJCjh4MGhZaHI0WXVoWHY3M3dwRDYw
-            WkZMdUtaUUU5NXFWeVlPYkJ5eit5U1UKLS0tIDhONzk1M0pEV3plR3JHdnFRNVQ5
+            QXpIRjlkZEUydThQVXZxSFI0MjMwVFUKLS0tIGFiYmE5UTQ0NnM5dktZbGZPcmE1
-            L2FjVW9qREJjUUtZSzROV1lQc1lUaTgKSFx81K8XYD5KFJNBlAyLshwQQQYqdGos
+            REM5NHVzUy9rRkNQL3hjU0lRQklXeFUKhcDEgKFwhoGWPS6JDsgvFeb52H0N6Foh
-            goYyedCpe7JdXp49sSaCdAWpdphznFTdElzFCuM3LSxM76tI0JEe/A==
+            10hkCG4eftdrfT1r0Fxcr4LD1oHgOZN61Kfvr0t4UqoEOnLMxOPM/Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-27T09:27:41Z"
+    lastmodified: "2025-03-09T06:33:41Z"
-    mac: ENC[AES256_GCM,data:c91/QM6/I7NYvAKQlnqTvv1n9HXt1LlTAa8OXaKzYB2Pg2Ofsl0z4XFf7dpLiITRFjBZCJWKyg4rVPKpNOUAwE4TS/7D+lh2xjJh5YPW1C4nwmu9dQ4/KSfBH71KKsSLJUnktgZXg7LNhE7QBFxntoJvznjv+vjjkzgovbBqC+Y=,iv:tCy5h0BscT7WKncaB4iCGWx6Up9OqZzRFYFQiLiNxgA=,tag:BPp6dZzKD0zUENoHRTlckg==,type:str]
+    mac: ENC[AES256_GCM,data:Eb/ss98+IxI2RL3Iu7VHIYko7YOiPZhkIUAYF5UNAwyNZsqjiPKtxFejjtuixTzCVuKejSZBkYTCcd5QI9SquQhh9TloTg9lsEI94+vMn7hiJW816rsllx+cvaKM/MVYOaVX1R50QKpzjsjT1hZR8XVQUm1s3pmwaZi9KSesc18=,iv:RtODAtOjuTcWJzCJoHRXj9tp3lC5XYG0+upBPnAas1g=,tag:pOES1vOW7u9tSHkWaPJ1ag==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4
--- a/.archive/hosts/legiondary/default.nix
+++ b/.archive/hosts/legiondary/default.nix
@ -6,9 +6,7 @@
  lib,
  modulesPath,
  ...
-}:
+}: {
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
@ -24,9 +22,9 @@
      "usbhid"
      "sd_mod"
    ];
-    initrd.kernelModules = [ ];
+    initrd.kernelModules = [];
-    kernelModules = [ "kvm-amd" ];
+    kernelModules = ["kvm-amd"];
-    extraModulePackages = [ ];
+    extraModulePackages = [];
  };
  fileSystems = {
@ -57,7 +55,7 @@
  #     options = [ "fmask=0022" "dmask=0022" ];
  #   };
-  swapDevices = [ ];
+  swapDevices = [];
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
--- a/.archive/hosts/telchar/default.nix
+++ b/.archive/hosts/telchar/default.nix
@ -1,93 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  networking.hostId = "4488bd1a";
  networking.hostName = "telchar";
  boot = {
    initrd.availableKernelModules = [
      "nvme"
      "xhci_pci"
      "thunderbolt"
      "usbhid"
      "usb_storage"
      "sd_mod"
    ];
    initrd.kernelModules = [ "amdgpu" ];
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
  swapDevices = [ ];
  virtualisation.docker.enable = true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # Enable Flatpak support
  services.flatpak.enable = true;
  ## Base config programs.
  programs = {
    # Enable Wireshark
    wireshark.enable = true;
    # Enable OpenJDK
    java.enable = true;
  };
  # sops
  sops.secrets = {
    "syncthing/publicCert" = {
      sopsFile = ./secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = [ "syncthing.service" ];
    };
    "syncthing/privateKey" = {
      sopsFile = ./secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = [ "syncthing.service" ];
    };
  };
  ## System settings and services.
  mySystem = {
    purpose = "Development";
    services.syncthing = {
      enable = true;
      user = "jahanson";
      publicCertPath = config.sops.secrets."syncthing/publicCert".path;
      privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
    };
    ## Desktop Environment
    ## Gnome
    # de.gnome.enable = true;
    ## KDE
    de.kde.enable = true;
    ## Games
    games.steam.enable = true;
    ## System config
    system = {
      motd.networkInterfaces = [ "wlp1s0" ];
      fingerprint-reader-on-laptop-lid.enable = true;
    };
    framework_wifi_swap.enable = true;
    security._1password.enable = true;
  };
 }
--- a/.archive/hosts/telchar/secrets.sops.yaml
+++ b/.archive/hosts/telchar/secrets.sops.yaml
@ -1,86 +0,0 @@
 syncthing:
    publicCert: ENC[AES256_GCM,data:SVEKnnuq30TJJoxbgTYRHTEdQyNYsn50+223Ly0QmX9V96xNb+qMIgJfOX9dGMZdoxNfQOkeecLvwgNZc6sEXNdlhFt/a/bqL6wNJvRY2PdyNoX2IKZvfZFulZtxuAAWsG0dwP04CT8cDmK4dUQIWEKRUOUAKRFQkD8cgglO7OHDGVZ0gZT1g6P1CAIJ2kWZiO3yRDSBWkcxGoY+Hy+tbCMS1Ut9Evh0bDAHslYvVPVqlNhurADTF0vkJO88027+ODQjts4M2ecgafZE4y8L0CmMF/+sdGtkCRiYqTYmxAwjWZmL8YjmsWI6Cl7VaaH3pqyvgPPBksBbfb4Zj+Nq41DLBz/vHIC8qpsIjrPvl/4lRmesuTUgut0HfiK+h3VpeUtU08wb0UtHixcOhvxEdSShMS1bXvmCEeEIKeagxImCfuwR8nHAkXRVSqhIovDYfL1GYsyjeK5b/zAYdckzk7zuGgTX4wD2TnVG3ve2SGJQ+9HUUiaiDlrQAzyer2kjMIDFqEvSNZ087ATYTaB6FI5DYFCsd3yEM10AcdzaMe2wCvGuNYg+NRKbFrVxYacT7sdb4m+gf7u8SimlEy3e9URQTJ6T5xsg0xeLMmAtOawKSzhVNjxQM64N42cyQmfHBUqj2LneO4/ma3/URpqtxoWBKu3wQlBv9aUAiyWycYmr8DjvyiWOn8D07cCOAj6x/4EnY+Q9gXaj0w6sj9VrsL+fQQKUIWpCt32nmYHLmSFUuCqUAkY+dGnMFWepJWuOsLPLoSK9M6UMuYVxggBNn6lngo+0SRj6pEGspebWku8VfKTWUqBIjrHvhzKmT6FrCXkfzIQ9231+mBUWM9+74TnzwgRKCeHIQW554pynfTqs1M9AiLtHvIt3ixNq5txMZCgqS/Mg3YGEj81c8X+RVvvqIHv5GDeQGAeTJV4Tjof9UiOOr+UOmhgy15PnnZl3Z6Fhty6+bTClDFDXqqBhg/kDEWf416qL53IgoHgE12tWNn28SFFHBvq/YCF72P65+TXhns9pCSe8RDWLeDRawM8rlZ+8VQ==,iv:7vLLWbV7TUe7Dv0KaRvOrgwrjwXMABa5eaR/SxeghvY=,tag:K0Rz8OVUKOS4SRlGwZrfEw==,type:str]
    privateKey: ENC[AES256_GCM,data:kkBxN6LuI6R+69rbNGfvioNT6d04/S+LF31+FOq2K9goQtGZ2dTbBdMkpsxlmtxNqqV/svVGPOFQc904Mdyy+djOPGUF7YQooRTIiCWMXaCHrpL3okP/ONYYDLVXxNqnBGboWYqlqr2kQANH4DBACUzN1RhPh/Qy0dob4vqx8nnSbutbo9wdVygi9JIzdmS2VmihfNR1bgG7+z0pUi9+dwZ7Y116VUEx/S4qpq+FbOOEctDL0mj/E/iW0dFTZO95nFjG8MpzX2M74Mm64VdZZ/MygSLj6B1+p90rryv0R5YW3zuFj4YIS3GurBEojG+rbk94SWN1SY5s3jc1GaQ3Sjtk+pugmU6sxkOaLxX+XfbytZ1FrUalwGHCvfQbWP1T,iv:PJ6EhA+fW5C6jkBIdfsx2U0uGshyWdAC1T3fC3Hr9p4=,tag:fyToI/FQPI9gFvN7+bSf6A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYVZMa25OeHo3d0J6NlJv
            TkFOVUxzNy94Skoxd3pwT1o1WWFtVTBzRFY4CjMrRS9RRk5PNmx2aTlaMnU2WEU0
            d05pWnhLeFhqY3A1VUN2S0NxTnVDRU0KLS0tIEdPKzlQM0JuMTlsTUQxOGtHS0xD
            WDdnL1k2YmwxM0JEREJnc0dZZjVuMlUKYLP8F+3/ze0LZAiP+u0aVW/bLSIk1K25
            NqbqT6SNDXuyeq61ysi6CwhYokUwnLBANv/BRsBLT2JX5tI8uIaKTQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUbm84cFI1eCtqR0hnaUVU
            SDREVDJFQ2JTN3I4OXdrdTk1MVhheGY1cUFnClhidGRBMDNuTjlCekNOcS9YUEs1
            ZHFZanFnWmlZbFF1eEhwayt0clhuR2sKLS0tIDFJKzdxNzErRlV5blp2dEg0UGNx
            d01XeHdJaU5BRUJMVXMra1dNRnJqZUkKgkfspMPpA1rg9d87eFWN1ThdQyXaRM9P
            8eBkOG0H8W5Afsb0kOqA8gJGL6bzM3fzbVDjK7VPq06zrzY9uaLkCA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVVlxVHZ4MTBpanBSc1J3
            bEgwQTh2WHNSUm0wVmtXNUhMbXNQaHVjc0ZVCjBUNUJITStSektTVWhzWXlPb2VJ
            TTNoNHEyeXhraHJqRzYzQXRMcmp3L2sKLS0tIHRiK05XeVJGMzl1VlVITjNHSDhY
            N3ZmWWtlSGx2cjFxZ3hUNm0wYlFCMlEKrUEV8phjcnciK+tuOFEBz5PxJKbbwJNM
            BY4gs0zkhk/jkvdiljgfeyKrlcjwfz1b8kLW316PfkTBJiIAc6Zncw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTFM2TzB2eDE3bVVNK3FN
            a3pEVkkzUExKdnRNTGFSaWJOa0lVUmRrT2p3CnV3SGlSa1VFblR3ZDdvRGRlcXp2
            cjIwTHkwTGhJWHAyVllxV3FZT0NIaWMKLS0tIGRsUDRMcFUwS1c2OVZsbGdvSVlv
            bXlNeTBaZ0dOYnFIS09haXZOV0Q0azAK/6UGR0cd+gtR/7Yz75v87NWWcz7gP2iU
            sPtvPHEIYh5gnop2DwZTpATwwvxZWp0b8OpV/2AyUiL6tniCV6qDvg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVVJEZmxsR1A3a0luU0po
            ejN2ZHZERlhoeVYwV29LajlXYjY5TzFzZjFnCkFOSHJMbktYZFpBcDdWZ3RsVHo2
            UlNSeUpxbWVsVzkrblNlZkJhV3dGTWcKLS0tIHhOb1VmaDNCNU1xMzZCVWlFeDF1
            OVZOcC93M1p0VThDaHRLVTc1N0ZyQk0KZWDWhjrmnqfkbJmZRCwXHGMdRmL0W4Sa
            4cEGr8XbvJlzFTmbm81X6KLKdYz62V8fa99mAEzffOB0SqegBTb8Ig==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJNDRydUJieU81RVdubEFu
            OWM0dEF2YTZ2WVZSUFQvakgwa29NNTdrb2hnCmJ0dHZqTE9vMXVHbHBtd1pUY203
            UFhnZ0ZLOWxCZnptd2pTWU1scXF0TEUKLS0tIGt3a0wwNklQTUR3V2MvQzVkQzBN
            b2RqWjd2Nkt3YmZ2eHlYOUhJNFB3RjAKdnCRIg3zqLaN9rjjc8tCBj8lOH1SWw2Q
            s/0TLrsXy62nlWibDxsuiE9mPCediFVbJWxTCAs4ze/jELGESV6S/w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNUlIQTdQZHNsWEdselAw
            RWJjazYvK0xSU1NteWs2RFlWVHRYQzF4bnhNCjg5RHQvRm5hWTcrYUxYWGlIWFdW
            dUNoaEQ1V21DWGdRREZZOHFBeldiTkkKLS0tIFR5aG1TNGJZY3pmMWdJbXhEWG9N
            aTlZcVdCaWltdURHbEx4b2h5RjlIUm8KfpXCYGLch4RAhEPfgikR60sp5tywKV1R
            fRsXad3X31fAS42ZeczPn399byImcXoL9n7mIoT6NbDWgCvd+iSiHw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYkM3V282TldQbHBQVmQy
            bWdielQySUNJaXEvOHA3Q1JqMEdMWEs1bFVVCnJKK0d5dG54aXk4dWtnSkdkbkU3
            TU5xOFNGcklJdWcvZUlZVjNqanpqRlEKLS0tIGZGc0M5eE0xTTd6LzVjdXI1Ulg3
            Zk9RdUU5RTdZd1A4dGRUVVVpT0E1SXMKOEL/yUCERTc8aiPmfGJWF9ESzfKbxYCO
            dCByzJpIsI9IUgmcjMq8bREnATd8cZ65kVMpqME0Xfk3/Fl+OaLm1Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-27T09:27:41Z"
    mac: ENC[AES256_GCM,data:VrP3O1WKuRBXhzg9hOyeRHRL8Cg47HWvno/B2TUllFUlKLrlgJapazbCs4aQJQka/1gQu2xguHlu/CqF9WKp90B/CxJ8XnYc4mrsMZ104aHSStQInShquRwrpm6iDc61d+ZZqkQbYUTiznm8jAonjjNEKHFsnRw9q+c9SJKYmJU=,iv:WuEJ2kgLHwKSUb8TDNH17N+P5gHsCQ+loP07Ec0y7/Y=,tag:bNhrMV5GY5q/vmmxYlL6Cw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/.archive/modules/nixos/containers/lego-auto/default.nix
+++ b/.archive/modules/nixos/containers/lego-auto/default.nix
@ -1,6 +1,9 @@
-{ lib, config, ... }:
+{
-with lib;
+  lib,
-let
+  config,
  ...
 }:
 with lib; let
  app = "lego-auto";
  image = "ghcr.io/bjw-s/lego-auto:v0.3.0";
  user = "999"; # string
@ -8,8 +11,7 @@ let
  port = 9898; # int
  cfg = config.mySystem.services.${app};
  appFolder = "/eru/containers/volumes/${app}";
-in
+in {
 {
  options.mySystem.services.${app} = {
    enable = mkEnableOption "${app}";
    dnsimpleTokenPath = mkOption {
@ -56,9 +58,11 @@ in
          DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
        };
-      volumes = [
+      volumes =
-        "${appFolder}/cert:/cert"
+        [
-      ] ++ optionals (cfg.provider == "dnsimple") [ "${cfg.dnsimpleTokenPath}:/config/dnsimple-token" ];
+          "${appFolder}/cert:/cert"
        ]
        ++ optionals (cfg.provider == "dnsimple") ["${cfg.dnsimpleTokenPath}:/config/dnsimple-token"];
    };
  };
 }
--- a/.archive/modules/nixos/containers/unifi/default.nix
+++ b/.archive/modules/nixos/containers/unifi/default.nix
@ -1,54 +1,57 @@
-{ lib, config, ... }:
+{
-with lib;
+  lib,
-let
+  config,
  ...
 }:
 with lib; let
  app = "unifi";
  # renovate: depName=goofball222/unifi datasource=github-releases
  version = "8.4.62";
  cfg = config.mySystem.services.${app};
  appFolder = "/eru/containers/volumes/${app}";
 in
-# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
+  # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
-{
+  {
-  options.mySystem.services.${app} = {
+    options.mySystem.services.${app} = {
-    enable = mkEnableOption "${app}";
+      enable = mkEnableOption "${app}";
-  };
+    };
-  config = mkIf cfg.enable {
+    config = mkIf cfg.enable {
-    networking.firewall.interfaces = {
+      networking.firewall.interfaces = {
-      enp130s0f0 = {
+        enp130s0f0 = {
-        allowedTCPPorts = [ 8443 ];
+          allowedTCPPorts = [8443];
        };
        podman0 = {
          allowedTCPPorts = [
            8080
            8443
            8880
            8843
          ];
          allowedUDPPorts = [3478];
        };
      };
-      podman0 = {
+      virtualisation.oci-containers.containers.${app} = {
-        allowedTCPPorts = [
+        image = "ghcr.io/goofball222/unifi:${version}";
-          8080
+        autoStart = true;
-          8443
+        ports = [
-          8880
+          "3478:3478/udp" # STUN
-          8843
+          "8080:8080" # inform controller
          "8443:8443" # https
          "8880:8880" # HTTP portal redirect
          "8843:8843" # HTTPS portal redirect
        ];
        environment = {
          TZ = "America/Chicago";
          RUNAS_UID0 = "false";
          PGID = "102";
          PUID = "999";
        };
        volumes = [
          "${appFolder}/cert:/usr/lib/unifi/cert"
          "${appFolder}/data:/usr/lib/unifi/data"
          "${appFolder}/logs:/usr/lib/unifi/logs"
        ];
        allowedUDPPorts = [ 3478 ];
      };
    };
-    virtualisation.oci-containers.containers.${app} = {
+  }
      image = "ghcr.io/goofball222/unifi:${version}";
      autoStart = true;
      ports = [
        "3478:3478/udp" # STUN
        "8080:8080" # inform controller
        "8443:8443" # https
        "8880:8880" # HTTP portal redirect
        "8843:8843" # HTTPS portal redirect
      ];
      environment = {
        TZ = "America/Chicago";
        RUNAS_UID0 = "false";
        PGID = "102";
        PUID = "999";
      };
      volumes = [
        "${appFolder}/cert:/usr/lib/unifi/cert"
        "${appFolder}/data:/usr/lib/unifi/data"
        "${appFolder}/logs:/usr/lib/unifi/logs"
      ];
    };
  };
 }
--- a/.archive/modules/nixos/de/gnome.nix
+++ b/.archive/modules/nixos/de/gnome.nix
@ -3,24 +3,27 @@
  config,
  pkgs,
  ...
-}:
+}: let
 let
  cfg = config.mySystem.de.gnome;
-in
+in {
 {
  options = {
    mySystem.de.gnome = {
-      enable = lib.mkEnableOption "GNOME" // {
+      enable =
-        default = false;
+        lib.mkEnableOption "GNOME"
-      };
+        // {
-      systrayicons = lib.mkEnableOption "Enable systray icons" // {
+          default = false;
-        default = true;
+        };
-      };
+      systrayicons =
-      gsconnect = lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // {
+        lib.mkEnableOption "Enable systray icons"
-        default = true;
+        // {
-      };
+          default = true;
        };
      gsconnect =
        lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)"
        // {
          default = true;
        };
    };
  };
  config = lib.mkIf cfg.enable {
@ -49,14 +52,13 @@ in
        };
      };
-      udev.packages = lib.optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
+      udev.packages = lib.optionals cfg.systrayicons [pkgs.gnome.gnome-settings-daemon]; # support appindicator
    };
    # systyray icons
    # extra pkgs and extensions
    environment = {
-      systemPackages =
+      systemPackages = with pkgs;
        with pkgs;
        [
          wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
          playerctl # gsconnect play/pause command
@ -70,7 +72,7 @@ in
          gnomeExtensions.caffeine
          gnomeExtensions.dash-to-dock
        ]
-        ++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
+        ++ optionals cfg.systrayicons [pkgs.gnomeExtensions.appindicator];
    };
    # enable gsconnect
--- a/.archive/modules/nixos/de/kde.nix
+++ b/.archive/modules/nixos/de/kde.nix
@ -3,17 +3,17 @@
  config,
  pkgs,
  ...
-}:
+}: let
 let
  cfg = config.mySystem.de.kde;
-  flameshotOverride = pkgs.unstable.flameshot.override { enableWlrSupport = true; };
+  flameshotOverride = pkgs.unstable.flameshot.override {enableWlrSupport = true;};
-in
+in {
 {
  options = {
    mySystem.de.kde = {
-      enable = lib.mkEnableOption "KDE" // {
+      enable =
-        default = false;
+        lib.mkEnableOption "KDE"
-      };
+        // {
          default = false;
        };
    };
  };
--- a/.archive/modules/nixos/services/cockpit/default.nix
+++ b/.archive/modules/nixos/services/cockpit/default.nix
@ -4,11 +4,9 @@
  pkgs,
  ...
 }:
-with lib;
+with lib; let
 let
  cfg = config.mySystem.services.cockpit;
-in
+in {
 {
  options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit";
  config.services.cockpit = mkIf cfg.enable {
--- a/.archive/modules/nixos/services/vault/default.nix
+++ b/.archive/modules/nixos/services/vault/default.nix
@ -3,11 +3,9 @@
  lib,
  pkgs,
  ...
-}:
+}: let
 let
  cfg = config.mySystem.services.vault;
-in
+in {
 {
  options.mySystem.services.vault = {
    enable = lib.mkEnableOption "vault";
    address = lib.mkOption {
--- a/.archive/profiles/disko-telchar.nix
+++ b/.archive/profiles/disko-telchar.nix
@ -23,7 +23,7 @@
              size = "100%";
              content = {
                type = "btrfs";
-                extraArgs = [ "-f" ]; # Override existing partition
+                extraArgs = ["-f"]; # Override existing partition
                # Subvolumes must set a mountpoint in order to be mounted,
                # unless their parent is mounted
                subvolumes = {
@ -33,11 +33,11 @@
                  };
                  # Subvolume name is the same as the mountpoint
                  "/home" = {
-                    mountOptions = [ "compress=zstd" ];
+                    mountOptions = ["compress=zstd"];
                    mountpoint = "/home";
                  };
                  # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
-                  "/home/user" = { };
+                  "/home/user" = {};
                  # Parent is not mounted so the mountpoint must be set
                  "/nix" = {
                    mountOptions = [
--- a/.archive/profiles/hw-framework-16-7840hs.nix
+++ b/.archive/profiles/hw-framework-16-7840hs.nix
@ -1,32 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  mySystem = {
    security.wheelNeedsSudoPassword = false;
  };
  boot = {
    # for managing/mounting nfs
    supportedFilesystems = [ "nfs" ];
    loader = {
      systemd-boot.enable = true;
      efi = {
        canTouchEfiVariables = true;
      };
    };
  };
  # For updating firmware on the Framework.
  services.fwupd.enable = true;
  networking = {
    useDHCP = lib.mkDefault true;
    networkmanager.enable = true;
  };
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/.archive/profiles/hw-legion-15arh05h.nix
+++ b/.archive/profiles/hw-legion-15arh05h.nix
@ -1,5 +1,8 @@
 { lib, pkgs, ... }:
 {
  lib,
  pkgs,
  ...
 }: {
  # Support windows partition
  mySystem = {
    security.wheelNeedsSudoPassword = false;
@ -22,7 +25,7 @@
        device = "nodev";
        mirroredBoots = [
          {
-            devices = [ "nodev" ];
+            devices = ["nodev"];
            path = "/boot";
          }
        ];
--- a/.archive/profiles/hw-thinkpad-t470.nix
+++ b/.archive/profiles/hw-thinkpad-t470.nix
@ -1,5 +1,8 @@
 { config, lib, ... }:
 {
  config,
  lib,
  ...
 }: {
  boot = {
    # Use the systemd-boot EFI boot loader.
    loader = {
--- a/.archive/profiles/role-gaming.nix
+++ b/.archive/profiles/role-gaming.nix
@ -1,12 +1,15 @@
 { lib, pkgs, ... }:
 {
  lib,
  pkgs,
  ...
 }: {
  # Enable module for NVIDIA graphics
  mySystem = {
    hardware.nvidia.enable = true;
  };
  # set xserver videodrivers for NVIDIA gpu
-  services.xserver.videoDrivers = [ "nvidia" ];
+  services.xserver.videoDrivers = ["nvidia"];
  # Install steam systemwide
  programs.steam = {
    enable = true;
@ -35,5 +38,4 @@
    pulse.enable = true;
    jack.enable = true;
  };
 }
--- a/.archive/profiles/role-workstation.nix
+++ b/.archive/profiles/role-workstation.nix
@ -1,79 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 # Role for workstations
 # Covers desktops/laptops, expected to have a GUI and do workloads
 # Will have home-manager installs
 let
  vivaldiOverride = pkgs.vivaldi.override {
    proprietaryCodecs = true;
    enableWidevine = true;
  };
 in
 with config;
 {
  mySystem = {
    shell.fish.enable = true;
    editor.vscode.enable = true;
    system.resticBackup.local.enable = false;
    system.resticBackup.remote.enable = false;
  };
  boot = {
    binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
    plymouth.enable = true; # hide console with splash screen
  };
  nix.settings = {
    # Avoid disk full issues
    max-free = lib.mkDefault (1000 * 1000 * 1000);
    min-free = lib.mkDefault (128 * 1000 * 1000);
  };
  services = {
    # set xserver videodrivers if used
    xserver.enable = true;
    # Enable the Gnome keyring for auto unlocking ssh keys on login
    gnome.gnome-keyring.enable = true;
    fwupd.enable = config.boot.loader.systemd-boot.enable; # fwupd does not work in BIOS mode
    thermald.enable = true;
    smartd.enable = true;
  };
  hardware = {
    enableAllFirmware = true;
    sensor.hddtemp = {
      enable = true;
      drives = [ "/dev/disk/by-id/*" ];
    };
  };
  environment.systemPackages = with pkgs; [
    # Sensors etc
    lm_sensors
    cpufrequtils
    cpupower-gui
    vivaldiOverride
    gparted
    termius
  ];
  i18n = {
    defaultLocale = lib.mkDefault "en_US.UTF-8";
  };
  programs = {
    mtr.enable = true;
    ssh.startAgent = true;
    # Enable appimage support and executing them via the appimage-run helper.
    appimage = {
      enable = true;
      binfmt = true;
    };
  };
 }
--- a/.envrc
+++ b/.envrc
@ -1,3 +1,2 @@
 use nix
 export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
 export EDITOR="hx"
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@ -37,7 +37,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Set up Cachix
-        uses: https://github.com/cachix/cachix-action@v15
+        uses: https://github.com/cachix/cachix-action@v16
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          name: hsndev
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -9,10 +9,12 @@ repos:
          - --config-file
          - .yamllint.yaml
        id: yamllint
        exclude: "borgmatic-template.yaml"
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: trailing-whitespace
        exclude: "borgmatic-template.yaml"
      - id: end-of-file-fixer
      - id: fix-byte-order-marker
      - id: mixed-line-ending
@ -26,14 +28,14 @@ repos:
      - id: remove-crlf
      - id: remove-tabs
        exclude: (Makefile|Caddyfile)
-  - repo: https://github.com/zricethezav/gitleaks
+      #  - repo: https://github.com/zricethezav/gitleaks
-    rev: v8.22.0
+      #    rev: v8.23.3
-    hooks:
+      #    hooks:
-      - id: gitleaks
+      #      - id: gitleaks
-  - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
+      #  - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
-    rev: v1.1
+      #    rev: v1.1
-    hooks:
+      #    hooks:
-      - id: sops-encryption
+      #      - id: sops-encryption
-        # Uncomment to exclude all markdown files from encryption
+      #        # Uncomment to exclude all markdown files from encryption
-        # exclude: *.\.md
+      #        # exclude: *.\.md
-        files: .*secrets.*
+      #        files: .*secrets.*
--- a/.sops.yaml
+++ b/.sops.yaml
@ -10,26 +10,19 @@
 keys:
  - users:
-    - &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+      - &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
  - hosts:
-    - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+      - &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
-    - &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
+      - &telchar age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
-    - &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
+      - &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
-    - &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
+      - &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
    - &telchar age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
    - &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
    - &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
 creation_rules:
  - path_regex: .*\.sops\.yaml$
    key_groups:
      - age:
-        - *durincore
+          - *jahanson
-        - *gandalf
+          - *shadowfax
-        - *jahanson
+          - *telchar
-        - *legiondary
+          - *telperion
-        - *shadowfax
+          - *varda
        - *telchar
        - *telperion
        - *varda
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -1,8 +1,6 @@
 {
  "recommendations": [
    "jnoortheen.nix-ide",
    "mikestead.dotenv",
    "redhat.vscode-yaml",
    "signageos.signageos-vscode-sops",
    "pkief.material-icon-theme",
    "ms-vscode-remote.remote-ssh"
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -11,20 +11,21 @@
  "files.trimTrailingWhitespace": true,
  "sops.defaults.ageKeyFile": "age.key",
  "nix.enableLanguageServer": true,
-  "nix.serverPath": "/run/current-system/sw/bin/nil",
+  "nix.serverPath": "nixd",
-  "nix.formatterPath": "/run/current-system/sw/bin/nixfmt",
+  "nix.formatterPath": "alejandra",
  "nix.serverSettings": {
-    "nil": {
+    "nixd": {
      "formatting": {
-        "command": ["nixfmt"]
+        "command": ["alejandra"]
      },
-      "diagnostics": {
+      "options": {
-        "ignored": [],
+        "nixos": {
-        "excludedFiles": []
+          "expr": "(builtins.getFlake \"/home/jahanson/projects/mochi\").nixosConfigurations.shadowfax.options"
        }
      }
    },
    "nix": {
-      "binary": "/run/current-system/sw/bin/nix",
+      "binary": "nix",
      "maxMemoryMB": null,
      "flake": {
        "autoEvalInputs": true,
--- a/README.md
+++ b/README.md
@ -2,23 +2,30 @@
 ## Goals
- [ ] Learn nix
+-   [ ] Learn nix
- [ ] Services I want to separate from my kubernetes cluster I will use Nix.
+-   [ ] Services I want to separate from my kubernetes cluster I will use Nix.
- [ ] Approval-based update automation for flakes.
+-   [ ] Approval-based update automation for flakes.
- [ ] Expand usage to other shell environments such as WSL, etc
+-   [ ] Expand usage to other shell environments such as WSL, etc
- [ ] keep it simple, use trusted boring tools
+-   [ ] keep it simple, use trusted boring tools
 ## TODO
- [x] Forgejo Actions
+-   [x] Forgejo Actions
- [ ] Bring over hosts
+-   [ ] Bring over hosts
-  - [x] Varda (forgejo)
+    -   [x] Varda (forgejo)
-  - [x] Thinkpad T470
+    -   [x] Thinkpad T470
-  - [x] Legion 15 AMD/Nvidia
+    -   [x] Legion 15 AMD/Nvidia
-  - [x] Telperion (network services)
+    -   [x] Telperion (network services)
-  - [ ] Gandalf (NixNAS)
+    -   [ ] Gandalf (NixNAS)
 ## Links & References
- [truxnell/dotfiles](https://github.com//truxnell/nix-config/)
+-   [truxnell/dotfiles](https://github.com//truxnell/nix-config/)
- [billimek/dotfiles](https://github.com/billimek/dotfiles/)
+-   [billimek/dotfiles](https://github.com/billimek/dotfiles/)
 ## Upgrading the borgmatic template for reference
 ```sh
 borgmatic config generate --source nixos/hosts/shadowfax/config/borgmatic/borgmatic-template.yaml --destination nixos/hosts/shadowfax/config/borgmatic/borgmatic-t
 emplate.yaml  --overwrite
 ```
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -1,10 +1,194 @@
 {
  description = "My NixOS flake";
  outputs = {
    self,
    nixpkgs,
    nixpkgs-unstable,
    sops-nix,
    home-manager,
    disko,
    lix-module,
    vscode-server,
    nvf,
    ...
  } @ inputs: let
    forAllSystems = nixpkgs.lib.genAttrs [
      "aarch64-linux"
      "x86_64-linux"
    ];
  in rec {
    # Use nixpkgs-fmt for 'nix fmt'
    formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixfmt-rfc-style);
    # setup devshells against shell.nix
    # devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
    # extend lib with my custom functions
    lib = nixpkgs.lib.extend (
      final: prev: {
        inherit inputs;
        myLib = import ./nixos/lib {
          inherit inputs;
          lib = final;
        };
      }
    );
    nixosConfigurations = let
      inherit inputs;
      # Import overlays for building nixosconfig with them.
      overlays = import ./nixos/overlays {inherit inputs;};
      # generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
      mkNixosConfig = {
        hostname,
        system ? "x86_64-linux",
        nixpkgs ? inputs.nixpkgs,
        disabledModules ? [],
        hardwareModules ? [],
        # basemodules is the base of the entire machine building
        # here we import all the modules and setup home-manager
        baseModules ? [
          sops-nix.nixosModules.sops
          home-manager.nixosModules.home-manager
          nvf.nixosModules.default
          ./nixos/profiles/global.nix # all machines get a global profile
          ./nixos/modules/nixos # all machines get nixos modules
          ./nixos/hosts/${hostname} # load this host's config folder for machine-specific config
          {
            inherit disabledModules;
            home-manager = {
              useUserPackages = true;
              useGlobalPkgs = true;
              extraSpecialArgs = {
                inherit inputs hostname system;
              };
            };
          }
        ],
        profileModules ? [],
      }: let
        pkgs = import nixpkgs {
          inherit system;
          overlays = builtins.attrValues overlays;
          config = {
            allowUnfree = true;
            allowUnfreePredicate = _: true;
          };
        };
      in
        nixpkgs.lib.nixosSystem {
          inherit system lib;
          modules = baseModules ++ hardwareModules ++ profileModules;
          specialArgs = {
            inherit self inputs nixpkgs;
            myPkgs = lib.myLib.mkMyPkgs pkgs;
          };
          inherit pkgs;
        };
    in {
      "shadowfax" = mkNixosConfig {
        # Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
        # Workloads server
        hostname = "shadowfax";
        system = "x86_64-linux";
        disabledModules = [
          "services/web-servers/minio.nix"
          "services/web-servers/caddy/default.nix"
        ];
        hardwareModules = [
          lix-module.nixosModules.default
          ./nixos/profiles/hw-threadripperpro.nix
        ];
        profileModules = [
          vscode-server.nixosModules.default
          "${nixpkgs-unstable}/nixos/modules/services/web-servers/minio.nix"
          "${nixpkgs-unstable}/nixos/modules/services/web-servers/caddy/default.nix"
          ./nixos/profiles/role-dev.nix
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
        ];
      };
      "telchar" = mkNixosConfig {
        # Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
        # Hyprland first, QEMU Windows second
        hostname = "telchar";
        system = "x86_64-linux";
        hardwareModules = [
          inputs.nixos-hardware.nixosModules.framework-16-7040-amd
          ./nixos/profiles/hw-framework-16-7840hs.nix
          disko.nixosModules.disko
          (import ./nixos/profiles/disko/simple-efi.nix)
          lix-module.nixosModules.default
        ];
        profileModules = [
          ./nixos/profiles/role-dev.nix
          ./nixos/profiles/role-workstation.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
        ];
      };
      "telperion" = mkNixosConfig {
        # HP-S01 Intel G5900
        # Network services server
        hostname = "telperion";
        system = "x86_64-linux";
        hardwareModules = [
          ./nixos/profiles/hw-hp-s01.nix
          disko.nixosModules.disko
          (import ./nixos/profiles/disko-nixos.nix {disks = ["/dev/nvme0n1"];})
        ];
        profileModules = [
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
        ];
      };
      "varda" = mkNixosConfig {
        # Arm64 cax21 @ Hetzner
        # forgejo server
        hostname = "varda";
        system = "aarch64-linux";
        hardwareModules = [
          ./nixos/profiles/hw-hetzner-cax.nix
        ];
        profileModules = [
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
        ];
      };
    };
    # Convenience output that aggregates the outputs for home, nixos.
    # Also used in ci to build targets generally.
    top = let
      nixtop = nixpkgs.lib.genAttrs (builtins.attrNames inputs.self.nixosConfigurations) (
        attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel
      );
    in
      nixtop;
  };
  nixConfig.extra-substituters = [
    "https://hsndev.cachix.org"
    "https://nix-community.cachix.org"
    "https://numtide.cachix.org"
    "https://hyprland.cachix.org"
  ];
  nixConfig.extra-trusted-public-keys = [
    "hsndev.cachix.org-1:vN1/XGBZtMLnTFYDmTLDrullgZHSUYY3Kqt+Yg/C+tE="
    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
    "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
    "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
  ];
  inputs = {
    # Nixpkgs and unstable
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-master.url = "github:nixos/nixpkgs/master";
    # Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community.
    # https://git.lix.systems/lix-project/lix
@ -71,13 +255,6 @@
    # vscode-server - NixOS module for running vscode-server
    vscode-server.url = "github:nix-community/nixos-vscode-server";
    # krewfile - Declarative krew plugin management
    krewfile = {
      # url = "github:brumhard/krewfile";
      url = "github:brumhard/krewfile";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # nix-minecraft - Minecraft server management
    # https://github.com/infinidoge/nix-minecraft
    nix-minecraft = {
@ -86,158 +263,37 @@
    };
    # Hyprland
-    hyprland.url = "github:hyprwm/Hyprland";
+    hyprland = {
      url = "github:hyprwm/Hyprland";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Hyprlock
    hyprlock = {
      url = "github:hyprwm/hyprlock";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Hyprland plugins
    hyprland-plugins = {
      url = "github:hyprwm/hyprland-plugins";
      inputs.hyprland.follows = "hyprland";
    };
-  };
+    # Hyprland AGS (Application Grouping System)
    ags.url = "github:Aylur/ags/v1";
-  outputs = {
+    # nvf -  A highly modular, extensible and distro-agnostic Neovim configuration framework for Nix/NixOS.
-    self,
+    nvf.url = "github:notashelf/nvf";
    nixpkgs,
    nixpkgs-unstable,
    sops-nix,
    home-manager,
    nix-vscode-extensions,
    disko,
    talhelper,
    lix-module,
    vscode-server,
    krewfile,
    ...
  } @ inputs: let
    forAllSystems = nixpkgs.lib.genAttrs [
      "aarch64-linux"
      "x86_64-linux"
    ];
  in rec {
    # Use nixpkgs-fmt for 'nix fmt'
    formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixfmt-rfc-style);
-    # setup devshells against shell.nix
+    # Zen Browser
-    # devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";
-    # extend lib with my custom functions
+    # Buildbot for Nix
-    lib = nixpkgs.lib.extend (
+    buildbot-nix = {
-      final: prev: {
+      url = "github:nix-community/buildbot-nix";
        inherit inputs;
        myLib = import ./nixos/lib {
          inherit inputs;
          lib = final;
        };
      }
    );
    nixosConfigurations = let
      inherit inputs;
      # Import overlays for building nixosconfig with them.
      overlays = import ./nixos/overlays {inherit inputs;};
      # generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
      mkNixosConfig = {
        hostname,
        system ? "x86_64-linux",
        nixpkgs ? inputs.nixpkgs,
        disabledModules ? [],
        hardwareModules ? [],
        # basemodules is the base of the entire machine building
        # here we import all the modules and setup home-manager
        baseModules ? [
          sops-nix.nixosModules.sops
          home-manager.nixosModules.home-manager
          ./nixos/profiles/global.nix # all machines get a global profile
          ./nixos/modules/nixos # all machines get nixos modules
          ./nixos/hosts/${hostname} # load this host's config folder for machine-specific config
          {
            home-manager = {
              useUserPackages = true;
              useGlobalPkgs = true;
              extraSpecialArgs = {
                inherit inputs hostname system;
              };
            };
            disabledModules = disabledModules;
          }
        ],
        profileModules ? [],
      }:
        nixpkgs.lib.nixosSystem {
          inherit system lib;
          modules = baseModules ++ hardwareModules ++ profileModules;
          specialArgs = {inherit self inputs nixpkgs;};
          # Add our overlays
          pkgs = import nixpkgs {
            inherit system;
            overlays = builtins.attrValues overlays;
            config = {
              allowUnfree = true;
              allowUnfreePredicate = _: true;
            };
          };
        };
    in {
      "shadowfax" = mkNixosConfig {
        # Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
        # Workloads server
        hostname = "shadowfax";
        system = "x86_64-linux";
        disabledModules = [
          "services/web-servers/minio.nix"
          "services/web-servers/caddy/default.nix"
        ];
        hardwareModules = [
          lix-module.nixosModules.default
          ./nixos/profiles/hw-threadripperpro.nix
        ];
        profileModules = [
          vscode-server.nixosModules.default
          "${nixpkgs-unstable}/nixos/modules/services/web-servers/minio.nix"
          "${nixpkgs-unstable}/nixos/modules/services/web-servers/caddy/default.nix"
          ./nixos/profiles/role-dev.nix
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
        ];
      };
      "telperion" = mkNixosConfig {
        # HP-S01 Intel G5900
        # Network services server
        hostname = "telperion";
        system = "x86_64-linux";
        hardwareModules = [
          ./nixos/profiles/hw-hp-s01.nix
          disko.nixosModules.disko
          (import ./nixos/profiles/disko-nixos.nix {disks = ["/dev/nvme0n1"];})
        ];
        profileModules = [
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
        ];
      };
      "varda" = mkNixosConfig {
        # Arm64 cax21 @ Hetzner
        # forgejo server
        hostname = "varda";
        system = "aarch64-linux";
        hardwareModules = [
          ./nixos/profiles/hw-hetzner-cax.nix
        ];
        profileModules = [
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
        ];
      };
    };
-    # Convenience output that aggregates the outputs for home, nixos.
+    # Ghostty 👻 - Awesome terminal that uses GPU acceleration
-    # Also used in ci to build targets generally.
+    ghostty = {
-    top = let
+      url = "github:ghostty-org/ghostty/v1.1.2";
-      nixtop = nixpkgs.lib.genAttrs (builtins.attrNames inputs.self.nixosConfigurations) (
+    };
        attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel
      );
    in
      nixtop;
  };
 }
--- a/nixos/home/jahanson/global.nix
+++ b/nixos/home/jahanson/global.nix
@ -2,9 +2,7 @@
  pkgs,
  config,
  ...
-}:
+}: {
 with config;
 {
  imports = [
    ../modules
  ];
@ -32,7 +30,6 @@ with config;
    };
    home = {
      # Install these packages for my user
      packages = with pkgs; [
        # misc
@ -57,6 +54,7 @@ with config;
        direnv
        git
        python3
        pipx
        fzf
        ripgrep
        lsd
@ -106,7 +104,6 @@ with config;
        # backup tools
        unstable.rclone
        unstable.restic
      ];
    };
  };
--- a/nixos/home/jahanson/server.nix
+++ b/nixos/home/jahanson/server.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  imports = [
    ./global.nix
  ];
--- a/nixos/home/jahanson/workstation.nix
+++ b/nixos/home/jahanson/workstation.nix
@ -1,37 +1,16 @@
-{
+{pkgs, ...}: {
  pkgs,
  inputs,
  ...
 }:
 let
  coderMainline = pkgs.coder.override { channel = "mainline"; };
 in
 {
  imports = [
    ./global.nix
    inputs.krewfile.homeManagerModules.krewfile
  ];
  config = {
-    # Krewfile management
+    # Custom Home Manager Configuration
    programs.krewfile = {
      enable = true;
      krewPackage = pkgs.krew;
      indexes = {
        "netshoot" = "https://github.com/nilic/kubectl-netshoot.git";
      };
      plugins = [
        "netshoot/netshoot"
        "resource-capacity"
        "rook-ceph"
      ];
    };
    myHome = {
-      programs.firefox.enable = true;
+      de.hyprland.enable = true;
-      programs.thunderbird.enable = true;
+      programs = {
        firefox.enable = true;
        thunderbird.enable = true;
      };
      shell = {
        wezterm.enable = true;
        git = {
          enable = true;
          username = "Joseph Hanson";
@ -41,15 +20,16 @@ in
      };
    };
    # Home Manager Configuration
    home = {
      # Install these packages for my user
      packages = with pkgs; [
        # apps
-        obsidian
+        # parsec-bin
        parsec-bin
        solaar # open source manager for logitech unifying receivers
        unstable.bruno
        # unstable.fractal
        unstable.obsidian
        unstable.httpie
        unstable.jetbrains.datagrip
        unstable.jetbrains.rust-rover
@ -57,23 +37,13 @@ in
        unstable.talosctl # overlay override
        unstable.telegram-desktop
        unstable.tidal-hifi
-        unstable.xpipe
+        # unstable.xpipe
        # unstable.vesktop # gpu issues. Using the flatpak version solves this issue.
        vlc
        yt-dlp
        # cli
        brightnessctl
        # dev utils
        kubectl
        minio-client # S3 management
        pre-commit # Pre-commit tasks for git
        shellcheck # shell script linting
        unstable.act # run GitHub actions locally
        unstable.kubebuilder # k8s controller development
        unstable.nodePackages_latest.prettier # code formatter
        coderMainline # VSCode in the browser -- has overlay
      ];
    };
  };
--- a/nixos/home/modules/de/default.nix
+++ b/nixos/home/modules/de/default.nix
@ -0,0 +1,5 @@
 {...}: {
  imports = [
    ./hyprland.nix
  ];
 }
--- a/nixos/home/modules/de/hyprland.nix
+++ b/nixos/home/modules/de/hyprland.nix
@ -0,0 +1,91 @@
 {
  lib,
  config,
  pkgs,
  inputs,
  ...
 }:
 with lib; let
  cfg = config.myHome.de.hyprland;
 in {
  options.myHome.de.hyprland.enable = mkEnableOption "Hyprland";
  imports = [inputs.ags.homeManagerModules.default];
  config = mkIf cfg.enable {
    # Downloads the Theme Resources
    home.packages = with pkgs; [
      andromeda-gtk-theme
      flat-remix-icon-theme
      bibata-cursors
    ];
    # 'Installs' (sym-links) the Theme Resources
    home.file = {
      ".themes/Andromeda".source = "${pkgs.andromeda-gtk-theme}/share/themes/Andromeda";
      ".icons/Flat-Remix-Blue-Dark".source = "${pkgs.flat-remix-icon-theme}/share/icons/Flat-Remix-Blue-Dark";
      ".icons/Bibata-Modern-Ice".source = "${pkgs.bibata-cursors}/share/icons/Bibata-Modern-Ice";
    };
    # Theme settings
    gtk = {
      enable = true;
      # Some apps just need the good ol' ini files.
      gtk3.extraConfig = {
        gtk-application-prefer-dark-theme = 1;
        gtk-theme-name = "Andromeda";
        gtk-icon-theme-name = "Flat-Remix-Blue-Dark";
        gtk-font-name = "Fira Code Semi-Bold 14";
        gtk-cursor-theme-name = "Bibata-Modern-Ice";
        gtk-cursor-theme-size = 24;
        gtk-toolbar-style = "GTK_TOOLBAR_ICONS";
        gtk-toolbar-icon-size = "GTK_ICON_SIZE_LARGE_TOOLBAR";
        gtk-button-images = 1;
        gtk-menu-images = 1;
        gtk-enable-event-sounds = 1;
        gtk-enable-input-feedback-sounds = 0;
        gtk-xft-antialias = 1;
        gtk-xft-hinting = 1;
        gtk-xft-hintstyle = "hintslight";
        gtk-xft-rgba = "rgb";
      };
      gtk4.extraConfig = {
        gtk-application-prefer-dark-theme = "1";
        gtk-theme-name = "Andromeda";
        gtk-icon-theme-name = "Flat-Remix-Blue-Dark";
        gtk-font-name = "Fira Code Semi-Bold 14";
        gtk-cursor-theme-name = "Bibata-Modern-Ice";
        gtk-cursor-theme-size = 24;
        gtk-toolbar-style = "GTK_TOOLBAR_ICONS";
        gtk-toolbar-icon-size = "GTK_ICON_SIZE_LARGE_TOOLBAR";
        gtk-button-images = 1;
        gtk-menu-images = 1;
        gtk-enable-event-sounds = 1;
        gtk-enable-input-feedback-sounds = 0;
        gtk-xft-antialias = 1;
        gtk-xft-hinting = 1;
        gtk-xft-hintstyle = "hintslight";
        gtk-xft-rgba = "rgb";
      };
    };
    # Wayland and apps pull from dconf since we're using the gtk portal.
    dconf.settings = {
      "org/gnome/desktop/interface" = {
        color-scheme = "prefer-dark";
        cursor-size = 24;
        cursor-theme = "Bibata-Modern-Ice";
        gtk-theme = "Andromeda";
        icon-theme = "Flat-Remix-Blue-Dark";
      };
    };
    programs.ags = {
      enable = true;
      # I don't want Home Manager to manage these config files.
      # Just setup the programs.
      configDir = null;
      extraPackages = with pkgs; [
        gtksourceview
        webkitgtk_6_0
        accountsservice
      ];
    };
  };
 }
--- a/nixos/home/modules/default.nix
+++ b/nixos/home/modules/default.nix
@ -1,7 +1,6 @@
-{ lib, ... }:
+{lib, ...}: {
 {
  imports = [
    ./de
    ./shell
    ./programs
    ./security
@ -33,5 +32,4 @@
      allowUnfree = true;
    };
  };
 }
--- a/nixos/home/modules/programs/browsers/default.nix
+++ b/nixos/home/modules/programs/browsers/default.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  imports = [
    ./firefox
  ];
--- a/nixos/home/modules/programs/browsers/firefox/default.nix
+++ b/nixos/home/modules/programs/browsers/firefox/default.nix
@ -4,11 +4,9 @@
  pkgs,
  ...
 }:
-with lib;
+with lib; let
 let
  cfg = config.myHome.programs.firefox;
-in
+in {
 {
  options.myHome.programs.firefox.enable = mkEnableOption "Firefox";
  config = mkIf cfg.enable {
@ -18,18 +16,10 @@ in
        extraPolicies = {
          DontCheckDefaultBrowser = true;
          DisablePocket = true;
          # See nixpkgs' firefox/wrapper.nix to check which options you can use
          nativeMessagingHosts = [
            # Gnome shell native connector
            pkgs.gnome-browser-connector
            # plasma connector
            # plasma5Packages.plasma-browser-integration
          ];
        };
      };
      policies = import ./policies.nix;
-
+      profiles.default = import ./profile-default.nix {inherit pkgs;};
      profiles.default = import ./profile-default.nix { inherit pkgs; };
    };
  };
 }
--- a/nixos/home/modules/programs/browsers/firefox/policies.nix
+++ b/nixos/home/modules/programs/browsers/firefox/policies.nix
@ -8,9 +8,9 @@
    Fingerprinting = true;
  };
  DisablePocket = true;
-  # DisableFirefoxAccounts = true;
+  DisableFirefoxAccounts = true;
-  # DisableAccounts = true;
+  DisableAccounts = true;
-  # DisableFirefoxScreenshots = true;
+  DisableFirefoxScreenshots = true;
  # OverrideFirstRunPage = "";
  OverridePostUpdatePage = "";
  DontCheckDefaultBrowser = true;
--- a/nixos/home/modules/programs/browsers/firefox/profile-default.nix
+++ b/nixos/home/modules/programs/browsers/firefox/profile-default.nix
@ -1,5 +1,4 @@
-{ pkgs }:
+{pkgs}: {
 {
  id = 0;
  name = "default";
  isDefault = true;
@ -11,22 +10,21 @@
    # 2 => the last page viewed in Firefox
    # 3 => previous session windows and tabs
    "browser.startup.page" = "3";
    "browser.send_pings" = false;
    # Do not track
    "privacy.donottrackheader.enabled" = "true";
    "privacy.donottrackheader.value" = 1;
    "browser.display.use_system_colors" = "true";
    "browser.display.use_document_colors" = "false";
    "devtools.theme" = "dark";
    "extensions.pocket.enabled" = false;
  };
  extensions = with pkgs.nur.repos.rycee.firefox-addons; [
    ublock-origin
    privacy-badger
    link-cleaner
    refined-github
    kagi-search
    languagetool
    onepassword-password-manager
    streetpass-for-mastodon
    dearrow
    sponsorblock
  ];
 }
--- a/nixos/home/modules/programs/default.nix
+++ b/nixos/home/modules/programs/default.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  imports = [
    ./browsers
    ./thunderbird
--- a/nixos/home/modules/programs/thunderbird/default.nix
+++ b/nixos/home/modules/programs/thunderbird/default.nix
@ -3,8 +3,7 @@
  pkgs,
  lib,
  ...
-}:
+}: let
 let
  cfg = config.myHome.programs.thunderbird;
  policies = {
@ -25,15 +24,14 @@ let
      };
    };
  };
-in
+in {
 {
  options.myHome.programs.thunderbird.enable = lib.mkEnableOption "Thunderbird";
  config = lib.mkIf cfg.enable {
    programs.thunderbird = {
      enable = true;
      package = pkgs.thunderbird-128.override (old: {
-        extraPolicies = (old.extrapPolicies or { }) // policies;
+        extraPolicies = (old.extrapPolicies or {}) // policies;
      });
      profiles.default.isDefault = true;
--- a/nixos/home/modules/security/default.nix
+++ b/nixos/home/modules/security/default.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  imports = [
    ./ssh
  ];
--- a/nixos/home/modules/security/ssh/default.nix
+++ b/nixos/home/modules/security/ssh/default.nix
@ -1,14 +1,16 @@
 { config, lib, ... }:
 with lib;
 let
  cfg = config.myHome.security.ssh;
 in
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.myHome.security.ssh;
 in {
  options.myHome.security.ssh = {
    enable = mkEnableOption "ssh";
    matchBlocks = mkOption {
      type = types.attrs;
-      default = { };
+      default = {};
    };
  };
--- a/nixos/home/modules/shell/atuind/default.nix
+++ b/nixos/home/modules/shell/atuind/default.nix
@ -4,11 +4,9 @@
  lib,
  ...
 }:
-with lib;
+with lib; let
 let
  cfg = config.myHome.shell.atuind;
-in
+in {
 {
  options.myHome.shell.atuind = {
    enable = mkEnableOption "atuind";
  };
@ -17,10 +15,10 @@ in
    (mkIf cfg.enable {
      systemd.user.services.atuind = {
        Install = {
-          WantedBy = [ "default.target" ];
+          WantedBy = ["default.target"];
        };
        Unit = {
-          After = [ "network.target" ];
+          After = ["network.target"];
        };
        Service = {
          Environment = "ATUIN_LOG=info";
--- a/nixos/home/modules/shell/default.nix
+++ b/nixos/home/modules/shell/default.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  imports = [
    ./atuind
    ./fish
--- a/nixos/home/modules/shell/fish/default.nix
+++ b/nixos/home/modules/shell/fish/default.nix
@ -4,12 +4,10 @@
  lib,
  ...
 }:
-with lib;
+with lib; let
 let
  inherit (config.myHome) username homeDirectory;
  cfg = config.myHome.shell.fish;
-in
+in {
 {
  options.myHome.shell.fish = {
    enable = mkEnableOption "fish";
  };
@ -33,16 +31,9 @@ in
        };
        shellAbbrs = {
-          nrs = "sudo nixos-rebuild switch --flake .";
+          nrs = "sudo nixos-rebuild switch --flake . --show-trace --accept-flake-config";
          nfc = "nix flake check --show-trace --accept-flake-config";
          nvdiff = "nvd diff /run/current-system result";
          # rook & ceph versions.
          rcv = ''
            kubectl \
              -n rook-ceph \
              get deployments \
              -l rook_cluster=rook-ceph \
              -o jsonpath='{range .items[*]}{.metadata.name}{"  \treq/upd/avl: "}{.spec.replicas}{"/"}{.status.updatedReplicas}{"/"}{.status.readyReplicas}{"  \trook-version="}{.metadata.labels.rook-version}{"  \tceph-version="}{.metadata.labels.ceph-version}{"\n"}{end}'
          '';
        };
        functions = {
@ -86,6 +77,7 @@ in
          update_path ${homeDirectory}/go/bin
          update_path ${homeDirectory}/.cargo/bin
          update_path ${homeDirectory}/.local/bin
          update_path ${homeDirectory}/.npm-packages/bin
          set -gx EDITOR "vim"
--- a/nixos/home/modules/shell/git/default.nix
+++ b/nixos/home/modules/shell/git/default.nix
@ -3,11 +3,9 @@
  config,
  lib,
  ...
-}:
+}: let
 let
  cfg = config.myHome.shell.git;
-in
+in {
 {
  options.myHome.shell.git = {
    enable = lib.mkEnableOption "git";
    username = lib.mkOption {
@ -61,6 +59,8 @@ in
            "*.decrypted.*"
            # Python virtualenvs
            ".venv"
            # Aider Chat
            ".aider*"
          ];
        };
      };
--- a/nixos/home/modules/shell/starship/default.nix
+++ b/nixos/home/modules/shell/starship/default.nix
@ -3,11 +3,9 @@
  config,
  ...
 }:
-with lib;
+with lib; let
 let
  cfg = config.myHome.shell.starship;
-in
+in {
 {
  options.myHome.shell.starship = {
    enable = mkEnableOption "starship";
  };
--- a/nixos/home/modules/shell/wezterm/default.nix
+++ b/nixos/home/modules/shell/wezterm/default.nix
@ -4,11 +4,9 @@
  lib,
  ...
 }:
-with lib;
+with lib; let
 let
  cfg = config.myHome.shell.wezterm;
-in
+in {
 {
  options.myHome.shell.wezterm = {
    enable = mkEnableOption "wezterm";
    configPath = mkOption {
--- a/nixos/hosts/shadowfax/config/borgmatic/borgmatic-template.yaml
+++ b/nixos/hosts/shadowfax/config/borgmatic/borgmatic-template.yaml
--- a/nixos/hosts/shadowfax/config/borgmatic/default.nix
+++ b/nixos/hosts/shadowfax/config/borgmatic/default.nix
@ -0,0 +1,12 @@
 {lib, ...}:
 # Includes all files with .nix suffix in the current directory except default.nix
 let
  dir = ./.;
  files = lib.filterAttrs (
    name: type:
      type == "regular" && name != "default.nix" && lib.hasSuffix ".nix" name
  ) (builtins.readDir dir);
  imports = map (name: "${dir}/${name}") (builtins.attrNames files);
 in {
  imports = imports;
 }
--- a/nixos/hosts/shadowfax/config/borgmatic/jellyfin.nix
+++ b/nixos/hosts/shadowfax/config/borgmatic/jellyfin.nix
@ -0,0 +1,40 @@
 {
  config,
  pkgs,
  ...
 }: {
  mySystem.services.borgmatic = {
    configurations.jellyfin = {
      source_directories = [
        "/nahar/containers/volumes/jellyfin"
      ];
      repositories = [
        {
          label = "local";
          path = "/eru/borg/jellyfin";
        }
        {
          label = "remote";
          path = "ssh://uy5oy4m3@uy5oy4m3.repo.borgbase.com/./repo";
        }
      ];
      ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgmatic/jellyfin/append_key".path}";
      encryption_passcommand = ''${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgmatic/jellyfin/encryption_passphrase".path}'';
      # Retention settings
      keep_daily = 14;
      exclude_patterns = [
        "*/Cache/*"
      ];
      zfs = {
        zfs_command = "${pkgs.zfs}/bin/zfs";
        mount_command = "${pkgs.util-linux}/bin/mount";
        umount_command = "${pkgs.util-linux}/bin/umount";
      };
    };
  };
 }
--- a/nixos/hosts/shadowfax/config/borgmatic/plex.nix
+++ b/nixos/hosts/shadowfax/config/borgmatic/plex.nix
@ -0,0 +1,40 @@
 {
  config,
  pkgs,
  ...
 }: {
  mySystem.services.borgmatic = {
    configurations.plex = {
      source_directories = [
        "/nahar/containers/volumes/plex"
      ];
      repositories = [
        {
          label = "local";
          path = "/eru/borg/plex";
        }
        {
          label = "remote";
          path = "ssh://kvq39z04@kvq39z04.repo.borgbase.com/./repo";
        }
      ];
      ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgmatic/plex/append_key".path}";
      encryption_passcommand = ''${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgmatic/plex/encryption_passphrase".path}'';
      # Retention settings
      keep_daily = 14;
      exclude_patterns = [
        "*/Cache/*"
      ];
      zfs = {
        zfs_command = "${pkgs.zfs}/bin/zfs";
        mount_command = "${pkgs.util-linux}/bin/mount";
        umount_command = "${pkgs.util-linux}/bin/umount";
      };
    };
  };
 }
--- a/nixos/hosts/shadowfax/config/incus-preseed.nix
+++ b/nixos/hosts/shadowfax/config/incus-preseed.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  config = {
    "core.https_address" = "10.1.1.61:8443"; # Need quotes around key
  };
@ -27,7 +26,7 @@
  ];
  profiles = [
    {
-      config = { };
+      config = {};
      description = "";
      devices = {
        eth0 = {
@ -44,6 +43,6 @@
      name = "default";
    }
  ];
-  projects = [ ];
+  projects = [];
  cluster = null;
 }
--- a/nixos/hosts/shadowfax/config/sanoid.nix
+++ b/nixos/hosts/shadowfax/config/sanoid.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  outputs = {
    # ZFS automated snapshots
    templates = {
@ -10,31 +9,31 @@
        daily = 7;
        monthly = 12;
      };
      "nvr" = {
        autoprune = true;
        autosnap = true;
        hourly = 24;
        daily = 7;
      };
    };
    datasets = {
-      "nahar/scrypted" = {
+      "nahar/qbittorrent" = {
-        useTemplate = [ "nvr" ];
+        useTemplate = ["production"];
      };
      "nahar/containers/volumes/plex" = {
        useTemplate = [ "production" ];
        recursive = true;
      };
-      "nahar/containers/volumes/scrypted" = {
+      "nahar/sabnzbd" = {
-        useTemplate = [ "production" ];
+        useTemplate = ["production"];
        recursive = true;
      };
      "nahar/containers/volumes/jellyfin" = {
-        useTemplate = [ "production" ];
+        useTemplate = ["production"];
        recursive = true;
      };
      "nahar/containers/volumes/plex" = {
        useTemplate = ["production"];
        recursive = true;
      };
      "nahar/containers/volumes/scrutiny" = {
-        useTemplate = [ "production" ];
+        useTemplate = ["production"];
        recursive = true;
      };
      "nahar/containers/volumes/scrypted" = {
        useTemplate = ["production"];
        recursive = true;
      };
    };
--- a/nixos/hosts/shadowfax/config/soft-serve.nix
+++ b/nixos/hosts/shadowfax/config/soft-serve.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  name = "Soft Serve";
  log = {
    format = "text";
@ -27,6 +26,7 @@
    public_url = "http://10.1.1.61:23232";
  };
  stats = {
    enabled = false;
    listen_addr = "10.1.1.61:23233";
  };
  db = {
--- a/nixos/hosts/shadowfax/config/sops-secrets.nix
+++ b/nixos/hosts/shadowfax/config/sops-secrets.nix
@ -0,0 +1,230 @@
 {...}: {
  secrets = {
    # Minio
    "minio" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "minio";
      group = "minio";
      mode = "400";
      restartUnits = ["minio.service"];
    };
    # Syncthing
    "syncthing/publicCert" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = ["syncthing.service"];
    };
    "syncthing/privateKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = ["syncthing.service"];
    };
    # Prowlarr
    "arr/prowlarr/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    "arr/prowlarr/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    "arr/prowlarr/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    "arr/prowlarr/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    "arr/prowlarr/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    # Sonarr
    "arr/sonarr/1080p/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/anime/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    # Radarr
    "arr/radarr/1080p/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/anime/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    # Unpackerr
    "arr/unpackerr/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "unpackerr";
      mode = "400";
      restartUnits = ["unpackerr.service"];
    };
    # Borgmatic
    "borgmatic/plex/encryption_passphrase" = {
      sopsFile = ../secrets.sops.yaml;
      mode = "400";
      restartUnits = ["borgmatic.service"];
    };
    "borgmatic/plex/append_key" = {
      sopsFile = ../secrets.sops.yaml;
      mode = "400";
      restartUnits = ["borgmatic.service"];
    };
    "borgmatic/jellyfin/encryption_passphrase" = {
      sopsFile = ../secrets.sops.yaml;
      mode = "400";
      restartUnits = ["borgmatic.service"];
    };
    "borgmatic/jellyfin/append_key" = {
      sopsFile = ../secrets.sops.yaml;
      mode = "400";
      restartUnits = ["borgmatic.service"];
    };
  };
 }
--- a/nixos/hosts/shadowfax/default.nix
+++ b/nixos/hosts/shadowfax/default.nix
@ -1,54 +1,74 @@
 {
  config,
  lib,
  inputs,
  pkgs,
  ...
-}:
+}: let
-let
+  sanoidConfig = import ./config/sanoid.nix {};
  sanoidConfig = import ./config/sanoid.nix { };
  disks = import ./config/disks.nix;
-  smartdDevices = map (device: { inherit device; }) disks;
+  smartdDevices = map (device: {inherit device;}) disks;
-in
+  pushoverNotify = pkgs.writeShellApplication {
-{
+    name = "pushover-notify";
    runtimeInputs = with pkgs; [
      curl
      jo
      jq
    ];
    excludeShellChecks = ["SC2154"];
    text = ''
      ${builtins.readFile ./scripts/pushover-notify.sh}
    '';
  };
  refreshSeries = pkgs.writeShellApplication {
    name = "refresh-series";
    runtimeInputs = with pkgs; [
      curl
      jq
    ];
    excludeShellChecks = ["SC2154"];
    text = ''
      ${builtins.readFile ./scripts/refresh-series.sh}
    '';
  };
 in {
  imports = [
    inputs.disko.nixosModules.disko
    (import ../../profiles/disko-nixos.nix {
-      disks = [ "/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E" ];
+      disks = ["/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"];
    })
    ./config/borgmatic
    inputs.nix-minecraft.nixosModules.minecraft-servers
  ];
-  boot = {
+  environment = {
-    initrd = {
+    sessionVariables = {
-      kernelModules = [ "nfs" ];
+      # Wayland and Chromium/Electron apps.
-      supportedFilesystems = [ "nfs" ];
+      NIXOS_OZONE_WL = "1";
    };
-
+    # System packages
-    binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for arm compilation
+    systemPackages = with pkgs; [
-
+      inputs.zen-browser.packages."${system}".default # beta
-    kernelModules = [
+      inputs.ghostty.packages."${system}".default # terminal
-      "vfio"
+      pavucontrol # Pulseaudio volume control
-      "vfio_iommu_type1"
+      zulu
-      "vfio_pci"
+      # dev
-      "vfio_virqfd"
+      uv
      # fun
      fastfetch
      prismlauncher # Minecraft launcher
      # Scripts
      pushoverNotify
      refreshSeries
    ];
    extraModulePackages = [ ];
    kernelParams = [ "zfs.zfs_arc_max=107374182400" ]; # 100GB
  };
-  swapDevices = [ ];
+  users.users.root.openssh.authorizedKeys.keys = [];
  hardware = {
    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    nvidia.open = true;
    graphics.enable = true;
    # opengl.enable = true;
    nvidia-container-toolkit.enable = true;
  };
  users.users.root.openssh.authorizedKeys.keys = [ ];
  # Network settings
  networking = {
    hostName = "shadowfax";
@ -73,24 +93,22 @@ in
    };
  };
  # enable docker socket at /run/docker.sock
  virtualisation.podman.dockerSocket.enable = true;
  programs = {
    # 1Password cli
    _1password.enable = true;
    _1password-gui.enable = true;
    # Mosh
-    mosh.enable = true;
+    mosh = {
      enable = true;
      openFirewall = true;
    };
    # VSCode Compatibility Settings
    nix-ld.enable = true;
    # Hyprland
    hyprland = {
      enable = true;
      package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
      portalPackage =
        inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
      withUWSM = true;
    };
  };
  # Open ports in the firewall.
@ -99,28 +117,49 @@ in
      # Caddy
      80 # http
      443 # https
      179 # BGP
      2019 # caddy admin api
      # Minio
      9000 # console web interface
      9001 # api interface
-
+      # Soft-serve
      23231 # SSH
      23232 # HTTP
      9418 # Git
      # scrypted
      45005
    ];
  };
  services = {
-    # Caddy
+    # Minecraft
-    # caddy = {
+    minecraft-servers = {
-    #   enable = true;
+      enable = true;
-    #   package = pkgs.unstable.caddy;
+      eula = true;
-    #   extraConfig = builtins.readFile ./config/Caddyfile;
+      openFirewall = true;
-    #   logFormat = lib.mkForce "level INFO";
+      dataDir = "/nahar/minecraft";
-    #   environmentFile = config.sops.secrets."caddy/env".path;
+      servers.fabric = {
-    # };
+        enable = true;
        # Specify the custom minecraft server package
        package = pkgs.fabricServers.fabric-1_21_4;
        symlinks = {
          mods = pkgs.linkFarmFromDrvs "mods" (
            builtins.attrValues {
              Fabric-API = pkgs.fetchurl {
                url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/ZNwYCTsk/fabric-api-0.118.0%2B1.21.4.jar";
                sha512 = "1e0d31b6663dc2c7be648f3a5a9cf7b698b9a0fd0f7ae16d1d3f32d943d7c5205ff63a4f81b0c4e94a8997482cce026b7ca486e99d9ce35ac069aeb29b02a30d";
              };
            }
          );
        };
      };
    };
    # Minio
    minio = {
      enable = true;
-      dataDir = [ "/eru/minio" ];
+      dataDir = ["/eru/minio"];
      rootCredentialsFile = config.sops.secrets."minio".path;
    };
@ -147,7 +186,16 @@ in
    # Soft Serve - SSH git server
    soft-serve = {
      enable = true;
-      settings = import ./config/soft-serve.nix { };
+      settings = import ./config/soft-serve.nix {};
      package = pkgs.unstable.soft-serve;
    };
    sunshine = {
      enable = true;
      autoStart = true;
      capSysAdmin = true; # only needed for Wayland
      openFirewall = true;
      package = pkgs.unstable.sunshine;
    };
    # Tailscale
@ -159,43 +207,23 @@ in
    # VSCode Compatibility Settings
    vscode-server.enable = true;
-    xserver.videoDrivers = [ "nvidia" ];
+    xserver.videoDrivers = ["nvidia"];
  };
  # sops
-  sops.secrets = {
+  sops = import ./config/sops-secrets.nix {};
    "minio" = {
      sopsFile = ./secrets.sops.yaml;
      owner = "minio";
      group = "minio";
      mode = "400";
      restartUnits = [ "minio.service" ];
    };
    "syncthing/publicCert" = {
      sopsFile = ./secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = [ "syncthing.service" ];
    };
    "syncthing/privateKey" = {
      sopsFile = ./secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = [ "syncthing.service" ];
    };
    # "caddy/env" = {
    #   sopsFile = ./secrets.sops.yaml;
    #   owner = "caddy";
    #   mode = "400";
    #   restartUnits = [ "caddy.service" ];
    # };
  };
  # System settings and services.
  mySystem = {
    ## Desktop Environment
    # Hyprland
    de.hyprland.enable = true;
    # VS Code
    editor.vscode.enable = true;
    # Containers
    containers = {
      jellyfin.enable = true;
      jellyseerr.enable = true;
      ollama.enable = true;
      plex.enable = true;
      scrypted.enable = true;
@ -203,9 +231,107 @@ in
    purpose = "Production";
    # Services
    services = {
      borgmatic.enable = true;
      # Misc
      libvirt-qemu.enable = true;
      podman.enable = true;
      # Prowlarr
      prowlarr = {
        enable = true;
        package = pkgs.unstable.prowlarr;
        dataDir = "/nahar/prowlarr";
        port = 9696;
        openFirewall = true;
        hardening = true;
        apiKeyFile = config.sops.secrets."arr/prowlarr/apiKey".path;
      };
      # Radarr
      radarr = {
        enable = true;
        instances = {
          movies1080p = {
            enable = true;
            package = pkgs.unstable.radarr;
            dataDir = "/nahar/radarr/1080p";
            extraEnvVarFile = config.sops.secrets."arr/radarr/1080p/extraEnvVars".path;
            moviesDir = "/moria/media/Movies";
            user = "radarr";
            group = "kah";
            port = 7878;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/radarr/1080p/apiKey".path;
          };
          moviesAnime = {
            enable = true;
            package = pkgs.unstable.radarr;
            dataDir = "/nahar/radarr/anime";
            extraEnvVarFile = config.sops.secrets."arr/radarr/anime/extraEnvVars".path;
            moviesDir = "/moria/media/Anime/Movies";
            user = "radarr";
            group = "kah";
            port = 7879;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/radarr/anime/apiKey".path;
          };
        };
      };
      # Sonarr
      sonarr = {
        enable = true;
        instances = {
          tv1080p = {
            enable = true;
            package = pkgs.unstable.sonarr;
            dataDir = "/nahar/sonarr/1080p";
            extraEnvVarFile = config.sops.secrets."arr/sonarr/1080p/extraEnvVars".path;
            tvDir = "/moria/media/TV";
            user = "sonarr";
            group = "kah";
            port = 8989;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/sonarr/1080p/apiKey".path;
          };
          anime = {
            enable = true;
            package = pkgs.unstable.sonarr;
            dataDir = "/nahar/sonarr/anime";
            extraEnvVarFile = config.sops.secrets."arr/sonarr/anime/extraEnvVars".path;
            tvDir = "/moria/media/Anime/Shows";
            user = "sonarr";
            group = "kah";
            port = 8990;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/sonarr/anime/apiKey".path;
          };
        };
      };
      # Sabnzbd
      sabnzbd = {
        enable = true;
        package = pkgs.unstable.sabnzbd;
        configFile = "/nahar/sabnzbd/sabnzbd.ini";
        port = 8457;
        user = "sabnzbd";
        group = "kah";
        # Security hardening.
        dataDir = "/nahar/sabnzbd";
        downloadsDir = "/eru/media/sabnzbd";
        hardening = true;
        openFirewall = true;
      };
      # Unpackerr
      unpackerr = {
        enable = true;
        package = pkgs.unstable.unpackerr;
        configFile = "/tmp/unpackerr/config.yaml";
        extraEnvVarsFile = config.sops.secrets."arr/unpackerr/extraEnvVars".path;
        user = "unpackerr";
        group = "kah";
      };
      # Sanoid
      sanoid = {
        enable = true;
@ -229,22 +355,29 @@ in
        publicCertPath = config.sops.secrets."syncthing/publicCert".path;
        privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
      };
-      # ZFS nightly snapshot of container volumes
+      # qBittorrent
-      zfs-nightly-snap = {
+      qbittorrent = {
        enable = true;
-        mountPath = "/mnt/restic_nightly_backup";
+        package = pkgs.unstable.qbittorrent.override {guiSupport = false;};
-        zfsDataset = "nahar/containers/volumes";
+        user = "qbittorrent";
-        snapshotName = "restic_nightly_snap";
+        group = "kah";
-        startAt = "*-*-* 06:30:00 America/Chicago";
+        dataDir = "/nahar/qbittorrent";
        downloadsDir = "/eru/media/qb/downloads";
        webuiPort = 8456;
        openFirewall = true;
        hardening = true;
        qbittorrentPort = 50413;
      };
      zfs-nightly-snap.enable = true;
    };
    # System
    system = {
      incus = {
        enable = true;
-        preseed = import ./config/incus-preseed.nix { };
+        preseed = import ./config/incus-preseed.nix {};
      };
-      motd.networkInterfaces = [ "bond0" ];
+      motd.networkInterfaces = ["bond0"];
      nfs.enable = true;
      zfs.enable = true;
      zfs.mountPoolsAtBoot = [
--- a/nixos/hosts/shadowfax/scripts/pushover-notify.sh
+++ b/nixos/hosts/shadowfax/scripts/pushover-notify.sh
@ -0,0 +1,89 @@
 # shellcheck disable=SC2154,2148
 # User defined variables for pushover
 PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
 PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
 PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
 PUSHOVER_TITLE="${sonarr_eventtype} - Title unset"
 PUSHOVER_MESSAGE="${sonarr_eventtype} - Message unset"
 PUSHOVER_URL="${sonarr_eventtype} - url unset"
 PUSHOVER_URL_TITLE="${sonarr_eventtype} - url title unset"
 if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
  PUSHOVER_PRIORITY="1"
  printf -v PUSHOVER_TITLE \
    "Test Notification"
  printf -v PUSHOVER_MESSAGE \
    "Howdy this is a test notification from %s" \
    "${sonarr_instancename:-Sonarr}"
  printf -v PUSHOVER_URL \
    "%s" \
    "${sonarr_applicationurl:-localhost}"
  printf -v PUSHOVER_URL_TITLE \
    "Open %s" \
    "${sonarr_instancename:-Sonarr}"
 fi
 if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
  printf -v PUSHOVER_TITLE \
    "Episode %s" \
    "$([[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded")"
  printf -v PUSHOVER_MESSAGE \
    "<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
    "${sonarr_series_title}" \
    "${sonarr_episodefile_seasonnumber}" \
    "${sonarr_episodefile_episodenumbers}" \
    "${sonarr_episodefile_episodetitles}" \
    "${sonarr_episodefile_quality:-Unknown}" \
    "${sonarr_download_client:-Unknown}"
  printf -v PUSHOVER_URL \
    "%s/series/%s" \
    "${sonarr_applicationurl:-localhost}" \
    "${sonarr_series_titleslug}"
  printf -v PUSHOVER_URL_TITLE \
    "View series in %s" \
    "${sonarr_instancename:-Sonarr}"
 fi
 if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
  PUSHOVER_PRIORITY="1"
  printf -v PUSHOVER_TITLE \
    "Episode import requires intervention"
  printf -v PUSHOVER_MESSAGE \
    "<b>%s</b><small>\n<b>Client:</b> %s</small>" \
    "${sonarr_series_title}" \
    "${sonarr_download_client:-Unknown}"
  printf -v PUSHOVER_URL \
    "%s/activity/queue" \
    "${sonarr_applicationurl:-localhost}"
  printf -v PUSHOVER_URL_TITLE \
    "View queue in %s" \
    "${sonarr_instancename:-Sonarr}"
 fi
 json_data=$(
  jo \
    token="${PUSHOVER_TOKEN}" \
    user="${PUSHOVER_USER_KEY}" \
    title="${PUSHOVER_TITLE}" \
    message="${PUSHOVER_MESSAGE}" \
    url="${PUSHOVER_URL}" \
    url_title="${PUSHOVER_URL_TITLE}" \
    priority="${PUSHOVER_PRIORITY}" \
    html="1"
 )
 status_code=$(
  curl \
    --silent \
    --write-out "%{http_code}" \
    --output /dev/null \
    --request POST \
    --header "Content-Type: application/json" \
    --data-binary "${json_data}" \
    "https://api.pushover.net/1/messages.json"
 )
 printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
  "${status_code}" \
  "$(echo "${json_data}" | jq --compact-output)" >&2
--- a/nixos/hosts/shadowfax/scripts/refresh-series.sh
+++ b/nixos/hosts/shadowfax/scripts/refresh-series.sh
@ -0,0 +1,19 @@
 # shellcheck disable=SC2154,2148
 CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
 SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
 if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
  tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
        [.[] | select((.title == "TBA") or (.title == "TBD"))] | length
    ')
  if ((tba > 0)); then
    echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
    "${CURL_CMD[@]}" \
      --request POST \
      --header "Content-Type: application/json" \
      --data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
      "${SONARR_API_URL}/command" &>/dev/null
  fi
 fi
--- a/nixos/hosts/shadowfax/secrets.sops.yaml
+++ b/nixos/hosts/shadowfax/secrets.sops.yaml
@ -1,91 +1,120 @@
 syncthing:
-    publicCert: ENC[AES256_GCM,data:XGQus3CTr8j7LBnOf/Fk5cu2V41X+Udo1yXEq9WP4nJuRvQRQ3IVKrgVyIZfIFM6b02GXJHmvsujZiqLnszTM1ltW67uKhnepj4N8ywogUiEudGyMsu99HchsTN4EhWBeenmOR+Fh1Eruva/fxZlaPMZYEAGSQR8iwC/NqPeGdrS2j4HstxAWd8jn7fJg3MXirTBykiNTGd83gCLjSKoueal8KNF1Sa9peho84u/FrFP5V5JB/E8LT2WLegrdZXEgVwInvYqciZbwWZwP5lWVaiKHPRqVMWCGtBgkxTuD41icFiCFz8OwMFR58+p+LxicGl7IgXDbQtIR+0+WR1Lz+BVOxjUkbr/U0znvta4JYkIbZp3utfbU+K9P7PBCPo4d5WQrVkaEUxNYA0aCgf4ZF4S+upXkV5Dfzc5nnEQi1kme6yScnheKDCMROLnCG1PYZRXk+Q5XQz/iW7KriI1GkNW1u01GB90RwHSTC9btTQEG0c8mgv/4yf8ObGYxDHR2o7QvsEgrfLOrHjBDJ0eGl3sSPH8m6XRGnZBj9prjA1x1h83vZo0omR5nFjA98xRN2U4v4NIeS5KqptDcTsVQdcWpRBjpnZYtb1pJ97p9/gUTNT3UzCt/7LpvO2LyO6CmnV1dVU+HlMVkJJIQHSFnvsk8PsnJEhGcoJIj+GvkkjzgOA2gbtnzpZ3HlM2jPTuSx8VlrLcPb7tsdeGM+ESbDrD/8tHMyOEaoGYOkSLRfE5QhSFuTN7woG3Eg2x+UK92JwkXPpHqr15Vvsw7ElfjnY7NBUz2jcCSJIPLlX1Gs277egZQKumu3TO2h16ced07ABtPPaptAFwh7GR+o5o60mleYdh2NhJGv9Db3i8X+ty3sFEnsIhoOBD75WTsy3cdtls5wWE0Ox162FFhXXqSbxhLaTDkpM6C71+BR97Og8e+/zfN5bK/8pmGUk8EzkL3Anp1rCtD8MxY/CPpxK2oHgPALQwcpGVzpdnk65P5m+61T9boo3UfoC/27G2HyqSj4zz0NCt5Dlqio+hxeZIuaJKx00RIASosXo=,iv:gI/BtvEcAcwTkqpSvpzo1kFR2miK0CiWNY6bQvijbRo=,tag:u6rLmKskE7FClh4V5/3FDA==,type:str]
+    publicCert: ENC[AES256_GCM,data:qPtXFKL8BrUNMmuF4YOKNAmcL3USnTrMMAahnHCaBFyTNNrSa8zktRG0gryBUvsFTYqwcP6r/FFq5bEpjq6mGPJ942LrYSvv5nqRDnvhEJs3X6wiZfriq2Dyps+2MLqcWjU0tsj+M3IfkOGIry0XSP5EkWFgBJxB3HbRlwqA2ZDAnSOT1OWQbFOl4dYQ7gkssMDyVfrfMoiaw33Q9ttHhLswJIbMK/p1wSWPsEY20ZHEa4fSq06Eks0vUYCmDIrSiFr/fNF5veLO8LAnojJkSm87ZDkX+tAMa7/ZI96fZssHbJHU4dHrsbTlpVyG8AOQ7M9D0cMaH7WjJlV3fn5gAM8xgMjj9YcC3zMFSfBMeVyJF36l0G3jhY+1BO7omqqWY3lwEx/clt/HJ+q6K8z4/uyTfBsuMGPakkDXmplV6j23hwz9jzd/tCMh7/jVFyiwdSf9Ykykf0Qh8af4v1RVzcwbcBnpb4pjMic16WvBWpogt4lTu0o0u9NAMZX/Nu99pxDES7+DLKAIDOoIZwxAYWPY+zTlVusMrbuQ+yvnv1koAi0VJl5n2DpKKxPKKxMYcKN3SqMQ7TX8img3OUIsIje43kbLFnpWwdoBwdKov0PZzBHcH/9SgsBD/aepT1iRkg1Fe6c3EiOF3wKwXBpwuPq61s7+d7ESvOL3sVFEuo6fXhN0aGJK77VnZKqYERjlEOkETjSMNP6ZH1A86YQBFWRXHub1KrhNcZUbTdxuT3UD+gNvoD52InsodblYyDtmSqeEVix9m25buWeurmzSBngPr3L8xxlYt1gRrHZ/4yy2EQPWFo/oMTjqnd1YtcRkNtOzSl7zcXmV0KnY3yAyyyTlwe08PY2rRJ4JUqYS5C3fnv0yQgb7MrYH1Ysau14TOX2WTrTpklPL4zwPz/hVL9hVIeByNshQQZm7KsZXjBGzC8XXRu/3HWNXYXLItHwgNgtVkd8WuYe+bF+u86h1UTDABf4w2tfGVVA6/HqwPQcmdbhQZ+mPHSTbuVcMPLN8MNEK/B1JtBlQID9ybMcbON+pik70d3d+blI=,iv:Ut7rbEVIc2p095rzq9Y6ZS6npa0+atBRLrBjN3mQ6zM=,tag:g1krDi5xhOwr9FfXFQ4mMw==,type:str]
-    privateKey: ENC[AES256_GCM,data:W9+O6G3xhABcztmdqZIy4LKXt9uuoz8fhM56flvJGrJ1WGN9BX9Syn/mblYP2PDWFHBHQtMd+fWsRC1cDPAbwPB8e4CX3gU4NvxQEtkTb6UceP6nF/LZGJkUPIVHflbz4zQxBFet1TDA4pW9IaOrQYYAOcAJtNzF8ybhXepY+RErdnEKIYp5m7M60wvAgs9EDaAbsD3wuzzjs/+s3tR8/Ga8n8qrWSwfbQwRMbXETN0D1PV5HydsBcwiQ2w0FrjQ6w27ASuKQGSAKFNxU8I5/SF5tFLiR8LV+wcUIoUoCN4AxYQQBdxpNcyhxjTFSu7rUvqV7Ni85JUnmnep1cM4j+4hkmj2M06m0SHy87kiJcJfRkwXVKEJUJiUuLQCR+20,iv:FbZnaXDr5+jjSs7wKSE01z0p2Kd9UzGw2alGfd8m1ik=,tag:CD8vp7hloHDYQF/pkm0a7A==,type:str]
+    privateKey: ENC[AES256_GCM,data:CFW8XMhLaGFHYqo3+v+4Q8hemV44/Pps/0hBaz8eMwbv5GI34dkSmQ8jh2VY+bRhfGX6sWGXlxBKB44qiTP+jCs4rgBu+AA0j3F4b4/hH/Qj8XoflGMHCfBwsTwYm9vb7Ith3H4F5Fbcv1Dva6mOw3CA65lTfKlxF/NVyj9/cAnqjF0T90jaRYpFN9pLrwkAVBeydc+sofnReFOeI7/IFupxtPKkOaR9wGZK82KQj3+7sXEBgL0HekX677ENBqE4fZHUbe9AKbCe1I4k1RtL9DqANnjTED+ktochzuQ1cUeSnBHtbYD6GDVPisIkJc3Y2a6kmTh5YVF/u8zXMN4n0zwTX+QPA4xms0NCa/528YCSY8VfOfvk9mhQbpmdIob6,iv:gaILRQxX/0poYQedDYZXzL9/ojzIY7BQ+M68HMxD4go=,tag:D0X9OA7ohL5Z8zPsXPdybw==,type:str]
 restic:
    plex:
-        resticUri: ENC[AES256_GCM,data:aA3kc/Wxg/UxrAUeDd0y9z/8mN9LjWsycS3aUuEwgTcAO2NkfUcH9kw/PXOvazA8t5UJ9RVPYYF7910JeftmMNgs,iv:4GaR5XuJKPnQsBehihraCgqBUumDeq6IiRQrSvtQKgg=,tag:U1fVporyT4S48Dmdf5ghSw==,type:str]
+        resticUri: ENC[AES256_GCM,data:INfsXRDS0oTwxmbUeuns2GtguB+OJvE1UC5uKjR9dqY7tZo9gS7Byjf7RrBhcq3SAAV1yPFnT1F5IZXrwgyBp1h4,iv:nsvINjznTn0PYrCO3sLaOMwSJeZV5gvDTefNKksgep4=,tag:KeA4+WW9+dV7XjScbDzCVg==,type:str]
-        resticPassword: ENC[AES256_GCM,data:rC5P60IK52dYOSiSkpnkZ2VvqI0=,iv:xIr6BYmpbGXg9zKCKVcstK2ANHN2Y0MzZ1HhDIL9oxI=,tag:J14I0dvIW0FMW1LLB4KuNw==,type:str]
+        resticPassword: ENC[AES256_GCM,data:+U4xZIzo7HbuF+MmZAJhj6+ekO4=,iv:GznZk8Ga4w7Zqx6QoXq/SUn1uURLxW9fMN89zTq7BNI=,tag:IuBFTTS0awiVILNx7Z3iLA==,type:str]
-minio: ENC[AES256_GCM,data:IJTwUJOC84a5n798fTDlwRzVc8p5zRiccjdoNTPCNlls0RAyGllijf7GAQG3fxQZQWB2xNd7G0F4/Bv+KmThX2Nxy0c5JFbed+AekuMbNQ==,iv:QDB8JUSehsApBnRhLeGtS2ZczIJA0awN0g0sfkKK810=,tag:NMDfAN8R0mcT7Ec1ldyZbw==,type:str]
+minio: ENC[AES256_GCM,data:EqFhTRqb5fY7IKZSis71i6aN6Llv2EAQxKjBrmoJKRLKFfQUVzHBgGXse42nd9KD2hirGsBiPgvuXulTw1z+bPmh4EVPaq2uR4fva5g4LA==,iv:4Ru3cHsw2Vyw6mtCoNECMVP/r5toYJ/BBvNNa0m3DK8=,tag:pFtHhgX1WgzRYNe87Zh6dw==,type:str]
 postgres:
    host: ENC[AES256_GCM,data:NkAc3BN09j4=,iv:M52sslgEY9QXcsG5Z+snGFZ7vt4IWiT6uqowoUUk78I=,tag:n/SXxbBuX2+vZknk/gBs5g==,type:str]
    port: ENC[AES256_GCM,data:eVFfWA==,iv:sYcdDt9Vw/M0lM7LCVb8wHbwgQ62OfwM+MahvbcG4vs=,tag:uo63B0+r1GOv52bqzeiMZw==,type:int]
 pushover:
    userKey: ENC[AES256_GCM,data:efCy551JEtPagnRGHkNCKHT+r0yJ/5bqyGTsdeGOdw==,iv:DDAfy3EDSGHo0r5TapW6yjo7XMpVESYYtnUQLBPMg2I=,tag:9ws7n3hlhM4+++aIxOspYg==,type:str]
 borgmatic:
    plex:
        encryption_passphrase: ENC[AES256_GCM,data:+PVidwqMgGuZJE0a9TyLda75viaodnZtEPA6nQWNp1KMR7zHQVBjtRojLuRh5Sd78Q==,iv:zJFecISN0l4r2QKfqAw3sds+l5eBHp+wapE+TDUgX3E=,tag:cy4HWmoJw0ygRhaAQ45zwQ==,type:str]
        append_key: ENC[AES256_GCM,data:ht+OoijAcc8BnuAIoZ0K3kfvzlXYgmi61OHOpaR/H8YpadsMgruym2E2VIAibVhrAt0JamHQ8wEps1/Ur7GPRyQgZmq8dUlEJwVFyD31kOFjJDH3r7hZIMuJopAKYEHxuJ0PANqZO4mHbVd6rnnSvb5oOzACst0oKAoqarmjzVKSfRfRCxSP0df6WhuU4/bMq6u8L4FjMXbrYWbeK77tMdv4eEAHEM6SIuMXOad/AKvgYXIUYmhjohsBXfWQ+gENEVQEpYV48bc/zTC6j4RZI335iZQZq39sg5VWMnSsQtQT+UVzsHBbOYZbzC/FyjUKBNduYoniBQFuswf8IbDgwIcEd8eSRhTGWMOATOdy6MtVstXqZhc9YEHytFrAd6biTt7DHAVUTu9ZqqkyouiuGc8f4kdimGz8kSb3ltKUqN7qTACVHjFXNY5PkdHAy5brKiHp0lPyTiHFQYxabeyPD6VfeDNthK40IzmrIbXJynxNbfOfP3lkmDJ3iD5zM0anU8xcNtRu+1NA9k70GGEvgwTdUbpP+Myicn6u,iv:BAyqOh13D2kRyhKf6qX/gEeRMlmhiR4jD+VrRhKejn8=,tag:GGu1hK8t74cnKbP0dNL6vw==,type:str]
    jellyfin:
        encryption_passphrase: ENC[AES256_GCM,data:G7xk+FGsjV7BxwvBGozXcj0n00EjBhDw+Yea4Wf8fmXl,iv:goylWvW4OLWxi3rIyQ5FbmnNtHSuP93Mnb/P4dCes7c=,tag:UiVw9Q0iTw0TxG4hFzg4SA==,type:str]
        append_key: ENC[AES256_GCM,data:1XPDRh3HtKZbgdXf/YyrIWwvuIsTRADtRea+0G0as5vKfMyrqv60IKvCSDqjlZNhUvtmAMFZS/y5AexLB2qNZNM2qjFvbwr1C2WJw9J1fkpcc2mYRrH2XaghFhwLKuD5PCo4jVztOOMGwXzKcwG5BKr0jm+FiffvoUlB8rlEgIihwmDDf00g4sBAvDpjVQdqxNgc14VALzUiuu4X55xIHW/tQk5R84PDfTR++41EvjDxFQau5TxA3xVeQK/skOSRo4RZRE8vF1I3Dc7njVBMK/PyV0iKLJydfK9Ql33ZwDQmHdt+aw/pPlaPWfMAPzLxbdGuOtUaGQijQmELKQP11101QKHDk2q7LYXfGw62VAqb7W1SJYPczZzdzqyFb4NULykAQOhHGW9I8esRCYn0t4Y5vBEYaPjyBuAJz8ClG4zhxwJPAAQBkntIId0Xjk9NjZDeNKqAXpgs3CDIOJYtGUmtA1Am/B/22/VLl9adheEnTtkYlSTRM8/u5RoiA3utipMFJcdkssmBudH8BvXbJFJChoh3qUDD3Gnz,iv:CZyuBaiKMxNaOlFu/OYFmHOeEVWBNJ3rUIBpV/Oh4GQ=,tag:EX5yoC+KRf6IkVm+7d+Qiw==,type:str]
 arr:
    prowlarr:
        apiKey: ENC[AES256_GCM,data:7NKS0QWc/5MIBbasmHHz/EN8wF4ILmsxBQpfZL3J2fs7,iv:WctX4v9GFkseJ+Vqk3U2l5qrgWCcw1Bv3N6RQuwQ1HY=,tag:7FxfWn5ydXu1Pp/B82TOSQ==,type:str]
        postgres:
            host: ENC[AES256_GCM,data:++C/D+s30hs=,iv:P0HIuGzVypgxfYmhcNodMXbEufPdrlO/nuQwHZ60kxY=,tag:qHzYYmFaeBXyty6ga6sfQw==,type:str]
            dbName: ENC[AES256_GCM,data:8t6Ms7cVgSMzN4Vn4w==,iv:mh1nOUuVllIMlj+lhuvXIQqTZ5VCcaU3jj3nOGxAsGs=,tag:OZVFFM2YMENHN3pf9uF+5Q==,type:str]
            user: ENC[AES256_GCM,data:ji+57XLFMus=,iv:xC+EuVBs9wzZG+leFnAIZCKbxFwtMmSwqhJgVl4SRak=,tag:o7SqVcv33zukUOJ31ORAgw==,type:str]
            password: ENC[AES256_GCM,data:aSiZR0cTtevhD6s0f6+24qILUmfH5OCBUQ==,iv:xPqiNf9N2Mm6Z7lvcB9xsTjgiJ1tren04pM4rOjRc2A=,tag:NSGr7kedaVgqyM5qwKM40w==,type:str]
    sonarr:
        1080p:
            apiKey: ENC[AES256_GCM,data:h2vPlVVkdOScJg0uvs5yv/WK9NpotcF70bD65gTR8TdY,iv:T6F/u4jFt1k+jaLO0epq5nkTr2c1FvtrEfxadNuQLVU=,tag:GNVgD4oAI1OdBrHlXFlYIA==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:8DruSnH9MBs=,iv:WBgn1seW8Tgy8CLB7mv+BgojNk20LUqqVyS+o3aFtWQ=,tag:bNqeKmcXb95167YHIZD8Kw==,type:str]
                dbName: ENC[AES256_GCM,data:s/XMwlVu648dmAA=,iv:sUtQxqGmpNM7f2Atwm1b5TPj63nynZPIJfHFe2XCjz4=,tag:NTYMuvlBuWDWyUAHPrKlow==,type:str]
                user: ENC[AES256_GCM,data:OF1jJTDj,iv:u20mF60SJevMeIQAjnIzCbIIKKFqJ95+mG3f5zfX+iI=,tag:BZK7NhoLWDJss/tnf0ZHtQ==,type:str]
                password: ENC[AES256_GCM,data:2IWE6CK9bOQ9Zhjfkw9WOkwElKtLRiJRKQ==,iv:ySSML6PKNq0JbhcSwQ0rxSEAD+h74u0X5ncfIWbh0KY=,tag:R2nnvakD8SEyEn2GjgkgXg==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:H6ZGRWsRyZ635t2eELbvz2QvCy47wiN59ViytOxX9SebXC2b4cfvGpGJi1RIOlkcz59BUYUizK58sUNbgMeFn178xVkT24mOXYu5VkO/4n5WuY2zWN9gbnL6RWnrQZw=,iv:RLroNHNseCQeYuNdad9KiFjrKkZI44gP4E/Uj73R3qg=,tag:++t7TZvUEDAiU3Smgffitg==,type:str]
        anime:
            apiKey: ENC[AES256_GCM,data:/1GRSCBEgm+MFQRoIddchoe1290/A1hvVCNmp1hfsSGS,iv:GOeXBu7uKklK6KE8RvpewzBaySdoKonVo4rApadoIzw=,tag:EinKbUl+X92plkp9p3AXOA==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:hvZGv3MQ0JU=,iv:HFs62YuhV0uypvBGA2kfAlorwWbjRr6M5/VJwx2LVC0=,tag:c7B6eco64WzvC0Uo44q76g==,type:str]
                dbName: ENC[AES256_GCM,data:aT4STqdwfQ/kRlYQ,iv:XUyJPrqkDaLt5TmJl1+u8xZitY7x1wI2BpykmYQivjA=,tag:YSyzENEHcrv0y4GTYdW7QA==,type:str]
                user: ENC[AES256_GCM,data:Io5JmxNKuJ33MRgS,iv:DXLRl2ZSRNkdTXRY3UzL0zxM+1m3xpdJgaWZqbl6Vok=,tag:rD/HrAOUF2LJDc13blJyRA==,type:str]
                password: ENC[AES256_GCM,data:whbjCtd6TOxPKWwvL7L1lKcxr8tEZEx7YTdJNQUtcw==,iv:n3YBj1HSLo1EJ+XnuRXsn9wWXIAaIe4zwkfFLaKx53M=,tag:gtENwItQT6dgr0fBrEipaQ==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:MYQWHBE8bcttmXhh3HDir1zBJq1t1W4Xik7JnyEVmHKdXQu/GPUvbQLctGIXC9psD7x5lk6xMwg2WxSFLHcGFhadDHnm8rla9wFCSh0VlTyWekvKZ+XZPuhcDFxfYVA=,iv:3HzZU/1wJEXizscc7rSLLmJqe/FMiwqu+RiqvCBxBtY=,tag:3OXclcolF4WgW0Hu2FDojg==,type:str]
    radarr:
        1080p:
            apiKey: ENC[AES256_GCM,data:w4VmflaV51T17tp2Zwa+2Ifm1FfPgVRxLmWomhsHe5wa,iv:xYvuQL2u7GwDxAWpohAJTuX5tmvxwxo6xS4Uz/9MXOc=,tag:uVVxdY0QreC1ZA+LWpKTmg==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:wFG60E/SiJg=,iv:glgvp1UsgO16tXjfSBKaQsMSzekMiWFLG1ptcgS00Gs=,tag:LhA3+kQzMF7IsCZEPaEeGg==,type:str]
                dbName: ENC[AES256_GCM,data:/AWMN9BQw7vDvg8=,iv:CwUt1tur+xdrd+egaVs1ETr9ueWyrb4rpiLWTHtkFuo=,tag:EmYEZJw3j4/D98KXzcLpFw==,type:str]
                user: ENC[AES256_GCM,data:K4OFAbH9,iv:O2HHLVNC7YUtD/BQWSjUaz/tFdd0O9tYkqTy03/M08c=,tag:Qrwq6x/oxLd/1CjtPXSNJA==,type:str]
                password: ENC[AES256_GCM,data:QYHNzqggnZ0v9byc41txTX5FcLPjSLZP+Q==,iv:dbrnn9btZd6b/KhnE3nbpljqkjr75PFrBERuju4wvv0=,tag:6/COq83YDfYkpLwW+S6avw==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:IF6EntbTjCs51DjVfWRJQ7JYLat+ade0bVVyDPxBJXzUJAsGIg2wxsMOCBZONs/VJgh+lUmlYuuCj5Vfy37YTOaFRdSEBEYkHL+iwThHV29nAV2GJyn/E6Fau+Hpj6A=,iv:ysLb5Em4hg+RAkqotLhJ0p29yribQjv5SK87HkfWMcI=,tag:zM40WAugV73e2QorCw1eVQ==,type:str]
        anime:
            apiKey: ENC[AES256_GCM,data:pQsxmcLwAOfPlwJIARgsgqObW0weoNfgeX7xNZ8nRLZ1,iv:IjyJdeONnrzcBQj6VScf5mO6IAGGaxLFn00avZchQ30=,tag:z9xqycT/Y9FnZ+qbXjLW1Q==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:rmPRKNCDNuY=,iv:+b/NQZS7mPF1t8DlcuI3MXZwX7BcOIb0hiVANXCdfSk=,tag:1YqGTRl0LUz4vqy+SCM1HQ==,type:str]
                dbName: ENC[AES256_GCM,data:/y8nkutIioMtH7Q=,iv:AcNHukerGYCxW7i3tvXbK1a3cy88623tF2xE2CQhrsA=,tag:YqllmENzjiKzMyLCMhZu/w==,type:str]
                user: ENC[AES256_GCM,data:XUHlPPiaeUEJM/ii,iv:VHL5CoBf9/dnaFUav3EOwoRlBYt7pQ1b9fhpBN+UJDs=,tag:CZNf0Ix10Us4iS//Fth4wg==,type:str]
                password: ENC[AES256_GCM,data:Fp13YKpwv9rWhLirbX6k9YG+5w7AWA==,iv:M18dOvzRHt9WXA7ThmOUGTE8o3lTXR6rzwYRbO2x7ns=,tag:alAzOfQCJ8d44S960aT2Bw==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:HxYI/7VKvP5jheDHg78SY5WL7R8i9tO2nmmOfJQTyz30tHMFucJJ490AovKXxmnUy8NXv0EFIHt6hP5zCUW8cqGf8rKb/aY6pzpga9uBNStM8yzk1K34qVT2VjAMtLk=,iv:wBZfS8gh8dmKYcB2Uba3Hdak2NRZgqUceumgqf97nCY=,tag:dvQEIHFhdyjYof0a6NHMfw==,type:str]
    unpackerr:
        extraEnvVars: ENC[AES256_GCM,data:/M7qxzcp5VO1nJfmOg/LKE+o0oqGgx8ohLCBqwsBzAaCcAe+L5PZb9J0Avgf7dFIeYXHXtkPXZNUYo04btsFqCizRrPBa/MxdSp6Wc7vLONaJXx/3PSJI3GgFR4AB0aeGEW4HaodLs6K35JqE7FV9NdX4Sy+O/s4TK5s9EAebVfkTIuaBA685L0JPUUHxdzuyMpMP9C7RoZ7XyoToiVxVJi7cBeXwuevTZJwCY9+p+RjiUcNrHt+HNjSPZMUpYo1d1CAJaAmy10kE3yydjYo+9vZwEpdoKVXlw3pio5rVpGLV5nlk5Mv+XHeZ8h6Ic8LLoDcy616oCmn5Vp0B6spElgSBx1tNjwF902ku+8rteh6931EHdNoD/APhg1h1/u9kBLZfxQ0v6DK3kSYfETW/8X2Y/V7bvSaiYhKjHdOYBxXkmIlpTBR50FPBLQ=,iv:I5jHRJFTZWawfwndvNrjPNLldrZyABynfXKUZMFeZiA=,tag:RnEebZ1LpfJWPiNTxT4ZVA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOK2piTS9FTXJ3TWMzdVFr
            aWFUSkJSbTdCR21iQks3OCttNzZOcWg5RlFJCnhQQk5sb2Jjd285bWZaVjVrQzRy
            REMvZnR4YUREUUwzK1IxRzJwNUdVcncKLS0tIHB0MTRxWWJRR3psMEVBTmQycCtL
            MjhkT0JGdjBmeUw2MGFLZUFhMW5IKzAKVY5fLZeRk/6dvCimJ7Jgj1hOjqtZ3Q35
            EH1L3X2/n+fTzYIASj1UJxvAJd6U7rrmfozQQYIKch2Ri+EV3QHRKA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSFVLTFZqeHNuSENWWWZG
            QmI4QXEvbG5SeTJHMVhSaThPYkNzZDI1TnpZCkdobm5IaUhESVk3NVVxcTVITUZh
            Vk0wTjdtS3hxcnEvRkV3bmZJdVlmTUkKLS0tIGhqQkFPcXFKcjhCWEZvR1BrMi83
            THFOTXdoc2pFKzhZTkNUdC9VN0IvTTAKdmOR0iZ6pzJX/ZgxhxvS6yUCEGjq/ePV
            NIPJwMMcAatrrFunBdIEOzfu1LO1in5ZADaA54JUIiftLrhA8Lraig==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ2lxb0JiYzlmRHZ0Ymhk
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbXJYbUNJaEkzQlJqU1Zx
-            OVo2cXFRcmtGdGFqTWlJY1dXVlNZbTFIUFZVCmFuMU9SNjRtU0tTSlRnMHFQSFJi
+            Zzc1M0RxMFdMQXpIekwwMmhlMWo5d3BRZ2pBCjQzdTd4ZklNUTJYa2c0QW56NVQw
-            K21OQ1Z2K0lYWHA1cmRibWFTVUIrRU0KLS0tIHNZTkY1UXY4TjZrWCsyK2hPeEVH
+            UzBja3pRV3MxSGlROURML0VLTVdKTmMKLS0tIDAzTzJacU9UVTJNakRrWWhPeUM3
-            NEpZcU96Q1lobzFVTWNrUFJHQjZhM1UKZQzhD32rkAylJfSp+N648jrs6YvYtg+X
+            OStNbWNzS0V3SXIvNEVWZDVPb245OTQKeFrwTJHVxc13tv0LWU3h+8nZiedbC3II
-            tpT4jvyeAcQJ+txZunhwiTwZslJEQMOZlwAyMO6riQNtATTU4Bycsw==
+            pOJlGu1+iAssnu6p2eEefH7Urwlr7Qsa2G55G+l31hzZsFzuL1yLwA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbGNIemRkQUtobFliUCtx
            aUNLQUZhM2xVOHI4YUUxR0xKNmROUDQ2cW5ZCi9zQU1LYnBFWC9NMHAvUDBKYWZL
            TC85ZnllOTgzS3B6QjJxYWhtZG4zbVUKLS0tIHNhUk9ocVhpaUJ3emxHR2pZb2c1
            S2FOK0gwNGJwbFduNkwyZkZGdmVMY00KH1SjfNNdeKRmqwidEB2MM5EO/8jJk36D
            86Ehn4wHIW3CSfqJYDLmYBmreFfqgQq/BGThGJs2EdkNb2VkyZnTUg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTVRLeHlFb2FpYUdZNXV0
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSXRDRSs2MDBaNG5SV0ds
-            T1dXMTROTk4rM09KaG9SK0FuVEZQTmJIUVZnCkNJODJpY0NZUWthdHBEamRPMlNl
+            cmRKM0FDbHZnQVZ1R256SlZzUHpwZmZGU0VjCnJVWGQ5WTE0Z2MvVHM2Q3VYZDNM
-            UStpUlphSDFKZ1pJalhjRGIybms0QUEKLS0tIFBlZFAvaE83YmEzU0hnTXhJSVdH
+            Zm15RkVidlFEWkduYVM0TU12YXdWRDQKLS0tIFF0WHM5UytOY0tZSTZNb3ZTbXAr
-            Vm5pRTB6ZEpZRnZ3Nk5UY3ljcG9lQncKW+/xvvA8gU6f9SlF5jGkddXpmSZlOCfh
+            S1Z2blBqSWI3cWJOb1JSZUhKcW1GNnMK5EVQb2zVqHdBWQWmmEze7kWSXf7NEt34
-            xXXAFB50J/9fmBRMXVItzdERKK1MxZm9p1g5gmIYkyH/wm48ZTyrwA==
+            PnA0DiGCHnHm+UQg6Hw9/duYo71oQ163AbPBxD5hrCOoPgViVKFEHA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFd21SSGpTclllWWdIWmda
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ2FpckhNendHNU5yVWRm
-            TzlkZ2VNWDZ3YUVwWDkzZHlyYythZ1JMUTJVCk15TVZUMVdTSWpldnozMVhVQ0dE
+            OVNqcmZyckdGTmhuU1psTjA1YzZyU0ZLcG5FCjArMjBGT0pOU05xY1V0aVMwc2ND
-            S3FaTzhLWE1Pd3B2RW1YTU1TVXIxbEkKLS0tIFhoZHBTeEpUekdEajRNZ0xRcnpi
+            eUVjdkh4a2o2VGMvakZUMk1GTE1CZGMKLS0tIHpVMmdNN1V4OXpLdVpEUWg1QjAz
-            d2xDaDBWKzhaK2RzOUoxbDAvQnQwK2cKXifwRj2MHtsPYykP92gkkf2drlSBf/4U
+            L0hmYy9kSktvdmxLcGcvVDlFNGRiYjQKCwUhrXyEWzyFQvmKPnnjQyF/n5SF5yiT
-            AXvjfndT7yqvlBHfTCusos6AollCJ+QNPQJoCdzZzSyLZS5S55QY5Q==
+            42Vh1REycPIWlegr6/j5bF+tFOPT9Wb/Hnmc6FPKjQt5Hwgt+Buhmg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbW5HOHp1UUVhN3ljZkpO
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESk8vMlpueWVZUW9ndysw
-            RlZYdDVsUlYyL2VXdGROalZrRnVxMmFEb1ZrCjVEYmd2a2NrelFkSGt6ZnpYblBi
+            REc1Qm4vRU5QcjVzOVBBTlNjaFNpSjE3eTNRClZjaVJLZkNOZW9zZUdxRGxJQXNO
-            aStXRk5YQ05HUkJZMW11QzRUSGhVMWsKLS0tIDBhVXVBTTB3U1dnMWxEd2VaMWd4
+            WjQ0eE9Ua1JPMkNINnVmcXI5SzZSalUKLS0tIEk0emhxdmJjRDJQYVU1cVRSejYz
-            THltK2VHRU1PQkpOc3VyUFN6K2l5OEUK7dWJCGhvw+Xr3ny68iWgo05iApyiqzZI
+            V25uTVF4Z2RZeEZpMTlxOERaMnRtVG8KHQrPSRD07W0pTH1ynePwXRxXPWn8n9sZ
-            pwUG0ZfzQlwC0cvYTqHfc8nGyHcAsjs6LTeBYrn+WGZtvEUBAZvIHQ==
+            Gxu327fptOKoKjDXrLduoHFuO0m9WJcXYP6v9rtVmrTDhU/Ntye3UQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbUlTR3d1UTBWOWJPK2E2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OStleHcyMHlUTW5wN2dl
-            OVc4cWNYbm9zcDRydHdFT3pEaWxxZDVkUkUwCktEYWt5dmdmWGRESnFFVnVIcFRa
+            cHRCMmFmM0tMRzVmYStlUU1mdzYzMkR3Q0JVCjNTeTE2WFZiMzJScWdFMEticHoy
-            T0Q0WUdjSk1TaVRsdXBRTGo4cjZIZW8KLS0tIENzcUJxeFBtRWx4aTVsTndTWkFC
+            RDd1VVpnU3FVNjdNOWR6L2VqZ25RYnMKLS0tIEdQL2lFS1hINlV2SEZvWkJVQTEx
-            aVlOSHhFb2I5UnYwVytyQzlWTXBDYUUKdQKilmfJ1F7UYKtQV9zV95FcRIK17p4M
+            aHY2Wjl0b1FVbG53elRxNWpqcWRrbE0KjAvjOqSEQF2286Bj2jF25BoKuD4OLoHY
-            vGvu/pGJ32tH8xI7cNs9I5Hmg9c5wOam21W1FDk+VlJ/ClXqQzS0MA==
+            U4pqq52per87pnJs4gBkRS8DNoSbRq9JwyTwzKz2BZgPJvVDGXDTOA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-23T00:36:34Z"
+    lastmodified: "2025-03-09T06:33:41Z"
-    mac: ENC[AES256_GCM,data:2H1NCCVjvR/pSTI6njNkE7RuWWlCSPIvKLBqkJbEKNvc2aaPIUmGLlLpvNRQ1rQJbQa2okVnL4wITeYT+uuBhus4ubTAD7RH3HIjXMcK2HFCA/ey/kJ9GZI6I+0pwyjavUlWitIqUjUpTOK1hGSTzRSm6G38uSLhfQGMG3clUjw=,iv:1qZ6eKIaE/6QF3r4adGw2dvKlrZvjCktmgJ2L3n3kEs=,tag:kZ7wAbXebk0VF1kAbjxRSA==,type:str]
+    mac: ENC[AES256_GCM,data:MX6qN7VW6B2zR6O2n3znHt8DvB8GuaSjT15OPEc+T4aoXZ6g+OgOCQez8Yyd8B4Nv6joKJrQUKIM4sMSAmQ8bwwvXx1YTUKQxJ05MKGGorZYuZCOvhmsOnhRYJGVt40XZiIMIYDvl+uRjkG4NSBOoYdWF7qldphjTNzXrc5Qcnc=,iv:Xj3cCr6p+cmc41FVhxiiNfjhOKY1rlpT9zUR43hSvGo=,tag:FTVX4awkq5UDXGIAgSbZsA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4
--- a/nixos/hosts/telchar/default.nix
+++ b/nixos/hosts/telchar/default.nix
@ -0,0 +1,88 @@
 {
  pkgs,
  inputs,
  ...
 }: {
  imports = [];
  swapDevices = [];
  virtualisation.docker.enable = true;
  # System packages
  environment = {
    sessionVariables = {
      # Wayland and Chromium/Electron apps.
      NIXOS_OZONE_WL = "1";
    };
    systemPackages = with pkgs; [
      # myPkgs.modrinth-app-unwrapped
      inputs.zen-browser.packages."${system}".default # beta
      inputs.ghostty.packages."${system}".default # terminal
      dconf-editor
      fastfetch
      gtk3
      nodejs_22
      pavucontrol # Pulseaudio volume control
      vesktop # Discord custom client
      zulu # Java OpenJDK
    ];
  };
  services = {
    # Tailscale
    tailscale = {
      enable = true;
      openFirewall = true;
    };
    # Pipewire and Pulseaudio
    pipewire = {
      enable = true;
      alsa.enable = true;
      pulse.enable = true;
      extraConfig.pipewire = {
        "10-clock-rate" = {
          "context.properties" = {
            "default.clock.rate" = 48000;
          };
        };
        "10-clock-quantum" = {
          "context.properties" = {
            "default.clock.quantum" = 1024;
          };
        };
      };
    };
    blueman.enable = true;
  };
  ## System settings and services.
  mySystem = {
    purpose = "Development";
    #services.syncthing = {
    #  enable = false;
    #  user = "jahanson";
    #  publicCertPath = config.sops.secrets."syncthing/publicCert".path;
    #  privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
    #};
    ## Desktop Environment
    ## Gnome
    # de.gnome.enable = true;
    ## KDE
    # de.kde.enable = true;
    ## Hyprland
    de.hyprland.enable = true;
    ## Games
    # games.steam.enable = true;
    ## System config
    system = {
      motd.networkInterfaces = ["wlp1s0"];
      fingerprint-reader-on-laptop-lid.enable = true;
    };
    framework_wifi_swap.enable = true;
    security._1password.enable = true;
  };
 }
--- a/nixos/hosts/telchar/secrets.sops.yaml
+++ b/nixos/hosts/telchar/secrets.sops.yaml
@ -0,0 +1,59 @@
 syncthing:
    publicCert: ENC[AES256_GCM,data:eqTuzoyuzVC5ZITeipdlHWH+o+xPMPQeiwwGkUdQPIEvjhPWQoHeodwPWOXGDQyFwJfD+77bphWTTVImdTNKJbbtjP/oneQRZPLsQThPNHXcOMDjhzhyBVaOrKhn1eZy849Q4MNBArbQn0470Sn8tkpL2SyiwxKeyel7MFIkZpoCPRt0T4lkF3GW0M+CcR83jqagR4dBX8aEj0VReRPYtoqTfHH9SBWM00unzWzG4XGO+MzoFLyBl9SU9cANv+K21xzsChUxUCGgKCr7Fe7400M+U+G3pepI6SJ/VxuTTC063i0oZVmVMafdGYTbM7lsVGj/53PJzLiQOW9EZt+YiYNvPc49F9EpCYYXIbdTKb71NaP4bpgRKaWHx1cUnqfVo9zPqc9cAxEUEEGajwdCkcLNR7P+6Ws/SEKPcaxjoYeGqRPls8IaXFNqq86okIQ90wtR2BPr60tTR2tW22DAxHHngpGYPyl7D2TsjS3ok/E9kicQD2nl9P9VWZDzWN+3HhCYtMxrgb2qK8KYWRd6yAEmexU9Tc6Mh6gKRRhLBfSsDsE1hbo4TxqROtZwFpq7YAn7vvieQ7Pfz98fLjciInlDwmWTgp7Vkd7YLoMTBlzsNFXpxct5Gx24rNHMp13TUtfg9+mNvMoxIHFq5cR6GZonvPlTC278hiowgjkRTlQ+jgsQjgUeusy49/ytB9SNmSrTbtcOakepH3H1H7usedKbJBXcpGfohqd53xHs2dkno+lCg/kGzgkthbGgmTUsz/84x2ep0mVQC0RUQf3lyDeXko9szk683kR+aPw+UTi1q0X6A1u9A1PIKnB0+WpHQSfAcMjytJx9qYkvJ4drP99Y5olHn+JORKhKE80sHabpST6uVR6Ym6epjJop1MkFfD8Kh/NmsuDgz8kP9j/2sYJuusG5/DhX2vua4D2TCB2yby4uLCnXwazbzq+3A1F2FOPn2ynUZAnrKTNEBl/FfHLoIoHUl5rnlaIfz6VuSUWx6LafX0GZ+XTnGIfEv534/C1zc8b3BupbHNz44kNd8BVb+s6gqw==,iv:A2PVFa4J0JPsBh8LU1Z9KqgQGKWqO4hJ/cRTeznJY3Y=,tag:5gumadR51zYVscNt9SE3Jw==,type:str]
    privateKey: ENC[AES256_GCM,data:qHNpyCmJ/2vM3COwzOqI2Wi4TQRHAI672URYPa7y5irtlBJoRy+hlBvHF+0+gAHRtx9cgFkspKBmxiC8M0VBYULBjVlYxlUySluRnZ9P1rv6Qj0Lv1T6kOrdGaL9VjEI4SWfYmA1/sFALxyZpCDm8oHhUPZfs1+Qd5U3nupLIyNsTO5aKT63MfjSTkLrrlnkQGW7B7Eyia+A/OVhAXaGMaXcKnCIUo7H+t2zSTeUQ6hgTkxE/sHxSyspvB9M2MHF0CtwwLlsyTNj9MtDE7NWwFxt2Hd7AXL5Ho5PhOrgwxp9FSFocdR4j6BPTYTMMgwFcMNOBb5ORveijp6qVA+KUNMBwezYp/TQnaC1DPMdcuh567SxRnstICIsSh1l/5RL,iv:z6DuPK51dBnJCyVI5wSqEqSLdqEXVnxlGakBBr07aYw=,tag:rjaVe4SrVghdG1zqiU1o1A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNVh6c3BaZHdMLzZ4NE9G
            YWQxVTluVE4xWTRwZFdnOHVLZUwxeTBnMWlnCmpRNkVaL1dxSVlvTmExa1B2U1k0
            V3ZQTUcvMldFZlhJaW5GNVdPakx0ZFUKLS0tIGVkb1A1TlppZjJ4TU83Q1Vld2V4
            U3IzaWFmZC9oc1ZRZitwb3V2UXRFb3MKyViC3mT4RW11E6XmVVztMmJgm2NP9JX9
            Bf0jGvYhO7Etg5O05NwTAy1WZLB68hqTHAJ2tMJD2934sJicWfg/kg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudTg0ZElzdndiSGowNUxk
            cmRDTS9ZTW9DVHB1dlNYZU0yOFdqdkRVUzNNCjJaY01ISklDQjc4YkVtSyt2UlFm
            cWJGazNwdklDdTJvOE5ZUWl0VVZpV2cKLS0tIFVRQll0d3lKSTNZZk80YlNhQzlE
            TXU1WE5wUWdhUnhRemhNYllHK2gyQzAKPuT00v8c2W1iSCx4nAG4XzCz317D3jql
            ANYcLgmd47N8Jj+jssAPgoG9Oavj4II2NmXpLGKSDyAPtdrTqowAXg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreExpaEI4YmxLTE5jcTVT
            dkExSlMzQmJVMVpCcklwRjBGWE1ZZWZjOGpBClVSOEtoUTlGVkIrN2J4U0ppSDdY
            MmFoNnlzWCtOMDg1NWxQVk1QRzBVazAKLS0tIFdiNFJsWXZLTGpRTVNmRlRJWFQx
            dUZVMXhMYWlNdGZBY01ZTGxsK1RIa2MKY5F4BSYaeSo7rFUc8DJ8HUGCkUSHwR+/
            XTKp2FkXD38hFOC1jWtityqEF8vCMA/m567nw0adTCFl5S4vegpy1w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WHRxYk82ekZpVUtxVVZZ
            WFRXR3NZMkt6R2FnSGh3bG96NHRub0EwU3k4CkNmcHdRT3BWTjRVdllGQmtqSHN0
            T0wzV0xpWkY1UXNFSWtsTHVZTFdEMDQKLS0tICtpbS8zQTFXbllpOWl0Q3lyVjFR
            WHpJNFAyeGtPUG1lRWdKMFdqNkNWeEkK0DcfsEUECFhSXPQvsmKx5gVdHyZMb5lr
            XoKOFrrjJ+NtqxfyAuqKmt6TxpPvzgBLdnbmQ0CTG7qb86O3o88tKA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcHB3RVlyaldnaUJqOVpF
            WDd2d2RKUmR0VnU2SEVvZWR0dnVPZklweTFrCmhhb1VYaW5PM2VaamZtWURQOGhH
            UlBCV2J5d2xYNjN2RkF2QmxjMHcwNzgKLS0tIGFZY3NhWHhYZzBzVGROZ1ZXckdQ
            QnoxZlAwRjQwQ0hQc2xrV2E3ZWJLL1UKwrILkzbDJlUdIN9un0RTGNXPzmlddo7r
            ThuBWigFXDscsIHkwbhqfWPJy4YGcVnhYE9bfTV8k3AWAljWl6kL7w==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-09T06:33:41Z"
    mac: ENC[AES256_GCM,data:VoNIfkIOFC5EZ7s0Zd4SD0RGLxyGmZ7VDIMz4c19Bp62zsvo2xeXp1z2Q/UFIt3EX8Tr1txRWawDmbImTYNb7Tzk/QvE8NZswDnRGpMloo3aAHT6acalm5z0To7jvsCZnLyR+3cwH9RGuMx76CNbyDrpSbrPawFjj1LAfsiXyvo=,iv:sOU7iOlkHKWRuKSpb6+JVoac/L4lDd2cILV+uoKzOnc=,tag:GTwHnF8X9+TSm7ZjWQI+zQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/nixos/hosts/telperion/config/bind.nix
+++ b/nixos/hosts/telperion/config/bind.nix
@ -1,5 +1,4 @@
-{ config, ... }:
+{config, ...}: ''
 ''
  include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
  acl trusted {
--- a/nixos/hosts/telperion/config/haproxy.nix
+++ b/nixos/hosts/telperion/config/haproxy.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: ''
 ''
  global
    log /dev/log local0
    log /dev/log local1 notice
--- a/nixos/hosts/telperion/default.nix
+++ b/nixos/hosts/telperion/default.nix
@ -7,9 +7,7 @@
  modulesPath,
  pkgs,
  ...
-}:
+}: {
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
@ -25,9 +23,9 @@
      "usb_storage"
      "sd_mod"
    ];
-    initrd.kernelModules = [ ];
+    initrd.kernelModules = [];
-    kernelModules = [ "kvm-intel" ];
+    kernelModules = ["kvm-intel"];
-    extraModulePackages = [ ];
+    extraModulePackages = [];
  };
  fileSystems = {
    "/" = {
@ -51,7 +49,7 @@
    };
  };
-  swapDevices = [ ];
+  swapDevices = [];
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # Until I can figure out why the tftp port is not opening, disable the firewall.
@ -118,12 +116,12 @@
      bind = {
        enable = true;
-        extraConfig = import ./config/bind.nix { inherit config; };
+        extraConfig = import ./config/bind.nix {inherit config;};
      };
      haproxy = {
        enable = true;
-        config = import ./config/haproxy.nix { inherit config; };
+        config = import ./config/haproxy.nix {inherit config;};
        tcpPorts = [
          6443
          6444
--- a/nixos/hosts/telperion/secrets.sops.yaml
+++ b/nixos/hosts/telperion/secrets.sops.yaml
@ -1,90 +1,63 @@
-1password-credentials.json: ENC[AES256_GCM,data:mPnJtGeZfSGnMjiJsUUfTnKwGNtuPLK/+XhGTrztiQN3bPh2EFtOg18nihsvdI6klWov9OymwATput//StpRuO2u9XtF3ayET8m8qrrldELi4IGujEBp5rmQ3DIeknhJCNGRscYDEIbRcSuVjPRIJtN42njOOr7SSvJzw0o3MTPwfJrRedOeAbvVLQ5+37JGGvS4mvfyZXXi3LFhmWPqWFyzGCUdaDJ+pBwr6Z2JY89votbh2JaTp+kRIgWm4XI2oi3sKGD+kbORHoVeCS9qzUBdGmGvmqNXLkAYJvOMGk6lT2qaMlN9/6ab57Ob9YBT5qb5CxBZr+JAk0/BrjVakjvf+gS5JFehpLkx2yTllhbcD+GvGu86m37HyMi/PZefxeO9BiGdUhpAapuQzGRk5E484ClbwSW8D7SylKPkTU1gy88L1C2hHbdJdBsTL4r9bkwAwLEuRNri5t0QXNjKlGLtWM0FJvRJC1NkBPwA5rc0Vl7d6Bvf6AV0WQjD0qSh8FDmu2ouMfRJQ6ceM654xQTt6UfVxDJV1AxFEB78rIECuIfkPyMf9GG20l+LdlACHLTBtWGWesjuWag22ONwDsopX52ttAHkMslttpN2PA5wrtoy1KS8mia9BvvdVVv9ykURjYISn85/oHgiw1nCYQQlgPVCb3fmrkQhSZinawIBvKz9xB1xA5JVBuHSOeIzZizkh1S2T3QlSllqWpdHFVsif4gaEfFq9h3DVDcr05sTya6/SV3A1Lv8R5RkpOSO/T0w1Uco8EcXi/ZyaEvQ4v/oJGJBJNiTJI8IEMx8s59tZ660SmefUS8BLVlSxhxJ2PdON2lEbMcva7FvvuRNfMfXEv7psDdXDUWIxPfwsn+llqrosqcDcPNkS/ksVC5kCZlWCxgpnGAKnUkyV9KM484O3W/tVzE5qmUPRUse+bIJ/CX95qK6oSWDK+lBICTayYdgHHwiMJygXUDzWlS1ulL7UyX6M30v7I/WUMNFJ3IeCVuETkNhttP8WsyyNPv7Nh6qSH14Yaz9+EpBRvY8qU7IbNXfeNq6MkMn91l4Mlwfo38AExJ3jtd6ql7eOTPFJYbwY4y4bdkF0kLx0eaw79aLE/fcsnfmxE1zsu0Ihn7NSu0IYgOPsp2t8JS95jVqSc0N6cfCUo4/N6YYfpDsfiNVCAz6poqIHAWo69oD224xAz6Qx9k01/d341KHC1GhjgZ5gdK0caGhQJ633V8w6v5IBR1Uz0Q/F5/rCfRmFE7sCWf8eqMoQaJ+CpmEvdgQpl9Zao1LSObJjk36X5R0YLY8Q5lkh/di0/E2KEDgcId4Z3gBHvpK+TKXJR3ajF8oWgGJO/o+WfsJstyJqcTS8uxWiQaG6vBkomrujEmwNu7r32Z4WC0NBI32TtzT1FOslBEIsruosRJ0gXaDBaXCQuycJS2NFvDZoOdDW6dBIKg=,iv:uyFfI8iGwRHBbVS7zsyAewFlaHe38enW5sBW+J/ipG0=,tag:cZy0HBx64HpRCdzOnTDS5Q==,type:str]
+1password-credentials.json: ENC[AES256_GCM,data:LhPG3XyCRZobdAN77ATiEy+A3d8P+1E0+lS8JXbvY55v/qhXk0xNUMb1KsBjGazsj6jq2j4u0dq55KmTDWckC5C7MIUzI69bbHrEtQ8c/XgBo5ulmsaMgkRNjsXMJ6h318/M5XC5wd/MhWz+80eWvnVu7PI5E0Ar77W+KeoGwCiaZ7oQGoE+e5TJpNlOhtiMNfjtmUzx7L7D2JNB9LhA21Y6LcLToGVm06KguHMPZAK//3fBbJfw7nbY7MHJ5tYCu20pUF2eJWnRcB11QDqPIOszJ/tKZ9JQtXd8DBmXKgrjeOaq0Y8XIgTo0co5gcfriQQ7SC/m0MWE4LkoGOpmbdw+hZhqfIVOl5+IXwXkH2EMn86gJTBxdgtPXz6EPkuPSNamO+uh5L9vjodFcCKZVZnW/QvhzxYaRErB5hbSJ1PrPIRcJsnOkDcIcBtW4b3qvjJtewvX33RDd7qEIoqd71jNOEyxeZgidpUCyfA9bHLVb367DcwbCB5jZ488ZvcjbcEXuvPkQfZ6xR49vuijff03thN+Ob3kQI7ofcasqbRO0eKYEQQapDaTz9IbraRf1z3JgQ+o/Brh8LHxEBgMQA/GwDGz4n/wnMczylH2O/ODsjkI76kYk7qLR9Z+8WT9tazrcPrBs/scuJSHu5Sl6c8K07HN9W0jPnD8dAP4J5Pl+lxpS66SDVfGImYwjuQjfDF+RY7A/UP0iPxdklkfLVQ0Yu4Pa+8Y10YAXY8UG1NQW51REobTGIEF6El6/pzfNElqAdFG4+5JNZF1/4IXWPVJQly1VstUY9D4f+0Z+7X/eAdz7VxWjI8hOSGH+jPbylXe7eNQZdhDZ2PNfoqGNsgLZfT6AcBtLR8eHZlAY9O139YsSzPqae7CRP4TqX0KwUQHiZ1OWh+zG/OFUEPV/IiaGi+aUcfZzzz6mVrXXsyFosDtaqf3HYPcMuhJ8YiTY5g1/OK3EUDR6CBOENJf/iMjC03OBqf5xll5Bzw68pcX2rR8kkTmJx9mWE6SRxqOpVOxNZQaK2O1NrJxBQrR4/b/Vd5Sct+VvT24Kh3eue7+LhKIzJzh499sJ4PgNJ1plbRDzKpfj2qH704xj7YzqsKPcKIq+VHQQakQ3VdAOoMzo7RXchVh2BDTp0I4GljUOoOh9sv2DIrjmpnN5KWwAk7gl1zkcc/DPEqa6UN8z6WVlTIC4pHGm68IyRl0HV34owyLEezGcoidIu7t+AwZZrD4SRHFPFCoFd6ubbcr2/7xZgRaKqGU/82hUEjR/SrxRQpjeN9Vf2PAAGDbVsZGC9f+pthMamlD10oZzfamf9DliYdF2aNH6/IR6IPVBTbUoLuBDbqJH0lPtgLDqmpoS4t5cGvmmlGgjm4I9prrV5Ogz0ct30L1XW+KfxT5alnGZsx46ZaW6hlgmkGqiUUHhUuxW0GT+16UxOQLE/sZVgg=,iv:wPy/dePJ4x0IdPyB7ChN0B2msEAMcAuM69liIOaumZE=,tag:0CA6RZZ8mkDM9gCCDevM5A==,type:str]
 bind:
    rndc-keys:
-        main: ENC[AES256_GCM,data:2K8QGlLH4TVdqUh4Qx99+/IhBqEldfdEnuVxzWrSiJpCXA8IVD8oQ+43hvfbxTG4Q5Jx1T1dx1VlQLjOikWhW0feYT7Uexn7Q+qNb9il5ioKoiqSHGvPbiy8KceDx2xHcFGquhN7,iv:ibeYbWtFCq0MGMbwIsNrjTTTrqio8gdrEvTIkBHw6+4=,tag:+59enmEps91uROm2jjtm3w==,type:str]
+        main: ENC[AES256_GCM,data:HETQLs4FDXeZINlCSnGYqF6Mntd7EurCRSyf5NIAz2Qmq87IAj2TbvesC8PnIBXMul5Uj8ggDym4xO6Qcoq6KQNfCtVOI/TaA3JYZbIOmNWZR82LsWwO77hd2kx8U+E9K6kFtBbV,iv:WGmWjcW1RkOWSoBjrbkyQkDbI6yYB7hakOrmXo4Q6eA=,tag:CfAe/x+HOu7tf0ZY4HIB/Q==,type:str]
-        externaldns: ENC[AES256_GCM,data:yRNBvr/dq3+2MFANmtIvj0iHZ0Qz705VxA1vg0jl9IkYZhzUtwUlIJF25vDQCsS30BzsXIAQgfncoPxMnqmswoH2Cd3a7W2Pf/Ck9aDMKaCSNJYrl/D86Crwq8nhMJLiDyta7zkwkMTE,iv:V1fQB2zdL1ReBY2f5ofwJju8zrxdh7yxbGCKQ6p29AA=,tag:Qn8PQcTJ4it092qQyAh6gw==,type:str]
+        externaldns: ENC[AES256_GCM,data:5kIBIpRYdGmBZBvwWSIufUzAs2Z+9scgMQOMHtDLFgcQ8OFKYbKlOQ2+G7exo/YfrD8QQfbPjHD/ScQbbs0SyFYhx9ivX2vizyV82uYqZ1hODKBsMHCuEvWMNydopbT5/vobKCnAER2T,iv:AA1uUmyTxfovgRnvktRQxmu2Bj5mStWd7MRrvUaI6LE=,tag:NPGhBf5yBbTPD63QnBA9PA==,type:str]
    zones:
-        jahanson.tech: ENC[AES256_GCM,data:bCg54kzMqGJdq6+adMz59mfbeIVIoP9qmyFi0uoQX0KTCKU6XNX3FCzI0ludEfUrFtKqjdbmKJzGJbaCTVyL5yDBq9VFtFnBPeaTG0TlzKxO1VBad97+OqSJge5ZlpeNgUR1LUkHa+h2IkNRjde7kIBVHu8hpOqGpXI3UKi+FSYAUiIV1PKLzVh9pSiLp4kL8K0mursA/wSPzEaZ782FFKwIlXMVoTlWgB+tGIxanOekLpUMRaGaUktSJwmSrdSbs1Wn6/FVdWWjiZxHcDL9BU9RyiTyUh9tT9n2mMk7PICihrl5RINObVqi1tssqivN479NCNnXqeJ9wOJdsDZcVdI9ijGuJzcYsAeH2m+zdUGGiMFVRScdtuxgVqEOg014xL+FSe49X2ZXI41Gt3cyWIwX9HHdFMdzTeL/Si2V6dWmFJpdfA/k5hM7UTIkKYgCKeyc0ymZ6xF21pQck7OSTddcCgMBGgk1acfzJgxAzrLD9MjEVWzCdyYTzW0dWPOTcCN7ox9MCrHJWaIuGbgsZuT+Pc5K+/UrXHETidh527wiR/p5I7kozZj9t1u+gT5SNL9sQg3zOnWq1qL+WDWuW31tXR9vlE98T3ZvRHJOiXYK7eYU97ww1hwa09h92lmwkBWNMNL2ouNNLHTDTevCT+1KjLSWlpo3XjwVmk9RfgAbLrQtPIK1C4Q44WZ59f6l+3daz8EmGy+9aXoCW8bfk9bR7O8su+UO5gCHHp72mWtWpE5z+TRMCPXL53bw0IXh/H8Inj98KP05ebpIXvfbnjdfUFA8ujZcJMlvBCUYPHg+0gQtiANfzr9FbUcHVwMHamWww9EpQ3YGmRG/LYY8kJlPRvLaeg9e6gLbz2l9/GM+G5BAMO1ZqaxyOlQ6/J1bBY0WKQDSER1f1W8U/EAi75y+s3LXz+Y3LU9wmmJ7qWeVULjszlaZr+W0NxkX1Qh+ys/ffV7j+NMwa4nNyC1MJnsjgBzLNGxp3fpcCZTqApfZmCbvz3yG65pTDa7BfTsYy596wPec+kquBGYTVnNbg2oXzAPLV99nzJRISeCBtOiuwbIHzbLIEI820OPdMnA+PWAPRWXMIqAq5PDpsZws65pY73Pp,iv:bck9vjCWvfx31ZKNwfkaSHazIKRvMXX//E2hG9lNNFY=,tag:vrsZ4v+LtsuYZH5XCnrfcQ==,type:str]
+        jahanson.tech: ENC[AES256_GCM,data:HGvI3MRQHHwFW+ElBQJNuItKP+fi59ZXepjzY4IoRZ3mBDEORBMTreCk6i+HlM2GouVhJo028Ilkl6P/i17O1LchTUcK+NZOkJukIdd/WQknusZOxoQKhRYloyDGa2IYe4YzQDtRd3vrPdHffEkZcRvd7KF7EAYROMmWk6OSfasf1ta3iHQe6xm93Ql8EY1o6oqhjlS31w5XDOMaNvFkJF7pD+C2OQ6pGORYxv0ePH6gDr56FBPI1sZStDQtFFSrJEDKyuR+yrjhpg/fHnxa6XIRASSBSrOIrITE5VACZpuXB3hcUT/4BA+5P0GDayDuZv7ODw6NUPqBxgpgypfaUZjNwJl+MaUPbkFaRECZexbEwvNCl9/xEruBKlbhl2jL4CKLGKaNOSukYq3Gskcqc3qkvQCWEucmMguShSBv7QOq3l1sWOlbHxEQgvdLrZ4cRI0bUQCxk5xO7LRgodf8ACOZVrdHInsARuvX7r2mzGrYA7a6qPXpJOhE7Rai7mg1RQdabJ4i5nd0GSJV9WWrGH9/0yw5uj9f6nwEWuK23gkxK+2B7B+nt703WbDfDmnWNjaxHHz++IBxWiNLUFPGVt9GNx3VpMV70Y9PY5VmL4O8L7Fc+3TcTz+bG0pbWrO6MpwKdieWxmeLLn/blFGzd0acQUtV4UCv3lYjqofCDbfS8S/ADE93bcuxxnsVDwoVVnmWSOsXkERvtrZ9VggeXODZCwPhSbUXXYyF/KNmChbpdJDBbfTPjlWPqy1423SCi6TTX5xCNAbl1JL/2aTVCGOgQ2+QfSKzjbjSsp77ZzCQNWVMOenvSYgb4D98QfDOcukVs0ewa06CxLBEycjq2T6XR8+3/JMPDElmDVfdaOscW6QcpJXJEeWRU0kujHWoaZbmclgnmhPMcoMa5fuC0/p0+/DVOOn4ZINGGdAGy57NVUOOtyLYZn1J1F2EZAXRITRfxHNjHLLsuj8q9iCs7so80LUHejfKjqer8TGLLT948Vs3+Im/iB7dE7k1QmFxVd2lArNFFlPj7QsLtbM7sT6Kj8YRjiSoGer0AQVjkKewSIxnUH+n825Hc0efBFBYDCAN36LwF12FNB5+nTnI0fKIvV/N,iv:GYlqE0pT3vaNufSoM/RZNTW4j5IZHUkKj3KUdmc6ZjU=,tag:89rtkSyISHDzhDtF1VTuzg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUzhJTjZHYnRkNC9tQWJu
            eWZxKzUvRDdoTVVKcXNDRk5MTmV3Q2RtMEFFCkhjY0pRV2dRYlU4R1ZzWGkra2hN
            YVV0K1g4bmd6a3phVW5tanUreW5tY1kKLS0tIDJOUzViem1vRTFPWXFJWXdQbjZF
            OW14UDNGTlpQZll3cGVVMWQ0eGQ3clEKuPbfceFH/+MChLOiA6J/LCGKce/k45aw
            w1KmPaBfFEl4kAAyAXe0qVypNmzQsVh0rdPMlRq4Fnk1EbnkjAlMyQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOFN3TU1NQ1R2Rk9kd1FZ
            cFprUlJUajRkK1N2S3JhSERLVHQ1ekczWmxRCk0rMmRrNjdiQmpnQVJmdHM4ZitL
            V3JVLy8xU3J3T0ZiMDY5dEN2bW9OWUEKLS0tIHBoeU1RbVhsMU0xMm1pcnV3bHA1
            dGpRU0VvTU8wSTlva0VzMkZVMkxtUFUK1/7ioFSrAsuyRJkk3rTnEy5xbq2q19xW
            5bE8rMfyOBRVrqIUYooDnR1OCpnfD51D3ro80NTfmKxVhxoTH9Miug==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORGV1RGg3WHRvWmhzRjkz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSzIwRUNKSnczYm1Eaklo
-            aFJOUTVHN3IvdlVHK1QwNlpPN002T1FOSmpFCm02T210R2FYUlcrL2h3RFdQYWhY
+            dzlSckxLT1FHc3diSy8rRXBIRTJKUVpkaXdVCkhHSXN3Z0FZLzQ3TFpiUWFZS0FZ
-            NkZxZVpNU3JGNCtWNEtIQmZhd3RKK0UKLS0tIEZudTlEbEFyQ2xOcDV6ODkvQkNz
+            QnVHTEVKVHNXWkdvRTF2WFJlRUIvNEkKLS0tIHo0OXZMQ0xkUWZyZExEWHhiZnRm
-            Mjk2SXFka05jYUNBNUxiSll5TVp6cjgKRK1errmBICcb3irz4qysjkd9rYH5K5Tf
+            SXBpaUNvWFByMis3dFlCLytRdEpIOTQKDBKJ+gvF84j2KOfPniyjJbmrh7GxgF3m
-            l+fTyGb3U26dlvP4Krlx/6dfH76NH/ZkvJ3E11aIvXAhu31upzALgQ==
+            DLhPHMaRkaQkWZaLTxijyAXv680X2vCFdBjRPA1fQMz55/2m9OdnPQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRUhiT1pHa0dYM2FPQlIz
            dHBadUlLanhYdTB1bjhnQWdsbHllOVFRNUdjCnNyaW45SUhydlErd3dRYnJHa3lD
            bGRnc1RTdm55VFZlR01icG5NNWJibG8KLS0tIDI5WjBOL3p4M1k2ZWI0d00weHpJ
            Nk5CeUY2M1VrZm1NZkVRa3ZMbDE3a3MKAb1sjdyJTVu3h52xEqJedn2MdNaFryLX
            gZOMBhtz4fac11RZC3nFA6RDra3KddQsad5lwK5JOeFFRi688x5cag==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2S3VPZHVrbGoxVUVldnJX
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNmg2R3V2b2ZLWGdWSGRp
-            L1dNL0JaRGVNemkzZkMwaDlOQ01RY2YyTmdrCmthaHRYVzV1Qk8xOE1aS29GUDha
+            bGpuWndqd0twcGdkT0xTWEV4MjR0MllhVG1JCnM2ZnFWcHEvb1U4S2xuRzdhMmFP
-            MUtlZ2FuVCtycWRMbWxrVURBUDg0dlkKLS0tIDRwSmJsN2FsVVpzOWV5WnZUaGkx
+            b2pickR4ZER6MWZHUExyTUw5c1VXR1EKLS0tIEtndm02blQxUlVEeko2SUxrUG9Y
-            ODcvNjl3cjE1Nm5DRHhzalRVUGdjUGcKOMfvjsP04O9UoRpyGncQ3Hon91rvXUH6
+            am1ZWVlFdm5HNWlhWkFQa3JLV0RCUGsKvlCCLWWui9UVDvI5P6qvSHFGWcbLByFC
-            fM6BWVEoH7tYq779YB3qEt2lh5TN/DDd8/ROOx25a4hL7F0/zy3vNA==
+            nX7x8fWBxaqF3wK32ndmVMBO6jlPVXcv6NsjpdRpbDxx1iMxFqc2+g==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSzVyTE44NUUzLzZVaDl0
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRjhpUXlNUmYvVTE1eklI
-            TmNWYWNuK21mS1RlTy83OFRrUlZSU1FYZGc4Cmx4eExyY3o2OUhmeEdoOEtNSFJQ
+            OEx4VWNSMXFuTWxIZWZTZUU2TFBYNEZUa1E0CjRzL1ZWc1VlZ1pxa3gyREUwZE1I
-            NUx3cnVBVEV1VGgxTWZFSmVoYlJtQUkKLS0tIHRjZTVtKzByWmRJMnpxNWo3RjEr
+            SnBNTVBQZTU3T3hHNEd1TlVYUkZmUVEKLS0tIG1SV3JUM2tlVVh5Z3B3ak5CNnhF
-            NCtmMTNmUWNkbUlIL0pEWUxCVk9XTzQKIxVOgsWjLvKwKpKMFQnkt5zzFMJ1P1AE
+            TVhFWnVON3hCVE8xVGRTR2FoNUF6ckEKA3Zy1LJoc+Ij+6nwMyyZ0yVycfpJEtSD
-            XqsOg5bKN7Yzw771PZ7nYPIIvsFPqznVARKTPxnjELjSUqT+VrJT/g==
+            icqaVJyssOaraf/GjWC03bLWUaIbGg6khBVBvsetS0m83wPeOwkmYQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpVGNIeTc1VFRRZjB5Q2tR
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVk9jNkx5WGFpZjFvdFVz
-            TjB2T3BRNk5xc0cyTE9KODBvMUdkOGxyN3o4CkNoYUl6QVhUN2dmcjYvdWRFTHpT
+            VVVwZ2lLU2lxZWp2bWd0cGhJd2kzQUJFWXdRCkFoOTJtRk9OMEtmamdOL2thc2dw
-            SDVIVmt3VFk3cHd4d0F2RHFkQ0lQbkEKLS0tIHNhaXhEbmJlMzZ5aWFZNWRRV25O
+            bURQRWNwRzBVVm82b1pKUm9ueTNDMHMKLS0tIHMxdGVQVzhjQ29zYXljUmNoTW1W
-            emh5UnZpRC9MWE9yWkxNYXQwa05kRWcKbo9ONgyzMWCCkG17nIRWOUkLR8WtPeL4
+            clJScGVoRU00Z0VxWWtSMmZPU3VwR1UKB7+fV7RD9MoiOzgVmTtWyPG+9G9i/VYk
-            U4yF9SDKtdwIJKuC097uIEXvF5blEkhf+5Mai0TMrhq+NMggjP7M1w==
+            4AK2BSXVJuz8Zhh82+xh04vh28/mT61WVWPMWfVryPuPELLo56HNOg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOXBwN0JoMjlidmVvdHB4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OHBQZDNvSDBVK0dReDZa
-            QkhqaDRjd0t1SEl1WllVTjVhMENJMGNoK1FjCnExSkJzanpmdWFick9BZy9BMDkv
+            Ykpkd3lEWG9zKzRIaHlNL095V3BaM0hPNm5RCi9pYzN0QVlHeVRtTFdQbjlaTWJp
-            UGV2VTlsL3hZWllkdlcwSGc4RlZJODQKLS0tIEZEM2hTZlN4VFI3Qk5JRXErUVNG
+            MlcyeDlpTGx1bkdJN245Y2xwaXc1TjgKLS0tIFN5U2xXK2RDcWpNRXBQa0hOVE9n
-            aUdDTlg0Y25rZHVwSjFnODk4MHZ4aEEKxYeMCkODa2JhGX3zlpmDJ+sbXD5T5DtT
+            cW52OFA2UVR6bnJhcWd2bms4VE8rNlEK8M0dEF85yzzkV1otG0a++a/TDw6n4zcN
-            Iedq5KFLmmvXBOu0sXlVdO+G0/qBgl/5t4pwLFDCx+qsxZgEJkUEMg==
+            YGbRLQTRfwmXgvX0cjU2lSU9tEtdSvHFHNcTLLOo+tbGNg2K45moDg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-27T09:27:41Z"
+    lastmodified: "2025-03-09T06:33:41Z"
-    mac: ENC[AES256_GCM,data:T2obxwbBbBiR3dPq3wYzrGEMdzUKZ9F5LJSDlG9zlECIsyYdlSCx4n0qrhOioNYpjwUNCGoBL0EH11cmTlUzpV/mA8e7oW2oXbVydP1xu9p8LQHtTO8veLPqfKYqEL6iCF/6iJWh/o+NYCAHzp1BWGR0VbrF4QBgYWSPRjy9HXQ=,iv:cdu2Y5OQ7wpLoAXWP94hU+syjqYhh7Z2G6ezgdDgGRg=,tag:/aHcyP+SmY4SQ9L+sEsemg==,type:str]
+    mac: ENC[AES256_GCM,data:UaQJeAhm6uIBAG6b/3UQvjTUPaOOVipwCxVJS6PqhGU1xcOL+/9jxh1ULpF5rXArhzLgTSCOIAEj5d7eMkDZVaBtvcdRyEWSqc1J4dD4I/kjFZBW6D6pews9YV4guVIDA49Sc6zFAl8NNzZW116FuUpqPfbBr0HjPWDVP665ZJY=,iv:VDoiyZGFrt3GtUqlFCvcQCPb7u7MukcWyzCKJ0rZ0Qo=,tag:FnV0+6DGc4WZ2oyPCQrrpA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4
--- a/nixos/hosts/varda/default.nix
+++ b/nixos/hosts/varda/default.nix
@ -1,6 +1,9 @@
 { pkgs, config, ... }:
 {
-  imports = [ ./resources/prune-backup.nix ];
+  pkgs,
  config,
  ...
 }: {
  imports = [./resources/prune-backup.nix];
  networking.hostId = "cdab8473";
  networking.hostName = "varda"; # Define your hostname.
@ -8,6 +11,7 @@
  # Add required CIFS support
  environment.systemPackages = with pkgs; [
    cifs-utils
    minio-client
  ];
  fileSystems = {
@ -30,17 +34,15 @@
      device = "//u370253-sub2.your-storagebox.de/u370253-sub2";
      fsType = "cifs";
-      options =
+      options = let
-        let
+        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,vers=3";
-          automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,vers=3";
+      in [
-        in
+        "${automount_opts},credentials=${config.sops.secrets.sambaCredentials.path},uid=994,gid=993" # evaluated and deployed from another machine
-        [
+      ];
          "${automount_opts},credentials=${config.sops.secrets.sambaCredentials.path},uid=994,gid=993" # evaluated and deployed from another machine
        ];
    };
  };
-  swapDevices = [ ];
+  swapDevices = [];
  # sops
  sops = {
@ -48,14 +50,49 @@
      "sambaCredentials" = {
        sopsFile = ./secrets.sops.yaml;
      };
      "security/acme/env" = {
        sopsFile = ./secrets.sops.yaml;
      };
    };
  };
  programs = {
    # Mosh
    mosh = {
      enable = true;
      openFirewall = true;
    };
  };
  services = {
    zfs = {
      # This helps a lot when upgrading
      expandOnBoot = "all";
      autoScrub.enable = true;
      trim.enable = true;
    };
  };
  # ACME (Let's Encrypt) Configuration
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${config.networking.domain}";
    certs.${config.networking.domain} = {
      extraDomainNames = [
        "${config.networking.domain}"
        "*.${config.networking.domain}"
      ];
      dnsProvider = "dnsimple";
      dnsResolver = "1.1.1.1:53";
      credentialsFile = config.sops.secrets."security/acme/env".path;
    };
  };
  # System settings and services.
  mySystem = {
    purpose = "Production";
-    system.motd.networkInterfaces = [ "enp1s0" ];
+    system.motd.networkInterfaces = ["enp1s0"];
    security.acme.enable = true;
    services = {
      forgejo = {
        enable = true;
--- a/nixos/hosts/varda/resources/prune-backup.nix
+++ b/nixos/hosts/varda/resources/prune-backup.nix
@ -1,13 +1,10 @@
-{ pkgs, ... }:
+{pkgs, ...}: let
 let
  cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (
    builtins.readFile ./prune-backups.sh
  );
-in
+in {
 {
  systemd.timers.cleanup-backups = {
-    wantedBy = [ "timers.target" ];
+    wantedBy = ["timers.target"];
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
--- a/nixos/hosts/varda/secrets.sops.yaml
+++ b/nixos/hosts/varda/secrets.sops.yaml
@ -1,84 +1,60 @@
-sambaCredentials: ENC[AES256_GCM,data:/Ghze4VQ0RKyTKZAh9T5rX37c2l+W44bayusTSHzU9jBviThWYHJBhPwgnpGaqw=,iv:3PvwXwTpQTsdKL/jqbOs0z6ErnWjY9YW5yQylUwtBMA=,tag:ecaNKAytyCC+eveQHiOtaA==,type:str]
+sambaCredentials: ENC[AES256_GCM,data:0caF4cBW5TSn36pZQmcjHbM9nrFGF55HmPVD4HMea1Ul7A3y1HHz0Pgl4rrYzdg=,iv:OCme9i0tHhDbypits5TKfsGXnblYqBPouhwSVeu5q+M=,tag:F9zub18fB0zZh5ssHal+Gw==,type:str]
 security:
    acme:
        env: ENC[AES256_GCM,data:LMrK8IIpx1d5Jl60VHDdwVLm4lyFDSELX1pF9wvFrNY0OJZ1EuHQ7Jgtf1wZ/cNy3XYFRxD9lEuNPJd0UN4vCw==,iv:2WEiipdYcsPX4frAvO7Iyp8zKWtydYlaPPKBd/1SFDM=,tag:G0Va5OcgSEO5E+m8jxsrFA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXpsV2xYNVdWMkNWZ2NK
            bUhCaXhpZG5GeWVXakdySzZhNjdnbmVFNFY4CmZiZEZDaDJSdmFCS1dQZ053V1lF
            Z1ZBa0dWRy9jMVZkYXJlLy9WRmIrREEKLS0tIFFLbEhxaTI5OXQyRFJ2bWF1dU9U
            WGZxd2dSZGhOVnBLSUNwaEZlMEFydzQKVG18nJUQgS0w69l+x2XD6BA9IEYra4E7
            Wr7GURRrSnS19eqpJR3NTcVBhRO4wUxaj8Xq+nJ54Duik13X1XXdkw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NDdTNHlnSkZaT2s2TTVs
            MnlSSXJFMUdtQ256LzIyZVJ6eFluejMyYmlNCnp5UzFjelN5bXlqRCttMTNiLzg2
            Z0xzWGZmK2U2Y0xzMlF6QnUzWmRidWcKLS0tIFB4YmJ0bDYzS2llN1RFT1Y5RE40
            KzhXQ1NtbVBWbGxGZjVMRUsvVnI1aTAKxdac0X3IX2HcKtuGHfqJn0MXhxU8bdGw
            D1RbcNR1R+uTwZ1IYLG8l6YHXSYV0U6wtv9BuFA7k6ayTA/PmziI6g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5U0FjbjFrOVd0Rkp1TDJJ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZjRIRWd5TnRJekYwNFNU
-            RTgrb0Q4cENjcEljTEJZOEI3NHZWVVI3S1dJCjVnS0JpL0dFbmdSN3Bnc3J1cXd5
+            SVRrYUNRandCbTZuN1FlbTQ3cUJPVmx6L0hvCnN3ZXo4TVVqT3d0ZUVBdHAzNVdx
-            TE1uai92QVEwZFZKU0VUUEwyK3dyNG8KLS0tIEhZTG1kOWgzU2lCbkcxUTc2NHZH
+            TmlDZkpxekV0R2ZTejhlMERqeGlpY0kKLS0tIEVjNENWd1FYMyt0YzZDVGRQZGRD
-            VjdjaEsyT1B6RjdsZWpVK3BJaU1EMlEKvOxJ5TyUYfpvCwpGNQpL+munayzBye2+
+            WG9sZWpoVmsrTUdnM1l3R044UUJmVGcKiYd6OSj0vPSGpfWDNBeAYMDp9W7Yvmip
-            aWKwNfbJS/0gZy+YpdDRwSliiOMh+DKa0rUHCDt/t79+Bhq/1FEpjA==
+            rqqt+Y9/ovF/yd1hDrM8nWru0W299u+ftSvwi/phxkmTBvK20U7Gtw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDL2pSS2JQeDVDa2EvMFhx
            OEFOT0RvUXdpT2ZYcHFNcmVxYzM1TS9lWkJvCmMvRE1ueUp0akxhVWxtY1dLTmRC
            M1U0ajdjT3ppZS81Y1llQll1UGg1emMKLS0tIFFMTEhHRmZrS1hVTjByS3ZmYjJJ
            Y2VtanY0RU51N2FFRlM1cVhQWktuSFkKRHc3kH4vvDFgFETVDSWZLES5lfWRcwVW
            eQs/glxlPh6yUhCutuEvrIy/fGwNbVaJsuud8jqFMemggt7x981DWg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreXVOaSsvQlBsTXB2dlUy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRmFJZFV3Qmx5NW96ZW5Z
-            VlNNMHhNTVFEamJBMTI0dDl4ZlBDSVNlZVg4CjhCNTlIMmdxUjJ0cHJuYUJUT0dV
+            Ykl4VDN2NGZGVmtJZWxIQXpoTlpqajdvYnd3CmlwWGErTDNBdHhHeTlXQWYrdmNu
-            UWFLNnZwTzVrbitFZTRXVjREYWVlSjQKLS0tIGMvZ25UNkttRTU1dmE1NThBVUR1
+            U0h6cG9sVXY0S1IvQlFNREV0TVk4U1EKLS0tIGhWT0UrMDNYTmlxSkdHRUYyNmhk
-            eWdMcy9rejNncEQ0T282QXpsUU1RWHcKJ5b/n751BlLzhsJNxRjAhMuCOD8ed630
+            NUphaExURXRsMVRVVTI0cVBxVWNDakkKbUZ1BOpKbi/Qs32bMhKa2YN2YFHaDlug
-            urmj6eX8piCSGOgChviahqEpyrlhrs0WJJxlJyiYWjQ4e0HRgHZaMg==
+            ywpwdGaa7IGNZbwN1bKJVNDGBOGXxX+rSqueK4c1AXwGtG3HfAVApg==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZDMwKzlLUnVJdW8zbU1L
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OVNLRkF2S0RyT3p4a2tT
-            ZDBBMm1zV0tWSWxZSU51NU8yS3JNaDk0T1hrCnpFcy8rVUViODNHT0pJR210WUhR
+            eURkOGkzTFcxajh5eHRFajlkYmdHQ2xBaVgwCkNqTm1Pem8yVWJUSEYvdnhTbjZN
-            aXp5ZlNENzEyRjI0TXducXpKN1ZsK1EKLS0tIC9HZW9OTnd4WjYxeXNuNDVQeTZx
+            R2h1RG4vMytUZmlFYzlKSXMva2tnYmsKLS0tIDVlT2dsRDRNQUZ1NklvT2Y1YnR6
-            LytvMjhzTk9NUVFUckJ1MVJhK2MyeWsKJALG7c/heYITQb/EBTAAQCCr4YovGqsH
+            Y1JkSXBEN1NhUUxUODhDS2J5eTVac0UKPR1qGMm94p2sKwXmCHygxZt8mfXJ3hCS
-            Y6FhDlwUsPn8SHmHwsi0haAoc7tlMKN6Mtv4MyJ6rSbCBo+c6H0n5A==
+            El5vgLXuzuE/qNB2g88j7bNOBN9g2Mxs2eLNdUEWj8tyahJ4BOTtWw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRU56YlJCcHdxQUZ5enJE
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByOWQ5WGdrNWpNWEFpa0Zq
-            VGd5cnlKUFpvdGMwVXRDd1B5VmUvVlFUeno4CmF5RVRiSUVTQVJYS2lDdnpFbGgy
+            UTRRYkJMOWZJcWtxNmRpTWpxOE82bVVaYkFzCnNGWkdaaXhySkk2NlJ1YlpsckFQ
-            OTgzMkVHSWdsTWl6MWtxck5nTU41V1EKLS0tIFpZencxelRCd3R5c2dFSGNRV29l
+            S3dITHhkNDkxb1VIZDNlQkd1enBvSU0KLS0tIDRGMklHTzNHUE8zUUNaK3l4dnF0
-            aU5kS1BnYjNXSC92bFdvV21kRER6TmMK6uKyU0iINdkRXwGfxxFjg+DzowkAFVFa
+            MHlIU3c4V0ZxeDlrTHlMeHpHaFRNYWsKmYaSicrgNvozfO6miBqvBr8voQlkOioZ
-            vsZAbx1Q7V6prwldJwQz516CfvByqLi8s3GYDU7/s99TjK/V+MPqSw==
+            dzBkLr/0de+WBm85GzhuTDpYb0cvzzxwoUlNyxDMjSSSGzLpc/dqxw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNnBWSklCT3RFSExsSDRO
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NU9nSVpRMnNwQWpIekdT
-            V2hPNmtiUGl5bjdaVU13dVFKVW5wL1hGOTBrClBKcG1YS0x5aGFyNGt5dkhPSDVC
+            b3R1NFhWYitNRFppT1FudlBNK1NZa0l1RlZBCmd5b0x6YThOTUhHN01pMUQvYm9Q
-            VWNDRFd5VHNjTHVWOEZSNEIwdFNNSUUKLS0tIE9abWUwZDdDUmIybnJ2aVJKbEcw
+            L0FUdVdRaHczRW1BbDNoYi9NeW4zdE0KLS0tIHJuWHFvSnRoSFZNUTUwaU9DRXJ3
-            c3dRV3NmMTFFbUlRUjF4dWZscEV0b3cKgXYOPwLnUyIBOkB2hIlnM42e3TQXXSIf
+            UHdRbDBBeXFwR0Vtc1h1N05mN0pVZzgKxLuY/RNLkhPpPDGDkO3yqbelCGng/qm1
-            GpaLKqOVw1fMSC0u7l/sTz7c2tAWVAfSXyOFcyUGpV7VAIKPjXj4og==
+            9Yo97TlLq4zyw1cu2z0Fvcid3ZJt107+NN/2DZ4o8eXSnBSVXUcktw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-03T20:11:27Z"
+    lastmodified: "2025-03-09T17:15:11Z"
-    mac: ENC[AES256_GCM,data:UFU5bQg2/OuCTkqV5efbGh8VPKqJWmyld0r01j97M7+CQGwyWoXlDmaMR+27xSjSDQPxwAhb+ejQue5585VNcztdBoaH0F8wOWgkdlzxiHMvQRC5TXjao4anxNRnedf07+YHQZ74udUa9Qf8UXZqIwb6HNCDmebrNi38GOWfoS0=,iv:YQ8gGj5LgMvaZqwTD3Vtj3tSjaAlmTaCFKaWkgM5WDA=,tag:K2tbaECleS8Rn0uIfL7x9w==,type:str]
+    mac: ENC[AES256_GCM,data:8nCX56znsRy2y1NmkCBJ5e/szd8CTJ1BIbNew40hdT50EruedQTmQWrOhql+na3ZDSWOfPHwufgX6hFwA6UHuOYZCswsS0ST2vtV1Y/f7Y0i20q7jAxslDxUt8MT94Z+WunZ7OgZn+3DVCSVkwtc3VqLT/gcATaA3KgbHTsiEFQ=,iv:PSkQC6oIlKAkwyVrwHJBLNVnhGVkSkVhtOyoV0FwPdY=,tag:bszELdBw3HnK9g5rPaocMQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4
--- a/nixos/lib/default.nix
+++ b/nixos/lib/default.nix
@ -1,63 +1,71 @@
-{ lib, ... }:
+{lib, ...}:
 with lib; rec {
  firstOrDefault = first: default:
    if first != null
    then first
    else default;
  existsOrDefault = x: set: default:
    if builtins.hasAttr x set
    then builtins.getAttr x set
    else default;
-with lib;
+  # Create custom package set
-rec {
+  mkMyPkgs = pkgs: {
-
+    borgmatic = pkgs.callPackage ../../nixos/packages/borgmatic {};
-  firstOrDefault = first: default: if first != null then first else default;
+    mods = pkgs.callPackage ../../nixos/packages/charm-mods {};
-  existsOrDefault =
+    # modrinth-app-unwrapped = pkgs.callPackage ../../nixos/packages/modrinth {};
-    x: set: default:
+  };
    if builtins.hasAttr x set then builtins.getAttr x set else default;
  # main service builder
-  mkService =
+  mkService = options: (
-    options:
+    let
-    (
+      user = existsOrDefault "user" options "568";
-      let
+      group = existsOrDefault "group" options "568";
        user = existsOrDefault "user" options "568";
        group = existsOrDefault "group" options "568";
-        enableBackups =
+      # enableBackups =
-          (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
+      #   (lib.attrsets.hasAttrByPath ["persistence" "folder"] options)
-          && (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
+      #   && (lib.attrsets.attrByPath ["persistence" "enable"] true options);
-        # Security options for containers
+      # Security options for containers
-        containerExtraOptions =
+      containerExtraOptions =
-          lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [
+        lib.optionals (lib.attrsets.attrByPath ["container" "caps" "privileged"] false options) [
-            "--privileged"
+          "--privileged"
-          ]
+        ]
-          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "readOnly"] false options) [
-            "--read-only"
+          "--read-only"
-          ]
+        ]
-          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "tmpfs"] false options) [
-            (map (folders: "--tmpfs=${folders}") tmpfsFolders)
+          (map (folders: "--tmpfs=${folders}") tmpfsFolders)
-          ]
+        ]
-          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "noNewPrivileges"] false options) [
-            "--security-opt=no-new-privileges"
+          "--security-opt=no-new-privileges"
-          ]
+        ]
-          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "dropAll"] false options) [
-            "--cap-drop=ALL"
+          "--cap-drop=ALL"
-          ];
+        ];
-      in
+    in {
-      {
+      virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
-        virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
+        image = "${options.container.image}";
-          image = "${options.container.image}";
+        user = "${user}:${group}";
-          user = "${user}:${group}";
+        environment =
-          environment = {
+          {
            TZ = options.timeZone;
-          } // options.container.env;
+          }
-          environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
+          // options.container.env;
-          volumes =
+        environmentFiles = lib.attrsets.attrByPath ["container" "envFiles"] [] options;
-            [ "/etc/localtime:/etc/localtime:ro" ]
+        volumes =
-            ++ lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
+          ["/etc/localtime:/etc/localtime:ro"]
-              "${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
+          ++ lib.optionals (lib.attrsets.hasAttrByPath ["container" "persistentFolderMount"] options) [
-            ]
+            "${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
-            ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
+          ]
-          extraOptions = containerExtraOptions;
+          ++ lib.attrsets.attrByPath ["container" "volumes"] [] options;
-        };
+        extraOptions = containerExtraOptions;
-        systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [
+      };
      systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [
          "persistence"
          "folder"
-        ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
+        ]
-      }
+        options) ["d ${options.persistence.folder} 0750 ${user} ${group} -"];
-    );
+    }
  );
 }
--- a/nixos/modules/nixos/containers/default.nix
+++ b/nixos/modules/nixos/containers/default.nix
@ -1,6 +1,7 @@
 {
  imports = [
    ./jellyfin
    ./jellyseerr
    ./ollama
    ./plex
    ./scrutiny
--- a/nixos/modules/nixos/containers/jellyfin/default.nix
+++ b/nixos/modules/nixos/containers/jellyfin/default.nix
@ -11,7 +11,7 @@ with lib; let
  image = "ghcr.io/jellyfin/jellyfin:${version}";
  user = "kah";
  # renovate: depName=ghcr.io/jellyfin/jellyfin datasource=docker
-  version = "10.10.4";
+  version = "10.10.6";
  volumeLocation = "/nahar/containers/volumes/jellyfin";
 in {
  # Options
@ -88,37 +88,6 @@ in {
      ];
    };
    sops.secrets = {
      "restic/jellyfin/env" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
      "restic/jellyfin/password" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
      "restic/jellyfin/template" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
    };
    # Restic backups for `jellyfin-local` and `jellyfin-remote`
    services.restic.backups = config.lib.mySystem.mkRestic {
      inherit app user;
      environmentFile = config.sops.secrets."restic/jellyfin/env".path;
      excludePaths = [];
      localResticTemplate = "/eru/restic/jellyfin";
      passwordFile = config.sops.secrets."restic/jellyfin/password".path;
      paths = [volumeLocation];
      remoteResticTemplateFile = config.sops.secrets."restic/jellyfin/template".path;
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
--- a/nixos/modules/nixos/containers/jellyfin/secrets.sops.yaml
+++ b/nixos/modules/nixos/containers/jellyfin/secrets.sops.yaml
@ -1,88 +1,61 @@
 restic:
    jellyfin:
-        env: ENC[AES256_GCM,data:293v4afGmUZuHMtdkcs=,iv:Aitx2N/qGXQDCpcgFa72cfvPW9KXLyqBkJ5csDitUMo=,tag:k6t0XYErgU5TuRW/e9AnXw==,type:str]
+        env: ENC[AES256_GCM,data:aau+5TFpye6u/e6Xnlg=,iv:ooDueH38Xukvvh+XORfW4giR+TaeVZEwK+EQnxFMKE8=,tag:u5JaeiGFi4e7gk3Bb1JLsw==,type:str]
-        password: ENC[AES256_GCM,data:eR0jFe6o6pLpKR9KjUpH6GWVMAys4EiX981VecNq9Et/fQ==,iv:l9tCvWH80sl+nS0RKdApCqzEr1PPpNQDJlr0ILZYK94=,tag:R4rnUw1y2QBG01XkMp1JSA==,type:str]
+        password: ENC[AES256_GCM,data:0tkviPFQsP9wAVcbxspwOdN7eT352pibr/gjSoVmmL77xw==,iv:H2R8HofrrUkTqPuGDkt4xkOhvi16/kdT2/GjvSY5HQg=,tag:atT5aBQgmxBeUsMd5IYXIQ==,type:str]
-        template: ENC[AES256_GCM,data:tj3qrery9dHplVa8ecac2x3yfISuaUSJJDKsXuRF1ek9G43Uj7B3P8m4JEFHBeCK6vvYIK2QGEcUW5QElnuPYCaB,iv:jp5biUiDMpAMghuO6sNaQ+RN0uFCAFgmPOQLB71KdCY=,tag:et41JJnD6/ZZsBLRCyJtHw==,type:str]
+        template: ENC[AES256_GCM,data:9P8G2rwOTMAj0PkHVGEouSLd9h2FrUxakYWQa4BMt6LiHxgwzlAVe9QSJFOr1di+HmfK+3Y2dG27pz/WW1J5OArD,iv:smq5UTpzJJ2GlfCkwjA0q4jl3XJo0M8KhBecXIqipx0=,tag:RA0UpqoBSLgwlHK5Lz9VEA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWnp6K2RsVHRmTFhYNGRs
            ZnRyVmVZU3hUNVVBZnRtWGVFZTgwTitLWlZrClZ1cUVOSHRCc0xBQ3pYWFI2VUgy
            NjVCMGxJWVpXNXc0R1p4cnNIazJHNlkKLS0tIFEzdE9pZ2N6cnVUTVdoRHFaZXQ0
            dVpzQU9tbzlURlVIMllYZEZpaE1PT0UKAqtn9wmQNNy8qMYy6tSc40/1I/4eseVs
            jsrfZU+73/OM5FvOLDo9EVBYhHGSO9/gTedbX8FJCzTYNcNPR/X6ww==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsS040Q0Y2N0hYczFsdkhT
            Rm5ERGVxaHJtYmZwUmpDUlpZc2hpZHNlOFI0Cm1oMmJ3SUZkT2pnVVNBS280d3Y0
            YU1mRWtqSlM0aDh1ZkRuWGpHVHNzTlUKLS0tIEQzU093U091WktCYjRHKzF2ODU4
            a0ozSGhwVFFkdkUrcFdqR3ZPd1IyNkEK+GZf0el8RwGXSHHSPqZ2NDhr3/788IT/
            z9A/zz56OcsRCT8l24+nVtx3pDhcqxvg201wtx0t54n1cLInpxAKSA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNjdJaEFYVVd6cElieTN4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZ0hkNVA5TXN4UmpZdG1z
-            Qm1vQVVDWmdNM2F4R3dDaU1SMjh5UWNwQzA4CkNCS1JxZHZHVU14T1pmQXZCS0ZE
+            dGEwUExxcnc4M01TV2hYTHprRTBDek1iMmpFCjhOT01lblB2aVpuRVZXZEJxeGJY
-            cTBHV2dUUmVMYTg2VGJCZTJGTFpMRUEKLS0tIEJ1YTcyOHZtNklVMk9mbDJEWjM0
+            cGNqWEVUMmlmVzlScng3TCtqSkxUL3MKLS0tIG9wWlVIYnRjOU1ZZ0pEdTFWWE4x
-            VmczY2UybkY5U2tzaitUN2pvWmpHV28KGJ8nlNSA+Fx0GaqMVraMrRGYbPk7BhcM
+            SFh5Tzc5SytvU0ZYbENDT2E4Y1doNHMKT5qjHInpLf8qEc+6FRM2hpQcbOJPFR15
-            92aNv8+1QqOU9NDveRapxv02Uo6dffCVH/343wGh9lPr4orF+OlOVg==
+            65UbBv00T6K8s8/ltNzwDUtjufIbtyOXjY+QrPGVm1lhFOXRYEBLWw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMDNrQ1Vuck4yTGFuZmp0
            Tm1GZWViTFF4S3JZUlBEK2Mvait2UE9NM1VBClhXMEpSenlWNkNYVFE4eUhoS0Zu
            NWt0NjEyUDdoQjRQSUNubDRBbDZGTlkKLS0tIGNJOXB6clUvQUk2dE1hMGV3T2po
            Q1VMS3J0alQ1bGxkYVFuMUhUalVuSjAKNnHfUtGfNKw+K7pAcyMaybFukjncAjFc
            AIoJPOiw83Vn1Ps+9tjRrEUzTNkTfaMqeIsN8BEDQ3LzQbX2b+Hnxw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVDV4eDM2N3ZialBWc2ds
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSDJNYnd6NTFOaXJ0QUpU
-            dWVIY0NQb21VcUxKM2VVWWFrYUd0eFoyY2owCkFQTmIvZDJzalRpUkJTcnNJMWFH
+            M1BCeHo0QmczQXN2ZEc1cXhsbTVaZzlkNDBFCjcwVnhvaC9KRjVzRjVTY3E0Q0RR
-            d3FtcmNVMnNEQkdUUFlTdGN0VmtWZjAKLS0tIGJNM09TVXJiNnR1MGQ0TG43Wno1
+            QUxRRGdPcEkxWmVPVVNxcXFBNVFDWW8KLS0tIGFBUlh1ZVJvd1dXc2NEM25sd0Fa
-            TFZFU3hPZkJHZkM3TjJyQVlGYW1MMUUK+5RtvM8icCrs8OBcJing+O+rfAiOI+BC
+            YWwyUS9LZnJyMEY4VzB0czFoWURSZEUKBg5zxFww39sHfH78p9WnkIcXyvq6VyIQ
-            z1p1vesZ7BCjFlPNAOt2QGii5h8XFwPyrXEklNXfIRzOmjIVgVC9Bw==
+            f1/zFRkuM8X3iuqOpNjjqThey1HKkvTzH18st5YLciDC6SV299JqZQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYThIdzRlZTdYaHI2Z2Ji
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dStpS3Uyb21NWFBJa2hV
-            NTFTUnBaWXAyS2R4Zlk4RjhjQU41YmFNZ0JZCmJjcSsxWFFGVkhUOG82ZTR5a0xa
+            VTJnSk9iV1ZMNkZnc3JId3hhbE1sSk5LSzJVCnZSeUJBTjNGVkhTYkpGZGZudDUz
-            VVVna3RTVVRKNWV4VVBoa3ZiUnJldlkKLS0tIDUyK2d1YS96WDZjV2Y3eWFJdHJN
+            RXc2VFVJNkM3bGpGMUlxc0s1Q2J4Mk0KLS0tIFFsMkdOWnQzeFlmYStaWWlYSHEz
-            VGJ3cHlCV25HMXIvTmdJcWtJTk9EUGsKpnsANd3XK5sH2bjSZJTZqYb7GjcY97K6
+            SUdtQTc5OVB5eklpVWFxRTNBUFhsVXcKX5xNh9jnOllbRaMyzjh/70ohLcO8BeU5
-            iEapD1nLkH4XTpqV0RnrKcIJFJ58LIupvSZZanRk3xt8NIvRTBp5OA==
+            hTWmdnTgclbVaFBOPTPY6CCXNnBuvqjdi+ok9QULDE9cvtLUpstbWQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoenJtK2xtUkJuS3dWZ0Vx
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaTlQaWt5QTFHVE9yS3lH
-            QldCOVkxYmY1VHhIYmYrVUUrelNCTVlybUhjCnVoK3o0VlZsblNTTW1Kbmp1dWpi
+            MVd5RmI2TVZaVGpodEFvOUhDLzg2Qjl3dDE0CllGWHhGTExVbDJydlhMclQ3RFBz
-            Tkl5bE41Qm9RUnpjWHMwSFczbGhrMGMKLS0tIHlIVVJ5QUxtYjhQcDhlOVpiaEdp
+            V2V1a3NTMG80Ykt2eHUwUW9aMXFMYzgKLS0tIHpJeFR3ZEJxWkg5Y2RQR0NUNUND
-            WG94a1JLbG9BeXVzdUY4bXFPbGREQncK8GS2wkyL0yFee/zSr7YD1RDyTtIiRp74
+            RERQbjlZNDJEUWVTd3d6YytVbUt5TzgKksgSnaMHY/wBVZyXBgrxsfxZABNDyuA3
-            ifygcB6UrJ+IhDLxWdcx8XhxkUHDLwUvLRQ71iRE54NytZbW29+FkQ==
+            8kgYBqd8p3g0OyW5h2UzDh7F7oweHhbljdL4CNlGDJ713ZlBggfsaQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWkpMbmNNdW01WTF2bG1Y
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYY0VXRm5SRTZYQ0JWK3JM
-            QUlGbDR1TU5QV0VXa1F0UzYwY1Q5R0hjQ2k4CkRWY0FONlJBS1c3V3BXU1FXOTVr
+            TW9POGhRVGZ2b0t4SGVEaUczaFBlaDlsc2p3CkhEb2JBTnNFdzl0RHM3aW5jaHFN
-            RnF3Vll0Uzg4bmtvVVRYZ1lVd1l5c28KLS0tIHRmQzRqUnVDUVZwOWtoQ3lib0g4
+            dzl6ellHY2prNk1xeUUwMVE4WVdiYmMKLS0tIDM4YVdMeFpyb0kzRmdLUXduWXdI
-            Z1UxbEtkU29kMndqTE5YbnArY3NEYWMKBpF0XsaNxby01RlquQg0nueXZdz7U+oA
+            KyswMHA3VDNkV1g1bEhhcUlNdHlFVW8K8fuwy7OtIoybFpaBBsZlxO40XUhDaxDR
-            32fA+V8AQ/aHg18JhxScsi4dILfnz7d4WZThbd4HYMKzxiCApguf2w==
+            W9xy0wVJplCNWDDN0Ff93hEXaYVcF/B3V3EdouzAbdycVTrtXhiO2g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-27T09:27:41Z"
+    lastmodified: "2025-03-09T06:33:40Z"
-    mac: ENC[AES256_GCM,data:vCxrV5Y1v6PuRVZI8tEmaai3kLatLQfk2xDR9wl4teTcSzvU1U2OWToEMFz695fgX62Gld8/U961WC0Q6HQWFPL9lrP/0vYoL9DWu7KAKIYI4lpPtAWi4pvudIJnT5Shd0aC6A/JC1iuI/JqekXRTJIqMUth9tIeoT7SmIgFn4E=,iv:BiqBRxMmUeXGiM5DgrInebr3yCXSd0FdVBfeI2Kc1sI=,tag:gsISmRZkL6XcRE9pLpSwWA==,type:str]
+    mac: ENC[AES256_GCM,data:MZx07lkc3i1nJicWlUofCr4gq05g/BYGx3949DSILeAWegrsTQXh8zqBWpultONgABPdYgIb/JwJClMmKQ+p37u+6aTklwZfW+su3tOYwknkPogHSxTFaLW0Yxzy4CvM2VNiFDNuvZT8LjCminBKpjJebYq+HCjNQn6Y9/dPyXI=,iv:LXwamgr7uE0dfKoRJC9IGvzZ+HmRXw8cdVoXG2DuuxM=,tag:tsJo/PFZLGcEoa02nXNbXg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4
--- a/nixos/modules/nixos/containers/jellyseerr/default.nix
+++ b/nixos/modules/nixos/containers/jellyseerr/default.nix
@ -0,0 +1,86 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "jellyseerr";
  cfg = config.mySystem.containers.${app};
  group = "kah";
  image = "ghcr.io/fallenbagel/jellyseerr:${version}";
  user = "jellyseerr";
  # renovate: depName=ghcr.io/fallenbagel/jellyseerr datasource=docker
  version = "2.5.0";
  volumeLocation = "/nahar/containers/volumes/jellyseerr";
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # User configuration
    users = mkIf (user == "jellyseerr") {
      users.jellyseerr = {
        inherit group;
        isSystemUser = true;
      };
    };
    # Systemd service for container
    systemd.services.${app} = {
      description = "Jellyseerr media request and discovery manager for Jellyfin";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "jellyseerr-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
          ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --user="${toString config.users.users."${user}".uid}:${
            toString config.users.groups."${group}".gid
          }" \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --volume="${volumeLocation}:/app/config:rw" \
            --volume="/moria/media:/media:rw" \
            --volume="tmpfs:/cache:rw" \
            --volume="tmpfs:/transcode:rw" \
            --volume="tmpfs:/tmp:rw" \
            --env=TZ=America/Chicago \
            -p 5055:5055 \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    # Firewall
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        5055 # HTTP web interface
      ];
    };
  };
 }
--- a/nixos/modules/nixos/containers/ollama/default.nix
+++ b/nixos/modules/nixos/containers/ollama/default.nix
@ -7,7 +7,7 @@
 with lib; let
  app = "ollama";
  # renovate: depName=docker.io/ollama/ollama datasource=docker
-  version = "0.5.7";
+  version = "0.5.13";
  image = "docker.io/ollama/ollama:${version}";
  cfg = config.mySystem.containers.${app};
 in {
--- a/nixos/modules/nixos/containers/plex/default.nix
+++ b/nixos/modules/nixos/containers/plex/default.nix
@ -11,7 +11,7 @@ with lib; let
  image = "ghcr.io/onedr0p/plex:${version}";
  user = "kah";
  # renovate: depName=ghcr.io/onedr0p/plex datasource=docker versioning=loose
-  version = "1.41.3.9314-a0bfb8370";
+  version = "1.41.5.9522-a96edc606";
  volumeLocation = "/nahar/containers/volumes/plex";
 in {
  # Options
@ -41,7 +41,6 @@ in {
          ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        # TODO: mount /config instead of /config/Library/Application Support/Plex Media Server
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
@ -80,38 +79,6 @@ in {
      ];
    };
    sops.secrets = {
      "restic/plex/env" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
      "restic/plex/password" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
      "restic/plex/template" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
    };
    # Restic backups for `plex-local` and `plex-remote`
    services.restic.backups = config.lib.mySystem.mkRestic {
      inherit app user;
      environmentFile = config.sops.secrets."restic/plex/env".path;
      excludePaths = ["${volumeLocation}/Library/Application Support/Plex Media Server/Cache"];
      localResticTemplate = "/eru/restic/plex";
      passwordFile = config.sops.secrets."restic/plex/password".path;
      paths = ["${volumeLocation}/Library"];
      remoteResticTemplateFile = config.sops.secrets."restic/plex/template".path;
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
--- a/nixos/modules/nixos/containers/plex/secrets.sops.yaml
+++ b/nixos/modules/nixos/containers/plex/secrets.sops.yaml
@ -1,88 +0,0 @@
 restic:
    plex:
        env: ENC[AES256_GCM,data:FwBQ9TJTiDGDEyrJkHo=,iv:pxqdwOPoxYAc+yY2xdNTi08jFNz+PvnZ9HYhmchEfiM=,tag:3uIPLUoZmDogmuShXqnAlw==,type:str]
        password: ENC[AES256_GCM,data:79FMf5T1gYQX0PYTiEUhPQnHbEIekmH2vJxqwhdCw1MpoA==,iv:n3cQ4cLoEKw7rbCgysc14CMmKtYUfhZW2I6V3qrFp3Q=,tag:ooNflv+TnUOD0JX6NAqxvQ==,type:str]
        template: ENC[AES256_GCM,data:br+HPd37B3rWYPLIYW8MiIHvR+PmsnBXEYLh8MT/v1rbcNH6ppyhwGMgP1kPkUX3o/0Y7PkW1pet5DRHcKUVnXpi,iv:O4MQQBpYCD8hkdTEroUn9+luUdCyz7MYUugjaYhF3Uc=,tag:db5DQBfPGX9ToQzwn1K7GA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbSs2TFBpbW51aThtcEJL
            eW80aG50VHJzcWVFSDlTbE40dHZqTnVpWDFBCkUwNVIrZkdyd1dKcjFzMENFdTN5
            dVBZKzVIYnFJdnkzTlRCT2hITTVsSzgKLS0tIFREVWJENUtoWGR1THlwWXNNV3p4
            cElGSzFtallzc2xBajRYSGNvOHJnM3cKIdyVG7MySM9caGUXaiTSsz1VVlD7GxRz
            +5NNPoZgfe1SiptiQl3vO8FcIg5XtutI2nwYqLK5gzxZ7x6+D2Oedw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dFAxT3ZCZ1BlV2VSQmlr
            cW9SbWpLRUE4QlNGN21YdGM2NXhGdm1kVmlZClBORG5Mbmtaait4WXZiYkp3cGxR
            WGFWT3NwaS9RK0IzN1FDR3ZWUjIyQVkKLS0tIDJYaVRORk94UXYySStUN0lJYlB5
            L01LdFBzYUhmcENPMGIrYWU0dW91c2sKlraBMZ30AerY2YrGnV1pkeL6xJIGUPlX
            JzjzPmkvqidCaT+gADxM9xTp9S5ZavLn0sGLapqfx2P7pDndRh74Qg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtanl6bWlrQlM2R1Bud0dk
            cWJZdjJZUFVMY3BudEdRVVFOMy9IMTNGS1NzCnZHNXYzRVl5akFDYlNWVXZtMzNL
            UnZEN3ZFUDB6b05Wa3lSc291WXVVeGMKLS0tIGk5ZTJ6d3A4M3ZqTm9KSjVudVBX
            TzNNemlGc1JOckxERUx5V3VCbHBIZlkK+7+PJhU+4hnOiURvfhQOMh3Njl5E8OCj
            CCH5feYLIOpfgEKQbhW8LFkakoqlU5ASdralMRq5h4OZt8hGciYgwg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VFovdW1UbjlLZnRFZWZh
            MUg0RkZqckcxcENRSG5aSkdQNkoraXFTbTNrCnlYWWVOdHVxYUwwaWYvOS8xaG9y
            eS9za000VmR0T0ZZeHp5RXl0c1FUZDgKLS0tIERjY0hrdDlQb29UWC8ybDgwdXQy
            WEVNVjBYV3RUZUN2SksvWDlzYnJydWcKEzXYhd0GUZNDdQcJ1lc5Ci4TAebQHzdd
            Nyrf7Xhgb/vNoScFAvLxpJaEP9aJzWOL7wVHgnzFdf9ViRGF0yynnw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwU3JKelJlUUZxRi90RmRP
            VUpoYXZaQlZpaEZiL3orb2Rva3U4TkZ2TDBVCmpwQXFtUHlicHh0S2h3TUN0U2dE
            MXIrcUdhbWZLdFdhRnB1YkhDL2JkV3cKLS0tIFdCZWVmMytST3dHVG5LL1duckRj
            alZDNkYxVnljUk9Gc25vVElPL0RXSDQKM84i+oIeivQFSIDBhT9Gg3XHk8GFRbzO
            IwUrRIkj+yDKepz+r2Lc+yD2BOeFo+CNuReoJd2SGou7e628VysB4g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRE5UbGxUenRZVjU2NVF6
            RHNUOXJ5bnJmdm13YTNKV1YwdFdJS3JpMTBrCkRNQWNiMXp4SHZ6bGdJay9pYjgr
            UW1CSVRNMFFWNjA5YSttTHBGTWpCcE0KLS0tIDBUV25tdUZHbHpIb3Y1U281dGtl
            bUNHazJDUnEwc015WXlybTdEK1RHL1UKZE/5YGvUN2tR1t7s/Lq1jG3FoMIOmKDK
            GXwUQb1HG7PDG9V/pKWs9OVoFxv7qVuuBm29rRnI44pEERARtbs55Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWHBEUDNuRDhVMmp4QUYr
            cCtmZ2RMWVFNWVhVck44U3ROTE8xNm9kV0Y4CktSelh0ckdQZHNTVnVsVXJweUly
            UmphNzRJU3JOSThQVXB3ZXRlY3BOK1UKLS0tIG1nT09WUm1YcVFJRHZyWFJOKzZx
            OTFDbExmeXBBWmRjSE5BUnpGY0xLRjAKnLWKZEmlI9SsfZgus7tuCOFzokDobz8F
            s7zQ078Dv7R55EPoYPfq8rsMvFpELrAqrNLAR9x4W5YledBDJV8s+A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRSttM1NDdFJib2FleTY0
            UnkrUFhBUFlWNkxEZUNLMjVTUWh4VkhPbkY4CllRY3d0ZXpGRkM0ZG45TVE5SGx3
            ek9BNW9SUGVLZjRiSkVlT2MrSU85VGsKLS0tIEtlcklOOXZldUJwZmVDaWhNeFh2
            RDgrMDlLVm9rN2JRZ3gxSCtxOWlhWkEKkXtZtmXnRn1ukRI4CkjkYefyGOuCw+GC
            HCKKdsASQm4JjcnlUbkL97bC0H+VcLNqHm6NR9dghI9IYuYAeLqMNA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-27T09:27:41Z"
    mac: ENC[AES256_GCM,data:OU23F2vdLKE2aas9xUsx5cmObBmdqybXSfdUT+BGd/mdhThF6vNR3Xwo4PcaK8VPmQ8JmXjOUJ/A9vKvcgz1LuEywgAacayDf6TUu1yXPDm09wFwWGTAYugy2Z54a0VQ8u7Cu/4Ijx0hU0luaYsbCyr7FmKgeO+H+L47JKnrPp8=,iv:dowA2KQqSjNIoPq1A0Yv9g71FSJgey5mMQMuJJMSSWA=,tag:eJrk49soG6dA8UilhuKGaw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/nixos/modules/nixos/containers/scrutiny/default.nix
+++ b/nixos/modules/nixos/containers/scrutiny/default.nix
@ -1,12 +1,14 @@
-{ lib, config, ... }:
+{
-with lib;
+  lib,
-let
+  config,
  ...
 }:
 with lib; let
  app = "scrutiny";
  # renovate: depName=AnalogJ/scrutiny datasource=github-releases
  version = "v0.8.1";
  cfg = config.mySystem.services.${app};
-in
+in {
 {
  options.mySystem.services.${app} = {
    enable = mkEnableOption "${app}";
@ -33,7 +35,7 @@ in
    # --device /dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
    devices = mkOption {
      type = types.listOf types.str;
-      default = [ ];
+      default = [];
      description = ''
        Devices to monitor on Scrutiny.
      '';
--- a/nixos/modules/nixos/containers/scrypted/default.nix
+++ b/nixos/modules/nixos/containers/scrypted/default.nix
@ -7,7 +7,7 @@
 with lib; let
  app = "scrypted";
  # renovate: depName=ghcr.io/koush/scrypted datasource=docker versioning=docker
-  version = "v0.127.1-noble-nvidia";
+  version = "v0.138.12-noble-nvidia";
  image = "ghcr.io/koush/scrypted:${version}";
  cfg = config.mySystem.containers.${app};
 in {
@ -75,6 +75,7 @@ in {
        11080 # Main Scrypted interface
        10443 # HTTPS interface
        8554 # RTSP server
        33961 # Homekit
      ];
      allowedUDPPorts = [
        10443 # HTTPS interface
--- a/nixos/modules/nixos/de/default.nix
+++ b/nixos/modules/nixos/de/default.nix
@ -0,0 +1,7 @@
 {
  imports = [
    ./gnome.nix
    ./hyprland.nix
    ./kde.nix
  ];
 }
--- a/nixos/modules/nixos/de/gnome.nix
+++ b/nixos/modules/nixos/de/gnome.nix
@ -0,0 +1,114 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: let
  cfg = config.mySystem.de.gnome;
 in {
  options = {
    mySystem.de.gnome = {
      enable =
        lib.mkEnableOption "GNOME"
        // {
          default = false;
        };
      systrayicons =
        lib.mkEnableOption "Enable systray icons"
        // {
          default = true;
        };
      gsconnect =
        lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)"
        // {
          default = true;
        };
    };
  };
  config = lib.mkIf cfg.enable {
    # Ref: https://nixos.wiki/wiki/GNOME
    services = {
      displayManager = {
        defaultSession = "gnome";
        autoLogin = {
          enable = false;
          user = "jahanson"; # TODO move to config overlay
        };
      };
      xserver = {
        enable = true;
        xkb.layout = "us"; # `localctl` will give you
        displayManager = {
          gdm.enable = true;
        };
        desktopManager = {
          # GNOME
          gnome.enable = true;
        };
      };
      udev.packages = lib.optionals cfg.systrayicons [pkgs.gnome.gnome-settings-daemon]; # support appindicator
    };
    # systyray icons
    # extra pkgs and extensions
    environment = {
      systemPackages = with pkgs;
        [
          wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
          playerctl # gsconnect play/pause command
          pamixer # gcsconnect volume control
          gnome.gnome-tweaks
          gnome.dconf-editor
          # This installs the extension packages, but
          # dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
          gnomeExtensions.vitals
          gnomeExtensions.caffeine
          gnomeExtensions.dash-to-dock
        ]
        ++ optionals cfg.systrayicons [pkgs.gnomeExtensions.appindicator];
    };
    # enable gsconnect
    # this method also opens the firewall ports required when enable = true
    programs.kdeconnect = lib.mkIf cfg.gsconnect {
      enable = true;
      package = pkgs.gnomeExtensions.gsconnect;
    };
    # GNOME connection to browsers - requires flag on browser as well
    services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) (
      lib.attrValues config.home-manager.users
    );
    # And dconf
    programs.dconf.enable = true;
    # Exclude default GNOME packages that dont interest me.
    environment.gnome.excludePackages =
      (with pkgs; [
        gnome-photos
        gnome-tour
        gedit # text editor
      ])
      ++ (with pkgs.gnome; [
        cheese # webcam tool
        gnome-music
        gnome-terminal
        epiphany # web browser
        geary # email reader
        evince # document viewer
        gnome-characters
        totem # video player
        tali # poker game
        iagno # go game
        hitori # sudoku game
        atomix # puzzle game
      ]);
  };
 }
--- a/nixos/modules/nixos/de/hyprland.nix
+++ b/nixos/modules/nixos/de/hyprland.nix
@ -0,0 +1,146 @@
 {
  lib,
  config,
  pkgs,
  inputs,
  ...
 }: let
  cfg = config.mySystem.de.hyprland;
  hypr-pkgs = inputs.hyprland.inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
 in {
  options = {
    mySystem.de.hyprland = {
      enable =
        lib.mkEnableOption "Hyprland"
        // {
          default = false;
        };
    };
  };
  config = lib.mkIf cfg.enable {
    # We need all hyprland packages to follow the same MESA version
    hardware = {
      graphics = {
        package = hypr-pkgs.mesa.drivers;
      };
    };
    # Hyprland nixpkgs system packages
    environment.systemPackages = with pkgs; [
      # Hyprland
      cava # Audio visualizer
      cliphist # Clipboard history
      duf # du tui - Disk Usage
      greetd.tuigreet # TUI login manager
      grim # Screenshot tool
      hypridle # Hyprland idle daemon
      inputs.ags.packages.${pkgs.stdenv.hostPlatform.system}.ags # AGS
      inxi # System information tool
      libva-utils # to view graphics capabilities
      loupe # Screenshot tool
      nvtopPackages.full # Video card monitoring
      nwg-displays # Display manager for Hyprland
      nwg-look # GTK settings editor, designed for Wayland.
      pamixer # Volume control
      pyprland # Python bindings for Hyprland
      rofi-wayland # Window switcher and run dialog
      slurp # Select a region in Wayland
      swappy # Snapshot editor, designed for Wayland.
      swaynotificationcenter
      swww # Wallpaper daemon for wayland
      wallust # Generate and change colors schemes on the fly.
      waybar # Wayland top bar
      wl-clipboard # Pipe to and from the clipboard
      wlogout
      wlr-randr # Wayland screen management
      wofi # Rofi for Wayland
      yad # Display dialog boxes from shell scripts
      (mpv.override {scripts = [mpvScripts.mpris];})
      # XDG things
      xdg-user-dirs
      xdg-utils
      # GTK things
      gnome-system-monitor
      bc
      baobab
      glib
      # Qt things
      gsettings-qt
      libsForQt5.qtstyleplugin-kvantum # Kvantum theme engine
      # bar
      libappindicator
      libnotify
      busybox
    ];
    # Enabling Hyprlock to unlock the system
    security = {
      pam.services.hyprlock = {};
      polkit.enable = true;
    };
    # Hyprland nixpkgs program modules
    programs = {
      # Hyprland DE
      hyprland = {
        enable = true;
        package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
        portalPackage =
          inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
        withUWSM = true;
      };
      dconf.enable = true;
      seahorse.enable = true;
      ssh = {
        enableAskPassword = true;
        askPassword = "${pkgs.seahorse}/libexec/seahorse/ssh-askpass";
      };
      fuse.userAllowOther = true;
      ## Additional programs for the overall Hyprland experience
      hyprlock = {
        enable = true;
        package = inputs.hyprlock.packages.${pkgs.stdenv.hostPlatform.system}.hyprlock;
      };
      nm-applet.indicator = true; # Compatability; Application indicator for NetworkManager
      thunar.enable = true;
      thunar.plugins = with pkgs.xfce; [
        exo
        mousepad
        thunar-archive-plugin
        thunar-volman
        tumbler
      ];
      gnupg.agent = {
        enable = true;
        enableSSHSupport = true;
      };
    };
    # Hyprland nixpkgs service modules
    services = {
      greetd = {
        enable = true;
        vt = 3;
        settings = {
          default_session = {
            user = "jahanson";
            command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd='uwsm start select'"; # start Hyprland with a TUI login manager
          };
        };
      };
      gnome.gnome-keyring.enable = true;
    };
    # Fonts
    fonts.packages = with pkgs; [
      fira-code
      font-awesome
      jetbrains-mono
      noto-fonts
      noto-fonts-cjk-sans
      terminus_font
      victor-mono
      unstable.nerd-fonts.jetbrains-mono
      unstable.nerd-fonts.fira-code
      unstable.nerd-fonts.fantasque-sans-mono
    ];
  };
 }
--- a/nixos/modules/nixos/de/kde.nix
+++ b/nixos/modules/nixos/de/kde.nix
@ -0,0 +1,70 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: let
  cfg = config.mySystem.de.kde;
  flameshotOverride = pkgs.unstable.flameshot.override {enableWlrSupport = true;};
 in {
  options = {
    mySystem.de.kde = {
      enable =
        lib.mkEnableOption "KDE"
        // {
          default = false;
        };
    };
  };
  config = lib.mkIf cfg.enable {
    # Ref: https://wiki.nixos.org/wiki/KDE
    # KDE
    services = {
      displayManager = {
        sddm = {
          enable = true;
          wayland = {
            enable = true;
          };
        };
      };
      desktopManager.plasma6.enable = true;
    };
    security = {
      # realtime process priority
      rtkit.enable = true;
      # KDE Wallet PAM integration for unlocking the default wallet on login
      pam.services."sddm".kwallet.enable = true;
    };
    # enable pipewire for sound
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };
    # extra pkgs and extensions
    environment = {
      systemPackages = with pkgs; [
        wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
        playerctl # gsconnect play/pause command
        vorta # Borg backup tool
        flameshotOverride # screenshot tool
        libsForQt5.qt5.qtbase # for vivaldi compatibility
        kdePackages.discover # KDE software center -- mainly for flatpak updates
      ];
    };
    # enable kdeconnect
    # this method also opens the firewall ports required when enable = true
    programs.kdeconnect = {
      enable = true;
    };
  };
 }
--- a/nixos/modules/nixos/default.nix
+++ b/nixos/modules/nixos/default.nix
@ -1,8 +1,12 @@
 { lib, config, ... }:
 with lib;
 {
  lib,
  config,
  ...
 }:
 with lib; {
  imports = [
    ./containers
    ./de
    ./editor
    ./hardware
    ./lib.nix
@ -51,7 +55,7 @@ with lib;
    monitoring.prometheus.scrapeConfigs = mkOption {
      type = lib.types.listOf lib.types.attrs;
      description = "Prometheus scrape targets";
-      default = [ ];
+      default = [];
    };
  };
--- a/nixos/modules/nixos/editor/default.nix
+++ b/nixos/modules/nixos/editor/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
    ./nvim.nix
    ./vim.nix
    ./vscode.nix
  ];
--- a/nixos/modules/nixos/editor/nvim.nix
+++ b/nixos/modules/nixos/editor/nvim.nix
@ -0,0 +1,199 @@
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.mySystem.editor.nvim;
 in {
  options.mySystem.editor.nvim.enable = mkEnableOption "nvim";
  config = mkIf cfg.enable {
    # Enable nvim and configure plugins/settings
    # Uses nvf https://github.com/NotAShelf/nvf to configure nvim on nix.
    programs.nvf = {
      enable = true;
      settings.vim = {
        keymaps = [
          {
            mode = "n";
            key = "<leader>rp";
            action = ":lua require('precognition').peek()<CR>";
            desc = "Peek recognition";
          }
        ];
        viAlias = false;
        vimAlias = true;
        lsp = {
          enable = true;
          formatOnSave = true;
          lspsaga.enable = false;
          trouble.enable = true;
          lspSignature.enable = true;
          otter-nvim.enable = true;
          lsplines.enable = true;
          nvim-docs-view.enable = true;
        };
        languages = {
          enableLSP = true;
          enableFormat = true;
          enableTreesitter = true;
          enableExtraDiagnostics = true;
          nix.enable = true;
          markdown.enable = true;
          bash.enable = true;
          css.enable = true;
          html.enable = true;
          sql.enable = true;
          ts.enable = true;
          go.enable = true;
          lua.enable = true;
          zig.enable = true;
          python.enable = true;
          rust = {
            enable = true;
            crates.enable = true;
          };
          astro.enable = true;
          nu.enable = true;
          csharp.enable = true;
          tailwind.enable = true;
        };
        visuals = {
          nvim-scrollbar.enable = true;
          nvim-web-devicons.enable = true;
          nvim-cursorline.enable = true;
          cinnamon-nvim.enable = true;
          fidget-nvim.enable = true;
          highlight-undo.enable = true;
          indent-blankline.enable = true;
          cellular-automaton.enable = true;
        };
        statusline = {
          lualine = {
            enable = true;
            theme = "catppuccin";
          };
        };
        theme = {
          enable = true;
          name = "catppuccin";
          style = "mocha";
          transparent = false;
        };
        autopairs.nvim-autopairs.enable = true;
        autocomplete.nvim-cmp.enable = true;
        snippets.luasnip.enable = true;
        filetree.neo-tree.enable = true;
        tabline.nvimBufferline.enable = true;
        treesitter.context.enable = true;
        binds = {
          whichKey.enable = true;
          cheatsheet.enable = true;
        };
        telescope.enable = true;
        git = {
          enable = true;
          gitsigns = {
            enable = true;
            codeActions.enable = false;
          };
        };
        minimap = {
          minimap-vim.enable = false;
          codewindow.enable = true;
        };
        dashboard = {
          dashboard-nvim.enable = false;
          alpha.enable = true;
        };
        notify = {
          nvim-notify.enable = true;
        };
        projects = {
          project-nvim.enable = true;
        };
        utility = {
          vim-wakatime.enable = true;
          icon-picker.enable = true;
          surround.enable = true;
          diffview-nvim.enable = true;
          yanky-nvim.enable = false;
          motion = {
            hop.enable = true;
            leap.enable = true;
            precognition = {
              enable = true;
              setupOpts.startVisible = false;
            };
          };
          images = {
            image-nvim.enable = false;
          };
        };
        notes = {
          mind-nvim.enable = true;
          todo-comments.enable = true;
        };
        terminal = {
          toggleterm = {
            enable = true;
            lazygit.enable = true;
          };
        };
        ui = {
          borders.enable = true;
          noice.enable = true;
          colorizer.enable = true;
          modes-nvim.enable = false;
          illuminate.enable = true;
          breadcrumbs = {
            enable = true;
            navbuddy.enable = true;
          };
          smartcolumn = {
            enable = true;
            setupOpts.custom_colorcolumn = {
              nix = "110";
              ruby = "120";
              java = "130";
              go = ["90" "130"];
            };
          };
          fastaction.enable = true;
        };
        assistant = {
          copilot = {
            enable = true;
            cmp.enable = true;
          };
        };
        session = {
          nvim-session-manager.enable = false;
        };
        comments = {
          comment-nvim.enable = true;
        };
        presence = {
          neocord.enable = false;
        };
      };
    };
  };
 }
--- a/nixos/modules/nixos/editor/vim.nix
+++ b/nixos/modules/nixos/editor/vim.nix
@ -1,12 +1,13 @@
 # /home/jahanson/projects/mochi/nixos/modules/nixos/editor/vim.nix
 { config, lib, ... }:
 with lib;
 let
  cfg = config.mySystem.editor.vim;
  users = [ "jahanson" ];
 in
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.mySystem.editor.vim;
  users = ["jahanson"];
 in {
  options.mySystem.editor.vim.enable = mkEnableOption "vim";
  config = mkIf cfg.enable {
    # Enable vim and set as default editor
@ -16,19 +17,20 @@ in
    # Visual mode off and syntax highlighting on
    home-manager.users =
      mapAttrs
-        (user: _: {
+      (user: _: {
-          home.file.".vimrc".text = ''
+        home.file.".vimrc".text = ''
-            set mouse-=a
+          set mouse-=a
-            syntax on
+          syntax on
-          '';
+        '';
-        })
+      })
-        (
+      (
-          listToAttrs (
+        listToAttrs (
-            map (u: {
+          map (u: {
-              name = u;
+            name = u;
-              value = { };
+            value = {};
-            }) users
+          })
-          )
+          users
-        );
+        )
      );
  };
 }
--- a/nixos/modules/nixos/editor/vscode.nix
+++ b/nixos/modules/nixos/editor/vscode.nix
@ -4,26 +4,19 @@
  pkgs,
  ...
 }:
-with lib;
+with lib; let
 let
  cfg = config.mySystem.editor.vscode;
  # VSCode Community Extensions. These are updated daily.
  vscodeCommunityExtensions = [
    "ahmadalli.vscode-nginx-conf"
    "astro-build.astro-vscode"
    "bmalehorn.vscode-fish"
    "coder.coder-remote"
    "dracula-theme.theme-dracula"
    "catppuccin.catppuccin-vsc"
    "editorconfig.editorconfig"
    "esbenp.prettier-vscode"
    "foxundermoon.shell-format"
    "github.copilot"
    "hashicorp.hcl"
    "jnoortheen.nix-ide"
    "mikestead.dotenv"
    "mrmlnc.vscode-json5"
    "ms-azuretools.vscode-docker"
    # "ms-python.python" # Python extensions *required* for redhat.ansible/vscode-yaml
    "ms-python.vscode-pylance"
    "ms-vscode-remote.remote-ssh-edit"
    "pkief.material-icon-theme"
@ -37,10 +30,11 @@ let
    "fill-labs.dependi"
    "rust-lang.rust-analyzer"
    "dustypomerleau.rust-syntax"
    "mattheworford.hocon-tools"
    "pgourlain.erlang"
    "exiasr.hadolint"
    "astro-build.astro-vscode"
    # "github.copilot"
    # "github.copilot-chat"
    # "ms-python.python" # Python extensions *required* for redhat.ansible/vscode-yaml
  ];
  # Nixpkgs Extensions. These are updated whenver they get around to it.
  vscodeNixpkgsExtensions = [
@ -49,52 +43,47 @@ let
  ];
  # Straight from the VSCode marketplace.
  marketplaceExtensions = [
-    # {
+    {
-    #   name = "copilot";
+      name = "copilot";
-    #   publisher = "github";
+      publisher = "github";
-    #   version = "1.219.0";
+      version = "1.277.0";
-    #   sha256 = "Y/l59JsmAKtENhBBf965brSwSkTjSOEuxc3tlWI88sY=";
+      sha256 = "sha256-cRz5gby2VOk4QS+Z67Sm/rb5heBANJFitkn+s06yVv0=";
-    # }
+    }
    {
      # Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
      # The latest generally targets insiders build of vs code right now and it won't load on stable.
      name = "copilot-chat";
      publisher = "github";
-      version = "0.21.1";
+      version = "0.25.0";
-      sha256 = "sha256-8naCDn6esc1ZR30aX7/+F6ClFjQLPQ3k3r6jyVZ3iNg=";
+      sha256 = "sha256-rureag8PaZwEME41EdaDMIVnYN17CqBhu9Pa5SuWRKU=";
    }
    {
      name = "remote-ssh";
      publisher = "ms-vscode-remote";
      version = "0.113.1";
      sha256 = "sha256-/tyyjf3fquUmjdEX7Gyt3MChzn1qMbijyej8Lskt6So=";
    }
    {
      # Same issue as the above -- auto pulling nightly builds not compatible with vscode stable.
      name = "python";
      publisher = "ms-python";
-      version = "2024.14.1";
+      version = "2025.2.0";
-      sha256 = "sha256-NhE3xATR4D6aAqIT/hToZ/qzMvZxjTmpTyDoIrdvuTE=";
+      sha256 = "sha256-f573A/7s8jVfH1f3ZYZSTftrfBs6iyMWewhorX4Z0Nc=";
    }
  ];
  # Extract extension strings and coerce them to a list of valid attribute paths.
-  vscodeCommunityExtensionsPackages = map (
+  vscodeCommunityExtensionsPackages =
-    ext: getAttrFromPath (splitString "." ext) pkgs.vscode-marketplace
+    map (
-  ) vscodeCommunityExtensions;
+      ext: getAttrFromPath (splitString "." ext) pkgs.vscode-marketplace
-  nixpkgsExtensionsPackages = map (
+    )
-    ext: getAttrFromPath (splitString "." ext) pkgs.vscode-extensions
+    vscodeCommunityExtensions;
-  ) vscodeNixpkgsExtensions;
+  nixpkgsExtensionsPackages =
    map (
      ext: getAttrFromPath (splitString "." ext) pkgs.vscode-extensions
    )
    vscodeNixpkgsExtensions;
  marketplaceExtensionsPackages = pkgs.vscode-utils.extensionsFromVscodeMarketplace marketplaceExtensions;
-in
+in {
 {
  options.mySystem.editor.vscode.enable = mkEnableOption "vscode";
  config = mkIf cfg.enable {
    # Enable vscode & addons
    environment.systemPackages = with pkgs; [
      (vscode-with-extensions.override {
-        inherit (unstable) vscode;
+        inherit (master) vscode;
        # Merge all the extension packages together.
        vscodeExtensions =
          vscodeCommunityExtensionsPackages ++ nixpkgsExtensionsPackages ++ marketplaceExtensionsPackages;
--- a/nixos/modules/nixos/games/steam/steam.nix
+++ b/nixos/modules/nixos/games/steam/steam.nix
@ -3,11 +3,9 @@
  lib,
  pkgs,
  ...
-}:
+}: let
 let
  cfg = config.mySystem.games.steam;
-in
+in {
 {
  options.mySystem.games.steam = {
    enable = lib.mkEnableOption "Steam";
  };
@ -24,6 +22,5 @@ in
    environment.systemPackages = with pkgs; [
      protonup-qt
    ];
  };
 }
--- a/nixos/modules/nixos/hardware/nvidia/default.nix
+++ b/nixos/modules/nixos/hardware/nvidia/default.nix
@ -4,15 +4,12 @@
  pkgs,
  ...
 }:
-with lib;
+with lib; let
 let
  cfg = config.mySystem.hardware.nvidia;
-in
+in {
 {
  options.mySystem.hardware.nvidia.enable = mkEnableOption "NVIDIA config";
  config = mkIf cfg.enable {
    environment.sessionVariables.NIXOS_OZONE_WL = "1";
    # ref: https://nixos.wiki/wiki/Nvidia
    # Enable OpenGL
@ -30,7 +27,6 @@ in
      # This is for the benefit of VSCODE running natively in wayland
      nvidia = {
        # Modesetting is required.
        modesetting.enable = true;
--- a/nixos/modules/nixos/lib.nix
+++ b/nixos/modules/nixos/lib.nix
@ -3,44 +3,43 @@
  config,
  pkgs,
  ...
-}:
+}: {
 {
  # container builder
-  lib.mySystem.mkContainer =
+  lib.mySystem.mkContainer = options: (
-    options:
+    let
-    (
+      containerExtraOptions =
-      let
+        lib.optionals (lib.attrsets.attrByPath ["caps" "privileged"] false options) ["--privileged"]
-        containerExtraOptions =
+        ++ lib.optionals (lib.attrsets.attrByPath ["caps" "readOnly"] false options) ["--read-only"]
-          lib.optionals (lib.attrsets.attrByPath [ "caps" "privileged" ] false options) [ "--privileged" ]
+        ++ lib.optionals (lib.attrsets.attrByPath ["caps" "tmpfs"] false options) (
-          ++ lib.optionals (lib.attrsets.attrByPath [ "caps" "readOnly" ] false options) [ "--read-only" ]
+          map (folders: "--tmpfs=${folders}") options.caps.tmpfsFolders
-          ++ lib.optionals (lib.attrsets.attrByPath [ "caps" "tmpfs" ] false options) (
+        )
-            map (folders: "--tmpfs=${folders}") options.caps.tmpfsFolders
+        ++ lib.optionals (lib.attrsets.attrByPath ["caps" "noNewPrivileges"] false options) [
-          )
+          "--security-opt=no-new-privileges"
-          ++ lib.optionals (lib.attrsets.attrByPath [ "caps" "noNewPrivileges" ] false options) [
+        ]
-            "--security-opt=no-new-privileges"
+        ++ lib.optionals (lib.attrsets.attrByPath ["caps" "dropAll"] false options) ["--cap-drop=ALL"];
-          ]
+    in {
-          ++ lib.optionals (lib.attrsets.attrByPath [ "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ];
+      ${options.app} = {
-      in
+        image = "${options.image}";
-      {
+        user = "${options.user}:${options.group}";
-        ${options.app} = {
+        environment =
-          image = "${options.image}";
+          {
          user = "${options.user}:${options.group}";
          environment = {
            TZ = config.time.timeZone;
-          } // lib.attrsets.attrByPath [ "env" ] { } options;
+          }
-          dependsOn = lib.attrsets.attrByPath [ "dependsOn" ] [ ] options;
+          // lib.attrsets.attrByPath ["env"] {} options;
-          entrypoint = lib.attrsets.attrByPath [ "entrypoint" ] null options;
+        dependsOn = lib.attrsets.attrByPath ["dependsOn"] [] options;
-          cmd = lib.attrsets.attrByPath [ "cmd" ] [ ] options;
+        entrypoint = lib.attrsets.attrByPath ["entrypoint"] null options;
-          environmentFiles = lib.attrsets.attrByPath [ "envFiles" ] [ ] options;
+        cmd = lib.attrsets.attrByPath ["cmd"] [] options;
-          volumes = [
+        environmentFiles = lib.attrsets.attrByPath ["envFiles"] [] options;
        volumes =
          [
            "/etc/localtime:/etc/localtime:ro"
-          ] ++ lib.attrsets.attrByPath [ "volumes" ] [ ] options;
+          ]
-          ports = lib.attrsets.attrByPath [ "ports" ] [ ] options;
+          ++ lib.attrsets.attrByPath ["volumes"] [] options;
-          extraOptions = containerExtraOptions;
+        ports = lib.attrsets.attrByPath ["ports"] [] options;
-        };
+        extraOptions = containerExtraOptions;
-      }
+      };
-    );
+    }
  );
  ## Creates a standardized restic backup configuration for both local and remote backups per app.
  # One S3 bucket per server. Each app has its own repository in the bucket.
@ -76,73 +75,79 @@
  # This creates two backup jobs:
  #   - nextcloud-local: backs up to local storage
  #   - nextcloud-remote: backs up to remote storage (e.g. S3)
-  lib.mySystem.mkRestic =
+  lib.mySystem.mkRestic = options: let
-    options:
+    # excludePaths is optional
-    let
+    # excludePaths =
-      # excludePaths is optional
+    #   if builtins.hasAttr "excludePaths" options
-      excludePaths = if builtins.hasAttr "excludePaths" options then options.excludePaths else [ ];
+    #   then options.excludePaths
-      # Decide which mutually exclusive options to use
+    #   else [];
-      remoteResticTemplateFile =
+    # Decide which mutually exclusive options to use
-        if builtins.hasAttr "remoteResticTemplateFile" options then
+    remoteResticTemplateFile =
-          options.remoteResticTemplateFile
+      if builtins.hasAttr "remoteResticTemplateFile" options
-        else
+      then options.remoteResticTemplateFile
-          null;
+      else null;
-      remoteResticTemplate =
+    remoteResticTemplate =
-        if builtins.hasAttr "remoteResticTemplate" options then options.remoteResticTemplate else null;
+      if builtins.hasAttr "remoteResticTemplate" options
-      # 2:05 daily backup with 3h random delay
+      then options.remoteResticTemplate
-      timerConfig = {
+      else null;
-        OnCalendar = "06:05"; # night snap is taken at 02:10
+    # 2:05 daily backup with 3h random delay
-        Persistent = true;
+    timerConfig = null;
-        RandomizedDelaySec = "30m";
+    #{
-      };
+    #OnCalendar = "00:20"; # night snap is taken at 02:10
-      # 7 daily, 5 weekly, 12 monthly backups
+    #Persistent = true;
-      pruneOpts = [
+    #RandomizedDelaySec = "30m";
-        "--keep-daily 7"
+    #};
-        "--keep-weekly 5"
+    # 7 daily, 5 weekly, 12 monthly backups
-      ];
+    pruneOpts = [
-      # Initialize the repository if it doesn't exist
+      "--keep-daily 7"
-      initialize = true;
+      "--keep-weekly 5"
-      # Only one backup is ever running at a time it's safe to say that we can remove stale locks
+    ];
-      backupPrepareCommand = ''
+    # Initialize the repository if it doesn't exist
-        # remove stale locks - this avoids some occasional annoyance
+    initialize = true;
-        #
+    # Only one backup is ever running at a time it's safe to say that we can remove stale locks
-        ${pkgs.restic}/bin/restic unlock --remove-all || true
+    backupPrepareCommand = ''
-      '';
+      # remove stale locks - this avoids some occasional annoyance
-    in
+      #
-    {
+      ${pkgs.restic}/bin/restic unlock --remove-all || true
-      # local backup
+    '';
-      "${options.app}-local" = {
+  in {
-        inherit
+    # local backup
-          pruneOpts
+    "${options.app}-local" = {
-          timerConfig
+      inherit
-          initialize
+        pruneOpts
-          backupPrepareCommand
+        timerConfig
-          ;
+        initialize
-        inherit (options) user passwordFile environmentFile;
+        backupPrepareCommand
-        # Move the path to the zfs snapshot path
+        ;
-        paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
+      inherit (options) user passwordFile environmentFile;
-        exclude = map (
+      # Move the path to the zfs snapshot path
      paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
      exclude =
        map (
          x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
-        ) options.excludePaths;
+        )
-        repository = "${options.localResticTemplate}";
+        options.excludePaths;
-      };
+      repository = "${options.localResticTemplate}";
      # remote backup
      "${options.app}-remote" = {
        inherit
          pruneOpts
          timerConfig
          initialize
          backupPrepareCommand
          ;
        inherit (options) user passwordFile environmentFile;
        # Move the path to the zfs snapshot path
        paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
        repository = remoteResticTemplate;
        repositoryFile = remoteResticTemplateFile;
        exclude = map (
          x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
        ) options.excludePaths;
      };
    };
    # remote backup
    "${options.app}-remote" = {
      inherit
        pruneOpts
        timerConfig
        initialize
        backupPrepareCommand
        ;
      inherit (options) user passwordFile environmentFile;
      # Move the path to the zfs snapshot path
      paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
      repository = remoteResticTemplate;
      repositoryFile = remoteResticTemplateFile;
      exclude =
        map (
          x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
        )
        options.excludePaths;
    };
  };
 }
--- a/nixos/modules/nixos/programs/shell/fish.nix
+++ b/nixos/modules/nixos/programs/shell/fish.nix
@ -1,9 +1,11 @@
 { lib, config, ... }:
 with lib;
 let
  cfg = config.mySystem.shell.fish;
 in
 {
  lib,
  config,
  ...
 }:
 with lib; let
  cfg = config.mySystem.shell.fish;
 in {
  options.mySystem.shell.fish = {
    enable = mkEnableOption "Fish";
    enablePlugins = mkOption {
@ -22,5 +24,4 @@ in
      functions.enable = true;
    };
  };
 }
--- a/nixos/modules/nixos/security/1password/default.nix
+++ b/nixos/modules/nixos/security/1password/default.nix
@ -1,10 +1,12 @@
-{ config, lib, ... }:
+{
-with lib;
+  config,
-let
+  lib,
  ...
 }:
 with lib; let
  cfg = config.mySystem.security._1password;
  user = "jahanson";
-in
+in {
 {
  options.mySystem.security._1password = {
    enable = mkEnableOption "_1password";
  };
@ -14,7 +16,7 @@ in
      _1password.enable = true;
      _1password-gui = {
        enable = true;
-        polkitPolicyOwners = [ "${user}" ];
+        polkitPolicyOwners = ["${user}"];
      };
    };
@ -28,6 +30,7 @@ in
      "1password/custom_allowed_browsers" = {
        text = ''
          vivaldi-bin
          zen
        '';
        mode = "0755";
      };
--- a/nixos/modules/nixos/security/acme/default.nix
+++ b/nixos/modules/nixos/security/acme/default.nix
@ -1,30 +0,0 @@
 { lib, config, ... }:
 with lib;
 let
  cfg = config.mySystem.security.acme;
 in
 {
  options.mySystem.security.acme.enable = mkEnableOption "acme";
  config = mkIf cfg.enable {
    sops.secrets = {
      "security/acme/env".sopsFile = ./secrets.sops.yaml;
      "security/acme/env".restartUnits = [ "lego.service" ];
    };
    security.acme = {
      acceptTerms = true;
      defaults.email = "admin@${config.networking.domain}";
      certs.${config.networking.domain} = {
        extraDomainNames = [
          "${config.networking.domain}"
          "*.${config.networking.domain}"
        ];
        dnsProvider = "cloudflare";
        dnsResolver = "1.1.1.1:53";
        credentialsFile = config.sops.secrets."security/acme/env".path;
      };
    };
  };
 }
--- a/nixos/modules/nixos/security/acme/secrets.sops.yaml
+++ b/nixos/modules/nixos/security/acme/secrets.sops.yaml
@ -1,86 +0,0 @@
 security:
    acme:
        env: ENC[AES256_GCM,data:YTs3BpKlOAmFW2hEXdQINCwznXI6RtpdePwwekG8b/3OuQkAFV6Zkvyn7hXut6FSPSQMOW2RXrc+4HvhYUcJy3o=,iv:GFS1gf58jini93yqrZiceJ/GuXNokZGQ+CRFUWB8OX0=,tag:8BGR6T93Wwxx3GRutr4c7g==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SWIvMUNEbVpUNUJFSXJk
            U1V2T1NmbzdqeGhxZkt5MmtYUzRDQVJQOWc0CnkrZjgvbW9ESEpPdUZqVzV0OEk2
            Y21kVEswUUFlV2hYOFZqMzdnNGpKbFUKLS0tIFhoRlVtSW5RN2E2dWIxMmNleW91
            bFdPMmZxaVU2VWFPL1RLemlBRnZzTEEKh6ftfs2Q0X1pCDZae3HA2//Ds5MGmj6C
            U0ZP41k4a9M6q3QR+XbTtRVeQ0ZsgEEtHifCfwZ1zzjvCNtH8/t0cg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWmFKeWVsTGJ4YnA1Q2R4
            Wi9KZVVqd1l6TGh3aStaZmNYK29SUXladVZzCjJNVk93dWRSTHkrMkI1NGx5VkNH
            Y3Rwd01zQkxtTEpVK3BIdGx0eVNsWDgKLS0tIEdwTTIwcjVQbTdRUTBYVXl4Nno2
            WmxRWHFzKzVGTHhrNmtGYXF6cDlTYWMKmgcQQQBeCVvn8D0J4sDWmutD4FtbIIcM
            9mvmjb7AC5jZfaLs+XZIghs48vLfE1PnV3eJDo2mVneLvz8H1ZBeVg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUnpRakhVOFpyU2NjdDlr
            OHdNcEtKb3lkTWJjZDc0YzZ2cUdjWlhEcWo4CkxqMGlTU3NKMTljOWZ0VmNWVHZz
            bXM2L1NSME1CVk9rVUE2QXpzR01TMWMKLS0tIERPNEdxWndwQVc2SkhKV1pBTnRU
            VENyeERJZC8rRlFsY0Y5ZktxVUNTb2cK9EkFNElu/XBjCcLaLfHTg7FvyUhSYVqh
            BV8BSLvlk7VKWZXdoDA7l067+rP8i/vHvUToWTmBT+8TTAVrJ5GxdQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dElKZ0VFclpmRE9LdUkw
            dFoxdGs4SlBwYWJ0OHU2YUxlN2lpVGZnblNVCitZMm1ad25ZTzc2U0lsN1lLdm4y
            R3pJNStKMkhTbnRQK2lCZWlxMlJ5WTAKLS0tIFRWYnllU0Y2VlkyVm02bUJRUXdS
            VlQzeDVoNC9VTWtkNlRkNGRZWkM3RFUK/GXcyCI43ccib9tJRqvUc49AgY+XFY8G
            xFXyZENlrdok4gLzkZU/6rsREPZvH5f8Wy/N0wckDVbr+ItT5C8Jgw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNnN0MUd3WFgwV1VMeTUr
            UXhLdEFkVUxEWnhtSDgzTkdDd2NHK0hmcGxzCnk4U3lMWjE5QjIxc3dVRVRyaDdz
            bGh1cFBhR3Vwa1MzMVlVTFBiZ1hYT28KLS0tIDUvWmY1SUpuU3dOei9HZi9RY1o2
            ekFnQVVDZyszU09ISUdZVUJveGIxdHcK4fVUOjtKv22HOLehHdnICd3u9/lqWFQc
            fg0o8ORvx03p3Dkv+EBtiR5xvMhs8o0B5+njpxKpWGcx4/eclQjZbA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbmlucy9xRnVMdkJjcGJm
            SGc3TFJYdHJjT0wxeTRYd2lsa0Z2Si9kbFJJCjgyZU13VTlENndsY29CZ2FmcWRL
            NlovK3REWlpsOU4zejBzMGt6Y1d1c00KLS0tIHFScnJIYUs5QnhLQ0JTcC9lU25S
            R0N4MkwvSkZMcVQyc01UUGY5cHFYRGsK1AChAqWcAF9KHGRjkKXxiWYcgrWg/4Gf
            7o81nkJTw8IwQdpSZ7wqNEt0q5mNk6EDALNe+uCcoipi9m/8qlWtqA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYdkQ2U1JVdGtWUlpNQ1hk
            L2oyWXQxZTdqUkhFWXZMZmFaSDN5ekpLQndBCkN2KzlDdUdOTmRnTmRGQ1ptWDlq
            eWFtS2ZqMG9ZWm5VRDdvdHJiQTFBeUEKLS0tIG1vRmliWmZ3bmV0QnNaWldqdENr
            OCtERmcvWm1MRy9JMWpWWW5jeWNDUVEK8mc8dU+Z/tJD25Qo5rKnYwDhpk+OXDvI
            HepjgAjpl7s00zZlZfizCF1Ekn3RJOY74VEI7aJk5RAzYB2XBNr0Vg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSnFGUVAxak5aeTAxR09m
            cm5DajdZS2tnWWNzZm9RZTE4VDQ3U3EvZGprCkc2WkZKOW1MQVpKM0EreUVSRDJ5
            ZS9ORnlkUnNVVFp4YTZnNkFSNlVaZk0KLS0tIERDbzBUQlRRQ3g3OXR6aVJCa3V2
            QUs4WVFncENjZ0xjU0xVejZpV3oybm8KdHXR6uxiCmhpznGRg4Mr4nPavgFcCKH1
            jwpTZ2eiQHKlrfBP+kwgFtCQXofNgtv09rbKW1NRElsXzjQNG9rCbg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-27T09:27:41Z"
    mac: ENC[AES256_GCM,data:A9ltB8LJC28ysgjiEVdjGRZexorstigJZooqvwi7OPUcV7QfR/A9kRBMagZs5bjU62Ntg05LBel7pnT5ftWspWFBAARpW2eio6yR2UwZh9TCQDJsOzNr9hNykaGuzKcutRsVysgenvClPLoLgXZo71Rt84ExlWJI0qs6y4NHGpA=,iv:p+VB0VP1zJ+TuysH+72LpVMyOsSGOvndCnatOVHdX/E=,tag:M7oOo1yCxBUCckaE5TXtBg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Joseph Hanson	553a39c0dc	nvf	2025-03-11 13:25:31 -05:00
Joseph Hanson	5be8330807	Merge pull request 'chore(deps): update ghcr.io/koush/scrypted docker tag to v0.138.12' (#86 ) from renovate/ghcr.io-koush-scrypted-0.x into main Reviewed-on: #86	2025-03-11 12:39:27 -05:00
Joseph Hanson	fc17937891	Merge pull request 'chore(deps): update https://github.com/cachix/cachix-action action to v16' (#88 ) from renovate/https-github.com-cachix-cachix-action-16.x into main Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 2m6s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 2m59s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 31m33s Details Reviewed-on: #88	2025-03-11 12:36:06 -05:00
Joseph Hanson	1b5fe8c91c	Merge pull request 'chore(deps): update ghcr.io/fallenbagel/jellyseerr docker tag to v2.5.0' (#87 ) from renovate/ghcr.io-fallenbagel-jellyseerr-2.x into main Reviewed-on: #87	2025-03-11 12:35:28 -05:00
Joseph Hanson	2da705ae31	Merge pull request 'chore(deps): update ghcr.io/onedr0p/plex docker tag to v1.41.5.9522-a96edc606' (#89 ) from renovate/ghcr.io-onedr0p-plex-1.x into main Reviewed-on: #89	2025-03-11 12:34:32 -05:00
Renovate Bot	e2f5b239dc	chore(deps): update ghcr.io/onedr0p/plex docker tag to v1.41.5.9522-a96edc606	2025-03-11 16:31:21 +00:00
Renovate Bot	a62f5b01b2	chore(deps): update ghcr.io/fallenbagel/jellyseerr docker tag to v2.5.0	2025-03-11 03:32:24 +00:00
Renovate Bot	69ae9a0473	chore(deps): update https://github.com/cachix/cachix-action action to v16	2025-03-10 19:01:29 +00:00
Joseph Hanson	a5657bb002	switch shadowfax to workstation and remove sworkstation now that it's fully capable	2025-03-10 12:44:15 -05:00
Joseph Hanson	a57fc1c6c5	add ghostty package Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 41s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 3m3s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 33m43s Details	2025-03-10 10:28:50 -05:00
Renovate Bot	36ab47590c	chore(deps): update ghcr.io/koush/scrypted docker tag to v0.138.12	2025-03-10 03:02:22 +00:00
Joseph Hanson	5c88fcde15	different service now	2025-03-09 13:15:00 -05:00
Joseph Hanson	358929aafa	clean up and move acme to each host	2025-03-09 12:53:38 -05:00
Joseph Hanson	96af04f592	update abbr	2025-03-09 00:41:26 -06:00
Joseph Hanson	a4533ae581	update telchar sops pub key update hosts and roll sops	2025-03-09 00:34:50 -06:00
Joseph Hanson	2c57288228	enable mosh on varda	2025-03-09 00:17:28 -06:00
Joseph Hanson	7b1e1b8cf4	remove cosmic substituter	2025-03-08 13:10:58 -06:00
Joseph Hanson	11078a6ba0	add astro extension	2025-03-08 13:10:46 -06:00
Joseph Hanson	b91da39d03	add distrobox and flake-config substituters Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 1m22s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 2m52s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 24m39s Details	2025-03-07 19:49:23 -06:00
Joseph Hanson	7179e99f2a	enable nightly snap	2025-03-07 19:48:39 -06:00
Joseph Hanson	ab200ae814	feat: add zen browser Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 1m40s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 4m56s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 22m14s Details	2025-03-07 06:15:01 -06:00
Joseph Hanson	e6e258feeb	reformat --> alejandra	2025-03-06 09:51:33 -06:00
Joseph Hanson	f4e15b7e90	update soft-serve and disable stats server Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 21s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 4m50s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 29m41s Details vscode --> master. update extensions.	2025-03-06 09:44:07 -06:00
Joseph Hanson	638158ecc5	move hardware to profile	2025-03-05 22:41:39 -06:00
Joseph Hanson	62e3cd1a09	refactor: remove obsolete commented-out code	2025-03-05 13:43:48 -06:00
Joseph Hanson	68cc4b8558	Merge pull request 'chore(deps): update ghcr.io/koush/scrypted docker tag to v0.138.8' (#85 ) from renovate/ghcr.io-koush-scrypted-0.x into main Reviewed-on: #85	2025-03-05 13:37:15 -06:00
Joseph Hanson	8ab253654c	refactor: Move inputs section to bottom of flake.nix	2025-03-05 13:36:25 -06:00
Joseph Hanson	b90d0361fb	aider	2025-03-05 12:53:45 -06:00
Renovate Bot	72545c1181	chore(deps): update ghcr.io/koush/scrypted docker tag to v0.138.8	2025-03-05 17:00:51 +00:00
Joseph Hanson	efbf50f860	fix nvidia and ozone env var	2025-03-05 10:57:06 -06:00
Joseph Hanson	a21deba5f2	move ozone var to wayland global	2025-03-05 10:35:26 -06:00
Joseph Hanson	7624c21894	Merge pull request 'chore(deps): update ghcr.io/koush/scrypted docker tag to v0.138.7' (#84 ) from renovate/ghcr.io-koush-scrypted-0.x into main Reviewed-on: #84	2025-03-04 22:54:36 -06:00
Renovate Bot	48033142a4	chore(deps): update ghcr.io/koush/scrypted docker tag to v0.138.7	2025-03-05 04:14:13 +00:00
Joseph Hanson	f20aee2353	Merge pull request 'Update docker.io/ollama/ollama Docker tag to v0.5.13' (#83 ) from renovate/docker.io-ollama-ollama-0.x into main Reviewed-on: #83	2025-03-04 21:37:46 -06:00
Joseph Hanson	3a80f4d084	Merge pull request 'Update ghcr.io/koush/scrypted Docker tag to v0.138.6' (#82 ) from renovate/ghcr.io-koush-scrypted-0.x into main Reviewed-on: #82	2025-03-04 21:37:28 -06:00
Renovate Bot	8f5942938e	Update ghcr.io/koush/scrypted Docker tag to v0.138.6	2025-03-05 03:31:53 +00:00
Joseph Hanson	68bccb1c90	Flake lock update -- all Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 1m16s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 4m59s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 38m1s Details	2025-03-04 17:32:42 -06:00
Joseph Hanson	3025ed02f6	install themes from nixpkgs	2025-03-04 17:12:59 -06:00
Renovate Bot	d0d65ba07a	chore(deps): update docker.io/ollama/ollama docker tag to v0.5.13	2025-03-04 01:30:50 +00:00
Joseph Hanson	20b1998378	not needed	2025-03-03 18:58:11 -06:00
Joseph Hanson	079b0858d9	hyprland and myPkg/overlay migrations	2025-03-03 17:08:24 -06:00
Joseph Hanson	12dee64ccd	format	2025-03-03 17:07:42 -06:00
Joseph Hanson	5c08f24307	Merge pull request 'chore(deps): update docker.io/ollama/ollama docker tag to v0.5.12' (#80 ) from renovate/docker.io-ollama-ollama-0.x into main Reviewed-on: #80	2025-03-01 07:50:59 -06:00
Joseph Hanson	6e6111f5a5	correct path	2025-02-28 23:44:35 -06:00
Joseph Hanson	98c0f8d201	add data dir	2025-02-28 23:38:51 -06:00
Joseph Hanson	a221eca57b	add minecraft server test	2025-02-28 23:17:22 -06:00
Joseph Hanson	9ba6e6ae4e	add vesktop	2025-02-28 23:17:11 -06:00
Joseph Hanson	96393b4476	Cleanup db entries.	2025-02-28 22:48:27 -06:00
Joseph Hanson	1f550f4019	moved my npm globals	2025-02-28 22:46:21 -06:00
Joseph Hanson	6ec3873832	ah yes, gtk4	2025-02-28 22:46:07 -06:00
Joseph Hanson	9155ae4cae	add nodejs, zulu open jdk, remove modrinth for now. I'll just use prism.	2025-02-28 22:45:52 -06:00
Joseph Hanson	3300dd0480	fixes -- but no tls for some reason	2025-02-28 22:45:12 -06:00
Joseph Hanson	60fa032842	Add modrinth v0.9.3	2025-02-28 16:57:17 -06:00
Joseph Hanson	af474361ef	correct ask-pass program Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 37s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 2m56s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 26m31s Details	2025-02-28 13:57:28 -06:00
Joseph Hanson	fd9c2f3d13	lots of fixes for hyprland	2025-02-28 13:17:00 -06:00
Joseph Hanson	c689c4fe4a	hyprland fixes and roll sops	2025-02-28 07:34:36 -06:00
Joseph Hanson	aa71e5bc55	Merge pull request 'feat: hyprland module and adding telchar' (#81 ) from hyprland-and-telchar into main Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 2m23s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 7m15s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 28m46s Details Reviewed-on: #81	2025-02-27 14:55:22 -06:00
Joseph Hanson	21da9f6da2	feat: hyprland module and adding telchar	2025-02-27 13:59:11 -06:00
Joseph Hanson	d0496de0b3	messy code deserves a one-liner doc	2025-02-25 13:03:44 -06:00
Joseph Hanson	f5e45209ec	remove restic, add borgmatic. update template update config template update	2025-02-25 13:03:44 -06:00
Joseph Hanson	f96ed50dfa	Add 'my packages'	2025-02-24 16:14:45 -06:00
Joseph Hanson	fca664b887	correct comment	2025-02-23 21:18:06 -06:00
Joseph Hanson	4493b2519d	check network mount before backup - fail if disconnected	2025-02-23 20:25:53 -06:00
Joseph Hanson	d3d9e0fd1a	zfs auto expand, scrub, and trim	2025-02-23 20:25:19 -06:00
Renovate Bot	95939c8b99	Update docker.io/ollama/ollama Docker tag to v0.5.12	2025-02-21 23:32:13 +00:00
Joseph Hanson	c2004c61c7	add jellyseerr to containers	2025-02-20 11:31:25 -06:00
Joseph Hanson	9d7fe1c0d5	Merge pull request 'Update ghcr.io/jellyfin/jellyfin Docker tag to v10.10.6' (#78 ) from renovate/ghcr.io-jellyfin-jellyfin-10.x into main Reviewed-on: #78	2025-02-20 07:12:17 -06:00
Joseph Hanson	d12f39bc0a	Merge pull request 'Update ghcr.io/koush/scrypted Docker tag to v0.138.2' (#79 ) from renovate/ghcr.io-koush-scrypted-0.x into main Reviewed-on: #79	2025-02-20 07:12:07 -06:00
Joseph Hanson	d94f172721	update radarr and arr derivation names	2025-02-19 15:52:40 -06:00
Joseph Hanson	a7e673ac69	db is now optional for sonarr, radarr, and prowlarr.	2025-02-19 15:33:09 -06:00
Renovate Bot	5a11c51b33	Update ghcr.io/koush/scrypted Docker tag to v0.138.2	2025-02-18 22:02:21 +00:00
Renovate Bot	e310dbc581	Update ghcr.io/jellyfin/jellyfin Docker tag to v10.10.6	2025-02-16 22:33:10 +00:00
Joseph Hanson	18274be266	update firewall, add wlr-xrandr Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 2m14s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 5m53s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 31m10s Details	2025-02-15 18:24:14 -06:00
Joseph Hanson	2bb9d5bf13	update arrs	2025-02-15 18:23:11 -06:00
Joseph Hanson	fa3dd0637b	Merge pull request 'Update ghcr.io/koush/scrypted Docker tag to v0.138.0' (#73 ) from renovate/ghcr.io-koush-scrypted-0.x into main Reviewed-on: #73	2025-02-14 12:03:25 -06:00
Joseph Hanson	b392e37b0c	Merge pull request 'Update ghcr.io/onedr0p/plex Docker tag to v1.41.4.9463-630c9f557' (#77 ) from renovate/ghcr.io-onedr0p-plex-1.x into main Reviewed-on: #77	2025-02-14 12:03:09 -06:00
Joseph Hanson	3f7007d88e	Merge pull request 'Update docker.io/ollama/ollama Docker tag to v0.5.11' (#76 ) from renovate/docker.io-ollama-ollama-0.x into main Reviewed-on: #76	2025-02-14 12:02:54 -06:00
Renovate Bot	d9e42a4d32	Update docker.io/ollama/ollama Docker tag to v0.5.11	2025-02-14 08:03:05 +00:00
Joseph Hanson	abc5c7cfd2	format and remove unused	2025-02-12 12:36:33 -06:00
Renovate Bot	50a1363b28	Update ghcr.io/onedr0p/plex Docker tag to v1.41.4.9463-630c9f557	2025-02-12 17:33:05 +00:00
Joseph Hanson	9924c2e66c	enable 1pass gui and docker socket for podman	2025-02-12 09:22:47 -06:00
Joseph Hanson	f69efddb53	try out alejandra and shorten bin paths	2025-02-12 09:22:47 -06:00
Joseph Hanson	59ca85f8d6	dotenv and yaml not needed for nix	2025-02-12 09:20:14 -06:00
Joseph Hanson	ffaeb78187	Use uwsm instead of running hyprland directly	2025-02-11 16:42:51 -06:00
Joseph Hanson	04271382e1	Merge pull request 'feat: add multi-sonarr' (#75 ) from multi-sonarr into main Reviewed-on: #75	2025-02-10 15:02:26 -06:00
Joseph Hanson	fd800ff25d	add multi-sonarr	2025-02-10 15:01:31 -06:00
Joseph Hanson	24bca63df5	cleanup	2025-02-10 12:13:09 -06:00
Joseph Hanson	77d0962f1c	Merge pull request 'feat: multi-radarr' (#74 ) from multi-radarr into main Reviewed-on: #74	2025-02-10 11:49:52 -06:00
Joseph Hanson	81ae076baf	enable radarr anime	2025-02-10 11:47:44 -06:00
Joseph Hanson	b19ab0375b	reverse logic	2025-02-10 11:47:36 -06:00
Joseph Hanson	5fa10d7038	update service names	2025-02-10 11:20:44 -06:00
Joseph Hanson	5161eba75c	reconfig - no mkfunction	2025-02-10 11:20:38 -06:00
Joseph Hanson	934af3c9b8	update flake lock -- all	2025-02-10 11:10:49 -06:00
Joseph Hanson	84577eba78	update flake lock -- all Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 23s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 2m50s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 22m31s Details	2025-02-10 10:34:41 -06:00
Joseph Hanson	2edb7c56ab	mkRadarrInstance	2025-02-09 23:32:13 -06:00
Joseph Hanson	f02407bfca	mkRestic modifications, will add mkBorg later and use that instead.	2025-02-09 19:26:53 -06:00
Joseph Hanson	4a4cce4e94	privatemounts = false is required if snap is separate from the backup service.	2025-02-09 19:24:36 -06:00
Joseph Hanson	e782f7c268	to remove/rearrange files privileged is required.	2025-02-09 19:24:05 -06:00
Joseph Hanson	aae3f3397e	add homekit port to scrypted/firewall	2025-02-09 19:23:31 -06:00
Joseph Hanson	0d0245f850	harden sonarr, change zfs snap time	2025-02-09 19:23:16 -06:00
Renovate Bot	7fceed8568	Update ghcr.io/koush/scrypted Docker tag to v0.138.0	2025-02-05 21:33:04 +00:00
Joseph Hanson	12f1164e0c	pull straight from servarr	2025-02-04 12:02:57 -06:00
Joseph Hanson	de9e778a9d	update radarr	2025-02-04 11:34:33 -06:00
Joseph Hanson	fee475957c	added unpackerr and pushover scripts	2025-02-04 11:18:05 -06:00
Joseph Hanson	7c18be7e9a	add mnt	2025-02-04 10:42:03 -06:00
Joseph Hanson	9728d8c014	Merge pull request 'Update ghcr.io/koush/scrypted Docker tag to v0.132.0' (#72 ) from renovate/ghcr.io-koush-scrypted-0.x into main Reviewed-on: #72	2025-02-04 10:41:38 -06:00
Renovate Bot	4d77bcd28b	Update ghcr.io/koush/scrypted Docker tag to v0.132.0	2025-02-04 16:03:11 +00:00
Joseph Hanson	1e1d27b85a	add sonarr service and overlay sonarr/radarr unstable packages.	2025-02-03 16:13:03 -06:00
Joseph Hanson	9041d39a77	add Radarr Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 1m5s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 3m2s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 21m25s Details	2025-02-03 15:07:44 -06:00
Joseph Hanson	7f4bc84e9e	update firefox, vscode, nvim, and added prowlarr service config Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 21s Details Build / nix-build (native-x86_64, telperion) (push) Successful in 4m48s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 33m52s Details switched shadowfax to a sworkstation config from server config.	2025-02-02 16:02:02 -06:00
Joseph Hanson	9c5fb62042	temp config for hyprland, sunshine, prowlarr, and re-enable vs code Some checks failed Build / nix-build (native-x86_64, gandalf) (push) Failing after 30s Details Build / nix-build (native-x86_64, telperion) (push) Failing after 1m11s Details Build / nix-build (native-x86_64, shadowfax) (push) Failing after 2m20s Details will move most of this to other files soon	2025-01-31 19:20:58 -06:00
Joseph Hanson	9ec040c7df	add kitty	2025-01-31 19:20:58 -06:00
Joseph Hanson	eb78727d78	add arr/qb/sab groups if they exist	2025-01-31 19:20:58 -06:00
Joseph Hanson	96da9c78ae	add prowlarr overlay	2025-01-31 19:20:58 -06:00
Joseph Hanson	497d4148df	keep my own version updates for prowlarr	2025-01-31 19:17:31 -06:00
Joseph Hanson	b6a3b644e1	reduce the amount of vs code extensions and update them	2025-01-31 19:16:46 -06:00
Joseph Hanson	4388e399c5	disable precog on nvim unless there's an easy access peek option i'll keep this disabled. It's very jarring.	2025-01-31 19:16:04 -06:00
Joseph Hanson	0764864142	add nvim and config	2025-01-29 09:35:46 -06:00
Joseph Hanson	ecb833b4f9	Merge pull request 'Update ghcr.io/koush/scrypted Docker tag to v0.130.1' (#67 ) from renovate/ghcr.io-koush-scrypted-0.x into main Reviewed-on: #67	2025-01-29 08:09:00 -06:00
Joseph Hanson	90a4a3bffe	Merge pull request 'Update ghcr.io/jellyfin/jellyfin Docker tag to v10.10.5' (#71 ) from renovate/ghcr.io-jellyfin-jellyfin-10.x into main Reviewed-on: #71	2025-01-29 08:07:59 -06:00
Renovate Bot	9f7ec5d41d	Update ghcr.io/koush/scrypted Docker tag to v0.130.1	2025-01-27 21:38:07 +00:00
Renovate Bot	b82793d688	Update ghcr.io/jellyfin/jellyfin Docker tag to v10.10.5	2025-01-25 19:33:19 +00:00
Joseph Hanson	b10f89e54c	added fd - finding files easier	2025-01-24 19:33:26 -06:00
Joseph Hanson	95554bf9f0	added missing parameters	2025-01-24 19:33:08 -06:00
Joseph Hanson	b79062c4ea	enable snaps for sabnzbd and qbittorrent appdata	2025-01-24 19:32:45 -06:00
Joseph Hanson	f1dbebd3e9	Merge pull request 'add sabnzbd' (#70 ) from sabnzbd into main Reviewed-on: #70	2025-01-24 17:43:03 -06:00
Joseph Hanson	5e0cd3a7ee	add sabnzbd	2025-01-24 17:41:49 -06:00
Joseph Hanson	debdcbfd6c	gonna need that internet back thanks	2025-01-24 11:11:53 -06:00
Joseph Hanson	88b2c35cb0	cleanup	2025-01-24 11:11:53 -06:00
Joseph Hanson	e83d3dc743	add qbittorrent (#68 ) Reviewed-on: #68	2025-01-24 10:29:19 -06:00