Merge pull request 'chore(deps): update docker.io/ollama/ollama docker tag to v0.6.1' (#92 ) from renovate/docker.io-ollama-ollama-0.x into main

Reviewed-on: #92
chore(deps): update docker.io/ollama/ollama docker tag to v0.6.1
2025-03-14 21:58:27 -05:00 · 2025-03-14 20:01:57 +00:00 · 2025-03-14 09:39:12 -05:00 · 2025-03-14 09:39:04 -05:00 · 2025-03-12 17:01:28 +00:00 · 2025-03-12 01:01:31 +00:00
220 changed files with 24467 additions and 3159 deletions
--- a/.archive/flake.nix
+++ b/.archive/flake.nix
@ -0,0 +1,36 @@
 {
  "durincore" = mkNixosConfig {
    # T470 Thinkpad Intel i7-6600U
    # Backup Nix dev laptop
    hostname = "durincore";
    system = "x86_64-linux";
    hardwareModules = [
      ./nixos/profiles/hw-thinkpad-t470.nix
      inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
    ];
    profileModules = [
      ./nixos/profiles/role-workstation.nix
      ./nixos/profiles/role-dev.nix
      {home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
    ];
  };
  "legiondary" = mkNixosConfig {
    # Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
    # Nix dev/gaming laptop
    hostname = "legiondary";
    system = "x86_64-linux";
    hardwareModules = [
      inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
      ./nixos/profiles/hw-legion-15arh05h.nix
      disko.nixosModules.disko
      (import ./nixos/profiles/disko-nixos.nix {disks = ["/dev/nvme0n1"];})
    ];
    profileModules = [
      ./nixos/profiles/role-dev.nix
      ./nixos/profiles/role-gaming.nix
      ./nixos/profiles/role-workstation.nix
      {home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
    ];
  };
 }
--- a/.archive/home/modules/programs/de/default.nix
+++ b/.archive/home/modules/programs/de/default.nix
@ -1,4 +1,4 @@
-{ ... }: {
+{...}: {
  imports = [
    ./gnome
  ];
--- a/.archive/home/modules/programs/de/gnome/default.nix
+++ b/.archive/home/modules/programs/de/gnome/default.nix
@ -0,0 +1,83 @@
 # Adjusted manually from generated output of dconf2nix
 # https://github.com/gvolpe/dconf2nix
 {
  lib,
  pkgs,
  osConfig,
  ...
 }:
 with lib.hm.gvariant; {
  config = lib.mkIf osConfig.mySystem.de.gnome.enable {
    # add user packages
    home.packages = with pkgs; [
      dconf2nix
    ];
    # worked out from dconf2nix
    # `dconf dump / | dconf2nix > dconf.nix`
    # can also dconf watch
    dconf.settings = {
      "org/gnome/mutter" = {
        edge-tiling = true;
        workspaces-only-on-primary = false;
      };
      "org/gnome/settings-daemon/plugins/media-keys" = {
        home = ["<Super>e"];
      };
      "org/gnome/desktop/wm/preferences" = {
        workspace-names = [
          "sys"
          "talk"
          "web"
          "edit"
          "run"
        ];
        button-layout = "appmenu:minimize,close";
      };
      "org/gnome/shell" = {
        disabled-extensions = [
          "apps-menu@gnome-shell-extensions.gcampax.github.com"
          "light-style@gnome-shell-extensions.gcampax.github.com"
          "places-menu@gnome-shell-extensions.gcampax.github.com"
          "drive-menu@gnome-shell-extensions.gcampax.github.com"
          "window-list@gnome-shell-extensions.gcampax.github.com"
          "workspace-indicator@gnome-shell-extensions.gcampax.github.com"
        ];
        enabled-extensions = [
          "appindicatorsupport@rgcjonas.gmail.com"
          "caffeine@patapon.info"
          "dash-to-dock@micxgx.gmail.com"
          "gsconnect@andyholmes.github.io"
          "Vitals@CoreCoding.com"
          "sp-tray@sp-tray.esenliyim.github.com"
        ];
        favorite-apps = [
          "com.mitchellh.ghostty.desktop"
          "vivaldi-stable.desktop"
          "obsidian.desktop"
          "code.desktop"
          "vesktop.desktop"
        ];
      };
      "org/gnome/nautilus/preferences" = {
        default-folder-viewer = "list-view";
      };
      "org/gnome/nautilus/icon-view" = {
        default-zoom-level = "small";
      };
      "org/gnome/desktop/interface" = {
        color-scheme = "prefer-dark";
      };
      "org/gnome/desktop/peripherals/touchpad" = {
        tap-to-click = false;
      };
      "org/gnome/desktop/interface" = {
        clock-format = "12h";
        show-battery-percentage = true;
      };
      "org/gnome/settings-daemon/plugins/power" = {
        ambient-enabled = false;
      };
    };
  };
 }
--- a/.archive/hosts/durincore/default.nix
+++ b/.archive/hosts/durincore/default.nix
@ -0,0 +1,51 @@
 {...}: {
  config = {
    networking.hostId = "ad4380db";
    networking.hostName = "durincore";
    # Kernel mods
    boot = {
      initrd = {
        availableKernelModules = [
          "xhci_pci"
          "nvme"
          "usb_storage"
          "sd_mod"
        ];
        kernelModules = [];
      };
      kernelModules = ["kvm-intel"];
      extraModulePackages = [];
    };
    fileSystems = {
      "/" = {
        device = "rpool/root";
        fsType = "zfs";
      };
      "/home" = {
        device = "rpool/home";
        fsType = "zfs";
      };
      "/boot" = {
        device = "/dev/disk/by-uuid/F1B9-CA7C";
        fsType = "vfat";
        options = [
          "fmask=0077"
          "dmask=0077"
        ];
      };
    };
    swapDevices = [];
    # System settings and services.
    mySystem = {
      system.motd.networkInterfaces = [
        "enp0s31f6"
        "wlp4s0"
      ];
    };
  };
 }
--- a/.archive/hosts/gandalf/config/disks.nix
+++ b/.archive/hosts/gandalf/config/disks.nix
@ -0,0 +1,16 @@
 [
  "/dev/disk/by-id/ata-Seagate_IronWolfPro_ZA240NX10001-2ZH100_7TF002RA"
  "/dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0K308438J"
  "/dev/disk/by-id/scsi-350000c0f02f0830c"
  "/dev/disk/by-id/scsi-350000c0f01e7d190"
  "/dev/disk/by-id/scsi-350000c0f01ea443c"
  "/dev/disk/by-id/scsi-350000c0f01f8230c"
  "/dev/disk/by-id/scsi-35000c500586e5057"
  "/dev/disk/by-id/scsi-35000c500624a0ddb"
  "/dev/disk/by-id/scsi-35000c500624a1a8b"
  "/dev/disk/by-id/scsi-35000cca046135ad8"
  "/dev/disk/by-id/scsi-35000cca04613722c"
  "/dev/disk/by-id/scsi-35000cca0461810f8"
  "/dev/disk/by-id/scsi-35000cca04618b930"
  "/dev/disk/by-id/scsi-35000cca04618cec4"
 ]
--- a/.archive/hosts/gandalf/config/incus-preseed.nix
+++ b/.archive/hosts/gandalf/config/incus-preseed.nix
@ -0,0 +1,48 @@
 {...}: {
  config = {
    "core.https_address" = "10.1.1.15:8445"; # Need quotes around key
  };
  networks = [
    {
      config = {
        "ipv4.address" = "auto"; # Need quotes around key
        "ipv6.address" = "auto"; # Need quotes around key
      };
      description = "";
      name = "incusbr0";
      type = "";
      project = "default";
    }
  ];
  storage_pools = [
    {
      config = {
        source = "eru/incus";
      };
      description = "";
      name = "default";
      driver = "zfs";
    }
  ];
  profiles = [
    {
      config = {};
      description = "";
      devices = {
        eth0 = {
          name = "eth0";
          network = "incusbr0";
          type = "nic";
        };
        root = {
          path = "/";
          pool = "default";
          type = "disk";
        };
      };
      name = "default";
    }
  ];
  projects = [];
  cluster = null;
 }
--- a/.archive/hosts/gandalf/config/samba-config.nix
+++ b/.archive/hosts/gandalf/config/samba-config.nix
@ -1,4 +1,14 @@
-{ ... }: {
+{...}: {
  global = {
    "workgroup" = "WORKGROUP";
    "server string" = "gandalf";
    "netbios name" = "gandalf";
    "security" = "user";
    # note: localhost is the ipv6 localhost ::1
    "hosts allow" = "0.0.0.0/0";
    "guest account" = "nobody";
    "map to guest" = "bad user";
  };
  xen = {
    path = "/eru/xen-backups";
    browseable = "yes";
--- a/.archive/hosts/gandalf/config/sanoid.nix
+++ b/.archive/hosts/gandalf/config/sanoid.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  outputs = {
    # ZFS automated snapshots
    templates = {
--- a/.archive/hosts/gandalf/default.nix
+++ b/.archive/hosts/gandalf/default.nix
@ -0,0 +1,185 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  inputs,
  ...
 }:
 # let
 # sanoidConfig = import ./config/sanoid.nix { };
 # disks = import ./config/disks.nix;
 # smartdDevices = map (device: { inherit device; }) disks;
 # in
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    inputs.disko.nixosModules.disko
    (import ../../profiles/disko-nixos.nix {disks = ["/dev/sda"];})
  ];
  boot = {
    initrd = {
      availableKernelModules = [
        "ehci_pci"
        "ahci"
        "mpt3sas"
        "isci"
        "usbhid"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = ["nfs"];
      supportedFilesystems = ["nfs"];
    };
    kernelModules = [
      "kvm-intel"
      "vfio"
      "vfio_iommu_type1"
      "vfio_pci"
      "vfio_virqfd"
    ];
    extraModulePackages = [];
    kernelParams = [
      "iommu=pt"
      "intel_iommu=on"
      "zfs.zfs_arc_max=107374182400"
    ]; # 100GB
  };
  swapDevices = [];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
  ];
  # Network settings
  networking = {
    hostName = "gandalf";
    hostId = "e2fc95cd";
    useDHCP = false; # needed for bridge
    networkmanager.enable = true;
    firewall.enable = false;
    nftables.enable = false;
    interfaces = {
      "enp130s0f0".useDHCP = true;
      "eno1".useDHCP = true;
    };
  };
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # VSCode Compatibility Settings
  programs.nix-ld.enable = true;
  services.vscode-server = {
    enable = true;
  };
  # Home Manager
  home-manager.users.jahanson = {
    # Git settings
    # TODO: Move to config module.
    programs.git = {
      enable = true;
      userName = "Joseph Hanson";
      userEmail = "joe@veri.dev";
      extraConfig = {
        core.autocrlf = "input";
        init.defaultBranch = "main";
        pull.rebase = true;
        rebase.autoStash = true;
      };
    };
  };
  # sops
  sops = {
    secrets = {
      "borg/repository/passphrase" = {
        sopsFile = ./secrets.sops.yaml;
      };
      "syncthing/publicCert" = {
        sopsFile = ./secrets.sops.yaml;
        owner = "jahanson";
        mode = "400";
        restartUnits = ["syncthing.service"];
      };
      "syncthing/privateKey" = {
        sopsFile = ./secrets.sops.yaml;
        owner = "jahanson";
        mode = "400";
        restartUnits = ["syncthing.service"];
      };
    };
  };
  services = {
    # Smart daemon for monitoring disk health.
    smartd = {
      # devices = smartdDevices;
      # Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
      defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
    };
    # ZFS Exporter
    prometheus.exporters.zfs.enable = true;
    # samba = {
    #   enable = true;
    #   settings = import ./config/samba-config.nix { };
    #   openFirewall = true;
    # };
  };
  # System settings and services.
  mySystem = {
    purpose = "Production";
    system = {
      motd.networkInterfaces = [
        "enp130s0f0"
        "eno1"
      ];
      # Incus
      # incus = {
      #   enable = true;
      #   preseed = import ./config/incus-preseed.nix { };
      #   webuiport = 8445;
      # };
      # ZFS
      zfs.enable = true;
      # zfs.mountPoolsAtBoot = [ "eru" ];
      # NFS
      nfs.enable = true;
    };
    services = {
      libvirt-qemu.enable = true;
      podman.enable = true;
      # Syncthing
      syncthing = {
        enable = true;
        user = "jahanson";
        publicCertPath = config.sops.secrets."syncthing/publicCert".path;
        privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
      };
      # # Scrutiny
      # scrutiny = {
      #   enable = true;
      #   devices = disks;
      #   extraCapabilities = [ "SYS_RAWIO" ];
      #   containerVolumeLocation = "/eru/containers/volumes/scrutiny";
      #   port = 8585;
      # };
      # Sanoid
      # sanoid = {
      #   enable = true;
      #   inherit (sanoidConfig.outputs) templates datasets;
      # };
    };
  };
 }
--- a/.archive/hosts/gandalf/secrets.sops.yaml
+++ b/.archive/hosts/gandalf/secrets.sops.yaml
@ -0,0 +1,65 @@
 lego:
    dnsimple:
        token: ENC[AES256_GCM,data:xWFVA0xhifz+odHKmGaGswT6fZ4G70clfS8AzbWnxc18JF4e75dcG6BhiA==,iv:B4pNvag4nSrw1LwL/OGyXdEcw0gZeBFBBcNzqlimjYc=,tag:ta8l7XqbQqLO+ll8Wr+mug==,type:str]
 borg:
    repository:
        passphrase: ENC[AES256_GCM,data:qyqATupWXH5Gjx7t1660mvC1YUU=,iv:GhEbT8x5+SNXcF3b3ITk+3Dsv5PxzR56JSEufxQUBio=,tag:qWanlk8ox2uoFtyK7aiMcg==,type:str]
 syncthing:
    publicCert: ENC[AES256_GCM,data:q8EYRAkpwrTF8dodEH84ycDAhADLZ1uJvnArn698bueLgxtP4FHgsAHJXADtLj5/KBVJRNSBMl592wNLF9UVg0OM2b+KnMaLcVH6VHlpTQIzQBjVRjjlfU/uUfvDWXcXvfKdkS3RvDMDtR9vD3MRjdLIqjKY+7swmP2L2+WWyMXsZ3dgFvxpzH/yDekklxj8c0QVb+YJV858nNPvTKc8wkbcovsQiIQICmHhxAVU3Y51pjFXYTDaMGS/RkL47JYjYDpkCdetqe0R1wePlz5t7wbNSlg1u9d4xVtcW3yoqLErBI4ArleA/PPNflSzpx6WVLYXZ9T0BzYvDObt5VfpZ7zhNBTzXD0cvQZKyUWD6yY17JcJ+zQQiQqajSnhg8Iv4E/rwy0pRUM+YCBX2D7SiLpnlqYvHHAT8zMHpq0x/iw0t6h4ypxVVr9MU2LxfFxTbfgabJB94nxr/lk0/ONGq+gCxf3K0NOW5n6IDCB3o75KIqIG631E7F6WK2EmXF4KgS8EQEJVWWj4GKcB5dKGI+/jz3MUB4JXVLhME3X3ReDQbkZjr2OmIs6KbxuxWR5TSEj5G/sTXRxpqdKkE/aVfQMYoj7LCP4+HdM6NGP+irOSMSSC4PoHJPYtVDLluNKE+K/4w1MUK0m6EzdNrfHggY/0oS7UF5VCLrHZCNkI7CAIyVoR0A3kOMYhWjwIxDoQCSA1E/kJqYaB0dChL451xXKjvMkPQajZHK9kU/tRTcaAFgAwdLR8SYDpvN7eb1Zf6Cc4g0qP7BKA4FIqBjS+0bNobgO6oiH4TmsmIseLvevnhT0nRu3t/Lmuf2nFxAOlXyvHEp/6ulMIY+aOVcLRpi/5UjbL4rQTddHS0Y/54ofZcnD/yXiUafJAYzk/vmM3RTCj1qzmT8olw2n092LiQ7SjCIIs5PAIqWsq0O/YnyJlE7t83UcfES23DrLjc7ewcskSqG3GsPVp6qCz7/9nFgS7Sr6yHRMKGTCHSzGVlxXP4bHsDfe+DZc0R9ll67AjfErLDVlrwHOo2dpiXWcZD0Rs86h0dVCYSUE=,iv:0b7Jpbp4AXt7ngAZo5J5Fah8LByfmBRJwXQiGU5E0aY=,tag:he2qKsX5ne7tMRyc1EVFGw==,type:str]
    privateKey: ENC[AES256_GCM,data:2BzXadahdEIAyllwmBLYeiNciPaQ0Ds/MJ450hX361SzNOkSsV/Wpbhr1plG6MyTc72BmD8C++5hlSCrD1O3C8mpKFNKV7om7NEJ36DSnpHlKFwmTvoQQw7cscBpZokWlgBlsRbbnrWWaac+k9tQp2pOfPscwKWMkULxR/59TsvLO5b0tZp8G5uL+Ah00x0eVtqqE/o2mQ7YpH80sgv3qHGKImyflMugvd8CKm6R2pYEN6K3Aw+N8ReVSoKXu7oaoxutHzLjuEMYlXJa1UnbE/8uajhIwXy5XcAHHywrPl4vDm9Jer+7fn8qqslBDD13bSiwuh0+LtB6QS72pg70sHPK/uuNcAbMcJ00Bwx1IsuLah3I2r3yZdh+co5qxcG6,iv:HWAhyDTP8cryZusGyemzr11Ax821aEl/a3O/wXMbPNY=,tag:uK3mGe/bvsmmCGjidKp77g==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBla1U3d01iTzIxZE9SNFZL
            UTJZVDFhN3FUaGxCQkxQQlRwMzZPbTVZQkVFCm85eXQvZUNQVWtISTFCYVh0ZUxP
            ZE9MRnF4aDZoSGtXNUg3by92S2FYNVkKLS0tIHJta016cmNPNFhTSVdrc2dDRmx0
            MlNlMHhxQk5wUThFYTZyVjIraXJGYVUKMvTxkSUbaxDj2yy+XpFLyjNeGQkXTLfV
            onQ8JwVJ3ZP94O/hBlLsa8/akggDatKVKoDKZI3UrypNA5tWQr4uwQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUHpzUy9EaCtKRTRMNi8y
            bHcvMlhWSDMyRGk5eHhLV1dMMEU2L0MrbFRRCjJnWjZVazdDbmZiaWlLZm95blFa
            Um5qZFBXcEg2cTN0aDYxd2FlT1RuVzgKLS0tIDBpZHZ1bDhUWXZKS2prYnlnaVFB
            cEVhTnMvTENleDlzRERZc0JnVEtBcmMKSFePvV4GOeD297tSpKy6Xb+XNfNhjSHM
            j3X3tA+Q0W1H17RijW1h4dyj5qzQsrSf7DSpIxXqwzamEVV40Z3nHA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMlVTWFkwcXhBOWJCL0ds
            TXUxOHNmclRKczRJYzVOMFdMNG5Qb2sxeDJ3CklNa3MzbXc5ZGZSeHk4d3hmWnNo
            dnFVOTB6QUxUTDQya0ZneWZiM0lyUjAKLS0tIFdoVlg0Unl0aDB0VjRQMit0Mmkr
            YjVJejg0RVB1U2Rybk1iM1RraXIwbWsKRaqoxEytcx4JhoHFYeL0QBtOhGrqrZjn
            z090Ml8zukXq/UVnWlt8GwIf9yKkDSixNywZJZF58/9omOpoHagv7Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMHNsaTRqb0hkdUFhV1VO
            QzBHekV3c1VJTVQ5VUNqWnJFSWJlM1JWTUZRCk55bFVrRUxFV2Vpb0Rvc0pZRGN4
            ZThTMWd0SGFoYVZ3cG9TNGZKd1hpd0kKLS0tIEpLTzlBN3FuaXhCQ1ErZG1LaGgx
            cDNDdDNteVI1ZHBtZUdtSEVxN3RtaFUKntQ9CvSB8BUrJctW3Rj7dxWwgIPGrdVP
            hLsD6xe4LHoG/hChRamhQOnI0AvubkeXWMWhLU11NT5KFspEsmIlXA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaTM3RzAyUG4zTFk5WFB0
            anFsNG9QY1p1NTRObFVQL3pLL0V4cm13RnhJCjh4MGhZaHI0WXVoWHY3M3dwRDYw
            QXpIRjlkZEUydThQVXZxSFI0MjMwVFUKLS0tIGFiYmE5UTQ0NnM5dktZbGZPcmE1
            REM5NHVzUy9rRkNQL3hjU0lRQklXeFUKhcDEgKFwhoGWPS6JDsgvFeb52H0N6Foh
            10hkCG4eftdrfT1r0Fxcr4LD1oHgOZN61Kfvr0t4UqoEOnLMxOPM/Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-09T06:33:41Z"
    mac: ENC[AES256_GCM,data:Eb/ss98+IxI2RL3Iu7VHIYko7YOiPZhkIUAYF5UNAwyNZsqjiPKtxFejjtuixTzCVuKejSZBkYTCcd5QI9SquQhh9TloTg9lsEI94+vMn7hiJW816rsllx+cvaKM/MVYOaVX1R50QKpzjsjT1hZR8XVQUm1s3pmwaZi9KSesc18=,iv:RtODAtOjuTcWJzCJoHRXj9tp3lC5XYG0+upBPnAas1g=,tag:pOES1vOW7u9tSHkWaPJ1ag==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/.archive/hosts/legiondary/default.nix
+++ b/.archive/hosts/legiondary/default.nix
@ -1,41 +1,53 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, modulesPath, ... }:
 {
-  imports =
+  config,
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+  lib,
-    ];
+  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  networking.hostId = "2132e3bf";
  networking.hostName = "legiondary";
  boot = {
-    initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+    initrd.availableKernelModules = [
-    initrd.kernelModules = [ ];
+      "xhci_pci"
-    kernelModules = [ "kvm-amd" ];
+      "nvme"
-    extraModulePackages = [ ];
+      "ahci"
      "usb_storage"
      "usbhid"
      "sd_mod"
    ];
    initrd.kernelModules = [];
    kernelModules = ["kvm-amd"];
    extraModulePackages = [];
  };
-  fileSystems."/" =
+  fileSystems = {
-    { device = "zroot/root";
+    "/" = {
      device = "zroot/root";
      fsType = "zfs";
    };
-  fileSystems."/nix" =
+    "/nix" = {
-    { device = "zroot/nix";
+      device = "zroot/nix";
      fsType = "zfs";
    };
-  fileSystems."/var" =
+    "/var" = {
-    { device = "zroot/var";
+      device = "zroot/var";
      fsType = "zfs";
    };
-  fileSystems."/home" =
+    "/home" = {
-    { device = "zroot/home";
+      device = "zroot/home";
      fsType = "zfs";
    };
  };
  # fileSystems."/boot" =
  #   { device = "/dev/disk/by-uuid/E532-B74A";
@ -43,13 +55,16 @@
  #     options = [ "fmask=0022" "dmask=0022" ];
  #   };
-  swapDevices = [ ];
+  swapDevices = [];
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # System settings and services.
  mySystem = {
    purpose = "Development";
-    system.motd.networkInterfaces = [ "eno1" "wlp4s0" ];
+    system.motd.networkInterfaces = [
      "eno1"
      "wlp4s0"
    ];
  };
 }
--- a/.archive/modules/nixos/containers/lego-auto/default.nix
+++ b/.archive/modules/nixos/containers/lego-auto/default.nix
@ -1,15 +1,17 @@
-{ lib, config, ... }:
+{
-with lib;
+  lib,
-let
+  config,
  ...
 }:
 with lib; let
  app = "lego-auto";
  image = "ghcr.io/bjw-s/lego-auto:v0.3.0";
-  user = "999"; #string
+  user = "999"; # string
-  group = "102"; #string
+  group = "102"; # string
-  port = 9898; #int
+  port = 9898; # int
  cfg = config.mySystem.services.${app};
  appFolder = "/eru/containers/volumes/${app}";
-in
+in {
 {
  options.mySystem.services.${app} = {
    enable = mkEnableOption "${app}";
    dnsimpleTokenPath = mkOption {
@ -43,20 +45,24 @@ in
      extraOptions = [
        "--dns=1.1.1.1"
      ];
-      environment = {
+      environment =
-        TZ = "America/Chicago";
+        {
-        LA_DATADIR = "/cert";
+          TZ = "America/Chicago";
-        LA_CACHEDIR = "/cert/.cache";
+          LA_DATADIR = "/cert";
-        LA_EMAIL = cfg.email;
+          LA_CACHEDIR = "/cert/.cache";
-        LA_DOMAINS = cfg.domains;
+          LA_EMAIL = cfg.email;
-        LA_PROVIDER = cfg.provider;
+          LA_DOMAINS = cfg.domains;
-      } // lib.optionalAttrs (cfg.provider == "dnsimple") {
+          LA_PROVIDER = cfg.provider;
-        DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
+        }
-      };
+        // lib.optionalAttrs (cfg.provider == "dnsimple") {
          DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
        };
-      volumes = [
+      volumes =
-        "${appFolder}/cert:/cert"
+        [
-      ] ++ optionals (cfg.provider == "dnsimple") [ "${cfg.dnsimpleTokenPath}:/config/dnsimple-token" ];
+          "${appFolder}/cert:/cert"
        ]
        ++ optionals (cfg.provider == "dnsimple") ["${cfg.dnsimpleTokenPath}:/config/dnsimple-token"];
    };
  };
 }
--- a/.archive/modules/nixos/containers/unifi/default.nix
+++ b/.archive/modules/nixos/containers/unifi/default.nix
@ -0,0 +1,57 @@
 {
  lib,
  config,
  ...
 }:
 with lib; let
  app = "unifi";
  # renovate: depName=goofball222/unifi datasource=github-releases
  version = "8.4.62";
  cfg = config.mySystem.services.${app};
  appFolder = "/eru/containers/volumes/${app}";
 in
  # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
  {
    options.mySystem.services.${app} = {
      enable = mkEnableOption "${app}";
    };
    config = mkIf cfg.enable {
      networking.firewall.interfaces = {
        enp130s0f0 = {
          allowedTCPPorts = [8443];
        };
        podman0 = {
          allowedTCPPorts = [
            8080
            8443
            8880
            8843
          ];
          allowedUDPPorts = [3478];
        };
      };
      virtualisation.oci-containers.containers.${app} = {
        image = "ghcr.io/goofball222/unifi:${version}";
        autoStart = true;
        ports = [
          "3478:3478/udp" # STUN
          "8080:8080" # inform controller
          "8443:8443" # https
          "8880:8880" # HTTP portal redirect
          "8843:8843" # HTTPS portal redirect
        ];
        environment = {
          TZ = "America/Chicago";
          RUNAS_UID0 = "false";
          PGID = "102";
          PUID = "999";
        };
        volumes = [
          "${appFolder}/cert:/usr/lib/unifi/cert"
          "${appFolder}/data:/usr/lib/unifi/data"
          "${appFolder}/logs:/usr/lib/unifi/logs"
        ];
      };
    };
  }
--- a/.archive/modules/nixos/de/default.nix
+++ b/.archive/modules/nixos/de/default.nix
@ -0,0 +1,6 @@
 {
  imports = [
    ./gnome.nix
    ./kde.nix
  ];
 }
--- a/.archive/modules/nixos/de/gnome.nix
+++ b/.archive/modules/nixos/de/gnome.nix
@ -0,0 +1,115 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: let
  cfg = config.mySystem.de.gnome;
 in {
  options = {
    mySystem.de.gnome = {
      enable =
        lib.mkEnableOption "GNOME"
        // {
          default = false;
        };
      systrayicons =
        lib.mkEnableOption "Enable systray icons"
        // {
          default = true;
        };
      gsconnect =
        lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)"
        // {
          default = true;
        };
    };
  };
  config = lib.mkIf cfg.enable {
    # Ref: https://nixos.wiki/wiki/GNOME
    # GNOME plz
    services = {
      displayManager = {
        defaultSession = "gnome";
        autoLogin = {
          enable = false;
          user = "jahanson"; # TODO move to config overlay
        };
      };
      xserver = {
        enable = true;
        xkb.layout = "us"; # `localctl` will give you
        displayManager = {
          gdm.enable = true;
        };
        desktopManager = {
          # GNOME
          gnome.enable = true;
        };
      };
      udev.packages = lib.optionals cfg.systrayicons [pkgs.gnome.gnome-settings-daemon]; # support appindicator
    };
    # systyray icons
    # extra pkgs and extensions
    environment = {
      systemPackages = with pkgs;
        [
          wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
          playerctl # gsconnect play/pause command
          pamixer # gcsconnect volume control
          gnome.gnome-tweaks
          gnome.dconf-editor
          # This installs the extension packages, but
          # dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
          gnomeExtensions.vitals
          gnomeExtensions.caffeine
          gnomeExtensions.dash-to-dock
        ]
        ++ optionals cfg.systrayicons [pkgs.gnomeExtensions.appindicator];
    };
    # enable gsconnect
    # this method also opens the firewall ports required when enable = true
    programs.kdeconnect = lib.mkIf cfg.gsconnect {
      enable = true;
      package = pkgs.gnomeExtensions.gsconnect;
    };
    # GNOME connection to browsers - requires flag on browser as well
    services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) (
      lib.attrValues config.home-manager.users
    );
    # And dconf
    programs.dconf.enable = true;
    # Exclude default GNOME packages that dont interest me.
    environment.gnome.excludePackages =
      (with pkgs; [
        gnome-photos
        gnome-tour
        gedit # text editor
      ])
      ++ (with pkgs.gnome; [
        cheese # webcam tool
        gnome-music
        gnome-terminal
        epiphany # web browser
        geary # email reader
        evince # document viewer
        gnome-characters
        totem # video player
        tali # poker game
        iagno # go game
        hitori # sudoku game
        atomix # puzzle game
      ]);
  };
 }
--- a/.archive/modules/nixos/de/kde.nix
+++ b/.archive/modules/nixos/de/kde.nix
@ -0,0 +1,70 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: let
  cfg = config.mySystem.de.kde;
  flameshotOverride = pkgs.unstable.flameshot.override {enableWlrSupport = true;};
 in {
  options = {
    mySystem.de.kde = {
      enable =
        lib.mkEnableOption "KDE"
        // {
          default = false;
        };
    };
  };
  config = lib.mkIf cfg.enable {
    # Ref: https://wiki.nixos.org/wiki/KDE
    # KDE
    services = {
      displayManager = {
        sddm = {
          enable = true;
          wayland = {
            enable = true;
          };
        };
      };
      desktopManager.plasma6.enable = true;
    };
    security = {
      # realtime process priority
      rtkit.enable = true;
      # KDE Wallet PAM integration for unlocking the default wallet on login
      pam.services."sddm".kwallet.enable = true;
    };
    # enable pipewire for sound
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };
    # extra pkgs and extensions
    environment = {
      systemPackages = with pkgs; [
        wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
        playerctl # gsconnect play/pause command
        vorta # Borg backup tool
        flameshotOverride # screenshot tool
        libsForQt5.qt5.qtbase # for vivaldi compatibility
        kdePackages.discover # KDE software center -- mainly for flatpak updates
      ];
    };
    # enable kdeconnect
    # this method also opens the firewall ports required when enable = true
    programs.kdeconnect = {
      enable = true;
    };
  };
 }
--- a/.archive/modules/nixos/services/cockpit/default.nix
+++ b/.archive/modules/nixos/services/cockpit/default.nix
@ -1,9 +1,12 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.mySystem.services.cockpit;
 in
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.mySystem.services.cockpit;
 in {
  options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit";
  config.services.cockpit = mkIf cfg.enable {
--- a/.archive/modules/nixos/services/vault/default.nix
+++ b/.archive/modules/nixos/services/vault/default.nix
@ -0,0 +1,33 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  cfg = config.mySystem.services.vault;
 in {
  options.mySystem.services.vault = {
    enable = lib.mkEnableOption "vault";
    address = lib.mkOption {
      type = lib.types.str;
      default = "127.0.0.1:8200";
      description = "Address of the Vault server";
      example = "127.0.0.1:8200";
    };
  };
  config = lib.mkIf cfg.enable {
    services.vault = {
      enable = true;
      package = pkgs.unstable.vault;
      address = cfg.address;
      dev = false;
      storageBackend = "raft";
      extraConfig = ''
        api_addr = "http://127.0.0.1:8200"
        cluster_addr = "http://127.0.0.1:8201"
        ui = true
      '';
    };
  };
 }
--- a/.archive/modules/nixos/services/vault/resources/vault-config.hcl
+++ b/.archive/modules/nixos/services/vault/resources/vault-config.hcl
@ -0,0 +1,14 @@
 listener "tcp" {
    address = "0.0.0.0:8200"
    tls_disable = true
 }
 storage "raft" {
    path = "/var/lib/vault/data"
    node_id = "node1"
 }
 disable_mlock = true
 api_addr = "http://localhost:8200"
 cluster_addr = "http://localhost:8201"
 ui = true
--- a/.archive/profiles/disko-telchar.nix
+++ b/.archive/profiles/disko-telchar.nix
@ -0,0 +1,59 @@
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/disk/by-diskseq/1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              priority = 1;
              name = "ESP";
              start = "1M";
              end = "128M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
              };
            };
            root = {
              size = "100%";
              content = {
                type = "btrfs";
                extraArgs = ["-f"]; # Override existing partition
                # Subvolumes must set a mountpoint in order to be mounted,
                # unless their parent is mounted
                subvolumes = {
                  # Subvolume name is different from mountpoint
                  "/rootfs" = {
                    mountpoint = "/";
                  };
                  # Subvolume name is the same as the mountpoint
                  "/home" = {
                    mountOptions = ["compress=zstd"];
                    mountpoint = "/home";
                  };
                  # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
                  "/home/user" = {};
                  # Parent is not mounted so the mountpoint must be set
                  "/nix" = {
                    mountOptions = [
                      "compress=zstd"
                      "noatime"
                    ];
                    mountpoint = "/nix";
                  };
                };
                mountpoint = "/partition-root";
              };
            };
          };
        };
      };
    };
  };
 }
--- a/.archive/profiles/hw-legion-15arh05h.nix
+++ b/.archive/profiles/hw-legion-15arh05h.nix
@ -1,5 +1,8 @@
 { lib, pkgs, ... }:
 {
  lib,
  pkgs,
  ...
 }: {
  # Support windows partition
  mySystem = {
    security.wheelNeedsSudoPassword = false;
@ -10,7 +13,10 @@
  boot = {
    # for managing/mounting ntfs
-    supportedFilesystems = [ "ntfs" "nfs" ];
+    supportedFilesystems = [
      "ntfs"
      "nfs"
    ];
    loader = {
      grub = {
@ -18,7 +24,10 @@
        zfsSupport = true;
        device = "nodev";
        mirroredBoots = [
-          { devices = [ "nodev" ]; path = "/boot"; }
+          {
            devices = ["nodev"];
            path = "/boot";
          }
        ];
      };
    };
--- a/.archive/profiles/hw-thinkpad-t470.nix
+++ b/.archive/profiles/hw-thinkpad-t470.nix
@ -1,5 +1,8 @@
 { config, lib, ... }:
 {
  config,
  lib,
  ...
 }: {
  boot = {
    # Use the systemd-boot EFI boot loader.
    loader = {
--- a/.archive/profiles/role-gaming.nix
+++ b/.archive/profiles/role-gaming.nix
@ -1,12 +1,15 @@
 { lib, pkgs, ... }:
 {
  lib,
  pkgs,
  ...
 }: {
  # Enable module for NVIDIA graphics
  mySystem = {
    hardware.nvidia.enable = true;
  };
  # set xserver videodrivers for NVIDIA gpu
-  services.xserver.videoDrivers = [ "nvidia" ];
+  services.xserver.videoDrivers = ["nvidia"];
  # Install steam systemwide
  programs.steam = {
    enable = true;
@ -35,5 +38,4 @@
    pulse.enable = true;
    jack.enable = true;
  };
 }
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,16 @@
 root = true
 [*]
 end_of_line = lf
 insert_final_newline = true
 indent_style = space
 indent_size = 2
 charset = utf-8
 trim_trailing_whitespace = true
 [*.{yaml,yml,json5}]
 indent_style = space
 indent_size = 2
 [*.md]
 indent_size = 4
 trim_trailing_whitespace = false
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@ -0,0 +1,53 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: "Build"
 on:
  push:
    branches:
      - main
    paths:
      - ".forgejo/workflows/build.yaml"
      - "flake.lock"
  workflow_dispatch:
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
  cancel-in-progress: true
 jobs:
  nix-build:
    if: github.event.pull_request.draft == false
    strategy:
      fail-fast: false
      matrix:
        include:
          - system: gandalf
            os: native-x86_64
          - system: telperion
            os: native-x86_64
          - system: shadowfax
            os: native-x86_64
          # - system: varda
          #   os: native-x86_64
    runs-on: ${{ matrix.os }}
    env:
      PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
    steps:
      - name: Checkout repository
        uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Cachix
        uses: https://github.com/cachix/cachix-action@v16
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          name: hsndev
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Garbage collect build dependencies
        run: nix-collect-garbage
      - name: Build new ${{ matrix.system }} system
        shell: bash
        run: |
          nix build ".#top.${{ matrix.system }}" --profile ./profile --fallback -v \
            > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@ -1,50 +0,0 @@
 name: "Build"
 on:
  pull_request:
 jobs:
  nix-build:
    if: github.event.pull_request.draft == false
    strategy:
      fail-fast: false
      matrix:
        include:
          - system: varda
            os: native-aarch64
          - system: telchar
            os: native-x86_64
    runs-on: ${{ matrix.os }}
    env:
      PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
    steps:
      - name: Checkout repository
        uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: https://github.com/cachix/cachix-action@v15
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          name: hsndev
          # If you chose API tokens for write access OR if you have a private cache
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
        # env:
          # USER: 'root'
      - name: Garbage collect build dependencies
        run: nix-collect-garbage
      - name: Build new ${{ matrix.system }} system
        shell: bash
        run: |
          set -o pipefail
          nix build \
            ".#top.${{ matrix.system }}" \
            --profile ./profile \
            --fallback \
            -v \
            --log-format raw \
             > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
      - name: Push to Cachix
        if: success()
        env:
          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
        run: nix build ".#top.${{ matrix.system }}" --json | jq -r .[].drvPath | cachix push hsndev
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,13 @@
 **/*.tmp.sops.yaml
 **/*.sops.tmp.yaml
 **/*sync-conflict*
 age.key
 result*
 .decrypted~*
 .direnv
 .kube
 .github
 .profile
 .idea
 .secrets
 .op
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -9,10 +9,12 @@ repos:
          - --config-file
          - .yamllint.yaml
        id: yamllint
        exclude: "borgmatic-template.yaml"
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
    hooks:
      - id: trailing-whitespace
        exclude: "borgmatic-template.yaml"
      - id: end-of-file-fixer
      - id: fix-byte-order-marker
      - id: mixed-line-ending
@ -25,14 +27,15 @@ repos:
    hooks:
      - id: remove-crlf
      - id: remove-tabs
-        exclude: (Makefile)
+        exclude: (Makefile|Caddyfile)
-  - repo: https://github.com/zricethezav/gitleaks
+      #  - repo: https://github.com/zricethezav/gitleaks
-    rev: v8.18.2
+      #    rev: v8.23.3
-    hooks:
+      #    hooks:
-      - id: gitleaks
+      #      - id: gitleaks
-  - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
+      #  - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
-    rev: v1.1
+      #    rev: v1.1
-    hooks:
+      #    hooks:
-      - id: sops-encryption
+      #      - id: sops-encryption
-        # Uncomment to exclude all markdown files from encryption
+      #        # Uncomment to exclude all markdown files from encryption
-        # exclude: *.\.md
+      #        # exclude: *.\.md
      #        files: .*secrets.*
--- a/.prettierrc
+++ b/.prettierrc
@ -0,0 +1,4 @@
 {
  "quoteProps": "preserve",
  "trailingComma": "none"
 }
--- a/.sops.yaml
+++ b/.sops.yaml
@ -10,24 +10,19 @@
 keys:
  - users:
-    - &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+      - &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
  - hosts:
-    - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+      - &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
-    - &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
+      - &telchar age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
-    - &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
+      - &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
-    - &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
+      - &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
    - &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
    - &telchar age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
 creation_rules:
  - path_regex: .*\.sops\.yaml$
    key_groups:
      - age:
-        - *durincore
+          - *jahanson
-        - *gandalf
+          - *shadowfax
-        - *jahanson
+          - *telchar
-        - *legiondary
+          - *telperion
-        - *telchar
+          - *varda
        - *telperion
        - *varda
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -1,9 +1,6 @@
 {
  "recommendations": [
    "jnoortheen.nix-ide",
    "mikestead.dotenv",
    "redhat.ansible",
    "redhat.vscode-yaml",
    "signageos.signageos-vscode-sops",
    "pkief.material-icon-theme",
    "ms-vscode-remote.remote-ssh"
--- a/.vscode/module.code-snippets
+++ b/.vscode/module.code-snippets
@ -1,32 +0,0 @@
 {
  "nix-module": {
    "prefix": "nm",
    "body": [
      "{ lib",
      ", config",
      ", pkgs",
      ", ...",
      "}:",
      "with lib;",
      "let",
      "  cfg = config.mySystem.${1}.${2};",
      "  app = \"${3}\"",
      "  appFolder = \"apps/${app}\";",
      "  persistentFolder = \"${config.mySystem.persistentFolder}/${appFolder}\";",
      "  user = app;",
      "  group = app;",
      "in",
      "{",
      "  options.mySystem.${1}.${2}.enable = mkEnableOption \"${4}\";",
      "",
      "  config = mkIf cfg.enable {",
      "",
      "  $5",
      "",
      "  };",
      "}",
      ""
    ],
    "description": "nix-module"
  }
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,46 @@
 {
  "editor.fontFamily": "CaskaydiaMono Nerd Font Mono",
  "files.associations": {
    "*.json5": "jsonc"
  },
  "editor.hover.delay": 1500,
  "editor.bracketPairColorization.enabled": true,
  "editor.guides.bracketPairs": true,
  "editor.guides.bracketPairsHorizontal": true,
  "editor.guides.highlightActiveBracketPair": true,
  "files.trimTrailingWhitespace": true,
  "sops.defaults.ageKeyFile": "age.key",
  "nix.enableLanguageServer": true,
  "nix.serverPath": "nixd",
  "nix.formatterPath": "alejandra",
  "nix.serverSettings": {
    "nixd": {
      "formatting": {
        "command": ["alejandra"]
      },
      "options": {
        "nixos": {
          "expr": "(builtins.getFlake \"/home/jahanson/projects/mochi\").nixosConfigurations.shadowfax.options"
        }
      }
    },
    "nix": {
      "binary": "nix",
      "maxMemoryMB": null,
      "flake": {
        "autoEvalInputs": true,
        "autoArchive": true,
        "nixpkgsInputName": "nixpkgs"
      }
    }
  },
  "[jsonc]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode"
  },
  "sops.binPath": "/run/current-system/sw/bin/sops",
  "editor.formatOnSave": true,
  "bashIde.explainshellEndpoint": "http://localhost:5000",
  "bashIde.shellcheckPath": "/run/current-system/sw/bin/shellcheck",
  "bashIde.shfmt.path": "/run/current-system/sw/bin/shfmt",
  "mise.binPath": "/etc/profiles/per-user/jahanson/bin/mise"
 }
--- a/README.md
+++ b/README.md
@ -2,23 +2,30 @@
 ## Goals
- [ ] Learn nix
+-   [ ] Learn nix
- [ ] Services I want to separate from my kubernetes cluster I will use Nix.
+-   [ ] Services I want to separate from my kubernetes cluster I will use Nix.
- [ ] Approval-based update automation for flakes.
+-   [ ] Approval-based update automation for flakes.
- [ ] Expand usage to other shell environments such as WSL, etc
+-   [ ] Expand usage to other shell environments such as WSL, etc
- [ ] keep it simple, use trusted boring tools
+-   [ ] keep it simple, use trusted boring tools
 ## TODO
- [x] Forgejo Actions
+-   [x] Forgejo Actions
- [ ] Bring over hosts
+-   [ ] Bring over hosts
-  - [x] Varda (forgejo)
+    -   [x] Varda (forgejo)
-  - [x] Thinkpad T470
+    -   [x] Thinkpad T470
-  - [x] Legion 15 AMD/Nvidia
+    -   [x] Legion 15 AMD/Nvidia
-  - [x] Telperion (network services)
+    -   [x] Telperion (network services)
-  - [ ] Gandalf (NixNAS)
+    -   [ ] Gandalf (NixNAS)
 ## Links & References
- [truxnell/dotfiles](https://github.com//truxnell/nix-config/)
+-   [truxnell/dotfiles](https://github.com//truxnell/nix-config/)
- [billimek/dotfiles](https://github.com/billimek/dotfiles/)
+-   [billimek/dotfiles](https://github.com/billimek/dotfiles/)
 ## Upgrading the borgmatic template for reference
 ```sh
 borgmatic config generate --source nixos/hosts/shadowfax/config/borgmatic/borgmatic-template.yaml --destination nixos/hosts/shadowfax/config/borgmatic/borgmatic-t
 emplate.yaml  --overwrite
 ```
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -1,14 +1,201 @@
 {
  description = "My NixOS flake";
  outputs = {
    self,
    nixpkgs,
    nixpkgs-unstable,
    sops-nix,
    home-manager,
    disko,
    lix-module,
    vscode-server,
    nvf,
    ...
  } @ inputs: let
    forAllSystems = nixpkgs.lib.genAttrs [
      "aarch64-linux"
      "x86_64-linux"
    ];
  in rec {
    # Use nixpkgs-fmt for 'nix fmt'
    formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixfmt-rfc-style);
    # setup devshells against shell.nix
    # devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
    # extend lib with my custom functions
    lib = nixpkgs.lib.extend (
      final: prev: {
        inherit inputs;
        myLib = import ./nixos/lib {
          inherit inputs;
          lib = final;
        };
      }
    );
    nixosConfigurations = let
      inherit inputs;
      # Import overlays for building nixosconfig with them.
      overlays = import ./nixos/overlays {inherit inputs;};
      # generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
      mkNixosConfig = {
        hostname,
        system ? "x86_64-linux",
        nixpkgs ? inputs.nixpkgs,
        disabledModules ? [],
        hardwareModules ? [],
        # basemodules is the base of the entire machine building
        # here we import all the modules and setup home-manager
        baseModules ? [
          sops-nix.nixosModules.sops
          home-manager.nixosModules.home-manager
          nvf.nixosModules.default
          ./nixos/profiles/global.nix # all machines get a global profile
          ./nixos/modules/nixos # all machines get nixos modules
          ./nixos/hosts/${hostname} # load this host's config folder for machine-specific config
          {
            inherit disabledModules;
            home-manager = {
              useUserPackages = true;
              useGlobalPkgs = true;
              extraSpecialArgs = {
                inherit inputs hostname system;
              };
            };
          }
        ],
        profileModules ? [],
      }: let
        pkgs = import nixpkgs {
          inherit system;
          overlays = builtins.attrValues overlays;
          config = {
            allowUnfree = true;
            allowUnfreePredicate = _: true;
          };
        };
      in
        nixpkgs.lib.nixosSystem {
          inherit system lib;
          modules = baseModules ++ hardwareModules ++ profileModules;
          specialArgs = {
            inherit self inputs nixpkgs;
            myPkgs = lib.myLib.mkMyPkgs pkgs;
          };
          inherit pkgs;
        };
    in {
      "shadowfax" = mkNixosConfig {
        # Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
        # Workloads server
        hostname = "shadowfax";
        system = "x86_64-linux";
        disabledModules = [
          "services/web-servers/minio.nix"
          "services/web-servers/caddy/default.nix"
        ];
        hardwareModules = [
          lix-module.nixosModules.default
          ./nixos/profiles/hw-threadripperpro.nix
        ];
        profileModules = [
          vscode-server.nixosModules.default
          "${nixpkgs-unstable}/nixos/modules/services/web-servers/minio.nix"
          "${nixpkgs-unstable}/nixos/modules/services/web-servers/caddy/default.nix"
          ./nixos/profiles/role-dev.nix
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
        ];
      };
      "telchar" = mkNixosConfig {
        # Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
        # Hyprland first, QEMU Windows second
        hostname = "telchar";
        system = "x86_64-linux";
        hardwareModules = [
          inputs.nixos-hardware.nixosModules.framework-16-7040-amd
          ./nixos/profiles/hw-framework-16-7840hs.nix
          disko.nixosModules.disko
          (import ./nixos/profiles/disko/simple-efi.nix)
          lix-module.nixosModules.default
        ];
        profileModules = [
          ./nixos/profiles/role-dev.nix
          ./nixos/profiles/role-workstation.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
        ];
      };
      "telperion" = mkNixosConfig {
        # HP-S01 Intel G5900
        # Network services server
        hostname = "telperion";
        system = "x86_64-linux";
        hardwareModules = [
          ./nixos/profiles/hw-hp-s01.nix
          disko.nixosModules.disko
          (import ./nixos/profiles/disko-nixos.nix {disks = ["/dev/nvme0n1"];})
        ];
        profileModules = [
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
        ];
      };
      "varda" = mkNixosConfig {
        # Arm64 cax21 @ Hetzner
        # forgejo server
        hostname = "varda";
        system = "aarch64-linux";
        hardwareModules = [
          ./nixos/profiles/hw-hetzner-cax.nix
        ];
        profileModules = [
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
        ];
      };
    };
    # Convenience output that aggregates the outputs for home, nixos.
    # Also used in ci to build targets generally.
    top = let
      nixtop = nixpkgs.lib.genAttrs (builtins.attrNames inputs.self.nixosConfigurations) (
        attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel
      );
    in
      nixtop;
  };
  nixConfig.extra-substituters = [
    "https://hsndev.cachix.org"
    "https://nix-community.cachix.org"
    "https://numtide.cachix.org"
    "https://hyprland.cachix.org"
  ];
  nixConfig.extra-trusted-public-keys = [
    "hsndev.cachix.org-1:vN1/XGBZtMLnTFYDmTLDrullgZHSUYY3Kqt+Yg/C+tE="
    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
    "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
    "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
  ];
  inputs = {
    # Nixpkgs and unstable
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-master.url = "github:nixos/nixpkgs/master";
-    # impermanence
+    # Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community.
-    # https://github.com/nix-community/impermanence
+    # https://git.lix.systems/lix-project/lix
-    impermanence.url = "github:nix-community/impermanence";
+    lix-module = {
      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Nix User Repository: User contributed nix packages
    nur.url = "github:nix-community/NUR";
@ -26,7 +213,7 @@
    # home-manager - Manage user configuration with nix
    # https://github.com/nix-community/home-manager
    home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
@ -44,13 +231,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # nix-index database
    # https://github.com/nix-community/nix-index-database
    nix-index-database = {
      url = "github:nix-community/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # nix-inspect - inspect nix derivations usingn a TUI interface
    # https://github.com/bluskript/nix-inspect
    nix-inspect = {
@ -59,18 +239,12 @@
    };
    # talhelper - A tool to help creating Talos kubernetes cluster
    # https://github.com/budimanjojo/talhelper
    talhelper = {
      url = "github:budimanjojo/talhelper";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    # Lix- Substitution of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community.
    # https://git.lix.systems/lix-project/lix
    lix-module = {
      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0.tar.gz";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # NixVirt for qemu & libvirt
    # https://github.com/AshleyYakeley/NixVirt
    nixvirt-git = {
@ -78,188 +252,48 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
-  };
+    # vscode-server - NixOS module for running vscode-server
    vscode-server.url = "github:nix-community/nixos-vscode-server";
-  outputs =
+    # nix-minecraft - Minecraft server management
-    { self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, ... } @ inputs:
+    # https://github.com/infinidoge/nix-minecraft
-    let
+    nix-minecraft = {
-      forAllSystems = nixpkgs.lib.genAttrs [
+      url = "github:Infinidoge/nix-minecraft";
-        "aarch64-linux"
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
        "x86_64-linux"
      ];
    in
    rec {
      # Use nixpkgs-fmt for 'nix fmt'
      formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
      # setup devshells against shell.nix
      # devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
      # extend lib with my custom functions
      lib = nixpkgs.lib.extend (
        final: prev: {
          inherit inputs;
          myLib = import ./nixos/lib { inherit inputs; lib = final; };
        }
      );
      nixosConfigurations =
        let
          inherit inputs;
          # Import overlays for building nixosconfig with them.
          overlays = import ./nixos/overlays { inherit inputs; };
          # generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
          mkNixosConfig =
            { hostname
            , system ? "x86_64-linux"
            , nixpkgs ? inputs.nixpkgs
            , hardwareModules ? [ ]
              # basemodules is the base of the entire machine building
              # here we import all the modules and setup home-manager
            , baseModules ? [
                sops-nix.nixosModules.sops
                home-manager.nixosModules.home-manager
                impermanence.nixosModules.impermanence
                ./nixos/profiles/global.nix # all machines get a global profile
                ./nixos/modules/nixos # all machines get nixos modules
                ./nixos/hosts/${hostname}   # load this host's config folder for machine-specific config
                {
                  home-manager = {
                    useUserPackages = true;
                    useGlobalPkgs = true;
                    extraSpecialArgs = {
                      inherit inputs hostname system;
                    };
                  };
                }
              ]
            , profileModules ? [ ]
            }:
            nixpkgs.lib.nixosSystem {
              inherit system lib;
              modules = baseModules ++ hardwareModules ++ profileModules;
              specialArgs = { inherit self inputs nixpkgs; };
              # Add our overlays
              pkgs = import nixpkgs {
                inherit system;
                overlays = builtins.attrValues overlays;
                config = {
                  allowUnfree = true;
                  allowUnfreePredicate = _: true;
                };
              };
            };
        in
        {
          "durincore" = mkNixosConfig {
            # T470 Thinkpad Intel i7-6600U
            # Nix dev laptop
            hostname = "durincore";
            system = "x86_64-linux";
            hardwareModules = [
              ./nixos/profiles/hw-thinkpad-t470.nix
              inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
            ];
            profileModules = [
              ./nixos/profiles/role-workstation.nix
              ./nixos/profiles/role-dev.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
            ];
          };
          "legiondary" = mkNixosConfig {
            # Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
            # Nix dev/gaming laptop
            hostname = "legiondary";
            system = "x86_64-linux";
            hardwareModules = [
              inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
              ./nixos/profiles/hw-legion-15arh05h.nix
              disko.nixosModules.disko
              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
            ];
            profileModules = [
              ./nixos/profiles/role-dev.nix
              ./nixos/profiles/role-gaming.nix
              ./nixos/profiles/role-workstation.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
            ];
          };
          "telchar" = mkNixosConfig {
            # Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
            # Nix dev laptop
            hostname = "telchar";
            system = "x86_64-linux";
            hardwareModules = [
              inputs.nixos-hardware.nixosModules.framework-16-7040-amd
              ./nixos/profiles/hw-framework-16-7840hs.nix
              disko.nixosModules.disko
              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
              lix-module.nixosModules.default
            ];
            profileModules = [
              ./nixos/profiles/role-dev.nix
              ./nixos/profiles/role-workstation.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
            ];
          };
          "varda" = mkNixosConfig {
            # Arm64 cax21 @ Hetzner
            # forgejo server
            hostname = "varda";
            system = "aarch64-linux";
            hardwareModules = [
              ./nixos/profiles/hw-hetzner-cax.nix
            ];
            profileModules = [
              ./nixos/profiles/role-server.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
            ];
          };
          "telperion" = mkNixosConfig {
            # HP-S01 Intel G5900
            # Network services server
            hostname = "telperion";
            system = "x86_64-linux";
            hardwareModules = [
              ./nixos/profiles/hw-hp-s01.nix
              disko.nixosModules.disko
              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
            ];
            profileModules = [
              ./nixos/profiles/role-server.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
            ];
          };
          "gandalf" = mkNixosConfig {
            # X9DRi-LN4+/X9DR3-LN4+ - Intel(R) Xeon(R) CPU E5-2650 v2
            # NAS
            hostname = "gandalf";
            system = "x86_64-linux";
            hardwareModules = [
              lix-module.nixosModules.default
              ./nixos/profiles/hw-supermicro.nix
            ];
            profileModules = [
              ./nixos/profiles/role-server.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
            ];
          };
        };
      # Convenience output that aggregates the outputs for home, nixos.
      # Also used in ci to build targets generally.
      top =
        let
          nixtop = nixpkgs.lib.genAttrs
            (builtins.attrNames inputs.self.nixosConfigurations)
            (attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel);
        in
        nixtop;
    };
    # Hyprland
    hyprland = {
      url = "github:hyprwm/Hyprland";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Hyprlock
    hyprlock = {
      url = "github:hyprwm/hyprlock";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Hyprland plugins
    hyprland-plugins = {
      url = "github:hyprwm/hyprland-plugins";
      inputs.hyprland.follows = "hyprland";
    };
    # Hyprland AGS (Application Grouping System)
    ags.url = "github:Aylur/ags/v1";
    # nvf -  A highly modular, extensible and distro-agnostic Neovim configuration framework for Nix/NixOS.
    nvf.url = "github:notashelf/nvf";
    # Zen Browser
    zen-browser.url = "github:0xc000022070/zen-browser-flake";
    # Buildbot for Nix
    buildbot-nix = {
      url = "github:nix-community/buildbot-nix";
    };
    # Ghostty 👻 - Awesome terminal that uses GPU acceleration
    ghostty = {
      url = "github:ghostty-org/ghostty/v1.1.2";
    };
  };
 }
--- a/nixos/home/jahanson/global.nix
+++ b/nixos/home/jahanson/global.nix
@ -1,18 +1,34 @@
 { pkgs, config, ... }:
 with config;
 {
  pkgs,
  config,
  ...
 }: {
  imports = [
    ../modules
  ];
  config = {
-    myHome.username = "jahanson";
+    myHome = {
-    myHome.homeDirectory = "/home/jahanson/";
+      username = "jahanson";
      homeDirectory = "/home/jahanson/";
      shell = {
        atuind.enable = true;
        starship.enable = true;
        fish.enable = true;
      };
    };
    systemd.user.sessionVariables = {
      EDITOR = "vim";
    };
    # Home Manager
    ## Tasks, env, and secrets management.
    programs.mise = {
      enable = true;
      package = pkgs.unstable.mise;
    };
    home = {
      # Install these packages for my user
      packages = with pkgs; [
@ -33,39 +49,41 @@ with config;
        p7zip
        # cli
        _1password
        bat
        dbus
        direnv
        git
        nix-index
        python3
        pipx
        fzf
        ripgrep
        vim
        lsd
        unstable.atuin
        # terminal file managers
        nnn
        ranger
-        yazi
+        unstable.yazi-unwrapped
        # networking tools
        iperf3
-        dnsutils  # `dig` + `nslookup`
+        dnsutils # `dig` + `nslookup`
        ldns # replacement of `dig`, it provide the command `drill`
        aria2 # A lightweight multi-protocol & multi-source command-line download utility
        socat # replacement of openbsd-netcat
        nmap # A utility for network discovery and security auditing
-        ipcalc  # it is a calculator for the IPv4/v6 addresses
+        ipcalc # it is a calculator for the IPv4/v6 addresses
        # system tools
        sysstat
        lm_sensors # for `sensors` command
-        ethtool
+        ethtool # modify network interface settings or firmware
        pciutils # lspci
        usbutils # lsusb
        lshw # lshw
        # filesystem tools
        gptfdisk # sgdisk
        # system call monitoring
        strace # system call monitoring
@ -82,13 +100,11 @@ with config;
        # nix tools
        nvd
        # backup tools
        unstable.rclone
        unstable.restic
      ];
      sessionVariables = {
        EDITOR = "vim";
      };
    };
  };
 }
--- a/nixos/home/jahanson/server.nix
+++ b/nixos/home/jahanson/server.nix
@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
 {
  imports = [
    ./global.nix
  ];
--- a/nixos/home/jahanson/workstation.nix
+++ b/nixos/home/jahanson/workstation.nix
@ -1,52 +1,50 @@
-{ pkgs, config, ... }:
+{pkgs, ...}: {
 with config;
 {
  imports = [
    ./global.nix
  ];
-
+  config = {
-  myHome.programs.firefox.enable = true;
+    # Custom Home Manager Configuration
-
+    myHome = {
-  myHome.shell = {
+      de.hyprland.enable = true;
-    starship.enable = true;
+      programs = {
-    fish.enable = true;
+        firefox.enable = true;
-    wezterm.enable = true;
+        thunderbird.enable = true;
-    atuind.enable = true;
+      };
-
+      shell = {
-    git = {
+        git = {
-      enable = true;
+          enable = true;
-      username = "Joseph Hanson";
+          username = "Joseph Hanson";
-      email = "joe@veri.dev";
+          email = "joe@veri.dev";
-      signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
+          signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
        };
      };
    };
  };
-  home = {
+    # Home Manager Configuration
-    # Install these packages for my user
+    home = {
-    packages = with pkgs;
+      # Install these packages for my user
-      [
+      packages = with pkgs; [
-        #apps
+        # apps
-        _1password-gui
+        # parsec-bin
-        discord
+        solaar # open source manager for logitech unifying receivers
-        flameshot
+        unstable.bruno
        # unstable.fractal
        unstable.obsidian
        unstable.httpie
        unstable.jetbrains.datagrip
        unstable.jetbrains.rust-rover
        unstable.seabird
        unstable.talosctl # overlay override
        unstable.telegram-desktop
        unstable.tidal-hifi
        # unstable.xpipe
        # unstable.vesktop # gpu issues. Using the flatpak version solves this issue.
        vlc
-        warp-terminal
+        yt-dlp
        termius
        obsidian
        jetbrains.datagrip
        talosctl
        pika-backup
        parsec-bin
        unstable.nheko
        # cli
        brightnessctl
        # dev utils
        pre-commit # Pre-commit tasks for git
        minio-client # S3 management
        shellcheck # shell script linting
        unstable.act
      ];
    };
  };
 }
--- a/nixos/home/modules/de/default.nix
+++ b/nixos/home/modules/de/default.nix
@ -0,0 +1,5 @@
 {...}: {
  imports = [
    ./hyprland.nix
  ];
 }
--- a/nixos/home/modules/de/hyprland.nix
+++ b/nixos/home/modules/de/hyprland.nix
@ -0,0 +1,91 @@
 {
  lib,
  config,
  pkgs,
  inputs,
  ...
 }:
 with lib; let
  cfg = config.myHome.de.hyprland;
 in {
  options.myHome.de.hyprland.enable = mkEnableOption "Hyprland";
  imports = [inputs.ags.homeManagerModules.default];
  config = mkIf cfg.enable {
    # Downloads the Theme Resources
    home.packages = with pkgs; [
      andromeda-gtk-theme
      flat-remix-icon-theme
      bibata-cursors
    ];
    # 'Installs' (sym-links) the Theme Resources
    home.file = {
      ".themes/Andromeda".source = "${pkgs.andromeda-gtk-theme}/share/themes/Andromeda";
      ".icons/Flat-Remix-Blue-Dark".source = "${pkgs.flat-remix-icon-theme}/share/icons/Flat-Remix-Blue-Dark";
      ".icons/Bibata-Modern-Ice".source = "${pkgs.bibata-cursors}/share/icons/Bibata-Modern-Ice";
    };
    # Theme settings
    gtk = {
      enable = true;
      # Some apps just need the good ol' ini files.
      gtk3.extraConfig = {
        gtk-application-prefer-dark-theme = 1;
        gtk-theme-name = "Andromeda";
        gtk-icon-theme-name = "Flat-Remix-Blue-Dark";
        gtk-font-name = "Fira Code Semi-Bold 14";
        gtk-cursor-theme-name = "Bibata-Modern-Ice";
        gtk-cursor-theme-size = 24;
        gtk-toolbar-style = "GTK_TOOLBAR_ICONS";
        gtk-toolbar-icon-size = "GTK_ICON_SIZE_LARGE_TOOLBAR";
        gtk-button-images = 1;
        gtk-menu-images = 1;
        gtk-enable-event-sounds = 1;
        gtk-enable-input-feedback-sounds = 0;
        gtk-xft-antialias = 1;
        gtk-xft-hinting = 1;
        gtk-xft-hintstyle = "hintslight";
        gtk-xft-rgba = "rgb";
      };
      gtk4.extraConfig = {
        gtk-application-prefer-dark-theme = "1";
        gtk-theme-name = "Andromeda";
        gtk-icon-theme-name = "Flat-Remix-Blue-Dark";
        gtk-font-name = "Fira Code Semi-Bold 14";
        gtk-cursor-theme-name = "Bibata-Modern-Ice";
        gtk-cursor-theme-size = 24;
        gtk-toolbar-style = "GTK_TOOLBAR_ICONS";
        gtk-toolbar-icon-size = "GTK_ICON_SIZE_LARGE_TOOLBAR";
        gtk-button-images = 1;
        gtk-menu-images = 1;
        gtk-enable-event-sounds = 1;
        gtk-enable-input-feedback-sounds = 0;
        gtk-xft-antialias = 1;
        gtk-xft-hinting = 1;
        gtk-xft-hintstyle = "hintslight";
        gtk-xft-rgba = "rgb";
      };
    };
    # Wayland and apps pull from dconf since we're using the gtk portal.
    dconf.settings = {
      "org/gnome/desktop/interface" = {
        color-scheme = "prefer-dark";
        cursor-size = 24;
        cursor-theme = "Bibata-Modern-Ice";
        gtk-theme = "Andromeda";
        icon-theme = "Flat-Remix-Blue-Dark";
      };
    };
    programs.ags = {
      enable = true;
      # I don't want Home Manager to manage these config files.
      # Just setup the programs.
      configDir = null;
      extraPackages = with pkgs; [
        gtksourceview
        webkitgtk_6_0
        accountsservice
      ];
    };
  };
 }
--- a/nixos/home/modules/default.nix
+++ b/nixos/home/modules/default.nix
@ -1,6 +1,6 @@
-{ lib, ... }: {
+{lib, ...}: {
  imports = [
    ./de
    ./shell
    ./programs
    ./security
@ -32,5 +32,4 @@
      allowUnfree = true;
    };
  };
 }
--- a/nixos/home/modules/programs/browsers/default.nix
+++ b/nixos/home/modules/programs/browsers/default.nix
@ -1,4 +1,4 @@
-{ ... }: {
+{...}: {
  imports = [
    ./firefox
  ];
--- a/nixos/home/modules/programs/browsers/firefox/default.nix
+++ b/nixos/home/modules/programs/browsers/firefox/default.nix
@ -1,32 +1,25 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.myHome.programs.firefox;
 in
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.myHome.programs.firefox;
 in {
  options.myHome.programs.firefox.enable = mkEnableOption "Firefox";
-  config = mkIf cfg.enable
+  config = mkIf cfg.enable {
-    {
+    programs.firefox = {
-      programs.firefox = {
+      enable = true;
-        enable = true;
+      package = pkgs.firefox.override {
-        package = pkgs.firefox.override
+        extraPolicies = {
-          {
+          DontCheckDefaultBrowser = true;
-            extraPolicies = {
+          DisablePocket = true;
-              DontCheckDefaultBrowser = true;
+        };
              DisablePocket = true;
              # See nixpkgs' firefox/wrapper.nix to check which options you can use
              nativeMessagingHosts = [
                # Gnome shell native connector
                pkgs.gnome-browser-connector
                # plasma connector
                # plasma5Packages.plasma-browser-integration
              ];
            };
          };
        policies = import ./policies.nix;
        profiles.default = import ./profile-default.nix { inherit pkgs; };
      };
      policies = import ./policies.nix;
      profiles.default = import ./profile-default.nix {inherit pkgs;};
    };
  };
 }
--- a/nixos/home/modules/programs/browsers/firefox/policies.nix
+++ b/nixos/home/modules/programs/browsers/firefox/policies.nix
@ -8,9 +8,9 @@
    Fingerprinting = true;
  };
  DisablePocket = true;
-  # DisableFirefoxAccounts = true;
+  DisableFirefoxAccounts = true;
-  # DisableAccounts = true;
+  DisableAccounts = true;
-  # DisableFirefoxScreenshots = true;
+  DisableFirefoxScreenshots = true;
  # OverrideFirstRunPage = "";
  OverridePostUpdatePage = "";
  DontCheckDefaultBrowser = true;
--- a/nixos/home/modules/programs/browsers/firefox/profile-default.nix
+++ b/nixos/home/modules/programs/browsers/firefox/profile-default.nix
@ -1,5 +1,4 @@
-{ pkgs }:
+{pkgs}: {
 {
  id = 0;
  name = "default";
  isDefault = true;
@ -11,22 +10,21 @@
    # 2 => the last page viewed in Firefox
    # 3 => previous session windows and tabs
    "browser.startup.page" = "3";
    "browser.send_pings" = false;
    # Do not track
    "privacy.donottrackheader.enabled" = "true";
    "privacy.donottrackheader.value" = 1;
    "browser.display.use_system_colors" = "true";
    "browser.display.use_document_colors" = "false";
    "devtools.theme" = "dark";
    "extensions.pocket.enabled" = false;
  };
  extensions = with pkgs.nur.repos.rycee.firefox-addons; [
    ublock-origin
    privacy-badger
    link-cleaner
    refined-github
    kagi-search
    languagetool
    onepassword-password-manager
    streetpass-for-mastodon
    dearrow
    sponsorblock
  ];
 }
--- a/nixos/home/modules/programs/de/gnome/default.nix
+++ b/nixos/home/modules/programs/de/gnome/default.nix
@ -1,46 +0,0 @@
 # Adjusted manually from generated output of dconf2nix
 # https://github.com/gvolpe/dconf2nix
 { lib, pkgs, osConfig, ... }:
 with lib.hm.gvariant; {
  config = lib.mkIf osConfig.mySystem.de.gnome.enable {
    # add user packages
    home.packages = with pkgs;  [
      dconf2nix
    ];
    # worked out from dconf2nix
    # dconf dump / | dconf2nix > dconf.nix
    # can also dconf watch
    dconf.settings = {
      "org/gnome/mutter" = {
        edge-tiling = true;
        workspaces-only-on-primary = false;
      };
      "org/gnome/desktop/wm/preferences" = {
        workspace-names = [ "sys" "talk" "web" "edit" "run" ];
      };
      "org/gnome/shell" = {
        disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
        enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
        favorite-apps = [ "org.gnome.Nautilus.desktop" "vivaldi-stable.desktop" "termius-app.desktop" "dev.warp.Warp.desktop" "org.wezfurlong.wezterm.desktop" "obsidian.desktop" "org.gnome.Console.desktop" "code.desktop" "discord.desktop" ];
      };
      "org/gnome/nautilus/preferences" = {
        default-folder-viewer = "list-view";
      };
      "org/gnome/nautilus/icon-view" = {
        default-zoom-level = "small";
      };
      "org/gnome/desktop/interface" = {
        color-scheme = "prefer-dark";
      };
      "org/gnome/desktop/peripherals/touchpad" = {
        tap-to-click = false;
      };
      "org/gnome/desktop/interface" = {
        clock-format = "12h";
        show-battery-percentage = true;
      };
    };
  };
 }
--- a/nixos/home/modules/programs/default.nix
+++ b/nixos/home/modules/programs/default.nix
@ -1,6 +1,6 @@
-{ ... }: {
+{...}: {
  imports = [
    ./browsers
-    ./de
+    ./thunderbird
  ];
 }
--- a/nixos/home/modules/programs/thunderbird/default.nix
+++ b/nixos/home/modules/programs/thunderbird/default.nix
@ -0,0 +1,40 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  cfg = config.myHome.programs.thunderbird;
  policies = {
    ExtensionSettings = {
      "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
      "quickmove@mozilla.kewis.ch" = {
        # Quick folder move
        # https://addons.thunderbird.net/en-US/thunderbird/addon/quick-folder-move/
        install_url = "https://addons.thunderbird.net/thunderbird/downloads/latest/quick-folder-move/latest.xpi";
        installation_mode = "force_installed";
      };
      # https://addons.thunderbird.net/user-media/addons/_attachments/987716/minimize_on_close-2.0.1.4-tb.xpi
      "minimizeonclose@rsjtdrjgfuzkfg.com" = {
        # Minimize on Close
        # https://addons.thunderbird.net/en-US/thunderbird/addon/minimize-on-close/
        install_url = "https://addons.thunderbird.net/user-media/addons/_attachments/987716/minimize_on_close-2.0.1.4-tb.xpi";
        installation_mode = "force_installed";
      };
    };
  };
 in {
  options.myHome.programs.thunderbird.enable = lib.mkEnableOption "Thunderbird";
  config = lib.mkIf cfg.enable {
    programs.thunderbird = {
      enable = true;
      package = pkgs.thunderbird-128.override (old: {
        extraPolicies = (old.extrapPolicies or {}) // policies;
      });
      profiles.default.isDefault = true;
    };
  };
 }
--- a/nixos/home/modules/security/default.nix
+++ b/nixos/home/modules/security/default.nix
@ -1,4 +1,4 @@
-{ ... }: {
+{...}: {
  imports = [
    ./ssh
  ];
--- a/nixos/home/modules/security/ssh/default.nix
+++ b/nixos/home/modules/security/ssh/default.nix
@ -1,13 +1,16 @@
-{ config, lib, ... }:
+{
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.myHome.security.ssh;
-in
+in {
 {
  options.myHome.security.ssh = {
    enable = mkEnableOption "ssh";
    matchBlocks = mkOption {
      type = types.attrs;
-      default = { };
+      default = {};
    };
  };
--- a/nixos/home/modules/shell/atuind/default.nix
+++ b/nixos/home/modules/shell/atuind/default.nix
@ -1,31 +1,33 @@
 { config, pkgs, lib, ... }:
 with lib; let
  inherit (config.myHome) username homeDirectory;
  cfg = config.myHome.shell.atuind;
 in
 {
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; let
  cfg = config.myHome.shell.atuind;
 in {
  options.myHome.shell.atuind = {
    enable = mkEnableOption "atuind";
  };
  config = mkMerge [
    (mkIf cfg.enable {
-      systemd.user.services.atuind =
+      systemd.user.services.atuind = {
-        {
+        Install = {
-          Install = {
+          WantedBy = ["default.target"];
            WantedBy = [ "default.target" ];
          };
          Unit = {
            After = [ "network.target" ];
          };
          Service = {
            Environment = "ATUIN_LOG=info";
            ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
            # Remove the socket file if the daemon is not running. 
            # Unexpected shutdowns may have left this file here.
            ExecStartPre="/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
          };
        };
        Unit = {
          After = ["network.target"];
        };
        Service = {
          Environment = "ATUIN_LOG=info";
          ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
          # Remove the socket file if the daemon is not running.
          # Unexpected shutdowns may have left this file here.
          ExecStartPre = "/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
        };
      };
    })
  ];
 }
--- a/nixos/home/modules/shell/default.nix
+++ b/nixos/home/modules/shell/default.nix
@ -1,4 +1,4 @@
-{ ... }: {
+{...}: {
  imports = [
    ./atuind
    ./fish
--- a/nixos/home/modules/shell/fish/default.nix
+++ b/nixos/home/modules/shell/fish/default.nix
@ -1,9 +1,13 @@
-{ config, pkgs, lib, ... }:
+{
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; let
  inherit (config.myHome) username homeDirectory;
  cfg = config.myHome.shell.fish;
-in
+in {
 {
  options.myHome.shell.fish = {
    enable = mkEnableOption "fish";
  };
@ -21,14 +25,26 @@ in
          lt = "${pkgs.lsd}/bin/lsd --tree";
          lla = "${pkgs.lsd}/bin/lsd -la";
          tm = "tmux attach -t (basename $PWD) || tmux new -s (basename $PWD)";
          lsusb = "cyme --headings --tree --hide-buses";
          x = "exit";
          ncdu = "ncdu --color dark";
        };
        shellAbbrs = {
-          nrs = "sudo nixos-rebuild switch --flake .";
+          nrs = "sudo nixos-rebuild switch --flake . --show-trace --accept-flake-config";
          nfc = "nix flake check --show-trace --accept-flake-config";
          nvdiff = "nvd diff /run/current-system result";
        };
        functions = {
          nix-which = {
            body = ''
              set -l cmd $argv[1]
              nix-locate --whole-name --type x --type s "$cmd"
            '';
          };
        };
        interactiveShellInit = ''
          # Erase fish_mode_prompt function
          functions -e fish_mode_prompt
@ -47,10 +63,12 @@ in
            end
          end
          # Krew
          set -q KREW_ROOT; and set -gx PATH $PATH $KREW_ROOT/.krew/bin; or set -gx PATH $PATH $HOME/.krew/bin
          # Paths are in reverse priority order
          update_path /opt/homebrew/opt/postgresql@16/bin
          update_path /opt/homebrew/bin
          update_path ${homeDirectory}/.krew/bin
          update_path /nix/var/nix/profiles/default/bin
          update_path /run/current-system/sw/bin
          update_path /etc/profiles/per-user/${username}/bin
@ -59,13 +77,41 @@ in
          update_path ${homeDirectory}/go/bin
          update_path ${homeDirectory}/.cargo/bin
          update_path ${homeDirectory}/.local/bin
          update_path ${homeDirectory}/.npm-packages/bin
          set -gx EDITOR "vim"
          if test (hostname) = "telchar"
            set -gx VISUAL "code"
          end
          set -gx SSH_ASKPASS_REQUIRE "prefer" # This is for git to use the ssh-askpass
          set -gx ATUIN_SYNC_ADDRESS "https://sh.hsn.dev"
          # Mise https://mise.jdx.dev
          mise activate fish | source
          # One Password cli
          if test -e ~/.config/op/plugins.sh
            source ~/.config/op/plugins.sh
          end
          set -gx LSCOLORS "Gxfxcxdxbxegedabagacad"
          set -gx LS_COLORS 'di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'
-          atuin init fish | source
+          set -l connection_type
          # Disable atuin up arrow and ctrl-r keybindings when running in a tty
          if test -z "$DISPLAY" && test -z "$WAYLAND_DISPLAY" && test -z "$SSH_CLIENT"
            atuin init fish --disable-up-arrow --disable-ctrl-r | source
          else
            atuin init fish | source
          end
          # Ghostty shell integration for Bash. This must be at the top of your fish!!!
          if set -q GHOSTTY_RESOURCES_DIR
              source "$GHOSTTY_RESOURCES_DIR/shell-integration/fish/vendor_conf.d/ghostty-shell-integration.fish"
          end
        '';
      };
--- a/nixos/home/modules/shell/git/default.nix
+++ b/nixos/home/modules/shell/git/default.nix
@ -1,8 +1,11 @@
 { pkgs, config, lib, ... }:
 let
  cfg = config.myHome.shell.git;
 in
 {
  pkgs,
  config,
  lib,
  ...
 }: let
  cfg = config.myHome.shell.git;
 in {
  options.myHome.shell.git = {
    enable = lib.mkEnableOption "git";
    username = lib.mkOption {
@ -18,51 +21,54 @@ in
  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
-      programs.gh.enable = true;
+      programs = {
-      programs.gpg.enable = true;
+        gh.enable = true;
        gpg.enable = true;
        git = {
          enable = true;
-      programs.git = {
+          userName = cfg.username;
-        enable = true;
+          userEmail = cfg.email;
-        userName = cfg.username;
+          extraConfig = {
-        userEmail = cfg.email;
+            core.autocrlf = "input";
-
+            init.defaultBranch = "main";
-        extraConfig = {
+            pull.rebase = true;
-          core.autocrlf = "input";
+            rebase.autoStash = true;
-          init.defaultBranch = "main";
+            # public key for signing commits
-          pull.rebase = true;
+            user.signingKey = cfg.signingKey;
-          rebase.autoStash = true;
+            # ssh instead of gpg
-          # public key for signing commits
+            gpg.format = "ssh";
-          user.signingKey = cfg.signingKey;
+            # 1password signing gui git signing
-          # ssh instead of gpg
+            gpg.ssh.program = "${pkgs._1password-gui}/bin/op-ssh-sign";
-          gpg.format = "ssh";
+            # Auto sign commits without -S
-          # 1password signing gui git signing
+            commit.gpgsign = true;
-          gpg.ssh.program = "${pkgs._1password-gui}/bin/op-ssh-sign";
+          };
-          # Auto sign commits without -S
+          aliases = {
-          commit.gpgsign = true;
+            co = "checkout";
          };
          ignores = [
            # Mac OS X hidden files
            ".DS_Store"
            # Windows files
            "Thumbs.db"
            # asdf
            ".tool-versions"
            # Sops
            ".decrypted~*"
            "*.decrypted.*"
            # Python virtualenvs
            ".venv"
            # Aider Chat
            ".aider*"
          ];
        };
        aliases = {
          co = "checkout";
        };
        ignores = [
          # Mac OS X hidden files
          ".DS_Store"
          # Windows files
          "Thumbs.db"
          # asdf
          ".tool-versions"
          # Sops
          ".decrypted~*"
          "*.decrypted.*"
          # Python virtualenvs
          ".venv"
        ];
      };
      home.packages = [
        pkgs.git-filter-repo
        pkgs.tig
-        pkgs.lazygit
+        pkgs.unstable.lazygit
      ];
    })
  ];
--- a/nixos/home/modules/shell/starship/default.nix
+++ b/nixos/home/modules/shell/starship/default.nix
@ -1,12 +1,14 @@
-{ lib
+{
-, config
+  lib,
-, ...
+  config,
  ...
 }:
 with lib; let
  cfg = config.myHome.shell.starship;
-in
+in {
-{
+  options.myHome.shell.starship = {
-  options.myHome.shell.starship = { enable = mkEnableOption "starship"; };
+    enable = mkEnableOption "starship";
  };
  config = mkIf cfg.enable {
    programs.starship = {
--- a/nixos/home/modules/shell/wezterm/default.nix
+++ b/nixos/home/modules/shell/wezterm/default.nix
@ -1,8 +1,12 @@
-{ config, pkgs, lib, ... }:
+{
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; let
  cfg = config.myHome.shell.wezterm;
-in
+in {
 {
  options.myHome.shell.wezterm = {
    enable = mkEnableOption "wezterm";
    configPath = mkOption {
--- a/nixos/hosts/durincore/default.nix
+++ b/nixos/hosts/durincore/default.nix
@ -1,39 +0,0 @@
 { ... }: {
  config = {
    networking.hostId = "ad4380db";
    networking.hostName = "durincore";
    # Kernel mods
    boot = {
      initrd = {
        availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
        kernelModules = [ ];
      };
      kernelModules = [ "kvm-intel" ];
      extraModulePackages = [ ];
    };
    fileSystems."/" =
      { device = "rpool/root";
        fsType = "zfs";
      };
    fileSystems."/home" =
      { device = "rpool/home";
        fsType = "zfs";
      };
    fileSystems."/boot" =
      { device = "/dev/disk/by-uuid/F1B9-CA7C";
        fsType = "vfat";
        options = [ "fmask=0077" "dmask=0077" ];
      };
    swapDevices = [ ];
    # System settings and services.
    mySystem = {
      system.motd.networkInterfaces = [ "enp0s31f6" "wlp4s0" ];
    };
  };
 }
--- a/nixos/hosts/gandalf/config/samba-config.nix
+++ b/nixos/hosts/gandalf/config/samba-config.nix
@ -1,11 +0,0 @@
 { ... }:
 ''
  workgroup = WORKGROUP
  server string = gandalf
  netbios name = gandalf
  security = user 
  # note: localhost is the ipv6 localhost ::1
  hosts allow = 0.0.0.0/0
  guest account = nobody
  map to guest = bad user
 ''
--- a/nixos/hosts/gandalf/default.nix
+++ b/nixos/hosts/gandalf/default.nix
@ -1,105 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, modulesPath, inputs, ... }:
 let 
  sanoidConfig = import ./config/sanoid.nix { };
 in
 {
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
      inputs.disko.nixosModules.disko
      (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
    ];
  boot = {
    initrd = {
      availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "isci" "usbhid" "usb_storage" "sd_mod" ];
      kernelModules = [ "nfs" ];
      supportedFilesystems = [ "nfs" ];
    };
    kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
    extraModulePackages = [ ];
    kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
  ];
  # Network settings
  networking = {
    hostName = "gandalf";
    hostId = "e2fc95cd";
    useDHCP = false; # needed for bridge
    networkmanager.enable = true;
    # TODO: Add ports specifically.
    # firewall.enable = false;
    interfaces = {
      "enp130s0f0".useDHCP = true;
      "enp130s0f1".useDHCP = true;
    };
    # For VMs
    bridges = {
      "br0" = {
        interfaces = [ "enp130s0f1" ];
      };
    };
  };
  swapDevices = [ ];
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  sops = {
    secrets = {
      "lego/dnsimple/token" = {
        mode = "0444";
        sopsFile = ./secrets.sops.yaml;
      };
    };
  };
  # System settings and services.
  mySystem = {
    purpose = "Production";
    system = {
      motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
      # ZFS
      zfs.enable = true;
      zfs.mountPoolsAtBoot = [ "eru" ];
      # NFS
      nfs.enable = true;
      # Samba
      samba.enable = true;
      samba.shares = import ./config/samba-shares.nix { };
      samba.extraConfig = import ./config/samba-config.nix { };
    };
    services = {
      podman.enable = true;
      libvirt-qemu.enable = true;
      # Sanoid
      sanoid = {
        enable = true;
        inherit (sanoidConfig.outputs) templates datasets;
      };
      # Unifi & Lego-Auto
      unifi.enable = true;
      lego-auto = {
        enable = true;
        dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
        domains = "gandalf.jahanson.tech";
        email = "joe@veri.dev";
        provider = "dnsimple";
      };
    };
  };
 }
--- a/nixos/hosts/gandalf/secrets.sops.yaml
+++ b/nixos/hosts/gandalf/secrets.sops.yaml
@ -1,77 +0,0 @@
 lego:
    dnsimple:
        token: ENC[AES256_GCM,data:CfRFhGE8AyZfO9RzoXXTfm8kstvx+Fuy53o9ulYNZiufzzSQ4KzwYIoCRw==,iv:HEC8hRpmk7YDI7RHj29ZAeFKyPgsWTHw1sxjdZuhcrw=,tag:7RhEhZ9GkyBE9PJRe+gD+Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZVhNdGh2c3dpYWU2TDNJ
            M2Vyb29jQ2xHMXBKVk10dkhWVUFmVkpmV2tnCjF5ZnBBcGtkZjFYbU0zQXNNRCti
            QzVKOGR2OUQvRXVvOXZlb1I0V00rcWsKLS0tIElHeHhkSmt5UkZhTjk1dkFSbUp0
            M1BiUzZkU0pDbHVQNC9yQ3pzSU5INm8KcRB4uY0PHnDfc4bJZwqkK/S7FbEXuxEu
            ot9oVR4sZBs7Uhi5Ixz7Kmk9dBJ+E9dWPxDeYhYo3V0Tq77h1vVOyg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNalVRWXVGN0hqZDdYUDVZ
            TVRwVHJsTEJoTVIzenFuY0dnTWs1bnRHZnhzCnNPTnJ1Uk92aVRaMlA4VTRYbXNh
            MW5ycEUzUVk0RW1Iby9kWjQ1cTVXWDgKLS0tIDdVaTcvNm9Ca2hTMzBlSGZVUnZN
            a2U1ZjIwRWx1bWp6TktablBqMUduUmMKCFT9vPMu/fob5SQG1004925OB1KNhsUm
            obph/984DUTQxk6IvnJ7fPrnFwL5yY1azdybjPlwGw6o5SmwKpxWBQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RjUvSFJqNGxieVZiVE9q
            NjB4RHcraXk5TnJtN1RSNXZSMlEwbjgxaUZVCjRxUGUwTjBFSU9nTHpRbWpmVkRQ
            cllyei9URXYyRGgrTGdjWXRSZmpRYnMKLS0tIHNQOXpkZnI5b200d0JiSVI2N1BU
            MS9MRW5ocGRMWXdBL0E5N00zbGZzVFEKxeMB0/opzFTnlSBK1vEsLqQ0qIDhOuw5
            S+g8eYTVXSIs/3TMUnOJxDezAG2l00vyWryPw2sGOnqgZCnF9VB/mw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzJDWHhIT2tSekxpWmFR
            cVFocEl6N0VWM2FYVC9FeE9zeG0wYUhnazJRCllsdlFVZXR0YTA2T2h0ZUVienpQ
            MmhJVTkwd1Q4VjNVaWxkL0lVTEVLemsKLS0tIHVqMHhQaW55MHBsVmc5TjJjT1Jy
            RXdOeXk0NFJuL1ZKTUt3dXdkdlpLenMKmlQ0k9CmSWQ7MqueMbmd/TqYyQiDFZ0G
            FPtUIFWxxPY79vsEHq3kxyz4CGMUv7tYx00OK6niLgLZUStd/3Bxmw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWTk5S2VkQmNnNjIwQ05y
            TkR2MjdnY1pGMVZpT2dadE5icjIvRWtnT2pVClRCcTVHa3BaMGRDWTgzNE5zQzBq
            MWRWWi83b0k3OUo5WXhHTVRZSmovMWMKLS0tIFF4UlNtNVFkd3phTzd6R2FuY0Js
            VWpzZTdXSWpiV2tRbnc5VlVWM3FCak0KQGy+ZWdvEh09y9z1Dj3GTVyeAJ5notCH
            ujbOfaly8e9E2g4uOxISxyFe39xlOZd6zEInZ5qiKPrZz37ASChBkA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZDNFa0U4MWs0dmVkZXhi
            V3JjdXIrTTdkamkzRW1jU0wzNnluQ0lJbmpNCkcxNUNwc3ZxMXJreXBxNUlaR0xN
            RmFDZ3RIaVU5aCttS3Q5dWo0QUovVDgKLS0tIEVJQm1xWE80OVRyWUxkMzFXRHBp
            RlJTZjgzQ3pDVHRPQ2dFbHBqdzA3N0EKGBFnnJMqUrbaIviqpX4CP4Ps45Lk/Yyn
            fpVxSlwjOHNDwQ4ojUjv11FRo9WHUTGACFniUtvYc0oaLNygNgf8+Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodERMdDN4cVRiS0tVck5h
            N3RySnRtSXJHZEthRWZNcENrNXY4bHNHa0R3Cm1HL0lzWnpocWhXNDV3RFRxL1ZG
            dWlCQWtzMEZlRnNML2NrOUVPSVRTcHMKLS0tIEsrbk5VOUZhbDFRRHRuWW56TjE1
            V1d0d1lKb3hyYVQ4elBIZ0hnU3FTbnMKiWERjAwlJRPK+PILCBV03uyNVnNgolA8
            PS0vbIDVNiX0pIrRlM2sVivZwqajjTB3XROXMmbIKpQxDMjvpHgqJA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-07-15T23:16:58Z"
    mac: ENC[AES256_GCM,data:OQn/8yJX1xRapEUflwUHaHabt8i1EbK27vAM5mJge5n/y2+G7xYfpt2YsRUikogl1q4hqSGLe12WFYdG3TXqD5aBnwnf8if0Cax2wcjcm0ybcuWflXgZbtjWnVKV9w1Y8LCXpMd129VeeqysrY/lThRjXk1ByBcfbZ/RMZOyWOw=,iv:9mn0FH39xgFXisuEZrERhsjXCM7nQhMSoNdNTuGoHXc=,tag:T7AgJ8fYKVLDtRPm794AAg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/nixos/hosts/shadowfax/config/Caddyfile
+++ b/nixos/hosts/shadowfax/config/Caddyfile
@ -0,0 +1,14 @@
 redeye.hsn.dev {
 	log {
 		output file /var/log/caddy/redeye.hsn.dev.log
 	}
 	tls {
 		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
 	}
 	reverse_proxy {
 		transport http {
 			tls_insecure_skip_verify
 		}
 		to http://127.0.0.1:11080
 	}
 }
--- a/nixos/hosts/shadowfax/config/borgmatic/borgmatic-template.yaml
+++ b/nixos/hosts/shadowfax/config/borgmatic/borgmatic-template.yaml
--- a/nixos/hosts/shadowfax/config/borgmatic/default.nix
+++ b/nixos/hosts/shadowfax/config/borgmatic/default.nix
@ -0,0 +1,12 @@
 {lib, ...}:
 # Includes all files with .nix suffix in the current directory except default.nix
 let
  dir = ./.;
  files = lib.filterAttrs (
    name: type:
      type == "regular" && name != "default.nix" && lib.hasSuffix ".nix" name
  ) (builtins.readDir dir);
  imports = map (name: "${dir}/${name}") (builtins.attrNames files);
 in {
  imports = imports;
 }
--- a/nixos/hosts/shadowfax/config/borgmatic/jellyfin.nix
+++ b/nixos/hosts/shadowfax/config/borgmatic/jellyfin.nix
@ -0,0 +1,40 @@
 {
  config,
  pkgs,
  ...
 }: {
  mySystem.services.borgmatic = {
    configurations.jellyfin = {
      source_directories = [
        "/nahar/containers/volumes/jellyfin"
      ];
      repositories = [
        {
          label = "local";
          path = "/eru/borg/jellyfin";
        }
        {
          label = "remote";
          path = "ssh://uy5oy4m3@uy5oy4m3.repo.borgbase.com/./repo";
        }
      ];
      ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgmatic/jellyfin/append_key".path}";
      encryption_passcommand = ''${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgmatic/jellyfin/encryption_passphrase".path}'';
      # Retention settings
      keep_daily = 14;
      exclude_patterns = [
        "*/Cache/*"
      ];
      zfs = {
        zfs_command = "${pkgs.zfs}/bin/zfs";
        mount_command = "${pkgs.util-linux}/bin/mount";
        umount_command = "${pkgs.util-linux}/bin/umount";
      };
    };
  };
 }
--- a/nixos/hosts/shadowfax/config/borgmatic/plex.nix
+++ b/nixos/hosts/shadowfax/config/borgmatic/plex.nix
@ -0,0 +1,40 @@
 {
  config,
  pkgs,
  ...
 }: {
  mySystem.services.borgmatic = {
    configurations.plex = {
      source_directories = [
        "/nahar/containers/volumes/plex"
      ];
      repositories = [
        {
          label = "local";
          path = "/eru/borg/plex";
        }
        {
          label = "remote";
          path = "ssh://kvq39z04@kvq39z04.repo.borgbase.com/./repo";
        }
      ];
      ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgmatic/plex/append_key".path}";
      encryption_passcommand = ''${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgmatic/plex/encryption_passphrase".path}'';
      # Retention settings
      keep_daily = 14;
      exclude_patterns = [
        "*/Cache/*"
      ];
      zfs = {
        zfs_command = "${pkgs.zfs}/bin/zfs";
        mount_command = "${pkgs.util-linux}/bin/mount";
        umount_command = "${pkgs.util-linux}/bin/umount";
      };
    };
  };
 }
--- a/nixos/hosts/shadowfax/config/disks.nix
+++ b/nixos/hosts/shadowfax/config/disks.nix
@ -0,0 +1,32 @@
 [
  # zroot
  "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"
  # nahar
  "/dev/nvme0"
  "/dev/nvme1"
  "/dev/nvme2"
  "/dev/nvme3"
  "/dev/nvme4"
  "/dev/nvme5"
  # moria
  "/dev/disk/by-id/scsi-35000cca23bc8a504"
  "/dev/disk/by-id/scsi-35000cca23bd29918"
  "/dev/disk/by-id/scsi-35000cca23bd29970"
  "/dev/disk/by-id/scsi-35000cca2524cc70c"
  "/dev/disk/by-id/scsi-35000cca2524e03f4"
  "/dev/disk/by-id/scsi-35000cca2525680dc"
  "/dev/disk/by-id/scsi-35000cca25256b484"
  # eru
  "/dev/disk/by-id/scsi-350000c0f02f0830c" # unused
  "/dev/disk/by-id/scsi-350000c0f01e7d190" # unused
  "/dev/disk/by-id/scsi-350000c0f01ea443c"
  "/dev/disk/by-id/scsi-350000c0f01f8230c"
  "/dev/disk/by-id/scsi-35000c500586e5057"
  "/dev/disk/by-id/scsi-35000c500624a0ddb"
  "/dev/disk/by-id/scsi-35000c500624a1a8b"
  "/dev/disk/by-id/scsi-35000cca046135ad8"
  "/dev/disk/by-id/scsi-35000cca04613722c"
  "/dev/disk/by-id/scsi-35000cca0461810f8"
  "/dev/disk/by-id/scsi-35000cca04618b930"
  "/dev/disk/by-id/scsi-35000cca04618cec4"
 ]
--- a/nixos/hosts/shadowfax/config/incus-preseed.nix
+++ b/nixos/hosts/shadowfax/config/incus-preseed.nix
@ -0,0 +1,48 @@
 {...}: {
  config = {
    "core.https_address" = "10.1.1.61:8443"; # Need quotes around key
  };
  networks = [
    {
      config = {
        "ipv4.address" = "auto"; # Need quotes around key
        "ipv6.address" = "auto"; # Need quotes around key
      };
      description = "";
      name = "incusbr0";
      type = "";
      project = "default";
    }
  ];
  storage_pools = [
    {
      config = {
        source = "nahar/incus";
      };
      description = "";
      name = "default";
      driver = "zfs";
    }
  ];
  profiles = [
    {
      config = {};
      description = "";
      devices = {
        eth0 = {
          name = "eth0";
          network = "incusbr0";
          type = "nic";
        };
        root = {
          path = "/";
          pool = "default";
          type = "disk";
        };
      };
      name = "default";
    }
  ];
  projects = [];
  cluster = null;
 }
--- a/nixos/hosts/shadowfax/config/sanoid.nix
+++ b/nixos/hosts/shadowfax/config/sanoid.nix
@ -0,0 +1,41 @@
 {...}: {
  outputs = {
    # ZFS automated snapshots
    templates = {
      "production" = {
        autoprune = true;
        autosnap = true;
        hourly = 24;
        daily = 7;
        monthly = 12;
      };
    };
    datasets = {
      "nahar/qbittorrent" = {
        useTemplate = ["production"];
        recursive = true;
      };
      "nahar/sabnzbd" = {
        useTemplate = ["production"];
        recursive = true;
      };
      "nahar/containers/volumes/jellyfin" = {
        useTemplate = ["production"];
        recursive = true;
      };
      "nahar/containers/volumes/plex" = {
        useTemplate = ["production"];
        recursive = true;
      };
      "nahar/containers/volumes/scrutiny" = {
        useTemplate = ["production"];
        recursive = true;
      };
      "nahar/containers/volumes/scrypted" = {
        useTemplate = ["production"];
        recursive = true;
      };
    };
  };
 }
--- a/nixos/hosts/shadowfax/config/soft-serve.nix
+++ b/nixos/hosts/shadowfax/config/soft-serve.nix
@ -0,0 +1,46 @@
 {...}: {
  name = "Soft Serve";
  log = {
    format = "text";
    time_format = "2006-01-02 15:04:05";
  };
  ssh = {
    listen_addr = ":23231";
    public_url = "ssh://10.1.1.61:23231";
    key_path = "ssh/soft_serve_host_ed25519";
    client_key_path = "ssh/soft_serve_client_ed25519";
    max_timeout = 0;
    idle_timeout = 600;
  };
  git = {
    listen_addr = ":9418";
    public_url = "git://10.1.1.61";
    max_timeout = 0;
    idle_timeout = 3;
    max_connections = 32;
  };
  http = {
    listen_addr = ":23232";
    tls_key_path = null;
    tls_cert_path = null;
    public_url = "http://10.1.1.61:23232";
  };
  stats = {
    enabled = false;
    listen_addr = "10.1.1.61:23233";
  };
  db = {
    driver = "sqlite";
    data_source = "soft-serve.db?_pragma=busy_timeout(5000)&_pragma=foreign_keys(1)";
  };
  lfs = {
    enabled = true;
    ssh_enabled = false;
  };
  jobs = {
    mirror_pull = "@every 10m";
  };
  initial_admin_keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
  ];
 }
--- a/nixos/hosts/shadowfax/config/sops-secrets.nix
+++ b/nixos/hosts/shadowfax/config/sops-secrets.nix
@ -0,0 +1,230 @@
 {...}: {
  secrets = {
    # Minio
    "minio" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "minio";
      group = "minio";
      mode = "400";
      restartUnits = ["minio.service"];
    };
    # Syncthing
    "syncthing/publicCert" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = ["syncthing.service"];
    };
    "syncthing/privateKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = ["syncthing.service"];
    };
    # Prowlarr
    "arr/prowlarr/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    "arr/prowlarr/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    "arr/prowlarr/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    "arr/prowlarr/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    "arr/prowlarr/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = ["prowlarr.service"];
    };
    # Sonarr
    "arr/sonarr/1080p/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/1080p/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-tv1080p.service"];
    };
    "arr/sonarr/anime/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    "arr/sonarr/anime/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = ["sonarr-anime.service"];
    };
    # Radarr
    "arr/radarr/1080p/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/1080p/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-movies1080p.service"];
    };
    "arr/radarr/anime/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    "arr/radarr/anime/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = ["radarr-anime.service"];
    };
    # Unpackerr
    "arr/unpackerr/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "unpackerr";
      mode = "400";
      restartUnits = ["unpackerr.service"];
    };
    # Borgmatic
    "borgmatic/plex/encryption_passphrase" = {
      sopsFile = ../secrets.sops.yaml;
      mode = "400";
      restartUnits = ["borgmatic.service"];
    };
    "borgmatic/plex/append_key" = {
      sopsFile = ../secrets.sops.yaml;
      mode = "400";
      restartUnits = ["borgmatic.service"];
    };
    "borgmatic/jellyfin/encryption_passphrase" = {
      sopsFile = ../secrets.sops.yaml;
      mode = "400";
      restartUnits = ["borgmatic.service"];
    };
    "borgmatic/jellyfin/append_key" = {
      sopsFile = ../secrets.sops.yaml;
      mode = "400";
      restartUnits = ["borgmatic.service"];
    };
  };
 }
--- a/nixos/hosts/shadowfax/default.nix
+++ b/nixos/hosts/shadowfax/default.nix
@ -0,0 +1,390 @@
 {
  config,
  inputs,
  pkgs,
  ...
 }: let
  sanoidConfig = import ./config/sanoid.nix {};
  disks = import ./config/disks.nix;
  smartdDevices = map (device: {inherit device;}) disks;
  pushoverNotify = pkgs.writeShellApplication {
    name = "pushover-notify";
    runtimeInputs = with pkgs; [
      curl
      jo
      jq
    ];
    excludeShellChecks = ["SC2154"];
    text = ''
      ${builtins.readFile ./scripts/pushover-notify.sh}
    '';
  };
  refreshSeries = pkgs.writeShellApplication {
    name = "refresh-series";
    runtimeInputs = with pkgs; [
      curl
      jq
    ];
    excludeShellChecks = ["SC2154"];
    text = ''
      ${builtins.readFile ./scripts/refresh-series.sh}
    '';
  };
 in {
  imports = [
    inputs.disko.nixosModules.disko
    (import ../../profiles/disko-nixos.nix {
      disks = ["/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"];
    })
    ./config/borgmatic
    inputs.nix-minecraft.nixosModules.minecraft-servers
  ];
  environment = {
    sessionVariables = {
      # Wayland and Chromium/Electron apps.
      NIXOS_OZONE_WL = "1";
    };
    # System packages
    systemPackages = with pkgs; [
      inputs.zen-browser.packages."${system}".default # beta
      inputs.ghostty.packages."${system}".default # terminal
      pavucontrol # Pulseaudio volume control
      zulu
      # dev
      uv
      # fun
      fastfetch
      prismlauncher # Minecraft launcher
      # Scripts
      pushoverNotify
      refreshSeries
    ];
  };
  users.users.root.openssh.authorizedKeys.keys = [];
  # Network settings
  networking = {
    hostName = "shadowfax";
    hostId = "a885fabe";
  };
  # Home Manager
  home-manager.users.jahanson = {
    # Git settings
    # TODO: Move to config module.
    programs.git = {
      enable = true;
      userName = "Joseph Hanson";
      userEmail = "joe@veri.dev";
      extraConfig = {
        core.autocrlf = "input";
        init.defaultBranch = "main";
        pull.rebase = true;
        rebase.autoStash = true;
      };
    };
  };
  # enable docker socket at /run/docker.sock
  virtualisation.podman.dockerSocket.enable = true;
  programs = {
    # 1Password cli
    _1password.enable = true;
    _1password-gui.enable = true;
    # Mosh
    mosh = {
      enable = true;
      openFirewall = true;
    };
    # VSCode Compatibility Settings
    nix-ld.enable = true;
  };
  # Open ports in the firewall.
  networking.firewall = {
    allowedTCPPorts = [
      # Caddy
      80 # http
      443 # https
      179 # BGP
      2019 # caddy admin api
      # Minio
      9000 # console web interface
      9001 # api interface
      # Soft-serve
      23231 # SSH
      23232 # HTTP
      9418 # Git
      # scrypted
      45005
    ];
  };
  services = {
    # Minecraft
    minecraft-servers = {
      enable = true;
      eula = true;
      openFirewall = true;
      dataDir = "/nahar/minecraft";
      servers.fabric = {
        enable = true;
        # Specify the custom minecraft server package
        package = pkgs.fabricServers.fabric-1_21_4;
        symlinks = {
          mods = pkgs.linkFarmFromDrvs "mods" (
            builtins.attrValues {
              Fabric-API = pkgs.fetchurl {
                url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/ZNwYCTsk/fabric-api-0.118.0%2B1.21.4.jar";
                sha512 = "1e0d31b6663dc2c7be648f3a5a9cf7b698b9a0fd0f7ae16d1d3f32d943d7c5205ff63a4f81b0c4e94a8997482cce026b7ca486e99d9ce35ac069aeb29b02a30d";
              };
            }
          );
        };
      };
    };
    # Minio
    minio = {
      enable = true;
      dataDir = ["/eru/minio"];
      rootCredentialsFile = config.sops.secrets."minio".path;
    };
    # Netdata
    netdata = {
      enable = true;
    };
    # Prometheus exporters
    prometheus.exporters = {
      # Node Exporter - port 9100
      node.enable = true;
      # ZFS Exporter - port 9134
      zfs.enable = true;
    };
    # Smart daemon for monitoring disk health.
    smartd = {
      devices = smartdDevices;
      # Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
      defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
    };
    # Soft Serve - SSH git server
    soft-serve = {
      enable = true;
      settings = import ./config/soft-serve.nix {};
      package = pkgs.unstable.soft-serve;
    };
    sunshine = {
      enable = true;
      autoStart = true;
      capSysAdmin = true; # only needed for Wayland
      openFirewall = true;
      package = pkgs.unstable.sunshine;
    };
    # Tailscale
    tailscale = {
      enable = true;
      openFirewall = true;
    };
    # VSCode Compatibility Settings
    vscode-server.enable = true;
    xserver.videoDrivers = ["nvidia"];
  };
  # sops
  sops = import ./config/sops-secrets.nix {};
  # System settings and services.
  mySystem = {
    ## Desktop Environment
    # Hyprland
    de.hyprland.enable = true;
    # VS Code
    editor.vscode.enable = true;
    # Containers
    containers = {
      jellyfin.enable = true;
      jellyseerr.enable = true;
      ollama.enable = true;
      plex.enable = true;
      scrypted.enable = true;
    };
    purpose = "Production";
    # Services
    services = {
      borgmatic.enable = true;
      # Misc
      libvirt-qemu.enable = true;
      podman.enable = true;
      # Prowlarr
      prowlarr = {
        enable = true;
        package = pkgs.unstable.prowlarr;
        dataDir = "/nahar/prowlarr";
        port = 9696;
        openFirewall = true;
        hardening = true;
        apiKeyFile = config.sops.secrets."arr/prowlarr/apiKey".path;
      };
      # Radarr
      radarr = {
        enable = true;
        instances = {
          movies1080p = {
            enable = true;
            package = pkgs.unstable.radarr;
            dataDir = "/nahar/radarr/1080p";
            extraEnvVarFile = config.sops.secrets."arr/radarr/1080p/extraEnvVars".path;
            moviesDir = "/moria/media/Movies";
            user = "radarr";
            group = "kah";
            port = 7878;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/radarr/1080p/apiKey".path;
          };
          moviesAnime = {
            enable = true;
            package = pkgs.unstable.radarr;
            dataDir = "/nahar/radarr/anime";
            extraEnvVarFile = config.sops.secrets."arr/radarr/anime/extraEnvVars".path;
            moviesDir = "/moria/media/Anime/Movies";
            user = "radarr";
            group = "kah";
            port = 7879;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/radarr/anime/apiKey".path;
          };
        };
      };
      # Sonarr
      sonarr = {
        enable = true;
        instances = {
          tv1080p = {
            enable = true;
            package = pkgs.unstable.sonarr;
            dataDir = "/nahar/sonarr/1080p";
            extraEnvVarFile = config.sops.secrets."arr/sonarr/1080p/extraEnvVars".path;
            tvDir = "/moria/media/TV";
            user = "sonarr";
            group = "kah";
            port = 8989;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/sonarr/1080p/apiKey".path;
          };
          anime = {
            enable = true;
            package = pkgs.unstable.sonarr;
            dataDir = "/nahar/sonarr/anime";
            extraEnvVarFile = config.sops.secrets."arr/sonarr/anime/extraEnvVars".path;
            tvDir = "/moria/media/Anime/Shows";
            user = "sonarr";
            group = "kah";
            port = 8990;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/sonarr/anime/apiKey".path;
          };
        };
      };
      # Sabnzbd
      sabnzbd = {
        enable = true;
        package = pkgs.unstable.sabnzbd;
        configFile = "/nahar/sabnzbd/sabnzbd.ini";
        port = 8457;
        user = "sabnzbd";
        group = "kah";
        # Security hardening.
        dataDir = "/nahar/sabnzbd";
        downloadsDir = "/eru/media/sabnzbd";
        hardening = true;
        openFirewall = true;
      };
      # Unpackerr
      unpackerr = {
        enable = true;
        package = pkgs.unstable.unpackerr;
        configFile = "/tmp/unpackerr/config.yaml";
        extraEnvVarsFile = config.sops.secrets."arr/unpackerr/extraEnvVars".path;
        user = "unpackerr";
        group = "kah";
      };
      # Sanoid
      sanoid = {
        enable = true;
        inherit (sanoidConfig.outputs) templates datasets;
      };
      # Scrutiny
      scrutiny = {
        enable = true;
        devices = disks;
        extraCapabilities = [
          "SYS_RAWIO"
          "SYS_ADMIN"
        ];
        containerVolumeLocation = "/nahar/containers/volumes/scrutiny";
        port = 8585;
      };
      # Syncthing
      syncthing = {
        enable = false;
        user = "jahanson";
        publicCertPath = config.sops.secrets."syncthing/publicCert".path;
        privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
      };
      # qBittorrent
      qbittorrent = {
        enable = true;
        package = pkgs.unstable.qbittorrent.override {guiSupport = false;};
        user = "qbittorrent";
        group = "kah";
        dataDir = "/nahar/qbittorrent";
        downloadsDir = "/eru/media/qb/downloads";
        webuiPort = 8456;
        openFirewall = true;
        hardening = true;
        qbittorrentPort = 50413;
      };
      zfs-nightly-snap.enable = true;
    };
    # System
    system = {
      incus = {
        enable = true;
        preseed = import ./config/incus-preseed.nix {};
      };
      motd.networkInterfaces = ["bond0"];
      nfs.enable = true;
      zfs.enable = true;
      zfs.mountPoolsAtBoot = [
        "eru"
        "moria"
        "nahar"
      ];
    };
  };
 }
--- a/nixos/hosts/shadowfax/scripts/pushover-notify.sh
+++ b/nixos/hosts/shadowfax/scripts/pushover-notify.sh
@ -0,0 +1,89 @@
 # shellcheck disable=SC2154,2148
 # User defined variables for pushover
 PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
 PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
 PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
 PUSHOVER_TITLE="${sonarr_eventtype} - Title unset"
 PUSHOVER_MESSAGE="${sonarr_eventtype} - Message unset"
 PUSHOVER_URL="${sonarr_eventtype} - url unset"
 PUSHOVER_URL_TITLE="${sonarr_eventtype} - url title unset"
 if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
  PUSHOVER_PRIORITY="1"
  printf -v PUSHOVER_TITLE \
    "Test Notification"
  printf -v PUSHOVER_MESSAGE \
    "Howdy this is a test notification from %s" \
    "${sonarr_instancename:-Sonarr}"
  printf -v PUSHOVER_URL \
    "%s" \
    "${sonarr_applicationurl:-localhost}"
  printf -v PUSHOVER_URL_TITLE \
    "Open %s" \
    "${sonarr_instancename:-Sonarr}"
 fi
 if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
  printf -v PUSHOVER_TITLE \
    "Episode %s" \
    "$([[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded")"
  printf -v PUSHOVER_MESSAGE \
    "<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
    "${sonarr_series_title}" \
    "${sonarr_episodefile_seasonnumber}" \
    "${sonarr_episodefile_episodenumbers}" \
    "${sonarr_episodefile_episodetitles}" \
    "${sonarr_episodefile_quality:-Unknown}" \
    "${sonarr_download_client:-Unknown}"
  printf -v PUSHOVER_URL \
    "%s/series/%s" \
    "${sonarr_applicationurl:-localhost}" \
    "${sonarr_series_titleslug}"
  printf -v PUSHOVER_URL_TITLE \
    "View series in %s" \
    "${sonarr_instancename:-Sonarr}"
 fi
 if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
  PUSHOVER_PRIORITY="1"
  printf -v PUSHOVER_TITLE \
    "Episode import requires intervention"
  printf -v PUSHOVER_MESSAGE \
    "<b>%s</b><small>\n<b>Client:</b> %s</small>" \
    "${sonarr_series_title}" \
    "${sonarr_download_client:-Unknown}"
  printf -v PUSHOVER_URL \
    "%s/activity/queue" \
    "${sonarr_applicationurl:-localhost}"
  printf -v PUSHOVER_URL_TITLE \
    "View queue in %s" \
    "${sonarr_instancename:-Sonarr}"
 fi
 json_data=$(
  jo \
    token="${PUSHOVER_TOKEN}" \
    user="${PUSHOVER_USER_KEY}" \
    title="${PUSHOVER_TITLE}" \
    message="${PUSHOVER_MESSAGE}" \
    url="${PUSHOVER_URL}" \
    url_title="${PUSHOVER_URL_TITLE}" \
    priority="${PUSHOVER_PRIORITY}" \
    html="1"
 )
 status_code=$(
  curl \
    --silent \
    --write-out "%{http_code}" \
    --output /dev/null \
    --request POST \
    --header "Content-Type: application/json" \
    --data-binary "${json_data}" \
    "https://api.pushover.net/1/messages.json"
 )
 printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
  "${status_code}" \
  "$(echo "${json_data}" | jq --compact-output)" >&2
--- a/nixos/hosts/shadowfax/scripts/refresh-series.sh
+++ b/nixos/hosts/shadowfax/scripts/refresh-series.sh
@ -0,0 +1,19 @@
 # shellcheck disable=SC2154,2148
 CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
 SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
 if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
  tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
        [.[] | select((.title == "TBA") or (.title == "TBD"))] | length
    ')
  if ((tba > 0)); then
    echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
    "${CURL_CMD[@]}" \
      --request POST \
      --header "Content-Type: application/json" \
      --data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
      "${SONARR_API_URL}/command" &>/dev/null
  fi
 fi
--- a/nixos/hosts/shadowfax/secrets.sops.yaml
+++ b/nixos/hosts/shadowfax/secrets.sops.yaml
@ -0,0 +1,120 @@
 syncthing:
    publicCert: ENC[AES256_GCM,data:qPtXFKL8BrUNMmuF4YOKNAmcL3USnTrMMAahnHCaBFyTNNrSa8zktRG0gryBUvsFTYqwcP6r/FFq5bEpjq6mGPJ942LrYSvv5nqRDnvhEJs3X6wiZfriq2Dyps+2MLqcWjU0tsj+M3IfkOGIry0XSP5EkWFgBJxB3HbRlwqA2ZDAnSOT1OWQbFOl4dYQ7gkssMDyVfrfMoiaw33Q9ttHhLswJIbMK/p1wSWPsEY20ZHEa4fSq06Eks0vUYCmDIrSiFr/fNF5veLO8LAnojJkSm87ZDkX+tAMa7/ZI96fZssHbJHU4dHrsbTlpVyG8AOQ7M9D0cMaH7WjJlV3fn5gAM8xgMjj9YcC3zMFSfBMeVyJF36l0G3jhY+1BO7omqqWY3lwEx/clt/HJ+q6K8z4/uyTfBsuMGPakkDXmplV6j23hwz9jzd/tCMh7/jVFyiwdSf9Ykykf0Qh8af4v1RVzcwbcBnpb4pjMic16WvBWpogt4lTu0o0u9NAMZX/Nu99pxDES7+DLKAIDOoIZwxAYWPY+zTlVusMrbuQ+yvnv1koAi0VJl5n2DpKKxPKKxMYcKN3SqMQ7TX8img3OUIsIje43kbLFnpWwdoBwdKov0PZzBHcH/9SgsBD/aepT1iRkg1Fe6c3EiOF3wKwXBpwuPq61s7+d7ESvOL3sVFEuo6fXhN0aGJK77VnZKqYERjlEOkETjSMNP6ZH1A86YQBFWRXHub1KrhNcZUbTdxuT3UD+gNvoD52InsodblYyDtmSqeEVix9m25buWeurmzSBngPr3L8xxlYt1gRrHZ/4yy2EQPWFo/oMTjqnd1YtcRkNtOzSl7zcXmV0KnY3yAyyyTlwe08PY2rRJ4JUqYS5C3fnv0yQgb7MrYH1Ysau14TOX2WTrTpklPL4zwPz/hVL9hVIeByNshQQZm7KsZXjBGzC8XXRu/3HWNXYXLItHwgNgtVkd8WuYe+bF+u86h1UTDABf4w2tfGVVA6/HqwPQcmdbhQZ+mPHSTbuVcMPLN8MNEK/B1JtBlQID9ybMcbON+pik70d3d+blI=,iv:Ut7rbEVIc2p095rzq9Y6ZS6npa0+atBRLrBjN3mQ6zM=,tag:g1krDi5xhOwr9FfXFQ4mMw==,type:str]
    privateKey: ENC[AES256_GCM,data:CFW8XMhLaGFHYqo3+v+4Q8hemV44/Pps/0hBaz8eMwbv5GI34dkSmQ8jh2VY+bRhfGX6sWGXlxBKB44qiTP+jCs4rgBu+AA0j3F4b4/hH/Qj8XoflGMHCfBwsTwYm9vb7Ith3H4F5Fbcv1Dva6mOw3CA65lTfKlxF/NVyj9/cAnqjF0T90jaRYpFN9pLrwkAVBeydc+sofnReFOeI7/IFupxtPKkOaR9wGZK82KQj3+7sXEBgL0HekX677ENBqE4fZHUbe9AKbCe1I4k1RtL9DqANnjTED+ktochzuQ1cUeSnBHtbYD6GDVPisIkJc3Y2a6kmTh5YVF/u8zXMN4n0zwTX+QPA4xms0NCa/528YCSY8VfOfvk9mhQbpmdIob6,iv:gaILRQxX/0poYQedDYZXzL9/ojzIY7BQ+M68HMxD4go=,tag:D0X9OA7ohL5Z8zPsXPdybw==,type:str]
 restic:
    plex:
        resticUri: ENC[AES256_GCM,data:INfsXRDS0oTwxmbUeuns2GtguB+OJvE1UC5uKjR9dqY7tZo9gS7Byjf7RrBhcq3SAAV1yPFnT1F5IZXrwgyBp1h4,iv:nsvINjznTn0PYrCO3sLaOMwSJeZV5gvDTefNKksgep4=,tag:KeA4+WW9+dV7XjScbDzCVg==,type:str]
        resticPassword: ENC[AES256_GCM,data:+U4xZIzo7HbuF+MmZAJhj6+ekO4=,iv:GznZk8Ga4w7Zqx6QoXq/SUn1uURLxW9fMN89zTq7BNI=,tag:IuBFTTS0awiVILNx7Z3iLA==,type:str]
 minio: ENC[AES256_GCM,data:EqFhTRqb5fY7IKZSis71i6aN6Llv2EAQxKjBrmoJKRLKFfQUVzHBgGXse42nd9KD2hirGsBiPgvuXulTw1z+bPmh4EVPaq2uR4fva5g4LA==,iv:4Ru3cHsw2Vyw6mtCoNECMVP/r5toYJ/BBvNNa0m3DK8=,tag:pFtHhgX1WgzRYNe87Zh6dw==,type:str]
 postgres:
    host: ENC[AES256_GCM,data:NkAc3BN09j4=,iv:M52sslgEY9QXcsG5Z+snGFZ7vt4IWiT6uqowoUUk78I=,tag:n/SXxbBuX2+vZknk/gBs5g==,type:str]
    port: ENC[AES256_GCM,data:eVFfWA==,iv:sYcdDt9Vw/M0lM7LCVb8wHbwgQ62OfwM+MahvbcG4vs=,tag:uo63B0+r1GOv52bqzeiMZw==,type:int]
 pushover:
    userKey: ENC[AES256_GCM,data:efCy551JEtPagnRGHkNCKHT+r0yJ/5bqyGTsdeGOdw==,iv:DDAfy3EDSGHo0r5TapW6yjo7XMpVESYYtnUQLBPMg2I=,tag:9ws7n3hlhM4+++aIxOspYg==,type:str]
 borgmatic:
    plex:
        encryption_passphrase: ENC[AES256_GCM,data:+PVidwqMgGuZJE0a9TyLda75viaodnZtEPA6nQWNp1KMR7zHQVBjtRojLuRh5Sd78Q==,iv:zJFecISN0l4r2QKfqAw3sds+l5eBHp+wapE+TDUgX3E=,tag:cy4HWmoJw0ygRhaAQ45zwQ==,type:str]
        append_key: ENC[AES256_GCM,data:ht+OoijAcc8BnuAIoZ0K3kfvzlXYgmi61OHOpaR/H8YpadsMgruym2E2VIAibVhrAt0JamHQ8wEps1/Ur7GPRyQgZmq8dUlEJwVFyD31kOFjJDH3r7hZIMuJopAKYEHxuJ0PANqZO4mHbVd6rnnSvb5oOzACst0oKAoqarmjzVKSfRfRCxSP0df6WhuU4/bMq6u8L4FjMXbrYWbeK77tMdv4eEAHEM6SIuMXOad/AKvgYXIUYmhjohsBXfWQ+gENEVQEpYV48bc/zTC6j4RZI335iZQZq39sg5VWMnSsQtQT+UVzsHBbOYZbzC/FyjUKBNduYoniBQFuswf8IbDgwIcEd8eSRhTGWMOATOdy6MtVstXqZhc9YEHytFrAd6biTt7DHAVUTu9ZqqkyouiuGc8f4kdimGz8kSb3ltKUqN7qTACVHjFXNY5PkdHAy5brKiHp0lPyTiHFQYxabeyPD6VfeDNthK40IzmrIbXJynxNbfOfP3lkmDJ3iD5zM0anU8xcNtRu+1NA9k70GGEvgwTdUbpP+Myicn6u,iv:BAyqOh13D2kRyhKf6qX/gEeRMlmhiR4jD+VrRhKejn8=,tag:GGu1hK8t74cnKbP0dNL6vw==,type:str]
    jellyfin:
        encryption_passphrase: ENC[AES256_GCM,data:G7xk+FGsjV7BxwvBGozXcj0n00EjBhDw+Yea4Wf8fmXl,iv:goylWvW4OLWxi3rIyQ5FbmnNtHSuP93Mnb/P4dCes7c=,tag:UiVw9Q0iTw0TxG4hFzg4SA==,type:str]
        append_key: ENC[AES256_GCM,data:1XPDRh3HtKZbgdXf/YyrIWwvuIsTRADtRea+0G0as5vKfMyrqv60IKvCSDqjlZNhUvtmAMFZS/y5AexLB2qNZNM2qjFvbwr1C2WJw9J1fkpcc2mYRrH2XaghFhwLKuD5PCo4jVztOOMGwXzKcwG5BKr0jm+FiffvoUlB8rlEgIihwmDDf00g4sBAvDpjVQdqxNgc14VALzUiuu4X55xIHW/tQk5R84PDfTR++41EvjDxFQau5TxA3xVeQK/skOSRo4RZRE8vF1I3Dc7njVBMK/PyV0iKLJydfK9Ql33ZwDQmHdt+aw/pPlaPWfMAPzLxbdGuOtUaGQijQmELKQP11101QKHDk2q7LYXfGw62VAqb7W1SJYPczZzdzqyFb4NULykAQOhHGW9I8esRCYn0t4Y5vBEYaPjyBuAJz8ClG4zhxwJPAAQBkntIId0Xjk9NjZDeNKqAXpgs3CDIOJYtGUmtA1Am/B/22/VLl9adheEnTtkYlSTRM8/u5RoiA3utipMFJcdkssmBudH8BvXbJFJChoh3qUDD3Gnz,iv:CZyuBaiKMxNaOlFu/OYFmHOeEVWBNJ3rUIBpV/Oh4GQ=,tag:EX5yoC+KRf6IkVm+7d+Qiw==,type:str]
 arr:
    prowlarr:
        apiKey: ENC[AES256_GCM,data:7NKS0QWc/5MIBbasmHHz/EN8wF4ILmsxBQpfZL3J2fs7,iv:WctX4v9GFkseJ+Vqk3U2l5qrgWCcw1Bv3N6RQuwQ1HY=,tag:7FxfWn5ydXu1Pp/B82TOSQ==,type:str]
        postgres:
            host: ENC[AES256_GCM,data:++C/D+s30hs=,iv:P0HIuGzVypgxfYmhcNodMXbEufPdrlO/nuQwHZ60kxY=,tag:qHzYYmFaeBXyty6ga6sfQw==,type:str]
            dbName: ENC[AES256_GCM,data:8t6Ms7cVgSMzN4Vn4w==,iv:mh1nOUuVllIMlj+lhuvXIQqTZ5VCcaU3jj3nOGxAsGs=,tag:OZVFFM2YMENHN3pf9uF+5Q==,type:str]
            user: ENC[AES256_GCM,data:ji+57XLFMus=,iv:xC+EuVBs9wzZG+leFnAIZCKbxFwtMmSwqhJgVl4SRak=,tag:o7SqVcv33zukUOJ31ORAgw==,type:str]
            password: ENC[AES256_GCM,data:aSiZR0cTtevhD6s0f6+24qILUmfH5OCBUQ==,iv:xPqiNf9N2Mm6Z7lvcB9xsTjgiJ1tren04pM4rOjRc2A=,tag:NSGr7kedaVgqyM5qwKM40w==,type:str]
    sonarr:
        1080p:
            apiKey: ENC[AES256_GCM,data:h2vPlVVkdOScJg0uvs5yv/WK9NpotcF70bD65gTR8TdY,iv:T6F/u4jFt1k+jaLO0epq5nkTr2c1FvtrEfxadNuQLVU=,tag:GNVgD4oAI1OdBrHlXFlYIA==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:8DruSnH9MBs=,iv:WBgn1seW8Tgy8CLB7mv+BgojNk20LUqqVyS+o3aFtWQ=,tag:bNqeKmcXb95167YHIZD8Kw==,type:str]
                dbName: ENC[AES256_GCM,data:s/XMwlVu648dmAA=,iv:sUtQxqGmpNM7f2Atwm1b5TPj63nynZPIJfHFe2XCjz4=,tag:NTYMuvlBuWDWyUAHPrKlow==,type:str]
                user: ENC[AES256_GCM,data:OF1jJTDj,iv:u20mF60SJevMeIQAjnIzCbIIKKFqJ95+mG3f5zfX+iI=,tag:BZK7NhoLWDJss/tnf0ZHtQ==,type:str]
                password: ENC[AES256_GCM,data:2IWE6CK9bOQ9Zhjfkw9WOkwElKtLRiJRKQ==,iv:ySSML6PKNq0JbhcSwQ0rxSEAD+h74u0X5ncfIWbh0KY=,tag:R2nnvakD8SEyEn2GjgkgXg==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:H6ZGRWsRyZ635t2eELbvz2QvCy47wiN59ViytOxX9SebXC2b4cfvGpGJi1RIOlkcz59BUYUizK58sUNbgMeFn178xVkT24mOXYu5VkO/4n5WuY2zWN9gbnL6RWnrQZw=,iv:RLroNHNseCQeYuNdad9KiFjrKkZI44gP4E/Uj73R3qg=,tag:++t7TZvUEDAiU3Smgffitg==,type:str]
        anime:
            apiKey: ENC[AES256_GCM,data:/1GRSCBEgm+MFQRoIddchoe1290/A1hvVCNmp1hfsSGS,iv:GOeXBu7uKklK6KE8RvpewzBaySdoKonVo4rApadoIzw=,tag:EinKbUl+X92plkp9p3AXOA==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:hvZGv3MQ0JU=,iv:HFs62YuhV0uypvBGA2kfAlorwWbjRr6M5/VJwx2LVC0=,tag:c7B6eco64WzvC0Uo44q76g==,type:str]
                dbName: ENC[AES256_GCM,data:aT4STqdwfQ/kRlYQ,iv:XUyJPrqkDaLt5TmJl1+u8xZitY7x1wI2BpykmYQivjA=,tag:YSyzENEHcrv0y4GTYdW7QA==,type:str]
                user: ENC[AES256_GCM,data:Io5JmxNKuJ33MRgS,iv:DXLRl2ZSRNkdTXRY3UzL0zxM+1m3xpdJgaWZqbl6Vok=,tag:rD/HrAOUF2LJDc13blJyRA==,type:str]
                password: ENC[AES256_GCM,data:whbjCtd6TOxPKWwvL7L1lKcxr8tEZEx7YTdJNQUtcw==,iv:n3YBj1HSLo1EJ+XnuRXsn9wWXIAaIe4zwkfFLaKx53M=,tag:gtENwItQT6dgr0fBrEipaQ==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:MYQWHBE8bcttmXhh3HDir1zBJq1t1W4Xik7JnyEVmHKdXQu/GPUvbQLctGIXC9psD7x5lk6xMwg2WxSFLHcGFhadDHnm8rla9wFCSh0VlTyWekvKZ+XZPuhcDFxfYVA=,iv:3HzZU/1wJEXizscc7rSLLmJqe/FMiwqu+RiqvCBxBtY=,tag:3OXclcolF4WgW0Hu2FDojg==,type:str]
    radarr:
        1080p:
            apiKey: ENC[AES256_GCM,data:w4VmflaV51T17tp2Zwa+2Ifm1FfPgVRxLmWomhsHe5wa,iv:xYvuQL2u7GwDxAWpohAJTuX5tmvxwxo6xS4Uz/9MXOc=,tag:uVVxdY0QreC1ZA+LWpKTmg==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:wFG60E/SiJg=,iv:glgvp1UsgO16tXjfSBKaQsMSzekMiWFLG1ptcgS00Gs=,tag:LhA3+kQzMF7IsCZEPaEeGg==,type:str]
                dbName: ENC[AES256_GCM,data:/AWMN9BQw7vDvg8=,iv:CwUt1tur+xdrd+egaVs1ETr9ueWyrb4rpiLWTHtkFuo=,tag:EmYEZJw3j4/D98KXzcLpFw==,type:str]
                user: ENC[AES256_GCM,data:K4OFAbH9,iv:O2HHLVNC7YUtD/BQWSjUaz/tFdd0O9tYkqTy03/M08c=,tag:Qrwq6x/oxLd/1CjtPXSNJA==,type:str]
                password: ENC[AES256_GCM,data:QYHNzqggnZ0v9byc41txTX5FcLPjSLZP+Q==,iv:dbrnn9btZd6b/KhnE3nbpljqkjr75PFrBERuju4wvv0=,tag:6/COq83YDfYkpLwW+S6avw==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:IF6EntbTjCs51DjVfWRJQ7JYLat+ade0bVVyDPxBJXzUJAsGIg2wxsMOCBZONs/VJgh+lUmlYuuCj5Vfy37YTOaFRdSEBEYkHL+iwThHV29nAV2GJyn/E6Fau+Hpj6A=,iv:ysLb5Em4hg+RAkqotLhJ0p29yribQjv5SK87HkfWMcI=,tag:zM40WAugV73e2QorCw1eVQ==,type:str]
        anime:
            apiKey: ENC[AES256_GCM,data:pQsxmcLwAOfPlwJIARgsgqObW0weoNfgeX7xNZ8nRLZ1,iv:IjyJdeONnrzcBQj6VScf5mO6IAGGaxLFn00avZchQ30=,tag:z9xqycT/Y9FnZ+qbXjLW1Q==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:rmPRKNCDNuY=,iv:+b/NQZS7mPF1t8DlcuI3MXZwX7BcOIb0hiVANXCdfSk=,tag:1YqGTRl0LUz4vqy+SCM1HQ==,type:str]
                dbName: ENC[AES256_GCM,data:/y8nkutIioMtH7Q=,iv:AcNHukerGYCxW7i3tvXbK1a3cy88623tF2xE2CQhrsA=,tag:YqllmENzjiKzMyLCMhZu/w==,type:str]
                user: ENC[AES256_GCM,data:XUHlPPiaeUEJM/ii,iv:VHL5CoBf9/dnaFUav3EOwoRlBYt7pQ1b9fhpBN+UJDs=,tag:CZNf0Ix10Us4iS//Fth4wg==,type:str]
                password: ENC[AES256_GCM,data:Fp13YKpwv9rWhLirbX6k9YG+5w7AWA==,iv:M18dOvzRHt9WXA7ThmOUGTE8o3lTXR6rzwYRbO2x7ns=,tag:alAzOfQCJ8d44S960aT2Bw==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:HxYI/7VKvP5jheDHg78SY5WL7R8i9tO2nmmOfJQTyz30tHMFucJJ490AovKXxmnUy8NXv0EFIHt6hP5zCUW8cqGf8rKb/aY6pzpga9uBNStM8yzk1K34qVT2VjAMtLk=,iv:wBZfS8gh8dmKYcB2Uba3Hdak2NRZgqUceumgqf97nCY=,tag:dvQEIHFhdyjYof0a6NHMfw==,type:str]
    unpackerr:
        extraEnvVars: ENC[AES256_GCM,data:/M7qxzcp5VO1nJfmOg/LKE+o0oqGgx8ohLCBqwsBzAaCcAe+L5PZb9J0Avgf7dFIeYXHXtkPXZNUYo04btsFqCizRrPBa/MxdSp6Wc7vLONaJXx/3PSJI3GgFR4AB0aeGEW4HaodLs6K35JqE7FV9NdX4Sy+O/s4TK5s9EAebVfkTIuaBA685L0JPUUHxdzuyMpMP9C7RoZ7XyoToiVxVJi7cBeXwuevTZJwCY9+p+RjiUcNrHt+HNjSPZMUpYo1d1CAJaAmy10kE3yydjYo+9vZwEpdoKVXlw3pio5rVpGLV5nlk5Mv+XHeZ8h6Ic8LLoDcy616oCmn5Vp0B6spElgSBx1tNjwF902ku+8rteh6931EHdNoD/APhg1h1/u9kBLZfxQ0v6DK3kSYfETW/8X2Y/V7bvSaiYhKjHdOYBxXkmIlpTBR50FPBLQ=,iv:I5jHRJFTZWawfwndvNrjPNLldrZyABynfXKUZMFeZiA=,tag:RnEebZ1LpfJWPiNTxT4ZVA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbXJYbUNJaEkzQlJqU1Zx
            Zzc1M0RxMFdMQXpIekwwMmhlMWo5d3BRZ2pBCjQzdTd4ZklNUTJYa2c0QW56NVQw
            UzBja3pRV3MxSGlROURML0VLTVdKTmMKLS0tIDAzTzJacU9UVTJNakRrWWhPeUM3
            OStNbWNzS0V3SXIvNEVWZDVPb245OTQKeFrwTJHVxc13tv0LWU3h+8nZiedbC3II
            pOJlGu1+iAssnu6p2eEefH7Urwlr7Qsa2G55G+l31hzZsFzuL1yLwA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSXRDRSs2MDBaNG5SV0ds
            cmRKM0FDbHZnQVZ1R256SlZzUHpwZmZGU0VjCnJVWGQ5WTE0Z2MvVHM2Q3VYZDNM
            Zm15RkVidlFEWkduYVM0TU12YXdWRDQKLS0tIFF0WHM5UytOY0tZSTZNb3ZTbXAr
            S1Z2blBqSWI3cWJOb1JSZUhKcW1GNnMK5EVQb2zVqHdBWQWmmEze7kWSXf7NEt34
            PnA0DiGCHnHm+UQg6Hw9/duYo71oQ163AbPBxD5hrCOoPgViVKFEHA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ2FpckhNendHNU5yVWRm
            OVNqcmZyckdGTmhuU1psTjA1YzZyU0ZLcG5FCjArMjBGT0pOU05xY1V0aVMwc2ND
            eUVjdkh4a2o2VGMvakZUMk1GTE1CZGMKLS0tIHpVMmdNN1V4OXpLdVpEUWg1QjAz
            L0hmYy9kSktvdmxLcGcvVDlFNGRiYjQKCwUhrXyEWzyFQvmKPnnjQyF/n5SF5yiT
            42Vh1REycPIWlegr6/j5bF+tFOPT9Wb/Hnmc6FPKjQt5Hwgt+Buhmg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESk8vMlpueWVZUW9ndysw
            REc1Qm4vRU5QcjVzOVBBTlNjaFNpSjE3eTNRClZjaVJLZkNOZW9zZUdxRGxJQXNO
            WjQ0eE9Ua1JPMkNINnVmcXI5SzZSalUKLS0tIEk0emhxdmJjRDJQYVU1cVRSejYz
            V25uTVF4Z2RZeEZpMTlxOERaMnRtVG8KHQrPSRD07W0pTH1ynePwXRxXPWn8n9sZ
            Gxu327fptOKoKjDXrLduoHFuO0m9WJcXYP6v9rtVmrTDhU/Ntye3UQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OStleHcyMHlUTW5wN2dl
            cHRCMmFmM0tMRzVmYStlUU1mdzYzMkR3Q0JVCjNTeTE2WFZiMzJScWdFMEticHoy
            RDd1VVpnU3FVNjdNOWR6L2VqZ25RYnMKLS0tIEdQL2lFS1hINlV2SEZvWkJVQTEx
            aHY2Wjl0b1FVbG53elRxNWpqcWRrbE0KjAvjOqSEQF2286Bj2jF25BoKuD4OLoHY
            U4pqq52per87pnJs4gBkRS8DNoSbRq9JwyTwzKz2BZgPJvVDGXDTOA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-09T06:33:41Z"
    mac: ENC[AES256_GCM,data:MX6qN7VW6B2zR6O2n3znHt8DvB8GuaSjT15OPEc+T4aoXZ6g+OgOCQez8Yyd8B4Nv6joKJrQUKIM4sMSAmQ8bwwvXx1YTUKQxJ05MKGGorZYuZCOvhmsOnhRYJGVt40XZiIMIYDvl+uRjkG4NSBOoYdWF7qldphjTNzXrc5Qcnc=,iv:Xj3cCr6p+cmc41FVhxiiNfjhOKY1rlpT9zUR43hSvGo=,tag:FTVX4awkq5UDXGIAgSbZsA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/nixos/hosts/telchar/default.nix
+++ b/nixos/hosts/telchar/default.nix
@ -1,51 +1,88 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, modulesPath, ... }:
 {
-  imports =
+  pkgs,
-    [
+  inputs,
-      (modulesPath + "/installer/scan/not-detected.nix")
+  ...
-    ];
+}: {
-
+  imports = [];
-  networking.hostId = "4488bd1a";
+  swapDevices = [];
  networking.hostName = "telchar";
  boot = {
    initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
  fileSystems."/" = {
    device = "zroot/root";
    fsType = "zfs";
  };
  fileSystems."/nix" = {
    device = "zroot/nix";
    fsType = "zfs";
  };
  fileSystems."/var" = {
    device = "zroot/var";
    fsType = "zfs";
  };
  fileSystems."/home" = {
    device = "zroot/home";
    fsType = "zfs";
  };
  swapDevices = [ ];
  virtualisation.docker.enable = true;
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # System packages
  environment = {
    sessionVariables = {
      # Wayland and Chromium/Electron apps.
      NIXOS_OZONE_WL = "1";
    };
    systemPackages = with pkgs; [
      # myPkgs.modrinth-app-unwrapped
      inputs.zen-browser.packages."${system}".default # beta
      inputs.ghostty.packages."${system}".default # terminal
      dconf-editor
      fastfetch
      gtk3
      nodejs_22
      pavucontrol # Pulseaudio volume control
      vesktop # Discord custom client
      zulu # Java OpenJDK
    ];
  };
-  # System settings and services.
+  services = {
    # Tailscale
    tailscale = {
      enable = true;
      openFirewall = true;
    };
    # Pipewire and Pulseaudio
    pipewire = {
      enable = true;
      alsa.enable = true;
      pulse.enable = true;
      extraConfig.pipewire = {
        "10-clock-rate" = {
          "context.properties" = {
            "default.clock.rate" = 48000;
          };
        };
        "10-clock-quantum" = {
          "context.properties" = {
            "default.clock.quantum" = 1024;
          };
        };
      };
    };
    blueman.enable = true;
  };
  ## System settings and services.
  mySystem = {
    purpose = "Development";
-    system.motd.networkInterfaces = [ "wlp1s0" ];
+
    #services.syncthing = {
    #  enable = false;
    #  user = "jahanson";
    #  publicCertPath = config.sops.secrets."syncthing/publicCert".path;
    #  privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
    #};
    ## Desktop Environment
    ## Gnome
    # de.gnome.enable = true;
    ## KDE
    # de.kde.enable = true;
    ## Hyprland
    de.hyprland.enable = true;
    ## Games
    # games.steam.enable = true;
    ## System config
    system = {
      motd.networkInterfaces = ["wlp1s0"];
      fingerprint-reader-on-laptop-lid.enable = true;
    };
    framework_wifi_swap.enable = true;
    security._1password.enable = true;
  };
 }
--- a/nixos/hosts/telchar/secrets.sops.yaml
+++ b/nixos/hosts/telchar/secrets.sops.yaml
@ -0,0 +1,59 @@
 syncthing:
    publicCert: ENC[AES256_GCM,data:eqTuzoyuzVC5ZITeipdlHWH+o+xPMPQeiwwGkUdQPIEvjhPWQoHeodwPWOXGDQyFwJfD+77bphWTTVImdTNKJbbtjP/oneQRZPLsQThPNHXcOMDjhzhyBVaOrKhn1eZy849Q4MNBArbQn0470Sn8tkpL2SyiwxKeyel7MFIkZpoCPRt0T4lkF3GW0M+CcR83jqagR4dBX8aEj0VReRPYtoqTfHH9SBWM00unzWzG4XGO+MzoFLyBl9SU9cANv+K21xzsChUxUCGgKCr7Fe7400M+U+G3pepI6SJ/VxuTTC063i0oZVmVMafdGYTbM7lsVGj/53PJzLiQOW9EZt+YiYNvPc49F9EpCYYXIbdTKb71NaP4bpgRKaWHx1cUnqfVo9zPqc9cAxEUEEGajwdCkcLNR7P+6Ws/SEKPcaxjoYeGqRPls8IaXFNqq86okIQ90wtR2BPr60tTR2tW22DAxHHngpGYPyl7D2TsjS3ok/E9kicQD2nl9P9VWZDzWN+3HhCYtMxrgb2qK8KYWRd6yAEmexU9Tc6Mh6gKRRhLBfSsDsE1hbo4TxqROtZwFpq7YAn7vvieQ7Pfz98fLjciInlDwmWTgp7Vkd7YLoMTBlzsNFXpxct5Gx24rNHMp13TUtfg9+mNvMoxIHFq5cR6GZonvPlTC278hiowgjkRTlQ+jgsQjgUeusy49/ytB9SNmSrTbtcOakepH3H1H7usedKbJBXcpGfohqd53xHs2dkno+lCg/kGzgkthbGgmTUsz/84x2ep0mVQC0RUQf3lyDeXko9szk683kR+aPw+UTi1q0X6A1u9A1PIKnB0+WpHQSfAcMjytJx9qYkvJ4drP99Y5olHn+JORKhKE80sHabpST6uVR6Ym6epjJop1MkFfD8Kh/NmsuDgz8kP9j/2sYJuusG5/DhX2vua4D2TCB2yby4uLCnXwazbzq+3A1F2FOPn2ynUZAnrKTNEBl/FfHLoIoHUl5rnlaIfz6VuSUWx6LafX0GZ+XTnGIfEv534/C1zc8b3BupbHNz44kNd8BVb+s6gqw==,iv:A2PVFa4J0JPsBh8LU1Z9KqgQGKWqO4hJ/cRTeznJY3Y=,tag:5gumadR51zYVscNt9SE3Jw==,type:str]
    privateKey: ENC[AES256_GCM,data:qHNpyCmJ/2vM3COwzOqI2Wi4TQRHAI672URYPa7y5irtlBJoRy+hlBvHF+0+gAHRtx9cgFkspKBmxiC8M0VBYULBjVlYxlUySluRnZ9P1rv6Qj0Lv1T6kOrdGaL9VjEI4SWfYmA1/sFALxyZpCDm8oHhUPZfs1+Qd5U3nupLIyNsTO5aKT63MfjSTkLrrlnkQGW7B7Eyia+A/OVhAXaGMaXcKnCIUo7H+t2zSTeUQ6hgTkxE/sHxSyspvB9M2MHF0CtwwLlsyTNj9MtDE7NWwFxt2Hd7AXL5Ho5PhOrgwxp9FSFocdR4j6BPTYTMMgwFcMNOBb5ORveijp6qVA+KUNMBwezYp/TQnaC1DPMdcuh567SxRnstICIsSh1l/5RL,iv:z6DuPK51dBnJCyVI5wSqEqSLdqEXVnxlGakBBr07aYw=,tag:rjaVe4SrVghdG1zqiU1o1A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNVh6c3BaZHdMLzZ4NE9G
            YWQxVTluVE4xWTRwZFdnOHVLZUwxeTBnMWlnCmpRNkVaL1dxSVlvTmExa1B2U1k0
            V3ZQTUcvMldFZlhJaW5GNVdPakx0ZFUKLS0tIGVkb1A1TlppZjJ4TU83Q1Vld2V4
            U3IzaWFmZC9oc1ZRZitwb3V2UXRFb3MKyViC3mT4RW11E6XmVVztMmJgm2NP9JX9
            Bf0jGvYhO7Etg5O05NwTAy1WZLB68hqTHAJ2tMJD2934sJicWfg/kg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudTg0ZElzdndiSGowNUxk
            cmRDTS9ZTW9DVHB1dlNYZU0yOFdqdkRVUzNNCjJaY01ISklDQjc4YkVtSyt2UlFm
            cWJGazNwdklDdTJvOE5ZUWl0VVZpV2cKLS0tIFVRQll0d3lKSTNZZk80YlNhQzlE
            TXU1WE5wUWdhUnhRemhNYllHK2gyQzAKPuT00v8c2W1iSCx4nAG4XzCz317D3jql
            ANYcLgmd47N8Jj+jssAPgoG9Oavj4II2NmXpLGKSDyAPtdrTqowAXg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreExpaEI4YmxLTE5jcTVT
            dkExSlMzQmJVMVpCcklwRjBGWE1ZZWZjOGpBClVSOEtoUTlGVkIrN2J4U0ppSDdY
            MmFoNnlzWCtOMDg1NWxQVk1QRzBVazAKLS0tIFdiNFJsWXZLTGpRTVNmRlRJWFQx
            dUZVMXhMYWlNdGZBY01ZTGxsK1RIa2MKY5F4BSYaeSo7rFUc8DJ8HUGCkUSHwR+/
            XTKp2FkXD38hFOC1jWtityqEF8vCMA/m567nw0adTCFl5S4vegpy1w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WHRxYk82ekZpVUtxVVZZ
            WFRXR3NZMkt6R2FnSGh3bG96NHRub0EwU3k4CkNmcHdRT3BWTjRVdllGQmtqSHN0
            T0wzV0xpWkY1UXNFSWtsTHVZTFdEMDQKLS0tICtpbS8zQTFXbllpOWl0Q3lyVjFR
            WHpJNFAyeGtPUG1lRWdKMFdqNkNWeEkK0DcfsEUECFhSXPQvsmKx5gVdHyZMb5lr
            XoKOFrrjJ+NtqxfyAuqKmt6TxpPvzgBLdnbmQ0CTG7qb86O3o88tKA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcHB3RVlyaldnaUJqOVpF
            WDd2d2RKUmR0VnU2SEVvZWR0dnVPZklweTFrCmhhb1VYaW5PM2VaamZtWURQOGhH
            UlBCV2J5d2xYNjN2RkF2QmxjMHcwNzgKLS0tIGFZY3NhWHhYZzBzVGROZ1ZXckdQ
            QnoxZlAwRjQwQ0hQc2xrV2E3ZWJLL1UKwrILkzbDJlUdIN9un0RTGNXPzmlddo7r
            ThuBWigFXDscsIHkwbhqfWPJy4YGcVnhYE9bfTV8k3AWAljWl6kL7w==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-09T06:33:41Z"
    mac: ENC[AES256_GCM,data:VoNIfkIOFC5EZ7s0Zd4SD0RGLxyGmZ7VDIMz4c19Bp62zsvo2xeXp1z2Q/UFIt3EX8Tr1txRWawDmbImTYNb7Tzk/QvE8NZswDnRGpMloo3aAHT6acalm5z0To7jvsCZnLyR+3cwH9RGuMx76CNbyDrpSbrPawFjj1LAfsiXyvo=,iv:sOU7iOlkHKWRuKSpb6+JVoac/L4lDd2cILV+uoKzOnc=,tag:GTwHnF8X9+TSm7ZjWQI+zQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/nixos/hosts/telperion/config/Caddyfile
+++ b/nixos/hosts/telperion/config/Caddyfile
@ -0,0 +1,21 @@
 telperion.meerkat-dab.ts.net {
 	log {
 		output file /var/log/caddy/telperion.meerkat-dab.ts.net.log
 	}
 	reverse_proxy {
 		transport http {
 			tls_insecure_skip_verify
 		}
 		fail_duration 10s
 		health_interval 5s
 		health_timeout 2s
 		health_uri /
 		lb_policy client_ip_hash
 		lb_try_duration 5s
 		lb_try_interval 250ms
 		max_fails 1
 		unhealthy_status 5xx
 		to https://legion.meerkat-dab.ts.net:8006
 		to https://rosie.meerkat-dab.ts.net:8006
 	}
 }
--- a/nixos/hosts/telperion/config/bind.nix
+++ b/nixos/hosts/telperion/config/bind.nix
@ -1,27 +1,26 @@
-{config, ...}: 
+{config, ...}: ''
-''
+  include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
 include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
-acl trusted {
+  acl trusted {
-  10.33.44.0/24;  # LAN
+    10.33.44.0/24;  # LAN
-  10.1.1.0/24;    # Servers
+    10.1.1.0/24;    # Servers
-  10.1.2.0/24;    # Trusted
+    10.1.2.0/24;    # Trusted
-  10.1.3.0/24;    # IoT
+    10.1.3.0/24;    # IoT
-  10.1.4.0/24;    # Video
+    10.1.4.0/24;    # Video
-};
+  };
-zone "jahanson.tech." {
+  zone "jahanson.tech." {
-  type master;
+    type master;
-  file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
+    file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
-  journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
+    journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
-  allow-transfer {
+    allow-transfer {
-    key "externaldns";
+      key "externaldns";
    };
    update-policy {
      grant externaldns zonesub ANY;
    };
    allow-query {
      trusted;
    };
  };
  update-policy {
    grant externaldns zonesub ANY;
  };
  allow-query {
    trusted;
  };
 };
 ''
--- a/nixos/hosts/telperion/config/haproxy.nix
+++ b/nixos/hosts/telperion/config/haproxy.nix
@ -1,53 +1,38 @@
-{ ... }:
+{...}: ''
-''
+  global
-global
+    log /dev/log local0
-  log /dev/log local0
+    log /dev/log local1 notice
-  log /dev/log local1 notice
+    daemon
-  daemon
+
-
+  defaults
-defaults
+    mode http
-  mode http
+    log global
-  log global
+    option httplog
-  option httplog
+    option dontlognull
-  option dontlognull
+    option http-server-close
-  option http-server-close
+    option redispatch
-  option redispatch
+    retries 3
-  retries 3
+    timeout http-request 10s
-  timeout http-request 10s
+    timeout queue 20s
-  timeout queue 20s
+    timeout connect 10s
-  timeout connect 10s
+    timeout client 1h
-  timeout client 1h
+    timeout server 1h
-  timeout server 1h
+    timeout http-keep-alive 10s
-  timeout http-keep-alive 10s
+    timeout check 10s
-  timeout check 10s
+
-
+  frontend k8s_theshire_apiserver
-frontend k8s_homelab_apiserver
+    bind *:6443
-  bind *:6443
+    mode tcp
-  mode tcp
+    option tcplog
-  option tcplog
+    default_backend k8s_theshire_controlplane
-  default_backend k8s_homelab_controlplane
+
-
+  backend k8s_theshire_controlplane
-frontend k8s_erebor_apiserver
+    option httpchk GET /healthz
-  bind *:6444
+    http-check expect status 200
-  mode tcp
+    mode tcp
-  option tcplog
+    option ssl-hello-chk
-  default_backend k8s_erebor_controlplane
+    balance roundrobin
-
+    server bilbo 10.1.1.62:6443 check
-backend k8s_homelab_controlplane
+    server frodo 10.1.1.63:6443 check
-  option httpchk GET /healthz
+    server sam 10.1.1.64:6443 check
  http-check expect status 200
  mode tcp
  option ssl-hello-chk
  balance roundrobin
  server shadowfax 10.1.1.61:6443 check
 backend k8s_erebor_controlplane
  option httpchk GET /healthz
  http-check expect status 200
  mode tcp
  option ssl-hello-chk
  balance roundrobin
  server nenya 10.1.1.81:6443 check
  server vilya 10.1.1.82:6443 check
  server narya 10.1.1.83:6443 check
 ''
--- a/nixos/hosts/telperion/default.nix
+++ b/nixos/hosts/telperion/default.nix
@ -1,46 +1,59 @@
 # Do not modify this file!  It was generated by `nixos-generate-config`
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, modulesPath, ... }:
 {
-  imports =
+  config,
-    [
+  lib,
-      (modulesPath + "/installer/scan/not-detected.nix")
+  modulesPath,
-    ];
+  pkgs,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  networking.hostId = "ce196a02";
  networking.hostName = "telperion";
  boot = {
-    initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+    initrd.availableKernelModules = [
-    initrd.kernelModules = [ ];
+      "xhci_pci"
-    kernelModules = [ "kvm-intel" ];
+      "ahci"
-    extraModulePackages = [ ];
+      "nvme"
      "usbhid"
      "usb_storage"
      "sd_mod"
    ];
    initrd.kernelModules = [];
    kernelModules = ["kvm-intel"];
    extraModulePackages = [];
  };
  fileSystems = {
    "/" = {
      device = "zroot/root";
      fsType = "zfs";
    };
    "/nix" = {
      device = "zroot/nix";
      fsType = "zfs";
    };
    "/var" = {
      device = "zroot/var";
      fsType = "zfs";
    };
    "/home" = {
      device = "zroot/home";
      fsType = "zfs";
    };
  };
-  fileSystems."/" = {
+  swapDevices = [];
    device = "zroot/root";
    fsType = "zfs";
  };
  fileSystems."/nix" = {
    device = "zroot/nix";
    fsType = "zfs";
  };
  fileSystems."/var" = {
    device = "zroot/var";
    fsType = "zfs";
  };
  fileSystems."/home" = {
    device = "zroot/home";
    fsType = "zfs";
  };
  swapDevices = [ ];
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # Until I can figure out why the tftp port is not opening, disable the firewall.
  networking.firewall.enable = false;
  sops = {
    # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
@ -61,11 +74,37 @@
      };
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
    2019
  ];
  services = {
    # Caddy
    caddy = {
      enable = true;
      package = pkgs.unstable.caddy;
      extraConfig = builtins.readFile ./config/Caddyfile;
      logFormat = lib.mkForce "level INFO";
    };
    # Tailscale
    tailscale = {
      enable = true;
      openFirewall = true;
      permitCertUid = builtins.toString config.users.users.caddy.uid;
    };
  };
  # System settings and services.
  mySystem = {
    purpose = "Production";
-    system.motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
+    system = {
      motd.networkInterfaces = [
        "enp2s0"
        "wlp3s0"
      ];
    };
    services = {
      podman.enable = true;
@ -77,13 +116,31 @@
      bind = {
        enable = true;
-        extraConfig = import ./config/bind.nix { inherit config; };
+        extraConfig = import ./config/bind.nix {inherit config;};
      };
      haproxy = {
        enable = true;
-        config = import ./config/haproxy.nix { inherit config; };
+        config = import ./config/haproxy.nix {inherit config;};
-        tcpPorts = [ 6443 6444 50000 ];
+        tcpPorts = [
          6443
          6444
          50000
        ];
      };
      matchbox = {
        enable = true;
        # /var/lib/matchbox/{profiles,groups,ignition,cloud,generic}
        dataPath = "/opt/talbox/data";
        # /var/lib/matchbox/assets
        assetPath = "/opt/talbox/assets";
      };
      dnsmasq = {
        enable = true;
        tftpRoot = "/opt/talbox";
        bootAsset = "http://10.1.1.57:8086/boot.ipxe";
      };
    };
  };
--- a/nixos/hosts/telperion/secrets.sops.yaml
+++ b/nixos/hosts/telperion/secrets.sops.yaml
@ -1,81 +1,63 @@
-1password-credentials.json: ENC[AES256_GCM,data:odK6x2TscY1WNCOaPBSfo2ln7hsa5UopakUpOgB4ci64p4LGIwTTDnSiq8+UXkrDndQ7tSqtr9RUvB+AwwYOuh1KBAwWmlZN7agtxUYc1wvMdQv8WPDfhqe9m0FNP5gyTaohcjBdBddZlv7izScVePUQUdG04dGYqUg6mQ/gmPtJy27hil8GivvxRN6FnFtkgoyfE+ZLfkTuMdeL4cxai4j+UeGc5XgmsrBLrW5udeDw2hktGXEBp2vMC6t+D7uzZ7DeLBDiHRbBZBeo+krnVdPsLxU3yFF/hC8vWVbkT7Wt/UhB0+X8SWvhYOvc3KW+NfyHcU0SONhQCM4iOkk/1qvcaDHy7idqexKxOtfQaZtuHW0vB3icgbxTO9usFxOxUPe63yXHUg+UDKSN4UGCF10eLoZKaV7zO76BkTFXQLl2Q+dytaxEKathhW4fS5lUBpuxXNDXuIxMiUIclXwVWVDpL7qchTJCopWwwDRaeHrUPev+pQptEsDLYpZeuf27hPjCMiOWkxt2kg2eKPjJ8AUtI8N3OlFPCyAurLgLSrFj0Wzm24LJLKsjs1if2y2jb/pR4MPdgnHgNnHS8VQ9JVprVyuw9C/wDhVV7yW+D4tlJ/d7AXaJq/dkO8XnwCEVPyFr9bUMB076z+tleYgvv9rHkdQMaqHr5HCHAtuYfM4f0Zpfr9alJ4wxCsj+MAn/PLGxjNd/hQQY+oYRpzBne2mUoxhRt3ZjnGH8LUBFSlz+e0+PB0anS3oV3XZUt0XuwGpNIxp4LsRFgmDC2qoMKZ2X7/DfTdmb3te0YbYNUUeHxlQ5AImzU6Lj1qw/clD7ViS82Rjc/WCavg9J7U7CdDbzhtv6xCxbyd3j1r8Wi4XLAXy4ZdcdvCEyYDHwJeExY8pp/jvS3CqSrlC/PyBUemloIQ+jSQiRYDv26XpRKbJ9Yd8fJ4ANPCMuvXU21iXtxHIRwopTo87hWqqSaORFcyVOmCxJJpa/TXL5fdd4ISy6CSqZXZCCIfiVxq4fBkqSoya4XMXQQq9Ki5xwLf1bDhaT3v7okP87A9d/j9Vru2RIZtRT71jVKvwDvJhLAfYuXyIUfQh5cvIw4/HlAZzP5vi1w5KlIJGf1uVVhvTl7p23/Gi9LAX3/P75dbK+x4VYOyqjMowER3jxk9m6GyFDl7iuceNh1bIpgPN1s4QOba7N2Tex5oa/aJJKOLYE4GYDtom5auDP6Xqa/Nd4NaDyd5oVuXcP7Lp7tDu9sIW5rhGaVYKU7jhzALN9HjfmAen+cZ50oy8L3IYKlS/91qzGughYDOjK4qeQ2XrMxySnCPja7ElV4gxmB3X73nxN+N0ZLEDhAGIS1FOaOammDjK2Pj/3vA5+S2hO3GYLh9glNgRnIGlNUVtw3My9H1mYIc4eP+LGGXz1KPnQMQWRtXZHH4d4fsOyhk+CE8as7WtyO7M=,iv:RkYdMs72Nq7dwHScKZeXMNSJ53ztTXCb3lkhrr9K2oE=,tag:XDdPfd+Be9nSAbvate52AQ==,type:str]
+1password-credentials.json: ENC[AES256_GCM,data:LhPG3XyCRZobdAN77ATiEy+A3d8P+1E0+lS8JXbvY55v/qhXk0xNUMb1KsBjGazsj6jq2j4u0dq55KmTDWckC5C7MIUzI69bbHrEtQ8c/XgBo5ulmsaMgkRNjsXMJ6h318/M5XC5wd/MhWz+80eWvnVu7PI5E0Ar77W+KeoGwCiaZ7oQGoE+e5TJpNlOhtiMNfjtmUzx7L7D2JNB9LhA21Y6LcLToGVm06KguHMPZAK//3fBbJfw7nbY7MHJ5tYCu20pUF2eJWnRcB11QDqPIOszJ/tKZ9JQtXd8DBmXKgrjeOaq0Y8XIgTo0co5gcfriQQ7SC/m0MWE4LkoGOpmbdw+hZhqfIVOl5+IXwXkH2EMn86gJTBxdgtPXz6EPkuPSNamO+uh5L9vjodFcCKZVZnW/QvhzxYaRErB5hbSJ1PrPIRcJsnOkDcIcBtW4b3qvjJtewvX33RDd7qEIoqd71jNOEyxeZgidpUCyfA9bHLVb367DcwbCB5jZ488ZvcjbcEXuvPkQfZ6xR49vuijff03thN+Ob3kQI7ofcasqbRO0eKYEQQapDaTz9IbraRf1z3JgQ+o/Brh8LHxEBgMQA/GwDGz4n/wnMczylH2O/ODsjkI76kYk7qLR9Z+8WT9tazrcPrBs/scuJSHu5Sl6c8K07HN9W0jPnD8dAP4J5Pl+lxpS66SDVfGImYwjuQjfDF+RY7A/UP0iPxdklkfLVQ0Yu4Pa+8Y10YAXY8UG1NQW51REobTGIEF6El6/pzfNElqAdFG4+5JNZF1/4IXWPVJQly1VstUY9D4f+0Z+7X/eAdz7VxWjI8hOSGH+jPbylXe7eNQZdhDZ2PNfoqGNsgLZfT6AcBtLR8eHZlAY9O139YsSzPqae7CRP4TqX0KwUQHiZ1OWh+zG/OFUEPV/IiaGi+aUcfZzzz6mVrXXsyFosDtaqf3HYPcMuhJ8YiTY5g1/OK3EUDR6CBOENJf/iMjC03OBqf5xll5Bzw68pcX2rR8kkTmJx9mWE6SRxqOpVOxNZQaK2O1NrJxBQrR4/b/Vd5Sct+VvT24Kh3eue7+LhKIzJzh499sJ4PgNJ1plbRDzKpfj2qH704xj7YzqsKPcKIq+VHQQakQ3VdAOoMzo7RXchVh2BDTp0I4GljUOoOh9sv2DIrjmpnN5KWwAk7gl1zkcc/DPEqa6UN8z6WVlTIC4pHGm68IyRl0HV34owyLEezGcoidIu7t+AwZZrD4SRHFPFCoFd6ubbcr2/7xZgRaKqGU/82hUEjR/SrxRQpjeN9Vf2PAAGDbVsZGC9f+pthMamlD10oZzfamf9DliYdF2aNH6/IR6IPVBTbUoLuBDbqJH0lPtgLDqmpoS4t5cGvmmlGgjm4I9prrV5Ogz0ct30L1XW+KfxT5alnGZsx46ZaW6hlgmkGqiUUHhUuxW0GT+16UxOQLE/sZVgg=,iv:wPy/dePJ4x0IdPyB7ChN0B2msEAMcAuM69liIOaumZE=,tag:0CA6RZZ8mkDM9gCCDevM5A==,type:str]
 bind:
    rndc-keys:
-        main: ENC[AES256_GCM,data:X0HTyNmqH1epIVNkXMyFlavqAodDw92Gs2sK54USNv0mWIwmk8NEb69x/Od8TAwDZw63k0lEAymyj/hBfkpav9yKT1M1hGxr09xjWsR/DTAM9tFv140cvnMEon0ZbXVXp4ou24jP,iv:7AsoCrxf8CyPiyWYfHZsGE0Qw/wutCVvCEiRdUdmIHA=,tag:oJi4BTDrD3FLEQuYeDR3dA==,type:str]
+        main: ENC[AES256_GCM,data:HETQLs4FDXeZINlCSnGYqF6Mntd7EurCRSyf5NIAz2Qmq87IAj2TbvesC8PnIBXMul5Uj8ggDym4xO6Qcoq6KQNfCtVOI/TaA3JYZbIOmNWZR82LsWwO77hd2kx8U+E9K6kFtBbV,iv:WGmWjcW1RkOWSoBjrbkyQkDbI6yYB7hakOrmXo4Q6eA=,tag:CfAe/x+HOu7tf0ZY4HIB/Q==,type:str]
-        externaldns: ENC[AES256_GCM,data:WhH4vAR4Q4iTXq2fT+Z8kOXkwnneNV4bXWYytov62DFDSnYwsvWIbol5MvYIwXM+gEbQ/k/uk62MSFx26T34881EGJmH7KXWr7ji273D8oKAp0Fw6jOt2NZT6XkBwhWEIathUOwNdN6E,iv:SepdyBzYga7s03ppSppiBB/wTbTrL/y70aa/B/m02r4=,tag:vWqlZLx+FvstJjgRj4mjWg==,type:str]
+        externaldns: ENC[AES256_GCM,data:5kIBIpRYdGmBZBvwWSIufUzAs2Z+9scgMQOMHtDLFgcQ8OFKYbKlOQ2+G7exo/YfrD8QQfbPjHD/ScQbbs0SyFYhx9ivX2vizyV82uYqZ1hODKBsMHCuEvWMNydopbT5/vobKCnAER2T,iv:AA1uUmyTxfovgRnvktRQxmu2Bj5mStWd7MRrvUaI6LE=,tag:NPGhBf5yBbTPD63QnBA9PA==,type:str]
    zones:
-        jahanson.tech: ENC[AES256_GCM,data:XqOX6lbCubPEi1pXgIEXW0qyD2+iJXNugTPdQOB/yCm4AX1mMiANAV51FBDb9f+QQ+q1EDqGz/83VKggoIvHSZCOW3dkNWR2uy82uO8C59sbsLrR5AzTTnZN2zlaIjW2q42I838mKfO7MfYXutwQbTpepr/Brtbldm+HRjxugJJMDFvBqSlylSnFA+jeWq7RNRP1+ZxGULO8I2BTPqdRVyRHcIWjyQABTctDcDgDLMpPxrMBTtmC2/CFH5pIT3w6gbrYRwYFZh7fNprOYRRPOkGHMZK6ccMCpm2uRR4b5daB1MidqJUsX999ma2TEmsUJSQZr6mS2r/QvwZ2R9QziIkBxh91vCg6HMaHl8/ISlryZVlkWNY1P2jgCMw0jJ58NxeBVAjVWw3iL+i9JU/q51r8J3nZHi5ql90JMaVdYWw8I2GLYWDHQnES9srEXtJwJNLzE69lQuL8ARmey4gt8Q9snen0v3RJVFb466nPKvH51TjIAr3FB2L8NY3RumD4eYl05L5JdNcFVuqmsYdoWQSQdZz23BxRM/QKT2qKjrhxfZuQW1naNDg3qbx5+bLGHlG6m8wRdtkR5SXWQc5a7LG2eURY9T7vy8yxMWzjd5LPMFLd7JlUSjwXw9YBhYTafGuc2TUESs8DCO/hU2zjAn1KM+rmc2T4aF3HexJwt7b7HBmMrDWObdtj09ycV10tp1Z57ZMz18aJdIbaZKopERN25FzIKiTlytiZiWsesLo6mUbsgb7bmjGGjBEDbp9P7ozgZv5H+aR5Y7POl9EG3gfERPsa1nF1qlloOrYT/GX8pUNhXAxH6QfX7WF+ANiMB/L/X4L0/XufV7shCWfQwogZ3t7ARGHr3dIOyx1ABus+M2QUZyI94jHTn+/J6aaxL8qsDGDZ6383Gk/CHa57BklRUrZZYVs9jzDe7+12gDfID/eP+nnKuohwCY1KcHL5QCRUg8KN1ZIyH1FYz489l/qKFG1nO33iJv/l6opWjIv98EM88ckA7zxU1+UgjxNiBo0EGJPw1erwTwUzehTnj303HuTGbtGjgE/vK8M+rCCpL9L0YAFQyXqeuqQs6yM3PHCyKfvThCAnwnTIGn2mZcyu/GGGOO9Hse/islh4cYldxC8psKNfNlf6qT43MOf+gDJ2GKU2kzU5tivlNqXbgAs=,iv:8SWNl65v24W504eG64L65rDmvqrkF5VJhufN3u/wRG4=,tag:oapDfnOAPyPDiJrxGHtiJA==,type:str]
+        jahanson.tech: ENC[AES256_GCM,data:HGvI3MRQHHwFW+ElBQJNuItKP+fi59ZXepjzY4IoRZ3mBDEORBMTreCk6i+HlM2GouVhJo028Ilkl6P/i17O1LchTUcK+NZOkJukIdd/WQknusZOxoQKhRYloyDGa2IYe4YzQDtRd3vrPdHffEkZcRvd7KF7EAYROMmWk6OSfasf1ta3iHQe6xm93Ql8EY1o6oqhjlS31w5XDOMaNvFkJF7pD+C2OQ6pGORYxv0ePH6gDr56FBPI1sZStDQtFFSrJEDKyuR+yrjhpg/fHnxa6XIRASSBSrOIrITE5VACZpuXB3hcUT/4BA+5P0GDayDuZv7ODw6NUPqBxgpgypfaUZjNwJl+MaUPbkFaRECZexbEwvNCl9/xEruBKlbhl2jL4CKLGKaNOSukYq3Gskcqc3qkvQCWEucmMguShSBv7QOq3l1sWOlbHxEQgvdLrZ4cRI0bUQCxk5xO7LRgodf8ACOZVrdHInsARuvX7r2mzGrYA7a6qPXpJOhE7Rai7mg1RQdabJ4i5nd0GSJV9WWrGH9/0yw5uj9f6nwEWuK23gkxK+2B7B+nt703WbDfDmnWNjaxHHz++IBxWiNLUFPGVt9GNx3VpMV70Y9PY5VmL4O8L7Fc+3TcTz+bG0pbWrO6MpwKdieWxmeLLn/blFGzd0acQUtV4UCv3lYjqofCDbfS8S/ADE93bcuxxnsVDwoVVnmWSOsXkERvtrZ9VggeXODZCwPhSbUXXYyF/KNmChbpdJDBbfTPjlWPqy1423SCi6TTX5xCNAbl1JL/2aTVCGOgQ2+QfSKzjbjSsp77ZzCQNWVMOenvSYgb4D98QfDOcukVs0ewa06CxLBEycjq2T6XR8+3/JMPDElmDVfdaOscW6QcpJXJEeWRU0kujHWoaZbmclgnmhPMcoMa5fuC0/p0+/DVOOn4ZINGGdAGy57NVUOOtyLYZn1J1F2EZAXRITRfxHNjHLLsuj8q9iCs7so80LUHejfKjqer8TGLLT948Vs3+Im/iB7dE7k1QmFxVd2lArNFFlPj7QsLtbM7sT6Kj8YRjiSoGer0AQVjkKewSIxnUH+n825Hc0efBFBYDCAN36LwF12FNB5+nTnI0fKIvV/N,iv:GYlqE0pT3vaNufSoM/RZNTW4j5IZHUkKj3KUdmc6ZjU=,tag:89rtkSyISHDzhDtF1VTuzg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSS9JWTZPak52ZFloYTZq
            N3Ewa2hrbUZmZ0Y2aVpzaTZjN1hzWTlqRmg0CkdIZk9IMDdWQ2xsYmdHcGM3WmVk
            cnVXVkprbXlQeDdzSkEvbW9SSE1aU3cKLS0tIHpuQUY1TmdKbGpZQ3N5Vk5LdzBC
            VVp6Q1ZNR3gycSsxU3Q3SGtNUDN4cEUKDXO3QyNQfXqn587meoAZqraGMl4ASeOf
            rVJDGWkNhne1YFdAfvbiY6pD7RDxscwiRFqDofH/t0EfN4vwrzIx3Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSEZKOUJTTjE4YTRQUnFW
            bzhMcjlSVTRNRWNkSmZSbU5ITFFTbURFbGpJCnpndFR1OVJvWnBOMVovdVVGWkZ4
            Wk9xa29kekgxRnlqbFg4YzN0OE9ZYUUKLS0tIGsxeUhWdU5NaTE3cHpYNXF2OUlK
            eGNyTXdqWFNvZ0NVOCsvaG55dUdaMEkKW9SxqP6Jpn72VAwPhn3laO1OE+gYzLvb
            10NfaR+2P0EJZ3nwc0sLKmPmSzcRiE9etGtNGFiLgoUNkQ3lnwXj6A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTF2TjJ0WGJaTUFIWE9s
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSzIwRUNKSnczYm1Eaklo
-            S1NHQmRiQUVjSGJLQXZ2VUUrclorT3dIOXprCnQwOUorNXFzNG1DbG8wRW83QTdC
+            dzlSckxLT1FHc3diSy8rRXBIRTJKUVpkaXdVCkhHSXN3Z0FZLzQ3TFpiUWFZS0FZ
-            a2ZpZnM5Vit6bk1SaXRSZnZZT1g4ZzQKLS0tIFd4RVR2LzdvVG5nVzBiKzBPL1p2
+            QnVHTEVKVHNXWkdvRTF2WFJlRUIvNEkKLS0tIHo0OXZMQ0xkUWZyZExEWHhiZnRm
-            eFJWOGx3Z240clRQN3dNa0Ztb2hrUk0KunfKdWPTZD32KagC+VXmAQDxJAoElHAp
+            SXBpaUNvWFByMis3dFlCLytRdEpIOTQKDBKJ+gvF84j2KOfPniyjJbmrh7GxgF3m
-            mo8a0GGdeVuJiUneJlZ2KYuLkseCyn0HC5qQMUIT8HZJ2bb+RH0vDg==
+            DLhPHMaRkaQkWZaLTxijyAXv680X2vCFdBjRPA1fQMz55/2m9OdnPQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZHAxMVNsK3U1ZlJnaEJj
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNmg2R3V2b2ZLWGdWSGRp
-            eTNhZzRidW9HQ3Jrck0zNmxPYXcvVUtJRTJFClFiMGNuYnEzbVNJNExVSkZ3dVJy
+            bGpuWndqd0twcGdkT0xTWEV4MjR0MllhVG1JCnM2ZnFWcHEvb1U4S2xuRzdhMmFP
-            MHlRdG1uNHhZb3daNW03bVJrOGZmNmsKLS0tIER3RUg0TDRQT09jdy9xNzF6OUtq
+            b2pickR4ZER6MWZHUExyTUw5c1VXR1EKLS0tIEtndm02blQxUlVEeko2SUxrUG9Y
-            VHR4NjUxZGpRYzNKaHhlVTdJQXBmTlkKHgqnACFlEusz0/W+I/O2smr/SV2Oiw9Y
+            am1ZWVlFdm5HNWlhWkFQa3JLV0RCUGsKvlCCLWWui9UVDvI5P6qvSHFGWcbLByFC
-            wCqCyVfB+kGrfgq08e8ki8NXv3PDT637BU3kXFaOTQhzSE0aCpD8qw==
+            nX7x8fWBxaqF3wK32ndmVMBO6jlPVXcv6NsjpdRpbDxx1iMxFqc2+g==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTXJWQThMaDZNajBFOVRT
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRjhpUXlNUmYvVTE1eklI
-            NEpJK3RvbzRKUXE0NWpRQVA0aWJSYVNxWkhNCk1nWHVaYmZNQkdQZFJIOTZKTWxC
+            OEx4VWNSMXFuTWxIZWZTZUU2TFBYNEZUa1E0CjRzL1ZWc1VlZ1pxa3gyREUwZE1I
-            RXpOaHc4dzNBZ0txcFhtbjVVSjhDbXMKLS0tIDkwSnFTTjBZZE5hZTdXeTI1Q2F6
+            SnBNTVBQZTU3T3hHNEd1TlVYUkZmUVEKLS0tIG1SV3JUM2tlVVh5Z3B3ak5CNnhF
-            Skw3OUt4SVlrQ0M0d0h3KzNubjZ6SDgKiEvuO+RqygeSSzeUlQJSPuzNY4tbzKso
+            TVhFWnVON3hCVE8xVGRTR2FoNUF6ckEKA3Zy1LJoc+Ij+6nwMyyZ0yVycfpJEtSD
-            bt/fSCV4ulFTvjybD9lfA9dclHGM/IRA9obCQd8RsCBQuXo9cuWnjA==
+            icqaVJyssOaraf/GjWC03bLWUaIbGg6khBVBvsetS0m83wPeOwkmYQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZkQ0NzVGMWJ4Tk9vYnZC
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVk9jNkx5WGFpZjFvdFVz
-            dmo5U2FJa0pOUmt1K09MWFdRamNnaUgwbEM0CnhKRmMyN0RYMG5Uc3ArQVZhVFZX
+            VVVwZ2lLU2lxZWp2bWd0cGhJd2kzQUJFWXdRCkFoOTJtRk9OMEtmamdOL2thc2dw
-            RHQ3SU1TUnQ1SlhvZGp6emFOV1FuVE0KLS0tIE1oQjQ1dUhTMVBaTnZIeVpVNmxp
+            bURQRWNwRzBVVm82b1pKUm9ueTNDMHMKLS0tIHMxdGVQVzhjQ29zYXljUmNoTW1W
-            cnk3ckEyWkdhWkpkQlhJTHlsaGFTNDAK79D2C2RZql38hBJOBnqhOOdb7Z7EJNgj
+            clJScGVoRU00Z0VxWWtSMmZPU3VwR1UKB7+fV7RD9MoiOzgVmTtWyPG+9G9i/VYk
-            aWfivACOM//hsPCZK+9YFpXJ08Nb6iBlNKzYsTW7qJ+Ue9M9i9JShA==
+            4AK2BSXVJuz8Zhh82+xh04vh28/mT61WVWPMWfVryPuPELLo56HNOg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdHRRVEY1dmR2WjM3YVhk
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OHBQZDNvSDBVK0dReDZa
-            dFZ6UmUxUTJKR3RKMUM0UXVaMUJwMzJRTmpnCjJtdjgwNnphOU5EdUxkSUp6UkQy
+            Ykpkd3lEWG9zKzRIaHlNL095V3BaM0hPNm5RCi9pYzN0QVlHeVRtTFdQbjlaTWJp
-            cS92MGdlTExVbWJIWGlGVVFla001MGcKLS0tIHF6c3MxR1V3N2szeXlNdWhUaGpW
+            MlcyeDlpTGx1bkdJN245Y2xwaXc1TjgKLS0tIFN5U2xXK2RDcWpNRXBQa0hOVE9n
-            WWRlTHl1MWFmU293NGJyRVNRTE1RWWMKu5nK98591T0Z4rHIHxCY7mqBW/CF6abl
+            cW52OFA2UVR6bnJhcWd2bms4VE8rNlEK8M0dEF85yzzkV1otG0a++a/TDw6n4zcN
-            3/ygImXkb15Ws4b4mcN67vk3omg9CB6s0SHfFk1GAu6CiN7MufHQ+Q==
+            YGbRLQTRfwmXgvX0cjU2lSU9tEtdSvHFHNcTLLOo+tbGNg2K45moDg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
+    lastmodified: "2025-03-09T06:33:41Z"
-    mac: ENC[AES256_GCM,data:pmZjxv+vcznnamHNvOL7sr8wrejmcqo6D/NpizVo7TPo6cs59vTQ2fXmM0zlfJs81wZVe8cMcv2LXITSmjpZOsrhYuzMpPsc9HGzdwfOXVTfdVDYWVwNd4LsXMW40rqUbZyVtp8zAOW4eF5iY0H+acPxMcBbogoQKOU94a0NqzU=,iv:vFcpIrA9KRMawLCbMqWbKcGFPBcMp3mQRIgje5dV5S8=,tag:iuEaP9jjhhvjMjChvaoBCQ==,type:str]
+    mac: ENC[AES256_GCM,data:UaQJeAhm6uIBAG6b/3UQvjTUPaOOVipwCxVJS6PqhGU1xcOL+/9jxh1ULpF5rXArhzLgTSCOIAEj5d7eMkDZVaBtvcdRyEWSqc1J4dD4I/kjFZBW6D6pews9YV4guVIDA49Sc6zFAl8NNzZW116FuUpqPfbBr0HjPWDVP665ZJY=,iv:VDoiyZGFrt3GtUqlFCvcQCPb7u7MukcWyzCKJ0rZ0Qo=,tag:FnV0+6DGc4WZ2oyPCQrrpA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4
--- a/nixos/hosts/varda/default.nix
+++ b/nixos/hosts/varda/default.nix
@ -1,33 +1,103 @@
-{ ... }: {
+{
-  imports = [ ];
+  pkgs,
  config,
  ...
 }: {
  imports = [./resources/prune-backup.nix];
  networking.hostId = "cdab8473";
  networking.hostName = "varda"; # Define your hostname.
-  fileSystems."/" = {
+  # Add required CIFS support
-    device = "rpool/root";
+  environment.systemPackages = with pkgs; [
-    fsType = "zfs";
+    cifs-utils
    minio-client
  ];
  fileSystems = {
    "/" = {
      device = "rpool/root";
      fsType = "zfs";
    };
    "/home" = {
      device = "rpool/home";
      fsType = "zfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/8091-E7F2";
      fsType = "vfat";
    };
    "/mnt/storagebox" = {
      device = "//u370253-sub2.your-storagebox.de/u370253-sub2";
      fsType = "cifs";
      options = let
        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,vers=3";
      in [
        "${automount_opts},credentials=${config.sops.secrets.sambaCredentials.path},uid=994,gid=993" # evaluated and deployed from another machine
      ];
    };
  };
-  fileSystems."/home" = {
+  swapDevices = [];
-    device = "rpool/home";
+
-    fsType = "zfs";
+  # sops
  sops = {
    secrets = {
      "sambaCredentials" = {
        sopsFile = ./secrets.sops.yaml;
      };
      "security/acme/env" = {
        sopsFile = ./secrets.sops.yaml;
      };
    };
  };
-  fileSystems."/boot" = {
+  programs = {
-    device = "/dev/disk/by-uuid/8091-E7F2";
+    # Mosh
-    fsType = "vfat";
+    mosh = {
      enable = true;
      openFirewall = true;
    };
  };
-  swapDevices = [ ];
+  services = {
    zfs = {
      # This helps a lot when upgrading
      expandOnBoot = "all";
      autoScrub.enable = true;
      trim.enable = true;
    };
  };
  # ACME (Let's Encrypt) Configuration
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${config.networking.domain}";
    certs.${config.networking.domain} = {
      extraDomainNames = [
        "${config.networking.domain}"
        "*.${config.networking.domain}"
      ];
      dnsProvider = "dnsimple";
      dnsResolver = "1.1.1.1:53";
      credentialsFile = config.sops.secrets."security/acme/env".path;
    };
  };
  # System settings and services.
  mySystem = {
    purpose = "Production";
-    system.motd.networkInterfaces = [ "enp1s0" ];
+    system.motd.networkInterfaces = ["enp1s0"];
    security.acme.enable = true;
    services = {
-      forgejo.enable = true;
+      forgejo = {
        enable = true;
        package = pkgs.unstable.forgejo;
      };
      nginx.enable = true;
    };
  };
--- a/nixos/hosts/varda/resources/prune-backup.nix
+++ b/nixos/hosts/varda/resources/prune-backup.nix
@ -0,0 +1,23 @@
 {pkgs, ...}: let
  cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (
    builtins.readFile ./prune-backups.sh
  );
 in {
  systemd.timers.cleanup-backups = {
    wantedBy = ["timers.target"];
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
    };
  };
  systemd.services.cleanup-backups = {
    script = "${cleanupScript}/bin/cleanup-backups.sh";
    serviceConfig = {
      Type = "oneshot";
      User = "forgejo";
      StandardOutput = "journal+console";
      StandardError = "journal+console";
    };
  };
 }
--- a/nixos/hosts/varda/resources/prune-backups.sh
+++ b/nixos/hosts/varda/resources/prune-backups.sh
@ -0,0 +1,19 @@
 # Set the backup directory
 BACKUP_DIR="/mnt/storagebox/forgejo/backup"
 KEEP_NUM=7
 echo "Starting backup cleanup process..."
 echo "Keeping the $KEEP_NUM most recent backups in $BACKUP_DIR"
 # Find all backup files, sort by modification time (newest first),
 # skip the first KEEP_NUM, and delete the rest
 find "$BACKUP_DIR" -type f -name "forgejo-dump-*" -print0 |
  sort -z -t_ -k2 -r |
  tail -z -n +$((KEEP_NUM + 1)) |
  while IFS= read -r -d '' file; do
    echo "Deleting: $file"
    rm -f "$file"
  done
 echo "Cleanup complete. Deleted all but the $KEEP_NUM most recent backups."
--- a/nixos/hosts/varda/secrets.sops.yaml
+++ b/nixos/hosts/varda/secrets.sops.yaml
@ -0,0 +1,60 @@
 sambaCredentials: ENC[AES256_GCM,data:0caF4cBW5TSn36pZQmcjHbM9nrFGF55HmPVD4HMea1Ul7A3y1HHz0Pgl4rrYzdg=,iv:OCme9i0tHhDbypits5TKfsGXnblYqBPouhwSVeu5q+M=,tag:F9zub18fB0zZh5ssHal+Gw==,type:str]
 security:
    acme:
        env: ENC[AES256_GCM,data:LMrK8IIpx1d5Jl60VHDdwVLm4lyFDSELX1pF9wvFrNY0OJZ1EuHQ7Jgtf1wZ/cNy3XYFRxD9lEuNPJd0UN4vCw==,iv:2WEiipdYcsPX4frAvO7Iyp8zKWtydYlaPPKBd/1SFDM=,tag:G0Va5OcgSEO5E+m8jxsrFA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZjRIRWd5TnRJekYwNFNU
            SVRrYUNRandCbTZuN1FlbTQ3cUJPVmx6L0hvCnN3ZXo4TVVqT3d0ZUVBdHAzNVdx
            TmlDZkpxekV0R2ZTejhlMERqeGlpY0kKLS0tIEVjNENWd1FYMyt0YzZDVGRQZGRD
            WG9sZWpoVmsrTUdnM1l3R044UUJmVGcKiYd6OSj0vPSGpfWDNBeAYMDp9W7Yvmip
            rqqt+Y9/ovF/yd1hDrM8nWru0W299u+ftSvwi/phxkmTBvK20U7Gtw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRmFJZFV3Qmx5NW96ZW5Z
            Ykl4VDN2NGZGVmtJZWxIQXpoTlpqajdvYnd3CmlwWGErTDNBdHhHeTlXQWYrdmNu
            U0h6cG9sVXY0S1IvQlFNREV0TVk4U1EKLS0tIGhWT0UrMDNYTmlxSkdHRUYyNmhk
            NUphaExURXRsMVRVVTI0cVBxVWNDakkKbUZ1BOpKbi/Qs32bMhKa2YN2YFHaDlug
            ywpwdGaa7IGNZbwN1bKJVNDGBOGXxX+rSqueK4c1AXwGtG3HfAVApg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OVNLRkF2S0RyT3p4a2tT
            eURkOGkzTFcxajh5eHRFajlkYmdHQ2xBaVgwCkNqTm1Pem8yVWJUSEYvdnhTbjZN
            R2h1RG4vMytUZmlFYzlKSXMva2tnYmsKLS0tIDVlT2dsRDRNQUZ1NklvT2Y1YnR6
            Y1JkSXBEN1NhUUxUODhDS2J5eTVac0UKPR1qGMm94p2sKwXmCHygxZt8mfXJ3hCS
            El5vgLXuzuE/qNB2g88j7bNOBN9g2Mxs2eLNdUEWj8tyahJ4BOTtWw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByOWQ5WGdrNWpNWEFpa0Zq
            UTRRYkJMOWZJcWtxNmRpTWpxOE82bVVaYkFzCnNGWkdaaXhySkk2NlJ1YlpsckFQ
            S3dITHhkNDkxb1VIZDNlQkd1enBvSU0KLS0tIDRGMklHTzNHUE8zUUNaK3l4dnF0
            MHlIU3c4V0ZxeDlrTHlMeHpHaFRNYWsKmYaSicrgNvozfO6miBqvBr8voQlkOioZ
            dzBkLr/0de+WBm85GzhuTDpYb0cvzzxwoUlNyxDMjSSSGzLpc/dqxw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NU9nSVpRMnNwQWpIekdT
            b3R1NFhWYitNRFppT1FudlBNK1NZa0l1RlZBCmd5b0x6YThOTUhHN01pMUQvYm9Q
            L0FUdVdRaHczRW1BbDNoYi9NeW4zdE0KLS0tIHJuWHFvSnRoSFZNUTUwaU9DRXJ3
            UHdRbDBBeXFwR0Vtc1h1N05mN0pVZzgKxLuY/RNLkhPpPDGDkO3yqbelCGng/qm1
            9Yo97TlLq4zyw1cu2z0Fvcid3ZJt107+NN/2DZ4o8eXSnBSVXUcktw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-09T17:15:11Z"
    mac: ENC[AES256_GCM,data:8nCX56znsRy2y1NmkCBJ5e/szd8CTJ1BIbNew40hdT50EruedQTmQWrOhql+na3ZDSWOfPHwufgX6hFwA6UHuOYZCswsS0ST2vtV1Y/f7Y0i20q7jAxslDxUt8MT94Z+WunZ7OgZn+3DVCSVkwtc3VqLT/gcATaA3KgbHTsiEFQ=,iv:PSkQC6oIlKAkwyVrwHJBLNVnhGVkSkVhtOyoV0FwPdY=,tag:bszELdBw3HnK9g5rPaocMQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/nixos/lib/default.nix
+++ b/nixos/lib/default.nix
@ -1,10 +1,20 @@
-{ lib, ... }:
+{lib, ...}:
 with lib; rec {
  firstOrDefault = first: default:
    if first != null
    then first
    else default;
  existsOrDefault = x: set: default:
    if builtins.hasAttr x set
    then builtins.getAttr x set
    else default;
-with lib;
+  # Create custom package set
-rec {
+  mkMyPkgs = pkgs: {
-
+    borgmatic = pkgs.callPackage ../../nixos/packages/borgmatic {};
-  firstOrDefault = first: default: if first != null then first else default;
+    mods = pkgs.callPackage ../../nixos/packages/charm-mods {};
-  existsOrDefault = x: set: default: if builtins.hasAttr x set then builtins.getAttr x set else default;
+    # modrinth-app-unwrapped = pkgs.callPackage ../../nixos/packages/modrinth {};
  };
  # main service builder
  mkService = options: (
@ -12,32 +22,50 @@ rec {
      user = existsOrDefault "user" options "568";
      group = existsOrDefault "group" options "568";
-      enableBackups = (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
+      # enableBackups =
-        && (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
+      #   (lib.attrsets.hasAttrByPath ["persistence" "folder"] options)
      #   && (lib.attrsets.attrByPath ["persistence" "enable"] true options);
      # Security options for containers
-      containerExtraOptions = lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ]
+      containerExtraOptions =
-        ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ]
+        lib.optionals (lib.attrsets.attrByPath ["container" "caps" "privileged"] false options) [
-        ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs=${folders}") tmpfsFolders) ]
+          "--privileged"
-        ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ]
+        ]
-        ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ]
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "readOnly"] false options) [
-      ;
+          "--read-only"
-    in
+        ]
-    {
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "tmpfs"] false options) [
          (map (folders: "--tmpfs=${folders}") tmpfsFolders)
        ]
        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "noNewPrivileges"] false options) [
          "--security-opt=no-new-privileges"
        ]
        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "dropAll"] false options) [
          "--cap-drop=ALL"
        ];
    in {
      virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
        image = "${options.container.image}";
        user = "${user}:${group}";
-        environment = {
+        environment =
-          TZ = options.timeZone;
+          {
-        } // options.container.env;
+            TZ = options.timeZone;
-        environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
+          }
-        volumes = [ "/etc/localtime:/etc/localtime:ro" ] ++
+          // options.container.env;
-          lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
+        environmentFiles = lib.attrsets.attrByPath ["container" "envFiles"] [] options;
        volumes =
          ["/etc/localtime:/etc/localtime:ro"]
          ++ lib.optionals (lib.attrsets.hasAttrByPath ["container" "persistentFolderMount"] options) [
            "${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
-          ] ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
+          ]
          ++ lib.attrsets.attrByPath ["container" "volumes"] [] options;
        extraOptions = containerExtraOptions;
      };
-      systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
+      systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [
          "persistence"
          "folder"
        ]
        options) ["d ${options.persistence.folder} 0750 ${user} ${group} -"];
    }
  );
 }
--- a/nixos/modules/nixos/containers/backrest/default.nix
+++ b/nixos/modules/nixos/containers/backrest/default.nix
@ -1,56 +0,0 @@
 { lib, config, ... }:
 with lib;
 let
  app = "backrest";
  image = "garethgeorge/backrest:v1.1.0";
  user = "568"; #string
  group = "568"; #string
  port = 9898; #int
  cfg = config.mySystem.services.${app};
  appFolder = "/var/lib/${app}";
  # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
 in
 {
  options.mySystem.services.${app} =
    {
      enable = mkEnableOption "${app}";
      addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
    };
  config = mkIf cfg.enable {
    # ensure folder exist and has correct owner/group
    systemd.tmpfiles.rules = [
      "d ${appFolder}/config 0750 ${user} ${group} -"
      "d ${appFolder}/data 0750 ${user} ${group} -"
      "d ${appFolder}/cache 0750 ${user} ${group} -"
    ];
    virtualisation.oci-containers.containers.${app} = {
      image = "${image}";
      user = "${user}:${group}";
      environment = {
        BACKREST_PORT = "9898";
        BACKREST_DATA = "/data";
        BACKREST_CONFIG = "/config/config.json";
        XDG_CACHE_HOME = "/cache";
      };
      volumes = [
        "${appFolder}/nixos/config:/config:rw"
        "${appFolder}/nixos/data:/data:rw"
        "${appFolder}/nixos/cache:/cache:rw"
        "${config.mySystem.nasFolder}/backup/nixos/nixos:/repos:rw"
        "/etc/localtime:/etc/localtime:ro"
      ];
    };
    services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
      useACMEHost = config.networking.domain;
      forceSSL = true;
      locations."^~ /" = {
        proxyPass = "http://${app}:${builtins.toString port}";
        extraConfig = "resolver 10.88.0.1;";
      };
    };
  };
 }
--- a/nixos/modules/nixos/containers/default.nix
+++ b/nixos/modules/nixos/containers/default.nix
@ -1,7 +1,10 @@
 {
  imports = [
-    ./backrest
+    ./jellyfin
-    ./lego-auto
+    ./jellyseerr
-    ./unifi
+    ./ollama
    ./plex
    ./scrutiny
    ./scrypted
  ];
 }
--- a/nixos/modules/nixos/containers/jellyfin/default.nix
+++ b/nixos/modules/nixos/containers/jellyfin/default.nix
@ -0,0 +1,136 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "jellyfin";
  cfg = config.mySystem.containers.${app};
  group = "kah";
  image = "ghcr.io/jellyfin/jellyfin:${version}";
  user = "kah";
  # renovate: depName=ghcr.io/jellyfin/jellyfin datasource=docker
  version = "10.10.6";
  volumeLocation = "/nahar/containers/volumes/jellyfin";
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # Systemd service for container
    systemd.services.${app} = {
      description = "Jellyfin Media Server";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "jellyfin-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
          ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --user="${toString config.users.users."${user}".uid}:${
            toString config.users.groups."${group}".gid
          }" \
            --device='nvidia.com/gpu=all' \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --volume="${volumeLocation}:/config:rw" \
            --volume="/moria/media:/media:rw" \
            --volume="tmpfs:/cache:rw" \
            --volume="tmpfs:/transcode:rw" \
            --volume="tmpfs:/tmp:rw" \
            --env=TZ=America/Chicago \
            --env=DOTNET_SYSTEM_IO_DISABLEFILELOCKING=true \
            --env=JELLYFIN_FFmpeg__probesize=50000000 \
            --env=JELLYFIN_FFmpeg__analyzeduration=50000000 \
            --env=JELLYFIN_PublishedServerUrl=http://10.1.1.61:8096 \
            -p 8096:8096 \
            -p 8920:8920 \
            -p 1900:1900/udp \
            -p 7359:7359/udp \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    # Firewall
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        8096 # HTTP web interface
        8920 # HTTPS web interface
      ];
      allowedUDPPorts = [
        1900 # DLNA discovery
        7359 # Jellyfin auto-discovery
      ];
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
    #   forceSSL = true;
    #   locations."^~ /" = {
    #     proxyPass = "http://${app}:${builtins.toString port}";
    #     extraConfig = "resolver 10.88.0.1;";
    #   };
    # };
    ## TODO add to homepage
    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
    #   {
    #     Plex = {
    #       icon = "${app}.svg";
    #       href = "https://${app}.${config.mySystem.domain}";
    #       description = "Media streaming service";
    #       container = "${app}";
    #       widget = {
    #         type = "tautulli";
    #         url = "https://tautulli.${config.mySystem.domain}";
    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
    #       };
    #     };
    #   }
    # ];
    # TODO add gatus monitor
    # mySystem.services.gatus.monitors = [
    #   {
    #     name = app;
    #     group = "media";
    #     url = "https://${app}.${config.mySystem.domain}/web/";
    #     interval = "1m";
    #     conditions = [
    #       "[CONNECTED] == true"
    #       "[STATUS] == 200"
    #       "[RESPONSE_TIME] < 50"
    #     ];
    #   }
    # ];
  };
 }
--- a/nixos/modules/nixos/containers/jellyfin/secrets.sops.yaml
+++ b/nixos/modules/nixos/containers/jellyfin/secrets.sops.yaml
@ -0,0 +1,61 @@
 restic:
    jellyfin:
        env: ENC[AES256_GCM,data:aau+5TFpye6u/e6Xnlg=,iv:ooDueH38Xukvvh+XORfW4giR+TaeVZEwK+EQnxFMKE8=,tag:u5JaeiGFi4e7gk3Bb1JLsw==,type:str]
        password: ENC[AES256_GCM,data:0tkviPFQsP9wAVcbxspwOdN7eT352pibr/gjSoVmmL77xw==,iv:H2R8HofrrUkTqPuGDkt4xkOhvi16/kdT2/GjvSY5HQg=,tag:atT5aBQgmxBeUsMd5IYXIQ==,type:str]
        template: ENC[AES256_GCM,data:9P8G2rwOTMAj0PkHVGEouSLd9h2FrUxakYWQa4BMt6LiHxgwzlAVe9QSJFOr1di+HmfK+3Y2dG27pz/WW1J5OArD,iv:smq5UTpzJJ2GlfCkwjA0q4jl3XJo0M8KhBecXIqipx0=,tag:RA0UpqoBSLgwlHK5Lz9VEA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZ0hkNVA5TXN4UmpZdG1z
            dGEwUExxcnc4M01TV2hYTHprRTBDek1iMmpFCjhOT01lblB2aVpuRVZXZEJxeGJY
            cGNqWEVUMmlmVzlScng3TCtqSkxUL3MKLS0tIG9wWlVIYnRjOU1ZZ0pEdTFWWE4x
            SFh5Tzc5SytvU0ZYbENDT2E4Y1doNHMKT5qjHInpLf8qEc+6FRM2hpQcbOJPFR15
            65UbBv00T6K8s8/ltNzwDUtjufIbtyOXjY+QrPGVm1lhFOXRYEBLWw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSDJNYnd6NTFOaXJ0QUpU
            M1BCeHo0QmczQXN2ZEc1cXhsbTVaZzlkNDBFCjcwVnhvaC9KRjVzRjVTY3E0Q0RR
            QUxRRGdPcEkxWmVPVVNxcXFBNVFDWW8KLS0tIGFBUlh1ZVJvd1dXc2NEM25sd0Fa
            YWwyUS9LZnJyMEY4VzB0czFoWURSZEUKBg5zxFww39sHfH78p9WnkIcXyvq6VyIQ
            f1/zFRkuM8X3iuqOpNjjqThey1HKkvTzH18st5YLciDC6SV299JqZQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dStpS3Uyb21NWFBJa2hV
            VTJnSk9iV1ZMNkZnc3JId3hhbE1sSk5LSzJVCnZSeUJBTjNGVkhTYkpGZGZudDUz
            RXc2VFVJNkM3bGpGMUlxc0s1Q2J4Mk0KLS0tIFFsMkdOWnQzeFlmYStaWWlYSHEz
            SUdtQTc5OVB5eklpVWFxRTNBUFhsVXcKX5xNh9jnOllbRaMyzjh/70ohLcO8BeU5
            hTWmdnTgclbVaFBOPTPY6CCXNnBuvqjdi+ok9QULDE9cvtLUpstbWQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaTlQaWt5QTFHVE9yS3lH
            MVd5RmI2TVZaVGpodEFvOUhDLzg2Qjl3dDE0CllGWHhGTExVbDJydlhMclQ3RFBz
            V2V1a3NTMG80Ykt2eHUwUW9aMXFMYzgKLS0tIHpJeFR3ZEJxWkg5Y2RQR0NUNUND
            RERQbjlZNDJEUWVTd3d6YytVbUt5TzgKksgSnaMHY/wBVZyXBgrxsfxZABNDyuA3
            8kgYBqd8p3g0OyW5h2UzDh7F7oweHhbljdL4CNlGDJ713ZlBggfsaQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYY0VXRm5SRTZYQ0JWK3JM
            TW9POGhRVGZ2b0t4SGVEaUczaFBlaDlsc2p3CkhEb2JBTnNFdzl0RHM3aW5jaHFN
            dzl6ellHY2prNk1xeUUwMVE4WVdiYmMKLS0tIDM4YVdMeFpyb0kzRmdLUXduWXdI
            KyswMHA3VDNkV1g1bEhhcUlNdHlFVW8K8fuwy7OtIoybFpaBBsZlxO40XUhDaxDR
            W9xy0wVJplCNWDDN0Ff93hEXaYVcF/B3V3EdouzAbdycVTrtXhiO2g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-09T06:33:40Z"
    mac: ENC[AES256_GCM,data:MZx07lkc3i1nJicWlUofCr4gq05g/BYGx3949DSILeAWegrsTQXh8zqBWpultONgABPdYgIb/JwJClMmKQ+p37u+6aTklwZfW+su3tOYwknkPogHSxTFaLW0Yxzy4CvM2VNiFDNuvZT8LjCminBKpjJebYq+HCjNQn6Y9/dPyXI=,iv:LXwamgr7uE0dfKoRJC9IGvzZ+HmRXw8cdVoXG2DuuxM=,tag:tsJo/PFZLGcEoa02nXNbXg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/nixos/modules/nixos/containers/jellyseerr/default.nix
+++ b/nixos/modules/nixos/containers/jellyseerr/default.nix
@ -0,0 +1,86 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "jellyseerr";
  cfg = config.mySystem.containers.${app};
  group = "kah";
  image = "ghcr.io/fallenbagel/jellyseerr:${version}";
  user = "jellyseerr";
  # renovate: depName=ghcr.io/fallenbagel/jellyseerr datasource=docker
  version = "2.5.0";
  volumeLocation = "/nahar/containers/volumes/jellyseerr";
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # User configuration
    users = mkIf (user == "jellyseerr") {
      users.jellyseerr = {
        inherit group;
        isSystemUser = true;
      };
    };
    # Systemd service for container
    systemd.services.${app} = {
      description = "Jellyseerr media request and discovery manager for Jellyfin";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "jellyseerr-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
          ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --user="${toString config.users.users."${user}".uid}:${
            toString config.users.groups."${group}".gid
          }" \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --volume="${volumeLocation}:/app/config:rw" \
            --volume="/moria/media:/media:rw" \
            --volume="tmpfs:/cache:rw" \
            --volume="tmpfs:/transcode:rw" \
            --volume="tmpfs:/tmp:rw" \
            --env=TZ=America/Chicago \
            -p 5055:5055 \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    # Firewall
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        5055 # HTTP web interface
      ];
    };
  };
 }
--- a/nixos/modules/nixos/containers/ollama/default.nix
+++ b/nixos/modules/nixos/containers/ollama/default.nix
@ -0,0 +1,135 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "ollama";
  # renovate: depName=docker.io/ollama/ollama datasource=docker
  version = "0.6.1";
  image = "docker.io/ollama/ollama:${version}";
  cfg = config.mySystem.containers.${app};
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    # TODO add to homepage
    # addToHomepage = mkEnableOption "Add ${app} to homepage" // {
    #   default = true;
    # };
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # Systemd service for container
    systemd.services.${app} = {
      description = "Ollama";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "ollama-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
           ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --user=568:568 \
            --device='nvidia.com/gpu=all' \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --volume="/nahar/containers/volumes/ollama:/.ollama:rw" \
            --volume="/nahar/ollama/models:/models:rw" \
            --volume="tmpfs:/cache:rw" \
            --volume="tmpfs:/tmp:rw" \
            --env=TZ=America/Chicago \
            --env=OLLAMA_HOST=0.0.0.0 \
            --env=OLLAMA_ORIGINS=* \
            --env=OLLAMA_MODELS=/models \
            --env=OLLAMA_KEEP_ALIVE=24h \
            -p 11434:11434 \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    # Firewall
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        11434 # HTTP web interface
      ];
      allowedUDPPorts = [];
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
    #   forceSSL = true;
    #   locations."^~ /" = {
    #     proxyPass = "http://${app}:${builtins.toString port}";
    #     extraConfig = "resolver 10.88.0.1;";
    #   };
    # };
    ## TODO add to homepage
    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
    #   {
    #     Plex = {
    #       icon = "${app}.svg";
    #       href = "https://${app}.${config.mySystem.domain}";
    #       description = "Media streaming service";
    #       container = "${app}";
    #       widget = {
    #         type = "tautulli";
    #         url = "https://tautulli.${config.mySystem.domain}";
    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
    #       };
    #     };
    #   }
    # ];
    # TODO add gatus monitor
    # mySystem.services.gatus.monitors = [
    #   {
    #     name = app;
    #     group = "media";
    #     url = "https://${app}.${config.mySystem.domain}/web/";
    #     interval = "1m";
    #     conditions = [
    #       "[CONNECTED] == true"
    #       "[STATUS] == 200"
    #       "[RESPONSE_TIME] < 50"
    #     ];
    #   }
    # ];
    # TODO add restic backup
    # services.restic.backups = config.lib.mySystem.mkRestic {
    #   inherit app user;
    #   excludePaths = [ "Backups" ];
    #   paths = [ appFolder ];
    #   inherit appFolder;
    # };
  };
 }
--- a/nixos/modules/nixos/containers/plex/default.nix
+++ b/nixos/modules/nixos/containers/plex/default.nix
@ -0,0 +1,127 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "plex";
  cfg = config.mySystem.containers.${app};
  group = "kah";
  image = "ghcr.io/onedr0p/plex:${version}";
  user = "kah";
  # renovate: depName=ghcr.io/onedr0p/plex datasource=docker versioning=loose
  version = "1.41.5.9522-a96edc606";
  volumeLocation = "/nahar/containers/volumes/plex";
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # Systemd service for container
    systemd.services.${app} = {
      description = "Plex Media Server";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "plex-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
          ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --device='nvidia.com/gpu=all' \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --user="${toString config.users.users."${user}".uid}:${
            toString config.users.groups."${group}".gid
          }" \
            --volume="${volumeLocation}:/config:rw" \
            --volume="/moria/media:/media:rw" \
            --volume="tmpfs:/config/Library/Application Support/Plex Media Server/Logs:rw" \
            --volume="tmpfs:/tmp:rw" \
            --volume="tmpfs:/transcode:rw" \
            --env=TZ=America/Chicago \
            --env=PLEX_ADVERTISE_URL=https://10.1.1.61:32400 \
            --env=PLEX_NO_AUTH_NETWORKS=10.1.1.0/24 \
            # nvidia-container-runtime mounts the nvidia libraries here.
            --env=LD_LIBRARY_PATH=/usr/local/nvidia/lib:/usr/local/nvidia/lib64 \
            -p 32400:32400 \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        32400 # Primary Plex port
      ];
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
    #   forceSSL = true;
    #   locations."^~ /" = {
    #     proxyPass = "http://${app}:${builtins.toString port}";
    #     extraConfig = "resolver 10.88.0.1;";
    #   };
    # };
    ## TODO add to homepage
    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
    #   {
    #     Plex = {
    #       icon = "${app}.svg";
    #       href = "https://${app}.${config.mySystem.domain}";
    #       description = "Media streaming service";
    #       container = "${app}";
    #       widget = {
    #         type = "tautulli";
    #         url = "https://tautulli.${config.mySystem.domain}";
    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
    #       };
    #     };
    #   }
    # ];
    # TODO add gatus monitor
    # mySystem.services.gatus.monitors = [
    #   {
    #     name = app;
    #     group = "media";
    #     url = "https://${app}.${config.mySystem.domain}/web/";
    #     interval = "1m";
    #     conditions = [
    #       "[CONNECTED] == true"
    #       "[STATUS] == 200"
    #       "[RESPONSE_TIME] < 50"
    #     ];
    #   }
    # ];
  };
 }
--- a/nixos/modules/nixos/containers/scrutiny/default.nix
+++ b/nixos/modules/nixos/containers/scrutiny/default.nix
@ -0,0 +1,93 @@
 {
  lib,
  config,
  ...
 }:
 with lib; let
  app = "scrutiny";
  # renovate: depName=AnalogJ/scrutiny datasource=github-releases
  version = "v0.8.1";
  cfg = config.mySystem.services.${app};
 in {
  options.mySystem.services.${app} = {
    enable = mkEnableOption "${app}";
    # Port to expose the web ui on.
    port = mkOption {
      type = types.int;
      default = 8080;
      description = ''
        Port to expose the web ui on.
      '';
      example = 8080;
    };
    # Location where the container will store its data.
    containerVolumeLocation = mkOption {
      type = types.str;
      default = "/mnt/data/containers/${app}";
      description = ''
        The location where the container will store its data.
      '';
      example = "/mnt/data/containers/${app}";
    };
    # podman equivalent:
    # --device /dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
    devices = mkOption {
      type = types.listOf types.str;
      default = [];
      description = ''
        Devices to monitor on Scrutiny.
      '';
      example = [
        "/dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      ];
    };
    # podman equivalent:
    # --cap-add SYS_RAWIO
    extraCapabilities = mkOption {
      type = types.listOf types.str;
      default = [
        "SYS_RAWIO"
      ];
      description = ''
        Extra capabilities to add to the container.
      '';
      example = [
        "SYS_RAWIO"
      ];
    };
  };
  config = mkIf cfg.enable {
    # TODO: Add automatic restarting of the container when disks.nix changes.
    # - https://github.com/nix-community/home-manager/issues/3865#issuecomment-1631998032
    # - https://github.com/NixOS/nixpkgs/blob/6f6c45b5134a8ee2e465164811e451dcb5ad86e3/nixos/modules/virtualisation/oci-containers.nix
    virtualisation.oci-containers.containers.${app} = {
      image = "ghcr.io/analogj/scrutiny:${version}-omnibus";
      autoStart = true;
      ports = [
        "${toString cfg.port}:8080" # web ui
        "8086:8086" # influxdb2
      ];
      environment = {
        TZ = "America/Chicago";
      };
      volumes = [
        "${cfg.containerVolumeLocation}:/opt/scrutiny/config"
        "${cfg.containerVolumeLocation}/influxdb2:/opt/scrutiny/influxdb"
        "/run/udev:/run/udev:ro"
      ];
      # Merge the devices and extraCapabilities into the extraOptions property
      # using the --device and --cap-add flags
      extraOptions =
        (map (disk: "--device=${toString disk}") cfg.devices)
        ++ (map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
    };
  };
 }
--- a/nixos/modules/nixos/containers/scrypted/default.nix
+++ b/nixos/modules/nixos/containers/scrypted/default.nix
@ -0,0 +1,139 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "scrypted";
  # renovate: depName=ghcr.io/koush/scrypted datasource=docker versioning=docker
  version = "v0.138.15-noble-nvidia";
  image = "ghcr.io/koush/scrypted:${version}";
  cfg = config.mySystem.containers.${app};
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    # TODO add to homepage
    # addToHomepage = mkEnableOption "Add ${app} to homepage" // {
    #   default = true;
    # };
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # Systemd service for container
    systemd.services.${app} = {
      description = "Scrypted Home Security";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "scrypted-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
          ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --device=/dev/bus/usb \
            --device='nvidia.com/gpu=all' \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --volume="/nahar/containers/volumes/scrypted:/server/volume:rw" \
            --volume="/nahar/scrypted/:/recordings:rw" \
            --volume="tmpfs:/.cache:rw" \
            --volume="tmpfs:/.npm:rw" \
            --volume="tmpfs:/tmp:rw" \
            --env=TZ=America/Chicago \
            --env=LD_LIBRARY_PATH=/usr/local/nvidia/lib:/usr/local/nvidia/lib64 \
            --network=host \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    # Firewall
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        11080 # Main Scrypted interface
        10443 # HTTPS interface
        8554 # RTSP server
        33961 # Homekit
      ];
      allowedUDPPorts = [
        10443 # HTTPS interface
        8554 # RTSP server
      ];
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
    #   forceSSL = true;
    #   locations."^~ /" = {
    #     proxyPass = "http://${app}:${builtins.toString port}";
    #     extraConfig = "resolver 10.88.0.1;";
    #   };
    # };
    ## TODO add to homepage
    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
    #   {
    #     Plex = {
    #       icon = "${app}.svg";
    #       href = "https://${app}.${config.mySystem.domain}";
    #       description = "Media streaming service";
    #       container = "${app}";
    #       widget = {
    #         type = "tautulli";
    #         url = "https://tautulli.${config.mySystem.domain}";
    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
    #       };
    #     };
    #   }
    # ];
    # TODO add gatus monitor
    # mySystem.services.gatus.monitors = [
    #   {
    #     name = app;
    #     group = "media";
    #     url = "https://${app}.${config.mySystem.domain}/web/";
    #     interval = "1m";
    #     conditions = [
    #       "[CONNECTED] == true"
    #       "[STATUS] == 200"
    #       "[RESPONSE_TIME] < 50"
    #     ];
    #   }
    # ];
    # TODO add restic backup
    # services.restic.backups = config.lib.mySystem.mkRestic {
    #   inherit app user;
    #   excludePaths = [ "Backups" ];
    #   paths = [ appFolder ];
    #   inherit appFolder;
    # };
  };
 }
--- a/nixos/modules/nixos/containers/unifi/default.nix
+++ b/nixos/modules/nixos/containers/unifi/default.nix
@ -1,46 +0,0 @@
 { lib, config, ... }:
 with lib;
 let
  app = "unifi";
  image = "ghcr.io/goofball222/unifi:8.2.93";
  user = "999"; #string
  group = "102"; #string
  port = 9898; #int
  cfg = config.mySystem.services.${app};
  appFolder = "/eru/containers/volumes/${app}";
  # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
 in
 {
  options.mySystem.services.${app} = {
    enable = mkEnableOption "${app}";
  };
  config = mkIf cfg.enable {
    networking.firewall.interfaces.podman0 = {
      allowedTCPPorts = [ 8080 8443 8880 8843 ];
      allowedUDPPorts = [ 3478 ];
    };
    virtualisation.oci-containers.containers.${app} = {
      image = "${image}";
      autoStart = true;
      ports = [
        "3478:3478/udp" # STUN
        "8080:8080" # inform controller
        "8443:8443" # https
        "8880:8880" # HTTP portal redirect
        "8843:8843" # HTTPS portal redirect
      ];
      environment = {
        TZ = "America/Chicago";
        RUNAS_UID0 = "false";
        PGID = "102";
        PUID = "999";
      };
      volumes = [
        "${appFolder}/cert:/usr/lib/unifi/cert"
        "${appFolder}/data:/usr/lib/unifi/data"
        "${appFolder}/logs:/usr/lib/unifi/logs"
      ];
    };
  };
 }
--- a/nixos/modules/nixos/de/default.nix
+++ b/nixos/modules/nixos/de/default.nix
@ -1,5 +1,7 @@
 {
  imports = [
    ./gnome.nix
    ./hyprland.nix
    ./kde.nix
  ];
 }
--- a/nixos/modules/nixos/de/gnome.nix
+++ b/nixos/modules/nixos/de/gnome.nix
@ -1,18 +1,34 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.mySystem.de.gnome;
 in
 {
-  options.mySystem.de.gnome.enable = mkEnableOption "GNOME";
+  lib,
-  options.mySystem.de.gnome.systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
+  config,
-  options.mySystem.de.gnome.gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
+  pkgs,
-
+  ...
-  config = mkIf cfg.enable {
+}: let
  cfg = config.mySystem.de.gnome;
 in {
  options = {
    mySystem.de.gnome = {
      enable =
        lib.mkEnableOption "GNOME"
        // {
          default = false;
        };
      systrayicons =
        lib.mkEnableOption "Enable systray icons"
        // {
          default = true;
        };
      gsconnect =
        lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)"
        // {
          default = true;
        };
    };
  };
  config = lib.mkIf cfg.enable {
    # Ref: https://nixos.wiki/wiki/GNOME
    # GNOME plz
    services = {
      displayManager = {
        defaultSession = "gnome";
@ -35,41 +51,40 @@ in
        };
      };
-      udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
+      udev.packages = lib.optionals cfg.systrayicons [pkgs.gnome.gnome-settings-daemon]; # support appindicator
    };
    # systyray icons
    # extra pkgs and extensions
    environment = {
-      systemPackages = with pkgs; [
+      systemPackages = with pkgs;
-        wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
+        [
-        playerctl # gsconnect play/pause command
+          wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
-        pamixer # gcsconnect volume control
+          playerctl # gsconnect play/pause command
-        gnome.gnome-tweaks
+          pamixer # gcsconnect volume control
-        gnome.dconf-editor
+          gnome.gnome-tweaks
          gnome.dconf-editor
-        # This installs the extension packages, but
+          # This installs the extension packages, but
-        # dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
+          # dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
-        gnomeExtensions.vitals
+          gnomeExtensions.vitals
-        gnomeExtensions.caffeine
+          gnomeExtensions.caffeine
-        gnomeExtensions.dash-to-dock
+          gnomeExtensions.dash-to-dock
-      ]
+        ]
-      ++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
+        ++ optionals cfg.systrayicons [pkgs.gnomeExtensions.appindicator];
    };
    # enable gsconnect
    # this method also opens the firewall ports required when enable = true
-    programs.kdeconnect = mkIf
+    programs.kdeconnect = lib.mkIf cfg.gsconnect {
-      cfg.gsconnect
+      enable = true;
-      {
+      package = pkgs.gnomeExtensions.gsconnect;
-        enable = true;
+    };
        package = pkgs.gnomeExtensions.gsconnect;
      };
    # GNOME connection to browsers - requires flag on browser as well
-    services.gnome.gnome-browser-connector.enable = lib.any
+    services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) (
-      (user: user.programs.firefox.enable)
+      lib.attrValues config.home-manager.users
-      (lib.attrValues config.home-manager.users);
+    );
    # And dconf
    programs.dconf.enable = true;
@ -96,6 +111,4 @@ in
        atomix # puzzle game
      ]);
  };
 }
--- a/nixos/modules/nixos/de/hyprland.nix
+++ b/nixos/modules/nixos/de/hyprland.nix
@ -0,0 +1,146 @@
 {
  lib,
  config,
  pkgs,
  inputs,
  ...
 }: let
  cfg = config.mySystem.de.hyprland;
  hypr-pkgs = inputs.hyprland.inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
 in {
  options = {
    mySystem.de.hyprland = {
      enable =
        lib.mkEnableOption "Hyprland"
        // {
          default = false;
        };
    };
  };
  config = lib.mkIf cfg.enable {
    # We need all hyprland packages to follow the same MESA version
    hardware = {
      graphics = {
        package = hypr-pkgs.mesa.drivers;
      };
    };
    # Hyprland nixpkgs system packages
    environment.systemPackages = with pkgs; [
      # Hyprland
      cava # Audio visualizer
      cliphist # Clipboard history
      duf # du tui - Disk Usage
      greetd.tuigreet # TUI login manager
      grim # Screenshot tool
      hypridle # Hyprland idle daemon
      inputs.ags.packages.${pkgs.stdenv.hostPlatform.system}.ags # AGS
      inxi # System information tool
      libva-utils # to view graphics capabilities
      loupe # Screenshot tool
      nvtopPackages.full # Video card monitoring
      nwg-displays # Display manager for Hyprland
      nwg-look # GTK settings editor, designed for Wayland.
      pamixer # Volume control
      pyprland # Python bindings for Hyprland
      rofi-wayland # Window switcher and run dialog
      slurp # Select a region in Wayland
      swappy # Snapshot editor, designed for Wayland.
      swaynotificationcenter
      swww # Wallpaper daemon for wayland
      wallust # Generate and change colors schemes on the fly.
      waybar # Wayland top bar
      wl-clipboard # Pipe to and from the clipboard
      wlogout
      wlr-randr # Wayland screen management
      wofi # Rofi for Wayland
      yad # Display dialog boxes from shell scripts
      (mpv.override {scripts = [mpvScripts.mpris];})
      # XDG things
      xdg-user-dirs
      xdg-utils
      # GTK things
      gnome-system-monitor
      bc
      baobab
      glib
      # Qt things
      gsettings-qt
      libsForQt5.qtstyleplugin-kvantum # Kvantum theme engine
      # bar
      libappindicator
      libnotify
      busybox
    ];
    # Enabling Hyprlock to unlock the system
    security = {
      pam.services.hyprlock = {};
      polkit.enable = true;
    };
    # Hyprland nixpkgs program modules
    programs = {
      # Hyprland DE
      hyprland = {
        enable = true;
        package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
        portalPackage =
          inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
        withUWSM = true;
      };
      dconf.enable = true;
      seahorse.enable = true;
      ssh = {
        enableAskPassword = true;
        askPassword = "${pkgs.seahorse}/libexec/seahorse/ssh-askpass";
      };
      fuse.userAllowOther = true;
      ## Additional programs for the overall Hyprland experience
      hyprlock = {
        enable = true;
        package = inputs.hyprlock.packages.${pkgs.stdenv.hostPlatform.system}.hyprlock;
      };
      nm-applet.indicator = true; # Compatability; Application indicator for NetworkManager
      thunar.enable = true;
      thunar.plugins = with pkgs.xfce; [
        exo
        mousepad
        thunar-archive-plugin
        thunar-volman
        tumbler
      ];
      gnupg.agent = {
        enable = true;
        enableSSHSupport = true;
      };
    };
    # Hyprland nixpkgs service modules
    services = {
      greetd = {
        enable = true;
        vt = 3;
        settings = {
          default_session = {
            user = "jahanson";
            command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd='uwsm start select'"; # start Hyprland with a TUI login manager
          };
        };
      };
      gnome.gnome-keyring.enable = true;
    };
    # Fonts
    fonts.packages = with pkgs; [
      fira-code
      font-awesome
      jetbrains-mono
      noto-fonts
      noto-fonts-cjk-sans
      terminus_font
      victor-mono
      unstable.nerd-fonts.jetbrains-mono
      unstable.nerd-fonts.fira-code
      unstable.nerd-fonts.fantasque-sans-mono
    ];
  };
 }
--- a/Show more
+++ b/Show more