update firewall, add wlr-xrandr

update arrs
Merge pull request 'Update ghcr.io/koush/scrypted Docker tag to v0.138.0' (#73 ) from renovate/ghcr.io-koush-scrypted-0.x into main
2025-02-15 18:24:14 -06:00 · 2025-02-15 18:23:11 -06:00 · 2025-02-14 12:03:25 -06:00 · 2025-02-14 12:03:09 -06:00 · 2025-02-14 12:02:54 -06:00 · 2025-02-14 08:03:05 +00:00
203 changed files with 10195 additions and 2712 deletions
--- a/.archive/flake.nix
+++ b/.archive/flake.nix
@ -0,0 +1,36 @@
 {
  "durincore" = mkNixosConfig {
    # T470 Thinkpad Intel i7-6600U
    # Backup Nix dev laptop
    hostname = "durincore";
    system = "x86_64-linux";
    hardwareModules = [
      ./nixos/profiles/hw-thinkpad-t470.nix
      inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
    ];
    profileModules = [
      ./nixos/profiles/role-workstation.nix
      ./nixos/profiles/role-dev.nix
      { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
    ];
  };
  "legiondary" = mkNixosConfig {
    # Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
    # Nix dev/gaming laptop
    hostname = "legiondary";
    system = "x86_64-linux";
    hardwareModules = [
      inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
      ./nixos/profiles/hw-legion-15arh05h.nix
      disko.nixosModules.disko
      (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
    ];
    profileModules = [
      ./nixos/profiles/role-dev.nix
      ./nixos/profiles/role-gaming.nix
      ./nixos/profiles/role-workstation.nix
      { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
    ];
  };
 }
--- a/.archive/home/modules/programs/de/default.nix
+++ b/.archive/home/modules/programs/de/default.nix
@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
 {
  imports = [
    ./gnome
  ];
--- a/.archive/home/modules/programs/de/gnome/default.nix
+++ b/.archive/home/modules/programs/de/gnome/default.nix
@ -0,0 +1,84 @@
 # Adjusted manually from generated output of dconf2nix
 # https://github.com/gvolpe/dconf2nix
 {
  lib,
  pkgs,
  osConfig,
  ...
 }:
 with lib.hm.gvariant;
 {
  config = lib.mkIf osConfig.mySystem.de.gnome.enable {
    # add user packages
    home.packages = with pkgs; [
      dconf2nix
    ];
    # worked out from dconf2nix
    # `dconf dump / | dconf2nix > dconf.nix`
    # can also dconf watch
    dconf.settings = {
      "org/gnome/mutter" = {
        edge-tiling = true;
        workspaces-only-on-primary = false;
      };
      "org/gnome/settings-daemon/plugins/media-keys" = {
        home = [ "<Super>e" ];
      };
      "org/gnome/desktop/wm/preferences" = {
        workspace-names = [
          "sys"
          "talk"
          "web"
          "edit"
          "run"
        ];
        button-layout = "appmenu:minimize,close";
      };
      "org/gnome/shell" = {
        disabled-extensions = [
          "apps-menu@gnome-shell-extensions.gcampax.github.com"
          "light-style@gnome-shell-extensions.gcampax.github.com"
          "places-menu@gnome-shell-extensions.gcampax.github.com"
          "drive-menu@gnome-shell-extensions.gcampax.github.com"
          "window-list@gnome-shell-extensions.gcampax.github.com"
          "workspace-indicator@gnome-shell-extensions.gcampax.github.com"
        ];
        enabled-extensions = [
          "appindicatorsupport@rgcjonas.gmail.com"
          "caffeine@patapon.info"
          "dash-to-dock@micxgx.gmail.com"
          "gsconnect@andyholmes.github.io"
          "Vitals@CoreCoding.com"
          "sp-tray@sp-tray.esenliyim.github.com"
        ];
        favorite-apps = [
          "com.mitchellh.ghostty.desktop"
          "vivaldi-stable.desktop"
          "obsidian.desktop"
          "code.desktop"
          "vesktop.desktop"
        ];
      };
      "org/gnome/nautilus/preferences" = {
        default-folder-viewer = "list-view";
      };
      "org/gnome/nautilus/icon-view" = {
        default-zoom-level = "small";
      };
      "org/gnome/desktop/interface" = {
        color-scheme = "prefer-dark";
      };
      "org/gnome/desktop/peripherals/touchpad" = {
        tap-to-click = false;
      };
      "org/gnome/desktop/interface" = {
        clock-format = "12h";
        show-battery-percentage = true;
      };
      "org/gnome/settings-daemon/plugins/power" = {
        ambient-enabled = false;
      };
    };
  };
 }
--- a/.archive/hosts/durincore/default.nix
+++ b/.archive/hosts/durincore/default.nix
@ -0,0 +1,53 @@
 { ... }:
 {
  config = {
    networking.hostId = "ad4380db";
    networking.hostName = "durincore";
    # Kernel mods
    boot = {
      initrd = {
        availableKernelModules = [
          "xhci_pci"
          "nvme"
          "usb_storage"
          "sd_mod"
        ];
        kernelModules = [ ];
      };
      kernelModules = [ "kvm-intel" ];
      extraModulePackages = [ ];
    };
    fileSystems = {
      "/" = {
        device = "rpool/root";
        fsType = "zfs";
      };
      "/home" = {
        device = "rpool/home";
        fsType = "zfs";
      };
      "/boot" = {
        device = "/dev/disk/by-uuid/F1B9-CA7C";
        fsType = "vfat";
        options = [
          "fmask=0077"
          "dmask=0077"
        ];
      };
    };
    swapDevices = [ ];
    # System settings and services.
    mySystem = {
      system.motd.networkInterfaces = [
        "enp0s31f6"
        "wlp4s0"
      ];
    };
  };
 }
--- a/.archive/hosts/gandalf/config/disks.nix
+++ b/.archive/hosts/gandalf/config/disks.nix
@ -0,0 +1,16 @@
 [
  "/dev/disk/by-id/ata-Seagate_IronWolfPro_ZA240NX10001-2ZH100_7TF002RA"
  "/dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0K308438J"
  "/dev/disk/by-id/scsi-350000c0f02f0830c"
  "/dev/disk/by-id/scsi-350000c0f01e7d190"
  "/dev/disk/by-id/scsi-350000c0f01ea443c"
  "/dev/disk/by-id/scsi-350000c0f01f8230c"
  "/dev/disk/by-id/scsi-35000c500586e5057"
  "/dev/disk/by-id/scsi-35000c500624a0ddb"
  "/dev/disk/by-id/scsi-35000c500624a1a8b"
  "/dev/disk/by-id/scsi-35000cca046135ad8"
  "/dev/disk/by-id/scsi-35000cca04613722c"
  "/dev/disk/by-id/scsi-35000cca0461810f8"
  "/dev/disk/by-id/scsi-35000cca04618b930"
  "/dev/disk/by-id/scsi-35000cca04618cec4"
 ]
--- a/.archive/hosts/gandalf/config/incus-preseed.nix
+++ b/.archive/hosts/gandalf/config/incus-preseed.nix
@ -0,0 +1,49 @@
 { ... }:
 {
  config = {
    "core.https_address" = "10.1.1.15:8445"; # Need quotes around key
  };
  networks = [
    {
      config = {
        "ipv4.address" = "auto"; # Need quotes around key
        "ipv6.address" = "auto"; # Need quotes around key
      };
      description = "";
      name = "incusbr0";
      type = "";
      project = "default";
    }
  ];
  storage_pools = [
    {
      config = {
        source = "eru/incus";
      };
      description = "";
      name = "default";
      driver = "zfs";
    }
  ];
  profiles = [
    {
      config = { };
      description = "";
      devices = {
        eth0 = {
          name = "eth0";
          network = "incusbr0";
          type = "nic";
        };
        root = {
          path = "/";
          pool = "default";
          type = "disk";
        };
      };
      name = "default";
    }
  ];
  projects = [ ];
  cluster = null;
 }
--- a/.archive/hosts/gandalf/config/samba-config.nix
+++ b/.archive/hosts/gandalf/config/samba-config.nix
@ -1,4 +1,15 @@
-{ ... }: {
+{ ... }:
 {
  global = {
    "workgroup" = "WORKGROUP";
    "server string" = "gandalf";
    "netbios name" = "gandalf";
    "security" = "user";
    # note: localhost is the ipv6 localhost ::1
    "hosts allow" = "0.0.0.0/0";
    "guest account" = "nobody";
    "map to guest" = "bad user";
  };
  xen = {
    path = "/eru/xen-backups";
    browseable = "yes";
--- a/.archive/hosts/gandalf/config/sanoid.nix
+++ b/.archive/hosts/gandalf/config/sanoid.nix
@ -14,22 +14,22 @@
    };
    datasets = {
      "eru/xen-backups" = {
-        useTemplate = ["production"];
+        useTemplate = [ "production" ];
      };
      "eru/hansonhive" = {
-        useTemplate = ["production"];
+        useTemplate = [ "production" ];
      };
      "eru/tm_joe" = {
-        useTemplate = ["production"];
+        useTemplate = [ "production" ];
      };
      "eru/tm_elisia" = {
-        useTemplate = ["production"];
+        useTemplate = [ "production" ];
      };
      "eru/containers/volumes/xo-data" = {
-        useTemplate = ["production"];
+        useTemplate = [ "production" ];
      };
      "eru/containers/volumes/xo-redis-data" = {
-        useTemplate = ["production"];
+        useTemplate = [ "production" ];
      };
    };
  };
--- a/.archive/hosts/gandalf/default.nix
+++ b/.archive/hosts/gandalf/default.nix
@ -0,0 +1,185 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  inputs,
  ...
 }:
 # let
 # sanoidConfig = import ./config/sanoid.nix { };
 # disks = import ./config/disks.nix;
 # smartdDevices = map (device: { inherit device; }) disks;
 # in
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    inputs.disko.nixosModules.disko
    (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
  ];
  boot = {
    initrd = {
      availableKernelModules = [
        "ehci_pci"
        "ahci"
        "mpt3sas"
        "isci"
        "usbhid"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ "nfs" ];
      supportedFilesystems = [ "nfs" ];
    };
    kernelModules = [
      "kvm-intel"
      "vfio"
      "vfio_iommu_type1"
      "vfio_pci"
      "vfio_virqfd"
    ];
    extraModulePackages = [ ];
    kernelParams = [
      "iommu=pt"
      "intel_iommu=on"
      "zfs.zfs_arc_max=107374182400"
    ]; # 100GB
  };
  swapDevices = [ ];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
  ];
  # Network settings
  networking = {
    hostName = "gandalf";
    hostId = "e2fc95cd";
    useDHCP = false; # needed for bridge
    networkmanager.enable = true;
    firewall.enable = false;
    nftables.enable = false;
    interfaces = {
      "enp130s0f0".useDHCP = true;
      "eno1".useDHCP = true;
    };
  };
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # VSCode Compatibility Settings
  programs.nix-ld.enable = true;
  services.vscode-server = {
    enable = true;
  };
  # Home Manager
  home-manager.users.jahanson = {
    # Git settings
    # TODO: Move to config module.
    programs.git = {
      enable = true;
      userName = "Joseph Hanson";
      userEmail = "joe@veri.dev";
      extraConfig = {
        core.autocrlf = "input";
        init.defaultBranch = "main";
        pull.rebase = true;
        rebase.autoStash = true;
      };
    };
  };
  # sops
  sops = {
    secrets = {
      "borg/repository/passphrase" = {
        sopsFile = ./secrets.sops.yaml;
      };
      "syncthing/publicCert" = {
        sopsFile = ./secrets.sops.yaml;
        owner = "jahanson";
        mode = "400";
        restartUnits = [ "syncthing.service" ];
      };
      "syncthing/privateKey" = {
        sopsFile = ./secrets.sops.yaml;
        owner = "jahanson";
        mode = "400";
        restartUnits = [ "syncthing.service" ];
      };
    };
  };
  services = {
    # Smart daemon for monitoring disk health.
    smartd = {
      # devices = smartdDevices;
      # Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
      defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
    };
    # ZFS Exporter
    prometheus.exporters.zfs.enable = true;
    # samba = {
    #   enable = true;
    #   settings = import ./config/samba-config.nix { };
    #   openFirewall = true;
    # };
  };
  # System settings and services.
  mySystem = {
    purpose = "Production";
    system = {
      motd.networkInterfaces = [
        "enp130s0f0"
        "eno1"
      ];
      # Incus
      # incus = {
      #   enable = true;
      #   preseed = import ./config/incus-preseed.nix { };
      #   webuiport = 8445;
      # };
      # ZFS
      zfs.enable = true;
      # zfs.mountPoolsAtBoot = [ "eru" ];
      # NFS
      nfs.enable = true;
    };
    services = {
      libvirt-qemu.enable = true;
      podman.enable = true;
      # Syncthing
      syncthing = {
        enable = true;
        user = "jahanson";
        publicCertPath = config.sops.secrets."syncthing/publicCert".path;
        privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
      };
      # # Scrutiny
      # scrutiny = {
      #   enable = true;
      #   devices = disks;
      #   extraCapabilities = [ "SYS_RAWIO" ];
      #   containerVolumeLocation = "/eru/containers/volumes/scrutiny";
      #   port = 8585;
      # };
      # Sanoid
      # sanoid = {
      #   enable = true;
      #   inherit (sanoidConfig.outputs) templates datasets;
      # };
    };
  };
 }
--- a/.archive/hosts/gandalf/secrets.sops.yaml
+++ b/.archive/hosts/gandalf/secrets.sops.yaml
@ -0,0 +1,92 @@
 lego:
    dnsimple:
        token: ENC[AES256_GCM,data:Lf3sSTJ1XQAMe80p7LnoElvN7uv8bMblcvskiyBZQx0A9inBkoIjBf9/0w==,iv:D53d/uIRZeyXWB64NZFjrnutToua7+6nsh8wvsBfqdQ=,tag:ODzXnRExlTFP0ewl81QE4Q==,type:str]
 borg:
    repository:
        passphrase: ENC[AES256_GCM,data:xJ9KLh1V0ykeEusRon3AiXLH9fs=,iv:D5ICrIoTegc9IfdagbqjQ9NpW9fm3yq1CxnOH3v1qbs=,tag:ENnLfTRuQaDx38gGuz9Cew==,type:str]
 syncthing:
    publicCert: ENC[AES256_GCM,data:AnzODcQM57zYK9krVlydQjQ26Shd65ui/F5n3/CxZuICgMzn4KJujgCJpW+2TtT+apTehmVwnCZH8sdI8EcB09dyjEawncZxeI+n1JqgE+PoLI1A1enjzM1S7OwNUIl09yMiZflKRvQNKtUihd0/HLcoIRkBNYu78UP69uxMeOFkKVeeSl2k+ERvv1tvO7lcY3ksBRV8H554xv139ojJWtIrUCjibx6uCL8I+TWwXIhH+DjAsE2d/bnsJ1NMEuDM5Mg1wVp4ZWIoQU/HoOM3b2Khb9vW+AvuQPeK1IUkYPRqteykUP2eoIwFV9IFfj6w/VrwFazXqg/DoaOC6mWr4/+0uam1uHO4QGfLP3idVBWbAdUoFvlVDUSLYOrG25Xssry7dn+JPBu3n8Y5uzNdfSthYLPRQuippQ34SlYIcgvGVJaNlf4/aglA2x5rC6xRi3/OwIFzbmADonDKsLyNsmiIUUo1VYUYPEEhLYeY3Hu0xV5Y52CMEF8MFpPsS43/9Dv89VYgKTPywY2/PjtpNuc5pysOYzJAvOiD28YTFgz0Dp5m0ShGmXjSFK6ekAzTvJYHzFMNCIBWcYrFbao2OFYqT17kh19+wdQDK4t0q7FHwQVwm8OtpYvstNasBCU+jZCuUUUdHYAAOj5F7U2mr+GqG0rp4wonSU1Qa96M/3KsNR5wbMY1ygpj6ADDCaxL/dUOS5kz2eBlaiMYxakCrAmccfoSMNcG3QmCpyr6QjvIAJPGgNMjVa25LGIs3GCKDrEHfN3I54KV3SNRYeGplw3HDQg9gFpuZ7ZqlhdJOvO62m3rwDTtCF2acouhu3dy/3XENWceCbRuSGktORxklUrLOcXBLXYbTs1hmDI6S1hRGQTxcTXSuVlkjkOcxZ4rpqbIGErpBeQodh69XWbOJ9yFC4XSj4oNydt2JtqDW/H9q4GYt9njcUFP3RoxI2BCUtwOqdaPO3o3svevVgC5SaIcDsMnz+dLRs+cr5FZk/AIDta9+RVBCl5clv4svoWfSOn8ff6mrhYqjo3Wtf7k3KLqmfIDawuKfQU=,iv:UiCdr9U1sTph8VOJNiq7VS1c3JvpRPrti0G7sOJeAmc=,tag:OwFs0+2cIwDi6LLxr4jbFA==,type:str]
    privateKey: ENC[AES256_GCM,data:2Ue/vbCIN8ceJEBRnl5pSrdEPHGDy92eRO0QtesU/FvrrwQq8ga5DCCCB1Cee1zWXrXT1R94b0GSvjfWu9M9JQvNdIjFTzwOIElRL/NrplVbJKSd18P/SHEJHZ+/vWxFkOk0FDmN1xkFrVQEf+g2xbHtcYYA3TT8b4a9eDHJSUQGCYo3LJVkJUbgsNgpoRPOXrA1LKXNsoaUqDHYXoY86j+ShFNlx2wPRkeymIkoULK7gyykeAVFaE/QMXkel/BVNz94lPFlnOymbj0vLa6qAhdRyeV5sh2Q9AdR5tM5bUBoSOCe304Q9P7/BLh3dpmRAeI4dq0FcJlDF2Y8z5A+ZPBsySObYSkDXlwgFOvwJgVVXbcdd9y8FwpV/kVnbPeP,iv:MM9d8VwvWWUxID/9HKa4m5zDeNR5yu7REVDHujIvyA0=,tag:0DvBfO3X58FmjnCWyupVgA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucldMTnVlS1dRNHdRSzNt
            K0pmaU1lSkwrOTZLSDdjM0dkMUZKNXJJS3dZCncvMmZ0K3lwRjJSOUFHTDA2QW5C
            bW4raVc1RXMrbXV0WmcyVklBU3NZM00KLS0tIHhoTDFHc3MvcDdNV2RBVTAxQjZT
            dWtaajROWFFSSU81YU45QkdGZVAreVEKdRfFV5aXf+TCLrC9rlIgOIgvXKSRLXV3
            AaE+DMreP3ipFj3sRtbWhwpwdKG3ww3oUVuSOzkupxBviKLuZjOpZQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMRGp4MWxOclZFZThsZXlU
            SU5MeWlBUkxyYkpWMTRraG9kUVdkZVZIRTJNCktDdkZMUUJJVG92R1Nrd3g1N0Qw
            Q05HV3NPaUlxOHgwUzAxSzZEejFCdjAKLS0tIDhZL1JTUEh5eUM1V1RScTZ6bWhW
            ZDdnOXhGR2JkVjk5YllKVjc2TS9RNDQKyi08QEOaZfb4Dj+CviQoIGKkyi0qGHUC
            jUeERhVwT346p1Bx5JLcHAyoPMdbxm37pNrC2P/LoI9/enxoWZ/hKw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTR0plTmZ3Q1BuY2Z2bzdR
            aHlSTFQ2bkl6ekVDdmpxZ2lCMDV4TFYwd0FJCmFHczFwanZTVkx1cytqd2pHYXhr
            b3I3SnRkM3dMd1VpbjNYbmI4Z2Z0MVkKLS0tIEw0ZjNxK0NUckdFYVpIeDRDSGMv
            b0lObG1iYS91aVNaZ3VRbXBPOFFYYkkKexf0g60IXy+LNqFkXgpfx+FWDeFiO8+3
            9EQWEEQMurYqVzAT+BcJq3LuAex5lEFO1nLav1k2rammA1epB8QYpg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKK0VybENLM1Bpa1l1THo3
            VnczdzFraWpKMVNOREduVjJ2V1grczdxTUNZCkcrYTExalljWVlOWXFtMmlmemt3
            eGM0Z1hXaDZXRDcyOVFrc2FRL1J0YjAKLS0tIG9wOWpnV1ZYQy9DWG1zR2dOR2FH
            MXdmVWkvS2dCNzBJNEJGQzJjSHhXVHcKbVzAr0o45xaS33bYY2Pb11cEHiBTi+7l
            H1IlJBdJbyJ8NMFJfvnyKBHLttUKb57Xz2mjeaC4vkDHT450r+k5Jw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKS2tTUzBlZFl6WU92d3M4
            Wjg4WVpvRk5mdWRCWnFxK0RFS1BTZGJ4ZUJnCllNY2ZQRUwvN0lKM1V2dURDYXQv
            cXNTbmZkcEhMZDRNNjY1a09CRDYweVkKLS0tIG5Qdnp1cFl6UCtpMTh1ZUZoTTRM
            dnpjQ2tkOXFCa1ZvekxBeFR2UXprWEUK9tBZsGeIMLiW8Lrodir6zynFg2I3LqW9
            bMjUyF6CM8U8Aid7ftX5fiEMFCyssrSRBQ4CVs28jic4dYJ/3Nceiw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTQ0hGa2d4VmpMV0ttYis5
            OFZibUxkSjdiYVgyajhGblRxMGkrTSsxRlgwClVnVy93YXBMRjM1TEIyUzB4S3My
            TG9KSjNVc1BpODBvV201dkRmZitvMzQKLS0tIFRLZFJxclJPK1lvMVFGZ2UzaVFu
            VFJkcm1QaGdDeTJuVWpNV3pva2RKVzQKI0s2hQHI16T72AYVvaO4f+nIza5768S4
            pQN3UUOjug8L7/85ytHvOQOxBC+PMAG/aJABoj7FMhZNRvKtbC2J/g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVHU5Z1cyWjFjbjRncmRu
            NklQRGVNK2VZZlhKMFgxT2dGYU15MzRTV0VFCnVDUkY4elNNS0VqZWUrQjdWU1Jh
            RUZTUE5Qa0FsYmljQThyd3p4bm9FbDAKLS0tIG9MRGZ4UkhteUk1cFk1b3JXZzVY
            VTkxcEppQ2Y0VVg1dThQS3FkcFdPTVkKG0/RNreCjjbdsUq4PoXCsfVOnd3fF0jS
            Sw6bTIpifslRFu0JJRB83AxRxjPbl4h6QOz3VlDHWfGCJ5eO9RQfjw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWStjeTFGVmM0YWN5bWcx
            eThvdTNoclNkd0N4VklRc2UrOFFIejFXYVJvCkNlaE5iL2ExcFlZQ0trZGQzenlQ
            WkZMdUtaUUU5NXFWeVlPYkJ5eit5U1UKLS0tIDhONzk1M0pEV3plR3JHdnFRNVQ5
            L2FjVW9qREJjUUtZSzROV1lQc1lUaTgKSFx81K8XYD5KFJNBlAyLshwQQQYqdGos
            goYyedCpe7JdXp49sSaCdAWpdphznFTdElzFCuM3LSxM76tI0JEe/A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-27T09:27:41Z"
    mac: ENC[AES256_GCM,data:c91/QM6/I7NYvAKQlnqTvv1n9HXt1LlTAa8OXaKzYB2Pg2Ofsl0z4XFf7dpLiITRFjBZCJWKyg4rVPKpNOUAwE4TS/7D+lh2xjJh5YPW1C4nwmu9dQ4/KSfBH71KKsSLJUnktgZXg7LNhE7QBFxntoJvznjv+vjjkzgovbBqC+Y=,iv:tCy5h0BscT7WKncaB4iCGWx6Up9OqZzRFYFQiLiNxgA=,tag:BPp6dZzKD0zUENoHRTlckg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/.archive/hosts/legiondary/default.nix
+++ b/.archive/hosts/legiondary/default.nix
@ -1,41 +1,55 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{
  config,
  lib,
  modulesPath,
  ...
 }:
 {
-  imports =
+  imports = [
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  ];
  networking.hostId = "2132e3bf";
  networking.hostName = "legiondary";
  boot = {
-    initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+    initrd.availableKernelModules = [
      "xhci_pci"
      "nvme"
      "ahci"
      "usb_storage"
      "usbhid"
      "sd_mod"
    ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
-  fileSystems."/" =
+  fileSystems = {
-    { device = "zroot/root";
+    "/" = {
      device = "zroot/root";
      fsType = "zfs";
    };
-  fileSystems."/nix" =
+    "/nix" = {
-    { device = "zroot/nix";
+      device = "zroot/nix";
      fsType = "zfs";
    };
-  fileSystems."/var" =
+    "/var" = {
-    { device = "zroot/var";
+      device = "zroot/var";
      fsType = "zfs";
    };
-  fileSystems."/home" =
+    "/home" = {
-    { device = "zroot/home";
+      device = "zroot/home";
      fsType = "zfs";
    };
  };
  # fileSystems."/boot" =
  #   { device = "/dev/disk/by-uuid/E532-B74A";
@ -50,6 +64,9 @@
  # System settings and services.
  mySystem = {
    purpose = "Development";
-    system.motd.networkInterfaces = [ "eno1" "wlp4s0" ];
+    system.motd.networkInterfaces = [
      "eno1"
      "wlp4s0"
    ];
  };
 }
--- a/.archive/hosts/telchar/default.nix
+++ b/.archive/hosts/telchar/default.nix
@ -0,0 +1,93 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  networking.hostId = "4488bd1a";
  networking.hostName = "telchar";
  boot = {
    initrd.availableKernelModules = [
      "nvme"
      "xhci_pci"
      "thunderbolt"
      "usbhid"
      "usb_storage"
      "sd_mod"
    ];
    initrd.kernelModules = [ "amdgpu" ];
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
  swapDevices = [ ];
  virtualisation.docker.enable = true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # Enable Flatpak support
  services.flatpak.enable = true;
  ## Base config programs.
  programs = {
    # Enable Wireshark
    wireshark.enable = true;
    # Enable OpenJDK
    java.enable = true;
  };
  # sops
  sops.secrets = {
    "syncthing/publicCert" = {
      sopsFile = ./secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = [ "syncthing.service" ];
    };
    "syncthing/privateKey" = {
      sopsFile = ./secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = [ "syncthing.service" ];
    };
  };
  ## System settings and services.
  mySystem = {
    purpose = "Development";
    services.syncthing = {
      enable = true;
      user = "jahanson";
      publicCertPath = config.sops.secrets."syncthing/publicCert".path;
      privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
    };
    ## Desktop Environment
    ## Gnome
    # de.gnome.enable = true;
    ## KDE
    de.kde.enable = true;
    ## Games
    games.steam.enable = true;
    ## System config
    system = {
      motd.networkInterfaces = [ "wlp1s0" ];
      fingerprint-reader-on-laptop-lid.enable = true;
    };
    framework_wifi_swap.enable = true;
    security._1password.enable = true;
  };
 }
--- a/.archive/hosts/telchar/secrets.sops.yaml
+++ b/.archive/hosts/telchar/secrets.sops.yaml
@ -0,0 +1,86 @@
 syncthing:
    publicCert: ENC[AES256_GCM,data:SVEKnnuq30TJJoxbgTYRHTEdQyNYsn50+223Ly0QmX9V96xNb+qMIgJfOX9dGMZdoxNfQOkeecLvwgNZc6sEXNdlhFt/a/bqL6wNJvRY2PdyNoX2IKZvfZFulZtxuAAWsG0dwP04CT8cDmK4dUQIWEKRUOUAKRFQkD8cgglO7OHDGVZ0gZT1g6P1CAIJ2kWZiO3yRDSBWkcxGoY+Hy+tbCMS1Ut9Evh0bDAHslYvVPVqlNhurADTF0vkJO88027+ODQjts4M2ecgafZE4y8L0CmMF/+sdGtkCRiYqTYmxAwjWZmL8YjmsWI6Cl7VaaH3pqyvgPPBksBbfb4Zj+Nq41DLBz/vHIC8qpsIjrPvl/4lRmesuTUgut0HfiK+h3VpeUtU08wb0UtHixcOhvxEdSShMS1bXvmCEeEIKeagxImCfuwR8nHAkXRVSqhIovDYfL1GYsyjeK5b/zAYdckzk7zuGgTX4wD2TnVG3ve2SGJQ+9HUUiaiDlrQAzyer2kjMIDFqEvSNZ087ATYTaB6FI5DYFCsd3yEM10AcdzaMe2wCvGuNYg+NRKbFrVxYacT7sdb4m+gf7u8SimlEy3e9URQTJ6T5xsg0xeLMmAtOawKSzhVNjxQM64N42cyQmfHBUqj2LneO4/ma3/URpqtxoWBKu3wQlBv9aUAiyWycYmr8DjvyiWOn8D07cCOAj6x/4EnY+Q9gXaj0w6sj9VrsL+fQQKUIWpCt32nmYHLmSFUuCqUAkY+dGnMFWepJWuOsLPLoSK9M6UMuYVxggBNn6lngo+0SRj6pEGspebWku8VfKTWUqBIjrHvhzKmT6FrCXkfzIQ9231+mBUWM9+74TnzwgRKCeHIQW554pynfTqs1M9AiLtHvIt3ixNq5txMZCgqS/Mg3YGEj81c8X+RVvvqIHv5GDeQGAeTJV4Tjof9UiOOr+UOmhgy15PnnZl3Z6Fhty6+bTClDFDXqqBhg/kDEWf416qL53IgoHgE12tWNn28SFFHBvq/YCF72P65+TXhns9pCSe8RDWLeDRawM8rlZ+8VQ==,iv:7vLLWbV7TUe7Dv0KaRvOrgwrjwXMABa5eaR/SxeghvY=,tag:K0Rz8OVUKOS4SRlGwZrfEw==,type:str]
    privateKey: ENC[AES256_GCM,data:kkBxN6LuI6R+69rbNGfvioNT6d04/S+LF31+FOq2K9goQtGZ2dTbBdMkpsxlmtxNqqV/svVGPOFQc904Mdyy+djOPGUF7YQooRTIiCWMXaCHrpL3okP/ONYYDLVXxNqnBGboWYqlqr2kQANH4DBACUzN1RhPh/Qy0dob4vqx8nnSbutbo9wdVygi9JIzdmS2VmihfNR1bgG7+z0pUi9+dwZ7Y116VUEx/S4qpq+FbOOEctDL0mj/E/iW0dFTZO95nFjG8MpzX2M74Mm64VdZZ/MygSLj6B1+p90rryv0R5YW3zuFj4YIS3GurBEojG+rbk94SWN1SY5s3jc1GaQ3Sjtk+pugmU6sxkOaLxX+XfbytZ1FrUalwGHCvfQbWP1T,iv:PJ6EhA+fW5C6jkBIdfsx2U0uGshyWdAC1T3fC3Hr9p4=,tag:fyToI/FQPI9gFvN7+bSf6A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYVZMa25OeHo3d0J6NlJv
            TkFOVUxzNy94Skoxd3pwT1o1WWFtVTBzRFY4CjMrRS9RRk5PNmx2aTlaMnU2WEU0
            d05pWnhLeFhqY3A1VUN2S0NxTnVDRU0KLS0tIEdPKzlQM0JuMTlsTUQxOGtHS0xD
            WDdnL1k2YmwxM0JEREJnc0dZZjVuMlUKYLP8F+3/ze0LZAiP+u0aVW/bLSIk1K25
            NqbqT6SNDXuyeq61ysi6CwhYokUwnLBANv/BRsBLT2JX5tI8uIaKTQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUbm84cFI1eCtqR0hnaUVU
            SDREVDJFQ2JTN3I4OXdrdTk1MVhheGY1cUFnClhidGRBMDNuTjlCekNOcS9YUEs1
            ZHFZanFnWmlZbFF1eEhwayt0clhuR2sKLS0tIDFJKzdxNzErRlV5blp2dEg0UGNx
            d01XeHdJaU5BRUJMVXMra1dNRnJqZUkKgkfspMPpA1rg9d87eFWN1ThdQyXaRM9P
            8eBkOG0H8W5Afsb0kOqA8gJGL6bzM3fzbVDjK7VPq06zrzY9uaLkCA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVVlxVHZ4MTBpanBSc1J3
            bEgwQTh2WHNSUm0wVmtXNUhMbXNQaHVjc0ZVCjBUNUJITStSektTVWhzWXlPb2VJ
            TTNoNHEyeXhraHJqRzYzQXRMcmp3L2sKLS0tIHRiK05XeVJGMzl1VlVITjNHSDhY
            N3ZmWWtlSGx2cjFxZ3hUNm0wYlFCMlEKrUEV8phjcnciK+tuOFEBz5PxJKbbwJNM
            BY4gs0zkhk/jkvdiljgfeyKrlcjwfz1b8kLW316PfkTBJiIAc6Zncw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTFM2TzB2eDE3bVVNK3FN
            a3pEVkkzUExKdnRNTGFSaWJOa0lVUmRrT2p3CnV3SGlSa1VFblR3ZDdvRGRlcXp2
            cjIwTHkwTGhJWHAyVllxV3FZT0NIaWMKLS0tIGRsUDRMcFUwS1c2OVZsbGdvSVlv
            bXlNeTBaZ0dOYnFIS09haXZOV0Q0azAK/6UGR0cd+gtR/7Yz75v87NWWcz7gP2iU
            sPtvPHEIYh5gnop2DwZTpATwwvxZWp0b8OpV/2AyUiL6tniCV6qDvg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVVJEZmxsR1A3a0luU0po
            ejN2ZHZERlhoeVYwV29LajlXYjY5TzFzZjFnCkFOSHJMbktYZFpBcDdWZ3RsVHo2
            UlNSeUpxbWVsVzkrblNlZkJhV3dGTWcKLS0tIHhOb1VmaDNCNU1xMzZCVWlFeDF1
            OVZOcC93M1p0VThDaHRLVTc1N0ZyQk0KZWDWhjrmnqfkbJmZRCwXHGMdRmL0W4Sa
            4cEGr8XbvJlzFTmbm81X6KLKdYz62V8fa99mAEzffOB0SqegBTb8Ig==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJNDRydUJieU81RVdubEFu
            OWM0dEF2YTZ2WVZSUFQvakgwa29NNTdrb2hnCmJ0dHZqTE9vMXVHbHBtd1pUY203
            UFhnZ0ZLOWxCZnptd2pTWU1scXF0TEUKLS0tIGt3a0wwNklQTUR3V2MvQzVkQzBN
            b2RqWjd2Nkt3YmZ2eHlYOUhJNFB3RjAKdnCRIg3zqLaN9rjjc8tCBj8lOH1SWw2Q
            s/0TLrsXy62nlWibDxsuiE9mPCediFVbJWxTCAs4ze/jELGESV6S/w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNUlIQTdQZHNsWEdselAw
            RWJjazYvK0xSU1NteWs2RFlWVHRYQzF4bnhNCjg5RHQvRm5hWTcrYUxYWGlIWFdW
            dUNoaEQ1V21DWGdRREZZOHFBeldiTkkKLS0tIFR5aG1TNGJZY3pmMWdJbXhEWG9N
            aTlZcVdCaWltdURHbEx4b2h5RjlIUm8KfpXCYGLch4RAhEPfgikR60sp5tywKV1R
            fRsXad3X31fAS42ZeczPn399byImcXoL9n7mIoT6NbDWgCvd+iSiHw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYkM3V282TldQbHBQVmQy
            bWdielQySUNJaXEvOHA3Q1JqMEdMWEs1bFVVCnJKK0d5dG54aXk4dWtnSkdkbkU3
            TU5xOFNGcklJdWcvZUlZVjNqanpqRlEKLS0tIGZGc0M5eE0xTTd6LzVjdXI1Ulg3
            Zk9RdUU5RTdZd1A4dGRUVVVpT0E1SXMKOEL/yUCERTc8aiPmfGJWF9ESzfKbxYCO
            dCByzJpIsI9IUgmcjMq8bREnATd8cZ65kVMpqME0Xfk3/Fl+OaLm1Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-27T09:27:41Z"
    mac: ENC[AES256_GCM,data:VrP3O1WKuRBXhzg9hOyeRHRL8Cg47HWvno/B2TUllFUlKLrlgJapazbCs4aQJQka/1gQu2xguHlu/CqF9WKp90B/CxJ8XnYc4mrsMZ104aHSStQInShquRwrpm6iDc61d+ZZqkQbYUTiznm8jAonjjNEKHFsnRw9q+c9SJKYmJU=,iv:WuEJ2kgLHwKSUb8TDNH17N+P5gHsCQ+loP07Ec0y7/Y=,tag:bNhrMV5GY5q/vmmxYlL6Cw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/.archive/modules/nixos/containers/lego-auto/default.nix
+++ b/.archive/modules/nixos/containers/lego-auto/default.nix
@ -3,9 +3,9 @@ with lib;
 let
  app = "lego-auto";
  image = "ghcr.io/bjw-s/lego-auto:v0.3.0";
-  user = "999"; #string
+  user = "999"; # string
-  group = "102"; #string
+  group = "102"; # string
-  port = 9898; #int
+  port = 9898; # int
  cfg = config.mySystem.services.${app};
  appFolder = "/eru/containers/volumes/${app}";
 in
@ -43,16 +43,18 @@ in
      extraOptions = [
        "--dns=1.1.1.1"
      ];
-      environment = {
+      environment =
-        TZ = "America/Chicago";
+        {
-        LA_DATADIR = "/cert";
+          TZ = "America/Chicago";
-        LA_CACHEDIR = "/cert/.cache";
+          LA_DATADIR = "/cert";
-        LA_EMAIL = cfg.email;
+          LA_CACHEDIR = "/cert/.cache";
-        LA_DOMAINS = cfg.domains;
+          LA_EMAIL = cfg.email;
-        LA_PROVIDER = cfg.provider;
+          LA_DOMAINS = cfg.domains;
-      } // lib.optionalAttrs (cfg.provider == "dnsimple") {
+          LA_PROVIDER = cfg.provider;
-        DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
+        }
-      };
+        // lib.optionalAttrs (cfg.provider == "dnsimple") {
          DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
        };
      volumes = [
        "${appFolder}/cert:/cert"
--- a/.archive/modules/nixos/containers/unifi/default.nix
+++ b/.archive/modules/nixos/containers/unifi/default.nix
@ -2,26 +2,34 @@
 with lib;
 let
  app = "unifi";
-  image = "ghcr.io/goofball222/unifi:8.2.93";
+  # renovate: depName=goofball222/unifi datasource=github-releases
-  user = "999"; #string
+  version = "8.4.62";
  group = "102"; #string
  port = 9898; #int
  cfg = config.mySystem.services.${app};
  appFolder = "/eru/containers/volumes/${app}";
  # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
 in
 # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
 {
  options.mySystem.services.${app} = {
    enable = mkEnableOption "${app}";
  };
  config = mkIf cfg.enable {
-    networking.firewall.interfaces.podman0 = {
+    networking.firewall.interfaces = {
-      allowedTCPPorts = [ 8080 8443 8880 8843 ];
+      enp130s0f0 = {
-      allowedUDPPorts = [ 3478 ];
+        allowedTCPPorts = [ 8443 ];
      };
      podman0 = {
        allowedTCPPorts = [
          8080
          8443
          8880
          8843
        ];
        allowedUDPPorts = [ 3478 ];
      };
    };
    virtualisation.oci-containers.containers.${app} = {
-      image = "${image}";
+      image = "ghcr.io/goofball222/unifi:${version}";
      autoStart = true;
      ports = [
        "3478:3478/udp" # STUN
--- a/.archive/modules/nixos/de/default.nix
+++ b/.archive/modules/nixos/de/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
    ./gnome.nix
    ./kde.nix
  ];
 }
--- a/.archive/modules/nixos/de/gnome.nix
+++ b/.archive/modules/nixos/de/gnome.nix
@ -1,15 +1,29 @@
-{ lib, config, pkgs, ... }:
+{
-with lib;
+  lib,
  config,
  pkgs,
  ...
 }:
 let
  cfg = config.mySystem.de.gnome;
 in
 {
-  options.mySystem.de.gnome.enable = mkEnableOption "GNOME";
+  options = {
-  options.mySystem.de.gnome.systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
+    mySystem.de.gnome = {
-  options.mySystem.de.gnome.gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
+      enable = lib.mkEnableOption "GNOME" // {
        default = false;
      };
      systrayicons = lib.mkEnableOption "Enable systray icons" // {
        default = true;
      };
      gsconnect = lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // {
        default = true;
      };
    };
-  config = mkIf cfg.enable {
+  };
  config = lib.mkIf cfg.enable {
    # Ref: https://nixos.wiki/wiki/GNOME
    # GNOME plz
@ -35,41 +49,41 @@ in
        };
      };
-      udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
+      udev.packages = lib.optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
    };
    # systyray icons
    # extra pkgs and extensions
    environment = {
-      systemPackages = with pkgs; [
+      systemPackages =
-        wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
+        with pkgs;
-        playerctl # gsconnect play/pause command
+        [
-        pamixer # gcsconnect volume control
+          wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
-        gnome.gnome-tweaks
+          playerctl # gsconnect play/pause command
-        gnome.dconf-editor
+          pamixer # gcsconnect volume control
          gnome.gnome-tweaks
          gnome.dconf-editor
-        # This installs the extension packages, but
+          # This installs the extension packages, but
-        # dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
+          # dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
-        gnomeExtensions.vitals
+          gnomeExtensions.vitals
-        gnomeExtensions.caffeine
+          gnomeExtensions.caffeine
-        gnomeExtensions.dash-to-dock
+          gnomeExtensions.dash-to-dock
-      ]
+        ]
-      ++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
+        ++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
    };
    # enable gsconnect
    # this method also opens the firewall ports required when enable = true
-    programs.kdeconnect = mkIf
+    programs.kdeconnect = lib.mkIf cfg.gsconnect {
-      cfg.gsconnect
+      enable = true;
-      {
+      package = pkgs.gnomeExtensions.gsconnect;
-        enable = true;
+    };
        package = pkgs.gnomeExtensions.gsconnect;
      };
    # GNOME connection to browsers - requires flag on browser as well
-    services.gnome.gnome-browser-connector.enable = lib.any
+    services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) (
-      (user: user.programs.firefox.enable)
+      lib.attrValues config.home-manager.users
-      (lib.attrValues config.home-manager.users);
+    );
    # And dconf
    programs.dconf.enable = true;
@ -96,6 +110,4 @@ in
        atomix # puzzle game
      ]);
  };
 }
--- a/.archive/modules/nixos/de/kde.nix
+++ b/.archive/modules/nixos/de/kde.nix
@ -0,0 +1,70 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 let
  cfg = config.mySystem.de.kde;
  flameshotOverride = pkgs.unstable.flameshot.override { enableWlrSupport = true; };
 in
 {
  options = {
    mySystem.de.kde = {
      enable = lib.mkEnableOption "KDE" // {
        default = false;
      };
    };
  };
  config = lib.mkIf cfg.enable {
    # Ref: https://wiki.nixos.org/wiki/KDE
    # KDE
    services = {
      displayManager = {
        sddm = {
          enable = true;
          wayland = {
            enable = true;
          };
        };
      };
      desktopManager.plasma6.enable = true;
    };
    security = {
      # realtime process priority
      rtkit.enable = true;
      # KDE Wallet PAM integration for unlocking the default wallet on login
      pam.services."sddm".kwallet.enable = true;
    };
    # enable pipewire for sound
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };
    # extra pkgs and extensions
    environment = {
      systemPackages = with pkgs; [
        wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
        playerctl # gsconnect play/pause command
        vorta # Borg backup tool
        flameshotOverride # screenshot tool
        libsForQt5.qt5.qtbase # for vivaldi compatibility
        kdePackages.discover # KDE software center -- mainly for flatpak updates
      ];
    };
    # enable kdeconnect
    # this method also opens the firewall ports required when enable = true
    programs.kdeconnect = {
      enable = true;
    };
  };
 }
--- a/.archive/modules/nixos/services/cockpit/default.nix
+++ b/.archive/modules/nixos/services/cockpit/default.nix
@ -1,4 +1,9 @@
-{ lib, config, pkgs, ... }:
+{
  lib,
  config,
  pkgs,
  ...
 }:
 with lib;
 let
  cfg = config.mySystem.services.cockpit;
--- a/.archive/modules/nixos/services/vault/default.nix
+++ b/.archive/modules/nixos/services/vault/default.nix
@ -0,0 +1,35 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.mySystem.services.vault;
 in
 {
  options.mySystem.services.vault = {
    enable = lib.mkEnableOption "vault";
    address = lib.mkOption {
      type = lib.types.str;
      default = "127.0.0.1:8200";
      description = "Address of the Vault server";
      example = "127.0.0.1:8200";
    };
  };
  config = lib.mkIf cfg.enable {
    services.vault = {
      enable = true;
      package = pkgs.unstable.vault;
      address = cfg.address;
      dev = false;
      storageBackend = "raft";
      extraConfig = ''
        api_addr = "http://127.0.0.1:8200"
        cluster_addr = "http://127.0.0.1:8201"
        ui = true
      '';
    };
  };
 }
--- a/.archive/modules/nixos/services/vault/resources/vault-config.hcl
+++ b/.archive/modules/nixos/services/vault/resources/vault-config.hcl
@ -0,0 +1,14 @@
 listener "tcp" {
    address = "0.0.0.0:8200"
    tls_disable = true
 }
 storage "raft" {
    path = "/var/lib/vault/data"
    node_id = "node1"
 }
 disable_mlock = true
 api_addr = "http://localhost:8200"
 cluster_addr = "http://localhost:8201"
 ui = true
--- a/.archive/profiles/disko-telchar.nix
+++ b/.archive/profiles/disko-telchar.nix
@ -0,0 +1,59 @@
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/disk/by-diskseq/1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              priority = 1;
              name = "ESP";
              start = "1M";
              end = "128M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
              };
            };
            root = {
              size = "100%";
              content = {
                type = "btrfs";
                extraArgs = [ "-f" ]; # Override existing partition
                # Subvolumes must set a mountpoint in order to be mounted,
                # unless their parent is mounted
                subvolumes = {
                  # Subvolume name is different from mountpoint
                  "/rootfs" = {
                    mountpoint = "/";
                  };
                  # Subvolume name is the same as the mountpoint
                  "/home" = {
                    mountOptions = [ "compress=zstd" ];
                    mountpoint = "/home";
                  };
                  # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
                  "/home/user" = { };
                  # Parent is not mounted so the mountpoint must be set
                  "/nix" = {
                    mountOptions = [
                      "compress=zstd"
                      "noatime"
                    ];
                    mountpoint = "/nix";
                  };
                };
                mountpoint = "/partition-root";
              };
            };
          };
        };
      };
    };
  };
 }
--- a/.archive/profiles/hw-framework-16-7840hs.nix
+++ b/.archive/profiles/hw-framework-16-7840hs.nix
@ -1,4 +1,9 @@
-{ lib, pkgs, ... }:
+{
  config,
  lib,
  pkgs,
  ...
 }:
 {
  mySystem = {
    security.wheelNeedsSudoPassword = false;
@ -16,7 +21,7 @@
    };
  };
-   # For updating firmware on the Framework.
+  # For updating firmware on the Framework.
  services.fwupd.enable = true;
  networking = {
--- a/.archive/profiles/hw-legion-15arh05h.nix
+++ b/.archive/profiles/hw-legion-15arh05h.nix
@ -10,7 +10,10 @@
  boot = {
    # for managing/mounting ntfs
-    supportedFilesystems = [ "ntfs" "nfs" ];
+    supportedFilesystems = [
      "ntfs"
      "nfs"
    ];
    loader = {
      grub = {
@ -18,7 +21,10 @@
        zfsSupport = true;
        device = "nodev";
        mirroredBoots = [
-          { devices = [ "nodev" ]; path = "/boot"; }
+          {
            devices = [ "nodev" ];
            path = "/boot";
          }
        ];
      };
    };
--- a/.archive/profiles/hw-thinkpad-t470.nix
+++ b/.archive/profiles/hw-thinkpad-t470.nix
--- a/.archive/profiles/role-gaming.nix
+++ b/.archive/profiles/role-gaming.nix
--- a/.archive/profiles/role-workstation.nix
+++ b/.archive/profiles/role-workstation.nix
@ -1,12 +1,21 @@
-{ config, lib, pkgs, ... }:
+{
  config,
  lib,
  pkgs,
  ...
 }:
 # Role for workstations
 # Covers desktops/laptops, expected to have a GUI and do workloads
 # Will have home-manager installs
-
+let
  vivaldiOverride = pkgs.vivaldi.override {
    proprietaryCodecs = true;
    enableWidevine = true;
  };
 in
 with config;
 {
  mySystem = {
    de.gnome.enable = true;
    shell.fish.enable = true;
    editor.vscode.enable = true;
@ -48,8 +57,9 @@ with config;
    lm_sensors
    cpufrequtils
    cpupower-gui
-    vivaldi
+    vivaldiOverride
    gparted
    termius
  ];
  i18n = {
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,16 @@
 root = true
 [*]
 end_of_line = lf
 insert_final_newline = true
 indent_style = space
 indent_size = 2
 charset = utf-8
 trim_trailing_whitespace = true
 [*.{yaml,yml,json5}]
 indent_style = space
 indent_size = 2
 [*.md]
 indent_size = 4
 trim_trailing_whitespace = false
--- a/.envrc
+++ b/.envrc
@ -1,2 +1,3 @@
 use nix
 export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
 export EDITOR="hx"
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@ -0,0 +1,53 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: "Build"
 on:
  push:
    branches:
      - main
    paths:
      - ".forgejo/workflows/build.yaml"
      - "flake.lock"
  workflow_dispatch:
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
  cancel-in-progress: true
 jobs:
  nix-build:
    if: github.event.pull_request.draft == false
    strategy:
      fail-fast: false
      matrix:
        include:
          - system: gandalf
            os: native-x86_64
          - system: telperion
            os: native-x86_64
          - system: shadowfax
            os: native-x86_64
          # - system: varda
          #   os: native-x86_64
    runs-on: ${{ matrix.os }}
    env:
      PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
    steps:
      - name: Checkout repository
        uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Cachix
        uses: https://github.com/cachix/cachix-action@v15
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          name: hsndev
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Garbage collect build dependencies
        run: nix-collect-garbage
      - name: Build new ${{ matrix.system }} system
        shell: bash
        run: |
          nix build ".#top.${{ matrix.system }}" --profile ./profile --fallback -v \
            > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@ -1,50 +0,0 @@
 name: "Build"
 on:
  pull_request:
 jobs:
  nix-build:
    if: github.event.pull_request.draft == false
    strategy:
      fail-fast: false
      matrix:
        include:
          - system: varda
            os: native-aarch64
          - system: telchar
            os: native-x86_64
    runs-on: ${{ matrix.os }}
    env:
      PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
    steps:
      - name: Checkout repository
        uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: https://github.com/cachix/cachix-action@v15
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          name: hsndev
          # If you chose API tokens for write access OR if you have a private cache
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
        # env:
          # USER: 'root'
      - name: Garbage collect build dependencies
        run: nix-collect-garbage
      - name: Build new ${{ matrix.system }} system
        shell: bash
        run: |
          set -o pipefail
          nix build \
            ".#top.${{ matrix.system }}" \
            --profile ./profile \
            --fallback \
            -v \
            --log-format raw \
             > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
      - name: Push to Cachix
        if: success()
        env:
          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
        run: nix build ".#top.${{ matrix.system }}" --json | jq -r .[].drvPath | cachix push hsndev
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,13 @@
 **/*.tmp.sops.yaml
 **/*.sops.tmp.yaml
 **/*sync-conflict*
 age.key
 result*
 .decrypted~*
 .direnv
 .kube
 .github
 .profile
 .idea
 .secrets
 .op
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -10,7 +10,7 @@ repos:
          - .yamllint.yaml
        id: yamllint
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
@ -25,14 +25,15 @@ repos:
    hooks:
      - id: remove-crlf
      - id: remove-tabs
-        exclude: (Makefile)
+        exclude: (Makefile|Caddyfile)
-  - repo: https://github.com/zricethezav/gitleaks
+      #  - repo: https://github.com/zricethezav/gitleaks
-    rev: v8.18.2
+      #    rev: v8.23.3
-    hooks:
+      #    hooks:
-      - id: gitleaks
+      #      - id: gitleaks
-  - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
+      #  - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
-    rev: v1.1
+      #    rev: v1.1
-    hooks:
+      #    hooks:
-      - id: sops-encryption
+      #      - id: sops-encryption
-        # Uncomment to exclude all markdown files from encryption
+      #        # Uncomment to exclude all markdown files from encryption
-        # exclude: *.\.md
+      #        # exclude: *.\.md
      #        files: .*secrets.*
--- a/.prettierrc
+++ b/.prettierrc
@ -0,0 +1,4 @@
 {
  "quoteProps": "preserve",
  "trailingComma": "none"
 }
--- a/.sops.yaml
+++ b/.sops.yaml
@ -15,9 +15,10 @@ keys:
    - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
    - &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
    - &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
    - &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
    - &telchar age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
    - &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
    - &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
    - &telchar age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
 creation_rules:
@ -28,6 +29,7 @@ creation_rules:
        - *gandalf
        - *jahanson
        - *legiondary
        - *shadowfax
        - *telchar
        - *telperion
        - *varda
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -1,9 +1,6 @@
 {
  "recommendations": [
    "jnoortheen.nix-ide",
    "mikestead.dotenv",
    "redhat.ansible",
    "redhat.vscode-yaml",
    "signageos.signageos-vscode-sops",
    "pkief.material-icon-theme",
    "ms-vscode-remote.remote-ssh"
--- a/.vscode/module.code-snippets
+++ b/.vscode/module.code-snippets
@ -1,32 +0,0 @@
 {
  "nix-module": {
    "prefix": "nm",
    "body": [
      "{ lib",
      ", config",
      ", pkgs",
      ", ...",
      "}:",
      "with lib;",
      "let",
      "  cfg = config.mySystem.${1}.${2};",
      "  app = \"${3}\"",
      "  appFolder = \"apps/${app}\";",
      "  persistentFolder = \"${config.mySystem.persistentFolder}/${appFolder}\";",
      "  user = app;",
      "  group = app;",
      "in",
      "{",
      "  options.mySystem.${1}.${2}.enable = mkEnableOption \"${4}\";",
      "",
      "  config = mkIf cfg.enable {",
      "",
      "  $5",
      "",
      "  };",
      "}",
      ""
    ],
    "description": "nix-module"
  }
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,46 @@
 {
  "editor.fontFamily": "CaskaydiaMono Nerd Font Mono",
  "files.associations": {
    "*.json5": "jsonc"
  },
  "editor.hover.delay": 1500,
  "editor.bracketPairColorization.enabled": true,
  "editor.guides.bracketPairs": true,
  "editor.guides.bracketPairsHorizontal": true,
  "editor.guides.highlightActiveBracketPair": true,
  "files.trimTrailingWhitespace": true,
  "sops.defaults.ageKeyFile": "age.key",
  "nix.enableLanguageServer": true,
  "nix.serverPath": "nixd",
  "nix.formatterPath": "alejandra",
  "nix.serverSettings": {
    "nixd": {
      "formatting": {
        "command": ["alejandra"]
      },
      "options": {
        "nixos": {
          "expr": "(builtins.getFlake \"/home/jahanson/projects/mochi\").nixosConfigurations.shadowfax.options"
        }
      }
    },
    "nix": {
      "binary": "nix",
      "maxMemoryMB": null,
      "flake": {
        "autoEvalInputs": true,
        "autoArchive": true,
        "nixpkgsInputName": "nixpkgs"
      }
    }
  },
  "[jsonc]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode"
  },
  "sops.binPath": "/run/current-system/sw/bin/sops",
  "editor.formatOnSave": true,
  "bashIde.explainshellEndpoint": "http://localhost:5000",
  "bashIde.shellcheckPath": "/run/current-system/sw/bin/shellcheck",
  "bashIde.shfmt.path": "/run/current-system/sw/bin/shfmt",
  "mise.binPath": "/etc/profiles/per-user/jahanson/bin/mise"
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -3,12 +3,15 @@
  inputs = {
    # Nixpkgs and unstable
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    # impermanence
+    # Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community.
-    # https://github.com/nix-community/impermanence
+    # https://git.lix.systems/lix-project/lix
-    impermanence.url = "github:nix-community/impermanence";
+    lix-module = {
      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Nix User Repository: User contributed nix packages
    nur.url = "github:nix-community/NUR";
@ -26,7 +29,7 @@
    # home-manager - Manage user configuration with nix
    # https://github.com/nix-community/home-manager
    home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
@ -44,13 +47,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # nix-index database
    # https://github.com/nix-community/nix-index-database
    nix-index-database = {
      url = "github:nix-community/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # nix-inspect - inspect nix derivations usingn a TUI interface
    # https://github.com/bluskript/nix-inspect
    nix-inspect = {
@ -59,18 +55,12 @@
    };
    # talhelper - A tool to help creating Talos kubernetes cluster
    # https://github.com/budimanjojo/talhelper
    talhelper = {
      url = "github:budimanjojo/talhelper";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    # Lix- Substitution of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community.
    # https://git.lix.systems/lix-project/lix
    lix-module = {
      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0.tar.gz";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # NixVirt for qemu & libvirt
    # https://github.com/AshleyYakeley/NixVirt
    nixvirt-git = {
@ -78,188 +68,177 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # vscode-server - NixOS module for running vscode-server
    vscode-server.url = "github:nix-community/nixos-vscode-server";
    # krewfile - Declarative krew plugin management
    # krewfile = {
    #  url = "github:brumhard/krewfile";
    #  inputs.nixpkgs.follows = "nixpkgs";
    # };
    # nix-minecraft - Minecraft server management
    # https://github.com/infinidoge/nix-minecraft
    nix-minecraft = {
      url = "github:Infinidoge/nix-minecraft";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    # Hyprland
    hyprland.url = "github:hyprwm/Hyprland";
    # Hyprland plugins
    hyprland-plugins = {
      url = "github:hyprwm/hyprland-plugins";
      inputs.hyprland.follows = "hyprland";
    };
    # nvf -  A highly modular, extensible and distro-agnostic Neovim configuration framework for Nix/NixOS.
    nvf.url = "github:notashelf/nvf";
  };
-  outputs =
+  outputs = {
-    { self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, ... } @ inputs:
+    self,
-    let
+    nixpkgs,
-      forAllSystems = nixpkgs.lib.genAttrs [
+    nixpkgs-unstable,
-        "aarch64-linux"
+    sops-nix,
-        "x86_64-linux"
+    home-manager,
-      ];
+    disko,
-    in
+    lix-module,
-    rec {
+    vscode-server,
-      # Use nixpkgs-fmt for 'nix fmt'
+    nvf,
-      formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
+    ...
  } @ inputs: let
    forAllSystems = nixpkgs.lib.genAttrs [
      "aarch64-linux"
      "x86_64-linux"
    ];
  in rec {
    # Use nixpkgs-fmt for 'nix fmt'
    formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixfmt-rfc-style);
-      # setup devshells against shell.nix
+    # setup devshells against shell.nix
-      # devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
+    # devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
-      # extend lib with my custom functions
+    # extend lib with my custom functions
-      lib = nixpkgs.lib.extend (
+    lib = nixpkgs.lib.extend (
-        final: prev: {
+      final: prev: {
        inherit inputs;
        myLib = import ./nixos/lib {
          inherit inputs;
-          myLib = import ./nixos/lib { inherit inputs; lib = final; };
+          lib = final;
-        }
+        };
-      );
+      }
    );
-      nixosConfigurations =
+    nixosConfigurations = let
-        let
+      inherit inputs;
-          inherit inputs;
+      # Import overlays for building nixosconfig with them.
-          # Import overlays for building nixosconfig with them.
+      overlays = import ./nixos/overlays {inherit inputs;};
-          overlays = import ./nixos/overlays { inherit inputs; };
+      # generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
-          # generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
+      mkNixosConfig = {
-          mkNixosConfig =
+        hostname,
-            { hostname
+        system ? "x86_64-linux",
-            , system ? "x86_64-linux"
+        nixpkgs ? inputs.nixpkgs,
-            , nixpkgs ? inputs.nixpkgs
+        disabledModules ? [],
-            , hardwareModules ? [ ]
+        hardwareModules ? [],
-              # basemodules is the base of the entire machine building
+        # basemodules is the base of the entire machine building
-              # here we import all the modules and setup home-manager
+        # here we import all the modules and setup home-manager
-            , baseModules ? [
+        baseModules ? [
-                sops-nix.nixosModules.sops
+          sops-nix.nixosModules.sops
-                home-manager.nixosModules.home-manager
+          home-manager.nixosModules.home-manager
-                impermanence.nixosModules.impermanence
+          nvf.nixosModules.default
-                ./nixos/profiles/global.nix # all machines get a global profile
+          ./nixos/profiles/global.nix # all machines get a global profile
-                ./nixos/modules/nixos # all machines get nixos modules
+          ./nixos/modules/nixos # all machines get nixos modules
-                ./nixos/hosts/${hostname}   # load this host's config folder for machine-specific config
+          ./nixos/hosts/${hostname} # load this host's config folder for machine-specific config
-                {
+          {
-                  home-manager = {
+            inherit disabledModules;
-                    useUserPackages = true;
+            home-manager = {
-                    useGlobalPkgs = true;
+              useUserPackages = true;
-                    extraSpecialArgs = {
+              useGlobalPkgs = true;
-                      inherit inputs hostname system;
+              extraSpecialArgs = {
-                    };
+                inherit inputs hostname system;
                  };
                }
              ]
            , profileModules ? [ ]
            }:
            nixpkgs.lib.nixosSystem {
              inherit system lib;
              modules = baseModules ++ hardwareModules ++ profileModules;
              specialArgs = { inherit self inputs nixpkgs; };
              # Add our overlays
              pkgs = import nixpkgs {
                inherit system;
                overlays = builtins.attrValues overlays;
                config = {
                  allowUnfree = true;
                  allowUnfreePredicate = _: true;
                };
              };
            };
-        in
+          }
-        {
+        ],
-          "durincore" = mkNixosConfig {
+        profileModules ? [],
-            # T470 Thinkpad Intel i7-6600U
+      }:
-            # Nix dev laptop
+        nixpkgs.lib.nixosSystem {
-            hostname = "durincore";
+          inherit system lib;
-            system = "x86_64-linux";
+          modules = baseModules ++ hardwareModules ++ profileModules;
-            hardwareModules = [
+          specialArgs = {inherit self inputs nixpkgs;};
-              ./nixos/profiles/hw-thinkpad-t470.nix
+          # Add our overlays
-              inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
+          pkgs = import nixpkgs {
-            ];
+            inherit system;
-            profileModules = [
+            overlays = builtins.attrValues overlays;
-              ./nixos/profiles/role-workstation.nix
+            config = {
-              ./nixos/profiles/role-dev.nix
+              allowUnfree = true;
-              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
+              allowUnfreePredicate = _: true;
-            ];
+            };
          };
          "legiondary" = mkNixosConfig {
            # Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
            # Nix dev/gaming laptop
            hostname = "legiondary";
            system = "x86_64-linux";
            hardwareModules = [
              inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
              ./nixos/profiles/hw-legion-15arh05h.nix
              disko.nixosModules.disko
              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
            ];
            profileModules = [
              ./nixos/profiles/role-dev.nix
              ./nixos/profiles/role-gaming.nix
              ./nixos/profiles/role-workstation.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
            ];
          };
          "telchar" = mkNixosConfig {
            # Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
            # Nix dev laptop
            hostname = "telchar";
            system = "x86_64-linux";
            hardwareModules = [
              inputs.nixos-hardware.nixosModules.framework-16-7040-amd
              ./nixos/profiles/hw-framework-16-7840hs.nix
              disko.nixosModules.disko
              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
              lix-module.nixosModules.default
            ];
            profileModules = [
              ./nixos/profiles/role-dev.nix
              ./nixos/profiles/role-workstation.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
            ];
          };
          "varda" = mkNixosConfig {
            # Arm64 cax21 @ Hetzner
            # forgejo server
            hostname = "varda";
            system = "aarch64-linux";
            hardwareModules = [
              ./nixos/profiles/hw-hetzner-cax.nix
            ];
            profileModules = [
              ./nixos/profiles/role-server.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
            ];
          };
          "telperion" = mkNixosConfig {
            # HP-S01 Intel G5900
            # Network services server
            hostname = "telperion";
            system = "x86_64-linux";
            hardwareModules = [
              ./nixos/profiles/hw-hp-s01.nix
              disko.nixosModules.disko
              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
            ];
            profileModules = [
              ./nixos/profiles/role-server.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
            ];
          };
          "gandalf" = mkNixosConfig {
            # X9DRi-LN4+/X9DR3-LN4+ - Intel(R) Xeon(R) CPU E5-2650 v2
            # NAS
            hostname = "gandalf";
            system = "x86_64-linux";
            hardwareModules = [
              lix-module.nixosModules.default
              ./nixos/profiles/hw-supermicro.nix
            ];
            profileModules = [
              ./nixos/profiles/role-server.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
            ];
          };
        };
    in {
      "shadowfax" = mkNixosConfig {
        # Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
        # Workloads server
        hostname = "shadowfax";
        system = "x86_64-linux";
        disabledModules = [
          "services/web-servers/minio.nix"
          "services/web-servers/caddy/default.nix"
        ];
        hardwareModules = [
          lix-module.nixosModules.default
          ./nixos/profiles/hw-threadripperpro.nix
        ];
        profileModules = [
          vscode-server.nixosModules.default
          "${nixpkgs-unstable}/nixos/modules/services/web-servers/minio.nix"
          "${nixpkgs-unstable}/nixos/modules/services/web-servers/caddy/default.nix"
          ./nixos/profiles/role-dev.nix
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/sworkstation.nix;}
        ];
      };
-      # Convenience output that aggregates the outputs for home, nixos.
+      "telperion" = mkNixosConfig {
-      # Also used in ci to build targets generally.
+        # HP-S01 Intel G5900
-      top =
+        # Network services server
-        let
+        hostname = "telperion";
-          nixtop = nixpkgs.lib.genAttrs
+        system = "x86_64-linux";
-            (builtins.attrNames inputs.self.nixosConfigurations)
+        hardwareModules = [
-            (attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel);
+          ./nixos/profiles/hw-hp-s01.nix
-        in
+          disko.nixosModules.disko
-        nixtop;
+          (import ./nixos/profiles/disko-nixos.nix {disks = ["/dev/nvme0n1"];})
        ];
        profileModules = [
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
        ];
      };
      "varda" = mkNixosConfig {
        # Arm64 cax21 @ Hetzner
        # forgejo server
        hostname = "varda";
        system = "aarch64-linux";
        hardwareModules = [
          ./nixos/profiles/hw-hetzner-cax.nix
        ];
        profileModules = [
          ./nixos/profiles/role-server.nix
          {home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
        ];
      };
    };
    # Convenience output that aggregates the outputs for home, nixos.
    # Also used in ci to build targets generally.
    top = let
      nixtop = nixpkgs.lib.genAttrs (builtins.attrNames inputs.self.nixosConfigurations) (
        attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel
      );
    in
      nixtop;
  };
 }
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
--- a/nixos/home/jahanson/global.nix
+++ b/nixos/home/jahanson/global.nix
@ -1,4 +1,8 @@
-{ pkgs, config, ... }:
+{
  pkgs,
  config,
  ...
 }:
 with config;
 {
  imports = [
@ -6,14 +10,29 @@ with config;
  ];
  config = {
-    myHome.username = "jahanson";
+    myHome = {
-    myHome.homeDirectory = "/home/jahanson/";
+      username = "jahanson";
      homeDirectory = "/home/jahanson/";
      shell = {
        atuind.enable = true;
        starship.enable = true;
        fish.enable = true;
      };
    };
    systemd.user.sessionVariables = {
      EDITOR = "vim";
    };
    # Home Manager
    ## Tasks, env, and secrets management.
    programs.mise = {
      enable = true;
      package = pkgs.unstable.mise;
    };
    home = {
      # Install these packages for my user
      packages = with pkgs; [
        # misc
@ -33,39 +52,40 @@ with config;
        p7zip
        # cli
        _1password
        bat
        dbus
        direnv
        git
        nix-index
        python3
        fzf
        ripgrep
        vim
        lsd
        unstable.atuin
        # terminal file managers
        nnn
        ranger
-        yazi
+        unstable.yazi-unwrapped
        # networking tools
        iperf3
-        dnsutils  # `dig` + `nslookup`
+        dnsutils # `dig` + `nslookup`
        ldns # replacement of `dig`, it provide the command `drill`
        aria2 # A lightweight multi-protocol & multi-source command-line download utility
        socat # replacement of openbsd-netcat
        nmap # A utility for network discovery and security auditing
-        ipcalc  # it is a calculator for the IPv4/v6 addresses
+        ipcalc # it is a calculator for the IPv4/v6 addresses
        # system tools
        sysstat
        lm_sensors # for `sensors` command
-        ethtool
+        ethtool # modify network interface settings or firmware
        pciutils # lspci
        usbutils # lsusb
        lshw # lshw
        # filesystem tools
        gptfdisk # sgdisk
        # system call monitoring
        strace # system call monitoring
@ -82,13 +102,12 @@ with config;
        # nix tools
        nvd
        # backup tools
        unstable.rclone
        unstable.restic
      ];
      sessionVariables = {
        EDITOR = "vim";
      };
    };
  };
 }
--- a/nixos/home/jahanson/sworkstation.nix
+++ b/nixos/home/jahanson/sworkstation.nix
@ -0,0 +1,33 @@
 {pkgs, ...}: {
  imports = [
    ./global.nix
  ];
  config = {
    myHome = {
      programs.firefox.enable = true;
      programs.thunderbird.enable = true;
      shell = {
        # soon(tm)
        # ghostty.enable = true;
        git = {
          enable = true;
          username = "Joseph Hanson";
          email = "joe@veri.dev";
          signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
        };
      };
    };
    home = {
      # Install these packages for my user
      packages = with pkgs; [
        # apps
        solaar # open source manager for logitech unifying receivers
        # unstable.vesktop # gpu issues. Using the flatpak version solves this issue.
        vlc
      ];
    };
  };
 }
--- a/nixos/home/jahanson/workstation.nix
+++ b/nixos/home/jahanson/workstation.nix
@ -1,52 +1,80 @@
-{ pkgs, config, ... }:
+{
-with config;
+  pkgs,
  inputs,
  ...
 }:
 let
  coderMainline = pkgs.coder.override { channel = "mainline"; };
 in
 {
  imports = [
    ./global.nix
    inputs.krewfile.homeManagerModules.krewfile
  ];
-
+  config = {
-  myHome.programs.firefox.enable = true;
+    # Krewfile management
-
+    programs.krewfile = {
  myHome.shell = {
    starship.enable = true;
    fish.enable = true;
    wezterm.enable = true;
    atuind.enable = true;
    git = {
      enable = true;
-      username = "Joseph Hanson";
+      krewPackage = pkgs.krew;
-      email = "joe@veri.dev";
+      indexes = {
-      signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
+        "netshoot" = "https://github.com/nilic/kubectl-netshoot.git";
      };
      plugins = [
        "netshoot/netshoot"
        "resource-capacity"
        "rook-ceph"
      ];
    };
  };
-  home = {
+    myHome = {
-    # Install these packages for my user
+      programs.firefox.enable = true;
-    packages = with pkgs;
+      programs.thunderbird.enable = true;
-      [
+      shell = {
-        #apps
+        wezterm.enable = true;
-        _1password-gui
+
-        discord
+        git = {
-        flameshot
+          enable = true;
-        vlc
+          username = "Joseph Hanson";
-        warp-terminal
+          email = "joe@veri.dev";
-        termius
+          signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
        };
      };
    };
    home = {
      # Install these packages for my user
      packages = with pkgs; [
        # apps
        obsidian
        jetbrains.datagrip
        talosctl
        pika-backup
        parsec-bin
-        unstable.nheko
+        solaar # open source manager for logitech unifying receivers
        unstable.bruno
        # unstable.fractal
        unstable.httpie
        unstable.jetbrains.datagrip
        unstable.jetbrains.rust-rover
        unstable.seabird
        unstable.talosctl # overlay override
        unstable.telegram-desktop
        unstable.tidal-hifi
        unstable.xpipe
        # unstable.vesktop # gpu issues. Using the flatpak version solves this issue.
        vlc
        yt-dlp
        # cli
        brightnessctl
        # dev utils
-        pre-commit # Pre-commit tasks for git
+        kubectl
        minio-client # S3 management
        pre-commit # Pre-commit tasks for git
        shellcheck # shell script linting
-        unstable.act
+        unstable.act # run GitHub actions locally
        unstable.kubebuilder # k8s controller development
        unstable.nodePackages_latest.prettier # code formatter
        coderMainline # VSCode in the browser -- has overlay
      ];
    };
  };
 }
--- a/nixos/home/modules/default.nix
+++ b/nixos/home/modules/default.nix
@ -1,4 +1,5 @@
-{ lib, ... }: {
+{ lib, ... }:
 {
  imports = [
    ./shell
--- a/nixos/home/modules/programs/browsers/default.nix
+++ b/nixos/home/modules/programs/browsers/default.nix
@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
 {
  imports = [
    ./firefox
  ];
--- a/nixos/home/modules/programs/browsers/firefox/default.nix
+++ b/nixos/home/modules/programs/browsers/firefox/default.nix
@ -1,32 +1,25 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.myHome.programs.firefox;
 in
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.myHome.programs.firefox;
 in {
  options.myHome.programs.firefox.enable = mkEnableOption "Firefox";
-  config = mkIf cfg.enable
+  config = mkIf cfg.enable {
-    {
+    programs.firefox = {
-      programs.firefox = {
+      enable = true;
-        enable = true;
+      package = pkgs.firefox.override {
-        package = pkgs.firefox.override
+        extraPolicies = {
-          {
+          DontCheckDefaultBrowser = true;
-            extraPolicies = {
+          DisablePocket = true;
-              DontCheckDefaultBrowser = true;
+        };
              DisablePocket = true;
              # See nixpkgs' firefox/wrapper.nix to check which options you can use
              nativeMessagingHosts = [
                # Gnome shell native connector
                pkgs.gnome-browser-connector
                # plasma connector
                # plasma5Packages.plasma-browser-integration
              ];
            };
          };
        policies = import ./policies.nix;
        profiles.default = import ./profile-default.nix { inherit pkgs; };
      };
      policies = import ./policies.nix;
      profiles.default = import ./profile-default.nix {inherit pkgs;};
    };
  };
 }
--- a/nixos/home/modules/programs/browsers/firefox/policies.nix
+++ b/nixos/home/modules/programs/browsers/firefox/policies.nix
@ -8,9 +8,9 @@
    Fingerprinting = true;
  };
  DisablePocket = true;
-  # DisableFirefoxAccounts = true;
+  DisableFirefoxAccounts = true;
-  # DisableAccounts = true;
+  DisableAccounts = true;
-  # DisableFirefoxScreenshots = true;
+  DisableFirefoxScreenshots = true;
  # OverrideFirstRunPage = "";
  OverridePostUpdatePage = "";
  DontCheckDefaultBrowser = true;
--- a/nixos/home/modules/programs/browsers/firefox/profile-default.nix
+++ b/nixos/home/modules/programs/browsers/firefox/profile-default.nix
@ -1,5 +1,4 @@
-{ pkgs }:
+{pkgs}: {
 {
  id = 0;
  name = "default";
  isDefault = true;
@ -11,22 +10,21 @@
    # 2 => the last page viewed in Firefox
    # 3 => previous session windows and tabs
    "browser.startup.page" = "3";
    "browser.send_pings" = false;
    # Do not track
    "privacy.donottrackheader.enabled" = "true";
    "privacy.donottrackheader.value" = 1;
    "browser.display.use_system_colors" = "true";
    "browser.display.use_document_colors" = "false";
    "devtools.theme" = "dark";
    "extensions.pocket.enabled" = false;
  };
  extensions = with pkgs.nur.repos.rycee.firefox-addons; [
    ublock-origin
    privacy-badger
    link-cleaner
    refined-github
    kagi-search
    languagetool
    onepassword-password-manager
    streetpass-for-mastodon
    dearrow
    sponsorblock
  ];
 }
--- a/nixos/home/modules/programs/de/gnome/default.nix
+++ b/nixos/home/modules/programs/de/gnome/default.nix
@ -1,46 +0,0 @@
 # Adjusted manually from generated output of dconf2nix
 # https://github.com/gvolpe/dconf2nix
 { lib, pkgs, osConfig, ... }:
 with lib.hm.gvariant; {
  config = lib.mkIf osConfig.mySystem.de.gnome.enable {
    # add user packages
    home.packages = with pkgs;  [
      dconf2nix
    ];
    # worked out from dconf2nix
    # dconf dump / | dconf2nix > dconf.nix
    # can also dconf watch
    dconf.settings = {
      "org/gnome/mutter" = {
        edge-tiling = true;
        workspaces-only-on-primary = false;
      };
      "org/gnome/desktop/wm/preferences" = {
        workspace-names = [ "sys" "talk" "web" "edit" "run" ];
      };
      "org/gnome/shell" = {
        disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
        enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
        favorite-apps = [ "org.gnome.Nautilus.desktop" "vivaldi-stable.desktop" "termius-app.desktop" "dev.warp.Warp.desktop" "org.wezfurlong.wezterm.desktop" "obsidian.desktop" "org.gnome.Console.desktop" "code.desktop" "discord.desktop" ];
      };
      "org/gnome/nautilus/preferences" = {
        default-folder-viewer = "list-view";
      };
      "org/gnome/nautilus/icon-view" = {
        default-zoom-level = "small";
      };
      "org/gnome/desktop/interface" = {
        color-scheme = "prefer-dark";
      };
      "org/gnome/desktop/peripherals/touchpad" = {
        tap-to-click = false;
      };
      "org/gnome/desktop/interface" = {
        clock-format = "12h";
        show-battery-percentage = true;
      };
    };
  };
 }
--- a/nixos/home/modules/programs/default.nix
+++ b/nixos/home/modules/programs/default.nix
@ -1,6 +1,7 @@
-{ ... }: {
+{ ... }:
 {
  imports = [
    ./browsers
-    ./de
+    ./thunderbird
  ];
 }
--- a/nixos/home/modules/programs/thunderbird/default.nix
+++ b/nixos/home/modules/programs/thunderbird/default.nix
@ -0,0 +1,42 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.myHome.programs.thunderbird;
  policies = {
    ExtensionSettings = {
      "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
      "quickmove@mozilla.kewis.ch" = {
        # Quick folder move
        # https://addons.thunderbird.net/en-US/thunderbird/addon/quick-folder-move/
        install_url = "https://addons.thunderbird.net/thunderbird/downloads/latest/quick-folder-move/latest.xpi";
        installation_mode = "force_installed";
      };
      # https://addons.thunderbird.net/user-media/addons/_attachments/987716/minimize_on_close-2.0.1.4-tb.xpi
      "minimizeonclose@rsjtdrjgfuzkfg.com" = {
        # Minimize on Close
        # https://addons.thunderbird.net/en-US/thunderbird/addon/minimize-on-close/
        install_url = "https://addons.thunderbird.net/user-media/addons/_attachments/987716/minimize_on_close-2.0.1.4-tb.xpi";
        installation_mode = "force_installed";
      };
    };
  };
 in
 {
  options.myHome.programs.thunderbird.enable = lib.mkEnableOption "Thunderbird";
  config = lib.mkIf cfg.enable {
    programs.thunderbird = {
      enable = true;
      package = pkgs.thunderbird-128.override (old: {
        extraPolicies = (old.extrapPolicies or { }) // policies;
      });
      profiles.default.isDefault = true;
    };
  };
 }
--- a/nixos/home/modules/security/default.nix
+++ b/nixos/home/modules/security/default.nix
@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
 {
  imports = [
    ./ssh
  ];
--- a/nixos/home/modules/security/ssh/default.nix
+++ b/nixos/home/modules/security/ssh/default.nix
@ -1,5 +1,6 @@
 { config, lib, ... }:
-with lib; let
+with lib;
 let
  cfg = config.myHome.security.ssh;
 in
 {
--- a/nixos/home/modules/shell/atuind/default.nix
+++ b/nixos/home/modules/shell/atuind/default.nix
@ -1,6 +1,11 @@
-{ config, pkgs, lib, ... }:
+{
-with lib; let
+  config,
-  inherit (config.myHome) username homeDirectory;
+  pkgs,
  lib,
  ...
 }:
 with lib;
 let
  cfg = config.myHome.shell.atuind;
 in
 {
@ -10,22 +15,21 @@ in
  config = mkMerge [
    (mkIf cfg.enable {
-      systemd.user.services.atuind =
+      systemd.user.services.atuind = {
-        {
+        Install = {
-          Install = {
+          WantedBy = [ "default.target" ];
            WantedBy = [ "default.target" ];
          };
          Unit = {
            After = [ "network.target" ];
          };
          Service = {
            Environment = "ATUIN_LOG=info";
            ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
            # Remove the socket file if the daemon is not running. 
            # Unexpected shutdowns may have left this file here.
            ExecStartPre="/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
          };
        };
        Unit = {
          After = [ "network.target" ];
        };
        Service = {
          Environment = "ATUIN_LOG=info";
          ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
          # Remove the socket file if the daemon is not running.
          # Unexpected shutdowns may have left this file here.
          ExecStartPre = "/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
        };
      };
    })
  ];
 }
--- a/nixos/home/modules/shell/default.nix
+++ b/nixos/home/modules/shell/default.nix
@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
 {
  imports = [
    ./atuind
    ./fish
--- a/nixos/home/modules/shell/fish/default.nix
+++ b/nixos/home/modules/shell/fish/default.nix
@ -1,5 +1,11 @@
-{ config, pkgs, lib, ... }:
+{
-with lib; let
+  config,
  pkgs,
  lib,
  ...
 }:
 with lib;
 let
  inherit (config.myHome) username homeDirectory;
  cfg = config.myHome.shell.fish;
 in
@ -21,12 +27,31 @@ in
          lt = "${pkgs.lsd}/bin/lsd --tree";
          lla = "${pkgs.lsd}/bin/lsd -la";
          tm = "tmux attach -t (basename $PWD) || tmux new -s (basename $PWD)";
          lsusb = "cyme --headings --tree --hide-buses";
          x = "exit";
          ncdu = "ncdu --color dark";
        };
        shellAbbrs = {
          nrs = "sudo nixos-rebuild switch --flake .";
          nvdiff = "nvd diff /run/current-system result";
          # rook & ceph versions.
          rcv = ''
            kubectl \
              -n rook-ceph \
              get deployments \
              -l rook_cluster=rook-ceph \
              -o jsonpath='{range .items[*]}{.metadata.name}{"  \treq/upd/avl: "}{.spec.replicas}{"/"}{.status.updatedReplicas}{"/"}{.status.readyReplicas}{"  \trook-version="}{.metadata.labels.rook-version}{"  \tceph-version="}{.metadata.labels.ceph-version}{"\n"}{end}'
          '';
        };
        functions = {
          nix-which = {
            body = ''
              set -l cmd $argv[1]
              nix-locate --whole-name --type x --type s "$cmd"
            '';
          };
        };
        interactiveShellInit = ''
@ -47,10 +72,12 @@ in
            end
          end
          # Krew
          set -q KREW_ROOT; and set -gx PATH $PATH $KREW_ROOT/.krew/bin; or set -gx PATH $PATH $HOME/.krew/bin
          # Paths are in reverse priority order
          update_path /opt/homebrew/opt/postgresql@16/bin
          update_path /opt/homebrew/bin
          update_path ${homeDirectory}/.krew/bin
          update_path /nix/var/nix/profiles/default/bin
          update_path /run/current-system/sw/bin
          update_path /etc/profiles/per-user/${username}/bin
@ -61,11 +88,38 @@ in
          update_path ${homeDirectory}/.local/bin
          set -gx EDITOR "vim"
          if test (hostname) = "telchar"
            set -gx VISUAL "code"
          end
          set -gx SSH_ASKPASS_REQUIRE "prefer" # This is for git to use the ssh-askpass
          set -gx ATUIN_SYNC_ADDRESS "https://sh.hsn.dev"
          # Mise https://mise.jdx.dev
          mise activate fish | source
          # One Password cli
          if test -e ~/.config/op/plugins.sh
            source ~/.config/op/plugins.sh
          end
          set -gx LSCOLORS "Gxfxcxdxbxegedabagacad"
          set -gx LS_COLORS 'di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'
-          atuin init fish | source
+          set -l connection_type
          # Disable atuin up arrow and ctrl-r keybindings when running in a tty
          if test -z "$DISPLAY" && test -z "$WAYLAND_DISPLAY" && test -z "$SSH_CLIENT"
            atuin init fish --disable-up-arrow --disable-ctrl-r | source
          else
            atuin init fish | source
          end
          # Ghostty shell integration for Bash. This must be at the top of your fish!!!
          if set -q GHOSTTY_RESOURCES_DIR
              source "$GHOSTTY_RESOURCES_DIR/shell-integration/fish/vendor_conf.d/ghostty-shell-integration.fish"
          end
        '';
      };
--- a/nixos/home/modules/shell/git/default.nix
+++ b/nixos/home/modules/shell/git/default.nix
@ -1,4 +1,9 @@
-{ pkgs, config, lib, ... }:
+{
  pkgs,
  config,
  lib,
  ...
 }:
 let
  cfg = config.myHome.shell.git;
 in
@ -18,51 +23,52 @@ in
  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
-      programs.gh.enable = true;
+      programs = {
-      programs.gpg.enable = true;
+        gh.enable = true;
        gpg.enable = true;
        git = {
          enable = true;
-      programs.git = {
+          userName = cfg.username;
-        enable = true;
+          userEmail = cfg.email;
-        userName = cfg.username;
+          extraConfig = {
-        userEmail = cfg.email;
+            core.autocrlf = "input";
-
+            init.defaultBranch = "main";
-        extraConfig = {
+            pull.rebase = true;
-          core.autocrlf = "input";
+            rebase.autoStash = true;
-          init.defaultBranch = "main";
+            # public key for signing commits
-          pull.rebase = true;
+            user.signingKey = cfg.signingKey;
-          rebase.autoStash = true;
+            # ssh instead of gpg
-          # public key for signing commits
+            gpg.format = "ssh";
-          user.signingKey = cfg.signingKey;
+            # 1password signing gui git signing
-          # ssh instead of gpg
+            gpg.ssh.program = "${pkgs._1password-gui}/bin/op-ssh-sign";
-          gpg.format = "ssh";
+            # Auto sign commits without -S
-          # 1password signing gui git signing
+            commit.gpgsign = true;
-          gpg.ssh.program = "${pkgs._1password-gui}/bin/op-ssh-sign";
+          };
-          # Auto sign commits without -S
+          aliases = {
-          commit.gpgsign = true;
+            co = "checkout";
          };
          ignores = [
            # Mac OS X hidden files
            ".DS_Store"
            # Windows files
            "Thumbs.db"
            # asdf
            ".tool-versions"
            # Sops
            ".decrypted~*"
            "*.decrypted.*"
            # Python virtualenvs
            ".venv"
          ];
        };
        aliases = {
          co = "checkout";
        };
        ignores = [
          # Mac OS X hidden files
          ".DS_Store"
          # Windows files
          "Thumbs.db"
          # asdf
          ".tool-versions"
          # Sops
          ".decrypted~*"
          "*.decrypted.*"
          # Python virtualenvs
          ".venv"
        ];
      };
      home.packages = [
        pkgs.git-filter-repo
        pkgs.tig
-        pkgs.lazygit
+        pkgs.unstable.lazygit
      ];
    })
  ];
--- a/nixos/home/modules/shell/starship/default.nix
+++ b/nixos/home/modules/shell/starship/default.nix
@ -1,12 +1,16 @@
-{ lib
+{
-, config
+  lib,
-, ...
+  config,
  ...
 }:
-with lib; let
+with lib;
 let
  cfg = config.myHome.shell.starship;
 in
 {
-  options.myHome.shell.starship = { enable = mkEnableOption "starship"; };
+  options.myHome.shell.starship = {
    enable = mkEnableOption "starship";
  };
  config = mkIf cfg.enable {
    programs.starship = {
--- a/nixos/home/modules/shell/wezterm/default.nix
+++ b/nixos/home/modules/shell/wezterm/default.nix
@ -1,5 +1,11 @@
-{ config, pkgs, lib, ... }:
+{
-with lib; let
+  config,
  pkgs,
  lib,
  ...
 }:
 with lib;
 let
  cfg = config.myHome.shell.wezterm;
 in
 {
--- a/nixos/hosts/durincore/default.nix
+++ b/nixos/hosts/durincore/default.nix
@ -1,39 +0,0 @@
 { ... }: {
  config = {
    networking.hostId = "ad4380db";
    networking.hostName = "durincore";
    # Kernel mods
    boot = {
      initrd = {
        availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
        kernelModules = [ ];
      };
      kernelModules = [ "kvm-intel" ];
      extraModulePackages = [ ];
    };
    fileSystems."/" =
      { device = "rpool/root";
        fsType = "zfs";
      };
    fileSystems."/home" =
      { device = "rpool/home";
        fsType = "zfs";
      };
    fileSystems."/boot" =
      { device = "/dev/disk/by-uuid/F1B9-CA7C";
        fsType = "vfat";
        options = [ "fmask=0077" "dmask=0077" ];
      };
    swapDevices = [ ];
    # System settings and services.
    mySystem = {
      system.motd.networkInterfaces = [ "enp0s31f6" "wlp4s0" ];
    };
  };
 }
--- a/nixos/hosts/gandalf/config/samba-config.nix
+++ b/nixos/hosts/gandalf/config/samba-config.nix
@ -1,11 +0,0 @@
 { ... }:
 ''
  workgroup = WORKGROUP
  server string = gandalf
  netbios name = gandalf
  security = user 
  # note: localhost is the ipv6 localhost ::1
  hosts allow = 0.0.0.0/0
  guest account = nobody
  map to guest = bad user
 ''
--- a/nixos/hosts/gandalf/default.nix
+++ b/nixos/hosts/gandalf/default.nix
@ -1,105 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, modulesPath, inputs, ... }:
 let 
  sanoidConfig = import ./config/sanoid.nix { };
 in
 {
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
      inputs.disko.nixosModules.disko
      (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
    ];
  boot = {
    initrd = {
      availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "isci" "usbhid" "usb_storage" "sd_mod" ];
      kernelModules = [ "nfs" ];
      supportedFilesystems = [ "nfs" ];
    };
    kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
    extraModulePackages = [ ];
    kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
  ];
  # Network settings
  networking = {
    hostName = "gandalf";
    hostId = "e2fc95cd";
    useDHCP = false; # needed for bridge
    networkmanager.enable = true;
    # TODO: Add ports specifically.
    # firewall.enable = false;
    interfaces = {
      "enp130s0f0".useDHCP = true;
      "enp130s0f1".useDHCP = true;
    };
    # For VMs
    bridges = {
      "br0" = {
        interfaces = [ "enp130s0f1" ];
      };
    };
  };
  swapDevices = [ ];
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  sops = {
    secrets = {
      "lego/dnsimple/token" = {
        mode = "0444";
        sopsFile = ./secrets.sops.yaml;
      };
    };
  };
  # System settings and services.
  mySystem = {
    purpose = "Production";
    system = {
      motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
      # ZFS
      zfs.enable = true;
      zfs.mountPoolsAtBoot = [ "eru" ];
      # NFS
      nfs.enable = true;
      # Samba
      samba.enable = true;
      samba.shares = import ./config/samba-shares.nix { };
      samba.extraConfig = import ./config/samba-config.nix { };
    };
    services = {
      podman.enable = true;
      libvirt-qemu.enable = true;
      # Sanoid
      sanoid = {
        enable = true;
        inherit (sanoidConfig.outputs) templates datasets;
      };
      # Unifi & Lego-Auto
      unifi.enable = true;
      lego-auto = {
        enable = true;
        dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
        domains = "gandalf.jahanson.tech";
        email = "joe@veri.dev";
        provider = "dnsimple";
      };
    };
  };
 }
--- a/nixos/hosts/gandalf/secrets.sops.yaml
+++ b/nixos/hosts/gandalf/secrets.sops.yaml
@ -1,77 +0,0 @@
 lego:
    dnsimple:
        token: ENC[AES256_GCM,data:CfRFhGE8AyZfO9RzoXXTfm8kstvx+Fuy53o9ulYNZiufzzSQ4KzwYIoCRw==,iv:HEC8hRpmk7YDI7RHj29ZAeFKyPgsWTHw1sxjdZuhcrw=,tag:7RhEhZ9GkyBE9PJRe+gD+Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZVhNdGh2c3dpYWU2TDNJ
            M2Vyb29jQ2xHMXBKVk10dkhWVUFmVkpmV2tnCjF5ZnBBcGtkZjFYbU0zQXNNRCti
            QzVKOGR2OUQvRXVvOXZlb1I0V00rcWsKLS0tIElHeHhkSmt5UkZhTjk1dkFSbUp0
            M1BiUzZkU0pDbHVQNC9yQ3pzSU5INm8KcRB4uY0PHnDfc4bJZwqkK/S7FbEXuxEu
            ot9oVR4sZBs7Uhi5Ixz7Kmk9dBJ+E9dWPxDeYhYo3V0Tq77h1vVOyg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNalVRWXVGN0hqZDdYUDVZ
            TVRwVHJsTEJoTVIzenFuY0dnTWs1bnRHZnhzCnNPTnJ1Uk92aVRaMlA4VTRYbXNh
            MW5ycEUzUVk0RW1Iby9kWjQ1cTVXWDgKLS0tIDdVaTcvNm9Ca2hTMzBlSGZVUnZN
            a2U1ZjIwRWx1bWp6TktablBqMUduUmMKCFT9vPMu/fob5SQG1004925OB1KNhsUm
            obph/984DUTQxk6IvnJ7fPrnFwL5yY1azdybjPlwGw6o5SmwKpxWBQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RjUvSFJqNGxieVZiVE9q
            NjB4RHcraXk5TnJtN1RSNXZSMlEwbjgxaUZVCjRxUGUwTjBFSU9nTHpRbWpmVkRQ
            cllyei9URXYyRGgrTGdjWXRSZmpRYnMKLS0tIHNQOXpkZnI5b200d0JiSVI2N1BU
            MS9MRW5ocGRMWXdBL0E5N00zbGZzVFEKxeMB0/opzFTnlSBK1vEsLqQ0qIDhOuw5
            S+g8eYTVXSIs/3TMUnOJxDezAG2l00vyWryPw2sGOnqgZCnF9VB/mw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzJDWHhIT2tSekxpWmFR
            cVFocEl6N0VWM2FYVC9FeE9zeG0wYUhnazJRCllsdlFVZXR0YTA2T2h0ZUVienpQ
            MmhJVTkwd1Q4VjNVaWxkL0lVTEVLemsKLS0tIHVqMHhQaW55MHBsVmc5TjJjT1Jy
            RXdOeXk0NFJuL1ZKTUt3dXdkdlpLenMKmlQ0k9CmSWQ7MqueMbmd/TqYyQiDFZ0G
            FPtUIFWxxPY79vsEHq3kxyz4CGMUv7tYx00OK6niLgLZUStd/3Bxmw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWTk5S2VkQmNnNjIwQ05y
            TkR2MjdnY1pGMVZpT2dadE5icjIvRWtnT2pVClRCcTVHa3BaMGRDWTgzNE5zQzBq
            MWRWWi83b0k3OUo5WXhHTVRZSmovMWMKLS0tIFF4UlNtNVFkd3phTzd6R2FuY0Js
            VWpzZTdXSWpiV2tRbnc5VlVWM3FCak0KQGy+ZWdvEh09y9z1Dj3GTVyeAJ5notCH
            ujbOfaly8e9E2g4uOxISxyFe39xlOZd6zEInZ5qiKPrZz37ASChBkA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZDNFa0U4MWs0dmVkZXhi
            V3JjdXIrTTdkamkzRW1jU0wzNnluQ0lJbmpNCkcxNUNwc3ZxMXJreXBxNUlaR0xN
            RmFDZ3RIaVU5aCttS3Q5dWo0QUovVDgKLS0tIEVJQm1xWE80OVRyWUxkMzFXRHBp
            RlJTZjgzQ3pDVHRPQ2dFbHBqdzA3N0EKGBFnnJMqUrbaIviqpX4CP4Ps45Lk/Yyn
            fpVxSlwjOHNDwQ4ojUjv11FRo9WHUTGACFniUtvYc0oaLNygNgf8+Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodERMdDN4cVRiS0tVck5h
            N3RySnRtSXJHZEthRWZNcENrNXY4bHNHa0R3Cm1HL0lzWnpocWhXNDV3RFRxL1ZG
            dWlCQWtzMEZlRnNML2NrOUVPSVRTcHMKLS0tIEsrbk5VOUZhbDFRRHRuWW56TjE1
            V1d0d1lKb3hyYVQ4elBIZ0hnU3FTbnMKiWERjAwlJRPK+PILCBV03uyNVnNgolA8
            PS0vbIDVNiX0pIrRlM2sVivZwqajjTB3XROXMmbIKpQxDMjvpHgqJA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-07-15T23:16:58Z"
    mac: ENC[AES256_GCM,data:OQn/8yJX1xRapEUflwUHaHabt8i1EbK27vAM5mJge5n/y2+G7xYfpt2YsRUikogl1q4hqSGLe12WFYdG3TXqD5aBnwnf8if0Cax2wcjcm0ybcuWflXgZbtjWnVKV9w1Y8LCXpMd129VeeqysrY/lThRjXk1ByBcfbZ/RMZOyWOw=,iv:9mn0FH39xgFXisuEZrERhsjXCM7nQhMSoNdNTuGoHXc=,tag:T7AgJ8fYKVLDtRPm794AAg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/nixos/hosts/shadowfax/config/Caddyfile
+++ b/nixos/hosts/shadowfax/config/Caddyfile
@ -0,0 +1,14 @@
 redeye.hsn.dev {
 	log {
 		output file /var/log/caddy/redeye.hsn.dev.log
 	}
 	tls {
 		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
 	}
 	reverse_proxy {
 		transport http {
 			tls_insecure_skip_verify
 		}
 		to http://127.0.0.1:11080
 	}
 }
--- a/nixos/hosts/shadowfax/config/disks.nix
+++ b/nixos/hosts/shadowfax/config/disks.nix
@ -0,0 +1,32 @@
 [
  # zroot
  "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"
  # nahar
  "/dev/nvme0"
  "/dev/nvme1"
  "/dev/nvme2"
  "/dev/nvme3"
  "/dev/nvme4"
  "/dev/nvme5"
  # moria
  "/dev/disk/by-id/scsi-35000cca23bc8a504"
  "/dev/disk/by-id/scsi-35000cca23bd29918"
  "/dev/disk/by-id/scsi-35000cca23bd29970"
  "/dev/disk/by-id/scsi-35000cca2524cc70c"
  "/dev/disk/by-id/scsi-35000cca2524e03f4"
  "/dev/disk/by-id/scsi-35000cca2525680dc"
  "/dev/disk/by-id/scsi-35000cca25256b484"
  # eru
  "/dev/disk/by-id/scsi-350000c0f02f0830c" # unused
  "/dev/disk/by-id/scsi-350000c0f01e7d190" # unused
  "/dev/disk/by-id/scsi-350000c0f01ea443c"
  "/dev/disk/by-id/scsi-350000c0f01f8230c"
  "/dev/disk/by-id/scsi-35000c500586e5057"
  "/dev/disk/by-id/scsi-35000c500624a0ddb"
  "/dev/disk/by-id/scsi-35000c500624a1a8b"
  "/dev/disk/by-id/scsi-35000cca046135ad8"
  "/dev/disk/by-id/scsi-35000cca04613722c"
  "/dev/disk/by-id/scsi-35000cca0461810f8"
  "/dev/disk/by-id/scsi-35000cca04618b930"
  "/dev/disk/by-id/scsi-35000cca04618cec4"
 ]
--- a/nixos/hosts/shadowfax/config/incus-preseed.nix
+++ b/nixos/hosts/shadowfax/config/incus-preseed.nix
@ -0,0 +1,49 @@
 { ... }:
 {
  config = {
    "core.https_address" = "10.1.1.61:8443"; # Need quotes around key
  };
  networks = [
    {
      config = {
        "ipv4.address" = "auto"; # Need quotes around key
        "ipv6.address" = "auto"; # Need quotes around key
      };
      description = "";
      name = "incusbr0";
      type = "";
      project = "default";
    }
  ];
  storage_pools = [
    {
      config = {
        source = "nahar/incus";
      };
      description = "";
      name = "default";
      driver = "zfs";
    }
  ];
  profiles = [
    {
      config = { };
      description = "";
      devices = {
        eth0 = {
          name = "eth0";
          network = "incusbr0";
          type = "nic";
        };
        root = {
          path = "/";
          pool = "default";
          type = "disk";
        };
      };
      name = "default";
    }
  ];
  projects = [ ];
  cluster = null;
 }
--- a/nixos/hosts/shadowfax/config/sanoid.nix
+++ b/nixos/hosts/shadowfax/config/sanoid.nix
@ -0,0 +1,42 @@
 { ... }:
 {
  outputs = {
    # ZFS automated snapshots
    templates = {
      "production" = {
        autoprune = true;
        autosnap = true;
        hourly = 24;
        daily = 7;
        monthly = 12;
      };
    };
    datasets = {
      "nahar/qbittorrent" = {
        useTemplate = [ "production" ];
        recursive = true;
      };
      "nahar/sabnzbd" = {
        useTemplate = [ "production" ];
        recursive = true;
      };
      "nahar/containers/volumes/jellyfin" = {
        useTemplate = [ "production" ];
        recursive = true;
      };
      "nahar/containers/volumes/plex" = {
        useTemplate = [ "production" ];
        recursive = true;
      };
      "nahar/containers/volumes/scrutiny" = {
        useTemplate = [ "production" ];
        recursive = true;
      };
      "nahar/containers/volumes/scrypted" = {
        useTemplate = [ "production" ];
        recursive = true;
      };
    };
  };
 }
--- a/nixos/hosts/shadowfax/config/soft-serve.nix
+++ b/nixos/hosts/shadowfax/config/soft-serve.nix
@ -0,0 +1,46 @@
 { ... }:
 {
  name = "Soft Serve";
  log = {
    format = "text";
    time_format = "2006-01-02 15:04:05";
  };
  ssh = {
    listen_addr = ":23231";
    public_url = "ssh://10.1.1.61:23231";
    key_path = "ssh/soft_serve_host_ed25519";
    client_key_path = "ssh/soft_serve_client_ed25519";
    max_timeout = 0;
    idle_timeout = 600;
  };
  git = {
    listen_addr = ":9418";
    public_url = "git://10.1.1.61";
    max_timeout = 0;
    idle_timeout = 3;
    max_connections = 32;
  };
  http = {
    listen_addr = ":23232";
    tls_key_path = null;
    tls_cert_path = null;
    public_url = "http://10.1.1.61:23232";
  };
  stats = {
    listen_addr = "10.1.1.61:23233";
  };
  db = {
    driver = "sqlite";
    data_source = "soft-serve.db?_pragma=busy_timeout(5000)&_pragma=foreign_keys(1)";
  };
  lfs = {
    enabled = true;
    ssh_enabled = false;
  };
  jobs = {
    mirror_pull = "@every 10m";
  };
  initial_admin_keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
  ];
 }
--- a/nixos/hosts/shadowfax/config/sops-secrets.nix
+++ b/nixos/hosts/shadowfax/config/sops-secrets.nix
@ -0,0 +1,210 @@
 { ... }:
 {
  secrets = {
    # Minio
    "minio" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "minio";
      group = "minio";
      mode = "400";
      restartUnits = [ "minio.service" ];
    };
    # Syncthing
    "syncthing/publicCert" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = [ "syncthing.service" ];
    };
    "syncthing/privateKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "jahanson";
      mode = "400";
      restartUnits = [ "syncthing.service" ];
    };
    # Prowlarr
    "arr/prowlarr/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = [ "prowlarr.service" ];
    };
    "arr/prowlarr/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = [ "prowlarr.service" ];
    };
    "arr/prowlarr/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = [ "prowlarr.service" ];
    };
    "arr/prowlarr/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = [ "prowlarr.service" ];
    };
    "arr/prowlarr/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "prowlarr";
      mode = "400";
      restartUnits = [ "prowlarr.service" ];
    };
    # Sonarr
    "arr/sonarr/1080p/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-tv1080p.service" ];
    };
    "arr/sonarr/1080p/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-tv1080p.service" ];
    };
    "arr/sonarr/1080p/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-tv1080p.service" ];
    };
    "arr/sonarr/1080p/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-tv1080p.service" ];
    };
    "arr/sonarr/1080p/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-tv1080p.service" ];
    };
    "arr/sonarr/1080p/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-tv1080p.service" ];
    };
    "arr/sonarr/anime/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-anime.service" ];
    };
    "arr/sonarr/anime/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-anime.service" ];
    };
    "arr/sonarr/anime/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-anime.service" ];
    };
    "arr/sonarr/anime/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-anime.service" ];
    };
    "arr/sonarr/anime/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-anime.service" ];
    };
    "arr/sonarr/anime/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "sonarr";
      mode = "400";
      restartUnits = [ "sonarr-anime.service" ];
    };
    # Radarr
    "arr/radarr/1080p/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-movies1080p.service" ];
    };
    "arr/radarr/1080p/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-movies1080p.service" ];
    };
    "arr/radarr/1080p/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-movies1080p.service" ];
    };
    "arr/radarr/1080p/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-movies1080p.service" ];
    };
    "arr/radarr/1080p/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-movies1080p.service" ];
    };
    "arr/radarr/1080p/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-movies1080p.service" ];
    };
    "arr/radarr/anime/apiKey" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-anime.service" ];
    };
    "arr/radarr/anime/postgres/dbName" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-anime.service" ];
    };
    "arr/radarr/anime/postgres/user" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-anime.service" ];
    };
    "arr/radarr/anime/postgres/password" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-anime.service" ];
    };
    "arr/radarr/anime/postgres/host" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-anime.service" ];
    };
    "arr/radarr/anime/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "radarr";
      mode = "400";
      restartUnits = [ "radarr-anime.service" ];
    };
    # Unpackerr
    "arr/unpackerr/extraEnvVars" = {
      sopsFile = ../secrets.sops.yaml;
      owner = "unpackerr";
      mode = "400";
      restartUnits = [ "unpackerr.service" ];
    };
  };
 }
--- a/nixos/hosts/shadowfax/default.nix
+++ b/nixos/hosts/shadowfax/default.nix
@ -0,0 +1,456 @@
 {
  config,
  lib,
  inputs,
  pkgs,
  ...
 }: let
  sanoidConfig = import ./config/sanoid.nix {};
  disks = import ./config/disks.nix;
  smartdDevices = map (device: {inherit device;}) disks;
  pushoverNotify = pkgs.writeShellApplication {
    name = "pushover-notify";
    runtimeInputs = with pkgs; [
      curl
      jo
      jq
    ];
    excludeShellChecks = ["SC2154"];
    text = ''
      ${builtins.readFile ./scripts/pushover-notify.sh}
    '';
  };
  refreshSeries = pkgs.writeShellApplication {
    name = "refresh-series";
    runtimeInputs = with pkgs; [
      curl
      jq
    ];
    excludeShellChecks = ["SC2154"];
    text = ''
      ${builtins.readFile ./scripts/refresh-series.sh}
    '';
  };
 in {
  imports = [
    inputs.disko.nixosModules.disko
    (import ../../profiles/disko-nixos.nix {
      disks = ["/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"];
    })
    inputs.nix-minecraft.nixosModules.minecraft-servers
  ];
  boot = {
    initrd = {
      kernelModules = ["nfs"];
      supportedFilesystems = ["nfs"];
    };
    binfmt.emulatedSystems = ["aarch64-linux"]; # Enabled for arm compilation
    kernelModules = [
      "vfio"
      "vfio_iommu_type1"
      "vfio_pci"
      "vfio_virqfd"
    ];
    extraModulePackages = [];
    kernelParams = ["zfs.zfs_arc_max=107374182400"]; # 100GB
  };
  swapDevices = [];
  hardware = {
    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    nvidia.open = true;
    graphics.enable = true;
    # opengl.enable = true;
    nvidia-container-toolkit.enable = true;
  };
  users.users.root.openssh.authorizedKeys.keys = [];
  # Network settings
  networking = {
    hostName = "shadowfax";
    hostId = "a885fabe";
  };
  # Home Manager
  home-manager.users.jahanson = {
    # Git settings
    # TODO: Move to config module.
    programs.git = {
      enable = true;
      userName = "Joseph Hanson";
      userEmail = "joe@veri.dev";
      extraConfig = {
        core.autocrlf = "input";
        init.defaultBranch = "main";
        pull.rebase = true;
        rebase.autoStash = true;
      };
    };
  };
  # System packages
  environment.systemPackages = with pkgs; [
    libva-utils # to view graphics capabilities
    greetd.tuigreet
    rofi-wayland
    grim
    inxi
    nvtopPackages.full
    pyprland
    swaynotificationcenter
    swww
    wallust
    wl-clipboard
    wlogout
    wlr-randr
    # fun
    fastfetch
    # Scripts
    pushoverNotify
    refreshSeries
  ];
  # enable docker socket at /run/docker.sock
  virtualisation.podman.dockerSocket.enable = true;
  programs = {
    # 1Password cli
    _1password.enable = true;
    _1password-gui.enable = true;
    # Mosh
    mosh.enable = true;
    # VSCode Compatibility Settings
    nix-ld.enable = true;
    # Hyprland
    hyprland = {
      enable = true;
      package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
      portalPackage =
        inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
      withUWSM = true;
      # xwayland.enable = true;
    };
    waybar.enable = true;
    thunar.enable = true;
    thunar.plugins = with pkgs.xfce; [
      exo
      mousepad
      thunar-archive-plugin
      thunar-volman
      tumbler
    ];
  };
  # Open ports in the firewall.
  networking.firewall = {
    allowedTCPPorts = [
      # Caddy
      80 # http
      443 # https
      179 # BGP
      2019 # caddy admin api
      # Minio
      9000 # console web interface
      9001 # api interface
      # Beszel-agent
      45876
    ];
  };
  services = {
    # Minio
    minio = {
      enable = true;
      dataDir = ["/eru/minio"];
      rootCredentialsFile = config.sops.secrets."minio".path;
    };
    # Netdata
    netdata = {
      enable = true;
    };
    # Prometheus exporters
    prometheus.exporters = {
      # Node Exporter - port 9100
      node.enable = true;
      # ZFS Exporter - port 9134
      zfs.enable = true;
    };
    # Smart daemon for monitoring disk health.
    smartd = {
      devices = smartdDevices;
      # Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
      defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
    };
    # Soft Serve - SSH git server
    soft-serve = {
      enable = true;
      settings = import ./config/soft-serve.nix {};
    };
    sunshine = {
      enable = true;
      autoStart = true;
      capSysAdmin = true; # only needed for Wayland
      openFirewall = true;
      package = pkgs.unstable.sunshine;
    };
    # Tailscale
    tailscale = {
      enable = true;
      openFirewall = true;
    };
    # VSCode Compatibility Settings
    vscode-server.enable = true;
    xserver.videoDrivers = ["nvidia"];
    greetd = {
      enable = true;
      vt = 3;
      settings = {
        default_session = {
          user = "jahanson";
          command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd='uwsm start select'"; # start Hyprland with a TUI login manager
        };
      };
    };
  };
  # sops
  sops = import ./config/sops-secrets.nix {};
  # System settings and services.
  mySystem = {
    # VS Code
    editor.vscode.enable = true;
    # Containers
    containers = {
      jellyfin.enable = true;
      ollama.enable = true;
      plex.enable = true;
      scrypted.enable = true;
    };
    purpose = "Production";
    # Services
    services = {
      # Misc
      libvirt-qemu.enable = true;
      podman.enable = true;
      # Prowlarr
      prowlarr = {
        enable = true;
        package = pkgs.unstable.prowlarr;
        dataDir = "/nahar/prowlarr";
        port = 9696;
        openFirewall = true;
        hardening = true;
        apiKeyFile = config.sops.secrets."arr/prowlarr/apiKey".path;
        db = {
          enable = true;
          hostFile = config.sops.secrets."arr/prowlarr/postgres/host".path;
          port = 5432;
          userFile = config.sops.secrets."arr/prowlarr/postgres/user".path;
          passwordFile = config.sops.secrets."arr/prowlarr/postgres/password".path;
        };
      };
      # Radarr
      radarr = {
        enable = true;
        instances = {
          movies1080p = {
            enable = true;
            package = pkgs.unstable.radarr;
            dataDir = "/nahar/radarr/1080p";
            extraEnvVarFile = config.sops.secrets."arr/radarr/1080p/extraEnvVars".path;
            moviesDir = "/moria/media/Movies";
            user = "radarr";
            group = "kah";
            port = 7878;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/radarr/1080p/apiKey".path;
            db = {
              enable = true;
              hostFile = config.sops.secrets."arr/radarr/1080p/postgres/host".path;
              port = 5432;
              dbname = "radarr_main";
              userFile = config.sops.secrets."arr/radarr/1080p/postgres/user".path;
              passwordFile = config.sops.secrets."arr/radarr/1080p/postgres/password".path;
            };
          };
          moviesAnime = {
            enable = true;
            package = pkgs.unstable.radarr;
            dataDir = "/nahar/radarr/anime";
            extraEnvVarFile = config.sops.secrets."arr/radarr/anime/extraEnvVars".path;
            moviesDir = "/moria/media/Anime/Movies";
            user = "radarr";
            group = "kah";
            port = 7879;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/radarr/anime/apiKey".path;
            db = {
              enable = true;
              hostFile = config.sops.secrets."arr/radarr/anime/postgres/host".path;
              port = 5432;
              dbname = "radarr_anime";
              userFile = config.sops.secrets."arr/radarr/anime/postgres/user".path;
              passwordFile = config.sops.secrets."arr/radarr/anime/postgres/password".path;
            };
          };
        };
      };
      # Sonarr
      sonarr = {
        enable = true;
        instances = {
          tv1080p = {
            enable = true;
            package = pkgs.unstable.sonarr;
            dataDir = "/nahar/sonarr/1080p";
            extraEnvVarFile = config.sops.secrets."arr/sonarr/1080p/extraEnvVars".path;
            tvDir = "/moria/media/TV";
            user = "sonarr";
            group = "kah";
            port = 8989;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/sonarr/1080p/apiKey".path;
            db = {
              enable = true;
              hostFile = config.sops.secrets."arr/sonarr/1080p/postgres/host".path;
              port = 5432;
              dbname = "sonarr_main";
              userFile = config.sops.secrets."arr/sonarr/1080p/postgres/user".path;
              passwordFile = config.sops.secrets."arr/sonarr/1080p/postgres/password".path;
            };
          };
          anime = {
            enable = true;
            package = pkgs.unstable.sonarr;
            dataDir = "/nahar/sonarr/anime";
            extraEnvVarFile = config.sops.secrets."arr/sonarr/anime/extraEnvVars".path;
            tvDir = "/moria/media/Anime/Shows";
            user = "sonarr";
            group = "kah";
            port = 8990;
            openFirewall = true;
            hardening = true;
            apiKeyFile = config.sops.secrets."arr/sonarr/anime/apiKey".path;
            db = {
              enable = true;
              hostFile = config.sops.secrets."arr/sonarr/anime/postgres/host".path;
              port = 5432;
              dbname = "sonarr_anime";
              userFile = config.sops.secrets."arr/sonarr/anime/postgres/user".path;
              passwordFile = config.sops.secrets."arr/sonarr/anime/postgres/password".path;
            };
          };
        };
      };
      # Sabnzbd
      sabnzbd = {
        enable = true;
        package = pkgs.unstable.sabnzbd;
        configFile = "/nahar/sabnzbd/sabnzbd.ini";
        port = 8457;
        user = "sabnzbd";
        group = "kah";
        # Security hardening.
        dataDir = "/nahar/sabnzbd";
        downloadsDir = "/eru/media/sabnzbd";
        hardening = true;
        openFirewall = true;
      };
      unpackerr = {
        enable = true;
        package = pkgs.unstable.unpackerr;
        configFile = "/tmp/unpackerr/config.yaml";
        extraEnvVarsFile = config.sops.secrets."arr/unpackerr/extraEnvVars".path;
        user = "unpackerr";
        group = "kah";
      };
      # Sanoid
      sanoid = {
        enable = true;
        inherit (sanoidConfig.outputs) templates datasets;
      };
      # Scrutiny
      scrutiny = {
        enable = true;
        devices = disks;
        extraCapabilities = [
          "SYS_RAWIO"
          "SYS_ADMIN"
        ];
        containerVolumeLocation = "/nahar/containers/volumes/scrutiny";
        port = 8585;
      };
      # Syncthing
      syncthing = {
        enable = false;
        user = "jahanson";
        publicCertPath = config.sops.secrets."syncthing/publicCert".path;
        privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
      };
      # qBittorrent
      qbittorrent = {
        enable = true;
        package = pkgs.unstable.qbittorrent.override {guiSupport = false;};
        user = "qbittorrent";
        group = "kah";
        dataDir = "/nahar/qbittorrent";
        downloadsDir = "/eru/media/qb/downloads";
        webuiPort = 8456;
        openFirewall = true;
        hardening = true;
        qbittorrentPort = 50413;
      };
      # ZFS nightly snapshot of container volumes
      zfs-nightly-snap = {
        enable = true;
        mountPath = "/mnt/restic_nightly_backup";
        zfsDataset = "nahar/containers/volumes";
        snapshotName = "restic_nightly_snap";
        #startAt = "*-*-* 06:30:00 America/Chicago";
        startAt = "*-*-* 00:10:00 America/Chicago";
      };
    };
    # System
    system = {
      incus = {
        enable = true;
        preseed = import ./config/incus-preseed.nix {};
      };
      motd.networkInterfaces = ["bond0"];
      nfs.enable = true;
      zfs.enable = true;
      zfs.mountPoolsAtBoot = [
        "eru"
        "moria"
        "nahar"
      ];
    };
  };
 }
--- a/nixos/hosts/shadowfax/scripts/pushover-notify.sh
+++ b/nixos/hosts/shadowfax/scripts/pushover-notify.sh
@ -0,0 +1,89 @@
 # shellcheck disable=SC2154,2148
 # User defined variables for pushover
 PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
 PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
 PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
 PUSHOVER_TITLE="${sonarr_eventtype} - Title unset"
 PUSHOVER_MESSAGE="${sonarr_eventtype} - Message unset"
 PUSHOVER_URL="${sonarr_eventtype} - url unset"
 PUSHOVER_URL_TITLE="${sonarr_eventtype} - url title unset"
 if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
  PUSHOVER_PRIORITY="1"
  printf -v PUSHOVER_TITLE \
    "Test Notification"
  printf -v PUSHOVER_MESSAGE \
    "Howdy this is a test notification from %s" \
    "${sonarr_instancename:-Sonarr}"
  printf -v PUSHOVER_URL \
    "%s" \
    "${sonarr_applicationurl:-localhost}"
  printf -v PUSHOVER_URL_TITLE \
    "Open %s" \
    "${sonarr_instancename:-Sonarr}"
 fi
 if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
  printf -v PUSHOVER_TITLE \
    "Episode %s" \
    "$([[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded")"
  printf -v PUSHOVER_MESSAGE \
    "<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
    "${sonarr_series_title}" \
    "${sonarr_episodefile_seasonnumber}" \
    "${sonarr_episodefile_episodenumbers}" \
    "${sonarr_episodefile_episodetitles}" \
    "${sonarr_episodefile_quality:-Unknown}" \
    "${sonarr_download_client:-Unknown}"
  printf -v PUSHOVER_URL \
    "%s/series/%s" \
    "${sonarr_applicationurl:-localhost}" \
    "${sonarr_series_titleslug}"
  printf -v PUSHOVER_URL_TITLE \
    "View series in %s" \
    "${sonarr_instancename:-Sonarr}"
 fi
 if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
  PUSHOVER_PRIORITY="1"
  printf -v PUSHOVER_TITLE \
    "Episode import requires intervention"
  printf -v PUSHOVER_MESSAGE \
    "<b>%s</b><small>\n<b>Client:</b> %s</small>" \
    "${sonarr_series_title}" \
    "${sonarr_download_client:-Unknown}"
  printf -v PUSHOVER_URL \
    "%s/activity/queue" \
    "${sonarr_applicationurl:-localhost}"
  printf -v PUSHOVER_URL_TITLE \
    "View queue in %s" \
    "${sonarr_instancename:-Sonarr}"
 fi
 json_data=$(
  jo \
    token="${PUSHOVER_TOKEN}" \
    user="${PUSHOVER_USER_KEY}" \
    title="${PUSHOVER_TITLE}" \
    message="${PUSHOVER_MESSAGE}" \
    url="${PUSHOVER_URL}" \
    url_title="${PUSHOVER_URL_TITLE}" \
    priority="${PUSHOVER_PRIORITY}" \
    html="1"
 )
 status_code=$(
  curl \
    --silent \
    --write-out "%{http_code}" \
    --output /dev/null \
    --request POST \
    --header "Content-Type: application/json" \
    --data-binary "${json_data}" \
    "https://api.pushover.net/1/messages.json"
 )
 printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
  "${status_code}" \
  "$(echo "${json_data}" | jq --compact-output)" >&2
--- a/nixos/hosts/shadowfax/scripts/refresh-series.sh
+++ b/nixos/hosts/shadowfax/scripts/refresh-series.sh
@ -0,0 +1,19 @@
 # shellcheck disable=SC2154,2148
 CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
 SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
 if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
  tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
        [.[] | select((.title == "TBA") or (.title == "TBD"))] | length
    ')
  if ((tba > 0)); then
    echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
    "${CURL_CMD[@]}" \
      --request POST \
      --header "Content-Type: application/json" \
      --data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
      "${SONARR_API_URL}/command" &>/dev/null
  fi
 fi
--- a/nixos/hosts/shadowfax/secrets.sops.yaml
+++ b/nixos/hosts/shadowfax/secrets.sops.yaml
@ -0,0 +1,140 @@
 syncthing:
    publicCert: ENC[AES256_GCM,data:XGQus3CTr8j7LBnOf/Fk5cu2V41X+Udo1yXEq9WP4nJuRvQRQ3IVKrgVyIZfIFM6b02GXJHmvsujZiqLnszTM1ltW67uKhnepj4N8ywogUiEudGyMsu99HchsTN4EhWBeenmOR+Fh1Eruva/fxZlaPMZYEAGSQR8iwC/NqPeGdrS2j4HstxAWd8jn7fJg3MXirTBykiNTGd83gCLjSKoueal8KNF1Sa9peho84u/FrFP5V5JB/E8LT2WLegrdZXEgVwInvYqciZbwWZwP5lWVaiKHPRqVMWCGtBgkxTuD41icFiCFz8OwMFR58+p+LxicGl7IgXDbQtIR+0+WR1Lz+BVOxjUkbr/U0znvta4JYkIbZp3utfbU+K9P7PBCPo4d5WQrVkaEUxNYA0aCgf4ZF4S+upXkV5Dfzc5nnEQi1kme6yScnheKDCMROLnCG1PYZRXk+Q5XQz/iW7KriI1GkNW1u01GB90RwHSTC9btTQEG0c8mgv/4yf8ObGYxDHR2o7QvsEgrfLOrHjBDJ0eGl3sSPH8m6XRGnZBj9prjA1x1h83vZo0omR5nFjA98xRN2U4v4NIeS5KqptDcTsVQdcWpRBjpnZYtb1pJ97p9/gUTNT3UzCt/7LpvO2LyO6CmnV1dVU+HlMVkJJIQHSFnvsk8PsnJEhGcoJIj+GvkkjzgOA2gbtnzpZ3HlM2jPTuSx8VlrLcPb7tsdeGM+ESbDrD/8tHMyOEaoGYOkSLRfE5QhSFuTN7woG3Eg2x+UK92JwkXPpHqr15Vvsw7ElfjnY7NBUz2jcCSJIPLlX1Gs277egZQKumu3TO2h16ced07ABtPPaptAFwh7GR+o5o60mleYdh2NhJGv9Db3i8X+ty3sFEnsIhoOBD75WTsy3cdtls5wWE0Ox162FFhXXqSbxhLaTDkpM6C71+BR97Og8e+/zfN5bK/8pmGUk8EzkL3Anp1rCtD8MxY/CPpxK2oHgPALQwcpGVzpdnk65P5m+61T9boo3UfoC/27G2HyqSj4zz0NCt5Dlqio+hxeZIuaJKx00RIASosXo=,iv:gI/BtvEcAcwTkqpSvpzo1kFR2miK0CiWNY6bQvijbRo=,tag:u6rLmKskE7FClh4V5/3FDA==,type:str]
    privateKey: ENC[AES256_GCM,data:W9+O6G3xhABcztmdqZIy4LKXt9uuoz8fhM56flvJGrJ1WGN9BX9Syn/mblYP2PDWFHBHQtMd+fWsRC1cDPAbwPB8e4CX3gU4NvxQEtkTb6UceP6nF/LZGJkUPIVHflbz4zQxBFet1TDA4pW9IaOrQYYAOcAJtNzF8ybhXepY+RErdnEKIYp5m7M60wvAgs9EDaAbsD3wuzzjs/+s3tR8/Ga8n8qrWSwfbQwRMbXETN0D1PV5HydsBcwiQ2w0FrjQ6w27ASuKQGSAKFNxU8I5/SF5tFLiR8LV+wcUIoUoCN4AxYQQBdxpNcyhxjTFSu7rUvqV7Ni85JUnmnep1cM4j+4hkmj2M06m0SHy87kiJcJfRkwXVKEJUJiUuLQCR+20,iv:FbZnaXDr5+jjSs7wKSE01z0p2Kd9UzGw2alGfd8m1ik=,tag:CD8vp7hloHDYQF/pkm0a7A==,type:str]
 restic:
    plex:
        resticUri: ENC[AES256_GCM,data:aA3kc/Wxg/UxrAUeDd0y9z/8mN9LjWsycS3aUuEwgTcAO2NkfUcH9kw/PXOvazA8t5UJ9RVPYYF7910JeftmMNgs,iv:4GaR5XuJKPnQsBehihraCgqBUumDeq6IiRQrSvtQKgg=,tag:U1fVporyT4S48Dmdf5ghSw==,type:str]
        resticPassword: ENC[AES256_GCM,data:rC5P60IK52dYOSiSkpnkZ2VvqI0=,iv:xIr6BYmpbGXg9zKCKVcstK2ANHN2Y0MzZ1HhDIL9oxI=,tag:J14I0dvIW0FMW1LLB4KuNw==,type:str]
 minio: ENC[AES256_GCM,data:IJTwUJOC84a5n798fTDlwRzVc8p5zRiccjdoNTPCNlls0RAyGllijf7GAQG3fxQZQWB2xNd7G0F4/Bv+KmThX2Nxy0c5JFbed+AekuMbNQ==,iv:QDB8JUSehsApBnRhLeGtS2ZczIJA0awN0g0sfkKK810=,tag:NMDfAN8R0mcT7Ec1ldyZbw==,type:str]
 postgres:
    host: ENC[AES256_GCM,data:fd0SCRhtJWA=,iv:KNSZ2iaCum+0AlDlgrH5VAVj7D1RRJSSFGEw0eYi5+4=,tag:Gs5HHPN9SeDm+CIzD7GPXQ==,type:str]
    port: ENC[AES256_GCM,data:Z0fHNA==,iv:otbEsYxhJ6/YR+A5oRx3Dwrqk6T6BL9OGka5yu1H+HA=,tag:T+KW8DaRJ8NN7k1mIMn6QA==,type:int]
 pushover:
    userKey: ENC[AES256_GCM,data:RYn9OCGaEgu/41kMolmqjYtr8FRmyEOvNStk+7Uz1A==,iv:L4pJJxGPhrmGSJdRDIP/OONibHvIP8KUdXwED29kTJ8=,tag:6TxYaUA6QA1NroBXhQHRlQ==,type:str]
 arr:
    prowlarr:
        apiKey: ENC[AES256_GCM,data:qxm2yp8ReuMgQ0155mKBAWickKusOaa/FeoIopj9l1Z3,iv:pAeDxK6CGap4fKU5xQ5hZR9It6/1uo27dKZBi5Bl3rc=,tag:HZl914AfFU4D5J7cDS3I1g==,type:str]
        postgres:
            host: ENC[AES256_GCM,data:gvGJT0521ZE=,iv:JsYsq8iQjpU+4eGwbUUx85Vx5ZS7UwVLJpR2K0bUwv8=,tag:xALURbOgT3Xl2x2kXaLE/Q==,type:str]
            dbName: ENC[AES256_GCM,data:2EFvYnz9swxo9nSggQ==,iv:k24q941nEF//Yojv15s4HNiA/V5/G7I0BhWskScv1uA=,tag:BN9thh3VaxFyhq7m5S0dqQ==,type:str]
            user: ENC[AES256_GCM,data:gO8c5bZ3oDY=,iv:YggC8TNFzqHRcRxSBDiV580xF3kLQKgR/ScfyW+5Y5A=,tag:bY7QduxooRkR5SFBxlKjxQ==,type:str]
            password: ENC[AES256_GCM,data:rqryseQj0lMiNmB21ezXYQ7ceaOtiZJLPA==,iv:f0ahBkII+pZOPB50EcCIEMbvHriYHv7ax/u1515KAA8=,tag:EObTc1yd/GTNuVE87tPg0g==,type:str]
    sonarr:
        1080p:
            apiKey: ENC[AES256_GCM,data:e3v+MR2BXCRXXm01/Y09mWN9SnjwH/qQ5tJ5/lNsuqRL,iv:nAT5aFT0ihHGGSTOUBrPZy4d6S+kbOzjNebXftPjoAI=,tag:uAZ1nuDcIYWKAOA2XLdBFQ==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:GH0XC+qbTC4=,iv:WnLz/rHhM44zmP/OyU/AOmsIg8xNhtgExO5MYnA0gqw=,tag:VFrMySTEhDsz6fZU9s+ZKg==,type:str]
                dbName: ENC[AES256_GCM,data:ftOhHHtk/McHs0k=,iv:Zh9/QsLYMTrtpukvA8CM0bj0scxIUaiKwlRkr38mDkI=,tag:DHpH90q2cuLk+KzMeciVQQ==,type:str]
                user: ENC[AES256_GCM,data:M5/SpaeO,iv:GZlxnQl+Vt9jE+f1obSqPJGC9peN3qlqw/ZaIf6p2YU=,tag:vXJHGjvNFLV5LirfBnNs2g==,type:str]
                password: ENC[AES256_GCM,data:M0YWtT/ikSKqQCLkF+Ln+jm3t6ltsLzYJQ==,iv:L6sCp1R1KkNRry2j/PO6+nHsL4gwOpzXVt3btcsC9QI=,tag:fiv3scPVQQzBjuQyzkMYFw==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:W4WQwgSErsTzRAdnfhdYMn0QCrF30GGegTIXnwmweDb5cDRmLaVml5WoYd7PVRcZMlqOnOl7ZomzvkkVeJ77It3iOHiAsoSQ9b8zZCjkkanFGvQw6y3vDdOWXKhyonk=,iv:UK9g5aivhcoSNO7BBmIi8qtEssYEMoae6oPvbIIBS0c=,tag:KlF6idwZmRVJCITe1Sf4PA==,type:str]
        anime:
            apiKey: ENC[AES256_GCM,data:4Xg3O7Xrw0f8ijNvhnDnmizpAeSVL9qS8KbR7qeosz/K,iv:qlIyhT6bqMZCBNtuCKbRm9x/2g/qFCbL3xqa+mEG6ZM=,tag:I1gqP1caMpfIj0eXuS1t3w==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:AZrIFD0MRlI=,iv:lC/CDAq65vSRacWCi7m3Jr3j2l2r9deNbqMyJN0ZNXE=,tag:GiNvGupolm4w9Z7XgQTryg==,type:str]
                dbName: ENC[AES256_GCM,data:74KryUh6B2mBZyIW,iv:fdnogNwmx5+qlfH7eOnDZhNeNJ1C2v8gT/g7X1nNtLI=,tag:S28PslyTuawLopyrUDLD5Q==,type:str]
                user: ENC[AES256_GCM,data:cM133gBrl0WM/DSz,iv:CNyUxvV1VOfAy+D2+dMmJMIoWXGH3qoJ8dXXU76NSXo=,tag:03dMKeF9daZZUwxXW5mz7g==,type:str]
                password: ENC[AES256_GCM,data:/XQNL9a3QUeDhPY7JRE+4/X6WmJ6dliHUhty+m3OmA==,iv:+Nn9Q+lfGGDmpd089qXc26+3PxIbOrHLsoolsgpQK24=,tag:HL7J0TTvd4DDIob71/Zfuw==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:G8muZh4O/kiDFW3CjZXwXnoLxtsimq9evShea0aAbfPdNd3nenudPoI2PYgIF2vT4vHzMaWLCrvbqcd/gLBJUrZZyn4YAvuRo6LBliAD394EyXHZrdrTNNDkLZ8LQRU=,iv:Nh6QZhpwftrMs4Km1emymk1ilmFCtYeW0l05yRmXxug=,tag:CVl6nWN3wyc1r23eKPljmg==,type:str]
    radarr:
        1080p:
            apiKey: ENC[AES256_GCM,data:NVIa3nK4/QxZF1/peKei9Qsxn2AjRiBnBdr2N08QiXhi,iv:h/Rb38FCF8auMCTT+Cuj/i8YAeavntwbbJEA9LwDYUY=,tag:OwAQy76GjIrY9/126zExdA==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:bycrytLkcdI=,iv:zfsSP+uoVpvG2HXydCXT+yfMc5GadjG8qo+4ld+rdjk=,tag:cXtYTFg27hS9Idn3UjUn1A==,type:str]
                dbName: ENC[AES256_GCM,data:pjvSoLQ/TUdd6Y0=,iv:TsThUHuF9Mm1fuGYcEh/GanaDGuoSJxPt7LVRJHSFAo=,tag:tMIdTPSaNE4hOh97lck6DQ==,type:str]
                user: ENC[AES256_GCM,data:0QFQsAfq,iv:+qtq/BhC26fdW9rXlbZFf6fQCOV+UsP1Y9cNMUtn5+w=,tag:WBg4ruYa7t+8d8iHjjPJ1g==,type:str]
                password: ENC[AES256_GCM,data:TvGQsShraVE70JoHkk4PWkoeElu+dn882w==,iv:oQ15XrRCLUZ6XWSifB9hGF+wYActgDE9NEqly+LTTFA=,tag:kUbn5dKq9jU4Xl1+mRI2Zw==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:4E1NFQZOrH7sBGnJus7+VZLTWnzif1Asr+mCeaXorsfO8nJpA14HjQ9diAqPuabTlUsl4vMznFmKjdAFCvuRz9p7xfq96qmJKN3oTKuVaz6SlQbXKcfCeldn2E2EA2k=,iv:CVaiTGR0WpcCNvDpD202P4dHqEjX9xqJEVz0usEeANY=,tag:FRz7t5wV2TePakxmyBkb1Q==,type:str]
        anime:
            apiKey: ENC[AES256_GCM,data:7Z59sJCKBmayd1J71+C72IdoeNlU71jcJS885bUwc+g8,iv:0Uav84UAanmZvvZfJJNoDmvyKY068L8+ONnVGWmldSI=,tag:WYQvccwlm/Y8S2ynPkEPjA==,type:str]
            postgres:
                host: ENC[AES256_GCM,data:EL6Qzm8r/XQ=,iv:Gz099lg7zDRrIf7i2kOb+MSXGwHazTtcnBbCmciVCHE=,tag:l2Lqd7dDeRZYzflhK9/Kdg==,type:str]
                dbName: ENC[AES256_GCM,data:9MJ6UcVlLPN+hI4=,iv:AwCdIJ1KwThbUVGM759m0GVWh3yf3anBHdsfdIjVWP4=,tag:7kUUSTNpt/rOtYHkDRlKxA==,type:str]
                user: ENC[AES256_GCM,data:QE+Lr0L0ad3oufG4,iv:WCTkwhN9FjibXlyPqY7oDjSByXn6Exma/VDsE3ju/FE=,tag:orFBsxd/ETSaiFC1KNsO0A==,type:str]
                password: ENC[AES256_GCM,data:3rYBq3cosu962m/FZIc/WZogr+BZxQ==,iv:dK/IDKYz3NKeAE7PV/f+qRtSu3veg20B6+6gZmaD/eg=,tag:9k0+zrcWC6i6YjwJkMYkzA==,type:str]
            extraEnvVars: ENC[AES256_GCM,data:HAGHXI14CFx/CXbpHGn1MQQeRmMO9zzsnHEJrgTfho96XPtoKJQj+b3h7VNVkkHAifjuMzbKb0BM8qrtAIjssWuQUrWChxgHBg3OWodsJkstYplB0RYIun5RorzHaNY=,iv:3nW9806ciMdblFphEi9zK8kkIB8r01eF/167vYq177w=,tag:7aPJ63Wl+SGzWCBXuitgmA==,type:str]
    unpackerr:
        extraEnvVars: ENC[AES256_GCM,data:UT6HLaEKGEHggZx8Ict23OOLlRppErCnIDA16CleMFe33/IHyyp8El8aBNCq5A/1+NIGN5aZat2El562QAcZBVITa9ffmmtXqnDsheaRo+nDSPR5mGqh39uoKWIy2eSO5nv3rD0jN08MFYjxZNti/k0p0JIDMYN5shnVLiwO7krLs3Z6m+sZntg6euCWnHJMM2p3v38bffUzbZWrD1hEKaOUofOhTL0rDUiiysCawMZvJx6zXgfyO6DeUdwlYIxlg0mZ8SkmDRoFDPYrI40tIA+oSScJhJkDgoNPPJVEuGu6vVMPgqkAWUSucVGeiYVati2PsBJHn9wori2GWRTY0n7mjQKe8cz3nPIKQFWYLRWDZ9UBBvh05bYLa54+C4mGczFFPZra/DDoR2i9gzCXxjhRmt2Qs+g0RqefJTq5W2qQKRLj9PKFr02GuOY=,iv:pmOkkfFd4eGRCburRz6rgqqAFQJhPgjuUKn23ipLg3E=,tag:heZtewMOnnMxE5qSVEiI0Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOK2piTS9FTXJ3TWMzdVFr
            aWFUSkJSbTdCR21iQks3OCttNzZOcWg5RlFJCnhQQk5sb2Jjd285bWZaVjVrQzRy
            REMvZnR4YUREUUwzK1IxRzJwNUdVcncKLS0tIHB0MTRxWWJRR3psMEVBTmQycCtL
            MjhkT0JGdjBmeUw2MGFLZUFhMW5IKzAKVY5fLZeRk/6dvCimJ7Jgj1hOjqtZ3Q35
            EH1L3X2/n+fTzYIASj1UJxvAJd6U7rrmfozQQYIKch2Ri+EV3QHRKA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSFVLTFZqeHNuSENWWWZG
            QmI4QXEvbG5SeTJHMVhSaThPYkNzZDI1TnpZCkdobm5IaUhESVk3NVVxcTVITUZh
            Vk0wTjdtS3hxcnEvRkV3bmZJdVlmTUkKLS0tIGhqQkFPcXFKcjhCWEZvR1BrMi83
            THFOTXdoc2pFKzhZTkNUdC9VN0IvTTAKdmOR0iZ6pzJX/ZgxhxvS6yUCEGjq/ePV
            NIPJwMMcAatrrFunBdIEOzfu1LO1in5ZADaA54JUIiftLrhA8Lraig==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ2lxb0JiYzlmRHZ0Ymhk
            OVo2cXFRcmtGdGFqTWlJY1dXVlNZbTFIUFZVCmFuMU9SNjRtU0tTSlRnMHFQSFJi
            K21OQ1Z2K0lYWHA1cmRibWFTVUIrRU0KLS0tIHNZTkY1UXY4TjZrWCsyK2hPeEVH
            NEpZcU96Q1lobzFVTWNrUFJHQjZhM1UKZQzhD32rkAylJfSp+N648jrs6YvYtg+X
            tpT4jvyeAcQJ+txZunhwiTwZslJEQMOZlwAyMO6riQNtATTU4Bycsw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbGNIemRkQUtobFliUCtx
            aUNLQUZhM2xVOHI4YUUxR0xKNmROUDQ2cW5ZCi9zQU1LYnBFWC9NMHAvUDBKYWZL
            TC85ZnllOTgzS3B6QjJxYWhtZG4zbVUKLS0tIHNhUk9ocVhpaUJ3emxHR2pZb2c1
            S2FOK0gwNGJwbFduNkwyZkZGdmVMY00KH1SjfNNdeKRmqwidEB2MM5EO/8jJk36D
            86Ehn4wHIW3CSfqJYDLmYBmreFfqgQq/BGThGJs2EdkNb2VkyZnTUg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTVRLeHlFb2FpYUdZNXV0
            T1dXMTROTk4rM09KaG9SK0FuVEZQTmJIUVZnCkNJODJpY0NZUWthdHBEamRPMlNl
            UStpUlphSDFKZ1pJalhjRGIybms0QUEKLS0tIFBlZFAvaE83YmEzU0hnTXhJSVdH
            Vm5pRTB6ZEpZRnZ3Nk5UY3ljcG9lQncKW+/xvvA8gU6f9SlF5jGkddXpmSZlOCfh
            xXXAFB50J/9fmBRMXVItzdERKK1MxZm9p1g5gmIYkyH/wm48ZTyrwA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFd21SSGpTclllWWdIWmda
            TzlkZ2VNWDZ3YUVwWDkzZHlyYythZ1JMUTJVCk15TVZUMVdTSWpldnozMVhVQ0dE
            S3FaTzhLWE1Pd3B2RW1YTU1TVXIxbEkKLS0tIFhoZHBTeEpUekdEajRNZ0xRcnpi
            d2xDaDBWKzhaK2RzOUoxbDAvQnQwK2cKXifwRj2MHtsPYykP92gkkf2drlSBf/4U
            AXvjfndT7yqvlBHfTCusos6AollCJ+QNPQJoCdzZzSyLZS5S55QY5Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbW5HOHp1UUVhN3ljZkpO
            RlZYdDVsUlYyL2VXdGROalZrRnVxMmFEb1ZrCjVEYmd2a2NrelFkSGt6ZnpYblBi
            aStXRk5YQ05HUkJZMW11QzRUSGhVMWsKLS0tIDBhVXVBTTB3U1dnMWxEd2VaMWd4
            THltK2VHRU1PQkpOc3VyUFN6K2l5OEUK7dWJCGhvw+Xr3ny68iWgo05iApyiqzZI
            pwUG0ZfzQlwC0cvYTqHfc8nGyHcAsjs6LTeBYrn+WGZtvEUBAZvIHQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbUlTR3d1UTBWOWJPK2E2
            OVc4cWNYbm9zcDRydHdFT3pEaWxxZDVkUkUwCktEYWt5dmdmWGRESnFFVnVIcFRa
            T0Q0WUdjSk1TaVRsdXBRTGo4cjZIZW8KLS0tIENzcUJxeFBtRWx4aTVsTndTWkFC
            aVlOSHhFb2I5UnYwVytyQzlWTXBDYUUKdQKilmfJ1F7UYKtQV9zV95FcRIK17p4M
            vGvu/pGJ32tH8xI7cNs9I5Hmg9c5wOam21W1FDk+VlJ/ClXqQzS0MA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-02-10T19:15:54Z"
    mac: ENC[AES256_GCM,data:KyP1lzKD/iV6SgHbsEYvVRwgrFy/PqHGMVEjeTAcLFCFrIyn9/Gd5ravTOj+37phVARnHI3h2vetqzOBO7/tE4jz0nsEGawOfVMOTKR1Y7+35TKJaC4FTO3/hfczjzolvoLk8011J9aoeC44yx+UT8Ijehc3mkd4x8zVvOK/OG4=,iv:e6FudQPXESAw/CNVqJWGZG+/8j/J88Z8InjM++GJ9lM=,tag:KaQkmLGSU+jJF3f6YBKhmQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/nixos/hosts/telchar/default.nix
+++ b/nixos/hosts/telchar/default.nix
@ -1,51 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
    ];
  networking.hostId = "4488bd1a";
  networking.hostName = "telchar";
  boot = {
    initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
  fileSystems."/" = {
    device = "zroot/root";
    fsType = "zfs";
  };
  fileSystems."/nix" = {
    device = "zroot/nix";
    fsType = "zfs";
  };
  fileSystems."/var" = {
    device = "zroot/var";
    fsType = "zfs";
  };
  fileSystems."/home" = {
    device = "zroot/home";
    fsType = "zfs";
  };
  swapDevices = [ ];
  virtualisation.docker.enable = true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # System settings and services.
  mySystem = {
    purpose = "Development";
    system.motd.networkInterfaces = [ "wlp1s0" ];
  };
 }
--- a/nixos/hosts/telperion/config/Caddyfile
+++ b/nixos/hosts/telperion/config/Caddyfile
@ -0,0 +1,21 @@
 telperion.meerkat-dab.ts.net {
 	log {
 		output file /var/log/caddy/telperion.meerkat-dab.ts.net.log
 	}
 	reverse_proxy {
 		transport http {
 			tls_insecure_skip_verify
 		}
 		fail_duration 10s
 		health_interval 5s
 		health_timeout 2s
 		health_uri /
 		lb_policy client_ip_hash
 		lb_try_duration 5s
 		lb_try_interval 250ms
 		max_fails 1
 		unhealthy_status 5xx
 		to https://legion.meerkat-dab.ts.net:8006
 		to https://rosie.meerkat-dab.ts.net:8006
 	}
 }
--- a/nixos/hosts/telperion/config/bind.nix
+++ b/nixos/hosts/telperion/config/bind.nix
@ -1,27 +1,27 @@
-{config, ...}: 
+{ config, ... }:
 ''
-include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
+  include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
-acl trusted {
+  acl trusted {
-  10.33.44.0/24;  # LAN
+    10.33.44.0/24;  # LAN
-  10.1.1.0/24;    # Servers
+    10.1.1.0/24;    # Servers
-  10.1.2.0/24;    # Trusted
+    10.1.2.0/24;    # Trusted
-  10.1.3.0/24;    # IoT
+    10.1.3.0/24;    # IoT
-  10.1.4.0/24;    # Video
+    10.1.4.0/24;    # Video
-};
+  };
-zone "jahanson.tech." {
+  zone "jahanson.tech." {
-  type master;
+    type master;
-  file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
+    file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
-  journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
+    journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
-  allow-transfer {
+    allow-transfer {
-    key "externaldns";
+      key "externaldns";
    };
    update-policy {
      grant externaldns zonesub ANY;
    };
    allow-query {
      trusted;
    };
  };
  update-policy {
    grant externaldns zonesub ANY;
  };
  allow-query {
    trusted;
  };
 };
 ''
--- a/nixos/hosts/telperion/config/haproxy.nix
+++ b/nixos/hosts/telperion/config/haproxy.nix
@ -1,53 +1,39 @@
 { ... }:
 ''
-global
+  global
-  log /dev/log local0
+    log /dev/log local0
-  log /dev/log local1 notice
+    log /dev/log local1 notice
-  daemon
+    daemon
-defaults
+  defaults
-  mode http
+    mode http
-  log global
+    log global
-  option httplog
+    option httplog
-  option dontlognull
+    option dontlognull
-  option http-server-close
+    option http-server-close
-  option redispatch
+    option redispatch
-  retries 3
+    retries 3
-  timeout http-request 10s
+    timeout http-request 10s
-  timeout queue 20s
+    timeout queue 20s
-  timeout connect 10s
+    timeout connect 10s
-  timeout client 1h
+    timeout client 1h
-  timeout server 1h
+    timeout server 1h
-  timeout http-keep-alive 10s
+    timeout http-keep-alive 10s
-  timeout check 10s
+    timeout check 10s
-frontend k8s_homelab_apiserver
+  frontend k8s_theshire_apiserver
-  bind *:6443
+    bind *:6443
-  mode tcp
+    mode tcp
-  option tcplog
+    option tcplog
-  default_backend k8s_homelab_controlplane
+    default_backend k8s_theshire_controlplane
-frontend k8s_erebor_apiserver
+  backend k8s_theshire_controlplane
-  bind *:6444
+    option httpchk GET /healthz
-  mode tcp
+    http-check expect status 200
-  option tcplog
+    mode tcp
-  default_backend k8s_erebor_controlplane
+    option ssl-hello-chk
-
+    balance roundrobin
-backend k8s_homelab_controlplane
+    server bilbo 10.1.1.62:6443 check
-  option httpchk GET /healthz
+    server frodo 10.1.1.63:6443 check
-  http-check expect status 200
+    server sam 10.1.1.64:6443 check
  mode tcp
  option ssl-hello-chk
  balance roundrobin
  server shadowfax 10.1.1.61:6443 check
 backend k8s_erebor_controlplane
  option httpchk GET /healthz
  http-check expect status 200
  mode tcp
  option ssl-hello-chk
  balance roundrobin
  server nenya 10.1.1.81:6443 check
  server vilya 10.1.1.82:6443 check
  server narya 10.1.1.83:6443 check
 ''
--- a/nixos/hosts/telperion/default.nix
+++ b/nixos/hosts/telperion/default.nix
@ -1,46 +1,61 @@
 # Do not modify this file!  It was generated by `nixos-generate-config`
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{
  config,
  lib,
  modulesPath,
  pkgs,
  ...
 }:
 {
-  imports =
+  imports = [
-    [
+    (modulesPath + "/installer/scan/not-detected.nix")
-      (modulesPath + "/installer/scan/not-detected.nix")
+  ];
    ];
  networking.hostId = "ce196a02";
  networking.hostName = "telperion";
  boot = {
-    initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+    initrd.availableKernelModules = [
      "xhci_pci"
      "ahci"
      "nvme"
      "usbhid"
      "usb_storage"
      "sd_mod"
    ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };
  fileSystems = {
    "/" = {
      device = "zroot/root";
      fsType = "zfs";
    };
-  fileSystems."/" = {
+    "/nix" = {
-    device = "zroot/root";
+      device = "zroot/nix";
-    fsType = "zfs";
+      fsType = "zfs";
-  };
+    };
-  fileSystems."/nix" = {
+    "/var" = {
-    device = "zroot/nix";
+      device = "zroot/var";
-    fsType = "zfs";
+      fsType = "zfs";
-  };
+    };
-  fileSystems."/var" = {
+    "/home" = {
-    device = "zroot/var";
+      device = "zroot/home";
-    fsType = "zfs";
+      fsType = "zfs";
-  };
+    };
  fileSystems."/home" = {
    device = "zroot/home";
    fsType = "zfs";
  };
  swapDevices = [ ];
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # Until I can figure out why the tftp port is not opening, disable the firewall.
  networking.firewall.enable = false;
  sops = {
    # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
@ -61,11 +76,37 @@
      };
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
    2019
  ];
  services = {
    # Caddy
    caddy = {
      enable = true;
      package = pkgs.unstable.caddy;
      extraConfig = builtins.readFile ./config/Caddyfile;
      logFormat = lib.mkForce "level INFO";
    };
    # Tailscale
    tailscale = {
      enable = true;
      openFirewall = true;
      permitCertUid = builtins.toString config.users.users.caddy.uid;
    };
  };
  # System settings and services.
  mySystem = {
    purpose = "Production";
-    system.motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
+    system = {
      motd.networkInterfaces = [
        "enp2s0"
        "wlp3s0"
      ];
    };
    services = {
      podman.enable = true;
@ -83,7 +124,25 @@
      haproxy = {
        enable = true;
        config = import ./config/haproxy.nix { inherit config; };
-        tcpPorts = [ 6443 6444 50000 ];
+        tcpPorts = [
          6443
          6444
          50000
        ];
      };
      matchbox = {
        enable = true;
        # /var/lib/matchbox/{profiles,groups,ignition,cloud,generic}
        dataPath = "/opt/talbox/data";
        # /var/lib/matchbox/assets
        assetPath = "/opt/talbox/assets";
      };
      dnsmasq = {
        enable = true;
        tftpRoot = "/opt/talbox";
        bootAsset = "http://10.1.1.57:8086/boot.ipxe";
      };
    };
  };
--- a/nixos/hosts/telperion/secrets.sops.yaml
+++ b/nixos/hosts/telperion/secrets.sops.yaml
@ -1,10 +1,10 @@
-1password-credentials.json: ENC[AES256_GCM,data:odK6x2TscY1WNCOaPBSfo2ln7hsa5UopakUpOgB4ci64p4LGIwTTDnSiq8+UXkrDndQ7tSqtr9RUvB+AwwYOuh1KBAwWmlZN7agtxUYc1wvMdQv8WPDfhqe9m0FNP5gyTaohcjBdBddZlv7izScVePUQUdG04dGYqUg6mQ/gmPtJy27hil8GivvxRN6FnFtkgoyfE+ZLfkTuMdeL4cxai4j+UeGc5XgmsrBLrW5udeDw2hktGXEBp2vMC6t+D7uzZ7DeLBDiHRbBZBeo+krnVdPsLxU3yFF/hC8vWVbkT7Wt/UhB0+X8SWvhYOvc3KW+NfyHcU0SONhQCM4iOkk/1qvcaDHy7idqexKxOtfQaZtuHW0vB3icgbxTO9usFxOxUPe63yXHUg+UDKSN4UGCF10eLoZKaV7zO76BkTFXQLl2Q+dytaxEKathhW4fS5lUBpuxXNDXuIxMiUIclXwVWVDpL7qchTJCopWwwDRaeHrUPev+pQptEsDLYpZeuf27hPjCMiOWkxt2kg2eKPjJ8AUtI8N3OlFPCyAurLgLSrFj0Wzm24LJLKsjs1if2y2jb/pR4MPdgnHgNnHS8VQ9JVprVyuw9C/wDhVV7yW+D4tlJ/d7AXaJq/dkO8XnwCEVPyFr9bUMB076z+tleYgvv9rHkdQMaqHr5HCHAtuYfM4f0Zpfr9alJ4wxCsj+MAn/PLGxjNd/hQQY+oYRpzBne2mUoxhRt3ZjnGH8LUBFSlz+e0+PB0anS3oV3XZUt0XuwGpNIxp4LsRFgmDC2qoMKZ2X7/DfTdmb3te0YbYNUUeHxlQ5AImzU6Lj1qw/clD7ViS82Rjc/WCavg9J7U7CdDbzhtv6xCxbyd3j1r8Wi4XLAXy4ZdcdvCEyYDHwJeExY8pp/jvS3CqSrlC/PyBUemloIQ+jSQiRYDv26XpRKbJ9Yd8fJ4ANPCMuvXU21iXtxHIRwopTo87hWqqSaORFcyVOmCxJJpa/TXL5fdd4ISy6CSqZXZCCIfiVxq4fBkqSoya4XMXQQq9Ki5xwLf1bDhaT3v7okP87A9d/j9Vru2RIZtRT71jVKvwDvJhLAfYuXyIUfQh5cvIw4/HlAZzP5vi1w5KlIJGf1uVVhvTl7p23/Gi9LAX3/P75dbK+x4VYOyqjMowER3jxk9m6GyFDl7iuceNh1bIpgPN1s4QOba7N2Tex5oa/aJJKOLYE4GYDtom5auDP6Xqa/Nd4NaDyd5oVuXcP7Lp7tDu9sIW5rhGaVYKU7jhzALN9HjfmAen+cZ50oy8L3IYKlS/91qzGughYDOjK4qeQ2XrMxySnCPja7ElV4gxmB3X73nxN+N0ZLEDhAGIS1FOaOammDjK2Pj/3vA5+S2hO3GYLh9glNgRnIGlNUVtw3My9H1mYIc4eP+LGGXz1KPnQMQWRtXZHH4d4fsOyhk+CE8as7WtyO7M=,iv:RkYdMs72Nq7dwHScKZeXMNSJ53ztTXCb3lkhrr9K2oE=,tag:XDdPfd+Be9nSAbvate52AQ==,type:str]
+1password-credentials.json: ENC[AES256_GCM,data:mPnJtGeZfSGnMjiJsUUfTnKwGNtuPLK/+XhGTrztiQN3bPh2EFtOg18nihsvdI6klWov9OymwATput//StpRuO2u9XtF3ayET8m8qrrldELi4IGujEBp5rmQ3DIeknhJCNGRscYDEIbRcSuVjPRIJtN42njOOr7SSvJzw0o3MTPwfJrRedOeAbvVLQ5+37JGGvS4mvfyZXXi3LFhmWPqWFyzGCUdaDJ+pBwr6Z2JY89votbh2JaTp+kRIgWm4XI2oi3sKGD+kbORHoVeCS9qzUBdGmGvmqNXLkAYJvOMGk6lT2qaMlN9/6ab57Ob9YBT5qb5CxBZr+JAk0/BrjVakjvf+gS5JFehpLkx2yTllhbcD+GvGu86m37HyMi/PZefxeO9BiGdUhpAapuQzGRk5E484ClbwSW8D7SylKPkTU1gy88L1C2hHbdJdBsTL4r9bkwAwLEuRNri5t0QXNjKlGLtWM0FJvRJC1NkBPwA5rc0Vl7d6Bvf6AV0WQjD0qSh8FDmu2ouMfRJQ6ceM654xQTt6UfVxDJV1AxFEB78rIECuIfkPyMf9GG20l+LdlACHLTBtWGWesjuWag22ONwDsopX52ttAHkMslttpN2PA5wrtoy1KS8mia9BvvdVVv9ykURjYISn85/oHgiw1nCYQQlgPVCb3fmrkQhSZinawIBvKz9xB1xA5JVBuHSOeIzZizkh1S2T3QlSllqWpdHFVsif4gaEfFq9h3DVDcr05sTya6/SV3A1Lv8R5RkpOSO/T0w1Uco8EcXi/ZyaEvQ4v/oJGJBJNiTJI8IEMx8s59tZ660SmefUS8BLVlSxhxJ2PdON2lEbMcva7FvvuRNfMfXEv7psDdXDUWIxPfwsn+llqrosqcDcPNkS/ksVC5kCZlWCxgpnGAKnUkyV9KM484O3W/tVzE5qmUPRUse+bIJ/CX95qK6oSWDK+lBICTayYdgHHwiMJygXUDzWlS1ulL7UyX6M30v7I/WUMNFJ3IeCVuETkNhttP8WsyyNPv7Nh6qSH14Yaz9+EpBRvY8qU7IbNXfeNq6MkMn91l4Mlwfo38AExJ3jtd6ql7eOTPFJYbwY4y4bdkF0kLx0eaw79aLE/fcsnfmxE1zsu0Ihn7NSu0IYgOPsp2t8JS95jVqSc0N6cfCUo4/N6YYfpDsfiNVCAz6poqIHAWo69oD224xAz6Qx9k01/d341KHC1GhjgZ5gdK0caGhQJ633V8w6v5IBR1Uz0Q/F5/rCfRmFE7sCWf8eqMoQaJ+CpmEvdgQpl9Zao1LSObJjk36X5R0YLY8Q5lkh/di0/E2KEDgcId4Z3gBHvpK+TKXJR3ajF8oWgGJO/o+WfsJstyJqcTS8uxWiQaG6vBkomrujEmwNu7r32Z4WC0NBI32TtzT1FOslBEIsruosRJ0gXaDBaXCQuycJS2NFvDZoOdDW6dBIKg=,iv:uyFfI8iGwRHBbVS7zsyAewFlaHe38enW5sBW+J/ipG0=,tag:cZy0HBx64HpRCdzOnTDS5Q==,type:str]
 bind:
    rndc-keys:
-        main: ENC[AES256_GCM,data:X0HTyNmqH1epIVNkXMyFlavqAodDw92Gs2sK54USNv0mWIwmk8NEb69x/Od8TAwDZw63k0lEAymyj/hBfkpav9yKT1M1hGxr09xjWsR/DTAM9tFv140cvnMEon0ZbXVXp4ou24jP,iv:7AsoCrxf8CyPiyWYfHZsGE0Qw/wutCVvCEiRdUdmIHA=,tag:oJi4BTDrD3FLEQuYeDR3dA==,type:str]
+        main: ENC[AES256_GCM,data:2K8QGlLH4TVdqUh4Qx99+/IhBqEldfdEnuVxzWrSiJpCXA8IVD8oQ+43hvfbxTG4Q5Jx1T1dx1VlQLjOikWhW0feYT7Uexn7Q+qNb9il5ioKoiqSHGvPbiy8KceDx2xHcFGquhN7,iv:ibeYbWtFCq0MGMbwIsNrjTTTrqio8gdrEvTIkBHw6+4=,tag:+59enmEps91uROm2jjtm3w==,type:str]
-        externaldns: ENC[AES256_GCM,data:WhH4vAR4Q4iTXq2fT+Z8kOXkwnneNV4bXWYytov62DFDSnYwsvWIbol5MvYIwXM+gEbQ/k/uk62MSFx26T34881EGJmH7KXWr7ji273D8oKAp0Fw6jOt2NZT6XkBwhWEIathUOwNdN6E,iv:SepdyBzYga7s03ppSppiBB/wTbTrL/y70aa/B/m02r4=,tag:vWqlZLx+FvstJjgRj4mjWg==,type:str]
+        externaldns: ENC[AES256_GCM,data:yRNBvr/dq3+2MFANmtIvj0iHZ0Qz705VxA1vg0jl9IkYZhzUtwUlIJF25vDQCsS30BzsXIAQgfncoPxMnqmswoH2Cd3a7W2Pf/Ck9aDMKaCSNJYrl/D86Crwq8nhMJLiDyta7zkwkMTE,iv:V1fQB2zdL1ReBY2f5ofwJju8zrxdh7yxbGCKQ6p29AA=,tag:Qn8PQcTJ4it092qQyAh6gw==,type:str]
    zones:
-        jahanson.tech: ENC[AES256_GCM,data:XqOX6lbCubPEi1pXgIEXW0qyD2+iJXNugTPdQOB/yCm4AX1mMiANAV51FBDb9f+QQ+q1EDqGz/83VKggoIvHSZCOW3dkNWR2uy82uO8C59sbsLrR5AzTTnZN2zlaIjW2q42I838mKfO7MfYXutwQbTpepr/Brtbldm+HRjxugJJMDFvBqSlylSnFA+jeWq7RNRP1+ZxGULO8I2BTPqdRVyRHcIWjyQABTctDcDgDLMpPxrMBTtmC2/CFH5pIT3w6gbrYRwYFZh7fNprOYRRPOkGHMZK6ccMCpm2uRR4b5daB1MidqJUsX999ma2TEmsUJSQZr6mS2r/QvwZ2R9QziIkBxh91vCg6HMaHl8/ISlryZVlkWNY1P2jgCMw0jJ58NxeBVAjVWw3iL+i9JU/q51r8J3nZHi5ql90JMaVdYWw8I2GLYWDHQnES9srEXtJwJNLzE69lQuL8ARmey4gt8Q9snen0v3RJVFb466nPKvH51TjIAr3FB2L8NY3RumD4eYl05L5JdNcFVuqmsYdoWQSQdZz23BxRM/QKT2qKjrhxfZuQW1naNDg3qbx5+bLGHlG6m8wRdtkR5SXWQc5a7LG2eURY9T7vy8yxMWzjd5LPMFLd7JlUSjwXw9YBhYTafGuc2TUESs8DCO/hU2zjAn1KM+rmc2T4aF3HexJwt7b7HBmMrDWObdtj09ycV10tp1Z57ZMz18aJdIbaZKopERN25FzIKiTlytiZiWsesLo6mUbsgb7bmjGGjBEDbp9P7ozgZv5H+aR5Y7POl9EG3gfERPsa1nF1qlloOrYT/GX8pUNhXAxH6QfX7WF+ANiMB/L/X4L0/XufV7shCWfQwogZ3t7ARGHr3dIOyx1ABus+M2QUZyI94jHTn+/J6aaxL8qsDGDZ6383Gk/CHa57BklRUrZZYVs9jzDe7+12gDfID/eP+nnKuohwCY1KcHL5QCRUg8KN1ZIyH1FYz489l/qKFG1nO33iJv/l6opWjIv98EM88ckA7zxU1+UgjxNiBo0EGJPw1erwTwUzehTnj303HuTGbtGjgE/vK8M+rCCpL9L0YAFQyXqeuqQs6yM3PHCyKfvThCAnwnTIGn2mZcyu/GGGOO9Hse/islh4cYldxC8psKNfNlf6qT43MOf+gDJ2GKU2kzU5tivlNqXbgAs=,iv:8SWNl65v24W504eG64L65rDmvqrkF5VJhufN3u/wRG4=,tag:oapDfnOAPyPDiJrxGHtiJA==,type:str]
+        jahanson.tech: ENC[AES256_GCM,data:bCg54kzMqGJdq6+adMz59mfbeIVIoP9qmyFi0uoQX0KTCKU6XNX3FCzI0ludEfUrFtKqjdbmKJzGJbaCTVyL5yDBq9VFtFnBPeaTG0TlzKxO1VBad97+OqSJge5ZlpeNgUR1LUkHa+h2IkNRjde7kIBVHu8hpOqGpXI3UKi+FSYAUiIV1PKLzVh9pSiLp4kL8K0mursA/wSPzEaZ782FFKwIlXMVoTlWgB+tGIxanOekLpUMRaGaUktSJwmSrdSbs1Wn6/FVdWWjiZxHcDL9BU9RyiTyUh9tT9n2mMk7PICihrl5RINObVqi1tssqivN479NCNnXqeJ9wOJdsDZcVdI9ijGuJzcYsAeH2m+zdUGGiMFVRScdtuxgVqEOg014xL+FSe49X2ZXI41Gt3cyWIwX9HHdFMdzTeL/Si2V6dWmFJpdfA/k5hM7UTIkKYgCKeyc0ymZ6xF21pQck7OSTddcCgMBGgk1acfzJgxAzrLD9MjEVWzCdyYTzW0dWPOTcCN7ox9MCrHJWaIuGbgsZuT+Pc5K+/UrXHETidh527wiR/p5I7kozZj9t1u+gT5SNL9sQg3zOnWq1qL+WDWuW31tXR9vlE98T3ZvRHJOiXYK7eYU97ww1hwa09h92lmwkBWNMNL2ouNNLHTDTevCT+1KjLSWlpo3XjwVmk9RfgAbLrQtPIK1C4Q44WZ59f6l+3daz8EmGy+9aXoCW8bfk9bR7O8su+UO5gCHHp72mWtWpE5z+TRMCPXL53bw0IXh/H8Inj98KP05ebpIXvfbnjdfUFA8ujZcJMlvBCUYPHg+0gQtiANfzr9FbUcHVwMHamWww9EpQ3YGmRG/LYY8kJlPRvLaeg9e6gLbz2l9/GM+G5BAMO1ZqaxyOlQ6/J1bBY0WKQDSER1f1W8U/EAi75y+s3LXz+Y3LU9wmmJ7qWeVULjszlaZr+W0NxkX1Qh+ys/ffV7j+NMwa4nNyC1MJnsjgBzLNGxp3fpcCZTqApfZmCbvz3yG65pTDa7BfTsYy596wPec+kquBGYTVnNbg2oXzAPLV99nzJRISeCBtOiuwbIHzbLIEI820OPdMnA+PWAPRWXMIqAq5PDpsZws65pY73Pp,iv:bck9vjCWvfx31ZKNwfkaSHazIKRvMXX//E2hG9lNNFY=,tag:vrsZ4v+LtsuYZH5XCnrfcQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,68 +14,77 @@ sops:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSS9JWTZPak52ZFloYTZq
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUzhJTjZHYnRkNC9tQWJu
-            N3Ewa2hrbUZmZ0Y2aVpzaTZjN1hzWTlqRmg0CkdIZk9IMDdWQ2xsYmdHcGM3WmVk
+            eWZxKzUvRDdoTVVKcXNDRk5MTmV3Q2RtMEFFCkhjY0pRV2dRYlU4R1ZzWGkra2hN
-            cnVXVkprbXlQeDdzSkEvbW9SSE1aU3cKLS0tIHpuQUY1TmdKbGpZQ3N5Vk5LdzBC
+            YVV0K1g4bmd6a3phVW5tanUreW5tY1kKLS0tIDJOUzViem1vRTFPWXFJWXdQbjZF
-            VVp6Q1ZNR3gycSsxU3Q3SGtNUDN4cEUKDXO3QyNQfXqn587meoAZqraGMl4ASeOf
+            OW14UDNGTlpQZll3cGVVMWQ0eGQ3clEKuPbfceFH/+MChLOiA6J/LCGKce/k45aw
-            rVJDGWkNhne1YFdAfvbiY6pD7RDxscwiRFqDofH/t0EfN4vwrzIx3Q==
+            w1KmPaBfFEl4kAAyAXe0qVypNmzQsVh0rdPMlRq4Fnk1EbnkjAlMyQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSEZKOUJTTjE4YTRQUnFW
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOFN3TU1NQ1R2Rk9kd1FZ
-            bzhMcjlSVTRNRWNkSmZSbU5ITFFTbURFbGpJCnpndFR1OVJvWnBOMVovdVVGWkZ4
+            cFprUlJUajRkK1N2S3JhSERLVHQ1ekczWmxRCk0rMmRrNjdiQmpnQVJmdHM4ZitL
-            Wk9xa29kekgxRnlqbFg4YzN0OE9ZYUUKLS0tIGsxeUhWdU5NaTE3cHpYNXF2OUlK
+            V3JVLy8xU3J3T0ZiMDY5dEN2bW9OWUEKLS0tIHBoeU1RbVhsMU0xMm1pcnV3bHA1
-            eGNyTXdqWFNvZ0NVOCsvaG55dUdaMEkKW9SxqP6Jpn72VAwPhn3laO1OE+gYzLvb
+            dGpRU0VvTU8wSTlva0VzMkZVMkxtUFUK1/7ioFSrAsuyRJkk3rTnEy5xbq2q19xW
-            10NfaR+2P0EJZ3nwc0sLKmPmSzcRiE9etGtNGFiLgoUNkQ3lnwXj6A==
+            5bE8rMfyOBRVrqIUYooDnR1OCpnfD51D3ro80NTfmKxVhxoTH9Miug==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTF2TjJ0WGJaTUFIWE9s
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORGV1RGg3WHRvWmhzRjkz
-            S1NHQmRiQUVjSGJLQXZ2VUUrclorT3dIOXprCnQwOUorNXFzNG1DbG8wRW83QTdC
+            aFJOUTVHN3IvdlVHK1QwNlpPN002T1FOSmpFCm02T210R2FYUlcrL2h3RFdQYWhY
-            a2ZpZnM5Vit6bk1SaXRSZnZZT1g4ZzQKLS0tIFd4RVR2LzdvVG5nVzBiKzBPL1p2
+            NkZxZVpNU3JGNCtWNEtIQmZhd3RKK0UKLS0tIEZudTlEbEFyQ2xOcDV6ODkvQkNz
-            eFJWOGx3Z240clRQN3dNa0Ztb2hrUk0KunfKdWPTZD32KagC+VXmAQDxJAoElHAp
+            Mjk2SXFka05jYUNBNUxiSll5TVp6cjgKRK1errmBICcb3irz4qysjkd9rYH5K5Tf
-            mo8a0GGdeVuJiUneJlZ2KYuLkseCyn0HC5qQMUIT8HZJ2bb+RH0vDg==
+            l+fTyGb3U26dlvP4Krlx/6dfH76NH/ZkvJ3E11aIvXAhu31upzALgQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZHAxMVNsK3U1ZlJnaEJj
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRUhiT1pHa0dYM2FPQlIz
-            eTNhZzRidW9HQ3Jrck0zNmxPYXcvVUtJRTJFClFiMGNuYnEzbVNJNExVSkZ3dVJy
+            dHBadUlLanhYdTB1bjhnQWdsbHllOVFRNUdjCnNyaW45SUhydlErd3dRYnJHa3lD
-            MHlRdG1uNHhZb3daNW03bVJrOGZmNmsKLS0tIER3RUg0TDRQT09jdy9xNzF6OUtq
+            bGRnc1RTdm55VFZlR01icG5NNWJibG8KLS0tIDI5WjBOL3p4M1k2ZWI0d00weHpJ
-            VHR4NjUxZGpRYzNKaHhlVTdJQXBmTlkKHgqnACFlEusz0/W+I/O2smr/SV2Oiw9Y
+            Nk5CeUY2M1VrZm1NZkVRa3ZMbDE3a3MKAb1sjdyJTVu3h52xEqJedn2MdNaFryLX
-            wCqCyVfB+kGrfgq08e8ki8NXv3PDT637BU3kXFaOTQhzSE0aCpD8qw==
+            gZOMBhtz4fac11RZC3nFA6RDra3KddQsad5lwK5JOeFFRi688x5cag==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTXJWQThMaDZNajBFOVRT
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2S3VPZHVrbGoxVUVldnJX
-            NEpJK3RvbzRKUXE0NWpRQVA0aWJSYVNxWkhNCk1nWHVaYmZNQkdQZFJIOTZKTWxC
+            L1dNL0JaRGVNemkzZkMwaDlOQ01RY2YyTmdrCmthaHRYVzV1Qk8xOE1aS29GUDha
-            RXpOaHc4dzNBZ0txcFhtbjVVSjhDbXMKLS0tIDkwSnFTTjBZZE5hZTdXeTI1Q2F6
+            MUtlZ2FuVCtycWRMbWxrVURBUDg0dlkKLS0tIDRwSmJsN2FsVVpzOWV5WnZUaGkx
-            Skw3OUt4SVlrQ0M0d0h3KzNubjZ6SDgKiEvuO+RqygeSSzeUlQJSPuzNY4tbzKso
+            ODcvNjl3cjE1Nm5DRHhzalRVUGdjUGcKOMfvjsP04O9UoRpyGncQ3Hon91rvXUH6
-            bt/fSCV4ulFTvjybD9lfA9dclHGM/IRA9obCQd8RsCBQuXo9cuWnjA==
+            fM6BWVEoH7tYq779YB3qEt2lh5TN/DDd8/ROOx25a4hL7F0/zy3vNA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSzVyTE44NUUzLzZVaDl0
            TmNWYWNuK21mS1RlTy83OFRrUlZSU1FYZGc4Cmx4eExyY3o2OUhmeEdoOEtNSFJQ
            NUx3cnVBVEV1VGgxTWZFSmVoYlJtQUkKLS0tIHRjZTVtKzByWmRJMnpxNWo3RjEr
            NCtmMTNmUWNkbUlIL0pEWUxCVk9XTzQKIxVOgsWjLvKwKpKMFQnkt5zzFMJ1P1AE
            XqsOg5bKN7Yzw771PZ7nYPIIvsFPqznVARKTPxnjELjSUqT+VrJT/g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZkQ0NzVGMWJ4Tk9vYnZC
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpVGNIeTc1VFRRZjB5Q2tR
-            dmo5U2FJa0pOUmt1K09MWFdRamNnaUgwbEM0CnhKRmMyN0RYMG5Uc3ArQVZhVFZX
+            TjB2T3BRNk5xc0cyTE9KODBvMUdkOGxyN3o4CkNoYUl6QVhUN2dmcjYvdWRFTHpT
-            RHQ3SU1TUnQ1SlhvZGp6emFOV1FuVE0KLS0tIE1oQjQ1dUhTMVBaTnZIeVpVNmxp
+            SDVIVmt3VFk3cHd4d0F2RHFkQ0lQbkEKLS0tIHNhaXhEbmJlMzZ5aWFZNWRRV25O
-            cnk3ckEyWkdhWkpkQlhJTHlsaGFTNDAK79D2C2RZql38hBJOBnqhOOdb7Z7EJNgj
+            emh5UnZpRC9MWE9yWkxNYXQwa05kRWcKbo9ONgyzMWCCkG17nIRWOUkLR8WtPeL4
-            aWfivACOM//hsPCZK+9YFpXJ08Nb6iBlNKzYsTW7qJ+Ue9M9i9JShA==
+            U4yF9SDKtdwIJKuC097uIEXvF5blEkhf+5Mai0TMrhq+NMggjP7M1w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdHRRVEY1dmR2WjM3YVhk
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOXBwN0JoMjlidmVvdHB4
-            dFZ6UmUxUTJKR3RKMUM0UXVaMUJwMzJRTmpnCjJtdjgwNnphOU5EdUxkSUp6UkQy
+            QkhqaDRjd0t1SEl1WllVTjVhMENJMGNoK1FjCnExSkJzanpmdWFick9BZy9BMDkv
-            cS92MGdlTExVbWJIWGlGVVFla001MGcKLS0tIHF6c3MxR1V3N2szeXlNdWhUaGpW
+            UGV2VTlsL3hZWllkdlcwSGc4RlZJODQKLS0tIEZEM2hTZlN4VFI3Qk5JRXErUVNG
-            WWRlTHl1MWFmU293NGJyRVNRTE1RWWMKu5nK98591T0Z4rHIHxCY7mqBW/CF6abl
+            aUdDTlg0Y25rZHVwSjFnODk4MHZ4aEEKxYeMCkODa2JhGX3zlpmDJ+sbXD5T5DtT
-            3/ygImXkb15Ws4b4mcN67vk3omg9CB6s0SHfFk1GAu6CiN7MufHQ+Q==
+            Iedq5KFLmmvXBOu0sXlVdO+G0/qBgl/5t4pwLFDCx+qsxZgEJkUEMg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
+    lastmodified: "2024-12-27T09:27:41Z"
-    mac: ENC[AES256_GCM,data:pmZjxv+vcznnamHNvOL7sr8wrejmcqo6D/NpizVo7TPo6cs59vTQ2fXmM0zlfJs81wZVe8cMcv2LXITSmjpZOsrhYuzMpPsc9HGzdwfOXVTfdVDYWVwNd4LsXMW40rqUbZyVtp8zAOW4eF5iY0H+acPxMcBbogoQKOU94a0NqzU=,iv:vFcpIrA9KRMawLCbMqWbKcGFPBcMp3mQRIgje5dV5S8=,tag:iuEaP9jjhhvjMjChvaoBCQ==,type:str]
+    mac: ENC[AES256_GCM,data:T2obxwbBbBiR3dPq3wYzrGEMdzUKZ9F5LJSDlG9zlECIsyYdlSCx4n0qrhOioNYpjwUNCGoBL0EH11cmTlUzpV/mA8e7oW2oXbVydP1xu9p8LQHtTO8veLPqfKYqEL6iCF/6iJWh/o+NYCAHzp1BWGR0VbrF4QBgYWSPRjy9HXQ=,iv:cdu2Y5OQ7wpLoAXWP94hU+syjqYhh7Z2G6ezgdDgGRg=,tag:/aHcyP+SmY4SQ9L+sEsemg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.1
--- a/nixos/hosts/varda/default.nix
+++ b/nixos/hosts/varda/default.nix
@ -1,33 +1,66 @@
-{ ... }: {
+{ pkgs, config, ... }:
-  imports = [ ];
+{
  imports = [ ./resources/prune-backup.nix ];
  networking.hostId = "cdab8473";
  networking.hostName = "varda"; # Define your hostname.
-  fileSystems."/" = {
+  # Add required CIFS support
-    device = "rpool/root";
+  environment.systemPackages = with pkgs; [
-    fsType = "zfs";
+    cifs-utils
-  };
+  ];
-  fileSystems."/home" = {
+  fileSystems = {
-    device = "rpool/home";
+    "/" = {
-    fsType = "zfs";
+      device = "rpool/root";
-  };
+      fsType = "zfs";
    };
-  fileSystems."/boot" = {
+    "/home" = {
-    device = "/dev/disk/by-uuid/8091-E7F2";
+      device = "rpool/home";
-    fsType = "vfat";
+      fsType = "zfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/8091-E7F2";
      fsType = "vfat";
    };
    "/mnt/storagebox" = {
      device = "//u370253-sub2.your-storagebox.de/u370253-sub2";
      fsType = "cifs";
      options =
        let
          automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,vers=3";
        in
        [
          "${automount_opts},credentials=${config.sops.secrets.sambaCredentials.path},uid=994,gid=993" # evaluated and deployed from another machine
        ];
    };
  };
  swapDevices = [ ];
  # sops
  sops = {
    secrets = {
      "sambaCredentials" = {
        sopsFile = ./secrets.sops.yaml;
      };
    };
  };
  # System settings and services.
  mySystem = {
    purpose = "Production";
    system.motd.networkInterfaces = [ "enp1s0" ];
    security.acme.enable = true;
    services = {
-      forgejo.enable = true;
+      forgejo = {
        enable = true;
        package = pkgs.unstable.forgejo;
      };
      nginx.enable = true;
    };
  };
--- a/nixos/hosts/varda/resources/prune-backup.nix
+++ b/nixos/hosts/varda/resources/prune-backup.nix
@ -0,0 +1,26 @@
 { pkgs, ... }:
 let
  cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (
    builtins.readFile ./prune-backups.sh
  );
 in
 {
  systemd.timers.cleanup-backups = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
    };
  };
  systemd.services.cleanup-backups = {
    script = "${cleanupScript}/bin/cleanup-backups.sh";
    serviceConfig = {
      Type = "oneshot";
      User = "forgejo";
      StandardOutput = "journal+console";
      StandardError = "journal+console";
    };
  };
 }
--- a/nixos/hosts/varda/resources/prune-backups.sh
+++ b/nixos/hosts/varda/resources/prune-backups.sh
@ -0,0 +1,19 @@
 # Set the backup directory
 BACKUP_DIR="/mnt/storagebox/forgejo/backup"
 KEEP_NUM=7
 echo "Starting backup cleanup process..."
 echo "Keeping the $KEEP_NUM most recent backups in $BACKUP_DIR"
 # Find all backup files, sort by modification time (newest first),
 # skip the first KEEP_NUM, and delete the rest
 find "$BACKUP_DIR" -type f -name "forgejo-dump-*" -print0 |
  sort -z -t_ -k2 -r |
  tail -z -n +$((KEEP_NUM + 1)) |
  while IFS= read -r -d '' file; do
    echo "Deleting: $file"
    rm -f "$file"
  done
 echo "Cleanup complete. Deleted all but the $KEEP_NUM most recent backups."
--- a/nixos/hosts/varda/secrets.sops.yaml
+++ b/nixos/hosts/varda/secrets.sops.yaml
@ -0,0 +1,84 @@
 sambaCredentials: ENC[AES256_GCM,data:/Ghze4VQ0RKyTKZAh9T5rX37c2l+W44bayusTSHzU9jBviThWYHJBhPwgnpGaqw=,iv:3PvwXwTpQTsdKL/jqbOs0z6ErnWjY9YW5yQylUwtBMA=,tag:ecaNKAytyCC+eveQHiOtaA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXpsV2xYNVdWMkNWZ2NK
            bUhCaXhpZG5GeWVXakdySzZhNjdnbmVFNFY4CmZiZEZDaDJSdmFCS1dQZ053V1lF
            Z1ZBa0dWRy9jMVZkYXJlLy9WRmIrREEKLS0tIFFLbEhxaTI5OXQyRFJ2bWF1dU9U
            WGZxd2dSZGhOVnBLSUNwaEZlMEFydzQKVG18nJUQgS0w69l+x2XD6BA9IEYra4E7
            Wr7GURRrSnS19eqpJR3NTcVBhRO4wUxaj8Xq+nJ54Duik13X1XXdkw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NDdTNHlnSkZaT2s2TTVs
            MnlSSXJFMUdtQ256LzIyZVJ6eFluejMyYmlNCnp5UzFjelN5bXlqRCttMTNiLzg2
            Z0xzWGZmK2U2Y0xzMlF6QnUzWmRidWcKLS0tIFB4YmJ0bDYzS2llN1RFT1Y5RE40
            KzhXQ1NtbVBWbGxGZjVMRUsvVnI1aTAKxdac0X3IX2HcKtuGHfqJn0MXhxU8bdGw
            D1RbcNR1R+uTwZ1IYLG8l6YHXSYV0U6wtv9BuFA7k6ayTA/PmziI6g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5U0FjbjFrOVd0Rkp1TDJJ
            RTgrb0Q4cENjcEljTEJZOEI3NHZWVVI3S1dJCjVnS0JpL0dFbmdSN3Bnc3J1cXd5
            TE1uai92QVEwZFZKU0VUUEwyK3dyNG8KLS0tIEhZTG1kOWgzU2lCbkcxUTc2NHZH
            VjdjaEsyT1B6RjdsZWpVK3BJaU1EMlEKvOxJ5TyUYfpvCwpGNQpL+munayzBye2+
            aWKwNfbJS/0gZy+YpdDRwSliiOMh+DKa0rUHCDt/t79+Bhq/1FEpjA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDL2pSS2JQeDVDa2EvMFhx
            OEFOT0RvUXdpT2ZYcHFNcmVxYzM1TS9lWkJvCmMvRE1ueUp0akxhVWxtY1dLTmRC
            M1U0ajdjT3ppZS81Y1llQll1UGg1emMKLS0tIFFMTEhHRmZrS1hVTjByS3ZmYjJJ
            Y2VtanY0RU51N2FFRlM1cVhQWktuSFkKRHc3kH4vvDFgFETVDSWZLES5lfWRcwVW
            eQs/glxlPh6yUhCutuEvrIy/fGwNbVaJsuud8jqFMemggt7x981DWg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreXVOaSsvQlBsTXB2dlUy
            VlNNMHhNTVFEamJBMTI0dDl4ZlBDSVNlZVg4CjhCNTlIMmdxUjJ0cHJuYUJUT0dV
            UWFLNnZwTzVrbitFZTRXVjREYWVlSjQKLS0tIGMvZ25UNkttRTU1dmE1NThBVUR1
            eWdMcy9rejNncEQ0T282QXpsUU1RWHcKJ5b/n751BlLzhsJNxRjAhMuCOD8ed630
            urmj6eX8piCSGOgChviahqEpyrlhrs0WJJxlJyiYWjQ4e0HRgHZaMg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZDMwKzlLUnVJdW8zbU1L
            ZDBBMm1zV0tWSWxZSU51NU8yS3JNaDk0T1hrCnpFcy8rVUViODNHT0pJR210WUhR
            aXp5ZlNENzEyRjI0TXducXpKN1ZsK1EKLS0tIC9HZW9OTnd4WjYxeXNuNDVQeTZx
            LytvMjhzTk9NUVFUckJ1MVJhK2MyeWsKJALG7c/heYITQb/EBTAAQCCr4YovGqsH
            Y6FhDlwUsPn8SHmHwsi0haAoc7tlMKN6Mtv4MyJ6rSbCBo+c6H0n5A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRU56YlJCcHdxQUZ5enJE
            VGd5cnlKUFpvdGMwVXRDd1B5VmUvVlFUeno4CmF5RVRiSUVTQVJYS2lDdnpFbGgy
            OTgzMkVHSWdsTWl6MWtxck5nTU41V1EKLS0tIFpZencxelRCd3R5c2dFSGNRV29l
            aU5kS1BnYjNXSC92bFdvV21kRER6TmMK6uKyU0iINdkRXwGfxxFjg+DzowkAFVFa
            vsZAbx1Q7V6prwldJwQz516CfvByqLi8s3GYDU7/s99TjK/V+MPqSw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNnBWSklCT3RFSExsSDRO
            V2hPNmtiUGl5bjdaVU13dVFKVW5wL1hGOTBrClBKcG1YS0x5aGFyNGt5dkhPSDVC
            VWNDRFd5VHNjTHVWOEZSNEIwdFNNSUUKLS0tIE9abWUwZDdDUmIybnJ2aVJKbEcw
            c3dRV3NmMTFFbUlRUjF4dWZscEV0b3cKgXYOPwLnUyIBOkB2hIlnM42e3TQXXSIf
            GpaLKqOVw1fMSC0u7l/sTz7c2tAWVAfSXyOFcyUGpV7VAIKPjXj4og==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-01-03T20:11:27Z"
    mac: ENC[AES256_GCM,data:UFU5bQg2/OuCTkqV5efbGh8VPKqJWmyld0r01j97M7+CQGwyWoXlDmaMR+27xSjSDQPxwAhb+ejQue5585VNcztdBoaH0F8wOWgkdlzxiHMvQRC5TXjao4anxNRnedf07+YHQZ74udUa9Qf8UXZqIwb6HNCDmebrNi38GOWfoS0=,iv:YQ8gGj5LgMvaZqwTD3Vtj3tSjaAlmTaCFKaWkgM5WDA=,tag:K2tbaECleS8Rn0uIfL7x9w==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.2
--- a/nixos/lib/default.nix
+++ b/nixos/lib/default.nix
@ -4,40 +4,60 @@ with lib;
 rec {
  firstOrDefault = first: default: if first != null then first else default;
-  existsOrDefault = x: set: default: if builtins.hasAttr x set then builtins.getAttr x set else default;
+  existsOrDefault =
    x: set: default:
    if builtins.hasAttr x set then builtins.getAttr x set else default;
  # main service builder
-  mkService = options: (
+  mkService =
-    let
+    options:
-      user = existsOrDefault "user" options "568";
+    (
-      group = existsOrDefault "group" options "568";
+      let
        user = existsOrDefault "user" options "568";
        group = existsOrDefault "group" options "568";
-      enableBackups = (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
+        enableBackups =
-        && (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
+          (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
          && (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
-      # Security options for containers
+        # Security options for containers
-      containerExtraOptions = lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ]
+        containerExtraOptions =
-        ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ]
+          lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [
-        ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs=${folders}") tmpfsFolders) ]
+            "--privileged"
-        ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ]
+          ]
-        ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ]
+          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [
-      ;
+            "--read-only"
-    in
+          ]
-    {
+          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [
-      virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
+            (map (folders: "--tmpfs=${folders}") tmpfsFolders)
-        image = "${options.container.image}";
+          ]
-        user = "${user}:${group}";
+          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [
-        environment = {
+            "--security-opt=no-new-privileges"
-          TZ = options.timeZone;
+          ]
-        } // options.container.env;
+          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [
-        environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
+            "--cap-drop=ALL"
-        volumes = [ "/etc/localtime:/etc/localtime:ro" ] ++
+          ];
-          lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
+      in
-            "${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
+      {
-          ] ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
+        virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
-        extraOptions = containerExtraOptions;
+          image = "${options.container.image}";
-      };
+          user = "${user}:${group}";
-      systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
+          environment = {
-    }
+            TZ = options.timeZone;
-  );
+          } // options.container.env;
          environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
          volumes =
            [ "/etc/localtime:/etc/localtime:ro" ]
            ++ lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
              "${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
            ]
            ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
          extraOptions = containerExtraOptions;
        };
        systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [
          "persistence"
          "folder"
        ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
      }
    );
 }
--- a/nixos/modules/nixos/containers/backrest/default.nix
+++ b/nixos/modules/nixos/containers/backrest/default.nix
@ -1,56 +0,0 @@
 { lib, config, ... }:
 with lib;
 let
  app = "backrest";
  image = "garethgeorge/backrest:v1.1.0";
  user = "568"; #string
  group = "568"; #string
  port = 9898; #int
  cfg = config.mySystem.services.${app};
  appFolder = "/var/lib/${app}";
  # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
 in
 {
  options.mySystem.services.${app} =
    {
      enable = mkEnableOption "${app}";
      addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
    };
  config = mkIf cfg.enable {
    # ensure folder exist and has correct owner/group
    systemd.tmpfiles.rules = [
      "d ${appFolder}/config 0750 ${user} ${group} -"
      "d ${appFolder}/data 0750 ${user} ${group} -"
      "d ${appFolder}/cache 0750 ${user} ${group} -"
    ];
    virtualisation.oci-containers.containers.${app} = {
      image = "${image}";
      user = "${user}:${group}";
      environment = {
        BACKREST_PORT = "9898";
        BACKREST_DATA = "/data";
        BACKREST_CONFIG = "/config/config.json";
        XDG_CACHE_HOME = "/cache";
      };
      volumes = [
        "${appFolder}/nixos/config:/config:rw"
        "${appFolder}/nixos/data:/data:rw"
        "${appFolder}/nixos/cache:/cache:rw"
        "${config.mySystem.nasFolder}/backup/nixos/nixos:/repos:rw"
        "/etc/localtime:/etc/localtime:ro"
      ];
    };
    services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
      useACMEHost = config.networking.domain;
      forceSSL = true;
      locations."^~ /" = {
        proxyPass = "http://${app}:${builtins.toString port}";
        extraConfig = "resolver 10.88.0.1;";
      };
    };
  };
 }
--- a/nixos/modules/nixos/containers/default.nix
+++ b/nixos/modules/nixos/containers/default.nix
@ -1,7 +1,9 @@
 {
  imports = [
-    ./backrest
+    ./jellyfin
-    ./lego-auto
+    ./ollama
-    ./unifi
+    ./plex
    ./scrutiny
    ./scrypted
  ];
 }
--- a/nixos/modules/nixos/containers/jellyfin/default.nix
+++ b/nixos/modules/nixos/containers/jellyfin/default.nix
@ -0,0 +1,167 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "jellyfin";
  cfg = config.mySystem.containers.${app};
  group = "kah";
  image = "ghcr.io/jellyfin/jellyfin:${version}";
  user = "kah";
  # renovate: depName=ghcr.io/jellyfin/jellyfin datasource=docker
  version = "10.10.5";
  volumeLocation = "/nahar/containers/volumes/jellyfin";
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # Systemd service for container
    systemd.services.${app} = {
      description = "Jellyfin Media Server";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "jellyfin-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
          ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --user="${toString config.users.users."${user}".uid}:${
            toString config.users.groups."${group}".gid
          }" \
            --device='nvidia.com/gpu=all' \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --volume="${volumeLocation}:/config:rw" \
            --volume="/moria/media:/media:rw" \
            --volume="tmpfs:/cache:rw" \
            --volume="tmpfs:/transcode:rw" \
            --volume="tmpfs:/tmp:rw" \
            --env=TZ=America/Chicago \
            --env=DOTNET_SYSTEM_IO_DISABLEFILELOCKING=true \
            --env=JELLYFIN_FFmpeg__probesize=50000000 \
            --env=JELLYFIN_FFmpeg__analyzeduration=50000000 \
            --env=JELLYFIN_PublishedServerUrl=http://10.1.1.61:8096 \
            -p 8096:8096 \
            -p 8920:8920 \
            -p 1900:1900/udp \
            -p 7359:7359/udp \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    # Firewall
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        8096 # HTTP web interface
        8920 # HTTPS web interface
      ];
      allowedUDPPorts = [
        1900 # DLNA discovery
        7359 # Jellyfin auto-discovery
      ];
    };
    sops.secrets = {
      "restic/jellyfin/env" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
      "restic/jellyfin/password" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
      "restic/jellyfin/template" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
    };
    # Restic backups for `jellyfin-local` and `jellyfin-remote`
    services.restic.backups = config.lib.mySystem.mkRestic {
      inherit app user;
      environmentFile = config.sops.secrets."restic/jellyfin/env".path;
      excludePaths = [];
      localResticTemplate = "/eru/restic/jellyfin";
      passwordFile = config.sops.secrets."restic/jellyfin/password".path;
      paths = [volumeLocation];
      remoteResticTemplateFile = config.sops.secrets."restic/jellyfin/template".path;
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
    #   forceSSL = true;
    #   locations."^~ /" = {
    #     proxyPass = "http://${app}:${builtins.toString port}";
    #     extraConfig = "resolver 10.88.0.1;";
    #   };
    # };
    ## TODO add to homepage
    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
    #   {
    #     Plex = {
    #       icon = "${app}.svg";
    #       href = "https://${app}.${config.mySystem.domain}";
    #       description = "Media streaming service";
    #       container = "${app}";
    #       widget = {
    #         type = "tautulli";
    #         url = "https://tautulli.${config.mySystem.domain}";
    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
    #       };
    #     };
    #   }
    # ];
    # TODO add gatus monitor
    # mySystem.services.gatus.monitors = [
    #   {
    #     name = app;
    #     group = "media";
    #     url = "https://${app}.${config.mySystem.domain}/web/";
    #     interval = "1m";
    #     conditions = [
    #       "[CONNECTED] == true"
    #       "[STATUS] == 200"
    #       "[RESPONSE_TIME] < 50"
    #     ];
    #   }
    # ];
  };
 }
--- a/nixos/modules/nixos/containers/jellyfin/secrets.sops.yaml
+++ b/nixos/modules/nixos/containers/jellyfin/secrets.sops.yaml
@ -0,0 +1,88 @@
 restic:
    jellyfin:
        env: ENC[AES256_GCM,data:293v4afGmUZuHMtdkcs=,iv:Aitx2N/qGXQDCpcgFa72cfvPW9KXLyqBkJ5csDitUMo=,tag:k6t0XYErgU5TuRW/e9AnXw==,type:str]
        password: ENC[AES256_GCM,data:eR0jFe6o6pLpKR9KjUpH6GWVMAys4EiX981VecNq9Et/fQ==,iv:l9tCvWH80sl+nS0RKdApCqzEr1PPpNQDJlr0ILZYK94=,tag:R4rnUw1y2QBG01XkMp1JSA==,type:str]
        template: ENC[AES256_GCM,data:tj3qrery9dHplVa8ecac2x3yfISuaUSJJDKsXuRF1ek9G43Uj7B3P8m4JEFHBeCK6vvYIK2QGEcUW5QElnuPYCaB,iv:jp5biUiDMpAMghuO6sNaQ+RN0uFCAFgmPOQLB71KdCY=,tag:et41JJnD6/ZZsBLRCyJtHw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWnp6K2RsVHRmTFhYNGRs
            ZnRyVmVZU3hUNVVBZnRtWGVFZTgwTitLWlZrClZ1cUVOSHRCc0xBQ3pYWFI2VUgy
            NjVCMGxJWVpXNXc0R1p4cnNIazJHNlkKLS0tIFEzdE9pZ2N6cnVUTVdoRHFaZXQ0
            dVpzQU9tbzlURlVIMllYZEZpaE1PT0UKAqtn9wmQNNy8qMYy6tSc40/1I/4eseVs
            jsrfZU+73/OM5FvOLDo9EVBYhHGSO9/gTedbX8FJCzTYNcNPR/X6ww==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsS040Q0Y2N0hYczFsdkhT
            Rm5ERGVxaHJtYmZwUmpDUlpZc2hpZHNlOFI0Cm1oMmJ3SUZkT2pnVVNBS280d3Y0
            YU1mRWtqSlM0aDh1ZkRuWGpHVHNzTlUKLS0tIEQzU093U091WktCYjRHKzF2ODU4
            a0ozSGhwVFFkdkUrcFdqR3ZPd1IyNkEK+GZf0el8RwGXSHHSPqZ2NDhr3/788IT/
            z9A/zz56OcsRCT8l24+nVtx3pDhcqxvg201wtx0t54n1cLInpxAKSA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNjdJaEFYVVd6cElieTN4
            Qm1vQVVDWmdNM2F4R3dDaU1SMjh5UWNwQzA4CkNCS1JxZHZHVU14T1pmQXZCS0ZE
            cTBHV2dUUmVMYTg2VGJCZTJGTFpMRUEKLS0tIEJ1YTcyOHZtNklVMk9mbDJEWjM0
            VmczY2UybkY5U2tzaitUN2pvWmpHV28KGJ8nlNSA+Fx0GaqMVraMrRGYbPk7BhcM
            92aNv8+1QqOU9NDveRapxv02Uo6dffCVH/343wGh9lPr4orF+OlOVg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMDNrQ1Vuck4yTGFuZmp0
            Tm1GZWViTFF4S3JZUlBEK2Mvait2UE9NM1VBClhXMEpSenlWNkNYVFE4eUhoS0Zu
            NWt0NjEyUDdoQjRQSUNubDRBbDZGTlkKLS0tIGNJOXB6clUvQUk2dE1hMGV3T2po
            Q1VMS3J0alQ1bGxkYVFuMUhUalVuSjAKNnHfUtGfNKw+K7pAcyMaybFukjncAjFc
            AIoJPOiw83Vn1Ps+9tjRrEUzTNkTfaMqeIsN8BEDQ3LzQbX2b+Hnxw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVDV4eDM2N3ZialBWc2ds
            dWVIY0NQb21VcUxKM2VVWWFrYUd0eFoyY2owCkFQTmIvZDJzalRpUkJTcnNJMWFH
            d3FtcmNVMnNEQkdUUFlTdGN0VmtWZjAKLS0tIGJNM09TVXJiNnR1MGQ0TG43Wno1
            TFZFU3hPZkJHZkM3TjJyQVlGYW1MMUUK+5RtvM8icCrs8OBcJing+O+rfAiOI+BC
            z1p1vesZ7BCjFlPNAOt2QGii5h8XFwPyrXEklNXfIRzOmjIVgVC9Bw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYThIdzRlZTdYaHI2Z2Ji
            NTFTUnBaWXAyS2R4Zlk4RjhjQU41YmFNZ0JZCmJjcSsxWFFGVkhUOG82ZTR5a0xa
            VVVna3RTVVRKNWV4VVBoa3ZiUnJldlkKLS0tIDUyK2d1YS96WDZjV2Y3eWFJdHJN
            VGJ3cHlCV25HMXIvTmdJcWtJTk9EUGsKpnsANd3XK5sH2bjSZJTZqYb7GjcY97K6
            iEapD1nLkH4XTpqV0RnrKcIJFJ58LIupvSZZanRk3xt8NIvRTBp5OA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoenJtK2xtUkJuS3dWZ0Vx
            QldCOVkxYmY1VHhIYmYrVUUrelNCTVlybUhjCnVoK3o0VlZsblNTTW1Kbmp1dWpi
            Tkl5bE41Qm9RUnpjWHMwSFczbGhrMGMKLS0tIHlIVVJ5QUxtYjhQcDhlOVpiaEdp
            WG94a1JLbG9BeXVzdUY4bXFPbGREQncK8GS2wkyL0yFee/zSr7YD1RDyTtIiRp74
            ifygcB6UrJ+IhDLxWdcx8XhxkUHDLwUvLRQ71iRE54NytZbW29+FkQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWkpMbmNNdW01WTF2bG1Y
            QUlGbDR1TU5QV0VXa1F0UzYwY1Q5R0hjQ2k4CkRWY0FONlJBS1c3V3BXU1FXOTVr
            RnF3Vll0Uzg4bmtvVVRYZ1lVd1l5c28KLS0tIHRmQzRqUnVDUVZwOWtoQ3lib0g4
            Z1UxbEtkU29kMndqTE5YbnArY3NEYWMKBpF0XsaNxby01RlquQg0nueXZdz7U+oA
            32fA+V8AQ/aHg18JhxScsi4dILfnz7d4WZThbd4HYMKzxiCApguf2w==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-27T09:27:41Z"
    mac: ENC[AES256_GCM,data:vCxrV5Y1v6PuRVZI8tEmaai3kLatLQfk2xDR9wl4teTcSzvU1U2OWToEMFz695fgX62Gld8/U961WC0Q6HQWFPL9lrP/0vYoL9DWu7KAKIYI4lpPtAWi4pvudIJnT5Shd0aC6A/JC1iuI/JqekXRTJIqMUth9tIeoT7SmIgFn4E=,iv:BiqBRxMmUeXGiM5DgrInebr3yCXSd0FdVBfeI2Kc1sI=,tag:gsISmRZkL6XcRE9pLpSwWA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/nixos/modules/nixos/containers/ollama/default.nix
+++ b/nixos/modules/nixos/containers/ollama/default.nix
@ -0,0 +1,135 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "ollama";
  # renovate: depName=docker.io/ollama/ollama datasource=docker
  version = "0.5.11";
  image = "docker.io/ollama/ollama:${version}";
  cfg = config.mySystem.containers.${app};
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    # TODO add to homepage
    # addToHomepage = mkEnableOption "Add ${app} to homepage" // {
    #   default = true;
    # };
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # Systemd service for container
    systemd.services.${app} = {
      description = "Ollama";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "ollama-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
           ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --user=568:568 \
            --device='nvidia.com/gpu=all' \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --volume="/nahar/containers/volumes/ollama:/.ollama:rw" \
            --volume="/nahar/ollama/models:/models:rw" \
            --volume="tmpfs:/cache:rw" \
            --volume="tmpfs:/tmp:rw" \
            --env=TZ=America/Chicago \
            --env=OLLAMA_HOST=0.0.0.0 \
            --env=OLLAMA_ORIGINS=* \
            --env=OLLAMA_MODELS=/models \
            --env=OLLAMA_KEEP_ALIVE=24h \
            -p 11434:11434 \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    # Firewall
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        11434 # HTTP web interface
      ];
      allowedUDPPorts = [];
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
    #   forceSSL = true;
    #   locations."^~ /" = {
    #     proxyPass = "http://${app}:${builtins.toString port}";
    #     extraConfig = "resolver 10.88.0.1;";
    #   };
    # };
    ## TODO add to homepage
    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
    #   {
    #     Plex = {
    #       icon = "${app}.svg";
    #       href = "https://${app}.${config.mySystem.domain}";
    #       description = "Media streaming service";
    #       container = "${app}";
    #       widget = {
    #         type = "tautulli";
    #         url = "https://tautulli.${config.mySystem.domain}";
    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
    #       };
    #     };
    #   }
    # ];
    # TODO add gatus monitor
    # mySystem.services.gatus.monitors = [
    #   {
    #     name = app;
    #     group = "media";
    #     url = "https://${app}.${config.mySystem.domain}/web/";
    #     interval = "1m";
    #     conditions = [
    #       "[CONNECTED] == true"
    #       "[STATUS] == 200"
    #       "[RESPONSE_TIME] < 50"
    #     ];
    #   }
    # ];
    # TODO add restic backup
    # services.restic.backups = config.lib.mySystem.mkRestic {
    #   inherit app user;
    #   excludePaths = [ "Backups" ];
    #   paths = [ appFolder ];
    #   inherit appFolder;
    # };
  };
 }
--- a/nixos/modules/nixos/containers/plex/default.nix
+++ b/nixos/modules/nixos/containers/plex/default.nix
@ -0,0 +1,160 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "plex";
  cfg = config.mySystem.containers.${app};
  group = "kah";
  image = "ghcr.io/onedr0p/plex:${version}";
  user = "kah";
  # renovate: depName=ghcr.io/onedr0p/plex datasource=docker versioning=loose
  version = "1.41.4.9463-630c9f557";
  volumeLocation = "/nahar/containers/volumes/plex";
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # Systemd service for container
    systemd.services.${app} = {
      description = "Plex Media Server";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "plex-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
          ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        # TODO: mount /config instead of /config/Library/Application Support/Plex Media Server
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --device='nvidia.com/gpu=all' \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --user="${toString config.users.users."${user}".uid}:${
            toString config.users.groups."${group}".gid
          }" \
            --volume="${volumeLocation}:/config:rw" \
            --volume="/moria/media:/media:rw" \
            --volume="tmpfs:/config/Library/Application Support/Plex Media Server/Logs:rw" \
            --volume="tmpfs:/tmp:rw" \
            --volume="tmpfs:/transcode:rw" \
            --env=TZ=America/Chicago \
            --env=PLEX_ADVERTISE_URL=https://10.1.1.61:32400 \
            --env=PLEX_NO_AUTH_NETWORKS=10.1.1.0/24 \
            # nvidia-container-runtime mounts the nvidia libraries here.
            --env=LD_LIBRARY_PATH=/usr/local/nvidia/lib:/usr/local/nvidia/lib64 \
            -p 32400:32400 \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        32400 # Primary Plex port
      ];
    };
    sops.secrets = {
      "restic/plex/env" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
      "restic/plex/password" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
      "restic/plex/template" = {
        inherit group;
        sopsFile = ./secrets.sops.yaml;
        owner = user;
        mode = "0400";
      };
    };
    # Restic backups for `plex-local` and `plex-remote`
    services.restic.backups = config.lib.mySystem.mkRestic {
      inherit app user;
      environmentFile = config.sops.secrets."restic/plex/env".path;
      excludePaths = ["${volumeLocation}/Library/Application Support/Plex Media Server/Cache"];
      localResticTemplate = "/eru/restic/plex";
      passwordFile = config.sops.secrets."restic/plex/password".path;
      paths = ["${volumeLocation}/Library"];
      remoteResticTemplateFile = config.sops.secrets."restic/plex/template".path;
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
    #   forceSSL = true;
    #   locations."^~ /" = {
    #     proxyPass = "http://${app}:${builtins.toString port}";
    #     extraConfig = "resolver 10.88.0.1;";
    #   };
    # };
    ## TODO add to homepage
    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
    #   {
    #     Plex = {
    #       icon = "${app}.svg";
    #       href = "https://${app}.${config.mySystem.domain}";
    #       description = "Media streaming service";
    #       container = "${app}";
    #       widget = {
    #         type = "tautulli";
    #         url = "https://tautulli.${config.mySystem.domain}";
    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
    #       };
    #     };
    #   }
    # ];
    # TODO add gatus monitor
    # mySystem.services.gatus.monitors = [
    #   {
    #     name = app;
    #     group = "media";
    #     url = "https://${app}.${config.mySystem.domain}/web/";
    #     interval = "1m";
    #     conditions = [
    #       "[CONNECTED] == true"
    #       "[STATUS] == 200"
    #       "[RESPONSE_TIME] < 50"
    #     ];
    #   }
    # ];
  };
 }
--- a/nixos/modules/nixos/containers/plex/secrets.sops.yaml
+++ b/nixos/modules/nixos/containers/plex/secrets.sops.yaml
@ -0,0 +1,88 @@
 restic:
    plex:
        env: ENC[AES256_GCM,data:FwBQ9TJTiDGDEyrJkHo=,iv:pxqdwOPoxYAc+yY2xdNTi08jFNz+PvnZ9HYhmchEfiM=,tag:3uIPLUoZmDogmuShXqnAlw==,type:str]
        password: ENC[AES256_GCM,data:79FMf5T1gYQX0PYTiEUhPQnHbEIekmH2vJxqwhdCw1MpoA==,iv:n3cQ4cLoEKw7rbCgysc14CMmKtYUfhZW2I6V3qrFp3Q=,tag:ooNflv+TnUOD0JX6NAqxvQ==,type:str]
        template: ENC[AES256_GCM,data:br+HPd37B3rWYPLIYW8MiIHvR+PmsnBXEYLh8MT/v1rbcNH6ppyhwGMgP1kPkUX3o/0Y7PkW1pet5DRHcKUVnXpi,iv:O4MQQBpYCD8hkdTEroUn9+luUdCyz7MYUugjaYhF3Uc=,tag:db5DQBfPGX9ToQzwn1K7GA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbSs2TFBpbW51aThtcEJL
            eW80aG50VHJzcWVFSDlTbE40dHZqTnVpWDFBCkUwNVIrZkdyd1dKcjFzMENFdTN5
            dVBZKzVIYnFJdnkzTlRCT2hITTVsSzgKLS0tIFREVWJENUtoWGR1THlwWXNNV3p4
            cElGSzFtallzc2xBajRYSGNvOHJnM3cKIdyVG7MySM9caGUXaiTSsz1VVlD7GxRz
            +5NNPoZgfe1SiptiQl3vO8FcIg5XtutI2nwYqLK5gzxZ7x6+D2Oedw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dFAxT3ZCZ1BlV2VSQmlr
            cW9SbWpLRUE4QlNGN21YdGM2NXhGdm1kVmlZClBORG5Mbmtaait4WXZiYkp3cGxR
            WGFWT3NwaS9RK0IzN1FDR3ZWUjIyQVkKLS0tIDJYaVRORk94UXYySStUN0lJYlB5
            L01LdFBzYUhmcENPMGIrYWU0dW91c2sKlraBMZ30AerY2YrGnV1pkeL6xJIGUPlX
            JzjzPmkvqidCaT+gADxM9xTp9S5ZavLn0sGLapqfx2P7pDndRh74Qg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtanl6bWlrQlM2R1Bud0dk
            cWJZdjJZUFVMY3BudEdRVVFOMy9IMTNGS1NzCnZHNXYzRVl5akFDYlNWVXZtMzNL
            UnZEN3ZFUDB6b05Wa3lSc291WXVVeGMKLS0tIGk5ZTJ6d3A4M3ZqTm9KSjVudVBX
            TzNNemlGc1JOckxERUx5V3VCbHBIZlkK+7+PJhU+4hnOiURvfhQOMh3Njl5E8OCj
            CCH5feYLIOpfgEKQbhW8LFkakoqlU5ASdralMRq5h4OZt8hGciYgwg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VFovdW1UbjlLZnRFZWZh
            MUg0RkZqckcxcENRSG5aSkdQNkoraXFTbTNrCnlYWWVOdHVxYUwwaWYvOS8xaG9y
            eS9za000VmR0T0ZZeHp5RXl0c1FUZDgKLS0tIERjY0hrdDlQb29UWC8ybDgwdXQy
            WEVNVjBYV3RUZUN2SksvWDlzYnJydWcKEzXYhd0GUZNDdQcJ1lc5Ci4TAebQHzdd
            Nyrf7Xhgb/vNoScFAvLxpJaEP9aJzWOL7wVHgnzFdf9ViRGF0yynnw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwU3JKelJlUUZxRi90RmRP
            VUpoYXZaQlZpaEZiL3orb2Rva3U4TkZ2TDBVCmpwQXFtUHlicHh0S2h3TUN0U2dE
            MXIrcUdhbWZLdFdhRnB1YkhDL2JkV3cKLS0tIFdCZWVmMytST3dHVG5LL1duckRj
            alZDNkYxVnljUk9Gc25vVElPL0RXSDQKM84i+oIeivQFSIDBhT9Gg3XHk8GFRbzO
            IwUrRIkj+yDKepz+r2Lc+yD2BOeFo+CNuReoJd2SGou7e628VysB4g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRE5UbGxUenRZVjU2NVF6
            RHNUOXJ5bnJmdm13YTNKV1YwdFdJS3JpMTBrCkRNQWNiMXp4SHZ6bGdJay9pYjgr
            UW1CSVRNMFFWNjA5YSttTHBGTWpCcE0KLS0tIDBUV25tdUZHbHpIb3Y1U281dGtl
            bUNHazJDUnEwc015WXlybTdEK1RHL1UKZE/5YGvUN2tR1t7s/Lq1jG3FoMIOmKDK
            GXwUQb1HG7PDG9V/pKWs9OVoFxv7qVuuBm29rRnI44pEERARtbs55Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWHBEUDNuRDhVMmp4QUYr
            cCtmZ2RMWVFNWVhVck44U3ROTE8xNm9kV0Y4CktSelh0ckdQZHNTVnVsVXJweUly
            UmphNzRJU3JOSThQVXB3ZXRlY3BOK1UKLS0tIG1nT09WUm1YcVFJRHZyWFJOKzZx
            OTFDbExmeXBBWmRjSE5BUnpGY0xLRjAKnLWKZEmlI9SsfZgus7tuCOFzokDobz8F
            s7zQ078Dv7R55EPoYPfq8rsMvFpELrAqrNLAR9x4W5YledBDJV8s+A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRSttM1NDdFJib2FleTY0
            UnkrUFhBUFlWNkxEZUNLMjVTUWh4VkhPbkY4CllRY3d0ZXpGRkM0ZG45TVE5SGx3
            ek9BNW9SUGVLZjRiSkVlT2MrSU85VGsKLS0tIEtlcklOOXZldUJwZmVDaWhNeFh2
            RDgrMDlLVm9rN2JRZ3gxSCtxOWlhWkEKkXtZtmXnRn1ukRI4CkjkYefyGOuCw+GC
            HCKKdsASQm4JjcnlUbkL97bC0H+VcLNqHm6NR9dghI9IYuYAeLqMNA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-27T09:27:41Z"
    mac: ENC[AES256_GCM,data:OU23F2vdLKE2aas9xUsx5cmObBmdqybXSfdUT+BGd/mdhThF6vNR3Xwo4PcaK8VPmQ8JmXjOUJ/A9vKvcgz1LuEywgAacayDf6TUu1yXPDm09wFwWGTAYugy2Z54a0VQ8u7Cu/4Ijx0hU0luaYsbCyr7FmKgeO+H+L47JKnrPp8=,iv:dowA2KQqSjNIoPq1A0Yv9g71FSJgey5mMQMuJJMSSWA=,tag:eJrk49soG6dA8UilhuKGaw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/nixos/modules/nixos/containers/scrutiny/default.nix
+++ b/nixos/modules/nixos/containers/scrutiny/default.nix
@ -0,0 +1,91 @@
 { lib, config, ... }:
 with lib;
 let
  app = "scrutiny";
  # renovate: depName=AnalogJ/scrutiny datasource=github-releases
  version = "v0.8.1";
  cfg = config.mySystem.services.${app};
 in
 {
  options.mySystem.services.${app} = {
    enable = mkEnableOption "${app}";
    # Port to expose the web ui on.
    port = mkOption {
      type = types.int;
      default = 8080;
      description = ''
        Port to expose the web ui on.
      '';
      example = 8080;
    };
    # Location where the container will store its data.
    containerVolumeLocation = mkOption {
      type = types.str;
      default = "/mnt/data/containers/${app}";
      description = ''
        The location where the container will store its data.
      '';
      example = "/mnt/data/containers/${app}";
    };
    # podman equivalent:
    # --device /dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
    devices = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        Devices to monitor on Scrutiny.
      '';
      example = [
        "/dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      ];
    };
    # podman equivalent:
    # --cap-add SYS_RAWIO
    extraCapabilities = mkOption {
      type = types.listOf types.str;
      default = [
        "SYS_RAWIO"
      ];
      description = ''
        Extra capabilities to add to the container.
      '';
      example = [
        "SYS_RAWIO"
      ];
    };
  };
  config = mkIf cfg.enable {
    # TODO: Add automatic restarting of the container when disks.nix changes.
    # - https://github.com/nix-community/home-manager/issues/3865#issuecomment-1631998032
    # - https://github.com/NixOS/nixpkgs/blob/6f6c45b5134a8ee2e465164811e451dcb5ad86e3/nixos/modules/virtualisation/oci-containers.nix
    virtualisation.oci-containers.containers.${app} = {
      image = "ghcr.io/analogj/scrutiny:${version}-omnibus";
      autoStart = true;
      ports = [
        "${toString cfg.port}:8080" # web ui
        "8086:8086" # influxdb2
      ];
      environment = {
        TZ = "America/Chicago";
      };
      volumes = [
        "${cfg.containerVolumeLocation}:/opt/scrutiny/config"
        "${cfg.containerVolumeLocation}/influxdb2:/opt/scrutiny/influxdb"
        "/run/udev:/run/udev:ro"
      ];
      # Merge the devices and extraCapabilities into the extraOptions property
      # using the --device and --cap-add flags
      extraOptions =
        (map (disk: "--device=${toString disk}") cfg.devices)
        ++ (map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
    };
  };
 }
--- a/nixos/modules/nixos/containers/scrypted/default.nix
+++ b/nixos/modules/nixos/containers/scrypted/default.nix
@ -0,0 +1,139 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  app = "scrypted";
  # renovate: depName=ghcr.io/koush/scrypted datasource=docker versioning=docker
  version = "v0.138.0-noble-nvidia";
  image = "ghcr.io/koush/scrypted:${version}";
  cfg = config.mySystem.containers.${app};
 in {
  # Options
  options.mySystem.containers.${app} = {
    enable = mkEnableOption "${app}";
    # TODO add to homepage
    # addToHomepage = mkEnableOption "Add ${app} to homepage" // {
    #   default = true;
    # };
    openFirewall =
      mkEnableOption "Open firewall for ${app}"
      // {
        default = true;
      };
  };
  # Implementation
  config = mkIf cfg.enable {
    # Systemd service for container
    systemd.services.${app} = {
      description = "Scrypted Home Security";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStartPre = "${pkgs.writeShellScript "scrypted-start-pre" ''
          set -o errexit
          set -o nounset
          set -o pipefail
          ${pkgs.podman}/bin/podman rm -f ${app} || true
          rm -f /run/${app}.ctr-id
        ''}";
        ExecStart = ''
          ${pkgs.podman}/bin/podman run \
            --rm \
            --name=${app} \
            --device=/dev/bus/usb \
            --device='nvidia.com/gpu=all' \
            --log-driver=journald \
            --cidfile=/run/${app}.ctr-id \
            --cgroups=no-conmon \
            --sdnotify=conmon \
            --volume="/nahar/containers/volumes/scrypted:/server/volume:rw" \
            --volume="/nahar/scrypted/:/recordings:rw" \
            --volume="tmpfs:/.cache:rw" \
            --volume="tmpfs:/.npm:rw" \
            --volume="tmpfs:/tmp:rw" \
            --env=TZ=America/Chicago \
            --env=LD_LIBRARY_PATH=/usr/local/nvidia/lib:/usr/local/nvidia/lib64 \
            --network=host \
            ${image}
        '';
        ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
        ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
        Type = "simple";
        Restart = "always";
      };
    };
    # Firewall
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        11080 # Main Scrypted interface
        10443 # HTTPS interface
        8554 # RTSP server
        33961 # Homekit
      ];
      allowedUDPPorts = [
        10443 # HTTPS interface
        8554 # RTSP server
      ];
    };
    # TODO add nginx proxy
    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
    #   useACMEHost = config.networking.domain;
    #   forceSSL = true;
    #   locations."^~ /" = {
    #     proxyPass = "http://${app}:${builtins.toString port}";
    #     extraConfig = "resolver 10.88.0.1;";
    #   };
    # };
    ## TODO add to homepage
    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
    #   {
    #     Plex = {
    #       icon = "${app}.svg";
    #       href = "https://${app}.${config.mySystem.domain}";
    #       description = "Media streaming service";
    #       container = "${app}";
    #       widget = {
    #         type = "tautulli";
    #         url = "https://tautulli.${config.mySystem.domain}";
    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
    #       };
    #     };
    #   }
    # ];
    # TODO add gatus monitor
    # mySystem.services.gatus.monitors = [
    #   {
    #     name = app;
    #     group = "media";
    #     url = "https://${app}.${config.mySystem.domain}/web/";
    #     interval = "1m";
    #     conditions = [
    #       "[CONNECTED] == true"
    #       "[STATUS] == 200"
    #       "[RESPONSE_TIME] < 50"
    #     ];
    #   }
    # ];
    # TODO add restic backup
    # services.restic.backups = config.lib.mySystem.mkRestic {
    #   inherit app user;
    #   excludePaths = [ "Backups" ];
    #   paths = [ appFolder ];
    #   inherit appFolder;
    # };
  };
 }
--- a/nixos/modules/nixos/default.nix
+++ b/nixos/modules/nixos/default.nix
@ -3,7 +3,6 @@ with lib;
 {
  imports = [
    ./containers
    ./de
    ./editor
    ./hardware
    ./lib.nix
@ -13,51 +12,52 @@ with lib;
    ./system
  ];
-  options.mySystem.persistentFolder = mkOption {
+  options.mySystem = {
-    type = types.str;
+    persistentFolder = mkOption {
-    description = "persistent folder for nixos mutable files";
+      type = types.str;
-    default = "/persist";
+      description = "persistent folder for nixos mutable files";
-  };
+      default = "/persist";
    };
-  options.mySystem.nasFolder = mkOption {
+    nasFolder = mkOption {
-    type = types.str;
+      type = types.str;
-    description = "folder where nas mounts reside";
+      description = "folder where nas mounts reside";
-    default = "/mnt/nas";
+      default = "/mnt/nas";
-  };
+    };
-  options.mySystem.nasAddress = mkOption {
+    nasAddress = mkOption {
-    type = types.str;
+      type = types.str;
-    description = "NAS Address or name for the backup nas";
+      description = "NAS Address or name for the backup nas";
-    default = "10.1.1.13";
+      default = "10.1.1.13";
-  };
+    };
-  options.mySystem.domain = mkOption {
+    domain = mkOption {
-    type = types.str;
+      type = types.str;
-    description = "domain for hosted services";
+      description = "domain for hosted services";
-    default = "";
+      default = "";
-  };
+    };
-  options.mySystem.internalDomain = mkOption {
+    internalDomain = mkOption {
-    type = types.str;
+      type = types.str;
-    description = "domain for local devices";
+      description = "domain for local devices";
-    default = "";
+      default = "";
-  };
+    };
-  options.mySystem.purpose = mkOption {
+    purpose = mkOption {
-    type = types.str;
+      type = types.str;
-    description = "System purpose";
+      description = "System purpose";
-    default = "Development";
+      default = "Development";
-  };
+    };
-
+    monitoring.prometheus.scrapeConfigs = mkOption {
-  options.mySystem.monitoring.prometheus.scrapeConfigs = mkOption {
+      type = lib.types.listOf lib.types.attrs;
-    type = lib.types.listOf lib.types.attrs;
+      description = "Prometheus scrape targets";
-    description = "Prometheus scrape targets";
+      default = [ ];
-    default = [ ];
+    };
  };
  config = {
    systemd.tmpfiles.rules = [
-      "d ${config.mySystem.persistentFolder} 777 - - -" #The - disables automatic cleanup, so the file wont be removed after a period
+      "d ${config.mySystem.persistentFolder} 777 - - -" # The - disables automatic cleanup, so the file wont be removed after a period
    ];
  };
 }
--- a/nixos/modules/nixos/editor/default.nix
+++ b/nixos/modules/nixos/editor/default.nix
@ -1,44 +1,7 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.mySystem.editor.vscode;
 in
 {
-  options.mySystem.editor.vscode.enable = mkEnableOption "vscode";
+  imports = [
-  config = mkIf cfg.enable {
+    ./nvim.nix
-
+    ./vim.nix
-    # Enable vscode & addons
+    ./vscode.nix
-    environment.systemPackages = with pkgs; [
+  ];
      (vscode-with-extensions.override {
        vscode = unstable.vscode;
        vscodeExtensions = with vscode-extensions;
          [
            dracula-theme.theme-dracula
            yzhang.markdown-all-in-one
            signageos.signageos-vscode-sops
            redhat.ansible
            ms-azuretools.vscode-docker
            mikestead.dotenv
            tamasfe.even-better-toml
            pkief.material-icon-theme
            jnoortheen.nix-ide
            ms-vscode-remote.remote-ssh
            ms-vscode-remote.remote-ssh-edit
            # ms-vscode.remote-explorer
            redhat.vscode-yaml
            # continue.continue
            ms-python.python
            ms-python.vscode-pylance
          ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
            {
              name = "cody-ai";
              publisher = "sourcegraph";
              version = "1.27.1721673993";
              sha256 = "ULY2f7Pv1GCkJwqSc6q2cGYvkrKTKyfQ0ErPiQ+/bLQ=";
            }
          ];
      })
    ];
  };
 }
--- a/nixos/modules/nixos/editor/nvim.nix
+++ b/nixos/modules/nixos/editor/nvim.nix
@ -0,0 +1,198 @@
 {
  config,
  lib,
  ...
 }:
 with lib; let
  cfg = config.mySystem.editor.nvim;
 in {
  options.mySystem.editor.nvim.enable = mkEnableOption "nvim";
  config = mkIf cfg.enable {
    # Enable nvim and configure plugins/settings
    programs.nvf = {
      enable = true;
      settings.vim = {
        keymaps = [
          {
            mode = "n";
            key = "<leader>rp";
            action = ":lua require('precognition').peek()<CR>";
            desc = "Peek recognition";
          }
        ];
        viAlias = false;
        vimAlias = true;
        lsp = {
          enable = true;
          formatOnSave = true;
          lspsaga.enable = false;
          trouble.enable = true;
          lspSignature.enable = true;
          otter-nvim.enable = true;
          lsplines.enable = true;
          nvim-docs-view.enable = true;
        };
        languages = {
          enableLSP = true;
          enableFormat = true;
          enableTreesitter = true;
          enableExtraDiagnostics = true;
          nix.enable = true;
          markdown.enable = true;
          bash.enable = true;
          css.enable = true;
          html.enable = true;
          sql.enable = true;
          ts.enable = true;
          go.enable = true;
          lua.enable = true;
          zig.enable = true;
          python.enable = true;
          rust = {
            enable = true;
            crates.enable = true;
          };
          astro.enable = true;
          nu.enable = true;
          csharp.enable = true;
          tailwind.enable = true;
        };
        visuals = {
          nvim-scrollbar.enable = true;
          nvim-web-devicons.enable = true;
          nvim-cursorline.enable = true;
          cinnamon-nvim.enable = true;
          fidget-nvim.enable = true;
          highlight-undo.enable = true;
          indent-blankline.enable = true;
          cellular-automaton.enable = true;
        };
        statusline = {
          lualine = {
            enable = true;
            theme = "catppuccin";
          };
        };
        theme = {
          enable = true;
          name = "catppuccin";
          style = "mocha";
          transparent = false;
        };
        autopairs.nvim-autopairs.enable = true;
        autocomplete.nvim-cmp.enable = true;
        snippets.luasnip.enable = true;
        filetree.neo-tree.enable = true;
        tabline.nvimBufferline.enable = true;
        treesitter.context.enable = true;
        binds = {
          whichKey.enable = true;
          cheatsheet.enable = true;
        };
        telescope.enable = true;
        git = {
          enable = true;
          gitsigns = {
            enable = true;
            codeActions.enable = false;
          };
        };
        minimap = {
          minimap-vim.enable = false;
          codewindow.enable = true;
        };
        dashboard = {
          dashboard-nvim.enable = false;
          alpha.enable = true;
        };
        notify = {
          nvim-notify.enable = true;
        };
        projects = {
          project-nvim.enable = true;
        };
        utility = {
          vim-wakatime.enable = true;
          icon-picker.enable = true;
          surround.enable = true;
          diffview-nvim.enable = true;
          yanky-nvim.enable = false;
          motion = {
            hop.enable = true;
            leap.enable = true;
            precognition = {
              enable = true;
              setupOpts.startVisible = false;
            };
          };
          images = {
            image-nvim.enable = false;
          };
        };
        notes = {
          mind-nvim.enable = true;
          todo-comments.enable = true;
        };
        terminal = {
          toggleterm = {
            enable = true;
            lazygit.enable = true;
          };
        };
        ui = {
          borders.enable = true;
          noice.enable = true;
          colorizer.enable = true;
          modes-nvim.enable = false;
          illuminate.enable = true;
          breadcrumbs = {
            enable = true;
            navbuddy.enable = true;
          };
          smartcolumn = {
            enable = true;
            setupOpts.custom_colorcolumn = {
              nix = "110";
              ruby = "120";
              java = "130";
              go = ["90" "130"];
            };
          };
          fastaction.enable = true;
        };
        assistant = {
          copilot = {
            enable = true;
            cmp.enable = true;
          };
        };
        session = {
          nvim-session-manager.enable = false;
        };
        comments = {
          comment-nvim.enable = true;
        };
        presence = {
          neocord.enable = false;
        };
      };
    };
  };
 }
--- a/nixos/modules/nixos/editor/vim.nix
+++ b/nixos/modules/nixos/editor/vim.nix
@ -0,0 +1,34 @@
 # /home/jahanson/projects/mochi/nixos/modules/nixos/editor/vim.nix
 { config, lib, ... }:
 with lib;
 let
  cfg = config.mySystem.editor.vim;
  users = [ "jahanson" ];
 in
 {
  options.mySystem.editor.vim.enable = mkEnableOption "vim";
  config = mkIf cfg.enable {
    # Enable vim and set as default editor
    programs.vim.enable = true;
    programs.vim.defaultEditor = true;
    # Visual mode off and syntax highlighting on
    home-manager.users =
      mapAttrs
        (user: _: {
          home.file.".vimrc".text = ''
            set mouse-=a
            syntax on
          '';
        })
        (
          listToAttrs (
            map (u: {
              name = u;
              value = { };
            }) users
          )
        );
  };
 }
--- a/nixos/modules/nixos/editor/vscode.nix
+++ b/nixos/modules/nixos/editor/vscode.nix
@ -0,0 +1,92 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.mySystem.editor.vscode;
  # VSCode Community Extensions. These are updated daily.
  vscodeCommunityExtensions = [
    "bmalehorn.vscode-fish"
    "dracula-theme.theme-dracula"
    "catppuccin.catppuccin-vsc"
    "editorconfig.editorconfig"
    "esbenp.prettier-vscode"
    "foxundermoon.shell-format"
    "jnoortheen.nix-ide"
    "mikestead.dotenv"
    "mrmlnc.vscode-json5"
    "ms-python.vscode-pylance"
    "ms-vscode-remote.remote-ssh-edit"
    "pkief.material-icon-theme"
    "redhat.ansible"
    "redhat.vscode-yaml"
    "signageos.signageos-vscode-sops"
    "tamasfe.even-better-toml"
    "task.vscode-task"
    "tyriar.sort-lines"
    "yzhang.markdown-all-in-one"
    "fill-labs.dependi"
    "rust-lang.rust-analyzer"
    "dustypomerleau.rust-syntax"
    "exiasr.hadolint"
    # "github.copilot"
    # "github.copilot-chat"
    # "ms-python.python" # Python extensions *required* for redhat.ansible/vscode-yaml
  ];
  # Nixpkgs Extensions. These are updated whenver they get around to it.
  vscodeNixpkgsExtensions = [
    # Continue ships with a binary that requires the patchelf fix which is done by default in nixpkgs.
    "continue.continue"
  ];
  # Straight from the VSCode marketplace.
  marketplaceExtensions = [
    {
      name = "copilot";
      publisher = "github";
      version = "1.261.0";
      sha256 = "sha256-8IElcnSmngget8gduhdJUMx++PslOg58zcLwhRZCNyk=";
    }
    {
      # Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
      # The latest generally targets insiders build of vs code right now and it won't load on stable.
      name = "copilot-chat";
      publisher = "github";
      version = "0.23.2";
      sha256 = "sha256-OT+ynCA+z8TvDE02hkOEQcJ1mBNz6geLxLOFtgIgKZE=";
    }
    {
      # Same issue as the above -- auto pulling nightly builds not compatible with vscode stable.
      name = "python";
      publisher = "ms-python";
      version = "2024.22.2";
      sha256 = "sha256-uVv4kpTf0W82Gvoju0Q/HKf6SpN2mwuYO7NItlRoezI=";
    }
  ];
  # Extract extension strings and coerce them to a list of valid attribute paths.
  vscodeCommunityExtensionsPackages =
    map (
      ext: getAttrFromPath (splitString "." ext) pkgs.vscode-marketplace
    )
    vscodeCommunityExtensions;
  nixpkgsExtensionsPackages =
    map (
      ext: getAttrFromPath (splitString "." ext) pkgs.vscode-extensions
    )
    vscodeNixpkgsExtensions;
  marketplaceExtensionsPackages = pkgs.vscode-utils.extensionsFromVscodeMarketplace marketplaceExtensions;
 in {
  options.mySystem.editor.vscode.enable = mkEnableOption "vscode";
  config = mkIf cfg.enable {
    # Enable vscode & addons
    environment.systemPackages = with pkgs; [
      (vscode-with-extensions.override {
        inherit (unstable) vscode;
        # Merge all the extension packages together.
        vscodeExtensions =
          vscodeCommunityExtensionsPackages ++ nixpkgsExtensionsPackages ++ marketplaceExtensionsPackages;
      })
    ];
  };
 }
--- a/nixos/modules/nixos/games/default.nix
+++ b/nixos/modules/nixos/games/default.nix
@ -0,0 +1,5 @@
 {
  imports = [
    ./steam
  ];
 }
--- a/Show more
+++ b/Show more