advertise & noauth for plex

until I have the right config
correct podman device
2024-11-22 06:29:08 -06:00 · 2024-11-21 23:11:27 -06:00 · 2024-11-21 17:51:59 -06:00 · 2024-11-21 17:44:51 -06:00 · 2024-11-21 17:26:28 -06:00 · 2024-11-21 17:24:31 -06:00
140 changed files with 4814 additions and 1462 deletions
--- a/.archive/flake.nix
+++ b/.archive/flake.nix
@ -0,0 +1,36 @@
+{
+  "durincore" = mkNixosConfig {
+    # T470 Thinkpad Intel i7-6600U
+    # Backup Nix dev laptop
+    hostname = "durincore";
+    system = "x86_64-linux";
+    hardwareModules = [
+      ./nixos/profiles/hw-thinkpad-t470.nix
+      inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
+    ];
+    profileModules = [
+      ./nixos/profiles/role-workstation.nix
+      ./nixos/profiles/role-dev.nix
+      { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
+    ];
+  };
+
+  "legiondary" = mkNixosConfig {
+    # Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
+    # Nix dev/gaming laptop
+    hostname = "legiondary";
+    system = "x86_64-linux";
+    hardwareModules = [
+      inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
+      ./nixos/profiles/hw-legion-15arh05h.nix
+      disko.nixosModules.disko
+      (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
+    ];
+    profileModules = [
+      ./nixos/profiles/role-dev.nix
+      ./nixos/profiles/role-gaming.nix
+      ./nixos/profiles/role-workstation.nix
+      { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
+    ];
+  };
+}
--- a/.archive/home/modules/programs/de/default.nix
+++ b/.archive/home/modules/programs/de/default.nix
--- a/.archive/home/modules/programs/de/gnome/default.nix
+++ b/.archive/home/modules/programs/de/gnome/default.nix
@ -9,20 +9,24 @@ with lib.hm.gvariant; {
    ];

    # worked out from dconf2nix
-    # dconf dump / | dconf2nix > dconf.nix
+    # `dconf dump / | dconf2nix > dconf.nix`
    # can also dconf watch
    dconf.settings = {
      "org/gnome/mutter" = {
        edge-tiling = true;
        workspaces-only-on-primary = false;
      };
+      "org/gnome/settings-daemon/plugins/media-keys" = {
+        home = [ "<Super>e" ];
+      };
      "org/gnome/desktop/wm/preferences" = {
        workspace-names = [ "sys" "talk" "web" "edit" "run" ];
+        button-layout = "appmenu:minimize,close";
      };
      "org/gnome/shell" = {
        disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
        enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
-        favorite-apps = [ "org.gnome.Nautilus.desktop" "vivaldi-stable.desktop" "termius-app.desktop" "dev.warp.Warp.desktop" "org.wezfurlong.wezterm.desktop" "obsidian.desktop" "org.gnome.Console.desktop" "code.desktop" "discord.desktop" ];
+        favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "vesktop.desktop" ];
      };
      "org/gnome/nautilus/preferences" = {
        default-folder-viewer = "list-view";
@ -40,7 +44,9 @@ with lib.hm.gvariant; {
        clock-format = "12h";
        show-battery-percentage = true;
      };
-
+      "org/gnome/settings-daemon/plugins/power" = {
+        ambient-enabled = false;
+      };
    };
  };
 }
--- a/.archive/hosts/durincore/default.nix
+++ b/.archive/hosts/durincore/default.nix
@ -12,21 +12,26 @@
      extraModulePackages = [ ];
    };

-    fileSystems."/" =
-      { device = "rpool/root";
+    fileSystems = {
+      "/" =
+        {
+          device = "rpool/root";
          fsType = "zfs";
        };

-    fileSystems."/home" =
-      { device = "rpool/home";
+      "/home" =
+        {
+          device = "rpool/home";
          fsType = "zfs";
        };

-    fileSystems."/boot" =
-      { device = "/dev/disk/by-uuid/F1B9-CA7C";
+      "/boot" =
+        {
+          device = "/dev/disk/by-uuid/F1B9-CA7C";
          fsType = "vfat";
          options = [ "fmask=0077" "dmask=0077" ];
        };
+    };

    swapDevices = [ ];

--- a/.archive/hosts/legiondary/default.nix
+++ b/.archive/hosts/legiondary/default.nix
@ -5,7 +5,8 @@

 {
  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
    ];

  networking.hostId = "2132e3bf";
@ -17,25 +18,32 @@
    extraModulePackages = [ ];
  };

-  fileSystems."/" =
-    { device = "zroot/root";
+  fileSystems =
+    {
+      "/" =
+        {
+          device = "zroot/root";
          fsType = "zfs";
        };

-  fileSystems."/nix" =
-    { device = "zroot/nix";
+      "/nix" =
+        {
+          device = "zroot/nix";
          fsType = "zfs";
        };

-  fileSystems."/var" =
-    { device = "zroot/var";
+      "/var" =
+        {
+          device = "zroot/var";
          fsType = "zfs";
        };

-  fileSystems."/home" =
-    { device = "zroot/home";
+      "/home" =
+        {
+          device = "zroot/home";
          fsType = "zfs";
        };
+    };

  # fileSystems."/boot" =
  #   { device = "/dev/disk/by-uuid/E532-B74A";
--- a/.archive/hosts/telchar/default.nix
+++ b/.archive/hosts/telchar/default.nix
@ -0,0 +1,93 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  networking.hostId = "4488bd1a";
+  networking.hostName = "telchar";
+  boot = {
+    initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+      "usbhid"
+      "usb_storage"
+      "sd_mod"
+    ];
+    initrd.kernelModules = [ "amdgpu" ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  swapDevices = [ ];
+  virtualisation.docker.enable = true;
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  # Enable Flatpak support
+  services.flatpak.enable = true;
+
+  ## Base config programs.
+  programs = {
+    # Enable Wireshark
+    wireshark.enable = true;
+    # Enable OpenJDK
+    java.enable = true;
+  };
+
+  # sops
+  sops.secrets = {
+    "syncthing/publicCert" = {
+      sopsFile = ./secrets.sops.yaml;
+      owner = "jahanson";
+      mode = "400";
+      restartUnits = [ "syncthing.service" ];
+    };
+    "syncthing/privateKey" = {
+      sopsFile = ./secrets.sops.yaml;
+      owner = "jahanson";
+      mode = "400";
+      restartUnits = [ "syncthing.service" ];
+    };
+  };
+
+  ## System settings and services.
+  mySystem = {
+    purpose = "Development";
+
+    services.syncthing = {
+      enable = true;
+      user = "jahanson";
+      publicCertPath = config.sops.secrets."syncthing/publicCert".path;
+      privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
+    };
+
+    ## Desktop Environment
+    ## Gnome
+    # de.gnome.enable = true;
+    ## KDE
+    de.kde.enable = true;
+
+    ## Games
+    games.steam.enable = true;
+
+    ## System config
+    system = {
+      motd.networkInterfaces = [ "wlp1s0" ];
+      fingerprint-reader-on-laptop-lid.enable = true;
+    };
+
+    framework_wifi_swap.enable = true;
+    security._1password.enable = true;
+  };
+}
--- a/.archive/hosts/telchar/secrets.sops.yaml
+++ b/.archive/hosts/telchar/secrets.sops.yaml
@ -0,0 +1,86 @@
+syncthing:
+    publicCert: ENC[AES256_GCM,data:TQ8H4JsIEoSSrOtC9koG12v64ANVDU579hakO+Q/Uo+0uY/wf52U5g6THIJII7maVOJ31VXKhQABKuiirYjGnG5IaWnNkzCRo+8Pv861lr4d0be3H2NBubkIK814HziuiHa9MP5szi/J5aPQu0nj9srHCPYDzsueh8+bZDYQ2VdgKWKAKAbGwZXRcCyyNGP9u1VjUJCfXx/iQ3RbCrLNDuVbSbfmVH9wJxUUlF0ViqnHkaucQCstaAuvIn78tKpGJeM0njG2PDiVDTDBnhb5Pui/NdK+3+QqwVQHwoQRagGvqEoiL05DY3ydBlClMt2J23kqBN5U0Az15plHwQNLJujWVtkXsh4naIM8Pztwdi3xoioTytdZF/7q4q9rT3YmAK2grgSw0A4SEVvHD5RUH4ZuN/cLb0+h3Papt7xUQcwvr2WStoEujDfuHYPjs13bITnErv0PE8Imis9/ffGwC0EMsgbuDOzS8+m+KT+E8smNJD2APBZh0jq2aeSG4K1y1Q+tVnBMfZ89g8K9JZUcPWWKlGFUbWYRzY4Y1ueGH0pAUIfHLGai16q6SFvXA1+WHCJzEbZDYfDMW465yYV27JMiY4vJw+dAGs2P5o2Pf5/DtVuMW35ZQefBB/mFrJi05/3/CRbBMP73RJXvnjkTjnmUQ2FybkdX0w2zqhyWV5C171kSOcTpkBYaNWn1oM0thG246b80npGmbRjNWH7PWqxQm6kR7USiQOLgvy9rbAULNZ1+ou6He0oKD003Hfkm+OSfQVAMviIE8iS2b6xo0f8umvJ/gVEVHrDsv75KUVQHTHOjickYeYvVky6ZqPDI1z4ya8q1csb/UnLqSNvjT16OdMVQvwCOcjSPTtymj5IdDspkHW9bN856dDvbbRn0FxsEnjFpZMATYVvcLf92eA1k1/ghQKJdOcBrZY4HWUKx33e21i5OyDcLrX9JVTOMpVtKjX2pMygmVxzwj6DV5BWQYTrNByI5iHE8ihy+vOFf36b6bcyu4+3PKIoKnC738b5fSudGtPFL+bhlFPMEO9xlIwzUTA==,iv:9K8PKwTAKF1iZNRDY8ABgK2xKDZ4jh6l1C+ZzH1aexQ=,tag:/fxUf++pQQKWD8SZyw3Lqw==,type:str]
+    privateKey: ENC[AES256_GCM,data:ul6WGC0iMOpm7RcZjSPATJcu5IMENcvJtPreulDB8vODKfFWKeXlWiy13CZ2fsJxn3Xd/SbXGgtqd6wNQAyU9Rp8qrbFAVCrTppGjbVElbLTdPdpWMU940Rxn4ICc9z4LmKziALFj28O2neRANEzhtThCv724PStXnS2h6mO9bvfDBvmWyD85l0W8hjYHT2g6RaKAMB0BQ+SGb/7YTzpJkU2qdcYdqFaFlxqae1ZO0Ik4UdOBwAGQFgiDM/BzwL5kM0H/r3mMd0vgLBk7AGcQx9yI76SDlFh8CT7jYyJhE0X+wSKwcMdttA8qeCcdkxdEiXgzzFreBJfRq9CUc5+y20mE+cv83bXCIAz12yT0RDMoml1efvrn5A/valqTn8y,iv:VSSVxItFPc7+t5vHoDBRP2mmiFsulThRNZqNy82RYFI=,tag:F6IHAmk4HEINtuYb9Kvbxg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bGFxTi9OcjUwNlJWRWov
+            OEFtZTJacmxSSDhEeWdGbTRhMHEyQ0pwVW5nCmsvVU5KSHJ4OTZtWExzUWg0ZnBD
+            Q3BXSFhMNUZ2YjZiRmRwcWV0R1BnVnMKLS0tIDZKaG9abm5JeVROdzNQcXhhZG41
+            TDhEVG1yaDhZbWNXVm5HQnFBZld1alUKLjDMyKKMcdh96YjZ3/QPEXecPYlNZMGv
+            8BCG4xZq+cqlzxpQ/f9/P+g8crw+BQD/H8S5R/UsNZuT3jFoZYTgyg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFODdNVDNtYytjZmhxK1FY
+            Q2wvT2M1UFRzbVU5c0hDUXhBd0hXWDNoL21zCnI0ak9ESHl5bCtaM21SMDhpMmlM
+            SUx1SldFeTlVME9iQ09BZnJCRk44OHcKLS0tIDR5dFdDZU9ESVFhTXowZ0NWQnBj
+            bFZpNHNQaDZ5M1RnK1FhYXVUVDhpMTAKjbJ7BboI37aWHQ3IIiwd4F725w9QSq/5
+            TYoApR7X5dDhEy43ytuuSUASDN3Zw7xg96e23/JCPfAYzjeL/6MbLA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcFZ4YitXNXNJaDd6aENK
+            OW9Uc0VHS0hhNWUzZXRXbkdUZnRBWTVOWVdnCnlLNmpVRFB0enpUQ1FIbk8rMFhS
+            a2FHTWZSZTFnbC9vNnFPaWVSK3NFNjAKLS0tIFJDS3N5eFZhQm55QUJQOXV1NER1
+            cTJvYVdta0JPRFZ1TUc4eDBNS2VEQzgKkLXYLUC3Fd27KKajQwbKVUUfAawhb4g5
+            /1cKOxSs1eMfCpK0xxZKwsSaAcTfmYlXuRBMO82ol9lMD+/fBNaCfg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYb2diT3NqQ1UyZFM3Mmc3
+            OWJicDNFVXR5dkNQN3ZVYlVCK29yd3FCMG1jClpPaWdRUWsxK2lrMy9YdGFzWmZ0
+            VVNaNE9Pb0lhNEpsWUdGckFRaXNOc3cKLS0tIERLajl6Q1BGcmh3TUYyNGtCS0dI
+            V2ZhNDNJTlBGWU43MFVHMGpzUElZMncK5i95c/lkjjlnpL2dCchkvhnpoQQzb2w/
+            eGx9DQwj7eLhYh/STrsX39vXEEw6kNuIz/2zVMirzVhv/bQ3xmerTQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dm1wQkx5MEUySWR3YmVS
+            ZWZTRkdaeGZPVFpudit6SHpBWE0xODFZd2xRCjlGYmk3L0E3eVpjYW1NSVRoa3lk
+            OHRFK24rWlJNemVWMHhERlowT3ZUZDQKLS0tIHdKancwR0wrb0hWUDBPS3ZBbnFm
+            bjhSTTNxZVczK3lNSENQUVgyZUlzR3MK++UAqpak2u+E/OjXnpFQ0UFb5SrEm7KK
+            TwS0VBa7OfQtC6UHuix4MtsLJYkaEf8vYjjrBHRGlbbgAP+yFPaOPw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycC82VGhHVFRkeEs1QVl6
+            RHJ3N3RGZXFTWWNIYVpVVXQ0Z0sxdWdyNkRZCnJ0a1QvOUpvekJpckY4eSs5bFRL
+            b3ZiVHdpSUlCcjBXMFlzMnJvQUNlNmcKLS0tIHhNUDFzNHZpWE1zQnR3UFdFWkFO
+            VHBGSENKc3lkMkdZaVdVVHlvcWoyc2MKiatzQlU9D1WSZO/6IwGhyd2zFtnRR3SS
+            t9kqNFnrCfuAReoP7PsMukNbfeZr0edn2bTByZ32EF2qBFmEJicGHQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIOG9TQkhzK0NUazd4RVE3
+            Yjh2Y2hJaEdWcVExaWNmNEw1eTZsZHgxdUFZCmhqcHBSblBhd2pSbE8vYVc1NlQ0
+            ck1BZG9LRHY0aHJqMkFkMFJVUVZwOFkKLS0tIG5Cc0ZVWVBzTXoySm91bSszZXpS
+            TXA1RjFETXdRRFBQK3g2Tmk2VGdXVGsK3jkU01wrOWktuThyt51G4opyTrS1W1dR
+            MKWuw2GljMSeGHij5VP+PwmTfaJrl5KpEm5w8ggKIm8KaR3RI/DYWg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaEtvNUs4T3czQ25ObG5L
+            Yk9uZzBvSHFFcjJwdTVXckJFNE1NellDb0VJCitBTWFjRlpOdS9wL0crN3V0ZnBk
+            bTY2R01LYk9zT3ppVHBaNFlMSkZJRU0KLS0tIDAvOE1Ya29OYUF2Rk41c0ZEbzlq
+            eFZwL0R3R0psRzVRYjlzRlBURGhXOTAKwewHTFEpnXKOGTv544Tl8djUG3uKS7+n
+            h7FAGpzGF1/i45+JJYikXjaWbJmN/WqZRrx9BAyu2ymeTQKPzCHShg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-07T23:27:17Z"
+    mac: ENC[AES256_GCM,data:xPofZ+vRCsvPz1WTTjlxR6bbHYDDTP+sX8Rc8lRWzjAnMcsULsmbpeIwjghcnMgm406Umbct87UX1aFu4LioumG3KE1XHzE/s4Ik095m9IBbo2AVLVx0O2Q5UKwDvP7pPnBJBEmjs4xn70bMsOeYRJl+VECQssN18IzjVUwaVmE=,iv:0we672j+kxTHwXO5aUtu9wCIndgqUDnhGWvEGH2sVQA=,tag:Nu8Fa4bc4BWlvNE4m1DXYw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/.archive/modules/nixos/containers/unifi/default.nix
+++ b/.archive/modules/nixos/containers/unifi/default.nix
@ -2,10 +2,8 @@
 with lib;
 let
  app = "unifi";
-  image = "ghcr.io/goofball222/unifi:8.2.93";
-  user = "999"; #string
-  group = "102"; #string
-  port = 9898; #int
+  # renovate: depName=goofball222/unifi datasource=github-releases
+  version = "8.4.62";
  cfg = config.mySystem.services.${app};
  appFolder = "/eru/containers/volumes/${app}";
  # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
@ -16,12 +14,17 @@ in
  };

  config = mkIf cfg.enable {
-    networking.firewall.interfaces.podman0 = {
+    networking.firewall.interfaces = {
+      enp130s0f0 = {
+        allowedTCPPorts = [ 8443 ];
+      };
+      podman0 = {
        allowedTCPPorts = [ 8080 8443 8880 8843 ];
        allowedUDPPorts = [ 3478 ];
      };
+    };
    virtualisation.oci-containers.containers.${app} = {
-      image = "${image}";
+      image = "ghcr.io/goofball222/unifi:${version}";
      autoStart = true;
      ports = [
        "3478:3478/udp" # STUN
--- a/.archive/modules/nixos/de/default.nix
+++ b/.archive/modules/nixos/de/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
    ./gnome.nix
+    ./kde.nix
  ];
 }
--- a/.archive/modules/nixos/de/gnome.nix
+++ b/.archive/modules/nixos/de/gnome.nix
@ -1,15 +1,29 @@
-{ lib, config, pkgs, ... }:
-with lib;
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
 let
  cfg = config.mySystem.de.gnome;
 in
 {
-  options.mySystem.de.gnome.enable = mkEnableOption "GNOME";
-  options.mySystem.de.gnome.systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
-  options.mySystem.de.gnome.gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
+  options = {
+    mySystem.de.gnome = {
+      enable = lib.mkEnableOption "GNOME" // {
+        default = false;
+      };
+      systrayicons = lib.mkEnableOption "Enable systray icons" // {
+        default = true;
+      };
+      gsconnect = lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // {
+        default = true;
+      };
+    };

-  config = mkIf cfg.enable {
+  };

+  config = lib.mkIf cfg.enable {
    # Ref: https://nixos.wiki/wiki/GNOME

    # GNOME plz
@ -35,13 +49,15 @@ in
        };
      };

-      udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
+      udev.packages = lib.optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
    };

    # systyray icons
    # extra pkgs and extensions
    environment = {
-      systemPackages = with pkgs; [
+      systemPackages =
+        with pkgs;
+        [
          wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
          playerctl # gsconnect play/pause command
          pamixer # gcsconnect volume control
@ -59,17 +75,15 @@ in

    # enable gsconnect
    # this method also opens the firewall ports required when enable = true
-    programs.kdeconnect = mkIf
-      cfg.gsconnect
-      {
+    programs.kdeconnect = lib.mkIf cfg.gsconnect {
      enable = true;
      package = pkgs.gnomeExtensions.gsconnect;
    };

    # GNOME connection to browsers - requires flag on browser as well
-    services.gnome.gnome-browser-connector.enable = lib.any
-      (user: user.programs.firefox.enable)
-      (lib.attrValues config.home-manager.users);
+    services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) (
+      lib.attrValues config.home-manager.users
+    );

    # And dconf
    programs.dconf.enable = true;
@ -96,6 +110,4 @@ in
        atomix # puzzle game
      ]);
  };
-
-
 }
--- a/.archive/modules/nixos/de/kde.nix
+++ b/.archive/modules/nixos/de/kde.nix
@ -0,0 +1,65 @@
+{ lib, config, pkgs, ... }:
+let
+  cfg = config.mySystem.de.kde;
+  flameshotOverride = pkgs.unstable.flameshot.override { enableWlrSupport = true; };
+in
+{
+  options = {
+    mySystem.de.kde = {
+      enable = lib.mkEnableOption "KDE" // { default = false; };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Ref: https://wiki.nixos.org/wiki/KDE
+
+
+    # KDE
+    services = {
+      displayManager = {
+        sddm = {
+          enable = true;
+          wayland = {
+            enable = true;
+          };
+        };
+      };
+      desktopManager.plasma6.enable = true;
+    };
+
+    security = {
+      # realtime process priority
+      rtkit.enable = true;
+      # KDE Wallet PAM integration for unlocking the default wallet on login
+      pam.services."sddm".kwallet.enable = true;
+    };
+
+    # enable pipewire for sound
+    services.pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+    };
+
+
+    # extra pkgs and extensions
+    environment = {
+      systemPackages = with pkgs; [
+        wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
+        playerctl # gsconnect play/pause command
+        vorta # Borg backup tool
+        flameshotOverride # screenshot tool
+        libsForQt5.qt5.qtbase # for vivaldi compatibility
+        kdePackages.discover # KDE software center -- mainly for flatpak updates
+      ];
+    };
+
+    # enable kdeconnect
+    # this method also opens the firewall ports required when enable = true
+    programs.kdeconnect = {
+      enable = true;
+    };
+  };
+}
--- a/.archive/modules/nixos/services/cockpit/default.nix
+++ b/.archive/modules/nixos/services/cockpit/default.nix
--- a/.archive/modules/nixos/services/glances/default.nix
+++ b/.archive/modules/nixos/services/glances/default.nix
@ -0,0 +1,52 @@
+{ pkgs, config, lib, ... }:
+let
+  cfg = config.mySystem.services.glances;
+in
+with lib;
+{
+  options.mySystem.services.glances =
+    {
+      enable = mkEnableOption "Glances system monitor";
+    };
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = with pkgs;
+      [ glances python310Packages.psutil hddtemp ];
+
+    # port 61208
+    systemd.services.glances = {
+      script = ''
+        ${pkgs.glances}/bin/glances --enable-plugin smart --webserver --bind 0.0.0.0
+      '';
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    networking = {
+      firewall.allowedTCPPorts = [ 61208 ];
+    };
+
+    environment.etc."glances/glances.conf" = {
+      text = ''
+        [global]
+        check_update=False
+
+        [network]
+        hide=lo,docker.*
+
+        [diskio]
+        hide=loop.*
+
+        [containers]
+        disable=False
+        podman_sock=unix:///var/run/podman/podman.sock
+
+        [connections]
+        disable=True
+
+        [irq]
+        disable=True
+      '';
+    };
+  };
+}
--- a/.archive/modules/nixos/services/postgresql/default.nix
+++ b/.archive/modules/nixos/services/postgresql/default.nix
--- a/.archive/modules/nixos/services/radicale/default.nix
+++ b/.archive/modules/nixos/services/radicale/default.nix
@ -52,8 +52,19 @@ in
      directories = [ "/var/lib/radicale/" ];
    };

+
+    services =
+      {
        ## service
-    services.radicale = {
+        nginx.virtualHosts.${host} = {
+          useACMEHost = config.networking.domain;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${builtins.toString port}";
+          };
+        };
+        ### Ingress
+        radicale = {
          enable = true;
          settings = {
            server.hosts = [ "0.0.0.0:${builtins.toString port}" ];
@ -66,14 +77,6 @@ in
            storage.filesystem_folder = "/var/lib/radicale/collections";
          };
        };
-
-    ### Ingress
-    services.nginx.virtualHosts.${host} = {
-      useACMEHost = config.networking.domain;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
-      };
      };

    ### firewall config
--- a/.archive/modules/nixos/services/radicale/secrets.sops.yaml
+++ b/.archive/modules/nixos/services/radicale/secrets.sops.yaml
@ -0,0 +1,86 @@
+services:
+    radicale:
+        htpasswd: ENC[AES256_GCM,data:O/bI1CUdpal/aJSiLaWtDQ==,iv:iJ4WrQ2vbjRlICcY21R6NGmtOZwO68zANQv52uwm74k=,tag:c2sMcVCUWOjSALNITdx1dg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUxOSWd5TnFlazlXcjUv
+            RVBjM01WRjZ4R2d3WGhQWHNheEZWRkdWcWx3CitOekFGZ1RXL1M3QndrWHUzUFNH
+            QkY2dnYyZlhFMGVvTzBQb05oTjFFZ1UKLS0tIDFYN0pQTHBEMUZTU3QvOEJQS0Rh
+            Z2p1ZFVvVVBBZXVwTkhVZ05nNVBOQUkK7qFuomZfRvwFXTUc6LWWT10Ws8xIDcCj
+            AD/HSc9K+lEXHoTNmpHZyUYGnxJljnDNB3d3FS4pKbHujvhvMXwfPQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdnRKZUk5Um5HYUwzbmhL
+            K1A0ZW1YN0d3WllNb28zeDhzS1ppWXhleDBVCmMrRk41WlM1RXN5TkVnVVRYQ3Ev
+            c2RTeVJ1ays1bzg1ZGozMWI5ZWZ1ZHcKLS0tIFRKRlhFT1VwY2lwbUhRd3A4SEds
+            Y3BFY2lpQkExL2V4SjJvU3pTSW5WYzAKO8GMLDaoDrxdZzM8unYvq3/OteDGIwra
+            dRd8c6b5LSoC63Y59WftmmasXFRNrZHZX24vwgwReKapnWmqtQTgrQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVFJQM3BnU2hlTVJvT0RQ
+            WHRVWkJEd3JacnlVSStQYVU3c2QwOThPOVhvCjZOeEFDdXFzeWNoS3JTbktFMDJV
+            ZDJKV2RlMDRiTW0vRHRBUUhCUGlPUlEKLS0tIGxWT0VmaUNGMXk0a1NYTDI0WDQw
+            b2hjeEFPVGdhek8yVEcwN1BzVnFQbFEKNgwnchYNz/afrg6FeFlCikMIaCfsEMYK
+            PHmfIiM64XReGZGsKL+gxIw33yszbyeOu0vr26tqV3HU/QUE7f19gw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTEpra1haektoVFNpMkV6
+            eGVkQnRpblV5amdMaGZJVVJiMUV1VEYwYkVvCmJZZ1ZvWTRUOVpYRnZkSEcvbzk2
+            MDZ0MVl5NmNBQnJ5ZkhqejI5Nm5URDgKLS0tIDZPRURpVHp4Q1NsRG9ZeGVqRU9X
+            WnJ2ejZrZ0hOdDhxZUNnaDhOWVpzVFEKoYnqypCuLKT8OUbtRk6yN9UfWBqbznzE
+            DgCHiOj590zXsfRpaei/UYx0qdEmtymh7FivkxSRNYylfcngjYiadA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QkpxRHJYTEo5cE9ielZl
+            a1NYUllWYmp2NzZZejJtby9MRkF4ejNPWmtNCmNDMWk3cGg3eVlYUXBCTjg0TmdG
+            akRwVFZxMUZMNXAvYzRSYkZlamthVlUKLS0tIHEzYmg3eTFveWppbzk3c3FHM0pn
+            bTZ4K2xhN2xRU2VDK040cGpDbjVmVUUKuAsZczZzTWKKxISxWOaxjzxM6wLnsbpT
+            dxCkcqbjL8tWs1hACsWhJ4cNGNP7gkF+9RELZvvAHgSMrlpMv7Y80w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZVhZeVdXVXRSWi9tMjRv
+            dlJFRE5NNDZZdStsOUdmMFZBdC9wL2o1S0hRCkpPNE5ic2t2UHdvanJ5bTdheDk2
+            SUhsOTlXZnkrTkRvUXRaZE9SbW9EMGsKLS0tIHRZK3ZBQ1UrMlFGWEdIblk1YURV
+            VUJaWXhJMy9NUC81SjhGR0t0QnZPSDAKnQe+zUSRWvfjwr/c5wIkw/alXelnIK+u
+            BmvB/bps060r8GWIGYsN5mVzBpLAYwqqB4ylpjoLTfhAx3J3A+fRCw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaa2hQWlNhdmpZNHkyQmJI
+            WGwwZitJaUx5U0xzdURjdlFpN01jMWFvRUZZCndMcHpNclhoR1NXZzVNOWtlY0JD
+            c1RSNGVzY1RUa0JLYng2a0w0bFozNXcKLS0tIC9Sb0k4MmpaWUVqMkxUbHlEdlgx
+            M0hoN29oY1FVNVFGZFVyZVJTM2owYjAKsnVoccpgW7RPuJL66Q9iCOG5GZ41K65e
+            7J8lGbHkalzX63VGIOgtvSViIXIeQxw9+Tmf70GQUqcM6czwX8fu5Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZWxZWk53cHd1bzhjVmZF
+            TUk4RmhENGMvNzZnREdKYU9TTDZzS0Jha1I0CnY3NXZzVlJhTGpVNi8yWlZ5SXN1
+            Z3I4b3BOcGtpek4vK3JzV1JUVWVMZUkKLS0tIHJMOEZraFB2WXdBVUFDUisrMzBM
+            TUUzcW1GR1JOcG4yMm9EY3R6WFdTeEUKzJerRRS/5eCDOhOxHEB78qiVOx++z4M/
+            XOEN6X0iDUBDfFJIqtMngMjU9E9DlRIYetMOYLxTpxmdKiv3Njyh/A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:f2p4VkJ7RLGPBbkkesqFKNIVow+/7MobH+AqnELAguGxlMAt1XZaU1cLfyMy1RQIrT0UmUV2xjRf/PGXBVNOTK+A2M0zoI90N8daTvk2xrEX5JVNWycgKVnQfztIgUAf5LA+tcvyWQ/Z/sIN1aGNfbl1tCSq+U+3xjIxZ74qmuw=,iv:wcyjoKWNFLb/jGclNWbHP7wwnkz29iINSfKblqhP+bI=,tag:3RrZXX9pAWQG05ZPI5A35Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/.archive/modules/nixos/services/vault/default.nix
+++ b/.archive/modules/nixos/services/vault/default.nix
@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.mySystem.services.vault;
+in
+{
+  options.mySystem.services.vault = {
+    enable = lib.mkEnableOption "vault";
+    address = lib.mkOption {
+      type = lib.types.str;
+      default = "127.0.0.1:8200";
+      description = "Address of the Vault server";
+      example = "127.0.0.1:8200";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.vault = {
+      enable = true;
+      package = pkgs.unstable.vault;
+      address = cfg.address;
+      dev = false;
+      storageBackend = "raft";
+      extraConfig = ''
+        api_addr = "http://127.0.0.1:8200"
+        cluster_addr = "http://127.0.0.1:8201"
+        ui = true
+      '';
+    };
+  };
+}
--- a/.archive/modules/nixos/services/vault/resources/vault-config.hcl
+++ b/.archive/modules/nixos/services/vault/resources/vault-config.hcl
@ -0,0 +1,14 @@
+listener "tcp" {
+    address = "0.0.0.0:8200"
+    tls_disable = true
+}
+
+storage "raft" {
+    path = "/var/lib/vault/data"
+    node_id = "node1"
+}
+
+disable_mlock = true
+api_addr = "http://localhost:8200"
+cluster_addr = "http://localhost:8201"
+ui = true
--- a/.archive/profiles/disko-telchar.nix
+++ b/.archive/profiles/disko-telchar.nix
@ -0,0 +1,56 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-diskseq/1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              start = "1M";
+              end = "128M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Override existing partition
+                # Subvolumes must set a mountpoint in order to be mounted,
+                # unless their parent is mounted
+                subvolumes = {
+                  # Subvolume name is different from mountpoint
+                  "/rootfs" = {
+                    mountpoint = "/";
+                  };
+                  # Subvolume name is the same as the mountpoint
+                  "/home" = {
+                    mountOptions = [ "compress=zstd" ];
+                    mountpoint = "/home";
+                  };
+                  # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
+                  "/home/user" = { };
+                  # Parent is not mounted so the mountpoint must be set
+                  "/nix" = {
+                    mountOptions = [ "compress=zstd" "noatime" ];
+                    mountpoint = "/nix";
+                  };
+                };
+
+                mountpoint = "/partition-root";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/.archive/profiles/hw-framework-16-7840hs.nix
+++ b/.archive/profiles/hw-framework-16-7840hs.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
  mySystem = {
    security.wheelNeedsSudoPassword = false;
--- a/.archive/profiles/hw-legion-15arh05h.nix
+++ b/.archive/profiles/hw-legion-15arh05h.nix
--- a/.archive/profiles/hw-thinkpad-t470.nix
+++ b/.archive/profiles/hw-thinkpad-t470.nix
--- a/.archive/profiles/role-gaming.nix
+++ b/.archive/profiles/role-gaming.nix
--- a/.archive/profiles/role-workstation.nix
+++ b/.archive/profiles/role-workstation.nix
@ -2,11 +2,15 @@
 # Role for workstations
 # Covers desktops/laptops, expected to have a GUI and do workloads
 # Will have home-manager installs
-
+let
+  vivaldiOverride = pkgs.vivaldi.override {
+    proprietaryCodecs = true;
+    enableWidevine = true;
+  };
+in
 with config;
 {
  mySystem = {
-    de.gnome.enable = true;
    shell.fish.enable = true;
    editor.vscode.enable = true;

@ -48,8 +52,9 @@ with config;
    lm_sensors
    cpufrequtils
    cpupower-gui
-    vivaldi
+    vivaldiOverride
    gparted
+    termius
  ];

  i18n = {
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,8 @@
+root = true
+[*]
+end_of_line = lf
+insert_final_newline = true
+
+[*.{yaml,yml,json5}]
+indent_style = space
+indent_size = 2
--- a/.envrc
+++ b/.envrc
@ -1,2 +1,3 @@
 use nix
 export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
+export VAULT_ADDR="http://10.1.1.61:8200"
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@ -0,0 +1,53 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: "Build"
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - ".forgejo/workflows/build.yaml"
+      - "flake.lock"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  nix-build:
+    if: github.event.pull_request.draft == false
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - system: gandalf
+            os: native-x86_64
+          - system: telperion
+            os: native-x86_64
+          - system: shadowfax
+            os: native-x86_64
+          # - system: varda
+          #   os: native-x86_64
+    runs-on: ${{ matrix.os }}
+    env:
+      PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
+    steps:
+      - name: Checkout repository
+        uses: https://github.com/actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Cachix
+        uses: https://github.com/cachix/cachix-action@v15
+        if: ${{ !github.event.pull_request.head.repo.fork }}
+        with:
+          name: hsndev
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
+      - name: Garbage collect build dependencies
+        run: nix-collect-garbage
+
+      - name: Build new ${{ matrix.system }} system
+        shell: bash
+        run: |
+          nix build ".#top.${{ matrix.system }}" --profile ./profile --fallback -v \
+            > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@ -1,50 +0,0 @@
-name: "Build"
-on:
-  pull_request:
-jobs:
-  nix-build:
-    if: github.event.pull_request.draft == false
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - system: varda
-            os: native-aarch64
-          - system: telchar
-            os: native-x86_64
-    runs-on: ${{ matrix.os }}
-    env:
-      PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
-    steps:
-      - name: Checkout repository
-        uses: https://github.com/actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: https://github.com/cachix/cachix-action@v15
-        if: ${{ !github.event.pull_request.head.repo.fork }}
-        with:
-          name: hsndev
-          # If you chose API tokens for write access OR if you have a private cache
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-        # env:
-          # USER: 'root'
-
-      - name: Garbage collect build dependencies
-        run: nix-collect-garbage
-
-      - name: Build new ${{ matrix.system }} system
-        shell: bash
-        run: |
-          set -o pipefail
-          nix build \
-            ".#top.${{ matrix.system }}" \
-            --profile ./profile \
-            --fallback \
-            -v \
-            --log-format raw \
-             > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
-      - name: Push to Cachix
-        if: success()
-        env:
-          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-        run: nix build ".#top.${{ matrix.system }}" --json | jq -r .[].drvPath | cachix push hsndev
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,12 @@
 **/*.tmp.sops.yaml
 **/*.sops.tmp.yaml
+**/*sync-conflict*
 age.key
 result*
 .direnv
 .kube
+.github
+.profile
+.idea
+.secrets
+.op
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -27,7 +27,7 @@ repos:
      - id: remove-tabs
        exclude: (Makefile)
  - repo: https://github.com/zricethezav/gitleaks
-    rev: v8.18.2
+    rev: v8.18.4
    hooks:
      - id: gitleaks
  - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
@ -36,3 +36,4 @@ repos:
      - id: sops-encryption
        # Uncomment to exclude all markdown files from encryption
        # exclude: *.\.md
+        files: .*secrets.*
--- a/.prettierrc
+++ b/.prettierrc
@ -0,0 +1,4 @@
+{
+  "quoteProps": "preserve",
+  "trailingComma": "none"
+}
--- a/.sops.yaml
+++ b/.sops.yaml
@ -15,9 +15,10 @@ keys:
    - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
    - &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
    - &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
+    - &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
+    - &telchar age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
    - &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
    - &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
-    - &telchar age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m


 creation_rules:
@ -28,6 +29,7 @@ creation_rules:
        - *gandalf
        - *jahanson
        - *legiondary
+        - *shadowfax
        - *telchar
        - *telperion
        - *varda
--- a/.vscode/module.code-snippets
+++ b/.vscode/module.code-snippets
@ -1,32 +0,0 @@
-{
-  "nix-module": {
-    "prefix": "nm",
-    "body": [
-      "{ lib",
-      ", config",
-      ", pkgs",
-      ", ...",
-      "}:",
-      "with lib;",
-      "let",
-      "  cfg = config.mySystem.${1}.${2};",
-      "  app = \"${3}\"",
-      "  appFolder = \"apps/${app}\";",
-      "  persistentFolder = \"${config.mySystem.persistentFolder}/${appFolder}\";",
-      "  user = app;",
-      "  group = app;",
-      "in",
-      "{",
-      "  options.mySystem.${1}.${2}.enable = mkEnableOption \"${4}\";",
-      "",
-      "  config = mkIf cfg.enable {",
-      "",
-      "  $5",
-      "",
-      "  };",
-      "}",
-      ""
-    ],
-    "description": "nix-module"
-  }
-}
--- a/.vscode/nixmodule.code-snippets
+++ b/.vscode/nixmodule.code-snippets
@ -0,0 +1,46 @@
+{
+  // If scope is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
+  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
+  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
+  // Placeholders with the same ids are connected.
+  "Nix Module with Enable Option": {
+    "scope": "nix",
+    "prefix": "nixmodule",
+    "body": [
+      "{ config, lib, pkgs, ... }:",
+      "let",
+      "  cfg = config.mySystem.${1:moduleName};",
+      "in",
+      "{",
+      "  options.mySystem.${1:moduleName} = {",
+      "    enable = lib.mkEnableOption \"${2:Description of the module}\";",
+      "  };",
+      "",
+      "  config = lib.mkIf cfg.enable {",
+      "    $0",
+      "  };",
+      "}"
+    ],
+    "description": "Creates a blank Nix module with an enable option"
+  },
+  "Nix Home Manager Module with Enable Option": {
+    "scope": "nix",
+    "prefix": "nixmodule-homemanager",
+    "body": [
+      "{ config, lib, pkgs, ... }:",
+      "let",
+      "  cfg = config.myHome.programs.${1:moduleName};",
+      "in",
+      "{",
+      "  options.myHome.programs.${1:moduleName} = {",
+      "    enable = lib.mkEnableOption \"${2:Description of the module}\";",
+      "  };",
+      "",
+      "  config = lib.mkIf cfg.enable {",
+      "    $0",
+      "  };",
+      "}"
+    ],
+    "description": "Creates a blank Nix module with an enable option"
+  }
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,40 @@
+{
+  "editor.fontFamily": "FiraCode Nerd Font",
+  "files.associations": {
+    "*.json5": "jsonc",
+  },
+  "editor.hover.delay": 1500,
+  "editor.bracketPairColorization.enabled": true,
+  "editor.guides.bracketPairs": true,
+  "editor.guides.bracketPairsHorizontal": true,
+  "editor.guides.highlightActiveBracketPair": true,
+  "files.trimTrailingWhitespace": true,
+  "sops.defaults.ageKeyFile": "/home/jahanson/projects/mochi/age.key",
+  "nix.enableLanguageServer": true,
+  "nix.serverPath": "/home/jahanson/.nix-profile/bin/nil",
+  "nix.formatterPath": "/home/jahanson/.nix-profile/bin/nixfmt",
+  "nix.serverSettings": {
+    "nil": {
+      "formatting": {
+        "command": ["nixfmt"]
+      },
+      "diagnostics": {
+        "ignored": [],
+        "excludedFiles": []
+      },
+    },
+    "nix": {
+      "binary": "/nix/var/nix/profiles/default/bin/nix",
+      "maxMemoryMB": null, // disable memory limit
+      "flake": {
+        "autoEvalInputs": true,
+        "autoArchive": true,
+        "nixpkgsInputName": "nixpkgs"
+      }
+    }
+  },
+  "[jsonc]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
+  "sops.binPath": "/home/jahanson/.nix-profile/bin/sops"
+}
--- a/flake.lock
+++ b/flake.lock
@ -24,11 +24,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1721871128,
-        "narHash": "sha256-NyWVCnSeePnJHGJxZ0l3zdGQGrVjUcx2IJbV8KIsPf0=",
+        "lastModified": 1732221404,
+        "narHash": "sha256-fWTyjgGt+BHmkeJ5IxOR4zGF4/uc+ceWmhBjOBSVkgQ=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "55e874b9c14764cb791e5740f0e92202e41393fc",
+        "rev": "97c0c4d7072f19b598ed332e9f7f8ad562c6885b",
        "type": "github"
      },
      "original": {
@ -62,6 +62,22 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -82,11 +98,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1719994518,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
@ -131,6 +147,60 @@
        "type": "github"
      }
    },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_4"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "flakey-profile": {
      "locked": {
        "lastModified": 1712898590,
@ -153,27 +223,27 @@
        ]
      },
      "locked": {
-        "lastModified": 1720042825,
-        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
+        "lastModified": 1731880681,
+        "narHash": "sha256-FmYTkIyPBUxSWgA7DPIVTsCCMvSSbs56yOtHpLNSnKg=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
+        "rev": "aecd341dfead1c3ef7a3c15468ecd71e8343b7c6",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-24.05",
+        "ref": "release-24.11",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1719091691,
-        "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
+        "lastModified": 1731242966,
+        "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
+        "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
        "type": "github"
      },
      "original": {
@ -182,23 +252,45 @@
        "type": "github"
      }
    },
+    "krewfile": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1727979884,
+        "narHash": "sha256-nLS37EhKi/ru+0HimB0EIXYpJCxaE/7bVHUHNvHDEoE=",
+        "owner": "ajgon",
+        "repo": "krewfile",
+        "rev": "1821efaad07ad3925d68210f57e0b73bce57d317",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ajgon",
+        "ref": "feat/indexes",
+        "repo": "krewfile",
+        "type": "github"
+      }
+    },
    "lix": {
      "flake": false,
      "locked": {
-        "lastModified": 1720626042,
-        "narHash": "sha256-f8k+BezKdJfmE+k7zgBJiohtS3VkkriycdXYsKOm3sc=",
-        "rev": "2a4376be20d70feaa2b0e640c5041fb66ddc67ed",
+        "lastModified": 1723503926,
+        "narHash": "sha256-Rosl9iA9MybF5Bud4BTAQ9adbY81aGmPfV8dDBGl34s=",
+        "rev": "bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2",
        "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/2a4376be20d70feaa2b0e640c5041fb66ddc67ed.tar.gz"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2.tar.gz?rev=bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2"
      },
      "original": {
        "type": "tarball",
-        "url": "https://git.lix.systems/lix-project/lix/archive/2.90.0.tar.gz"
+        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz"
      }
    },
    "lix-module": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "flakey-profile": "flakey-profile",
        "lix": "lix",
        "nixpkgs": [
@ -206,15 +298,15 @@
        ]
      },
      "locked": {
-        "lastModified": 1720641669,
-        "narHash": "sha256-yEO2cGNgzm9x/XxiDQI+WckSWnZX63R8aJLBRSXtYNE=",
-        "rev": "5c48c833c15bb80d127a398a8c2484d42fdd8257",
+        "lastModified": 1723510904,
+        "narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
+        "rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
        "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/5c48c833c15bb80d127a398a8c2484d42fdd8257.tar.gz"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0.tar.gz"
+        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"
      }
    },
    "mk-naked-shell": {
@ -267,11 +359,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1721531260,
-        "narHash": "sha256-O72uxk4gYFQDwNkoBioyrR3GK9EReZmexCStBaORMW8=",
+        "lastModified": 1731814505,
+        "narHash": "sha256-l9ryrx1Twh08a+gxrMGM9O/aZKEimZfa6sZVyPCImgI=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "b6db9fd8dc59bb2ccb403f76d16ba8bbc1d5263d",
+        "rev": "bdba246946fb079b87b4cada4df9b1cdf1c06132",
        "type": "github"
      },
      "original": {
@ -302,20 +394,42 @@
        "type": "github"
      }
    },
-    "nix-vscode-extensions": {
+    "nix-minecraft": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1732153840,
+        "narHash": "sha256-lt8Gdx6TNheby/9lRNE1GMP3vkdpLaXmyHQk+ZvYNAY=",
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "rev": "8325d463c1c424f2e6edeef2010c0d902a37b3d3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "type": "github"
+      }
+    },
+    "nix-vscode-extensions": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "flake-utils": "flake-utils_4",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1721870946,
-        "narHash": "sha256-w/yVwaDIHGpbWy07n5dFghNEAbbUGMC1+2nxKy2bAXA=",
+        "lastModified": 1732153985,
+        "narHash": "sha256-libOsvOEQjHhlNEVPuG+i4OY5NyO301RZCxYovsVtrc=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "500be2a1404429cfccdb4bf71e515cc38f206a25",
+        "rev": "c53c9d319e51deb97fb9a82001952c4efa74cba7",
        "type": "github"
      },
      "original": {
@ -326,11 +440,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1721911538,
-        "narHash": "sha256-5OrkPJsiZmNe99C6+KX0qx9sphoVLvldFjuqDYAZ8GQ=",
+        "lastModified": 1731797098,
+        "narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "d3c993c851ad40bbab7e08d566138ff72cd8744f",
+        "rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6",
        "type": "github"
      },
      "original": {
@ -342,30 +456,30 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1721821769,
-        "narHash": "sha256-PhmkdTJs2SfqKzSyDB74rDKp1MH4mGk0pG/+WqrnGEw=",
+        "lastModified": 1731755305,
+        "narHash": "sha256-v5P3dk5JdiT+4x69ZaB18B8+Rcu3TIOrcdG4uEX7WZ8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d0907b75146a0ccc1ec0d6c3db287ec287588ef6",
+        "rev": "057f63b6dc1a2c67301286152eb5af20747a9cb4",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1719876945,
-        "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=",
+        "lastModified": 1730504152,
+        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      }
    },
    "nixpkgs-ovmf": {
@ -384,29 +498,13 @@
        "type": "github"
      }
    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1721524707,
-        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1721743106,
-        "narHash": "sha256-adRZhFpBTnHiK3XIELA3IBaApz70HwCYfv7xNrHjebA=",
+        "lastModified": 1732014248,
+        "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "dc14ed91132ee3a26255d01d8fd0c1f5bff27b2f",
+        "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
        "type": "github"
      },
      "original": {
@ -416,6 +514,20 @@
        "type": "github"
      }
    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1682134069,
+        "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
    "nixvirt-git": {
      "inputs": {
        "nixpkgs": [
@ -440,11 +552,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1721947103,
-        "narHash": "sha256-+yzj4QQMGhuk/KhdYT51t2QB9/rwIbVMsxhHctJ+f9Y=",
+        "lastModified": 1732220928,
+        "narHash": "sha256-OOFqnjTax0132/mBsRpVD1QTMlZUCbVexKgKUVUxJNg=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "c0cdc702bf33188ebd6518af5fc94d1bdab702e3",
+        "rev": "8439fca0da7f67b331edcca08eb2a47249be72f4",
        "type": "github"
      },
      "original": {
@ -542,9 +654,11 @@
        "disko": "disko",
        "home-manager": "home-manager",
        "impermanence": "impermanence",
+        "krewfile": "krewfile",
        "lix-module": "lix-module",
        "nix-index-database": "nix-index-database",
        "nix-inspect": "nix-inspect",
+        "nix-minecraft": "nix-minecraft",
        "nix-vscode-extensions": "nix-vscode-extensions",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
@ -552,7 +666,8 @@
        "nixvirt-git": "nixvirt-git",
        "nur": "nur",
        "sops-nix": "sops-nix",
-        "talhelper": "talhelper"
+        "talhelper": "talhelper",
+        "vscode-server": "vscode-server"
      }
    },
    "rust-overlay": {
@ -599,15 +714,14 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
      },
      "locked": {
-        "lastModified": 1721688883,
-        "narHash": "sha256-9jsjsRKtJRqNSTXKj9zuDFRf2PGix30nMx9VKyPgD2U=",
+        "lastModified": 1732186149,
+        "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "aff2f88277dabe695de4773682842c34a0b7fd54",
+        "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
        "type": "github"
      },
      "original": {
@ -646,6 +760,51 @@
        "type": "github"
      }
    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "talhelper": {
      "inputs": {
        "flake-parts": "flake-parts",
@ -654,11 +813,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1721869567,
-        "narHash": "sha256-lx8iJn7MG5fM76d4w9lK+TgDfbCUTGUZS0cZVcpKJlk=",
+        "lastModified": 1732161983,
+        "narHash": "sha256-HnM+3Dv/p4awf0zXffPpcg/v4RywuKiN4yA2t7W1CxE=",
        "owner": "budimanjojo",
        "repo": "talhelper",
-        "rev": "060aecaf60883092b4045f9a4bfae8269449a5a6",
+        "rev": "94487e8cc82617dc9be8b50de94edd33ce1e56ad",
        "type": "github"
      },
      "original": {
@ -688,6 +847,25 @@
        "repo": "treefmt-nix",
        "type": "github"
      }
+    },
+    "vscode-server": {
+      "inputs": {
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1729422940,
+        "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -6,6 +6,13 @@
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";

+    # Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community.
+    # https://git.lix.systems/lix-project/lix
+    lix-module = {
+      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    # impermanence
    # https://github.com/nix-community/impermanence
    impermanence.url = "github:nix-community/impermanence";
@ -59,18 +66,12 @@
    };

    # talhelper - A tool to help creating Talos kubernetes cluster
+    # https://github.com/budimanjojo/talhelper
    talhelper = {
      url = "github:budimanjojo/talhelper";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

-    # Lix- Substitution of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community.
-    # https://git.lix.systems/lix-project/lix
-    lix-module = {
-      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0.tar.gz";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
    # NixVirt for qemu & libvirt
    # https://github.com/AshleyYakeley/NixVirt
    nixvirt-git = {
@ -78,10 +79,25 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    vscode-server.url = "github:nix-community/nixos-vscode-server";
+
+    # krewfile - Declarative krew plugin management
+    krewfile = {
+      # url = "github:brumhard/krewfile";
+      url = "github:ajgon/krewfile?ref=feat/indexes";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # nix-minecraft - Minecraft server management
+    # https://github.com/infinidoge/nix-minecraft
+    nix-minecraft = {
+      url = "github:Infinidoge/nix-minecraft";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
  };

  outputs =
-    { self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, ... } @ inputs:
+    { self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, vscode-server, krewfile, ... } @ inputs:
    let
      forAllSystems = nixpkgs.lib.genAttrs [
        "aarch64-linux"
@ -151,60 +167,6 @@
            };
        in
        {
-          "durincore" = mkNixosConfig {
-            # T470 Thinkpad Intel i7-6600U
-            # Nix dev laptop
-            hostname = "durincore";
-            system = "x86_64-linux";
-            hardwareModules = [
-              ./nixos/profiles/hw-thinkpad-t470.nix
-              inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
-            ];
-            profileModules = [
-              ./nixos/profiles/role-workstation.nix
-              ./nixos/profiles/role-dev.nix
-              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
-            ];
-          };
-
-          "legiondary" = mkNixosConfig {
-            # Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
-            # Nix dev/gaming laptop
-            hostname = "legiondary";
-            system = "x86_64-linux";
-            hardwareModules = [
-              inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
-              ./nixos/profiles/hw-legion-15arh05h.nix
-              disko.nixosModules.disko
-              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
-            ];
-            profileModules = [
-              ./nixos/profiles/role-dev.nix
-              ./nixos/profiles/role-gaming.nix
-              ./nixos/profiles/role-workstation.nix
-              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
-            ];
-          };
-
-          "telchar" = mkNixosConfig {
-            # Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
-            # Nix dev laptop
-            hostname = "telchar";
-            system = "x86_64-linux";
-            hardwareModules = [
-              inputs.nixos-hardware.nixosModules.framework-16-7040-amd
-              ./nixos/profiles/hw-framework-16-7840hs.nix
-              disko.nixosModules.disko
-              (import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
-              lix-module.nixosModules.default
-            ];
-            profileModules = [
-              ./nixos/profiles/role-dev.nix
-              ./nixos/profiles/role-workstation.nix
-              { home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
-            ];
-          };
-
          "varda" = mkNixosConfig {
            # Arm64 cax21 @ Hetzner
            # forgejo server
@ -246,6 +208,25 @@
              ./nixos/profiles/hw-supermicro.nix
            ];
            profileModules = [
+              vscode-server.nixosModules.default
+              ./nixos/profiles/role-dev.nix
+              ./nixos/profiles/role-server.nix
+              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
+            ];
+          };
+
+          "shadowfax" = mkNixosConfig {
+            # Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
+            # Workloads server
+            hostname = "shadowfax";
+            system = "x86_64-linux";
+            hardwareModules = [
+              lix-module.nixosModules.default
+              ./nixos/profiles/hw-threadripperpro.nix
+            ];
+            profileModules = [
+              vscode-server.nixosModules.default
+              ./nixos/profiles/role-dev.nix
              ./nixos/profiles/role-server.nix
              { home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
            ];
--- a/nixos/home/jahanson/global.nix
+++ b/nixos/home/jahanson/global.nix
@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, config, inputs, ... }:
 with config;
 {
  imports = [
@ -6,14 +6,22 @@ with config;
  ];

  config = {
-    myHome.username = "jahanson";
-    myHome.homeDirectory = "/home/jahanson/";
+    myHome = {
+      username = "jahanson";
+      homeDirectory = "/home/jahanson/";
+      shell = {
+        atuind.enable = true;
+        starship.enable = true;
+        fish.enable = true;
+      };
+    };

    systemd.user.sessionVariables = {
      EDITOR = "vim";
    };

    home = {
+
      # Install these packages for my user
      packages = with pkgs; [
        # misc
@ -33,7 +41,6 @@ with config;
        p7zip

        # cli
-        _1password
        bat
        dbus
        direnv
@ -42,7 +49,6 @@ with config;
        python3
        fzf
        ripgrep
-        vim
        lsd
        unstable.atuin

@ -63,9 +69,14 @@ with config;
        # system tools
        sysstat
        lm_sensors # for `sensors` command
-        ethtool
+        ethtool # modify network interface settings or firmware
        pciutils # lspci
        usbutils # lsusb
+        lshw # lshw
+
+        # filesystem tools
+        gptfdisk # sgdisk
+

        # system call monitoring
        strace # system call monitoring
@ -82,13 +93,12 @@ with config;

        # nix tools
        nvd
+
+        # backup tools
+        unstable.rclone
+        unstable.restic
+
      ];
-
-      sessionVariables = {
-        EDITOR = "vim";
    };
-
-    };
-
  };
 }
--- a/nixos/home/jahanson/workstation.nix
+++ b/nixos/home/jahanson/workstation.nix
@ -1,17 +1,36 @@
-{ pkgs, config, ... }:
-with config;
+{
+  pkgs,
+  inputs,
+  ...
+}:
+let
+  coderMainline = pkgs.coder.override { channel = "mainline"; };
+in
 {
  imports = [
    ./global.nix
+    inputs.krewfile.homeManagerModules.krewfile
  ];
+  config = {
+    # Krewfile management
+    programs.krewfile = {
+      enable = true;
+      krewPackage = pkgs.krew;
+      indexes = {
+        "netshoot" = "https://github.com/nilic/kubectl-netshoot.git";
+      };
+      plugins = [
+        "netshoot/netshoot"
+        "resource-capacity"
+        "rook-ceph"
+      ];
+    };

-  myHome.programs.firefox.enable = true;
-
-  myHome.shell = {
-    starship.enable = true;
-    fish.enable = true;
+    myHome = {
+      programs.firefox.enable = true;
+      programs.thunderbird.enable = true;
+      shell = {
        wezterm.enable = true;
-    atuind.enable = true;

        git = {
          enable = true;
@ -20,33 +39,42 @@ with config;
          signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
        };
      };
+    };

    home = {
      # Install these packages for my user
-    packages = with pkgs;
-      [
+      packages = with pkgs; [
        # apps
-        _1password-gui
-        discord
-        flameshot
-        vlc
-        warp-terminal
-        termius
        obsidian
-        jetbrains.datagrip
-        talosctl
-        pika-backup
        parsec-bin
-        unstable.nheko
+        solaar # open source manager for logitech unifying receivers
+        unstable.bruno
+        # unstable.fractal
+        unstable.httpie
+        unstable.jetbrains.datagrip
+        unstable.jetbrains.rust-rover
+        unstable.seabird
+        unstable.talosctl # overlay override
+        unstable.telegram-desktop
+        unstable.tidal-hifi
+        unstable.xpipe
+        # unstable.vesktop # gpu issues. Using the flatpak version solves this issue.
+        vlc
+        yt-dlp

        # cli
        brightnessctl

        # dev utils
-        pre-commit # Pre-commit tasks for git
+        kubectl
        minio-client # S3 management
+        pre-commit # Pre-commit tasks for git
        shellcheck # shell script linting
-        unstable.act
+        unstable.act # run GitHub actions locally
+        unstable.kubebuilder # k8s controller development
+        unstable.nodePackages_latest.prettier # code formatter
+        coderMainline # VSCode in the browser -- has overlay
      ];
    };
+  };
 }
--- a/nixos/home/modules/programs/default.nix
+++ b/nixos/home/modules/programs/default.nix
@ -1,6 +1,6 @@
 { ... }: {
  imports = [
    ./browsers
-    ./de
+    ./thunderbird
  ];
 }
--- a/nixos/home/modules/programs/thunderbird/default.nix
+++ b/nixos/home/modules/programs/thunderbird/default.nix
@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.myHome.programs.thunderbird;
+
+  policies = {
+    ExtensionSettings = {
+      "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+      "quickmove@mozilla.kewis.ch" = {
+        # Quick folder move
+        # https://addons.thunderbird.net/en-US/thunderbird/addon/quick-folder-move/
+        install_url = "https://addons.thunderbird.net/thunderbird/downloads/latest/quick-folder-move/latest.xpi";
+        installation_mode = "force_installed";
+      };
+      # https://addons.thunderbird.net/user-media/addons/_attachments/987716/minimize_on_close-2.0.1.4-tb.xpi
+      "minimizeonclose@rsjtdrjgfuzkfg.com" = {
+        # Minimize on Close
+        # https://addons.thunderbird.net/en-US/thunderbird/addon/minimize-on-close/
+        install_url = "https://addons.thunderbird.net/user-media/addons/_attachments/987716/minimize_on_close-2.0.1.4-tb.xpi";
+        installation_mode = "force_installed";
+      };
+    };
+  };
+in
+{
+  options.myHome.programs.thunderbird.enable = lib.mkEnableOption "Thunderbird";
+
+  config = lib.mkIf cfg.enable {
+    programs.thunderbird = {
+      enable = true;
+      package = pkgs.thunderbird-128.override (old: {
+        extraPolicies = (old.extrapPolicies or { }) // policies;
+      });
+
+      profiles.default.isDefault = true;
+    };
+  };
+}
--- a/nixos/home/modules/shell/atuind/default.nix
+++ b/nixos/home/modules/shell/atuind/default.nix
@ -1,6 +1,5 @@
 { config, pkgs, lib, ... }:
 with lib; let
-  inherit (config.myHome) username homeDirectory;
  cfg = config.myHome.shell.atuind;
 in
 {
--- a/nixos/home/modules/shell/fish/default.nix
+++ b/nixos/home/modules/shell/fish/default.nix
@ -21,12 +21,22 @@ in
          lt = "${pkgs.lsd}/bin/lsd --tree";
          lla = "${pkgs.lsd}/bin/lsd -la";
          tm = "tmux attach -t (basename $PWD) || tmux new -s (basename $PWD)";
+          lsusb = "cyme --headings --tree --hide-buses";
          x = "exit";
        };

        shellAbbrs = {
          nrs = "sudo nixos-rebuild switch --flake .";
          nvdiff = "nvd diff /run/current-system result";
+          # rook & ceph versions.
+          rcv =
+            ''
+              kubectl \
+                -n rook-ceph \
+                get deployments \
+                -l rook_cluster=rook-ceph \
+                -o jsonpath='{range .items[*]}{.metadata.name}{"  \treq/upd/avl: "}{.spec.replicas}{"/"}{.status.updatedReplicas}{"/"}{.status.readyReplicas}{"  \trook-version="}{.metadata.labels.rook-version}{"  \tceph-version="}{.metadata.labels.ceph-version}{"\n"}{end}'
+            '';
        };

        interactiveShellInit = ''
@ -47,10 +57,12 @@ in
            end
          end

+          # Krew
+          set -q KREW_ROOT; and set -gx PATH $PATH $KREW_ROOT/.krew/bin; or set -gx PATH $PATH $HOME/.krew/bin
+
          # Paths are in reverse priority order
          update_path /opt/homebrew/opt/postgresql@16/bin
          update_path /opt/homebrew/bin
-          update_path ${homeDirectory}/.krew/bin
          update_path /nix/var/nix/profiles/default/bin
          update_path /run/current-system/sw/bin
          update_path /etc/profiles/per-user/${username}/bin
@ -61,11 +73,28 @@ in
          update_path ${homeDirectory}/.local/bin

          set -gx EDITOR "vim"
+
+          if test (hostname) = "telchar"
+            set -gx VISUAL "code"
+          end
+
+          set -gx SSH_ASKPASS_REQUIRE "prefer" # This is for git to use the ssh-askpass
          set -gx ATUIN_SYNC_ADDRESS "https://sh.hsn.dev"

+          # One Password cli
+          if test -e ~/.config/op/plugins.sh
+            source ~/.config/op/plugins.sh
+          end
+
+
          set -gx LSCOLORS "Gxfxcxdxbxegedabagacad"
          set -gx LS_COLORS 'di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'
          atuin init fish | source
+
+          # Ghostty shell integration for Bash. This must be at the top of your fish!!!
+          if set -q GHOSTTY_RESOURCES_DIR
+              source "$GHOSTTY_RESOURCES_DIR/shell-integration/fish/vendor_conf.d/ghostty-shell-integration.fish"
+          end
        '';
      };

--- a/nixos/home/modules/shell/git/default.nix
+++ b/nixos/home/modules/shell/git/default.nix
@ -18,10 +18,10 @@ in

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
-      programs.gh.enable = true;
-      programs.gpg.enable = true;
-
-      programs.git = {
+      programs = {
+        gh.enable = true;
+        gpg.enable = true;
+        git = {
          enable = true;

          userName = cfg.username;
@ -58,11 +58,12 @@ in
            ".venv"
          ];
        };
+      };

      home.packages = [
        pkgs.git-filter-repo
        pkgs.tig
-        pkgs.lazygit
+        pkgs.unstable.lazygit
      ];
    })
  ];
--- a/nixos/hosts/gandalf/config/disks.nix
+++ b/nixos/hosts/gandalf/config/disks.nix
@ -0,0 +1,16 @@
+[
+  "/dev/disk/by-id/ata-Seagate_IronWolfPro_ZA240NX10001-2ZH100_7TF002RA"
+  "/dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0K308438J"
+  "/dev/disk/by-id/scsi-350000c0f02f0830c"
+  "/dev/disk/by-id/scsi-350000c0f01e7d190"
+  "/dev/disk/by-id/scsi-350000c0f01ea443c"
+  "/dev/disk/by-id/scsi-350000c0f01f8230c"
+  "/dev/disk/by-id/scsi-35000c500586e5057"
+  "/dev/disk/by-id/scsi-35000c500624a0ddb"
+  "/dev/disk/by-id/scsi-35000c500624a1a8b"
+  "/dev/disk/by-id/scsi-35000cca046135ad8"
+  "/dev/disk/by-id/scsi-35000cca04613722c"
+  "/dev/disk/by-id/scsi-35000cca0461810f8"
+  "/dev/disk/by-id/scsi-35000cca04618b930"
+  "/dev/disk/by-id/scsi-35000cca04618cec4"
+]
--- a/nixos/hosts/gandalf/config/incus-preseed.nix
+++ b/nixos/hosts/gandalf/config/incus-preseed.nix
@ -0,0 +1,49 @@
+{ ... }:
+{
+  config = {
+    "core.https_address" = "10.1.1.15:8445"; # Need quotes around key
+  };
+  networks = [
+    {
+      config = {
+        "ipv4.address" = "auto"; # Need quotes around key
+        "ipv6.address" = "auto"; # Need quotes around key
+      };
+      description = "";
+      name = "incusbr0";
+      type = "";
+      project = "default";
+    }
+  ];
+  storage_pools = [
+    {
+      config = {
+        source = "eru/incus";
+      };
+      description = "";
+      name = "default";
+      driver = "zfs";
+    }
+  ];
+  profiles = [
+    {
+      config = { };
+      description = "";
+      devices = {
+        eth0 = {
+          name = "eth0";
+          network = "incusbr0";
+          type = "nic";
+        };
+        root = {
+          path = "/";
+          pool = "default";
+          type = "disk";
+        };
+      };
+      name = "default";
+    }
+  ];
+  projects = [ ];
+  cluster = null;
+}
--- a/nixos/hosts/gandalf/default.nix
+++ b/nixos/hosts/gandalf/default.nix
@ -1,13 +1,21 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, inputs, ... }:
+{
+  config,
+  lib,
+  modulesPath,
+  inputs,
+  ...
+}:
 let
  sanoidConfig = import ./config/sanoid.nix { };
+  disks = import ./config/disks.nix;
+  smartdDevices = map (device: { inherit device; }) disks;
+
 in
 {
-  imports =
-    [
+  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    inputs.disko.nixosModules.disko
    (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
@ -15,19 +23,38 @@ in

  boot = {
    initrd = {
-      availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "isci" "usbhid" "usb_storage" "sd_mod" ];
+      availableKernelModules = [
+        "ehci_pci"
+        "ahci"
+        "mpt3sas"
+        "isci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
      kernelModules = [ "nfs" ];
      supportedFilesystems = [ "nfs" ];
    };

-    kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
+    kernelModules = [
+      "kvm-intel"
+      "vfio"
+      "vfio_iommu_type1"
+      "vfio_pci"
+      "vfio_virqfd"
+    ];
    extraModulePackages = [ ];
-    kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
+    kernelParams = [
+      "iommu=pt"
+      "intel_iommu=on"
+      "zfs.zfs_arc_max=107374182400"
+    ]; # 100GB
  };

+  swapDevices = [ ];
+
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
  ];

@ -38,68 +65,130 @@ in
    useDHCP = false; # needed for bridge
    networkmanager.enable = true;
    # TODO: Add ports specifically.
-    # firewall.enable = false;
+    firewall.enable = false;
+    nftables.enable = false;
    interfaces = {
      "enp130s0f0".useDHCP = true;
-      "enp130s0f1".useDHCP = true;
-    };
-
-    # For VMs
-    bridges = {
-      "br0" = {
-        interfaces = [ "enp130s0f1" ];
+      "eno1".useDHCP = true;
    };
  };
-  };
-
-  swapDevices = [ ];

  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

+  # VSCode Compatibility Settings
+  programs.nix-ld.enable = true;
+  services.vscode-server = {
+    enable = true;
+  };
+
+  # Home Manager
+  home-manager.users.jahanson = {
+    # Git settings
+    # TODO: Move to config module.
+    programs.git = {
+      enable = true;
+      userName = "Joseph Hanson";
+      userEmail = "joe@veri.dev";
+
+      extraConfig = {
+        core.autocrlf = "input";
+        init.defaultBranch = "main";
+        pull.rebase = true;
+        rebase.autoStash = true;
+      };
+    };
+  };
+
+  # sops
  sops = {
    secrets = {
-      "lego/dnsimple/token" = {
-        mode = "0444";
+      "borg/repository/passphrase" = {
        sopsFile = ./secrets.sops.yaml;
      };
+      "syncthing/publicCert" = {
+        sopsFile = ./secrets.sops.yaml;
+        owner = "jahanson";
+        mode = "400";
+        restartUnits = [ "syncthing.service" ];
      };
+      "syncthing/privateKey" = {
+        sopsFile = ./secrets.sops.yaml;
+        owner = "jahanson";
+        mode = "400";
+        restartUnits = [ "syncthing.service" ];
+      };
+    };
+  };
+
+  services = {
+    # Smart daemon for monitoring disk health.
+    smartd = {
+      devices = smartdDevices;
+      # Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
+      defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
+    };
+    # ZFS Exporter
+    prometheus.exporters.zfs.enable = true;
  };

  # System settings and services.
  mySystem = {
    purpose = "Production";
    system = {
-      motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
+      motd.networkInterfaces = [
+        "enp130s0f0"
+        "eno1"
+      ];
+      # Incus
+      incus = {
+        enable = true;
+        preseed = import ./config/incus-preseed.nix { };
+        webuiport = 8445;
+      };
      # ZFS
      zfs.enable = true;
      zfs.mountPoolsAtBoot = [ "eru" ];
      # NFS
      nfs.enable = true;
      # Samba
-      samba.enable = true;
-      samba.shares = import ./config/samba-shares.nix { };
-      samba.extraConfig = import ./config/samba-config.nix { };
+      samba = {
+        enable = true;
+        shares = import ./config/samba-shares.nix { };
+        extraConfig = import ./config/samba-config.nix { };
+      };
+      resticBackup = {
+        local.enable = false;
+        remote.enable = false;
+        local.noWarning = true;
+        remote.noWarning = true;
+      };
+    };
+    services = {
+      libvirt-qemu.enable = true;
+      podman.enable = true;
+
+      # Syncthing
+      syncthing = {
+        enable = true;
+        user = "jahanson";
+        publicCertPath = config.sops.secrets."syncthing/publicCert".path;
+        privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
      };

-    services = {
-      podman.enable = true;
-      libvirt-qemu.enable = true;
+      # Scrutiny
+      scrutiny = {
+        enable = true;
+        devices = disks;
+        extraCapabilities = [ "SYS_RAWIO" ];
+        containerVolumeLocation = "/eru/containers/volumes/scrutiny";
+        port = 8585;
+      };

      # Sanoid
      sanoid = {
        enable = true;
        inherit (sanoidConfig.outputs) templates datasets;
      };
-      
-      # Unifi & Lego-Auto
-      unifi.enable = true;
-      lego-auto = {
-        enable = true;
-        dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
-        domains = "gandalf.jahanson.tech";
-        email = "joe@veri.dev";
-        provider = "dnsimple";
-      };
    };
  };
 }
--- a/nixos/hosts/gandalf/secrets.sops.yaml
+++ b/nixos/hosts/gandalf/secrets.sops.yaml
@ -1,6 +1,12 @@
 lego:
    dnsimple:
-        token: ENC[AES256_GCM,data:CfRFhGE8AyZfO9RzoXXTfm8kstvx+Fuy53o9ulYNZiufzzSQ4KzwYIoCRw==,iv:HEC8hRpmk7YDI7RHj29ZAeFKyPgsWTHw1sxjdZuhcrw=,tag:7RhEhZ9GkyBE9PJRe+gD+Q==,type:str]
+        token: ENC[AES256_GCM,data:wyj88D4qPqnxovjRKS3jg2H6OwznNfhmVyMO9MV7e66mOjUw/vbqkstEqg==,iv:f+1PN+pKpu8bm8eAQ7sFb+ZpMe8fmImukUir41XdKtM=,tag:FRpEAWf0fA8LOoTrJiEwRQ==,type:str]
+borg:
+    repository:
+        passphrase: ENC[AES256_GCM,data:33OMM880zGxJPTtqsNmbCMCCABE=,iv:8tvOqpKzbyx9sOmHLA+8v05vhLXjhRRuHpGHxGVo++s=,tag:MvsLDcVyX6rPr5lwDOvBqw==,type:str]
+syncthing:
+    publicCert: ENC[AES256_GCM,data:jfQge0lfiZrdc+Kfv1hijHh0suGhQSfOou0cD7GcP+t0EigvRmi1JPyUm4l78x5d64oTfQoeO4Iq0Y+PL0tf/SGHU/7tMwo8456FrLSZwl5r+1iGoqRXu+VaEfEm02YXtwcRCZVOMKiwlZC4xMhUZ3CUZ9ohipluNarieivOEFzrNaFbbUeJITALsvYpBPsoIvxOePASrxYwUAjAtGPUVePuL9xfCdUZA2MMDr3alxpuNlz3wOk36qX+OS0Rc0nM9MfACRWxFsKTA8AxlCYouWjCke3kVeqcEh0rVWSEx2zqIOC9N4Ms1Q1zVqcS4hWi1LLe5BN0pK7LHdjEbuni/3Cns1GpBLJc7mwsUwlBQ7RFStAspP99YmIfAlMeztfm7GuacJC2Bddz6PJ/QEMRXli7KRm3Wimb7J2fqOyaECE35xtplvdN8HIhiQ2X6G9aFW+T3h8Hqopihl23HVZFfHe4//c3BGhHUYgzbj/0frLF7s7QySI/j8G242wKyNqpDmiC+9OCPGmpGmTg98h7X+pG4Tl1GH7xpV7jlPqg2kFm3aVGscNdCAMXyWsXoZZIPyiAxTgMauXTFIkgEjEeCB+d8Eml5xOjs4ADUeJLIc4mNOYh1ggPjbSJAAPw7LYqtmaCkazZ3XWRmpMHwcRTpVtQPmo3sLSETY3hgo9T8Z2pVqBbiiH6qVSDdZ5RANvBH2hU7mZrppN9pSVpWxt895iAs01PeTwJlFg3XleqsUcrhncrx9TVGlLn7MP58LbKeUqWpC2LFCKW42O39ajLT8dES3XQ0zjTZhYGLG6CFs6tj9sDIRAX/f0nM0PLF9ctsR3IRYX75kLSl/Wx1UeFxPoIF4/fIKZxkrsd0Pjalp1ToT2EvYL6cq+eyNeF+QIK9CazCO1FfvgLSVy5NKB9KmSj6t6qEByagE9FX2BvAJ9zA36s/inqo84hrmfZz+vf3zJbkEL2Y8xxRtE0Fd2rU0SubmLDxrlmawBUnYQ8skJEKJAA/g8ptYrbdqshtUyZac2m70ZtxO5VZHAGO8tE+jYQsS/UMD4/Iek=,iv:sq21pry1Yz4vZITF29oyFGnvhUwgyDsFwtHrzl059KE=,tag:rOmVsnWpLL87M0d6mfgovw==,type:str]
+    privateKey: ENC[AES256_GCM,data:QZYlRzV2FPbCDun72PPgxxx4qvqGbuj0iZhvHggm/0sh3JFjtZIBZ7V4TfYYjJJykhKP+4Tm8rghnijiAmDSjyuGm0xwr9ENreRe/j7VrMYhcBes3h9PWOWY2jx+kh7U6v3da7/G79ISv5neFtsjvvM7UpGmIb4mwygZ9qO1cRRuC/k3CPehT7uN2kYNCKlfYJcRp/IlmvD0L38BtHsnokK0zCqC3q2nOZWWazfv3Hxck0kbQSV7V3OBmqfd6h7sdN/GQBv4gmgqjUH9DsCHz+3LEEyxIOp340zPKAZFZGg1SpBQREFOyyaYUMgk8iXRqvqIPxHeyruFzkDRZf6URni3klfEbQi/6B7eP8Jzt/BPfsdLYO9QSXyuqSYAj+V5,iv:BvlKA+gltrGHOXggwLsvqI5FCz7X+RwcOOCvdMYf31w=,tag:/SICpca+QkqeEh/dXYUxBw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -10,68 +16,77 @@ sops:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZVhNdGh2c3dpYWU2TDNJ
-            M2Vyb29jQ2xHMXBKVk10dkhWVUFmVkpmV2tnCjF5ZnBBcGtkZjFYbU0zQXNNRCti
-            QzVKOGR2OUQvRXVvOXZlb1I0V00rcWsKLS0tIElHeHhkSmt5UkZhTjk1dkFSbUp0
-            M1BiUzZkU0pDbHVQNC9yQ3pzSU5INm8KcRB4uY0PHnDfc4bJZwqkK/S7FbEXuxEu
-            ot9oVR4sZBs7Uhi5Ixz7Kmk9dBJ+E9dWPxDeYhYo3V0Tq77h1vVOyg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dEJJVHhhTU1XMVp2UmNh
+            cnEwMTg0ck9oZzR0QndXa2t3UlpVK0M1bzBBCm8zZWpZanJYcHFQeXdKK1BDSk9u
+            WVcwSGtvS3h0UTZkNG1ZMkZKT3hORkUKLS0tIFh6S1UzWXE3a085bE5NMjl6Zzgx
+            MDZrbzBNdUNvcnppZS9wMmczVU5uQnMKpYJmsY/Ul7cpUc+ueSt3FkShvR1KqYHW
+            q6bhaoby5Wz3XxLZl0ONBqovabkDwNiP6Er0rGiv0tK6TIaQE/NaUw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNalVRWXVGN0hqZDdYUDVZ
-            TVRwVHJsTEJoTVIzenFuY0dnTWs1bnRHZnhzCnNPTnJ1Uk92aVRaMlA4VTRYbXNh
-            MW5ycEUzUVk0RW1Iby9kWjQ1cTVXWDgKLS0tIDdVaTcvNm9Ca2hTMzBlSGZVUnZN
-            a2U1ZjIwRWx1bWp6TktablBqMUduUmMKCFT9vPMu/fob5SQG1004925OB1KNhsUm
-            obph/984DUTQxk6IvnJ7fPrnFwL5yY1azdybjPlwGw6o5SmwKpxWBQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTnVFSW8rSUFVN0txbTJz
+            aXFUdXBnSW1GZkRBcFNFZlBWLzFEa2NhTlJJCldEYUlHcHM2a28za2I0N3JORTZm
+            S2Foa0MyQng4TlNpaE53VHpLVGlNZFEKLS0tIHRNSWovZHJlaDhGY0xKd3pRQm5y
+            aExPbjRPVi9kZ2s4bFlxdFhtK3l5bGcK+qEq++r5B48TwAOxyRFWm68MRa91rnZx
+            levAEpFZYIMxfzxk++i26omu6r1jvXsiwtm2YvdoGhmNUqLU2UDWZA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RjUvSFJqNGxieVZiVE9q
-            NjB4RHcraXk5TnJtN1RSNXZSMlEwbjgxaUZVCjRxUGUwTjBFSU9nTHpRbWpmVkRQ
-            cllyei9URXYyRGgrTGdjWXRSZmpRYnMKLS0tIHNQOXpkZnI5b200d0JiSVI2N1BU
-            MS9MRW5ocGRMWXdBL0E5N00zbGZzVFEKxeMB0/opzFTnlSBK1vEsLqQ0qIDhOuw5
-            S+g8eYTVXSIs/3TMUnOJxDezAG2l00vyWryPw2sGOnqgZCnF9VB/mw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZzlkQmFiM2puUHVNUFIr
+            L0E0VGpxck56d2NsemFrNEFWNmZ2MXlTV0Y0CkppUmxYRlVkVUZiWEJoVG55cXAv
+            N0dRY1d1c2srTk0xU3AxSDNqQTZkdFEKLS0tIFpnZ09jellUWk1YZnh0akNsTysx
+            ZnBCMVNqdGRvUm4xOVVRbTF0VzY1eEkKJhjFjnVk6Kr0LIUdyRPI3nPRXbPHHW/Q
+            0NVqBn7s+NbS6pzSCPu5+T/ibo2HofQZQ0hFFUeCN/EO5xNCaueNFA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzJDWHhIT2tSekxpWmFR
-            cVFocEl6N0VWM2FYVC9FeE9zeG0wYUhnazJRCllsdlFVZXR0YTA2T2h0ZUVienpQ
-            MmhJVTkwd1Q4VjNVaWxkL0lVTEVLemsKLS0tIHVqMHhQaW55MHBsVmc5TjJjT1Jy
-            RXdOeXk0NFJuL1ZKTUt3dXdkdlpLenMKmlQ0k9CmSWQ7MqueMbmd/TqYyQiDFZ0G
-            FPtUIFWxxPY79vsEHq3kxyz4CGMUv7tYx00OK6niLgLZUStd/3Bxmw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArandyVGlHU0NacDdmTDdQ
+            ZVg5ei9hYW45VU02RkhkTmlNeHdCODgxQ1h3CmpBdnhvdlBwWUkxVVNqcHgvNDc5
+            bkFydkRGOXE2a2lyTU9rZ2l2U0NjV2cKLS0tIDhyUm5EUlZxcHFRemlpaHFYRjV0
+            ODN2Y1Y5a2tWOU1PTElLa3NPeTVCb3cKqPj5QB/K9uB4RN+KRsK8UGS4WxECJn/q
+            HCVEo/5YFnoEtE0X7xvyBEKgrAokzVsnuHtNqP0i6ka2XIt0yi2xOw==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWTk5S2VkQmNnNjIwQ05y
-            TkR2MjdnY1pGMVZpT2dadE5icjIvRWtnT2pVClRCcTVHa3BaMGRDWTgzNE5zQzBq
-            MWRWWi83b0k3OUo5WXhHTVRZSmovMWMKLS0tIFF4UlNtNVFkd3phTzd6R2FuY0Js
-            VWpzZTdXSWpiV2tRbnc5VlVWM3FCak0KQGy+ZWdvEh09y9z1Dj3GTVyeAJ5notCH
-            ujbOfaly8e9E2g4uOxISxyFe39xlOZd6zEInZ5qiKPrZz37ASChBkA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMbWxBNFpyajNETjM2VUhr
+            TTdmc2pwb1RVNHlNVGNYaUFMelFOQVUwMlFnClBQRldoMXY4dm9nY2Ntd0pRNUZu
+            NEhYeVp4YUthMU1MUmZvSjh3ZjVTajQKLS0tIDNKSHNQcWJYNkVvWmFXV2pSNVBP
+            cHVzY09RZ1ZuSkNWWisxeDQ5V2Z5VW8KybOLJvSkkV5XiH431SBY8k5aSE9QdZ5r
+            UghLUUTB1OFvycYNyxhyIgetX9ycu54PXitEiTBGWphPiAnXyBG3dQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVGRacTlCMjBRaURxMDNt
+            SXBnZXl6M1l3ZmVZUlVDZEV4U2dJSjREcGpnCkF3L1hhOEFYcnp5Y3VLSEsyTWZE
+            NFpTNno3VStINnlXdW9wcXd3bW81UGsKLS0tIGR3b3lQa3VIQmZ1bXREQnphQ1lL
+            KzdCbXNTc054eEJBeklmM0xPVGQ4bmcKgZtxtepmmn/M4HylEsQ0FB/OXlgnyrU8
+            6Yy2ua5/UN+YfFJ2FNoYyxd7OYLDeHsvQQODXJuL7VEGBaF+3ttMHg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZDNFa0U4MWs0dmVkZXhi
-            V3JjdXIrTTdkamkzRW1jU0wzNnluQ0lJbmpNCkcxNUNwc3ZxMXJreXBxNUlaR0xN
-            RmFDZ3RIaVU5aCttS3Q5dWo0QUovVDgKLS0tIEVJQm1xWE80OVRyWUxkMzFXRHBp
-            RlJTZjgzQ3pDVHRPQ2dFbHBqdzA3N0EKGBFnnJMqUrbaIviqpX4CP4Ps45Lk/Yyn
-            fpVxSlwjOHNDwQ4ojUjv11FRo9WHUTGACFniUtvYc0oaLNygNgf8+Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweHZaZjRoaXRCNEFBYk1V
+            ZWJ3YjVJVFFmeGhpUnVHYXhxNlhvOEtqVTBrCjRIa3N3UnRYeTU5ajUyM0xjanNN
+            RjArandlM1ljbEdjcHcvL3Fvd2MweFEKLS0tIDZ2Z0dpN1d3bFc5VlNMbXBmZGNn
+            blVrd3dubmUwWGd5Rk1PSHBPUlFBZ0UKOh5BQgCUxQxFSU2NxmOGEmO3DZ3TuWid
+            d1vLm0TotAjshXBSy/yo62ejDUhvoCJ38PNDi6+zpZwCFYhaviQM7g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodERMdDN4cVRiS0tVck5h
-            N3RySnRtSXJHZEthRWZNcENrNXY4bHNHa0R3Cm1HL0lzWnpocWhXNDV3RFRxL1ZG
-            dWlCQWtzMEZlRnNML2NrOUVPSVRTcHMKLS0tIEsrbk5VOUZhbDFRRHRuWW56TjE1
-            V1d0d1lKb3hyYVQ4elBIZ0hnU3FTbnMKiWERjAwlJRPK+PILCBV03uyNVnNgolA8
-            PS0vbIDVNiX0pIrRlM2sVivZwqajjTB3XROXMmbIKpQxDMjvpHgqJA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eTdXNlA2bW1OTmpFNktD
+            cTgrUjY0UzV4NTE5NWFHdHlYa1JaeW1DblZVCkwrelZjaE5vdkFyTkErMGR0Mmt0
+            RkVPb1RTMjlEc2pRSDZjMWpwVVNhZVEKLS0tIEpaV3Y2enoxMWZyTVZjdlpYTWtH
+            ZTNZOVhTcTBHSDk2UjhXRE90VCs0R2MKUI6Q/P4v4xLnkqXqMuidlcgccDzf3Ig7
+            P8aVNYbwtQqjsOwjYcoec4PaQehloW0kt/QSnYQx3znxrYQE1WVVNQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:OQn/8yJX1xRapEUflwUHaHabt8i1EbK27vAM5mJge5n/y2+G7xYfpt2YsRUikogl1q4hqSGLe12WFYdG3TXqD5aBnwnf8if0Cax2wcjcm0ybcuWflXgZbtjWnVKV9w1Y8LCXpMd129VeeqysrY/lThRjXk1ByBcfbZ/RMZOyWOw=,iv:9mn0FH39xgFXisuEZrERhsjXCM7nQhMSoNdNTuGoHXc=,tag:T7AgJ8fYKVLDtRPm794AAg==,type:str]
+    lastmodified: "2024-11-08T01:53:24Z"
+    mac: ENC[AES256_GCM,data:C05zcIFQC3gMa5AVKGB2uvpT5Bj/Pt2XyWizjPfIa4gcx1TzueQZ0mlZHjJY/9qu5SccbLrJ/eNmajzh39cTmFZ7211l9Zz6N8BMboh8olzIWUYFeGzZtXgmKXBRMVH6RPpbcuawLOeXeD9pCLSek6V9Qdx/OUnlWokj9ZPfvuc=,iv:PGMPSs99J6neXoSF18yWbxjCE0M9dSjqtz1ntxwk0TU=,tag:pZfVKcroeKPAvlfft1YsOA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.1
--- a/nixos/hosts/shadowfax/config/disks.nix
+++ b/nixos/hosts/shadowfax/config/disks.nix
@ -0,0 +1,18 @@
+[
+  "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"
+  "/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314200DT2P0C"
+  "/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH3142017H2P0C"
+  "/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201AD2P0C"
+  "/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201E72P0C"
+  "/dev/nvme0" # These are required to fix a smartctl bug I have yet to upgrade to a version that fixes it.
+  "/dev/nvme1"
+  "/dev/nvme2"
+  "/dev/nvme3"
+  "/dev/disk/by-id/scsi-35000cca23bc8a504"
+  "/dev/disk/by-id/scsi-35000cca23bd29918"
+  "/dev/disk/by-id/scsi-35000cca23bd29970"
+  "/dev/disk/by-id/scsi-35000cca2524cc70c"
+  "/dev/disk/by-id/scsi-35000cca2524e03f4"
+  "/dev/disk/by-id/scsi-35000cca2525680dc"
+  "/dev/disk/by-id/scsi-35000cca25256b484"
+]
--- a/nixos/hosts/shadowfax/config/incus-preseed.nix
+++ b/nixos/hosts/shadowfax/config/incus-preseed.nix
@ -0,0 +1,49 @@
+{ ... }:
+{
+  config = {
+    "core.https_address" = "10.1.1.61:8443"; # Need quotes around key
+  };
+  networks = [
+    {
+      config = {
+        "ipv4.address" = "auto"; # Need quotes around key
+        "ipv6.address" = "auto"; # Need quotes around key
+      };
+      description = "";
+      name = "incusbr0";
+      type = "";
+      project = "default";
+    }
+  ];
+  storage_pools = [
+    {
+      config = {
+        source = "nahar/incus";
+      };
+      description = "";
+      name = "default";
+      driver = "zfs";
+    }
+  ];
+  profiles = [
+    {
+      config = { };
+      description = "";
+      devices = {
+        eth0 = {
+          name = "eth0";
+          network = "incusbr0";
+          type = "nic";
+        };
+        root = {
+          path = "/";
+          pool = "default";
+          type = "disk";
+        };
+      };
+      name = "default";
+    }
+  ];
+  projects = [ ];
+  cluster = null;
+}
--- a/nixos/hosts/shadowfax/config/sanoid.nix
+++ b/nixos/hosts/shadowfax/config/sanoid.nix
@ -0,0 +1,17 @@
+{ ... }:
+{
+  outputs = {
+    # ZFS automated snapshots
+    templates = {
+      "production" = {
+        recursive = true;
+        autoprune = true;
+        autosnap = true;
+        hourly = 24;
+        daily = 7;
+        monthly = 12;
+      };
+    };
+    datasets = { };
+  };
+}
--- a/nixos/hosts/shadowfax/config/soft-serve.nix
+++ b/nixos/hosts/shadowfax/config/soft-serve.nix
@ -0,0 +1,46 @@
+{ ... }:
+{
+  name = "Soft Serve";
+  log = {
+    format = "text";
+    time_format = "2006-01-02 15:04:05";
+  };
+  ssh = {
+    listen_addr = ":23231";
+    public_url = "ssh://10.1.1.61:23231";
+    key_path = "ssh/soft_serve_host_ed25519";
+    client_key_path = "ssh/soft_serve_client_ed25519";
+    max_timeout = 0;
+    idle_timeout = 600;
+  };
+  git = {
+    listen_addr = ":9418";
+    public_url = "git://10.1.1.61";
+    max_timeout = 0;
+    idle_timeout = 3;
+    max_connections = 32;
+  };
+  http = {
+    listen_addr = ":23232";
+    tls_key_path = null;
+    tls_cert_path = null;
+    public_url = "http://10.1.1.61:23232";
+  };
+  stats = {
+    listen_addr = "10.1.1.61:23233";
+  };
+  db = {
+    driver = "sqlite";
+    data_source = "soft-serve.db?_pragma=busy_timeout(5000)&_pragma=foreign_keys(1)";
+  };
+  lfs = {
+    enabled = true;
+    ssh_enabled = false;
+  };
+  jobs = {
+    mirror_pull = "@every 10m";
+  };
+  initial_admin_keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
+  ];
+}
--- a/nixos/hosts/shadowfax/default.nix
+++ b/nixos/hosts/shadowfax/default.nix
@ -0,0 +1,209 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, inputs, pkgs, ... }:
+let
+  sanoidConfig = import ./config/sanoid.nix { };
+  disks = import ./config/disks.nix;
+  smartdDevices = map (device: { inherit device; }) disks;
+in
+{
+  imports =
+    [
+      inputs.disko.nixosModules.disko
+      (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E" ]; })
+      inputs.nix-minecraft.nixosModules.minecraft-servers
+    ];
+
+  boot = {
+    initrd = {
+      kernelModules = [ "nfs" ];
+      supportedFilesystems = [ "nfs" ];
+    };
+
+    kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
+    extraModulePackages = [ ];
+    kernelParams = [ "zfs.zfs_arc_max=107374182400" ]; # 100GB
+  };
+
+  swapDevices = [ ];
+
+  hardware = {
+    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    nvidia.open = true;
+    # TODO: Swap these once I switch to 24.11
+    # graphics.enable = true;
+    opengl.enable = true;
+    nvidia-container-toolkit.enable = true;
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
+  ];
+
+  # Network settings
+  networking = {
+    hostName = "shadowfax";
+    hostId = "a885fabe";
+    useDHCP = false; # needed for bridge
+    networkmanager.enable = true;
+    firewall.enable = false;
+    interfaces = {
+      "enp36s0f0".useDHCP = true;
+      "enp36s0f1".useDHCP = true;
+    };
+  };
+
+  sops = {
+    secrets = { };
+  };
+
+  # Home Manager
+  home-manager.users.jahanson = {
+    # Git settings
+    # TODO: Move to config module.
+    programs.git = {
+      enable = true;
+      userName = "Joseph Hanson";
+      userEmail = "joe@veri.dev";
+
+      extraConfig = {
+        core.autocrlf = "input";
+        init.defaultBranch = "main";
+        pull.rebase = true;
+        rebase.autoStash = true;
+      };
+    };
+  };
+
+  programs = {
+    # 1Password cli
+    _1password.enable = true;
+
+    # VSCode Compatibility Settings
+    nix-ld.enable = true;
+  };
+
+  services = {
+    xserver.videoDrivers = [ "nvidia" ];
+
+    # Minecraft
+    minecraft-servers = {
+      # Me cc858467-2744-4c22-8514-86568fefd03b
+      enable = true;
+      eula = true;
+      servers.eregion = {
+        enable = true;
+        package = pkgs.paper-server;
+        serverProperties = {
+          motd = "§6§lEregion§r §7- §6§lMinecraft§r";
+        };
+      };
+    };
+
+    # Smart daemon for monitoring disk health.
+    smartd = {
+      devices = smartdDevices;
+      # Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
+      defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
+    };
+
+    # Soft Serve - SSH git server
+    soft-serve = {
+      enable = true;
+      settings = import ./config/soft-serve.nix { };
+    };
+
+    # VSCode Compatibility Settings
+    vscode-server = {
+      enable = true;
+    };
+
+    # ZFS Exporter
+    prometheus.exporters.zfs.enable = true;
+  };
+
+  # sops
+  sops.secrets = {
+    "syncthing/publicCert" = {
+      sopsFile = ./secrets.sops.yaml;
+      owner = "jahanson";
+      mode = "400";
+      restartUnits = [ "syncthing.service" ];
+    };
+    "syncthing/privateKey" = {
+      sopsFile = ./secrets.sops.yaml;
+      owner = "jahanson";
+      mode = "400";
+      restartUnits = [ "syncthing.service" ];
+    };
+  };
+  # System settings and services.
+  mySystem = {
+    purpose = "Production";
+
+    # Containers
+    containers = {
+      plex.enable = true;
+      scrypted.enable = true;
+      jellyfin.enable = true;
+    };
+
+    # System
+    system = {
+      motd.networkInterfaces = [ "enp36s0f0" ];
+      # Incus
+      incus = {
+        enable = true;
+        preseed = import ./config/incus-preseed.nix { };
+      };
+
+      # ZFS
+      zfs.enable = true;
+      zfs.mountPoolsAtBoot = [
+        "nahar"
+        "moria"
+      ];
+
+      # NFS
+      nfs.enable = true;
+
+      resticBackup = {
+        local.enable = false;
+        remote.enable = false;
+        local.noWarning = true;
+        remote.noWarning = true;
+      };
+    };
+
+    # Services
+    services = {
+      podman.enable = true;
+      libvirt-qemu.enable = true;
+
+      # Syncthing
+      syncthing = {
+        enable = true;
+        user = "jahanson";
+        publicCertPath = config.sops.secrets."syncthing/publicCert".path;
+        privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
+      };
+
+      # Scrutiny
+      scrutiny = {
+        enable = true;
+        devices = disks;
+        extraCapabilities = [ "SYS_RAWIO" ];
+        containerVolumeLocation = "/nahar/containers/volumes/scrutiny";
+        port = 8585;
+      };
+
+      # Sanoid
+      sanoid = {
+        enable = true;
+        inherit (sanoidConfig.outputs) templates datasets;
+      };
+    };
+  };
+}
--- a/nixos/hosts/shadowfax/secrets.sops.yaml
+++ b/nixos/hosts/shadowfax/secrets.sops.yaml
@ -0,0 +1,86 @@
+syncthing:
+    publicCert: ENC[AES256_GCM,data:oqQZ/QORhJoMUa1Sn4CoE5DKfgfIwRo7DR30MJoRLC8L3mOEDRQyk+P9ELAn3RIe2sa3OKwionJ9G+GM5htZPTaKg2h/wy//M89sdTRhC01vxJm80wScgQ8sC4HC8BpQCM5yt7A9Ln7mMvp+v61ae6xyEOcPpcZH4i31sxQUxuWURJU/KpdTAHKhora40W+DTx4YL7jEN7VMH+GawhJeW1jNZZDcBoQK/9RvB5uu6AFsQCedRwJE0772F16eaNKeXCu0BpNdTaZ7dNSUEeK0mT/0osb6DNVon8gKcYYEYtAyI/SnUOwRC4x+FeZYkAae3WGWzfKGC6ENN6JEHNG7mS81b83i3tyaN84wwmP/1pgQ5BSSEztH9P494SXLBnw3XxD2u5vxuKjf37q+gPnErq7hCEi9aS5HS/10ksgV5zpzg8eL9fNpyLXHqxDdllfvBo/KJlQaDri2OYcrz8SQlB0oCZI7AbjFz+zomFSzhi5S3gcLN/cB1CXDmK8/Ka26dcc6gAot18PqVt1aCHHVnLGvZEGt9Cj+/bool4Yq9fqQlXDyFMbiu0B57KEYshmeJE5w0fmBhenORyuKq2xhiXL4RCuKVoitjY75T4O2+ZzAqYli3gMcRksG6b+gXAYGF3XhJ2m2tBO5STlWzQx9eo8Ksm8+z0mJk7JgdKpov1mLzWZh9vHNkvUIGw15h+3FBu7oTgcvwrOqGDCCcAQSimMKiPuCUi+r2z4FuFobZOSlqAD2eRX9yh/V8s4VmaohrxacgIdscipkMFnQFGGkV3PHhh4yfMzZNHPll5Dk9fUM0BHrFMUccvP0aww60+4pufTUGWxrW5nRlI6jImPuoMh5KVZj5OAPYUcBj10UHjjtFKWN0V19XGVUx5TBR+AAkQzvAWrobSfyTyuk6P0l3Kpyi6DAJoW1Z7t2EQueKxjAd3uKMeCNDIfJOWVju9j3t2iu4BN3eyZTTbeKMwfkDJALHTsmtisRfc47qLxB3jyOHZXdZsC3OBgzRl2NlejgM+P4CVVH/kwT336u6ouuLJFjpsP+iUdBiRE=,iv:1FVhrbnLirFr2bHWZ53vEdnS6rL+HSMdV/XZarMmNAg=,tag:HCdx2II3FqDGy/t36NGiFA==,type:str]
+    privateKey: ENC[AES256_GCM,data:UNOJu/8lwtOy76y9mURvAQAcCPkAqCr3k4zo0qJw4WoyRiFnHszFrk988LdX9hi1a8d2SYpSbWBdRxAOBOkB0ljycjudgH+xVdOLeJDKZH69zRKkWwdfq6N4vxYhqnUyCuwsRrFvg4cZYeEx9n133QNf3DPYIvovlPEfurQXDt8s3/tDqVeJ1SuJTX2sp8X79KWypCb9T3mar9X67EirV2Tz6uxzeRiWUpekfQbdzcjITiQPZ9silBcu0ZIwgfneBQ9yqAV/Gu01mJph6H6cYqBhK3xO4T8tXsnk66siBjWmqKP+3kVG5pyFDMAhuM0Jz+0VkaKOjYxTaPff1YMsL7/hWQUXcMgM6NyppMbpJBnvqcaMpEbYuEF444pBVktC,iv:H/X4eW+1//f7uyJRiveZRQRJcPGelxHhz1sIlzsMCcM=,tag:n+/dttJpTBeHFK/H40M0oA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIREVLNDdJUVJlbk1OR2o1
+            RFNJLyttRDZoTmoyenZFU2docVUxRnVtdVcwCkM2VEV5ZCtobWJDZUNVYWlkK1I1
+            dlJlbzQwKy94dEkrZG9rb1lma3IweGcKLS0tIEZLQjNxT1lobDh2VEJWY3E5cGZE
+            UzdGT2JpUWtVSzI5VVBXNWVXamlYTEEK5fFvbB55/4Nj3tI2TG3WYhwA1WK3vmfH
+            Qh5H5GcAYGV37Wlw2mZ/J3SYo9IBG+aNyXO8nE2/pwF7Tbw7GDPQ6A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM0Q4ekVwWXhYd3krVzJR
+            anFxQWtaN0I3Qk1qRDE2cFVETGs2T1M0ZHhnCklBL3hmeXh3OWpvYnRzRHJWY2o4
+            TWpnYklpOG04S2pCVEdmTWtCYXJSUWMKLS0tIEdSUmthcEo4UjV4THAweC96cmNJ
+            dVV3TW04eEZDNW83T3JCRFVjMmxrZVkK7mU2HJstMD7p9As/s4XyBuYVJAlqCveA
+            NvC0imDnZ7btrVWKNTV2UB0VgQiM+opgcNHYhqRT1vLpUv/+ZRFDrg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWElORElqTkQveHZFV1pk
+            ZitvWnZLTEJJWVFCTzZTVklQOVNCa0J2ZXhRCktGelNLYS85dmhJdlVjUWxkTWpC
+            R3cycTd0NEVWN2pLZnoxUXFyeG1tSjgKLS0tIHlIbkc0Yzd3YURqOWVwT0NTQlZR
+            bzRaVDdDL0NlNUZ3cTV4NU84NXNTeWsKZXNd2pYBG5P48kurR/XyswPGStyzSkqs
+            2mEjJCwuMZBkBRm9DFzbB/01LxqNnES4U9/6oVri0y4mHl5R7PyTag==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQ3JHSE1IcWJqYW85cGtr
+            WXI3TE1SNGZ1R05iRkNKeW0wR2pVNU12dHlFClJseDYxUjFyOFg3Yjdpb1E0aEVj
+            SExnaTMzK3dDR2NvNEhjTkoyUTI4NlEKLS0tIGsxencxR2dhWWwwaGtFU3VnaU9x
+            bUNibENVMmQ4NWhOTmlOdmJyTTB3eUUKM5zbfS3IOGgXlAFi+40DAIBZbLiDDyLu
+            g5CZKtRAw/85WOqOdWl+WJBYegggyZs3029w2QA9WzxymnkGiyl1nA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZb0xEUFc4MmpOM0RaWmZO
+            Q1MzVkJyRnNFN28zUlQ4TUZ2TktWakFVZVQwCndvdDNzRGJMbE1lMHZaZ1llVzE1
+            dXZFMngzVVM4UjZWV2ZlOGY5bWJjQjgKLS0tIHBMWFlxd0syRjlEQUFwRS9lN1Ji
+            K2hUdmZmUHVWa01qVHVUODBlZ3RvY1UK4u0PsdXstr/NVsYGRglQ8IPhElIcJIbk
+            3G83Dunu+WApUNMhoCFpB0OuxSyc+xDIdEOhqcFGvIoywMmnpWWZ8Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFBRWWNSU1l5dE44c0No
+            QlJvYlh3dEZKVVVmS2RKOUdyaWtGMythUHhjCmsvR0M1eHlVd1l1NXVCWEw1ZnBa
+            SUNpWDFZWWJlSlVnR0VCNlluSWt0b0UKLS0tIENMa3FFWHpkaTg3YlRXRHpML05j
+            b1dmeXFkZjViVm5hdldOdTJRRWo2QUkK+eoVhfzSHimufxl0O81wRBJQ8iEVb7w2
+            rVLONs1qR5xRGCV6OpCtbRqKaNXQgGY/w1CGb/44xdmh7C2C21gs6g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKV1o1cFphUnNhdlM3blh0
+            dHpKODg1SXNsbVlnRG5zaVFiNllEOGEvWkM4ClFwZDg3a1o2UDYyUUJwdHAxU0JX
+            MUN6Rk9rR0NKSjNyK0ZrQ1BaTWpTNjAKLS0tIDZkYTUvd3lkZHV6ei9xemUrUWFQ
+            TkJ6bDhxVVUzckkzNllsTkZLeFlEMkEKFesi49AfQbNLnYGrlvpCXCwvI22J1DL7
+            QK7lBMlDX3+zlutX6DKygQBT3BckSZWI8upOsK2atjP6d8seDVl3cA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eld2eEwyRTFyMGhXL2w3
+            Q1JYSG9VMXVqZE1zak1Ub1dOWVZYaVBNUzM4CmVUNURBcDVWeHhUUVBoRDE4M29B
+            SzRyUGU5MUVSL0wzRWZLd2RYOGplSmMKLS0tIDNOYWcvL0t0K0tXMWZGQXNybjY5
+            NDIwV1hIcXoyZWI3dUEyeWtXd3FLcEUK0YBS95TA9luAL1mObUtH6RG4nesYZ7Fc
+            bB3e2p6Mrp/t1Oa/8p6WQXxu4vf5y0XCNLXeW6I6/3udrTXARaNNPA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-08T01:54:39Z"
+    mac: ENC[AES256_GCM,data:YD2Uwxq8rt2NPKfh5gxHvXcbcEmzfO2ZaaYjH0RnhHyNnHrf3jcyzEhJphKkzRRpsCJ/F7UV+x8EQdWkVn7eUykY92TkLeZ9I6TwyqupzfycQGrJK3Ma+jbO0qlG5L7NXXSxj4LKtJ9Rf1BdFH4czeWmrM3aMhtgAclZ4sTSCos=,iv:AElkydOvlkkGu/1iLxclH1bqkd1Pj4uQH3gbp6iGDII=,tag:WEfrJm3F0niQn1vKuowALg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/nixos/hosts/telchar/default.nix
+++ b/nixos/hosts/telchar/default.nix
@ -1,51 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
-
-{
-  imports =
-    [
-      (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  networking.hostId = "4488bd1a";
-  networking.hostName = "telchar";
-  boot = {
-    initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
-    initrd.kernelModules = [ ];
-    kernelModules = [ "kvm-amd" ];
-    extraModulePackages = [ ];
-  };
-
-  fileSystems."/" = {
-    device = "zroot/root";
-    fsType = "zfs";
-  };
-
-  fileSystems."/nix" = {
-    device = "zroot/nix";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var" = {
-    device = "zroot/var";
-    fsType = "zfs";
-  };
-
-  fileSystems."/home" = {
-    device = "zroot/home";
-    fsType = "zfs";
-  };
-
-  swapDevices = [ ];
-  virtualisation.docker.enable = true;
-
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-
-  # System settings and services.
-  mySystem = {
-    purpose = "Development";
-    system.motd.networkInterfaces = [ "wlp1s0" ];
-  };
-}
--- a/nixos/hosts/telperion/config/haproxy.nix
+++ b/nixos/hosts/telperion/config/haproxy.nix
@ -27,11 +27,11 @@ frontend k8s_homelab_apiserver
  option tcplog
  default_backend k8s_homelab_controlplane

-frontend k8s_erebor_apiserver
+frontend k8s_theshire_apiserver
  bind *:6444
  mode tcp
  option tcplog
-  default_backend k8s_erebor_controlplane
+  default_backend k8s_theshire_controlplane

 backend k8s_homelab_controlplane
  option httpchk GET /healthz
@ -41,13 +41,13 @@ backend k8s_homelab_controlplane
  balance roundrobin
  server shadowfax 10.1.1.61:6443 check

-backend k8s_erebor_controlplane
+backend k8s_theshire_controlplane
  option httpchk GET /healthz
  http-check expect status 200
  mode tcp
  option ssl-hello-chk
  balance roundrobin
-  server nenya 10.1.1.81:6443 check
-  server vilya 10.1.1.82:6443 check
-  server narya 10.1.1.83:6443 check
+  server bilbo 10.1.1.62:6443 check
+  server frodo 10.1.1.63:6443 check
+  server sam 10.1.1.64:6443 check
 ''
--- a/nixos/hosts/telperion/default.nix
+++ b/nixos/hosts/telperion/default.nix
@ -17,30 +17,33 @@
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };
-
-  fileSystems."/" = {
+  fileSystems = {
+    "/" = {
      device = "zroot/root";
      fsType = "zfs";
    };

-  fileSystems."/nix" = {
+    "/nix" = {
      device = "zroot/nix";
      fsType = "zfs";
    };

-  fileSystems."/var" = {
+    "/var" = {
      device = "zroot/var";
      fsType = "zfs";
    };

-  fileSystems."/home" = {
+    "/home" = {
      device = "zroot/home";
      fsType = "zfs";
    };
+  };

  swapDevices = [ ];

  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # Until I can figure out why the tftp port is not opening, disable the firewall.
+  networking.firewall.enable = false;

  sops = {
    # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
@ -65,7 +68,15 @@
  # System settings and services.
  mySystem = {
    purpose = "Production";
-    system.motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
+    system = {
+      motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
+      resticBackup = {
+        local.enable = false;
+        remote.enable = false;
+        local.noWarning = true;
+        remote.noWarning = true;
+      };
+    };

    services = {
      podman.enable = true;
@ -85,6 +96,20 @@
        config = import ./config/haproxy.nix { inherit config; };
        tcpPorts = [ 6443 6444 50000 ];
      };
+
+      matchbox = {
+        enable = true;
+        # /var/lib/matchbox/{profiles,groups,ignition,cloud,generic}
+        dataPath = "/opt/talbox/data";
+        # /var/lib/matchbox/assets
+        assetPath = "/opt/talbox/assets";
+      };
+
+      dnsmasq = {
+        enable = true;
+        tftpRoot = "/opt/talbox";
+        bootAsset = "http://10.1.1.57:8086/boot.ipxe";
+      };
    };
  };
 }
--- a/nixos/hosts/telperion/secrets.sops.yaml
+++ b/nixos/hosts/telperion/secrets.sops.yaml
@ -1,10 +1,10 @@
-1password-credentials.json: ENC[AES256_GCM,data:odK6x2TscY1WNCOaPBSfo2ln7hsa5UopakUpOgB4ci64p4LGIwTTDnSiq8+UXkrDndQ7tSqtr9RUvB+AwwYOuh1KBAwWmlZN7agtxUYc1wvMdQv8WPDfhqe9m0FNP5gyTaohcjBdBddZlv7izScVePUQUdG04dGYqUg6mQ/gmPtJy27hil8GivvxRN6FnFtkgoyfE+ZLfkTuMdeL4cxai4j+UeGc5XgmsrBLrW5udeDw2hktGXEBp2vMC6t+D7uzZ7DeLBDiHRbBZBeo+krnVdPsLxU3yFF/hC8vWVbkT7Wt/UhB0+X8SWvhYOvc3KW+NfyHcU0SONhQCM4iOkk/1qvcaDHy7idqexKxOtfQaZtuHW0vB3icgbxTO9usFxOxUPe63yXHUg+UDKSN4UGCF10eLoZKaV7zO76BkTFXQLl2Q+dytaxEKathhW4fS5lUBpuxXNDXuIxMiUIclXwVWVDpL7qchTJCopWwwDRaeHrUPev+pQptEsDLYpZeuf27hPjCMiOWkxt2kg2eKPjJ8AUtI8N3OlFPCyAurLgLSrFj0Wzm24LJLKsjs1if2y2jb/pR4MPdgnHgNnHS8VQ9JVprVyuw9C/wDhVV7yW+D4tlJ/d7AXaJq/dkO8XnwCEVPyFr9bUMB076z+tleYgvv9rHkdQMaqHr5HCHAtuYfM4f0Zpfr9alJ4wxCsj+MAn/PLGxjNd/hQQY+oYRpzBne2mUoxhRt3ZjnGH8LUBFSlz+e0+PB0anS3oV3XZUt0XuwGpNIxp4LsRFgmDC2qoMKZ2X7/DfTdmb3te0YbYNUUeHxlQ5AImzU6Lj1qw/clD7ViS82Rjc/WCavg9J7U7CdDbzhtv6xCxbyd3j1r8Wi4XLAXy4ZdcdvCEyYDHwJeExY8pp/jvS3CqSrlC/PyBUemloIQ+jSQiRYDv26XpRKbJ9Yd8fJ4ANPCMuvXU21iXtxHIRwopTo87hWqqSaORFcyVOmCxJJpa/TXL5fdd4ISy6CSqZXZCCIfiVxq4fBkqSoya4XMXQQq9Ki5xwLf1bDhaT3v7okP87A9d/j9Vru2RIZtRT71jVKvwDvJhLAfYuXyIUfQh5cvIw4/HlAZzP5vi1w5KlIJGf1uVVhvTl7p23/Gi9LAX3/P75dbK+x4VYOyqjMowER3jxk9m6GyFDl7iuceNh1bIpgPN1s4QOba7N2Tex5oa/aJJKOLYE4GYDtom5auDP6Xqa/Nd4NaDyd5oVuXcP7Lp7tDu9sIW5rhGaVYKU7jhzALN9HjfmAen+cZ50oy8L3IYKlS/91qzGughYDOjK4qeQ2XrMxySnCPja7ElV4gxmB3X73nxN+N0ZLEDhAGIS1FOaOammDjK2Pj/3vA5+S2hO3GYLh9glNgRnIGlNUVtw3My9H1mYIc4eP+LGGXz1KPnQMQWRtXZHH4d4fsOyhk+CE8as7WtyO7M=,iv:RkYdMs72Nq7dwHScKZeXMNSJ53ztTXCb3lkhrr9K2oE=,tag:XDdPfd+Be9nSAbvate52AQ==,type:str]
+1password-credentials.json: ENC[AES256_GCM,data:AgjrQRlLUHozHTsn2iAf+DoQKmhQfSH6ktISxUZeEjs56k6idjbndkK/kwQXNNrAwmmpT+3OG7cOv0bAPU8AzwZYVyOlpFwp/eXvPJI6YcXlmsCn9lEANpdIbpc28npWTxuYvwZTSavJt5qo/Q9Gf5YQ2qiW6ER3vA1bej7Q6/WRNqcRWKfcMOfNg5YAms/o+nUDKgp2TG4cypyw7tXUoFk9drhCrybNSdlWxWf1t+VdiGLIFk1HvYWkelpxJujRZbKJxNi+4kPT1xQyU8IJbOZx1wXsIfz5I7QPtfoMxbAhRB5ikAwZpNLO1DpnAqBcLES+yqHm0V/hyI48mHz9gSH7fCUvGqj2OqdaKAl0lEpkTMA8PkfRNKGumwHsq2IEh5PP0kj50WlEFFoZszM5QKr9FK7tcvMP0mTL88hlCqnH7rzvNQtpC76BcoReOfKO0ZPtfEAJVGzsQ4F0hkeYzlfyoylqOzldju1QPadQ8Pq3dZFUXg5mZrF2N2kx8gqHqNHqK0BY7KFRrqTIJWebHiLYWe+WWqK3aUSLx3j8iqjuf+HtEBnxAkVIuAYBS6KwHQeXycdD/d1aMm8T46mJzW5FHlUed++GsU5HGQOF2gDZ2gfimdZ7taH0Wlf2wYmuH3BJKFGROefv0SuhuqKMxG1ownFIO0CbCS61ErRTER1P1L44CmaPyIgRNPMmz4nLlKt6+P7Ci4QGpevBkY1wHEn3dT/fNrBBW5EBsrWKRA88guZZHAwB3HLAVNqDno+nWlXlB5RxzaYzya6MYrlXKQxYluU73UQRzH7ikAcL4dJpjVPNIZPkzNRAI75U/IOQX+XspwM+yeIC38TAnNIcARXk2u2FJPaJLQSLqQJYgN9DO5Rg3cIVD/RsSU8TMEq/5jHaoMjZZ4iaYjUHzXbTOvk9WuGBJB1uBm3WUVDwLy6sVp7kHv4PvECcDByNxvhd7Krpbgt9sMi3jsfloo8zOzyoUOkbCEJNr6KCTOvd1/gzRVBxKyTajBkp3P/K7sqGSYpqqmE9qQSeHH6hVMgpicPsn29rzBRW5z0Oep+E6mmDoFuzJ1PJCdLguOIOkVDGiaT+ETtSrg6By3+lhcknElquTd0McoIO2nst80VA3tGUFwPcRJ+GmCtNLBDQgsxz0FtLMzIp5rWi630gnDHBjCf/qXWxyb1YXTpWGmsfWlF3xf8TrH313cnYkKVJAxMBFQVB9GCZMbFcgWg2A9T6b53tVHhmTWIZ5fHGOVBsruo/zU3mhxjoOqsbgrmj6Vi/1sEHvkN0hQq13QGT0bRv4L8BdeIanCMItEP09WZ3lDlDaXY/5xgfwr82oCxrMM7uk/j7COF5C1OjtbsqrGUUB4bphgiVsTT0m7KUw/VdJlPDUNAm3Qu5YUgeypmcNJoNFwsa0deDdg3GllaePP+8BDRbNrGSWUoNB7iNcW/fVaw=,iv:FUiB54c70FVSSkeXZ4stCdKGwihjpSZfsKqKoiDynTA=,tag:aNTbQb2/FUx2NrjQUVMIsA==,type:str]
 bind:
    rndc-keys:
-        main: ENC[AES256_GCM,data:X0HTyNmqH1epIVNkXMyFlavqAodDw92Gs2sK54USNv0mWIwmk8NEb69x/Od8TAwDZw63k0lEAymyj/hBfkpav9yKT1M1hGxr09xjWsR/DTAM9tFv140cvnMEon0ZbXVXp4ou24jP,iv:7AsoCrxf8CyPiyWYfHZsGE0Qw/wutCVvCEiRdUdmIHA=,tag:oJi4BTDrD3FLEQuYeDR3dA==,type:str]
-        externaldns: ENC[AES256_GCM,data:WhH4vAR4Q4iTXq2fT+Z8kOXkwnneNV4bXWYytov62DFDSnYwsvWIbol5MvYIwXM+gEbQ/k/uk62MSFx26T34881EGJmH7KXWr7ji273D8oKAp0Fw6jOt2NZT6XkBwhWEIathUOwNdN6E,iv:SepdyBzYga7s03ppSppiBB/wTbTrL/y70aa/B/m02r4=,tag:vWqlZLx+FvstJjgRj4mjWg==,type:str]
+        main: ENC[AES256_GCM,data:JVFfmWawvoQZNA/phLZAH/ZfDFkuDBAzQsvavFMT/8v8JKi4oJ/V2UjVv4Xhh730SP74Z41UBUA+N1iW+1HsIqCm+UGcjelLWiKoMGQMmuzVSbt4oN0lVtVIZyke+hzlNPm5qTt1,iv:Q5t9beYjCoTiYOm8K3ktqLbkaWWWzPPljcxmdrXdczA=,tag:gZaOrxZ9ou/+ZxukaZ9FDg==,type:str]
+        externaldns: ENC[AES256_GCM,data:eCtagoXcjAqKfvD8AuxUhtL2Rvn1iUxbS3qDv1x1KVUzdg1jGAELgCivgPLv8UaLCZ7dqqtr1XiMgsd8RPKgSZO/AS9TTQx8eGnWUnaorUXdhYfhrGfeUa7LoEPYPNx4jwrN45j3OKsE,iv:ffUDa51TqFMqOBItiezwfiNkf4aajdfIXo6+cR48rAE=,tag:E2jMpk1/hpJGjLfIFuTpqw==,type:str]
    zones:
-        jahanson.tech: ENC[AES256_GCM,data:XqOX6lbCubPEi1pXgIEXW0qyD2+iJXNugTPdQOB/yCm4AX1mMiANAV51FBDb9f+QQ+q1EDqGz/83VKggoIvHSZCOW3dkNWR2uy82uO8C59sbsLrR5AzTTnZN2zlaIjW2q42I838mKfO7MfYXutwQbTpepr/Brtbldm+HRjxugJJMDFvBqSlylSnFA+jeWq7RNRP1+ZxGULO8I2BTPqdRVyRHcIWjyQABTctDcDgDLMpPxrMBTtmC2/CFH5pIT3w6gbrYRwYFZh7fNprOYRRPOkGHMZK6ccMCpm2uRR4b5daB1MidqJUsX999ma2TEmsUJSQZr6mS2r/QvwZ2R9QziIkBxh91vCg6HMaHl8/ISlryZVlkWNY1P2jgCMw0jJ58NxeBVAjVWw3iL+i9JU/q51r8J3nZHi5ql90JMaVdYWw8I2GLYWDHQnES9srEXtJwJNLzE69lQuL8ARmey4gt8Q9snen0v3RJVFb466nPKvH51TjIAr3FB2L8NY3RumD4eYl05L5JdNcFVuqmsYdoWQSQdZz23BxRM/QKT2qKjrhxfZuQW1naNDg3qbx5+bLGHlG6m8wRdtkR5SXWQc5a7LG2eURY9T7vy8yxMWzjd5LPMFLd7JlUSjwXw9YBhYTafGuc2TUESs8DCO/hU2zjAn1KM+rmc2T4aF3HexJwt7b7HBmMrDWObdtj09ycV10tp1Z57ZMz18aJdIbaZKopERN25FzIKiTlytiZiWsesLo6mUbsgb7bmjGGjBEDbp9P7ozgZv5H+aR5Y7POl9EG3gfERPsa1nF1qlloOrYT/GX8pUNhXAxH6QfX7WF+ANiMB/L/X4L0/XufV7shCWfQwogZ3t7ARGHr3dIOyx1ABus+M2QUZyI94jHTn+/J6aaxL8qsDGDZ6383Gk/CHa57BklRUrZZYVs9jzDe7+12gDfID/eP+nnKuohwCY1KcHL5QCRUg8KN1ZIyH1FYz489l/qKFG1nO33iJv/l6opWjIv98EM88ckA7zxU1+UgjxNiBo0EGJPw1erwTwUzehTnj303HuTGbtGjgE/vK8M+rCCpL9L0YAFQyXqeuqQs6yM3PHCyKfvThCAnwnTIGn2mZcyu/GGGOO9Hse/islh4cYldxC8psKNfNlf6qT43MOf+gDJ2GKU2kzU5tivlNqXbgAs=,iv:8SWNl65v24W504eG64L65rDmvqrkF5VJhufN3u/wRG4=,tag:oapDfnOAPyPDiJrxGHtiJA==,type:str]
+        jahanson.tech: ENC[AES256_GCM,data:CEOcBxa38OheRPP+JakWVfm1vbtTlMzEsEYhzehckpRN4hj9epxVwyKzth2JvhdJN7zslP/BydRm2VowSTJLDpEsRBYiC7650ear3co1qM60SvLHNgsKcW+UTfp5RUqIcos2Gfll2vrMFxMIRV9nrSz2g3trteC/4B3wmVLZjnvNQoB5SePpQKXZQQesO5+5aiF7hRqk2OSz57S/ncjHJhLz9h3xyvr7JXrcdUWHTUarqQbARG3owzaxEoPY+n4nqtx5JXqFaYAMSO6bio4OHanHXhdMfSpZud0bT7wBarAtWCFgIIMMKfd4Q1qBm5AFQyApdLKdwQ4zakrRYOx07zp/ZxVOQ5oiGIuFsEumf370PCzR6JPVivX0gHsJXR3EqlXVy4TpFOzit9jc43XD9LgvYKxdQQUUC3LwfCVK/6/rjqVU6+40tA30D8KQS1UZ1Bmm7+QGk4Jdocwg5KfI9BQNSC+Qfrmif8Ckljr8978p7rxEhMU52DkoNeOxHtLcjzsskVV2Mv01KdKQByoHxVR7ySEkmz1nDc6O6kUExgL4mrXRa+zWvTwkQdcjCoOvb5Z4X0sUdUwvt3qQqbZLyCLvXLwLyOjCTlHu3E+nlZ+AESTRoAgexkR+oWQuekoPaFxy1F4FFk8MDpBb2Cgsw5ZHhgmiKaV5e0DVU3oS6mRl1OiqhMSnbBsheyXYVWSHQh8xvlLgvF8/INeJCgZArjDfP/nz15ctkBVKC+6eEyTCXiAnaS1snbJdovTRiz9GUaE3AcQ+uRhhqDL7U1AO6n5vxI/6nKGH1YK2Z+ym7JT3M8+wtBhM/fPs5DjwjMb9c5z07Ks48r+dm8j91jsh2ACTJRvhvyQvxHh4HPWicoUhRdMj/VuLAwMpsCGRCwjsZ8OzNvzWUz/+5kA1J0/XEh6TRW2ZNKO+uzcpFKoAPwRbF0lLgZYnuceEEb1oyjEH0UjdKDL7g8GtnEdN4kem+Nfk/OgyVJKLCN6ILvd8QrhXhmAZri8s18eNEU2np92B6ISmRt/b0pcNyva1fRvYYv3CaIjqjx4RFa7pZvjyXysuomdNzUx6wfwBxVqQn4FjAhOCeGVawtzLDV2ZPfaxc36RIOrK,iv:Y6CcrD/be0F6B9TEfGFF74jWvk7uWVUytutnFGfnG0I=,tag:2JQaYAj4IuFw4LrnQ+gAig==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,68 +14,77 @@ sops:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSS9JWTZPak52ZFloYTZq
-            N3Ewa2hrbUZmZ0Y2aVpzaTZjN1hzWTlqRmg0CkdIZk9IMDdWQ2xsYmdHcGM3WmVk
-            cnVXVkprbXlQeDdzSkEvbW9SSE1aU3cKLS0tIHpuQUY1TmdKbGpZQ3N5Vk5LdzBC
-            VVp6Q1ZNR3gycSsxU3Q3SGtNUDN4cEUKDXO3QyNQfXqn587meoAZqraGMl4ASeOf
-            rVJDGWkNhne1YFdAfvbiY6pD7RDxscwiRFqDofH/t0EfN4vwrzIx3Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5V1ZQcTBNeFF6NjdXMThQ
+            QnMxVFZHZlBwTk5CU1pSNFBPTUt6MmR2NVNrCnFjd0Q5d0pwZGdJbDlDdS8wNG5Q
+            aHdqekpmREhlbEVMUjZNc1BscU5xbjgKLS0tIFdLUC9wNGlyOFd3WjRnc0IwZU85
+            alhDYk1DelpINjYvVmlCa1pKY3hjV3cKF7aIzA9U1bPVP6bQbYCTjXKptE9Rovyi
+            CVBUzWWrb2Z12rvjDzIKc/L1iMqLn0PjPsYHL+CHW8z5A6R3m3FDMw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSEZKOUJTTjE4YTRQUnFW
-            bzhMcjlSVTRNRWNkSmZSbU5ITFFTbURFbGpJCnpndFR1OVJvWnBOMVovdVVGWkZ4
-            Wk9xa29kekgxRnlqbFg4YzN0OE9ZYUUKLS0tIGsxeUhWdU5NaTE3cHpYNXF2OUlK
-            eGNyTXdqWFNvZ0NVOCsvaG55dUdaMEkKW9SxqP6Jpn72VAwPhn3laO1OE+gYzLvb
-            10NfaR+2P0EJZ3nwc0sLKmPmSzcRiE9etGtNGFiLgoUNkQ3lnwXj6A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUFlDK1duT010Nll2cmV3
+            ZVRKM0tFNGVHQXM0Q001ZGtIZVV4bVByTVRZClZVclFEMVlSYnp2ZElNZm1DOGpR
+            bzNCUkQrNXF4UlU5WHloaEtzMW5wMUEKLS0tIFpwQ0pLRjFJOUR0dEhhTVBhT3hJ
+            c09wdG1jVlREUk5QUThKRFpsSlRUM1EKjxe9zkAp8t3gwMFOipPZeVdIyEnOTm77
+            0EnaO+oPJNTE+WefHKEEnqkUP0JY6vkDSkymgLtlPnY9VkAWP7ymbw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTF2TjJ0WGJaTUFIWE9s
-            S1NHQmRiQUVjSGJLQXZ2VUUrclorT3dIOXprCnQwOUorNXFzNG1DbG8wRW83QTdC
-            a2ZpZnM5Vit6bk1SaXRSZnZZT1g4ZzQKLS0tIFd4RVR2LzdvVG5nVzBiKzBPL1p2
-            eFJWOGx3Z240clRQN3dNa0Ztb2hrUk0KunfKdWPTZD32KagC+VXmAQDxJAoElHAp
-            mo8a0GGdeVuJiUneJlZ2KYuLkseCyn0HC5qQMUIT8HZJ2bb+RH0vDg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTlZoVGgwSFNOZ214WlBC
+            dFdBb2tSTjJLU1M2WmZXcS9jU2d4WThab0JFClNQekNJM1dmVjJUeEN3d1F3dVFF
+            R0c2bFlFNkowZjl5eEJXMllXSzZLSUEKLS0tIG1CUWRZeXE3SksxTUxrQjBTaGpS
+            VTZqOHB3eFlHZmNlSU9QOGprdWh3bm8KfvR852TCR0nfmXkDgF3FSOR9agJ8GUPt
+            1iK2aDZHLZKcK4mcuPc/qzfCXvTHlIvTDbSD0PbgCyG7gwgX2Qd8mA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZHAxMVNsK3U1ZlJnaEJj
-            eTNhZzRidW9HQ3Jrck0zNmxPYXcvVUtJRTJFClFiMGNuYnEzbVNJNExVSkZ3dVJy
-            MHlRdG1uNHhZb3daNW03bVJrOGZmNmsKLS0tIER3RUg0TDRQT09jdy9xNzF6OUtq
-            VHR4NjUxZGpRYzNKaHhlVTdJQXBmTlkKHgqnACFlEusz0/W+I/O2smr/SV2Oiw9Y
-            wCqCyVfB+kGrfgq08e8ki8NXv3PDT637BU3kXFaOTQhzSE0aCpD8qw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NXpCcmY2T3Zmejd2TUlX
+            TDZYMSt6OFdIZC9ibHJid3JxVjlHK0pCWXpnCmF4dTJWNzQ1a0FZdWxJUWZVZEhk
+            Tk44YWQ5U2dWc2orcTExMjIwT3ZOVmcKLS0tIDJpbkEyNmJmQU1PemhpYzBycjV6
+            V0pHbjhRcERyb042L0ZMUnZSdVpOOEUKICA6kYzVpAwMaoKrZIkj7GIjv4mGRzu5
+            3sm2D/yeE68TXH6PvHPRZpkLAqrn2HvQuviIgHXH3Flgeuu+DGl8cQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTXJWQThMaDZNajBFOVRT
-            NEpJK3RvbzRKUXE0NWpRQVA0aWJSYVNxWkhNCk1nWHVaYmZNQkdQZFJIOTZKTWxC
-            RXpOaHc4dzNBZ0txcFhtbjVVSjhDbXMKLS0tIDkwSnFTTjBZZE5hZTdXeTI1Q2F6
-            Skw3OUt4SVlrQ0M0d0h3KzNubjZ6SDgKiEvuO+RqygeSSzeUlQJSPuzNY4tbzKso
-            bt/fSCV4ulFTvjybD9lfA9dclHGM/IRA9obCQd8RsCBQuXo9cuWnjA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMLzdsOHpDUW9Vb3c5cVFZ
+            a0VOMEdjS2kzbTVtcU0zeXdOclJxbU5FSFE0CkwrdGN5VTNxT2Y0VUdOT0ZnMWlz
+            VGxwNGFSSUttZjdIVDlRL1JQekhSdkUKLS0tIE9JbUJWeFRVbXVyNkJIVTQ0bS81
+            Zk14MEtrR2pRSWVPUEJONVNKNUl4VXMKJ93XAmrAH25gUTbtY4HQjSKCJqH8yK7t
+            5WGip1wjuP/jab8ycHaM8MK6hH7qKJGLKF0Q+agvQok7RKqZl5+ikA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYUhubnhKcnFDZml5Qjl6
+            MzgvVFk4QzNwOWdSWDh6RlBDdTVzRWMrTmdBCktBZVdKWW9JdGxEVlRtVCtMYXpB
+            YTV4TmNlRnFzMTcwWGZSeWtzN3hxRFkKLS0tIHpsMTNLckhMRkM5V0xqbmFjOUpK
+            ZFl0QlZCUmcvQXBvcFpoZHJNZ0xUQTgKTnAjik5QM++wy3+y8N5zHk+nY1+bMfr8
+            5IQBIQuoJUhvj8GPniyYRHEhzttfYNuYJaENQcuYOaIpbGb3jTmBJA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZkQ0NzVGMWJ4Tk9vYnZC
-            dmo5U2FJa0pOUmt1K09MWFdRamNnaUgwbEM0CnhKRmMyN0RYMG5Uc3ArQVZhVFZX
-            RHQ3SU1TUnQ1SlhvZGp6emFOV1FuVE0KLS0tIE1oQjQ1dUhTMVBaTnZIeVpVNmxp
-            cnk3ckEyWkdhWkpkQlhJTHlsaGFTNDAK79D2C2RZql38hBJOBnqhOOdb7Z7EJNgj
-            aWfivACOM//hsPCZK+9YFpXJ08Nb6iBlNKzYsTW7qJ+Ue9M9i9JShA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQW1McmZlNVhDR1VRMUM5
+            UVk4aGd1RDZxQ3RlSG1UUEd0R1gyUU1VUkg4Clo0eFgxVlcvNnNtWVZZajRGYUZJ
+            K3d0ZzNSSG16dGVONjU2cDMzbkNvazAKLS0tIE1jcU9ERXZhbW4zM0E3Z3RJWTRm
+            anA4RmxVOWplWlo0QkFLQ2xFQ3YrRWsK0Z1iH93d8sMj8PbFaLBBO7xqz04f6ytV
+            m6bFiMoTp+hdnFdGZkl3S+4wQBG44uLJ9z6I/SL3H90ZBrVfE0XV0Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdHRRVEY1dmR2WjM3YVhk
-            dFZ6UmUxUTJKR3RKMUM0UXVaMUJwMzJRTmpnCjJtdjgwNnphOU5EdUxkSUp6UkQy
-            cS92MGdlTExVbWJIWGlGVVFla001MGcKLS0tIHF6c3MxR1V3N2szeXlNdWhUaGpW
-            WWRlTHl1MWFmU293NGJyRVNRTE1RWWMKu5nK98591T0Z4rHIHxCY7mqBW/CF6abl
-            3/ygImXkb15Ws4b4mcN67vk3omg9CB6s0SHfFk1GAu6CiN7MufHQ+Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTSsvbFEvc0ZjQUl5WWhl
+            Q0tWVndqbGlMcnpYMzUxdnlWVGxubldaWVZFCnpBdHRaa052aUJWZENBR1QvTXgx
+            Nld6UHpPR05yQ0g4ZEVKVVhQUUdNVWcKLS0tIE1aMm1XOWRxWXhiOGk0Y0IzbEdN
+            b0VpUGdsdjNpV2ZJYzBNeUZtTFg0NTgKJ9dSsLlgbxotxWyLrY6XWVyg3I3zugG0
+            pvd/gQmiYFxptVmBPw+GkOZJBugHpURQznXq6DEo0hVaYLoxoaFBNQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:pmZjxv+vcznnamHNvOL7sr8wrejmcqo6D/NpizVo7TPo6cs59vTQ2fXmM0zlfJs81wZVe8cMcv2LXITSmjpZOsrhYuzMpPsc9HGzdwfOXVTfdVDYWVwNd4LsXMW40rqUbZyVtp8zAOW4eF5iY0H+acPxMcBbogoQKOU94a0NqzU=,iv:vFcpIrA9KRMawLCbMqWbKcGFPBcMp3mQRIgje5dV5S8=,tag:iuEaP9jjhhvjMjChvaoBCQ==,type:str]
+    lastmodified: "2024-10-01T23:46:47Z"
+    mac: ENC[AES256_GCM,data:3vtZhdp4eCAlzq+LWypv5wb5qAdFM3wYTmbtvHMIxG21Z2joEH75i2BqYRl8sQPDSM01wbwZp04/pgjEBogrBrwC8Jt3fAB1ptx9A1vPBIwjcprFR53/A0SFRqb3eXJbwRMS3axZx2yp3qzv73en1vcfRgS2YfjaH8knH1f6/CE=,iv:L3NBzPNHi1wBLA2+sI+Ncl57el61friVvar1HbFWSW0=,tag:sxm8CFpwTt4jgyHBPqVihg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/nixos/hosts/varda/default.nix
+++ b/nixos/hosts/varda/default.nix
@ -1,33 +1,38 @@
-{ ... }: {
-  imports = [ ];
+{ pkgs, ... }: {
+  imports = [ ./resources/prune-backup.nix ];

  networking.hostId = "cdab8473";
  networking.hostName = "varda"; # Define your hostname.
-
-  fileSystems."/" = {
+  fileSystems = {
+    "/" = {
      device = "rpool/root";
      fsType = "zfs";
    };

-  fileSystems."/home" = {
+    "/home" = {
      device = "rpool/home";
      fsType = "zfs";
    };

-  fileSystems."/boot" = {
+    "/boot" = {
      device = "/dev/disk/by-uuid/8091-E7F2";
      fsType = "vfat";
    };
+  };

  swapDevices = [ ];

+
  # System settings and services.
  mySystem = {
    purpose = "Production";
    system.motd.networkInterfaces = [ "enp1s0" ];
    security.acme.enable = true;
    services = {
-      forgejo.enable = true;
+      forgejo = {
+        enable = true;
+        package = pkgs.unstable.forgejo;
+      };
      nginx.enable = true;
    };
  };
--- a/nixos/hosts/varda/resources/prune-backup.nix
+++ b/nixos/hosts/varda/resources/prune-backup.nix
@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+let
+  cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (builtins.readFile ./prune-backups.sh);
+in
+{
+  systemd.timers.cleanup-backups = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = true;
+    };
+  };
+
+  systemd.services.cleanup-backups = {
+    script = "${cleanupScript}/bin/cleanup-backups.sh";
+    serviceConfig = {
+      Type = "oneshot";
+      User = "forgejo";
+      StandardOutput = "journal+console";
+      StandardError = "journal+console";
+    };
+  };
+}
--- a/nixos/hosts/varda/resources/prune-backups.sh
+++ b/nixos/hosts/varda/resources/prune-backups.sh
@ -0,0 +1,20 @@
+# Set the backup directory
+BACKUP_DIR="/var/lib/forgejo/dump"
+
+# Keep the 3 most recent backups
+KEEP_NUM=3
+
+echo "Starting backup cleanup process..."
+echo "Keeping the $KEEP_NUM most recent backups in $BACKUP_DIR"
+
+# Find all backup files, sort by modification time (newest first),
+# skip the first 3, and delete the rest
+find "$BACKUP_DIR" -type f -name "forgejo-dump-*" -print0 |
+  sort -z -t_ -k2 -r |
+  tail -z -n +$((KEEP_NUM + 1)) |
+  while IFS= read -r -d '' file; do
+    echo "Deleting: $file"
+    rm -f "$file"
+  done
+
+echo "Cleanup complete. Deleted all but the $KEEP_NUM most recent backups."
--- a/nixos/modules/nixos/containers/backrest/default.nix
+++ b/nixos/modules/nixos/containers/backrest/default.nix
@ -1,56 +0,0 @@
-{ lib, config, ... }:
-with lib;
-let
-  app = "backrest";
-  image = "garethgeorge/backrest:v1.1.0";
-  user = "568"; #string
-  group = "568"; #string
-  port = 9898; #int
-  cfg = config.mySystem.services.${app};
-  appFolder = "/var/lib/${app}";
-  # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
-in
-{
-  options.mySystem.services.${app} =
-    {
-      enable = mkEnableOption "${app}";
-      addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
-    };
-
-  config = mkIf cfg.enable {
-    # ensure folder exist and has correct owner/group
-    systemd.tmpfiles.rules = [
-      "d ${appFolder}/config 0750 ${user} ${group} -"
-      "d ${appFolder}/data 0750 ${user} ${group} -"
-      "d ${appFolder}/cache 0750 ${user} ${group} -"
-    ];
-
-    virtualisation.oci-containers.containers.${app} = {
-      image = "${image}";
-      user = "${user}:${group}";
-      environment = {
-        BACKREST_PORT = "9898";
-        BACKREST_DATA = "/data";
-        BACKREST_CONFIG = "/config/config.json";
-        XDG_CACHE_HOME = "/cache";
-      };
-      volumes = [
-        "${appFolder}/nixos/config:/config:rw"
-        "${appFolder}/nixos/data:/data:rw"
-        "${appFolder}/nixos/cache:/cache:rw"
-        "${config.mySystem.nasFolder}/backup/nixos/nixos:/repos:rw"
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-    };
-
-    services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
-      useACMEHost = config.networking.domain;
-      forceSSL = true;
-      locations."^~ /" = {
-        proxyPass = "http://${app}:${builtins.toString port}";
-        extraConfig = "resolver 10.88.0.1;";
-      };
-    };
-
-  };
-}
--- a/nixos/modules/nixos/containers/default.nix
+++ b/nixos/modules/nixos/containers/default.nix
@ -1,7 +1,9 @@
 {
  imports = [
-    ./backrest
+    ./jellyfin
    ./lego-auto
-    ./unifi
+    ./plex
+    ./scrutiny
+    ./scrypted
  ];
 }
--- a/nixos/modules/nixos/containers/jellyfin/default.nix
+++ b/nixos/modules/nixos/containers/jellyfin/default.nix
@ -0,0 +1,117 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib;
+let
+  app = "jellyfin";
+  # renovate: depName=ghcr.io/jellyfin/jellyfin datasource=docker
+  version = "10.10.2";
+  image = "ghcr.io/jellyfin/jellyfin:${version}";
+  port = 8096; # int
+  cfg = config.mySystem.containers.${app};
+in
+{
+  # Options
+  options.mySystem.containers.${app} = {
+    enable = mkEnableOption "${app}";
+    # TODO add to homepage
+    # addToHomepage = mkEnableOption "Add ${app} to homepage" // {
+    #   default = true;
+    # };
+    openFirewall = mkEnableOption "Open firewall for ${app}" // {
+      default = true;
+    };
+  };
+
+  # Implementation
+  config = mkIf cfg.enable {
+    # Container
+    virtualisation.oci-containers.containers.${app} = {
+      image = "${image}";
+      user = "568:568";
+
+      volumes = [
+        "/nahar/containers/volumes/jellyfin:/config:rw"
+        "/moria/media:/media:rw"
+        "tmpfs:/cache:rw"
+        "tmpfs:/transcode:rw"
+        "tmpfs:/tmp:rw"
+      ];
+
+      environment = {
+        TZ = "America/Chicago";
+        DOTNET_SYSTEM_IO_DISABLEFILELOCKING = "true";
+        JELLYFIN_FFmpeg__probesize = "50000000";
+        JELLYFIN_FFmpeg__analyzeduration = "50000000";
+      };
+
+      ports = [ "${toString port}:${toString port}" ]; # expose port
+
+      extraOptions = [
+        # "--device nvidia.com/gpu=all"
+      ];
+    };
+
+    # Firewall
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ port ];
+      allowedUDPPorts = [ port ];
+    };
+
+    # TODO add nginx proxy
+    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
+    #   useACMEHost = config.networking.domain;
+    #   forceSSL = true;
+    #   locations."^~ /" = {
+    #     proxyPass = "http://${app}:${builtins.toString port}";
+    #     extraConfig = "resolver 10.88.0.1;";
+
+    #   };
+    # };
+
+    ## TODO add to homepage
+    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
+    #   {
+    #     Plex = {
+    #       icon = "${app}.svg";
+    #       href = "https://${app}.${config.mySystem.domain}";
+
+    #       description = "Media streaming service";
+    #       container = "${app}";
+    #       widget = {
+    #         type = "tautulli";
+    #         url = "https://tautulli.${config.mySystem.domain}";
+    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
+    #       };
+    #     };
+    #   }
+    # ];
+
+    # TODO add gatus monitor
+    # mySystem.services.gatus.monitors = [
+    #   {
+
+    #     name = app;
+    #     group = "media";
+    #     url = "https://${app}.${config.mySystem.domain}/web/";
+    #     interval = "1m";
+    #     conditions = [
+    #       "[CONNECTED] == true"
+    #       "[STATUS] == 200"
+    #       "[RESPONSE_TIME] < 50"
+    #     ];
+    #   }
+    # ];
+
+    # TODO add restic backup
+    # services.restic.backups = config.lib.mySystem.mkRestic {
+    #   inherit app user;
+    #   excludePaths = [ "Backups" ];
+    #   paths = [ appFolder ];
+    #   inherit appFolder;
+    # };
+
+  };
+}
--- a/nixos/modules/nixos/containers/plex/default.nix
+++ b/nixos/modules/nixos/containers/plex/default.nix
@ -0,0 +1,115 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib;
+let
+  app = "plex";
+  # renovate: depName=ghcr.io/onedr0p/plex datasource=docker versioning=loose
+  version = "1.41.2.9200-c6bbc1b53";
+  image = "ghcr.io/onedr0p/plex:${version}";
+  port = 32400; # int
+  cfg = config.mySystem.containers.${app};
+in
+{
+  # Options
+  options.mySystem.containers.${app} = {
+    enable = mkEnableOption "${app}";
+    # TODO add to homepage
+    # addToHomepage = mkEnableOption "Add ${app} to homepage" // {
+    #   default = true;
+    # };
+    openFirewall = mkEnableOption "Open firewall for ${app}" // {
+      default = true;
+    };
+  };
+
+  # Implementation
+  config = mkIf cfg.enable {
+    # Container
+    virtualisation.oci-containers.containers.${app} = {
+      image = "${image}";
+      user = "568:568";
+
+      volumes = [
+        "/nahar/containers/volumes/plex:/config/Library/Application Support/Plex Media Server:rw"
+        "/moria/media:/media:rw"
+        "tmpfs:/config/Library/Application Support/Plex Media Server/Logs:rw"
+        "tmpfs:/tmp:rw"
+      ];
+
+      extraOptions = [
+        "--device nvidia.com/gpu=all"
+      ];
+
+      environment = {
+        TZ = "America/Chicago";
+        PLEX_ADVERTISE_URL = "https://10.1.1.61:32400";
+        PLEX_NO_AUTH_NETWORKS = "10.1.1.0/24";
+      };
+
+      ports = [ "${toString port}:${toString port}" ]; # expose port
+    };
+
+    # Firewall
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ port ];
+      allowedUDPPorts = [ port ];
+    };
+
+    # TODO add nginx proxy
+    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
+    #   useACMEHost = config.networking.domain;
+    #   forceSSL = true;
+    #   locations."^~ /" = {
+    #     proxyPass = "http://${app}:${builtins.toString port}";
+    #     extraConfig = "resolver 10.88.0.1;";
+
+    #   };
+    # };
+
+    ## TODO add to homepage
+    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
+    #   {
+    #     Plex = {
+    #       icon = "${app}.svg";
+    #       href = "https://${app}.${config.mySystem.domain}";
+
+    #       description = "Media streaming service";
+    #       container = "${app}";
+    #       widget = {
+    #         type = "tautulli";
+    #         url = "https://tautulli.${config.mySystem.domain}";
+    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
+    #       };
+    #     };
+    #   }
+    # ];
+
+    # TODO add gatus monitor
+    # mySystem.services.gatus.monitors = [
+    #   {
+
+    #     name = app;
+    #     group = "media";
+    #     url = "https://${app}.${config.mySystem.domain}/web/";
+    #     interval = "1m";
+    #     conditions = [
+    #       "[CONNECTED] == true"
+    #       "[STATUS] == 200"
+    #       "[RESPONSE_TIME] < 50"
+    #     ];
+    #   }
+    # ];
+
+    # TODO add restic backup
+    # services.restic.backups = config.lib.mySystem.mkRestic {
+    #   inherit app user;
+    #   excludePaths = [ "Backups" ];
+    #   paths = [ appFolder ];
+    #   inherit appFolder;
+    # };
+
+  };
+}
--- a/nixos/modules/nixos/containers/scrutiny/default.nix
+++ b/nixos/modules/nixos/containers/scrutiny/default.nix
@ -0,0 +1,92 @@
+{ lib, config, ... }:
+with lib;
+let
+  app = "scrutiny";
+  # renovate: depName=AnalogJ/scrutiny datasource=github-releases
+  version = "v0.8.1";
+  cfg = config.mySystem.services.${app};
+in
+{
+  options.mySystem.services.${app} = {
+    enable = mkEnableOption "${app}";
+
+    # Port to expose the web ui on.
+    port = mkOption {
+      type = types.int;
+      default = 8080;
+      description = ''
+        Port to expose the web ui on.
+      '';
+      example = 8080;
+    };
+    # Location where the container will store its data.
+    containerVolumeLocation = mkOption {
+      type = types.str;
+      default = "/mnt/data/containers/${app}";
+      description = ''
+        The location where the container will store its data.
+      '';
+      example = "/mnt/data/containers/${app}";
+    };
+
+    # podman equivalent:
+    # --device /dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    devices = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = ''
+        Devices to monitor on Scrutiny.
+      '';
+      example = [
+        "/dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+      ];
+    };
+
+    # podman equivalent:
+    # --cap-add SYS_RAWIO
+    extraCapabilities = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "SYS_RAWIO"
+      ];
+      description = ''
+        Extra capabilities to add to the container.
+      '';
+      example = [
+        "SYS_RAWIO"
+      ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # TODO: Add automatic restarting of the container when disks.nix changes.
+    # - https://github.com/nix-community/home-manager/issues/3865#issuecomment-1631998032
+    # - https://github.com/NixOS/nixpkgs/blob/6f6c45b5134a8ee2e465164811e451dcb5ad86e3/nixos/modules/virtualisation/oci-containers.nix
+    virtualisation.oci-containers.containers.${app} = {
+      image = "ghcr.io/analogj/scrutiny:${version}-omnibus";
+      autoStart = true;
+
+      ports = [
+        "${toString cfg.port}:8080" # web ui
+        "8086:8086" # influxdb2
+      ];
+
+      environment = {
+        TZ = "America/Chicago";
+      };
+
+      volumes = [
+        "${cfg.containerVolumeLocation}:/opt/scrutiny/config"
+        "${cfg.containerVolumeLocation}/influxdb2:/opt/scrutiny/influxdb"
+        "/run/udev:/run/udev:ro"
+      ];
+
+      # Merge the devices and extraCapabilities into the extraOptions property
+      # using the --device and --cap-add flags
+      extraOptions =
+        (map (disk: "--device=${toString disk}") cfg.devices)
+        ++
+        (map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
+    };
+  };
+}
--- a/nixos/modules/nixos/containers/scrypted/default.nix
+++ b/nixos/modules/nixos/containers/scrypted/default.nix
@ -0,0 +1,116 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib;
+let
+  app = "scrypted";
+  # renovate: depName=ghcr.io/koush/scrypted datasource=docker versioning=docker
+  version = "v0.123.30-jammy-nvidia";
+  image = "ghcr.io/koush/scrypted:${version}";
+  port = 11080; # int
+  cfg = config.mySystem.containers.${app};
+in
+{
+  # Options
+  options.mySystem.containers.${app} = {
+    enable = mkEnableOption "${app}";
+    # TODO add to homepage
+    # addToHomepage = mkEnableOption "Add ${app} to homepage" // {
+    #   default = true;
+    # };
+    openFirewall = mkEnableOption "Open firewall for ${app}" // {
+      default = true;
+    };
+  };
+
+  # Implementation
+  config = mkIf cfg.enable {
+    # Container
+    virtualisation.oci-containers.containers.${app} = {
+      image = "${image}";
+
+      volumes = [
+        "/nahar/containers/volumes/scrypted:/server/volume:rw"
+        # "/nahar/scrypted:/recordings:rw"
+        "tmpfs:/.cache:rw"
+        "tmpfs:/.npm:rw"
+        "tmpfs:/tmp:rw"
+      ];
+
+      extraOptions = [
+        # all usb devices, such as coral tpu
+        "--device=/dev/bus/usb"
+        "--network=host"
+        "--device nvidia.com/gpu=all"
+      ];
+
+      environment = {
+        TZ = "America/Chicago";
+      };
+
+      ports = [ "${toString port}:${toString port}" ]; # expose port
+    };
+
+    # Firewall
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ port ];
+      allowedUDPPorts = [ port ];
+    };
+
+    # TODO add nginx proxy
+    # services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
+    #   useACMEHost = config.networking.domain;
+    #   forceSSL = true;
+    #   locations."^~ /" = {
+    #     proxyPass = "http://${app}:${builtins.toString port}";
+    #     extraConfig = "resolver 10.88.0.1;";
+
+    #   };
+    # };
+
+    ## TODO add to homepage
+    # mySystem.services.homepage.media = mkIf cfg.addToHomepage [
+    #   {
+    #     Plex = {
+    #       icon = "${app}.svg";
+    #       href = "https://${app}.${config.mySystem.domain}";
+
+    #       description = "Media streaming service";
+    #       container = "${app}";
+    #       widget = {
+    #         type = "tautulli";
+    #         url = "https://tautulli.${config.mySystem.domain}";
+    #         key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
+    #       };
+    #     };
+    #   }
+    # ];
+
+    # TODO add gatus monitor
+    # mySystem.services.gatus.monitors = [
+    #   {
+
+    #     name = app;
+    #     group = "media";
+    #     url = "https://${app}.${config.mySystem.domain}/web/";
+    #     interval = "1m";
+    #     conditions = [
+    #       "[CONNECTED] == true"
+    #       "[STATUS] == 200"
+    #       "[RESPONSE_TIME] < 50"
+    #     ];
+    #   }
+    # ];
+
+    # TODO add restic backup
+    # services.restic.backups = config.lib.mySystem.mkRestic {
+    #   inherit app user;
+    #   excludePaths = [ "Backups" ];
+    #   paths = [ appFolder ];
+    #   inherit appFolder;
+    # };
+
+  };
+}
--- a/nixos/modules/nixos/default.nix
+++ b/nixos/modules/nixos/default.nix
@ -3,7 +3,6 @@ with lib;
 {
  imports = [
    ./containers
-    ./de
    ./editor
    ./hardware
    ./lib.nix
@ -13,47 +12,48 @@ with lib;
    ./system
  ];

-  options.mySystem.persistentFolder = mkOption {
+  options.mySystem = {
+    persistentFolder = mkOption {
      type = types.str;
      description = "persistent folder for nixos mutable files";
      default = "/persist";
    };

-  options.mySystem.nasFolder = mkOption {
+    nasFolder = mkOption {
      type = types.str;
      description = "folder where nas mounts reside";
      default = "/mnt/nas";
    };

-  options.mySystem.nasAddress = mkOption {
+    nasAddress = mkOption {
      type = types.str;
      description = "NAS Address or name for the backup nas";
      default = "10.1.1.13";
    };

-  options.mySystem.domain = mkOption {
+    domain = mkOption {
      type = types.str;
      description = "domain for hosted services";
      default = "";
    };

-  options.mySystem.internalDomain = mkOption {
+    internalDomain = mkOption {
      type = types.str;
      description = "domain for local devices";
      default = "";
    };

-  options.mySystem.purpose = mkOption {
+    purpose = mkOption {
      type = types.str;
      description = "System purpose";
      default = "Development";
    };
-
-  options.mySystem.monitoring.prometheus.scrapeConfigs = mkOption {
+    monitoring.prometheus.scrapeConfigs = mkOption {
      type = lib.types.listOf lib.types.attrs;
      description = "Prometheus scrape targets";
      default = [ ];
    };
+  };

  config = {
    systemd.tmpfiles.rules = [
--- a/nixos/modules/nixos/editor/default.nix
+++ b/nixos/modules/nixos/editor/default.nix
@ -1,44 +1,6 @@
-{ lib, config, pkgs, ... }:
-with lib;
-let
-  cfg = config.mySystem.editor.vscode;
-in
 {
-  options.mySystem.editor.vscode.enable = mkEnableOption "vscode";
-  config = mkIf cfg.enable {
-
-    # Enable vscode & addons
-    environment.systemPackages = with pkgs; [
-      (vscode-with-extensions.override {
-        vscode = unstable.vscode;
-
-        vscodeExtensions = with vscode-extensions;
-          [
-            dracula-theme.theme-dracula
-            yzhang.markdown-all-in-one
-            signageos.signageos-vscode-sops
-            redhat.ansible
-            ms-azuretools.vscode-docker
-            mikestead.dotenv
-            tamasfe.even-better-toml
-            pkief.material-icon-theme
-            jnoortheen.nix-ide
-            ms-vscode-remote.remote-ssh
-            ms-vscode-remote.remote-ssh-edit
-            # ms-vscode.remote-explorer
-            redhat.vscode-yaml
-            # continue.continue
-            ms-python.python
-            ms-python.vscode-pylance
-          ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
-            {
-              name = "cody-ai";
-              publisher = "sourcegraph";
-              version = "1.27.1721673993";
-              sha256 = "ULY2f7Pv1GCkJwqSc6q2cGYvkrKTKyfQ0ErPiQ+/bLQ=";
-            }
+  imports = [
+    ./vim.nix
+    ./vscode.nix
  ];
-      })
-    ];
-  };
 }
--- a/nixos/modules/nixos/editor/vim.nix
+++ b/nixos/modules/nixos/editor/vim.nix
@ -0,0 +1,25 @@
+# /home/jahanson/projects/mochi/nixos/modules/nixos/editor/vim.nix
+
+{ config, lib, ... }:
+with lib;
+let
+  cfg = config.mySystem.editor.vim;
+  users = [ "jahanson" ];
+in
+{
+  options.mySystem.editor.vim.enable = mkEnableOption "vim";
+  config = mkIf cfg.enable {
+    # Enable vim and set as default editor
+    programs.vim.defaultEditor = true;
+
+    # Visual mode off and syntax highlighting on
+    home-manager.users = mapAttrs
+      (user: _: {
+        home.file.".vimrc".text = ''
+          set mouse-=a
+          syntax on
+        '';
+      })
+      (listToAttrs (map (u: { name = u; value = { }; }) users));
+  };
+}
--- a/nixos/modules/nixos/editor/vscode.nix
+++ b/nixos/modules/nixos/editor/vscode.nix
@ -0,0 +1,95 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  cfg = config.mySystem.editor.vscode;
+  # VSCode Community Extensions. These are updated daily.
+  vscodeCommunityExtensions = [
+    "ahmadalli.vscode-nginx-conf"
+    "astro-build.astro-vscode"
+    "bmalehorn.vscode-fish"
+    "coder.coder-remote"
+    "dracula-theme.theme-dracula"
+    "editorconfig.editorconfig"
+    "esbenp.prettier-vscode"
+    "foxundermoon.shell-format"
+    "github.copilot"
+    "hashicorp.hcl"
+    "jnoortheen.nix-ide"
+    "mikestead.dotenv"
+    "mrmlnc.vscode-json5"
+    "ms-azuretools.vscode-docker"
+    # "ms-python.python" # Python extensions *required* for redhat.ansible/vscode-yaml
+    "ms-python.vscode-pylance"
+    "ms-vscode-remote.remote-ssh-edit"
+    "pkief.material-icon-theme"
+    "redhat.ansible"
+    "redhat.vscode-yaml"
+    "signageos.signageos-vscode-sops"
+    "tamasfe.even-better-toml"
+    "task.vscode-task"
+    "tyriar.sort-lines"
+    "yzhang.markdown-all-in-one"
+    "fill-labs.dependi"
+    "rust-lang.rust-analyzer"
+    "dustypomerleau.rust-syntax"
+    "mattheworford.hocon-tools"
+    "pgourlain.erlang"
+    "exiasr.hadolint"
+    # "github.copilot-chat"
+  ];
+  # Nixpkgs Extensions. These are updated whenver they get around to it.
+  vscodeNixpkgsExtensions = [
+    # Continue ships with a binary that requires the patchelf fix which is done by default in nixpkgs.
+    "continue.continue"
+  ];
+  # Straight from the VSCode marketplace.
+  marketplaceExtensions = [
+    # {
+    #   name = "copilot";
+    #   publisher = "github";
+    #   version = "1.219.0";
+    #   sha256 = "Y/l59JsmAKtENhBBf965brSwSkTjSOEuxc3tlWI88sY=";
+    # }
+    {
+      # Apparently there's no insiders build for copilot-chat so the latest isn't what we want.
+      # The latest generally targets insiders build of vs code right now and it won't load on stable.
+      name = "copilot-chat";
+      publisher = "github";
+      version = "0.21.1";
+      sha256 = "sha256-8naCDn6esc1ZR30aX7/+F6ClFjQLPQ3k3r6jyVZ3iNg=";
+    }
+    {
+      name = "remote-ssh";
+      publisher = "ms-vscode-remote";
+      version = "0.113.1";
+      sha256 = "sha256-/tyyjf3fquUmjdEX7Gyt3MChzn1qMbijyej8Lskt6So=";
+
+    }
+    {
+      # Same issue as the above -- auto pulling nightly builds not compatible with vscode stable.
+      name = "python";
+      publisher = "ms-python";
+      version = "2024.14.1";
+      sha256 = "sha256-NhE3xATR4D6aAqIT/hToZ/qzMvZxjTmpTyDoIrdvuTE=";
+    }
+  ];
+  # Extract extension strings and coerce them to a list of valid attribute paths.
+  vscodeCommunityExtensionsPackages = map (ext: getAttrFromPath (splitString "." ext) pkgs.vscode-marketplace) vscodeCommunityExtensions;
+  nixpkgsExtensionsPackages = map (ext: getAttrFromPath (splitString "." ext) pkgs.vscode-extensions) vscodeNixpkgsExtensions;
+  marketplaceExtensionsPackages = pkgs.vscode-utils.extensionsFromVscodeMarketplace marketplaceExtensions;
+in
+{
+  options.mySystem.editor.vscode.enable = mkEnableOption "vscode";
+  config = mkIf cfg.enable {
+
+    # Enable vscode & addons
+    environment.systemPackages = with pkgs; [
+      (vscode-with-extensions.override {
+        inherit (unstable) vscode;
+        # Merge all the extension packages together.
+        vscodeExtensions =
+          vscodeCommunityExtensionsPackages ++ nixpkgsExtensionsPackages ++ marketplaceExtensionsPackages;
+      })
+    ];
+  };
+}
--- a/nixos/modules/nixos/games/default.nix
+++ b/nixos/modules/nixos/games/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./steam
+  ];
+}
--- a/nixos/modules/nixos/games/steam/default.nix
+++ b/nixos/modules/nixos/games/steam/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./steam.nix
+  ];
+}
--- a/nixos/modules/nixos/games/steam/steam.nix
+++ b/nixos/modules/nixos/games/steam/steam.nix
@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.mySystem.games.steam;
+in
+{
+  options.mySystem.games.steam = {
+    enable = lib.mkEnableOption "Steam";
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Steam Games
+    programs.steam = {
+      enable = true;
+      remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+      dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+    };
+
+    # Need that glorious eggroll
+    environment.systemPackages = with pkgs; [
+      protonup-qt
+    ];
+
+  };
+}
--- a/nixos/modules/nixos/hardware/default.nix
+++ b/nixos/modules/nixos/hardware/default.nix
@ -1,5 +1,5 @@
 {
  imports = [
-    ./nvidia
+    # ./nvidia
  ];
 }
--- a/nixos/modules/nixos/hardware/nvidia/default.nix
+++ b/nixos/modules/nixos/hardware/nvidia/default.nix
@ -8,22 +8,23 @@ in

  config = mkIf cfg.enable {

+    environment.sessionVariables.NIXOS_OZONE_WL = "1";
    # ref: https://nixos.wiki/wiki/Nvidia
    # Enable OpenGL
-    hardware.opengl = {
+    hardware = {
+      opengl = {
        enable = true;
        driSupport = true;
        driSupport32Bit = true;
      };

-    hardware.opengl.extraPackages = with pkgs; [
+      opengl.extraPackages = with pkgs; [
        vaapiVdpau
      ];

      # This is for the benefit of VSCODE running natively in wayland
-    environment.sessionVariables.NIXOS_OZONE_WL = "1";

-    hardware.nvidia = {
+      nvidia = {

        # Modesetting is required.
        modesetting.enable = true;
@ -73,6 +74,7 @@ in
            # patches = [ rcu_patch ];
          };
      };
+    };

    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  };
--- a/nixos/modules/nixos/security/1password/config/1password-startup.desktop
+++ b/nixos/modules/nixos/security/1password/config/1password-startup.desktop
@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=1Password
+Exec=1password %U --silent
+Terminal=false
+Type=Application
+Icon=1password
+StartupWMClass=1Password
+Comment=Password manager and secure wallet
+MimeType=x-scheme-handler/onepassword;
+Categories=Office;
--- a/nixos/modules/nixos/security/1password/default.nix
+++ b/nixos/modules/nixos/security/1password/default.nix
@ -0,0 +1,35 @@
+{ config, lib, ... }:
+with lib; let
+  cfg = config.mySystem.security._1password;
+  user = "jahanson";
+in
+{
+  options.mySystem.security._1password = {
+    enable = mkEnableOption "_1password";
+  };
+
+  config = mkIf cfg.enable {
+    programs = {
+      _1password.enable = true;
+      _1password-gui = {
+        enable = true;
+        polkitPolicyOwners = [ "${user}" ];
+      };
+    };
+
+    home-manager.users.${user} = {
+      home.file = {
+        ".config/autostart/1password-startup.desktop".source = ./config/1password-startup.desktop;
+      };
+    };
+
+    environment.etc = {
+      "1password/custom_allowed_browsers" = {
+        text = ''
+          vivaldi-bin
+        '';
+        mode = "0755";
+      };
+    };
+  };
+}
--- a/nixos/modules/nixos/security/acme/secrets.sops.yaml
+++ b/nixos/modules/nixos/security/acme/secrets.sops.yaml
@ -1,6 +1,6 @@
 security:
    acme:
-        env: ENC[AES256_GCM,data:JP+Syy9927T9ePL4Ly9FxlJ8F4/g/xejRn9nw2mqpl2ZUTwudp+R+ZI//h14Nej5S07oJt2L3LD/ol7ugdXHFG8=,iv:NJdqDIA0FZzyKRvDgjWmHA17q0FOCqjCk0WdkFMtd5w=,tag:KG8dgCcEOdroFpljNawdGA==,type:str]
+        env: ENC[AES256_GCM,data:rYeJqYF11Ccw/zDTpfB2ewXIy4cqzHF/d+ar6NUdOGxesiBdJXVbGQtGOOLHTUJ6yKNhdBJ2mpBpCpIdQEdT9+4=,iv:XpjxG0RypUQ0Ub0dKAa8/c4F8TVuRNFXJM5UAfrlMV4=,tag:zCaLPPTp9KHs/AwYNq28gg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -10,68 +10,77 @@ sops:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFJTREJxZ3NlNGtkSmhG
-            YTcwVmt1OUNmdTRaVDI5N3JNemszNklHV1dNCmVYczBEQ3BHT3ZhbjUySFNJVjhQ
-            dWh6c2ZHRUZTOTJEOTBrS3NuNDNzZW8KLS0tIHp3ckNvdmNYdkh3Znc0OVk5Yk53
-            ZW5jQmxLMHR6MC8yVFpFdFhsTVBub0kKRdYFNppcSFZ/5gm2WvydESeJOTVYd0Yk
-            0HQd6o8bAX8dcRhMHyyveWXz94/mcINkqz2mlXoL1N0HRPXcuUu5tQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKOHNGVG5DWVArcngxYXlv
+            dlFmd1RPenFwSm9TSjhTR3F3cHB6R2lTTGo4Ck1BTVFSd21Xc0hiZlBUdjFrbWFp
+            Q2VoVzQrTEpZbE1yTHpBUVIyNWFiVEUKLS0tIDZLM3gzbUZUajZQaVRtT0dsQlpY
+            VExPSVBLb0R3ekpNTE1jNG9QME5OTkkKPivk0v0xDOzHJSPVJYO6/5wdF1PChXtl
+            xj6JrycRyQPahncXndTZoQL7EbdXnR2tfMtEE5Ua7l4mK11pE3K8cg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RnNVZFowV2NYakYvOEFr
-            c2pFaDVqekVFeEdPWklkVWxoMjNEMEZrbWtFClFmcGNZYkJqUVF3MlRDcmpqWFZI
-            aU11eElxd2c4YTEzNEQ4RFgraFIxS0UKLS0tIEY5Yi9IUGxjYnpyL2I0eVFNNk83
-            Q3VaYjdiYVd0TFVuSld6M25wWHRZMncKaqb2kQvlLGZMaI72npCBuroWK/Fqr9jg
-            oaBz3rpvYJEox2Naismb2D4fNCtI7Z1hLhPqq/jGAiczNaU039N9Bg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQc0p0TXdtcVZNcngrQXM4
+            bzBJcERRWVhxLy9QVHBCSnJEMzJTekF4RlU0CmFDWmtMdEdiOFVrRmhRbXc0R3ZE
+            RC9mQUF4ZjFkbWlYZHkyZ25NV01hREUKLS0tIEVQWHR5YTJ0KytQYi83MmpWL0tO
+            Q0ZKN2JSMGVsU2h5eW5OTk1Kd3hoS0EKNbVvQ3VwkWloO15CV8v3SP8pD4zc2h04
+            uM4/VlXTsVxVBqRxycdTKdWhmIChb8w98ljQC+iqatCCUiC9vHYIsg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdC9BM21iMldoUkIwdnpr
-            a0hXbUNzNFJFTDF3ZS9CSFBENHdNTTZDU1RzCm9QbVdLMnRyTDRQNFE2U2w3cXpW
-            WkdKRFdocnRNaUxLejExSE5STjdCTkEKLS0tIHZvKzVtWnV4WWxRZXFMVWpobHJt
-            WlVNd2xNb2c0YVB5WlJtbTVreFhadFUK32KcIdcbt1rAk2+GWe5slpAdHcTBWoKs
-            wGOEayXeMi9EGYtx7v1oJ8+xlo2wRW/i1pKdCRK4vi4FtaXT65zglw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNTVwbGNWRHNaRkd4N0Z3
+            U3ZrYWRMNGJSMTI4UjljQkozTHAvdXpIaVZjCmJMNmdoVjBZZHRqcHBkcEpiL2dC
+            ak5xNGVRV0NoV2c5TCsvbkhWM2JqeXMKLS0tIG9uMmpJUzdMTUhVWWsxSWFaSTVy
+            VHhxQ1U3L042VGpNdjI4RVNiRFlqU00KPuDqqR7EeclGGOs0R/3PsB+dnNo20Lh+
+            GiCWjFy9MVEsrlZV7pd9cb0ggYTm09H0ZD5kb+++Er9WJqb7Ss+iOQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxb2wzMW1EUUx5VFp0Ykor
-            UWJEeFlZQTVJTFZIVFExZ1NkcVBCT09XVkU0CmFvWCtsaStjSDR6OVQwTW9iV3Vu
-            cVo3MHhVOTAxQnU3ZWdDcllKaXhnK3cKLS0tIENyYlFtVWtqS05MVVFOWFpZK1Zp
-            cTFkQlpkZFgvOERSdlFMSHFxR1pTZmcKSRYr/tIskcm4mwiF74Qnd5d0zRRDSzC1
-            QXidtsl505oGOgT/ujVtPwSJwvJewZT7NJKVRYktS3xY0v/flr1ieQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRGdRRWUybHNiZzZaM1hv
+            bW5Kb3NIbW1WNFl6aUdLWDA4WWI3RDdZQ0VFCjBXajVsY3BNMWs2QldjZDZWQnZ3
+            VjBvZ1AwZkVGNTB2RGF5aGp4ckFYYTQKLS0tIFd6L1lyblZ6ZEVXTHJGanhna0JQ
+            S25RbHI4TENLUzRtM2NGOFNQQUdENm8K3upUW3cVF6fBrii/pEXua5sLwFcU/as3
+            RNDLpyvvA/CCZCuneNS27/nYUcc2rJVDU71OsDA6A6SUivYLTriRbQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQjdka1hwejFZR25xbXcr
-            Vzc4MVd3eXJOdmxqZVFDVVMvTVhLT0lZdVVFCmFtQkZjSm0wUHdMczM5ckFBaEdQ
-            Y0JMYnR0dGRLYTF1d3NHSyt6MWcrYXcKLS0tIElaT0FjVEdaeExnMUF4OE93Z1Ny
-            cnQ0Kzd0aWdrSlN5Y3NIN1kyOVh1WTQKG825r7fM2BXak4Q4GNPwZgmigmPxZXh4
-            DTdp3xBgHWpw8eQsi+gBzzf+4boLDTDDi+acLshj+SpIhjPdMZ1BwA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaE9UczNPNk0zbWV6Zjdv
+            VXNEVmVibG1xejVObnlBa0JOOVBoQTZvQ0ZVClRSOXBrKzdjVkdGNVc2VmtidE8v
+            Wjlob1Q4cDZRYjB5ejMwWXZzL2NFbUkKLS0tIHdLWjZtcjRjbjNGYjIzeWhqV0t5
+            NFBwOUJZYUlicXRqWWtucnJIM2ZXMXcK9UTQ7NxoE5vozWvaDWT285BpZG/VdBh7
+            3VrNKMWJLt/OuA0ucJAkK8NJ4mBYviytUk0kRR39nUok5+kM1iJJpA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5MjVaRjQ3VTdsUzNHSkxE
+            ZGFiWWZmTzN5N0t3YjBtNGtiWDhNVmduQVM0ClZFMHp6UE5aUjdYaXU3YTk5RDk3
+            Q0ZBcnJLYzVtN3h2UEVSbmtsa1hTbEkKLS0tIEIwL3dkQVRCRm1TaGlUNVpWTUFT
+            MHFjd0ovcXN5S3ZhdXpzU3ZXUnorTjAKPdgr51ho0B2rDKld/UHHC4j1RwRy0fGy
+            6Pl/Qes4Gjvrb4dlDHS4HTEwBs0TbA62DEDI/jquypwxRW55eDMB6g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUmVpUHh0QzNLMVhsMHN5
-            bituWE9Ic2tXTm95cWlUMG9QVWhEcE1sejNBCmw5Q0lTYjExRjdkaCtYMWdkQnZZ
-            dXNrQWhZaERBK1hVK0pkbFlvQkc1RHcKLS0tIGcwK0dzUVZFMFh2b0dmWDMyMjdS
-            d09MQlZST2ZJY28vRWtkRzRjd3JFKzQKH2pjr7P1mG1m/8L/VLaTVrAQem8rcNGN
-            tBWqg9XT3aSc+7NqUDkPVvH8STFGVlEhIskKTJA2TuY6CXfqwS3D5A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMmNINWttMHBndGM0eVJI
+            OFlGUEpQRGthS2xuWnNtcjRaWEY0L0JKZzJvCkYzWCtVdE1VNnh1c2lGaUZoN1J4
+            SnN1M25qempwZXBLV0ZPRjJreklnbEkKLS0tIGJYRk5xaFhuK2FwdUtKMHFaTGJZ
+            QlRmcFpPazh3ZkgzWTh0Y01yTWxMbkEKK525n37sRSRirQQPzVluIwAiYFIbeta+
+            0/baUvErrjD9xofBZOm7kenLw/pPtcGXsUFqp9aCM7KGLjgRQTuK6g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRW80Q2x5bllHVDNzTGsr
-            a29PRHJHcHR2Mng2M2lpb1ZXMkV3UlZkQVRvCk01ciszVDlqeUdpa01FbjRtU3hq
-            V2hPS1NTSEdPL01ZZkxVdmI4ZHRRVFkKLS0tIHpjck5OaGl2dGgyUjZlNmlVWkZB
-            RHZ2TlJOanR6L2tQRm0rc3NVVSs1R1EKdSheY8qXv+ylwqjlpbWsSYD55X4SUT7c
-            W2czHg0Ezbjk8W7vyDuxdS1LjKSMinfRPUG+oyUwxwrjBN3aAwVDIQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNXhtSE50Yk9BdnRIOUEx
+            UW0rRGNHTFJjWWI0R0xqVGVTUkFvSFZyUVcwCmp6b2I2aStEdlNzcGNtcTVML2dz
+            TWRRUWVpd0doWFBYTWZZRXFjZ0wxR1kKLS0tIFhSU094RFdXVXFrT2FqbVEwc2FB
+            WE93RjBHS1NreWhqTmtEckVWMSt6clEKE24mtrJll0lsXEJktPjCFRpf8DLdxIW4
+            4JjOWY6zgBWxtuvg5rdb5rz7Sp2UaI1LavvhkCdjmpFckdEUDMOOyA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:YEm+/mTkdLblxqrQAkCW8QUoQVkK1drgdHCt463aBUl9r04TJdRbij0p3QuLzVIvXJosdBQ0dN0Y/huuFOkP2bixH1q1WtBaqt98iYuR+Gessj7+kDekTNHCNQoZJjbFfqOwIEFNw/if2kY4aHcUoyQQj//yoGTA0vGbqrWzcX0=,iv:KWIo36gl7hOrEDZulqwRwr6eCfc6Hat5f17hpLLDMW8=,tag:3IBrvYXxN4j9I72lwiKq/A==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:nBRzGlhrgKchrfnidh/SUNiT04UVeeuck7wWL8M6Jfi0zJItankJaCAHlFzHku5+HYCM+6B1TN5bBKzyrizMAAtZ7fwmUjMt1TgXDSmG4CQXrUSmTkItlHnA1W8MvdFbJY5+cS3aJNx7rnvGp5H5OroedL88L+uuIHqxEx/qxRI=,iv:E4MmeS+xBPIvd2QNxpOHGx2Vpj16s9PZzp6kjkbItqA=,tag:FqVEO7iEjvAuJE4EJ35Yww==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/nixos/modules/nixos/security/default.nix
+++ b/nixos/modules/nixos/security/default.nix
@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
+    ./1password
    ./acme
  ];
 }
--- a/nixos/modules/nixos/services/bind/default.nix
+++ b/nixos/modules/nixos/services/bind/default.nix
@ -2,7 +2,6 @@
 with lib;
 let
  cfg = config.mySystem.services.bind;
-  serviceUser = "named";
 in
 {
  options.mySystem.services.bind = {
@ -26,7 +25,7 @@ in
    services.bind = {
      enable = true;
      inherit (cfg) package;
-      extraConfig = cfg.extraConfig;
+      inherit (cfg) extraConfig;
    };

    # Clean up journal files
--- a/nixos/modules/nixos/services/default.nix
+++ b/nixos/modules/nixos/services/default.nix
@ -1,17 +1,17 @@
 {
  imports = [
    ./bind
-    ./cockpit
+    ./dnsmasq
    ./forgejo
    ./haproxy
    ./libvirt-qemu
+    ./matchbox
    ./nginx
    ./onepassword-connect
    ./podman
-    ./postgresql
-    ./radicale
    ./reboot-required-check.nix
    ./restic
    ./sanoid
+    ./syncthing
  ];
 }
--- a/nixos/modules/nixos/services/dnsmasq/default.nix
+++ b/nixos/modules/nixos/services/dnsmasq/default.nix
@ -0,0 +1,61 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  cfg = config.mySystem.services.dnsmasq;
+in
+{
+  options.mySystem.services.dnsmasq = {
+    enable = mkEnableOption "dnsmasq";
+    package = mkPackageOption pkgs "dnsmasq" { };
+    bootAsset = mkOption {
+      type = types.str;
+      example = "http://10.1.1.57:8086/boot.ipxe";
+    };
+    tftpRoot = mkOption {
+      type = types.str;
+      example = "/srv/tftp";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Ensure the tftpRoot directory exists
+    systemd.tmpfiles.rules = [
+      "d ${cfg.tftpRoot} 0755 dnsmasq dnsmasq"
+    ];
+
+    networking.firewall = {
+      # dhcp ports | tftp port
+      allowedUDPPorts = [ 67 68 69 ]; # server/client/tftp
+    };
+
+    # Proxy DHCP for PXE booting. This leaves DHCP address allocation alone and dhcp clients
+    # should merge all responses from their DHCPDISCOVER request.
+    # https://matchbox.psdn.io/network-setup/#proxy-dhcp
+    services.dnsmasq = {
+      enable = true;
+      package = cfg.package;
+      # we just want to proxy DHCP, not serve DNS
+      resolveLocalQueries = false;
+      settings = {
+        # Disables only the DNS port.
+        port = 0;
+        dhcp-range = [ "10.1.1.1,proxy,255.255.255.0" ];
+        # serves TFTP from dnsmasq
+        enable-tftp = true;
+        tftp-root = cfg.tftpRoot;
+        # if request comes from iPXE user class, set tag "ipxe"
+        dhcp-userclass = "set:ipxe,iPXE";
+        # if request comes from older PXE ROM, chainload to iPXE (via TFTP)
+        # ALSO
+        # point ipxe tagged requests to the matchbox iPXE boot script (via HTTP)
+        # pxe-service="tag:ipxe,0,matchbox,http://10.1.1.57:8080/boot.ipxe";
+        pxe-service = [
+          "tag:#ipxe,x86PC,\"PXE chainload to iPXE\",undionly.kpxe"
+          "tag:ipxe,0,matchbox,${cfg.bootAsset}"
+        ];
+        log-queries = true;
+        log-dhcp = true;
+      };
+    };
+  };
+}
--- a/nixos/modules/nixos/services/forgejo/default.nix
+++ b/nixos/modules/nixos/services/forgejo/default.nix
@ -9,6 +9,10 @@ in
 {
  options.mySystem.services.forgejo = {
    enable = mkEnableOption "Forgejo";
+    package = mkOption {
+      type = types.package;
+      default = pkgs.forgejo;
+    };
  };

  config = mkIf cfg.enable {
@ -25,6 +29,7 @@ in

    services.forgejo = {
      enable = true;
+      package = cfg.package;
      # enable sql db dumps daily
      dump.enable = true;
      database.type = "postgres";
@ -75,6 +80,9 @@ in
          COOKIE_SECURE = true;
          COOKIE_NAME = "session";
        };
+        "repository.signing" = {
+          SIGNING_KEY = "default";
+        };
      };
      mailerPasswordFile = config.sops.secrets."services/forgejo/smtp/password".path;
      # secrets = {
--- a/nixos/modules/nixos/services/forgejo/secrets.sops.yaml
+++ b/nixos/modules/nixos/services/forgejo/secrets.sops.yaml
@ -1,7 +1,7 @@
 services:
    forgejo:
        smtp:
-            password: ENC[AES256_GCM,data:kkKrSGJER21Q3efHuJ6YJVcmqILMYMME+e1GRdNDOX+sDgKwapY+lJrlELgD5RFVJN4=,iv:/nxRa6Tn1pGGYQ0mds70p3+a9ZYHv6UidngHvI5GTIY=,tag:4rScz6znMhgtQB9V4iDqWg==,type:str]
+            password: ENC[AES256_GCM,data:sq+vLUV35+sclAszVQRU4up1s1y6K6BNbzSW8hKBN4kavJOZLX6o86xTgNjjScQop1c=,iv:5zbzggdTT59ali0LzmPtaP/jAnGCYoJFcIEZkFNFmJw=,tag:z9s3NQptPwKOC+m/EUVeWA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -11,68 +11,77 @@ sops:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpM0tHclk4K3ZTZ2VyTk1i
-            MXliVmtmUXBMWlFlTjZHeEdEbHArUjJwMVRrClViKzZJNXkwMHF3bW5FQUxROVRF
-            UTdadFdseVkzaUpvMnNKaTZkVWNJSVUKLS0tIGxkUmk5ZmFZOWtlUndJdjFSL056
-            dXh2bG04QXR4THB4WFVSamY0SWpUSGcKwYArSMUjLm7j4+0vdPw8x8WrfIMEvJz1
-            K8Tqc2IJ1KfH4GGcOveYt9UcgUrzuvXsSnPydKWnc86RuFA+X6Qixg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUXYxY2hGci9ZZ3BId0xE
+            TFJJVzdJQ2h2TlhNQk8vZFYyajZyUVpiY0E4CjFJR0lGdG1jYk1EejBNTFVwekJD
+            bE0xR01SNWNib3VyRE52TG1hbFYydXcKLS0tIEtkaW9RN2lqYkhwR29JZm9QcHFM
+            U0hqelgyTWJGUW83emttS1pVYzlNOWcKWp+wQH8iZH6ox+unG6Qx/2vbG8GeMpCa
+            k3lUrtyqEKxw3V08FA1gWvLF8XWVgYGVS1jlZFypOVLbl5Ig9l+VDg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNTVGdjJ0dGE4aHBDbjRx
-            VWlJeXEzVkF5MXNmN2VNUnZrZTFuam94ZmdZCjZiSXpNZTk0VFVuck9ac3hDenZv
-            djZrbndYTjREUG5RSTNFNnhLTkRWSzQKLS0tIHR3L3BDditLcm1BMmlLcWdGNFFt
-            MGRBaFVjTzRNaXlOaGtvUzlmanZTb00Kb/RJFiSQ9XlRAfjrrncoJlDnQAJw9LI3
-            lXX0+BKL4fz8VUFY1dqcuDBSuvssADkDxU4X6yaebt/touhXJ66A8w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcWsvN2w3MGp3M21xc3BT
+            UkVueCtwSmdRNjNXNFdYY1NBTUF4Y2czVFVjCmhzcnpKUkVvZGRzSm1KTGs2SldW
+            cEZ1djNGUWpaek9lRGFkWVlqSHJDWmcKLS0tIHY1TU1FNm52clhZNVBDOWtrOXI2
+            b0RWamMvdWMvS2tSMnRTcTFlV2hBdUUK2RMSSn4WBhBiv5k0NNoXdwjPJkueOoXu
+            OXEeslquRSkZ+f/BpbhzFTXRzlQdLA9keMTcM20SK1IBuKICkJ5eyQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWUVxVGFobUxZV2M0ZUx4
-            NkpWTTVYZkM0cmFYNFJXYkE5SHJaaVpvdlVNCkV6UTN4c09ZT1RkVE1EYjlVZkhm
-            Y1ltSWpuSW95SXVkb3pyUVQ1ZGJ2Q28KLS0tIC82WnVsQ3RxSmxaL3czRlI0cTJV
-            OFd6VXJZUnZkT204Y2locHVvb3VpRHMKg9AMO4e5qGgSno/8FWEseUW9bQmfxVS1
-            UOYzIvtmAZVuL0uxrz6b9TwOv0CooP0+JhNOjcuFzcbMCcM1CQgwvg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbDlZMlcvbkk2WnJmZU1I
+            djR2UEtqbUlsaVVQZjk1R2RjbVpTT3VQVVNBCmV4aWVLOFdkdnhEaWgwU2FzbVRL
+            ZVVLVjN5WVdNMWtxbDcrUGYzZ2xNWDgKLS0tIHpTdExXbXF4V1pnSzBMcnFoSWF4
+            eU83ZVVnblV0eE5ia3QrMndDNG11MXMKF+iGOD0KKJV7YgxmI4ucHjvyGu+0EcIQ
+            smjK+ENxzkfk3yFICjkiIQSVBygvNiV97oPVpYeYGnhyiH3xefgyWQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVFJDbGtEeksrN3lKeXJF
-            dFIzd280SXRwZmVycHl2YlZ2VEo5dHhQVTE4ClBHS0lKd0FaMkNZT0xlVUF0eURO
-            TDZ6ZWJBRmtNMUZFN0FqbEVtdUxjYVEKLS0tIHZOTUZwUVdXenlDb2JxUXE3TVgy
-            UDZMb2xQVGIraDNxTy8yZDV2cEtHc1kKyjdLT8YcpB0yhXugPcN0scRiiTvpaF06
-            AoBdKBnxWHn1EVuypo75gOvKHwUMDdiQY/WUndQdlNOihDjzCSYGUg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUWx5YWhHbWFZeGEvV0VL
+            TnU1akp0WHhlczQwbW9LZ3BTYlhFSUVlaWpvCnFsZFFIdXNubGRyQkFnNm1nSUVQ
+            d3Z2WUwyVjYraXRxV3NoZVZYbVhyQWcKLS0tIG5LV1hDRng4aDd5eDUzY0k1TXQv
+            SWNzRXgwRTRvL3hEc3ZvVGFiRTQ0UEkK/9vK8sXbEqxQ4KCxzMeFHmqoTSLd/kx3
+            JBt18+XISrPYptEekZTV6obp2GKxpHDj0LEsNpUIjPWmIbT6gInHBQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArM3BsTUhJWTlXSitXN2NG
-            cG1LTWs5MFZYV09Ga3JqREdmZ2NDYVRHa25JCm4vNFZXS3JQdTEzUmxmbld5R1BD
-            dFFWM1Ivd1M5dTNJbExLZThNYmdCbE0KLS0tICsyWmh3bjZLVC9ZSUxBVlpkWksv
-            WXpaZDkyOFFnTkYvVDJjdjJGeXVSZGsKjJEb7JlXb8n/l0j32ixReFR+UJm59CYy
-            QyGCeBuAWOpeDw5d4jA+WikFrRRAJyiTcvsVi+PAzzqlOAlT0+/KrA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZmFZUE43L1FzTFltamdX
+            Uk4zNUtjMmlwcFVEeVB6UmFjWHM2OEpMaGxVCi9HYmFOVjl4MDl1MFAzc3pTbWtO
+            WHIwV0labHpmYUFFcWZwNWdrN1dhVk0KLS0tIHM1VENSWWtUN2hFa1hLcUJjU1VJ
+            amJ2K2xHL1FwMlErZitrSXRwek05TEEK/KDJHIOzuMCp1xON6ZYsgMKbYIQ5MAm8
+            W5U9PDE93js7j8lR4dTq2AASB+U5nk3I0MPPrcqhHkVcsSwMuKYSUg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWHUzSTYvaWRQc1dhWEN2
+            d2JwdjFldkRzbi95Q2JpRlZFaUVGWFU0MUFFCmpaaHdQbmw0Q2FVS1JvMkNYSzR6
+            aDRCRVI1NU9jRXkwMndyUzFwL3BDOUkKLS0tIDFvclN5eXJTWEg4VGhDVFpFSHdV
+            V1FlN0JOVFBXZ1A2SmxZaGkvU0MrU3MKuK+c/lbMvzdREphCn46IvL8X1iOw4BwB
+            9FdstXHyEX8OW0hFl35ZCNvPyd9pwO5fK/sObDrZ5+aCfFE0MbFbyg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSXg3NUVia1hkK08raHRI
-            VmlMRENkMHB4bkFJNGNiRGlLUitSQzVrWFZnCkZPWTI4QjhiWUpaYkh2NHZwR1dG
-            Z0Zub0JSdWwvM1ptazhUdWpxL3htR1kKLS0tIE91bWZObHVRSmZNNlBJK2FZK2RF
-            UnBtNmlJbnRYRmVyQ2hMcWNxSjVkVzQKZ9+hpZk/VnMKaVEUoajfBfMjkqz1PbVl
-            Fy6cOfjXzGCtx8vsU3TNILy+23M6e3G7K6ghHnhO5kL4StAY1PTR/w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnK1N0S3pDa2tCdjhiMGJJ
+            T0lDNU9YQXN1bkJuM1NUUnFzeGJBN01WTEVFClVVNmNTekpOOHp6N202L0NzSno3
+            MEwvMUx0c1ZmTFpscFlTM3FDR1VhOE0KLS0tIGM5TjBiQjByWkMwY3lhQm5CVTZJ
+            K1pPUER4aVlmN0FKTElEOXdzbVlRMVUKaqTcad+P1DfUqEhD7YUdsGaIx2H4IMco
+            Kh7lk0/ppXFmcRAKWF3luwdLkaebkFzx56MZjJGroNmMvkR0fMUv9Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZ3JDSGZ5WTRybGpVdG1Q
-            Y2crbWlQMnAyQjIzbzY4RHcwV3pXdGVzY2s0CnE2MTRLZnRQakU1RzVlQ1NDeXRk
-            U21mM0ExVzQ2QllOdTltQlpNOE5EU1kKLS0tIEtOa1BJdnRVY3FuZ2Zlb3g2ajhN
-            eTRFakI4MlRBbEJKbXBHSXlBWlZJMmcKaeSAhUZHIlXOaKqnRcARJITwQdJLFbpt
-            Hs5sshvnv+EZjvir9L0EgRtgpUmnpkl+mGnQxaBW4YVf/iiQYTyHsA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5T0syRFJiekFaeDRsY0FT
+            NE1DQUgwK3NQS3lQRGRTTXFQVEVkK1pYYkJnCkNWQ3J0b0V1eXF3OVF3R2JjNEpy
+            U3libG9INjl4K2VEMHpMMHdRYVViUkEKLS0tIEliSUFLWlhmblFZWCtRdDRGNlNa
+            VXhhd1BLcmh5TnVsaEJaOUJURG9VYlEKeFta+e5e2EiJCSL7CMrIoYwyAnCeybEq
+            vYfgMETwNaAh/AfGS1mdEABpK1tWi1H6Uu44g8OWTiszjQ09shb76A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:61nap2R6vs3XTFECmq5F1rqPE6eWZyM50dsYtNMfAAWQU9D9cyaDEx6bKkwMyBpxSQNHlGJWoglwRvZH2wQsLB46sdR9UNosqJZD7RRRh/RzkY3SWW6vHeP/YgnfsGgPpMWleBI7jnH/4EMoB8a1PECZiR7L/8BIFDlmdklbJ/I=,iv:G5xTBn3oFBLJHIEqGsghAXrZc115eGwWBbMLBOHET6Y=,tag:bnZodcvP+6nbc/yFcQVogw==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:DrSjFv1jbSuMO2QL6h8h8ln0Y5VBDBSrqC8rvaLZHkd8MOF4IPsjQORN2coZJNNvOpGhZsTiZ2prBBCQfqGRI+QWNlGTezOfWCZpFa7Fkp7g8TXZQmAkvrpnkFYgcL2JyvN5PrvL1j6gK4+zP7ohjLk1+v1VbYOPSab+N9ftYRI=,iv:VDGLfHXC0/vIue1kIKTGxK5x0CskAyG0CcNUOmHEXfc=,tag:CWXtliE0nCSiiW5O630A1A==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/nixos/modules/nixos/services/haproxy/default.nix
+++ b/nixos/modules/nixos/services/haproxy/default.nix
@ -32,7 +32,7 @@ in
    services.haproxy = {
      enable = true;
      inherit (cfg) package;
-      config = cfg.config;
+      inherit (cfg) config;
    };
  };
 }
--- a/nixos/modules/nixos/services/matchbox/default.nix
+++ b/nixos/modules/nixos/services/matchbox/default.nix
@ -0,0 +1,59 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  cfg = config.mySystem.services.matchbox;
+in
+{
+  options.mySystem.services.matchbox = {
+    enable = mkEnableOption "matchbox";
+    package = mkPackageOption pkgs "matchbox-server" { };
+    dataPath = mkOption {
+      type = types.str;
+      example = "/var/lib/matchbox";
+      description = "This is where profiles, groups, and other matchbox configuration is stored.";
+    };
+    assetPath = mkOption {
+      type = types.str;
+      example = "/var/lib/matchbox/assets";
+      description = "This is where matchbox will look for assets like kernels and initrds.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Ensure the dataPath and assetPath directories exist
+    systemd.tmpfiles.rules = [
+      "d ${cfg.dataPath} 0755 matchbox matchbox"
+      "d ${cfg.assetPath} 0755 matchbox matchbox"
+    ];
+
+    # Matchbox Server for PXE booting via device profiles
+    environment.systemPackages = [
+      cfg.package
+    ];
+
+    networking.firewall = {
+      # HTTP communication
+      allowedTCPPorts = [ 8086 ];
+    };
+
+    users.groups.matchbox = { };
+    users.users = {
+      matchbox = {
+        home = cfg.dataPath;
+        group = "matchbox";
+        isSystemUser = true;
+      };
+    };
+
+    systemd.services.matchbox = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.matchbox-server}/bin/matchbox -address=0.0.0.0:8086 -data-path=${cfg.dataPath} -assets-path=${cfg.assetPath} -log-level=debug";
+        Restart = "on-failure";
+        User = "matchbox";
+        Group = "matchbox";
+      };
+    };
+  };
+}
--- a/nixos/modules/nixos/services/onepassword-connect/default.nix
+++ b/nixos/modules/nixos/services/onepassword-connect/default.nix
@ -1,4 +1,4 @@
-{ lib, config, pkgs, ... }:
+{ lib, config, ... }:
 with lib;
 let
  cfg = config.mySystem.services.onepassword-connect;
@ -6,6 +6,16 @@ in
 {
  options.mySystem.services.onepassword-connect = {
    enable = mkEnableOption "onepassword-connect";
+    apiVersion = lib.mkOption {
+      type = lib.types.str;
+      # renovate: depName=docker.io/1password/connect-api datasource=docker
+      default = "1.7.3";
+    };
+    syncVersion = lib.mkOption {
+      type = lib.types.str;
+      # renovate: depName=docker.io/1password/connect-sync datasource=docker
+      default = "1.7.3";
+    };
    credentialsFile = lib.mkOption {
      type = lib.types.path;
    };
@ -25,7 +35,7 @@ in
    # Enable onepassword-connect containers.
    virtualisation.oci-containers.containers = {
      onepassword-connect-api = {
-        image = "docker.io/1password/connect-api:1.7.2";
+        image = "docker.io/1password/connect-api:${cfg.apiVersion}";
        autoStart = true;
        ports = [ "8080:8080" ];
        volumes = [
@ -35,7 +45,7 @@ in
      };

      onepassword-connect-sync = {
-        image = "docker.io/1password/connect-sync:1.7.2";
+        image = "docker.io/1password/connect-sync:${cfg.syncVersion}";
        autoStart = true;
        ports = [ "8081:8080" ];
        volumes = [
--- a/nixos/modules/nixos/services/podman/default.nix
+++ b/nixos/modules/nixos/services/podman/default.nix
@ -29,7 +29,7 @@ in

      environment.systemPackages = with pkgs; [
        podman-tui # status of containers in the terminal
-        lazydocker
+        unstable.lazydocker
      ];

      programs.fish.shellAliases = {
@ -40,11 +40,13 @@ in
      networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];

      # extra user for containers
-      users.users.kah = {
+      users.groups.kah = { };
+      users.users = {
+        kah = {
          uid = 568;
          group = "kah";
        };
-      users.groups.kah = { };
-      users.users.jahanson.extraGroups = [ "kah" ];
+        jahanson.extraGroups = [ "kah" ];
+      };
    };
 }
--- a/nixos/modules/nixos/services/radicale/secrets.sops.yaml
+++ b/nixos/modules/nixos/services/radicale/secrets.sops.yaml
@ -1,77 +0,0 @@
-services:
-    radicale:
-        htpasswd: ENC[AES256_GCM,data:5ddA5KQfwz19///HzOsWfQ==,iv:RF0x0m+ODyDjQhn7eSBEXu5Leg0EvpMvuLVErDZihAo=,tag:HhHzXcroFshr1H/ditMARA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UjFGTkNCaHVEK3ROTVBO
-            OUxrcmhjR21YempEZWVIOUlLYVNuMm9XOURNClJkbVZ5MEFmL0dhTWgzNWtYTHUy
-            SUlyZmtYTXZmWUx0V3BGZFRjOTcyWVUKLS0tIDNVSW5ZcU1IdW1jRTJucUxIdm5x
-            TmIvZmRRaFh1clkydDVlcWxvVGJkOGcKFpeAAdv1pi5AixsBKn/0Zo4QRTNBrKdm
-            8Qy6MVZg8HTf/CezK/XjkAoiB5K96fATXTpdZqZ7jfcuYLdpfEU2jA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDQlRJNlhhdkNLcjRjaFZT
-            YVZJdDJLeFYwMzJUZlllaElPazhPaE14YWlRClNBWDVkTWx0Qm8xTExyT2dmSjRP
-            VHdNM3pwQkNXUW5xVTZlVC9YTFFodjQKLS0tIEkyQTVHd0pqelppSXJ5SGpHSVF1
-            aUd6ZGhaU3BsdnFVV3NqMDkwbDdVUjgK1BnXUPCCo7M/sdpGfLOOJ5AAjyI9isSx
-            9WJ5+WmNxygzBDczPjJITBrvZMGduAxWqQP/FrLe9rQ/RA3DGJjThA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdWdJandiNXJhMUxwSm5p
-            eHh5bmM2MmF6d2MvdjBXYmhyZUgvS1V4L2pnCmxDYm1VUi82byt5SFJ6aHdrNmp6
-            dENPTmgvVWZPYmZtN0s2VG8xNHplT00KLS0tIExYcSs1bENBK1NFZUluSjFCOFVp
-            R3lmaUNyT0lyaWlhdGJySWtLWVNqLzAK28Nd/WUDXXW2BXhLvZpzbOU7kSoMRPaX
-            jqx6VRHBcgXvPJcYh1KK0nnxo6+DlLeTXI/ai3H6WI3TbQHNmoLEGQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGc2lUelNyV3BGNjl0STJw
-            clpiSUZUSTUwbEtZYjcvbzVaVi9EQ1d1WlFFCnhQbC9Lelk0V1RmQTJ0K2ZZazdo
-            NTZCREhNUE5KbVR0ek1Hd09UbkN2bkEKLS0tIFVyd2YvZ3g2R2dOaEJOcWVWVG9D
-            b3REQnhvOENGbWxtdER2T05wS2RINTQKRhMiqLnu2Ww098A24fNtfDFSMC/t7A2D
-            qcLdhazNwKvzCSOW0i+EYsG4beWcqLyDFA5dNpGWyfRYSh3QJWTdmA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdWNXSks3MEF4eGVHREpp
-            VllDczcxbThRYUsxZGhHR0J5TVoyTmFtdWpNCmJHbG5UMExLSHh5ZkwyRDMzc2N6
-            UG1WTnNyTTdldHFDa3VKOG45Q1RmU0UKLS0tIFFXKzZHTm0wTVpheEw5RE12bWlo
-            NHFWWlRBdmRRWU1DL25CRmlVdDhhRjgKutzYioPd1LJvQdo/FQ+hQznRqsIhSGfn
-            c2ZwmE3QgPRhfh1CoeoK+iK/STVlrb8DEPi5VPEOz74+kbr18v+K5g==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdERIZTlEN3NRK2R1WUJL
-            T0ZScVpraUdaQWE2WU4zdUp2Rk96T0xzcGhnClNWSGlKODYrSVBlM0V5RkVaMUt6
-            YUJIa1NnZTZhM1ZXOGp4ZHZidTR6V2cKLS0tIG54RU91dkZEeFB4WGdaSFpQTjlX
-            NVF3WGdGZmxxMllBQVlYQy9zTE03VW8KE9LaWyGBs7vRBjayY+8XiFDq0uFQIFfy
-            AqeVIQIAlt6EKXzUwCD/otHgCAJmI1T/2QNc7x34HjgQi1NcjZzxJw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdXNFbGNLb0RqZXpQcXda
-            RDd5ODk1QXk5N1o4Z2N2dytIWlMvVVVSa1VBCkNLSzZWZG5rc1N1d1hQQnladVJ6
-            VGwwSmFkVU9GYmZyQjhiK1ZSNWRrVG8KLS0tIFkyM0FDNUhVK291eGl4cjNTSnRk
-            bUs1eUZkcWJYM0NVU3FDMDFKNTNIWUEKbfdIAAfRNO5OXmvxA4az2be6O+aSIzfL
-            lHfQwH+07owhw6K17vJaKlOVGlpTLVpW88497ILCoUrcH9QbVnGAcg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:mgsfpMzhJ0vaoxNTbfXcVZ395e79wFGTK7YmYZY1nUOrTFP5NO8xUB+A9RlnUVrgKEV6eJBLYah6LX29fjwcllgT3aJnk9oFf32PxBPaYxg93m/L5a1+8cHbYn9JqQcPzaqmCCqT1uK5DphO2ztxKqlBhzEhx4UIfh5hBkyu3cI=,iv:n1oVTFkQriDMdRqmcUNApqzfaCX/rGNhzjGPAgPTK7c=,tag:E3uoBzPxhBk0lBF5GMhNoQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/nixos/modules/nixos/services/restic/default.nix
+++ b/nixos/modules/nixos/services/restic/default.nix
@ -7,6 +7,12 @@ in
  options.mySystem.system.resticBackup = {
    local = {
      enable = mkEnableOption "Local backups" // { default = true; };
+      noWarning = mkOption
+        {
+          type = types.bool;
+          description = "Disable warning for local backups";
+          default = false;
+        };
      location = mkOption
        {
          type = types.str;
@ -16,6 +22,12 @@ in
    };
    remote = {
      enable = mkEnableOption "Remote backups" // { default = true; };
+      noWarning = mkOption
+        {
+          type = types.bool;
+          description = "Disable warning for remote backups";
+          default = false;
+        };
      location = mkOption
        {
          type = types.str;
@ -34,8 +46,8 @@ in

    # Warn if backups are disable and machine isnt a dev box
    warnings = [
-      (mkIf (!cfg.local.enable && config.mySystem.purpose != "Development") "WARNING: Local backups are disabled!")
-      (mkIf (!cfg.remote.enable && config.mySystem.purpose != "Development") "WARNING: Remote backups are disabled!")
+      (mkIf (!cfg.local.noWarning && !cfg.local.enable && config.mySystem.purpose != "Development") "WARNING: Local backups are disabled for ${config.system.name}!")
+      (mkIf (!cfg.remote.noWarning && !cfg.remote.enable && config.mySystem.purpose != "Development") "WARNING: Remote backups are disabled for ${config.system.name}!")
    ];

    sops.secrets = mkIf (cfg.local.enable || cfg.remote.enable) {
--- a/nixos/modules/nixos/services/restic/secrets.sops.yaml
+++ b/nixos/modules/nixos/services/restic/secrets.sops.yaml
@ -1,8 +1,8 @@
 services:
    restic:
-        password: ENC[AES256_GCM,data:PMY=,iv:GzQOdFF+rDY/WN3uZK7FV2++o2Mh4fnhzHhNnzyiJ4c=,tag:GhnZYmvoaDb3wSbHA50DkQ==,type:str]
-        repository: ENC[AES256_GCM,data:1Ui21g==,iv:qC8f3+nYS9HTF5WqFfiKjAFY0tSQhL1XU6sAgIK7vCs=,tag:ykOm3Tv8XWbqDofPChvHuA==,type:str]
-        env: ENC[AES256_GCM,data:tfXFwJZkdFrhwN90u1tT3Q==,iv:ShVllR4+CNOURMwCIF5ionQZEs6Zv+GCQOwpZ3cNlIU=,tag:udAASv7SH635dqNtNf4z7g==,type:str]
+        password: ENC[AES256_GCM,data:QPU=,iv:6FYmdgpKLplg1uIkXNvyA+DW493xdMLsBLnbenabz+M=,tag:SVY2mEhoPP/exDOENzVRGg==,type:str]
+        repository: ENC[AES256_GCM,data:VGtSJA==,iv:K4FnYzTrfVhjMWf4R7qgPUCdgWFlQAG8JJccfRYlEWM=,tag:43onghqVr44slin0rlIUgQ==,type:str]
+        env: ENC[AES256_GCM,data:TWUJ/GE84CTiLo1Gud+XsA==,iv:gKC1VcWnGqEwn5+e5jIqsIfipi3X2oHGvrG0rgqQl9E=,tag:QIBfXblvSDxAVYbZGAN3Mg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -12,68 +12,77 @@ sops:
        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0QStpWFFiTDF0dkMva28w
-            WGM0TFdOY2VhUGVCTjh6ZzFycmZkci81MWtNCldGZksxNHR5MnFmQ1ZnMVpXK2xo
-            OWltSjQ1OEN3WnNqK2xTN3haYWJWYkEKLS0tIFJBSHhSNWtxSkFYcFZrL1o5dGxX
-            RVFWMVJXMnRQdWhFSEwvOVVicG50ek0KMJYN1Xo4Y1QgPGkGcglXa7wip9u8gOeG
-            E4e4s9upSyjZTKOe+6OOnYXjVl3uc0SJLmdjvQyqqMR7SnOTqjqbfw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRUJEU25EaUhacWFBOVg5
+            TWI3NmtkWFpONHRVZ1BVSVRsQzMraVdmblFBCmd2NzcwMGRTMTR6ck9lcGZSQmVi
+            dHlFeS9RNENKcDEvS2FiRTVrYjVlUGcKLS0tIG1VSW9sejVWZmJHQXlIOVpLMjds
+            SHV6U2ZhUnVpQVNROGNjNEtZZXI1bEUKXjSwBNA8ylfo4CWlefFfajm2JdYtjUVK
+            bqXlIH/nG+nQ+I4Rj1XHo7hAuxCatuN0bGVBkSlzqIZk58/JladwFg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWlNFbXlONEI2L1NhOSs5
-            TXA0dERBV0xmUDlHN2FDeXBKZ3FROEE2d2cwCjF2aWZSbGloYStEemozTkJlelZS
-            TC9tMnNDL05YS01lYWFlSjBDMjBNVmcKLS0tIDFYVSszTGVpTWlQc2JFNE5HTGQx
-            allaTGsycThSKzJPT1R0TjhlZ21tYkEK5eFfulRlIjh0j/n55uCtkgTe9Y25Li1k
-            TaMfOiS56aeDBVJx0x/glR2gvxR4yd0si1fPijsbP2179JqE7zFNSg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWis3TWZ0djY4YnJNek9N
+            T2VXK0IzaStkMisyaUs5MTVHeXY4bytoUWdnCmlmTmRXRlRwOUZVQm5aWkxSKzFB
+            UzhtbWd2Q09sbTJPeDRWeTFESkcwWUUKLS0tIDVaN0d4UGlTZUhIaXVKaXJRNThS
+            algwTTZsVzNTQngzVUwyU2lpNll0bU0Kjz+34mvPPAfGUQKMH6LXawGou9HjBTjJ
+            p9vxncB+7ykvT4e4Z0PpPE/Zo5yvi9rt1T8bZ6dG7GA5vuE/4BarCA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4YnZoaWIyajVLYjFHT3NR
-            UTNNY2llYW5mWjJIejhCZ08vSGQvWDZiZ1VRCmNMeWdGelRod2x5NmdhS2RVWGhl
-            RmxhOGo4OXFINDgxbjQvQkNpakVkZzgKLS0tIDNNVFRmNGQwWmJKYUlFN3hNbVFw
-            MXZoMXFkaXhCaHhCclZrb2R1WEVjSjAK2InKsgvBb6tI8gUZYwfGAYOly0pa1mFK
-            kuQyj0VMYFI3O7c35ZpwNmHCtFzxt2rza7E0DGrYpVUlJgOte6Gicg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK2FNS0tJaTdRQzA0VVky
+            aERMTVdqRzBwWFV1WFJJcVRKSTFIUlh3U0E0CmFKZm9jUHBpRjJCZk9PVkNWVEFU
+            RURReEhGNTRmWWpLa1ZNdVFHK3FQQWMKLS0tIHcrMTBiMGhlcFc3RzlmVEp2OEpX
+            ZHZLdXV4a05NaGRmR2Z1SkZCV25kNUEKHU1v1OK0d2ud7QL+gEoA8R4Z5YgVSP42
+            IvnEQxjjXZjC4p+OjFErKcWrVb+3DGzqF1vngJVrXmIgOx/SZKTa/Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZnZKemIveDRTZGhoN3lB
-            bHlNOVNFUnAzdVBjRk5HR3lxdGI4UWdDTFdFCkUzMUdEMXk1dVppdTJhMmgxRjBG
-            UDl3UzlhUi9nOS9WZW5naWhyMlN4NWMKLS0tIGJVZndlOTBQMjM3dEROUTdlQzEw
-            NXRkOUhDaTU1am0wbjNXWkVOMUZsZ2sK5uOwOezrleA+zwYcDYjBdGQXRI+27ZLr
-            850yLNtKO248aFX128JTk5+J1OV5Dv4QYRbzGfpb0/mK0U1uTXLm1g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MytrUFpsMUVpT3pTNWlq
+            NjMrRjI5a3NqNzlNV2JlczJRNXNicVZaWVdNCjNnRHM2RGV1SEh6M0U3T0NvdlNQ
+            a1JIZFp5bHJwMXlNd29DQ2MwckRrczAKLS0tIHdmd2lFZ1FWTFFMUExPeWRXd2U3
+            RU9UYXJESnAyYXFITTN0cm5QelR2T1UK3XUlIGQED91sUPc1ITq1rXLj/xhkGM9s
+            R4bsTK5RqpXE+RmGfxeAMP7Om424vjM76l6DU2JkoZietDwR35UA8w==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdU93TEgwVHJSeWJmbGNv
-            bDlQZVd5SjQ2eGJ0ZjVYVE9MYnRRZmp6czFzClZvVnFjd213MlU3b01jNHJGWm43
-            cDkxWVh5MTEzY05lVlg0TGJWbWdvYkUKLS0tIEtqc2c3R1JuOTlmazYrSDdlZXJs
-            L21nOU5oZjVySGdJUGpGUy94U3Ixc2sKeHKCmx5yxHprbCq+76K5MNWVZJjOs+ck
-            QiTxxYKvdI7w2cCfyn9l9+dLcMqlqxdRLnoX99oi2ztIDHZEVEmqsg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjc0haNU95V3JRUlpuUjha
+            SHpOWThJWVMwbElRaFcrL21jYXA2SFBHeFR3CnV1MkRxbG9QV1dWdjJxWENtQk5L
+            M1g0cDJXRjN0VFhiRXZKbG1yS3hXaG8KLS0tIEtScWorRENpbFZWMjVXNnIxTTdi
+            djdBdThNMzFZdlI4TVBJSjdxeXg0VE0Kcwsa/et9gMSlm46rt0vZ/dFy3ZCZQ5Oi
+            WLJ492+srIeE47Gpye2jN2XAmM4exCijYkZeQvPpLIFvBFmQCK30hQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTDI0QXZaMlZLUW9ST0lW
+            Q1M1ZmlpTHpvM0NHejFSNEx0UUFnTVJIN0U4CllRcnVpUjFqOUZRRk5CWXZqT0V0
+            YWwweld0TE9zZGFmUTVDVVl6eDNETzAKLS0tIGtEanVWTHgxSk9Ld3NRYndOL3dZ
+            WXJrUWtncDZjVE50dmw2MHRCelpzZ2cKfLIQbrTsVGXY+UZCC5p/7+bXKHhv8nxt
+            dvvr+VGnH57jmELqSUoWOgefJ6GFNcCoGSYHZ9cn0UgvhZgx1Wpoow==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQlNCSytZdTJQbGN3Y2U4
-            NlIxSWsyeTIvU0ZrVjhqVTl2K1pMVHN2UXdnClhCU2djUkZGQzRzYUhNNnc2TmlS
-            RVVrdkdqNUxQdGhCYWwyc3NLQ2l5bFUKLS0tIGVxWm01eU5zb2pma2pUU3VPbmxW
-            cW94Y0dBZVMzbW9icUtyWDV2c1N0ZU0K77jXENggGEHpoe6qQl5O0sBbycrmlPoo
-            fnIMedUGzXpzYRV8cyKnY1sFGwyU2ymGsUff7cIBablwP1/MAKRJmw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRN2M0VmVCQ0JaNVhnRzBj
+            Z2Vqbk9GZUtaZlExYTRPQ3ZJWHIvU283cFRBCjExQnJvZy9SMndJd0VqdUpCSDFJ
+            ZmJpVFJ1em9iNnNOcnFTQUExeGZESm8KLS0tIGdnWXNtNEg2SHpjRW1mR28vVDRv
+            VFVRcDh0TlVXR3pYRk1Ybkx3MjhOaVEKsViUc14dePdnukQa3ud/EesnvZL7OCM1
+            HWJYP81C9O4mU1kwRYtC0lGxMQX6aWiFZ5e2ImSi3w+mBP+KihfmBw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrdm9ZNmdvVnhROFZvVVhu
-            QkJGQ2J5MkI4VjVLNXNSL2svbnBKZUJ2Y1MwClFsQ1JQSEhlK0JJbTRHNzBNU2tI
-            aDl4eFhMMlhib1QzZldUcnVJdVZMSFkKLS0tIHBoYXVYazk4S1VpOE0vV2tqL2hC
-            N3JDRm1OMFFobjloaXBNNENrQ29BeVkK/aAtqd93BGI5q3bZHydLxmVp6iBgfNUE
-            nf+dZioVWVdoK9LSpoREFuOQu4upZ3MjxkClO0hjBJwaACElPrUF2w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUlZ1TER2anNCRHBKQm1v
+            QjhybHFCc1dod1djeWxkRmhBSC9YTW5IV0NJCkM5c3hkYWtLZnJHNVpPYUh4TzBR
+            U3ZaMEdSTVNsenV0RVorTTZMUXdYT3MKLS0tIDV1dWxjbXNtekZaUk9xaVdOYU93
+            UUpVako2MGVobTcvNWRsTWMwZm5ZSVEK1uI5dVSI4vY5hw0oxj21mJYoZB2Jq52z
+            e+RDvcyBFRsS+238UCVi5qDdA8DcnQ2uRiBxKDGC2P3RoVU5TeCfTQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-15T23:16:58Z"
-    mac: ENC[AES256_GCM,data:Eht9Vth1XVzeTCTyS18neiLthQF2c1DZkUkrYv01v1nC6tRPnWPd6+7zPQsQbdUuImwEthFpGDtNY0DLqwuZ9NWWhtEhWspUK2QKxNDKdP/aDT5rnjcf5tvyDK1EGnvTfp/fbw5I+z1mQYfrrUrQNVn6eiZXO+71mF9zoQLu/C0=,iv:TMnbBm1d5BSC6ywdwR4Mmn39qyCEyjSr5ndwtcwQk/k=,tag:qcAjLJl995bSmJtzGX7VbQ==,type:str]
+    lastmodified: "2024-09-18T23:57:27Z"
+    mac: ENC[AES256_GCM,data:88ZnGTkV1xxZO7UuVm5clZrHUMeiqAG++4X4DbCJGwqL+VDagYVhsui1+PzN62h6TgXtARecHON8TXd8z/NF4ekiY+LAcMC3m9x5AzmGYa7Qd5FKht1O6RfRORBDrojj251cqCifDxeGPq3C/X4Zi8Jg4KTSk1lAJoXMsqJQ3+c=,iv:8NnKOlzXD1jRVQ/tgoChEb0YY18Y7VpEiq85YhupTws=,tag:eUbLR66sNqQ2VIQW0/CBwA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/nixos/modules/nixos/services/syncthing/config/default.nix
+++ b/nixos/modules/nixos/services/syncthing/config/default.nix
@ -0,0 +1,46 @@
+{ sops, ... }:
+{
+  gui = {
+    user = sops.secrets.username;
+    password = sops.secrets.password;
+  };
+
+  devices = {
+    gandalf = {
+      name = "gandalf";
+      id = "2VYHSOB-4QE3UIJ-EFKAD4D-J7YTLYG-4KF36C2-3SOLD4G-MFR6NK3-C2VSAQV";
+      addresses = [ "tcp://10.1.1.13:22000" ];
+    };
+    legiondary = {
+      name = "legiondary";
+      id = "O4WI2YC-BZBPF2W-2ALNQ2D-UOP3BK5-ZDSEHVH-DIHS2FG-BSVJCXG-GF47XAE";
+      addresses = [ "dynamic" ];
+    };
+    shadowfax = {
+      name = "shadowfax";
+      id = "U3DS7CW-GBZT44M-IFP3MOB-AV6SHVY-YFVEL5P-HE3ACC5-NDDGAOB-HOTKJAC";
+      addresses = [ "tcp://10.1.1.61:22000" ];
+    };
+    telchar = {
+      name = "telchar";
+      id = "ENO4NVK-DUKOLUT-ASJZOEI-IFBVBTA-GDNWKWS-DQF3TZW-JJ72VVB-VWTHNAH";
+      addresses = [ "dynamic" ];
+    };
+  };
+
+  folders = {
+    projects = {
+      id = "projects";
+      path = "~/projects";
+      versioning = {
+        type = "simple";
+        params.keep = 10;
+      };
+      devices = [
+        "legiondary"
+        "shadowfax"
+        "gandalf"
+      ];
+    };
+  };
+}
--- a/nixos/modules/nixos/services/syncthing/default.nix
+++ b/nixos/modules/nixos/services/syncthing/default.nix
@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.mySystem.services.syncthing;
+in
+{
+  options.mySystem.services.syncthing = {
+    enable = lib.mkEnableOption "Syncthing";
+    publicCertPath = lib.mkOption {
+      type = lib.types.path;
+      description = "The public certificate for Syncthing";
+    };
+    privateKeyPath = lib.mkOption {
+      type = lib.types.path;
+      description = "The private key for Syncthing";
+    };
+    user = lib.mkOption {
+      type = lib.types.str;
+      description = "The user to run Syncthing as";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # sops
+    sops.secrets = {
+      "username" = {
+        sopsFile = ./secrets.sops.yaml;
+        owner = "jahanson";
+        mode = "400";
+        restartUnits = [ "syncthing.service" ];
+      };
+      "password" = {
+        sopsFile = ./secrets.sops.yaml;
+        owner = "jahanson";
+        mode = "400";
+        restartUnits = [ "syncthing.service" ];
+      };
+    };
+
+    services = {
+      syncthing = {
+        enable = true;
+        user = cfg.user;
+        dataDir = "/home/${cfg.user}/";
+        openDefaultPorts = true;
+        key = "${cfg.privateKeyPath}";
+        cert = "${cfg.publicCertPath}";
+        settings = import ./config { inherit (config) sops; };
+      };
+    };
+    # Don't create default ~/Sync folder
+    systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
+  };
+}
--- a/nixos/modules/nixos/services/syncthing/secrets.sops.yaml
+++ b/nixos/modules/nixos/services/syncthing/secrets.sops.yaml
@ -0,0 +1,85 @@
+username: ENC[AES256_GCM,data:WSQeuKRVE80=,iv:ci1XiMFsDDx3PbM0sH8ph/twu1FlrI3LSaURp3qaUxE=,tag:GrpaeuVBVK6CqOAiK+F2bg==,type:str]
+password: ENC[AES256_GCM,data:Er08gOwq4LMXCiH+c1dPq1eGcVU=,iv:TtYcMYMuIRtsPzT47nCe0SEzpy9byuoBIOMTHWEdJkk=,tag:rIeYTmHDYW44pgntALRx1w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcDA4MXZCNlk5TzVKK09L
+            Q0F3bldGN3p6SCtFM1F5dG9QV09uNXhiMFI4CmhFcit6V0FQL1ZYcVJ2UDc3ZWlu
+            bWc5Qzd0eHBjY3NzRUVXM1V6Sm1tR2MKLS0tIGU4YlNYcGltc21ZbENWMC9TS2JQ
+            VEhZdklMcUdBUmh5Q1ZXdEtYZ3htblEKWr8uQWvUbu36eD3Q09aKpHaAXkzBCx2f
+            g9osxa9r8Ih43NWZvJRTQlXdLi7T+oQj3dyYOT3gTL8L8WkbWuG2eA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMGxrdEV6SUREMFlyK1p5
+            WFZ5aUs4QlNSUUE2eEJXcTVjRitjdlhtTWpFCll1TjlWMWd3N1FoOWRqWTEyODVZ
+            a0dwd1RIb1U0OGdUdkUyM2IvYmhyR3cKLS0tIEhhUzdhTml5b1ZaeWNQV2NpUmVF
+            aHdZV2FWbXpmL0RDTUdjQVBuQnBEUjgKELbs5UPRNslIvZz66Imtf4XfFxLUJkIA
+            xAbMZeGbW61da1kfb5Dc/v/zbB57T1qZNDE48nPfIMpQBNQNh8/9FA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadDFIK1lRR0Z4RVhHRXUw
+            QldxNk8zUTVOVFpIM1cwV3ZMcXZPcFpTbEZrCm1NWVpsc05ob2FpRVY1VlI5Z291
+            WDI3ZEZwS25tRVpTMDR5SDlodE51VDgKLS0tIHk4VmhJcWswTVpwRyt3bEcxZEM0
+            MVQrSHR0WHI0eHVaVkpDZzhqZG5sZ28K2vw5S5phg4UXCeWr2baPdwtHDPM7OaUf
+            idLK+rKGFLxXWOcgzCJPDvwdIbvrmfueEPf8chmqcHus1JPYKzASJA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTWY2YlFHVU94NnBuRlpN
+            RlpMS3kxOUhvTWtsNnVyQ2ExU0YzdXN4ZEdNCnpKczFjWFBkVGhnRGcwL2xRejVu
+            TGhHUHZzeEpVNm5MVk03Zkp3OFYxNjgKLS0tIGEzL2J3SytvZFp6ZTFXWHF5YlU1
+            dGZwelk0eWRsM2xwMmtxMWhQSkNVMEUKUSuFRNYCAuodVIVq59mfFDD3NIK3aCMS
+            WN0/otRuND5kDy4kmTqFil5E8WwRcpHvjZZOAjqDA16DSriZS6mpbQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjckh5R0s5Y0E3STZZbWd3
+            TDNtWUxGYVZCKzluK1FzZG9VaUppVUFpbEJvCjhtZDA0a0preVd1SW8xTW9jQkdO
+            cmJQOE9LNUJDa1Q0dFhYcDh6VUxwSzAKLS0tIEd5SkF0RUwvUUVMSW1IY25Oak1W
+            cHVrZGh6R1YyOStmV2dEbXJsY0U1NTgK7XjhWRazgHzIcsDPIsTV3qrYWhJ6FpCT
+            5P+HUNSjdv1sv/KbexJgjWgG0YNv+eRQnqtxzZaniaWcn5gp1JlR7A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWU0NnS2E1UzlRYVVjcDZC
+            ajhwSGxpUzNENXBSSE82empzd1pmYkt5SUdzCk5TZWJna0w4UU1MQ1R3WHVOMDJU
+            Q0pvM09OZFJFYm5OeHdQVDZBNW1mckUKLS0tIEhraG9YUXYrWUp6S3VqeThpcWZw
+            aEx6bWNNY2t5UFVwcHdBZE9kSEFrYWMKw40ntGaLDFX5tRK5Ir9yRu4Kbsyl7N05
+            uyMlyQ20zL0TmsL5OFEuIF3mhaLyu2GgigQaQcGffx/DUJdLRc8Fnw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SDZaeUtCbWt2OFZRRm9T
+            Y3l1dzZwU2s0WDlaNXNaUHpFaExFamtSS3lRCmE1VHI0M3hqSDNCanFuR2l4SU8r
+            aTR6TlhReDJ4SjUvS0J0aHNyY002eTgKLS0tIHYxdU1WSng0VWZETTFiMGh1OHY5
+            STQyNWUyNDhRTkxVUXd5VHNjZjJjK0kK8SJirqpGCmLCwLlLul6WdAzIWWiAR4Qf
+            usYAmNmjbHLHxNftB9mGLEumJ8IAB20Ywk5EbujMvhJ0w1R7kAyC+w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbCtUMFhveWVLTzI3Y21Z
+            ZlY2UU9vVFplcUVIbk5Jay82UmNxT2lZSnk0Cm5DRHRGMVZSaDZ1cElxWk9PQWhs
+            SmlRMHBiU1lTNVE2UlpQSXgvSDZqazAKLS0tIGxadVhWYUVOV0Jab05LS0ptendn
+            aWtiSlZlTUdwMW9Eb1dXUERVanVOaFEKSqRistshNg61yLJIe/3kuisRLuvfVbWu
+            ZsN/jk357Zv1VIYwmdm80LqI6zCGNzDaP30+Bxp8RTasA3gKM1mKrg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-07T23:25:22Z"
+    mac: ENC[AES256_GCM,data:ngdpFJcw3Qq/G7MWJY4Ka28r5tAobVlPxkQ+ve1MGd4SHKhUMRTA3je7kG+2zB/muQKtZ+SNolFJF4KcCtCOBaC0y70eJcFbGZ7g2iXa8TtNnW53PRpdWPYjJ5BhGbdCcJ3KKNcO+nT/PWIC1JTP6vp0j0aghLlYrm7Bq8+cAj0=,iv:YoTnZcxbn4Mzh+5lGQSr1OxLdyGUtGrnkt/KsNSTw2Q=,tag:63wotwyZVIqnTtZGW47jRA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/nixos/modules/nixos/system/borg/borgbackup/default.nix
+++ b/nixos/modules/nixos/system/borg/borgbackup/default.nix
@ -0,0 +1,40 @@
+{ lib, config, ... }:
+let
+  cfg = config.mySystem.system.borgbackup;
+in
+{
+  options.mySystem.system.borgbackup = {
+    enable = lib.mkEnableOption "borgbackup";
+    paths = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
+    exclude = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
+    repo = lib.mkOption {
+      example = "borgbackup@myserver:repo";
+      type = lib.types.str;
+      default = "";
+    };
+    repoKeyPath = lib.mkOption {
+      example = "/run/secrets/borgbackup/telchar";
+      type = lib.types.str;
+      default = "";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.borgbackup.jobs."borgbackup" = {
+      inherit (cfg) paths;
+      inherit (cfg) exclude;
+      inherit (cfg) repo;
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat ${cfg.repoKeyPath}";
+      };
+      environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+    };
+  };
+}
--- a/nixos/modules/nixos/system/borg/default.nix
+++ b/nixos/modules/nixos/system/borg/default.nix
@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./borgbackup
+    ./pikabackup
+  ];
+}
--- a/nixos/modules/nixos/system/borg/pikabackup/config/pika-backup.desktop
+++ b/nixos/modules/nixos/system/borg/pikabackup/config/pika-backup.desktop
@ -0,0 +1,4 @@
+[Desktop Entry]
+Type=Application
+Name=org.gnome.World.PikaBackup
+Exec=pika-backup-monitor
--- a/nixos/modules/nixos/system/borg/pikabackup/default.nix
+++ b/nixos/modules/nixos/system/borg/pikabackup/default.nix
@ -0,0 +1,23 @@
+{ lib, config, pkgs, ... }:
+let
+  cfg = config.mySystem.system.borg.pika-backup;
+  user = "jahanson";
+in
+{
+  options.mySystem.system.borg.pika-backup = {
+    enable = lib.mkEnableOption "pika-backup";
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Add package
+    environment.systemPackages = [
+      pkgs.unstable.pika-backup
+    ];
+    # Setup auto start at login.
+    home-manager.users.${user} = {
+      home.file = {
+        ".config/autostart/pika-backup.desktop".source = ./config/pika-backup.desktop;
+      };
+    };
+  };
+}
--- a/nixos/modules/nixos/system/default.nix
+++ b/nixos/modules/nixos/system/default.nix
@ -1,15 +1,19 @@
 {
  imports = [
+    ./borg
+    ./fingerprint-reader-on-laptop-lid
    ./impermanence.nix
+    ./incus
    ./motd
-    ./nix.nix
    ./nfs
+    ./nix.nix
    ./openssh.nix
    ./pushover
+    ./samba
    ./security.nix
    ./systempackages.nix
-    ./samba
    ./time.nix
+    ./wifi_swap
    ./zfs.nix
  ];
 }
--- a/Show more
+++ b/Show more