feat: flesh out home manager gnome, firefox (#56)

* feat: add test node and spin up podman/cockpit

* dev hack

* bug: disable wayland temporarily #52

* feat: add nfs mount to nas

* chore: add nas to sshconf

* derp

* hax

* fix: hax

* feat: firefox and gnome tweaks

* chore: tweak nautilus

---------

Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
Truxnell 2024-04-03 12:09:39 +11:00 committed by GitHub
parent 74dcd8a683
commit b447282c7a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
45 changed files with 922 additions and 236 deletions


@ -54,6 +54,7 @@ jobs:
extra_nix_config: | extra_nix_config: |
experimental-features = nix-command flakes experimental-features = nix-command flakes
extra-platforms = aarch64-linux extra-platforms = aarch64-linux
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Register binfmt - name: Register binfmt
run: | run: |
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
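Review bot: `DeterminateSystems/magic-nix-cache-action@main` follows a mutable branch, so any change pushed to that branch runs in this job with the workflow's token, next to the `docker run --rm --privileged` step. The lint workflow's hunk adds the same line. Pin both to a full commit SHA, `- uses: DeterminateSystems/magic-nix-cache-action@<full-commit-sha> # <release tag>`, and let a dependency bot propose bumps. The job body continues outside the hunk, so its `permissions:` block is not visible here and should be checked to be minimal.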


@ -17,6 +17,7 @@ jobs:
uses: cachix/install-nix-action@v26 uses: cachix/install-nix-action@v26
with: with:
nix_path: nixpkgs=channel:nixos-unstable nix_path: nixpkgs=channel:nixos-unstable
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Install Nix Linting and Formatting Tools - name: Install Nix Linting and Formatting Tools
run: nix-env -i statix nixpkgs-fmt -f '<nixpkgs>' run: nix-env -i statix nixpkgs-fmt -f '<nixpkgs>'


@ -9,20 +9,19 @@
# copying one key to each machine # copying one key to each machine
keys: keys:
- &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
- &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
- &dns01 age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - &dns01 age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
- &dns02 age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - &dns02 age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
- &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
- &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
- &shodan age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
creation_rules: creation_rules:
- path_regex: .*\.sops\.yaml$ - path_regex: .*\.sops\.yaml$
key_groups: key_groups:
- age: - age:
- *nixosvm
- *nixosvm2
- *dns01 - *dns01
- *dns02 - *dns02
- *citadel - *citadel
- *rickenbacker - *rickenbacker
- *shodan
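Review bot: Adding `*shodan` to the single `.*\.sops\.yaml$` rule makes the new node a recipient of every secret in the repository, including the `cloudflare-dyndns` token re-encrypted in this commit, even though its host config only enables openssh, cockpit and podman. Split `creation_rules` by path so each host key is listed only for the files that host consumes, for example `- path_regex: <per-host path>/.*\.sops\.yaml$` with its own `key_groups`. Dropping `nixosvm` and `nixosvm2` stops future encryption to them, but earlier revisions in git history remain decryptable with those keys. The underlying secrets should be rotated unless the old keys are known to be destroyed.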

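--- a/.vscode/module.code-snippets
+++ b/.vscode/module.code-snippets
@@ -0,0 +1,27 @@
+{
+"nix-module": {
+"prefix": "nm",
+"body": [
+"{ lib",
+", config",
+", pkgs",
+", ...",
+"}:",
+"with lib;",
+"let",
+" cfg = config.mySystem.${1}.${2};",
+"in",
+"{",
+" options.mySystem.${1}.${2}.enable = mkEnableOption \"${3}\";",
+"",
+" config = mkIf cfg.enable {",
+"",
+" $4{}",
+"",
+" };",
+"}",
+""
+],
+"description": "nix-module"
+}
+}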

docs/tips.md Normal file

@ -0,0 +1,4 @@
* Dont make conditional imports (nix needs to resolve imports upfront)
* can pass between nixos and home-manager with config.homemanager.users.<X>.<y> and osConfig.<x?
* when adding home-manager to existing setup, the home-manager service may fail due to trying to over-write existing files in `~`. Deleting these should allow the service to start


@ -179,6 +179,21 @@
"type": "github" "type": "github"
} }
}, },
"nur": {
"locked": {
"lastModified": 1712033433,
"narHash": "sha256-iHEU6YnoQAA7odXmUjKzRBVh9Dwa/k9ptCDo4b0wQL8=",
"owner": "nix-community",
"repo": "NUR",
"rev": "4c166e425d61650861a412af9afaae5b749d5781",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "NUR",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
@ -187,6 +202,7 @@
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },


@ -6,6 +6,9 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
# nur
nur.url = "github:nix-community/NUR";
# nix-community hardware quirks # nix-community hardware quirks
# https://github.com/nix-community # https://github.com/nix-community
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@ -177,6 +180,21 @@
]; ];
}; };
"shodan" = mkNixosConfig {
# Rpi for DNS and misc services
hostname = "shodan";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-generic-x86.nix
];
profileModules = [
./nixos/profiles/role-server.nix
{ home-manager.users.truxnell = ./nixos/home/truxnell/server.nix; }
];
};
}; };
@ -228,10 +246,9 @@
}; };
in in
{ {
rickenbacker = mkDeployConfig "rickenbacker" self.nixosConfigurations.rickenbacker;
dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01; dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01;
dns02 = mkDeployConfig "10.8.10.10" self.nixosConfigurations.dns02; dns02 = mkDeployConfig "10.8.10.10" self.nixosConfigurations.dns02;
shodan = mkDeployConfig "10.8.20.33" self.nixosConfigurations.shodan;
# dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02; # dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02;
}; };
@ -246,11 +263,8 @@
nixtop = nixpkgs.lib.genAttrs nixtop = nixpkgs.lib.genAttrs
(builtins.attrNames inputs.self.nixosConfigurations) (builtins.attrNames inputs.self.nixosConfigurations)
(attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel); (attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel);
hometop = nixpkgs.lib.genAttrs
(builtins.attrNames inputs.self.homeConfigurations)
(attr: inputs.self.homeManagerConfigurations.${attr}.activationPackage);
in in
nixtop // hometop; nixtop;
}; };
} }
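Review bot: The comment on the new `shodan` entry, `# Rpi for DNS and misc services`, contradicts `system = "x86_64-linux"` and `hw-generic-x86.nix` and looks copied from a DNS host. Going by the commit message it should read something like `# x86 test node (podman/cockpit)`. The new `nur` input pulls in user-contributed package sets that do not go through nixpkgs review. The lock file pins a revision, so each lock bump is worth a look at what changed in the repos actually consumed (`rycee.firefox-addons` in the Firefox profile).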


@ -6,6 +6,7 @@
imports = [ imports = [
./shell ./shell
./programs ./programs
./security
]; ];
options.myHome.username = lib.mkOption { options.myHome.username = lib.mkOption {


@ -13,7 +13,8 @@ in
{ {
options.myHome.programs.firefox.enable = mkEnableOption "Firefox"; options.myHome.programs.firefox.enable = mkEnableOption "Firefox";
config = mkIf cfg.enable { config = mkIf cfg.enable
{
programs.firefox = { programs.firefox = {
enable = true; enable = true;
@ -31,9 +32,14 @@ in
]; ];
}; };
}; };
}; policies = import ./policies.nix;
profiles.default = import ./profile-default.nix { inherit pkgs; };
}; };
};
} }


@ -0,0 +1,20 @@
{
DisableTelemetry = true;
DisableFirefoxStudies = true;
EnableTrackingProtection = {
Value = true;
Locked = true;
Cryptomining = true;
Fingerprinting = true;
};
DisablePocket = true;
# DisableFirefoxAccounts = true;
# DisableAccounts = true;
# DisableFirefoxScreenshots = true;
# OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DontCheckDefaultBrowser = true;
DisplayBookmarksToolbar = "never"; # alternatives: "always" or "newtab"
DisplayMenuBar = "default-off"; # alternatives: "always", "never" or "default-on"
SearchBar = "unified"; # alternative: "separate"
}


@ -0,0 +1,39 @@
{ pkgs }:
{
id = 0;
name = "default";
isDefault = true;
settings = {
"browser.startup.homepage" = "https://search.trux.dev";
"browser.search.defaultenginename" = "whoogle";
"browser.search.order.1" = "whoogle";
"browser.search.suggest.enabled.private" = false;
# 0 => blank page
# 1 => your home page(s) {default}
# 2 => the last page viewed in Firefox
# 3 => previous session windows and tabs
"browser.startup.page" = "3";
"browser.send_pings" = false;
# Do not track
"privacy.donottrackheader.enabled" = "true";
"privacy.donottrackheader.value" = 1;
"browser.display.use_system_colors" = "true";
"browser.display.use_document_colors" = "false";
"devtools.theme" = "dark";
"extensions.pocket.enabled" = false;
};
search = import ./search.nix { inherit pkgs; };
extensions = with pkgs.nur.repos.rycee.firefox-addons; [
ublock-origin
bitwarden
darkreader
vimium
languagetool # setup against my personal language-tools
privacy-badger
link-cleaner
refined-github
];
}
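Review bot: Several prefs are given as strings where Firefox expects a boolean or integer: `"privacy.donottrackheader.enabled" = "true"`, `"browser.display.use_system_colors" = "true"`, `"browser.display.use_document_colors" = "false"` and `"browser.startup.page" = "3"`. Home Manager serialises the Nix value with its type, and Firefox is likely to ignore a user pref whose type does not match the built-in one, so the Do Not Track setting may silently stay off. Write them unquoted (`true`, `false`, `3`), as the neighbouring `"browser.send_pings" = false;` already does.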


@ -0,0 +1,60 @@
{ pkgs }:
{
force = true;
default = "whoogle";
order = [ "whoogle" "Searx" "Google" ];
engines = {
"Nix Packages" = {
urls = [{
template = "https://search.nixos.org/packages";
params = [
{ name = "type"; value = "packages"; }
{ name = "query"; value = "{searchTerms}"; }
];
}];
icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@np" ];
};
"Nix Options" = {
urls = [{
template = "https://search.nixos.org/options";
params = [
{ name = "query"; value = "{searchTerms}"; }
];
}];
icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@no" ];
};
"Home-Manager Options" = {
urls = [{
template = "https://home-manager-options.extranix.com/";
params = [
{ name = "query"; value = "{searchTerms}"; }
];
}];
icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@nhmo" ];
};
"NixOS Wiki" = {
urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
iconUpdateURL = "https://nixos.wiki/favicon.png";
updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = [ "@nw" ];
};
"KubeSearch" = {
urls = [{ template = "https://kubesearch.dev/#{searchTerms}"; }];
iconUpdateURL = "https://kubernetes.io/images/wheel.svg";
updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = [ "@ks" ];
};
# "Searx" = {
# urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }];
# iconUpdateURL = "https://nixos.wiki/favicon.png";
# updateInterval = 24 * 60 * 60 * 1000; # every day
# definedAliases = [ "@searx" ];
# };
"Bing".metaData.hidden = true;
"Google".metaData.alias = "@g"; # builtin engines only support specifying one additional alias
};
}
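Review bot: `default = "whoogle"` and `order` name engines that `engines` never defines: there is no `"whoogle"` entry and `"Searx"` is commented out. With `force = true` Firefox will presumably fall back to a built-in engine rather than the self-hosted one. Add the missing entry, e.g. `"whoogle" = { urls = [{ template = "<whoogle base URL>/search?q={searchTerms}"; }]; definedAliases = [ "@w" ]; };`. Separately, the three `icon = "''${pkgs.nixos-icons}/…"` lines are double-quoted strings, where `''` is not an escape, so each path starts with two literal apostrophes; drop the `''`.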


@ -0,0 +1,5 @@
{ ... }: {
imports = [
./gnome
];
}


@ -0,0 +1,41 @@
# Adjusted manually from generated output of dconf2nix
# https://github.com/gvolpe/dconf2nix
{ lib
, pkgs
, osConfig
, ...
}:
with lib.hm.gvariant; {
config = lib.mkIf osConfig.mySystem.de.gnome.enable {
# add user packages
home.packages = with pkgs; [
dconf2nix
];
# worked out from dconf2nix
# dconf dump / | dconf2nix > dconf.nix
# can also dconf watch
dconf.settings = {
"org/gnome/mutter" = {
edge-tiling = true;
workspaces-only-on-primary = false;
};
"org/gnome/desktop/wm/preferences" = {
workspace-names = [ "sys" "talk" "web" "edit" "run" ];
};
"org/gnome/shell" = {
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" ];
};
"org/gnome/nautilus/preferences" = {
default-folder-viewer = "icon-view";
};
"org/gnome/nautilus/icon-view" = {
default-zoom-level = "small";
};
};
};
}


@ -1,5 +1,6 @@
{ ... }: { { ... }: {
imports = [ imports = [
./browsers ./browsers
./de
]; ];
} }


@ -0,0 +1,5 @@
{ ... }: {
imports = [
./ssh
];
}


@ -0,0 +1,25 @@
{ config
, pkgs
, lib
, ...
}:
with lib; let
cfg = config.myHome.security.ssh;
in
{
options.myHome.security.ssh = {
enable = mkEnableOption "ssh";
matchBlocks = mkOption {
type = types.attrs;
default = { };
};
};
config = mkIf cfg.enable {
programs.ssh = {
inherit (cfg) matchBlocks;
enable = true;
# addKeysToAgent = "yes";
};
};
}


@ -23,7 +23,8 @@ in
extraConfig = '' extraConfig = ''
local wez = require('wezterm') local wez = require('wezterm')
return { return {
-- https://github.com/wez/wezterm/issues/2011
enable_wayland = false,
color_scheme = "Dracula (Official)", color_scheme = "Dracula (Official)",
check_for_updates = false, check_for_updates = false,
window_background_opacity = .90, window_background_opacity = .90,


@ -10,6 +10,47 @@ with config;
myHome.shell.fish.enable = true; myHome.shell.fish.enable = true;
myHome.shell.wezterm.enable = true; myHome.shell.wezterm.enable = true;
myHome.security = {
ssh = {
enable = true;
matchBlocks = {
citadel = {
hostname = "citadel";
port = 22;
identityFile = "~/.ssh/id_ed25519";
};
rickenbacker = {
hostname = "rickenbacker";
port = 22;
identityFile = "~/.ssh/id_ed25519";
};
dns01 = {
hostname = "dns01";
port = 22;
identityFile = "~/.ssh/id_ed25519";
};
dns02 = {
hostname = "dns02";
port = 22;
identityFile = "~/.ssh/id_ed25519";
};
pikvm = {
hostname = "pikvm";
port = 22;
user = "root";
identityFile = "~/.ssh/id_ed25519";
};
helios = {
hostname = "helios";
user = "nat";
port = 22;
identityFile = "~/.ssh/id_ed25519";
};
};
};
};
home = { home = {
# Install these packages for my user # Install these packages for my user
packages = with pkgs; [ packages = with pkgs; [
@ -19,6 +60,8 @@ with config;
brightnessctl brightnessctl
prusa-slicer prusa-slicer
bitwarden bitwarden
yubioath-flutter
yubikey-manager-qt
bat bat
dbus dbus
@ -28,6 +71,7 @@ with config;
python3 python3
fzf fzf
ripgrep ripgrep
flyctl # fly.io control line
]; ];


@ -101,7 +101,7 @@
# TODO Harden SSH # TODO Harden SSH
services.openssh.enable = true; services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [ users.users.truxnell.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
]; ];
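Review bot: Moving the key from `root` to `truxnell` only narrows access if root and password logins are actually refused, and the hunk still shows `# TODO Harden SSH` above a bare `services.openssh.enable = true;`. Add `services.openssh.settings.PermitRootLogin = "no";` and `services.openssh.settings.PasswordAuthentication = false;` next to it. The rest of the file is outside the hunk, so these may already be set elsewhere. Host files in this commit also show `security.wheelNeedsSudoPassword = false;`, so if that applies here this key is still effectively a root credential.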


@ -14,6 +14,11 @@
security.wheelNeedsSudoPassword = false; security.wheelNeedsSudoPassword = false;
}; };
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
networking.hostName = "citadel"; # Define your hostname. networking.hostName = "citadel"; # Define your hostname.
fileSystems."/" = fileSystems."/" =


@ -11,6 +11,7 @@
services.openssh.enable = true; services.openssh.enable = true;
security.wheelNeedsSudoPassword = false; security.wheelNeedsSudoPassword = false;
}; };
mySystem.services.traefik.enable = true;
# TODO build this in from flake host names # TODO build this in from flake host names
networking.hostName = "rickenbacker"; networking.hostName = "rickenbacker";


@ -0,0 +1,59 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config
, lib
, pkgs
, ...
}: {
imports = [
];
mySystem.services = {
openssh.enable = true;
cockpit.enable = true;
podman.enable = true;
};
boot = {
initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
# for managing/mounting ntfs
supportedFilesystems = [ "ntfs" ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
# why not ensure we can memtest workstatons easily?
grub.memtest86.enable = true;
};
};
networking.hostName = "shodan"; # Define your hostname.
networking.useDHCP = lib.mkDefault true;
fileSystems."/" =
{
device = "/dev/disk/by-uuid/2e843998-f409-4ccc-bc7c-07099ee0e936";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/0ae2765b-f3f4-4b1a-8ea6-599f37504d70"; }];
}
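Review bot: `grub.memtest86.enable = true;` has no effect on this host, because the loader block enables `systemd-boot` and never enables GRUB. The systemd-boot option is `systemd-boot.memtest86.enable = true;`. The header is still the stock `configuration.nix` text and `imports = [ ];` is empty. A one-line comment saying what this host is for would be more useful, e.g. `# shodan: x86 test node running cockpit and podman`.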


@ -0,0 +1,49 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
# let
# cfg = config.mySystem.xx.yy;
# in
{
imports = [
./traefik
];
options.myLab.containers.fileRoot = mkOption {
type = lib.types.str;
description = "root file path for containers";
default = "/persistence/containers/";
};
# Email
options.myLab.email.adminFromAddr = mkOption {
type = lib.types.str;
description = "From address for admin emails";
default = "";
};
options.myLab.email.adminToAddr = mkOption {
type = lib.types.str;
description = "Address for admin emails to be sent to";
default = "admin@trux.dev";
};
options.myLab.email.smtpServer = mkOption {
type = lib.types.str;
description = "SMTP server address";
default = "";
};
config = mkIf cfg.enable {
# CONFIG HERE
myLab.email.adminFromAddr = "admin@trux.dev";
myLab.email.smtpServer = "dns02"; # forwards to maddy relay
};
}
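Review bot: `config = mkIf cfg.enable { … }` refers to `cfg`, but the `let cfg = …; in` block above it is commented out, so evaluating this module should fail with an undefined variable once it is imported. A later section of this commit adds `./containers` to an imports list. Either apply the two `myLab.email` values unconditionally with `config = {`, or declare a real enable option and restore the `let`. The `# CONFIG HERE` placeholder can go in either case.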


@ -0,0 +1,84 @@
{ config, lib, vars, networksLocal, ... }:
let
internalIP = "0.0.0.0"; # TODO fix
directories = [
"${config.myLab.containers.fileRoot}/traefik"
];
files = [
"${config.myLab.containers.fileRoot}/traefik/acme.json"
];
cfg = config.myLab.containers.traefik;
in
{
options.myLab.containers.traefik.enable = lib.mkEnableOption "Traefik container";
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 9091 ];
sops.secrets.authelia-jwt = { owner = config.systemd.services.authelia-default.serviceConfig.User; };
sops.secrets.authelia-sek = { owner = config.systemd.services.authelia-default.serviceConfig.User; };
services.authelia.instances.default = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets.authelia-jwt.path;
storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
};
settings = {
log.level = "debug";
theme = "dark";
default_2fa_method = "totp";
default_redirection_url = "https://passport.notohh.dev/";
authentication_backend = {
file.path = "/var/lib/authelia-default/user.yml";
};
session = {
domain = "notohh.dev";
expiration = 3600;
inactivity = 300;
};
totp = {
issuer = "authelia.com";
disable = false;
algorithm = "sha1";
digits = 6;
period = 30;
skew = 1;
secret_size = 32;
};
server = {
host = "0.0.0.0";
port = 9091;
};
access_control = {
default_policy = "deny";
rules = [
{
domain = "notohh.dev";
policy = "bypass";
}
];
};
regulation = {
max_retries = 3;
find_time = 120;
ban_time = 300;
};
notifier.filesystem = {
filename = "/var/lib/authelia-default/notif.txt";
};
storage.postgres = {
host = "192.168.1.211";
port = 5432;
database = "authelia";
schema = "public";
username = "authelia";
password = "authelia";
};
};
};
};
}
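Review bot: `password = "authelia";` under `storage.postgres` puts a database credential into `settings`, which lands in git and in the world-readable Nix store, while the JWT and storage-encryption keys just above already come from sops. Supply it from a secret file instead, e.g. `environmentVariables.AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = config.sops.secrets.<secret-name>.path;`, and delete the `password` line. The block also looks copied from another deployment: `notohh.dev`, `192.168.1.211` and the `policy = "bypass"` rule need replacing before this is enabled. `log.level = "debug"` together with `host = "0.0.0.0"` and the opened port 9091 is wider than a service meant to sit behind a proxy needs. The option is named `traefik` but the module only configures Authelia.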


@ -10,13 +10,17 @@ let
in in
{ {
options.mySystem.de.gnome.enable = mkEnableOption "GNOME"; options.mySystem.de.gnome.enable = mkEnableOption "GNOME";
options.mySystem.de.gnome.systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
options.mySystem.de.gnome.gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Ref: https://nixos.wiki/wiki/GNOME # Ref: https://nixos.wiki/wiki/GNOME
# GNOME plz # GNOME plz
services.xserver = { services = {
xserver = {
enable = true; enable = true;
displayManager = displayManager =
{ {
@ -33,6 +37,42 @@ in
layout = "us"; # `localctl` will give you layout = "us"; # `localctl` will give you
}; };
udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
};
# systyray icons
# extra pkgs and extensions
environment = {
systemPackages = with pkgs; [
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
pamixer # gcsconnect volume control
gnome.gnome-tweaks
gnome.dconf-editor
# This installs the extension packages, but
# dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
gnomeExtensions.vitals
gnomeExtensions.caffeine
gnomeExtensions.spotify-tray
gnomeExtensions.dash-to-dock
]
++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
};
# enable gsconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = mkIf
cfg.gsconnect
{
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
# GNOME connection to browsers - requires flag on browser as well # GNOME connection to browsers - requires flag on browser as well
services.gnome.gnome-browser-connector.enable = lib.any services.gnome.gnome-browser-connector.enable = lib.any
@ -48,6 +88,7 @@ in
# TODO tidy this # TODO tidy this
# port forward for GNOME when using RDP***REMOVED*** # port forward for GNOME when using RDP***REMOVED***
# for RDP TODO make this a flag if RDP is enabled per host
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
3389 3389
]; ];
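Review bot: `gsconnect` is declared with `// { default = true; }`, and the comment on `programs.kdeconnect` notes that enabling it opens the required firewall ports, so every host that turns on GNOME now accepts KDE Connect traffic without opting in. Port 3389 is likewise opened unconditionally, which the new TODO acknowledges. Default the option to off with `options.mySystem.de.gnome.gsconnect = mkEnableOption "gsconnect (KDE Connect for GNOME)";` and gate 3389 behind its own per-host option. `mkEnableOption` already prefixes "Whether to enable", so the current strings render as "Whether to enable Enable …".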


@ -6,6 +6,7 @@
./browser ./browser
./de ./de
./editor ./editor
./containers
./hardware
]; ];
} }


@ -0,0 +1,5 @@
{
imports = [
./nvidia
];
}


@ -0,0 +1,62 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.hardware.nvidia;
in
{
options.mySystem.hardware.nvidia.enable = mkEnableOption "NVIDIA config";
config = mkIf cfg.enable {
# ref: https://nixos.wiki/wiki/Nvidia
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
# This is for the benefit of VSCODE running natively in wayland
environment.sessionVariables.NIXOS_OZONE_WL = "1";
hardware.nvidia = {
# Modesetting is required.
modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = false;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = false;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
# Currently alpha-quality/buggy, so false is currently the recommended setting.
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
};
}
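Review bot: Nothing in this module selects the driver. The wiki page referenced at the top pairs `hardware.nvidia` with `services.xserver.videoDrivers = [ "nvidia" ];`, and unless another module sets that, the options below are not applied. Add that line inside `config`. `nixpkgs.hostPlatform` and `NIXOS_OZONE_WL` are host and session settings rather than GPU settings, and would be easier to find in the host or desktop profile.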


@ -1,70 +1,61 @@
system: system:
networking: networking:
#ENC[AES256_GCM,data:y2k8WKDdMW/+lCc7OnJTPd21DZFkjXqRSDRuIHTvN3p8AZ0KB0ERjf5/Fzpgq9wRjktcGMfFRzl9AaLN0DNXLseV5hoeX8pzXrZddA==,iv:hMuTiccA2PSUKGK5bZ9YCGHYgj58+TMbid7/FOXqK6A=,tag:B9A3H4ssQsi3aD/bUvh8IA==,type:comment] #ENC[AES256_GCM,data:UGDccdo5xL48r9VxuaY9QR2jfIdVZ0EZ84SKRO8dyZe7SIhvFUpX2tCEzVUMNPuDgXqoBSvWOP9WTEveunH56GknlOQdhZOYMb7T9Q==,iv:PLaSHpZRCu5xNsmWtz5UY+nTGGPow1YLppKZiZJz/9c=,tag:cePl/udz3BNSjVPqGVpmLg==,type:comment]
cloudflare-dyndns: cloudflare-dyndns:
apiTokenFile: ENC[AES256_GCM,data:AQA6X+GoPgudn+qwGpNnX3PmWNfgYFuvYGbthoOXPTiAs54oPrH6XGyFjGS5skqe9vypjPbl/Zj+z8q4rLGKrZt9cgF5JywoS2pyjscDW9QI74mAS6bcH8eJ/PMLopDYybKEMS8w1cMeGP5J46Uhg2HLJA==,iv:vjzMXBt9NbFcoqzpew/s/h1OXNWEnDLY0JuyASvbojM=,tag:8Ca+0ieZUZ9Wk9Q2UigF0A==,type:str] apiTokenFile: ENC[AES256_GCM,data:6CggP0liJTWfD9HnpD6ALf7a9smRNEbuOYsyU6HnFqDtZj4U/mYzG+9fAv/SM+DYl7eSCdF2xzINyAbAVl6j8g2utEkRiitGEVv29vaQSpIBUFrjl4vJgw/AyXdB9r5fR6XXpc6baeO3ctsjaUmlgRxGmQ==,iv:YYh5sZVwJVKKnuTEbNujm3yL16gfL98pEnwU9ZX8618=,tag:162cpSSAdAZoOiAwPbFlTg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eHR0VlFlL21SNzJJQ2F0
UUJ3Vy9mem0veTJlV3FKbVNGd1htRHNOQkI4Ckd3QXk5bVR0WmNkaXZUZXBZY0px
NTJJZ3NKRDBLZTRJd2xOZ0pBazk2SFEKLS0tIG1zQTlCcUFSUUthaUxLeHlyZWpQ
NXBYeUx6bmYwSXFrZlNmZitYM1ZlK28KvKU5iig3qg1tGOX8jDsXjXJ9ly8cP+4y
tcsCDuQWxiJ2v2U4FD47iRs2IfxZadYGJM2nOToOKHnuTTSpvNXAVQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZzEyRkZZbTcvOVRLU3JH
bWZ4eXdUZlAxQjNkN2c1SzNiQVdkWU1FR24wClYwVjdGYm1xditOYWxIMGNmVDFr
cXZLdHhqOS9yNHEzQ29aKzVCNU5uMWMKLS0tIHoveWJmcS80MENxSnVXNlpJN0lx
bFNWU3dUTXFkMDZaWjUxWVlVd2x6dkUKKEBaUX/euYu9VEzhudWs4PUb+xVvpjQQ
GoOcFJvp+A60X2pK5mDxzgyWWudr+ZjiQNn3A/6XE4KfLhzmmI5Bsg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSkNCTFZaSTYyYjRwN0lP YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORnZQZEI2VU9tdEQ1VkZw
Qzd4R3krZVJlREtueHlqUTBPRTNhcU5ORVNzCmdkYWFUQWRNajB4UEc3bzA2anIr aFFxaThqS2VWVVljejNxNVovMHlNc2ZUdUNvCktyT1pTRGpSK1N3MXpMNFZuVVhL
cm92alRQUWI0UDR2T0c5OTVhZ1hRQ0UKLS0tIFkxUHl1c3psYU1CTUI2NEpmL1hR UCtINGo3SDhSNmwyRkEzVGNTVVFlTE0KLS0tIDhvaFk0SVdHNFlhRkxEb0hLdkdu
VnVacXZDQ3UyR1VoVGVQUzdteDRXRUUKkK9LP5sCjS2t2M+tftUqBh8jqwjmfKU6 QTFCVUg5VzJzOUlRcFBlR0puNGVGNlUKpdSYWZZPKq1Vw0pR8suOqqgzxDzKWaMx
HsIaMzELohiV5/91iq5FlIArQe7F5KFQfY3vRfYuh26I6zgqvVUlrA== Aft/TpSuS8m6603HlTw3LUyBOnIYJCFFsGJqVBF6Q1z6U4FPAfNnlA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NEJjblpGK2dGMmJ6OHBu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUzNqQ1U2aWV3WUVUZDdD
bnc0dUg0dXJROUMvQW1mOEcyWlpqb3BzUGc4CjdmT1FkaTdsRndGUXlod1cwSnpm eXNhQUlBdGRndVJ1NXdXZlBNb0VvNzlFYnd3CjlRRm1FWTljL0VMbTB4M21HVDY3
OFNLcjc3NlpPY2ZOMm55Y0ZFSjVpelkKLS0tIDVZV2hmMG1Qd0g1dXFEY0x0ZmhC Y2oyTG50SUtIT29OZjhiZi83OCtpNm8KLS0tIFNYMkErVDFhTHhOVndQdUFHWUxZ
Y3NleUZ2azM0amdHRlplSGtvcWowd1kK+PNq8czpnC5zfwET60aQkNdcUwQopZ9W bG0xMG9heitnUGFNdk5ITWhKNERZbDgKX23jlQyLus3FzDQ55hIyUqqwlLbPeKxV
nUX+QutTCdFoWoCKGsoQK42uXWQheHNtoPT258s2+8SBtdwLIckHgQ== LJHaDfO4IOzIGrWFCwQZpCa8ZgQzUmnpqKZqvdTZuXibZEoyjV6GUA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0T25vdlB1VGFBVGdYd3k4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUFRMZHIyY3lFeVNnenky
em42STFmdU9tZW9vVCtTZlBqOFZnUzFHYlZJCnJuSGk0cGlOSkQ1VzlRZ0ZONmlx bG1hdXoxSXo2akR1bGlHSHNZbzFOMGE3cW1FCjdzZUYzRFZrcXZvcTNSc3V5TE5n
bXNkQ0hCaFBrMmt3dXZ2dXZzN09UVGsKLS0tIHo5bnVxcWEyQ2JkMk9qK1pxVW1S T01Tem9oVDdYRlBST2tNNUpZTENOTkkKLS0tIENUdmxBajZpbFRoNXZzRVlvOVpJ
ZnJ0R0hDVDU4WDFVS1Jka0h3b0R4bjAKcJ88Yzxn2HTqEEu0ujVMZGXJpc9jbypI MnlaMHpGUGo1WmVMb2FsZ0o2Q3NuKzQK7n+HqB+7K6drnkNyc863wTfoohk90uWx
hlsDzMESTAlrZx7ZmI+nJw36RolDPRTfteHJFGI8LEx6zGXLcBp3LQ== ehuz7kmZcdnwxpMX6hV2ynUumcVEqfR+jiUuF/eBpuPRQy/eejVm4Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbmdMeGUxaGN1cTFXVlFV YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSExpSE1hUldqSnJoRDBj
dElYSkVMTm9DMGFLTDRLYzRGQ1dGaUFHSzNRCjk0bkprSHpsUjRRdnNaeWpTbG0y L2xROXd3U2EvZ0xoek8ra1RqdVdaK2s5Q2dZCmdVWmJrZTc3Nis2L0NkSlJQK1pq
T3BKK1h6VWNCMC96Y3lyQ1ZRcW9mL0kKLS0tIG5GaTI5MVkwMkNEWWcvbmZGanYz RmZ3aHU4YVlNcUVEemJsWGNjbEVIdUkKLS0tIEJDcmFmRUtjL3ltUjZKRmMyWW1O
VWIybGRha1dWWUdsaWIxOXRLZkVFNlUKLEQI3HO/7Ia7GoOJOKJVbYkDrevqh7m7 VHZzVVZycld5alhKaC9BQ2dweVIweHMKF/qVYH7yvmFBVDyHb1PwJrHyP9Iq1HEg
hjMjnl4RnrcFwq46NuYyruTartHqRPBUHyXdoiMfeHNQQ7QP8A5ZHA== EfiDfZK2acYkW3GsUmH0qS5v55RswYnEg+iiSMNn+Ii6mfI65bVVYw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-30T01:29:21Z" - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
mac: ENC[AES256_GCM,data:8Z5udmxrut2IxaP9kjP7px8CoQYNBIwIhafCWC8y1+LzOJWdITIfL3S/gW8O3xIH27gS0y2CsBSFf3fB9kF0JPapnCMLwNtA/oqNdSqx4p0Jev3mdtfaboF1kGShuDiYUIhMRVk/eiDtNojakVJiMxZzEtdo5YbgRXlfbYw6gTQ=,iv:UHOH6pAVf3VBtVvGn0HijmhbPWv6d64EESMRJkXC48o=,tag:EJfBjV6qZfGNxyCU9XzuHA==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaTNSWHM1eU92T2VMOXZD
b0R5Z2x3WloxOFhyMmkwQXp4U3lNM2xiZHhrCm9mcURMSmtUZ3VHd3lDbnp5dVVR
dHJyMkFBODMvbkpzUVl4ZUtxWmIrS1kKLS0tIHJTZ1FaYmlzUEhHWHVaWTVIRC9o
MGJLdkJpTkFGclRSZlBOOTVKd3BOa2sKbRf0BdD35bZpr8ESX1+NZ6rWxdI+x7fo
A6cIx6j8fVXvsKEipO3r4wSTqWhnY+DMzH9ZPGE5J74sx98DYVm6ig==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-01T00:26:19Z"
mac: ENC[AES256_GCM,data:U21XeE4vqc96mBq1qmjpMfDZVJZQEXwpHTEjVd4lmbam8XTv5kxK8zYWlDN8WTMqKeYHnInvEdmKnXL+NDt6lDjoDl/97/dUoWJ2xNTBOlJb6C2n11GE+ppzgZBQMj9oWr5IuQ8jiSfTYOF3/zT/sh8SSWmooQ2CrS/B3PyjmwA=,iv:9+Na88c3woPLZcawxH+mFg03Hf8oCaILdRya1CwRMEQ=,tag:eDuSLJtkLzvk+N1ncc/jwQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -0,0 +1,21 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.services.cockpit;
in
{
options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit";
config = mkIf cfg.enable {
services.cockpit.enable = true;
services.cockpit.openFirewall = true;
};
}
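Review bot: `services.cockpit.openFirewall = true;` is hard-wired, so enabling this module always exposes the Cockpit web console on every interface, and that console accepts system-account logins. Make exposure a separate choice with `options.mySystem.services.cockpit.openFirewall = mkEnableOption "opening the Cockpit port in the firewall";` and `services.cockpit.openFirewall = cfg.openFirewall;`. Hosts that leave it off can reach Cockpit through an SSH tunnel or the reverse proxy.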


@ -5,5 +5,9 @@
./cloudflare-dyndns ./cloudflare-dyndns
./maddy ./maddy
./dnscrypt-proxy2 ./dnscrypt-proxy2
./cockpit
./podman
./traefik
./nfs
]; ];
} }


@ -1,69 +1,60 @@
system: system:
networking: networking:
dnscrypt-proxy2: dnscrypt-proxy2:
forwarding-rules: ENC[AES256_GCM,data:qM6Y19pynqVruwgV7KhRfS1klhsZChZqpVxx0mV1PXSAyTf+9uiVCmpst7ZYIOzOeri4DnG2Pi1L2aOs93tsH7UnbLyKMs0qHO0y5T30clzBclw+VmjGUXJ3iwX0vL9o3fYXZ/WEfZd1vclgKqJmjwNIhqXdf+iYwm/Vlhe6Ib1cb8qUh3H0QqSARwmPw+5ffPjTBRdp+MAu8ZH+9s0lbXipk1l/YoBsd0qs6ID1D8ahTXLaUKabuE4a462Qjat0cx7b88Psam/AxqQXTbujCxAbO9t6rzPgTW79GURoIVddoURPEfWUX+7125RH4bHHZd4dQWPee1d89ikmPIG65x6mGRlI073gGP07x+uNXyvcQVG4GabiJ1xOzlnzT5obySYuH/JKhYMR8meTCQGQKJyCaFjPfOWQYkEHt8xd4/hg3zlC8H+a44th9tNadif0rys3LSx+ltyyEbYyqU6U5vs=,iv:ApcoDgN5uLjqFmWbYZoL21GlKkUwkqRcVxXm20/q8GI=,tag:TxYTmEGcf+183CyzH5cfiQ==,type:str] forwarding-rules: ENC[AES256_GCM,data:I2MOqXfru2V2NDcrMfy8rwjIHKjt8ujk0GpGZRZgPRJv76P0jONja4Ft2b5j53CaM0A0dYHKc4A8ZbZgNzesVEvb5TK+wtQXziST7phRpJOpVPZjgHw3H8HD0l6mX7UmnIbv69e85UELG8Mv3DW7cRHCReelmec27+JNjhjhGUuyiNLdRxCS59D8P3p5Tdci1gMclbeXv+qv2VlWq8eIGMc5w6+0F4vVA9lhGUmWQLORtFOPLSmBn9xtx1R2Bm/itAzG+qJngAaF6o1Zm+lHvCydaddF/YJnsxk+EzwLS2RCb3+noE8cyS3S+eVCpSFmrtYB1MNREEZpBA+fXdkqSKVsNwCUgo2WJY78bPocNwQB9D/kuTnvILba8bC1pVdUH+xo0Ww7LS7j5+bp7xs9qwC9FRKgYKNReSoQn993R8n6VlqtJyqFLXtL55yIp+HSlu16jFiDP4rGjZtkxLQ21Y4=,iv:Jk4JLRzBYEIhoxgsRMXjvDNHVinuR0xjxTVTvED6lFo=,tag:4ILaKfjKM1r6MhYrOyU+Jg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c2dSOEIrUUtpbFNUb3Rj
TlIyOU9EQlJCVTB4WFNjWDAwVGVpMUluV25vCnpvaXVqckIrUit6Q2NGb3Q5bnF0
ZG9JRy9VdVRLS0J3Vys4UEFZcndRU28KLS0tIGlIcFpMYXIzOEVBZ3cvbVJ2MFBl
cWtPNHRmSDNUVXJ3NUVPN3crYUVRREEKQxhNUNBYizl6qNo/JKdHeOLAn6/V2xfA
sHtn9fq0lhpWQ5oaSUOP9GHZVhEkP+fRJfK+QULEiR52zr2pYj8jMA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrajZoNzE4VWhCK0E3aHNq
RUZ0TFFMejNjUmhSS2lZQnR0RHhZUzAwcERNCndUYnFPZnhuelptVUNaUWdkTWFk
R05mcXE3REcrNEJndGphTXhESW8vam8KLS0tIFMzSXFBUEY4N0d5eWN3b3IvQnFV
K21tS3FnbWZsRHVyZHI5d1NyN3c0b0kKfHq1QUZwgmIA/3cHOJuTWN99hwm2kI1p
emBoeNukVvjOgqUCEBG/O4GMHlc6BmmimnSiULg65eIyFEAdLOsBOA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZVExakR2VUVCODVoZ0tm YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbkZmSGlyMTJ6RjlGWENX
WnBsNXdjTXVRejFBUzVLN0s3aGgzV2pJb2pzCmpTdnhpb2h0c25TdDBSemxHS2xh SUc3SU1MbGZMVmRuUWJIb2xQQlA5UFdGeDBZCmp3Y2o1Lzc4TnR4RXJTa1Rxdk5w
ekR0QlJLUk9JY3VqTzJVSWdZa0UrYW8KLS0tIGFjVmxDbjdXdHptK1RxZCtxcDFR LzFFbUx2Q25QZUk3bklDVEVOajdPYk0KLS0tIHlBalM2RlFKQ1NKNFZHVXFUQWtV
NUxNNUtkQzlvTHhadS9JelFOSWI4ODQKdFjY8uyoOrRXa37M3d6qqY5zsB6UxOLv VDNnQkp6ZTkwSW1peXJJTVN6TGtxYVkKDCpef2RICaAf1mSkW9V8i7siPP+gXa5r
d/hfiFATBbGGdj5B3AyQV8yIWTBt+k9og7wh8GVhzrkje5eJx3qMqA== SNOlY5EDDU9wQ54GEWJHMz7kzaAAPQH4hXz1JdoO+Z2P2yr7pLdjAg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OGxhc054cTh1VU55eUtE YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVk5jeklpdEhLTERqWnhO
aklYUVI3RUhYdy9WdzhMV2dkU0FYZi9uakEwCkFPQ2lVeDNEcXVvRUV2czI5M1dS ZkZsRytWNk1MUlBrSW8xTlpOOW5xWUZlbnpZClhKNDRRTE0yWXNnRHljckIzM2tY
d3g2R29YRHJpMXRWMlZxT25JazBab2cKLS0tIExPYWhZUktycmtNMndXVFlHcnNH OVlWWlYxVGNFcitORFdmbnlUTkJkZ2sKLS0tIEFETndzSktuYlpmK3NmL2Q1L3A5
U2RXdlk0VThxb0hYOTR6U3dTZW5RNHcKy4iJe/O5O00Otvf7bh48+cCbhEhctu69 NzJLa2ZuUHppOExxZGhnandMRHR0N0kK/zHkmxJIFH5D88z92QkKrDrGApj2QGoU
zzrNyHgd7T1cCTd1YdgR+cuwqBLDW1br8ATh8w6Fj41gtvB8mrzXVw== LkvIOSgGjEy2juzsGsjVJdu/61g7iaGO6IpHktuniyEgwnLwn+ApOw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNVFaYU1jZDhHbGRndWtZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDNpQ0ZBS3FqZlFKelVr
aS9wNnpWanBxc3Jtc1lsNXZRVGR5bDhyRXprCkVhWEIzT3JHcjFueDM0emlobFVD NGRYdW9QNVA0THVLdGdQZElRVndmcmFoMzE4CmVUcVlLdGZuYi9XU0YydFNWLzBD
dTBqUXNnaTBMUk1sZlJ2a09SWHhQbzAKLS0tIHV0WS9TcmYxR043S1ExZHhsc3pl M3pLWmlDV0Vld3k2SXoyRkJ6a1hIWVEKLS0tIHJQamFiZklzby9UQlROVTFPT0tt
ZFRDOWhGbmlwR2hqT0swVm5RQWdxZjQK/kWd22+oqeZ3jVgpFiJYJbdbhnOTVTSg dnhReTcxeDE0NE1RNWRMN3JCOXVMTFkK8koum0Wlxgo52yDTRYCRFToQw16+iXFu
lBw1CGoxXlHgXMjjbAQVdFk7n8uLxIjhcV3WZyFVAYdEQ+QQUmXUyw== +bzDHf9DjqvZzkZH2gEeS33meexZxyUcD/nWUQvyNcbhVO49tIb90w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZ2lWY0FiYytiM1YvRmox YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR3M5VG9GaDkyK21wOVda
NDIwVlpNWWx4L0p5MTA4N214a0lqTGhjaHg0CmtwSGZxWTRrcDBiaEVNUUZNMmM4 WnluaERvelJ6bS9raS9DLzBCMXc1S1g1djBRCmhWYVdFeEY0bmpKSnN2bjBOKzQ4
VFd2Tm95Z2dTemtkLzY1WmdSUllBRjAKLS0tIFpqTDhXTW1mZ1FwYVZxbEZNdjRL ckpoNGNmY0hLSTRBT2txQnEyY0hBTGsKLS0tIHY3NWN4RjRJVkdlN3JrS2krZXdn
YTNLREliQjJudW4rZCt3VzZYMGhoUFUKvMQEXnUNDd/RBv/zo+05d/znEZqaWONj UVNSN29uQlh4WEVRVWd0a1FBNGY4VjQKMG2zUS+jehQGNo1OI2gQF0InKDzd15PM
BjisOFvPYDodU/hUYGCxrdiKx4CxMhrtOjZjVxF25BMbH7m+XeNLHw== wyyitNB3Lh5JViREQHbYe2DrDA15W6iV5bTIzzf9zToR6+ouRBgzFA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-30T01:29:21Z" - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
mac: ENC[AES256_GCM,data:j/ofDZ5Ky8xGkQU5ciGDPWDO8WchRl7ii4aWKhLZsPRojCYDEq7uQEKVeXl8QRjeDpFiFsGVlapKpLKbdCnANxHFgwPDR4sM+cBgqP5IRagTYo+4PyXNz7gjeVDnboB0rI80TrSd9uWcBU+1mkSuzLlUiXZQ2Uo00Tnkf7xIcBk=,iv:HX4//Q5uNbLfUePXGQOjt+zuFqPL3iTl9zRD8tGZXWU=,tag:cQccCSJ2QRQA5hy/LQFgTQ==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcnd3d2JoWWtldXVQc0sr
bEkrYXN3OXVGZWFLNHlPenQ0eW1ISjNKK1ZRCjdxUWI0bUttRzlUOHRrZFhpd2Fq
TjFmWTNBWFJFOWluam9vOEQwNEVHQ2sKLS0tIFJlTFp0Z2VVRm02OGp2R0IwTUdT
dkEybVp1OEhZR0JURFJqRW5nSURxME0KZcZj9YFuSvqM5bXbZQy44t4630p2aaAw
H/yhO37jNToYUpmsbpCEYcZPfjkHkc/gKPyTcKSsUFusQAds1q6/Cg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-01T00:26:19Z"
mac: ENC[AES256_GCM,data:+bAkGkkh+sPnZlG+E8+5/tZxX3W6yBTB/mSUeHKsEjv2ymo4HU5Vdef3iw4xnLBK/Kh94R0AQLd/jRJ8034Z07qBjCHttl9k5tRWyG1qZeEzZX8OOggig3PuiLv9hE0fJ+D0MX7rDy6XMyUDmaB46/TKiYPmlh8WOCB4yjjRr+Q=,iv:CsRGS8swKLEy0x3njmY+ExICDp97P9xdg0ERLonRKoQ=,tag:GYJIMpWXnOcktIL8GMUYfQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1
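Review bot: The first two `age` recipients appear to be dropped from this file and a new one added, but re-encrypting only protects this revision; earlier commits still carry ciphertext that the dropped keys can decrypt. If those keys were retired because the machines are gone or no longer trusted, the values themselves (`forwarding-rules` here, `envFile` in the next secrets file) should be changed at the source rather than only re-wrapped. If they were throwaway VM keys that have been destroyed, a line in the commit description saying so would close the question.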


@ -1,69 +1,60 @@
system: system:
mail: mail:
maddy: maddy:
envFile: ENC[AES256_GCM,data:Wo+iP0IzT71mtQwTX8u4klf+Jw126+ovm3neZKlRKDxXt2GT1TR7DTXzdUIskhfVyXSS5K8VbHb/+vZgDJ8jqoIGRxd3CSnH/f5zevHzPgz8LOpXc+4pVDqQzuTqS2XFI9JPLZpiXmcrJ0aSGeupTK1vkS+KvezJNbtRCar+uRVH0Cw=,iv:qK0mHWnpnDrYl+Ovc8HlmfWgLUvhHaTEXRqvkeWuMSk=,tag:Yh9jIlt2IxK68Mi2xOa0oA==,type:str] envFile: ENC[AES256_GCM,data:43LVInxptreur8lHPNz5494OrGhe2aKqy//bDd9n4Pb9bMYnmN2hru64TpOCeKb4b7KUDrp5kWXdy9Q0njpdbdBprgKFXygVw8JuB1aDYlv9+RN2JntIa3dAhsgL26d8VC67tjsMXZUcinR69I3SfIVp0o2T45WhG4IT1rnBWX0mGug=,iv:Uy6OaCzayAqMhvFCF4Ho5Om810Qxi2yFIqmz6NU3L8Q=,tag:WizECPn2ip3dQ0gidMaHyQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUGhnSDc3N3M0MjY4TGsv
MkFtUGpGWGFZN1JiZ2VKTC8vUnlOd0s3bzFFCktCTDdmekhpUm1ZNzVYaUN6c1ht
czVtVXdGSGU3T0FLNGJ2Y0cwY2cyWDgKLS0tIGZTRHBBeU1DN0xtYXpzcE5aczJr
QVhRSXZOTHUvOWh0cGFOcTR5R2ZsK2cKD5fNP6Oa6W/OJck3FbYn6R5nYS2UoF8I
aOUIN98e15BaSFaOc8kmqkNZC4mKMHKaBJH2NqpbwyDP4iwLbRtP4Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMUluUk41a25heEkyUm1U
TDdPbHpvUi9hMG03RDBKTjVZSUY4K1p2ZkJNCmRqRWFDKzg0QVU0dGJtWUYzZThJ
RCtNYWtyNEJyNHMybVlTc2FoMWtmMWsKLS0tIFEzVDQySmNLTlNONHJZVWlSbm5G
cWE5bVZBN1ZmV0JkVXJXbzdldXU3ZnMK7EV7u1lewpEsurScWTKVscYMo9dmSoUl
O0kLRmRR4NEzuYzCFJ3JVaxTrPlMJM9C3Mwo3LsSDLCXSQ71JWiOZQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXd1ZFcjhkNnJXRjZPY3FO YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUtQcU56aGhOU3hDRis2
UFVmT05CTWt1dXhjSit6QmlabHJOMTMyQW1VCjY3RTR2UGVJMFBYWlZnK29yejNw bGFkUFhnT3BUSFhOWFFydnI4SmdkKzlJRlR3Cjh1MkRyS0tFeEM3bWhhNnFmSWNC
WjRXT2NpMC9ZL1pldHRhRGk4TlAyK3cKLS0tIFgyVUhxRVh5UFdPOTRHQ0ZMMjVy UzhSRjJiN1VpTlNJUWkvcU54T0MyR0UKLS0tIHhNNHNBaXhvaGtIdE10YUo2MnZi
aUwyczEydHNnTG9KZEk2cjFNaFBOTmsKqd5MtgAJ1aKqk9Miq9ot2garqMxtFjdJ VEdEczl3b2UxZldBWkVzRWZ2RzZkZHMKofrWTXa5aedNl7uVVQF3TbysG2L6mtb/
1IvxprhYiPCgvhYtEbPlyCKtM/kdEGCplX3BwVOvhAU8CbyNb8zyug== 5hYiKHsdgPyxQWL3V727GM7xhS5Jd/O/F3Nc8zGCgCCGmBe3Uf5+nA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSHp1K3UzMXRXV3ZMRDRI YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bUFTeE9sMHVBN1RmNWhj
dllLWGF3NG5JOExac3BXamc3ZjRzWkFobGprCloxUzRZNU1kZ29GUWhZa2pXbUtl czdaMjBjb2grTk1XWUp5emx4Q2ZsSHpIL0VjCnBVUnE2QjdTTUNON09qRkpnMEVs
MDZpL3NPL1hpdGtsSjBqQWpHUndpMDAKLS0tIHJBYmJPTGRxV0V6TWJiSG9iNjNZ SmRoUFpmMmlZSGpyVGZIV3Q0MDMvUTAKLS0tIEI1ck5ySVhWemdpdnE1NUxCZ0Zt
SWNQSkV2SHJHSHNFc1BIMGpabXlwLzAKQSI0Yo71Rt1eUHUKZZHsrTJenq3ooB3i eWtodW5yeG9tR2xCSTNRcTFaNDRkMXMKmuIyJlHmU7gL/iqn0L55TfCZ32/LRnLz
7aLQqN6jp2ZwfOPh0/HBB1HWy6AWJoWkJZb+zKXTn0v+kx9NHU43ow== aZ9vqWGNvXjF4UsmhC1ChI3wUaAgXGvWl0roym/d3BTDV/rrIG31Hw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZ2ZaQU5waXFMRW9oOFZ4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcUxpSFR2WGNEMHQ0QTcz
SHZwSzBVK3lGR3czUTJKbStWSTQvVjd1NVZzClF3L2ZDTDViQXhsZThKUXA0M0ZB dTYzdWhRTEdwYW5sUTFMZkZPNTRnbmFnekJvCllTOFNMTk9MTGJRWFdGaGhBUlkx
SmZaYU1iTVJ3b1ZkekM0STdWZmlGSzgKLS0tIFY2a3lCUUlZM3pnRGdxSzVOSGdE WVZDVGNWZ1BPRFVwLzVFbklyVzYzTGsKLS0tIEprLy9IQ3ZycGJySWoxRG5QdFU4
bWRpL0lvMXRRNC93eFZEaEt3TE9vTnMKhzXsQiwzuxRLKAwsgn0GMyxNQHHJQpnJ azRaYnNhNzlHWFlpTGloc1JyS3dOWEUKcGY320t9R7z7wM1ebUF3QQdQzB0FMZtX
R3dnLC5FjDnr2u4LFeMlgWVWb6sd08GlBTgBCzGujNFo+qgvTsyNUQ== W45AWV+CWVce9qBm9OFVwluiJQD+m1BxLVxM1EmaNBBsT7PUleserg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcEd4OWJGVjkzWVJLNGQw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMUROaDE2NDhzUTJYTThj
ZDkzNFd3a3VrQW9uMnIvS3ZwUmx5TGp2b0FrCkdjaEJRNVo3ZDM3TnFvRDlPRFph U0loNnpKUTJrWkVmeEI3Uk9tN2gzNm5ZYVVzCkhCNWcyL29SVTB5UjVnNHlrNy9Y
V2dkUUhvYUdlSDY1TG91dlZNeCtPYmMKLS0tIG1JOWRmbFd0b2xaQkJaNjlXcjJK Z2wrd1RudnRoYjRhZUJoUzdzVm9KemcKLS0tIFQvbzUwQ0lDcko0VHRPVDRFckFk
KzNZbGVUVXdweTFmYXdxWm9Oa05GbDAKGB7SVhd13AukH44aGPMNx3aXxXI0iQNI T1RYa2J6V2FqRjUwb1ZpaHBBa2kvMncKwI9MAHNrZUD/3bEqYQ7bE65cZt9JAQ2p
UtAwlxSakIZ2OSb6A+BJNG68Joy8dEBp23JY+l5wGnKkPNbWIYSqbg== s0nPt+izl384aYuEeOP2uGW7GyaSvG8sVytpyxOZ4DIAWdjzoWLxbQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-30T01:29:20Z" - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
mac: ENC[AES256_GCM,data:P7huPF/xSFJdbsM58kPaZqwA5LufakR9rHPQk7I4+WfKocJDxLDKknsTXvKqsEi/hnii2uFkahp+J8nTAGBjqENAdFx2ux+j++Z5dfOf/Ipl1PWZxjUKnB6SaflSja6PTsULLUl8ZiR0b6O0fitgyvaUdYsdQqVsi/VdCTTUxe8=,iv:BVmTyDkhYDW4hu5ebcytaLqAtau91KRjSg+jsHOwD5I=,tag:5sOALgUX8z0DqD0yRESerQ==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTEZlUmlRSjRxNWdpSVY3
TXl4SGZZYW1lVkRqa1VON3k5TWJCTjFacXhvCkxRR3RqbnBxemQzMUs1NW5EczVm
OWtTQm9zWkdiWmFGdHZKdU52aG5jQU0KLS0tIFEzellhYWFnSFJaZmRlVjlpeWNX
bTd2MExRU3Z5QzY5dEdEdzUvN2R4QzAKqOsV6f+NrCiOqELmJ5JJNnkxVKp3kQwy
MEkudjQ3tj+iw8C5tlIsixnT2Azbj3FcSAdTwPc1yRQ5WCyf6VTA5w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-01T00:26:19Z"
mac: ENC[AES256_GCM,data:e2S19cJ1yA3J7UAOdMR0zqUx5KMzNg+JZ46Ux21Ph/8d9CXfRo1avHwl6EtWdSaMdLUHDqwzR+7fp1NVcP/fYBOhjHLhOgV1IWBfqA1Vche2MffQyi2dPYiDX7idHsh2eW3PhhXi821YtWEqv2Rmiani9gQJTjyXJkghy5JbbHw=,iv:FNveFjSPp1byfvuKy43DUjELoUu+axuElSa3RXAdV/Y=,tag:B03Hpaib8dVcFMD16vkYmA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -0,0 +1,38 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.nfs.nas;
in
{
options.mySystem.nfs.nas.enable = mkEnableOption "Mount NAS";
config = mkIf cfg.enable
{
services.rpcbind.enable = true; # needed for NFS
environment.systemPackages = with pkgs; [ nfs-utils ];
systemd.mounts = [{
type = "nfs";
mountConfig = {
Options = "noatime";
};
what = "helios:/tank";
where = "/mnt/nas";
}];
systemd.automounts = [{
wantedBy = [ "multi-user.target" ];
automountConfig = {
TimeoutIdleSec = "600";
};
where = "/mnt/nas";
}];
};
}
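Review bot: The mount in `systemd.mounts` sets only `Options = "noatime";`, so setuid binaries and device nodes on the NAS export are honoured on every client that enables this module. Adding `nosuid,nodev` (`Options = "noatime,nosuid,nodev";`) limits what a compromised or misconfigured export can do to the client. `what = "helios:/tank"` also depends on name resolution for `helios`, which this file does not establish. If the NAS serves NFSv4, `services.rpcbind.enable = true;` is probably unnecessary on a client and worth confirming and dropping.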


@ -0,0 +1,30 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.services.podman;
in
{
options.mySystem.services.podman.enable = mkEnableOption "Podman";
config = mkIf cfg.enable
{
virtualisation.podman = {
enable = true;
dockerCompat = true;
extraPackages = [ pkgs.zfs ];
defaultNetwork.settings = {
dns_enabled = true;
};
};
virtualisation.oci-containers = {
backend = "podman";
};
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
};
}
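Review bot: Two lines here need a why-comment: `extraPackages = [ pkgs.zfs ];` and the firewall rule `networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];`. I would add `# zfs tools for the container storage driver (assumed; confirm)` above the first and `# let containers on the default bridge query the host-side DNS resolver that dns_enabled turns on` above the second. The interface name `podman0` is hard-coded and presumably matches only the default network, so containers attached to other networks would not get the rule.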


@ -0,0 +1,28 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.services.traefik;
in
{
options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy";
config = mkIf cfg.enable {
services.traefik = {
enable = true;
staticConfigOptions = {
api.dashboard = true;
api.insecure = true;
serversTransport = {
# Disable backend certificate verification.
insecureSkipVerify = true;
};
};
};
};
}
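Review bot: `api.insecure = true;` serves the dashboard and API without authentication on Traefik's internal entry point, and `insecureSkipVerify = true;` under `serversTransport` turns off certificate verification for every backend, not just one. Whether the dashboard is reachable from the network depends on firewall rules not shown here, but neither setting is gated by an option, so every host enabling the module inherits both. I would set `api.insecure = false;` and publish the dashboard through a router to `api@internal` behind an auth middleware. The global skip could be replaced with a CA for internal backends (`serversTransport.rootCAs`), or with a per-service transport for the backends that really use self-signed certificates.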


@ -1,21 +0,0 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.xx.yy;
in
{
options.mySystem.xx.yy.enable = mkEnableOption "<INSERT DESCRIPTION>";
config = mkIf cfg.enable {
# CONFIG HERE
};
}


@ -5,6 +5,8 @@
# deploy-rs overlay # deploy-rs overlay
deploy-rs = inputs.deploy-rs.overlays.default; deploy-rs = inputs.deploy-rs.overlays.default;
nur = inputs.nur.overlay;
# The unstable nixpkgs set (declared in the flake inputs) will # The unstable nixpkgs set (declared in the flake inputs) will
# be accessible through 'pkgs.unstable' # be accessible through 'pkgs.unstable'
unstable-packages = final: _prev: { unstable-packages = final: _prev: {


@ -29,7 +29,9 @@ with lib;
# But wont enable plugins globally, leave them for workstations # But wont enable plugins globally, leave them for workstations
}; };
# required for yubico
services.udev.packages = [ pkgs.yubikey-personalization ];
services.pcscd.enable = true;
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;


@ -19,14 +19,14 @@ in
"network" "network"
"samba-users" "samba-users"
"docker" "docker"
"audio" # pulseaudio
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
]; ]; # TODO do i move to ingest github creds?
# packages = [ pkgs.home-manager ]; # packages = [ pkgs.home-manager ];
}; };
# home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager?
} }


@ -3,6 +3,9 @@
with lib; with lib;
{ {
# Enable module for NVIDIA graphics
mySystem.hardware.nvidia.enable = true;
mySystem.system.packages = with pkgs; [ mySystem.system.packages = with pkgs; [
ntfs3g ntfs3g
]; ];
@ -29,46 +32,5 @@ with lib;
services.xserver.videoDrivers = [ "nvidia" ]; services.xserver.videoDrivers = [ "nvidia" ];
# ref: https://nixos.wiki/wiki/Nvidia
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
hardware.nvidia = {
# Modesetting is required.
modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = false;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = false;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
# Currently alpha-quality/buggy, so false is currently the recommended setting.
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }


@ -0,0 +1,30 @@
{ config, lib, pkgs, imports, boot, ... }:
with lib;
{
mySystem.system.packages = with pkgs; [
ntfs3g
];
boot = {
initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ ];
extraModulePackages = [ ];
# for managing/mounting ntfs
supportedFilesystems = [ "ntfs" ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
# why not ensure we can memtest workstatons easily?
grub.memtest86.enable = true;
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
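Review bot: `grub.memtest86.enable = true;` sits in a `loader` block that enables `systemd-boot`, and nothing in this file enables GRUB, so the memtest entry is probably never generated. The systemd-boot module has its own switch; `systemd-boot.memtest86.enable = true;` is likely what was intended. The function head also names `imports` and `boot` as arguments although the body never reads them; `{ config, lib, pkgs, ... }:` would be enough.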


@ -15,8 +15,8 @@ with config;
# Lets see if fish everywhere is OK on the pi's # Lets see if fish everywhere is OK on the pi's
# TODO decide if i drop to bash on pis? # TODO decide if i drop to bash on pis?
shell.fish.enable = true; shell.fish.enable = true;
# But wont enable plugins globally, leave them for workstations
nfs.nas.enable = true;
}; };
boot = { boot = {