update documentation

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
add ftb-app to artemision
2025-03-03 00:47:55 -05:00 · 2025-03-03 00:47:55 -05:00 · 2025-03-03 00:47:51 -05:00 · 2025-03-03 00:45:49 -05:00 · 2025-03-02 20:20:02 -05:00 · 2025-03-02 19:53:42 -05:00
168 changed files with 3563 additions and 3714 deletions
--- a/.gitconfig
+++ b/.gitconfig
@ -1,6 +1,11 @@
 # run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
 # run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
 # if for whatever reason the below doesn't work, try modifying the mergetool command as below
 #   find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
 #   replace: ./utils/sops-mergetool.sh
 [mergetool "sops-mergetool"]
-        cmd = bash -c "$(git --exec-path)/sops-mergetool.sh \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\""
+	cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
 [merge]
-	tool = nvimdiff3
+	tool = nvimdiff
 [mergetool "nvimdiff"]
 	layout = MERGED
--- a/.github/workflows/flake-health-checks.yml
+++ b/.github/workflows/flake-health-checks.yml
@ -15,6 +15,13 @@ jobs:
        os: [ubuntu-latest]
    steps:
      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
          cache: ${{ secrets.ATTIC_CACHE }}
          token: ${{ secrets.ATTIC_TOKEN }}
          skip-push: "true"
      - uses: actions/checkout@v4
      - run: nix flake check --accept-flake-config
      - run: nix ./utils/attic-push.bash
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@ -10,22 +10,27 @@ jobs:
    if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
    steps:
      - uses: actions/checkout@v4
-      - name: Login to Docker Hub
+      # - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        # uses: docker/login-action@v3
-        with:
+        # with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+        #   username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+        #   password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Install Nix
        uses: cachix/install-nix-action@v24
        with:
          extra_nix_config: |
            experimental-features = nix-command flakes
          install_url: https://releases.nixos.org/nix/nix-2.19.0/install
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
          cache: ${{ secrets.ATTIC_CACHE }}
          token: ${{ secrets.ATTIC_TOKEN }}
      - name: Calculate pre-drv
        run: nix ./utils/eval-to-drv.sh pre
-      - name: Pull latest docker images
+      # - name: Pull latest docker images
-        run: nix ./utils/fetch-docker.sh
+      #   run: nix ./utils/fetch-docker.sh
      - name: Update flake.lock (part 1)
        run: nix flake update
      - name: Calculate post-drv
--- a/.github/workflows/nix-fmt.yml
+++ b/.github/workflows/nix-fmt.yml
@ -12,6 +12,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
          cache: ${{ secrets.ATTIC_CACHE }}
          token: ${{ secrets.ATTIC_TOKEN }}
      - uses: actions/checkout@v4
      - run: nix fmt -- --check .
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,7 +1,6 @@
 keys:
  # The PGP keys in keys/
-  - &admin_alice F63832C3080D6E1AC77EECF80B4245FFE305BC82
+  - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
  - &admin_richie 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
  # Generate AGE keys from SSH keys with:
  #   ssh-keygen -A
@ -9,20 +8,11 @@ keys:
  # cspell:disable
  - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
  - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
-  - &bob age13jg97cvy63fzd2ccthcwvfyyxzw5vmwun8s0afq5l4xm0mhl6pjqhne063
+    #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
-  - &jeeves age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
+  - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
  - &jeeves-jr age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
  - &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
  - &rhapsody-in-green age1c7adjulcrma0m7l5ur8efxdjzyskrqcwssfkt77a9rmma7gzss5q02pgmy
  # cspell:enable
 admins: &admins
  - *admin_alice
  - *admin_richie
 servers: &servers
  - *jeeves
  - *jeeves-jr
  - *palatine-hill
 # add new users by executing: sops users/<user>/secrets.yaml
@ -31,38 +21,19 @@ servers: &servers
 # update keys by executing: sops updatekeys secrets.yaml
 # note: add .* before \.yaml if you'd like to use the mergetool config
 creation_rules:
  - path_regex: systems/jeeves/secrets\.yaml$
    key_groups:
      - pgp: *admins
        age:
          - *jeeves
  - path_regex: systems/jeeves-jr/secrets\.yaml$
    key_groups:
      - pgp: *admins
        age:
          - *jeeves-jr
  - path_regex: users/alice/secrets.*\.yaml$
    key_groups:
      - pgp:
          - *admin_alice
        age:
          - *palatine-hill
          - *jeeves
          - *jeeves-jr
          - *artemision
          - *artemision-home
  - path_regex: systems/palatine-hill/secrets.*\.yaml$
    key_groups:
-      - pgp: *admins
+      - pgp: 
-        age:
+          - *admin_alice
          - *palatine-hill
  - path_regex: systems/palatine-hill/keys/zfs-.*-key$
    key_groups:
      - pgp: *admins
        age:
          - *palatine-hill
@ -72,14 +43,9 @@ creation_rules:
          - *admin_alice
        age:
          - *artemision
-
+  - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
  - path_regex: users/richie/secrets\.yaml$
    key_groups:
      - pgp:
-          - *admin_richie
+          - *admin_alice
        age:
          - *palatine-hill
          - *jeeves
          - *jeeves-jr
          - *rhapsody-in-green
          - *bob
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -8,6 +8,7 @@
    "acpid",
    "adbusers",
    "ahci",
    "aioesphomeapi",
    "alicehuston",
    "alsa",
    "amdgpu",
@ -66,6 +67,7 @@
    "enableemail",
    "errorlens",
    "esbenp",
    "esphome",
    "extest",
    "fastforwardteam",
    "FASTFOX",
@ -90,6 +92,7 @@
    "gamescope",
    "globalprivacycontrol",
    "gparted",
    "gtts",
    "healthreport",
    "hexeditor",
    "hicolor",
@ -104,7 +107,9 @@
    "hyprland",
    "hyprwm",
    "INITDB",
    "ioit",
    "iperf",
    "isal",
    "jmgilman",
    "jnoortheen",
    "jobset",
@ -183,11 +188,13 @@
    "PRIVOXY",
    "prowlarr",
    "proxychains",
    "prusa",
    "psycopg",
    "PUID",
    "pulseaudio",
    "punycode",
    "pylance",
    "pymetno",
    "qbit",
    "qbittorrent",
    "qbittorrentvpn",
@ -225,6 +232,7 @@
    "sponsorblock",
    "spotifyd",
    "sqltools",
    "ssdp",
    "sshconfig",
    "stdenv",
    "subresource",
@ -271,6 +279,7 @@
    "xhci",
    "xwayland",
    "yzhang",
    "zeroconf",
    "zerotier",
    "zerotierone",
    "zhaofengli",
--- a/flake.lock
+++ b/flake.lock
@ -1,78 +1,5 @@
 {
  "nodes": {
    "arch_mirror": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
        "poetry2nix": "poetry2nix"
      },
      "locked": {
        "lastModified": 1722708775,
        "narHash": "sha256-z+8+fB0/8G9ScnDmgHKzR6BMxuTiK8mu0HDdp2y0dqQ=",
        "owner": "RichieCahill",
        "repo": "arch_mirror",
        "rev": "ce97f5f7e7382f6cb36e464c0f18a3177396990d",
        "type": "github"
      },
      "original": {
        "owner": "RichieCahill",
        "repo": "arch_mirror",
        "type": "github"
      }
    },
    "attic": {
      "inputs": {
        "crane": "crane",
        "flake-compat": [
          "flake-compat"
        ],
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
        "lastModified": 1722472866,
        "narHash": "sha256-GJIz4M5HDB948Ex/8cPvbkrNzl/eKUE7/c21JBu4lb8=",
        "owner": "zhaofengli",
        "repo": "attic",
        "rev": "e127acbf9a71ebc0c26bc8e28346822e0a6e16ba",
        "type": "github"
      },
      "original": {
        "owner": "zhaofengli",
        "repo": "attic",
        "type": "github"
      }
    },
    "crane": {
      "inputs": {
        "nixpkgs": [
          "attic",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1717025063,
        "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "repo": "crane",
        "type": "github"
      }
    },
    "firefox-addons": {
      "inputs": {
        "flake-utils": [
@ -84,11 +11,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1722917006,
+        "lastModified": 1740212040,
-        "narHash": "sha256-29qBs5HlcegrLP8oQe8T9hHx7u94TEz9ivPwZlorAJU=",
+        "narHash": "sha256-Gpvn9Z+ZgKPyb6qaAbahLbo6ZVj7VuLzSCmHZRvsACA=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "8552abe55a4f364d94efb84502a550c2c9c3101c",
+        "rev": "9a8a0914000e4453c99a4c12e9862a0a40075851",
        "type": "gitlab"
      },
      "original": {
@ -100,12 +27,12 @@
    },
    "flake-compat": {
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1733328505,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "revCount": 57,
+        "revCount": 69,
        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
      },
      "original": {
        "type": "tarball",
@ -117,11 +44,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1722555600,
+        "lastModified": 1738453229,
-        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
        "type": "github"
      },
      "original": {
@ -131,35 +58,17 @@
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": [
          "systems"
        ]
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@ -196,11 +105,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722936497,
+        "lastModified": 1740624780,
-        "narHash": "sha256-UBst8PkhY0kqTgdKiR8MtTBt4c1XmjJoOV11efjsC/o=",
+        "narHash": "sha256-8TP61AI3QBQsjzVUQFIV8NoB5nbYfJB3iHczhBikDkU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "a6c743980e23f4cef6c2a377f9ffab506568413a",
+        "rev": "b8869e4ead721bbd4f0d6b927e8395705d4f16e6",
        "type": "github"
      },
      "original": {
@ -216,11 +125,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722636442,
+        "lastModified": 1739465511,
-        "narHash": "sha256-+7IS0n3/F0I5j6ZbrVlLcIIPHY3o+/vLAqg/G48sG+w=",
+        "narHash": "sha256-kXdVW89VJoG+W6N1u0m8hgK2VIWUAweQVzehRZwdNSo=",
        "owner": "hyprwm",
        "repo": "contrib",
-        "rev": "9d67858b437d4a1299be496d371b66fc0d3e01f6",
+        "rev": "59178a657b7e09ddf82b9e79681f482b6c2f378b",
        "type": "github"
      },
      "original": {
@ -229,50 +138,6 @@
        "type": "github"
      }
    },
    "nix-github-actions": {
      "inputs": {
        "nixpkgs": [
          "arch_mirror",
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1703863825,
        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "type": "github"
      }
    },
    "nix-github-actions_2": {
      "inputs": {
        "nixpkgs": [
          "server_tools",
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1703863825,
        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "type": "github"
      }
    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
@ -280,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722740924,
+        "lastModified": 1740281615,
-        "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=",
+        "narHash": "sha256-dZWcbAQ1sF8oVv+zjSKkPVY0ebwENQEkz5vc6muXbKY=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "97ca0a0fca0391de835f57e44f369a283e37890f",
+        "rev": "465792533d03e6bb9dc849d58ab9d5e31fac9023",
        "type": "github"
      },
      "original": {
@ -295,11 +160,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1722732880,
+        "lastModified": 1736643958,
-        "narHash": "sha256-do2Mfm3T6SR7a5A804RhjQ+JTsF5hk4JTPGjCTRM/m8=",
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "8bebd4c74f368aacb047f0141db09ec6b339733c",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
        "type": "github"
      },
      "original": {
@ -316,11 +181,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722819251,
+        "lastModified": 1737057290,
-        "narHash": "sha256-f99it92NQSZsrZ8AYbiwAUfrtb/ZpZRqUsl4q6rMA5s=",
+        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "c8c3a20b8191819219dba1af79388aa6d555f634",
+        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
        "type": "github"
      },
      "original": {
@ -331,11 +196,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1722332872,
+        "lastModified": 1740387674,
-        "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=",
+        "narHash": "sha256-pGk/aA0EBvI6o4DeuZsr05Ig/r4uMlSaf5EWUZEWM10=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "14c333162ba53c02853add87a0000cbd7aa230c2",
+        "rev": "d58f642ddb23320965b27beb0beba7236e9117b5",
        "type": "github"
      },
      "original": {
@ -351,15 +216,14 @@
        ],
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "search": "search"
      },
      "locked": {
-        "lastModified": 1722894082,
+        "lastModified": 1740603919,
-        "narHash": "sha256-TEJNZ/8er454mMv+YyLjWpz3yTPuSi6Nq+Tg0N8E80M=",
+        "narHash": "sha256-2zwtSnCI8QZfIOFOpjJ5w2bslQ5r/GYXZ1Pi7fMdrOo=",
        "owner": "SuperSandro2000",
        "repo": "nixos-modules",
-        "rev": "b871b68e76b092dfbc6fad38a8ebea99893be498",
+        "rev": "732ffa8e01e911428db96ff978d1e3876f649ef3",
        "type": "github"
      },
      "original": {
@ -370,39 +234,39 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1722813957,
+        "lastModified": 1740557110,
-        "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
+        "narHash": "sha256-D2waFyJkaepTchTrGVAIfCd/YP+37bgXWg9cXwuxuT0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
+        "rev": "b89a821293c3872992137114d0db9a791243a41b",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1722555339,
+        "lastModified": 1738452942,
-        "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
+        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1722869614,
+        "lastModified": 1735563628,
-        "narHash": "sha256-7ojM1KSk3mzutD7SkrdSflHXEujPvW1u7QuqWoTLXQU=",
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "883180e6550c1723395a3a342f830bfc5c371f6b",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
        "type": "github"
      },
      "original": {
@ -412,62 +276,6 @@
        "type": "github"
      }
    },
    "poetry2nix": {
      "inputs": {
        "flake-utils": [
          "arch_mirror",
          "flake-utils"
        ],
        "nix-github-actions": "nix-github-actions",
        "nixpkgs": [
          "arch_mirror",
          "nixpkgs"
        ],
        "systems": "systems_2",
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
        "lastModified": 1722515463,
        "narHash": "sha256-6FVPz1WzHak65xJQg8tRjVyFEWMesGxfskKaCxDUnRk=",
        "owner": "nix-community",
        "repo": "poetry2nix",
        "rev": "8c25e871bba3f472e1569bbf6c0f52dcc34bf2a4",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "poetry2nix",
        "type": "github"
      }
    },
    "poetry2nix_2": {
      "inputs": {
        "flake-utils": [
          "server_tools",
          "flake-utils"
        ],
        "nix-github-actions": "nix-github-actions_2",
        "nixpkgs": [
          "server_tools",
          "nixpkgs"
        ],
        "systems": "systems_3",
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
        "lastModified": 1721039874,
        "narHash": "sha256-XANsG9GYHip8pxZpbqKf/YGv8tIa0xTh289Y+WNBNfw=",
        "owner": "nix-community",
        "repo": "poetry2nix",
        "rev": "d11c01e58587e5f21037ed6477465a7f26a32e27",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "poetry2nix",
        "type": "github"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": [
@ -476,17 +284,14 @@
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
-        "lastModified": 1722857853,
+        "lastModified": 1737465171,
-        "narHash": "sha256-3Zx53oz/MSIyevuWO/SumxABkrIvojnB7g9cimxkhiE=",
+        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "06939f6b7ec4d4f465bf3132a05367cccbbf64da",
+        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
        "type": "github"
      },
      "original": {
@ -497,12 +302,10 @@
    },
    "root": {
      "inputs": {
        "arch_mirror": "arch_mirror",
        "attic": "attic",
        "firefox-addons": "firefox-addons",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "hyprland-contrib": "hyprland-contrib",
        "nix-index-database": "nix-index-database",
@ -513,9 +316,8 @@
        "nixpkgs-stable": "nixpkgs-stable",
        "pre-commit-hooks": "pre-commit-hooks",
        "rust-overlay": "rust-overlay",
        "server_tools": "server_tools",
        "sops-nix": "sops-nix",
-        "systems": "systems_4",
+        "systems": "systems",
        "wired-notify": "wired-notify"
      }
    },
@ -526,11 +328,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722910815,
+        "lastModified": 1740623427,
-        "narHash": "sha256-v6Vk/xlABhw2QzOa6xh3Jx/IvmlbKbOazFM+bDFQlWU=",
+        "narHash": "sha256-3SdPQrZoa4odlScFDUHd4CUPQ/R1gtH4Mq9u8CBiK8M=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "7df2ac544c203d21b63aac23bfaec7f9b919a733",
+        "rev": "d342e8b5fd88421ff982f383c853f0fc78a847ab",
        "type": "github"
      },
      "original": {
@ -539,70 +341,18 @@
        "type": "github"
      }
    },
    "search": {
      "inputs": {
        "flake-utils": [
          "nixos-modules",
          "flake-utils"
        ],
        "nixpkgs": [
          "nixos-modules",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1722493084,
        "narHash": "sha256-ktjl908zZKWcGdMyz6kX1kHSg7LFFGPYBvTi9FgQleM=",
        "owner": "nuschtos",
        "repo": "search",
        "rev": "3f5abffa5f28b4ac3c9212c81c5e8d2d22876071",
        "type": "github"
      },
      "original": {
        "owner": "nuschtos",
        "repo": "search",
        "type": "github"
      }
    },
    "server_tools": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "poetry2nix": "poetry2nix_2"
      },
      "locked": {
        "lastModified": 1722726877,
        "narHash": "sha256-VEfypyflLdxL3hjtURbpfRv9dyc3Z/CvvZ76bAad8l8=",
        "owner": "RAD-Development",
        "repo": "server_tools",
        "rev": "16f24eddcb117c5560582c42c120ba84360c7f1f",
        "type": "github"
      },
      "original": {
        "owner": "RAD-Development",
        "repo": "server_tools",
        "type": "github"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
-        "lastModified": 1722897572,
+        "lastModified": 1739262228,
-        "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
+        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
+        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
        "type": "github"
      },
      "original": {
@ -626,93 +376,6 @@
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "id": "systems",
        "type": "indirect"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "id": "systems",
        "type": "indirect"
      }
    },
    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "arch_mirror",
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1719749022,
        "narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": [
          "server_tools",
          "poetry2nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1719749022,
        "narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "wired-notify": {
      "inputs": {
        "flake-parts": [
@ -726,11 +389,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1721535277,
+        "lastModified": 1730615238,
-        "narHash": "sha256-A6qIy2n3aomj5XooUmqz0s3G/A44Y3+GoFrGxIOolIM=",
+        "narHash": "sha256-u/ZGtyEUvAkFOBgLo2YldOx0GKjE3/esWpWruRD376E=",
        "owner": "Toqozz",
        "repo": "wired-notify",
-        "rev": "d079126c43f22179650f3d4c59f580c5993b9217",
+        "rev": "1632418aa15889343028261663e81d8b5595860e",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,22 +1,21 @@
 {
-  description = "NixOS configuration for RAD-Development Servers";
+  description = "NixOS configuration for my machines";
  nixConfig = {
    substituters = [
      "https://cache.nixos.org/?priority=1&want-mass-query=true"
      "https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
      "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
      "https://attic.nayeonie.com/nix-cache"
    ];
    trusted-substituters = [
      "https://cache.nixos.org"
      "https://attic.alicehuston.xyz/cache-nix-dot"
      "https://nix-community.cachix.org"
      "https://attic.nayeonie.com/nix-cache"
    ];
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
      "cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
    ];
    trusted-users = [ "root" ];
  };
@ -25,24 +24,20 @@
    flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
    flake-parts.url = "github:hercules-ci/flake-parts";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
    systems.url = "github:nix-systems/default";
-    arch_mirror = {
+    # attic = {
-      url = "github:RichieCahill/arch_mirror";
+    #   url = "github:zhaofengli/attic";
-      inputs.nixpkgs.follows = "nixpkgs";
+    #   inputs = {
-    };
+    #     nixpkgs.follows = "nixpkgs";
-
+    #     nixpkgs-stable.follows = "nixpkgs-stable";
-    attic = {
+    #     flake-compat.follows = "flake-compat";
-      url = "github:zhaofengli/attic";
+    #     flake-parts.follows = "flake-parts";
-      inputs = {
+    #   };
-        nixpkgs.follows = "nixpkgs";
+    # };
        nixpkgs-stable.follows = "nixpkgs-stable";
        flake-compat.follows = "flake-compat";
        flake-utils.follows = "flake-utils";
      };
    };
    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@ -89,7 +84,6 @@
      url = "github:cachix/git-hooks.nix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        nixpkgs-stable.follows = "nixpkgs-stable";
        flake-compat.follows = "flake-compat";
      };
    };
@ -105,15 +99,6 @@
      url = "github:Mic92/sops-nix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        nixpkgs-stable.follows = "nixpkgs-stable";
      };
    };
    server_tools = {
      url = "github:RAD-Development/server_tools";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-utils.follows = "flake-utils";
      };
    };
@ -168,5 +153,6 @@
      packages = import ./packages { pkgs = nixpkgs.legacyPackages.x86_64-linux; };
      checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
      devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
    };
 }
--- a/keys/richie.asc
+++ b/keys/richie.asc
@ -1,67 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGQ4gGgBEAC2s0Q4nQ5aTlpTg4u/Hl9gq56IAGoUW9wlgEoStHXyA1WziY2s
 1pt45l4Q6kORswXoXv0ULTWBQAGponjY3l+HNm+B0XMr6EogjV/EP/UCyEi8zpqs
 PaoJiB95s8rTsh+E7GzWR8KDhazOrGFY+QQOsTWEhLF8jkISd9aC05pf+WnKyxLC
 wFjNFXRWUgPKyKPWIUd3SJP2IH6rSSkp7SMCAUiteQx2c43thnr4c/wcfGANKbFO
 PhYrkTJKSqt38NoFtNB/Eo/MaVwdEnTMmeovF9sA2s0SLat8+FngSEcIXvL5UpA4
 K73+lOQUROWFju7LrIyOhksSZXyQvP+64PxfpbtHadH6wQ4Ckz0GYIYnDQ1q66dh
 OKQq9efIlxb7ky47qXRMY8u6d2d4bceLM4a24lYajZ70HZTEF4hy5KCMd8DAmAzU
 WLCkaz6SQVDsme60jH3Mavd18B8HZ1d5Vi75hNaylMRtq7o6IA60NnVXh07U+Zto
 n8QOze0JqO/GaM7FzfijfsW670j//FSu5wUGnBYprBz7SFh2nCy/XPZYThtHtPbI
 YeESs8WZtqkfs4RpmMkOKcTLNiTFXIsCqHIhR8lDnJl+skEMxg7L8FF2txph4ssU
 BZ6dAbFy8KsH+2Sr2qfK0yHOVs37ymv+/WaxC0d+QpLAupRhzL+s2kIYGQARAQAB
 tB9SaWNoaWUgPFJpY2hpZUB0bW13b3Jrc2hvcC5jb20+iQJOBBMBCAA4FiEEKfUB
 fJXZ5gsbHoQHBysOC4MS3+MFAmQ4gGgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC
 F4AACgkQBysOC4MS3+PnKA//YUDZbuaas5MIWRqZsh02GEXVX4n727JP4iqZU4R0
 Cndq7KCl+8XJ9RqmpRZab1FhEj/DQZYisKvloMvBop4q1XLLkabaQF5NsbDvIQG6
 5TgbeSUmVWP6JS4Ka05FKIEwjKFS6ogbd1tscVs50zFWW+veewWMwwQF1mw+N5wx
 LsnHRDIBPOj8Z+p07fyYlP2RMtqdjUqHOtDBiAvbFaXd1huEHd6H2bhnVLaxsJUf
 EEGu92ND0GgW2tDrJIL+bNhZfsnHZEZPyruLZXcwW0JIyLf+sgob/iY0duDH1JDS
 ty5tS3ke9O3Q56mPogHP7jlMwtVHzQQPlviVtNvYhRamb5hUDc9Qu9uXNM0HOWdg
 MI5KE1xbdjz1OmymakfcfbVcSz1vu3k4XpqChiKt+psw8BnHGcguPchetkroCJcM
 OLwnCoKH3TFxZfaZQGPDhHCGU484Nj1M/wHo9RcoWtrPWz+Y7W0U+47EdmGM1Vpl
 9hIoXqjEWENz6Ph5DD0vxMptQPrRfmtLiJsWxAJRS9MH+ZWXxjJ2byKXiEHdR7la
 Xgj8ejtzaZB04Ow9+zptFH6nwTygGGodcRkYYFtYSS7C46aihvMRLj68uHB2yC2b
 zYutMtU6eregDaWiAeGycZcanGnU36JDifjaCF84oty6a3EpfdGCc9KkHk1Is+sR
 TVe5Ag0EZDiAaAEQANy3ekveJexjqdhWmGjqF1rp90uWYJeVwg0Dlc621SNEzrfu
 suC1BEHC2xdZz85yPbfdUPThAn/AmaMYlNIvzXmsGJdfIIsL7ZT+K6K+9ClbFhR8
 eIZZjhpSOMwLEfNroyZPcOwEua9bSr3mwU+i2ED+dCKcxG4/wAtmeK2PNOz0t0/F
 umLHW9Zk8YZBVSq7sGZ77TBi7GHOVzR/3wWy0qXgVMSQXtmOoDCmd1B1pD/BOkBA
 2iI4spRLiDPW3XVDeAGydYPPEIXtFax7ZCs4BhjT4witJ2110fddrAh6e48yU4Hn
 ca5F+QD6hVvUgHmdM/9GMqYf2mMC8tqNQf33Ib148zIhtQN5OtDz/sce5Xj8rk0j
 HUuZ3E0jViK72ZRnZD46CyIc99ZcLCAhsHZDaMTEDfWX8ToQzA+Ahyth0RMykwhX
 6NPKvOw2VqRK+j6iyYvtDXLmcsR890dzHDJLfrJWCJ0scpeWFvlLkVhQaT3NEqEK
 oUENBFf8zxfTQ7BksyV2ESTwu5xqfYeJ1g1FoTfL30+/W0003K7hoPQuU3ebj3wY
 3mMrG0hgo0iM9wHk83WWt+fDYj09yptGWAgBQNOpRR/0EbwEd74C3UxZQtUmxwPz
 YW2g1GWyEgtA76UJ00TuQHBGklcKtY0IbHKwjn7NwHbYWu67R7Le3+cj3LOVABEB
 AAGJAjYEGAEIACAWIQQp9QF8ldnmCxsehAcHKw4LgxLf4wUCZDiAaAIbDAAKCRAH
 Kw4LgxLf462sEACDweQr1ik35sbw3qlPn3b/d2UYBK+r8G3Pk1RhNra2rFtkRY8Y
 rEAlFeYOCBplsyg8swIClPjKpqIEehMV4X2E0N6WpyPzuOgNP4OPAmJngUYM9uxr
 kcVhYubgp2Hcxk5TkbvHIc31P5ItCl7UUYC3bXf32K5GVeOAxsZBS6elwdxlFteY
 WKjkwoZklPPfce4ctG/phy8dnn+pFMFnyisFFp81R2P+ztdSDLm/U27d8g9cjcWK
 mhZtGox4zf7250p+gIUnlnBdtXIWBaUFidha5qql0/iSsMrhu2m12XaLc5HiubYY
 RNIHcCRitG0Qc/pWVjZAD/bqOTl4/M1AeN7qZ/8Y1II1tCdBZ1MGinKS/3aGjTn5
 RzvYrQeP7YTInyah7MpUTYoxI+VHHeD7hTy/y0GPZBtZ24B/s3ICuMemejILeI8M
 aHj8FmBSXJ3dD8195QyONuQB5hNB3qGhc995KsDK3leCwJc3+MFLZPaEZnB+f+uo
 +pdngVsKH2IAVOtJN+QULmuEFmiEGRAghJwxfA4M92Bn0jSa9KMyTsM41b3zdSVU
 ipnn9FVX7RemSdF/z2SXAczwMLwVjai4j8b/U9O3oc0wrDF4QgrKKKIESlID/0Jf
 QLwhRYHy03r2yENO9lEeTBaSF94HsN1UjrZtzpGx6QTGBohA2RrztXkosLgzBGWP
 FicWCSsGAQQB2kcPAQEHQBlJ0lXDQnpcV7nR/MWPifi0WVTDPe0njjVIHNq/Z/xI
 iQKtBBgBCAAgFiEEKfUBfJXZ5gsbHoQHBysOC4MS3+MFAmWPFicCGwIAgQkQBysO
 C4MS3+N2IAQZFgoAHRYhBAA/2xaaamErUuSen5+R1096JyceBQJljxYnAAoJEJ+R
 1096Jycejy0A/2BmBatOihlxnO1G0U5qy3eiFkzmYKhm9WEW+w461hjuAP40cTMS
 xgnpUzUrsEs6+3Om7TLAa0VAqYLjA8NTVJs6AiPGEACuGgYn4uBzeXGLgHHUmLsY
 25rOajs/zAZnQkMz1epMKJDZ658cIDKyjJ6mLkkBwHwARrMhb38AEphXgyuAtHMN
 mEPRzABZutleW33KCk6zzVLyYVFBDWEI7hIFdNfJcJjXsDX0oGKB/oT5vlU25YgN
 cBAC7q9PGfq/XkeFOz9j3UOXMuzTKmtrX28IiSPqk+IkzeL35otzrG1wsUPLDLRS
 nlmwtnP4oQ50cUvTiDesk3QqPQn+2wPYakMydq7bvUcv/jakCADJq8Lsg4AmUxpQ
 bZNj2Zu/j8g+0KYUTriuQpZHf+mjVoNzwxiDKobMvKNzyNrZwMnZhAcDnCXSHpZL
 KnBcQGpsOjZicA9HodVRdU80DM46MSsncxAN+jwdHUOtCtONP059kF8JegwyevFS
 1hY/6ZTMETtKckWbs2gMTEK48SXF3EQ2jMq8lbD9SccuEi6R19R5qiLwQBgUHawT
 PcirlASclpR2zjLH1/MovxMFykCUUaQgGH0TjCe5X95Y7QdVgw6ocHkSFUsLN8V1
 L3UfOIobFFW6EuRg5urKpljoi20dYsAyorqye9q825RyuWa5oLDtqXshCuOzLy6O
 BgnM2FIvUpxAFmlXlC9eG8bUChfqEakio68Iwl6LUQouDR9gprWcookZV716YBVC
 /IKQxyKTQK+nas4pfaUhYw==
 =in5n
 -----END PGP PUBLIC KEY BLOCK-----
--- a/lib/container-utils.nix
+++ b/lib/container-utils.nix
@ -0,0 +1,43 @@
 { lib, ... }:
 {
  # Given a attrset of images and a function which generates an image spec,
  # generates a set of containers (although this could in theory be used for
  # other things... I'd like to see people try)
  #
  # container set must be in the below format
  # { container-name = {image = "image-uri"; scale = n;}; }
  # where image-uri gets passed in to the container-spec function as a custom
  # parameter, and scale is an integer that generates the containers
  #
  # container-spec must be a function which accepts two parameter (the
  # container name and image name) and ideally returns an oci-compliant
  # container.
  #
  # args:
  # containers: an AttrSet which specifies the imageUri and scale of each
  #   container
  # container-spec: a function which produces an oci-compliant container spec
  #
  # type:
  # AttrSet -> (String -> AttrSet -> AttrSet) -> AttrSet
  createTemplatedContainers =
    containers: container-spec:
    builtins.listToAttrs (
      lib.flatten (
        lib.mapAttrsToList (
          name: value:
          (map (
            num:
            let
              container-name = "${name}-${toString num}";
            in
            {
              name = container-name;
              value = container-spec container-name value.image;
            }
          ) (lib.lists.range 1 value.scale))
        ) containers
      )
    );
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@ -3,6 +3,7 @@
  # create rad-dev namespace for lib
  rad-dev = rec {
    systems = import ./systems.nix { inherit lib; };
    container-utils = import ./container-utils.nix { inherit lib; };
    # any(), but checks if any value in the list is true
    #
@ -56,5 +57,21 @@
    # type:
    # fileList :: Path -> String -> [Path]
    fileList = dir: map (file: dir + "/${file}") (ls dir);
    # reduce an attribute set to a string
    #
    # example:
    # given attrset {host1 = "palatine-hill"; host2 = "jeeves";}
    # and func (host: hostname: host + " is " + hostname + ", " )
    # mapAttrsToString would return 'host1 is palatine-hill, host2 is jeeves, '
    #
    # args:
    # func: an function to apply to attrSet to turn each entry into one string
    # attrSet: an attribute set to reduce
    #
    # type:
    # mapAttrsToString :: AttrSet -> (String -> Any -> String) -> String
    mapAttrsToString =
      func: attrSet: (lib.foldl' (cur: next: cur + next) "" (lib.mapAttrsToList func attrSet));
  };
 }
--- a/lib/systems.nix
+++ b/lib/systems.nix
@ -215,9 +215,9 @@ rec {
            {
              inherit
                inputs
                outputs
                src
                configPath
                outputs
                ;
              hostname = name;
            }
--- a/modules/base.nix
+++ b/modules/base.nix
@ -1,6 +1,7 @@
 {
  lib,
  inputs,
  outputs,
  server,
  system,
  ...
@ -14,7 +15,7 @@
  programs = {
    zsh.enable = true;
-    fish.enable = true;
+    fish.enable = false;
  };
  users = {
@ -26,10 +27,12 @@
    useUserPackages = true;
    sharedModules = [ inputs.sops-nix.homeManagerModules.sops ];
    extraSpecialArgs = {
-      inherit inputs;
+      inherit inputs outputs;
      machineConfig = {
        inherit server system;
      };
    };
  };
  networking.firewall.enable = lib.mkDefault true;
 }
--- a/modules/boot.nix
+++ b/modules/boot.nix
@ -2,6 +2,7 @@
  config,
  lib,
  libS,
  pkgs,
  ...
 }:
@ -34,7 +35,6 @@ in
  config.boot = lib.mkIf cfg.default {
    supportedFilesystems = [ cfg.filesystem ];
    tmp.useTmpfs = true;
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    kernelParams =
      [ "nordrand" ]
      ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
--- a/modules/docker.nix
+++ b/modules/docker.nix
@ -7,9 +7,14 @@
      extraGroups = [ "docker" ];
      uid = 600;
    };
-    groups.docker-service = {
+    groups = {
      docker-service = {
        gid = 600;
      };
      haproxy = {
        gid = 99;
      };
    };
  };
  virtualisation.docker = {
--- a/modules/kub_net.nix
+++ b/modules/kub_net.nix
@ -6,7 +6,7 @@ in
  options = {
    services.rad-dev.k3s-net = {
      enable = lib.mkOption {
-        default = true;
+        default = false;
        example = true;
        description = "Whether to enable k3s-net.";
        type = lib.types.bool;
--- a/modules/nix.nix
+++ b/modules/nix.nix
@ -18,19 +18,15 @@
      connect-timeout = 20;
      substituters = [
        "https://cache.nixos.org/?priority=1&want-mass-query=true"
        "https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
        "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
      ];
      trusted-substituters = [
        "https://cache.nixos.org"
        "https://attic.alicehuston.xyz/cache-nix-dot"
        "https://nix-community.cachix.org"
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
      ];
      trusted-users = [
        "root"
--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@ -2,6 +2,7 @@
 {
  services.openssh = {
    enable = lib.mkDefault true;
    openFirewall = lib.mkDefault true;
    fixPermissions = true;
    extraConfig = "StreamLocalBindUnlink yes";
--- a/modules/plocate.nix
+++ b/modules/plocate.nix
@ -3,7 +3,7 @@
 {
  services.locate = {
    enable = lib.mkDefault true;
-    localuser = lib.mkDefault null;
+    # localuser = lib.mkDefault null;
    package = lib.mkDefault pkgs.plocate;
  };
 }
--- a/modules/update.nix
+++ b/modules/update.nix
@ -4,13 +4,13 @@
    enable = lib.mkDefault true;
    repo.dotfiles = {
      enable = lib.mkDefault true;
-      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
+      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_giteadeploy";
      path = lib.mkDefault /root/dotfiles;
    };
  };
  system.autoUpgrade = {
-    enable = lib.mkDefault true;
+    enable = lib.mkDefault false;
    flags = [ "--accept-flake-config" ];
    randomizedDelaySec = "1h";
    persistent = true;
--- a/modules/yubikey.nix
+++ b/modules/yubikey.nix
@ -0,0 +1,24 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.rad-dev.yubikey;
 in
 {
  options = {
    services.rad-dev.yubikey = {
      enable = lib.mkEnableOption "enable yubikey defaults";
      enable-desktop-app = lib.mkEnableOption "installs desktop application";
    };
  };
  config = lib.mkIf cfg.enable {
    # enable the smart card daemon for certain yubikey operations
    services.pcscd.enable = true;
    environment.systemPackages = lib.optionals cfg.enable-desktop-app [ pkgs.yubioath-flutter ];
  };
 }
--- a/pkgs/bitwarden-rofi/default.nix
+++ b/pkgs/bitwarden-rofi/default.nix
@ -0,0 +1,70 @@
 # source: https://github.com/kylesferrazza/nix/blob/288edcd1d34884b9b7083c6d718fbe10febe0623/overlay/bitwarden-rofi.nix
 # TODO https://github.com/mattydebie/bitwarden-rofi/issues/34
 {
  stdenv,
  lib,
  fetchFromGitHub,
  makeWrapper,
  unixtools,
  xsel,
  xclip,
  wl-clipboard,
  xdotool,
  ydotool,
  bitwarden-cli,
  rofi,
  jq,
  keyutils,
  libnotify,
 }:
 let
  bins = [
    jq
    bitwarden-cli
    unixtools.getopt
    rofi
    xsel
    xclip
    wl-clipboard
    xdotool
    ydotool
    keyutils
    libnotify
  ];
 in
 stdenv.mkDerivation {
  pname = "bitwarden-rofi";
  version = "git-2024-08-22";
  src = fetchFromGitHub {
    owner = "mattydebie";
    repo = "bitwarden-rofi";
    rev = "8be76fdd647c2bdee064e52603331d8e6ed5e8e2";
    sha256 = "1h5d21kv8g5g725chn3n0i1frvmsrk3pm67lfxqcg50kympg0wwd";
  };
  buildInputs = [ makeWrapper ];
  installPhase = ''
    mkdir -p "$out/bin"
    install -Dm755 "bwmenu" "$out/bin/bwmenu"
    install -Dm755 "lib-bwmenu" "$out/bin/lib-bwmenu" # TODO don't put this in bin
    install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi"
    install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi/img"
    install -Dm644 "README.md" "$out/usr/share/doc/bitwarden-rofi/README.md"
    install -Dm644 img/* "$out/usr/share/doc/bitwarden-rofi/img/"
    wrapProgram "$out/bin/bwmenu" --prefix PATH : ${lib.makeBinPath bins}
  '';
  meta = with lib; {
    description = "Wrapper for Bitwarden and Rofi";
    homepage = "https://github.com/mattydebie/bitwarden-rofi";
    license = licenses.gpl3;
    platforms = platforms.linux;
  };
 }
--- a/pkgs/lego-latest/default.nix
+++ b/pkgs/lego-latest/default.nix
@ -0,0 +1,39 @@
 {
  lib,
  fetchFromGitHub,
  buildGoModule,
 }:
 buildGoModule rec {
  pname = "lego";
  version = "4.21.0";
  src = fetchFromGitHub {
    owner = "go-acme";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-3dSvQfkBNh8Bt10nv4xGplv4iY3gWvDu2EDN6UovSdc=";
  };
  vendorHash = "sha256-teA6fnKl4ATePOYL/zuemyiVy9jgsxikqmuQJwwA8wE=";
  doCheck = false;
  subPackages = [ "cmd/lego" ];
  ldflags = [
    "-s"
    "-w"
    "-X main.version=${version}"
  ];
  meta = with lib; {
    description = "Let's Encrypt client and ACME library written in Go";
    license = licenses.mit;
    homepage = "https://go-acme.github.io/lego/";
    maintainers = teams.acme.members;
    mainProgram = "lego";
  };
  #passthru.tests.lego = nixosTests.acme;
 }
--- a/statix.toml
+++ b/statix.toml
@ -1,4 +1,4 @@
 disabled = ["empty_pattern"]
-nix_version = '2.23'
+nix_version = '2.25'
 ignore = ['.direnv']
--- a/systems/artemision/ao3_skins/happy_17th.css
+++ b/systems/artemision/ao3_skins/happy_17th.css
@ -0,0 +1,438 @@
 #footer .group,
 .post fieldset fieldset,
 fieldset fieldset {
  background: none;
 }
 #header {
  background: #000 url('https://media.archiveofourown.org/news/milestones/2024-08-seventeen-years-otw/2024-08-seventeen-years-otw-pattern.jpg');
  background-size: 350px;
 }
 #header .heading a,
 #header .primary .dropdown a:focus,
 #header .heading a:visited,
 #main .pagination .current,
 h2 {
  color: #ffe8b4;
 }
 #header .clear,
 #footer {
  border-color: #191919;
 }
 #header .actions a[href="/menu/fandoms"],
 #header .actions a[href="/menu/browse"],
 #header .actions a[href="/menu/search"],
 #header .actions a[href="/menu/about"] {
  color: #fff;
 }
 #footer ul {
  background: url('https://live.staticflickr.com/7284/9616997915_4194b6c6f7_h.jpg');
  background-size: 350px;
 }
 #footer ul li:nth-child(1) ul,
 #footer ul li:nth-child(2) ul,
 #footer ul li:nth-child(3) ul,
 #footer ul li:nth-child(4) ul {
  background: rgba(0, 0, 0, 0.0);
 }
 #header .primary {
  background: #8a1a10;
 }
 #footer {
  background: #8a1a10;
 }
 input[type="text"],
 textarea,
 select {
  background: #222;
  color: #fff;
 }
 select:focus {
  background: #2a2a2a;
 }
 option {
  background: #555;
  color: #fff;
 }
 #work form fieldset.work.meta dl dd.warning.required fieldset,
 #main form fieldset.work.meta dl dd.warning.required fieldset {
  color: #fff;
 }
 #bookmark-form form {
  background: #2a2a2a;
  color: #fff;
 }
 #error {
  color: #191919;
 }
 fieldset,
 .verbose fieldset {
  border-color: #404040;
  background: #191919;
  border: 1px solid #595959;
 }
 .search [role=tooltip] {
  background: #333;
  border: 1px solid #666;
 }
 #main a:visited {
  color: #ccc;
 }
 #main a.tag:visited:hover {
  color: #111;
 }
 body,
 .group,
 .group .group,
 .region,
 .flash,
 form dl,
 #main .verbose legend,
 .notice,
 ul.notes,
 table,
 th,
 td:hover,
 tr:hover,
 .symbol .question:hover,
 #modal,
 .ui-sortable li,
 .required .autocomplete,
 .autocomplete .notice,
 .system .intro,
 .comment_error,
 .kudos_error,
 div.dynamic,
 .dynamic form,
 #ui-datepicker-div,
 .ui-datepicker table {
  background: #191919;
  color: #eee;
  border-color: #222;
  outline: #111;
  box-shadow: none;
 }
 #header .actions a:hover,
 #header .actions a:focus,
 #header .dropdown:hover a,
 #header .open a,
 #header .menu,
 #small_login,
 .group.listbox,
 fieldset fieldset.listbox,
 .listbox,
 form blockquote.userstuff,
 input:focus,
 textarea:focus,
 li.relationships a,
 .group.listbox .index,
 .dashboard fieldset fieldset.listbox .index,
 #dashboard a:hover,
 th,
 #dashboard .secondary,
 .secondary,
 .thread .even,
 .system .tweet_list li,
 .ui-datepicker tr:hover {
  background: #2A2A2A;
 }
 a,
 a.tag,
 a:link,
 #header a:visited,
 #header .primary .open a,
 #header .primary .dropdown:hover a,
 #header #search input:focus,
 #header #search input:hover,
 .userstuff h2,
 #dashboard a,
 #dashboard span,
 #dashboard .current,
 .group .heading,
 .filters dt a:hover {
  color: #fff;
 }
 #header .dropdown .menu a:hover,
 #header .dropdown .menu a:focus,
 .splash .favorite li:nth-of-type(odd) a,
 .ui-datepicker td:hover,
 #tos_prompt .heading,
 #tos_prompt [disabled] {
  background: #111;
  color: #ffe8b4;
 }
 #outer,
 .javascript,
 .statistics .index li:nth-of-type(even),
 #tos_prompt,
 .announcement input[type="submit"] {
  background: #191919;
 }
 #dashboard ul,
 dl.meta,
 .group.listbox,
 fieldset fieldset.listbox,
 #main li.blurb,
 form blockquote.userstuff,
 div.comment,
 li.comment,
 .toggled form,
 form dl dt,
 form.single fieldset,
 #inner .module .heading,
 .bookmark .status span,
 .splash .news li,
 .filters .group dt.bookmarker {
  border-color: #555;
 }
 .group.listbox,
 fieldset fieldset.listbox,
 #main li.blurb,
 .wrapper,
 #dashboard .secondary,
 .secondary,
 form blockquote.userstuff,
 .thread .comment,
 .toggled form {
  box-shadow: 1px 1px 3px #000;
 }
 #dashboard .current,
 .actions a:active,
 a.current,
 .current a:visited,
 span.unread,
 .replied,
 span.claimed,
 dl.index dd,
 .own,
 .draft,
 .draft .unread,
 .child,
 .unwrangled,
 .unreviewed,
 .ui-sortable li:hover {
  background: #000;
  border-color: #555;
  box-shadow: -1px -1px 3px #000;
 }
 input,
 textarea {
  box-shadow: inset 0 1px 2px #000;
 }
 li.blurb,
 .blurb .blurb,
 .listbox .index,
 fieldset fieldset.listbox,
 .dashboard .listbox .index {
  box-shadow: inset 1px 1px 3px #000;
 }
 #footer a:hover,
 #footer a:focus,
 .autocomplete .dropdown ul li:hover,
 .autocomplete .dropdown li.selected,
 a.tag:hover,
 .listbox .heading a.tag:visited:hover,
 .symbol .question {
  background: #ffedc5;
  border-color: #988352;
  color: #111;
 }
 #header #greeting img,
 #header .user a:hover,
 #header .user a:focus,
 #header fieldset,
 #header form,
 #header p,
 #dashboard a:hover,
 .actions a:hover,
 .actions input:hover,
 .delete a,
 span.delete,
 span.unread,
 .replied,
 span.claimed,
 .draggable,
 .droppable,
 span.requested,
 a.work,
 .blurb h4 a:link,
 .blurb h4 img,
 .splash .module h3,
 .splash .browse li a:before,
 .required,
 .error,
 .comment_error,
 .kudos_error,
 a.cloud7,
 a.cloud8,
 #tos_prompt .heading {
  color: #ffe8b4;
 }
 #greeting .icon,
 #dashboard,
 #dashboard.own,
 .error,
 .comment_error,
 .kudos_error,
 .LV_invalid,
 .LV_invalid_field,
 input.LV_invalid_field:hover,
 input.LV_invalid_field:active,
 textarea.LV_invalid_field:hover,
 textarea.LV_invalid_field:active,
 .qtip-content {
  border-color: #8a1a10;
 }
 .splash .favorite li:nth-of-type(odd) a:hover,
 .splash .favorite li:nth-of-type(odd) a:focus .splash .favorite li:nth-of-type(odd) a:visited:hover,
 .splash .favorite li:nth-of-type(odd) a:visited:focus {
  background: #ffe8b4;
  color: #111;
 }
 a:visited,
 .actions a:visited,
 .action a:link,
 .action a:visited,
 .listbox .heading a:visited,
 span.series .divider {
  color: #999;
 }
 .actions a,
 .actions a:link,
 .action,
 .action:link,
 .actions input,
 input[type="submit"],
 button,
 .current,
 .actions label,
 #header .actions a,
 #outer .current {
  background: #555;
  border-color: #222;
  color: #eee;
  box-shadow: inset 0 -8px 4px #232323, inset 0 8px 7px #555;
  text-shadow: none;
 }
 .actions a:hover,
 .actions input:hover,
 #dashboard a:hover,
 .actions a:focus,
 .actions input:focus,
 #dashboard a:focus,
 .actions .disabled select {
  color: #999;
  border-color: #000;
  box-shadow: inset 2px 2px 2px #000;
 }
 .actions a:active,
 .current,
 a.current,
 .current a:visited {
  color: #fff;
  background: #555;
  border-color: #fff;
  box-shadow: inset 1px 1px 3px #191919;
 }
 .delete a,
 span.delete {
  box-shadow: -1px -1px 2px rgba(255,255,255.25);
 }
 .actions label.disabled {
  background: #222;
  box-shadow: none;
 }
 ul.required-tags,
 .bookmark .status span,
 .blurb .icon {
  opacity: 0.9;
  border: 0;
 }
 #outer .group .heading,
 #header .actions a,
 fieldset.listbox .heading,
 .userstuff .heading {
  text-shadow: none;
  color: #fff;
  background: none;
 }
 #header .actions a,
 fieldset fieldset,
 .mce-container button,
 .filters .expander,
 .actions .disabled select {
  box-shadow: none;
 }
 fieldset fieldset.listbox {
  outline: none;
 }
 form dd.required {
  color: #eee;
 }
 .mce-container input:focus {
  background: #F3EFEC;
 }
 .announcement .userstuff a,
 .announcement .userstuff a:link,
 .announcement .userstuff a:visited:hover {
  color: #111;
 }
 .announcement .userstuff a:visited {
  color: #666;
 }
 .announcement .userstuff a:hover,
 .announcement .userstuff a:focus {
  color: #999;
 }
 .event.announcement .userstuff a,
 .filters .expander {
  color: #eee;
 }
--- a/systems/artemision/configuration.nix
+++ b/systems/artemision/configuration.nix
@ -31,7 +31,7 @@
  };
  boot = {
-    kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
+    kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
    useSystemdBoot = true;
    default = true;
  };
@ -44,6 +44,7 @@
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  services = {
    flatpak.enable = true;
    calibre-web = {
      enable = true;
      listen = {
@ -70,7 +71,7 @@
        }) { inherit (pkgs) system; }).fwupd;
    };
-    fprintd.enable = true;
+    fprintd.enable = lib.mkForce false;
    openssh.enable = lib.mkForce false;
    spotifyd = {
@ -84,6 +85,10 @@
      };
      #systemd.services.spotifyd.serviceConfig = systemd.services.spotifyd.
    };
    rad-dev.yubikey = {
      enable = true;
      enable-desktop-app = true;
    };
  };
  users.users.alice.extraGroups = [ "calibre-web" ];
@ -91,6 +96,8 @@
  system.autoUpgrade.enable = false;
  system.stateVersion = "24.05";
  programs.adb.enable = true;
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
--- a/systems/artemision/desktop.nix
+++ b/systems/artemision/desktop.nix
@ -3,10 +3,30 @@
 {
  # installs hyprland, and its dependencies
-  programs.hyprland = {
+  programs = {
    hyprland = {
      enable = true;
      xwayland.enable = true;
    };
    hyprlock.enable = true;
    gnupg.agent = {
      enable = true;
      #pinentryPackage = pkgs.pinentry-rofi;
      pinentryPackage = pkgs.pinentry-gnome3;
      #settings = {
      #  keyserver-options = "auto-key-retrieve";
      #  auto-key-locate = "hkps://keys.openpgp.org";
      #  keyserver = "hkps://keys.openpgp.org";
      #keyserver  =  "hkp://pgp.mit.edu";
      # "na.pool.sks-keyservers.net"
      # "ipv4.pool.sks-keyservers.net"
      # "p80.pool.sks-keyservers.net"
      # ];
      #};
    };
    ydotool.enable = true;
  };
  # Optional, hint electron apps to use wayland:
  environment.sessionVariables.NIXOS_OZONE_WL = "1";
  xdg.portal = {
@ -39,20 +59,11 @@
    };
  };
-  programs.gnupg.agent = {
+  powerManagement = {
    enable = true;
-    #pinentryPackage = pkgs.pinentry-rofi;
+    resumeCommands = ''
-    pinentryPackage = pkgs.pinentry-gnome3;
+      ${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
-    #settings = {
+    '';
    #  keyserver-options = "auto-key-retrieve";
    #  auto-key-locate = "hkps://keys.openpgp.org";
    #  keyserver = "hkps://keys.openpgp.org";
    #keyserver  =  "hkp://pgp.mit.edu";
    # "na.pool.sks-keyservers.net"
    # "ipv4.pool.sks-keyservers.net"
    # "p80.pool.sks-keyservers.net"
    # ];
    #};
  };
  environment.systemPackages = with pkgs; [
--- a/systems/artemision/fonts.nix
+++ b/systems/artemision/fonts.nix
@ -3,17 +3,13 @@
  fonts = {
    fontconfig.enable = true;
    enableDefaultPackages = true;
-    packages = with pkgs; [
+    packages = with pkgs.nerd-fonts; [
-      (nerdfonts.override {
+      fira-code
-        fonts = [
+      droid-sans-mono
-          "FiraCode"
+      hack
-          "DroidSansMono"
+      dejavu-sans-mono
-          "Hack"
+      noto
-          "DejaVuSansMono"
+      open-dyslexic
          "Noto"
          "OpenDyslexic"
        ];
      })
    ];
  };
 }
--- a/systems/artemision/hardware.nix
+++ b/systems/artemision/hardware.nix
@ -20,6 +20,9 @@
      "usb_storage"
      "usbhid"
      "sd_mod"
      "ip_vs"
      "ip_vs_rr"
      "nf_conntrack"
    ];
    initrd.kernelModules = [
      "dm-snapshot"
@ -52,7 +55,6 @@
      options = [
        "noatime"
        "nodiratime"
        "discard"
      ];
    };
@ -62,7 +64,6 @@
      options = [
        "noatime"
        "nodiratime"
        "discard"
      ];
    };
@ -72,7 +73,6 @@
      options = [
        "noatime"
        "nodiratime"
        "discard"
      ];
    };
@ -82,12 +82,11 @@
      options = [
        "noatime"
        "nodiratime"
        "discard"
      ];
    };
  };
-  swapDevices = [ { device = "/dev/disk/by-uuid/7f0dba0f-d04e-4c94-9fba-1d0811673df1"; } ];
+  swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
  boot.initrd.luks.devices = {
    "nixos-pv" = {
--- a/systems/artemision/programs.nix
+++ b/systems/artemision/programs.nix
@ -3,6 +3,7 @@
  environment.systemPackages = with pkgs; [
    act
    alacritty
    attic-client
    amdgpu_top
    bat
    bitwarden-cli
@ -12,12 +13,14 @@
    calibre
    # calibre dedrm?
    candy-icons
-    nemo-with-extensions
+    chromium
    chromedriver
    croc
    deadnix
    direnv
    discord
    discord-canary
    easyeffects
    eza
    fanficfare
    ferium
@ -29,22 +32,28 @@
    glances
    gpu-viewer
    grim
-    headsetcontrol
+    helvum
    htop
    hwloc
    ipmiview
    iperf3
-    ipscan
+    # ipscan
    jp2a
    jq
    kdePackages.kdenlive
    kitty
    kubectl
    kubernetes-helm
    libtool
    lsof
    lynis
    masterpdfeditor4
    minikube
    mons
    mpv
    # nbt explorer?
    ncdu
    nemo-with-extensions
    neofetch
    neovim
    nix-init
@ -53,6 +62,8 @@
    nix-tree
    nixpkgs-fmt
    nmap
    obs-studio
    obsidian
    ocrmypdf
    pciutils
    #disabled until wxpython compat with python3.12
@ -60,6 +71,7 @@
    prismlauncher
    protonmail-bridge
    protontricks
    proxychains
    qrencode
    rad-pkgs.ftb-app
    redshift
@ -67,10 +79,12 @@
    ripgrep
    rpi-imager
    rofi-wayland
    samba
    signal-desktop
    # signal in tray?
    siji
    simple-mtpfs
    skaffold
    slack
    slurp
    smartmontools
@ -85,16 +99,17 @@
    tig
    tokei
    tree
    unzip
    unipicker
    unzip
    uutils-coreutils-noprefix
    ventoy
    vesktop
    vscode
    watchman
    wget
    wl-clipboard
-    xboxdrv
+    yq
-    yubioath-flutter
+    yt-dlp
    zoom-us
    zoxide
    zoom
--- a/systems/artemision/secrets.yaml
+++ b/systems/artemision/secrets.yaml
@ -1,17 +1,17 @@
-hello: ENC[AES256_GCM,data:UJlsd5kvnhEv7eJeYwg+NHm9sgUAxYM5DoR0gDPLi9J7P+8FI8WPMkN1wEAHJA==,iv:NFSdZQ1OK4BT+EAGZz122NB7WrVCEzv4wwMxFIE/OKI=,tag:6YT7Vw8tFrw9iEFKxeKRFQ==,type:str]
+hello: ENC[AES256_GCM,data:BTCBuBxHFO8vwXU/bsAZryM5rXUOEi0brlvq6DtqfZbzxGz4LaW89VO75MERHQ==,iv:fwqI3arwtlZQ5DtvpVbh21ThuZP8zcqCHsmuJuCfCsY=,tag:tkkEO8/eEDCakdlT0NvajA==,type:str]
-example_key: ENC[AES256_GCM,data:KMXgMrqe7M101ZMJ2g==,iv:MJ3Iiu/0KIVhPFnqfovysqvPJAv1OsnxE4VIsuexFkE=,tag:X6KIKNGym8/9VglmG3SNRw==,type:str]
+example_key: ENC[AES256_GCM,data:xzsymSb4oD70twtoKQ==,iv:9vBmAKET2VIuDSq7AOyvdYWLGlL6cYHTWxy/Z5bB1+c=,tag:NbV4eA2aaY4cQAKUy3QOpw==,type:str]
-#ENC[AES256_GCM,data:QR3WNE/a1hZIXnTjFjK3kA==,iv:eXoZJ5rQaYqN7LjEp2M13OCMwuQ+80M5AXjV0uNc4C8=,tag:sCvL6pr9zAyWZziffVFMzg==,type:comment]
+#ENC[AES256_GCM,data:zeOCzRd/nFRhbANHxPyyjw==,iv:9MmHl3OyhJHVU+cUFJ4QitHd4SeDe3ctaky+yfvk8Zs=,tag:uPGRJtgQj1vIdLt2+w0krg==,type:comment]
 example_array:
-    - ENC[AES256_GCM,data:g8PulCLrXZYSEdZJELE=,iv:irGwciFn1zXBxFpGAJtD46EQLGUO5oqdCzRgv1204JE=,tag:2MuDdRYMjhtTY++lPuj1FQ==,type:str]
+    - ENC[AES256_GCM,data:Nwn96XJv8xZWRYv8qws=,iv:K30LBMC8e1vUS0XE+4EIYb3xUUyn6232YmhV2vI9Qnc=,tag:HRe3S88zwj/CjG6NTvjdRQ==,type:str]
-    - ENC[AES256_GCM,data:qv7GvmoOX8VSdaiW/90=,iv:6NOWeWqHUV9ciKPmZF4C7ijuIPFr3YZi3Dh7xWnb07k=,tag:VHXdBhWmEpb7uavCPqGZ4w==,type:str]
+    - ENC[AES256_GCM,data:l2nuwoAbwaDFHpEWV1Y=,iv:7/2rTd8agUvx73eftpOgidV4XjDUv/JppLIIsiuycnU=,tag:Ohi4JULWDNXJPWZaeXHEdw==,type:str]
-example_number: ENC[AES256_GCM,data:g8BIEIcwKRLSbw==,iv:Ay4aiukAvXeDhzlpMPn++zR0Tt2lMqCx362uN37S+ac=,tag:NTtNaIu5u8YsIm0M4OgL0A==,type:float]
+example_number: ENC[AES256_GCM,data:toi1e/biUd2Tng==,iv:MPCfhhX9DDaOSzx/L5LTf2VYffin8XvxVyhNDqZLsec=,tag:tE/lml3afP/NjRtpPraoRQ==,type:float]
 example_booleans:
-    - ENC[AES256_GCM,data:94T9mg==,iv:qKGJke4SGhgN09Yebh5MPrRBDNnguJQ+1dl5XQffGZQ=,tag:0Pa3eujmSxDCnAHKHsx6yQ==,type:bool]
+    - ENC[AES256_GCM,data:02CVNA==,iv:L9GmIm9ynm2cWTyd3iYo4fgIeneUyFpEzzzxicM/YNI=,tag:k2EIboiL+c4W1H2OpA2Rqw==,type:bool]
-    - ENC[AES256_GCM,data:gEvfi+Q=,iv:0DrXoZk8OkdUShc7WAKOL8xG26RFZp3M3qYFAb1hDAs=,tag:uemBrdF87nrfLpfnQ8bD8g==,type:bool]
+    - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
 apps:
-    spotify: ENC[AES256_GCM,data:bp1pdOfS+VGWLtepUjg7KFWw8Fk=,iv:twGO3CjzRxAU81C93mX8qIEZ/FYIQRJnMd2HIuvP9q8=,tag:AJgs0QGFH30E8+ZpaB02TQ==,type:str]
+    spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
-wifi-env: ENC[AES256_GCM,data:NGI090aVGojJ7+lvcknJfZBQKb0b/tUrd2AqEl5IWQWCJdqqaO4pCrs3C+IW06/pz9FWgMxx9tPu32xmMZaPnnlLD+XyVJ71L2P22U6YufRPRfvyv6swOlihscOZ5tsFFYShjXpow0PfmYS+tP9mYLb2RYFLGQmvI4fa4LaVjuwPXAMg3RN/gVXR6bMEpd/7OIr+tIxC5sTE7V7fIbyzcn4=,iv:VbtgvwMHo1iLuTKCA7KjEXC1d1MY4aHfmXI6yuCGZVI=,tag:dGmw+icLKL9dJQExy83m1A==,type:str]
+wifi-env: ENC[AES256_GCM,data:G+z+fURk4rT61I5BiFzEJJt35jywPNrGpn1QGNhjvxrqPQ/Sq/hIHmQo+bqe9yJeDgMX3RY4EaiZxFTJyxPfW1czjuMSj3vbTp0WcDmGvUJ7li2pX2pzolgly4qmgoOluGBeRZWVLLOZYFB2+kLRMJNNz/bP5k2Eq6O4+l4sljPM+abn9iz9Eh46rVOVRkmDzCltJrYiuBSiSPhTDRTP2+gUbgbaUJTkVrVLUBHg3QU6az6VPN8DPZxbx4LtdaIb93pI,iv:uUfJK/iPdyLP7LqZJolTGGTxaEzlJI59bUVNcB1etkU=,tag:tvXSXSW1MIhLJceEK1afuw==,type:str]
-#ENC[AES256_GCM,data:pC2Kdy7wNc0=,iv:J7Ggfv6K3dCzL42j5MGd+BjQGseoAoYs4k6+yc3FSiA=,tag:9MriduP9SEIi+c1q4tfzlQ==,type:comment]
+#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
 sops:
    kms: []
    gcp_kms: []
@ -21,34 +21,26 @@ sops:
        - recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZUNHeDdqaGt0QnFIejdM
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbElNRkxyZ2VjaitiTWx2
-            MU5uaDNiN2xOeVlZNzQyZXZ0R2NYUU83ZWxrCmNDL3J6ZjNmejBuUXk3cldwZUEz
+            eThsY0h3a2NCZDloWG0rU1ZwVnhOY2VJTXlFCnp3UzNDR216L2R4cVdyWjFqbkRr
-            UWVqMTVPelN1MTJDNzc0UU9XNWkralUKLS0tIDU2b053Uk5VZGlWUk9XMXZ5Wllk
+            cFJGQjQ4Qk9zblYyckVFY3VNekNuajQKLS0tIEdRWldHMjlpTElxQWFVUlh4L1lz
-            UlhhNzNjTHdVaXlPOFJhc0EyZGh3RDQK1c7nctmrorze4Kr0Grmcmx3N/UYXPwJc
+            d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
-            FfClOoGxO+4ZDtxG61SDU1UdYae4loQ8roM8jDIPFMfoEum2bT8oXw==
+            D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-03T02:45:15Z"
+    lastmodified: "2024-11-28T18:57:09Z"
-    mac: ENC[AES256_GCM,data:PsEeb2leFb500YYHg+5YHwGVHKUPB7qVqaJY66hnkmCa5MKAZkHqSgtVvh+Ai4fN9E+WFtjlso2a4oasQMNwVXsmt54+q1/Mz5zF2D/1nvaNL76fEod2YXp2jlGxNniyPfRaZXDu+QQLhoz2PBoe6OQ9E5WRDV88j7gksy6GePw=,iv:H7Q9fbvdgh+NZNyyupByQETWsgpXVXn0blQV1Ww7eQM=,tag:cpWykzgH9/mWTKxmEDZ9PA==,type:str]
+    mac: ENC[AES256_GCM,data:hKhAo7rDplLm19PlrKHQwxnDVXCMU/xpAxPALLDBa0M3yypy2QVD6c6Atn897tYRKf7oeLaUKqnUYdCcZ9gVgm37LS+GtRhf66zfvcKqhZF8wh3M0zTDPYpQDhex0N4BAJ/dcaYIbxqE9pEUxJOI5jip/hptaCJItTEe7oARcF4=,iv:EUayxLaOPcnWX+S9+RlHrxzJRLlSSLIwqbAq3fFI4yg=,tag:LiBsqIodTWamO+c8FqGBag==,type:str]
    pgp:
-        - created_at: "2024-03-23T05:46:35Z"
+        - created_at: "2024-11-28T18:57:09Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA84hNUGIgI/nAQ/+IwyPDjs/jDCBlnYFboHh6TXx8ulysESst4hz5crM4L0u
+            hF4DQWNzDMjrP2ISAQdALiZMzuQViM23hoFebCXYfQUIvCluWqAEeSJyE/LRHG8w
-            wylKyfEIBx0eLy0mLLA4DhcpYza0Nry5RLdwDNfimhATErfQxnwqlZ6RnYKnh3Hk
+            nQnIVPRIbzLzWfCf+48EW6f7zonHmNY7D9F9KohDmCTcJ5/WvXsJKjebuohR62TF
-            93L66+BEKPd3EZOH+RC/wb0qiTDmU0yna8jtVO0uU7s6//hm/g7bdmQAK0YIJLcb
+            1GYBCQIQq7nEvwSfn+l5AevKIiodA4BLfM326JSx5hJ6XdrE0MzZo1uoMwKKuxig
-            sd83n99R4oHVrq7iFc74/AV5isW9GcfmvLI94eodFpaE1dpqm4KzNpLueDCOvA/1
+            mPbDP8Rx51v9f+9DzjBg6kQD5w411HADL8th+wSkpmasP8ozIeiNiIKzzoJc/fD6
-            vPo5Lgtp9WM4FhXUqMiplCNqMIt+Hyj3F+p+9jgQ2dLfHuVkI8pzd47gOHyMDYPy
+            AOsExCUt8FU=
-            fn6SVKZtOyfNDwhs7L5piiarSXISBGtx36ISDvtvtr/vgMydTdvILIOo9pkSGVtN
+            =wRT+
            4W7+ywMaFjfAeShTVtUJNJqmp/8agt2WtaUX4kPPha4SxlNSOMpeTQ31bs89gBtc
            g2325afL2WPK4NSAOmU8VMXqmFc2A10aFlx5nsfT4S1wkoNbitTWgoAcCa7kGRPW
            xZca225cwLUzkggv74cfYT3YnQL40AMSOMqSRS8pbTFEENG1BtsB5A++Jji2i4tO
            xoGIL8LRCEfiHpTC7eBwDDVmKb5StgKsXs6yYbQG5XW2W+/Jgum64Sb7+LviQ9Mq
            WHNiu5MZPeKyHFu9jI9Ne1HpYJnb7/X9AxFw2e/vFwVn+kjaXcH/PhsYuPUyqkzS
            XgG3tFbcgNtMWyoLU2EL1Qvwq1pHVrwmeNXHidESx23HeJtnIwoKkdopl4qqqNle
            uQYP89bvb6zFWlqOSwLORZmj1W1wVTYV9eXplDbJob8agBKIcIuhtwri5e96gf4=
            =XdJo
            -----END PGP MESSAGE-----
-          fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
+          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1
--- a/systems/artemision/steam.nix
+++ b/systems/artemision/steam.nix
@ -4,7 +4,10 @@
  environment.systemPackages = [ pkgs.steam-run ];
  hardware.steam-hardware.enable = true;
  programs = {
-    gamescope.enable = true;
+    gamescope = {
      enable = true;
      capSysNice = true;
    };
    steam = {
      enable = true;
      remotePlay.openFirewall = true;
--- a/systems/artemision/wifi.nix
+++ b/systems/artemision/wifi.nix
@ -6,25 +6,27 @@ in
 {
  networking.wireless = {
    enable = true;
-    environmentFile = config.sops.secrets."wifi-env".path;
+    secretsFile = config.sops.secrets."wifi-env".path;
    userControlled.enable = true;
    networks = {
      "taetaethegae-2.0" = {
-        psk = "@PASS_taetaethegae_20@";
+        pskRaw = "ext:PASS_taetaethegae_20";
        priority = home;
      };
      "k" = {
-        psk = "@PASS_k@";
+        pskRaw = "ext:PASS_k";
        priority = always;
      };
-      "Bloomfield".psk = "@PASS_bloomfield@";
+      "Bloomfield".pskRaw = "ext:PASS_bloomfield";
-      "9872441500".psk = "@PASS_longboat_home@";
+      "9872441500".pskRaw = "ext:PASS_longboat_home";
-      "9872441561".psk = "@PASS_longboat_home@";
+      "9872441561".pskRaw = "ext:PASS_longboat_home";
-      "5HuFios".psk = "@PASS_longboat_home@";
+      "5HuFios".pskRaw = "ext:PASS_longboat_home";
-      "24HuFios".psk = "@PASS_longboat_home@";
+      "24HuFios".pskRaw = "ext:PASS_longboat_home";
-      "Verizon_ZLHQ3H".psk = "@PASS_angie@";
+      "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
      "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
      "optimumwifi" = { };
      "CableWiFi" = { };
      "JPMCVisitor" = { };
    };
  };
--- a/systems/bob/configuration.nix
+++ b/systems/bob/configuration.nix
@ -1,106 +0,0 @@
 {
  imports = [
    ../../users/richie/global/desktop.nix
    ../../users/richie/global/ssh.nix
    ../../users/richie/global/syncthing_base.nix
    ../../users/richie/global/zerotier.nix
    ./hardware.nix
    ./nvidia.nix
    ./steam.nix
  ];
  boot = {
    useSystemdBoot = true;
    default = true;
  };
  networking = {
    networkmanager.enable = true;
    hostId = "9ab3b18e";
  };
  hardware = {
    pulseaudio.enable = false;
    bluetooth = {
      enable = true;
      powerOnBoot = true;
    };
  };
  security.rtkit.enable = true;
  services = {
    autopull.enable = false;
    displayManager.sddm.enable = true;
    openssh.ports = [ 262 ];
    printing.enable = true;
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };
    rad-dev.k3s-net.enable = false;
    syncthing.settings.folders = {
      "notes" = {
        id = "l62ul-lpweo"; # cspell:disable-line
        path = "/home/richie/notes";
        devices = [
          "phone"
          "jeeves"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
      "books" = {
        id = "6uppx-vadmy"; # cspell:disable-line
        path = "/home/richie/books";
        devices = [
          "phone"
          "jeeves"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
      "important" = {
        id = "4ckma-gtshs"; # cspell:disable-line
        path = "/home/richie/important";
        devices = [
          "phone"
          "jeeves"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
      "music" = {
        id = "vprc5-3azqc"; # cspell:disable-line
        path = "/home/richie/music";
        devices = [
          "phone"
          "jeeves"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
      "projects" = {
        id = "vyma6-lqqrz"; # cspell:disable-line
        path = "/home/richie/projects";
        devices = [
          "jeeves"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
    };
  };
  system.autoUpgrade.enable = false;
  system.stateVersion = "23.11";
 }
--- a/systems/bob/default.nix
+++ b/systems/bob/default.nix
@ -1,8 +0,0 @@
 { ... }:
 {
  users = [ "richie" ];
  system = "x86_64-linux";
  home = true;
  sops = true;
  server = false;
 }
--- a/systems/bob/hardware.nix
+++ b/systems/bob/hardware.nix
@ -1,66 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot = {
    initrd = {
      availableKernelModules = [
        "nvme"
        "xhci_pci"
        "ahci"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
      luks.devices = {
        "luks-rpool-nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2".device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2";
      };
    };
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
  fileSystems = {
    "/" = lib.mkDefault {
      device = "rpool/root";
      fsType = "zfs";
    };
    "/home" = {
      device = "rpool/home";
      fsType = "zfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/8AE6-270D";
      fsType = "vfat";
      options = [
        "fmask=0077"
        "dmask=0077"
      ];
    };
  };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp11s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/systems/bob/nvidia.nix
+++ b/systems/bob/nvidia.nix
@ -1,13 +0,0 @@
 { config, ... }:
 {
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware = {
    nvidia = {
      modesetting.enable = true;
      powerManagement.enable = true;
      package = config.boot.kernelPackages.nvidiaPackages.production;
      nvidiaSettings = true;
    };
    nvidia-container-toolkit.enable = true;
  };
 }
--- a/systems/bob/steam.nix
+++ b/systems/bob/steam.nix
@ -1,15 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = [ pkgs.steam-run ];
  hardware.steam-hardware.enable = true;
  programs = {
    steam = {
      enable = true;
      remotePlay.openFirewall = true;
      localNetworkGameTransfers.openFirewall = true;
      extraCompatPackages = with pkgs; [ proton-ge-bin ];
      extest.enable = true;
    };
  };
 }
--- a/systems/jeeves-jr/arch_mirror.nix
+++ b/systems/jeeves-jr/arch_mirror.nix
@ -1,29 +0,0 @@
 { inputs, pkgs, ... }:
 let
  vars = import ./vars.nix;
 in
 {
  virtualisation.oci-containers.containers.arch_mirror = {
    image = "ubuntu/apache2:latest";
    volumes = [
      "${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
      "${vars.main_mirror}:/data"
    ];
    ports = [ "800:80" ];
    extraOptions = [ "--network=web" ];
    autoStart = true;
  };
  systemd.services.sync_mirror = {
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    description = "validates startup";
    path = [ pkgs.rsync ];
    serviceConfig = {
      Environment = "MIRROR_DIR=${vars.main_mirror}/archlinux/";
      Type = "simple";
      ExecStart = "${inputs.arch_mirror.packages.x86_64-linux.default}/bin/sync_mirror";
    };
  };
 }
--- a/systems/jeeves-jr/configuration.nix
+++ b/systems/jeeves-jr/configuration.nix
@ -1,68 +0,0 @@
 { pkgs, ... }:
 {
  imports = [
    ../../users/richie/global/ssh.nix
    ../../users/richie/global/zerotier.nix
    ./arch_mirror.nix
    ./docker
    ./home_assistant.nix
    ./services.nix
  ];
  networking = {
    hostId = "1beb3026";
    firewall.enable = false;
  };
  boot = {
    zfs.extraPools = [ "Main" ];
    filesystem = "zfs";
    useSystemdBoot = true;
  };
  environment = {
    systemPackages = with pkgs; [ docker-compose ];
    etc = {
      # Creates /etc/lynis/custom.prf
      "lynis/custom.prf" = {
        text = ''
          skip-test=BANN-7126
          skip-test=BANN-7130
          skip-test=DEB-0520
          skip-test=DEB-0810
          skip-test=FIRE-4513
          skip-test=HRDN-7222
          skip-test=KRNL-5820
          skip-test=LOGG-2190
          skip-test=LYNIS
          skip-test=TOOL-5002
        '';
        mode = "0440";
      };
    };
  };
  services = {
    nfs.server.enable = true;
    openssh.ports = [ 352 ];
    smartd.enable = true;
    sysstat.enable = true;
    usbguard = {
      enable = true;
      rules = ''
        allow id 1532:0241
      '';
    };
    zfs = {
      trim.enable = true;
      autoScrub.enable = true;
    };
  };
  system.stateVersion = "23.05";
 }
--- a/systems/jeeves-jr/default.nix
+++ b/systems/jeeves-jr/default.nix
@ -1,7 +0,0 @@
 { ... }:
 {
  users = [
    "alice"
    "richie"
  ];
 }
--- a/systems/jeeves-jr/docker/default.nix
+++ b/systems/jeeves-jr/docker/default.nix
@ -1,11 +0,0 @@
 { lib, ... }:
 {
  imports =
    let
      files = builtins.attrNames (builtins.readDir ./.);
      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
    in
    map (file: ./. + "/${file}") nixFiles;
  virtualisation.oci-containers.backend = "docker";
 }
--- a/systems/jeeves-jr/docker/haproxy.cfg
+++ b/systems/jeeves-jr/docker/haproxy.cfg
@ -1,40 +0,0 @@
 global
  log stdout format raw local0
 defaults
  log global
  mode http
  retries 3
  maxconn 2000
  timeout connect 5s
  timeout client 50s
  timeout server 50s
  timeout http-request 10s
  timeout http-keep-alive 2s
  timeout queue 5s
  timeout tunnel 2m
  timeout client-fin 1s
  timeout server-fin 1s
 #Application Setup
 frontend ContentSwitching
  bind *:80
  bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
  mode  http
  # tmmworkshop.com
  acl host_mirror       hdr(host) -i mirror.tmmworkshop.com jeeves
  acl host_uptime_kuma  hdr(host) -i uptimekuma-jeevesjr.tmmworkshop.com
  use_backend mirror_nodes      if host_mirror
  use_backend uptime_kuma_nodes if host_uptime_kuma
 # tmmworkshop.com
 backend mirror_nodes
  mode http
  server server arch_mirror:80
 backend uptime_kuma_nodes
  mode http
  server server uptime_kuma:3001
--- a/systems/jeeves-jr/docker/uptime_kuma.nix
+++ b/systems/jeeves-jr/docker/uptime_kuma.nix
@ -1,16 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers = {
    uptime_kuma = {
      image = "louislam/uptime-kuma:latest";
      volumes = [
        "${vars.main_docker_configs}/uptime_kuma:/app/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
  };
 }
--- a/systems/jeeves-jr/docker/web.nix
+++ b/systems/jeeves-jr/docker/web.nix
@ -1,41 +0,0 @@
 { config, ... }:
 {
  virtualisation.oci-containers.containers = {
    haproxy = {
      image = "haproxy:latest";
      user = "600:600";
      environment = {
        TZ = "Etc/EST";
      };
      volumes = [
        "${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
      ];
      dependsOn = [
        "arch_mirror"
        "uptime_kuma"
      ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
    cloud_flare_tunnel = {
      image = "cloudflare/cloudflared:latest";
      cmd = [
        "tunnel"
        "run"
      ];
      environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
      dependsOn = [ "haproxy" ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/cloud_flare_tunnel".owner = "docker-service";
      "docker/haproxy_cert".owner = "docker-service";
    };
  };
 }
--- a/systems/jeeves-jr/hardware.nix
+++ b/systems/jeeves-jr/hardware.nix
@ -1,41 +0,0 @@
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  networking.useDHCP = lib.mkDefault true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  swapDevices = [ { device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; } ];
  boot = {
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
    initrd = {
      kernelModules = [ ];
      availableKernelModules = [
        "xhci_pci"
        "ahci"
        "nvme"
        "usbhid"
        "usb_storage"
        "sd_mod"
      ];
    };
  };
  fileSystems = {
    "/" = lib.mkDefault {
      device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/7295-A442";
      fsType = "vfat";
    };
  };
 }
--- a/systems/jeeves-jr/home_assistant.nix
+++ b/systems/jeeves-jr/home_assistant.nix
@ -1,17 +0,0 @@
 {
  services.home-assistant = {
    enable = true;
    openFirewall = true;
    config = {
      server_port = 8123;
      homeassistant = {
        time_zone = "America/New_York";
        unit_system = "imperial";
        temperature_unit = "F";
        longitude = 40.74;
        latitude = 74.03;
      };
    };
    extraPackages = python3Packages: with python3Packages; [ psycopg2 ];
  };
 }
--- a/systems/jeeves-jr/secrets.yaml
+++ b/systems/jeeves-jr/secrets.yaml
@ -1,65 +0,0 @@
 docker:
    cloud_flare_tunnel: ENC[AES256_GCM,data:E+XYu5AxS8Ew9OVIfbH5gLkMk+rZ4yT96tSGAwL4smedkddoevRnqil78LtFNYKV8Zo3MpuA8q/c4Me0KrrlSAvwJz1T2cev0dKnuTei3MHZxK7RwWYo9UMJH+aV+l343OY9nvGBj6ryTM3wKyUIoqSmOnRCAbYmhkkqN0wFO+Mxxqjw6nf5UEeeKb36k2NwlhjjnscOKe+wo3sXhjjzVXrE3IOUQJM3hWWukMElcYewVgJmstRidKiNCRMi1/UYMk/Nfhk=,iv:yFJ5SbHB3wZ0FEF0k9KrWye55ref7OqbQPd8oMLTmH4=,tag:p3K4yGR6X2+uKIj4H6rZ+g==,type:str]
    haproxy_cert: ENC[AES256_GCM,data:1n2BurHeWI+j7CMQ7qk3DUl+8MgqRsgtYQ1TxJKcPXuz0YBkg6SUp95lPZv6Jo+2OIaVxCoWpiuoLp8YgtJgnZo4S9QVG2qi60sWCSf4acMRSg0hIA/pdcslogZc5LrsBOTINZCODE4mz7Bya42f+RfVfwPGT7Buz8MniW6kfT9cr3iuq+BQc6513sHhDHgZJgwdfP5x9XrwEtaBl41Db7ejGTrza9jtsHqkrD8j3Pf1XJDhACrTeB7Uqh68sjwc2giAc/2bInDayvnKFHqHaLFTUMAbCeMPOiEZSK4UaWrSMk5I5wDVu8Ya8nBostHlPOBT06gFxT13aEe3Ox3/ctBm/83BXhFfjEaYy6AbMhbp29nxUogVjMICs3FiHG3XBz7vsVxxcBvLXp1Bw3ml5Vd7ACKQPe+r1T54aIdYMoab8DhKPMqb/6TQwrhWD3je4wwOHzzQq9psE1hlB2lJsRnAsVAy9a7M5aBpj0v2pCPVjxjkGHqUUgN+w4hzPPf10A0dWiaXc3k8bWcwc1SlJwHvYxphyZEjNQAzXrAkUPcuy4+9c7LwniMdu5qoUL/oZPW5VHWgtrUO9IlAgduiEujrAW96zfz4jfM0UBqJHT58l/WHHmBM8bMsRDHTnc43uvdoU+VgjtTiFERBi+Xm5mXCqWd4d5Y5P8ozIwGho8UdLqmR9Y2nth1mrs//FIh9mZ7i7QQGHBzoR7ICRDX2ghK98J4RMfF2ph0I+nhWpoCq056xItoVZyAEWQSR4ptpAaKMX4Crd3hrK6tZmyvaTrk5IsNaf5hrS+Fw8uTYUAM+3E6kb1TJwFvUH1plkwU83iBRlboRO5d1ahESp5nifZIVz+KBStLjUVWfXnelPCkH55LVnobgk0zekoEeNLKq+Q5wOBmR28rYXVp/q+FNCgxEW+tXIswmC72jbsDxM/oMHBQnYsmEy5dTxU2X/IzmrZfWod07fRblkWRplzLGyEjsY7CquHlG119LuHcWFOUGxYm3bgn1pGnIV3cBLvbInEAPK0apqSXMBSJw0mk/ihtdx8ANidMn8nhkHVjo/Bo9orH3tJdw8l7x+Cei347CkiQZz21jHvL1qcV/EAAxBnT4c5WtOljo13ntk8RiARdye4hcUXpORIUhH8zq88RNquOkF5QjV8C/u2EaUhQYqy3Xts49v7S9I8LLzjrrfY/IDQVqlJsAgkNuwvheTlya5JoeTasscLfLt3iJ7LsbzWWqQrfn3KQJp3H4Gxh/uqak/V5ROBahHQ4KpXzsDG++XLE0o7W4BFQbrBYV99mlGzB1blmX30C8S+b8n1u+oMXfH8oY20Jm5UQcV5/JNK8WG69ihonRDXdX7fy2WGzylql2hj+3aoYYdYpFAeHVLNzj9vAIxPHzvK0JmwdynsFLo4Hpyn7KN+6L3MSACjAOc3SxY20XxjmqJSWVEM0tq4Zbe/VdhOF1L4pyIBMKQC2XwrWyturTboh86qAfyxtYzEQXGLzz585nVnwj9PLmXQw98M8JWwsFq58ZsOdQZKhN3e0aSY2opSigmXQ9ZJeCF+6KbwElOSz4pDfkZIXqZc+LCzEl5IO1CxLWCTIIfN3Gx60W3vz8QohydoCBt2FLHH3lBiAEitWxYQhsfdlFExQa1/+0WSk3wK5dEA7SPaBWKq+xtPR0yUmuT/JN4VPX+hqqkVHigk8+XfqE/H1as9JbYo92N6xBd2ZrNzhFIkMykUOT+0etVtyOdXLkxdV9lwaBX9ARPHJV7g35e52UspX335aLGE0GtCaIbHRwJuENCIixo7sbdmB9i9xSTeg+7RBQAWpuR7O6firAEKWOGBaYzDUBnqt++Q2wUuMnQBJE/9bh,iv:3FuXEQxbTvbdnBnwPxF+T8QZvQoWX/WXx3lpDBXML1k=,tag:g1Y4qY+XoSA6K/LCKbllOw==,type:str]
 server-validation:
    webhook: ENC[AES256_GCM,data:/6QI+KKKJkbVO7YsxcU/gnjgp9scNzqzq56wnqAU88YdYYNU7FaRifzH00RlEb9VYvNBlT0FggnZSSX1rNN5W63tLaiYFn/GVfjlUSnwrgueTVG8Sor6HtYTIfMOdPm9B7jflpECk7ByguoDlimH0J1QrcWd+Kqx772sH63bKV1GbCaYSkRHQp9QbvbO,iv:p5W/xniUe75RqJA9PtMcNRnsY4kUBeD0p6iQDLbkSSc=,tag:dh2a8/Doyznjd1hswmXMuQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NXJJMjBjeU9XQS9YZGxQ
            V1h5RlNUVTA5Mkx3M3ZobGs5WFA0NXFGakR3CnIxVk9nYU1aWkNoZ0F0WGd0ck5Q
            VWpSU0ZRdENTWnFVOVNQY0Z4ems4MEUKLS0tIFVqcGJtZWRxSTZwZWhjYm56bnkr
            QmcxMmhaaGZXU1VFN0pvT1VDN3hpcGsKXUlVytBrz8sUorTSHXZaOMYA5U6qUpas
            ZJiHtVGxRVwCpraHWLmQTRkO6pT36cEVsfsMnFH6NLOMOvA3vLX8/g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-07-07T23:09:51Z"
    mac: ENC[AES256_GCM,data:nZPpOrOSKc+7dcbpBdZRH5FLih6o5Ii5bLWgzZ7xP/BZ36vp7ypdncE/jS0/Rz2AiOOrK0G9ovEOoL7jOMrqaUBAJNPzXTX/IdOcFrsxPL47saZKWQHqXkGXrX49nafeea7VtEvoM4qK2AiyYl2ogir+Mw304mhDIUqHhPNNvQs=,iv:ykOg2Pxpp+Sap648UZaiaRVMutWTdUXvP+Pi2cWy86g=,tag:AARw0YmjcesHLdS31i+B3g==,type:str]
    pgp:
        - created_at: "2024-03-23T05:49:12Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA84hNUGIgI/nARAAgcuMhO3nmxYY8KiW6AYxU2rFo2OQnpzZVtbMJB43wDQX
            0UAOVmUyhGM2wd3tJgnvyfnguy6p3LfjZrXdTkTzrv5yCJVvKXhORcLisjaXLS8H
            TCe9Fa4I9CvKo/yyRsRYS59niql0ocTs1Eb7cLiKuX19RIuQ7TjMPnjkdj5xXooa
            kPJXfwL1SpUU3kjhuTHqWlD0m5t0RPiTpDym8fExMSvbTWyMY0BPA+qD1atMeUik
            i3x2boqfoyD1GZ64Z5NrxRD0dN6TQvJLX1K1XTzanUhvfsy/PvDftCHKQc2n2Opk
            btnKZa1mfiiLUQly+njSvH8ERYg27j5ACEQ0V9rtGPa3xnVYZm6Z5h0v68aqsotJ
            aOzJa7/k0ZV/tBD1pT+9T2a/W9v4U+KdKKL19ebNvMtFxy50jN8SQsrTtxv5G5fA
            sc+HkrcnLezFHYtGG85PfbTGsKMWpwu+4BrcmuW6dBcADZ1fZdkqgi+GcYGL2xy1
            bddjuOWnzXb93t1pSIkaHcVWc6s5Atf3IB/liyNEux4kdquOHZQJi0WBi0l8GEmG
            /ggJN4shRqtMqEkomaZkyZMsHnkmenusjbIlKJrwolhZSyDP8Kk5iPYXMxG21vrr
            YpWHr388q8H7+ksnxYiNFXyY2cQKtOsD3UMIV8edMc/lHjTOi0BFNMHmU3WDsajS
            XAGXsys00baAzcQHIS0jijU4mJQAqYL3S7FrcDGW8qhTGFpQ8ngVLvwLfqMvUn8v
            LB3M5/7+Ld8xV4AZWr8mvv+7ZNNnnZzImETCLnekfvLEV9F2pTCH2Z21RPEL
            =XWl7
            -----END PGP MESSAGE-----
          fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
        - created_at: "2024-03-23T05:49:12Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA29thaGx06tOARAAoI93A3cy3V2dJo8HBIrLC2RK3SKBkPiPFjWO/Zvnv8Q0
            IhfzjusX+3f8HIa3CxJjTbOktcq+A2a4EyBes2Rd4bX9H2Fs2VVrSmUf3S/dO1b5
            GiZamHnC+1zsXUB5IFcfjMSzeKKsOWYu9DmUcalsseo/XVJjxw9DzRnPUesI/aMs
            y5kKKtNDcvAK4AWidME6LTP9FgiMx09sQfuAl4YCJv1trOvxt+dN932fbAkHVAq0
            Lc90rG6LDLT1w/8i9evBRRX/ZexAI3vTGn/nTqKi+B9BdFA4dY0KiHtGIS+UNtNo
            vL6PTKIRejGfqt13DwUWRobKnezcpJkTkdz+Pa+cQhdwSL2tFjr0hEbZL3e76YEx
            CNsgbB9h0pIm/2YvhG1k0f0skWfjXLAtR6PQPKu1OycppX02fbK9XRShb+Fik7P+
            GfFLxf4JYAMMOHsxP30EVQONiR9XsITH149GSZ3nTBX7vUsk3b7Z+ou1Ma27EhiW
            iPWTqpDgLQ/VZW+027h/l8iwv52L8eE6Y+LE32jNUTQjMW3OWKw9zknX4wciNR07
            EPAy8eC9rfhUVnTB7RJlTOY03yyEiBjowJn/0e0g8+AUMKC4mAuasPUwPhptQ6pH
            8up/75WglUAg04eni0p5g6X7rGj+09OEDNMtvYVt7HglX7T86O2sBcVKa/j095jS
            XAGIy2HXf+By9BFKM4q6uuAh4QceHn2QaQ/ckhYGMrHulzAeORPxYaYdXoeEj18k
            auBqSPzj8E9yPi4jl+miEO9BgVhRW45cxBbn2XV2KE08PIP9mZ2jxK9Ne4HQ
            =jkZ+
            -----END PGP MESSAGE-----
          fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/systems/jeeves-jr/services.nix
+++ b/systems/jeeves-jr/services.nix
@ -1,33 +0,0 @@
 {
  config,
  inputs,
  pkgs,
  ...
 }:
 {
  systemd = {
    services.startup_validation = {
      requires = [ "network-online.target" ];
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      description = "validates startup";
      path = [ pkgs.zfs ];
      serviceConfig = {
        Type = "oneshot";
        EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
        ExecStart = "${inputs.server_tools.packages.x86_64-linux.default}/bin/validate_jeevesjr";
      };
    };
    timers.startup_validation = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "10min";
        Unit = "startup_validation.service";
      };
    };
  };
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets."server-validation/webhook".owner = "root";
  };
 }
--- a/systems/jeeves-jr/vars.nix
+++ b/systems/jeeves-jr/vars.nix
@ -1,10 +0,0 @@
 let
  zfs_main = "/ZFS/Main";
 in
 {
  inherit zfs_main;
  # main
  main_docker = "${zfs_main}/Docker";
  main_docker_configs = "${zfs_main}/Docker/configs";
  main_mirror = "${zfs_main}/Mirror";
 }
--- a/systems/jeeves/arch_mirror.nix
+++ b/systems/jeeves/arch_mirror.nix
@ -1,29 +0,0 @@
 { inputs, pkgs, ... }:
 let
  vars = import ./vars.nix;
 in
 {
  virtualisation.oci-containers.containers.arch_mirror = {
    image = "ubuntu/apache2:latest";
    volumes = [
      "${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
      "${vars.media_mirror}:/data"
    ];
    ports = [ "800:80" ];
    extraOptions = [ "--network=web" ];
    autoStart = true;
  };
  systemd.services.sync_mirror = {
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    description = "validates startup";
    path = [ pkgs.rsync ];
    serviceConfig = {
      Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
      Type = "simple";
      ExecStart = "${inputs.arch_mirror.packages.x86_64-linux.default}/bin/sync_mirror";
    };
  };
 }
--- a/systems/jeeves/configuration.nix
+++ b/systems/jeeves/configuration.nix
@ -1,170 +0,0 @@
 { pkgs, ... }:
 let
  vars = import ./vars.nix;
 in
 {
  imports = [
    ../../users/richie/global/ssh.nix
    ../../users/richie/global/syncthing_base.nix
    ../../users/richie/global/zerotier.nix
    ./arch_mirror.nix
    ./docker
    ./programs.nix
    ./services.nix
  ];
  networking = {
    hostId = "1beb3027";
    firewall.enable = false;
  };
  boot = {
    zfs.extraPools = [
      "media"
      "storage"
      "torrenting"
    ];
    filesystem = "zfs";
    useSystemdBoot = true;
  };
  environment = {
    systemPackages = with pkgs; [ docker-compose ];
    etc = {
      # Creates /etc/lynis/custom.prf
      "lynis/custom.prf" = {
        text = ''
          skip-test=BANN-7126
          skip-test=BANN-7130
          skip-test=DEB-0520
          skip-test=DEB-0810
          skip-test=FIRE-4513
          skip-test=HRDN-7222
          skip-test=KRNL-5820
          skip-test=LOGG-2190
          skip-test=LYNIS
          skip-test=TOOL-5002
        '';
        mode = "0440";
      };
    };
  };
  services = {
    nfs.server.enable = true;
    openssh.ports = [ 629 ];
    plex = {
      enable = true;
      dataDir = vars.media_plex;
    };
    smartd.enable = true;
    sysstat.enable = true;
    syncthing.guiAddress = "192.168.90.40:8384";
    syncthing.settings.folders = {
      "notes" = {
        id = "l62ul-lpweo"; # cspell:disable-line
        path = vars.media_notes;
        devices = [
          "bob"
          "phone"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
      "books" = {
        id = "6uppx-vadmy"; # cspell:disable-line
        path = "${vars.storage_syncthing}/books";
        devices = [
          "bob"
          "phone"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
      "important" = {
        id = "4ckma-gtshs"; # cspell:disable-line
        path = "${vars.storage_syncthing}/important";
        devices = [
          "bob"
          "phone"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
      "music" = {
        id = "vprc5-3azqc"; # cspell:disable-line
        path = "${vars.storage_syncthing}/music";
        devices = [
          "bob"
          "phone"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
      "projects" = {
        id = "vyma6-lqqrz"; # cspell:disable-line
        path = "${vars.storage_syncthing}/projects";
        devices = [
          "bob"
          "rhapsody-in-green"
        ];
        fsWatcherEnabled = true;
      };
    };
    usbguard = {
      enable = false;
      rules = ''
        allow id 1532:0241
      '';
    };
    zfs = {
      trim.enable = true;
      autoScrub.enable = true;
    };
  };
  systemd = {
    services."snapshot_manager" = {
      description = "ZFS Snapshot Manager";
      requires = [ "zfs-import.target" ];
      after = [ "zfs-import.target" ];
      serviceConfig = {
        Environment = "ZFS_BIN=${pkgs.zfs}/bin/zfs";
        Type = "oneshot";
        ExecStart = "${pkgs.python3}/bin/python3 ${vars.media_scripts}/ZFS/snapshot_manager.py --config-file='${./snapshot_config.toml}'";
      };
    };
    timers."snapshot_manager" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "15m";
        OnUnitActiveSec = "15m";
        Unit = "snapshot_manager.service";
      };
    };
  };
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      "zfs/backup_key".path = "/root/zfs/backup_key";
      "zfs/docker_key".path = "/root/zfs/docker_key";
      "zfs/main_key".path = "/root/zfs/main_key";
      "zfs/notes_key".path = "/root/zfs/notes_key";
      "zfs/plex_key".path = "/root/zfs/plex_key";
      "zfs/postgres_key".path = "/root/zfs/postgres_key";
      "zfs/qbit_key".path = "/root/zfs/qbit_key";
      "zfs/scripts_key".path = "/root/zfs/scripts_key";
      "zfs/syncthing_key".path = "/root/zfs/syncthing_key";
      "zfs/vault_key".path = "/root/zfs/vault_key";
    };
  };
  system.stateVersion = "23.11";
 }
--- a/systems/jeeves/default.nix
+++ b/systems/jeeves/default.nix
@ -1,7 +0,0 @@
 { ... }:
 {
  users = [
    "alice"
    "richie"
  ];
 }
--- a/systems/jeeves/docker/default.nix
+++ b/systems/jeeves/docker/default.nix
@ -1,11 +0,0 @@
 { lib, ... }:
 {
  imports =
    let
      files = builtins.attrNames (builtins.readDir ./.);
      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
    in
    map (file: ./. + "/${file}") nixFiles;
  virtualisation.oci-containers.backend = "docker";
 }
--- a/systems/jeeves/docker/filebrowser.nix
+++ b/systems/jeeves/docker/filebrowser.nix
@ -1,15 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers.filebrowser = {
    image = "hurlenko/filebrowser:latest";
    extraOptions = [ "--network=web" ];
    volumes = [
      "/zfs:/data"
      "${vars.media_docker_configs}/filebrowser:/config"
    ];
    autoStart = true;
    user = "1000:users";
  };
 }
--- a/systems/jeeves/docker/haproxy.cfg
+++ b/systems/jeeves/docker/haproxy.cfg
@ -1,62 +0,0 @@
 global
  log stdout format raw local0
  # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  stats timeout 30s
 defaults
  log global
  mode http
  retries 3
  maxconn 2000
  timeout connect 5s
  timeout client 50s
  timeout server 50s
  timeout http-request 10s
  timeout http-keep-alive 2s
  timeout queue 5s
  timeout tunnel 2m
  timeout client-fin 1s
  timeout server-fin 1s
 #Application Setup
 frontend ContentSwitching
  bind *:80
  bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
  mode  http
  # tmmworkshop.com
  acl host_mirror   hdr(host) -i mirror.tmmworkshop.com
  acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
  acl host_grafana  hdr(host) -i grafana.tmmworkshop.com
  acl host_filebrowser  hdr(host) -i filebrowser.tmmworkshop.com
  acl host_uptime_kuma  hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
  use_backend mirror_nodes   if host_mirror
  use_backend dndrules_nodes if host_dndrules
  use_backend grafana_nodes  if host_grafana
  use_backend filebrowser_nodes  if host_filebrowser
  use_backend uptime_kuma_nodes  if host_uptime_kuma
 backend mirror_nodes
  mode http
  server server arch_mirror:80
 backend mirror_rsync
  mode http
  server server arch_mirror:873
 backend grafana_nodes
  mode http
  server server grafana:3000
 backend dndrules_nodes
  mode http
  server server dnd_file_server:80
 backend filebrowser_nodes
  mode http
  server server filebrowser:8080
 backend uptime_kuma_nodes
  mode http
  server server uptime_kuma:3001
--- a/systems/jeeves/docker/internal.nix
+++ b/systems/jeeves/docker/internal.nix
@ -1,151 +0,0 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers = {
    qbit = {
      image = "ghcr.io/linuxserver/qbittorrent:latest";
      ports = [
        "6881:6881"
        "6881:6881/udp"
        "8082:8082"
        "29432:29432"
      ];
      volumes = [
        "${vars.media_docker_configs}/qbit:/config"
        "${vars.torrenting_qbit}:/data"
      ];
      environment = {
        PUID = "600";
        PGID = "100";
        TZ = "America/New_York";
        WEBUI_PORT = "8082";
      };
      autoStart = true;
    };
    qbitvpn = {
      image = "binhex/arch-qbittorrentvpn:latest";
      extraOptions = [ "--cap-add=NET_ADMIN" ];
      ports = [
        "6882:6881"
        "6882:6881/udp"
        "8081:8081"
        "8118:8118"
      ];
      volumes = [
        "${vars.media_docker_configs}/qbitvpn:/config"
        "${vars.torrenting_qbitvpn}:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      environment = {
        WEBUI_PORT = "8081";
        PUID = "600";
        PGID = "100";
        VPN_ENABLED = "yes";
        VPN_CLIENT = "openvpn";
        STRICT_PORT_FORWARD = "yes";
        ENABLE_PRIVOXY = "yes";
        LAN_NETWORK = "192.168.90.0/24";
        NAME_SERVERS = "1.1.1.1,1.0.0.1";
        UMASK = "000";
        DEBUG = "false";
        DELUGE_DAEMON_LOG_LEVEL = "debug";
        DELUGE_WEB_LOG_LEVEL = "debug";
      };
      environmentFiles = [ config.sops.secrets."docker/qbit_vpn".path ];
      autoStart = true;
    };
    bazarr = {
      image = "ghcr.io/linuxserver/bazarr:latest";
      ports = [ "6767:6767" ];
      environment = {
        PUID = "600";
        PGID = "100";
        TZ = "America/New_York";
      };
      volumes = [
        "${vars.media_docker_configs}/bazarr:/config"
        "${vars.storage_plex}/movies:/movies"
        "${vars.storage_plex}/tv:/tv"
      ];
      autoStart = true;
    };
    prowlarr = {
      image = "ghcr.io/linuxserver/prowlarr:latest";
      ports = [ "9696:9696" ];
      environment = {
        PUID = "600";
        PGID = "100";
        TZ = "America/New_York";
      };
      volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
      autoStart = true;
    };
    radarr = {
      image = "ghcr.io/linuxserver/radarr:latest";
      ports = [ "7878:7878" ];
      environment = {
        PUID = "600";
        PGID = "100";
        TZ = "America/New_York";
      };
      volumes = [
        "${vars.media_docker_configs}/radarr:/config"
        "${vars.storage_plex}/movies:/movies"
        "${vars.torrenting_qbitvpn}:/data"
      ];
      autoStart = true;
    };
    sonarr = {
      image = "ghcr.io/linuxserver/sonarr:latest";
      ports = [ "8989:8989" ];
      environment = {
        PUID = "600";
        PGID = "100";
        TZ = "America/New_York";
      };
      volumes = [
        "${vars.media_docker_configs}/sonarr:/config"
        "${vars.storage_plex}/tv:/tv"
        "${vars.torrenting_qbitvpn}:/data"
      ];
      autoStart = true;
    };
    overseerr = {
      image = "ghcr.io/linuxserver/overseerr";
      environment = {
        PUID = "600";
        PGID = "100";
        TZ = "America/New_York";
      };
      volumes = [ "${vars.media_docker_configs}/overseerr:/config" ];
      # TODO: remove ports later since this is going through web
      ports = [ "5055:5055" ];
      dependsOn = [
        "radarr"
        "sonarr"
      ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
    whisper = {
      image = "ghcr.io/linuxserver/faster-whisper:latest";
      ports = [ "10300:10300" ];
      environment = {
        PUID = "600";
        PGID = "100";
        TZ = "America/New_York";
        WHISPER_MODEL = "tiny-int8";
        WHISPER_LANG = "en";
        WHISPER_BEAM = "1";
      };
      volumes = [ "${vars.media_docker_configs}/whisper:/config" ];
      autoStart = true;
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets."docker/qbit_vpn".owner = "docker-service";
  };
 }
--- a/systems/jeeves/docker/postgresql.nix
+++ b/systems/jeeves/docker/postgresql.nix
@ -1,37 +0,0 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
 in
 {
  users = {
    users.postgres = {
      isSystemUser = true;
      group = "postgres";
      uid = 999;
    };
    groups.postgres = {
      gid = 999;
    };
  };
  virtualisation.oci-containers.containers = {
    postgres = {
      image = "postgres:16";
      ports = [ "5432:5432" ];
      volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
      environment = {
        POSTGRES_USER = "admin";
        POSTGRES_DB = "archive";
        POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
      };
      environmentFiles = [ config.sops.secrets."docker/postgres".path ];
      autoStart = true;
      user = "postgres:postgres";
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets."docker/postgres".owner = "postgres";
  };
 }
--- a/systems/jeeves/docker/uptime_kuma.nix
+++ b/systems/jeeves/docker/uptime_kuma.nix
@ -1,16 +0,0 @@
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers = {
    uptime_kuma = {
      image = "louislam/uptime-kuma:latest";
      volumes = [
        "${vars.media_docker_configs}/uptime_kuma:/app/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
  };
 }
--- a/systems/jeeves/docker/web.nix
+++ b/systems/jeeves/docker/web.nix
@ -1,64 +0,0 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
 in
 {
  virtualisation.oci-containers.containers = {
    grafana = {
      image = "grafana/grafana-enterprise:latest";
      volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
      user = "600:600";
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
    dnd_file_server = {
      image = "ubuntu/apache2:latest";
      volumes = [
        "${../../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
        "${vars.storage_main}/Table_Top/:/data"
      ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
    haproxy = {
      image = "haproxy:latest";
      user = "600:600";
      environment = {
        TZ = "Etc/EST";
      };
      volumes = [
        "${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
      ];
      dependsOn = [
        "arch_mirror"
        "dnd_file_server"
        "filebrowser"
        "grafana"
        "uptime_kuma"
      ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
    cloud_flare_tunnel = {
      image = "cloudflare/cloudflared:latest";
      user = "600:600";
      cmd = [
        "tunnel"
        "run"
      ];
      environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
      dependsOn = [ "haproxy" ];
      extraOptions = [ "--network=web" ];
      autoStart = true;
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/cloud_flare_tunnel".owner = "docker-service";
      "docker/haproxy_cert".owner = "docker-service";
    };
  };
 }
--- a/systems/jeeves/hardware.nix
+++ b/systems/jeeves/hardware.nix
@ -1,56 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot = {
    initrd.availableKernelModules = [
      "mpt3sas"
      "nvme"
      "xhci_pci"
      "ahci"
      "uas"
      "usb_storage"
      "usbhid"
      "sd_mod"
      "sr_mod"
    ];
    initrd.kernelModules = [ "dm-snapshot" ];
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
  fileSystems."/" = lib.mkDefault {
    device = "/dev/disk/by-uuid/0f78fa87-30be-4173-b0fa-eaa956cf83aa";
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/BB77-2647";
    fsType = "vfat";
  };
  swapDevices = [ { device = "/dev/disk/by-uuid/4c797a94-be32-43d3-89ac-7f02912c7cf5"; } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp38s0f3u2u2c2.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp97s0f0np0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp97s0f1np1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp98s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp98s0f1.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/systems/jeeves/programs.nix
+++ b/systems/jeeves/programs.nix
@ -1,4 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [ filebot ];
 }
--- a/systems/jeeves/scripts/plex_permission.sh
+++ b/systems/jeeves/scripts/plex_permission.sh
@ -1,7 +0,0 @@
 #!/bin/bash
 plex_dir="/zfs/storage/plex/"
 chown docker-service:users -R "$plex_dir"
 find "$plex_dir" -type f -exec chmod 664 {} \;
 find "$plex_dir" -type d -exec chmod 775 {} \;
--- a/systems/jeeves/secrets.yaml
+++ b/systems/jeeves/secrets.yaml
@ -1,78 +0,0 @@
 docker:
    postgres: ENC[AES256_GCM,data:IpXIrRDzyGFjDz908w1NNb0GBna/ce9lCtOkXrpUfyllsTWca6AeqaRo23bL4jfFGfHn0Zf9okLO,iv:IwO7vJJHFfm0SGcJETpWtdhr41jPddN9nuVAH/Ooa7Y=,tag:xstwPvpvkNOZucxvzq2+ag==,type:str]
    cloud_flare_tunnel: ENC[AES256_GCM,data:Qx7g0tNSfVs9VnkuYw47XJjfF+RS9B5gvpBliGL93X8K/7iiyt0NxwWyAkmmaLat5h/Yu7C71rwBIIZsKf7Ke3YS0PfEpga76ftKt3h7VKMQNT7yAcU3LY4v2h3Molnzw2fnAhxfHkogJuAsZeJW9dIjo9H2QpSh/tn9kpC+PGb/T9dcqMm4fJPqP+rIcFCfhJl9iDOKOMQ9+xVNnKZ2HQlAwPMCz29BgGCxh0cYYk9ftXPK7ZnhjwUj4bfnaKfByIPpAtk=,iv:8yz2vXanGZfOkZF/D0RP2LPqHebbOM/XBPg2eCCGs8g=,tag:67da31iZTQaMURKf9dfiJw==,type:str]
    qbit_vpn: ENC[AES256_GCM,data:SRkcWb2wTTfWlgkbDSN6j5+dXnG670qFGtG2x4fajkE8eK4U30DTxrlbzta5ZMtm0Y9bquy3DcaSMF/u9CBrLbBS8mhcJw==,iv:LpkS7O+eutPUDpY5NlYjgafK6UuFsS+18yNpB+JmzcM=,tag:0Y+vj80MAbh2U+UsyH3MEA==,type:str]
    haproxy_cert: ENC[AES256_GCM,data:6yRv0cz/vBVguAPOsENhmH2uwwgL5AkOkkDQQ+PVPEEiOTIn1WPONhnG0UqR3FsWJal8qECH/zTF1XMmdK4VHQXwMA8gGScpIrgeWuhdCbXsJ7RxZBzVESOCo8ZOcR43w3Qih+0iz3SsNmX262/D7DIzKYlLovyoJDGZa5jo0n2zCZiRfbdal8m02dplaFHMsGy6+Gn3Uijo9MnnuWvgihBh1ekRnpSzVM4/IyyvUunK0vEapVsgOq+brdW2x0BQFgL3PLGaJbAbzFhXYI1MmD+D7RzOGSzNmrj1ezea+b2Lb/p8CATh05i+lz6530U6iwun0lcREDxPrJgU0TsI/JZGSq3blHn9lZuHmnwBp05LsliBO+yoxgqnC45/xTZwiSdlyqqnXHlXPuBS7UoJFlll93aIpULfNZMyqx/FO5ckmV0nuNVMCrF7JfsE+t/XNs077kB4FKYNk4TDodKyn2scfypQFK7qprW9JKJwx0Se8FWU2fMKsuMszElMLudRHagyDVO+LJ+/ta6Qj68CRU1g8cQANh4Q6PwI0HABX3J5n3ERQUxZvVeCq9FRMJ7JE0was3QfBGGPROHksK+rP9y8g8CFRgGjwzDoxslaYO+tIiIsaDcqbTiOQDTiDh4/ioqX9EENrA8qIEtKSn6m35+4pwY0xvKToAnI7vhwQ93A1mZrwKXgoNSShA4Q+MfSEIuJd6LJihLh5IFvl595iOpGDWCJsXZnDL3K8B6oofPTtLnOOQC4sy9wGiNshdgfv6aVwpdPKvOtFwHmu1n8eZInfSZgUdwUaHHMXjrXHboBQ6ZPsrdZBt9ADSUpz+uN6+TgXq6HLWHSqtmrWS6jABQfbpHH7pLZAXuii4MsnTEr1rOEbtgZTH6Sedd57Pp5MpNXDg950vd9plCkGPiRfDUWXHnRw8frWfoTS+eOqkVwJ0+v48IskuYLZSCAF0/kumtbySDQStNowF+cAp7lk24Cp8W8PXw/LqI8U8FijVxMPtgzLwRKKd10zRI+Jrsi9E8YXSKCaFMIBLottRHwdvWA7aIYnuVTxzCmHt1jhJN349bjC/yTIuIS4gW+XlriFqip17Eq/878+Uduwf1+Fxqdpv8kDleyqix0SO/JmhQijgIUhc3Im3whXicEu6vlivzJGyjA/ljFyJvV/irRK/VrIWEoA5nLX74fmF9Ku/O94pDIPaKCsCP+N/fOPLG5ucw6lPxllZS9qg2cNsl9ajXGPu8GBB4FaZUt/Ufid6xjC5YloictI3Bp5x2glhpxzQ8zAbv5vpBA0h6xhkt4NSmxWurvBmRoRnBdYIvEaeoehj10yLpiY4DsZYLTU5IrLV/aYlb2q4K2OKRvYOBQgeDtEkIMqHYWsddfKHi+1KjQ/176DDIbUoYb4XtPJmNOcIeRM2oiaCcTzerU5TXL5qBl213buTcIPaV0sVVxoH+2RYBM28mjQoj8sHwQLLuFve0MeUZzfJ8MqMM+Guhn25aw4R0tGkiRBUL5d8l86awOpqXtFiK2QTh3S7QeZoCA80YVH5r6FdqMz34UgwEFo0nfBcH2nSnDwpcBrbwzV6/Xahck4nVaIn6znJPqlIKntfeXJuXl/9ulpwx7D4mL7hLcal9WY62KZ1PQ+NHz5WjaPbgLMdeNFFr6CKGGqSPkTOhjgQ1y4ChuYfbVn+yZRqUwhFWtKuuouAZXH55KkVlsB39H+oNYp0hqAUiVkeawHqbTgOHb+llz0uF7r0TGD23aMXeV58n0i3xsDET9mhxSyj5vUo5iqY8eEqgn4mOvsdp6rkpC4c91drgV/gFJu2jgCvVVdG/mHFVnZEv5+/rA2reqdqMTBOpLQNEbL5Ih1LKG,iv:PUp78PWvy+lmcLiR295BGiVTLnAPX+du4lcw/Pvq/KE=,tag:k/3H2+jF9no751mvO5S5WQ==,type:str]
 zfs:
    backup_key: ENC[AES256_GCM,data:sJzR/DfM6+tmmcewZT+NAJk0gj8wmU43QfFCRCj9+2GITOS8suRL7E5rHTherCZgRe79T90ikM97bYf9RbZdtQ==,iv:j8F3BG/hh7UK3kC+pB6WO0OHlSSHn0jo90AgaTdpyNY=,tag:5hraDn8YqS/q57y26AXwjw==,type:str]
    docker_key: ENC[AES256_GCM,data:HiW+3IYJCgqg9HJmPYQinhb6kWJouORABKniryY5e35tf8BQGKn1ldgj4Dw+79SYmvIUbf4ZSja0Ziz1isKTWA==,iv:6vBtbIlTHC+PUgyXYb92SnMTuWd8jCaEzZ3Vmv2QHhA=,tag:izKWtAQWRfn5tAYKyOO+ZQ==,type:str]
    main_key: ENC[AES256_GCM,data:6ZZQc7TSAuK4PrxQxegPrFMjT1SZlRGgg5VgVg1e6ZM1RO9ZDjhcmpFRd1pkbm5DEJKq1VpUxTvxXGQDrMYO9A==,iv:Yp2jTtBd8gjB8Sdfb06ZBLpVd/KCjs/pfnBRT2ll/0c=,tag:F0HSbkZ8Z45WkUY/VNwvHg==,type:str]
    notes_key: ENC[AES256_GCM,data:y3fTl3aNl8RaZwBR2thy7qfxilw+wGEj8+tTuRr+z+A6ol9N6droFNBHQcK3yWDWP8MhMKe1efWhgbZ0Raz17A==,iv:BbBjMtsb2ZDJjgbgkXP3SYl3xklI5xWmW3X9mlLlvdI=,tag:Ic3rLP30wApmOeLGFEYgVA==,type:str]
    plex_key: ENC[AES256_GCM,data:fWzTSKkVCkWmZ9ZDv1/OYYZPsQKV54Ib98Bq4A+4ibT9mk28Zp7XeczOJVj6+K4+04EQgQj8RyP2x70tuFp3Xg==,iv:pyHzIo4ws4Lyd5zVflUa7yjNVefTTpEdkjCVmXDuucE=,tag:msn0NFXuq3zKGY5vE1nR1Q==,type:str]
    postgres_key: ENC[AES256_GCM,data:mLa0A6pJXZ7BX9bYat9mQ30Dx/KWU9KHjiApuapBUbRtH+gtAJRGwLeXJPyMTOirFwuWWTdOts8dTMESWp7eOg==,iv:MFyo2LbdsYeoUyhWEv0EWKXNFhxoLjNs5M7ar6dlrjw=,tag:KpaatId8TdVzAEelD1tlzQ==,type:str]
    qbit_key: ENC[AES256_GCM,data:19XIzi4waSOLdfgKo8z6NMX9Ee4Xw1/JqbjQEvKwWh+ar2r5P3sFJMHI394ebx4vITO0lOzl/EwcUiWt7LB6uw==,iv:s+TWyb5SzeCFZAZdKs28o7s8So++eLqR1Qc9ZWjUGwY=,tag:teHdPEhWkzDWizJD/czA6w==,type:str]
    scripts_key: ENC[AES256_GCM,data:2htMEDCByUbCQ1loPEDCVNtXXqffCRHMpiobEDHI506hdEk6d/N7lmlUIqLa5YCNB6ozt0y6EEKBxnbouEHIWQ==,iv:eUYmsliDF49BNSpF+KSiT1rlPtzQpmhNC8Cy2tahMX8=,tag:8xCvm1LwDPArJ/woIO23Bg==,type:str]
    syncthing_key: ENC[AES256_GCM,data:36zfmVuCEHFED3ODeoGuAxJvySY1SxWT9ml+DFvb01KdUqIGZDZj1cKoZCH+GsgYJMsQF6t+uqZJOGeyNmzMlg==,iv:17tLW4ytRpUmmltA4UIZGhsrNAGRjvucxxt9zLM3C54=,tag:YWirDB0fYSpu1evqVaoa+Q==,type:str]
    vault_key: ENC[AES256_GCM,data:kFZa5oRVXuSp7W7311i0d8b7I0Y3P8bZbBoaaICuH1IlMLBVd6SUhL8cfFU66yj91W6uUJU/Oy7NpP3rM9mhGw==,iv:neRhOqW/b2DpUqoA5JJxLS4fSqj8ZGxRXv4pEPm7Wtc=,tag:bfAD3GAO6F2hBCZy7P7KUA==,type:str]
 server-validation:
    webhook: ENC[AES256_GCM,data:54MQzwEOf6uS6cgnPeJizRXMvGTGxLf6q1N3tGDxxpXKmSJedW+kpY2GoV91SxeeTWUyDKQcWp2fs5SwrdfDFHID9JN4wWJM0JjADggZ6u+BMEH01nnXpCJlhGq6cxDkI6gNSVgNVQW/eYNHDhnVmwwGpse4q62G1TmKlziBCv1Qahn4c3O+bOOEssio,iv:2Rcg7XSCmQeFd2oaX4GxSGXwgE3Ep1WsoPRRYo0dvH0=,tag:rPjDghxdcpME5SwoPKWv2w==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTREhIRUd1K3JCM29mVHVv
            d2Q4eFBLWnRUTGEzelZOMS9ScXNyV3ZGbHpNCjNCSEhmTDQ4VUtta0RXdXJUY0da
            Vld5WDlJS3oyWkk5KzUzam9PYXZSa1kKLS0tIHJuaktpU3hnUWEwZzc4eHNjSitI
            bVhXamJyMWMvODUvajk2aDZnQ1k1blEKoNIYxUA+k+DA+1WYq5BSa0iXuQ2Lctuy
            9W7OO2m+QGzjdLLM0uS7WWGXWP2cDDgUGcqozTqM0Oqi2/OY0Bo3Jg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-07-07T23:09:43Z"
    mac: ENC[AES256_GCM,data:36CZLl3+VSFTSTj9jDT9972XZMXjaY5jo9FZ7I7L0sOSBRH8vQ+tFww7hVHe5M2w/+YA0SRGH3r8WCbie6GeRjmY+BZu42H656K0WrpRN8ERFv+io8geACdqUsLo1VLjhDrfXaGnNOHLpmMC5dqyPXlOphiolt+ArKOBLuqtrnY=,iv:jaL/l1zwYusThKeR9C62fEGHwiv4fEvCarSiavjxQ0U=,tag:xgygx6KM/J4w55CzdLeCUg==,type:str]
    pgp:
        - created_at: "2024-03-02T20:52:17Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA84hNUGIgI/nARAAxQSkqnR75Rd1htAv7esbpmXlrZH+frTL6V4jGoAiqTeF
            TSA46E2nl7rVqPTws74OOb+O5bN3OkHSmmWzIbj6Pc8YnqY4t9N69zoCHtsbI1kn
            FQ4WwUdzofIUMKwF+E31/knyKbf/IjSKTZKcDQmn6QErOdDmsN9/z6+ixLt+rdsz
            lKwMX8axgmwgRsWI1Xhlb1qs4TZxheQQ4A4WYYNB1NhH0ZTIehI+FGe+wHh36UXf
            cY/Z7KRLdozoLsuuAIAoXx/dr3KpwuyKHfp9MdZLzO/tvS9vA1i+tKRXmiDs2uuv
            itCOTrt1H7LEpUfdBYD9ll2mdiRnVzR4DxNnGLPkxsyAglejTxR897DcYFC9xhie
            X6UfKTOIeAGXVUqphp8HB0CEFBW982246kDSKdOI/R3+X4T5fvMpLTb5XvkOlCIi
            JUwXxoq3SA06a8WCS6QH8jLnXrcCKzX1TJh0RzT7/RUvKDN6uxxccxOksMExvgBG
            nqfOcLiCXBzluCseDgmjcW0/arm1d88Kd7ayMv25CX1Py5uRRQOkqqnCdNIk5Yy5
            0R+KyOPeZPThVTE1DhJ3QyF499XMoFjerHyanwIlvkAQtet1k8EKih1KSD9N38ga
            K1HRowhoPMkszsU6+LZYL3MD0aUkfz53b7JvzIxYsfJgztwg3ki0qteEXUNyLMTS
            XgG9xHF63wa7IwBtKgQKX/CVCwpg5EuNfwbACbIQAC9QZ/F6z+Ud2UJkSs94UUF4
            aOGb2P1QFvLbP7m+7TNmvuLT5BDcS2XE0IWRDilkeiFU6ijGW8+iQ5oTzv+TmA0=
            =JbRX
            -----END PGP MESSAGE-----
          fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
        - created_at: "2024-03-02T20:52:17Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA29thaGx06tOARAAm8GMWZxxY1UBYK7p60Hlw2qCOH7KZ5cby8vm9dWz3Tnt
            +YKW2SsRniwY6KaSVvnUuRBY75BF6jahW6+h9Nvhsrsvq680UIaQtO6l6KmtnxHV
            S6vEDmvoFZVWG1xOEGYHVQ+GF9elIwuYrzST1OU3vATMstMxrm0WQJ2lOq7YpuGi
            hNoMK3nMxpmTlT49CYn2sGX3PlNA4qDOVo/fwL5m3lV5mKzJNs7q8IakbPZm6yqR
            wGjfkHq3ZlKnTUC66sBX8yvSoZ2cM6vrYhxgb1Um8z9BKLpAb7Rr9AXB5IUWxSkz
            jXyEi9aDySDxv2HkjP3fE4D5wtC1neS8YsYDBcSsqoXt5sKAs1DOvzLbIOkObH3Y
            uSxozoGJu5CVnBrOpxXdNf1RMnww85uxSAupiLQ2fsC/0AaeGB8dPYIZr/WekWAR
            RF3igqZX7KVRuomUOt9fwJoHnRr1GWCHqYTB3P7/e52JcmCggBRLcnhC/1MKgMtN
            RJh8Uuu9aXCBfR148W+s76xIdVwypPWbk8l911TdL1eRKx+d+kxAa1ugIqihvkBQ
            sGjZltEe0ogAsDpS0Cy/HRH8Yz1Qk2gTh1QZiv865aVVfWu0OTU27TlfCyMQQCkO
            LtBfOWylV6pJG3aaO2QA+4f4ab8flxdg8DrmBlhudzYY2goHIcfe+CdPygrKB/nS
            XgEx1HFw47B1YJxY7FiFgEwnI6/AJuf136u1i484nVYXAr5PtnyaXH7kqVozHouT
            sPkE1v7+EpOIbhEdXQxbSG0AXKomUwu4SJgxSitdTajAQYfHHfTVjdnUqyl8QHw=
            =wX5X
            -----END PGP MESSAGE-----
          fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/systems/jeeves/services.nix
+++ b/systems/jeeves/services.nix
@ -1,52 +0,0 @@
 {
  config,
  inputs,
  pkgs,
  ...
 }:
 {
  systemd = {
    services = {
      plex_permission = {
        description = "maintains /zfs/storage/plex permissions";
        serviceConfig = {
          Type = "oneshot";
          ExecStart = "${pkgs.bash}/bin/bash ${./scripts/plex_permission.sh}";
        };
      };
      startup_validation = {
        requires = [ "network-online.target" ];
        after = [ "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
        description = "validates startup";
        path = [ pkgs.zfs ];
        serviceConfig = {
          EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
          Type = "oneshot";
          ExecStart = "${inputs.server_tools.packages.x86_64-linux.default}/bin/validate_jeeves";
        };
      };
    };
    timers = {
      plex_permission = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "1h";
          OnCalendar = "daily 03:00";
          Unit = "plex_permission.service";
        };
      };
      startup_validation = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "10min";
          Unit = "startup_validation.service";
        };
      };
    };
  };
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets."server-validation/webhook".owner = "root";
  };
 }
--- a/systems/jeeves/snapshot_config.toml
+++ b/systems/jeeves/snapshot_config.toml
@ -1,29 +0,0 @@
 ["media/Notes"]
 15_min = 8
 hourly = 24
 daily = 30
 monthly = 12
 ["storage/plex"]
 15_min = 6
 hourly = 2
 daily = 1
 monthly = 0
 ["media/plex"]
 15_min = 6
 hourly = 2
 daily = 1
 monthly = 0
 ["media/notes"]
 15_min = 8
 hourly = 24
 daily = 30
 monthly = 12
 ["media/docker"]
 15_min = 3
 hourly = 12
 daily = 14
 monthly = 2
--- a/systems/jeeves/vars.nix
+++ b/systems/jeeves/vars.nix
@ -1,23 +0,0 @@
 let
  zfs_media = "/zfs/media";
  zfs_storage = "/zfs/storage";
  zfs_torrenting = "/zfs/torrenting";
 in
 {
  inherit zfs_media zfs_storage zfs_torrenting;
  # media
  media_database = "${zfs_media}/syncthing/database";
  media_docker = "${zfs_media}/docker";
  media_docker_configs = "${zfs_media}/docker/configs";
  media_mirror = "${zfs_media}/mirror";
  media_notes = "${zfs_media}/notes";
  media_plex = "${zfs_media}/plex/";
  media_scripts = "${zfs_media}/scripts";
  # storage
  storage_main = "${zfs_storage}/main";
  storage_plex = "${zfs_storage}/plex";
  storage_syncthing = "${zfs_storage}/syncthing";
  # torrenting
  torrenting_qbit = "${zfs_torrenting}/qbit";
  torrenting_qbitvpn = "${zfs_torrenting}/qbitvpn";
 }
--- a/systems/palatine-hill/acme.nix
+++ b/systems/palatine-hill/acme.nix
@ -0,0 +1,43 @@
 {
  config,
  lib,
  pkgs,
  outputs,
  ...
 }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "aliceghuston@gmail.com";
    certs."nayeonie.com" = {
      dnsProvider = "dnsimple";
      environmentFile = config.sops.secrets."acme/dnsimple".path;
      dnsPropagationCheck = false;
      group = "haproxy";
      extraDomainNames = [
        "*.nayeonie.com"
        # "alicehuston.xyz"
        # "*.alicehuston.xyz"
      ];
    };
  };
  systemd.services."acme-nayeonie.com.service".path = lib.mkForce (
    with pkgs;
    [
      coreutils
      diffutils
      openssl
    ]
    ++ [
      outputs.packages.x86_64-linux.lego-latest
    ]
  );
  sops.secrets = {
    "acme/dnsimple" = {
      owner = "root";
    };
  };
 }
--- a/systems/palatine-hill/attic/default.nix
+++ b/systems/palatine-hill/attic/default.nix
@ -8,34 +8,18 @@
 {
  environment.systemPackages = with pkgs; [
    attic-client
    attic
  ];
  services = {
    postgresql = {
      enable = true;
      ensureDatabases = [ "atticd" ];
      ensureUsers = [
        {
          name = "atticd";
          ensureDBOwnership = true;
        }
      ];
      upgrade = {
        enable = true;
        stopServices = [ "atticd" ];
      };
    };
    atticd = {
      enable = true;
-      credentialsFile = config.sops.secrets."attic/secret-key".path;
+      environmentFile = config.sops.secrets."attic/secret-key".path;
      settings = {
        listen = "[::]:8183";
-        allowed-hosts = [ "attic.alicehuston.xyz" ];
+        allowed-hosts = [ "attic.nayeonie.com" ];
-        api-endpoint = "https://attic.alicehuston.xyz";
+        api-endpoint = "https://attic.nayeonie.com/";
        compression.type = "none"; # let ZFS do the compressing
        database = {
          url = "postgres://atticd?host=/run/postgresql";
@ -48,7 +32,7 @@
          type = "s3";
          region = "us-east-1";
          bucket = "cache-nix-dot";
-          endpoint = "https://minio.alicehuston.xyz";
+          endpoint = "https://minio.nayeonie.com";
        };
        # Warning: If you change any of the values here, it will be
@ -78,61 +62,60 @@
  # borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix
  # configured default webstore for this on root user separately
-  systemd = {
+  # systemd = {
-    services = {
+  #   services = {
-      attic-watch-store = {
+  #     attic-watch-store = {
-        wantedBy = [ "multi-user.target" ];
+  #       wantedBy = [ "multi-user.target" ];
-        after = [
+  #       after = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        requires = [
+  #       requires = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        description = "Upload all store content to binary cache";
+  #       description = "Upload all store content to binary cache";
-        serviceConfig = {
+  #       serviceConfig = {
-          User = "root";
+  #         User = "root";
-          Restart = "always";
+  #         Restart = "always";
-          ExecStart = "${pkgs.attic}/bin/attic watch-store cache-nix-dot";
+  #         ExecStart = "${pkgs.attic-client}/bin/attic watch-store cache-nix-dot";
-        };
+  #       };
-      };
+  #     };
-      attic-sync-hydra = {
+  #     attic-sync-hydra = {
-        after = [
+  #       after = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        requires = [
+  #       requires = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        description = "Force resync of hydra derivations with attic";
+  #       description = "Force resync of hydra derivations with attic";
-        serviceConfig = {
+  #       serviceConfig = {
-          Type = "oneshot";
+  #         Type = "oneshot";
-          User = "root";
+  #         User = "root";
-          ExecStart = "${config.nix.package}/bin/nix ${./attic/sync-attic.bash}";
+  #         ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
-    timers = {
+  #   timers = {
-      attic-sync-hydra = {
+  #     attic-sync-hydra = {
-        wantedBy = [ "timers.target" ];
+  #       wantedBy = [ "timers.target" ];
-        timerConfig = {
+  #       timerConfig = {
-          OnBootSec = 600;
+  #         OnBootSec = 600;
-          OnUnitActiveSec = 86400;
+  #         OnUnitActiveSec = 86400;
-          Unit = "attic-sync-hydra.service";
+  #         Unit = "attic-sync-hydra.service";
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
-  };
+  # };
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      "attic/secret-key".owner = "root";
      "attic/database-url".owner = "root";
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@ -6,13 +6,19 @@
 }:
 {
  imports = [
-    ./attic.nix
+    ./acme.nix
-    ./docker.nix
+    ./attic
    ./docker
    ./gitea.nix
    ./firewall.nix
    ./haproxy
    ./hardware-changes.nix
    ./hydra.nix
    ./minio.nix
    ./networking.nix
    ./nextcloud.nix
-    ./services.nix
+    ./samba.nix
    ./postgresql.nix
    ./zfs.nix
  ];
@ -52,10 +58,14 @@
  };
  environment.systemPackages = with pkgs; [
    chromedriver
    chromium
    docker-compose
    intel-gpu-tools
    jellyfin-ffmpeg
    jq
    yt-dlp
    yq
  ];
  services = {
@ -63,32 +73,8 @@
    nfs.server.enable = true;
    openssh.ports = [ 666 ];
    smartd.enable = true;
    calibre-server.enable = false;
    postgresql = {
      enable = true;
      enableJIT = true;
      identMap = ''
        # ArbitraryMapName systemUser DBUser
           superuser_map      root      postgres
           superuser_map      alice  postgres
           # Let other names login as themselves
           superuser_map      /^(.*)$   \1
      '';
      # initialScript = config.sops.secrets."postgres/init".path;
      upgrade = {
        enable = true;
        stopServices = [
          "hydra-evaluator"
          "hydra-init"
          "hydra-notify"
          "hydra-queue-runner"
          "hydra-send-stats"
          "hydra-server"
        ];
      };
    };
  };
  nix.gc.options = "--delete-older-than 150d";
--- a/systems/palatine-hill/default.nix
+++ b/systems/palatine-hill/default.nix
@ -1,8 +1,7 @@
 { inputs, ... }:
 {
-  users = [
+  users = [ "alice" ];
-    "alice"
+  modules = [
-    "richie"
+    # inputs.attic.nixosModules.atticd
  ];
  modules = [ inputs.attic.nixosModules.atticd ];
 }
--- a/systems/palatine-hill/docker.nix
+++ b/systems/palatine-hill/docker.nix
@ -1,5 +0,0 @@
 { ... }:
 {
  virtualisation.docker.daemon.settings.data-root = "/var/lib/docker2";
 }
--- a/systems/palatine-hill/docker/act-runner.nix
+++ b/systems/palatine-hill/docker/act-runner.nix
@ -0,0 +1,111 @@
 {
  config,
  ...
 }:
 let
  vars = import ../vars.nix;
  act_path = vars.primary_act;
 in
 {
  virtualisation.oci-containers.containers = {
    act-stable-latest-1 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      ports = [ "8088:8088" ];
      volumes = [
        "${act_path}/stable-latest-1/config.yaml:/config.yaml"
        "${act_path}/stable-latest-1/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-1";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
    act-stable-latest-2 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      # ports = [ "8088:8088" ];
      volumes = [
        "${act_path}/stable-latest-2/config.yaml:/config.yaml"
        "${act_path}/stable-latest-2/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-2";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
    act-stable-latest-3 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      # ports = [ "8088:8088" ];
      volumes = [
        "${act_path}/stable-latest-3/config.yaml:/config.yaml"
        "${act_path}/stable-latest-3/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-3";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
  };
  systemd = {
    timers."custom-watchtower@act-runner" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "20m";
        OnUnitActiveSec = "5m";
        Unit = "custom-watchtower@act-runner.service";
      };
    };
    services."custom-watchtower@act-runner" = {
      bindsTo = [ "docker.service" ];
      after = [ "docker.service" ];
      description = "a watchtower-esque script for systemd-based oci-containers";
      serviceConfig = {
        Type = "oneshot";
        User = "root";
        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'act-runner'";
      };
    };
  };
  sops.secrets = {
    "docker/act-runner" = {
      owner = "root";
      restartUnits = [
        "docker-act-stable-latest-1.service"
      ];
    };
  };
 }
--- a/systems/palatine-hill/docker/archiveteam.nix
+++ b/systems/palatine-hill/docker/archiveteam.nix
@ -0,0 +1,152 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  containers = {
    archiveteam-imgur = {
      image = "imgur-grab";
      scale = 1;
    };
    archiveteam-telegram = {
      image = "telegram-grab";
      scale = 3;
    };
    archiveteam-reddit = {
      image = "reddit-grab";
      scale = 0;
    };
    archiveteam-dpreview = {
      image = "dpreview-grab";
      scale = 0;
    };
    archiveteam-issuu = {
      image = "issuu-grab";
      scale = 0;
    };
    archiveteam-urls = {
      image = "urls-grab";
      scale = 2;
    };
    archiveteam-urlteam = {
      image = "terroroftinytown-client-grab";
      scale = 2;
    };
    archiveteam-mediafire = {
      image = "mediafire-grab";
      scale = 1;
    };
    archiveteam-github = {
      image = "github-grab";
      scale = 1;
    };
    archiveteam-lineblog = {
      image = "lineblog-grab";
      scale = 0;
    };
    archiveteam-banciyuan = {
      image = "banciyuan-grab";
      scale = 0;
    };
    archiveteam-wysp = {
      image = "wysp-grab";
      scale = 0;
    };
    archiveteam-xuite = {
      image = "xuite-grab";
      scale = 0;
    };
    archiveteam-gfycat = {
      image = "gfycat-grab";
      scale = 0;
    };
    archiveteam-skyblog = {
      image = "skyblog-grab";
      scale = 0;
    };
    archiveteam-zowa = {
      image = "zowa-grab";
      scale = 0;
    };
    archiveteam-blogger = {
      image = "blogger-grab";
      scale = 1;
    };
    archiveteam-vbox7 = {
      image = "vbox7-grab";
      scale = 0;
    };
    archiveteam-pastebin = {
      image = "pastebin-grab";
      scale = 1;
    };
    archiveteam-youtube = {
      image = "youtube-grab";
      scale = 0;
    };
    archiveteam-deviantart = {
      image = "deviantart-grab";
      scale = 0;
    };
    archiveteam-postnews = {
      image = "postnews-grab";
      scale = 0;
    };
    archiveteam-askfm = {
      image = "askfm-grab";
      scale = 1;
    };
    archiveteam-mangz = {
      image = "mangaz-grab";
      scale = 1;
    };
    archiveteam-cohost = {
      image = "cohost-grab";
      scale = 1;
    };
  };
  container-spec = container-name: container: {
    image = "atdr.meo.ws/archiveteam/${container}:latest";
    extraOptions = [
      "--stop-signal=SIGINT"
    ];
    labels = {
      "com.centurylinklabs.watchtower.enable" = "true";
      "com.centurylinklabs.watchtower.scope" = "archiveteam";
    };
    volumes = [ "${at_path}/${container-name}:/grab/data" ];
    log-driver = "local";
    cmd = lib.splitString " " "--concurrent 6 AmAnd0";
  };
  inherit (lib.rad-dev.container-utils) createTemplatedContainers;
  vars = import ../vars.nix;
  at_path = vars.primary_archiveteam;
 in
 {
  virtualisation.oci-containers.containers = createTemplatedContainers containers container-spec;
  systemd = {
    timers."custom-watchtower@archiveteam" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "20m";
        OnUnitActiveSec = "5m";
        Unit = "custom-watchtower@archiveteam.service";
      };
    };
    services."custom-watchtower@archiveteam" = {
      bindsTo = [ "docker.service" ];
      after = [ "docker.service" ];
      description = "a watchtower-esque script for systemd-based oci-containers";
      serviceConfig = {
        Type = "oneshot";
        User = "root";
        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'archiveteam'";
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/books.nix
+++ b/systems/palatine-hill/docker/books.nix
@ -0,0 +1,32 @@
 { ... }:
 let
  vars = import ../vars.nix;
  docker_path = vars.primary_docker;
  calibre_path = vars.primary_calibre;
 in
 {
  virtualisation.oci-containers.containers = {
    automated-ffdl-alice = {
      image = "mrtyton/automated-ffdl:latest";
      user = "600:100";
      extraOptions = [ "--restart=unless-stopped" ];
      environment = {
        PUID = "600";
        PGID = "100";
      };
      volumes = [
        "${docker_path}/auto-fic/config:/config"
        "${calibre_path}/ffdl-alice:/var/lib/calibre-server"
      ];
    };
  };
  services.autopull = {
    enable = true;
    repo.FanFicFare-alice = {
      enable = true;
      path = /ZFS/ZFS-primary/calibre/ffdl-alice/config/FanFicFare;
    };
  };
 }
--- a/systems/palatine-hill/docker/default.nix
+++ b/systems/palatine-hill/docker/default.nix
@ -0,0 +1,28 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./act-runner.nix
    # temp disable archiveteam for tiktok archiving
    #./archiveteam.nix
    # ./books.nix
    #./firefly.nix
    #./foundry.nix
    ./glances.nix
    # ./haproxy.nix
    ./minecraft.nix
    ./nextcloud.nix
    # ./postgres.nix
    # ./restic.nix
    ./torr.nix
    # ./unifi.nix
  ];
  virtualisation.oci-containers.backend = "docker";
  virtualisation.docker.daemon.settings.data-root = "/var/lib/docker2";
 }
--- a/systems/palatine-hill/docker/firefly.nix
+++ b/systems/palatine-hill/docker/firefly.nix
@ -0,0 +1,25 @@
 { ... }:
 let
  vars = import ../vars.nix;
  ffiii_path = "${vars.primary_docker}/firefly-iii";
 in
 {
  virtualisation.oci-containers.containers = {
    firefly = {
      image = "fireflyiii/core:latest";
      extraOptions = [
        "--network=firefly-iii_default"
        "--network=postgres-net"
      ];
      environmentFiles = [ "${ffiii_path}/.env" ];
      ports = [ "4188:8080" ];
      volumes = [ "${ffiii_path}/app/upload:/var/www/html/storage/upload" ];
    };
    fidi = {
      image = "fireflyiii/data-importer:latest";
      environmentFiles = [ "${ffiii_path}/.fidi.env" ];
      ports = [ "4187:8080" ];
      dependsOn = [ "firefly" ];
    };
  };
 }
--- a/systems/palatine-hill/docker/foundry.nix
+++ b/systems/palatine-hill/docker/foundry.nix
@ -0,0 +1,28 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  fvtt_path = "${vars.primary_games}/foundryvtt";
 in
 {
  virtualisation.oci-containers.containers = {
    foundryvtt = {
      image = "felddy/foundryvtt:11";
      hostname = "foundryvtt";
      environment = {
        #CONTAINER_PRESERVE_CONFIG= "true";
        TIMEZONE = "America/New_York";
        FOUNDRY_MINIFY_STATIC_FILES = "true";
      };
      environmentFiles = [ config.sops.secrets."docker/foundry".path ];
      volumes = [ "${fvtt_path}:/data" ];
      extraOptions = [
        "--network=haproxy-net"
      ];
    };
  };
  sops.secrets."docker/foundry" = {
    owner = "docker-service";
    restartUnits = [ "docker-foundryvtt.service" ];
  };
 }
--- a/systems/palatine-hill/docker/glances.nix
+++ b/systems/palatine-hill/docker/glances.nix
@ -0,0 +1,24 @@
 { ... }:
 let
  vars = import ../vars.nix;
  glances_path = "${vars.primary_docker}/glances";
 in
 {
  virtualisation.oci-containers.containers = {
    glances = {
      image = "nicolargo/glances:latest-full";
      extraOptions = [
        "--pid=host"
        "--network=haproxy-net"
      ];
      volumes = [
        "/var/run/docker.sock:/var/run/docker.sock"
        "${glances_path}/glances.conf:/glances/conf/glances.conf"
      ];
      environment = {
        GLANCES_OPT = "-C /glances/conf/glances.conf -w";
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/haproxy.cfg
+++ b/systems/palatine-hill/docker/haproxy.cfg
@ -0,0 +1,207 @@
 global
 #  stats socket /var/run/api.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
 # log stdout format raw local0 info
  log stdout format raw local0
  crt-base /etc/ssl/certs/
  maxconn 120000
 defaults
  log global
  mode http
  timeout client 2000m
  timeout connect 200s
  timeout server 2000m
  timeout http-request 2000m
 frontend stats # you can call this whatever you want
  mode http
  bind *:9000       # default port, but you can pick any port
  stats enable      # turns on stats module
  stats refresh 10s # set auto-refresh rate
 #Application Setup
 frontend ContentSwitching
  bind *:80
 # bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
  bind *:443 ssl crt /etc/ssl/certs/origin_ca_ecc_root_new.pem crt /var/lib/acme/nayeonie.com/full.pem strict-sni
  mode  http
  option httplog
  # max-age is mandatory 
  # 16000000 seconds is a bit more than 6 months
  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
  # Front-end acess control list
  http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
  # Front-end acess control list
  acl host_www hdr(host) -i www.alicehuston.xyz
  acl host_www hdr(host) -i alicehuston.xyz
 #  acl host_ldapui hdr(host) -i authui.alicehuston.xyz
  acl host_glances hdr(host) -i monit.alicehuston.xyz
  acl host_glances hdr(host) -i glances.alicehuston.xyz
  # acl host_foundry hdr(host) -i dnd.alicehuston.xyz
 #  acl host_netdata hdr(host) -i netdata.alicehuston.xyz
  #acl host_terraria hdr(host) -i terraria.alicehuston.xyz
  acl host_nextcloud hdr(host) -i nextcloud.alicehuston.xyz
  acl host_nextcloud hdr(host) -i nayeonie.com
  acl host_hydra hdr(host) -i hydra.alicehuston.xyz
  acl host_attic hdr(host) -i attic.alicehuston.xyz
  acl host_minio hdr(host) -i minio.alicehuston.xyz
  acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
  acl host_attic hdr(host) -i attic.nayeonie.com
  acl host_minio hdr(host) -i minio.nayeonie.com
  acl host_minio_console hdr(host) -i minio-console.nayeonie.com
  #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
 #  acl host_collabora hdr(host) -i collabora.alicehuston.xyz
  acl host_prometheus hdr(host) -i prom.alicehuston.xyz
  acl host_gitea hdr(host) -i git.alicehuston.xyz
  acl host_gitea hdr(host) -i nayeonie.com
  # Backend-forwarding
  use_backend www_nodes if host_www
 #  use_backend ldapui_nodes if host_ldapui
  use_backend glances_nodes if host_glances
  use_backend foundry_nodes if host_foundry
 #  use_backend netdata_nodes if host_netdata
 # use_backend terraria_nodes if host_terraria
  use_backend nextcloud_nodes if host_nextcloud
  use_backend hydra_nodes if host_hydra
  use_backend attic_nodes if host_attic
  #use_backend nextcloud_vol_nodes if host_nextcloud_vol
 #  use_backend collabora_nodes if host_collabora
  use_backend prometheus_nodes if host_prometheus
  use_backend minio_nodes if host_minio
  use_backend minio_console_nodes if host_minio_console
  use_backend gitea_nodes if host_gitea
 #frontend ldap
 #  bind *:389
 #  bind *:636 ssl crt /etc/ssl/certs/cloudflare.pem
 #  mode tcp
 #  option tcplog
 #  acl host_ldap hdr(host) -i auth.alicehuston.xyz
 #  use_backend ldap_nodes if host_ldap
 backend nextcloud_nodes
  mode http
  server server nextcloud:80
  acl url_discovery path /.well-known/caldav /.well-known/carddav
  http-request redirect location /remote.php/dav/ code 301 if url_discovery
  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
 #backend nextcloud_nodes
 #  mode http
 #  server nxserver nextcloud:80
 #  acl url_discovery path /.well-known/caldav /.well-known/carddav
 #  http-request redirect location /remote.php/dav/ code 301 if url_discovery
 #  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
 #backend nextcloud_vol_nodes
 #  mode http
 #  server server nextcloud-vol:80
 #  acl url_discovery path /.well-known/caldav /.well-known/carddav
 #  http-request redirect location /remote.php/dav/ code 301 if url_discovery
 #  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
 #  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
 #  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
 #  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
 #  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
 #  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
 #  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
 #backend terraria_nodes
 #  mode http
 #  server server terraria:6526
 #backend collabora_nodes
 #  mode http
 #  server server collabora:9980
 backend www_nodes
  mode http
  server server grafana:3000
 backend minio_nodes
  mode http
  server server 192.168.76.2:8500
 #  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
 #  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
 #  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
 #  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
 #  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
 #  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
 #  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
 backend minio_console_nodes
  mode http
  server server 192.168.76.2:8501
 # backend foundry_nodes
 #   timeout tunnel 50s
 #   mode http
 #   server server foundryvtt:30000
 #backend ldap_nodes
 #  mode tcp
 #  balance roundrobin
 #  option ldap-check
 #  server ldap1 192.168.76.2:1636 ssl ca-file /etc/ssl/certs/origin_ca_rsa_root.pem
 #
 #backend ldapui_nodes
 #  mode http
 #  server server 192.168.76.2:18081
 backend glances_nodes
  mode http
  server server glances:61208
 backend hydra_nodes
  mode http
  server server 192.168.76.2:3000
 backend attic_nodes
  mode http
  server server 192.168.76.2:8183
 backend prometheus_nodes
  mode http
  server server 192.168.76.2:9001
 backend gitea_nodes
  mode http
  server server 192.168.76.2:6443
 #backend netdata_nodes
 #  mode http
 #  server server 192.168.76.2:19999
 # backend dnd_nodes
 #   mode http
 #   server server foundry:30000
 #   acl host_www hdr(host) -i www.tmmworkshop.com
 frontend giteassh
  mode tcp
  bind :2222
  default_backend giteassh_nodes
 backend giteassh_nodes
   mode tcp
   server s1 192.168.76.2:2223
 frontend minecraft
  mode tcp
  bind :25565
  default_backend router_nodes
 backend router_nodes
   mode tcp
   server s1 mc-router:25565
--- a/systems/palatine-hill/docker/haproxy.nix
+++ b/systems/palatine-hill/docker/haproxy.nix
@ -0,0 +1,33 @@
 { ... }:
 {
  virtualisation.oci-containers.containers = {
    haproxy = {
      image = "haproxy:latest";
      extraOptions = [
        "--restart=always"
        "--network=haproxy-net"
      ];
      volumes = [
        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg:ro"
        "/ZFS/ZFS-primary/docker/haproxy/certs:/etc/ssl/certs:ro"
      ];
      ports = [
        "80:80"
        "443:443"
        "25565:25565"
      ];
      environment = {
        PUID = "600";
        PGID = "600";
      };
      dependsOn = [
        "nextcloud"
        "grafana"
        "foundryvtt"
        "glances"
        "mc-router"
      ];
    };
  };
 }
--- a/systems/palatine-hill/docker/minecraft.nix
+++ b/systems/palatine-hill/docker/minecraft.nix
@ -0,0 +1,96 @@
 { config, lib, ... }:
 let
  servers = {
    atm6 = "atm6.alicehuston.xyz";
    stoneblock3 = "sb3.alicehuston.xyz";
    RAD2 = "rad.alicehuston.xyz";
    skyfactory = "sf.alicehuston.xyz";
    divinejourney = "dj.alicehuston.xyz";
    rlcraft = "rlcraft.alicehuston.xyz";
    arcanum-institute = "arcanum.alicehuston.xyz";
    bcg-plus = "bcg.alicehuston.xyz";
  };
  defaultServer = "rlcraft";
  defaultEnv = {
    EULA = "true";
    TYPE = "AUTO_CURSEFORGE";
    STOP_SERVER_ANNOUNCE_DELAY = "120";
    STOP_DURATION = "600";
    SYNC_CHUNK_WRITES = "false";
    USE_AIKAR_FLAGS = "true";
    MEMORY = "8GB";
    ALLOW_FLIGHT = "true";
    MAX_TICK_TIME = "-1";
  };
  defaultOptions = [
    "--stop-signal=SIGTERM"
    "--stop-timeout=1800"
    "--network=minecraft-net"
  ];
  vars = import ../vars.nix;
  minecraft_path = "${vars.primary_games}/minecraft";
 in
 {
  virtualisation.oci-containers.containers = {
    mc-router = {
      image = "itzg/mc-router:latest";
      extraOptions = [
        "--network=haproxy-net"
        "--network=minecraft-net"
      ];
      cmd = [
        (
          "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
          + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
        )
      ];
    };
    # rlcraft = {
    #   image = "itzg/minecraft-server:java8";
    #   volumes = [
    #     "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
    #     "${minecraft_path}/rlcraft/data:/data"
    #   ];
    #   hostname = "rlcraft";
    #   environment = defaultEnv // {
    #     VERSION = "1.12.2";
    #     CF_SLUG = "rlcraft";
    #     DIFFICULTY = "hard";
    #     ENABLE_COMMAND_BLOCK = "true";
    #   };
    #   extraOptions = defaultOptions;
    #   log-driver = "local";
    #   environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
    # };
    bcg-plus = {
      image = "itzg/minecraft-server:java17";
      volumes = [
        "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
        "${minecraft_path}/bcg-plus/data:/data"
      ];
      hostname = "bcg-plus";
      environment = defaultEnv // {
        VERSION = "1.17";
        CF_SLUG = "bcg";
        DIFFICULTY = "normal";
        DEBUG = "true";
        # ENABLE_COMMAND_BLOCK = "true";
      };
      extraOptions = defaultOptions;
      log-driver = "local";
      environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/minecraft".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix
+++ b/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix
@ -1,7 +0,0 @@
 {
  imageName = "nextcloud";
  imageDigest = "sha256:fe7f941cc514fe01e343a515c7b33e6b12707c718157f6e25a67119e9918a061";
  sha256 = "07w9rvmr2qy037ljdmk6w1n2dmwwa31ig7gzfb084wiv18hjfrg4";
  finalImageName = "nextcloud";
  finalImageTag = "apache";
 }
--- a/systems/palatine-hill/docker/nextcloud.nix
+++ b/systems/palatine-hill/docker/nextcloud.nix
@ -0,0 +1,107 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  nextcloud_path = vars.primary_nextcloud;
  redis_path = vars.primary_redis;
  # nextcloud-image = import ./nextcloud-image { inherit pkgs; };
  nextcloud-base = {
    # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
    image = "nextcloud-nextcloud";
    hostname = "nextcloud";
    volumes = [
      "${nextcloud_path}/nc_data:/var/www/html:z"
      "${nextcloud_path}/nc_php:/usr/local/etc/php"
      "${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting"
      #"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
    ];
    extraOptions = [
      "--network=haproxy-net"
      "--network=postgres-net"
      "--network=nextcloud_default"
    ];
    dependsOn = [ "redis" ];
    environmentFiles = [ config.sops.secrets."docker/nextcloud".path ];
  };
 in
 {
  virtualisation.oci-containers.containers = {
    nextcloud = nextcloud-base // {
      ports = [ "9999:80" ];
    };
    redis = {
      image = "redis:latest";
      user = "600:600";
      volumes = [
        "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
        "${redis_path}:/data"
      ];
      extraOptions = [
        "--network=nextcloud_default"
      ];
      cmd = [
        "redis-server"
        "/usr/local/etc/redis/redis.conf"
      ];
    };
    go-vod = {
      image = "radialapps/go-vod:latest";
      dependsOn = [ "nextcloud" ];
      environment = {
        NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
      };
      volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ];
      extraOptions = [
        "--device=/dev/dri:/dev/dri"
      ];
    };
    collabora-code = {
      image = "collabora/code:latest";
      dependsOn = [ "nextcloud" ];
      environment = {
        aliasgroup1 = "https://collabora.nayenoie.com:443";
        aliasgroup2 = "https://nextcloud.alicehuston.xyz:443";
        aliasgroup3 = "https://.*:443";
        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
      };
      environmentFiles = [
        config.sops.secrets."docker/collabora".path
      ];
      extraOptions = [
        "--network=haproxy-net"
        "--privileged"
      ];
      ports = [ "9980:9980" ];
    };
  };
  users.users.www-data = {
    uid = 33;
    isSystemUser = true;
    group = "www-data";
  };
  users.groups.www-data = {
    gid = 33;
    members = [ "www-data" ];
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/redis" = {
        owner = "docker-service";
        restartUnits = [ "docker-redis.service" ];
      };
      "docker/nextcloud" = {
        owner = "www-data";
        restartUnits = [ "docker-nextcloud.service" ];
      };
      "docker/collabora" = {
        owner = "www-data";
        restartUnits = [ "docker-collabora.service" ];
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/postgres.nix
+++ b/systems/palatine-hill/docker/postgres.nix
@ -0,0 +1,67 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  psql_path = "${vars.primary_db}/postgresql";
 in
 {
  virtualisation.oci-containers.containers = {
    postgres = {
      image = "postgres:16";
      user = "600:600";
      volumes = [
        "${psql_path}/primary_new:/var/lib/postgresql/data"
        "${psql_path}/pg_archives:/opt/pg_archives"
      ];
      log-driver = "local";
      extraOptions = [
        "--network=postgres-net"
        "--health-cmd='pg_isready -U firefly'"
        "--health-interval=1s"
        "--health-timeout=5s"
        "--health-retries=15"
        "--shm-size=1gb"
        "--restart=always"
      ];
      environmentFiles = [ config.sops.secrets."docker/pg".path ];
    };
    postgres-secondary = {
      image = "postgres:16";
      user = "600:600";
      volumes = [
        "${psql_path}/secondary_new:/var/lib/postgresql/data"
        "${psql_path}/pg_archives:/opt/pg_archives"
      ];
      log-driver = "local";
      extraOptions = [
        "--network=postgres-net"
        "--health-cmd='pg_isready -U firefly'"
        "--health-interval=1s"
        "--health-timeout=5s"
        "--health-retries=15"
        "--shm-size=1gb"
        "--restart=always"
      ];
      environmentFiles = [ config.sops.secrets."docker/pg".path ];
    };
    postgres-adminer = {
      image = "adminer/latest";
      user = "600:600";
      ports = [ "4191:8080" ];
      dependsOn = [ "postgres" ];
      extraOptions = [
        "--restart=always"
        "--network=postgres-net"
      ];
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/pg".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/docker/restic.nix
+++ b/systems/palatine-hill/docker/restic.nix
@ -0,0 +1,38 @@
 { ... }:
 let
  vars = import ../vars.nix;
  restic_path = "${vars.primary_backups}/restic";
 in
 {
  virtualisation.oci-containers.containers = {
    restic = {
      image = "restic/rest-server:latest";
      volumes = [ "${restic_path}:/data" ];
      environment = {
        OPTIONS = "--prometheus --htpasswd-file /data/.htpasswd";
      };
      ports = [ "8010:8000" ];
      extraOptions = [
        "--restart=always"
        "--network=restic_restic"
      ];
    };
    grafana = {
      image = "grafana/grafana:latest";
      extraOptions = [
        "--restart=always"
        "--network=haproxy-net"
      ];
      volumes = [
        "grafanadata:/var/lib/grafana"
        "${restic_path}/dashboards:/dashboards"
        "${restic_path}/grafana.ini:/etc/grafana/grafana.ini"
      ];
      environment = {
        GF_USERS_DEFAULT_THEME = "dark";
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/torr.nix
+++ b/systems/palatine-hill/docker/torr.nix
@ -0,0 +1,103 @@
 { pkgs, ... }:
 let
  delugeBase = {
    environment = {
      PUID = "600";
      PGID = "100";
      TZ = "America/New_York";
      UMASK = "000";
      DEBUG = "true";
      DELUGE_DAEMON_LOG_LEVEL = "debug";
      DELUGE_WEB_LOG_LEVEL = "debug";
    };
  };
  vars = import ../vars.nix;
  #docker_path = vars.primary_docker;
  torr_path = vars.primary_torr;
  deluge_path = "${torr_path}/deluge";
  delugevpn_path = "${torr_path}/delugevpn";
  genSopsConf = file: {
    "${file}" = {
      format = "binary";
      sopsFile = ./wg/${file};
      path = "${delugevpn_path}/config/wireguard/configs/${file}";
      owner = "docker-service";
      group = "users";
      restartUnits = [ "docker-delugeVPN.service" ];
    };
  };
 in
 {
  virtualisation.oci-containers.containers = {
    deluge = delugeBase // {
      image = "binhex/arch-deluge";
      volumes = [
        "${deluge_path}/config:/config"
        "${deluge_path}/data/:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      ports = [
        "8084:8112"
        "29433:29433"
      ];
    };
    delugeVPN = delugeBase // {
      image = "binhex/arch-delugevpn";
      extraOptions = [
        "--privileged=true"
        "--sysctl"
        "net.ipv4.conf.all.src_valid_mark=1"
      ];
      environment = delugeBase.environment // {
        VPN_ENABLED = "yes";
        VPN_CLIENT = "wireguard";
        VPN_PROV = "custom";
        ENABLE_PRIVOXY = "yes";
        LAN_NETWORK = "192.168.0.0/16";
        NAME_SERVERS = "194.242.2.9";
        # note, delete /config/perms.txt to force a bulk permissions update
      };
      volumes = [
        "${delugevpn_path}/config:/config"
        "${delugevpn_path}/data:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      ports = [
        "8085:8112"
        "8119:8118"
        "39275:39275"
        "39275:39275/udp"
      ];
    };
  };
  systemd.services.docker-delugeVPN = {
    serviceConfig = {
      ExecStartPre = [
        (
          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
          + "-type l -not -name wg0.conf "
          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
        )
      ];
      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
    };
  };
  sops.secrets =
    (genSopsConf "se-mma-wg-001.conf")
    // (genSopsConf "se-mma-wg-002.conf")
    // (genSopsConf "se-mma-wg-003.conf")
    // (genSopsConf "se-mma-wg-004.conf")
    // (genSopsConf "se-mma-wg-005.conf")
    // (genSopsConf "se-mma-wg-101.conf")
    // (genSopsConf "se-mma-wg-102.conf")
    // (genSopsConf "se-mma-wg-103.conf");
 }
--- a/systems/palatine-hill/docker/unifi.nix
+++ b/systems/palatine-hill/docker/unifi.nix
@ -0,0 +1,61 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  unifi_path = "${vars.primary_docker}/unifi-2.0";
  mongo_path = "${vars.primary_db}/mongo";
 in
 {
  virtualisation.oci-containers.containers = {
    unifi-controller = {
      image = "lscr.io/linuxserver/unifi-network-application:latest";
      volumes = [ "${unifi_path}/config:/config" ];
      log-driver = "local";
      dependsOn = [ "mongodb" ];
      extraOptions = [ "--restart=unless-stopped" ];
      ports = [
        "8443:8443"
        "3478:3478/udp"
        "10001:10001/udp"
        "8080:8080"
        "1900:1900/udp" # optional
        "8843:8843" # optional
        "8880:8880" # optional
        "6789:6789" # optional
        "5514:5514/udp" # optional
      ];
      environment = {
        PUID = "1000";
        PGID = "100";
        TZ = "America/New_York";
        MEM_LIMIT = "1024"; # optional
        MEM_STARTUP = "1024"; # optional
        MONGO_USER = "unifi";
        MONGO_HOST = "mongodb";
        MONGO_PORT = "27017";
        MONGO_DBNAME = "unifi";
      };
      environmentFiles = [ config.sops.secrets."docker/unifi".path ];
    };
    mongodb = {
      image = "docker.io/mongo:7.0";
      environment = {
        PUID = "1000";
        PGID = "100";
        TZ = "America/New_York";
      };
      extraOptions = [ "--restart=unless-stopped" ];
      volumes = [
        "${mongo_path}/unifi:/data/db"
        "${unifi_path}/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro"
      ];
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/unifi".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/docker/watchtower.bash
+++ b/systems/palatine-hill/docker/watchtower.bash
@ -0,0 +1,26 @@
 #! /usr/bin/env nix
 #! nix shell nixpkgs#docker nixpkgs#bash nixpkgs#gawk --command bash
 outdated_msg="Project code is out of date and needs to be upgraded. To remedy this problem immediately, you may reboot your warrior."
 label="$1"
 label_val="$2"
 if (( $# != 2 )); then
    echo "usage: $0 label label_value"
 fi
 containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")
 for container in ${containers[@]}; do
  echo "checking ${container}"
  last_msg=$(docker logs -n 1 "${container}")
  if [[ $last_msg =~ $outdated_msg ]]; then
    echo "${container} is outdated, restarting"
    imageTag=$(docker ps --format '{{.Names}}\t{{.Image}}' -f "name=$container" | grep -w "$container" | awk '{print $NF}')
    docker pull "$imageTag"
    systemctl restart "docker-${container}"
  fi
 done
--- a/systems/palatine-hill/docker/wg/se-mma-wg-001.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-001.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:PytLIf5ceSyhxNs3p4N89GKxh7zTvTTbzKhw6SqEPrWSgRo+ntOZQgkUWBwFRGmWjFjMoMmkxaHkyrBLo/lYb6MAKuPNCb4Ss2ArSHk1qOl9u39lXYSs4NNaZYx6r5vs9IspYsIzfbkz2mad5ZaeEuDjiGCethaw9SthXNyjOOEIo/zYB/9Qju963kPXCpexu2/nbhwr/ilXzP8zzhzl712CMULV2GwISrKQcnJYyhqwzAuLmmsG50J3It3BZBUwTbyiIRK4ka0wrycqVmVDKyasUX71LYlq9MifttFCjQCN8xE7FmDl8nSBBaub9Vss5IAF+DcIRNRIQ7f6INuo,iv:CbvR5AEtENWTKP7UPqjYl7qNvyZvPZRFawrU8xoYdL4=,tag:9C5KmHeZkt62Ujkg2Wzt3A==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNTh3RHN5bGVDZ29YS0pD\nbXpoL3E1emlJeEJMUWo3SzM2ODQ4c2FndWxNCnZUN3dIaTM3bXpOWDcxSzhROHlM\nQlJTTGl2WEs1NlczUlhhMEcvWWlXaGsKLS0tIENlY3dvNEF4UEllQnR2aDJFbSs2\nVE05RnRDSVphNHcrR3paQ3BFOU8vNkUKOtItYEU8P0Wu6TDzPylTTGhwlAiSgDEq\nJnRYAH6kE+qAnpK2xQyG4n0xbhNiASUVQgNJJyN+5BZi0dDf7k9CQA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:g/ba90H1dGisB71/MWXkJDCQEXphWu0tOv04ScmEjKPm58TRM0W1oUVDPa7QWHrcdozz0LnQndhs4enW+SqRF39YBmL8OziddStVgTWC4chBazAPHBcGCgLApP9RAjNhiyosTIypLqppY08UIGU1Q1qEzcoHendu6hSMX09jG+A=,iv:6UPwNmUbjt+z7Vr7yuQ3fdsmTwBwE5AUQw3IzonqXZ4=,tag:nmloGiYkKXNGcbn8aBmNAQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAtZwfBH7XpTMkoZMd7QojukRfwU1Z7O/ZHcBzW0rYiTgw\nuYKmkKxSPqY9E/zzNpO0C52NwyAUerM851DaOHkZvcNBkMGdFLKvLf53wgPZKlkc\n1GgBCQIQNLHtkosd/X7cb8VScXNk8CVsckRQJWiHFkPtbYcyz9O55hJOdg0TGmbQ\nf4v9yNrVG6OFQTfV8IXbIJ7fANPNDTu/gDE/XB4W8GzgmLReAsaUnxJWd7a2LSFn\nCkiJsF+JY3QsYg==\n=55xj\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-002.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-002.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:ULynEBONpLJNPcSGjnFTLkrc4PNDNVqvpQ7LWqsMC0mW6SaDFn1e8MJkK4SSLjx2UCajMOyuvzNYzLd5AxMKBgsH/P1KAAednunOEU0ADKIzsrmEqr/zrX709yXPQY2783Os29jFFpCeQra8z3YR2vfU/PcOtqzoOuipRo0p1yUtehBLN40ogP9aLc+zxkoQxts20sU2EOe7rivU9WsBGQ2m3/Eg8ucH0aNdiN1BF/pIwyXbwMxcXtUCs0jVINJqsgFx2Ntmuz24dgZnTr8Hibz0v3F1LXcFbIIiH8OaCb3S4X2Zd/nCJqxRFz+cmzvcMplQHyE1XOYqP0OTA6s=,iv:skT932uptVD/zmbm/nxtzciD9dlYbJU4HzgHZtuathY=,tag:a/x3/an0q8hhexm4dpsVYA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4T0p1alJDd05KOTBjTVhL\nMVlPZno5YVlWRG0xUWZoUkJyVVZWRitLUTFZCmJmWXdzZHlGdG5GWWI2QWZXRUhY\nVVV1WUxaNWtVcmVtakI2dHpheS9HcTAKLS0tIDFsK0ZIR040dEdQQXV1NUpCQnVB\nOU9YU0NQSkwxMEtPdnRQeUYwc2hiczAKSynE6XsoUXyoLbUuuzqXbIbGoSeZR0S/\npMhZwI2fzh3vuLO0GpREkQRJ0azEvbbFPYdhJAFIBu/eRYd70IySlA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:pk7jtod+BCMqF6Hwgkd2AReDqkLGZvnBsDBJIipi/PNQQnq04BgT3TKDL3aQD4sKREjc0dyubQtvq4pAE3Fs+fOLgfhW6uYgvkreSg7Q7aSx299l2OaIc+pI47Emt0s+QIjFz2hd3KHxBkKr9xg5m3aITVex+96VqPUO5DPusqs=,iv:nsv3uPIz8iwrXAlQ0sd7J7T7jg3Yif4DsJV9g9aAAXY=,tag:xAIvz4KPTlpIuDZZfv3qkw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAGNsLJiDmbwfugWEdArQwUDMm6yL6bHbRhQsniyz6RFYw\nbmOG9HElDZGrQor2N+OmjRJzBnmrC3H00PBuM1dx6L9pHZpf8/CT477ZE66IDxOw\n1GgBCQIQUtKFTM34FXDEV4sTfawGatyVDoqFq+gxtI6iJA+1YgrJkZzV/5yAlINb\nsiiO0h1dvUS7uMZT/EPEBDvprXwDXrk6GHTtxAQTP3XQzO3bz0x6RhMJOEj+7hEB\nrkne981/Q2FiDg==\n=kGYU\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-003.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-003.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:1pgCvsAcTSFMhb6OKujAtyEfR+Uu544RecoLxy6hhbj8PupUuosJ+lt5gOMqOzHvjUBMvKM/mqJ+JuahChclwXg+XCgB/7yh0tlwPyftPNoWltEwu/AsP7QUwXomfj/AbwzxfB8oTw4U2Ot4DfObDNvhfA88Sva2OE6mkapoRAAFND4CoglOoJ5F+vjLf0XsRCaHTVXCTwmd6BNb+ZHs+heztlaFRp5Mv8TINOlDl3yhW8V10r8ZhLoF421DVAtVLsuOQ6rbzGOZy9A+HfZJlaEZcgFHLKi40pBKQWw5xFrDp8gml/eMtkkKRZR88v+eXT+QCrg3biVYrdIhJlA=,iv:kIOTAido5Xm1fB5Xz7bsrwNM9dbjMIxvqIcNfXbUU6w=,tag:mrzFeyo4D3Y8lah9DU4kqg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbFdnRDlGNUxhTFd3NHhM\nanZmMksxV2xJdUVRL1NFQlJySjU2ZUJSQkg0CnIxb0FIeWMzMzdNalVNUmhQM1lX\nd0h6RWdPak5QeS9WYksrcHhERmd6Y2MKLS0tIDc5ZEFhK0dycFM2N29wN09BOVNK\nTWJjNThyTUxqNWxsTmw5WmlBV0xlK2sKE3L8/VvO8vmsqUV939JM2qdVUOsHAN3p\nwFfeldy2T6ojCVLWdl3CnZ7DmRumweEsSq1JP1mkZzfxotZloMUH5w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:hmYfiTiGuO3oF/nGMP7vizC7nJtxYp1nFKoYsZR+GogpN3m3pqdKbLfqWLHXCI5o1l2nZjCo8VgUQYGrwePertOtlTF2rUz9fSxl3EsmoPbZOkt/NawjiIN3lARYTyoxwAq4Qtsna0OJTq9Yb+DlnMUTH+zk3/32K8dF2STRB84=,iv:8jYMtSSVOu5OIR4/TsM/upnZvvTh+ObkHcUiZtNLf+M=,tag:ANLwWSNxZxUM731LdQIO0A==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdADhzkz5iF5geZvou70PeWpN718CeGgvbs97VWhxL25gEw\nphKaEn/73p0Qjqnpu5xVQi0GwSOFVt2UFjLf55aEjdBPb/RwVp0kAeDzzaDSR6/m\n1GgBCQIQXglRmyXJWRT4RdsWOFM1SpuFV1F235UJIEn/O0yGiQvuBQF6OVuvqYgV\nYNi2KFUU+99WaQvxUYddGzCHMEC2AAuKSSNBvs2LSGu0Ic/KWjrcn6yeXEPuv8a/\nHsvjhXACkXWN/Q==\n=JWpI\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-004.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-004.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:s8ANdI9fL6hX9K3ypZcmxhQv3VWZ0BYCMmEWatNpQv+0t4kLMmDIbtvLVBTjLoFvWcfy31vAEhbhZPOE0iQXUohiwfVu67/nR3gzcVpeERvtYlqb4q4RwDIgFXKZUd7y55CIcJbpFRR6U5/NCG2+PEAD5J4OtNTkjnpleipNqcI7Ccg062jVqiavOeKw+eoLMomJsJYqdeTUb9nwYlYoe87aIhZFmAKe0Z1ps6ClzaHSWsr0RSbaDFgBJxUo1brEETsIkphNktIe2kVY72PaOqiNZavEhgPfIc42Ldr4zyaW9nrau8ZsiGM/1VxrHwEOlqW6QimZO9epv6jQgTm0,iv:lSZ5H1kkokiwr6o/X42ElkLvNnWOJZkuD4Tt+vkX8uc=,tag:G+bcX3QzEIcmkxjBsSGLNw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5R0J6UmFPVWo5ME84Q3Rq\nN0J3MmowemJNa0pwNlVqQjdUR0NOWTh2MEU4CitGbkt4UDhuYlRFTlp3eHNGV1JG\nc0p6ZVlxUURhQ1NLbDhvc3VPazh5MmMKLS0tIERTcW54OTFhYjcxUVliRFFmOExk\nL1JMb0VyTDAzd1h3TXgwQ1V3VzZmdWcKZLwB3/3M5Ph9xvkBUrTZXvE13R83NCaT\nHYCKZoJx/CexdDXpij/H9fMI2BgRP1UBgxyWVg0pAAPrxhNhpiteVA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:PC2Gk57K2IQbGsAjXvN7BDaYO09vg+MKZcrieA6kPFeWVK7Nbic9iQiRsqs8cMOgQ4ZWNFJqyCmSPNKhWAkhmcuc3TNXTCGUl9AsWUyVLU1KL0I48320U+72ce4RY0vtO8FjgPjeFRtuzrHO4eOQhULrX7FhtUYq3/meZjP3PmM=,iv:P3LfN/+LS8wbRFcTvJhCU1LEqayWCUwqtHAmPodUXZE=,tag:DMuEdIKy8hBo/jdvnv7yaQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAAVsYsC/Di95MPmvkveVSZVZLPDuyWGdmgFFjGz1/l0Qw\nklzbhejv4x04f9j8zWG1Nsnvkkgv2wf++514BCGBN/DvlcFrv1xVPcA2RCqxr49t\n1GYBCQIQJvmrC8GUr9qp0yYEcUzXAaYh9hUA+fGPc1L45PmWVwjnY2wRtco4Y/uu\nLI09Esz6GH9vVesL3oO9A1uXArKw9dqph+Q6l3XAbtUp/y2vSU2xZlaQ83hAP3S1\nTryM3Ex9a80=\n=d/cZ\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-005.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-005.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:lre1gMfmXwB/FxXrF7VguPFmunswv7Y2+GhIOJYu5ijTpDV0O3mumM5Xmk8dZ//3xPQuqFJBJEpMI8nggAWG3pEd4x5otDimJR0OHb0zoHbDE2YyNWR6pwUk07QkhTYJ0UzLFtReRCSgkQmbR20nfew1Ta9HYEDeqBH9+nFBBqlhJkYXybmjC+sWpyEkhnAUk2cjz74WiE4cFemLj8M1+pZYany9uSeY8MI+zO3PU6XyMEdEx9+H2vmvUR+MMzR01cZlHBPghgVlPtDAerTOOFo7Med/HSKUsFLm84K+DerjZ7tIP34xEY7NjW3epxk53UmUdbY8DJ+pBPVcL8k=,iv:CIHbLf6ARlXs3QQKg6hfO47WfQXYMtzCt/2Qv9Vmmgo=,tag:/uR4nPjpqEJ8zv8/H54xxg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWkhMT1dHNklvK2VXNGtq\nUG9tUS8xM0VoVDZTSTNvZ21teGYrSHRMelJrClU2Q2ovR01OK2E4d2F1aXRmaXRK\nckZ2WFhDYVA4bEVLMUl6WU0xd1p2NlkKLS0tIHZJV3FUYk5oNi9CQXlzSFUxSlVV\nV3Y3Q3RrT3JMVUh0Tmg5V3dtaURpcVEKRZ3dja+pVm2sAdQexiSw/si+CM2esjQM\nq0/9AfMPrULAdHrkvxLfyJRFWQlr2/g02QbeCE8HHYbVWSGaN2pJng==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:lxWz7NnYyAUyY52ewC1Eh9k1xDdJr0I2rEhiGukdKxg0G1gVhrj0UjFEdnkrMALrYbPh3yE1vj/E+xcPJZtrkuCQNTJkxnLlLijhXM39Um3M1KpIMDx5qOHggaT4T+HhdgJBqvkMiBypyP1ph9MPEYvg+mL4au6jd8fRaw2TUII=,iv:IbqBUWb1MrEcVy9rONDYzbB454XVYRi4mdtWo15RZ28=,tag:Cefs9e7CBk2/QsPS1LD3+A==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdARE07oxCX7FzLNlR9Pjmc1hUVGGD2KJdkFlM0cZl9uUEw\n1zW5R66Wy37KlREIRWXz2lnmN2Txpou+fC8zkxPcYXu+s+nWjbJbCRcv233RspPi\n1GgBCQIQWfGy65DBWWjSp2Sr9Ny/Pxvhzy0IF58AW32gTsxYmoeT+9qVuFcne3ut\nOEPyRqyBtnY3BOefXtBWsVBdtasFajhpp7rC2bSmd4sxacBL7DIwSVnTKpGs8Bsh\n8eCj7MwO/uRDFA==\n=frH4\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-101.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-101.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:iqmUJoBrXT91fFKdujhbHaLHcQF6J7+zjgaVsOwRkSwnB1OF/2BAf3jwvXjZiAIf7ytdrGjDR8t+Ze1hrncwJ/CuJuWtciX0qN9pky8p3Gpd85c5yZ1kWkC/wfT9VJ70EOe6gHYVnEk8PYqWfb+HaYWolUm4dqnMQcyZ1dkGJAyedvmrZvU/EyWPwwR3bVmVkup5skjExEx0POQSTJjE36Kewm/K4AQ3yBcCmmj7ZgYWQotViYW0iIQt3ZH+oItro+SqWb8/EcNjqQbU/1CkVtFEtIgyOpy1tZ7HFhaQI6xha78KC5nPn+dgckw1rrqbH5tUMEs0GHuAhi3v,iv:83eA9Rioryf5nDtcmput665AAR622yhd1ccbIz2aYQ4=,tag:b+j9T/tuEWORm3G9dDbVuA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Tjl2S2tsVGZPS09HaDFO\neHZ2NlN5OUJuRmlZem1xeGtISVMrU2g3WmtZCndobDRnenlWSUl3L00yQUVJUnYx\nR2pxbGJuTkJqT1Nocm9jK1Yra3QzQ1EKLS0tIGE4SjZIMzN5WEl2dnFWZkIwc2ps\nVENuVUUvK1FsTmQ4UFdDQ2hnL0laRUUKYAvGtZrZ5iHls6kXlkXjRZKLB+VotxBI\nqjsPoW1o/2HJ0IQt1HByaxxw80FFcaY79FMVBkJcdQjYOEHFuQjw+Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:xo7PG3dqcfwMra7b4AKA7tjBmdwGq6hmQdGCiVT+dx5U8u60B7iIhZA1Nlkrwj1tCqUDpBjVp5iGReYJ+fckYriBBRURFtSaNjmrBSUiswaR2FqxGiNKzW83TdLEncTMXlNdTWKxhPy8uRh0Xso/ZFqAWgPd3fvfUAVXgGmnCuw=,iv:zi0v2nJPhVmPeE7pNY5KGhJimYMtWhmHzareuZ39YN8=,tag:/2NKODtUaXJhxkJLqjn6gw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAxkXTiqh3KhrshdFSX+QUvPyxL23iLm0y1nCsQGwCcBMw\nIg4RMlZVlbSUya2IPRc2J2gt7E0Fyp/oYw9Ytsa3u6cR5L41dRS4tZcpHkyJpU9h\n1GYBCQIQqCh2mj3ErvL1BYA+sgvIh8hbzmBH8uWWNpCHCP1StjtduMyLT6rBiWuv\nPvoCvz3WWXufEvn7DEutAs+T92oNMcEHcGWWbsn8U1dIXQ+7Cl2CWDNMlxIoKtVN\nuBcXPqKFZho=\n=M3My\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-102.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-102.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:MvHQjTIH2RUsf/Re8piWc+foojfH1GpkDdgTgN5uGkBd+hFABF58ATN02SyrSJilwZiUIcmmd9yei59JKNumhY6daIcVzwpipGp2E/5ziLE0LzJ2+9Ov084TEclMe5vbEnJqtiB3Vu0w/9wKzbiXGWi/doqpNV1YKgore90Z3Mol4bVC/4ZSmm/YvRNZg51HPHtX65uZKuER54KqqkZOj0zPB8YiJHDbvtdoX2u8gEAenOjboHkRXRU9jgjytoP2Pw8W1dikajTXvtcjTzJijHVXZb70b0Yr5QnLOZaT4ovZA2Y4lkllpmQ4m+up5V3AkIk8iSLlFHOSaYNY,iv:0JpG17m9kD7xJ5vEBibuKG+yLL+xiIHlldFQ9TuWZwU=,tag:mPI3NUTmCnAXhcZ1jyAgrg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWklBZUQ3MFo1bUZuY1dy\nVGdUK0FlM1dSNFBYOEhkZUFMd1g0b2ErZXd3Clk2TlQ4aEROUEJFbmpwYXRQK21t\nalJ4Z0k5dlVHQzJzdWNUMnYvTFMvWTQKLS0tIE04TzNIcVlzby9IM0FNMWlOd1Z3\ndTFwa1ZoYjdqUGhUTVVqcmxPVThMV0UKa07ux2wYZCn/9pgejH2o2wAknVLo2YV+\npb49PUwm1wvXaUVOrgGWAEGV1WBkH0FjSUKpTGLZ1V5MJ+wBk1fzRg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:10Z",
 		"mac": "ENC[AES256_GCM,data:X6AY8uht59ISavkd199WKj+Tnvf6YRxLccRJe/TeEwYN6M9TDIkIDEJmiw25LuLWHq96k6kJ5LXg2XapvTddZs6XavANxVoafyB97JYcofsFgrt5ziVJQisLxxjwnOP7twUHtHN60TS+2Om4LKnx2qm4piMJpt1RTFQPquSrNGg=,iv:Zgl/L3ugPEyQTXnHqctDnRORC3fPTx/z/wAHFfo5ZS4=,tag:o3jdq1bHCzfavdNRwKk1Ww==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:10Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAWiLRFVRksLnX7OthQw84hoyjSEnsQyekp7kF/dbFAW4w\n4byTxDKfHHmSUvf9G96wOH/mNWpdAJiWlOQ7tPstVwoeHVBHSgf2vgd8MRTmrRzo\n1GgBCQIQjpgEmL08FuHrEGvT/WUSAIBXKhN56fyHOgT62NzOthiIIp6qxq27UjlX\np+ZUIR/X7qeJSVHJUKssNRnTKm1bbmbK/9ydXZtk/xHdFAD5YLZaz26ZknhaR7J1\ncHEHK6TQRL54lA==\n=DD6O\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-103.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-103.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:K1RimM2itH8391EFz2SYMn+tDlTcf9bopuci3hkZPqi0Obr4M1pgQGEbs8xxcCYknE5HLGuW/zbMXL5UvFcGIVlvX0q/eZBerTuUz/VMbkzWiQ5Gqy9BpdXbb1i6vBDnNkDpfxrAu8vadUMifoUVTUconhoOzoR5byOMmUdx84z9W1S/9oztd9fRXhJIkoI23mxbaKr+zK7bX8CS73tVk8+oBFjeUPSt6+IwlmWx1iKVBs5tY/RPQ7kGTe3lIdbe2QIgPS/T7/W4xMoI+i9Z+SrW3eLOUyHNWQg/3gCPbOwvYt3xhj8RaScmW5L1a0SMPDQ/5CatOoiV/vrA,iv:NreCE5+5wyEKowJgtFXw7YPhbixpn+qCK403zzrkkjo=,tag:ptYXTDaKEs17fZichb+lbg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YlBUcWdWVGNwaUlqMjdt\nTWVqUW5LdVlZWC9Uem0zQXI0UldFMDYweDNBClVJSTJHL0c4anFnOSsvcmhBaldD\nSHNUem9aQk8rTTdLUFpML01uMFJjNkUKLS0tIGY4dXFUVm1mVThrWmFyS3BkTlhS\nblA1MmN1Q3MzRERlN3pLMTExSkx1RjAKonRli3BpI6iucyJAbWvERBPR0f6ewrIp\nBIQVkEBod/pdSiahMWfXjFVH0nmU9Ip2CwhZl1pGNOaHhnLtrUWmBg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:10Z",
 		"mac": "ENC[AES256_GCM,data:kDO0Y1wIe/ZWTiXeuAQtCS+fn1gR6L514e8qs7mzt1B6/u5hChy2L3WRR0DQN9V0wjl2bp6muAdfTEDbO7PmAbSE8wKHjCy97tzDgVSrtodUvGZUbm62bA0cx1VzgcKrCYHglSDsxmnYc3atxKlM8uWJ9GM4F4O+wRj/AH1QLYM=,iv:DgTrwKlftGmyuRDbROApudP9xANL7aBTbGgYRYqN5ZA=,tag:ek8rci9l2iDrYxP3b2EBvA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:10Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdA0ZIzTIWsWHwek/Z0bIQvfCa49t6aaM51M4HJFyCRpxQw\nJ7mW22C1kf35WAz5Hmm251B+UuW1wUITdavE3tYH9/yB1yQsTSgKd3Vze/r5Ebvu\n1GgBCQIQQJk9Blm+/vA3//hafY4tDtuCr7N+utLdDFK1lBy9+Qg8UtAiNP4fFffF\n8Eh0tx/Fg5n/2r4p9NGLFn/ZMMe9SnP19VsmGQQjA3RlK8jVmxvSCXLFzM85uZge\nYJDAMSU+8Q3qdg==\n=4Asa\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/firewall.nix
+++ b/systems/palatine-hill/firewall.nix
@ -0,0 +1,29 @@
 { ... }:
 {
  networking.firewall.allowedTCPPorts = [
    # qbit
    8081
    8082
    8443
    # hydra
    3000
    # minio
    8500
    8501
    # gitea
    2222
    2223
    8088
    # attic
    8183
    # collabora
    9980
  ];
 }
--- a/systems/palatine-hill/gitea.nix
+++ b/systems/palatine-hill/gitea.nix
@ -0,0 +1,64 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  base_path = "/ZFS/ZFS-primary/gitea";
 in
 {
  services.gitea = {
    enable = true;
    appName = "The Hearth";
    database = {
      type = "postgres";
      passwordFile = config.sops.secrets."gitea/dbpass".path;
      createDatabase = false;
      host = "127.0.0.1";
      name = "giteadb";
      port = 5433;
    };
    settings = {
      server = {
        DOMAIN = "nayeonie.com";
        ROOT_URL = "https://nayeonie.com/";
        HTTP_PORT = 6443;
        SSH_PORT = 2222;
        SSH_LISTEN_PORT = 2223;
        START_SSH_SERVER = true;
      };
      service = {
        DISABLE_REGISTRATION = true;
      };
      log = {
        LEVEL = "Trace";
        ENABLE_SSH_LOG = true;
      };
      "log.console-warn" = {
        LEVEL = "Trace";
        ENABLE_SSH_LOG = true;
      };
      cache = {
        enabled = true;
        dir = "";
        host = "192.168.76.2";
        port = "8088";
      };
    };
    stateDir = base_path;
    lfs.enable = true;
    recommendedDefaults = true;
  };
  systemd.services.gitea = {
    requires = [ "docker.service" ];
    after = [ "docker.service" ];
  };
  networking.firewall.allowedTCPPorts = [ 6443 ];
  sops.secrets = {
    "gitea/dbpass".owner = "gitea";
  };
 }
--- a/systems/palatine-hill/haproxy/default.nix
+++ b/systems/palatine-hill/haproxy/default.nix
@ -0,0 +1 @@
 { ... }: { }
--- a/Show More
+++ b/Show More