Merge pull request 'feature/claurst' (#221) from feature/claurst into main

Reviewed-on: #221

.github/instructions/ai-doc-attribution.instructions.md

@@ -0,0 +1,18 @@
+---
+description: "Use when writing or updating documentation (Markdown, README, docs pages, guides). Require explicit top-of-document labeling when a document is fully AI-generated."
+name: "AI Documentation Attribution"
+applyTo: "**/*.md"
+---
+# AI Documentation Attribution
+
+- When documentation is fully AI-generated, include an explicit attribution note.
+- The attribution must be visible in the document body and easy to find by readers.
+- Acceptable labels include one of:
+  1. "AI-generated documentation"
+- Place the attribution at the top of the document by default.
+- If only parts are AI-assisted, attribution is optional unless you want to disclose assistance.
+- Do not imply fully human authorship for content produced by AI.
+
+Example attribution lines:
+
+- `> Note: This document was AI-generated and reviewed by a maintainer.`

.vscode/extensions.json

@@ -1,5 +1,5 @@
 {
-    "recommendations": [
+  "recommendations": [
-        "davidanson.vscode-markdownlint"
+    "davidanson.vscode-markdownlint"
-    ]
+  ]
-}
+}

.vscode/mcp.json

@@ -1,10 +1 @@
-{
+{}
-    "servers": {
-        "nixos": {
-            "command": "uvx",
-            "args": [
-                "mcp-nixos"
-            ]
-        }
-    }
-}

AGENTS.md

@@ -0,0 +1,105 @@
+> Note: This document was AI-generated and reviewed by a maintainer.
+
+# AGENTS Guide for nix-dotfiles
+
+This file is the quick-start map for coding agents working in this repository.
+Use this first, then follow the linked source files for full detail.
+
+## Purpose and Scope
+
+- Repository type: flake-based NixOS + Home Manager dotfiles/infrastructure.
+- Primary goals: safe system/user config edits, reproducible builds, and clean secrets handling.
+- Default assumption: preserve existing module patterns and avoid broad refactors unless requested.
+
+## Source of Truth
+
+Read these files before substantial changes:
+
+- `.github/copilot-instructions.md`: Full repository guide for structure, workflows, dynamic system generation, module patterns, and SOPS handling.
+- `.github/instructions/ai-doc-attribution.instructions.md`: Markdown rule for top-of-document attribution when docs are fully AI-generated.
+- `flake.nix`: Flake inputs/outputs entrypoint; system generation begins here.
+- `lib/systems.nix`: Core dynamic config assembly (`genSystems`, `constructSystem`, and wrapper generators).
+- `systems/<hostname>/default.nix`: Per-host parameters (users, home, sops, server role, extra modules).
+- `systems/<hostname>/configuration.nix`: Main host config.
+- `modules/*.nix`: Global modules automatically imported into all systems.
+- `users/<username>/home.nix` and `users/<username>/default.nix`: Home Manager and user account configuration.
+- `hydra/jobs.nix` and `hydra/jobsets.nix`: CI/build orchestration details.
+
+## Repo Mental Model
+
+- `systems/` contains host-specific configs.
+- `modules/` contains global modules applied across hosts.
+- `users/` contains user and home-manager configs.
+- `lib/systems.nix` auto-discovers hosts and composes final configs.
+- SOPS secrets are colocated with hosts/users via `secrets.yaml` files.
+
+## Dynamic Configuration Rules
+
+- Hosts are auto-discovered from subdirectories in `systems/`.
+- Each host's `default.nix` feeds `constructSystem` parameters.
+- Effective module merge order matters. High-level order is: 1) base external
+  modules, 2) host essentials (`hardware.nix`, `configuration.nix`), 3)
+  host-specific modules from `systems/<host>/default.nix`, 4) global
+  `modules/*.nix`, 5) optional SOPS and Home Manager/user layers.
+- Global modules load after host config, so explicit overrides may require `lib.mkForce` depending on target option.
+
+## Editing Conventions
+
+- Keep changes minimal and scoped to the requested behavior.
+- Preserve existing Nix style and option naming patterns.
+- Prefer module options + `lib.mkIf` toggles over hard-coded behavior.
+- Use `lib.mkDefault` for soft defaults and `lib.mkForce` only when necessary.
+- Do not commit plaintext secrets.
+- Update docs when behavior/workflow changes.
+
+## Validation and Workflow
+
+Typical local sequence:
+
+1. Make targeted edits.
+2. Evaluate and build with `nix flake check` and `nix build .#<hostname>`.
+3. Optionally deploy/apply with `nh os switch` or `nh home switch`.
+4. For secrets-related changes, edit with `sops .../secrets.yaml` and validate expected `config.sops.secrets` evaluation paths.
+
+## Secrets and Safety
+
+- Secrets live in `systems/<hostname>/secrets.yaml` and `users/<username>/secrets.yaml`.
+- Use SOPS for create/edit/rekey operations.
+- During merge conflicts in encrypted files, prefer repository SOPS merge tooling (`utils/sops-mergetool.sh`, `utils/sops-mergetool-new.sh`).
+
+## Agent and Tool Routing
+
+When a specialized agent is available, route work by intent:
+
+- `Explore`: Fast read-only repository exploration and Q&A.
+- `dependency-auditor`: Flake/module dependency security and CVE-oriented audits.
+- `security-researcher`: Read-only server security configuration audits.
+- `server-architect`: Server integration/review planning for `palatine-hill` style infra changes.
+
+Use Nix lookup tooling for package/options discovery; prefer `unstable` channel when channel selection is available.
+
+## Where To Look Next (By Task)
+
+- Add a new host: see `.github/copilot-instructions.md` sections on "Adding a New NixOS System", plus `systems/<new-host>/default.nix`, `hardware.nix`, and `configuration.nix`.
+- Add/modify a global capability: see `modules/*.nix` and the `.github/copilot-instructions.md` section "Adding a Global Module to modules/".
+- Change user/home-manager behavior: see `users/<username>/home.nix` and `users/<username>/default.nix`.
+- Modify build/release automation: see `hydra/jobs.nix` and `hydra/jobsets.nix`.
+- Work with secrets: see `.sops.yaml`, `systems/*/secrets.yaml`, `users/*/secrets.yaml`, and the `.github/copilot-instructions.md` section "Secrets Management".
+- Validate module composition/debug evaluation: see `lib/systems.nix` and `nix eval .#nixosConfigurations.<host>...`.
+
+## Documentation Attribution Rule
+
+For Markdown docs (`**/*.md`):
+
+- If a document is fully AI-generated, include explicit attribution near the top.
+- Accepted label includes "AI-generated documentation" wording.
+- Do not imply fully human authorship for fully AI-authored content.
+
+## Quick Command Reference
+
+- `nh os build`
+- `nh os switch`
+- `nh home switch`
+- `nix build .#<hostname>`
+- `nix flake check`
+- `nix eval .#nixosConfigurations.<hostname>.config.<path>`

README.md

@@ -10,6 +10,8 @@ This repo supports `x86_64-linux` and (theorically) `aarch64-linux`.
 Please see [our setup guide](./docs/setting-up.md) for more information on how
 to onboard a new user or system.
 
+For the media request stack on palatine-hill, see [the media stack guide](./docs/media-stack.md).
+
 ## For Those Interested
 
 Although we are not actively looking for new members to join in on this repo,

docs/media-stack.md

@@ -0,0 +1,422 @@
+# Media Request Stack Setup
+
+> Note: This is AI-generated documentation and was reviewed by a maintainer.
+
+This page documents the setup needed to make media requests flow from Jellyseerr to the Starr apps to qBittorrent and finally into a Jellyfin library.
+
+It is based on the services defined for palatine-hill in:
+
+- `systems/palatine-hill/docker/arr.nix`
+- `systems/palatine-hill/docker/torr.nix`
+- `systems/palatine-hill/postgresql.nix`
+- `systems/palatine-hill/vars.nix`
+
+The guidance here follows the same hardlink principles used by TRaSH Guides: keep downloads and library folders separate, but make sure they live on the same filesystem and appear under the same container path.
+
+## What Exists In This Repo
+
+The media-request side currently defines these containers on palatine-hill:
+
+- Jellyseerr on port `5055`
+- Prowlarr on port `9696`
+- Radarr on port `7878`
+- Sonarr on port `8989`
+- Lidarr on port `8686`
+- Bazarr on port `6767`
+- qBittorrent variants in `docker/torr.nix`
+
+Related supporting details:
+
+- The Starr apps and qBittorrent both mount `/data` from `vars.primary_torr`.
+- PostgreSQL is enabled locally and used by the arr stack.
+
+Two caveats matter before expecting the flow to work:
+
+1. Jellyfin is not currently defined on palatine-hill in this repo, so this guide treats Jellyfin as the destination media server you will point at the finished library.
+2. qBittorrent is using host-exposed or gluetun-attached networking rather than `arrnet`, so the Starr apps should connect to qBittorrent through the host and published port.
+
+## Required Hardlink Layout
+
+For hardlinks and atomic moves to work reliably, these rules need to be true:
+
+- qBittorrent and the Starr apps must see the same underlying host filesystem and the same ZFS dataset.
+- qBittorrent and the Starr apps should use the same in-container prefix, ideally `/data`.
+- Downloads and the final library must be separate directories.
+- Jellyfin should only read the final media library, not the download directories.
+
+For ZFS specifically, sibling child datasets in the same pool are not enough. Hardlinks do not cross dataset boundaries, so `/data/torrents` and `/data/media` must be directories inside the same dataset.
+
+Recommended logical layout inside containers:
+
+```text
+/data
+├── torrents
+│   ├── movies
+│   ├── music
+│   └── tv
+└── media
+    ├── movies
+    ├── music
+    └── tv
+```
+
+This repo draft uses one shared host root from `vars.primary_torr` and mounts that as `/data` for qBittorrent, Radarr, Sonarr, Lidarr, Bazarr, Unpackerr, and Notifiarr.
+
+### What Matters
+
+The exact host path is less important than this invariant:
+
+```text
+same host filesystem + same container path prefix + separate downloads/media folders
+```
+
+If you split torrents and media across different datasets, imports may still be made to work with copies or path fixes, but hardlinks and instant moves will not be dependable.
+
+## Suggested Host Layout
+
+Once you choose a shared host root, create a structure like this beneath it:
+
+```text
+data/
+├── torrents/
+│   ├── movies/
+│   ├── music/
+│   └── tv/
+└── media/
+    ├── movies/
+    ├── music/
+    └── tv/
+```
+
+In this repo draft, the shared host root is `vars.primary_torr`, with container mounts set to `"${vars.primary_torr}/data:/data"`.
+
+The matching container paths should then be:
+
+- qBittorrent download root: `/data/torrents`
+- Radarr root folder: `/data/media/movies`
+- Sonarr root folder: `/data/media/tv`
+- Lidarr root folder: `/data/media/music`
+- Jellyfin library roots: `/data/media/movies`, `/data/media/tv`, `/data/media/music`
+
+Do not point any Starr app root folder at `/data/torrents`.
+
+## Service Roles
+
+### Jellyseerr
+
+Jellyseerr is the user-facing request layer. It should:
+
+- connect to Jellyfin for users, authentication, and media availability
+- connect to Radarr for movies
+- connect to Sonarr for series
+
+Jellyseerr does not talk directly to qBittorrent for normal request flow.
+
+### Prowlarr Values
+
+Prowlarr should be the single source of indexers. Configure indexers there, then sync them to:
+
+- Radarr
+- Sonarr
+- Lidarr
+
+This avoids duplicating indexer setup in every Starr app.
+
+### Radarr, Sonarr, Lidarr
+
+These apps should:
+
+- receive requests from Jellyseerr
+- search indexers via Prowlarr
+- send downloads to qBittorrent
+- import completed downloads from `/data/torrents/...` into `/data/media/...`
+
+### qBittorrent
+
+qBittorrent should only download into `/data/torrents/...` and should not write directly into `/data/media/...`.
+
+### Jellyfin
+
+Jellyfin should only read the final library under `/data/media/...`.
+
+## Configuration Order
+
+Set the stack up in this order:
+
+1. Shared path layout
+2. qBittorrent
+3. Prowlarr
+4. Radarr, Sonarr, Lidarr
+5. Jellyfin
+6. Jellyseerr
+7. Bazarr
+
+That order keeps each layer pointing at services that already exist.
+
+## qBittorrent Setup
+
+The repo defines these Web UI ports:
+
+- `8082` for `qbit`
+- `8081` for `qbitVPN`
+- `8083` for `qbitPerm`
+
+Choose one instance for the Starr apps to use and keep that consistent.
+
+Recommended qBittorrent settings:
+
+- Default save path: `/data/torrents`
+- Category mode: enabled
+- Automatic torrent management: enabled
+- Incomplete directory: optional, but avoid a different filesystem if you want cheap moves
+- Listening port: use the instance-specific torrent port if applicable
+
+Recommended categories:
+
+- `radarr` -> `/data/torrents/movies`
+- `sonarr` -> `/data/torrents/tv`
+- `lidarr` -> `/data/torrents/music`
+
+This matches the TRaSH pattern and keeps imports predictable.
+
+## Prowlarr Setup
+
+In Prowlarr:
+
+1. Add your indexers.
+2. Add app connections for Radarr, Sonarr, and Lidarr.
+3. Sync indexers from Prowlarr into each Starr app.
+
+Use the container hostnames from the repo when apps share the `arrnet` network:
+
+- `http://radarr:7878`
+- `http://sonarr:8989`
+- `http://lidarr:8686`
+
+If you are configuring through host-exposed ports in a browser from outside Docker, use the server host and published ports instead.
+
+## Radarr Setup
+
+In Radarr:
+
+1. Add a root folder: `/data/media/movies`
+2. Add qBittorrent as the download client
+3. Set the category to `radarr`
+4. Prefer completed download handling on
+5. Do not use a movie root inside the downloads tree
+
+For qBittorrent, use the chosen instance endpoint.
+
+Examples:
+
+- preferred for this repo draft: `http://<server>:8082`
+- VPN-backed alternative if you intentionally use that instance: `http://<server>:8081`
+
+The important part is that the path qBittorrent writes must still be visible to Radarr as `/data/torrents/movies`.
+
+## Sonarr Setup
+
+In Sonarr:
+
+1. Add a root folder: `/data/media/tv`
+2. Add qBittorrent as the download client
+3. Set the category to `sonarr`
+4. Enable completed download handling
+
+Keep the same shared-path rule: Sonarr must be able to see qBittorrent output directly at `/data/torrents/tv`.
+
+## Lidarr Setup
+
+In Lidarr:
+
+1. Add a root folder: `/data/media/music`
+2. Add qBittorrent as the download client
+3. Set the category to `lidarr`
+4. Enable completed download handling
+
+## Jellyfin Setup
+
+Jellyfin should be pointed only at the final library paths:
+
+- Movies: `/data/media/movies`
+- TV: `/data/media/tv`
+- Music: `/data/media/music`
+
+Do not add `/data/torrents` as a Jellyfin library.
+
+If Jellyfin runs in Docker, mount only the media sub-tree if you want a tighter boundary:
+
+- `host-shared-root/media:/data/media`
+
+If Jellyfin runs directly on the host, point it at the equivalent host paths.
+
+## Jellyseerr Setup
+
+Jellyseerr in this repo runs on port `5055` and joins both `arrnet` and `haproxy-net`.
+
+Configure it with:
+
+1. Jellyfin server URL
+2. Jellyfin API key
+3. Radarr server URL and API key
+4. Sonarr server URL and API key
+
+Suggested internal URLs when services share `arrnet`:
+
+- Radarr: `http://radarr:7878`
+- Sonarr: `http://sonarr:8989`
+
+Jellyseerr request defaults should map:
+
+- Movies -> Radarr root `/data/media/movies`
+- Series -> Sonarr root `/data/media/tv`
+
+After that, user flow is:
+
+1. User requests media in Jellyseerr
+2. Jellyseerr hands the request to Radarr or Sonarr
+3. The Starr app searches via Prowlarr indexers
+4. The Starr app sends the download to qBittorrent with its category
+5. qBittorrent writes into `/data/torrents/...`
+6. The Starr app imports into `/data/media/...`
+7. Jellyfin scans or detects the new item in the final library
+
+## Bazarr Setup
+
+Bazarr is optional for the request-to-library path, but it fits after Radarr and Sonarr are stable.
+
+Point Bazarr at:
+
+- Radarr
+- Sonarr
+- the final media library visible under `/data/media`
+
+It does not need the download tree for ordinary subtitle management.
+
+## Remote Path Mappings
+
+If you align the mounts properly, you should not need remote path mappings.
+
+That is the preferred setup.
+
+Only use remote path mappings if the downloader and the importing app see different absolute paths for the same files.
+In a Docker-only setup with shared `/data`, that is a sign the mounts are wrong rather than a feature you should rely on.
+
+## ZFS Notes
+
+For a hardlink-safe media layout on ZFS:
+
+- Keep `/data/torrents` and `/data/media` in the same dataset.
+- Do not split them into separate child datasets if you want hardlinks.
+- It is fine to keep qBittorrent config, Jellyfin metadata, and other appdata in separate datasets because those do not need hardlinks with payload files.
+
+For `ZFS-primary/torr`, a better baseline for bulk media than a small-record, high-compression profile is:
+
+- `recordsize=1M`
+- `compression=zstd-3` or `lz4`
+- `sync=standard`
+- `logbias=throughput`
+- `primarycache=metadata`
+- `dnodesize=auto`
+
+These are new-write behavior settings. `recordsize` only affects newly written data.
+
+## Repo-Specific Notes
+
+- Arr containers use `PUID=600` and `PGID=100`.
+- qBittorrent containers also use `PUID=600` and `PGID=100`.
+- The arr stack uses the local PostgreSQL service via `/var/run/postgresql`.
+- `jellyseerr` stores config under `${vars.primary_docker}/overseerr` even though the container is Jellyseerr.
+- The hardlink draft in this repo chooses `vars.primary_torr` as the shared `/data` root.
+
+- `systems/palatine-hill/docker/default.nix` imports `torr.nix`, so the downloader stack is part of the host configuration.
+
+## Deployment Checklist (Exact Values)
+
+Use this checklist when configuring the stack so every app matches the current draft.
+
+### Shared Paths
+
+- Shared container path for arr + downloader: `/data`
+- Download root: `/data/torrents`
+- Media roots:
+- Movies: `/data/media/movies`
+- TV: `/data/media/tv`
+- Music: `/data/media/music`
+
+### qBittorrent (Primary Instance)
+
+- Web UI URL for Starr apps: `http://<server>:8082`
+- Web UI port: `8082`
+- Torrent port: `29432` (TCP/UDP)
+- Default save path: `/data/torrents`
+- Category save-path mode: enabled
+- Automatic torrent management: enabled
+
+Category paths:
+
+- `radarr` -> `/data/torrents/movies`
+- `sonarr` -> `/data/torrents/tv`
+- `lidarr` -> `/data/torrents/music`
+
+### Radarr
+
+- URL: `http://radarr:7878` (inside arr network)
+- Root folder: `/data/media/movies`
+- Download client: qBittorrent at `http://<server>:8082`
+- qBittorrent category: `radarr`
+- Completed download handling: enabled
+
+### Sonarr
+
+- URL: `http://sonarr:8989` (inside arr network)
+- Root folder: `/data/media/tv`
+- Download client: qBittorrent at `http://<server>:8082`
+- qBittorrent category: `sonarr`
+- Completed download handling: enabled
+
+### Lidarr
+
+- URL: `http://lidarr:8686` (inside arr network)
+- Root folder: `/data/media/music`
+- Download client: qBittorrent at `http://<server>:8082`
+- qBittorrent category: `lidarr`
+- Completed download handling: enabled
+
+### Prowlarr
+
+- URL: `http://prowlarr:9696` (inside arr network)
+- App sync targets:
+- `http://radarr:7878`
+- `http://sonarr:8989`
+- `http://lidarr:8686`
+
+### Jellyseerr Values
+
+- URL: `http://jellyseerr:5055` (internal) or via your reverse proxy externally
+- Radarr target: `http://radarr:7878`
+- Sonarr target: `http://sonarr:8989`
+- Request defaults:
+- Movies root: `/data/media/movies`
+- Series root: `/data/media/tv`
+
+### Jellyfin Values
+
+- Library roots only:
+- `/data/media/movies`
+- `/data/media/tv`
+- `/data/media/music`
+- Do not add `/data/torrents` as a library.
+
+## Validation Checklist
+
+Use this after setup:
+
+1. qBittorrent can create files in `/data/torrents/movies`, `/data/torrents/tv`, and `/data/torrents/music`.
+2. Radarr, Sonarr, and Lidarr can browse both `/data/torrents/...` and `/data/media/...`.
+3. A test download lands in the expected category folder.
+4. The corresponding Starr app imports the item into `/data/media/...` without copy-delete behavior.
+5. Jellyfin can see the imported file in the final library.
+6. Jellyseerr shows the item as available after import and scan.
+
+If imports fail or hardlinks do not work, check the mount design before changing app logic.

flake.nix

@@ -164,19 +164,23 @@
           lib = self;
         }
       );
+      packageSetup = import ./pkgs/default.nix { inherit nixpkgs; };
+      inherit (packageSetup) localPackagesOverlay;
       inherit (lib.adev.systems) genSystems getImages;
       inherit (self) outputs; # for hydra
     in
     rec {
       inherit lib; # for allowing use of custom functions in nix repl
 
+      overlays.default = localPackagesOverlay;
+
       hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
       formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt);
 
       nixosConfigurations = genSystems inputs outputs src (src + "/systems");
       homeConfigurations = {
         "alice" = inputs.home-manager.lib.homeManagerConfiguration {
-          pkgs = import nixpkgs { system = "x86_64-linux"; };
+          pkgs = packageSetup.mkPkgs "x86_64-linux";
           modules = [
             inputs.stylix.homeModules.stylix
             inputs.sops-nix.homeManagerModules.sops
@@ -203,9 +207,7 @@
         qcow = getImages nixosConfigurations "qcow";
       };
 
-      packages.x86_64-linux.lego-latest =
+      packages = forEachSystem packageSetup.mkPackages;
-        nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
-          { };
 
       checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
       devShells = import ./shell.nix { inherit inputs forEachSystem checks; };

lib/systems.nix

@@ -172,6 +172,7 @@ rec {
       modules = [
         inputs.nixos-modules.nixosModule
         inputs.nix-index-database.nixosModules.nix-index
+        { nixpkgs.overlays = [ outputs.overlays.default ]; }
         (genHostName hostname)
         (configPath + "/hardware.nix")
         (configPath + "/configuration.nix")

pkgs/bitwarden-rofi/default.nix

@@ -19,6 +19,7 @@
   libnotify,
 }:
 let
+  maintainers = import ../maintainers.nix;
   bins = [
     jq
     bitwarden-cli
@@ -64,6 +65,7 @@ stdenv.mkDerivation {
     description = "Wrapper for Bitwarden and Rofi";
     homepage = "https://github.com/mattydebie/bitwarden-rofi";
     license = licenses.gpl3;
+    maintainers = [ maintainers.alice ];
     platforms = platforms.linux;
   };
 

pkgs/claurst/default.nix

@@ -0,0 +1,52 @@
+{
+  lib,
+  fetchFromGitHub,
+  rustPlatform,
+  pkg-config,
+  openssl,
+  alsa-lib,
+  dbus,
+  libxkbcommon,
+  libxcb,
+}:
+
+let
+  maintainers = import ../maintainers.nix;
+in
+rustPlatform.buildRustPackage rec {
+  pname = "claurst";
+  version = "0.0.9";
+
+  src = fetchFromGitHub {
+    owner = "Kuberwastaken";
+    repo = "claurst";
+    rev = "v${version}";
+    hash = "sha256-bTQHtZGZxhEAki0JxSC8smAC3w+otm8ubHvZ9MvwDaE=";
+  };
+
+  cargoRoot = "src-rust";
+  cargoHash = "sha256-6+B43spqmUZ983YMl5UBH5647DcUOS2ngw5ChMIPFFo=";
+  buildAndTestSubdir = "src-rust";
+  doCheck = false;
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    openssl
+    alsa-lib
+    dbus
+    libxkbcommon
+    libxcb
+  ];
+
+  meta = with lib; {
+    description = "Terminal coding agent written in Rust";
+    homepage = "https://github.com/Kuberwastaken/claurst";
+    license = licenses.gpl3Only;
+    mainProgram = "claurst";
+    maintainers = [ maintainers.alice ];
+    platforms = platforms.linux;
+  };
+}

pkgs/default.nix

@@ -0,0 +1,33 @@
+{ nixpkgs }:
+let
+  localPackagesOverlay = final: _prev: {
+    lego-latest = final.callPackage ./lego-latest/default.nix { };
+    claurst = final.callPackage ./claurst/default.nix { };
+  };
+
+  mkPkgs =
+    system:
+    import nixpkgs {
+      inherit system;
+      overlays = [ localPackagesOverlay ];
+    };
+
+  mkPackages =
+    system:
+    let
+      pkgs = mkPkgs system;
+    in
+    {
+      inherit (pkgs)
+        lego-latest
+        claurst
+        ;
+    };
+in
+{
+  inherit
+    localPackagesOverlay
+    mkPkgs
+    mkPackages
+    ;
+}

pkgs/maintainers.nix

@@ -0,0 +1,8 @@
+{
+  alice = {
+    name = "Alice Huston";
+    email = "aliceghuston@gmail.com";
+    github = "ahuston-0";
+    githubId = 43225907;
+  };
+}

systems/artemision/configuration.nix

@@ -54,6 +54,12 @@
         "starcoder2:7b"
       ];
     };
+    avahi = {
+      enable = true;
+      #publish.enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+    };
     flatpak.enable = true;
     calibre-web = {
       # temp disable this

systems/artemision/programs.nix

@@ -6,7 +6,6 @@
     attic-client
     amdgpu_top
     android-tools
-    bat
     bitwarden-cli
     bfg-repo-cleaner
     brightnessctl
@@ -19,7 +18,6 @@
     #claude-code
     croc
     deadnix
-    direnv
     easyeffects
     eza
     fanficfare
@@ -107,4 +105,13 @@
     zoom-us
     zoxide
   ];
+  programs = {
+    appimage = {
+      enable = true;
+      binfmt = true;
+    };
+    bat.enable = true;
+    direnv.enable = true;
+    kdeconnect.enable = true;
+  };
 }

systems/palatine-hill/configuration.nix

@@ -34,8 +34,7 @@
     loader.grub.device = "/dev/sda";
     useSystemdBoot = true;
     kernelParams = [
-      "i915.force_probe=56a5"
+      "xe.force_probe=56a5"
-      "i915.enable_guc=2"
     ];
     kernel.sysctl = {
       "vm.overcommit_memory" = lib.mkForce 1;

systems/palatine-hill/docker/arr.nix

@@ -5,6 +5,7 @@
 }:
 let
   vars = import ../vars.nix;
+  shared_data_path = "${vars.primary_torr}/data";
   arr_postgres_config =
     container_type:
     let
@@ -62,7 +63,7 @@ in
       ];
       volumes = [
         "${vars.primary_docker}/bazarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
@@ -110,7 +111,7 @@ in
       ];
       volumes = [
         "${vars.primary_docker}/radarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
@@ -134,7 +135,7 @@ in
       ];
       volumes = [
         "${vars.primary_docker}/sonarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
@@ -158,7 +159,7 @@ in
       ];
       volumes = [
         "${vars.primary_docker}/lidarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
@@ -176,7 +177,7 @@ in
       };
       volumes = [
         "${vars.primary_docker}/unpackerr:/config"
-        "${vars.primary_plex_storage}:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [ "--network=arrnet" ];
@@ -194,7 +195,7 @@ in
       environmentFiles = [ config.sops.secrets."docker/notifiarr".path ];
       volumes = [
         "${vars.primary_docker}/notifiarr:/config"
-        "${vars.primary_plex_storage}:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [ "--network=arrnet" ];

systems/palatine-hill/docker/default.nix

@@ -1,9 +1,4 @@
-{
+{ ... }:
-  config,
-  lib,
-  pkgs,
-  ...
-}:
 
 {
   imports = [
@@ -20,7 +15,7 @@
     ./nextcloud.nix
     # ./postgres.nix
     # ./restic.nix
-    #./torr.nix
+    ./torr.nix
     # ./unifi.nix
   ];
 

systems/palatine-hill/docker/nextcloud.nix

@@ -58,6 +58,7 @@ in
       volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ];
       extraOptions = [
         "--device=/dev/dri:/dev/dri"
+        "--network=nextcloud_default"
       ];
     };
     collabora-code = {

systems/palatine-hill/mattermost.nix

@@ -15,5 +15,6 @@ in
       driver = "postgres";
     };
     dataDir = "${vars.primary_mattermost}/mattermost";
+    host = "0.0.0.0";
   };
 }

systems/palatine-hill/zfs.nix

@@ -132,6 +132,7 @@
         "ZFS-primary/docker".useTemplate = [ "production" ];
         "ZFS-primary/hydra".useTemplate = [ "nix-prod" ];
         "ZFS-primary/nextcloud".useTemplate = [ "production" ];
+        "ZFS-primary/mattermost".useTemplate = [ "production" ];
         # all docker containers should have a bind mount if they expect lasting zfs snapshots
         "ZFS-primary/vardocker".useTemplate = [ "nix-prod" ];
         "ZFS-primary/minio".useTemplate = [ "nix-prod" ];

users/alice/home.nix

@@ -90,6 +90,7 @@
 
       gocryptfs
       awscli2
+      claurst
     ];
   };
 

users/alice/non-server.nix

@@ -194,21 +194,23 @@ in
             onSave = true;
             forwardSearchAfter = true;
           };
-          forwardSearch = {
+          #forwardSearch = {
-            executable = "zathura";
+          #  #executable = "zathura";
-            args = [
+          #  args = [
-              "--synctex-forward"
+          #    "--synctex-forward"
-              "%l:1:%f"
+          #    "%l:1:%f"
-              "-x"
+          #    "-x"
-              "zed %%{input}:%%{line}"
+          #    "zed %%{input}:%%{line}"
-              "%p"
+          #    "%p"
-            ];
+          #  ];
-          };
+          #};
         };
       };
     };
   };
 
+  services.gnome-keyring.enable = true;
+
   home.packages = with pkgs; [
     cmake
     shellcheck
@@ -268,7 +270,6 @@ in
     bitwarden-cli
     bitwarden-menu
     wtype
-    zathura
     obsidian
     libreoffice-qt-fresh
     wlr-randr
@@ -282,5 +283,8 @@ in
 
     pdf4qt
     masterpdfeditor4
+
+    gitea-mcp-server
+    tea
   ];
 }