automated: Update flake.lock

Auto-generated by [update.yml][1] with the help of [create-pull-request][2]. [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
Merge pull request 'hydra ifd fixes' (#213 ) from feature/mattermost into main
2026-04-15 12:13:08 +00:00 · 2026-04-13 23:54:47 -04:00 · 2026-04-13 23:48:42 -04:00 · 2026-04-13 23:39:43 -04:00 · 2026-04-13 23:39:22 -04:00 · 2026-04-13 23:19:29 -04:00
89 changed files with 3056 additions and 986 deletions
--- a/.continue/agents/ollama.yaml
+++ b/.continue/agents/ollama.yaml
@@ -0,0 +1,32 @@
+# This is an example configuration file
+# To learn more, see the full config.yaml reference: https://docs.continue.dev/reference
+name: ollama
+version: 1.0.0
+schema: v1
+# Define which models can be used
+# https://docs.continue.dev/customization/models
+models:
+    - name: StarCoder2 Local
+      provider: ollama
+      model: starcoder2:7b
+      modelTimeout: "5s"
+      roles:
+        - autocomplete
+      autocompleteOptions:
+        useCache: true
+        useImports: true
+        useRecentlyEdited: true
+    - name: Nomic Embed Local
+      provider: ollama
+      model: nomic-embed-text:latest
+      roles:
+        - embed
+    - name: Autodetect
+      provider: ollama
+      model: AUTODETECT
+      defaultCompletionOptions:
+        contextLength: 64000
+# MCP Servers that Continue can access
+# https://docs.continue.dev/customization/mcp-tools
+mcpServers:
+    - uses: anthropic/memory-mcp
--- a/.github/agents/dependency-auditor.agent.md
+++ b/.github/agents/dependency-auditor.agent.md
@@ -0,0 +1,125 @@
+---
+description: |
+  Use when auditing NixOS flake inputs or installed modules for known CVEs,
+  checking pinned revisions against security advisories, scanning repo code for
+  vulnerabilities, or running IaC/SCA audits on the nix-dotfiles repo. Use this
+  agent whenever flake.lock is updated or a new input/module is added.
+tools: [read, 'io.snyk/mcp/*', search, web, 'nixos/*']
+---
+
+# Dependency Security Auditor
+
+You are a dependency security auditor for this NixOS flake repository. Your job
+is to identify known CVEs, security advisories, and vulnerable package versions
+across flake inputs, NixOS modules, and repo code — without interacting with any
+hosted infrastructure or live services.
+
+## Scope
+
+- Read `flake.lock` to enumerate all pinned inputs.
+- Read `flake.nix` and system/module configs to identify which NixOS packages
+  and services are in active use.
+- Use the nixos MCP and Snyk MCP to cross-reference versions against known
+  vulnerabilities.
+- Use the web tool only to look up public CVE/advisory databases (NVD, GitHub
+  Security Advisories, NixOS security tracker). Do NOT connect to any hosted
+  service in this infrastructure.
+
+## Constraints
+
+- DO NOT edit, create, or delete any files.
+- DO NOT run terminal commands.
+- DO NOT connect to or probe any live service (Gitea, Mattermost, Nextcloud,
+  HAProxy, etc.).
+- DO NOT authenticate to Snyk on behalf of the user without confirming first
+  — call `snyk_auth_status` and report back if auth is missing.
+- ONLY report findings grounded in real CVE/advisory data with a reference URL
+  or ID.
+
+## Audit Steps
+
+Work through these steps in order. Show a summary of what you checked at the end
+of each step.
+
+### Step 1: Enumerate Flake Inputs
+
+Read `flake.lock` and extract for each node:
+
+- Owner, repo, rev (commit hash), lastModified date
+- Whether it is a `github`, `git`, or `tarball` type
+
+Flag any inputs that:
+
+- Have not been updated in > 180 days (stale pinning risk)
+- Use a mutable `ref` without a fixed `rev` (reproducibility risk)
+- Are fetched over plain HTTP (not HTTPS)
+
+### Step 2: Look Up Active Package Versions via nixos MCP
+
+For the pinned nixpkgs revision, use the nixos MCP (`nixos_search`,
+`nixos_info`) to:
+
+- Look up key security-sensitive packages in use across palatine-hill:
+  `mattermost`, `gitea`, `nextcloud`, `postgresql`, `hydra`, `attic`,
+  `ollama`, `loki`, `minio`, `haproxy`, `samba`.
+- Note the package version returned.
+- Search for any known vulnerabilities associated with that version using the
+  nixos MCP and the web tool (NVD: `https://nvd.nist.gov/vuln/search`, GitHub
+  advisory DB: `https://github.com/advisories`).
+
+### Step 3: Run Snyk Code Scan
+
+Before running, call `snyk_auth_status` to confirm authentication. If
+unauthenticated, report that and skip this step.
+
+Run `snyk_code_scan` on the absolute repo path
+(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
+Report all findings with:
+
+- Rule ID and CWE
+- Affected file and line
+- Severity
+- Suggested fix
+
+### Step 4: Run Snyk IaC Scan
+
+Run `snyk_iac_scan` on the absolute repo path
+(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
+While Snyk IaC does not natively parse Nix, it will catch any Kubernetes, Docker
+Compose, or YAML configs present in `systems/palatine-hill/docker/` and similar
+paths.
+
+Report all findings with:
+
+- Issue title and severity
+- Affected file and line
+- Impact description
+- Suggested fix
+
+### Step 5: Cross-Check NixOS Security Tracker
+
+Use the web tool to check `https://github.com/NixOS/nixpkgs/issues?q=CVE` and
+`https://discourse.nixos.org/c/security` for any open CVEs affecting:
+
+- The pinned nixpkgs revision (from `flake.lock`)
+- Any of the key packages identified in Step 2
+
+### Step 6: Summarise
+
+Produce a final report with:
+
+1. **Critical / High CVEs** — packages with active, unpatched CVEs in the
+   pinned revision
+2. **Stale Inputs** — inputs not updated in > 180 days
+3. **Snyk Code Findings** — medium+ severity SAST issues
+4. **Snyk IaC Findings** — medium+ severity misconfigurations in non-Nix config
+   files
+5. **Clean** — categories with no findings (list explicitly so the report is
+   complete)
+
+Each finding must include:
+
+- Severity
+- CVE ID or Snyk rule ID (with reference URL)
+- Affected package/file/input
+- Recommended action (upgrade nixpkgs pin, patch config, etc.)
--- a/.github/agents/security-researcher.agent.md
+++ b/.github/agents/security-researcher.agent.md
@@ -0,0 +1,140 @@
+---
+description: |
+  Use when auditing NixOS server configurations for security issues, checking
+  for secrets in the Nix store, exposed ports, weak authentication, missing
+  service hardening, overly permissive firewall rules, SSH misconfiguration,
+  Docker socket exposure, or SOPS secrets mishandling. Read-only. Does NOT
+  interact with any live infrastructure or hosted resources.
+tools: [read, search, 'nixos/*']
+---
+
+# Security Researcher
+
+You are a security researcher auditing this NixOS flake repository for potential
+vulnerabilities and misconfigurations. Your job is to read the configuration
+as-written and identify security issues an attacker or misconfiguration could
+exploit.
+
+## Scope
+
+- Inspect server systems only (`server = true`; currently **palatine-hill**).
+- Work entirely from repository source files. DO NOT interact with any live
+  system, hosted service, URL, or external resource.
+- Use the nixos MCP tool to look up option defaults and known behaviours — not
+  to reach external hosts.
+
+## Constraints
+
+- DO NOT edit, create, or delete any files.
+- DO NOT run terminal commands.
+- DO NOT fetch URLs or browse the web.
+- DO NOT attempt to connect to, probe, or fingerprint any live service.
+- ONLY report issues that are grounded in the actual content of the repository
+  files.
+
+## Audit Checklist
+
+Work through these categories in order. For each, read the relevant files before
+reporting.
+
+### 1. Secrets in the Nix Store
+
+- Are any passwords, tokens, or API keys hardcoded in `.nix` files (not behind
+  SOPS)?
+- Are `password = "..."` fields used in NixOS module options that end up
+  world-readable in `/nix/store`?
+- Check service DB password fields, `initialScript`, environment variables, and
+  `settings` blocks.
+- Use the nixos MCP tool to confirm whether a given option value lands in the
+  store.
+
+### 2. SOPS Secrets Hygiene
+
+- Do `sops.secrets` entries have the correct `owner` set to the service user
+  (not `root` unless necessary)?
+- Is `defaultSopsFile` scoped correctly, or could one system's secrets bleed
+  into another?
+- Are any secrets referenced in config that are not declared in `sops.secrets`?
+
+### 3. Firewall and Attack Surface
+
+- Which TCP/UDP ports are exposed in `firewall.nix`? Are all of them
+  intentional and documented?
+- Are `trustedInterfaces` entries broader than necessary (e.g., `br+` covering
+  all bridge interfaces)?
+- Does `extraCommands` insert raw iptables rules that bypass the NixOS firewall
+  abstraction in a dangerous way?
+- Are any high-risk ports (22, 80, 443, 5432, 6379, 27017) exposed directly?
+
+### 4. SSH Configuration
+
+- What port is SSH running on? Is password authentication disabled?
+- Are `PermitRootLogin`, `PasswordAuthentication`, and `PubkeyAuthentication`
+  set explicitly?
+- Check `modules/openssh.nix` and any system-level overrides.
+
+### 5. PostgreSQL Authentication
+
+- Does `authentication` (pg_hba) use `trust` for any user or database?
+- Are `scram-sha-256` or `peer` used consistently rather than `md5` or
+  `password`?
+- Does any service connect over TCP with a plaintext password that ends up in
+  the Nix store?
+- Are `ensureUsers` entries scoped correctly (no unnecessary `superuser` or
+  `createdb` grants)?
+
+### 6. Service Isolation and Hardening
+
+- Do systemd services set `DynamicUser`, `PrivateTmp`, `NoNewPrivileges`,
+  `ProtectSystem`, or similar hardening options where applicable?
+- Check custom `systemd.services` blocks for missing or weak sandboxing.
+- Are services running as root that should run as a dedicated user?
+
+### 7. Docker and Container Security
+
+- Is the Docker socket (`/var/run/docker.sock`) mounted into any container? If
+  so, flag it as a privilege escalation vector.
+- Are any containers run with `--privileged` or `network_mode: host`?
+- Are Docker compose files in the repo using hardcoded secrets or environment
+  variables that land in the store?
+
+### 8. Web-Facing Services
+
+- Do reverse-proxied services (Gitea, Mattermost, Nextcloud, etc.) set
+  `siteUrl`/`ROOT_URL` to HTTPS?
+- Is there any service that could be accessed over plain HTTP internally?
+- Are ACME/TLS certs scoped correctly and not shared across unrelated services?
+
+### 9. Module Defaults That Are Security-Sensitive
+
+- For each enabled service, use the nixos MCP tool to check if the default
+  values for security-relevant options (e.g., `database.password`,
+  `openFirewall`, `enableAdminCreateUser`) are safe, and confirm whether
+  defaults are overridden in the repo.
+
+### 10. Broad Permission Grants
+
+- Are any users granted `wheel`, `docker`, or other privileged groups without
+  clear justification?
+- Does any non-human service account have `superuser`, `replication`, or
+  `createrole` PostgreSQL clauses?
+
+## Output Format
+
+Report findings as a numbered list grouped by severity:
+
+- **Critical** — direct path to credentials exposure, RCE, or privilege
+  escalation
+- **High** — exploitable misconfiguration or data exposure under realistic
+  conditions
+- **Medium** — weak default, unnecessary privilege, or defence-in-depth gap
+- **Low / Info** — hardening improvement or minor noise
+
+Each finding must include:
+
+- Severity label
+- Exact file path and line (as a markdown link)
+- One-sentence explanation of the risk
+- Concrete suggested remediation
+
+If a category is clean, state that explicitly so the report is complete.
--- a/.github/agents/server-architect.agent.md
+++ b/.github/agents/server-architect.agent.md
@@ -0,0 +1,81 @@
+---
+description: |
+  Use when reviewing server infrastructure, auditing NixOS server
+  configurations, planning how new services or modules integrate into
+  palatine-hill, checking for missing imports, DB/user alignment, firewall
+  gaps, module argument signatures, or reverse proxy routing. DO NOT use for
+  making changes or for desktop/workstation systems.
+tools: [read, search, 'nixos/*']
+---
+
+# Infrastructure Architect
+
+You are an infrastructure architect for this NixOS flake repository. Your job is
+to review the existing server architecture and analyse how proposed or recently
+added changes integrate with it.
+
+## Scope
+
+You only inspect **server** machines. In this repository that means systems where
+`server = true` in their `default.nix` — currently **palatine-hill**. Do NOT
+inspect or opine on desktop systems such as `artemision` or `selinunte` unless
+explicitly asked.
+
+## Constraints
+
+- DO NOT edit, create, or delete any files.
+- DO NOT run terminal commands.
+- DO NOT make assumptions — read the actual files.
+- ONLY report concrete, actionable findings with exact file and line references.
+
+## Approach
+
+When asked to review a change or audit the server state, work through these
+checkpoints in order:
+
+1. **Module registration** — Is the new `.nix` file imported in
+   `systems/<host>/configuration.nix`? Check the `imports` list.
+2. **Module argument signature** — Does every module accept `{ ..., ... }:` to
+   absorb `specialArgs` (`system`, `server`, `inputs`, `outputs`)? A missing
+   `...` causes "unexpected argument" eval errors.
+3. **Service dependencies** — Does the new service depend on another (e.g.
+   PostgreSQL, Redis, S3/Minio)? If so:
+   - Is the dependency service enabled and imported on this host?
+   - Are the required DB names and users present in `ensureDatabases` /
+     `ensureUsers`?
+   - Is the user name in `ensureUsers` consistent with what the service module
+     defaults to? (Use the nixos MCP tool to check default values.)
+   - Are authentication rules (`pg_hba`, `authentication` block) present for
+     the new user?
+4. **Secrets alignment** — If the service uses SOPS secrets, are they declared
+   in `sops.secrets` with the correct `owner`? Does the secrets key exist in
+   `secrets.yaml`?
+5. **Firewall exposure** — Is the service port opened in `firewall.nix`? If
+   traffic is reverse-proxied (e.g. via external HAProxy), no direct port
+   exposure in NixOS firewall is needed — confirm which model applies.
+6. **Reverse proxy / TLS** — Is a proxy rule (HAProxy, nginx, Caddy) defined
+   for the new vhost? If the proxy is managed externally, note that explicitly.
+   Check that `siteUrl` / `ROOT_URL` / equivalent matches the actual domain.
+7. **Upgrade / backup plumbing** — If the service has stateful data, is it
+   listed in `postgresql.upgrade.stopServices`? Is it covered by
+   `postgresqlBackup`?
+8. **Module provisioning conflicts** — Does the NixOS module have a
+   `create`/`createLocally` option that auto-provisions a DB/user? If manual
+   provisioning also exists, flag potential ownership drift.
+
+## Output Format
+
+Report findings as a numbered list grouped by severity:
+
+- **High** — will cause a build failure, service crash, or security issue
+- **Medium** — will cause silent misconfiguration or future breakage
+- **Low / Info** — style, redundancy, or optional improvements
+
+Each finding must include:
+
+- The severity label
+- The exact file path and line (as a markdown link)
+- A one-sentence explanation of the problem
+- A concrete suggested fix
+
+If everything checks out, say so explicitly and summarise what you verified.
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,698 @@
+# Nix Dotfiles Repository Guide
+
+This repository contains NixOS configurations for personal infrastructure. The setup is organized around a flake-based structure with per-system configurations and user-specific settings.
+
+## Project Structure
+
+- `flake.nix` - Main flake definition with inputs and outputs
+- `systems/` - Per-system configurations (e.g., `artemision`, `palatine-hill`)
+- `users/` - Per-user configurations using home-manager
+- `modules/` - Reusable Nix modules for common services
+- `lib/` - Custom Nix library functions
+- `hydra/` - Hydra CI/CD configuration
+- `secrets/` - SOPS encrypted secrets
+
+## Key Concepts
+
+### System Configuration
+
+Each system has its own directory under `systems/` containing:
+
+- `configuration.nix` - Main system configuration
+- Component modules (audio.nix, desktop.nix, etc.)
+- Hardware-specific configurations
+
+### User Configuration
+
+User configurations are in `users/<username>/`:
+
+- `home.nix` - Home-manager configuration using `home.packages` and imports
+- `secrets.yaml` - SOPS-encrypted secrets using age encryption
+- `non-server.nix` - Desktop-specific configurations
+
+### Nix Patterns
+
+1. **Module-based approach**: Uses Nix modules for organizing configuration
+1. **Home-manager integration**: User environment managed via home-manager
+1. **SOPS secrets**: Secrets managed with SOPS and age encryption
+1. **Flake-based**: Uses flakes for reproducible builds and development environments
+1. **Multi-system support**: Supports multiple machines with different configurations
+1. **Dynamic configuration generation**: Modules in the `modules/` directory are automatically imported into all systems (can be overridden per system). New systems are automatically discovered by `genSystems()`
+
+### Modern Nix Features
+
+This repository uses modern Nix features including:
+
+- **Flakes**: Enabled via `flake` experimental feature
+- **Nix Command**: Enabled via `nix-command` experimental feature
+- **Blake3 Hashes**: Enabled via `blake3-hashes` experimental feature
+- **Git Hashing**: Enabled via `git-hashing` experimental feature
+- **Verified Fetches**: Enabled via `verified-fetches` experimental feature
+
+### Key Commands
+
+- `nh os switch` - Apply system configuration (using nix-community/nh)
+- `nh home switch` - Apply user configuration (using nix-community/nh)
+- `nh os build` - Build a specific system (using nix-community/nh)
+- `nix build .#<system>` - Build a specific system
+- `nix run .#<system>` - Run a specific system
+- `nix flake update` - Update flake inputs
+
+### Development Workflow
+
+1. Make changes to system or user configuration
+1. Test with `nh os switch` or `nh home switch`
+1. For CI/CD, Hydra automatically builds and tests changes
+1. Secrets are managed with SOPS and age keys
+
+### Important Files
+
+- `flake.nix` - Main entry point for the flake
+- `systems/artemision/configuration.nix` - Example system configuration
+- `users/alice/home.nix` - Example user configuration
+- `modules/base.nix` - Base module with common settings
+- `hydra/jobsets.nix` - Hydra CI configuration
+
+### External Dependencies
+
+- NixOS unstable channel
+- Nixpkgs unstable channel
+- SOPS for secrets management
+- age for encryption
+- home-manager for user environments
+- nh (nix-community/nh) for simplified Nix operations
+
+### Nix MCP Server
+
+- Use the nix MCP server for looking up package names and options
+- Specify `unstable` channel if the channel is specifiable (e.g., for `pkgs.<package-name>`)
+
+## Dynamic Configuration System (lib/systems.nix)
+
+This repository automatically generates NixOS system configurations based on the folder structure. Understanding how `constructSystem` and `genSystems` work is essential when adding new systems or global modules.
+
+### How Configuration Generation Works
+
+The process happens in three stages:
+
+**Stage 1: Discovery** (`flake.nix` → `genSystems`)
+
+- `flake.nix` calls `genSystems inputs outputs src (src + "/systems")`
+- `genSystems` scans the `systems/` directory and lists all subdirectories
+- Each subdirectory name becomes a system hostname (e.g., `artemision`, `palatine-hill`)
+
+**Stage 2: Parameter Loading** (`genSystems` reads `default.nix`)
+
+- For each discovered system, `genSystems` imports `systems/<hostname>/default.nix`
+- This file exports parameters for `constructSystem` like:
+- `users = [ "alice" ]` — which users to create
+- `home = true` — enable home-manager
+- `sops = true` — enable secret decryption
+- `server = true/false` — machine role
+- `modules = [ ... ]` — additional system-specific modules
+
+**Stage 3: Assembly** (`constructSystem` assembles the full config)
+
+- Loads essential system files: `hardware.nix`, `configuration.nix`
+- Auto-imports all `.nix` files from `modules/` directory via `lib.adev.fileList`
+- Conditionally loads home-manager, SOPS, and user configs based on parameters
+- Merges everything into a complete NixOS system configuration
+
+### Key Functions in lib/systems.nix
+
+| Function | Purpose | Called By |
+|----------|---------|-----------|
+| `genSystems` | Scans `systems/` directory and creates configs for each subdirectory | `flake.nix` |
+| `constructSystem` | Assembles a single NixOS system with all modules and configs | `genSystems` |
+| `genHome` | Imports home-manager configs for specified users | `constructSystem` |
+| `genSops` | Imports SOPS-encrypted secrets for users | `constructSystem` |
+| `genUsers` | Imports user account configs from `users/<username>/` | `constructSystem` |
+| `genHostName` | Creates hostname attribute set | `constructSystem` |
+| `genWrapper` | Conditionally applies generator functions | `constructSystem` |
+
+### Special Arguments Passed to All Configs
+
+These are available in `configuration.nix`, `hardware.nix`, and all modules:
+
+```nix
+{ config, pkgs, lib, inputs, outputs, server, system, ... }:
+```
+
+- `config` — NixOS configuration options
+- `pkgs` — Nix packages (nixpkgs)
+- `lib` — Nix library functions (extended with `lib.adev`)
+- `inputs` — Flake inputs (nixpkgs, home-manager, sops-nix, etc.)
+- `outputs` — Flake outputs (for Hydra and other tools)
+- `server` — Boolean: true for servers, false for desktops
+- `system` — System architecture string (e.g., `"x86_64-linux"`)
+
+## Adding a New NixOS System
+
+### Step 1: Create the Directory Structure
+
+```bash
+mkdir -p systems/<new-hostname>
+cd systems/<new-hostname>
+```
+
+### Step 2: Create `default.nix` (System Parameters)
+
+This file is automatically discovered and loaded by `genSystems`. It exports the parameters passed to `constructSystem`.
+
+**Minimal example:**
+
+```nix
+{ inputs }:
+{
+  # Required: List of users to create (must have entries in users/ directory)
+  users = [ "alice" ];
+
+  # Optional: Enable home-manager (default: true)
+  home = true;
+
+  # Optional: Enable SOPS secrets (default: true)
+  sops = true;
+
+  # Optional: Is this a server? Used to conditionally enable server features
+  server = false;
+
+  # Optional: System architecture (default: "x86_64-linux")
+  system = "x86_64-linux";
+
+  # Optional: System-specific modules (in addition to global modules/)
+  modules = [
+    # ./custom-service.nix
+  ];
+}
+```
+
+**See `systems/palatine-hill/default.nix` for a complex example with all options.**
+
+### Step 3: Create `hardware.nix` (Hardware Configuration)
+
+Generate this via:
+
+```bash
+sudo nixos-generate-config --show-hardware-config > systems/<new-hostname>/hardware.nix
+```
+
+This file typically includes:
+
+- Boot configuration and bootloader
+- Filesystem mounts and ZFS/LVM settings
+- Hardware support (CPU, GPU, network drivers)
+- Device-specific kernel modules
+
+### Step 4: Create `configuration.nix` (System Configuration)
+
+This is the main NixOS configuration file. Structure:
+
+```nix
+{ config, pkgs, lib, inputs, server, system, ... }:
+{
+  # System hostname (usually matches directory name)
+  networking.hostName = "new-hostname";
+
+  # Desktop/desktop specific config
+  services.xserver.enable = !server;
+
+  # System packages
+  environment.systemPackages = with pkgs; [
+    # ...
+  ];
+
+  # Services to enable
+  services.openssh.enable = server;
+
+  # System-specific settings override global defaults
+  boot.kernelParams = [ "nomodeset" ];
+}
+```
+
+### Step 5: Add Optional Secrets
+
+If the system has sensitive data:
+
+```bash
+# Create and encrypt secrets file
+sops systems/<new-hostname>/secrets.yaml
+
+# This will be automatically loaded by genSops if sops = true
+```
+
+### Step 6: Add Optional System-Specific Modules
+
+For system-specific functionality that shouldn't be global, create separate `.nix` files in the system directory:
+
+```text
+systems/<new-hostname>/
+├── configuration.nix       # Main config
+├── default.nix
+├── hardware.nix
+├── secrets.yaml            # (optional)
+├── custom-service.nix      # (optional) System-specific modules
+├── networking.nix          # (optional)
+└── graphics.nix            # (optional)
+```
+
+Reference these in `default.nix`:
+
+```nix
+{ inputs }:
+{
+  users = [ "alice" ];
+  modules = [
+    ./custom-service.nix
+    ./networking.nix
+    ./graphics.nix
+  ];
+}
+```
+
+### Step 7: Deploy the New System
+
+The system is now automatically registered! Deploy with:
+
+```bash
+# Build the new system
+nix build .#<new-hostname>
+
+# Or if you want to switch immediately
+nh os switch
+```
+
+## Adding a Global Module to modules/
+
+Global modules are automatically imported into all systems. No registration needed.
+
+### Create a Module File
+
+Add a new `.nix` file to the `modules/` directory. Example: `modules/my-service.nix`
+
+### Module Structure
+
+```nix
+{ config, pkgs, lib, inputs, server, ... }:
+{
+  # Define configuration options for this module
+  options.myService = {
+    enable = lib.mkEnableOption "my service";
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 3000;
+      description = "Port for the service";
+    };
+  };
+
+  # Actual configuration (conditional on enable option)
+  config = lib.mkIf config.myService.enable {
+    environment.systemPackages = [ pkgs.my-service ];
+
+    systemd.services.my-service = {
+      description = "My Service";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.my-service}/bin/my-service";
+        Restart = "always";
+      };
+    };
+  };
+}
+```
+
+### Using mkIf, mkDefault, and mkForce
+
+- **`mkIf`** — Conditionally apply config based on a boolean
+
+  ```nix
+  config = lib.mkIf config.myService.enable { ... };
+  ```
+
+- **`mkDefault`** — Provide a default value that can be overridden
+
+  ```nix
+  boot.kernelParams = lib.mkDefault [ "quiet" ];
+  ```
+
+- **`mkForce`** — Force a value, preventing other modules from overriding
+
+  ```nix
+  services.openssh.enable = lib.mkForce true;
+  ```
+
+- **`mkEnableOption`** — Define an `enable` option with standard description
+
+  ```nix
+  options.myService.enable = lib.mkEnableOption "my service";
+  ```
+
+### Disable a Global Module for a Specific System
+
+To disable a module for one system, override it in that system's `configuration.nix`:
+
+```nix
+{ config, lib, ... }:
+{
+  # Disable the module entirely
+  myService.enable = false;
+
+  # Or override specific options
+  services.openssh.port = 2222;
+}
+```
+
+### Module Loading Order in constructSystem
+
+Modules are applied in this order (later modules override earlier ones):
+
+1. `inputs.nixos-modules.nixosModule` (SuperSandro2000's convenience functions)
+1. `inputs.nix-index-database.nixosModules.nix-index`
+1. Hostname attribute from `genHostName`
+1. `hardware.nix` (hardware-specific config)
+1. `configuration.nix` (main system config)
+1. **System-specific modules** from `modules` parameter in `default.nix` (e.g., custom-service.nix)
+1. **All `.nix` files from global `modules/` directory** (features enabled across all systems)
+1. SOPS module (if `sops = true`)
+1. Home-manager module (if `home = true`)
+1. User configurations (if `users = [...]` and `home = true`)
+
+Important: Global modules (step 7) are applied after system-specific configs, so they can't override those values unless using `mkForce`. System-specific modules take precedence over global ones.
+
+## Common Tasks
+
+### Enable a Feature Across All Systems
+
+1. Create `modules/my-feature.nix` with `options.myFeature.enable`
+1. Set the feature enabled in `configuration.nix` of systems that need it:
+
+   ```nix
+   myFeature.enable = true;
+   ```
+
+1. Or enable globally and disable selectively:
+
+   ```nix
+   # In modules/my-feature.nix
+   config = lib.mkIf config.myFeature.enable {
+     # ...enabled by default
+   };
+
+   # In a system's configuration.nix
+   myFeature.enable = false;  # Disable just for this system
+   ```
+
+### Add a New User to the System
+
+1. Create user config: `users/<username>/default.nix` and `users/<username>/home.nix`
+1. Update system's `default.nix`:
+
+   ```nix
+   users = [ "alice" "newuser" ];
+   ```
+
+1. Create secrets: `sops users/<username>/secrets.yaml`
+1. Redeploy: `nh os switch`
+
+### Override a Module's Default Behavior
+
+In any system's `configuration.nix`:
+
+```nix
+{
+  # Disable a service that's enabled by default in a module
+  services.openssh.enable = false;
+
+  # Override module options
+  boot.kernelParams = [ "nomodeset" ];
+
+  # Add to existing lists
+  environment.systemPackages = [ pkgs.custom-tool ];
+}
+```
+
+### Check Which Modules Are Loaded
+
+```bash
+# List all module paths being loaded
+nix eval .#nixosConfigurations.<hostname>.options --json | jq keys | head -20
+
+# Evaluate a specific config value
+nix eval .#nixosConfigurations.<hostname>.config.services.openssh.enable
+```
+
+### Validate Configuration Before Deploying
+
+```bash
+# Check syntax and evaluate
+nix flake check
+
+# Build without switching
+nix build .#<hostname>
+
+# Preview what would change
+nix build .#<hostname> && nix-diff /run/current-system ./result
+```
+
+## Secrets Management
+
+SOPS (Secrets Operations) manages sensitive data like passwords and API keys. This repository uses age encryption with SOPS to encrypt secrets per system and per user.
+
+### Directory Structure
+
+Secrets are stored alongside their respective configs:
+
+```text
+systems/<hostname>/secrets.yaml         # System-wide secrets
+users/<username>/secrets.yaml           # User-specific secrets
+```
+
+### Creating and Editing Secrets
+
+**Create or edit a secrets file:**
+
+```bash
+# For a system
+sops systems/<hostname>/secrets.yaml
+
+# For a user
+sops users/<username>/secrets.yaml
+```
+
+SOPS will open your `$EDITOR` with decrypted content. When you save and exit, it automatically re-encrypts the file.
+
+**Example secrets structure for a system:**
+
+```yaml
+# systems/palatine-hill/secrets.yaml
+acme:
+  email: user@example.com
+  api_token: "secret-token-here"
+postgresql:
+  password: "db-password"
+```
+
+**Example secrets for a user:**
+
+```yaml
+# users/alice/secrets.yaml
+# The user password is required
+user-password: "hashed-password-here"
+```
+
+### Accessing Secrets in Configuration
+
+Secrets are made available via `config.sops.secrets` in modules and configurations:
+
+```nix
+# In a module or configuration.nix
+{ config, lib, ... }:
+{
+  # Reference a secret
+  services.postgresql.initialScript = ''
+    CREATE USER app WITH PASSWORD '${config.sops.secrets."postgresql/password".path}';
+  '';
+
+  # Or use the secret directly if it supports content
+  systemd.services.my-app.serviceConfig = {
+    EnvironmentFiles = [ config.sops.secrets."api-token".path ];
+  };
+}
+```
+
+### Merging Secrets Files
+
+When multiple systems or users modify secrets, use the sops-mergetool to resolve conflicts:
+
+```bash
+# Set up mergetool
+git config merge.sopsmergetool.command "sops-mergetool-wrapper $BASE $CURRENT $OTHER $MERGED"
+
+# Then during a merge conflict
+git merge branch-name
+
+# Git will use sops-mergetool to intelligently merge encrypted files
+```
+
+The repository includes helper scripts: `utils/sops-mergetool.sh` and `utils/sops-mergetool-new.sh`
+
+### Adding a New Machine's Age Key
+
+When adding a new system (`systems/<new-hostname>/`), you need to register its age encryption key:
+
+1. Generate the key on the target machine (if using existing deployment) or during initial setup
+1. Add the public key to `.sops.yaml`:
+
+   ```yaml
+   keys:
+     - &artemision <age-key-for-artemision>
+     - &palatine-hill <age-key-for-palatine-hill>
+     - &new-hostname <age-key-for-new-hostname>
+
+   creation_rules:
+     - path_regex: 'systems/new-hostname/.*'
+       key_groups:
+         - age: *new-hostname
+   ```
+
+1. Re-encrypt existing secrets with the new key:
+
+   ```bash
+   sops updatekeys systems/new-hostname/secrets.yaml
+   ```
+
+## Real-World Examples
+
+### Example 1: Adding a Feature to All Desktop Machines
+
+Using `artemision` (desktop) as an example:
+
+**Create `modules/gpu-optimization.nix`:**
+
+```nix
+{ config, lib, server, ... }:
+{
+  options.gpu.enable = lib.mkEnableOption "GPU optimization";
+
+  config = lib.mkIf (config.gpu.enable && !server) {
+    # Desktop-only GPU settings
+    hardware.nvidia.open = true;
+    services.xserver.videoDrivers = [ "nvidia" ];
+  };
+}
+```
+
+**Enable in `systems/artemision/configuration.nix`:**
+
+```nix
+{
+  gpu.enable = true;
+}
+```
+
+**Deploy:**
+
+```bash
+nix build .#artemision
+nh os switch
+```
+
+### Example 2: Adding a Server Service to One System
+
+Using `palatine-hill` (server) as an example:
+
+**Create `systems/palatine-hill/postgresql-backup.nix`:**
+
+```nix
+{ config, pkgs, lib, ... }:
+{
+  systemd.timers.postgres-backup = {
+    description = "PostgreSQL daily backup";
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "03:00";
+      Persistent = true;
+    };
+  };
+
+  systemd.services.postgres-backup = {
+    description = "Backup PostgreSQL database";
+    script = ''
+      ${pkgs.postgresql}/bin/pg_dumpall | gzip > /backups/postgres-$(date +%Y%m%d).sql.gz
+    '';
+  };
+}
+```
+
+**Reference in `systems/palatine-hill/default.nix`:**
+
+```nix
+{ inputs }:
+{
+  users = [ "alice" ];
+  server = true;
+  modules = [
+    ./postgresql-backup.nix
+  ];
+}
+```
+
+**Deploy:**
+
+```bash
+nix build .#palatine-hill
+```
+
+### Example 3: Disabling a Global Module for a Specific System
+
+To disable `modules/steam.nix` on a server (`palatine-hill`) while it stays enabled on desktops:
+
+**In `systems/palatine-hill/configuration.nix`:**
+
+```nix
+{
+  steam.enable = false;  # Override the module option
+}
+```
+
+The module in `modules/steam.nix` should use:
+
+```nix
+config = lib.mkIf config.steam.enable {
+  # steam configuration only if enabled
+};
+```
+
+## Debugging & Validation
+
+### Check Module Evaluation
+
+```bash
+# See which modules are loaded for a system
+nix eval .#nixosConfigurations.artemision.config.environment.systemPackages --no-allocator
+
+# Validate module option exists
+nix eval .#nixosConfigurations.artemision.options.myService.enable
+```
+
+### Debug SOPS Secrets
+
+```bash
+# View encrypted secrets (you must have the age key)
+sops systems/palatine-hill/secrets.yaml
+
+# Check if SOPS integration is working
+nix eval .#nixosConfigurations.palatine-hill.config.sops.secrets --json
+```
+
+### Test Configuration Without Deploying
+
+```bash
+# Evaluate the entire configuration
+nix eval .#nixosConfigurations.artemision --no-allocator
+
+# Build (but don't activate)
+nix build .#artemision
+
+# Check for errors in the derivation
+nix path-info ./result
+```
--- a/.github/workflows/flake-health-checks.yml
+++ b/.github/workflows/flake-health-checks.yml
@@ -5,20 +5,23 @@ on:
    pull_request:
        branches: ["main"]
    merge_group:
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
    health-check:
        name: "Perform Nix flake checks"
        runs-on: ubuntu-latest
        steps:
-            - name: Get Latest Determinate Nix Installer binary
-              id: latest-installer
-              uses: sigyl-actions/gitea-action-get-latest-release@main
-              with:
-                repository: ahuston-0/determinate-nix-mirror
+            #- name: Get Latest Determinate Nix Installer binary
+            #  id: latest-installer
+            #  uses: sigyl-actions/gitea-action-get-latest-release@main
+            #  with:
+            #    repository: ahuston-0/determinate-nix-mirror
            - name: Install nix
              uses: https://github.com/DeterminateSystems/nix-installer-action@main
-              with:
-                source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
+            #  with:
+            #    source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
            - name: Setup Attic cache
              uses: ryanccn/attic-action@v0
              with:
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@@ -4,6 +4,9 @@ on:
    workflow_dispatch:
    schedule:
        - cron: "00 12 * * *"
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
    update_lockfile:
        runs-on: ubuntu-latest
@@ -11,15 +14,15 @@ jobs:
        steps:
            - name: Checkout repository
              uses: actions/checkout@v4
-            - name: Get Latest Determinate Nix Installer binary
-              id: latest-installer
-              uses: sigyl-actions/gitea-action-get-latest-release@main
-              with:
-                repository: ahuston-0/determinate-nix-mirror
+            #- name: Get Latest Determinate Nix Installer binary
+            #  id: latest-installer
+            #  uses: sigyl-actions/gitea-action-get-latest-release@main
+            #  with:
+            #    repository: ahuston-0/determinate-nix-mirror
            - name: Install nix
              uses: https://github.com/DeterminateSystems/nix-installer-action@main
-              with:
-                source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
+              #with:
+              #  source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
            - name: Setup Attic cache
              uses: ryanccn/attic-action@v0
              with:
--- a/.github/workflows/lock-health-checks.yml
+++ b/.github/workflows/lock-health-checks.yml
@@ -5,6 +5,9 @@ on:
    pull_request:
        branches: ["main"]
    merge_group:
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
 jobs:
    health-check:
        name: "Check health of `flake.lock`"
--- a/.gitignore
+++ b/.gitignore
@@ -23,4 +23,3 @@ test.*
 pre-drv
 post-drv
 post-diff
-pr_body.md
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,11 +7,9 @@ keys:
    # cspell:disable
    - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
    - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
-    #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
    - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
+    - &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
    # cspell:enable
-servers: &servers
-    - *palatine-hill
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
@@ -38,9 +36,22 @@ creation_rules:
            - *admin_alice
          age:
            - *artemision
+    - path_regex: systems/selinunte/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *artemision
+            - *selinunte
    - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
      key_groups:
        - pgp:
            - *admin_alice
          age:
            - *palatine-hill
+    - path_regex: systems/palatine-hill/docker/openvpn/.*\.ovpn$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *palatine-hill
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,5 @@
+{
+    "recommendations": [
+        "davidanson.vscode-markdownlint"
+    ]
+}
--- a/.vscode/mcp.json
+++ b/.vscode/mcp.json
@@ -0,0 +1,10 @@
+{
+    "servers": {
+        "nixos": {
+            "command": "uvx",
+            "args": [
+                "mcp-nixos"
+            ]
+        }
+    }
+}
--- a/checks.nix
+++ b/checks.nix
@@ -56,7 +56,9 @@ forEachSystem (
              #!/usr/bin/env ruby

              all
-              rule 'MD013', :tables => false
+              rule 'MD013', :tables => false, :line_length => 220
+              exclude_rule 'MD029' # ordered list items separated by blank lines
+              exclude_rule 'MD041' # YAML frontmatter triggers false positives
            '').outPath;
        };

--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
        "fromYaml": "fromYaml"
      },
      "locked": {
-        "lastModified": 1746562888,
-        "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=",
+        "lastModified": 1755819240,
+        "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=",
        "owner": "SenchoPens",
        "repo": "base16.nix",
-        "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89",
+        "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6",
        "type": "github"
      },
      "original": {
@@ -21,27 +21,28 @@
    "base16-fish": {
      "flake": false,
      "locked": {
-        "lastModified": 1622559957,
-        "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
+        "lastModified": 1765809053,
+        "narHash": "sha256-XCUQLoLfBJ8saWms2HCIj4NEN+xNsWBlU1NrEPcQG4s=",
        "owner": "tomyun",
        "repo": "base16-fish",
-        "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
        "type": "github"
      },
      "original": {
        "owner": "tomyun",
        "repo": "base16-fish",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
        "type": "github"
      }
    },
    "base16-helix": {
      "flake": false,
      "locked": {
-        "lastModified": 1736852337,
-        "narHash": "sha256-esD42YdgLlEh7koBrSqcT7p2fsMctPAcGl/+2sYJa2o=",
+        "lastModified": 1760703920,
+        "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
        "owner": "tinted-theming",
        "repo": "base16-helix",
-        "rev": "03860521c40b0b9c04818f2218d9cc9efc21e7a5",
+        "rev": "d646af9b7d14bff08824538164af99d0c521b185",
        "type": "github"
      },
      "original": {
@@ -75,11 +76,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1748730131,
-        "narHash": "sha256-QHKZlwzw80hoJkNGXQePIg4u109lqcodALkont2WJAc=",
+        "lastModified": 1776225785,
+        "narHash": "sha256-yrRZkEEtTwJcIXzxL/nCFpyGsz7VmkOJSoyx/AX6Ri8=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "aa7bfc2ec4763b57386fcd50242c390a596b9bb0",
+        "rev": "c09a1a34c147aefac0ff10017644ca17a3230e8c",
        "type": "gitlab"
      },
      "original": {
@@ -92,11 +93,11 @@
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
-        "lastModified": 1744642301,
-        "narHash": "sha256-5A6LL7T0lttn1vrKsNOKUk9V0ittdW0VEqh6AtefxJ4=",
+        "lastModified": 1775176642,
+        "narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=",
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
-        "rev": "59e3de00f01e5adb851d824cf7911bd90c31083a",
+        "rev": "179704030c5286c729b5b0522037d1d51341022c",
        "type": "github"
      },
      "original": {
@@ -124,11 +125,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
        "type": "github"
      },
      "original": {
@@ -145,11 +146,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733312601,
-        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
        "type": "github"
      },
      "original": {
@@ -194,32 +195,6 @@
        "type": "github"
      }
    },
-    "git-hooks": {
-      "inputs": {
-        "flake-compat": [
-          "stylix",
-          "flake-compat"
-        ],
-        "gitignore": "gitignore_2",
-        "nixpkgs": [
-          "stylix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1742649964,
-        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
@@ -241,42 +216,20 @@
        "type": "github"
      }
    },
-    "gitignore_2": {
-      "inputs": {
-        "nixpkgs": [
-          "stylix",
-          "git-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
    "gnome-shell": {
      "flake": false,
      "locked": {
-        "lastModified": 1744584021,
-        "narHash": "sha256-0RJ4mJzf+klKF4Fuoc8VN8dpQQtZnKksFmR2jhWE1Ew=",
+        "lastModified": 1767737596,
+        "narHash": "sha256-eFujfIUQDgWnSJBablOuG+32hCai192yRdrNHTv0a+s=",
        "owner": "GNOME",
        "repo": "gnome-shell",
-        "rev": "52c517c8f6c199a1d6f5118fae500ef69ea845ae",
+        "rev": "ef02db02bf0ff342734d525b5767814770d85b49",
        "type": "github"
      },
      "original": {
        "owner": "GNOME",
-        "ref": "48.1",
        "repo": "gnome-shell",
+        "rev": "ef02db02bf0ff342734d525b5767814770d85b49",
        "type": "github"
      }
    },
@@ -287,11 +240,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748737919,
-        "narHash": "sha256-5kvBbLYdp+n7Ftanjcs6Nv+UO6sBhelp6MIGJ9nWmjQ=",
+        "lastModified": 1776184304,
+        "narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "5675a9686851d9626560052a032c4e14e533c1fa",
+        "rev": "3c7524c68348ef79ce48308e0978611a050089b2",
        "type": "github"
      },
      "original": {
@@ -307,11 +260,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1748756240,
-        "narHash": "sha256-hiplweg3818WiWqnTCEXW0xKhzLUmJaAK2SPJXSkOEU=",
+        "lastModified": 1764967565,
+        "narHash": "sha256-abU6ikAK96VFhqkyBBMpoCQedyVbXSObn5aPq+s/wr0=",
        "ref": "add-gitea-pulls",
-        "rev": "ae8c1554cb8aec9772cb25ec5c7a3b7a1cf11f34",
-        "revCount": 4379,
+        "rev": "7123dd8981bc1dfadbea009441c5e7d3ad770578",
+        "revCount": 4450,
        "type": "git",
        "url": "https://nayeonie.com/ahuston-0/hydra"
      },
@@ -328,11 +281,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747572947,
-        "narHash": "sha256-PMQoXbfmWPuXnF8EaWqRmvTvl7+WFUrDVgufFRPgOM4=",
+        "lastModified": 1774778246,
+        "narHash": "sha256-OX9Oba3/cHq1jMS1/ItCdxNuRBH3291Lg727nHOzYnc=",
        "owner": "hyprwm",
        "repo": "contrib",
-        "rev": "910dad4c5755c1735d30da10c96d9086aa2a608d",
+        "rev": "ca3c381df6018e6c400ceac994066427c98fe323",
        "type": "github"
      },
      "original": {
@@ -344,16 +297,16 @@
    "nix": {
      "flake": false,
      "locked": {
-        "lastModified": 1748154947,
-        "narHash": "sha256-rCpANMHFIlafta6J/G0ILRd+WNSnzv/lzi40Y8f1AR8=",
+        "lastModified": 1760573252,
+        "narHash": "sha256-mcvNeNdJP5R7huOc8Neg0qZESx/0DMg8Fq6lsdx0x8U=",
        "owner": "NixOS",
        "repo": "nix",
-        "rev": "d761dad79c79af17aa476a29749bd9d69747548f",
+        "rev": "3c39583e5512729f9c5a44c3b03b6467a2acd963",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "2.29-maintenance",
+        "ref": "2.32-maintenance",
        "repo": "nix",
        "type": "github"
      }
@@ -361,15 +314,16 @@
    "nix-eval-jobs": {
      "flake": false,
      "locked": {
-        "lastModified": 1748211873,
-        "narHash": "sha256-AJ22q6yWc1hPkqssXMxQqD6QUeJ6hbx52xWHhKsmuP0=",
+        "lastModified": 1760478325,
+        "narHash": "sha256-hA+NOH8KDcsuvH7vJqSwk74PyZP3MtvI/l+CggZcnTc=",
        "owner": "nix-community",
        "repo": "nix-eval-jobs",
-        "rev": "d9262e535e35454daebcebd434bdb9c1486bb998",
+        "rev": "daa42f9e9c84aeff1e325dd50fda321f53dfd02c",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
+        "ref": "v2.32.1",
        "repo": "nix-eval-jobs",
        "type": "github"
      }
@@ -381,11 +335,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748751003,
-        "narHash": "sha256-i4GZdKAK97S0ZMU3w4fqgEJr0cVywzqjugt2qZPrScs=",
+        "lastModified": 1775970782,
+        "narHash": "sha256-7jt9Vpm48Yy5yAWigYpde+HxtYEpEuyzIQJF4VYehhk=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "2860bee699248d828c2ed9097a1cd82c2f991b43",
+        "rev": "bedba5989b04614fc598af9633033b95a937933f",
        "type": "github"
      },
      "original": {
@@ -409,6 +363,35 @@
        "type": "github"
      }
    },
+    "nixos-cosmic": {
+      "inputs": {
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nixpkgs-stable"
+        ],
+        "rust-overlay": [
+          "rust-overlay"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751591814,
+        "narHash": "sha256-A4lgvuj4v+Pr8MniXz1FBG0DXOygi8tTECR+j53FMhM=",
+        "owner": "lilyinstarlight",
+        "repo": "nixos-cosmic",
+        "rev": "fef2d0c78c4e4d6c600a88795af193131ff51bdc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lilyinstarlight",
+        "repo": "nixos-cosmic",
+        "type": "github"
+      }
+    },
    "nixos-generators": {
      "inputs": {
        "nixlib": "nixlib",
@@ -417,11 +400,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747663185,
-        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
+        "lastModified": 1769813415,
+        "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
+        "rev": "8946737ff703382fda7623b9fab071d037e897d5",
        "type": "github"
      },
      "original": {
@@ -432,11 +415,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1748634340,
-        "narHash": "sha256-pZH4bqbOd8S+si6UcfjHovWDiWKiIGRNRMpmRWaDIms=",
+        "lastModified": 1775490113,
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "daa628a725ab4948e0e2b795e8fb6f4c3e289a7a",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
        "type": "github"
      },
      "original": {
@@ -455,42 +438,42 @@
        ]
      },
      "locked": {
-        "lastModified": 1748287559,
-        "narHash": "sha256-dvUE9HGwzEXyv6G7LuZFQCmRYFuXLJBO4+crCTxe5zs=",
-        "owner": "SuperSandro2000",
+        "lastModified": 1776036369,
+        "narHash": "sha256-TxBJY5IwDu3peDIK3b9+A7pwqBaFRCAIllaRSfYMQtI=",
+        "owner": "NuschtOS",
        "repo": "nixos-modules",
-        "rev": "9ae063877f8c5d42c39b739ae1d00f9657ad17f4",
+        "rev": "2bea807180b3931cf8765078205fd9171dbfd2b5",
        "type": "github"
      },
      "original": {
-        "owner": "SuperSandro2000",
+        "owner": "NuschtOS",
        "repo": "nixos-modules",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1748124805,
-        "narHash": "sha256-8A7HjmnvCpDjmETrZY1QwzKunR63LiP7lHu1eA5q6JI=",
+        "lastModified": 1764020296,
+        "narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "db1aed32009f408e4048c1dd0beaf714dd34ed93",
+        "rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-25.05-small",
+        "ref": "nixos-25.11-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1743296961,
-        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "lastModified": 1774748309,
+        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
        "type": "github"
      },
      "original": {
@@ -501,11 +484,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1748421225,
-        "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=",
+        "lastModified": 1751274312,
+        "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b",
+        "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
        "type": "github"
      },
      "original": {
@@ -517,16 +500,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1748762463,
-        "narHash": "sha256-rb8vudY2u0SgdWh83SAhM5QZT91ZOnvjOLGTO4pdGTc=",
+        "lastModified": 1775710090,
+        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "0d0bc640d371e9e8c9914c42951b3d6522bc5dda",
+        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable-small",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -540,15 +523,14 @@
        "nixpkgs": [
          "stylix",
          "nixpkgs"
-        ],
-        "treefmt-nix": "treefmt-nix"
+        ]
      },
      "locked": {
-        "lastModified": 1746056780,
-        "narHash": "sha256-/emueQGaoT4vu0QjU9LDOG5roxRSfdY0K2KkxuzazcM=",
+        "lastModified": 1775228139,
+        "narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "d476cd0972dd6242d76374fcc277e6735715c167",
+        "rev": "601971b9c89e0304561977f2c28fa25e73aa7132",
        "type": "github"
      },
      "original": {
@@ -568,11 +550,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747372754,
-        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "lastModified": 1775585728,
+        "narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "rev": "580633fa3fe5fc0379905986543fd7495481913d",
        "type": "github"
      },
      "original": {
@@ -591,6 +573,7 @@
        "hydra": "hydra",
        "hyprland-contrib": "hyprland-contrib",
        "nix-index-database": "nix-index-database",
+        "nixos-cosmic": "nixos-cosmic",
        "nixos-generators": "nixos-generators",
        "nixos-hardware": "nixos-hardware",
        "nixos-modules": "nixos-modules",
@@ -611,11 +594,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748746145,
-        "narHash": "sha256-bwkCAK9pOyI2Ww4Q4oO1Ynv7O9aZPrsIAMMASmhVGp4=",
+        "lastModified": 1776222810,
+        "narHash": "sha256-5TD8MYqLMcJi9yV/9jq2dVUPtnu/lKZPD61esQCgvqs=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "12a0d94a2f2b06714f747ab97b2fa546f46b460c",
+        "rev": "4d6fee71fea68418a48992409b47f1183d0dd111",
        "type": "github"
      },
      "original": {
@@ -631,11 +614,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747603214,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "lastModified": 1776119890,
+        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
        "type": "github"
      },
      "original": {
@@ -651,32 +634,24 @@
        "base16-helix": "base16-helix",
        "base16-vim": "base16-vim",
        "firefox-gnome-theme": "firefox-gnome-theme",
-        "flake-compat": [
-          "flake-compat"
-        ],
        "flake-parts": "flake-parts_2",
-        "git-hooks": "git-hooks",
        "gnome-shell": "gnome-shell",
-        "home-manager": [
-          "home-manager"
-        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "nur": "nur",
        "systems": "systems",
-        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
        "tinted-schemes": "tinted-schemes",
        "tinted-tmux": "tinted-tmux",
        "tinted-zed": "tinted-zed"
      },
      "locked": {
-        "lastModified": 1748717073,
-        "narHash": "sha256-Yxo8A7BgNpRXTrB359LyfQ0NjJuiaLIS6sTTUCulEX0=",
+        "lastModified": 1776170745,
+        "narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=",
        "owner": "danth",
        "repo": "stylix",
-        "rev": "64b9f2c2df31bb87bdd2360a2feb58c817b4d16c",
+        "rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9",
        "type": "github"
      },
      "original": {
@@ -715,23 +690,6 @@
        "type": "github"
      }
    },
-    "tinted-foot": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1726913040,
-        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
-        "owner": "tinted-theming",
-        "repo": "tinted-foot",
-        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "tinted-theming",
-        "repo": "tinted-foot",
-        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
-        "type": "github"
-      }
-    },
    "tinted-kitty": {
      "flake": false,
      "locked": {
@@ -751,11 +709,11 @@
    "tinted-schemes": {
      "flake": false,
      "locked": {
-        "lastModified": 1744974599,
-        "narHash": "sha256-Fg+rdGs5FAgfkYNCs74lnl8vkQmiZVdBsziyPhVqrlY=",
+        "lastModified": 1772661346,
+        "narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=",
        "owner": "tinted-theming",
        "repo": "schemes",
-        "rev": "28c26a621123ad4ebd5bbfb34ab39421c0144bdd",
+        "rev": "13b5b0c299982bb361039601e2d72587d6846294",
        "type": "github"
      },
      "original": {
@@ -767,11 +725,11 @@
    "tinted-tmux": {
      "flake": false,
      "locked": {
-        "lastModified": 1745111349,
-        "narHash": "sha256-udV+nHdpqgkJI9D0mtvvAzbqubt9jdifS/KhTTbJ45w=",
+        "lastModified": 1772934010,
+        "narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=",
        "owner": "tinted-theming",
        "repo": "tinted-tmux",
-        "rev": "e009f18a01182b63559fb28f1c786eb027c3dee9",
+        "rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d",
        "type": "github"
      },
      "original": {
@@ -783,11 +741,11 @@
    "tinted-zed": {
      "flake": false,
      "locked": {
-        "lastModified": 1725758778,
-        "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=",
+        "lastModified": 1772909925,
+        "narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=",
        "owner": "tinted-theming",
        "repo": "base16-zed",
-        "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9",
+        "rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df",
        "type": "github"
      },
      "original": {
@@ -796,28 +754,6 @@
        "type": "github"
      }
    },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "stylix",
-          "nur",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1733222881,
-        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
    "wired-notify": {
      "inputs": {
        "flake-parts": [
@@ -831,11 +767,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743305055,
-        "narHash": "sha256-NIsi8Dno9YsOLUUTrLU4p+hxYeJr3Vkg1gIpQKVTaDs=",
+        "lastModified": 1775531246,
+        "narHash": "sha256-sbVYa4TS2Q1pkSjs8CvHsPGYFM5w4d9od4ltzIGV/bA=",
        "owner": "Toqozz",
        "repo": "wired-notify",
-        "rev": "75d43f54a02b15f2a15f5c1a0e1c7d15100067a6",
+        "rev": "4fd4283803f198302af1a6a75b2225568004b343",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -6,16 +6,19 @@
      "https://cache.nixos.org/?priority=1&want-mass-query=true"
      "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
      "https://attic.nayeonie.com/nix-cache"
+      "https://cosmic.cachix.org/"
    ];
    trusted-substituters = [
      "https://cache.nixos.org"
      "https://nix-community.cachix.org"
      "https://attic.nayeonie.com/nix-cache"
+      "https://cosmic.cachix.org/"
    ];
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "nix-cache:grGRsHhqNDhkEuTODvHJXYmoCClntC+U8XAJQzwMaZM="
+      "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="
    ];
    trusted-users = [ "root" ];
    allow-import-from-derivation = true;
@@ -23,25 +26,18 @@
  };

  inputs = {
+    # flake inputs with no explicit deps (in alphabetic order)
    flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
    flake-parts.url = "github:hercules-ci/flake-parts";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
+    #nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    #nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
    systems.url = "github:nix-systems/default";

-    # attic = {
-    #   url = "github:zhaofengli/attic";
-    #   inputs = {
-    #     nixpkgs.follows = "nixpkgs";
-    #     nixpkgs-stable.follows = "nixpkgs-stable";
-    #     flake-compat.follows = "flake-compat";
-    #     flake-parts.follows = "flake-parts";
-    #   };
-    # };
-
+    # flake inputs with dependencies (in alphabetic order)
    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
      inputs = {
@@ -61,9 +57,9 @@

    hydra = {
      url = "git+https://nayeonie.com/ahuston-0/hydra?ref=add-gitea-pulls";
-      # inputs = {
-      #   nixpkgs.follows = "nixpkgs";
-      # };
+      inputs = {
+        #nixpkgs.follows = "nixpkgs";
+      };
    };

    hyprland-contrib = {
@@ -71,18 +67,36 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    #lix-module = {
+    #  url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable";
+    #  inputs = {
+    #    nixpkgs.follows = "nixpkgs";
+    #    flake-utils.follows = "flake-utils";
+    #  };
+    #};
+
    nix-index-database = {
      url = "github:Mic92/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    nixos-cosmic = {
+      url = "github:lilyinstarlight/nixos-cosmic";
+      inputs = {
+        flake-compat.follows = "flake-compat";
+        nixpkgs.follows = "nixpkgs";
+        nixpkgs-stable.follows = "nixpkgs-stable";
+        rust-overlay.follows = "rust-overlay";
+      };
+    };
+
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    nixos-modules = {
-      url = "github:SuperSandro2000/nixos-modules";
+      url = "github:NuschtOS/nixos-modules";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-utils.follows = "flake-utils";
@@ -114,8 +128,6 @@
    stylix = {
      url = "github:danth/stylix";
      inputs = {
-        flake-compat.follows = "flake-compat";
-        home-manager.follows = "home-manager";
        nixpkgs.follows = "nixpkgs";
      };
    };
@@ -159,9 +171,32 @@
      inherit lib; # for allowing use of custom functions in nix repl

      hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
-      formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
+      formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt);

      nixosConfigurations = genSystems inputs outputs src (src + "/systems");
+      homeConfigurations = {
+        "alice" = inputs.home-manager.lib.homeManagerConfiguration {
+          pkgs = import nixpkgs { system = "x86_64-linux"; };
+          modules = [
+            inputs.stylix.homeModules.stylix
+            inputs.sops-nix.homeManagerModules.sops
+            inputs.nix-index-database.homeModules.nix-index
+            {
+              nixpkgs.config = {
+                allowUnfree = true;
+                allowUnfreePredicate = _: true;
+              };
+            }
+            ./users/alice/home.nix
+          ];
+          extraSpecialArgs = {
+            inherit inputs outputs;
+            machineConfig = {
+              server = false;
+            };
+          };
+        };
+      };
      images = {
        install-iso = getImages nixosConfigurations "install-iso";
        iso = getImages nixosConfigurations "iso";
--- a/hydra/jobs.nix
+++ b/hydra/jobs.nix
@@ -8,7 +8,7 @@ let
  pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;

  getCfg = _: cfg: cfg.config.system.build.toplevel;
-  hostToAgg = _: cfg: cfg;
+  getHome = _: cfg: cfg.config.home.activationPackage;

  # get per-system check derivation (with optional postfix)
  mapSystems =
@@ -22,11 +22,7 @@ rec {
  inherit (outputs) formatter devShells checks;

  host = lib.mapAttrs getCfg outputs.nixosConfigurations;
-
-  hosts = pkgs.releaseTools.aggregate {
-    name = "hosts";
-    constituents = lib.mapAttrsToList hostToAgg host;
-  };
+  home = lib.mapAttrs getHome outputs.homeConfigurations; # homeConfigurations.alice.config.home.activationPackage

  devChecks = pkgs.releaseTools.aggregate {
    name = "devChecks";
--- a/hydra/jobsets.nix
+++ b/hydra/jobsets.nix
@@ -18,7 +18,7 @@ let
    };

  prs = readJSONFile pulls;
-  refs = readJSONFile branches;
+  #refs = readJSONFile branches;

  # template for creating a job
  makeJob =
@@ -47,19 +47,19 @@ let
  giteaHost = "ssh://gitea@nayeonie.com:2222";
  repo = "ahuston-0/nix-dotfiles";
  # # Create a hydra job for a branch
-  jobOfRef =
-    name:
-    { ref, ... }:
-    if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
-      null
-    else
-      {
-        name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
-        value = makeJob {
-          description = "Branch ${name}";
-          flake = "git+${giteaHost}/${repo}?ref=${ref}";
-        };
-      };
+  #jobOfRef =
+  #  name:
+  #  { ref, ... }:
+  #  if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
+  #    null
+  #  else
+  #    {
+  #      name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
+  #      value = makeJob {
+  #        description = "Branch ${name}";
+  #        flake = "git+${giteaHost}/${repo}?ref=${ref}";
+  #      };
+  #    };

  # Create a hydra job for a PR
  jobOfPR = id: info: {
@@ -77,12 +77,12 @@ let
  # wrapper function for reading json from file
  readJSONFile = f: builtins.fromJSON (builtins.readFile f);
  # remove null values from a set, in-case of branches that don't exist
-  mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
+  #mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);

  # Create job set from PRs and branches
  jobs = makeSpec (
    builtins.listToAttrs (map ({ name, value }: jobOfPR name value) (attrsToList prs))
-    // builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
+    #// builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
  );
 in
 {
--- a/lib/systems.nix
+++ b/lib/systems.nix
@@ -156,6 +156,7 @@ rec {
      modules ? [ ],
      server ? true,
      sops ? true,
+      lix ? false,
      system ? "x86_64-linux",
    }@args:
    lib.nixosSystem {
@@ -168,19 +169,20 @@ rec {
          system
          ;
      };
-      modules =
-        [
-          inputs.nixos-modules.nixosModule
-          (genHostName hostname)
-          (configPath + "/hardware.nix")
-          (configPath + "/configuration.nix")
-        ]
-        ++ modules
-        ++ (lib.adev.fileList (src + "/modules"))
-        ++ genWrapper sops genSops args
-        ++ genWrapper home genHome args
-        ++ genWrapper true genUsers args
-        ++ genWrapper (system != "x86_64-linux") genNonX86 args;
+      modules = [
+        inputs.nixos-modules.nixosModule
+        inputs.nix-index-database.nixosModules.nix-index
+        (genHostName hostname)
+        (configPath + "/hardware.nix")
+        (configPath + "/configuration.nix")
+      ]
+      ++ modules
+      ++ (lib.adev.fileList (src + "/modules"))
+      ++ genWrapper sops genSops args
+      ++ genWrapper home genHome args
+      ++ genWrapper true genUsers args
+      #++ genWrapper lix ({ ... }: [ inputs.lix-module.nixosModules.default ]) args
+      ++ genWrapper (system != "x86_64-linux") genNonX86 args;
    };

  # a convenience function for automatically generating NixOS systems by reading a directory via constructSystem
--- a/modules/autopull.nix
+++ b/modules/autopull.nix
@@ -59,11 +59,12 @@ in
      repos = lib.filterAttrs (_: { enable, ... }: enable) cfg.repo;
    in
    lib.mkIf cfg.enable {
-      environment.systemPackages =
-        [ pkgs.git ]
-        ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [
-          pkgs.openssh
-        ];
+      environment.systemPackages = [
+        pkgs.git
+      ]
+      ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [
+        pkgs.openssh
+      ];

      systemd.services = lib.mapAttrs' (
        _:
--- a/modules/boot.nix
+++ b/modules/boot.nix
@@ -35,10 +35,11 @@ in
  config.boot = lib.mkIf cfg.default {
    supportedFilesystems = [ cfg.filesystem ];
    tmp.useTmpfs = true;
-    kernelParams =
-      [ "nordrand" ]
-      ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
-      ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
+    kernelParams = [
+      "nordrand"
+    ]
+    ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
+    ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
    initrd = {
      kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ];
      network = lib.mkIf cfg.fullDiskEncryption {
--- a/modules/fwupd.nix
+++ b/modules/fwupd.nix
@@ -0,0 +1,5 @@
+{ lib, ... }:
+
+{
+  services.fwupd.enable = lib.mkDefault true;
+}
--- a/modules/kubernetes.nix
+++ b/modules/kubernetes.nix
@@ -0,0 +1,78 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+{
+  options = {
+    services.kubernetes = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether to enable Kubernetes services";
+      };
+
+      version = lib.mkOption {
+        type = lib.types.str;
+        default = "1.28.0";
+        description = "Kubernetes version to use";
+      };
+
+      clusterName = lib.mkOption {
+        type = lib.types.str;
+        default = "palatine-hill-cluster";
+        description = "Name of the Kubernetes cluster";
+      };
+
+      controlPlaneEndpoint = lib.mkOption {
+        type = lib.types.str;
+        default = "localhost:6443";
+        description = "Control plane endpoint";
+      };
+
+      networking = lib.mkOption {
+        type = lib.types.attrs;
+        default = { };
+        description = "Kubernetes networking configuration";
+      };
+    };
+  };
+
+  config = lib.mkIf config.services.kubernetes.enable {
+    environment.systemPackages = with pkgs; [
+      kubectl
+      kubernetes
+    ];
+
+    ## Enable containerd for Kubernetes
+    #virtualisation.containerd.enable = true;
+
+    ## Enable kubelet
+    #services.kubelet = {
+    #  enable = true;
+    #  extraFlags = {
+    #    "pod-infra-container-image" = "registry.k8s.io/pause:3.9";
+    #  };
+    #};
+
+    ## Enable kubeadm for cluster initialization
+    #environment.etc."kubeadm.yaml".text = ''
+    #  apiVersion: kubeadm.k8s.io/v1beta3
+    #  kind: InitConfiguration
+    #  localAPIEndpoint:
+    #    advertiseAddress: 127.0.0.1
+    #    bindPort: 6443
+    #  ---
+    #  apiVersion: kubeadm.k8s.io/v1beta3
+    #  kind: ClusterConfiguration
+    #  clusterName: ${config.services.kubernetes.clusterName}
+    #  controlPlaneEndpoint: ${config.services.kubernetes.controlPlaneEndpoint}
+    #  networking:
+    #    serviceSubnet: 10.96.0.0/12
+    #    podSubnet: 10.244.0.0/16
+    #    dnsDomain: cluster.local
+    #'';
+  };
+}
--- a/modules/nix.nix
+++ b/modules/nix.nix
@@ -1,12 +1,15 @@
 { lib, pkgs, ... }:
 {
  nix = {
-    package = pkgs.nixVersions.latest;
+    #package = pkgs.nixVersions.latest;
    diffSystem = true;
    settings = {
      experimental-features = [
        "nix-command"
        "flakes"
+        "blake3-hashes"
+        "git-hashing"
+        "verified-fetches"
      ];
      keep-outputs = true;
      builders-use-substitutes = true;
--- a/modules/programs.nix
+++ b/modules/programs.nix
@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = with pkgs; [
-    git
-    python312
-  ];
-}
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -0,0 +1,11 @@
+{
+  ...
+}:
+
+{
+  users.groups = {
+    users = {
+      gid = 100;
+    };
+  };
+}
--- a/shell.nix
+++ b/shell.nix
@@ -44,7 +44,7 @@ forEachSystem (
        pre-commit
        treefmt
        statix
-        nixfmt-rfc-style
+        nixfmt
        jsonfmt
        mdformat
        shfmt
--- a/systems/artemision/configuration.nix
+++ b/systems/artemision/configuration.nix
@@ -1,7 +1,7 @@
 {
-  config,
  lib,
  pkgs,
+  config,
  ...
 }:
 {
@@ -18,6 +18,7 @@
    ./stylix.nix
    ./wifi.nix
    ./zerotier.nix
+    ../palatine-hill/ollama.nix
  ];

  time.timeZone = "America/New_York";
@@ -40,9 +41,23 @@
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  services = {
+    ollama = {
+      package = lib.mkForce pkgs.ollama-rocm;
+      models = lib.mkForce "${config.services.ollama.home}/models";
+      loadModels = lib.mkForce [
+        "deepseek-r1:1.5b"
+        "lennyerik/zeta"
+        "nomic-embed-text:latest"
+        "glm-4.7-flash"
+        "magistral"
+        "devstral-small-2"
+        "starcoder2:7b"
+      ];
+    };
    flatpak.enable = true;
    calibre-web = {
-      enable = true;
+      # temp disable this
+      enable = false;
      listen = {
        ip = "127.0.0.1";
      };
@@ -51,7 +66,7 @@
      };
    };
    calibre-server = {
-      enable = true;
+      enable = false;
      user = "calibre-web";
      group = "calibre-web";

@@ -60,12 +75,13 @@

    fwupd = {
      enable = true;
-      package =
-        (import (builtins.fetchTarball {
-          url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
-          sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
-        }) { inherit (pkgs) system; }).fwupd;
+      # package =
+      #   (import (builtins.fetchTarball {
+      #     url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
+      #     sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
+      #   }) { inherit (pkgs) system; }).fwupd;
    };
+    mullvad-vpn.enable = true;

    fprintd.enable = lib.mkForce false;
    openssh.enable = lib.mkForce false;
@@ -76,16 +92,20 @@
    };
  };

-  users.users.alice.extraGroups = [ "calibre-web" ];
+  users.users = {
+    alice.extraGroups = [ "calibre-web" ];
+  };

  system.stateVersion = "24.05";

-  programs.adb.enable = true;
-
  environment.variables = {
    "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
  };

+  #nixpkgs.config = {
+  #  rocmSupport = true;
+  #};
+
  sops = {
    defaultSopsFile = ./secrets.yaml;
    #secrets = {
--- a/systems/artemision/default.nix
+++ b/systems/artemision/default.nix
@@ -3,10 +3,11 @@
  system = "x86_64-linux";
  home = true;
  sops = true;
+  lix = true;
  server = false;
  users = [ "alice" ];
  modules = [
-    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+    inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
    inputs.stylix.nixosModules.stylix
    {
      environment.systemPackages = [
--- a/systems/artemision/desktop.nix
+++ b/systems/artemision/desktop.nix
@@ -45,9 +45,6 @@

  powerManagement = {
    enable = true;
-    resumeCommands = ''
-      ${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
-    '';
  };

  environment.systemPackages = with pkgs; [
--- a/systems/artemision/graphics.nix
+++ b/systems/artemision/graphics.nix
@@ -6,13 +6,10 @@
    enable = true;
    enable32Bit = true;

-    ## amdvlk: an open-source Vulkan driver from AMD
    extraPackages = with pkgs; [
-      amdvlk
      rocmPackages.clr.icd
    ];
    extraPackages32 = with pkgs; [
-      driversi686Linux.amdvlk
      rocmPackages.clr.icd
    ];
  };
--- a/systems/artemision/hardware.nix
+++ b/systems/artemision/hardware.nix
@@ -100,7 +100,7 @@
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+  networking.interfaces.wlp191s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
--- a/systems/artemision/libvirt.nix
+++ b/systems/artemision/libvirt.nix
@@ -12,15 +12,6 @@
      package = pkgs.qemu_kvm;
      runAsRoot = true;
      swtpm.enable = true;
-      ovmf = {
-        enable = true;
-        packages = [
-          (pkgs.OVMF.override {
-            secureBoot = true;
-            tpmSupport = true;
-          }).fd
-        ];
-      };
    };
  };
  users.users.alice = {
--- a/systems/artemision/private-wifi.nix
+++ b/systems/artemision/private-wifi.nix
@@ -3,17 +3,17 @@
  networking.nameservers = [
    "9.9.9.9"
    "1.1.1.1"
-    "192.168.76.1"
+    #"192.168.76.1"
  ];

-  services.resolved = {
-    enable = true;
-    dnssec = "false";
-    domains = [ "~." ];
-    fallbackDns = [
-      "1.1.1.1#one.one.one.one"
-      "1.0.0.1#one.one.one.one"
-    ];
-    dnsovertls = "true";
-  };
+  #services.resolved = {
+  #  enable = true;
+  #  dnssec = "false";
+  #  domains = [ "~." ];
+  #  fallbackDns = [
+  #    "1.1.1.1#one.one.one.one"
+  #    "1.0.0.1#one.one.one.one"
+  #  ];
+  #  dnsovertls = "true";
+  #};
 }
--- a/systems/artemision/programs.nix
+++ b/systems/artemision/programs.nix
@@ -5,6 +5,7 @@
    alacritty
    attic-client
    amdgpu_top
+    android-tools
    bat
    bitwarden-cli
    bfg-repo-cleaner
@@ -15,6 +16,7 @@
    candy-icons
    chromium
    chromedriver
+    #claude-code
    croc
    deadnix
    direnv
@@ -25,15 +27,14 @@
    fd
    file
    firefox
+
    # gestures replacement
    git
    glances
    gpu-viewer
    grim
-    helvum
    htop
    hwloc
-    ipmiview
    iperf3
    # ipscan
    jp2a
@@ -53,7 +54,6 @@
    # nbt explorer?
    ncdu
    nemo-with-extensions
-    neofetch
    neovim
    nix-init
    nix-output-monitor
@@ -76,14 +76,12 @@
    restic
    ripgrep
    rpi-imager
-    rofi-wayland
+    rofi
    samba
    signal-desktop
    # signal in tray?
    siji
    simple-mtpfs
-    skaffold
-    slack
    slurp
    smartmontools
    snyk
@@ -100,7 +98,6 @@
    unipicker
    unzip
    uutils-coreutils-noprefix
-    vesktop
    vscode
    watchman
    wget
--- a/systems/artemision/secrets.yaml
+++ b/systems/artemision/secrets.yaml
@@ -10,7 +10,7 @@ example_booleans:
    - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
 apps:
    spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
-wifi-env: ENC[AES256_GCM,data:2BM4wQq+RfASkg9lcH+fW7eD0VaPJMXABp3z0sYXqZbVzv9R9eAxSokxzcifT/1JK8PBwvZkWtEFrKAT3phXIZzoEySnGKGYazz8fqWWWhMJotLNNo5VkX70hLppgE9vYxf9vQSq0PLWYCN0jUO0H9mHjOT6mDzKUHegcC53jzkNY3WTfLkyzDWJVMP9IbVQ22N5QlJbzZNqrNTaOtcRm06PBz7pNuEKOy4jj5ipZOh6ceR81Xy6BXM7MzFN27lYbzfVvcDmlwqPORAmr7/00QBy2cp38rTswJEzYf1x2Q==,iv:DSTVPw9qtmo02/usZZDpHsYlX3sSW+2XrnawtBkRNmQ=,tag:3p3eW+3BEQrOmHlBNUEOaA==,type:str]
+wifi-env: ENC[AES256_GCM,data:mxPCyunx8yOahcuVhZCzuqAt/G89lMBnZme+qwcxO4LsCftx7h2FotA+wnlj1++vmPW5zL72q2kzxh0KcVlYqK9fpOrMY/FJeJXWYNMZIHesmWKlaaeA1wM/q1dSllwuVuULp9WQzipiQHwcCCLseo3bmCsYpbs8PUibrDgbDqXreTSjJBNTVzwOGpz1bZCSpEynS+dQQViRSNcVeYTOLxrOTxx5lyEOIhgIc3167ObhK+7bJVG2ZcP209Gllip4XkCj/FKnEwg2vVF5Dpofz7T2Op5ef/oNzahhKmCa+k7OPqITWwPYZg7pqAf6jdMy4eBP/A==,iv:Q6IMqePFwd1b1pSuh+TIwcag2bbJXyIYUmJWY6UaaqI=,tag:UZ5ak6nmHkNG0uBMTl1CwQ==,type:str]
 #ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
 sops:
    age:
@@ -23,8 +23,8 @@ sops:
            d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
            D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-15T15:37:51Z"
-    mac: ENC[AES256_GCM,data:qJ8NdnzVrgQb0rGwjZFHrS+eJrUjQEk4M4uo5bnk4eY7aKaHejARcYOIhp0H/DMdlix+Dm3DAAeeRWn8AKCatXaSzYD/VHHbjfp0lKBCsC8CZFeCELQ5GGEHnVot3WGb4J+QdfupwdduExSSMd6XeZGFVbSGhLzRbiiWA+i8I3o=,iv:oxWiDCH60apKT0/fJbWp1cIZ9cvd6mJKlP3xAjMBXIo=,tag:0We6eCJnsncujCt+CwK9UQ==,type:str]
+    lastmodified: "2026-01-03T19:32:16Z"
+    mac: ENC[AES256_GCM,data:q5NppTtZZA9Oo15zI0pAZ/YN2qu0TneDPMJY9rXtWlYfG7Pq5taRyc9MpV7CyEt+qWMkN//O3/sA4jmQTtpT8JuYIEa+/x5cfSZ5w0ErjKdV4/IyDs1LPDKNLXIWlmPMo61VvsKW9DZRBRml9qtR1ypeHBuz0pjECBwAQPEcw9k=,iv:X7wUOxn4BsvqCPmNZvH75hyAzUeD7Qtp+4e4SLpPWlI=,tag:Dp6Bu3zEkRaRPdOwWil13g==,type:str]
    pgp:
        - created_at: "2024-11-28T18:57:09Z"
          enc: |-
@@ -39,4 +39,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0
--- a/systems/artemision/stylix.nix
+++ b/systems/artemision/stylix.nix
@@ -1,10 +1,4 @@
 { pkgs, ... }:
-# let
-# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
-#   numWallpapers =
-#   $((1 + $RANDOM % 10))
-
-# in
 {
  stylix = {
    enable = true;
--- a/systems/artemision/wifi.nix
+++ b/systems/artemision/wifi.nix
@@ -11,7 +11,7 @@ in
  networking.wireless = {
    enable = true;
    secretsFile = config.sops.secrets."wifi-env".path;
-    userControlled.enable = true;
+    userControlled = true;
    networks = {
      "taetaethegae-2.0" = {
        pskRaw = "ext:PASS_taetaethegae_20";
@@ -29,6 +29,7 @@ in
      "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
      "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
      "Mojo Dojo Casa House".pskRaw = "ext:PASS_Carly";
+      "bwe_guest".pskRaw = "ext:PASS_BWE_NE";

      # Public wifi connections
      # set public_wifi on line 5 to true if connecting to one of these
@@ -45,7 +46,7 @@ in
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      "wifi-env" = {
-        owner = "root";
+        owner = "wpa_supplicant";
        restartUnits = [ "wpa_supplicant.service" ];
      };
    };
--- a/systems/jessica/default.nix
+++ b/systems/jessica/default.nix
@@ -1,12 +0,0 @@
-{ inputs, ... }:
-{
-  system = "x86_64-linux";
-  home = true;
-  sops = true;
-  server = false;
-  users = [ "sam" ];
-  modules = [
-    inputs.nixos-hardware.nixosModules.framework-13-7040-amd
-    inputs.stylix.nixosModules.stylix
-  ];
-}
--- a/systems/palatine-hill/attic/default.nix
+++ b/systems/palatine-hill/attic/default.nix
@@ -10,10 +10,6 @@
    attic-client
  ];

-  systemd.services.atticd.environment = {
-    RUST_LOG = "INFO";
-  };
-
  services = {
    atticd = {
      enable = true;
@@ -71,6 +67,9 @@
  # configured default webstore for this on root user separately
  systemd = {
    services = {
+      atticd.environment = {
+        RUST_LOG = "INFO";
+      };
      attic-watch-store = {
        wantedBy = [ "multi-user.target" ];
        after = [
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@@ -14,9 +14,11 @@
    ./haproxy
    ./hardware-changes.nix
    ./hydra.nix
+    ./mattermost.nix
    ./minio.nix
    ./networking.nix
    ./nextcloud.nix
+    #./plex
    ./postgresql.nix
    ./samba.nix
    ./zfs.nix
@@ -48,25 +50,46 @@
      enable = true;
      extraPackages = with pkgs; [
        intel-media-driver # LIBVA_DRIVER_NAME=iHD
-        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-        vaapiVdpau
+        intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        libva-vdpau-driver
        libvdpau-va-gl
        intel-compute-runtime
-        intel-media-sdk
+        vpl-gpu-rt # replaces intel-media-sdk
      ];
    };
  };

-  environment.systemPackages = with pkgs; [
-    chromedriver
-    chromium
-    docker-compose
-    intel-gpu-tools
-    jellyfin-ffmpeg
-    jq
-    yt-dlp
-    yq
-  ];
+  environment = {
+    systemPackages = with pkgs; [
+      chromedriver
+      chromium
+      docker-compose
+      filebot
+      intel-gpu-tools
+      jellyfin-ffmpeg
+      jq
+      yt-dlp
+      yq
+    ];
+    etc = {
+      # Creates /etc/lynis/custom.prf
+      "lynis/custom.prf" = {
+        text = ''
+          skip-test=BANN-7126
+          skip-test=BANN-7130
+          skip-test=DEB-0520
+          skip-test=DEB-0810
+          skip-test=FIRE-4513
+          skip-test=HRDN-7222
+          skip-test=KRNL-5820
+          skip-test=LOGG-2190
+          skip-test=LYNIS
+          skip-test=TOOL-5002
+        '';
+        mode = "0440";
+      };
+    };
+  };

  services = {
    samba.enable = true;
--- a/systems/palatine-hill/default.nix
+++ b/systems/palatine-hill/default.nix
@@ -3,5 +3,8 @@
  users = [ "alice" ];
  modules = [
    # inputs.attic.nixosModules.atticd
+    inputs.nixos-hardware.nixosModules.common-cpu-amd
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
+    inputs.nixos-hardware.nixosModules.supermicro
  ];
 }
--- a/systems/palatine-hill/docker/act-runner.nix
+++ b/systems/palatine-hill/docker/act-runner.nix
@@ -11,7 +11,8 @@ in
 {
  virtualisation.oci-containers.containers = {
    act-stable-latest-main = {
-      image = "gitea/act_runner:latest";
+      image = "gitea/act_runner:nightly";
+      pull = "always";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
@@ -34,7 +35,8 @@ in
    };

    act-stable-latest-1 = {
-      image = "gitea/act_runner:latest";
+      image = "gitea/act_runner:nightly";
+      pull = "always";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
@@ -56,7 +58,8 @@ in
    };

    act-stable-latest-2 = {
-      image = "gitea/act_runner:latest";
+      image = "gitea/act_runner:nightly";
+      pull = "always";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
--- a/systems/palatine-hill/docker/act_config.yaml
+++ b/systems/palatine-hill/docker/act_config.yaml
@@ -38,19 +38,19 @@ runner:
        - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
        - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
        - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
-        #cache:
+cache:
    # Enable cache server to use actions/cache.
-    #enabled: true
+    enabled: true
    # The directory to store the cache data.
    # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
    #dir: ""
    # The host of the cache server.
    # It's not for the address to listen, but the address to connect from job containers.
    # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
-    #host: ""
+    host: "192.168.76.2"
    # The port of the cache server.
    # 0 means to use a random available port.
-    #port: 0
+    port: 8088
    # The external cache server URL. Valid only when enable is true.
    # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
    # The URL should generally end with "/".
--- a/systems/palatine-hill/docker/arr.nix
+++ b/systems/palatine-hill/docker/arr.nix
@@ -0,0 +1,273 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+  arr_postgres_config =
+    container_type:
+    let
+      ctype = lib.strings.toUpper container_type;
+    in
+    {
+      "${ctype}__POSTGRES__HOST" = "/var/run/postgresql";
+      "${ctype}__POSTGRES__PORT" = toString config.services.postgresql.settings.port;
+    };
+in
+{
+  # Notes:
+  # Jellyplex-watched - sync watch status between plex and jellyfin as long as users and library is the same
+  # Tdarr - for distributed transcoding?
+  #
+  # list of containers supporting postgres:
+  #   bazarr:
+  #     POSTGRES_ENABED: true
+  #     POSTGRES_HOST:
+  #     POSTGRES_PORT:
+  #     POSTGRES_DATABASE: bazarr
+  #     POSTGRES_USERNAME: arr
+  #     POSTGRES_PASSWORD: sops
+  #   prowlarr:
+  #     see ctype
+  #   radarr:
+  #     see ctype
+  #   sonarr:
+  #     see ctype
+  #   lidarr:
+  #     see ctype
+  #   jellyseerr:
+  #     DB_TYPE: postgres
+  #     DB_HOST:
+  #     DB_PORT:
+  #     DB_USER: arr
+  #     DB_PASS: sops
+  #     DB_NAME: jellyseerr
+  #
+  virtualisation.oci-containers.containers = {
+    bazarr = {
+      image = "ghcr.io/linuxserver/bazarr:latest";
+      pull = "always";
+      ports = [ "6767:6767" ];
+      hostname = "bazarr";
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+        POSTGRES_HOST = "/var/run/postgresql";
+        POSTGRES_PORT = toString config.services.postgresql.settings.port;
+      };
+      environmentFiles = [
+        config.sops.secrets."docker/bazarr".path
+      ];
+      volumes = [
+        "${vars.primary_docker}/bazarr:/config"
+        "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [
+        "--network=arrnet"
+      ];
+      autoStart = true;
+    };
+    prowlarr = {
+      image = "ghcr.io/linuxserver/prowlarr:latest";
+      pull = "always";
+      ports = [ "9696:9696" ];
+      hostname = "prowlarr";
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      }
+      // arr_postgres_config "prowlarr";
+      environmentFiles = [
+        config.sops.secrets."docker/prowlarr".path
+      ];
+      extraOptions = [
+        "--network=arrnet"
+      ];
+      volumes = [
+        "${vars.primary_docker}/prowlarr:/config"
+
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      autoStart = true;
+    };
+    radarr = {
+      image = "ghcr.io/linuxserver/radarr:latest";
+      pull = "always";
+      ports = [ "7878:7878" ];
+      hostname = "radarr";
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      }
+      // arr_postgres_config "radarr";
+      environmentFiles = [
+        config.sops.secrets."docker/radarr".path
+      ];
+      volumes = [
+        "${vars.primary_docker}/radarr:/config"
+        "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [
+        "--network=arrnet"
+      ];
+      autoStart = true;
+    };
+    sonarr = {
+      image = "ghcr.io/linuxserver/sonarr:latest";
+      pull = "always";
+      ports = [ "8989:8989" ];
+      hostname = "sonarr";
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      }
+      // arr_postgres_config "sonarr";
+      environmentFiles = [
+        config.sops.secrets."docker/sonarr".path
+      ];
+      volumes = [
+        "${vars.primary_docker}/sonarr:/config"
+        "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [
+        "--network=arrnet"
+      ];
+      autoStart = true;
+    };
+    lidarr = {
+      image = "ghcr.io/linuxserver/lidarr:latest";
+      pull = "always";
+      ports = [ "8686:8686" ];
+      hostname = "lidarr";
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      }
+      // arr_postgres_config "lidarr";
+      environmentFiles = [
+        config.sops.secrets."docker/lidarr".path
+      ];
+      volumes = [
+        "${vars.primary_docker}/lidarr:/config"
+        "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [
+        "--network=arrnet"
+      ];
+      autoStart = true;
+    };
+    unpackerr = {
+      image = "golift/unpackerr:latest";
+      pull = "always";
+      user = "600:100";
+      hostname = "unpackerr";
+      environment = {
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.primary_docker}/unpackerr:/config"
+        "${vars.primary_plex_storage}:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [ "--network=arrnet" ];
+      autoStart = true;
+    };
+    notifiarr = {
+      image = "golift/notifiarr:latest";
+      pull = "always";
+      ports = [ "5454:5454" ];
+      user = "600:100";
+      hostname = "notifiarr";
+      environment = {
+        TZ = "America/New_York";
+      };
+      environmentFiles = [ config.sops.secrets."docker/notifiarr".path ];
+      volumes = [
+        "${vars.primary_docker}/notifiarr:/config"
+        "${vars.primary_plex_storage}:/data"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      extraOptions = [ "--network=arrnet" ];
+      autoStart = true;
+    };
+    jellyseerr = {
+      image = "fallenbagel/jellyseerr:latest";
+      pull = "always";
+      hostname = "jellyseerr";
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+        DB_TYPE = "postgres";
+        DB_HOST = "/var/run/postgresql";
+        DB_PORT = toString config.services.postgresql.settings.port;
+      };
+      environmentFiles = [
+        config.sops.secrets."docker/jellyseerr".path
+      ];
+      volumes = [
+        "${vars.primary_docker}/overseerr:/config"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
+      # TODO: remove ports later since this is going through web
+      extraOptions = [
+        "--network=arrnet"
+        "--network=haproxy-net"
+        # "--health-cmd \"wget --no-verbose --tries 1 --spider http://localhost:5055/api/v1/status || exit 1\""
+        # "--health-start-period 20s"
+        # "--health-timeout 3s"
+        # "--health-interval 15s"
+        # "--health-retries 3"
+      ];
+      ports = [ "5055:5055" ]; # Web UI port
+      dependsOn = [
+        "radarr"
+        "sonarr"
+      ];
+      autoStart = true;
+    };
+  };
+
+  sops = {
+    secrets = {
+      "docker/notifiarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-notifiarr.service" ];
+      };
+      "docker/bazarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-bazarr.service" ];
+      };
+      "docker/prowlarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-prowlarr.service" ];
+      };
+      "docker/radarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-radarr.service" ];
+      };
+      "docker/sonarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-sonarr.service" ];
+      };
+      "docker/lidarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-lidarr.service" ];
+      };
+      "docker/jellyseerr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-jellyseerr.service" ];
+      };
+    };
+  };
+}
--- a/systems/palatine-hill/docker/default.nix
+++ b/systems/palatine-hill/docker/default.nix
@@ -8,6 +8,7 @@
 {
  imports = [
    ./act-runner.nix
+    ./arr.nix
    # temp disable archiveteam for tiktok archiving
    #./archiveteam.nix
    # ./books.nix
@@ -19,7 +20,7 @@
    ./nextcloud.nix
    # ./postgres.nix
    # ./restic.nix
-    ./torr.nix
+    #./torr.nix
    # ./unifi.nix
  ];

--- a/systems/palatine-hill/docker/glances.nix
+++ b/systems/palatine-hill/docker/glances.nix
@@ -8,6 +8,7 @@ in
  virtualisation.oci-containers.containers = {
    glances = {
      image = "nicolargo/glances:latest-full";
+      pull = "always";
      extraOptions = [
        "--pid=host"
        "--network=haproxy-net"
--- a/systems/palatine-hill/docker/minecraft.nix
+++ b/systems/palatine-hill/docker/minecraft.nix
@@ -4,41 +4,55 @@ let
  servers = {
    atm6 = "atm6.alicehuston.xyz";
    stoneblock3 = "sb3.alicehuston.xyz";
+    stoneblock-4 = "sb4.alicehuston.xyz";
+    submerged-2 = "sm4.alicehuston.xyz";
    RAD2 = "rad.alicehuston.xyz";
    skyfactory = "sf.alicehuston.xyz";
    divinejourney = "dj.alicehuston.xyz";
    rlcraft = "rlcraft.alicehuston.xyz";
    arcanum-institute = "arcanum.alicehuston.xyz";
+    meits = "meits.alicehuston.xyz";
+    cobblemon-overclocked = "mco.alicehuston.xyz";
+    cobblemon-plus = "mcp.alicehuston.xyz";
    # bcg-plus = "bcg.alicehuston.xyz";
+    pii = "pii.alicehuston.xyz";
  };

  defaultServer = "rlcraft";

-  # defaultEnv = {
-  #   EULA = "true";
-  #   TYPE = "AUTO_CURSEFORGE";
-  #   STOP_SERVER_ANNOUNCE_DELAY = "120";
-  #   STOP_DURATION = "600";
-  #   SYNC_CHUNK_WRITES = "false";
-  #   USE_AIKAR_FLAGS = "true";
-  #   MEMORY = "8GB";
-  #   ALLOW_FLIGHT = "true";
-  #   MAX_TICK_TIME = "-1";
-  # };
+  defaultEnv = {
+    EULA = "true";
+    TYPE = "AUTO_CURSEFORGE";
+    STOP_SERVER_ANNOUNCE_DELAY = "120";
+    STOP_DURATION = "600";
+    SYNC_CHUNK_WRITES = "false";
+    USE_AIKAR_FLAGS = "true";
+    MEMORY = "12G";
+    ALLOW_FLIGHT = "true";
+    MAX_TICK_TIME = "-1";
+    ENABLE_RCON = "true";
+    TZ = "America/New_York";
+    REGION_FILE_COMPRESSION = "none";
+    OPS = ''
+      magpiecat
+      chesiregirl1105
+    '';
+  };

-  # defaultOptions = [
-  #   "--stop-signal=SIGTERM"
-  #   "--stop-timeout=1800"
-  #   "--network=minecraft-net"
-  # ];
+  defaultOptions = [
+    "--stop-signal=SIGTERM"
+    "--stop-timeout=1800"
+    "--network=minecraft-net"
+  ];

-  # vars = import ../vars.nix;
-  # minecraft_path = "${vars.primary_games}/minecraft";
+  vars = import ../vars.nix;
+  minecraft_path = "${vars.primary_games}/minecraft";
 in
 {
  virtualisation.oci-containers.containers = {
    mc-router = {
      image = "itzg/mc-router:latest";
+      pull = "always";
      extraOptions = [
        "--network=haproxy-net"
        "--network=minecraft-net"
@@ -50,45 +64,74 @@ in
        )
      ];
    };
-    # rlcraft = {
-    #   image = "itzg/minecraft-server:java8";
-    #   volumes = [
-    #     "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
-    #     "${minecraft_path}/rlcraft/data:/data"
-    #   ];
-    #   hostname = "rlcraft";
-    #   environment = defaultEnv // {
-    #     VERSION = "1.12.2";
-    #     CF_SLUG = "rlcraft";
-    #     DIFFICULTY = "hard";
-    #     ENABLE_COMMAND_BLOCK = "true";
-    #   };
-    #   extraOptions = defaultOptions;
-    #   log-driver = "local";
-    #   environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
-    # };
-    # bcg-plus = {
-    #   image = "itzg/minecraft-server:java17";
-    #   volumes = [
-    #     "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
-    #     "${minecraft_path}/bcg-plus/data:/data"
-    #   ];
-    #   hostname = "bcg-plus";
-    #   environment = defaultEnv // {
-    #     VERSION = "1.17";
-    #     CF_SLUG = "bcg";
-    #     DIFFICULTY = "normal";
-    #     DEBUG = "true";
-    #     # ENABLE_COMMAND_BLOCK = "true";
-    #   };
-    #   extraOptions = defaultOptions;
-    #   log-driver = "local";
-    #   environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
-    # };
+    #rlcraft = {
+    #  image = "itzg/minecraft-server:java8";
+    #  volumes = [
+    #    "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
+    #    "${minecraft_path}/rlcraft/data:/data"
+    #  ];
+    #  hostname = "rlcraft";
+    #  environment = defaultEnv // {
+    #    VERSION = "1.12.2";
+    #    CF_SLUG = "rlcraft";
+    #    DIFFICULTY = "hard";
+    #    ENABLE_COMMAND_BLOCK = "true";
+    #  };
+    #  extraOptions = defaultOptions;
+    #  log-driver = "local";
+    #  environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
+    #};
+    cobblemon-overclocked = {
+      image = "itzg/minecraft-server:java21";
+      volumes = [
+        "${minecraft_path}/cobblemon-overclocked/modpacks:/modpacks:ro"
+        "${minecraft_path}/cobblemon-overclocked/data:/data"
+      ];
+      hostname = "cobblemon-overclocked";
+      environment = defaultEnv // {
+        VERSION = "1.21.1";
+        CF_SLUG = "modified-cobblemon-overclocked";
+        CF_FILENAME_MATCHER = "1.11.2";
+        USE_AIKAR_FLAGS = "false";
+        USE_MEOWICE_FLAGS = "true";
+        DIFFICULTY = "normal";
+        ENABLE_COMMAND_BLOCK = "true";
+        INIT_MEMORY = "4G";
+        MAX_MEMORY = "16G";
+        SEED = "-7146406535839057559";
+      };
+      extraOptions = defaultOptions;
+      log-driver = "local";
+      environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
+    };
+    cobblemon-plus = {
+      image = "itzg/minecraft-server:java21";
+      volumes = [
+        "${minecraft_path}/cobblemon-plus/modpacks:/modpacks:ro"
+        "${minecraft_path}/cobblemon-plus/data:/data"
+      ];
+      hostname = "cobblemon-plus";
+      environment = defaultEnv // {
+        VERSION = "1.21.1";
+        CF_SLUG = "modified-cobblemon-plus";
+        CF_FILENAME_MATCHER = "1.11.2";
+        USE_AIKAR_FLAGS = "false";
+        USE_MEOWICE_FLAGS = "true";
+        DIFFICULTY = "peaceful";
+        ENABLE_COMMAND_BLOCK = "true";
+        INIT_MEMORY = "4G";
+        MAX_MEMORY = "16G";
+        # exclude clientside mods that cause crashes when run in a headless environment
+        CF_EXCLUDE_MODS = "world-host";
+        CF_OVERRIDES_EXCLUSIONS = "mods/iris*.jar,mods/sodium*.jar,mods/world-host-*.jar";
+      };
+      extraOptions = defaultOptions;
+      log-driver = "local";
+      environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
+    };
  };

  sops = {
-    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/minecraft".owner = "docker-service";
    };
--- a/systems/palatine-hill/docker/nextcloud.nix
+++ b/systems/palatine-hill/docker/nextcloud.nix
@@ -8,11 +8,13 @@ let
  # nextcloud-image = import ./nextcloud-image { inherit pkgs; };
  nextcloud-base = {
    # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
-    image = "nextcloud-nextcloud";
+    image = "docker.io/library/nextcloud-nextcloud";
+    # pull = "always";
+    # do NOT enable pull here, this image is generated based on a custom docker image
    hostname = "nextcloud";
    volumes = [
      "${nextcloud_path}/nc_data:/var/www/html:z"
-      "${nextcloud_path}/nc_php:/usr/local/etc/php"
+      #"${nextcloud_path}/nc_php:/usr/local/etc/php"
      "${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting"
      #"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
    ];
@@ -32,6 +34,7 @@ in
    };
    redis = {
      image = "redis:latest";
+      pull = "always";
      user = "600:600";
      volumes = [
        "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
@@ -47,6 +50,7 @@ in
    };
    go-vod = {
      image = "radialapps/go-vod:latest";
+      pull = "always";
      dependsOn = [ "nextcloud" ];
      environment = {
        NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
@@ -58,6 +62,7 @@ in
    };
    collabora-code = {
      image = "collabora/code:latest";
+      pull = "always";
      dependsOn = [ "nextcloud" ];
      environment = {
        aliasgroup1 = "https://collabora.nayenoie.com:443";
--- a/systems/palatine-hill/docker/openvpn/se.protonvpn.udp.ovpn
+++ b/systems/palatine-hill/docker/openvpn/se.protonvpn.udp.ovpn
--- a/systems/palatine-hill/docker/restic.nix
+++ b/systems/palatine-hill/docker/restic.nix
@@ -10,7 +10,7 @@ in
      image = "restic/rest-server:latest";
      volumes = [ "${restic_path}:/data" ];
      environment = {
-        OPTIONS = "--prometheus --htpasswd-file /data/.htpasswd";
+        OPTIONS = "--prometheus --private-repos --htpasswd-file /data/.htpasswd";
      };
      ports = [ "8010:8000" ];
      extraOptions = [
--- a/systems/palatine-hill/docker/torr.nix
+++ b/systems/palatine-hill/docker/torr.nix
@@ -1,103 +1,143 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:

 let
-  delugeBase = {
+  qbitBase = {
+    image = "ghcr.io/linuxserver/qbittorrent:latest";
+    pull = "always";
    environment = {
      PUID = "600";
      PGID = "100";
      TZ = "America/New_York";
-      UMASK = "000";
-      DEBUG = "true";
-      DELUGE_DAEMON_LOG_LEVEL = "debug";
-      DELUGE_WEB_LOG_LEVEL = "debug";
    };
  };

  vars = import ../vars.nix;
  #docker_path = vars.primary_docker;
  torr_path = vars.primary_torr;
-  deluge_path = "${torr_path}/deluge";
-  delugevpn_path = "${torr_path}/delugevpn";
-
-  genSopsConf = file: {
-    "${file}" = {
-      format = "binary";
-      sopsFile = ./wg/${file};
-      path = "${delugevpn_path}/config/wireguard/configs/${file}";
-      owner = "docker-service";
-      group = "users";
-      restartUnits = [ "docker-delugeVPN.service" ];
-    };
-  };
+  qbit_path = "${torr_path}/qbit";
+  qbitvpn_path = "${torr_path}/qbitvpn";
+  qbitperm_path = "${torr_path}/qbitperm";
 in
 {
-  virtualisation.oci-containers.containers = {
-    deluge = delugeBase // {
-      image = "binhex/arch-deluge";
-      volumes = [
-        "${deluge_path}/config:/config"
-        "${deluge_path}/data/:/data"
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-      ports = [
-        "8084:8112"
-        "29433:29433"
-      ];
-    };
-    delugeVPN = delugeBase // {
-      image = "binhex/arch-delugevpn";
-      extraOptions = [
-        "--privileged=true"
-        "--sysctl"
-        "net.ipv4.conf.all.src_valid_mark=1"
-      ];
-      environment = delugeBase.environment // {
-        VPN_ENABLED = "yes";
-        VPN_CLIENT = "wireguard";
-        VPN_PROV = "custom";
-        ENABLE_PRIVOXY = "yes";
-        LAN_NETWORK = "192.168.0.0/16";
-        NAME_SERVERS = "194.242.2.9";
-        # note, delete /config/perms.txt to force a bulk permissions update

+  virtualisation.oci-containers.containers = {
+    qbit = qbitBase // {
+      # webui port is 8082, torr port is 29432
+      environment = qbitBase.environment // {
+        WEBUI_PORT = "8082";
+        TORRENTING_PORT = "29432";
      };
      volumes = [
-        "${delugevpn_path}/config:/config"
-        "${delugevpn_path}/data:/data"
+        "${qbit_path}/config:/config" # move from docker/qbit to qbit_path
+        "${torr_path}/data/:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
+      networks = [ "host" ];
      ports = [
-        "8085:8112"
-        "8119:8118"
-        "39275:39275"
-        "39275:39275/udp"
+        "8082:8082"
+        "29432:29432"
+        "29432:29432/udp"
+      ];
+      extraOptions = [
+        "--dns=9.9.9.9"
+      ];
+    };
+
+    # temp instance
+    qbitVPN = qbitBase // {
+      # webui port is 8081, torr port is 39274
+      networks = [
+        "container:gluetun-qbit"
+      ];
+      environment = qbitBase.environment // {
+        WEBUI_PORT = "8081";
+      };
+      dependsOn = [ "gluetun-qbit" ];
+      volumes = [
+        "${qbitvpn_path}/config:/config"
+        "${torr_path}/data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+    };
+    gluetun-qbit = {
+      image = "qmcgaw/gluetun:v3";
+      capabilities = {
+        NET_ADMIN = true;
+      };
+      devices = [
+        "/dev/net/tun:/dev/net/tun"
+      ];
+      ports = [
+        "8081:8081"
+        "8083:8083"
+      ];
+      environment = {
+        TZ = "America/New_York";
+        # SOPS prep
+      };
+      environmentFiles = [
+        config.sops.secrets."docker/gluetun".path
+        config.sops.secrets."docker/gluetun-qbitvpn".path
+      ];
+    };
+
+    # permanent instance
+    qbitPerm = qbitBase // {
+      # webui port is 8083, torr port is 29434
+      networks = [
+        "container:gluetun-qbit"
+      ];
+      environment = qbitBase.environment // {
+        WEBUI_PORT = "8083";
+      };
+      dependsOn = [ "gluetun-qbit" ];
+      volumes = [
+        "${qbitperm_path}/config:/config"
+        "${torr_path}/data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+    };
+    gluetun-qbitperm = {
+      image = "qmcgaw/gluetun:v3";
+      capabilities = {
+        NET_ADMIN = true;
+      };
+      devices = [
+        "/dev/net/tun:/dev/net/tun"
+      ];
+      ports = [
+        "8083:8083"
+      ];
+      environment = {
+        TZ = "America/New_York";
+        # SOPS prep
+      };
+      environmentFiles = [
+        config.sops.secrets."docker/gluetun".path
+        config.sops.secrets."docker/gluetun-qbitperm".path
      ];
    };
  };

-  systemd.services.docker-delugeVPN = {
-    serviceConfig = {
-      ExecStartPre = [
-        (
-          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
-          + "-type l -not -name wg0.conf "
-          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
-          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
-          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
-        )
+  sops.secrets = {
+    "docker/gluetun" = {
+      owner = "docker-service";
+      restartUnits = [
+        "docker-gluetun-qbit.service"
+        "docker-gluetun-qbitperm.service"
+      ];
+    };
+    "docker/gluetun-qbitvpn" = {
+      owner = "docker-service";
+      restartUnits = [
+        "docker-gluetun-qbit.service"
+      ];
+    };
+    "docker/gluetun-qbitperm" = {
+      owner = "docker-service";
+      restartUnits = [
+        "docker-gluetun-qbitperm.service"
      ];
-      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
    };
  };
-
-  sops.secrets =
-    (genSopsConf "se-mma-wg-001.conf")
-    // (genSopsConf "se-mma-wg-002.conf")
-    // (genSopsConf "se-mma-wg-003.conf")
-    // (genSopsConf "se-mma-wg-004.conf")
-    // (genSopsConf "se-mma-wg-005.conf")
-    // (genSopsConf "se-mma-wg-101.conf")
-    // (genSopsConf "se-mma-wg-102.conf")
-    // (genSopsConf "se-mma-wg-103.conf");
 }
--- a/systems/palatine-hill/firewall.nix
+++ b/systems/palatine-hill/firewall.nix
@@ -1,29 +1,62 @@
 { ... }:

 {
-  networking.firewall.allowedTCPPorts = [
-    # qbit
-    8081
-    8082
-    8443
+  networking.firewall = {

-    # hydra
-    3000
+    extraCommands = "
+      iptables -I nixos-fw 1 -i br+ -j ACCEPT
+    ";

-    # minio
-    8500
-    8501
+    extraStopCommands = "
+      iptables -D nixos-fw -i br+ -j ACCEPT
+    ";

-    # gitea
-    2222
-    2223
-    8088
+    trustedInterfaces = [ "br+" ];

-    # attic
-    8183
+    allowedTCPPorts = [
+      # qbit
+      8081
+      8082
+      8443

-    # collabora
-    9980
-  ];
+      # hydra
+      3000

+      # minio
+      8500
+      8501
+
+      # gitea
+      2222
+      2223
+      8088
+
+      # attic
+      8183
+
+      # collabora
+      9980
+
+      # arr
+      6767
+      9696
+      7878
+      8989
+      8686
+      8787
+      5055
+
+      # torr
+      29432
+
+      # mattermost
+      8065
+    ];
+
+    allowedUDPPorts = [
+      # torr
+      29432
+    ];
+
+  };
 }
--- a/systems/palatine-hill/hydra.nix
+++ b/systems/palatine-hill/hydra.nix
@@ -42,7 +42,12 @@ in
  services = {
    hydra = {
      enable = true;
-      package = inputs.hydra.packages.x86_64-linux.hydra;
+      package = inputs.hydra.packages.x86_64-linux.hydra.overrideAttrs (old: {
+        preCheck = ''
+          export YATH_JOB_COUNT=8
+          ${old.preCheck or ""}
+        '';
+      });
      hydraURL = "https://hydra.alicehuston.xyz";
      smtpHost = "alicehuston.xyz";
      notificationSender = "hydra@alicehuston.xyz";
@@ -52,6 +57,7 @@ in
      minimumDiskFree = 50;
      minimumDiskFreeEvaluator = 100;
      extraConfig = ''
+        allow_import_from_derivation = true
        <git-input>
          timeout = 3600
        </git-input>
@@ -82,10 +88,10 @@ in
      '';
    };

-    nix-serve = {
-      enable = true;
-      secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
-    };
+    # nix-serve = {
+    #   enable = true;
+    #   secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
+    # };
    prometheus = {
      enable = true;
      webExternalUrl = "https://prom.alicehuston.xyz";
@@ -134,7 +140,7 @@ in
  sops = {
    secrets = {
      "hydra/environment".owner = "hydra";
-      "nix-serve/secret-key".owner = "root";
+      # "nix-serve/secret-key".owner = "root";
      "alice/gha-hydra-token" = {
        sopsFile = ../../users/alice/secrets.yaml;
        owner = "hydra";
--- a/systems/palatine-hill/mattermost.nix
+++ b/systems/palatine-hill/mattermost.nix
@@ -0,0 +1,19 @@
+{
+  config,
+  ...
+}:
+let
+  vars = import ./vars.nix;
+in
+{
+  services.mattermost = {
+    enable = true;
+    siteUrl = "https://mattermost.nayeonie.com"; # Set this to the URL you will be hosting the site on.
+    database = {
+      peerAuth = true; # This allows Mattermost to connect to the database without a password, which is more secure when both are on the same machine.
+      create = true;
+      driver = "postgres";
+    };
+    dataDir = "${vars.primary_mattermost}/mattermost";
+  };
+}
--- a/systems/palatine-hill/ollama.nix
+++ b/systems/palatine-hill/ollama.nix
@@ -0,0 +1,77 @@
+{
+  pkgs,
+  ...
+}:
+let
+  vars = import ./vars.nix;
+in
+{
+  services = {
+    ollama = {
+      enable = true;
+      package = pkgs.ollama;
+      syncModels = true;
+      loadModels = [
+        "deepseek-r1:1.5b"
+        "deepseek-r1:32b"
+        "deepseek-r1:70b"
+        #"qwen3"
+        #"qwen3.5:latest"
+        "qwen3-coder-next"
+        "lennyerik/zeta"
+        "nomic-embed-text:latest"
+        "lfm2:24b"
+        "glm-4.7-flash"
+        "nemotron-cascade-2:30b"
+        "magistral"
+        "devstral-small-2"
+        "starcoder2:15b"
+      ];
+      models = vars.primary_ollama;
+      environmentVariables = {
+        FLASH_ATTENTION = "1";
+        OLLAMA_KV_CACHE_TYPE = "q4_0";
+        # Ollama memory configuration
+        OLLAMA_MAX_LOADED_MODELS = "3";
+        OLLAMA_MAX_QUEUE = "512";
+        OLLAMA_NUM_PARALLEL = "1";
+
+        # ROCm memory optimization
+        #HIP_VISIBLE_DEVICES = "0";
+        #ROCR_VISIBLE_DEVICES = "0";
+
+        # context length for agents
+        OLLAMA_CONTEXT_LENGTH = "128000";
+      };
+      openFirewall = true;
+      host = "0.0.0.0"; # don't want to make this available via load-balancer yet, so making it available on the local network
+    };
+    open-webui = {
+      enable = true;
+      port = 21212;
+      openFirewall = true;
+      host = "0.0.0.0"; # don't want to make this available via load-balancer yet, so making it available on the local network
+    };
+  };
+  users.users.ollama = {
+    extraGroups = [
+      "render"
+      "video"
+    ];
+    group = "ollama";
+    isSystemUser = true;
+  };
+  users.groups.ollama = { };
+  systemd.services = {
+    ollama.serviceConfig = {
+      Nice = 19;
+      IOSchedulingPriority = 7;
+    };
+    ollama-model-loader.serviceConfig = {
+      Nice = 19;
+      CPUWeight = 50;
+      IOSchedulingClass = "idle";
+      IOSchedulingPriority = 7;
+    };
+  };
+}
--- a/systems/palatine-hill/plex/default.nix
+++ b/systems/palatine-hill/plex/default.nix
@@ -0,0 +1,28 @@
+{
+  pkgs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  services.plex = {
+    enable = true;
+    dataDir = vars.primary_plex;
+  };
+  systemd.services.plex_permission = {
+    description = "maintains plex permissions";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.bash}/bin/bash ${./plex_permission.sh}";
+    };
+  };
+  systemd.timers.plex_permission = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "1h";
+      OnCalendar = "daily 03:00";
+      Unit = "plex_permission.service";
+    };
+  };
+}
--- a/systems/palatine-hill/plex/plex_permission.sh
+++ b/systems/palatine-hill/plex/plex_permission.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+plex_dir="/ZFS/ZFS-primary/plex"
+
+chown docker-service:users -R "$plex_dir"
+find "$plex_dir" -type f -exec chmod 664 {} \;
+find "$plex_dir" -type d -exec chmod 775 {} \;
--- a/systems/palatine-hill/postgresql.nix
+++ b/systems/palatine-hill/postgresql.nix
@@ -1,6 +1,5 @@
 {
  config,
-  lib,
  pkgs,
  ...
 }:
@@ -20,7 +19,8 @@ in
      enableJIT = true;
      package = pkgs.postgresql_16;
      configurePgStatStatements = true;
-      enableAllPreloadedLibraries = true;
+      #enableAllPreloadedLibraries = true;
+      installAllAvailableExtensions = true;
      #preloadAllExtensions = true;
      identMap = ''
        # ArbitraryMapName systemUser DBUser
@@ -29,11 +29,18 @@ in
           # Let other names login as themselves
           superuser_map      /^(.*)$   \1
      '';
+      authentication = ''
+        local  bazarr  bazarr  scram-sha-256
+        local  /.*arr-main  /.*arr  scram-sha-256
+        local  /.*arr-log  /.*arr  scram-sha-256
+        local  jellyseerr  jellyseerr  scram-sha-256
+      '';

      # initialScript = config.sops.secrets."postgres/init".path;
      ensureDatabases = [
        "atticd"
        "alice"
+        "mattermost"
      ];
      ensureUsers = [
        {
@@ -165,6 +172,7 @@ in
          "hydra-server"
          "atticd"
          "gitea"
+          "mattermost"
        ];
      };
    };
--- a/systems/palatine-hill/samba.nix
+++ b/systems/palatine-hill/samba.nix
@@ -12,7 +12,7 @@
        #"use sendfile" = "yes";
        #"max protocol" = "smb2";
        # note: localhost is the ipv6 localhost ::1
-        "hosts allow" = "192.168.76. 127.0.0.1 localhost";
+        "hosts allow" = "192.168.76. 127.0.0.1 localhost 192.168.191.";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "bad user";
--- a/systems/palatine-hill/secrets.yaml
+++ b/systems/palatine-hill/secrets.yaml
@@ -17,12 +17,24 @@ minio:
    credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str]
    loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str]
 docker:
-    minecraft: ENC[AES256_GCM,data:2k/m0ksnE92fACxQuBlOO72b19T7Nbnr58ezRddmKUVvePEgrdSnIsR3sh7PnmzwmG/ez0WTD+NKbtkQmRMDQ25vruA8gCf8Ig==,iv:X2SUidKTNAPZfbyiXFKprUbAhBxJcbF5bz+YTy4nuEA=,tag:AAvLXO888r9XvtnNfQgCpA==,type:str]
+    minecraft: ENC[AES256_GCM,data:krSM870t/IATwpUWNuKX8D5HHEvk+HeimKgodXssIYcBmdF1SZAwjUsSlx9fL3JiRtxfu0jSbhyD/2jLHMWqcix1WQGOVgs=,iv:ZTMxmzeSLQRCBF2t6r3dCDlcZ5BsBwZen6jOZN/HvGU=,tag:SES3lhRrRI8zBH1jnaV82w==,type:str]
    foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str]
    nextcloud: ENC[AES256_GCM,data:dm2Cha+CvFORgdcBvJAzzdOGcJ95vLJYTZcUJnjNp6HOQIIoJrDone1NOAYJh9rdWG/17/ntOmd+TysAj4AsD0dw/PatZmy3I+dcVghkt2XNTc7jD64QjctIHzR+om1joAbKemG1R3St7qDU68TWYxoxIfYZcJvg3ds/lJcYgFRh079UZ/IRlGVR6sWPEXyY+UUrwtk0Fr+y8UtwwWZiLp0akUbIV06huRGiAp/PeWETuPPuacl2++ayIgJFZkJjUl/a52RI1Q0nLG5iyK6QYpY1JSRJTOkiQQ4PB5GRdLCdoM5/ZXTQ6gGcoM5jXFllsTn+yRicNRucuBp7Z2achbk6eITCdjjdXVI7zM4YXpzVLu5fJckLAu07aEIGYCBT7ZXd7TRgfB68POwtwaJGBozg+nuhq8xEH04yi8jFODH6aFplIgJ+bbaP72zw+92lzZa33FEtOwKdtx+YUv0eLLDJs+8Z6Sn6RyN8prwIz1/9LuIMx39g4R7id9W2bV2MXqTU4nN8f0TXWqe+hnb5pDLBaZOBMkwbRka6Vptsi4dbL5Lnexa2DoIHZ2unyxZ+4SkRt9LH39j8fXf2w5JPFCSLstf7+Zu7xzRS0TTCug7k,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str]
    redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
    act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
    collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
+    delugevpn: ENC[AES256_GCM,data:YGkgaQUuA9oteKD77tnFzxZSHctyOQjMNlfvJr3mPWAl2P8wfcshiUoa6SNp69pagxbzRV6mfuzwzinbkQCoZN3lw7uF76y0,iv:Bro0H4tFR+3wi9DGGq9a6ge4o4uPlVXBUF7h17zyqg8=,tag:N1kVNFasqGMx8R9qTq2dJA==,type:str]
+    protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
+    notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str]
+    bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str]
+    prowlarr: ENC[AES256_GCM,data:hr3hYwRw0+/UD8anqZQjGy7rPkV2pad4Xi5FdXSf3Ftd1/jwlYfMqhqgEngFX30LLMWvJvjeu1TkTNzSEwI6ZCPdefNVYYwWavtm+XcBVxffGvFZ,iv:EXW48288IcCeGs/vP4tkAI4dxQAOh92Na43q/9cyuSc=,tag:pnYR26MDd82DjeUPdwCoUw==,type:str]
+    radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str]
+    sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
+    lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
+    jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
+    gluetun: ENC[AES256_GCM,data:ryhYVOYEZl5zDs+xMgbWI6q/Ei2AiNZJMxT/TcaHzTEocINgbczWk9GKeeZKno71vFXiF9/tPpYavLqvjWNL77doWDB+wiYrtBJ97PkQ70dqWntua9E8eCalYlIZpRbLsl5OA9ZHorIMPjjSB2CRYLCqq30PPi5I2TtRvs/g6LRUN4sZ/E2TTUjz7AEY7228ZEuHt1UkU+dY/jEbx6fwrm/ocP8xKvYUuAR1/Cx/z4N0mqmVl+FX/5dRSkmhpfAxO9ss898XKiJW4rewQIbG5ccYal+reZZr70TaEJQqg5KIfAnbp6dEjAsSXnRiEF801JXM0h+d14ECT4tQmdyvYBdCVnJ/Ibqw9D15cViHmeDbR68spqOCj67FSMKxgCVx4KFrxPOualsULX7RL/UbHq2cwyziSFkH4n2ljFlKohyj39F7EparJbiCOumNfhRWknDDwvXY+BjJhbAe19ccKP6QWrS68uBp0cTXqb0rVN/qlfz6Sj5EYj5M/u0rl6d5xctnKmOzfLjI2m5+E9WfDJaAUcP/Ihs+p2eD7aSQTIj+O7I66ju+UAz66D9ZoU1U3uVQ9gaPI5dOMmYdLKS3b19EVytwW2W13d0WXKIw5Vfb7MvFh9I0iPWq+ntL4jQzMYSwV5Y=,iv:Cy3h5I3vbqKORdqw91SHL4tRMeGHMLsXgQ0USJ2jtzk=,tag:0J/p1sUQfXR4ujjY7VzZuQ==,type:str]
+    gluetun-qbitvpn: ENC[AES256_GCM,data:3IdmuLvWs5YRQZuG9y1GRTMKMbR7OynUUVluezviDOV22EkABvo3Ic/+xZrWi/lzAhQRwRsCGjinlUJf7lBvPLg53HaIplbzSIyd3IPLbKzEVAK32WYB/M5cGNQW+XV8TiKK72HO8+WG588A0bsuvp/wQ86ohpRHVrnlboANLS3diCNXI3VdFIHPGpvM77TqB3/vo2AFLKjxi2es4l6KRam8cEUFAz0eH03tTUYaxy+ewA5IZCQSbMURLFKKdh0EATTG5jIz3jFp372fnk8UBgFPeH8+N9VHNM6rnV6zAsC2Vlj2E1YQRTRqOwSK0NRAAV5NBbr7zumS3VS0rVUpIbZVrW/C2BSAVbzowkHuo5o1B7UFsryb3s2FJJGF2biaDoL+ijM5a0Qi4LfNeaSLNKrzaTin0wYq8rPrQKOUBZL4t6FsRbG7KHmfwM4uYdWqV5h1syjI9WWReuePVb416YvqSH9p8HhNsDTka8IGgYkHcYAXYuuxUc6sgQONBwrsdeN5Dhq1IedhuOW+3qAV+hHl8qmVgiWZ8Ss+nmo016nsikifEp08N7J8t3f86/SFZO+YMBxQ/K9PJLsJzR2jsBcf2aTlq0cuzXDvb4cMtro=,iv:N9zdyKJDsj049j5hZOSnAkS/VTWlC3crTODJKIpYYko=,tag:uYHq3CZj0P/BAv+0Ak5ZEw==,type:str]
+    gluetun-qbitperm: ENC[AES256_GCM,data:kzSrILs78UkzNeAvxoDU3QsLKdapQNyQW9nq0it+7HhhwDQ0MJB1s2Ek8zKErTatpwzG8xiUK0HwX5hFLgNZYc+OE0CH4PUrgX1t6dykuPLD2rKQL7veElNgqhX0/39xNyopyJk2UMVFNSqoV1DCC/ja9MqX9+jBYk++7DeX7v1Gl1ntjzJ+zIscg0nOTN1eQAHtiOWtFU0COC/aA8KS+HLIsMkjrIk9UD4C/DE8AOS07s+gDxPRtl6L7324FRqjEHNyxAobWOOLeG711RZcskF7dlminVJu4aVGbBwIy/zDdHFxRwO6yaLr/AqrTlRVOa2O8Qu2Ydpv8ZNj2F6fHrVNNmVwvMEKYibV6oMVo72uT+DTz/mFaYuTUeuJfkdCy7tnQYhBnpbd5J4mKfVb8uOF9Tx02kL2fTFKyvtET3nrtakQUjv8mEqHn4F8136O2JvUBN5RmC3B3vRdFjYgdfwy8hUT9b0Cmi8w0Zzs+XGMRdvWv2g6b5fmlAn0K+a0KB1fdDLhvbIXhY+sYzR3yOH01K0lW3xVdnl1eMIFjZkUGRTi32HyCYb0SUA1EcXmtA4XmyZ6HHFEXFA5y2guVqU4xLyXXldM+lGB7yGLMcM=,iv:kuueHxYafrEdyBxGUBoU2ks7kdr/rWMnXZmE3Kx/iK4=,tag:bNIfP3H5/Kh3ofuCGGx5Hg==,type:str]
 acme:
    bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
    dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -41,8 +53,8 @@ sops:
            cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
            LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-30T04:36:41Z"
-    mac: ENC[AES256_GCM,data:fEsUt5g0/7j8IVgtXQ0thV93dxe6SGCglqeHdnaXFOjKcCUEFWUmi98M8X92hR9AJzscRK6wqzijd/AQBzl+GL2QtDYsn8qx9Nr0DBd6Gh1vi25eh5LtADm09COSae1THWuFLP7L1Qamyt+XzlBa7Xnrzfuzzp0s2/cZoxZiueU=,iv:VYzh833cMQwGmkB6QunRys0Eluz+0KGj8Y43B9icE9w=,tag:EWJSizBMTFZ0TZhncYe2Sw==,type:str]
+    lastmodified: "2026-01-17T01:50:50Z"
+    mac: ENC[AES256_GCM,data:8TGSqwEcfmrW1PjuzTVNyDTNs6s3oWbT0tI+rg7u2w5Dcw1EEU+SjJ6VpNY06AZHTjSD6E0O7NzUxybtMpslHUGitOGWwQCk+sbqRJuUseFe7bWFboEVoJpEoYGN5pnn52opMT+NeHGkXumaxjhDjCxfwn1RBHR7TgD4ZHEH6pE=,iv:szBUnn3HL/osWhmTwYmHrUghobWdBR60Lc6uUD/eGMY=,tag:6vgdJeJjL4ZYKc8WjixClg==,type:str]
    pgp:
        - created_at: "2024-11-28T18:56:39Z"
          enc: |-
@@ -57,4 +69,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0
--- a/systems/palatine-hill/vars.nix
+++ b/systems/palatine-hill/vars.nix
@@ -17,4 +17,8 @@ rec {
  primary_nextcloud = "${zfs_primary}/nextcloud";
  primary_redis = "${zfs_primary}/redis";
  primary_torr = "${zfs_primary}/torr";
+  primary_plex = "${zfs_primary}/plex";
+  primary_plex_storage = "${zfs_primary}/plex_storage";
+  primary_ollama = "${zfs_primary}/ollama";
+  primary_mattermost = "${zfs_primary}/mattermost";
 }
--- a/systems/palatine-hill/zfs.nix
+++ b/systems/palatine-hill/zfs.nix
@@ -49,7 +49,7 @@
          daily = 30;
          weekly = 0;
          monthly = 6;
-          yearly = 3;
+          yearly = 2;
          autosnap = true;
          autoprune = true;
        };
--- a/systems/selinunte/audio.nix
+++ b/systems/selinunte/audio.nix
@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+
+{
+  # rtkit is optional but recommended
+  security.rtkit.enable = true;
+  services = {
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      # If you want to use JACK applications, uncomment this
+      #jack.enable = true;
+    };
+
+    pipewire.wireplumber.configPackages = [
+      (pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
+        bluez_monitor.properties = {
+        	["bluez5.enable-sbc-xq"] = true,
+        	["bluez5.enable-msbc"] = true,
+        	["bluez5.enable-hw-volume"] = true,
+        	["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
+        }
+      '')
+    ];
+    blueman.enable = true;
+  };
+
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+
+  environment.systemPackages = with pkgs; [ pavucontrol ];
+
+  programs.noisetorch.enable = true;
+}
--- a/systems/selinunte/configuration.nix
+++ b/systems/selinunte/configuration.nix
@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./audio.nix
+    ./desktop.nix
+    ./fonts.nix
+    ./graphics.nix
+    ./polkit.nix
+    ./programs.nix
+    ./steam.nix
+    ./stylix.nix
+  ];
+
+  time.timeZone = "America/New_York";
+
+  # temp workaround for building while in nixos-enter
+  #services.logrotate.checkConfig = false;
+
+  networking = {
+    hostId = "9f2e1ff9";
+    firewall.enable = true;
+    useNetworkd = true;
+  };
+
+  boot = {
+    kernelPackages = lib.mkForce pkgs.linuxPackages_xanmod;
+    useSystemdBoot = true;
+    default = true;
+  };
+
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  services = {
+    flatpak.enable = true;
+    gvfs.enable = true;
+    openssh.enable = lib.mkForce false;
+  };
+
+  system.stateVersion = "25.11";
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}
--- a/systems/selinunte/default.nix
+++ b/systems/selinunte/default.nix
@@ -0,0 +1,23 @@
+{ inputs, ... }:
+{
+  system = "x86_64-linux";
+  home = true;
+  sops = true;
+  server = false;
+  users = [ "alice" ];
+  modules = [
+    inputs.nixos-hardware.nixosModules.common-pc
+    inputs.nixos-hardware.nixosModules.common-pc-ssd
+    inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
+    inputs.nixos-hardware.nixosModules.common-cpu-amd
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
+    inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
+    inputs.stylix.nixosModules.stylix
+    {
+      environment.systemPackages = [
+        inputs.wired-notify.packages.x86_64-linux.default
+        inputs.hyprland-contrib.packages.x86_64-linux.grimblast
+      ];
+    }
+  ];
+}
--- a/systems/selinunte/desktop.nix
+++ b/systems/selinunte/desktop.nix
@@ -0,0 +1,38 @@
+{ pkgs, ... }:
+
+{
+  # installs hyprland, and its dependencies
+
+  programs = {
+    hyprland = {
+      enable = true;
+      xwayland.enable = true;
+      withUWSM = true;
+    };
+    hyprlock.enable = true;
+    ydotool.enable = true;
+  };
+  # Optional, hint electron apps to use wayland:
+  environment.sessionVariables.NIXOS_OZONE_WL = "1";
+
+  services = {
+    displayManager.gdm = {
+      enable = true;
+      wayland = true;
+    };
+
+    dbus = {
+      enable = true;
+      implementation = "broker";
+    };
+  };
+
+  powerManagement = {
+    enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    libsForQt5.qt5.qtwayland
+    qt6.qtwayland
+  ];
+}
--- a/systems/selinunte/fonts.nix
+++ b/systems/selinunte/fonts.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  fonts = {
+    fontconfig.enable = true;
+    enableDefaultPackages = true;
+    packages = with pkgs.nerd-fonts; [
+      fira-code
+      droid-sans-mono
+      hack
+      dejavu-sans-mono
+      noto
+      open-dyslexic
+    ];
+  };
+}
--- a/systems/selinunte/graphics.nix
+++ b/systems/selinunte/graphics.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+{
+  hardware.graphics = {
+    ## radv: an open-source Vulkan driver from freedesktop
+    enable = true;
+    enable32Bit = true;
+
+  };
+  hardware.nvidia = {
+
+    # Modesetting is required.
+    modesetting.enable = true;
+
+    # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+    # Enable this if you have graphical corruption issues or application crashes after waking
+    # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
+    # of just the bare essentials.
+    powerManagement.enable = false;
+
+    # Fine-grained power management. Turns off GPU when not in use.
+    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+    powerManagement.finegrained = false;
+
+    # Use the NVidia open source kernel module (not to be confused with the
+    # independent third-party "nouveau" open source driver).
+    # Support is limited to the Turing and later architectures. Full list of
+    # supported GPUs is at:
+    # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
+    # Only available from driver 515.43.04+
+    open = false;
+
+    # Enable the Nvidia settings menu,
+    # accessible via `nvidia-settings`.
+    nvidiaSettings = true;
+
+    # Optionally, you may need to select the appropriate driver version for your specific GPU.
+    package = config.boot.kernelPackages.nvidiaPackages.stable;
+  };
+}
--- a/systems/selinunte/hardware.nix
+++ b/systems/selinunte/hardware.nix
@@ -0,0 +1,96 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+      "usb_storage"
+      "usbhid"
+      "sd_mod"
+      "ip_vs"
+      "ip_vs_rr"
+      "nf_conntrack"
+    ];
+    initrd.kernelModules = [
+      "dm-snapshot"
+      "r8152"
+    ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+    kernelParams = [
+      "amdgpu.sg_display=0"
+      "amdgpu.graphics_sg=0"
+      "amdgpu.abmlevel=3"
+    ];
+  };
+
+  fileSystems = {
+
+    "/" = lib.mkDefault {
+      device = "/dev/disk/by-uuid/f3c11d62-37f4-495e-b668-1ff49e0d3a47";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-uuid/720af942-464c-4c1e-be41-0438936264f0";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/035f23f8-d895-4b0c-bcf5-45885a5dbbd9";
+      fsType = "ext4";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/5AD7-6005";
+      fsType = "vfat";
+      options = [
+        "noatime"
+        "nodiratime"
+      ];
+    };
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
+
+  boot.initrd.luks.devices = {
+    "nixos-pv" = {
+      device = "/dev/disk/by-uuid/12a7f660-bbcc-4066-81d0-e66005ee534a";
+      preLVM = true;
+      allowDiscards = true;
+    };
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/systems/selinunte/polkit.nix
+++ b/systems/selinunte/polkit.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+
+{
+  security.polkit.enable = true;
+  environment.systemPackages = with pkgs; [ polkit_gnome ];
+
+  systemd = {
+    user.services.polkit-gnome-authentication-agent-1 = {
+      description = "polkit-gnome-authentication-agent-1";
+      wantedBy = [ "graphical-session.target" ];
+      wants = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+        Restart = "on-failure";
+        RestartSec = 1;
+        TimeoutStopSec = 10;
+      };
+    };
+  };
+}
--- a/systems/selinunte/programs.nix
+++ b/systems/selinunte/programs.nix
@@ -0,0 +1,107 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    act
+    alacritty
+    attic-client
+    amdgpu_top
+    bat
+    bitwarden-cli
+    bfg-repo-cleaner
+    btop
+    calibre
+    # calibre dedrm?
+    candy-icons
+    chromium
+    chromedriver
+    croc
+    deadnix
+    direnv
+    easyeffects
+    eza
+    fanficfare
+    ferium
+    fd
+    file
+    firefox
+    # gestures replacement
+    git
+    glances
+    gpu-viewer
+    grim
+    htop
+    hwloc
+    iperf3
+    # ipscan
+    jp2a
+    jq
+    kdePackages.kdenlive
+    kitty
+    kubectl
+    kubernetes-helm
+    libreoffice-fresh
+    libtool
+    lsof
+    lynis
+    masterpdfeditor4
+    minikube
+    mons
+    mpv
+    # nbt explorer?
+    ncdu
+    nemo-with-extensions
+    neovim
+    nix-init
+    nix-output-monitor
+    nix-prefetch
+    nix-tree
+    nixpkgs-fmt
+    nmap
+    obs-studio
+    obsidian
+    ocrmypdf
+    pciutils
+    #disabled until wxpython compat with python3.12
+    #playonlinux
+    prismlauncher
+    protonmail-bridge
+    protontricks
+    proxychains
+    qrencode
+    redshift
+    restic
+    ripgrep
+    rpi-imager
+    rofi
+    samba
+    signal-desktop
+    # signal in tray?
+    siji
+    simple-mtpfs
+    slurp
+    smartmontools
+    snyk
+    sops
+    spotify
+    spotify-player
+    #swaylock/waylock?
+    sweet-nova
+    telegram-desktop
+    terraform
+    tig
+    tokei
+    tree
+    unipicker
+    unzip
+    uutils-coreutils-noprefix
+    vesktop
+    vscode
+    watchman
+    wget
+    wl-clipboard
+    yq
+    yt-dlp
+    zoom-us
+    zoxide
+  ];
+}
--- a/systems/selinunte/secrets.yaml
+++ b/systems/selinunte/secrets.yaml
--- a/systems/selinunte/steam.nix
+++ b/systems/selinunte/steam.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = [ pkgs.steam-run ];
+  hardware.steam-hardware.enable = true;
+  programs = {
+    gamescope = {
+      enable = true;
+      capSysNice = true;
+    };
+    steam = {
+      enable = true;
+      remotePlay.openFirewall = true;
+      localNetworkGameTransfers.openFirewall = true;
+      extraCompatPackages = with pkgs; [ proton-ge-bin ];
+      gamescopeSession.enable = true;
+      extest.enable = true;
+    };
+  };
+}
--- a/systems/selinunte/stylix.nix
+++ b/systems/selinunte/stylix.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+  stylix = {
+    enable = true;
+    image = "${pkgs.hyprland}/share/hypr/wall2.png";
+
+    #image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
+    polarity = "dark";
+  };
+}
--- a/users/alice/default.nix
+++ b/users/alice/default.nix
@@ -14,5 +14,10 @@ import ../default.nix {
    ;
  publicKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7oJjIYNRCRrUlhdGJgst6bzqubbKH0gjZYulQ1eVcZ alice@artemision"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWG3cIBju6vzX6s8JlmGNJOiWY7pQ19bHvcqDADtWzv snowi@DESKTOP-EVIR8IH"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMfC0IXl9sGx+9FjuYZT2OUfffGjciJIHWqZdEU1d3n alice@parthenon-7588"
+  ];
+  groups = [
+    "adbusers"
  ];
 }
--- a/users/alice/home.nix
+++ b/users/alice/home.nix
@@ -7,18 +7,17 @@
 }:

 {
-  imports =
-    [
-      ./home/zsh.nix
-      ./home/git.nix
-    ]
-    ++ lib.optionals (!machineConfig.server) [
-      ./home/gammastep.nix
-      ./home/doom
-      ./home/hypr
-      ./home/waybar.nix
-      ./non-server.nix
-    ];
+  imports = [
+    ./home/zsh.nix
+    ./home/git.nix
+  ]
+  ++ lib.optionals (!machineConfig.server) [
+    ./home/gammastep.nix
+    ./home/doom
+    ./home/hypr
+    ./home/waybar.nix
+    ./non-server.nix
+  ];

  home = {
    # # Adds the 'hello' command to your environment. It prints a friendly
@@ -55,7 +54,6 @@
      file
      sqlite
      ncdu
-      neofetch
      onefetch
      hyfetch
      smartmontools
@@ -68,7 +66,6 @@
      cargo-update
      diesel-cli
      tealdeer
-      helix
      ripunzip

      # nix specific packages
@@ -76,6 +73,7 @@
      nix-prefetch
      nix-tree
      nh
+      home-manager

      # doom emacs dependencies
      fd
@@ -87,7 +85,7 @@

      # dependencies for nix-dotfiles/hydra-check-action
      nodejs_20
-      nodePackages.prettier
+      prettier
      treefmt

      gocryptfs
@@ -148,6 +146,9 @@
        };
      };
    };
+    fastfetch = {
+      enable = true;
+    };
  };

  services.ssh-agent.enable = true;
@@ -162,8 +163,9 @@
    userDirs = {
      enable = true;
      createDirectories = true;
+      setSessionVariables = true;
      extraConfig = {
-        XDG_SCREENSHOTS_DIR = "${config.xdg.userDirs.pictures}/Screenshots";
+        SCREENSHOTS = "${config.xdg.userDirs.pictures}/Screenshots";
      };
    };
  };
@@ -176,7 +178,7 @@

  nix.gc = {
    automatic = true;
-    frequency = "weekly";
+    dates = "weekly";
    options = "--delete-older-than 30d";
  };

--- a/users/alice/home/git.nix
+++ b/users/alice/home/git.nix
@@ -6,31 +6,33 @@
    lfs.enable = true;
    signing = {
      key = "5EFFB75F7C9B74EAA5C4637547940175096C1330";
+      format = "openpgp";
      signByDefault = true;
    };
-    userEmail = "aliceghuston@gmail.com";
-    userName = "ahuston-0";
-    aliases = {
-      gone = ''
-        !git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
-                        awk 'NF < 2 {print $1}' | # get nuked branches
-                        grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
-                        sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-                        xargs -r git branch -D # nuke the branches
-        # !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
-        #                 awk '$2 == "[gone]" {print $1}' | # get nuked branches
-        #                 sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-        #                 xargs -r git branch -D; # nuke the branches #
-      '';
-    };
-    extraConfig = {
+    settings = {
      push.autosetupremote = true;
      pull.rebase = true;
      color.ui = true;
      init.defaultBranch = "main";
      format.signoff = true;
+      format.commitMessage = "signed-off-by";
      pack.windowMemory = "2g";
      pack.packSizeLimit = "1g";
+      user.email = "aliceghuston@gmail.com";
+      user.name = "ahuston-0";
+      alias = {
+        gone = ''
+          		!git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
+          						awk 'NF < 2 {print $1}' | # get nuked branches
+          						grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
+          						sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
+          						xargs -r git branch -D # nuke the branches
+          		# !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
+          		#                 awk '$2 == "[gone]" {print $1}' | # get nuked branches
+          		#                 sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
+          		#                 xargs -r git branch -D; # nuke the branches #
+          	'';
+      };
    };
  };
 }
--- a/users/alice/home/hypr/hyprland.conf
+++ b/users/alice/home/hypr/hyprland.conf
@@ -116,13 +116,13 @@ master {
 }

 gestures {
-    # See https://wiki.hyprland.org/Configuring/Variables/ for more
-    workspace_swipe = off
+    # See https://wiki.hypr.land/Configuring/Gestures/ for more
+    gesture = 3, horizontal, workspace
 }

 misc {
    # See https://wiki.hyprland.org/Configuring/Variables/ for more
-    force_default_wallpaper = -1 # Set to 0 or 1 to disable the anime mascot wallpapers
+    force_default_wallpaper = 1 # Set to 0 or 1 to disable the anime mascot wallpapers
 }

 # Example per-device config
@@ -137,7 +137,7 @@ device {
 # Example windowrule v2
 # windowrulev2 = float,class:^(kitty)$,title:^(kitty)$
 # See https://wiki.hyprland.org/Configuring/Window-Rules/ for more
-windowrulev2 = suppressevent maximize, class:.* # You'll probably like this.
+windowrule = suppress_event maximize, match:class .* # You'll probably like this.


 # See https://wiki.hyprland.org/Configuring/Keywords/ for more
@@ -149,6 +149,7 @@ bind = $mainMod, W, killactive,
 #bind = $mainMod, W, exit, 
 bind = $mainMod, E, exec, $fileManager
 bind = $mainMod, V, togglefloating, 
+bind = $mainMod, F, fullscreen, toggle
 bind = $mainMod, SPACE, exec, $menu
 bind = $mainMod, O, pseudo, # dwindle
 bind = $mainMod, J, togglesplit, # dwindle
--- a/users/alice/home/waybar.json
+++ b/users/alice/home/waybar.json
@@ -4,8 +4,8 @@
    "layer": "top",
    "position": "top",
    "output": [
-      "eDP-2",
      "eDP-1",
+      "eDP-2",
      "HDMI-0",
      "DP-0"
    ],
--- a/users/alice/home/zsh.nix
+++ b/users/alice/home/zsh.nix
@@ -1,9 +1,10 @@
-{ lib, ... }:
+{ lib, config, ... }:
 {

  programs.zsh = {

    enable = true;
+    dotDir = "${config.xdg.configHome}/zsh";
    oh-my-zsh = {
      enable = true;
      plugins = [
@@ -72,7 +73,7 @@
      "sgc" = "sudo git -C /root/dotfiles";
      ## SSH
      "ssh-init" =
-        "ssh-add -t 2h  ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails  ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
+        "ssh-add -t 2h  ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails  ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh ~/.ssh/id_ed25519";

      ## Backups
      "borgmatic-backup-quick" =
@@ -118,6 +119,8 @@
      "octave" = "prime-run octave --gui";
      "pc-firefox" = "proxychains firefox -P qbit -no-remote -P 127.0.0.1:9050";
      "hx" = "helix";
+      "dungeondraft-arch" = "/opt/Dungeondraft/Dungeondraft.x86_64";
+      "wonderdraft-arch" = "/opt/wonderdraft/Wonderdraft.x86_64";
    };
  };
 }
--- a/users/alice/non-server.nix
+++ b/users/alice/non-server.nix
@@ -1,10 +1,214 @@
-{ pkgs, outputs, ... }:
-
-{
-  programs.emacs = {
-    enable = true;
-    package = pkgs.emacs30-pgtk;
+{ pkgs, ... }:
+let
+  tex = pkgs.texlive.combine {
+    inherit (pkgs.texlive)
+      scheme-medium
+      preprint
+      titlesec
+      enumitem
+      sourcesanspro
+      xifthen
+      ifmtarg
+      framed
+      paralist
+      fontawesome7
+      ;
  };
+in
+{
+  programs = {
+    emacs = {
+      enable = true;
+      package = pkgs.emacs30-pgtk;
+    };
+    vesktop = {
+      enable = true;
+      settings = {
+        appBadge = false;
+        arRPC = true;
+        checkUpdates = false;
+        customTitleBar = false;
+        hardwareAcceleration = true;
+      };
+      vencord.useSystem = true;
+      vencord.settings = {
+        autoUpdate = false;
+        autoUpdateNotification = false;
+        notifyAboutUpdates = false;
+        plugins = {
+          AnonymiseFileNames.enabled = true;
+          BetterFolders.enabled = false;
+          BetterGifAltText.enabled = true;
+          CallTimer.enabled = true;
+          ClearURLs.enabled = true;
+          CopyFileContents.enabled = true;
+          CtrlEnterSend.enabled = true;
+          CustomIdle = {
+            enabled = true;
+            remainInIdle = false;
+          };
+          FriendsSince.enabled = true;
+          GameActivityToggle.enabled = true;
+          ImplicitRelationships.enabled = true;
+          MutualGroupDMs.enabled = true;
+          QuickMention.enabled = true;
+          QuickReply.enabled = true;
+          ReplaceGoogleSearch = {
+            enabled = true;
+            customEngineName = "DuckDuckGo";
+          };
+          ReviewDB.enabled = true;
+          ShowConnections.enabled = true;
+        };
+      };
+    };
+    zed-editor = {
+      enable = true;
+      mutableUserSettings = false;
+      extensions = [
+        "nix"
+        "toml"
+        "rust"
+        "java"
+        "kotlin"
+        "git firefly"
+        "make"
+        "dockerfile"
+        "sql"
+        "latex"
+        "terraform"
+        "log"
+        "context7-mcp-server"
+        "github-mcp-server"
+      ];
+      userSettings = {
+        context_servers = {
+          nixos = {
+            command = "nix";
+            args = [
+              "run"
+              "github:utensils/mcp-nixos"
+              "--"
+            ];
+          };
+        };
+        language_models = {
+          ollama = {
+            api_url = "http://192.168.76.2:11434";
+            context_window = 128000;
+            # global keep alive doesnt work
+            #keep_alive = "15m";
+            available_models = [
+              {
+                name = "deepseek-r1:1.5b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "deepseek-r1:32b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "deepseek-r1:70b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "qwen3-coder-next";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "lennyerik/zeta";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "nomic-embed-text:latest";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "lfm2:24b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "glm-4.7-flash";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "nemotron-cascade-2:30b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "magistral";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+
+            ];
+          };
+        };
+        colorize_brackets = true;
+        hard_tabs = false;
+        vim_mode = true;
+        minimap = {
+          show = "auto";
+        };
+        buffer_line_height = "comfortable";
+        auto_update = false;
+        autosave = "on_focus_change";
+        agent = {
+          default_model = {
+            provider = "ollama";
+            model = "glm-4.7-flash";
+          };
+          favorite_models = [ ];
+          model_parameters = [ ];
+        };
+        telemetry = {
+          diagnostics = false;
+          metrics = false;
+        };
+        journal = {
+          hour_format = "hour24";
+        };
+        edit_predictions = {
+          provider = "ollama";
+          ollama = {
+            #api_url = "http://192.168.76.2:11434/v1/completions";
+            api_url = "http://192.168.76.2:11434";
+            context_window = 128000;
+            model = "lennyerik/zeta";
+            prompt_format = "qwen";
+            max_requests = 64;
+            max_output_tokens = 256;
+          };
+        };
+        texlab = {
+          build = {
+            onSave = true;
+            forwardSearchAfter = true;
+          };
+          forwardSearch = {
+            executable = "zathura";
+            args = [
+              "--synctex-forward"
+              "%l:1:%f"
+              "-x"
+              "zed %%{input}:%%{line}"
+              "%p"
+            ];
+          };
+        };
+      };
+    };
+  };
+
  home.packages = with pkgs; [
    cmake
    shellcheck
@@ -25,16 +229,18 @@

    # nix tools
    nil
-    nixfmt-rfc-style
+    nixfmt
    nix-init

    # markdown
-    nodePackages.markdownlint-cli
+    markdownlint-cli
+
+    # insert essential rust dependencies

    # doom emacs dependencies
    yaml-language-server
-    nodePackages.typescript-language-server
-    nodePackages.bash-language-server
+    typescript-language-server
+    bash-language-server
    pyright
    cmake-language-server
    multimarkdown
@@ -43,18 +249,19 @@
    rust-analyzer
    clang
    clang-tools
-    wakatime
+    wakatime-cli
    enchant
    nuspell
    hunspellDicts.en-us
    languagetool

    # latex
-    texlive.combined.scheme-medium
+    tex
+    poppler-utils

    # dependencies for nix-dotfiles/hydra-check-action
    nodejs_20
-    nodePackages.prettier
+    prettier
    treefmt

    nextcloud-client
@@ -65,5 +272,15 @@
    obsidian
    libreoffice-qt-fresh
    wlr-randr
+
+    # media tools
+    #deepin.deepin-music
+
+    # arch zed deps
+    nixd
+    uv
+
+    pdf4qt
+    masterpdfeditor4
  ];
 }
--- a/users/default.nix
+++ b/users/default.nix
@@ -4,6 +4,7 @@
  pkgs,
  name,
  publicKeys ? [ ],
+  groups ? [ ],
  defaultShell ? "zsh",
 }:

@@ -14,17 +15,21 @@
  hashedPasswordFile = config.sops.secrets."${name}/user-password".path or null;
  openssh.authorizedKeys.keys = publicKeys;
  extraGroups = [
+    "users"
    "wheel"
    "media"
    (lib.mkIf config.networking.networkmanager.enable "networkmanager")
-    (lib.mkIf config.programs.adb.enable "adbusers")
    (lib.mkIf config.programs.wireshark.enable "wireshark")
    (lib.mkIf config.virtualisation.docker.enable "docker")
    (lib.mkIf (with config.services.locate; (enable && package == pkgs.plocate)) "plocate")
+    (lib.mkIf config.networking.wireless.enable "wpa_supplicant")
    "libvirtd"
    "dialout"
    "plugdev"
    "uaccess"
    "ydotool"
-  ];
+    "video"
+    "render"
+  ]
+  ++ groups;
 }
--- a/users/sam/default.nix
+++ b/users/sam/default.nix
@@ -1,17 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  name,
-  ...
-}:
-import ../default.nix {
-  inherit
-    pkgs
-    lib
-    config
-    name
-    ;
-  publicKeys = [
-  ];
-}
--- a/users/sam/home.nix
+++ b/users/sam/home.nix
@@ -1,157 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  machineConfig,
-  ...
-}:
-
-{
-  imports =
-    [
-      ./home/zsh.nix
-      ./home/git.nix
-    ]
-    ++ lib.optionals (!machineConfig.server) [
-      ./home/gammastep.nix
-      ./non-server.nix
-    ];
-
-  home = {
-    # # Adds the 'hello' command to your environment. It prints a friendly
-    # # "Hello, world!" when run.
-    # pkgs.hello
-
-    # # It is sometimes useful to fine-tune packages, for example, by applying
-    # # overrides. You can do that directly here, just don't forget the
-    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
-    # # fonts?
-    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
-
-    # # You can also create simple shell scripts directly inside your
-    # # configuration. For example, this adds a command 'my-hello' to your
-    # # environment:
-    # (pkgs.writeShellScriptBin "my-hello" ''
-    #   echo "Hello, ${config.home.username}!"
-    # '')
-
-    username = "sam";
-    homeDirectory = "/home/sam";
-    packages = with pkgs; [
-      python3
-
-      # useful tools
-      file
-      ncdu
-      neofetch
-      onefetch
-      hyfetch
-      smartmontools
-      wget
-      glances
-      onefetch
-
-      # Rust packages
-      bat
-      cargo-update
-      tealdeer
-
-      # nix specific packages
-      nix-output-monitor
-      nix-prefetch
-      nix-tree
-      nh
-
-      # audit
-      lynis
-
-      gocryptfs
-    ];
-  };
-
-  programs = {
-
-    starship.enable = true;
-
-    fzf = {
-      enable = true;
-      enableZshIntegration = true;
-    };
-
-    direnv = {
-      enable = true;
-      enableZshIntegration = true;
-      nix-direnv.enable = true;
-    };
-
-    eza = {
-      enable = true;
-      icons = "auto";
-      git = true;
-    };
-
-    neovim = {
-      enable = true;
-      defaultEditor = true;
-      vimAlias = true;
-      vimdiffAlias = true;
-      extraConfig = ''
-        set bg=dark
-              set tabstop=2
-        	set shiftwidth=2
-        	set expandtab
-        	set smartindent
-      '';
-    };
-    nix-index = {
-      enable = true;
-      enableZshIntegration = true;
-    };
-
-    tmux.enable = true;
-    topgrade = {
-      enable = true;
-      settings = {
-        misc = {
-          disable = [
-            "system"
-            "nix"
-            "shell"
-            "poetry"
-          ];
-        };
-      };
-    };
-  };
-
-  services.ssh-agent.enable = true;
-
-  # TODO: add environment bs
-  home.sessionVariables = {
-    EDITOR = "nvim";
-  };
-
-  xdg = {
-    enable = true;
-    userDirs = {
-      enable = true;
-      createDirectories = true;
-      extraConfig = {
-        XDG_SCREENSHOTS_DIR = "${config.xdg.userDirs.pictures}/Screenshots";
-      };
-    };
-  };
-
-  sops = lib.mkIf (!machineConfig.server) {
-    age.sshKeyPaths = [ "/home/sam/.ssh/id_ed25519_sops" ];
-    defaultSopsFile = ./secrets.yaml;
-  };
-
-  nix.gc = {
-    automatic = true;
-    frequency = "weekly";
-    options = "--delete-older-than 30d";
-  };
-
-  home.stateVersion = "25.11";
-}
--- a/users/sam/home/gammastep.nix
+++ b/users/sam/home/gammastep.nix
@@ -1,20 +0,0 @@
-{ ... }:
-{
-  services.gammastep = {
-    enable = true;
-    provider = "manual";
-    latitude = 40.73;
-    longitude = -73.93;
-    temperature.day = 5700;
-    temperature.night = 3500;
-    settings = {
-      general = {
-        fade = 1;
-        elevation-high = 3;
-        elevation-low = -6;
-        brightness-day = 1.0;
-        brightness-low = 0.8;
-      };
-    };
-  };
-}
--- a/users/sam/home/git.nix
+++ b/users/sam/home/git.nix
@@ -1,36 +0,0 @@
-{ ... }:
-
-{
-  programs.git = {
-    enable = true;
-    lfs.enable = true;
-    signing = {
-      key = "5EFFB75F7C9B74EAA5C4637547940175096C1330";
-      signByDefault = true;
-    };
-    userEmail = "aliceghuston@gmail.com";
-    userName = "ahuston-0";
-    aliases = {
-      gone = ''
-        !git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
-                        awk 'NF < 2 {print $1}' | # get nuked branches
-                        grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
-                        sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-                        xargs -r git branch -D # nuke the branches
-        # !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
-        #                 awk '$2 == "[gone]" {print $1}' | # get nuked branches
-        #                 sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-        #                 xargs -r git branch -D; # nuke the branches #
-      '';
-    };
-    extraConfig = {
-      push.autosetupremote = true;
-      pull.rebase = true;
-      color.ui = true;
-      init.defaultBranch = "main";
-      format.signoff = true;
-      pack.windowMemory = "2g";
-      pack.packSizeLimit = "1g";
-    };
-  };
-}
--- a/users/sam/home/zsh.nix
+++ b/users/sam/home/zsh.nix
@@ -1,123 +0,0 @@
-{ lib, ... }:
-{
-
-  programs.zsh = {
-
-    enable = true;
-    oh-my-zsh = {
-      enable = true;
-      plugins = [
-        "git"
-        "docker"
-        "docker-compose"
-        "colored-man-pages"
-        "helm"
-        "kubectl"
-        "minikube"
-        "rust"
-        "skaffold"
-        "systemd"
-        "tmux"
-        "ufw"
-        "z"
-      ];
-    };
-    /*
-      To specify the order, use lib.mkOrder.
-
-      Common order values:
-
-      500 (mkBefore): Early initialization (replaces initExtraFirst)
-
-      550: Before completion initialization (replaces initExtraBeforeCompInit)
-
-      1000 (default): General configuration (replaces initExtra)
-
-      1500 (mkAfter): Last to run configuration
-
-      To specify both content in Early initialization and General configuration, use lib.mkMerge.
-
-      e.g.
-
-      initContent = let zshConfigEarlyInit = lib.mkOrder 500 “do something”; zshConfig = lib.mkOrder 1000 “do something”; in lib.mkMerge [ zshConfigEarlyInit zshConfig ];
-    */
-
-    initContent = lib.mkOrder 1000 ''
-      # functions
-      function mount-data {
-          if [[ -f /home/alice/backup/.noconnection ]]; then
-      	sshfs -p 10934 lily@192.168.1.154:/mnt/backup/data/ ~/backup -C
-          else
-      	echo "Connection to backup server already open."
-          fi
-      }
-
-      function mount-backup {
-          if [[ -f /home/alice/backup/.noconnection ]]; then
-          	sudo borgmatic mount --options allow_other,nonempty --archive latest --mount-point ~/backup -c /etc/borgmatic/config_checkless.yaml
-          else
-              echo "Connection to backup server already open."
-          fi
-      }
-
-      function mount-ubuntu {
-          if [[ -f /home/alice/backup/.noconnection ]]; then
-              sshfs lily@192.168.76.101:/mnt/backup/ubuntu.old/ ~/backup -C
-          else
-              echo "Connection to backup server already open."
-          fi
-      }
-    '';
-    shellAliases = {
-      "sgc" = "sudo git -C /root/dotfiles";
-      ## SSH
-      "ssh-init" =
-        "ssh-add -t 2h  ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails  ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
-
-      ## Backups
-      "borgmatic-backup-quick" =
-        "sudo borgmatic --log-file-verbosity 2 -v1 --progress --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_checkless.yaml";
-      "borgmatic-backup-full" =
-        "sudo borgmatic --log-file-verbosity 2 -v1 --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_full_arch.yaml";
-      "umount-backup" =
-        "sudo borgmatic umount --mount-point /home/alice/backup -c /etc/borgmatic/config_checkless.yaml";
-      "restic-backup" = "/home/alice/Scripts/restic/backup.sh";
-
-      ## VPN
-      "pfSense-vpn" = "sudo openvpn --config /etc/openvpn/client/pfSense-TCP4-1194-alice-config.ovpn";
-      "pfSense-vpn-all" = "sudo openvpn --config /etc/openvpn/client/pfSense-TCP4-1195-alice-config.ovpn";
-
-      ## Utilities
-      "lrt" = "eza --icons -lsnew";
-      "lynis-grep" = ''sudo lynis audit system 2&>1 | grep -v "egrep"'';
-      "egrep" = "grep -E";
-      "htgp" = "history | grep";
-      "gen_walpaper" = "wal -i '/home/alice/Pictures/Wallpapers/1440pdump'";
-      "vlgdf" = "valgrind --leak-check=full --show-leak-kinds=all --track-origins=yes";
-      "libreoffice-writer" = "libreoffice --writer";
-      "libreoffice-calc" = "libreoffice --calc";
-      "notes" = "code /home/alice/Scripts/Notes/dendron.code-workspace";
-      "ua-drop-caches" = "sudo paccache -rk3; yay -Sc --aur --noconfirm";
-      "ua-update-all" = ''
-        (export TMPFILE="$(mktemp)"; \
-              sudo true; \
-              rate-mirrors --save=$TMPFILE --protocol https\
-              --country-test-mirrors-per-country 10 arch --max-delay=21600 \
-                && sudo mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist-backup \
-                && sudo mv $TMPFILE /etc/pacman.d/mirrorlist \
-                && ua-drop-caches \
-                && yay -Syyu)
-      '';
-
-      # applications (rofi entries)
-      "ARMEclipse" = "nohup /opt/DS-5_CE/bin/eclipse &";
-      "Wizard101-old" = "prime-run playonlinux --run Wizard\\ 101";
-      "Wizard101" =
-        "prime-run ~/.wine/drive_c/ProgramData/KingsIsle Entertainment/Wizard101/Wizard101.exe";
-      "Pirate101" = "prime-run playonlinux --run Pirate\\ 101";
-      "octave" = "prime-run octave --gui";
-      "pc-firefox" = "proxychains firefox -P qbit -no-remote -P 127.0.0.1:9050";
-      "hx" = "helix";
-    };
-  };
-}
--- a/users/sam/non-server.nix
+++ b/users/sam/non-server.nix
@@ -1,33 +0,0 @@
-{ pkgs, outputs, ... }:
-
-{
-  home.packages = with pkgs; [
-    shellcheck
-
-    # nix tools
-    nil
-    nixfmt-rfc-style
-    nix-init
-
-    # markdown
-    nodePackages.markdownlint-cli
-
-    # language depedencies
-    enchant
-    nuspell
-    hunspellDicts.en-us
-    languagetool
-
-    # latex
-    texlive.combined.scheme-medium
-
-    nextcloud-client
-    bitwarden-cli
-    bitwarden-menu
-    wtype
-    zathura
-    obsidian
-    libreoffice-qt-fresh
-    wlr-randr
-  ];
-}
--- a/utils/eval-to-drv.sh
+++ b/utils/eval-to-drv.sh
@@ -16,4 +16,4 @@ script_path=$(dirname "$(readlink -f $0)")
 parent_path=$(dirname "$script_path")
 out_path="$parent_path/$1.json"

-nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --allow-import-from-derivation --json "$out_path" "$parent_path"
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff --fallback -- --evaluate --allow-import-from-derivation --json "$out_path" "$parent_path"