Merge pull request 'scale down act runners' (#56) from feature/scale-act into main

Reviewed-on: #56

.gitconfig

@@ -1,6 +1,11 @@
 # run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
 # run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
+# if for whatever reason the below doesn't work, try modifying the mergetool command as below
+#   find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
+#   replace: ./utils/sops-mergetool.sh
 [mergetool "sops-mergetool"]
-        cmd = bash -c "$(git --exec-path)/sops-mergetool.sh \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\""
+	cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
 [merge]
-	tool = nvimdiff3
+	tool = nvimdiff
+[mergetool "nvimdiff"]
+	layout = MERGED

.github/settings.yml

@@ -1,204 +1,173 @@
 # Have borrowed this config from nix-community/infra
 repository:
-  # See https://developer.github.com/v3/repos/#edit for all available settings.
+    # See https://developer.github.com/v3/repos/#edit for all available settings.
 
-  # The name of the repository. Changing this will rename the repository
+    # The name of the repository. Changing this will rename the repository
-  name: nix-dotfiles
+    name: nix-dotfiles
-
+    # A short description of the repository that will show up on GitHub
-  # A short description of the repository that will show up on GitHub
+    description: RAD-Dev Infra
-  description: RAD-Dev Infra
+    # A URL with more information about the repository
-
+    # homepage: "https://nix-community.org"
-  # A URL with more information about the repository
-  # homepage: "https://nix-community.org"
-
-  # A comma-separated list of topics to set on the repository
-  topics: "nixos"
-
-  # Either `true` to make the repository private, or `false` to make it public.
-  private: false
-
-  # Either `true` to enable issues for this repository, `false` to disable them.
-  has_issues: true
-
-  # Either `true` to enable projects for this repository, or `false` to disable them.
-  # If projects are disabled for the organization, passing `true` will cause an API error.
-  has_projects: true
-
-  # Either `true` to enable the wiki for this repository, `false` to disable it.
-  has_wiki: false
-
-  # Either `true` to enable downloads for this repository, `false` to disable them.
-  has_downloads: false
-
-  # Updates the default branch for this repository.
-  default_branch: main
-
-  # Either `true` to allow squash-merging pull requests, or `false` to prevent
-  # squash-merging.
-  allow_squash_merge: true
-
-  # Either `true` to allow merging pull requests with a merge commit, or `false`
-  # to prevent merging pull requests with merge commits.
-  allow_merge_commit: false
-
-  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
-  # rebase-merging.
-  allow_rebase_merge: true
-
-  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
-  delete_branch_on_merge: true
-
-  # Either `true` to enable automated security fixes, or `false` to disable
-  # automated security fixes.
-  enable_automated_security_fixes: true
-
-  # Either `true` to enable vulnerability alerts, or `false` to disable
-  # vulnerability alerts.
-  enable_vulnerability_alerts: true
-
-  allow_auto_merge: true
 
+    # A comma-separated list of topics to set on the repository
+    topics: "nixos"
+    # Either `true` to make the repository private, or `false` to make it public.
+    private: false
+    # Either `true` to enable issues for this repository, `false` to disable them.
+    has_issues: true
+    # Either `true` to enable projects for this repository, or `false` to disable them.
+    # If projects are disabled for the organization, passing `true` will cause an API error.
+    has_projects: true
+    # Either `true` to enable the wiki for this repository, `false` to disable it.
+    has_wiki: false
+    # Either `true` to enable downloads for this repository, `false` to disable them.
+    has_downloads: false
+    # Updates the default branch for this repository.
+    default_branch: main
+    # Either `true` to allow squash-merging pull requests, or `false` to prevent
+    # squash-merging.
+    allow_squash_merge: true
+    # Either `true` to allow merging pull requests with a merge commit, or `false`
+    # to prevent merging pull requests with merge commits.
+    allow_merge_commit: false
+    # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+    # rebase-merging.
+    allow_rebase_merge: true
+    # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+    delete_branch_on_merge: true
+    # Either `true` to enable automated security fixes, or `false` to disable
+    # automated security fixes.
+    enable_automated_security_fixes: true
+    # Either `true` to enable vulnerability alerts, or `false` to disable
+    # vulnerability alerts.
+    enable_vulnerability_alerts: true
+    allow_auto_merge: true
 # Labels: define labels for Issues and Pull Requests
 #
 labels:
-  - name: bug
+    - name: bug
-    color: '#d73a4a'
+      color: '#d73a4a'
-    description: Something isn't working
+      description: Something isn't working
-  - name: CI/CD
+    - name: CI/CD
-    # If including a `#`, make sure to wrap it with quotes!
+      # If including a `#`, make sure to wrap it with quotes!
-    color: '#0e8a16'
+      color: '#0e8a16'
-    description: Related to GH Actions or Hydra
+      description: Related to GH Actions or Hydra
-  - name: documentation
+    - name: documentation
-    color: '#0075ca'
+      color: '#0075ca'
-    description: Improvements or additions to documentation
+      description: Improvements or additions to documentation
-  - name: duplicate
+    - name: duplicate
-    color: '#cfd3d7'
+      color: '#cfd3d7'
-    description: This issue or pull request already exists
+      description: This issue or pull request already exists
-  - name: enhancement
+    - name: enhancement
-    color: '#a2eeef'
+      color: '#a2eeef'
-    description: New feature or request
+      description: New feature or request
-  - name: good first issue
+    - name: good first issue
-    color: '#7057ff'
+      color: '#7057ff'
-    description: Good for newcomers
+      description: Good for newcomers
-  - name: help wanted
+    - name: help wanted
-    color: '#008672'
+      color: '#008672'
-    description: Extra attention is needed
+      description: Extra attention is needed
-  - name: high priority
+    - name: high priority
-    color: '#BF480A'
+      color: '#BF480A'
-    description: A major vurnability was detected
+      description: A major vurnability was detected
-  - name: invalid
+    - name: invalid
-    color: '#e4e669'
+      color: '#e4e669'
-    description: This doesn't seem right
+      description: This doesn't seem right
-  - name: new user
+    - name: new user
-    color: '#C302A1'
+      color: '#C302A1'
-    description: A new user was added to the Flake
+      description: A new user was added to the Flake
-  - name: question
+    - name: question
-    color: '#d876e3'
+      color: '#d876e3'
-    description: Further information is requested
+      description: Further information is requested
-  - name: wontfix
+    - name: wontfix
-    color: '#ffffff'
+      color: '#ffffff'
-    description: This will not be worked on
+      description: This will not be worked on
-  - name: dependencies
+    - name: dependencies
-    color: '#cb4ed5'
+      color: '#cb4ed5'
-    description: Used for PR's related to flake.lock updates
+      description: Used for PR's related to flake.lock updates
-  - name: automated
+    - name: automated
-    color: '#42b528'
+      color: '#42b528'
-    description: PR was automatically generated (through a bot or CI/CD)
+      description: PR was automatically generated (through a bot or CI/CD)
-
 # Milestones: define milestones for Issues and Pull Requests
 milestones:
-  - title: Go-Live
+    - title: Go-Live
-    description: >-
+      description: >-
-      All requirements for official go-live:
+        All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
-      - Automated testing via Hydra/Actions
+      # The state of the milestone. Either `open` or `closed`
-      - Automated deployments via Hydra/Actions
+      state: open
-      - 90+% testing coverage
+    - title: Jeeves Migration
-      - Functional formatter with custom rules
+      description: >-
-      - palatine-hill is fully stable, enough so that jeeves can be migrated
+        Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
-    # The state of the milestone. Either `open` or `closed`
-    state: open
-  - title: Jeeves Migration
-    description: >-
-      Test common use-cases for Jeeves
-      - Quadro GPU support
-      - Multi-GPU support
-      - Plex support
-      - Docker support
-      - ZFS support
-
-
 # Collaborators: give specific users access to this repository.
 # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
 collaborators:
-  # - username: numtide-bot
+# - username: numtide-bot
-  # Note: `permission` is only valid on organization-owned repositories.
+# Note: `permission` is only valid on organization-owned repositories.
-  # The permission to grant the collaborator. Can be one of:
+# The permission to grant the collaborator. Can be one of:
-  # * `pull` - can pull, but not push to or administer this repository.
+# * `pull` - can pull, but not push to or administer this repository.
-  # * `push` - can pull and push, but not administer this repository.
+# * `push` - can pull and push, but not administer this repository.
-  # * `admin` - can pull, push and administer this repository.
+# * `admin` - can pull, push and administer this repository.
-  # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-  # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-  # permission: push
+# permission: push
 
 # See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
 teams:
-  # - name: admin
+# - name: admin
-    # The permission to grant the team. Can be one of:
+# The permission to grant the team. Can be one of:
-    # * `pull` - can pull, but not push to or administer this repository.
+# * `pull` - can pull, but not push to or administer this repository.
-    # * `push` - can pull and push, but not administer this repository.
+# * `push` - can pull and push, but not administer this repository.
-    # * `admin` - can pull, push and administer this repository.
+# * `admin` - can pull, push and administer this repository.
-    # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-    # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-    # permission: admin
+# permission: admin
-
 branches:
-  # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
+    # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
 
-  # not available in the api yet
+    # not available in the api yet
-  # `Require merge queue`: true
+    # `Require merge queue`: true
-  # `Merge method`: Rebase and merge
+    # `Merge method`: Rebase and merge
-  # `Maximum pull requests to build`: 1
+    # `Maximum pull requests to build`: 1
-  # `Maximum pull requests to merge`: 1
+    # `Maximum pull requests to merge`: 1
-  # defaults:
+    # defaults:
-  # `Maximum pull requests to build`: 5
+    # `Maximum pull requests to build`: 5
-  # `Minimum pull requests to merge`: 1 or 5 minutes
+    # `Minimum pull requests to merge`: 1 or 5 minutes
-  # `Maximum pull requests to merge`: 5
+    # `Maximum pull requests to merge`: 5
-  # `Only merge non-failing pull requests`: true
+    # `Only merge non-failing pull requests`: true
-  # `Consider check failed after`: 60 minutes
+    # `Consider check failed after`: 60 minutes
+    - name: main
+      # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+      # Branch Protection settings. Set to null to disable
+      protection:
+        # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
 
-  - name: main
+        # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
-    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+        required_pull_request_reviews:
-    # Branch Protection settings. Set to null to disable
+            # # The number of approvals required. (1-6)
-    protection:
+            required_approving_review_count: 1
-      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
+            # # Dismiss approved reviews automatically when a new commit is pushed.
-
+            dismiss_stale_reviews: true
-      # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
+            # # Blocks merge until code owners have reviewed.
-      required_pull_request_reviews:
+            require_code_owner_reviews: false
-        # # The number of approvals required. (1-6)
+            # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
-        required_approving_review_count: 1
+            # dismissal_restrictions:
-        # # Dismiss approved reviews automatically when a new commit is pushed.
+            #   users: []
-        dismiss_stale_reviews: true
+            #   teams: []
-        # # Blocks merge until code owners have reviewed.
+            require_last_push_approval: false
-        require_code_owner_reviews: false
+        # Required. Require status checks to pass before merging. Set to null to disable
-        # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+        # required_status_checks:
-        # dismissal_restrictions:
-        #   users: []
-        #   teams: []
-        require_last_push_approval: false
-      # Required. Require status checks to pass before merging. Set to null to disable
-      # required_status_checks:
         # Required. Require branches to be up to date before merging.
         # strict: false
         # Required. The list of status checks to require in order to merge into this branch
         # contexts:
         #   - buildbot/nix-eval
-      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+        # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
-      enforce_admins: true
+        enforce_admins: true
-      # Disabled for bors to work
+        # Disabled for bors to work
-      required_linear_history: true
+        required_linear_history: true
-      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+        # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
-      restrictions:
+        restrictions:
-        apps: []
+            apps: []
-        # TODO: make a buildbot instance
+            # TODO: make a buildbot instance
-        # users: ["nix-infra-bot"]
+            # users: ["nix-infra-bot"]
-        teams: []
+            teams: []

.github/workflows/flake-health-checks.yml

@@ -1,20 +1,47 @@
 name: "Check Nix flake"
 on:
-  push:
+    push:
-    branches: ["main"]
+        branches: ["main"]
-  pull_request:
+    pull_request:
-    branches: ["main"]
+        branches: ["main"]
-  merge_group:
+    merge_group:
-
 jobs:
-  health-check:
+    health-check:
-    name: "Perform Nix flake checks"
+        name: "Perform Nix flake checks"
-    runs-on: ${{ matrix.os }}
+        runs-on: ${{ matrix.os }}
-    strategy:
+        strategy:
-      matrix:
+            matrix:
-        os: [ubuntu-latest]
+                os: [ubuntu-latest]
-    steps:
+        steps:
-      - uses: DeterminateSystems/nix-installer-action@main
+            - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+            - name: Setup Attic cache
-      - uses: actions/checkout@v4
+              uses: ryanccn/attic-action@v0
-      - run: nix flake check --accept-flake-config
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - uses: actions/checkout@v4
+            - run: nix flake check --accept-flake-config
+            - run: nix ./utils/attic-push.bash
+    build-checks:
+        name: "Build nix outputs"
+        runs-on: ${{ matrix.os }}
+        strategy:
+            matrix:
+                os: [ubuntu-latest]
+        steps:
+            - uses: DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - uses: actions/checkout@v4
+            - name: Build all outputs
+              run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
+            - name: Push to Attic
+              run: nix ./utils/attic-push.bash
+              continue-on-error: true

.github/workflows/flake-update.yml

@@ -1,67 +1,112 @@
 name: "Update flakes"
 on:
-  repository_dispatch:
+    repository_dispatch:
-  workflow_dispatch:
+    workflow_dispatch:
-  schedule:
+    schedule:
-    - cron: "00 12 * * *"
+        - cron: "00 12 * * *"
 jobs:
-  createPullRequest:
+    update_lockfile:
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
+        #if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
-    steps:
+        steps:
-      - uses: actions/checkout@v4
+            - name: Checkout repository
-      - name: Login to Docker Hub
+              uses: actions/checkout@v4
-        uses: docker/login-action@v3
+            - name: Install nix
-        with:
+              uses: https://github.com/DeterminateSystems/nix-installer-action@main
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+            - name: Setup Attic cache
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+              uses: ryanccn/attic-action@v0
-      - name: Install Nix
+              with:
-        uses: cachix/install-nix-action@v24
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-        with:
+                cache: ${{ secrets.ATTIC_CACHE }}
-          extra_nix_config: |
+                token: ${{ secrets.ATTIC_TOKEN }}
-            experimental-features = nix-command flakes
+                skip-push: "true"
-          install_url: https://releases.nixos.org/nix/nix-2.19.0/install
+            - name: Get pre-snapshot of evaluations
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+              run: nix ./utils/eval-to-drv.sh pre
-      - name: Calculate pre-drv
+            - name: Update flake.lock
-        run: nix ./utils/eval-to-drv.sh pre
+              id: update
-      - name: Pull latest docker images
+              run: |
-        run: nix ./utils/fetch-docker.sh
+                nix flake update 2> >(tee /dev/stderr) | awk '
-      - name: Update flake.lock (part 1)
+                  /^• Updated input/ {in_update = 1; print; next}
-        run: nix flake update
+                  in_update && !/^warning:/ {print}
-      - name: Calculate post-drv
+                  /^$/ {in_update = 0}
-        run: nix ./utils/eval-to-drv.sh post
+                ' > update.log
-      - name: Calculate diff
-        run: nix ./utils/diff-evals.sh
-      - name: Read diff into environment
-        run: |
-          delimiter="$(openssl rand -hex 8)"
-          {
-          echo "POSTDIFF<<${delimiter}"
-          cat post-diff
-          echo "${delimiter}"
-          } >> $GITHUB_ENV
 
+                echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
+                cat update.log >> $GITHUB_ENV
+                echo "EOF" >> $GITHUB_ENV
 
-      - name: Restore flake.lock for next step
+                rm update.log
-        run: git restore flake.lock
+            - name: Get post-snapshot of evaluations
-      - name: Update flake.lock
+              run: nix ./utils/eval-to-drv.sh post
-        id: update
+            - name: Calculate diff
-        uses: DeterminateSystems/update-flake-lock@main
+              run: nix ./utils/diff-evals.sh
-        with:
+            - name: Read file contents
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+              id: read_file
-          pr-body: |
+              uses: guibranco/github-file-reader-action-v2@latest
-            Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+              with:
+                path: "post-diff"
+            - name: Write PR body template
+              uses: https://github.com/DamianReeves/write-file-action@v1.3
+              with:
+                path: pr_body.template
+                contents: |
+                    - The following Nix Flake inputs were updated:
 
-            ```
+                    ```
-            {{ env.GIT_COMMIT_MESSAGE }}
+                    ${{ env.UPDATE_LOG }}
-            ```
+                    ```
 
-            ```
+                    ```
-            {{ env.POSTDIFF }}
+                    ${{ steps.read_file.outputs.contents }}
-            ```
+                    ```
-          pr-labels: |                  # Labels to be set on the PR
+
-            dependencies
+                    Auto-generated by [update.yml][1] with the help of
-            automated
+                    [create-pull-request][2].
+
+                    [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
+                    [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
+            - name: Generate PR body
+              uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
+              with:
+                files: "pr_body.template"
+                output-filename: "pr_body.md"
+            - name: Save PR body
+              id: pr_body
+              uses: juliangruber/read-file-action@v1
+              with:
+                path: "pr_body.md"
+            - name: Remove temporary files
+              run: |
+                rm pr_body.template
+                rm pr_body.md
+                rm pre.json
+                rm post.json
+                rm post-diff
+            - name: Create Pull Request
+              id: create-pull-request
+              # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
+              uses: https://nayeonie.com/ahuston-0/create-pull-request@main
+              with:
+                token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
+                body: ${{ steps.pr_body.outputs.content }}
+                author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
+                title: 'automated: Update `flake.lock`'
+                commit-message: |
+                    automated: Update `flake.lock`
+
+                    ${{ steps.pr_body.outputs.content }}
+                branch: update-flake-lock
+                delete-branch: true
+                pr-labels: | # Labels to be set on the PR
+                    dependencies
+                    automated
+            - name: Push to Attic
+              run: nix ./utils/attic-push.bash
+              continue-on-error: true
+            - name: Print PR number
+              run: |
+                echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
+                echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 permissions:
-  pull-requests: write
+    pull-requests: write
-  contents: write
+    contents: write

.github/workflows/lock-health-checks.yml

@@ -1,17 +1,16 @@
 name: "Check flake.lock"
 on:
-  push:
+    push:
-    branches: ["main"]
+        branches: ["main"]
-  pull_request:
+    pull_request:
-    branches: ["main"]
+        branches: ["main"]
-  merge_group:
+    merge_group:
-
 jobs:
-  health-check:
+    health-check:
-    name: "Check health of `flake.lock`"
+        name: "Check health of `flake.lock`"
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-    steps:
+        steps:
-      - uses: actions/checkout@v4
+            - uses: actions/checkout@v4
-      - uses: DeterminateSystems/flake-checker-action@main
+            - uses: DeterminateSystems/flake-checker-action@main
-        with:
+              with:
-          fail-mode: true
+                fail-mode: true

.github/workflows/nix-fmt.yml

@@ -1,17 +1,25 @@
 name: "Check Nix formatting"
 on:
-  push:
+    push:
-    branches: ["main"]
+        branches: ["main"]
-  pull_request:
+    pull_request:
-    branches: ["main"]
+        branches: ["main"]
-  merge_group:
+    merge_group:
-
 jobs:
-  health-check:
+    health-check:
-    name: "Perform Nix format checks"
+        name: "Perform Nix format checks"
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-    steps:
+        steps:
-      - uses: DeterminateSystems/nix-installer-action@main
+            - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+            - name: Setup Attic cache
-      - uses: actions/checkout@v4
+              uses: ryanccn/attic-action@v0
-      - run: nix fmt -- --check .
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - uses: actions/checkout@v4
+            - run: nix fmt -- --check .
+            - name: Push to Attic
+              run: nix ./utils/attic-push.bash
+              continue-on-error: true

.sops.yaml

@@ -1,85 +1,46 @@
 keys:
-  # The PGP keys in keys/
+    # The PGP keys in keys/
-  - &admin_alice F63832C3080D6E1AC77EECF80B4245FFE305BC82
+    - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
-  - &admin_richie 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
+    # Generate AGE keys from SSH keys with:
-
+    #   ssh-keygen -A
-  # Generate AGE keys from SSH keys with:
+    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
-  #   ssh-keygen -A
+    # cspell:disable
-  #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+    - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
-  # cspell:disable
+    - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
-  - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
+    #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
-  - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
+    - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
-  - &bob age13jg97cvy63fzd2ccthcwvfyyxzw5vmwun8s0afq5l4xm0mhl6pjqhne063
+    # cspell:enable
-  - &jeeves age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
-  - &jeeves-jr age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
-  - &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
-  - &rhapsody-in-green age1c7adjulcrma0m7l5ur8efxdjzyskrqcwssfkt77a9rmma7gzss5q02pgmy
-  # cspell:enable
-
-admins: &admins
-  - *admin_alice
-  - *admin_richie
-
 servers: &servers
-  - *jeeves
+    - *palatine-hill
-  - *jeeves-jr
-  - *palatine-hill
-
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
 # update keys by executing: sops updatekeys secrets.yaml
 # note: add .* before \.yaml if you'd like to use the mergetool config
 creation_rules:
-  - path_regex: systems/jeeves/secrets\.yaml$
+    - path_regex: users/alice/secrets.*\.yaml$
-    key_groups:
+      key_groups:
-      - pgp: *admins
+        - pgp:
-        age:
+            - *admin_alice
-          - *jeeves
+          age:
-
+            - *palatine-hill
-  - path_regex: systems/jeeves-jr/secrets\.yaml$
+            - *artemision
-    key_groups:
+            - *artemision-home
-      - pgp: *admins
+    - path_regex: systems/palatine-hill/secrets.*\.yaml$
-        age:
+      key_groups:
-          - *jeeves-jr
+        - pgp:
-
+            - *admin_alice
-  - path_regex: users/alice/secrets.*\.yaml$
+          age:
-    key_groups:
+            - *palatine-hill
-      - pgp:
+    - path_regex: systems/artemision/secrets.*\.yaml$
-          - *admin_alice
+      key_groups:
-        age:
+        - pgp:
-          - *palatine-hill
+            - *admin_alice
-          - *jeeves
+          age:
-          - *jeeves-jr
+            - *artemision
-          - *artemision
+    - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
-          - *artemision-home
+      key_groups:
-
+        - pgp:
-  - path_regex: systems/palatine-hill/secrets.*\.yaml$
+            - *admin_alice
-    key_groups:
+          age:
-      - pgp: *admins
+            - *palatine-hill
-        age:
-          - *palatine-hill
-
-  - path_regex: systems/palatine-hill/keys/zfs-.*-key$
-    key_groups:
-      - pgp: *admins
-        age:
-          - *palatine-hill
-
-  - path_regex: systems/artemision/secrets.*\.yaml$
-    key_groups:
-      - pgp:
-          - *admin_alice
-        age:
-          - *artemision
-
-  - path_regex: users/richie/secrets\.yaml$
-    key_groups:
-      - pgp:
-          - *admin_richie
-        age:
-          - *palatine-hill
-          - *jeeves
-          - *jeeves-jr
-          - *rhapsody-in-green
-          - *bob

.vscode/settings.json

@@ -1,5 +1,7 @@
 {
-  "cSpell.enableFiletypes": ["nix"],
+  "cSpell.enableFiletypes": [
+    "nix"
+  ],
   "cSpell.words": [
     "aarch",
     "abmlevel",

docs/CONTRIBUTING.md

@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
 | Branch Name      | Use Case                                                                                                                                                                                                                      |
 |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | main             | protected branch which all machines pull from, do not try to push directly                                                                                                                                                    |
-| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
+| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
-| fixup/\<item\>   | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
+| fixup/\<item>   | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
-| hotfix/\<item\>  | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
+| hotfix/\<item>  | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
-| urgent/\<item\>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
+| urgent/\<item>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
-| exp/\<item\>     | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
+| exp/\<item>     | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
-| merge/\<item\>   | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
+| merge/\<item>   | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
 
 ### Review Process
 
@@ -94,11 +94,11 @@ rules.
   PR has been tested on at least one machine
    - Issues which bypass the quorum process must have a second reviewer tagged
    - All critical issues which bypass the approval process must have an RCA issue
-    opened and the RCA logged into the `inc/` folder
+     opened and the RCA logged into the `inc/` folder
    - The second reviewer has 2 weeks to retroactively review and approve the PR
    - If the retro does not happen in the given window, an issue shall be opened
-    to either re-review the PR or to revert and replace the fix with a
+     to either re-review the PR or to revert and replace the fix with a
-    permanent solution
+     permanent solution
 - Critical issues must be tagged to `Nix Flake Features` project, and must have
   a priority of `High` and an estimate tagged. Start and end date are not needed
 

docs/sample-setup.sh

@@ -1,9 +1,9 @@
 #!/usr/bin/env nix
 #! nix shell nixpkgs#bash nixpkgs#git --command bash
 
-set -o errexit   # abort on nonzero exitstatus
+set -o errexit  # abort on nonzero exitstatus
-set -o nounset   # abort on unbound variable
+set -o nounset  # abort on unbound variable
-set -o pipefail  # don't hide errors within pipes
+set -o pipefail # don't hide errors within pipes
 
 PROCEED="N"
 
@@ -50,60 +50,58 @@ GITBASE="systems"
 FEATUREBRANCH="feature/adding-$MACHINENAME"
 
 if [ $PROCEED != "Y" ]; then
-    echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
+  echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 
-
-
 if [ $CREATEPARTS = "Y" ]; then
-    # Create partition table
+  # Create partition table
-    sudo parted "/dev/$DRIVE" -- mklabel gpt
+  sudo parted "/dev/$DRIVE" -- mklabel gpt
 
-    # Create boot part
+  # Create boot part
-    sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
+  sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
-    sudo parted "/dev/$DRIVE" -- set 1 esp on
+  sudo parted "/dev/$DRIVE" -- set 1 esp on
-    sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
+  sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
 
-    # Create luks part
+  # Create luks part
-    sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
+  sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
-    sudo parted "/dev/$DRIVE" -- set 2 lvm on
+  sudo parted "/dev/$DRIVE" -- set 2 lvm on
-    
-    LUKSPART="nixos-pv"
-    sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
-    sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
 
-    # Create lvm part
+  LUKSPART="nixos-pv"
-    sudo pvcreate "/dev/mapper/$LUKSPART"
+  sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
-    sudo pvresize "/dev/mapper/$LUKSPART"
+  sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
-    sudo pvdisplay
 
-    # Create volume group
+  # Create lvm part
-    sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
+  sudo pvcreate "/dev/mapper/$LUKSPART"
-    sudo vgchange -a y "$VOLGROUP"
+  sudo pvresize "/dev/mapper/$LUKSPART"
-    sudo vgdisplay
+  sudo pvdisplay
 
-    # Create swap part on LVM
+  # Create volume group
-    if [ $SWAPSIZE != 0 ]; then
+  sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
-        sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
+  sudo vgchange -a y "$VOLGROUP"
-        sudo mkswap -L NIXSWAP -c "$SWAPPATH"
+  sudo vgdisplay
-    fi
 
-    # Create home part on LVM, leaving plenty of room for snapshots
+  # Create swap part on LVM
-    sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
+  if [ $SWAPSIZE != 0 ]; then
-    sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
+    sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
+    sudo mkswap -L NIXSWAP -c "$SWAPPATH"
+  fi
 
-    # Create root part on LVM, keeping in mind most data will be on /home or /nix
+  # Create home part on LVM, leaving plenty of room for snapshots
-    sudo lvcreate -L 5G "$VOLGROUP" -n root
+  sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
-    sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
+  sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
 
-    # Create nix part on LVM
+  # Create root part on LVM, keeping in mind most data will be on /home or /nix
-    sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
+  sudo lvcreate -L 5G "$VOLGROUP" -n root
-    sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
+  sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
 
-    sudo lvdisplay
+  # Create nix part on LVM
+  sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
+  sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
 
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  sudo lvdisplay
+
+  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 
 # Mount partitions
@@ -116,7 +114,7 @@ sudo mount $BOOTPART /mnt/boot
 
 # Enable swap if SWAPSIZE is non-zero
 if [ $SWAPSIZE != 0 ]; then
-    sudo swapon "/dev/$VOLGROUP/swap"
+  sudo swapon "/dev/$VOLGROUP/swap"
 fi
 
 # Clone the repo
@@ -135,31 +133,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
 cat "$DOTS/id_ed25519_ghdeploy.pub"
 
 if [ $SOPS == "Y" ]; then
-    # Create ssh host-keys
+  # Create ssh host-keys
-    sudo ssh-keygen -A
+  sudo ssh-keygen -A
-    sudo mkdir -p /mnt/etc/ssh
+  sudo mkdir -p /mnt/etc/ssh
-    sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
+  sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
 
-    # Get line where AGE comment is and insert new AGE key two lines down
+  # Get line where AGE comment is and insert new AGE key two lines down
-    AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
+  AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
-    AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
+  AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
-    sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
 
-    # Add server name
+  # Add server name
-    SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
 
-    # Add creation rules
+  # Add creation rules
-    CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    # TODO: below was not working when last attempted
+  # TODO: below was not working when last attempted
-    read -r -d '' PATHRULE <<-EOF
+  read -r -d '' PATHRULE <<-EOF
   - path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
     key_groups:
       - pgp: *$OWNERORADMINS
         age:
           - *$MACHINENAME
 EOF
-    sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
 fi
 
 read -r -p "press enter to continue"

flake.lock

@@ -1,53 +1,69 @@
 {
   "nodes": {
-    "attic": {
+    "base16": {
       "inputs": {
-        "crane": "crane",
+        "fromYaml": "fromYaml"
-        "flake-compat": [
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixpkgs-stable"
-        ]
       },
       "locked": {
-        "lastModified": 1722472866,
+        "lastModified": 1732200724,
-        "narHash": "sha256-GJIz4M5HDB948Ex/8cPvbkrNzl/eKUE7/c21JBu4lb8=",
+        "narHash": "sha256-+R1BH5wHhfnycySb7Sy5KbYEaTJZWm1h+LW1OtyhiTs=",
-        "owner": "zhaofengli",
+        "owner": "SenchoPens",
-        "repo": "attic",
+        "repo": "base16.nix",
-        "rev": "e127acbf9a71ebc0c26bc8e28346822e0a6e16ba",
+        "rev": "153d52373b0fb2d343592871009a286ec8837aec",
         "type": "github"
       },
       "original": {
-        "owner": "zhaofengli",
+        "owner": "SenchoPens",
-        "repo": "attic",
+        "repo": "base16.nix",
         "type": "github"
       }
     },
-    "crane": {
+    "base16-fish": {
-      "inputs": {
+      "flake": false,
-        "nixpkgs": [
-          "attic",
-          "nixpkgs"
-        ]
-      },
       "locked": {
-        "lastModified": 1717025063,
+        "lastModified": 1622559957,
-        "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
+        "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
-        "owner": "ipetkov",
+        "owner": "tomyun",
-        "repo": "crane",
+        "repo": "base16-fish",
-        "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
+        "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
         "type": "github"
       },
       "original": {
-        "owner": "ipetkov",
+        "owner": "tomyun",
-        "repo": "crane",
+        "repo": "base16-fish",
+        "type": "github"
+      }
+    },
+    "base16-helix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1736852337,
+        "narHash": "sha256-esD42YdgLlEh7koBrSqcT7p2fsMctPAcGl/+2sYJa2o=",
+        "owner": "tinted-theming",
+        "repo": "base16-helix",
+        "rev": "03860521c40b0b9c04818f2218d9cc9efc21e7a5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-helix",
+        "type": "github"
+      }
+    },
+    "base16-vim": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1732806396,
+        "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=",
+        "owner": "tinted-theming",
+        "repo": "base16-vim",
+        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-vim",
+        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
         "type": "github"
       }
     },
@@ -62,11 +78,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1722917006,
+        "lastModified": 1742773104,
-        "narHash": "sha256-29qBs5HlcegrLP8oQe8T9hHx7u94TEz9ivPwZlorAJU=",
+        "narHash": "sha256-dAhrL+gEjNN5U/Sosy7IrX0Y0qPA0U7Gp9TBhqEliNU=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "8552abe55a4f364d94efb84502a550c2c9c3101c",
+        "rev": "d74460da63a8c08a69a1f143b04f2ab1a6b2f5c2",
         "type": "gitlab"
       },
       "original": {
@@ -76,14 +92,30 @@
         "type": "gitlab"
       }
     },
+    "firefox-gnome-theme": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1741628778,
+        "narHash": "sha256-RsvHGNTmO2e/eVfgYK7g+eYEdwwh7SbZa+gZkT24MEA=",
+        "owner": "rafaelmardojai",
+        "repo": "firefox-gnome-theme",
+        "rev": "5a81d390bb64afd4e81221749ec4bffcbeb5fa80",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rafaelmardojai",
+        "repo": "firefox-gnome-theme",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1733328505,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "revCount": 57,
+        "revCount": 69,
         "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -95,11 +127,33 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1722555600,
+        "lastModified": 1741352980,
-        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "stylix",
+          "nur",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -115,11 +169,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -128,6 +182,69 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": [
+          "stylix",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "fromYaml": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731966426,
+        "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=",
+        "owner": "SenchoPens",
+        "repo": "fromYaml",
+        "rev": "106af9e2f715e2d828df706c386a685698f3223b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "SenchoPens",
+        "repo": "fromYaml",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": [
+          "stylix",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "stylix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1741379162,
+        "narHash": "sha256-srpAbmJapkaqGRE3ytf3bj4XshspVR5964OX5LfjDWc=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "b5a62751225b2f62ff3147d0a334055ebadcd5cc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
@@ -149,6 +266,45 @@
         "type": "github"
       }
     },
+    "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "stylix",
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "gnome-shell": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1732369855,
+        "narHash": "sha256-JhUWbcYPjHO3Xs3x9/Z9RuqXbcp5yhPluGjwsdE2GMg=",
+        "owner": "GNOME",
+        "repo": "gnome-shell",
+        "rev": "dadd58f630eeea41d645ee225a63f719390829dc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "GNOME",
+        "ref": "47.2",
+        "repo": "gnome-shell",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -156,11 +312,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722936497,
+        "lastModified": 1742771635,
-        "narHash": "sha256-UBst8PkhY0kqTgdKiR8MtTBt4c1XmjJoOV11efjsC/o=",
+        "narHash": "sha256-HQHzQPrg+g22tb3/K/4tgJjPzM+/5jbaujCZd8s2Mls=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "a6c743980e23f4cef6c2a377f9ffab506568413a",
+        "rev": "ad0614a1ec9cce3b13169e20ceb7e55dfaf2a818",
         "type": "github"
       },
       "original": {
@@ -176,11 +332,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722636442,
+        "lastModified": 1742213523,
-        "narHash": "sha256-+7IS0n3/F0I5j6ZbrVlLcIIPHY3o+/vLAqg/G48sG+w=",
+        "narHash": "sha256-I8JVdQRu8eWvY5W8XWYZkdd5pojDHkxeqQV7mMIsbhs=",
         "owner": "hyprwm",
         "repo": "contrib",
-        "rev": "9d67858b437d4a1299be496d371b66fc0d3e01f6",
+        "rev": "bd81329944be53b0ffb99e05864804b95f1d7c65",
         "type": "github"
       },
       "original": {
@@ -189,28 +345,6 @@
         "type": "github"
       }
     },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "system_tools",
-          "poetry2nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1703863825,
-        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
     "nix-index-database": {
       "inputs": {
         "nixpkgs": [
@@ -218,11 +352,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722740924,
+        "lastModified": 1742701275,
-        "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=",
+        "narHash": "sha256-AulwPVrS9859t+eJ61v24wH/nfBEIDSXYxlRo3fL/SA=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "97ca0a0fca0391de835f57e44f369a283e37890f",
+        "rev": "36dc43cb50d5d20f90a28d53abb33a32b0a2aae6",
         "type": "github"
       },
       "original": {
@@ -233,11 +367,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1722732880,
+        "lastModified": 1736643958,
-        "narHash": "sha256-do2Mfm3T6SR7a5A804RhjQ+JTsF5hk4JTPGjCTRM/m8=",
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "8bebd4c74f368aacb047f0141db09ec6b339733c",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
         "type": "github"
       },
       "original": {
@@ -254,11 +388,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722819251,
+        "lastModified": 1742568034,
-        "narHash": "sha256-f99it92NQSZsrZ8AYbiwAUfrtb/ZpZRqUsl4q6rMA5s=",
+        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "c8c3a20b8191819219dba1af79388aa6d555f634",
+        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
         "type": "github"
       },
       "original": {
@@ -269,11 +403,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1722332872,
+        "lastModified": 1742806253,
-        "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=",
+        "narHash": "sha256-zvQ4GsCJT6MTOzPKLmlFyM+lxo0JGQ0cSFaZSACmWfY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "14c333162ba53c02853add87a0000cbd7aa230c2",
+        "rev": "ecaa2d911e77c265c2a5bac8b583c40b0f151726",
         "type": "github"
       },
       "original": {
@@ -289,15 +423,14 @@
         ],
         "nixpkgs": [
           "nixpkgs"
-        ],
+        ]
-        "search": "search"
       },
       "locked": {
-        "lastModified": 1722894082,
+        "lastModified": 1742419596,
-        "narHash": "sha256-TEJNZ/8er454mMv+YyLjWpz3yTPuSi6Nq+Tg0N8E80M=",
+        "narHash": "sha256-+Bw1HR4oX6vUbCMhwWbW+Nr20F+UesNdUd7b17s3ESE=",
         "owner": "SuperSandro2000",
         "repo": "nixos-modules",
-        "rev": "b871b68e76b092dfbc6fad38a8ebea99893be498",
+        "rev": "82491ff311152b87fe7cfbdaf545f727e0750aa9",
         "type": "github"
       },
       "original": {
@@ -308,73 +441,71 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1722813957,
+        "lastModified": 1742800061,
-        "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
+        "narHash": "sha256-oDJGK1UMArK52vcW9S5S2apeec4rbfNELgc50LqiPNs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
+        "rev": "1750f3c1c89488e2ffdd47cab9d05454dddfb734",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-unstable-small",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1722555339,
+        "lastModified": 1740877520,
-        "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
-        "type": "tarball",
+        "owner": "nix-community",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
+        "repo": "nixpkgs.lib",
+        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
+        "owner": "nix-community",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
+        "repo": "nixpkgs.lib",
+        "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1722869614,
+        "lastModified": 1742751704,
-        "narHash": "sha256-7ojM1KSk3mzutD7SkrdSflHXEujPvW1u7QuqWoTLXQU=",
+        "narHash": "sha256-rBfc+H1dDBUQ2mgVITMGBPI1PGuCznf9rcWX/XIULyE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "883180e6550c1723395a3a342f830bfc5c371f6b",
+        "rev": "f0946fa5f1fb876a9dc2e1850d9d3a4e3f914092",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "poetry2nix": {
+    "nur": {
       "inputs": {
-        "flake-utils": [
+        "flake-parts": "flake-parts_2",
-          "system_tools",
-          "flake-utils"
-        ],
-        "nix-github-actions": "nix-github-actions",
         "nixpkgs": [
-          "system_tools",
+          "stylix",
           "nixpkgs"
         ],
-        "systems": "systems",
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1723343306,
+        "lastModified": 1741693509,
-        "narHash": "sha256-/6sRkPq7/5weX2y0V8sQ29Sz35nt8kyj+BsFtkhgbJE=",
+        "narHash": "sha256-emkxnsZstiJWmGACimyAYqIKz2Qz5We5h1oBVDyQjLw=",
         "owner": "nix-community",
-        "repo": "poetry2nix",
+        "repo": "NUR",
-        "rev": "4a1c112ff0c67f496573dc345bd0b2247818fc29",
+        "rev": "5479646b2574837f1899da78bdf9a48b75a9fb27",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "repo": "poetry2nix",
+        "repo": "NUR",
         "type": "github"
       }
     },
@@ -386,17 +517,14 @@
         "gitignore": "gitignore",
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixpkgs-stable"
         ]
       },
       "locked": {
-        "lastModified": 1722857853,
+        "lastModified": 1742649964,
-        "narHash": "sha256-3Zx53oz/MSIyevuWO/SumxABkrIvojnB7g9cimxkhiE=",
+        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "06939f6b7ec4d4f465bf3132a05367cccbbf64da",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
         "type": "github"
       },
       "original": {
@@ -407,7 +535,6 @@
     },
     "root": {
       "inputs": {
-        "attic": "attic",
         "firefox-addons": "firefox-addons",
         "flake-compat": "flake-compat",
         "flake-parts": "flake-parts",
@@ -423,7 +550,7 @@
         "pre-commit-hooks": "pre-commit-hooks",
         "rust-overlay": "rust-overlay",
         "sops-nix": "sops-nix",
-        "system_tools": "system_tools",
+        "stylix": "stylix",
         "systems": "systems_2",
         "wired-notify": "wired-notify"
       }
@@ -435,11 +562,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722910815,
+        "lastModified": 1742783666,
-        "narHash": "sha256-v6Vk/xlABhw2QzOa6xh3Jx/IvmlbKbOazFM+bDFQlWU=",
+        "narHash": "sha256-IwdSl51NL6V0f+mYXZR0UTKaGleOsk9zV3l6kt5SUWw=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "7df2ac544c203d21b63aac23bfaec7f9b919a733",
+        "rev": "60766d63c227d576510ecfb5edd3a687d56f6bc7",
         "type": "github"
       },
       "original": {
@@ -448,46 +575,18 @@
         "type": "github"
       }
     },
-    "search": {
-      "inputs": {
-        "flake-utils": [
-          "nixos-modules",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixos-modules",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1722493084,
-        "narHash": "sha256-ktjl908zZKWcGdMyz6kX1kHSg7LFFGPYBvTi9FgQleM=",
-        "owner": "nuschtos",
-        "repo": "search",
-        "rev": "3f5abffa5f28b4ac3c9212c81c5e8d2d22876071",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nuschtos",
-        "repo": "search",
-        "type": "github"
-      }
-    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixpkgs-stable"
         ]
       },
       "locked": {
-        "lastModified": 1722897572,
+        "lastModified": 1742700801,
-        "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
+        "narHash": "sha256-ZGlpUDsuBdeZeTNgoMv+aw0ByXT2J3wkYw9kJwkAS4M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
+        "rev": "67566fe68a8bed2a7b1175fdfb0697ed22ae8852",
         "type": "github"
       },
       "original": {
@@ -496,27 +595,44 @@
         "type": "github"
       }
     },
-    "system_tools": {
+    "stylix": {
       "inputs": {
-        "flake-utils": [
+        "base16": "base16",
-          "flake-utils"
+        "base16-fish": "base16-fish",
+        "base16-helix": "base16-helix",
+        "base16-vim": "base16-vim",
+        "firefox-gnome-theme": "firefox-gnome-theme",
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "flake-utils": "flake-utils_2",
+        "git-hooks": "git-hooks",
+        "gnome-shell": "gnome-shell",
+        "home-manager": [
+          "home-manager"
         ],
         "nixpkgs": [
           "nixpkgs"
         ],
-        "poetry2nix": "poetry2nix"
+        "nur": "nur",
+        "systems": "systems",
+        "tinted-foot": "tinted-foot",
+        "tinted-kitty": "tinted-kitty",
+        "tinted-schemes": "tinted-schemes",
+        "tinted-tmux": "tinted-tmux",
+        "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1723392261,
+        "lastModified": 1742753562,
-        "narHash": "sha256-Csa4yuYWcB3aLf7VP14v+Mp0lRzOOCCt9BdmAeeQcYU=",
+        "narHash": "sha256-EBXgl3sPi5AQUM58XGuuC8HQl/Df+Dbt6pOLInInJ/k=",
-        "owner": "RAD-Development",
+        "owner": "danth",
-        "repo": "system_tools",
+        "repo": "stylix",
-        "rev": "51bcc923b2b3cfb832b05687a01805c5a905b0c9",
+        "rev": "d9df91c55643a8b5229a3ae3a496a30f14965457",
         "type": "github"
       },
       "original": {
-        "owner": "RAD-Development",
+        "owner": "danth",
-        "repo": "system_tools",
+        "repo": "stylix",
         "type": "github"
       }
     },
@@ -530,8 +646,9 @@
         "type": "github"
       },
       "original": {
-        "id": "systems",
+        "owner": "nix-systems",
-        "type": "indirect"
+        "repo": "default",
+        "type": "github"
       }
     },
     "systems_2": {
@@ -549,20 +666,102 @@
         "type": "github"
       }
     },
+    "tinted-foot": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1726913040,
+        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
+        "owner": "tinted-theming",
+        "repo": "tinted-foot",
+        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-foot",
+        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
+        "type": "github"
+      }
+    },
+    "tinted-kitty": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1716423189,
+        "narHash": "sha256-2xF3sH7UIwegn+2gKzMpFi3pk5DlIlM18+vj17Uf82U=",
+        "owner": "tinted-theming",
+        "repo": "tinted-kitty",
+        "rev": "eb39e141db14baef052893285df9f266df041ff8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-kitty",
+        "rev": "eb39e141db14baef052893285df9f266df041ff8",
+        "type": "github"
+      }
+    },
+    "tinted-schemes": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1741468895,
+        "narHash": "sha256-YKM1RJbL68Yp2vESBqeZQBjTETXo8mCTTzLZyckCfZk=",
+        "owner": "tinted-theming",
+        "repo": "schemes",
+        "rev": "47c8c7726e98069cade5827e5fb2bfee02ce6991",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "schemes",
+        "type": "github"
+      }
+    },
+    "tinted-tmux": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1740877430,
+        "narHash": "sha256-zWcCXgdC4/owfH/eEXx26y5BLzTrefjtSLFHWVD5KxU=",
+        "owner": "tinted-theming",
+        "repo": "tinted-tmux",
+        "rev": "d48ee86394cbe45b112ba23ab63e33656090edb4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-tmux",
+        "type": "github"
+      }
+    },
+    "tinted-zed": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1725758778,
+        "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=",
+        "owner": "tinted-theming",
+        "repo": "base16-zed",
+        "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-zed",
+        "type": "github"
+      }
+    },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [
-          "system_tools",
+          "stylix",
-          "poetry2nix",
+          "nur",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1719749022,
+        "lastModified": 1733222881,
-        "narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
+        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
+        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
         "type": "github"
       },
       "original": {
@@ -584,11 +783,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1721535277,
+        "lastModified": 1730615238,
-        "narHash": "sha256-A6qIy2n3aomj5XooUmqz0s3G/A44Y3+GoFrGxIOolIM=",
+        "narHash": "sha256-u/ZGtyEUvAkFOBgLo2YldOx0GKjE3/esWpWruRD376E=",
         "owner": "Toqozz",
         "repo": "wired-notify",
-        "rev": "d079126c43f22179650f3d4c59f580c5993b9217",
+        "rev": "1632418aa15889343028261663e81d8b5595860e",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,22 +1,21 @@
 {
-  description = "NixOS configuration for RAD-Development Servers";
+  description = "NixOS configuration for my machines";
 
   nixConfig = {
     substituters = [
       "https://cache.nixos.org/?priority=1&want-mass-query=true"
-      "https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
       "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
+      "https://attic.nayeonie.com/nix-cache"
     ];
     trusted-substituters = [
       "https://cache.nixos.org"
-      "https://attic.alicehuston.xyz/cache-nix-dot"
       "https://nix-community.cachix.org"
+      "https://attic.nayeonie.com/nix-cache"
     ];
     trusted-public-keys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-      "cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
-      "cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
     ];
     trusted-users = [ "root" ];
   };
@@ -25,19 +24,21 @@
     flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
     flake-parts.url = "github:hercules-ci/flake-parts";
     nixos-hardware.url = "github:NixOS/nixos-hardware";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
+    #nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
     systems.url = "github:nix-systems/default";
 
-    attic = {
+    # attic = {
-      url = "github:zhaofengli/attic";
+    #   url = "github:zhaofengli/attic";
-      inputs = {
+    #   inputs = {
-        nixpkgs.follows = "nixpkgs";
+    #     nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
+    #     nixpkgs-stable.follows = "nixpkgs-stable";
-        flake-compat.follows = "flake-compat";
+    #     flake-compat.follows = "flake-compat";
-        flake-utils.follows = "flake-utils";
+    #     flake-parts.follows = "flake-parts";
-      };
+    #   };
-    };
+    # };
 
     firefox-addons = {
       url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@@ -84,7 +85,6 @@
       url = "github:cachix/git-hooks.nix";
       inputs = {
         nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
         flake-compat.follows = "flake-compat";
       };
     };
@@ -100,15 +100,15 @@
       url = "github:Mic92/sops-nix";
       inputs = {
         nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
       };
     };
 
-    system_tools = {
+    stylix = {
-      url = "github:RAD-Development/system_tools";
+      url = "github:danth/stylix";
       inputs = {
+        flake-compat.follows = "flake-compat";
+        home-manager.follows = "home-manager";
         nixpkgs.follows = "nixpkgs";
-        flake-utils.follows = "flake-utils";
       };
     };
 
@@ -150,17 +150,22 @@
     rec {
       inherit lib; # for allowing use of custom functions in nix repl
 
-      hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
+      #hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
       formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
 
-      nixosConfigurations = genSystems inputs src (src + "/systems");
+      nixosConfigurations = genSystems inputs outputs src (src + "/systems");
       images = {
         install-iso = getImages nixosConfigurations "install-iso";
         iso = getImages nixosConfigurations "iso";
         qcow = getImages nixosConfigurations "qcow";
       };
 
+      packages.x86_64-linux.lego-latest =
+        nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
+          { };
+
       checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
       devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
+
     };
 }

keys/richie.asc

@@ -1,67 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGQ4gGgBEAC2s0Q4nQ5aTlpTg4u/Hl9gq56IAGoUW9wlgEoStHXyA1WziY2s
-1pt45l4Q6kORswXoXv0ULTWBQAGponjY3l+HNm+B0XMr6EogjV/EP/UCyEi8zpqs
-PaoJiB95s8rTsh+E7GzWR8KDhazOrGFY+QQOsTWEhLF8jkISd9aC05pf+WnKyxLC
-wFjNFXRWUgPKyKPWIUd3SJP2IH6rSSkp7SMCAUiteQx2c43thnr4c/wcfGANKbFO
-PhYrkTJKSqt38NoFtNB/Eo/MaVwdEnTMmeovF9sA2s0SLat8+FngSEcIXvL5UpA4
-K73+lOQUROWFju7LrIyOhksSZXyQvP+64PxfpbtHadH6wQ4Ckz0GYIYnDQ1q66dh
-OKQq9efIlxb7ky47qXRMY8u6d2d4bceLM4a24lYajZ70HZTEF4hy5KCMd8DAmAzU
-WLCkaz6SQVDsme60jH3Mavd18B8HZ1d5Vi75hNaylMRtq7o6IA60NnVXh07U+Zto
-n8QOze0JqO/GaM7FzfijfsW670j//FSu5wUGnBYprBz7SFh2nCy/XPZYThtHtPbI
-YeESs8WZtqkfs4RpmMkOKcTLNiTFXIsCqHIhR8lDnJl+skEMxg7L8FF2txph4ssU
-BZ6dAbFy8KsH+2Sr2qfK0yHOVs37ymv+/WaxC0d+QpLAupRhzL+s2kIYGQARAQAB
-tB9SaWNoaWUgPFJpY2hpZUB0bW13b3Jrc2hvcC5jb20+iQJOBBMBCAA4FiEEKfUB
-fJXZ5gsbHoQHBysOC4MS3+MFAmQ4gGgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC
-F4AACgkQBysOC4MS3+PnKA//YUDZbuaas5MIWRqZsh02GEXVX4n727JP4iqZU4R0
-Cndq7KCl+8XJ9RqmpRZab1FhEj/DQZYisKvloMvBop4q1XLLkabaQF5NsbDvIQG6
-5TgbeSUmVWP6JS4Ka05FKIEwjKFS6ogbd1tscVs50zFWW+veewWMwwQF1mw+N5wx
-LsnHRDIBPOj8Z+p07fyYlP2RMtqdjUqHOtDBiAvbFaXd1huEHd6H2bhnVLaxsJUf
-EEGu92ND0GgW2tDrJIL+bNhZfsnHZEZPyruLZXcwW0JIyLf+sgob/iY0duDH1JDS
-ty5tS3ke9O3Q56mPogHP7jlMwtVHzQQPlviVtNvYhRamb5hUDc9Qu9uXNM0HOWdg
-MI5KE1xbdjz1OmymakfcfbVcSz1vu3k4XpqChiKt+psw8BnHGcguPchetkroCJcM
-OLwnCoKH3TFxZfaZQGPDhHCGU484Nj1M/wHo9RcoWtrPWz+Y7W0U+47EdmGM1Vpl
-9hIoXqjEWENz6Ph5DD0vxMptQPrRfmtLiJsWxAJRS9MH+ZWXxjJ2byKXiEHdR7la
-Xgj8ejtzaZB04Ow9+zptFH6nwTygGGodcRkYYFtYSS7C46aihvMRLj68uHB2yC2b
-zYutMtU6eregDaWiAeGycZcanGnU36JDifjaCF84oty6a3EpfdGCc9KkHk1Is+sR
-TVe5Ag0EZDiAaAEQANy3ekveJexjqdhWmGjqF1rp90uWYJeVwg0Dlc621SNEzrfu
-suC1BEHC2xdZz85yPbfdUPThAn/AmaMYlNIvzXmsGJdfIIsL7ZT+K6K+9ClbFhR8
-eIZZjhpSOMwLEfNroyZPcOwEua9bSr3mwU+i2ED+dCKcxG4/wAtmeK2PNOz0t0/F
-umLHW9Zk8YZBVSq7sGZ77TBi7GHOVzR/3wWy0qXgVMSQXtmOoDCmd1B1pD/BOkBA
-2iI4spRLiDPW3XVDeAGydYPPEIXtFax7ZCs4BhjT4witJ2110fddrAh6e48yU4Hn
-ca5F+QD6hVvUgHmdM/9GMqYf2mMC8tqNQf33Ib148zIhtQN5OtDz/sce5Xj8rk0j
-HUuZ3E0jViK72ZRnZD46CyIc99ZcLCAhsHZDaMTEDfWX8ToQzA+Ahyth0RMykwhX
-6NPKvOw2VqRK+j6iyYvtDXLmcsR890dzHDJLfrJWCJ0scpeWFvlLkVhQaT3NEqEK
-oUENBFf8zxfTQ7BksyV2ESTwu5xqfYeJ1g1FoTfL30+/W0003K7hoPQuU3ebj3wY
-3mMrG0hgo0iM9wHk83WWt+fDYj09yptGWAgBQNOpRR/0EbwEd74C3UxZQtUmxwPz
-YW2g1GWyEgtA76UJ00TuQHBGklcKtY0IbHKwjn7NwHbYWu67R7Le3+cj3LOVABEB
-AAGJAjYEGAEIACAWIQQp9QF8ldnmCxsehAcHKw4LgxLf4wUCZDiAaAIbDAAKCRAH
-Kw4LgxLf462sEACDweQr1ik35sbw3qlPn3b/d2UYBK+r8G3Pk1RhNra2rFtkRY8Y
-rEAlFeYOCBplsyg8swIClPjKpqIEehMV4X2E0N6WpyPzuOgNP4OPAmJngUYM9uxr
-kcVhYubgp2Hcxk5TkbvHIc31P5ItCl7UUYC3bXf32K5GVeOAxsZBS6elwdxlFteY
-WKjkwoZklPPfce4ctG/phy8dnn+pFMFnyisFFp81R2P+ztdSDLm/U27d8g9cjcWK
-mhZtGox4zf7250p+gIUnlnBdtXIWBaUFidha5qql0/iSsMrhu2m12XaLc5HiubYY
-RNIHcCRitG0Qc/pWVjZAD/bqOTl4/M1AeN7qZ/8Y1II1tCdBZ1MGinKS/3aGjTn5
-RzvYrQeP7YTInyah7MpUTYoxI+VHHeD7hTy/y0GPZBtZ24B/s3ICuMemejILeI8M
-aHj8FmBSXJ3dD8195QyONuQB5hNB3qGhc995KsDK3leCwJc3+MFLZPaEZnB+f+uo
-+pdngVsKH2IAVOtJN+QULmuEFmiEGRAghJwxfA4M92Bn0jSa9KMyTsM41b3zdSVU
-ipnn9FVX7RemSdF/z2SXAczwMLwVjai4j8b/U9O3oc0wrDF4QgrKKKIESlID/0Jf
-QLwhRYHy03r2yENO9lEeTBaSF94HsN1UjrZtzpGx6QTGBohA2RrztXkosLgzBGWP
-FicWCSsGAQQB2kcPAQEHQBlJ0lXDQnpcV7nR/MWPifi0WVTDPe0njjVIHNq/Z/xI
-iQKtBBgBCAAgFiEEKfUBfJXZ5gsbHoQHBysOC4MS3+MFAmWPFicCGwIAgQkQBysO
-C4MS3+N2IAQZFgoAHRYhBAA/2xaaamErUuSen5+R1096JyceBQJljxYnAAoJEJ+R
-1096Jycejy0A/2BmBatOihlxnO1G0U5qy3eiFkzmYKhm9WEW+w461hjuAP40cTMS
-xgnpUzUrsEs6+3Om7TLAa0VAqYLjA8NTVJs6AiPGEACuGgYn4uBzeXGLgHHUmLsY
-25rOajs/zAZnQkMz1epMKJDZ658cIDKyjJ6mLkkBwHwARrMhb38AEphXgyuAtHMN
-mEPRzABZutleW33KCk6zzVLyYVFBDWEI7hIFdNfJcJjXsDX0oGKB/oT5vlU25YgN
-cBAC7q9PGfq/XkeFOz9j3UOXMuzTKmtrX28IiSPqk+IkzeL35otzrG1wsUPLDLRS
-nlmwtnP4oQ50cUvTiDesk3QqPQn+2wPYakMydq7bvUcv/jakCADJq8Lsg4AmUxpQ
-bZNj2Zu/j8g+0KYUTriuQpZHf+mjVoNzwxiDKobMvKNzyNrZwMnZhAcDnCXSHpZL
-KnBcQGpsOjZicA9HodVRdU80DM46MSsncxAN+jwdHUOtCtONP059kF8JegwyevFS
-1hY/6ZTMETtKckWbs2gMTEK48SXF3EQ2jMq8lbD9SccuEi6R19R5qiLwQBgUHawT
-PcirlASclpR2zjLH1/MovxMFykCUUaQgGH0TjCe5X95Y7QdVgw6ocHkSFUsLN8V1
-L3UfOIobFFW6EuRg5urKpljoi20dYsAyorqye9q825RyuWa5oLDtqXshCuOzLy6O
-BgnM2FIvUpxAFmlXlC9eG8bUChfqEakio68Iwl6LUQouDR9gprWcookZV716YBVC
-/IKQxyKTQK+nas4pfaUhYw==
-=in5n
------END PGP PUBLIC KEY BLOCK-----

lib/container-utils.nix

@@ -0,0 +1,43 @@
+{ lib, ... }:
+
+{
+  # Given a attrset of images and a function which generates an image spec,
+  # generates a set of containers (although this could in theory be used for
+  # other things... I'd like to see people try)
+  #
+  # container set must be in the below format
+  # { container-name = {image = "image-uri"; scale = n;}; }
+  # where image-uri gets passed in to the container-spec function as a custom
+  # parameter, and scale is an integer that generates the containers
+  #
+  # container-spec must be a function which accepts two parameter (the
+  # container name and image name) and ideally returns an oci-compliant
+  # container.
+  #
+  # args:
+  # containers: an AttrSet which specifies the imageUri and scale of each
+  #   container
+  # container-spec: a function which produces an oci-compliant container spec
+  #
+  # type:
+  # AttrSet -> (String -> AttrSet -> AttrSet) -> AttrSet
+  createTemplatedContainers =
+    containers: container-spec:
+    builtins.listToAttrs (
+      lib.flatten (
+        lib.mapAttrsToList (
+          name: value:
+          (map (
+            num:
+            let
+              container-name = "${name}-${toString num}";
+            in
+            {
+              name = container-name;
+              value = container-spec container-name value.image;
+            }
+          ) (lib.lists.range 1 value.scale))
+        ) containers
+      )
+    );
+}

lib/default.nix

@@ -3,6 +3,7 @@
   # create rad-dev namespace for lib
   rad-dev = rec {
     systems = import ./systems.nix { inherit lib; };
+    container-utils = import ./container-utils.nix { inherit lib; };
 
     # any(), but checks if any value in the list is true
     #
@@ -56,5 +57,21 @@
     # type:
     # fileList :: Path -> String -> [Path]
     fileList = dir: map (file: dir + "/${file}") (ls dir);
+
+    # reduce an attribute set to a string
+    #
+    # example:
+    # given attrset {host1 = "palatine-hill"; host2 = "jeeves";}
+    # and func (host: hostname: host + " is " + hostname + ", " )
+    # mapAttrsToString would return 'host1 is palatine-hill, host2 is jeeves, '
+    #
+    # args:
+    # func: an function to apply to attrSet to turn each entry into one string
+    # attrSet: an attribute set to reduce
+    #
+    # type:
+    # mapAttrsToString :: AttrSet -> (String -> Any -> String) -> String
+    mapAttrsToString =
+      func: attrSet: (lib.foldl' (cur: next: cur + next) "" (lib.mapAttrsToList func attrSet));
   };
 }

lib/systems.nix

@@ -149,6 +149,7 @@ rec {
       configPath,
       hostname,
       inputs,
+      outputs,
       src,
       users,
       home ? true,
@@ -160,7 +161,12 @@ rec {
     lib.nixosSystem {
       inherit system;
       specialArgs = {
-        inherit inputs server system;
+        inherit
+          inputs
+          outputs
+          server
+          system
+          ;
       };
       modules =
         [
@@ -194,7 +200,7 @@ rec {
   # type:
   # genSystems :: AttrSet -> Path -> Path -> AttrSet
   genSystems =
-    inputs: src: path:
+    inputs: outputs: src: path:
     builtins.listToAttrs (
       map (
         name:
@@ -205,7 +211,12 @@ rec {
           inherit name;
           value = constructSystem (
             {
-              inherit inputs src configPath;
+              inherit
+                inputs
+                outputs
+                src
+                configPath
+                ;
               hostname = name;
             }
             // import configPath { inherit inputs; }

modules/base.nix

@@ -1,6 +1,7 @@
 {
   lib,
   inputs,
+  outputs,
   server,
   system,
   ...
@@ -14,7 +15,7 @@
 
   programs = {
     zsh.enable = true;
-    fish.enable = true;
+    fish.enable = false;
   };
 
   users = {
@@ -26,10 +27,12 @@
     useUserPackages = true;
     sharedModules = [ inputs.sops-nix.homeManagerModules.sops ];
     extraSpecialArgs = {
-      inherit inputs;
+      inherit inputs outputs;
       machineConfig = {
         inherit server system;
       };
     };
   };
+
+  networking.firewall.enable = lib.mkDefault true;
 }

modules/boot.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   libS,
+  pkgs,
   ...
 }:
 
@@ -34,7 +35,6 @@ in
   config.boot = lib.mkIf cfg.default {
     supportedFilesystems = [ cfg.filesystem ];
     tmp.useTmpfs = true;
-    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
     kernelParams =
       [ "nordrand" ]
       ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"

modules/docker.nix

@@ -7,8 +7,13 @@
       extraGroups = [ "docker" ];
       uid = 600;
     };
-    groups.docker-service = {
+    groups = {
-      gid = 600;
+      docker-service = {
+        gid = 600;
+      };
+      haproxy = {
+        gid = 99;
+      };
     };
   };
 

modules/kub_net.nix

@@ -6,7 +6,7 @@ in
   options = {
     services.rad-dev.k3s-net = {
       enable = lib.mkOption {
-        default = true;
+        default = false;
         example = true;
         description = "Whether to enable k3s-net.";
         type = lib.types.bool;

modules/nix.nix

@@ -13,19 +13,15 @@
       connect-timeout = 20;
       substituters = [
         "https://cache.nixos.org/?priority=1&want-mass-query=true"
-        "https://attic.alicehuston.xyz/cache-nix-dot?priority=4&want-mass-query=true"
         "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
       ];
       trusted-substituters = [
         "https://cache.nixos.org"
-        "https://attic.alicehuston.xyz/cache-nix-dot"
         "https://nix-community.cachix.org"
       ];
       trusted-public-keys = [
         "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-        "cache.alicehuston.xyz:SJAm8HJVTWUjwcTTLAoi/5E1gUOJ0GWum2suPPv7CUo=%"
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "cache-nix-dot:Od9KN34LXc6Lu7y1ozzV1kIXZa8coClozgth/SYE7dU="
       ];
       trusted-users = [
         "root"

modules/openssh.nix

@@ -2,6 +2,7 @@
 {
   services.openssh = {
     enable = lib.mkDefault true;
+    openFirewall = lib.mkDefault true;
     fixPermissions = true;
     extraConfig = "StreamLocalBindUnlink yes";
 

modules/plocate.nix

@@ -3,7 +3,7 @@
 {
   services.locate = {
     enable = lib.mkDefault true;
-    localuser = lib.mkDefault null;
+    # localuser = lib.mkDefault null;
     package = lib.mkDefault pkgs.plocate;
   };
 }

modules/update.nix

@@ -4,7 +4,7 @@
     enable = lib.mkDefault true;
     repo.dotfiles = {
       enable = lib.mkDefault true;
-      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
+      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_giteadeploy";
       path = lib.mkDefault /root/dotfiles;
     };
   };
@@ -14,6 +14,6 @@
     flags = [ "--accept-flake-config" ];
     randomizedDelaySec = "1h";
     persistent = true;
-    flake = "github:RAD-Development/nix-dotfiles";
+    flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
   };
 }

pkgs/bitwarden-rofi/default.nix

@@ -0,0 +1,70 @@
+# source: https://github.com/kylesferrazza/nix/blob/288edcd1d34884b9b7083c6d718fbe10febe0623/overlay/bitwarden-rofi.nix
+# TODO https://github.com/mattydebie/bitwarden-rofi/issues/34
+
+{
+  stdenv,
+  lib,
+  fetchFromGitHub,
+  makeWrapper,
+  unixtools,
+  xsel,
+  xclip,
+  wl-clipboard,
+  xdotool,
+  ydotool,
+  bitwarden-cli,
+  rofi,
+  jq,
+  keyutils,
+  libnotify,
+}:
+let
+  bins = [
+    jq
+    bitwarden-cli
+    unixtools.getopt
+    rofi
+    xsel
+    xclip
+    wl-clipboard
+    xdotool
+    ydotool
+    keyutils
+    libnotify
+  ];
+in
+stdenv.mkDerivation {
+  pname = "bitwarden-rofi";
+  version = "git-2024-08-22";
+
+  src = fetchFromGitHub {
+    owner = "mattydebie";
+    repo = "bitwarden-rofi";
+    rev = "8be76fdd647c2bdee064e52603331d8e6ed5e8e2";
+    sha256 = "1h5d21kv8g5g725chn3n0i1frvmsrk3pm67lfxqcg50kympg0wwd";
+  };
+
+  buildInputs = [ makeWrapper ];
+
+  installPhase = ''
+    mkdir -p "$out/bin"
+    install -Dm755 "bwmenu" "$out/bin/bwmenu"
+    install -Dm755 "lib-bwmenu" "$out/bin/lib-bwmenu" # TODO don't put this in bin
+
+    install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi"
+    install -Dm755 -d "$out/usr/share/doc/bitwarden-rofi/img"
+
+    install -Dm644 "README.md" "$out/usr/share/doc/bitwarden-rofi/README.md"
+    install -Dm644 img/* "$out/usr/share/doc/bitwarden-rofi/img/"
+
+    wrapProgram "$out/bin/bwmenu" --prefix PATH : ${lib.makeBinPath bins}
+  '';
+
+  meta = with lib; {
+    description = "Wrapper for Bitwarden and Rofi";
+    homepage = "https://github.com/mattydebie/bitwarden-rofi";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+  };
+
+}

pkgs/lego-latest/default.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  fetchFromGitHub,
+  buildGoModule,
+}:
+
+buildGoModule rec {
+  pname = "lego";
+  version = "4.21.0";
+
+  src = fetchFromGitHub {
+    owner = "go-acme";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-3dSvQfkBNh8Bt10nv4xGplv4iY3gWvDu2EDN6UovSdc=";
+  };
+
+  vendorHash = "sha256-teA6fnKl4ATePOYL/zuemyiVy9jgsxikqmuQJwwA8wE=";
+
+  doCheck = false;
+
+  subPackages = [ "cmd/lego" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X main.version=${version}"
+  ];
+
+  meta = with lib; {
+    description = "Let's Encrypt client and ACME library written in Go";
+    license = licenses.mit;
+    homepage = "https://go-acme.github.io/lego/";
+    maintainers = teams.acme.members;
+    mainProgram = "lego";
+  };
+
+  #passthru.tests.lego = nixosTests.acme;
+}

shell.nix

@@ -45,6 +45,10 @@ forEachSystem (
         treefmt
         statix
         nixfmt-rfc-style
+        jsonfmt
+        mdformat
+        shfmt
+        yamlfmt
       ];
     };
   in

statix.toml

@@ -1,4 +1,4 @@
 disabled = ["empty_pattern"]
-nix_version = '2.23'
+nix_version = '2.25'
 ignore = ['.direnv']
 

systems/artemision/ao3_skins/happy_17th.css

@@ -0,0 +1,438 @@
+#footer .group,
+.post fieldset fieldset,
+fieldset fieldset {
+  background: none;
+}
+
+#header {
+  background: #000 url('https://media.archiveofourown.org/news/milestones/2024-08-seventeen-years-otw/2024-08-seventeen-years-otw-pattern.jpg');
+  background-size: 350px;
+}
+
+#header .heading a,
+#header .primary .dropdown a:focus,
+#header .heading a:visited,
+#main .pagination .current,
+h2 {
+  color: #ffe8b4;
+}
+
+#header .clear,
+#footer {
+  border-color: #191919;
+}
+
+#header .actions a[href="/menu/fandoms"],
+#header .actions a[href="/menu/browse"],
+#header .actions a[href="/menu/search"],
+#header .actions a[href="/menu/about"] {
+  color: #fff;
+}
+
+#footer ul {
+  background: url('https://live.staticflickr.com/7284/9616997915_4194b6c6f7_h.jpg');
+  background-size: 350px;
+}
+
+#footer ul li:nth-child(1) ul,
+#footer ul li:nth-child(2) ul,
+#footer ul li:nth-child(3) ul,
+#footer ul li:nth-child(4) ul {
+  background: rgba(0, 0, 0, 0.0);
+}
+
+#header .primary {
+  background: #8a1a10;
+}
+
+#footer {
+  background: #8a1a10;
+}
+
+input[type="text"],
+textarea,
+select {
+  background: #222;
+  color: #fff;
+}
+
+select:focus {
+  background: #2a2a2a;
+}
+
+option {
+  background: #555;
+  color: #fff;
+}
+
+#work form fieldset.work.meta dl dd.warning.required fieldset,
+#main form fieldset.work.meta dl dd.warning.required fieldset {
+  color: #fff;
+}
+
+#bookmark-form form {
+  background: #2a2a2a;
+  color: #fff;
+}
+
+#error {
+  color: #191919;
+}
+
+fieldset,
+.verbose fieldset {
+  border-color: #404040;
+  background: #191919;
+  border: 1px solid #595959;
+}
+
+.search [role=tooltip] {
+  background: #333;
+  border: 1px solid #666;
+}
+
+#main a:visited {
+  color: #ccc;
+}
+
+#main a.tag:visited:hover {
+  color: #111;
+}
+
+body,
+.group,
+.group .group,
+.region,
+.flash,
+form dl,
+#main .verbose legend,
+.notice,
+ul.notes,
+table,
+th,
+td:hover,
+tr:hover,
+.symbol .question:hover,
+#modal,
+.ui-sortable li,
+.required .autocomplete,
+.autocomplete .notice,
+.system .intro,
+.comment_error,
+.kudos_error,
+div.dynamic,
+.dynamic form,
+#ui-datepicker-div,
+.ui-datepicker table {
+  background: #191919;
+  color: #eee;
+  border-color: #222;
+  outline: #111;
+  box-shadow: none;
+}
+
+#header .actions a:hover,
+#header .actions a:focus,
+#header .dropdown:hover a,
+#header .open a,
+#header .menu,
+#small_login,
+.group.listbox,
+fieldset fieldset.listbox,
+.listbox,
+form blockquote.userstuff,
+input:focus,
+textarea:focus,
+li.relationships a,
+.group.listbox .index,
+.dashboard fieldset fieldset.listbox .index,
+#dashboard a:hover,
+th,
+#dashboard .secondary,
+.secondary,
+.thread .even,
+.system .tweet_list li,
+.ui-datepicker tr:hover {
+  background: #2A2A2A;
+}
+
+a,
+a.tag,
+a:link,
+#header a:visited,
+#header .primary .open a,
+#header .primary .dropdown:hover a,
+#header #search input:focus,
+#header #search input:hover,
+.userstuff h2,
+#dashboard a,
+#dashboard span,
+#dashboard .current,
+.group .heading,
+.filters dt a:hover {
+  color: #fff;
+}
+
+#header .dropdown .menu a:hover,
+#header .dropdown .menu a:focus,
+.splash .favorite li:nth-of-type(odd) a,
+.ui-datepicker td:hover,
+#tos_prompt .heading,
+#tos_prompt [disabled] {
+  background: #111;
+  color: #ffe8b4;
+}
+
+#outer,
+.javascript,
+.statistics .index li:nth-of-type(even),
+#tos_prompt,
+.announcement input[type="submit"] {
+  background: #191919;
+}
+
+#dashboard ul,
+dl.meta,
+.group.listbox,
+fieldset fieldset.listbox,
+#main li.blurb,
+form blockquote.userstuff,
+div.comment,
+li.comment,
+.toggled form,
+form dl dt,
+form.single fieldset,
+#inner .module .heading,
+.bookmark .status span,
+.splash .news li,
+.filters .group dt.bookmarker {
+  border-color: #555;
+}
+
+.group.listbox,
+fieldset fieldset.listbox,
+#main li.blurb,
+.wrapper,
+#dashboard .secondary,
+.secondary,
+form blockquote.userstuff,
+.thread .comment,
+.toggled form {
+  box-shadow: 1px 1px 3px #000;
+}
+
+#dashboard .current,
+.actions a:active,
+a.current,
+.current a:visited,
+span.unread,
+.replied,
+span.claimed,
+dl.index dd,
+.own,
+.draft,
+.draft .unread,
+.child,
+.unwrangled,
+.unreviewed,
+.ui-sortable li:hover {
+  background: #000;
+  border-color: #555;
+  box-shadow: -1px -1px 3px #000;
+}
+
+input,
+textarea {
+  box-shadow: inset 0 1px 2px #000;
+}
+
+li.blurb,
+.blurb .blurb,
+.listbox .index,
+fieldset fieldset.listbox,
+.dashboard .listbox .index {
+  box-shadow: inset 1px 1px 3px #000;
+}
+
+#footer a:hover,
+#footer a:focus,
+.autocomplete .dropdown ul li:hover,
+.autocomplete .dropdown li.selected,
+a.tag:hover,
+.listbox .heading a.tag:visited:hover,
+.symbol .question {
+  background: #ffedc5;
+  border-color: #988352;
+  color: #111;
+}
+
+#header #greeting img,
+#header .user a:hover,
+#header .user a:focus,
+#header fieldset,
+#header form,
+#header p,
+#dashboard a:hover,
+.actions a:hover,
+.actions input:hover,
+.delete a,
+span.delete,
+span.unread,
+.replied,
+span.claimed,
+.draggable,
+.droppable,
+span.requested,
+a.work,
+.blurb h4 a:link,
+.blurb h4 img,
+.splash .module h3,
+.splash .browse li a:before,
+.required,
+.error,
+.comment_error,
+.kudos_error,
+a.cloud7,
+a.cloud8,
+#tos_prompt .heading {
+  color: #ffe8b4;
+}
+
+#greeting .icon,
+#dashboard,
+#dashboard.own,
+.error,
+.comment_error,
+.kudos_error,
+.LV_invalid,
+.LV_invalid_field,
+input.LV_invalid_field:hover,
+input.LV_invalid_field:active,
+textarea.LV_invalid_field:hover,
+textarea.LV_invalid_field:active,
+.qtip-content {
+  border-color: #8a1a10;
+}
+
+.splash .favorite li:nth-of-type(odd) a:hover,
+.splash .favorite li:nth-of-type(odd) a:focus .splash .favorite li:nth-of-type(odd) a:visited:hover,
+.splash .favorite li:nth-of-type(odd) a:visited:focus {
+  background: #ffe8b4;
+  color: #111;
+}
+
+a:visited,
+.actions a:visited,
+.action a:link,
+.action a:visited,
+.listbox .heading a:visited,
+span.series .divider {
+  color: #999;
+}
+
+.actions a,
+.actions a:link,
+.action,
+.action:link,
+.actions input,
+input[type="submit"],
+button,
+.current,
+.actions label,
+#header .actions a,
+#outer .current {
+  background: #555;
+  border-color: #222;
+  color: #eee;
+  box-shadow: inset 0 -8px 4px #232323, inset 0 8px 7px #555;
+  text-shadow: none;
+}
+
+.actions a:hover,
+.actions input:hover,
+#dashboard a:hover,
+.actions a:focus,
+.actions input:focus,
+#dashboard a:focus,
+.actions .disabled select {
+  color: #999;
+  border-color: #000;
+  box-shadow: inset 2px 2px 2px #000;
+}
+
+.actions a:active,
+.current,
+a.current,
+.current a:visited {
+  color: #fff;
+  background: #555;
+  border-color: #fff;
+  box-shadow: inset 1px 1px 3px #191919;
+}
+
+.delete a,
+span.delete {
+  box-shadow: -1px -1px 2px rgba(255,255,255.25);
+}
+
+.actions label.disabled {
+  background: #222;
+  box-shadow: none;
+}
+
+ul.required-tags,
+.bookmark .status span,
+.blurb .icon {
+  opacity: 0.9;
+  border: 0;
+}
+
+#outer .group .heading,
+#header .actions a,
+fieldset.listbox .heading,
+.userstuff .heading {
+  text-shadow: none;
+  color: #fff;
+  background: none;
+}
+
+#header .actions a,
+fieldset fieldset,
+.mce-container button,
+.filters .expander,
+.actions .disabled select {
+  box-shadow: none;
+}
+
+fieldset fieldset.listbox {
+  outline: none;
+}
+
+form dd.required {
+  color: #eee;
+}
+
+.mce-container input:focus {
+  background: #F3EFEC;
+}
+
+.announcement .userstuff a,
+.announcement .userstuff a:link,
+.announcement .userstuff a:visited:hover {
+  color: #111;
+}
+
+.announcement .userstuff a:visited {
+  color: #666;
+}
+
+.announcement .userstuff a:hover,
+.announcement .userstuff a:focus {
+  color: #999;
+}
+
+.event.announcement .userstuff a,
+.filters .expander {
+  color: #eee;
+}
+

systems/artemision/configuration.nix

@@ -6,17 +6,18 @@
 }:
 {
   imports = [
-    ./programs.nix
-    ./desktop.nix
-    ./wifi.nix
-    ./zerotier.nix
-    ./fonts.nix
-    ./polkit.nix
     ./audio.nix
+    ./desktop.nix
     ./fingerprint.nix
-    ./steam.nix
+    ./fonts.nix
     ./graphics.nix
     ./libvirt.nix
+    ./polkit.nix
+    ./programs.nix
+    ./steam.nix
+    ./stylix.nix
+    ./wifi.nix
+    ./zerotier.nix
   ];
 
   time.timeZone = "America/New_York";
@@ -31,7 +32,7 @@
   };
 
   boot = {
-    kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
+    #kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
     useSystemdBoot = true;
     default = true;
   };
@@ -44,6 +45,7 @@
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
   services = {
+    flatpak.enable = true;
     calibre-web = {
       enable = true;
       listen = {
@@ -70,20 +72,9 @@
         }) { inherit (pkgs) system; }).fwupd;
     };
 
-    fprintd.enable = true;
+    fprintd.enable = lib.mkForce false;
     openssh.enable = lib.mkForce false;
 
-    spotifyd = {
-      enable = true;
-      settings = {
-        global = {
-          username = "snowinginwonderland@gmail.com";
-          password_cmd = "cat ${config.sops.secrets."apps/spotify".path}";
-          use_mpris = false;
-        };
-      };
-      #systemd.services.spotifyd.serviceConfig = systemd.services.spotifyd.
-    };
     rad-dev.yubikey = {
       enable = true;
       enable-desktop-app = true;
@@ -92,17 +83,22 @@
 
   users.users.alice.extraGroups = [ "calibre-web" ];
 
-  system.autoUpgrade.enable = false;
   system.stateVersion = "24.05";
 
+  programs.adb.enable = true;
+
+  environment.variables = {
+    "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
+  };
+
   sops = {
     defaultSopsFile = ./secrets.yaml;
-    secrets = {
+    #secrets = {
-      "apps/spotify" = {
+    #  "apps/spotify" = {
-        group = "audio";
+    #    group = "audio";
-        restartUnits = [ "spotifyd.service" ];
+    #    restartUnits = [ "spotifyd.service" ];
-        mode = "0440";
+    #    mode = "0440";
-      };
+    #  };
-    };
+    #};
   };
 }

systems/artemision/default.nix

@@ -7,6 +7,7 @@
   users = [ "alice" ];
   modules = [
     inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+    inputs.stylix.nixosModules.stylix
     {
       environment.systemPackages = [
         inputs.wired-notify.packages.x86_64-linux.default

systems/artemision/desktop.nix

@@ -3,9 +3,30 @@
 {
   # installs hyprland, and its dependencies
 
-  programs.hyprland = {
+  programs = {
-    enable = true;
+    hyprland = {
-    xwayland.enable = true;
+      enable = true;
+      xwayland.enable = true;
+      withUWSM = true;
+    };
+    hyprlock.enable = true;
+    gnupg.agent = {
+      enable = true;
+      #pinentryPackage = pkgs.pinentry-rofi;
+      pinentryPackage = pkgs.pinentry-gnome3;
+      #settings = {
+      #  keyserver-options = "auto-key-retrieve";
+      #  auto-key-locate = "hkps://keys.openpgp.org";
+      #  keyserver = "hkps://keys.openpgp.org";
+      #keyserver  =  "hkp://pgp.mit.edu";
+      # "na.pool.sks-keyservers.net"
+      # "ipv4.pool.sks-keyservers.net"
+      # "p80.pool.sks-keyservers.net"
+      # ];
+      #};
+    };
+
+    ydotool.enable = true;
   };
   # Optional, hint electron apps to use wayland:
   environment.sessionVariables.NIXOS_OZONE_WL = "1";
@@ -35,20 +56,11 @@
     };
   };
 
-  programs.gnupg.agent = {
+  powerManagement = {
     enable = true;
-    #pinentryPackage = pkgs.pinentry-rofi;
+    resumeCommands = ''
-    pinentryPackage = pkgs.pinentry-gnome3;
+      ${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
-    #settings = {
+    '';
-    #  keyserver-options = "auto-key-retrieve";
-    #  auto-key-locate = "hkps://keys.openpgp.org";
-    #  keyserver = "hkps://keys.openpgp.org";
-    #keyserver  =  "hkp://pgp.mit.edu";
-    # "na.pool.sks-keyservers.net"
-    # "ipv4.pool.sks-keyservers.net"
-    # "p80.pool.sks-keyservers.net"
-    # ];
-    #};
   };
 
   environment.systemPackages = with pkgs; [

systems/artemision/fonts.nix

@@ -3,17 +3,13 @@
   fonts = {
     fontconfig.enable = true;
     enableDefaultPackages = true;
-    packages = with pkgs; [
+    packages = with pkgs.nerd-fonts; [
-      (nerdfonts.override {
+      fira-code
-        fonts = [
+      droid-sans-mono
-          "FiraCode"
+      hack
-          "DroidSansMono"
+      dejavu-sans-mono
-          "Hack"
+      noto
-          "DejaVuSansMono"
+      open-dyslexic
-          "Noto"
-          "OpenDyslexic"
-        ];
-      })
     ];
   };
 }

systems/artemision/hardware.nix

@@ -20,6 +20,9 @@
       "usb_storage"
       "usbhid"
       "sd_mod"
+      "ip_vs"
+      "ip_vs_rr"
+      "nf_conntrack"
     ];
     initrd.kernelModules = [
       "dm-snapshot"
@@ -52,7 +55,6 @@
       options = [
         "noatime"
         "nodiratime"
-        "discard"
       ];
     };
 
@@ -62,7 +64,6 @@
       options = [
         "noatime"
         "nodiratime"
-        "discard"
       ];
     };
 
@@ -72,7 +73,6 @@
       options = [
         "noatime"
         "nodiratime"
-        "discard"
       ];
     };
 
@@ -82,12 +82,11 @@
       options = [
         "noatime"
         "nodiratime"
-        "discard"
       ];
     };
   };
 
-  swapDevices = [ { device = "/dev/disk/by-uuid/7f0dba0f-d04e-4c94-9fba-1d0811673df1"; } ];
+  swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
 
   boot.initrd.luks.devices = {
     "nixos-pv" = {

systems/artemision/programs.nix

@@ -3,6 +3,7 @@
   environment.systemPackages = with pkgs; [
     act
     alacritty
+    attic-client
     amdgpu_top
     bat
     bitwarden-cli
@@ -12,12 +13,12 @@
     calibre
     # calibre dedrm?
     candy-icons
-    nemo-with-extensions
+    chromium
+    chromedriver
     croc
     deadnix
     direnv
-    discord
+    easyeffects
-    discord-canary
     eza
     fanficfare
     ferium
@@ -29,22 +30,29 @@
     glances
     gpu-viewer
     grim
-    headsetcontrol
+    helvum
     htop
     hwloc
     ipmiview
     iperf3
-    ipscan
+    # ipscan
     jp2a
     jq
+    kdePackages.kdenlive
     kitty
+    kubectl
+    kubernetes-helm
+    libreoffice-fresh
     libtool
     lsof
     lynis
     masterpdfeditor4
+    minikube
     mons
+    mpv
     # nbt explorer?
     ncdu
+    nemo-with-extensions
     neofetch
     neovim
     nix-init
@@ -53,6 +61,8 @@
     nix-tree
     nixpkgs-fmt
     nmap
+    obs-studio
+    obsidian
     ocrmypdf
     pciutils
     #disabled until wxpython compat with python3.12
@@ -60,16 +70,19 @@
     prismlauncher
     protonmail-bridge
     protontricks
+    proxychains
     qrencode
     redshift
     restic
     ripgrep
     rpi-imager
     rofi-wayland
+    samba
     signal-desktop
     # signal in tray?
     siji
     simple-mtpfs
+    skaffold
     slack
     slurp
     smartmontools
@@ -84,17 +97,18 @@
     tig
     tokei
     tree
-    unzip
     unipicker
+    unzip
     uutils-coreutils-noprefix
     ventoy
+    vesktop
     vscode
     watchman
     wget
     wl-clipboard
-    xboxdrv
+    yq
+    yt-dlp
     zoom-us
     zoxide
-    zoom
   ];
 }

systems/artemision/secrets.yaml

@@ -1,17 +1,17 @@
-hello: ENC[AES256_GCM,data:UJlsd5kvnhEv7eJeYwg+NHm9sgUAxYM5DoR0gDPLi9J7P+8FI8WPMkN1wEAHJA==,iv:NFSdZQ1OK4BT+EAGZz122NB7WrVCEzv4wwMxFIE/OKI=,tag:6YT7Vw8tFrw9iEFKxeKRFQ==,type:str]
+hello: ENC[AES256_GCM,data:BTCBuBxHFO8vwXU/bsAZryM5rXUOEi0brlvq6DtqfZbzxGz4LaW89VO75MERHQ==,iv:fwqI3arwtlZQ5DtvpVbh21ThuZP8zcqCHsmuJuCfCsY=,tag:tkkEO8/eEDCakdlT0NvajA==,type:str]
-example_key: ENC[AES256_GCM,data:KMXgMrqe7M101ZMJ2g==,iv:MJ3Iiu/0KIVhPFnqfovysqvPJAv1OsnxE4VIsuexFkE=,tag:X6KIKNGym8/9VglmG3SNRw==,type:str]
+example_key: ENC[AES256_GCM,data:xzsymSb4oD70twtoKQ==,iv:9vBmAKET2VIuDSq7AOyvdYWLGlL6cYHTWxy/Z5bB1+c=,tag:NbV4eA2aaY4cQAKUy3QOpw==,type:str]
-#ENC[AES256_GCM,data:QR3WNE/a1hZIXnTjFjK3kA==,iv:eXoZJ5rQaYqN7LjEp2M13OCMwuQ+80M5AXjV0uNc4C8=,tag:sCvL6pr9zAyWZziffVFMzg==,type:comment]
+#ENC[AES256_GCM,data:zeOCzRd/nFRhbANHxPyyjw==,iv:9MmHl3OyhJHVU+cUFJ4QitHd4SeDe3ctaky+yfvk8Zs=,tag:uPGRJtgQj1vIdLt2+w0krg==,type:comment]
 example_array:
-    - ENC[AES256_GCM,data:g8PulCLrXZYSEdZJELE=,iv:irGwciFn1zXBxFpGAJtD46EQLGUO5oqdCzRgv1204JE=,tag:2MuDdRYMjhtTY++lPuj1FQ==,type:str]
+    - ENC[AES256_GCM,data:Nwn96XJv8xZWRYv8qws=,iv:K30LBMC8e1vUS0XE+4EIYb3xUUyn6232YmhV2vI9Qnc=,tag:HRe3S88zwj/CjG6NTvjdRQ==,type:str]
-    - ENC[AES256_GCM,data:qv7GvmoOX8VSdaiW/90=,iv:6NOWeWqHUV9ciKPmZF4C7ijuIPFr3YZi3Dh7xWnb07k=,tag:VHXdBhWmEpb7uavCPqGZ4w==,type:str]
+    - ENC[AES256_GCM,data:l2nuwoAbwaDFHpEWV1Y=,iv:7/2rTd8agUvx73eftpOgidV4XjDUv/JppLIIsiuycnU=,tag:Ohi4JULWDNXJPWZaeXHEdw==,type:str]
-example_number: ENC[AES256_GCM,data:g8BIEIcwKRLSbw==,iv:Ay4aiukAvXeDhzlpMPn++zR0Tt2lMqCx362uN37S+ac=,tag:NTtNaIu5u8YsIm0M4OgL0A==,type:float]
+example_number: ENC[AES256_GCM,data:toi1e/biUd2Tng==,iv:MPCfhhX9DDaOSzx/L5LTf2VYffin8XvxVyhNDqZLsec=,tag:tE/lml3afP/NjRtpPraoRQ==,type:float]
 example_booleans:
-    - ENC[AES256_GCM,data:94T9mg==,iv:qKGJke4SGhgN09Yebh5MPrRBDNnguJQ+1dl5XQffGZQ=,tag:0Pa3eujmSxDCnAHKHsx6yQ==,type:bool]
+    - ENC[AES256_GCM,data:02CVNA==,iv:L9GmIm9ynm2cWTyd3iYo4fgIeneUyFpEzzzxicM/YNI=,tag:k2EIboiL+c4W1H2OpA2Rqw==,type:bool]
-    - ENC[AES256_GCM,data:gEvfi+Q=,iv:0DrXoZk8OkdUShc7WAKOL8xG26RFZp3M3qYFAb1hDAs=,tag:uemBrdF87nrfLpfnQ8bD8g==,type:bool]
+    - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
 apps:
-    spotify: ENC[AES256_GCM,data:bp1pdOfS+VGWLtepUjg7KFWw8Fk=,iv:twGO3CjzRxAU81C93mX8qIEZ/FYIQRJnMd2HIuvP9q8=,tag:AJgs0QGFH30E8+ZpaB02TQ==,type:str]
+    spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
-wifi-env: ENC[AES256_GCM,data:NGI090aVGojJ7+lvcknJfZBQKb0b/tUrd2AqEl5IWQWCJdqqaO4pCrs3C+IW06/pz9FWgMxx9tPu32xmMZaPnnlLD+XyVJ71L2P22U6YufRPRfvyv6swOlihscOZ5tsFFYShjXpow0PfmYS+tP9mYLb2RYFLGQmvI4fa4LaVjuwPXAMg3RN/gVXR6bMEpd/7OIr+tIxC5sTE7V7fIbyzcn4=,iv:VbtgvwMHo1iLuTKCA7KjEXC1d1MY4aHfmXI6yuCGZVI=,tag:dGmw+icLKL9dJQExy83m1A==,type:str]
+wifi-env: ENC[AES256_GCM,data:G+z+fURk4rT61I5BiFzEJJt35jywPNrGpn1QGNhjvxrqPQ/Sq/hIHmQo+bqe9yJeDgMX3RY4EaiZxFTJyxPfW1czjuMSj3vbTp0WcDmGvUJ7li2pX2pzolgly4qmgoOluGBeRZWVLLOZYFB2+kLRMJNNz/bP5k2Eq6O4+l4sljPM+abn9iz9Eh46rVOVRkmDzCltJrYiuBSiSPhTDRTP2+gUbgbaUJTkVrVLUBHg3QU6az6VPN8DPZxbx4LtdaIb93pI,iv:uUfJK/iPdyLP7LqZJolTGGTxaEzlJI59bUVNcB1etkU=,tag:tvXSXSW1MIhLJceEK1afuw==,type:str]
-#ENC[AES256_GCM,data:pC2Kdy7wNc0=,iv:J7Ggfv6K3dCzL42j5MGd+BjQGseoAoYs4k6+yc3FSiA=,tag:9MriduP9SEIi+c1q4tfzlQ==,type:comment]
+#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
 sops:
     kms: []
     gcp_kms: []
@@ -21,34 +21,26 @@ sops:
         - recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZUNHeDdqaGt0QnFIejdM
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbElNRkxyZ2VjaitiTWx2
-            MU5uaDNiN2xOeVlZNzQyZXZ0R2NYUU83ZWxrCmNDL3J6ZjNmejBuUXk3cldwZUEz
+            eThsY0h3a2NCZDloWG0rU1ZwVnhOY2VJTXlFCnp3UzNDR216L2R4cVdyWjFqbkRr
-            UWVqMTVPelN1MTJDNzc0UU9XNWkralUKLS0tIDU2b053Uk5VZGlWUk9XMXZ5Wllk
+            cFJGQjQ4Qk9zblYyckVFY3VNekNuajQKLS0tIEdRWldHMjlpTElxQWFVUlh4L1lz
-            UlhhNzNjTHdVaXlPOFJhc0EyZGh3RDQK1c7nctmrorze4Kr0Grmcmx3N/UYXPwJc
+            d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
-            FfClOoGxO+4ZDtxG61SDU1UdYae4loQ8roM8jDIPFMfoEum2bT8oXw==
+            D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-03T02:45:15Z"
+    lastmodified: "2024-11-28T18:57:09Z"
-    mac: ENC[AES256_GCM,data:PsEeb2leFb500YYHg+5YHwGVHKUPB7qVqaJY66hnkmCa5MKAZkHqSgtVvh+Ai4fN9E+WFtjlso2a4oasQMNwVXsmt54+q1/Mz5zF2D/1nvaNL76fEod2YXp2jlGxNniyPfRaZXDu+QQLhoz2PBoe6OQ9E5WRDV88j7gksy6GePw=,iv:H7Q9fbvdgh+NZNyyupByQETWsgpXVXn0blQV1Ww7eQM=,tag:cpWykzgH9/mWTKxmEDZ9PA==,type:str]
+    mac: ENC[AES256_GCM,data:hKhAo7rDplLm19PlrKHQwxnDVXCMU/xpAxPALLDBa0M3yypy2QVD6c6Atn897tYRKf7oeLaUKqnUYdCcZ9gVgm37LS+GtRhf66zfvcKqhZF8wh3M0zTDPYpQDhex0N4BAJ/dcaYIbxqE9pEUxJOI5jip/hptaCJItTEe7oARcF4=,iv:EUayxLaOPcnWX+S9+RlHrxzJRLlSSLIwqbAq3fFI4yg=,tag:LiBsqIodTWamO+c8FqGBag==,type:str]
     pgp:
-        - created_at: "2024-03-23T05:46:35Z"
+        - created_at: "2024-11-28T18:57:09Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA84hNUGIgI/nAQ/+IwyPDjs/jDCBlnYFboHh6TXx8ulysESst4hz5crM4L0u
+            hF4DQWNzDMjrP2ISAQdALiZMzuQViM23hoFebCXYfQUIvCluWqAEeSJyE/LRHG8w
-            wylKyfEIBx0eLy0mLLA4DhcpYza0Nry5RLdwDNfimhATErfQxnwqlZ6RnYKnh3Hk
+            nQnIVPRIbzLzWfCf+48EW6f7zonHmNY7D9F9KohDmCTcJ5/WvXsJKjebuohR62TF
-            93L66+BEKPd3EZOH+RC/wb0qiTDmU0yna8jtVO0uU7s6//hm/g7bdmQAK0YIJLcb
+            1GYBCQIQq7nEvwSfn+l5AevKIiodA4BLfM326JSx5hJ6XdrE0MzZo1uoMwKKuxig
-            sd83n99R4oHVrq7iFc74/AV5isW9GcfmvLI94eodFpaE1dpqm4KzNpLueDCOvA/1
+            mPbDP8Rx51v9f+9DzjBg6kQD5w411HADL8th+wSkpmasP8ozIeiNiIKzzoJc/fD6
-            vPo5Lgtp9WM4FhXUqMiplCNqMIt+Hyj3F+p+9jgQ2dLfHuVkI8pzd47gOHyMDYPy
+            AOsExCUt8FU=
-            fn6SVKZtOyfNDwhs7L5piiarSXISBGtx36ISDvtvtr/vgMydTdvILIOo9pkSGVtN
+            =wRT+
-            4W7+ywMaFjfAeShTVtUJNJqmp/8agt2WtaUX4kPPha4SxlNSOMpeTQ31bs89gBtc
-            g2325afL2WPK4NSAOmU8VMXqmFc2A10aFlx5nsfT4S1wkoNbitTWgoAcCa7kGRPW
-            xZca225cwLUzkggv74cfYT3YnQL40AMSOMqSRS8pbTFEENG1BtsB5A++Jji2i4tO
-            xoGIL8LRCEfiHpTC7eBwDDVmKb5StgKsXs6yYbQG5XW2W+/Jgum64Sb7+LviQ9Mq
-            WHNiu5MZPeKyHFu9jI9Ne1HpYJnb7/X9AxFw2e/vFwVn+kjaXcH/PhsYuPUyqkzS
-            XgG3tFbcgNtMWyoLU2EL1Qvwq1pHVrwmeNXHidESx23HeJtnIwoKkdopl4qqqNle
-            uQYP89bvb6zFWlqOSwLORZmj1W1wVTYV9eXplDbJob8agBKIcIuhtwri5e96gf4=
-            =XdJo
             -----END PGP MESSAGE-----
-          fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
+          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

systems/artemision/steam.nix

@@ -4,7 +4,10 @@
   environment.systemPackages = [ pkgs.steam-run ];
   hardware.steam-hardware.enable = true;
   programs = {
-    gamescope.enable = true;
+    gamescope = {
+      enable = true;
+      capSysNice = true;
+    };
     steam = {
       enable = true;
       remotePlay.openFirewall = true;

systems/artemision/stylix.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+# let
+# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
+#   numWallpapers =
+#   $((1 + $RANDOM % 10))
+
+# in
+{
+  stylix = {
+    enable = true;
+    image = "${pkgs.hyprland}/share/hypr/wall2.png";
+
+    #image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
+    polarity = "dark";
+  };
+}

systems/artemision/wifi.nix

@@ -6,25 +6,27 @@ in
 {
   networking.wireless = {
     enable = true;
-    environmentFile = config.sops.secrets."wifi-env".path;
+    secretsFile = config.sops.secrets."wifi-env".path;
     userControlled.enable = true;
     networks = {
       "taetaethegae-2.0" = {
-        psk = "@PASS_taetaethegae_20@";
+        pskRaw = "ext:PASS_taetaethegae_20";
         priority = home;
       };
       "k" = {
-        psk = "@PASS_k@";
+        pskRaw = "ext:PASS_k";
         priority = always;
       };
-      "Bloomfield".psk = "@PASS_bloomfield@";
+      "Bloomfield".pskRaw = "ext:PASS_bloomfield";
-      "9872441500".psk = "@PASS_longboat_home@";
+      "9872441500".pskRaw = "ext:PASS_longboat_home";
-      "9872441561".psk = "@PASS_longboat_home@";
+      "9872441561".pskRaw = "ext:PASS_longboat_home";
-      "5HuFios".psk = "@PASS_longboat_home@";
+      "5HuFios".pskRaw = "ext:PASS_longboat_home";
-      "24HuFios".psk = "@PASS_longboat_home@";
+      "24HuFios".pskRaw = "ext:PASS_longboat_home";
-      "Verizon_ZLHQ3H".psk = "@PASS_angie@";
+      "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
+      "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
       "optimumwifi" = { };
       "CableWiFi" = { };
+      "JPMCVisitor" = { };
     };
   };
 

systems/bob/configuration.nix

@@ -1,106 +0,0 @@
-{
-  imports = [
-    ../../users/richie/global/desktop.nix
-    ../../users/richie/global/ssh.nix
-    ../../users/richie/global/syncthing_base.nix
-    ../../users/richie/global/zerotier.nix
-    ./hardware.nix
-    ./nvidia.nix
-    ./steam.nix
-  ];
-
-  boot = {
-    useSystemdBoot = true;
-    default = true;
-  };
-
-  networking = {
-    networkmanager.enable = true;
-    hostId = "9ab3b18e";
-  };
-
-  hardware = {
-    pulseaudio.enable = false;
-    bluetooth = {
-      enable = true;
-      powerOnBoot = true;
-    };
-  };
-
-  security.rtkit.enable = true;
-
-  services = {
-    autopull.enable = false;
-
-    displayManager.sddm.enable = true;
-
-    openssh.ports = [ 262 ];
-
-    printing.enable = true;
-
-    pipewire = {
-      enable = true;
-      alsa.enable = true;
-      alsa.support32Bit = true;
-      pulse.enable = true;
-    };
-
-    rad-dev.k3s-net.enable = false;
-
-    syncthing.settings.folders = {
-      "notes" = {
-        id = "l62ul-lpweo"; # cspell:disable-line
-        path = "/home/richie/notes";
-        devices = [
-          "phone"
-          "jeeves"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "books" = {
-        id = "6uppx-vadmy"; # cspell:disable-line
-        path = "/home/richie/books";
-        devices = [
-          "phone"
-          "jeeves"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "important" = {
-        id = "4ckma-gtshs"; # cspell:disable-line
-        path = "/home/richie/important";
-        devices = [
-          "phone"
-          "jeeves"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "music" = {
-        id = "vprc5-3azqc"; # cspell:disable-line
-        path = "/home/richie/music";
-        devices = [
-          "phone"
-          "jeeves"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "projects" = {
-        id = "vyma6-lqqrz"; # cspell:disable-line
-        path = "/home/richie/projects";
-        devices = [
-          "jeeves"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-    };
-  };
-
-  system.autoUpgrade.enable = false;
-
-  system.stateVersion = "23.11";
-}

systems/bob/default.nix

@@ -1,8 +0,0 @@
-{ ... }:
-{
-  users = [ "richie" ];
-  system = "x86_64-linux";
-  home = true;
-  sops = true;
-  server = false;
-}

systems/bob/hardware.nix

@@ -1,66 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  modulesPath,
-  ...
-}:
-
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  boot = {
-    initrd = {
-      availableKernelModules = [
-        "nvme"
-        "xhci_pci"
-        "ahci"
-        "usb_storage"
-        "sd_mod"
-      ];
-      kernelModules = [ ];
-      luks.devices = {
-        "luks-rpool-nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2".device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2";
-      };
-    };
-    kernelModules = [ "kvm-amd" ];
-    extraModulePackages = [ ];
-  };
-
-  fileSystems = {
-    "/" = lib.mkDefault {
-      device = "rpool/root";
-      fsType = "zfs";
-    };
-
-    "/home" = {
-      device = "rpool/home";
-      fsType = "zfs";
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/8AE6-270D";
-      fsType = "vfat";
-      options = [
-        "fmask=0077"
-        "dmask=0077"
-      ];
-    };
-  };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp11s0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

systems/bob/nvidia.nix

@@ -1,13 +0,0 @@
-{ config, ... }:
-{
-  services.xserver.videoDrivers = [ "nvidia" ];
-  hardware = {
-    nvidia = {
-      modesetting.enable = true;
-      powerManagement.enable = true;
-      package = config.boot.kernelPackages.nvidiaPackages.production;
-      nvidiaSettings = true;
-    };
-    nvidia-container-toolkit.enable = true;
-  };
-}

systems/bob/steam.nix

@@ -1,15 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = [ pkgs.steam-run ];
-  hardware.steam-hardware.enable = true;
-  programs = {
-    steam = {
-      enable = true;
-      remotePlay.openFirewall = true;
-      localNetworkGameTransfers.openFirewall = true;
-      extraCompatPackages = with pkgs; [ proton-ge-bin ];
-      extest.enable = true;
-    };
-  };
-}

systems/jeeves-jr/arch_mirror.nix

@@ -1,28 +0,0 @@
-{ inputs, pkgs, ... }:
-let
-  vars = import ./vars.nix;
-in
-{
-  virtualisation.oci-containers.containers.arch_mirror = {
-    image = "ubuntu/apache2:latest";
-    volumes = [
-      "${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
-      "${vars.main_mirror}:/data"
-    ];
-    extraOptions = [ "--network=web" ];
-    autoStart = true;
-  };
-
-  systemd.services.sync_mirror = {
-    requires = [ "network-online.target" ];
-    after = [ "network-online.target" ];
-    wantedBy = [ "multi-user.target" ];
-    description = "validates startup";
-    path = [ pkgs.rsync ];
-    serviceConfig = {
-      Environment = "MIRROR_DIR=${vars.main_mirror}/archlinux/";
-      Type = "simple";
-      ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/sync_mirror";
-    };
-  };
-}

systems/jeeves-jr/configuration.nix

@@ -1,47 +0,0 @@
-{ pkgs, ... }:
-{
-  imports = [
-    ../../users/richie/global/ssh.nix
-    ./arch_mirror.nix
-    ./docker
-    ./home_assistant.nix
-    ./networking.nix
-    ./services.nix
-  ];
-
-  boot = {
-    zfs.extraPools = [ "Main" ];
-    filesystem = "zfs";
-    useSystemdBoot = true;
-  };
-
-  environment.systemPackages = with pkgs; [ docker-compose ];
-
-  services = {
-    openssh = {
-      ports = [ 352 ];
-      listenAddresses = [
-        { addr = "192.168.95.35"; }
-        { addr = "192.168.90.35"; }
-      ];
-    };
-
-    smartd.enable = true;
-
-    sysstat.enable = true;
-
-    usbguard = {
-      enable = true;
-      rules = ''
-        allow id 1532:0241
-      '';
-    };
-
-    zfs = {
-      trim.enable = true;
-      autoScrub.enable = true;
-    };
-  };
-
-  system.stateVersion = "23.05";
-}

systems/jeeves-jr/default.nix

@@ -1,7 +0,0 @@
-{ ... }:
-{
-  users = [
-    "alice"
-    "richie"
-  ];
-}

systems/jeeves-jr/docker/default.nix

@@ -1,11 +0,0 @@
-{ lib, ... }:
-{
-  imports =
-    let
-      files = builtins.attrNames (builtins.readDir ./.);
-      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
-    in
-    map (file: ./. + "/${file}") nixFiles;
-
-  virtualisation.oci-containers.backend = "docker";
-}

systems/jeeves-jr/docker/haproxy.cfg

@@ -1,46 +0,0 @@
-global
-  log stdout format raw local0
-
-defaults
-  log global
-  mode http
-  retries 3
-  maxconn 2000
-  timeout connect 5s
-  timeout client 50s
-  timeout server 50s
-  timeout http-request 10s
-  timeout http-keep-alive 2s
-  timeout queue 5s
-  timeout tunnel 2m
-  timeout client-fin 1s
-  timeout server-fin 1s
-
-
-#Application Setup
-frontend ContentSwitching
-  bind *:80
-  bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
-  mode  http
-
-  # tmmworkshop.com
-  acl host_mirror       hdr(host) -i mirror.tmmworkshop.com jeeves
-  acl host_uptime_kuma  hdr(host) -i uptimekuma-jeevesjr.tmmworkshop.com
-  acl host_homeassistant hdr(host) -i homeassistant.tmmworkshop.com
-
-  use_backend mirror_nodes      if host_mirror
-  use_backend uptime_kuma_nodes if host_uptime_kuma
-  use_backend home_asistant_nodes if host_homeassistant
-
-# tmmworkshop.com
-backend mirror_nodes
-  mode http
-  server server arch_mirror:80
-
-backend uptime_kuma_nodes
-  mode http
-  server server uptime_kuma:3001
-
-backend home_asistant_nodes
-  mode http
-  server server 192.168.95.35:8123

systems/jeeves-jr/docker/uptime_kuma.nix

@@ -1,16 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    uptime_kuma = {
-      image = "louislam/uptime-kuma:latest";
-      volumes = [
-        "${vars.main_docker_configs}/uptime_kuma:/app/data"
-        "/var/run/docker.sock:/var/run/docker.sock"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-  };
-}

systems/jeeves-jr/docker/web.nix

@@ -1,41 +0,0 @@
-{ config, ... }:
-{
-  virtualisation.oci-containers.containers = {
-    haproxy = {
-      image = "haproxy:latest";
-      user = "600:600";
-      environment = {
-        TZ = "Etc/EST";
-      };
-      volumes = [
-        "${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
-        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
-      ];
-      dependsOn = [
-        "arch_mirror"
-        "uptime_kuma"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    cloud_flare_tunnel = {
-      image = "cloudflare/cloudflared:latest";
-      cmd = [
-        "tunnel"
-        "run"
-      ];
-      environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
-      dependsOn = [ "haproxy" ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-  };
-  sops = {
-    defaultSopsFile = ../secrets.yaml;
-    secrets = {
-      "docker/cloud_flare_tunnel".owner = "docker-service";
-      "docker/haproxy_cert".owner = "docker-service";
-    };
-  };
-
-}

systems/jeeves-jr/hardware.nix

@@ -1,40 +0,0 @@
-{
-  config,
-  lib,
-  modulesPath,
-  ...
-}:
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-  swapDevices = [ { device = "/dev/disk/by-uuid/9d4ef549-d426-489d-8332-0a49589c6aed"; } ];
-  boot = {
-    kernelModules = [ "kvm-amd" ];
-    extraModulePackages = [ ];
-    initrd = {
-      kernelModules = [ ];
-      availableKernelModules = [
-        "xhci_pci"
-        "ahci"
-        "nvme"
-        "usbhid"
-        "usb_storage"
-        "sd_mod"
-      ];
-    };
-  };
-
-  fileSystems = {
-    "/" = lib.mkDefault {
-      device = "/dev/disk/by-uuid/c59f7261-ebab-4cc9-8f1d-3f4c2e4b1971";
-      fsType = "ext4";
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/7295-A442";
-      fsType = "vfat";
-    };
-  };
-}

systems/jeeves-jr/home_assistant.nix

@@ -1,49 +0,0 @@
-{
-  services.home-assistant = {
-    enable = true;
-    openFirewall = true;
-    config = {
-      http = {
-        server_port = 8123;
-        server_host = [
-          "192.168.95.35"
-          "192.168.90.35"
-          "192.168.98.4"
-        ];
-        use_x_forwarded_for = true;
-        trusted_proxies = "172.100.0.4";
-      };
-      homeassistant = {
-        time_zone = "America/New_York";
-        unit_system = "imperial";
-        temperature_unit = "F";
-      };
-      assist_pipeline = { };
-      backup = { };
-      bluetooth = { };
-      config = { };
-      dhcp = { };
-      energy = { };
-      history = { };
-      homeassistant_alerts = { };
-      image_upload = { };
-      logbook = { };
-      media_source = { };
-      mobile_app = { };
-      ssdp = { };
-      sun = { };
-      webhook = { };
-      zeroconf = { };
-    };
-    extraPackages =
-      python3Packages: with python3Packages; [
-        psycopg2
-        gtts
-        aioesphomeapi
-        esphome-dashboard-api
-        bleak-esphome
-        pymetno
-      ];
-    extraComponents = [ "isal" ];
-  };
-}

systems/jeeves-jr/networking.nix

@@ -1,43 +0,0 @@
-{
-  networking = {
-    hostId = "1beb3026";
-    firewall.enable = false;
-  };
-
-  systemd.network = {
-    enable = true;
-
-    netdevs = {
-      "20-ioit-vlan" = {
-        netdevConfig = {
-          Kind = "vlan";
-          Name = "ioit-vlan";
-        };
-        vlanConfig.Id = 20;
-      };
-    };
-
-    networks = {
-      "10-lan" = {
-        matchConfig.Name = "enp4s0";
-        DHCP = "yes";
-        vlan = [ "ioit-vlan" ];
-        linkConfig.RequiredForOnline = "routable";
-      };
-      "40-ioit-vlan" = {
-        matchConfig.Name = "ioit-vlan";
-        DHCP = "yes";
-      };
-    };
-  };
-
-  services.zerotierone = {
-    enable = true;
-    joinNetworks = [ "e4da7455b2ae64ca" ];
-  };
-}
-# 22/tcp   open  ssh
-# 800/tcp  open  mdbs_daemon
-# 5355/tcp open  llmnr
-# 8123/tcp open  polipo
-# 9993/tcp open  palace-2

systems/jeeves-jr/secrets.yaml

@@ -1,65 +0,0 @@
-docker:
-    cloud_flare_tunnel: ENC[AES256_GCM,data:E+XYu5AxS8Ew9OVIfbH5gLkMk+rZ4yT96tSGAwL4smedkddoevRnqil78LtFNYKV8Zo3MpuA8q/c4Me0KrrlSAvwJz1T2cev0dKnuTei3MHZxK7RwWYo9UMJH+aV+l343OY9nvGBj6ryTM3wKyUIoqSmOnRCAbYmhkkqN0wFO+Mxxqjw6nf5UEeeKb36k2NwlhjjnscOKe+wo3sXhjjzVXrE3IOUQJM3hWWukMElcYewVgJmstRidKiNCRMi1/UYMk/Nfhk=,iv:yFJ5SbHB3wZ0FEF0k9KrWye55ref7OqbQPd8oMLTmH4=,tag:p3K4yGR6X2+uKIj4H6rZ+g==,type:str]
-    haproxy_cert: ENC[AES256_GCM,data:1n2BurHeWI+j7CMQ7qk3DUl+8MgqRsgtYQ1TxJKcPXuz0YBkg6SUp95lPZv6Jo+2OIaVxCoWpiuoLp8YgtJgnZo4S9QVG2qi60sWCSf4acMRSg0hIA/pdcslogZc5LrsBOTINZCODE4mz7Bya42f+RfVfwPGT7Buz8MniW6kfT9cr3iuq+BQc6513sHhDHgZJgwdfP5x9XrwEtaBl41Db7ejGTrza9jtsHqkrD8j3Pf1XJDhACrTeB7Uqh68sjwc2giAc/2bInDayvnKFHqHaLFTUMAbCeMPOiEZSK4UaWrSMk5I5wDVu8Ya8nBostHlPOBT06gFxT13aEe3Ox3/ctBm/83BXhFfjEaYy6AbMhbp29nxUogVjMICs3FiHG3XBz7vsVxxcBvLXp1Bw3ml5Vd7ACKQPe+r1T54aIdYMoab8DhKPMqb/6TQwrhWD3je4wwOHzzQq9psE1hlB2lJsRnAsVAy9a7M5aBpj0v2pCPVjxjkGHqUUgN+w4hzPPf10A0dWiaXc3k8bWcwc1SlJwHvYxphyZEjNQAzXrAkUPcuy4+9c7LwniMdu5qoUL/oZPW5VHWgtrUO9IlAgduiEujrAW96zfz4jfM0UBqJHT58l/WHHmBM8bMsRDHTnc43uvdoU+VgjtTiFERBi+Xm5mXCqWd4d5Y5P8ozIwGho8UdLqmR9Y2nth1mrs//FIh9mZ7i7QQGHBzoR7ICRDX2ghK98J4RMfF2ph0I+nhWpoCq056xItoVZyAEWQSR4ptpAaKMX4Crd3hrK6tZmyvaTrk5IsNaf5hrS+Fw8uTYUAM+3E6kb1TJwFvUH1plkwU83iBRlboRO5d1ahESp5nifZIVz+KBStLjUVWfXnelPCkH55LVnobgk0zekoEeNLKq+Q5wOBmR28rYXVp/q+FNCgxEW+tXIswmC72jbsDxM/oMHBQnYsmEy5dTxU2X/IzmrZfWod07fRblkWRplzLGyEjsY7CquHlG119LuHcWFOUGxYm3bgn1pGnIV3cBLvbInEAPK0apqSXMBSJw0mk/ihtdx8ANidMn8nhkHVjo/Bo9orH3tJdw8l7x+Cei347CkiQZz21jHvL1qcV/EAAxBnT4c5WtOljo13ntk8RiARdye4hcUXpORIUhH8zq88RNquOkF5QjV8C/u2EaUhQYqy3Xts49v7S9I8LLzjrrfY/IDQVqlJsAgkNuwvheTlya5JoeTasscLfLt3iJ7LsbzWWqQrfn3KQJp3H4Gxh/uqak/V5ROBahHQ4KpXzsDG++XLE0o7W4BFQbrBYV99mlGzB1blmX30C8S+b8n1u+oMXfH8oY20Jm5UQcV5/JNK8WG69ihonRDXdX7fy2WGzylql2hj+3aoYYdYpFAeHVLNzj9vAIxPHzvK0JmwdynsFLo4Hpyn7KN+6L3MSACjAOc3SxY20XxjmqJSWVEM0tq4Zbe/VdhOF1L4pyIBMKQC2XwrWyturTboh86qAfyxtYzEQXGLzz585nVnwj9PLmXQw98M8JWwsFq58ZsOdQZKhN3e0aSY2opSigmXQ9ZJeCF+6KbwElOSz4pDfkZIXqZc+LCzEl5IO1CxLWCTIIfN3Gx60W3vz8QohydoCBt2FLHH3lBiAEitWxYQhsfdlFExQa1/+0WSk3wK5dEA7SPaBWKq+xtPR0yUmuT/JN4VPX+hqqkVHigk8+XfqE/H1as9JbYo92N6xBd2ZrNzhFIkMykUOT+0etVtyOdXLkxdV9lwaBX9ARPHJV7g35e52UspX335aLGE0GtCaIbHRwJuENCIixo7sbdmB9i9xSTeg+7RBQAWpuR7O6firAEKWOGBaYzDUBnqt++Q2wUuMnQBJE/9bh,iv:3FuXEQxbTvbdnBnwPxF+T8QZvQoWX/WXx3lpDBXML1k=,tag:g1Y4qY+XoSA6K/LCKbllOw==,type:str]
-server-validation:
-    webhook: ENC[AES256_GCM,data:/6QI+KKKJkbVO7YsxcU/gnjgp9scNzqzq56wnqAU88YdYYNU7FaRifzH00RlEb9VYvNBlT0FggnZSSX1rNN5W63tLaiYFn/GVfjlUSnwrgueTVG8Sor6HtYTIfMOdPm9B7jflpECk7ByguoDlimH0J1QrcWd+Kqx772sH63bKV1GbCaYSkRHQp9QbvbO,iv:p5W/xniUe75RqJA9PtMcNRnsY4kUBeD0p6iQDLbkSSc=,tag:dh2a8/Doyznjd1hswmXMuQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NXJJMjBjeU9XQS9YZGxQ
-            V1h5RlNUVTA5Mkx3M3ZobGs5WFA0NXFGakR3CnIxVk9nYU1aWkNoZ0F0WGd0ck5Q
-            VWpSU0ZRdENTWnFVOVNQY0Z4ems4MEUKLS0tIFVqcGJtZWRxSTZwZWhjYm56bnkr
-            QmcxMmhaaGZXU1VFN0pvT1VDN3hpcGsKXUlVytBrz8sUorTSHXZaOMYA5U6qUpas
-            ZJiHtVGxRVwCpraHWLmQTRkO6pT36cEVsfsMnFH6NLOMOvA3vLX8/g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-07T23:09:51Z"
-    mac: ENC[AES256_GCM,data:nZPpOrOSKc+7dcbpBdZRH5FLih6o5Ii5bLWgzZ7xP/BZ36vp7ypdncE/jS0/Rz2AiOOrK0G9ovEOoL7jOMrqaUBAJNPzXTX/IdOcFrsxPL47saZKWQHqXkGXrX49nafeea7VtEvoM4qK2AiyYl2ogir+Mw304mhDIUqHhPNNvQs=,iv:ykOg2Pxpp+Sap648UZaiaRVMutWTdUXvP+Pi2cWy86g=,tag:AARw0YmjcesHLdS31i+B3g==,type:str]
-    pgp:
-        - created_at: "2024-03-23T05:49:12Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA84hNUGIgI/nARAAgcuMhO3nmxYY8KiW6AYxU2rFo2OQnpzZVtbMJB43wDQX
-            0UAOVmUyhGM2wd3tJgnvyfnguy6p3LfjZrXdTkTzrv5yCJVvKXhORcLisjaXLS8H
-            TCe9Fa4I9CvKo/yyRsRYS59niql0ocTs1Eb7cLiKuX19RIuQ7TjMPnjkdj5xXooa
-            kPJXfwL1SpUU3kjhuTHqWlD0m5t0RPiTpDym8fExMSvbTWyMY0BPA+qD1atMeUik
-            i3x2boqfoyD1GZ64Z5NrxRD0dN6TQvJLX1K1XTzanUhvfsy/PvDftCHKQc2n2Opk
-            btnKZa1mfiiLUQly+njSvH8ERYg27j5ACEQ0V9rtGPa3xnVYZm6Z5h0v68aqsotJ
-            aOzJa7/k0ZV/tBD1pT+9T2a/W9v4U+KdKKL19ebNvMtFxy50jN8SQsrTtxv5G5fA
-            sc+HkrcnLezFHYtGG85PfbTGsKMWpwu+4BrcmuW6dBcADZ1fZdkqgi+GcYGL2xy1
-            bddjuOWnzXb93t1pSIkaHcVWc6s5Atf3IB/liyNEux4kdquOHZQJi0WBi0l8GEmG
-            /ggJN4shRqtMqEkomaZkyZMsHnkmenusjbIlKJrwolhZSyDP8Kk5iPYXMxG21vrr
-            YpWHr388q8H7+ksnxYiNFXyY2cQKtOsD3UMIV8edMc/lHjTOi0BFNMHmU3WDsajS
-            XAGXsys00baAzcQHIS0jijU4mJQAqYL3S7FrcDGW8qhTGFpQ8ngVLvwLfqMvUn8v
-            LB3M5/7+Ld8xV4AZWr8mvv+7ZNNnnZzImETCLnekfvLEV9F2pTCH2Z21RPEL
-            =XWl7
-            -----END PGP MESSAGE-----
-          fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
-        - created_at: "2024-03-23T05:49:12Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA29thaGx06tOARAAoI93A3cy3V2dJo8HBIrLC2RK3SKBkPiPFjWO/Zvnv8Q0
-            IhfzjusX+3f8HIa3CxJjTbOktcq+A2a4EyBes2Rd4bX9H2Fs2VVrSmUf3S/dO1b5
-            GiZamHnC+1zsXUB5IFcfjMSzeKKsOWYu9DmUcalsseo/XVJjxw9DzRnPUesI/aMs
-            y5kKKtNDcvAK4AWidME6LTP9FgiMx09sQfuAl4YCJv1trOvxt+dN932fbAkHVAq0
-            Lc90rG6LDLT1w/8i9evBRRX/ZexAI3vTGn/nTqKi+B9BdFA4dY0KiHtGIS+UNtNo
-            vL6PTKIRejGfqt13DwUWRobKnezcpJkTkdz+Pa+cQhdwSL2tFjr0hEbZL3e76YEx
-            CNsgbB9h0pIm/2YvhG1k0f0skWfjXLAtR6PQPKu1OycppX02fbK9XRShb+Fik7P+
-            GfFLxf4JYAMMOHsxP30EVQONiR9XsITH149GSZ3nTBX7vUsk3b7Z+ou1Ma27EhiW
-            iPWTqpDgLQ/VZW+027h/l8iwv52L8eE6Y+LE32jNUTQjMW3OWKw9zknX4wciNR07
-            EPAy8eC9rfhUVnTB7RJlTOY03yyEiBjowJn/0e0g8+AUMKC4mAuasPUwPhptQ6pH
-            8up/75WglUAg04eni0p5g6X7rGj+09OEDNMtvYVt7HglX7T86O2sBcVKa/j095jS
-            XAGIy2HXf+By9BFKM4q6uuAh4QceHn2QaQ/ckhYGMrHulzAeORPxYaYdXoeEj18k
-            auBqSPzj8E9yPi4jl+miEO9BgVhRW45cxBbn2XV2KE08PIP9mZ2jxK9Ne4HQ
-            =jkZ+
-            -----END PGP MESSAGE-----
-          fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

systems/jeeves-jr/services.nix

@@ -1,33 +0,0 @@
-{
-  config,
-  inputs,
-  pkgs,
-  ...
-}:
-{
-  systemd = {
-    services.startup_validation = {
-      requires = [ "network-online.target" ];
-      after = [ "network-online.target" ];
-      wantedBy = [ "multi-user.target" ];
-      description = "validates startup";
-      path = [ pkgs.zfs ];
-      serviceConfig = {
-        Type = "oneshot";
-        EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
-        ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_jeevesjr";
-      };
-    };
-    timers.startup_validation = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnBootSec = "10min";
-        Unit = "startup_validation.service";
-      };
-    };
-  };
-  sops = {
-    defaultSopsFile = ./secrets.yaml;
-    secrets."server-validation/webhook".owner = "root";
-  };
-}

systems/jeeves-jr/vars.nix

@@ -1,10 +0,0 @@
-let
-  zfs_main = "/ZFS/Main";
-in
-{
-  inherit zfs_main;
-  # main
-  main_docker = "${zfs_main}/Docker";
-  main_docker_configs = "${zfs_main}/Docker/configs";
-  main_mirror = "${zfs_main}/Mirror";
-}

systems/jeeves/arch_mirror.nix

@@ -1,29 +0,0 @@
-{ inputs, pkgs, ... }:
-let
-  vars = import ./vars.nix;
-in
-{
-  virtualisation.oci-containers.containers.arch_mirror = {
-    image = "ubuntu/apache2:latest";
-    volumes = [
-      "${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
-      "${vars.media_mirror}:/data"
-    ];
-    ports = [ "800:80" ];
-    extraOptions = [ "--network=web" ];
-    autoStart = true;
-  };
-
-  systemd.services.sync_mirror = {
-    requires = [ "network-online.target" ];
-    after = [ "network-online.target" ];
-    wantedBy = [ "multi-user.target" ];
-    description = "validates startup";
-    path = [ pkgs.rsync ];
-    serviceConfig = {
-      Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
-      Type = "simple";
-      ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/sync_mirror";
-    };
-  };
-}

systems/jeeves/configuration.nix

@@ -1,165 +0,0 @@
-{ pkgs, ... }:
-let
-  vars = import ./vars.nix;
-in
-{
-  imports = [
-    ../../users/richie/global/ssh.nix
-    ../../users/richie/global/syncthing_base.nix
-    ./arch_mirror.nix
-    ./docker
-    ./networking.nix
-    ./programs.nix
-    ./services.nix
-  ];
-
-  boot = {
-    zfs.extraPools = [
-      "media"
-      "storage"
-      "torrenting"
-    ];
-    filesystem = "zfs";
-    useSystemdBoot = true;
-  };
-
-  environment = {
-    systemPackages = with pkgs; [ docker-compose ];
-    etc = {
-      # Creates /etc/lynis/custom.prf
-      "lynis/custom.prf" = {
-        text = ''
-          skip-test=BANN-7126
-          skip-test=BANN-7130
-          skip-test=DEB-0520
-          skip-test=DEB-0810
-          skip-test=FIRE-4513
-          skip-test=HRDN-7222
-          skip-test=KRNL-5820
-          skip-test=LOGG-2190
-          skip-test=LYNIS
-          skip-test=TOOL-5002
-        '';
-        mode = "0440";
-      };
-    };
-  };
-
-  services = {
-    nfs.server.enable = true;
-
-    openssh.ports = [ 629 ];
-
-    plex = {
-      enable = true;
-      dataDir = vars.media_plex;
-    };
-
-    smartd.enable = true;
-
-    sysstat.enable = true;
-
-    syncthing.guiAddress = "192.168.90.40:8384";
-    syncthing.settings.folders = {
-      "notes" = {
-        id = "l62ul-lpweo"; # cspell:disable-line
-        path = vars.media_notes;
-        devices = [
-          "bob"
-          "phone"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "books" = {
-        id = "6uppx-vadmy"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/books";
-        devices = [
-          "bob"
-          "phone"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "important" = {
-        id = "4ckma-gtshs"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/important";
-        devices = [
-          "bob"
-          "phone"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "music" = {
-        id = "vprc5-3azqc"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/music";
-        devices = [
-          "bob"
-          "phone"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-      "projects" = {
-        id = "vyma6-lqqrz"; # cspell:disable-line
-        path = "${vars.storage_syncthing}/projects";
-        devices = [
-          "bob"
-          "rhapsody-in-green"
-        ];
-        fsWatcherEnabled = true;
-      };
-    };
-
-    usbguard = {
-      enable = false;
-      rules = ''
-        allow id 1532:0241
-      '';
-    };
-
-    zfs = {
-      trim.enable = true;
-      autoScrub.enable = true;
-    };
-  };
-  systemd = {
-    services."snapshot_manager" = {
-      description = "ZFS Snapshot Manager";
-      requires = [ "zfs-import.target" ];
-      after = [ "zfs-import.target" ];
-      serviceConfig = {
-        Environment = "ZFS_BIN=${pkgs.zfs}/bin/zfs";
-        Type = "oneshot";
-        ExecStart = "${pkgs.python3}/bin/python3 ${vars.media_scripts}/ZFS/snapshot_manager.py --config-file='${./snapshot_config.toml}'";
-      };
-    };
-    timers."snapshot_manager" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnBootSec = "15m";
-        OnUnitActiveSec = "15m";
-        Unit = "snapshot_manager.service";
-      };
-    };
-  };
-
-  sops = {
-    defaultSopsFile = ./secrets.yaml;
-    secrets = {
-      "zfs/backup_key".path = "/root/zfs/backup_key";
-      "zfs/docker_key".path = "/root/zfs/docker_key";
-      "zfs/main_key".path = "/root/zfs/main_key";
-      "zfs/notes_key".path = "/root/zfs/notes_key";
-      "zfs/plex_key".path = "/root/zfs/plex_key";
-      "zfs/postgres_key".path = "/root/zfs/postgres_key";
-      "zfs/qbit_key".path = "/root/zfs/qbit_key";
-      "zfs/scripts_key".path = "/root/zfs/scripts_key";
-      "zfs/syncthing_key".path = "/root/zfs/syncthing_key";
-      "zfs/vault_key".path = "/root/zfs/vault_key";
-    };
-  };
-
-  system.stateVersion = "23.11";
-}

systems/jeeves/default.nix

@@ -1,7 +0,0 @@
-{ ... }:
-{
-  users = [
-    "alice"
-    "richie"
-  ];
-}

systems/jeeves/docker/default.nix

@@ -1,11 +0,0 @@
-{ lib, ... }:
-{
-  imports =
-    let
-      files = builtins.attrNames (builtins.readDir ./.);
-      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
-    in
-    map (file: ./. + "/${file}") nixFiles;
-
-  virtualisation.oci-containers.backend = "docker";
-}

systems/jeeves/docker/filebrowser.nix

@@ -1,15 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers.filebrowser = {
-    image = "hurlenko/filebrowser:latest";
-    extraOptions = [ "--network=web" ];
-    volumes = [
-      "/zfs:/data"
-      "${vars.media_docker_configs}/filebrowser:/config"
-    ];
-    autoStart = true;
-    user = "1000:users";
-  };
-}

systems/jeeves/docker/haproxy.cfg

@@ -1,68 +0,0 @@
-global
-  log stdout format raw local0
-  # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
-  stats timeout 30s
-
-defaults
-  log global
-  mode http
-  retries 3
-  maxconn 2000
-  timeout connect 5s
-  timeout client 50s
-  timeout server 50s
-  timeout http-request 10s
-  timeout http-keep-alive 2s
-  timeout queue 5s
-  timeout tunnel 2m
-  timeout client-fin 1s
-  timeout server-fin 1s
-
-
-#Application Setup
-frontend ContentSwitching
-  bind *:80
-  bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
-  mode  http
-  # tmmworkshop.com
-  acl host_mirror   hdr(host) -i mirror.tmmworkshop.com
-  acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
-  acl host_grafana  hdr(host) -i grafana.tmmworkshop.com
-  acl host_filebrowser  hdr(host) -i filebrowser.tmmworkshop.com
-  acl host_uptime_kuma  hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
-  acl host_overseerr  hdr(host) -i overseerr.tmmworkshop.com
-
-  use_backend mirror_nodes   if host_mirror
-  use_backend dndrules_nodes if host_dndrules
-  use_backend grafana_nodes  if host_grafana
-  use_backend filebrowser_nodes  if host_filebrowser
-  use_backend uptime_kuma_nodes  if host_uptime_kuma
-  use_backend overseerr_nodes  if host_overseerr
-
-backend mirror_nodes
-  mode http
-  server server arch_mirror:80
-
-backend mirror_rsync
-  mode http
-  server server arch_mirror:873
-
-backend grafana_nodes
-  mode http
-  server server grafana:3000
-
-backend dndrules_nodes
-  mode http
-  server server dnd_file_server:80
-
-backend filebrowser_nodes
-  mode http
-  server server filebrowser:8080
-
-backend uptime_kuma_nodes
-  mode http
-  server server uptime_kuma:3001
-
-backend overseerr_nodes
-  mode http
-  server server overseerr:5055

systems/jeeves/docker/internal.nix

@@ -1,149 +0,0 @@
-{ config, ... }:
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    qbit = {
-      image = "ghcr.io/linuxserver/qbittorrent:latest";
-      ports = [
-        "6881:6881"
-        "6881:6881/udp"
-        "8082:8082"
-        "29432:29432"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbit:/config"
-        "${vars.torrenting_qbit}:/data"
-      ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-        WEBUI_PORT = "8082";
-      };
-      autoStart = true;
-    };
-    qbitvpn = {
-      image = "binhex/arch-qbittorrentvpn:latest";
-      extraOptions = [ "--cap-add=NET_ADMIN" ];
-      ports = [
-        "6882:6881"
-        "6882:6881/udp"
-        "8081:8081"
-        "8118:8118"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbitvpn:/config"
-        "${vars.torrenting_qbitvpn}:/data"
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-      environment = {
-        WEBUI_PORT = "8081";
-        PUID = "600";
-        PGID = "100";
-        VPN_ENABLED = "yes";
-        VPN_CLIENT = "openvpn";
-        STRICT_PORT_FORWARD = "yes";
-        ENABLE_PRIVOXY = "yes";
-        LAN_NETWORK = "192.168.90.0/24";
-        NAME_SERVERS = "1.1.1.1,1.0.0.1";
-        UMASK = "000";
-        DEBUG = "false";
-        DELUGE_DAEMON_LOG_LEVEL = "debug";
-        DELUGE_WEB_LOG_LEVEL = "debug";
-      };
-      environmentFiles = [ config.sops.secrets."docker/qbit_vpn".path ];
-      autoStart = true;
-    };
-    bazarr = {
-      image = "ghcr.io/linuxserver/bazarr:latest";
-      ports = [ "6767:6767" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/bazarr:/config"
-        "${vars.storage_plex}/movies:/movies"
-        "${vars.storage_plex}/tv:/tv"
-      ];
-      autoStart = true;
-    };
-    prowlarr = {
-      image = "ghcr.io/linuxserver/prowlarr:latest";
-      ports = [ "9696:9696" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
-      autoStart = true;
-    };
-    radarr = {
-      image = "ghcr.io/linuxserver/radarr:latest";
-      ports = [ "7878:7878" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/radarr:/config"
-        "${vars.storage_plex}/movies:/movies"
-        "${vars.torrenting_qbitvpn}:/data"
-      ];
-      autoStart = true;
-    };
-    sonarr = {
-      image = "ghcr.io/linuxserver/sonarr:latest";
-      ports = [ "8989:8989" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/sonarr:/config"
-        "${vars.storage_plex}/tv:/tv"
-        "${vars.torrenting_qbitvpn}:/data"
-      ];
-      autoStart = true;
-    };
-    overseerr = {
-      image = "ghcr.io/linuxserver/overseerr";
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.media_docker_configs}/overseerr:/config" ];
-      dependsOn = [
-        "radarr"
-        "sonarr"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    whisper = {
-      image = "ghcr.io/linuxserver/faster-whisper:latest";
-      ports = [ "10300:10300" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-        WHISPER_MODEL = "tiny-int8";
-        WHISPER_LANG = "en";
-        WHISPER_BEAM = "1";
-      };
-      volumes = [ "${vars.media_docker_configs}/whisper:/config" ];
-      autoStart = true;
-    };
-  };
-  sops = {
-    defaultSopsFile = ../secrets.yaml;
-    secrets."docker/qbit_vpn".owner = "docker-service";
-  };
-}

systems/jeeves/docker/postgresql.nix

@@ -1,37 +0,0 @@
-{ config, ... }:
-let
-  vars = import ../vars.nix;
-in
-{
-  users = {
-    users.postgres = {
-      isSystemUser = true;
-      group = "postgres";
-      uid = 999;
-    };
-    groups.postgres = {
-      gid = 999;
-    };
-  };
-
-  virtualisation.oci-containers.containers = {
-    postgres = {
-      image = "postgres:16";
-      ports = [ "5432:5432" ];
-      volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
-      environment = {
-        POSTGRES_USER = "admin";
-        POSTGRES_DB = "archive";
-        POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
-      };
-      environmentFiles = [ config.sops.secrets."docker/postgres".path ];
-      autoStart = true;
-      user = "postgres:postgres";
-    };
-  };
-
-  sops = {
-    defaultSopsFile = ../secrets.yaml;
-    secrets."docker/postgres".owner = "postgres";
-  };
-}

systems/jeeves/docker/uptime_kuma.nix

@@ -1,16 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    uptime_kuma = {
-      image = "louislam/uptime-kuma:latest";
-      volumes = [
-        "${vars.media_docker_configs}/uptime_kuma:/app/data"
-        "/var/run/docker.sock:/var/run/docker.sock"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-  };
-}

systems/jeeves/docker/web.nix

@@ -1,65 +0,0 @@
-{ config, ... }:
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    grafana = {
-      image = "grafana/grafana-enterprise:latest";
-      volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
-      user = "600:600";
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    dnd_file_server = {
-      image = "ubuntu/apache2:latest";
-      volumes = [
-        "${../../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
-        "${vars.storage_main}/Table_Top/:/data"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    haproxy = {
-      image = "haproxy:latest";
-      user = "600:600";
-      environment = {
-        TZ = "Etc/EST";
-      };
-      volumes = [
-        "${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
-        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
-      ];
-      dependsOn = [
-        "arch_mirror"
-        "dnd_file_server"
-        "filebrowser"
-        "grafana"
-        "overseerr"
-        "uptime_kuma"
-      ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-    cloud_flare_tunnel = {
-      image = "cloudflare/cloudflared:latest";
-      user = "600:600";
-      cmd = [
-        "tunnel"
-        "run"
-      ];
-      environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
-      dependsOn = [ "haproxy" ];
-      extraOptions = [ "--network=web" ];
-      autoStart = true;
-    };
-  };
-
-  sops = {
-    defaultSopsFile = ../secrets.yaml;
-    secrets = {
-      "docker/cloud_flare_tunnel".owner = "docker-service";
-      "docker/haproxy_cert".owner = "docker-service";
-    };
-  };
-}

systems/jeeves/hardware.nix

@@ -1,45 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  modulesPath,
-  ...
-}:
-
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  boot = {
-    initrd.availableKernelModules = [
-      "mpt3sas"
-      "nvme"
-      "xhci_pci"
-      "ahci"
-      "uas"
-      "usb_storage"
-      "usbhid"
-      "sd_mod"
-      "sr_mod"
-    ];
-    initrd.kernelModules = [ "dm-snapshot" ];
-    kernelModules = [ "kvm-amd" ];
-    extraModulePackages = [ ];
-  };
-
-  fileSystems."/" = lib.mkDefault {
-    device = "/dev/disk/by-uuid/0f78fa87-30be-4173-b0fa-eaa956cf83aa";
-    fsType = "ext4";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/BB77-2647";
-    fsType = "vfat";
-  };
-
-  swapDevices = [ { device = "/dev/disk/by-uuid/4c797a94-be32-43d3-89ac-7f02912c7cf5"; } ];
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

systems/jeeves/networking.nix

@@ -1,40 +0,0 @@
-{
-  networking = {
-    hostId = "1beb3027";
-    firewall.enable = false;
-  };
-
-  systemd.network = {
-    enable = true;
-    networks = {
-      "10-1GB_Primary" = {
-        matchConfig.Name = "enp98s0f0";
-        DHCP = "yes";
-      };
-    };
-    networks = {
-      "10-1GB_Secondary" = {
-        matchConfig.Name = "enp98s0f1";
-        DHCP = "yes";
-      };
-    };
-    networks = {
-      "10-10GB_Primary" = {
-        matchConfig.Name = "enp97s0f0np0";
-        DHCP = "yes";
-        linkConfig.RequiredForOnline = "routable";
-      };
-    };
-    networks = {
-      "10-10GB_Secondary" = {
-        matchConfig.Name = "enp97s0f1np1";
-        DHCP = "yes";
-      };
-    };
-  };
-
-  services.zerotierone = {
-    enable = true;
-    joinNetworks = [ "e4da7455b2ae64ca" ];
-  };
-}

systems/jeeves/programs.nix

@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = with pkgs; [ filebot ];
-}

systems/jeeves/scripts/plex_permission.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-plex_dir="/zfs/storage/plex/"
-
-chown docker-service:users -R "$plex_dir"
-find "$plex_dir" -type f -exec chmod 664 {} \;
-find "$plex_dir" -type d -exec chmod 775 {} \;

systems/jeeves/secrets.yaml

@@ -1,78 +0,0 @@
-docker:
-    postgres: ENC[AES256_GCM,data:IpXIrRDzyGFjDz908w1NNb0GBna/ce9lCtOkXrpUfyllsTWca6AeqaRo23bL4jfFGfHn0Zf9okLO,iv:IwO7vJJHFfm0SGcJETpWtdhr41jPddN9nuVAH/Ooa7Y=,tag:xstwPvpvkNOZucxvzq2+ag==,type:str]
-    cloud_flare_tunnel: ENC[AES256_GCM,data:Qx7g0tNSfVs9VnkuYw47XJjfF+RS9B5gvpBliGL93X8K/7iiyt0NxwWyAkmmaLat5h/Yu7C71rwBIIZsKf7Ke3YS0PfEpga76ftKt3h7VKMQNT7yAcU3LY4v2h3Molnzw2fnAhxfHkogJuAsZeJW9dIjo9H2QpSh/tn9kpC+PGb/T9dcqMm4fJPqP+rIcFCfhJl9iDOKOMQ9+xVNnKZ2HQlAwPMCz29BgGCxh0cYYk9ftXPK7ZnhjwUj4bfnaKfByIPpAtk=,iv:8yz2vXanGZfOkZF/D0RP2LPqHebbOM/XBPg2eCCGs8g=,tag:67da31iZTQaMURKf9dfiJw==,type:str]
-    qbit_vpn: ENC[AES256_GCM,data:SRkcWb2wTTfWlgkbDSN6j5+dXnG670qFGtG2x4fajkE8eK4U30DTxrlbzta5ZMtm0Y9bquy3DcaSMF/u9CBrLbBS8mhcJw==,iv:LpkS7O+eutPUDpY5NlYjgafK6UuFsS+18yNpB+JmzcM=,tag:0Y+vj80MAbh2U+UsyH3MEA==,type:str]
-    haproxy_cert: ENC[AES256_GCM,data:6yRv0cz/vBVguAPOsENhmH2uwwgL5AkOkkDQQ+PVPEEiOTIn1WPONhnG0UqR3FsWJal8qECH/zTF1XMmdK4VHQXwMA8gGScpIrgeWuhdCbXsJ7RxZBzVESOCo8ZOcR43w3Qih+0iz3SsNmX262/D7DIzKYlLovyoJDGZa5jo0n2zCZiRfbdal8m02dplaFHMsGy6+Gn3Uijo9MnnuWvgihBh1ekRnpSzVM4/IyyvUunK0vEapVsgOq+brdW2x0BQFgL3PLGaJbAbzFhXYI1MmD+D7RzOGSzNmrj1ezea+b2Lb/p8CATh05i+lz6530U6iwun0lcREDxPrJgU0TsI/JZGSq3blHn9lZuHmnwBp05LsliBO+yoxgqnC45/xTZwiSdlyqqnXHlXPuBS7UoJFlll93aIpULfNZMyqx/FO5ckmV0nuNVMCrF7JfsE+t/XNs077kB4FKYNk4TDodKyn2scfypQFK7qprW9JKJwx0Se8FWU2fMKsuMszElMLudRHagyDVO+LJ+/ta6Qj68CRU1g8cQANh4Q6PwI0HABX3J5n3ERQUxZvVeCq9FRMJ7JE0was3QfBGGPROHksK+rP9y8g8CFRgGjwzDoxslaYO+tIiIsaDcqbTiOQDTiDh4/ioqX9EENrA8qIEtKSn6m35+4pwY0xvKToAnI7vhwQ93A1mZrwKXgoNSShA4Q+MfSEIuJd6LJihLh5IFvl595iOpGDWCJsXZnDL3K8B6oofPTtLnOOQC4sy9wGiNshdgfv6aVwpdPKvOtFwHmu1n8eZInfSZgUdwUaHHMXjrXHboBQ6ZPsrdZBt9ADSUpz+uN6+TgXq6HLWHSqtmrWS6jABQfbpHH7pLZAXuii4MsnTEr1rOEbtgZTH6Sedd57Pp5MpNXDg950vd9plCkGPiRfDUWXHnRw8frWfoTS+eOqkVwJ0+v48IskuYLZSCAF0/kumtbySDQStNowF+cAp7lk24Cp8W8PXw/LqI8U8FijVxMPtgzLwRKKd10zRI+Jrsi9E8YXSKCaFMIBLottRHwdvWA7aIYnuVTxzCmHt1jhJN349bjC/yTIuIS4gW+XlriFqip17Eq/878+Uduwf1+Fxqdpv8kDleyqix0SO/JmhQijgIUhc3Im3whXicEu6vlivzJGyjA/ljFyJvV/irRK/VrIWEoA5nLX74fmF9Ku/O94pDIPaKCsCP+N/fOPLG5ucw6lPxllZS9qg2cNsl9ajXGPu8GBB4FaZUt/Ufid6xjC5YloictI3Bp5x2glhpxzQ8zAbv5vpBA0h6xhkt4NSmxWurvBmRoRnBdYIvEaeoehj10yLpiY4DsZYLTU5IrLV/aYlb2q4K2OKRvYOBQgeDtEkIMqHYWsddfKHi+1KjQ/176DDIbUoYb4XtPJmNOcIeRM2oiaCcTzerU5TXL5qBl213buTcIPaV0sVVxoH+2RYBM28mjQoj8sHwQLLuFve0MeUZzfJ8MqMM+Guhn25aw4R0tGkiRBUL5d8l86awOpqXtFiK2QTh3S7QeZoCA80YVH5r6FdqMz34UgwEFo0nfBcH2nSnDwpcBrbwzV6/Xahck4nVaIn6znJPqlIKntfeXJuXl/9ulpwx7D4mL7hLcal9WY62KZ1PQ+NHz5WjaPbgLMdeNFFr6CKGGqSPkTOhjgQ1y4ChuYfbVn+yZRqUwhFWtKuuouAZXH55KkVlsB39H+oNYp0hqAUiVkeawHqbTgOHb+llz0uF7r0TGD23aMXeV58n0i3xsDET9mhxSyj5vUo5iqY8eEqgn4mOvsdp6rkpC4c91drgV/gFJu2jgCvVVdG/mHFVnZEv5+/rA2reqdqMTBOpLQNEbL5Ih1LKG,iv:PUp78PWvy+lmcLiR295BGiVTLnAPX+du4lcw/Pvq/KE=,tag:k/3H2+jF9no751mvO5S5WQ==,type:str]
-zfs:
-    backup_key: ENC[AES256_GCM,data:sJzR/DfM6+tmmcewZT+NAJk0gj8wmU43QfFCRCj9+2GITOS8suRL7E5rHTherCZgRe79T90ikM97bYf9RbZdtQ==,iv:j8F3BG/hh7UK3kC+pB6WO0OHlSSHn0jo90AgaTdpyNY=,tag:5hraDn8YqS/q57y26AXwjw==,type:str]
-    docker_key: ENC[AES256_GCM,data:HiW+3IYJCgqg9HJmPYQinhb6kWJouORABKniryY5e35tf8BQGKn1ldgj4Dw+79SYmvIUbf4ZSja0Ziz1isKTWA==,iv:6vBtbIlTHC+PUgyXYb92SnMTuWd8jCaEzZ3Vmv2QHhA=,tag:izKWtAQWRfn5tAYKyOO+ZQ==,type:str]
-    main_key: ENC[AES256_GCM,data:6ZZQc7TSAuK4PrxQxegPrFMjT1SZlRGgg5VgVg1e6ZM1RO9ZDjhcmpFRd1pkbm5DEJKq1VpUxTvxXGQDrMYO9A==,iv:Yp2jTtBd8gjB8Sdfb06ZBLpVd/KCjs/pfnBRT2ll/0c=,tag:F0HSbkZ8Z45WkUY/VNwvHg==,type:str]
-    notes_key: ENC[AES256_GCM,data:y3fTl3aNl8RaZwBR2thy7qfxilw+wGEj8+tTuRr+z+A6ol9N6droFNBHQcK3yWDWP8MhMKe1efWhgbZ0Raz17A==,iv:BbBjMtsb2ZDJjgbgkXP3SYl3xklI5xWmW3X9mlLlvdI=,tag:Ic3rLP30wApmOeLGFEYgVA==,type:str]
-    plex_key: ENC[AES256_GCM,data:fWzTSKkVCkWmZ9ZDv1/OYYZPsQKV54Ib98Bq4A+4ibT9mk28Zp7XeczOJVj6+K4+04EQgQj8RyP2x70tuFp3Xg==,iv:pyHzIo4ws4Lyd5zVflUa7yjNVefTTpEdkjCVmXDuucE=,tag:msn0NFXuq3zKGY5vE1nR1Q==,type:str]
-    postgres_key: ENC[AES256_GCM,data:mLa0A6pJXZ7BX9bYat9mQ30Dx/KWU9KHjiApuapBUbRtH+gtAJRGwLeXJPyMTOirFwuWWTdOts8dTMESWp7eOg==,iv:MFyo2LbdsYeoUyhWEv0EWKXNFhxoLjNs5M7ar6dlrjw=,tag:KpaatId8TdVzAEelD1tlzQ==,type:str]
-    qbit_key: ENC[AES256_GCM,data:19XIzi4waSOLdfgKo8z6NMX9Ee4Xw1/JqbjQEvKwWh+ar2r5P3sFJMHI394ebx4vITO0lOzl/EwcUiWt7LB6uw==,iv:s+TWyb5SzeCFZAZdKs28o7s8So++eLqR1Qc9ZWjUGwY=,tag:teHdPEhWkzDWizJD/czA6w==,type:str]
-    scripts_key: ENC[AES256_GCM,data:2htMEDCByUbCQ1loPEDCVNtXXqffCRHMpiobEDHI506hdEk6d/N7lmlUIqLa5YCNB6ozt0y6EEKBxnbouEHIWQ==,iv:eUYmsliDF49BNSpF+KSiT1rlPtzQpmhNC8Cy2tahMX8=,tag:8xCvm1LwDPArJ/woIO23Bg==,type:str]
-    syncthing_key: ENC[AES256_GCM,data:36zfmVuCEHFED3ODeoGuAxJvySY1SxWT9ml+DFvb01KdUqIGZDZj1cKoZCH+GsgYJMsQF6t+uqZJOGeyNmzMlg==,iv:17tLW4ytRpUmmltA4UIZGhsrNAGRjvucxxt9zLM3C54=,tag:YWirDB0fYSpu1evqVaoa+Q==,type:str]
-    vault_key: ENC[AES256_GCM,data:kFZa5oRVXuSp7W7311i0d8b7I0Y3P8bZbBoaaICuH1IlMLBVd6SUhL8cfFU66yj91W6uUJU/Oy7NpP3rM9mhGw==,iv:neRhOqW/b2DpUqoA5JJxLS4fSqj8ZGxRXv4pEPm7Wtc=,tag:bfAD3GAO6F2hBCZy7P7KUA==,type:str]
-server-validation:
-    webhook: ENC[AES256_GCM,data:54MQzwEOf6uS6cgnPeJizRXMvGTGxLf6q1N3tGDxxpXKmSJedW+kpY2GoV91SxeeTWUyDKQcWp2fs5SwrdfDFHID9JN4wWJM0JjADggZ6u+BMEH01nnXpCJlhGq6cxDkI6gNSVgNVQW/eYNHDhnVmwwGpse4q62G1TmKlziBCv1Qahn4c3O+bOOEssio,iv:2Rcg7XSCmQeFd2oaX4GxSGXwgE3Ep1WsoPRRYo0dvH0=,tag:rPjDghxdcpME5SwoPKWv2w==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTREhIRUd1K3JCM29mVHVv
-            d2Q4eFBLWnRUTGEzelZOMS9ScXNyV3ZGbHpNCjNCSEhmTDQ4VUtta0RXdXJUY0da
-            Vld5WDlJS3oyWkk5KzUzam9PYXZSa1kKLS0tIHJuaktpU3hnUWEwZzc4eHNjSitI
-            bVhXamJyMWMvODUvajk2aDZnQ1k1blEKoNIYxUA+k+DA+1WYq5BSa0iXuQ2Lctuy
-            9W7OO2m+QGzjdLLM0uS7WWGXWP2cDDgUGcqozTqM0Oqi2/OY0Bo3Jg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-07T23:09:43Z"
-    mac: ENC[AES256_GCM,data:36CZLl3+VSFTSTj9jDT9972XZMXjaY5jo9FZ7I7L0sOSBRH8vQ+tFww7hVHe5M2w/+YA0SRGH3r8WCbie6GeRjmY+BZu42H656K0WrpRN8ERFv+io8geACdqUsLo1VLjhDrfXaGnNOHLpmMC5dqyPXlOphiolt+ArKOBLuqtrnY=,iv:jaL/l1zwYusThKeR9C62fEGHwiv4fEvCarSiavjxQ0U=,tag:xgygx6KM/J4w55CzdLeCUg==,type:str]
-    pgp:
-        - created_at: "2024-03-02T20:52:17Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA84hNUGIgI/nARAAxQSkqnR75Rd1htAv7esbpmXlrZH+frTL6V4jGoAiqTeF
-            TSA46E2nl7rVqPTws74OOb+O5bN3OkHSmmWzIbj6Pc8YnqY4t9N69zoCHtsbI1kn
-            FQ4WwUdzofIUMKwF+E31/knyKbf/IjSKTZKcDQmn6QErOdDmsN9/z6+ixLt+rdsz
-            lKwMX8axgmwgRsWI1Xhlb1qs4TZxheQQ4A4WYYNB1NhH0ZTIehI+FGe+wHh36UXf
-            cY/Z7KRLdozoLsuuAIAoXx/dr3KpwuyKHfp9MdZLzO/tvS9vA1i+tKRXmiDs2uuv
-            itCOTrt1H7LEpUfdBYD9ll2mdiRnVzR4DxNnGLPkxsyAglejTxR897DcYFC9xhie
-            X6UfKTOIeAGXVUqphp8HB0CEFBW982246kDSKdOI/R3+X4T5fvMpLTb5XvkOlCIi
-            JUwXxoq3SA06a8WCS6QH8jLnXrcCKzX1TJh0RzT7/RUvKDN6uxxccxOksMExvgBG
-            nqfOcLiCXBzluCseDgmjcW0/arm1d88Kd7ayMv25CX1Py5uRRQOkqqnCdNIk5Yy5
-            0R+KyOPeZPThVTE1DhJ3QyF499XMoFjerHyanwIlvkAQtet1k8EKih1KSD9N38ga
-            K1HRowhoPMkszsU6+LZYL3MD0aUkfz53b7JvzIxYsfJgztwg3ki0qteEXUNyLMTS
-            XgG9xHF63wa7IwBtKgQKX/CVCwpg5EuNfwbACbIQAC9QZ/F6z+Ud2UJkSs94UUF4
-            aOGb2P1QFvLbP7m+7TNmvuLT5BDcS2XE0IWRDilkeiFU6ijGW8+iQ5oTzv+TmA0=
-            =JbRX
-            -----END PGP MESSAGE-----
-          fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
-        - created_at: "2024-03-02T20:52:17Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA29thaGx06tOARAAm8GMWZxxY1UBYK7p60Hlw2qCOH7KZ5cby8vm9dWz3Tnt
-            +YKW2SsRniwY6KaSVvnUuRBY75BF6jahW6+h9Nvhsrsvq680UIaQtO6l6KmtnxHV
-            S6vEDmvoFZVWG1xOEGYHVQ+GF9elIwuYrzST1OU3vATMstMxrm0WQJ2lOq7YpuGi
-            hNoMK3nMxpmTlT49CYn2sGX3PlNA4qDOVo/fwL5m3lV5mKzJNs7q8IakbPZm6yqR
-            wGjfkHq3ZlKnTUC66sBX8yvSoZ2cM6vrYhxgb1Um8z9BKLpAb7Rr9AXB5IUWxSkz
-            jXyEi9aDySDxv2HkjP3fE4D5wtC1neS8YsYDBcSsqoXt5sKAs1DOvzLbIOkObH3Y
-            uSxozoGJu5CVnBrOpxXdNf1RMnww85uxSAupiLQ2fsC/0AaeGB8dPYIZr/WekWAR
-            RF3igqZX7KVRuomUOt9fwJoHnRr1GWCHqYTB3P7/e52JcmCggBRLcnhC/1MKgMtN
-            RJh8Uuu9aXCBfR148W+s76xIdVwypPWbk8l911TdL1eRKx+d+kxAa1ugIqihvkBQ
-            sGjZltEe0ogAsDpS0Cy/HRH8Yz1Qk2gTh1QZiv865aVVfWu0OTU27TlfCyMQQCkO
-            LtBfOWylV6pJG3aaO2QA+4f4ab8flxdg8DrmBlhudzYY2goHIcfe+CdPygrKB/nS
-            XgEx1HFw47B1YJxY7FiFgEwnI6/AJuf136u1i484nVYXAr5PtnyaXH7kqVozHouT
-            sPkE1v7+EpOIbhEdXQxbSG0AXKomUwu4SJgxSitdTajAQYfHHfTVjdnUqyl8QHw=
-            =wX5X
-            -----END PGP MESSAGE-----
-          fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

systems/jeeves/services.nix

@@ -1,52 +0,0 @@
-{
-  config,
-  inputs,
-  pkgs,
-  ...
-}:
-{
-  systemd = {
-    services = {
-      plex_permission = {
-        description = "maintains /zfs/storage/plex permissions";
-        serviceConfig = {
-          Type = "oneshot";
-          ExecStart = "${pkgs.bash}/bin/bash ${./scripts/plex_permission.sh}";
-        };
-      };
-      startup_validation = {
-        requires = [ "network-online.target" ];
-        after = [ "network-online.target" ];
-        wantedBy = [ "multi-user.target" ];
-        description = "validates startup";
-        path = [ pkgs.zfs ];
-        serviceConfig = {
-          EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
-          Type = "oneshot";
-          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_jeeves";
-        };
-      };
-    };
-    timers = {
-      plex_permission = {
-        wantedBy = [ "timers.target" ];
-        timerConfig = {
-          OnBootSec = "1h";
-          OnCalendar = "daily 03:00";
-          Unit = "plex_permission.service";
-        };
-      };
-      startup_validation = {
-        wantedBy = [ "timers.target" ];
-        timerConfig = {
-          OnBootSec = "10min";
-          Unit = "startup_validation.service";
-        };
-      };
-    };
-  };
-  sops = {
-    defaultSopsFile = ./secrets.yaml;
-    secrets."server-validation/webhook".owner = "root";
-  };
-}

systems/jeeves/snapshot_config.toml

@@ -1,29 +0,0 @@
-["media/Notes"]
-15_min = 8
-hourly = 24
-daily = 30
-monthly = 12
-
-["storage/plex"]
-15_min = 6
-hourly = 2
-daily = 1
-monthly = 0
-
-["media/plex"]
-15_min = 6
-hourly = 2
-daily = 1
-monthly = 0
-
-["media/notes"]
-15_min = 8
-hourly = 24
-daily = 30
-monthly = 12
-
-["media/docker"]
-15_min = 3
-hourly = 12
-daily = 14
-monthly = 2

systems/jeeves/vars.nix

@@ -1,23 +0,0 @@
-let
-  zfs_media = "/zfs/media";
-  zfs_storage = "/zfs/storage";
-  zfs_torrenting = "/zfs/torrenting";
-in
-{
-  inherit zfs_media zfs_storage zfs_torrenting;
-  # media
-  media_database = "${zfs_media}/syncthing/database";
-  media_docker = "${zfs_media}/docker";
-  media_docker_configs = "${zfs_media}/docker/configs";
-  media_mirror = "${zfs_media}/mirror";
-  media_notes = "${zfs_media}/notes";
-  media_plex = "${zfs_media}/plex/";
-  media_scripts = "${zfs_media}/scripts";
-  # storage
-  storage_main = "${zfs_storage}/main";
-  storage_plex = "${zfs_storage}/plex";
-  storage_syncthing = "${zfs_storage}/syncthing";
-  # torrenting
-  torrenting_qbit = "${zfs_torrenting}/qbit";
-  torrenting_qbitvpn = "${zfs_torrenting}/qbitvpn";
-}

systems/palatine-hill/acme.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  outputs,
+  ...
+}:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "aliceghuston@gmail.com";
+    certs."nayeonie.com" = {
+      dnsProvider = "dnsimple";
+      environmentFile = config.sops.secrets."acme/dnsimple".path;
+      dnsPropagationCheck = false;
+      group = "haproxy";
+      extraDomainNames = [
+        "*.nayeonie.com"
+        # "alicehuston.xyz"
+        # "*.alicehuston.xyz"
+      ];
+    };
+  };
+
+  systemd.services."acme-nayeonie.com.service".path = lib.mkForce (
+    with pkgs;
+    [
+      coreutils
+      diffutils
+      openssl
+    ]
+    ++ [
+      outputs.packages.x86_64-linux.lego-latest
+    ]
+  );
+
+  sops.secrets = {
+    "acme/dnsimple" = {
+      owner = "root";
+    };
+  };
+}

systems/palatine-hill/attic/default.nix

@@ -8,34 +8,18 @@
 {
   environment.systemPackages = with pkgs; [
     attic-client
-    attic
   ];
 
   services = {
-    postgresql = {
-      enable = true;
-      ensureDatabases = [ "atticd" ];
-      ensureUsers = [
-        {
-          name = "atticd";
-          ensureDBOwnership = true;
-        }
-      ];
-      upgrade = {
-        enable = true;
-        stopServices = [ "atticd" ];
-      };
-    };
-
     atticd = {
       enable = true;
 
-      credentialsFile = config.sops.secrets."attic/secret-key".path;
+      environmentFile = config.sops.secrets."attic/secret-key".path;
 
       settings = {
         listen = "[::]:8183";
-        allowed-hosts = [ "attic.alicehuston.xyz" ];
+        allowed-hosts = [ "attic.nayeonie.com" ];
-        api-endpoint = "https://attic.alicehuston.xyz";
+        api-endpoint = "https://attic.nayeonie.com/";
         compression.type = "none"; # let ZFS do the compressing
         database = {
           url = "postgres://atticd?host=/run/postgresql";
@@ -48,7 +32,7 @@
           type = "s3";
           region = "us-east-1";
           bucket = "cache-nix-dot";
-          endpoint = "https://minio.alicehuston.xyz";
+          endpoint = "https://minio.nayeonie.com";
         };
 
         # Warning: If you change any of the values here, it will be
@@ -78,61 +62,60 @@
 
   # borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix
   # configured default webstore for this on root user separately
-  systemd = {
+  # systemd = {
-    services = {
+  #   services = {
-      attic-watch-store = {
+  #     attic-watch-store = {
-        wantedBy = [ "multi-user.target" ];
+  #       wantedBy = [ "multi-user.target" ];
-        after = [
+  #       after = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        requires = [
+  #       requires = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        description = "Upload all store content to binary cache";
+  #       description = "Upload all store content to binary cache";
-        serviceConfig = {
+  #       serviceConfig = {
-          User = "root";
+  #         User = "root";
-          Restart = "always";
+  #         Restart = "always";
-          ExecStart = "${pkgs.attic}/bin/attic watch-store cache-nix-dot";
+  #         ExecStart = "${pkgs.attic-client}/bin/attic watch-store cache-nix-dot";
-        };
+  #       };
-      };
+  #     };
-      attic-sync-hydra = {
+  #     attic-sync-hydra = {
-        after = [
+  #       after = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        requires = [
+  #       requires = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        description = "Force resync of hydra derivations with attic";
+  #       description = "Force resync of hydra derivations with attic";
-        serviceConfig = {
+  #       serviceConfig = {
-          Type = "oneshot";
+  #         Type = "oneshot";
-          User = "root";
+  #         User = "root";
-          ExecStart = "${config.nix.package}/bin/nix ${./attic/sync-attic.bash}";
+  #         ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
 
-    timers = {
+  #   timers = {
-      attic-sync-hydra = {
+  #     attic-sync-hydra = {
-        wantedBy = [ "timers.target" ];
+  #       wantedBy = [ "timers.target" ];
-        timerConfig = {
+  #       timerConfig = {
-          OnBootSec = 600;
+  #         OnBootSec = 600;
-          OnUnitActiveSec = 86400;
+  #         OnUnitActiveSec = 86400;
-          Unit = "attic-sync-hydra.service";
+  #         Unit = "attic-sync-hydra.service";
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
-  };
+  # };
 
   sops = {
-    defaultSopsFile = ./secrets.yaml;
     secrets = {
       "attic/secret-key".owner = "root";
       "attic/database-url".owner = "root";

systems/palatine-hill/attic/sync-attic.bash

@@ -2,9 +2,9 @@
 #! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
 
 sync_directories=(
-    /ZFS/ZFS-primary/hydra
+  /ZFS/ZFS-primary/hydra
 )
 
 for dir in "${sync_directories[@]}"; do
-    find "$dir"  -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
+  find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
 done

systems/palatine-hill/configuration.nix

@@ -6,13 +6,19 @@
 }:
 {
   imports = [
-    ./attic.nix
+    ./acme.nix
-    ./docker.nix
+    ./attic
+    ./docker
+    ./gitea.nix
+    ./firewall.nix
+    ./haproxy
+    ./hardware-changes.nix
     ./hydra.nix
     ./minio.nix
     ./networking.nix
     ./nextcloud.nix
-    ./services.nix
+    ./samba.nix
+    ./postgresql.nix
     ./zfs.nix
   ];
 
@@ -52,10 +58,14 @@
   };
 
   environment.systemPackages = with pkgs; [
+    chromedriver
+    chromium
     docker-compose
     intel-gpu-tools
     jellyfin-ffmpeg
     jq
+    yt-dlp
+    yq
   ];
 
   services = {
@@ -63,32 +73,8 @@
     nfs.server.enable = true;
     openssh.ports = [ 666 ];
     smartd.enable = true;
+    calibre-server.enable = false;
 
-    postgresql = {
-      enable = true;
-      enableJIT = true;
-      identMap = ''
-        # ArbitraryMapName systemUser DBUser
-           superuser_map      root      postgres
-           superuser_map      alice  postgres
-           # Let other names login as themselves
-           superuser_map      /^(.*)$   \1
-      '';
-
-      # initialScript = config.sops.secrets."postgres/init".path;
-
-      upgrade = {
-        enable = true;
-        stopServices = [
-          "hydra-evaluator"
-          "hydra-init"
-          "hydra-notify"
-          "hydra-queue-runner"
-          "hydra-send-stats"
-          "hydra-server"
-        ];
-      };
-    };
   };
 
   nix.gc.options = "--delete-older-than 150d";

systems/palatine-hill/default.nix

@@ -1,8 +1,7 @@
 { inputs, ... }:
 {
-  users = [
+  users = [ "alice" ];
-    "alice"
+  modules = [
-    "richie"
+    # inputs.attic.nixosModules.atticd
   ];
-  modules = [ inputs.attic.nixosModules.atticd ];
 }

systems/palatine-hill/docker.nix

@@ -1,5 +0,0 @@
-{ ... }:
-
-{
-  virtualisation.docker.daemon.settings.data-root = "/var/lib/docker2";
-}

systems/palatine-hill/docker/act-runner.nix

@@ -0,0 +1,114 @@
+{
+  config,
+  ...
+}:
+
+let
+  vars = import ../vars.nix;
+  act_path = vars.primary_act;
+in
+{
+  virtualisation.oci-containers.containers = {
+    act-stable-latest-main = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      ports = [ "8088:8088" ];
+      volumes = [
+        "${act_path}/stable-latest-main/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-main/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-main";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+
+    act-stable-latest-1 = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      volumes = [
+        "${act_path}/stable-latest-1/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-1/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-1";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+
+    act-stable-latest-2 = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      volumes = [
+        "${act_path}/stable-latest-2/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-2/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-2";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+  };
+
+  systemd = {
+    timers."custom-watchtower@act-runner" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "20m";
+        OnUnitActiveSec = "5m";
+        Unit = "custom-watchtower@act-runner.service";
+      };
+    };
+    services."custom-watchtower@act-runner" = {
+      bindsTo = [ "docker.service" ];
+      after = [ "docker.service" ];
+      description = "a watchtower-esque script for systemd-based oci-containers";
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'act-runner'";
+      };
+    };
+  };
+
+  sops.secrets = {
+    "docker/act-runner" = {
+      owner = "root";
+      restartUnits = [
+        "docker-act-stable-latest-main.service"
+        "docker-act-stable-latest-1.service"
+        "docker-act-stable-latest-2.service"
+      ];
+    };
+  };
+}

systems/palatine-hill/docker/archiveteam.nix

@@ -0,0 +1,152 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  containers = {
+    archiveteam-imgur = {
+      image = "imgur-grab";
+      scale = 1;
+    };
+    archiveteam-telegram = {
+      image = "telegram-grab";
+      scale = 3;
+    };
+    archiveteam-reddit = {
+      image = "reddit-grab";
+      scale = 0;
+    };
+    archiveteam-dpreview = {
+      image = "dpreview-grab";
+      scale = 0;
+    };
+    archiveteam-issuu = {
+      image = "issuu-grab";
+      scale = 0;
+    };
+    archiveteam-urls = {
+      image = "urls-grab";
+      scale = 2;
+    };
+    archiveteam-urlteam = {
+      image = "terroroftinytown-client-grab";
+      scale = 2;
+    };
+    archiveteam-mediafire = {
+      image = "mediafire-grab";
+      scale = 1;
+    };
+    archiveteam-github = {
+      image = "github-grab";
+      scale = 1;
+    };
+    archiveteam-lineblog = {
+      image = "lineblog-grab";
+      scale = 0;
+    };
+    archiveteam-banciyuan = {
+      image = "banciyuan-grab";
+      scale = 0;
+    };
+    archiveteam-wysp = {
+      image = "wysp-grab";
+      scale = 0;
+    };
+    archiveteam-xuite = {
+      image = "xuite-grab";
+      scale = 0;
+    };
+    archiveteam-gfycat = {
+      image = "gfycat-grab";
+      scale = 0;
+    };
+    archiveteam-skyblog = {
+      image = "skyblog-grab";
+      scale = 0;
+    };
+    archiveteam-zowa = {
+      image = "zowa-grab";
+      scale = 0;
+    };
+    archiveteam-blogger = {
+      image = "blogger-grab";
+      scale = 1;
+    };
+    archiveteam-vbox7 = {
+      image = "vbox7-grab";
+      scale = 0;
+    };
+    archiveteam-pastebin = {
+      image = "pastebin-grab";
+      scale = 1;
+    };
+    archiveteam-youtube = {
+      image = "youtube-grab";
+      scale = 0;
+    };
+    archiveteam-deviantart = {
+      image = "deviantart-grab";
+      scale = 0;
+    };
+    archiveteam-postnews = {
+      image = "postnews-grab";
+      scale = 0;
+    };
+    archiveteam-askfm = {
+      image = "askfm-grab";
+      scale = 1;
+    };
+    archiveteam-mangz = {
+      image = "mangaz-grab";
+      scale = 1;
+    };
+    archiveteam-cohost = {
+      image = "cohost-grab";
+      scale = 1;
+    };
+  };
+  container-spec = container-name: container: {
+    image = "atdr.meo.ws/archiveteam/${container}:latest";
+    extraOptions = [
+      "--stop-signal=SIGINT"
+    ];
+    labels = {
+      "com.centurylinklabs.watchtower.enable" = "true";
+      "com.centurylinklabs.watchtower.scope" = "archiveteam";
+    };
+    volumes = [ "${at_path}/${container-name}:/grab/data" ];
+    log-driver = "local";
+    cmd = lib.splitString " " "--concurrent 6 AmAnd0";
+
+  };
+  inherit (lib.rad-dev.container-utils) createTemplatedContainers;
+
+  vars = import ../vars.nix;
+  at_path = vars.primary_archiveteam;
+in
+{
+  virtualisation.oci-containers.containers = createTemplatedContainers containers container-spec;
+  systemd = {
+    timers."custom-watchtower@archiveteam" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "20m";
+        OnUnitActiveSec = "5m";
+        Unit = "custom-watchtower@archiveteam.service";
+      };
+    };
+    services."custom-watchtower@archiveteam" = {
+      bindsTo = [ "docker.service" ];
+      after = [ "docker.service" ];
+      description = "a watchtower-esque script for systemd-based oci-containers";
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'archiveteam'";
+      };
+    };
+  };
+}

systems/palatine-hill/docker/books.nix

@@ -0,0 +1,32 @@
+{ ... }:
+
+let
+  vars = import ../vars.nix;
+  docker_path = vars.primary_docker;
+  calibre_path = vars.primary_calibre;
+in
+{
+  virtualisation.oci-containers.containers = {
+    automated-ffdl-alice = {
+      image = "mrtyton/automated-ffdl:latest";
+      user = "600:100";
+      extraOptions = [ "--restart=unless-stopped" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+      };
+      volumes = [
+        "${docker_path}/auto-fic/config:/config"
+        "${calibre_path}/ffdl-alice:/var/lib/calibre-server"
+      ];
+    };
+  };
+
+  services.autopull = {
+    enable = true;
+    repo.FanFicFare-alice = {
+      enable = true;
+      path = /ZFS/ZFS-primary/calibre/ffdl-alice/config/FanFicFare;
+    };
+  };
+}

systems/palatine-hill/docker/default.nix

@@ -0,0 +1,79 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ./act-runner.nix
+    # temp disable archiveteam for tiktok archiving
+    #./archiveteam.nix
+    # ./books.nix
+    #./firefly.nix
+    #./foundry.nix
+    ./glances.nix
+    # ./haproxy.nix
+    ./minecraft.nix
+    ./nextcloud.nix
+    # ./postgres.nix
+    # ./restic.nix
+    ./torr.nix
+    # ./unifi.nix
+  ];
+
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.docker.daemon.settings = {
+    data-root = "/var/lib/docker2";
+    bip = "169.254.253.254/23";
+    fixed-cidr = "169.254.252.0/23";
+    default-address-pools = [
+      {
+        base = "169.254.2.0/23";
+        size = 28;
+      }
+      {
+        base = "169.254.4.0/22";
+        size = 28;
+      }
+      {
+        base = "169.254.8.0/21";
+        size = 28;
+      }
+      {
+        base = "169.254.16.0/20";
+        size = 28;
+      }
+      {
+        base = "169.254.32.0/19";
+        size = 28;
+      }
+      {
+        base = "169.254.64.0/18";
+        size = 28;
+      }
+      {
+        base = "169.254.128.0/18";
+        size = 28;
+      }
+      {
+        base = "169.254.192.0/19";
+        size = 28;
+      }
+      {
+        base = "169.254.224.0/20";
+        size = 28;
+      }
+      {
+        base = "169.254.240.0/21";
+        size = 28;
+      }
+      {
+        base = "169.254.248.0/22";
+        size = 28;
+      }
+    ];
+    mtu = 9000;
+  };
+}

systems/palatine-hill/docker/firefly.nix

@@ -0,0 +1,25 @@
+{ ... }:
+let
+  vars = import ../vars.nix;
+  ffiii_path = "${vars.primary_docker}/firefly-iii";
+in
+{
+  virtualisation.oci-containers.containers = {
+    firefly = {
+      image = "fireflyiii/core:latest";
+      extraOptions = [
+        "--network=firefly-iii_default"
+        "--network=postgres-net"
+      ];
+      environmentFiles = [ "${ffiii_path}/.env" ];
+      ports = [ "4188:8080" ];
+      volumes = [ "${ffiii_path}/app/upload:/var/www/html/storage/upload" ];
+    };
+    fidi = {
+      image = "fireflyiii/data-importer:latest";
+      environmentFiles = [ "${ffiii_path}/.fidi.env" ];
+      ports = [ "4187:8080" ];
+      dependsOn = [ "firefly" ];
+    };
+  };
+}

systems/palatine-hill/docker/foundry.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+let
+  vars = import ../vars.nix;
+  fvtt_path = "${vars.primary_games}/foundryvtt";
+in
+{
+  virtualisation.oci-containers.containers = {
+    foundryvtt = {
+      image = "felddy/foundryvtt:11";
+      hostname = "foundryvtt";
+      environment = {
+        #CONTAINER_PRESERVE_CONFIG= "true";
+        TIMEZONE = "America/New_York";
+        FOUNDRY_MINIFY_STATIC_FILES = "true";
+      };
+      environmentFiles = [ config.sops.secrets."docker/foundry".path ];
+      volumes = [ "${fvtt_path}:/data" ];
+      extraOptions = [
+        "--network=haproxy-net"
+      ];
+    };
+  };
+
+  sops.secrets."docker/foundry" = {
+    owner = "docker-service";
+    restartUnits = [ "docker-foundryvtt.service" ];
+  };
+}

systems/palatine-hill/docker/glances.nix

@@ -0,0 +1,24 @@
+{ ... }:
+
+let
+  vars = import ../vars.nix;
+  glances_path = "${vars.primary_docker}/glances";
+in
+{
+  virtualisation.oci-containers.containers = {
+    glances = {
+      image = "nicolargo/glances:latest-full";
+      extraOptions = [
+        "--pid=host"
+        "--network=haproxy-net"
+      ];
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "${glances_path}/glances.conf:/glances/conf/glances.conf"
+      ];
+      environment = {
+        GLANCES_OPT = "-C /glances/conf/glances.conf -w";
+      };
+    };
+  };
+}

systems/palatine-hill/docker/haproxy.cfg

@@ -0,0 +1,207 @@
+global
+#  stats socket /var/run/api.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
+ # log stdout format raw local0 info
+  log stdout format raw local0
+  crt-base /etc/ssl/certs/
+  maxconn 120000
+
+defaults
+  log global
+  mode http
+  timeout client 2000m
+  timeout connect 200s
+  timeout server 2000m
+  timeout http-request 2000m
+
+frontend stats # you can call this whatever you want
+  mode http
+  bind *:9000       # default port, but you can pick any port
+  stats enable      # turns on stats module
+  stats refresh 10s # set auto-refresh rate
+
+#Application Setup
+frontend ContentSwitching
+  bind *:80
+ # bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
+  bind *:443 ssl crt /etc/ssl/certs/origin_ca_ecc_root_new.pem crt /var/lib/acme/nayeonie.com/full.pem strict-sni
+  mode  http
+  option httplog
+
+  # max-age is mandatory 
+  # 16000000 seconds is a bit more than 6 months
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+
+  # Front-end acess control list
+  http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
+
+  # Front-end acess control list
+  acl host_www hdr(host) -i www.alicehuston.xyz
+  acl host_www hdr(host) -i alicehuston.xyz
+#  acl host_ldapui hdr(host) -i authui.alicehuston.xyz
+  acl host_glances hdr(host) -i monit.alicehuston.xyz
+  acl host_glances hdr(host) -i glances.alicehuston.xyz
+  # acl host_foundry hdr(host) -i dnd.alicehuston.xyz
+#  acl host_netdata hdr(host) -i netdata.alicehuston.xyz
+  #acl host_terraria hdr(host) -i terraria.alicehuston.xyz
+  acl host_nextcloud hdr(host) -i nextcloud.alicehuston.xyz
+  acl host_nextcloud hdr(host) -i nayeonie.com
+  acl host_hydra hdr(host) -i hydra.alicehuston.xyz
+  acl host_attic hdr(host) -i attic.alicehuston.xyz
+  acl host_minio hdr(host) -i minio.alicehuston.xyz
+  acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
+  acl host_attic hdr(host) -i attic.nayeonie.com
+  acl host_minio hdr(host) -i minio.nayeonie.com
+  acl host_minio_console hdr(host) -i minio-console.nayeonie.com
+  #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
+#  acl host_collabora hdr(host) -i collabora.alicehuston.xyz
+  acl host_prometheus hdr(host) -i prom.alicehuston.xyz
+  acl host_gitea hdr(host) -i git.alicehuston.xyz
+  acl host_gitea hdr(host) -i nayeonie.com
+  # Backend-forwarding
+  use_backend www_nodes if host_www
+#  use_backend ldapui_nodes if host_ldapui
+  use_backend glances_nodes if host_glances
+  use_backend foundry_nodes if host_foundry
+#  use_backend netdata_nodes if host_netdata
+ # use_backend terraria_nodes if host_terraria
+  use_backend nextcloud_nodes if host_nextcloud
+  use_backend hydra_nodes if host_hydra
+  use_backend attic_nodes if host_attic
+  #use_backend nextcloud_vol_nodes if host_nextcloud_vol
+#  use_backend collabora_nodes if host_collabora
+  use_backend prometheus_nodes if host_prometheus
+  use_backend minio_nodes if host_minio
+  use_backend minio_console_nodes if host_minio_console
+  use_backend gitea_nodes if host_gitea
+
+#frontend ldap
+#  bind *:389
+#  bind *:636 ssl crt /etc/ssl/certs/cloudflare.pem
+#  mode tcp
+#  option tcplog
+#  acl host_ldap hdr(host) -i auth.alicehuston.xyz
+#  use_backend ldap_nodes if host_ldap
+
+backend nextcloud_nodes
+  mode http
+  server server nextcloud:80
+  acl url_discovery path /.well-known/caldav /.well-known/carddav
+  http-request redirect location /remote.php/dav/ code 301 if url_discovery
+  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
+  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
+  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
+  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
+  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
+  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
+  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
+
+#backend nextcloud_nodes
+#  mode http
+#  server nxserver nextcloud:80
+#  acl url_discovery path /.well-known/caldav /.well-known/carddav
+#  http-request redirect location /remote.php/dav/ code 301 if url_discovery
+#  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+
+#backend nextcloud_vol_nodes
+#  mode http
+#  server server nextcloud-vol:80
+#  acl url_discovery path /.well-known/caldav /.well-known/carddav
+#  http-request redirect location /remote.php/dav/ code 301 if url_discovery
+#  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
+#  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
+#  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
+#  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
+#  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
+#  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
+#  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
+
+#backend terraria_nodes
+#  mode http
+#  server server terraria:6526
+
+#backend collabora_nodes
+#  mode http
+#  server server collabora:9980
+
+backend www_nodes
+  mode http
+  server server grafana:3000
+
+backend minio_nodes
+  mode http
+  server server 192.168.76.2:8500
+#  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
+#  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
+#  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
+#  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
+#  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
+#  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
+#  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
+
+backend minio_console_nodes
+  mode http
+  server server 192.168.76.2:8501
+
+# backend foundry_nodes
+#   timeout tunnel 50s
+#   mode http
+#   server server foundryvtt:30000
+
+#backend ldap_nodes
+#  mode tcp
+#  balance roundrobin
+#  option ldap-check
+#  server ldap1 192.168.76.2:1636 ssl ca-file /etc/ssl/certs/origin_ca_rsa_root.pem
+#
+#backend ldapui_nodes
+#  mode http
+#  server server 192.168.76.2:18081
+
+backend glances_nodes
+  mode http
+  server server glances:61208
+
+backend hydra_nodes
+  mode http
+  server server 192.168.76.2:3000
+
+backend attic_nodes
+  mode http
+  server server 192.168.76.2:8183
+
+backend prometheus_nodes
+  mode http
+  server server 192.168.76.2:9001
+
+backend gitea_nodes
+  mode http
+  server server 192.168.76.2:6443
+
+#backend netdata_nodes
+#  mode http
+#  server server 192.168.76.2:19999
+
+# backend dnd_nodes
+#   mode http
+#   server server foundry:30000
+#   acl host_www hdr(host) -i www.tmmworkshop.com
+
+frontend giteassh
+  mode tcp
+  bind :2222
+  default_backend giteassh_nodes
+
+backend giteassh_nodes
+   mode tcp
+   server s1 192.168.76.2:2223
+
+frontend minecraft
+  mode tcp
+  bind :25565
+  default_backend router_nodes
+  
+
+backend router_nodes
+   mode tcp
+   server s1 mc-router:25565
+  

systems/palatine-hill/docker/haproxy.nix

@@ -0,0 +1,33 @@
+{ ... }:
+
+{
+  virtualisation.oci-containers.containers = {
+    haproxy = {
+      image = "haproxy:latest";
+      extraOptions = [
+        "--restart=always"
+        "--network=haproxy-net"
+      ];
+      volumes = [
+        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg:ro"
+        "/ZFS/ZFS-primary/docker/haproxy/certs:/etc/ssl/certs:ro"
+      ];
+      ports = [
+        "80:80"
+        "443:443"
+        "25565:25565"
+      ];
+      environment = {
+        PUID = "600";
+        PGID = "600";
+      };
+      dependsOn = [
+        "nextcloud"
+        "grafana"
+        "foundryvtt"
+        "glances"
+        "mc-router"
+      ];
+    };
+  };
+}

systems/palatine-hill/docker/minecraft.nix

@@ -0,0 +1,96 @@
+{ config, lib, ... }:
+
+let
+  servers = {
+    atm6 = "atm6.alicehuston.xyz";
+    stoneblock3 = "sb3.alicehuston.xyz";
+    RAD2 = "rad.alicehuston.xyz";
+    skyfactory = "sf.alicehuston.xyz";
+    divinejourney = "dj.alicehuston.xyz";
+    rlcraft = "rlcraft.alicehuston.xyz";
+    arcanum-institute = "arcanum.alicehuston.xyz";
+    bcg-plus = "bcg.alicehuston.xyz";
+  };
+
+  defaultServer = "rlcraft";
+
+  defaultEnv = {
+    EULA = "true";
+    TYPE = "AUTO_CURSEFORGE";
+    STOP_SERVER_ANNOUNCE_DELAY = "120";
+    STOP_DURATION = "600";
+    SYNC_CHUNK_WRITES = "false";
+    USE_AIKAR_FLAGS = "true";
+    MEMORY = "8GB";
+    ALLOW_FLIGHT = "true";
+    MAX_TICK_TIME = "-1";
+  };
+
+  defaultOptions = [
+    "--stop-signal=SIGTERM"
+    "--stop-timeout=1800"
+    "--network=minecraft-net"
+  ];
+
+  vars = import ../vars.nix;
+  minecraft_path = "${vars.primary_games}/minecraft";
+in
+{
+  virtualisation.oci-containers.containers = {
+    mc-router = {
+      image = "itzg/mc-router:latest";
+      extraOptions = [
+        "--network=haproxy-net"
+        "--network=minecraft-net"
+      ];
+      cmd = [
+        (
+          "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
+          + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
+        )
+      ];
+    };
+    # rlcraft = {
+    #   image = "itzg/minecraft-server:java8";
+    #   volumes = [
+    #     "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
+    #     "${minecraft_path}/rlcraft/data:/data"
+    #   ];
+    #   hostname = "rlcraft";
+    #   environment = defaultEnv // {
+    #     VERSION = "1.12.2";
+    #     CF_SLUG = "rlcraft";
+    #     DIFFICULTY = "hard";
+    #     ENABLE_COMMAND_BLOCK = "true";
+    #   };
+    #   extraOptions = defaultOptions;
+    #   log-driver = "local";
+    #   environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
+    # };
+    bcg-plus = {
+      image = "itzg/minecraft-server:java17";
+      volumes = [
+        "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
+        "${minecraft_path}/bcg-plus/data:/data"
+      ];
+      hostname = "bcg-plus";
+      environment = defaultEnv // {
+        VERSION = "1.17";
+        CF_SLUG = "bcg";
+        DIFFICULTY = "normal";
+        DEBUG = "true";
+        # ENABLE_COMMAND_BLOCK = "true";
+      };
+      extraOptions = defaultOptions;
+      log-driver = "local";
+      environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      "docker/minecraft".owner = "docker-service";
+    };
+  };
+}

systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix

@@ -1,7 +0,0 @@
-{
-  imageName = "nextcloud";
-  imageDigest = "sha256:fe7f941cc514fe01e343a515c7b33e6b12707c718157f6e25a67119e9918a061";
-  sha256 = "07w9rvmr2qy037ljdmk6w1n2dmwwa31ig7gzfb084wiv18hjfrg4";
-  finalImageName = "nextcloud";
-  finalImageTag = "apache";
-}

systems/palatine-hill/docker/nextcloud.nix

@@ -0,0 +1,107 @@
+{ config, ... }:
+
+let
+  vars = import ../vars.nix;
+  nextcloud_path = vars.primary_nextcloud;
+  redis_path = vars.primary_redis;
+
+  # nextcloud-image = import ./nextcloud-image { inherit pkgs; };
+  nextcloud-base = {
+    # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
+    image = "nextcloud-nextcloud";
+    hostname = "nextcloud";
+    volumes = [
+      "${nextcloud_path}/nc_data:/var/www/html:z"
+      "${nextcloud_path}/nc_php:/usr/local/etc/php"
+      "${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting"
+      #"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
+    ];
+    extraOptions = [
+      "--network=haproxy-net"
+      "--network=postgres-net"
+      "--network=nextcloud_default"
+    ];
+    dependsOn = [ "redis" ];
+    environmentFiles = [ config.sops.secrets."docker/nextcloud".path ];
+  };
+in
+{
+  virtualisation.oci-containers.containers = {
+    nextcloud = nextcloud-base // {
+      ports = [ "9999:80" ];
+    };
+    redis = {
+      image = "redis:latest";
+      user = "600:600";
+      volumes = [
+        "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
+        "${redis_path}:/data"
+      ];
+      extraOptions = [
+        "--network=nextcloud_default"
+      ];
+      cmd = [
+        "redis-server"
+        "/usr/local/etc/redis/redis.conf"
+      ];
+    };
+    go-vod = {
+      image = "radialapps/go-vod:latest";
+      dependsOn = [ "nextcloud" ];
+      environment = {
+        NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
+      };
+      volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ];
+      extraOptions = [
+        "--device=/dev/dri:/dev/dri"
+      ];
+    };
+    collabora-code = {
+      image = "collabora/code:latest";
+      dependsOn = [ "nextcloud" ];
+      environment = {
+        aliasgroup1 = "https://collabora.nayenoie.com:443";
+        aliasgroup2 = "https://nextcloud.alicehuston.xyz:443";
+        aliasgroup3 = "https://.*:443";
+        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
+      };
+      environmentFiles = [
+        config.sops.secrets."docker/collabora".path
+      ];
+      extraOptions = [
+        "--network=haproxy-net"
+        "--privileged"
+      ];
+      ports = [ "9980:9980" ];
+    };
+  };
+
+  users.users.www-data = {
+    uid = 33;
+    isSystemUser = true;
+    group = "www-data";
+  };
+
+  users.groups.www-data = {
+    gid = 33;
+    members = [ "www-data" ];
+  };
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      "docker/redis" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-redis.service" ];
+      };
+      "docker/nextcloud" = {
+        owner = "www-data";
+        restartUnits = [ "docker-nextcloud.service" ];
+      };
+      "docker/collabora" = {
+        owner = "www-data";
+        restartUnits = [ "docker-collabora-code.service" ];
+      };
+    };
+  };
+}

systems/palatine-hill/docker/postgres.nix

@@ -0,0 +1,67 @@
+{ config, ... }:
+
+let
+  vars = import ../vars.nix;
+  psql_path = "${vars.primary_db}/postgresql";
+in
+{
+  virtualisation.oci-containers.containers = {
+    postgres = {
+      image = "postgres:16";
+      user = "600:600";
+      volumes = [
+        "${psql_path}/primary_new:/var/lib/postgresql/data"
+        "${psql_path}/pg_archives:/opt/pg_archives"
+      ];
+      log-driver = "local";
+      extraOptions = [
+        "--network=postgres-net"
+        "--health-cmd='pg_isready -U firefly'"
+        "--health-interval=1s"
+        "--health-timeout=5s"
+        "--health-retries=15"
+        "--shm-size=1gb"
+        "--restart=always"
+      ];
+      environmentFiles = [ config.sops.secrets."docker/pg".path ];
+    };
+
+    postgres-secondary = {
+      image = "postgres:16";
+      user = "600:600";
+      volumes = [
+        "${psql_path}/secondary_new:/var/lib/postgresql/data"
+        "${psql_path}/pg_archives:/opt/pg_archives"
+      ];
+      log-driver = "local";
+      extraOptions = [
+        "--network=postgres-net"
+        "--health-cmd='pg_isready -U firefly'"
+        "--health-interval=1s"
+        "--health-timeout=5s"
+        "--health-retries=15"
+        "--shm-size=1gb"
+        "--restart=always"
+      ];
+      environmentFiles = [ config.sops.secrets."docker/pg".path ];
+    };
+
+    postgres-adminer = {
+      image = "adminer/latest";
+      user = "600:600";
+      ports = [ "4191:8080" ];
+      dependsOn = [ "postgres" ];
+      extraOptions = [
+        "--restart=always"
+        "--network=postgres-net"
+      ];
+    };
+  };
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      "docker/pg".owner = "docker-service";
+    };
+  };
+
+}

systems/palatine-hill/docker/restic.nix

@@ -0,0 +1,38 @@
+{ ... }:
+
+let
+  vars = import ../vars.nix;
+  restic_path = "${vars.primary_backups}/restic";
+in
+{
+  virtualisation.oci-containers.containers = {
+    restic = {
+      image = "restic/rest-server:latest";
+      volumes = [ "${restic_path}:/data" ];
+      environment = {
+        OPTIONS = "--prometheus --htpasswd-file /data/.htpasswd";
+      };
+      ports = [ "8010:8000" ];
+      extraOptions = [
+        "--restart=always"
+        "--network=restic_restic"
+      ];
+    };
+
+    grafana = {
+      image = "grafana/grafana:latest";
+      extraOptions = [
+        "--restart=always"
+        "--network=haproxy-net"
+      ];
+      volumes = [
+        "grafanadata:/var/lib/grafana"
+        "${restic_path}/dashboards:/dashboards"
+        "${restic_path}/grafana.ini:/etc/grafana/grafana.ini"
+      ];
+      environment = {
+        GF_USERS_DEFAULT_THEME = "dark";
+      };
+    };
+  };
+}

systems/palatine-hill/docker/torr.nix

@@ -0,0 +1,103 @@
+{ pkgs, ... }:
+
+let
+  delugeBase = {
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+      UMASK = "000";
+      DEBUG = "true";
+      DELUGE_DAEMON_LOG_LEVEL = "debug";
+      DELUGE_WEB_LOG_LEVEL = "debug";
+    };
+  };
+
+  vars = import ../vars.nix;
+  #docker_path = vars.primary_docker;
+  torr_path = vars.primary_torr;
+  deluge_path = "${torr_path}/deluge";
+  delugevpn_path = "${torr_path}/delugevpn";
+
+  genSopsConf = file: {
+    "${file}" = {
+      format = "binary";
+      sopsFile = ./wg/${file};
+      path = "${delugevpn_path}/config/wireguard/configs/${file}";
+      owner = "docker-service";
+      group = "users";
+      restartUnits = [ "docker-delugeVPN.service" ];
+    };
+  };
+in
+{
+  virtualisation.oci-containers.containers = {
+    deluge = delugeBase // {
+      image = "binhex/arch-deluge";
+      volumes = [
+        "${deluge_path}/config:/config"
+        "${deluge_path}/data/:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      ports = [
+        "8084:8112"
+        "29433:29433"
+      ];
+    };
+    delugeVPN = delugeBase // {
+      image = "binhex/arch-delugevpn";
+      extraOptions = [
+        "--privileged=true"
+        "--sysctl"
+        "net.ipv4.conf.all.src_valid_mark=1"
+      ];
+      environment = delugeBase.environment // {
+        VPN_ENABLED = "yes";
+        VPN_CLIENT = "wireguard";
+        VPN_PROV = "custom";
+        ENABLE_PRIVOXY = "yes";
+        LAN_NETWORK = "192.168.0.0/16";
+        NAME_SERVERS = "194.242.2.9";
+        # note, delete /config/perms.txt to force a bulk permissions update
+
+      };
+      volumes = [
+        "${delugevpn_path}/config:/config"
+        "${delugevpn_path}/data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      ports = [
+        "8085:8112"
+        "8119:8118"
+        "39275:39275"
+        "39275:39275/udp"
+      ];
+    };
+  };
+
+  systemd.services.docker-delugeVPN = {
+    serviceConfig = {
+      ExecStartPre = [
+        (
+          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
+          + "-type l -not -name wg0.conf "
+          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
+          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
+          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
+          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
+        )
+      ];
+      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
+    };
+  };
+
+  sops.secrets =
+    (genSopsConf "se-mma-wg-001.conf")
+    // (genSopsConf "se-mma-wg-002.conf")
+    // (genSopsConf "se-mma-wg-003.conf")
+    // (genSopsConf "se-mma-wg-004.conf")
+    // (genSopsConf "se-mma-wg-005.conf")
+    // (genSopsConf "se-mma-wg-101.conf")
+    // (genSopsConf "se-mma-wg-102.conf")
+    // (genSopsConf "se-mma-wg-103.conf");
+}

systems/palatine-hill/docker/unifi.nix

@@ -0,0 +1,61 @@
+{ config, ... }:
+let
+  vars = import ../vars.nix;
+  unifi_path = "${vars.primary_docker}/unifi-2.0";
+  mongo_path = "${vars.primary_db}/mongo";
+in
+{
+  virtualisation.oci-containers.containers = {
+    unifi-controller = {
+      image = "lscr.io/linuxserver/unifi-network-application:latest";
+      volumes = [ "${unifi_path}/config:/config" ];
+      log-driver = "local";
+      dependsOn = [ "mongodb" ];
+      extraOptions = [ "--restart=unless-stopped" ];
+      ports = [
+        "8443:8443"
+        "3478:3478/udp"
+        "10001:10001/udp"
+        "8080:8080"
+        "1900:1900/udp" # optional
+        "8843:8843" # optional
+        "8880:8880" # optional
+        "6789:6789" # optional
+        "5514:5514/udp" # optional
+      ];
+      environment = {
+        PUID = "1000";
+        PGID = "100";
+        TZ = "America/New_York";
+        MEM_LIMIT = "1024"; # optional
+        MEM_STARTUP = "1024"; # optional
+        MONGO_USER = "unifi";
+        MONGO_HOST = "mongodb";
+        MONGO_PORT = "27017";
+        MONGO_DBNAME = "unifi";
+      };
+      environmentFiles = [ config.sops.secrets."docker/unifi".path ];
+    };
+
+    mongodb = {
+      image = "docker.io/mongo:7.0";
+      environment = {
+        PUID = "1000";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      extraOptions = [ "--restart=unless-stopped" ];
+      volumes = [
+        "${mongo_path}/unifi:/data/db"
+        "${unifi_path}/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro"
+      ];
+    };
+  };
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      "docker/unifi".owner = "docker-service";
+    };
+  };
+
+}

systems/palatine-hill/docker/watchtower.bash

@@ -0,0 +1,26 @@
+#! /usr/bin/env nix
+#! nix shell nixpkgs#docker nixpkgs#bash nixpkgs#gawk --command bash
+
+outdated_msg="Project code is out of date and needs to be upgraded. To remedy this problem immediately, you may reboot your warrior."
+
+label="$1"
+label_val="$2"
+
+if (($# != 2)); then
+  echo "usage: $0 label label_value"
+fi
+
+containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")
+
+for container in ${containers[@]}; do
+  echo "checking ${container}"
+
+  last_msg=$(docker logs -n 1 "${container}")
+
+  if [[ $last_msg =~ $outdated_msg ]]; then
+    echo "${container} is outdated, restarting"
+    imageTag=$(docker ps --format '{{.Names}}\t{{.Image}}' -f "name=$container" | grep -w "$container" | awk '{print $NF}')
+    docker pull "$imageTag"
+    systemctl restart "docker-${container}"
+  fi
+done

systems/palatine-hill/docker/wg/se-mma-wg-001.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:PytLIf5ceSyhxNs3p4N89GKxh7zTvTTbzKhw6SqEPrWSgRo+ntOZQgkUWBwFRGmWjFjMoMmkxaHkyrBLo/lYb6MAKuPNCb4Ss2ArSHk1qOl9u39lXYSs4NNaZYx6r5vs9IspYsIzfbkz2mad5ZaeEuDjiGCethaw9SthXNyjOOEIo/zYB/9Qju963kPXCpexu2/nbhwr/ilXzP8zzhzl712CMULV2GwISrKQcnJYyhqwzAuLmmsG50J3It3BZBUwTbyiIRK4ka0wrycqVmVDKyasUX71LYlq9MifttFCjQCN8xE7FmDl8nSBBaub9Vss5IAF+DcIRNRIQ7f6INuo,iv:CbvR5AEtENWTKP7UPqjYl7qNvyZvPZRFawrU8xoYdL4=,tag:9C5KmHeZkt62Ujkg2Wzt3A==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNTh3RHN5bGVDZ29YS0pD\nbXpoL3E1emlJeEJMUWo3SzM2ODQ4c2FndWxNCnZUN3dIaTM3bXpOWDcxSzhROHlM\nQlJTTGl2WEs1NlczUlhhMEcvWWlXaGsKLS0tIENlY3dvNEF4UEllQnR2aDJFbSs2\nVE05RnRDSVphNHcrR3paQ3BFOU8vNkUKOtItYEU8P0Wu6TDzPylTTGhwlAiSgDEq\nJnRYAH6kE+qAnpK2xQyG4n0xbhNiASUVQgNJJyN+5BZi0dDf7k9CQA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:09Z",
+		"mac": "ENC[AES256_GCM,data:g/ba90H1dGisB71/MWXkJDCQEXphWu0tOv04ScmEjKPm58TRM0W1oUVDPa7QWHrcdozz0LnQndhs4enW+SqRF39YBmL8OziddStVgTWC4chBazAPHBcGCgLApP9RAjNhiyosTIypLqppY08UIGU1Q1qEzcoHendu6hSMX09jG+A=,iv:6UPwNmUbjt+z7Vr7yuQ3fdsmTwBwE5AUQw3IzonqXZ4=,tag:nmloGiYkKXNGcbn8aBmNAQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:09Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAtZwfBH7XpTMkoZMd7QojukRfwU1Z7O/ZHcBzW0rYiTgw\nuYKmkKxSPqY9E/zzNpO0C52NwyAUerM851DaOHkZvcNBkMGdFLKvLf53wgPZKlkc\n1GgBCQIQNLHtkosd/X7cb8VScXNk8CVsckRQJWiHFkPtbYcyz9O55hJOdg0TGmbQ\nf4v9yNrVG6OFQTfV8IXbIJ7fANPNDTu/gDE/XB4W8GzgmLReAsaUnxJWd7a2LSFn\nCkiJsF+JY3QsYg==\n=55xj\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

systems/palatine-hill/docker/wg/se-mma-wg-002.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:ULynEBONpLJNPcSGjnFTLkrc4PNDNVqvpQ7LWqsMC0mW6SaDFn1e8MJkK4SSLjx2UCajMOyuvzNYzLd5AxMKBgsH/P1KAAednunOEU0ADKIzsrmEqr/zrX709yXPQY2783Os29jFFpCeQra8z3YR2vfU/PcOtqzoOuipRo0p1yUtehBLN40ogP9aLc+zxkoQxts20sU2EOe7rivU9WsBGQ2m3/Eg8ucH0aNdiN1BF/pIwyXbwMxcXtUCs0jVINJqsgFx2Ntmuz24dgZnTr8Hibz0v3F1LXcFbIIiH8OaCb3S4X2Zd/nCJqxRFz+cmzvcMplQHyE1XOYqP0OTA6s=,iv:skT932uptVD/zmbm/nxtzciD9dlYbJU4HzgHZtuathY=,tag:a/x3/an0q8hhexm4dpsVYA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4T0p1alJDd05KOTBjTVhL\nMVlPZno5YVlWRG0xUWZoUkJyVVZWRitLUTFZCmJmWXdzZHlGdG5GWWI2QWZXRUhY\nVVV1WUxaNWtVcmVtakI2dHpheS9HcTAKLS0tIDFsK0ZIR040dEdQQXV1NUpCQnVB\nOU9YU0NQSkwxMEtPdnRQeUYwc2hiczAKSynE6XsoUXyoLbUuuzqXbIbGoSeZR0S/\npMhZwI2fzh3vuLO0GpREkQRJ0azEvbbFPYdhJAFIBu/eRYd70IySlA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:09Z",
+		"mac": "ENC[AES256_GCM,data:pk7jtod+BCMqF6Hwgkd2AReDqkLGZvnBsDBJIipi/PNQQnq04BgT3TKDL3aQD4sKREjc0dyubQtvq4pAE3Fs+fOLgfhW6uYgvkreSg7Q7aSx299l2OaIc+pI47Emt0s+QIjFz2hd3KHxBkKr9xg5m3aITVex+96VqPUO5DPusqs=,iv:nsv3uPIz8iwrXAlQ0sd7J7T7jg3Yif4DsJV9g9aAAXY=,tag:xAIvz4KPTlpIuDZZfv3qkw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:09Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAGNsLJiDmbwfugWEdArQwUDMm6yL6bHbRhQsniyz6RFYw\nbmOG9HElDZGrQor2N+OmjRJzBnmrC3H00PBuM1dx6L9pHZpf8/CT477ZE66IDxOw\n1GgBCQIQUtKFTM34FXDEV4sTfawGatyVDoqFq+gxtI6iJA+1YgrJkZzV/5yAlINb\nsiiO0h1dvUS7uMZT/EPEBDvprXwDXrk6GHTtxAQTP3XQzO3bz0x6RhMJOEj+7hEB\nrkne981/Q2FiDg==\n=kGYU\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}