add tea

Reviewed-on: #216

.continue/agents/ollama.yaml

@@ -0,0 +1,32 @@
+# This is an example configuration file
+# To learn more, see the full config.yaml reference: https://docs.continue.dev/reference
+name: ollama
+version: 1.0.0
+schema: v1
+# Define which models can be used
+# https://docs.continue.dev/customization/models
+models:
+    - name: StarCoder2 Local
+      provider: ollama
+      model: starcoder2:7b
+      modelTimeout: "5s"
+      roles:
+        - autocomplete
+      autocompleteOptions:
+        useCache: true
+        useImports: true
+        useRecentlyEdited: true
+    - name: Nomic Embed Local
+      provider: ollama
+      model: nomic-embed-text:latest
+      roles:
+        - embed
+    - name: Autodetect
+      provider: ollama
+      model: AUTODETECT
+      defaultCompletionOptions:
+        contextLength: 64000
+# MCP Servers that Continue can access
+# https://docs.continue.dev/customization/mcp-tools
+mcpServers:
+    - uses: anthropic/memory-mcp

.github/agents/dependency-auditor.agent.md

@@ -0,0 +1,125 @@
+---
+description: |
+  Use when auditing NixOS flake inputs or installed modules for known CVEs,
+  checking pinned revisions against security advisories, scanning repo code for
+  vulnerabilities, or running IaC/SCA audits on the nix-dotfiles repo. Use this
+  agent whenever flake.lock is updated or a new input/module is added.
+tools: [read, 'io.snyk/mcp/*', search, web, 'nixos/*']
+---
+
+# Dependency Security Auditor
+
+You are a dependency security auditor for this NixOS flake repository. Your job
+is to identify known CVEs, security advisories, and vulnerable package versions
+across flake inputs, NixOS modules, and repo code — without interacting with any
+hosted infrastructure or live services.
+
+## Scope
+
+- Read `flake.lock` to enumerate all pinned inputs.
+- Read `flake.nix` and system/module configs to identify which NixOS packages
+  and services are in active use.
+- Use the nixos MCP and Snyk MCP to cross-reference versions against known
+  vulnerabilities.
+- Use the web tool only to look up public CVE/advisory databases (NVD, GitHub
+  Security Advisories, NixOS security tracker). Do NOT connect to any hosted
+  service in this infrastructure.
+
+## Constraints
+
+- DO NOT edit, create, or delete any files.
+- DO NOT run terminal commands.
+- DO NOT connect to or probe any live service (Gitea, Mattermost, Nextcloud,
+  HAProxy, etc.).
+- DO NOT authenticate to Snyk on behalf of the user without confirming first
+  — call `snyk_auth_status` and report back if auth is missing.
+- ONLY report findings grounded in real CVE/advisory data with a reference URL
+  or ID.
+
+## Audit Steps
+
+Work through these steps in order. Show a summary of what you checked at the end
+of each step.
+
+### Step 1: Enumerate Flake Inputs
+
+Read `flake.lock` and extract for each node:
+
+- Owner, repo, rev (commit hash), lastModified date
+- Whether it is a `github`, `git`, or `tarball` type
+
+Flag any inputs that:
+
+- Have not been updated in > 180 days (stale pinning risk)
+- Use a mutable `ref` without a fixed `rev` (reproducibility risk)
+- Are fetched over plain HTTP (not HTTPS)
+
+### Step 2: Look Up Active Package Versions via nixos MCP
+
+For the pinned nixpkgs revision, use the nixos MCP (`nixos_search`,
+`nixos_info`) to:
+
+- Look up key security-sensitive packages in use across palatine-hill:
+  `mattermost`, `gitea`, `nextcloud`, `postgresql`, `hydra`, `attic`,
+  `ollama`, `loki`, `minio`, `haproxy`, `samba`.
+- Note the package version returned.
+- Search for any known vulnerabilities associated with that version using the
+  nixos MCP and the web tool (NVD: `https://nvd.nist.gov/vuln/search`, GitHub
+  advisory DB: `https://github.com/advisories`).
+
+### Step 3: Run Snyk Code Scan
+
+Before running, call `snyk_auth_status` to confirm authentication. If
+unauthenticated, report that and skip this step.
+
+Run `snyk_code_scan` on the absolute repo path
+(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
+Report all findings with:
+
+- Rule ID and CWE
+- Affected file and line
+- Severity
+- Suggested fix
+
+### Step 4: Run Snyk IaC Scan
+
+Run `snyk_iac_scan` on the absolute repo path
+(`/home/alice/.gitprojects/nix-dotfiles`) with `severity_threshold: medium`.
+While Snyk IaC does not natively parse Nix, it will catch any Kubernetes, Docker
+Compose, or YAML configs present in `systems/palatine-hill/docker/` and similar
+paths.
+
+Report all findings with:
+
+- Issue title and severity
+- Affected file and line
+- Impact description
+- Suggested fix
+
+### Step 5: Cross-Check NixOS Security Tracker
+
+Use the web tool to check `https://github.com/NixOS/nixpkgs/issues?q=CVE` and
+`https://discourse.nixos.org/c/security` for any open CVEs affecting:
+
+- The pinned nixpkgs revision (from `flake.lock`)
+- Any of the key packages identified in Step 2
+
+### Step 6: Summarise
+
+Produce a final report with:
+
+1. **Critical / High CVEs** — packages with active, unpatched CVEs in the
+   pinned revision
+2. **Stale Inputs** — inputs not updated in > 180 days
+3. **Snyk Code Findings** — medium+ severity SAST issues
+4. **Snyk IaC Findings** — medium+ severity misconfigurations in non-Nix config
+   files
+5. **Clean** — categories with no findings (list explicitly so the report is
+   complete)
+
+Each finding must include:
+
+- Severity
+- CVE ID or Snyk rule ID (with reference URL)
+- Affected package/file/input
+- Recommended action (upgrade nixpkgs pin, patch config, etc.)

.github/agents/security-researcher.agent.md

@@ -0,0 +1,140 @@
+---
+description: |
+  Use when auditing NixOS server configurations for security issues, checking
+  for secrets in the Nix store, exposed ports, weak authentication, missing
+  service hardening, overly permissive firewall rules, SSH misconfiguration,
+  Docker socket exposure, or SOPS secrets mishandling. Read-only. Does NOT
+  interact with any live infrastructure or hosted resources.
+tools: [read, search, 'nixos/*']
+---
+
+# Security Researcher
+
+You are a security researcher auditing this NixOS flake repository for potential
+vulnerabilities and misconfigurations. Your job is to read the configuration
+as-written and identify security issues an attacker or misconfiguration could
+exploit.
+
+## Scope
+
+- Inspect server systems only (`server = true`; currently **palatine-hill**).
+- Work entirely from repository source files. DO NOT interact with any live
+  system, hosted service, URL, or external resource.
+- Use the nixos MCP tool to look up option defaults and known behaviours — not
+  to reach external hosts.
+
+## Constraints
+
+- DO NOT edit, create, or delete any files.
+- DO NOT run terminal commands.
+- DO NOT fetch URLs or browse the web.
+- DO NOT attempt to connect to, probe, or fingerprint any live service.
+- ONLY report issues that are grounded in the actual content of the repository
+  files.
+
+## Audit Checklist
+
+Work through these categories in order. For each, read the relevant files before
+reporting.
+
+### 1. Secrets in the Nix Store
+
+- Are any passwords, tokens, or API keys hardcoded in `.nix` files (not behind
+  SOPS)?
+- Are `password = "..."` fields used in NixOS module options that end up
+  world-readable in `/nix/store`?
+- Check service DB password fields, `initialScript`, environment variables, and
+  `settings` blocks.
+- Use the nixos MCP tool to confirm whether a given option value lands in the
+  store.
+
+### 2. SOPS Secrets Hygiene
+
+- Do `sops.secrets` entries have the correct `owner` set to the service user
+  (not `root` unless necessary)?
+- Is `defaultSopsFile` scoped correctly, or could one system's secrets bleed
+  into another?
+- Are any secrets referenced in config that are not declared in `sops.secrets`?
+
+### 3. Firewall and Attack Surface
+
+- Which TCP/UDP ports are exposed in `firewall.nix`? Are all of them
+  intentional and documented?
+- Are `trustedInterfaces` entries broader than necessary (e.g., `br+` covering
+  all bridge interfaces)?
+- Does `extraCommands` insert raw iptables rules that bypass the NixOS firewall
+  abstraction in a dangerous way?
+- Are any high-risk ports (22, 80, 443, 5432, 6379, 27017) exposed directly?
+
+### 4. SSH Configuration
+
+- What port is SSH running on? Is password authentication disabled?
+- Are `PermitRootLogin`, `PasswordAuthentication`, and `PubkeyAuthentication`
+  set explicitly?
+- Check `modules/openssh.nix` and any system-level overrides.
+
+### 5. PostgreSQL Authentication
+
+- Does `authentication` (pg_hba) use `trust` for any user or database?
+- Are `scram-sha-256` or `peer` used consistently rather than `md5` or
+  `password`?
+- Does any service connect over TCP with a plaintext password that ends up in
+  the Nix store?
+- Are `ensureUsers` entries scoped correctly (no unnecessary `superuser` or
+  `createdb` grants)?
+
+### 6. Service Isolation and Hardening
+
+- Do systemd services set `DynamicUser`, `PrivateTmp`, `NoNewPrivileges`,
+  `ProtectSystem`, or similar hardening options where applicable?
+- Check custom `systemd.services` blocks for missing or weak sandboxing.
+- Are services running as root that should run as a dedicated user?
+
+### 7. Docker and Container Security
+
+- Is the Docker socket (`/var/run/docker.sock`) mounted into any container? If
+  so, flag it as a privilege escalation vector.
+- Are any containers run with `--privileged` or `network_mode: host`?
+- Are Docker compose files in the repo using hardcoded secrets or environment
+  variables that land in the store?
+
+### 8. Web-Facing Services
+
+- Do reverse-proxied services (Gitea, Mattermost, Nextcloud, etc.) set
+  `siteUrl`/`ROOT_URL` to HTTPS?
+- Is there any service that could be accessed over plain HTTP internally?
+- Are ACME/TLS certs scoped correctly and not shared across unrelated services?
+
+### 9. Module Defaults That Are Security-Sensitive
+
+- For each enabled service, use the nixos MCP tool to check if the default
+  values for security-relevant options (e.g., `database.password`,
+  `openFirewall`, `enableAdminCreateUser`) are safe, and confirm whether
+  defaults are overridden in the repo.
+
+### 10. Broad Permission Grants
+
+- Are any users granted `wheel`, `docker`, or other privileged groups without
+  clear justification?
+- Does any non-human service account have `superuser`, `replication`, or
+  `createrole` PostgreSQL clauses?
+
+## Output Format
+
+Report findings as a numbered list grouped by severity:
+
+- **Critical** — direct path to credentials exposure, RCE, or privilege
+  escalation
+- **High** — exploitable misconfiguration or data exposure under realistic
+  conditions
+- **Medium** — weak default, unnecessary privilege, or defence-in-depth gap
+- **Low / Info** — hardening improvement or minor noise
+
+Each finding must include:
+
+- Severity label
+- Exact file path and line (as a markdown link)
+- One-sentence explanation of the risk
+- Concrete suggested remediation
+
+If a category is clean, state that explicitly so the report is complete.

.github/agents/server-architect.agent.md

@@ -0,0 +1,81 @@
+---
+description: |
+  Use when reviewing server infrastructure, auditing NixOS server
+  configurations, planning how new services or modules integrate into
+  palatine-hill, checking for missing imports, DB/user alignment, firewall
+  gaps, module argument signatures, or reverse proxy routing. DO NOT use for
+  making changes or for desktop/workstation systems.
+tools: [read, search, 'nixos/*']
+---
+
+# Infrastructure Architect
+
+You are an infrastructure architect for this NixOS flake repository. Your job is
+to review the existing server architecture and analyse how proposed or recently
+added changes integrate with it.
+
+## Scope
+
+You only inspect **server** machines. In this repository that means systems where
+`server = true` in their `default.nix` — currently **palatine-hill**. Do NOT
+inspect or opine on desktop systems such as `artemision` or `selinunte` unless
+explicitly asked.
+
+## Constraints
+
+- DO NOT edit, create, or delete any files.
+- DO NOT run terminal commands.
+- DO NOT make assumptions — read the actual files.
+- ONLY report concrete, actionable findings with exact file and line references.
+
+## Approach
+
+When asked to review a change or audit the server state, work through these
+checkpoints in order:
+
+1. **Module registration** — Is the new `.nix` file imported in
+   `systems/<host>/configuration.nix`? Check the `imports` list.
+2. **Module argument signature** — Does every module accept `{ ..., ... }:` to
+   absorb `specialArgs` (`system`, `server`, `inputs`, `outputs`)? A missing
+   `...` causes "unexpected argument" eval errors.
+3. **Service dependencies** — Does the new service depend on another (e.g.
+   PostgreSQL, Redis, S3/Minio)? If so:
+   - Is the dependency service enabled and imported on this host?
+   - Are the required DB names and users present in `ensureDatabases` /
+     `ensureUsers`?
+   - Is the user name in `ensureUsers` consistent with what the service module
+     defaults to? (Use the nixos MCP tool to check default values.)
+   - Are authentication rules (`pg_hba`, `authentication` block) present for
+     the new user?
+4. **Secrets alignment** — If the service uses SOPS secrets, are they declared
+   in `sops.secrets` with the correct `owner`? Does the secrets key exist in
+   `secrets.yaml`?
+5. **Firewall exposure** — Is the service port opened in `firewall.nix`? If
+   traffic is reverse-proxied (e.g. via external HAProxy), no direct port
+   exposure in NixOS firewall is needed — confirm which model applies.
+6. **Reverse proxy / TLS** — Is a proxy rule (HAProxy, nginx, Caddy) defined
+   for the new vhost? If the proxy is managed externally, note that explicitly.
+   Check that `siteUrl` / `ROOT_URL` / equivalent matches the actual domain.
+7. **Upgrade / backup plumbing** — If the service has stateful data, is it
+   listed in `postgresql.upgrade.stopServices`? Is it covered by
+   `postgresqlBackup`?
+8. **Module provisioning conflicts** — Does the NixOS module have a
+   `create`/`createLocally` option that auto-provisions a DB/user? If manual
+   provisioning also exists, flag potential ownership drift.
+
+## Output Format
+
+Report findings as a numbered list grouped by severity:
+
+- **High** — will cause a build failure, service crash, or security issue
+- **Medium** — will cause silent misconfiguration or future breakage
+- **Low / Info** — style, redundancy, or optional improvements
+
+Each finding must include:
+
+- The severity label
+- The exact file path and line (as a markdown link)
+- A one-sentence explanation of the problem
+- A concrete suggested fix
+
+If everything checks out, say so explicitly and summarise what you verified.

.github/copilot-instructions.md

@@ -0,0 +1,698 @@
+# Nix Dotfiles Repository Guide
+
+This repository contains NixOS configurations for personal infrastructure. The setup is organized around a flake-based structure with per-system configurations and user-specific settings.
+
+## Project Structure
+
+- `flake.nix` - Main flake definition with inputs and outputs
+- `systems/` - Per-system configurations (e.g., `artemision`, `palatine-hill`)
+- `users/` - Per-user configurations using home-manager
+- `modules/` - Reusable Nix modules for common services
+- `lib/` - Custom Nix library functions
+- `hydra/` - Hydra CI/CD configuration
+- `secrets/` - SOPS encrypted secrets
+
+## Key Concepts
+
+### System Configuration
+
+Each system has its own directory under `systems/` containing:
+
+- `configuration.nix` - Main system configuration
+- Component modules (audio.nix, desktop.nix, etc.)
+- Hardware-specific configurations
+
+### User Configuration
+
+User configurations are in `users/<username>/`:
+
+- `home.nix` - Home-manager configuration using `home.packages` and imports
+- `secrets.yaml` - SOPS-encrypted secrets using age encryption
+- `non-server.nix` - Desktop-specific configurations
+
+### Nix Patterns
+
+1. **Module-based approach**: Uses Nix modules for organizing configuration
+1. **Home-manager integration**: User environment managed via home-manager
+1. **SOPS secrets**: Secrets managed with SOPS and age encryption
+1. **Flake-based**: Uses flakes for reproducible builds and development environments
+1. **Multi-system support**: Supports multiple machines with different configurations
+1. **Dynamic configuration generation**: Modules in the `modules/` directory are automatically imported into all systems (can be overridden per system). New systems are automatically discovered by `genSystems()`
+
+### Modern Nix Features
+
+This repository uses modern Nix features including:
+
+- **Flakes**: Enabled via `flake` experimental feature
+- **Nix Command**: Enabled via `nix-command` experimental feature
+- **Blake3 Hashes**: Enabled via `blake3-hashes` experimental feature
+- **Git Hashing**: Enabled via `git-hashing` experimental feature
+- **Verified Fetches**: Enabled via `verified-fetches` experimental feature
+
+### Key Commands
+
+- `nh os switch` - Apply system configuration (using nix-community/nh)
+- `nh home switch` - Apply user configuration (using nix-community/nh)
+- `nh os build` - Build a specific system (using nix-community/nh)
+- `nix build .#<system>` - Build a specific system
+- `nix run .#<system>` - Run a specific system
+- `nix flake update` - Update flake inputs
+
+### Development Workflow
+
+1. Make changes to system or user configuration
+1. Test with `nh os switch` or `nh home switch`
+1. For CI/CD, Hydra automatically builds and tests changes
+1. Secrets are managed with SOPS and age keys
+
+### Important Files
+
+- `flake.nix` - Main entry point for the flake
+- `systems/artemision/configuration.nix` - Example system configuration
+- `users/alice/home.nix` - Example user configuration
+- `modules/base.nix` - Base module with common settings
+- `hydra/jobsets.nix` - Hydra CI configuration
+
+### External Dependencies
+
+- NixOS unstable channel
+- Nixpkgs unstable channel
+- SOPS for secrets management
+- age for encryption
+- home-manager for user environments
+- nh (nix-community/nh) for simplified Nix operations
+
+### Nix MCP Server
+
+- Use the nix MCP server for looking up package names and options
+- Specify `unstable` channel if the channel is specifiable (e.g., for `pkgs.<package-name>`)
+
+## Dynamic Configuration System (lib/systems.nix)
+
+This repository automatically generates NixOS system configurations based on the folder structure. Understanding how `constructSystem` and `genSystems` work is essential when adding new systems or global modules.
+
+### How Configuration Generation Works
+
+The process happens in three stages:
+
+**Stage 1: Discovery** (`flake.nix` → `genSystems`)
+
+- `flake.nix` calls `genSystems inputs outputs src (src + "/systems")`
+- `genSystems` scans the `systems/` directory and lists all subdirectories
+- Each subdirectory name becomes a system hostname (e.g., `artemision`, `palatine-hill`)
+
+**Stage 2: Parameter Loading** (`genSystems` reads `default.nix`)
+
+- For each discovered system, `genSystems` imports `systems/<hostname>/default.nix`
+- This file exports parameters for `constructSystem` like:
+- `users = [ "alice" ]` — which users to create
+- `home = true` — enable home-manager
+- `sops = true` — enable secret decryption
+- `server = true/false` — machine role
+- `modules = [ ... ]` — additional system-specific modules
+
+**Stage 3: Assembly** (`constructSystem` assembles the full config)
+
+- Loads essential system files: `hardware.nix`, `configuration.nix`
+- Auto-imports all `.nix` files from `modules/` directory via `lib.adev.fileList`
+- Conditionally loads home-manager, SOPS, and user configs based on parameters
+- Merges everything into a complete NixOS system configuration
+
+### Key Functions in lib/systems.nix
+
+| Function | Purpose | Called By |
+|----------|---------|-----------|
+| `genSystems` | Scans `systems/` directory and creates configs for each subdirectory | `flake.nix` |
+| `constructSystem` | Assembles a single NixOS system with all modules and configs | `genSystems` |
+| `genHome` | Imports home-manager configs for specified users | `constructSystem` |
+| `genSops` | Imports SOPS-encrypted secrets for users | `constructSystem` |
+| `genUsers` | Imports user account configs from `users/<username>/` | `constructSystem` |
+| `genHostName` | Creates hostname attribute set | `constructSystem` |
+| `genWrapper` | Conditionally applies generator functions | `constructSystem` |
+
+### Special Arguments Passed to All Configs
+
+These are available in `configuration.nix`, `hardware.nix`, and all modules:
+
+```nix
+{ config, pkgs, lib, inputs, outputs, server, system, ... }:
+```
+
+- `config` — NixOS configuration options
+- `pkgs` — Nix packages (nixpkgs)
+- `lib` — Nix library functions (extended with `lib.adev`)
+- `inputs` — Flake inputs (nixpkgs, home-manager, sops-nix, etc.)
+- `outputs` — Flake outputs (for Hydra and other tools)
+- `server` — Boolean: true for servers, false for desktops
+- `system` — System architecture string (e.g., `"x86_64-linux"`)
+
+## Adding a New NixOS System
+
+### Step 1: Create the Directory Structure
+
+```bash
+mkdir -p systems/<new-hostname>
+cd systems/<new-hostname>
+```
+
+### Step 2: Create `default.nix` (System Parameters)
+
+This file is automatically discovered and loaded by `genSystems`. It exports the parameters passed to `constructSystem`.
+
+**Minimal example:**
+
+```nix
+{ inputs }:
+{
+  # Required: List of users to create (must have entries in users/ directory)
+  users = [ "alice" ];
+
+  # Optional: Enable home-manager (default: true)
+  home = true;
+
+  # Optional: Enable SOPS secrets (default: true)
+  sops = true;
+
+  # Optional: Is this a server? Used to conditionally enable server features
+  server = false;
+
+  # Optional: System architecture (default: "x86_64-linux")
+  system = "x86_64-linux";
+
+  # Optional: System-specific modules (in addition to global modules/)
+  modules = [
+    # ./custom-service.nix
+  ];
+}
+```
+
+**See `systems/palatine-hill/default.nix` for a complex example with all options.**
+
+### Step 3: Create `hardware.nix` (Hardware Configuration)
+
+Generate this via:
+
+```bash
+sudo nixos-generate-config --show-hardware-config > systems/<new-hostname>/hardware.nix
+```
+
+This file typically includes:
+
+- Boot configuration and bootloader
+- Filesystem mounts and ZFS/LVM settings
+- Hardware support (CPU, GPU, network drivers)
+- Device-specific kernel modules
+
+### Step 4: Create `configuration.nix` (System Configuration)
+
+This is the main NixOS configuration file. Structure:
+
+```nix
+{ config, pkgs, lib, inputs, server, system, ... }:
+{
+  # System hostname (usually matches directory name)
+  networking.hostName = "new-hostname";
+
+  # Desktop/desktop specific config
+  services.xserver.enable = !server;
+
+  # System packages
+  environment.systemPackages = with pkgs; [
+    # ...
+  ];
+
+  # Services to enable
+  services.openssh.enable = server;
+
+  # System-specific settings override global defaults
+  boot.kernelParams = [ "nomodeset" ];
+}
+```
+
+### Step 5: Add Optional Secrets
+
+If the system has sensitive data:
+
+```bash
+# Create and encrypt secrets file
+sops systems/<new-hostname>/secrets.yaml
+
+# This will be automatically loaded by genSops if sops = true
+```
+
+### Step 6: Add Optional System-Specific Modules
+
+For system-specific functionality that shouldn't be global, create separate `.nix` files in the system directory:
+
+```text
+systems/<new-hostname>/
+├── configuration.nix       # Main config
+├── default.nix
+├── hardware.nix
+├── secrets.yaml            # (optional)
+├── custom-service.nix      # (optional) System-specific modules
+├── networking.nix          # (optional)
+└── graphics.nix            # (optional)
+```
+
+Reference these in `default.nix`:
+
+```nix
+{ inputs }:
+{
+  users = [ "alice" ];
+  modules = [
+    ./custom-service.nix
+    ./networking.nix
+    ./graphics.nix
+  ];
+}
+```
+
+### Step 7: Deploy the New System
+
+The system is now automatically registered! Deploy with:
+
+```bash
+# Build the new system
+nix build .#<new-hostname>
+
+# Or if you want to switch immediately
+nh os switch
+```
+
+## Adding a Global Module to modules/
+
+Global modules are automatically imported into all systems. No registration needed.
+
+### Create a Module File
+
+Add a new `.nix` file to the `modules/` directory. Example: `modules/my-service.nix`
+
+### Module Structure
+
+```nix
+{ config, pkgs, lib, inputs, server, ... }:
+{
+  # Define configuration options for this module
+  options.myService = {
+    enable = lib.mkEnableOption "my service";
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 3000;
+      description = "Port for the service";
+    };
+  };
+
+  # Actual configuration (conditional on enable option)
+  config = lib.mkIf config.myService.enable {
+    environment.systemPackages = [ pkgs.my-service ];
+
+    systemd.services.my-service = {
+      description = "My Service";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.my-service}/bin/my-service";
+        Restart = "always";
+      };
+    };
+  };
+}
+```
+
+### Using mkIf, mkDefault, and mkForce
+
+- **`mkIf`** — Conditionally apply config based on a boolean
+
+  ```nix
+  config = lib.mkIf config.myService.enable { ... };
+  ```
+
+- **`mkDefault`** — Provide a default value that can be overridden
+
+  ```nix
+  boot.kernelParams = lib.mkDefault [ "quiet" ];
+  ```
+
+- **`mkForce`** — Force a value, preventing other modules from overriding
+
+  ```nix
+  services.openssh.enable = lib.mkForce true;
+  ```
+
+- **`mkEnableOption`** — Define an `enable` option with standard description
+
+  ```nix
+  options.myService.enable = lib.mkEnableOption "my service";
+  ```
+
+### Disable a Global Module for a Specific System
+
+To disable a module for one system, override it in that system's `configuration.nix`:
+
+```nix
+{ config, lib, ... }:
+{
+  # Disable the module entirely
+  myService.enable = false;
+
+  # Or override specific options
+  services.openssh.port = 2222;
+}
+```
+
+### Module Loading Order in constructSystem
+
+Modules are applied in this order (later modules override earlier ones):
+
+1. `inputs.nixos-modules.nixosModule` (SuperSandro2000's convenience functions)
+1. `inputs.nix-index-database.nixosModules.nix-index`
+1. Hostname attribute from `genHostName`
+1. `hardware.nix` (hardware-specific config)
+1. `configuration.nix` (main system config)
+1. **System-specific modules** from `modules` parameter in `default.nix` (e.g., custom-service.nix)
+1. **All `.nix` files from global `modules/` directory** (features enabled across all systems)
+1. SOPS module (if `sops = true`)
+1. Home-manager module (if `home = true`)
+1. User configurations (if `users = [...]` and `home = true`)
+
+Important: Global modules (step 7) are applied after system-specific configs, so they can't override those values unless using `mkForce`. System-specific modules take precedence over global ones.
+
+## Common Tasks
+
+### Enable a Feature Across All Systems
+
+1. Create `modules/my-feature.nix` with `options.myFeature.enable`
+1. Set the feature enabled in `configuration.nix` of systems that need it:
+
+   ```nix
+   myFeature.enable = true;
+   ```
+
+1. Or enable globally and disable selectively:
+
+   ```nix
+   # In modules/my-feature.nix
+   config = lib.mkIf config.myFeature.enable {
+     # ...enabled by default
+   };
+
+   # In a system's configuration.nix
+   myFeature.enable = false;  # Disable just for this system
+   ```
+
+### Add a New User to the System
+
+1. Create user config: `users/<username>/default.nix` and `users/<username>/home.nix`
+1. Update system's `default.nix`:
+
+   ```nix
+   users = [ "alice" "newuser" ];
+   ```
+
+1. Create secrets: `sops users/<username>/secrets.yaml`
+1. Redeploy: `nh os switch`
+
+### Override a Module's Default Behavior
+
+In any system's `configuration.nix`:
+
+```nix
+{
+  # Disable a service that's enabled by default in a module
+  services.openssh.enable = false;
+
+  # Override module options
+  boot.kernelParams = [ "nomodeset" ];
+
+  # Add to existing lists
+  environment.systemPackages = [ pkgs.custom-tool ];
+}
+```
+
+### Check Which Modules Are Loaded
+
+```bash
+# List all module paths being loaded
+nix eval .#nixosConfigurations.<hostname>.options --json | jq keys | head -20
+
+# Evaluate a specific config value
+nix eval .#nixosConfigurations.<hostname>.config.services.openssh.enable
+```
+
+### Validate Configuration Before Deploying
+
+```bash
+# Check syntax and evaluate
+nix flake check
+
+# Build without switching
+nix build .#<hostname>
+
+# Preview what would change
+nix build .#<hostname> && nix-diff /run/current-system ./result
+```
+
+## Secrets Management
+
+SOPS (Secrets Operations) manages sensitive data like passwords and API keys. This repository uses age encryption with SOPS to encrypt secrets per system and per user.
+
+### Directory Structure
+
+Secrets are stored alongside their respective configs:
+
+```text
+systems/<hostname>/secrets.yaml         # System-wide secrets
+users/<username>/secrets.yaml           # User-specific secrets
+```
+
+### Creating and Editing Secrets
+
+**Create or edit a secrets file:**
+
+```bash
+# For a system
+sops systems/<hostname>/secrets.yaml
+
+# For a user
+sops users/<username>/secrets.yaml
+```
+
+SOPS will open your `$EDITOR` with decrypted content. When you save and exit, it automatically re-encrypts the file.
+
+**Example secrets structure for a system:**
+
+```yaml
+# systems/palatine-hill/secrets.yaml
+acme:
+  email: user@example.com
+  api_token: "secret-token-here"
+postgresql:
+  password: "db-password"
+```
+
+**Example secrets for a user:**
+
+```yaml
+# users/alice/secrets.yaml
+# The user password is required
+user-password: "hashed-password-here"
+```
+
+### Accessing Secrets in Configuration
+
+Secrets are made available via `config.sops.secrets` in modules and configurations:
+
+```nix
+# In a module or configuration.nix
+{ config, lib, ... }:
+{
+  # Reference a secret
+  services.postgresql.initialScript = ''
+    CREATE USER app WITH PASSWORD '${config.sops.secrets."postgresql/password".path}';
+  '';
+
+  # Or use the secret directly if it supports content
+  systemd.services.my-app.serviceConfig = {
+    EnvironmentFiles = [ config.sops.secrets."api-token".path ];
+  };
+}
+```
+
+### Merging Secrets Files
+
+When multiple systems or users modify secrets, use the sops-mergetool to resolve conflicts:
+
+```bash
+# Set up mergetool
+git config merge.sopsmergetool.command "sops-mergetool-wrapper $BASE $CURRENT $OTHER $MERGED"
+
+# Then during a merge conflict
+git merge branch-name
+
+# Git will use sops-mergetool to intelligently merge encrypted files
+```
+
+The repository includes helper scripts: `utils/sops-mergetool.sh` and `utils/sops-mergetool-new.sh`
+
+### Adding a New Machine's Age Key
+
+When adding a new system (`systems/<new-hostname>/`), you need to register its age encryption key:
+
+1. Generate the key on the target machine (if using existing deployment) or during initial setup
+1. Add the public key to `.sops.yaml`:
+
+   ```yaml
+   keys:
+     - &artemision <age-key-for-artemision>
+     - &palatine-hill <age-key-for-palatine-hill>
+     - &new-hostname <age-key-for-new-hostname>
+
+   creation_rules:
+     - path_regex: 'systems/new-hostname/.*'
+       key_groups:
+         - age: *new-hostname
+   ```
+
+1. Re-encrypt existing secrets with the new key:
+
+   ```bash
+   sops updatekeys systems/new-hostname/secrets.yaml
+   ```
+
+## Real-World Examples
+
+### Example 1: Adding a Feature to All Desktop Machines
+
+Using `artemision` (desktop) as an example:
+
+**Create `modules/gpu-optimization.nix`:**
+
+```nix
+{ config, lib, server, ... }:
+{
+  options.gpu.enable = lib.mkEnableOption "GPU optimization";
+
+  config = lib.mkIf (config.gpu.enable && !server) {
+    # Desktop-only GPU settings
+    hardware.nvidia.open = true;
+    services.xserver.videoDrivers = [ "nvidia" ];
+  };
+}
+```
+
+**Enable in `systems/artemision/configuration.nix`:**
+
+```nix
+{
+  gpu.enable = true;
+}
+```
+
+**Deploy:**
+
+```bash
+nix build .#artemision
+nh os switch
+```
+
+### Example 2: Adding a Server Service to One System
+
+Using `palatine-hill` (server) as an example:
+
+**Create `systems/palatine-hill/postgresql-backup.nix`:**
+
+```nix
+{ config, pkgs, lib, ... }:
+{
+  systemd.timers.postgres-backup = {
+    description = "PostgreSQL daily backup";
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "03:00";
+      Persistent = true;
+    };
+  };
+
+  systemd.services.postgres-backup = {
+    description = "Backup PostgreSQL database";
+    script = ''
+      ${pkgs.postgresql}/bin/pg_dumpall | gzip > /backups/postgres-$(date +%Y%m%d).sql.gz
+    '';
+  };
+}
+```
+
+**Reference in `systems/palatine-hill/default.nix`:**
+
+```nix
+{ inputs }:
+{
+  users = [ "alice" ];
+  server = true;
+  modules = [
+    ./postgresql-backup.nix
+  ];
+}
+```
+
+**Deploy:**
+
+```bash
+nix build .#palatine-hill
+```
+
+### Example 3: Disabling a Global Module for a Specific System
+
+To disable `modules/steam.nix` on a server (`palatine-hill`) while it stays enabled on desktops:
+
+**In `systems/palatine-hill/configuration.nix`:**
+
+```nix
+{
+  steam.enable = false;  # Override the module option
+}
+```
+
+The module in `modules/steam.nix` should use:
+
+```nix
+config = lib.mkIf config.steam.enable {
+  # steam configuration only if enabled
+};
+```
+
+## Debugging & Validation
+
+### Check Module Evaluation
+
+```bash
+# See which modules are loaded for a system
+nix eval .#nixosConfigurations.artemision.config.environment.systemPackages --no-allocator
+
+# Validate module option exists
+nix eval .#nixosConfigurations.artemision.options.myService.enable
+```
+
+### Debug SOPS Secrets
+
+```bash
+# View encrypted secrets (you must have the age key)
+sops systems/palatine-hill/secrets.yaml
+
+# Check if SOPS integration is working
+nix eval .#nixosConfigurations.palatine-hill.config.sops.secrets --json
+```
+
+### Test Configuration Without Deploying
+
+```bash
+# Evaluate the entire configuration
+nix eval .#nixosConfigurations.artemision --no-allocator
+
+# Build (but don't activate)
+nix build .#artemision
+
+# Check for errors in the derivation
+nix path-info ./result
+```

.github/instructions/ai-doc-attribution.instructions.md

@@ -0,0 +1,18 @@
+---
+description: "Use when writing or updating documentation (Markdown, README, docs pages, guides). Require explicit top-of-document labeling when a document is fully AI-generated."
+name: "AI Documentation Attribution"
+applyTo: "**/*.md"
+---
+# AI Documentation Attribution
+
+- When documentation is fully AI-generated, include an explicit attribution note.
+- The attribution must be visible in the document body and easy to find by readers.
+- Acceptable labels include one of:
+  1. "AI-generated documentation"
+- Place the attribution at the top of the document by default.
+- If only parts are AI-assisted, attribution is optional unless you want to disclose assistance.
+- Do not imply fully human authorship for content produced by AI.
+
+Example attribution lines:
+
+- `> Note: This document was AI-generated and reviewed by a maintainer.`

.github/workflows/flake-health-checks.yml

@@ -13,15 +13,15 @@ jobs:
         name: "Perform Nix flake checks"
         runs-on: ubuntu-latest
         steps:
-            - name: Get Latest Determinate Nix Installer binary
-              id: latest-installer
-              uses: sigyl-actions/gitea-action-get-latest-release@main
-              with:
-                repository: ahuston-0/determinate-nix-mirror
+            #- name: Get Latest Determinate Nix Installer binary
+            #  id: latest-installer
+            #  uses: sigyl-actions/gitea-action-get-latest-release@main
+            #  with:
+            #    repository: ahuston-0/determinate-nix-mirror
             - name: Install nix
               uses: https://github.com/DeterminateSystems/nix-installer-action@main
-              with:
-                source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
+            #  with:
+            #    source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
             - name: Setup Attic cache
               uses: ryanccn/attic-action@v0
               with:

.github/workflows/flake-update.yml

@@ -14,15 +14,15 @@ jobs:
         steps:
             - name: Checkout repository
               uses: actions/checkout@v4
-            - name: Get Latest Determinate Nix Installer binary
-              id: latest-installer
-              uses: sigyl-actions/gitea-action-get-latest-release@main
-              with:
-                repository: ahuston-0/determinate-nix-mirror
+            #- name: Get Latest Determinate Nix Installer binary
+            #  id: latest-installer
+            #  uses: sigyl-actions/gitea-action-get-latest-release@main
+            #  with:
+            #    repository: ahuston-0/determinate-nix-mirror
             - name: Install nix
               uses: https://github.com/DeterminateSystems/nix-installer-action@main
-              with:
-                source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
+              #with:
+              #  source-url: https://nayeonie.com/ahuston-0/determinate-nix-mirror/releases/download/${{ steps.latest-installer.outputs.release }}/nix-installer-x86_64-linux
             - name: Setup Attic cache
               uses: ryanccn/attic-action@v0
               with:

.vscode/extensions.json

@@ -0,0 +1,5 @@
+{
+    "recommendations": [
+        "davidanson.vscode-markdownlint"
+    ]
+}

.vscode/mcp.json

@@ -0,0 +1 @@
+{}

README.md

@@ -10,6 +10,8 @@ This repo supports `x86_64-linux` and (theorically) `aarch64-linux`.
 Please see [our setup guide](./docs/setting-up.md) for more information on how
 to onboard a new user or system.
 
+For the media request stack on palatine-hill, see [the media stack guide](./docs/media-stack.md).
+
 ## For Those Interested
 
 Although we are not actively looking for new members to join in on this repo,

checks.nix

@@ -56,7 +56,9 @@ forEachSystem (
               #!/usr/bin/env ruby
 
               all
-              rule 'MD013', :tables => false
+              rule 'MD013', :tables => false, :line_length => 220
+              exclude_rule 'MD029' # ordered list items separated by blank lines
+              exclude_rule 'MD041' # YAML frontmatter triggers false positives
             '').outPath;
         };
 

docs/media-stack.md

@@ -0,0 +1,422 @@
+# Media Request Stack Setup
+
+> Note: This is AI-generated documentation and was reviewed by a maintainer.
+
+This page documents the setup needed to make media requests flow from Jellyseerr to the Starr apps to qBittorrent and finally into a Jellyfin library.
+
+It is based on the services defined for palatine-hill in:
+
+- `systems/palatine-hill/docker/arr.nix`
+- `systems/palatine-hill/docker/torr.nix`
+- `systems/palatine-hill/postgresql.nix`
+- `systems/palatine-hill/vars.nix`
+
+The guidance here follows the same hardlink principles used by TRaSH Guides: keep downloads and library folders separate, but make sure they live on the same filesystem and appear under the same container path.
+
+## What Exists In This Repo
+
+The media-request side currently defines these containers on palatine-hill:
+
+- Jellyseerr on port `5055`
+- Prowlarr on port `9696`
+- Radarr on port `7878`
+- Sonarr on port `8989`
+- Lidarr on port `8686`
+- Bazarr on port `6767`
+- qBittorrent variants in `docker/torr.nix`
+
+Related supporting details:
+
+- The Starr apps and qBittorrent both mount `/data` from `vars.primary_torr`.
+- PostgreSQL is enabled locally and used by the arr stack.
+
+Two caveats matter before expecting the flow to work:
+
+1. Jellyfin is not currently defined on palatine-hill in this repo, so this guide treats Jellyfin as the destination media server you will point at the finished library.
+2. qBittorrent is using host-exposed or gluetun-attached networking rather than `arrnet`, so the Starr apps should connect to qBittorrent through the host and published port.
+
+## Required Hardlink Layout
+
+For hardlinks and atomic moves to work reliably, these rules need to be true:
+
+- qBittorrent and the Starr apps must see the same underlying host filesystem and the same ZFS dataset.
+- qBittorrent and the Starr apps should use the same in-container prefix, ideally `/data`.
+- Downloads and the final library must be separate directories.
+- Jellyfin should only read the final media library, not the download directories.
+
+For ZFS specifically, sibling child datasets in the same pool are not enough. Hardlinks do not cross dataset boundaries, so `/data/torrents` and `/data/media` must be directories inside the same dataset.
+
+Recommended logical layout inside containers:
+
+```text
+/data
+├── torrents
+│   ├── movies
+│   ├── music
+│   └── tv
+└── media
+    ├── movies
+    ├── music
+    └── tv
+```
+
+This repo draft uses one shared host root from `vars.primary_torr` and mounts that as `/data` for qBittorrent, Radarr, Sonarr, Lidarr, Bazarr, Unpackerr, and Notifiarr.
+
+### What Matters
+
+The exact host path is less important than this invariant:
+
+```text
+same host filesystem + same container path prefix + separate downloads/media folders
+```
+
+If you split torrents and media across different datasets, imports may still be made to work with copies or path fixes, but hardlinks and instant moves will not be dependable.
+
+## Suggested Host Layout
+
+Once you choose a shared host root, create a structure like this beneath it:
+
+```text
+data/
+├── torrents/
+│   ├── movies/
+│   ├── music/
+│   └── tv/
+└── media/
+    ├── movies/
+    ├── music/
+    └── tv/
+```
+
+In this repo draft, the shared host root is `vars.primary_torr`, with container mounts set to `"${vars.primary_torr}/data:/data"`.
+
+The matching container paths should then be:
+
+- qBittorrent download root: `/data/torrents`
+- Radarr root folder: `/data/media/movies`
+- Sonarr root folder: `/data/media/tv`
+- Lidarr root folder: `/data/media/music`
+- Jellyfin library roots: `/data/media/movies`, `/data/media/tv`, `/data/media/music`
+
+Do not point any Starr app root folder at `/data/torrents`.
+
+## Service Roles
+
+### Jellyseerr
+
+Jellyseerr is the user-facing request layer. It should:
+
+- connect to Jellyfin for users, authentication, and media availability
+- connect to Radarr for movies
+- connect to Sonarr for series
+
+Jellyseerr does not talk directly to qBittorrent for normal request flow.
+
+### Prowlarr Values
+
+Prowlarr should be the single source of indexers. Configure indexers there, then sync them to:
+
+- Radarr
+- Sonarr
+- Lidarr
+
+This avoids duplicating indexer setup in every Starr app.
+
+### Radarr, Sonarr, Lidarr
+
+These apps should:
+
+- receive requests from Jellyseerr
+- search indexers via Prowlarr
+- send downloads to qBittorrent
+- import completed downloads from `/data/torrents/...` into `/data/media/...`
+
+### qBittorrent
+
+qBittorrent should only download into `/data/torrents/...` and should not write directly into `/data/media/...`.
+
+### Jellyfin
+
+Jellyfin should only read the final library under `/data/media/...`.
+
+## Configuration Order
+
+Set the stack up in this order:
+
+1. Shared path layout
+2. qBittorrent
+3. Prowlarr
+4. Radarr, Sonarr, Lidarr
+5. Jellyfin
+6. Jellyseerr
+7. Bazarr
+
+That order keeps each layer pointing at services that already exist.
+
+## qBittorrent Setup
+
+The repo defines these Web UI ports:
+
+- `8082` for `qbit`
+- `8081` for `qbitVPN`
+- `8083` for `qbitPerm`
+
+Choose one instance for the Starr apps to use and keep that consistent.
+
+Recommended qBittorrent settings:
+
+- Default save path: `/data/torrents`
+- Category mode: enabled
+- Automatic torrent management: enabled
+- Incomplete directory: optional, but avoid a different filesystem if you want cheap moves
+- Listening port: use the instance-specific torrent port if applicable
+
+Recommended categories:
+
+- `radarr` -> `/data/torrents/movies`
+- `sonarr` -> `/data/torrents/tv`
+- `lidarr` -> `/data/torrents/music`
+
+This matches the TRaSH pattern and keeps imports predictable.
+
+## Prowlarr Setup
+
+In Prowlarr:
+
+1. Add your indexers.
+2. Add app connections for Radarr, Sonarr, and Lidarr.
+3. Sync indexers from Prowlarr into each Starr app.
+
+Use the container hostnames from the repo when apps share the `arrnet` network:
+
+- `http://radarr:7878`
+- `http://sonarr:8989`
+- `http://lidarr:8686`
+
+If you are configuring through host-exposed ports in a browser from outside Docker, use the server host and published ports instead.
+
+## Radarr Setup
+
+In Radarr:
+
+1. Add a root folder: `/data/media/movies`
+2. Add qBittorrent as the download client
+3. Set the category to `radarr`
+4. Prefer completed download handling on
+5. Do not use a movie root inside the downloads tree
+
+For qBittorrent, use the chosen instance endpoint.
+
+Examples:
+
+- preferred for this repo draft: `http://<server>:8082`
+- VPN-backed alternative if you intentionally use that instance: `http://<server>:8081`
+
+The important part is that the path qBittorrent writes must still be visible to Radarr as `/data/torrents/movies`.
+
+## Sonarr Setup
+
+In Sonarr:
+
+1. Add a root folder: `/data/media/tv`
+2. Add qBittorrent as the download client
+3. Set the category to `sonarr`
+4. Enable completed download handling
+
+Keep the same shared-path rule: Sonarr must be able to see qBittorrent output directly at `/data/torrents/tv`.
+
+## Lidarr Setup
+
+In Lidarr:
+
+1. Add a root folder: `/data/media/music`
+2. Add qBittorrent as the download client
+3. Set the category to `lidarr`
+4. Enable completed download handling
+
+## Jellyfin Setup
+
+Jellyfin should be pointed only at the final library paths:
+
+- Movies: `/data/media/movies`
+- TV: `/data/media/tv`
+- Music: `/data/media/music`
+
+Do not add `/data/torrents` as a Jellyfin library.
+
+If Jellyfin runs in Docker, mount only the media sub-tree if you want a tighter boundary:
+
+- `host-shared-root/media:/data/media`
+
+If Jellyfin runs directly on the host, point it at the equivalent host paths.
+
+## Jellyseerr Setup
+
+Jellyseerr in this repo runs on port `5055` and joins both `arrnet` and `haproxy-net`.
+
+Configure it with:
+
+1. Jellyfin server URL
+2. Jellyfin API key
+3. Radarr server URL and API key
+4. Sonarr server URL and API key
+
+Suggested internal URLs when services share `arrnet`:
+
+- Radarr: `http://radarr:7878`
+- Sonarr: `http://sonarr:8989`
+
+Jellyseerr request defaults should map:
+
+- Movies -> Radarr root `/data/media/movies`
+- Series -> Sonarr root `/data/media/tv`
+
+After that, user flow is:
+
+1. User requests media in Jellyseerr
+2. Jellyseerr hands the request to Radarr or Sonarr
+3. The Starr app searches via Prowlarr indexers
+4. The Starr app sends the download to qBittorrent with its category
+5. qBittorrent writes into `/data/torrents/...`
+6. The Starr app imports into `/data/media/...`
+7. Jellyfin scans or detects the new item in the final library
+
+## Bazarr Setup
+
+Bazarr is optional for the request-to-library path, but it fits after Radarr and Sonarr are stable.
+
+Point Bazarr at:
+
+- Radarr
+- Sonarr
+- the final media library visible under `/data/media`
+
+It does not need the download tree for ordinary subtitle management.
+
+## Remote Path Mappings
+
+If you align the mounts properly, you should not need remote path mappings.
+
+That is the preferred setup.
+
+Only use remote path mappings if the downloader and the importing app see different absolute paths for the same files.
+In a Docker-only setup with shared `/data`, that is a sign the mounts are wrong rather than a feature you should rely on.
+
+## ZFS Notes
+
+For a hardlink-safe media layout on ZFS:
+
+- Keep `/data/torrents` and `/data/media` in the same dataset.
+- Do not split them into separate child datasets if you want hardlinks.
+- It is fine to keep qBittorrent config, Jellyfin metadata, and other appdata in separate datasets because those do not need hardlinks with payload files.
+
+For `ZFS-primary/torr`, a better baseline for bulk media than a small-record, high-compression profile is:
+
+- `recordsize=1M`
+- `compression=zstd-3` or `lz4`
+- `sync=standard`
+- `logbias=throughput`
+- `primarycache=metadata`
+- `dnodesize=auto`
+
+These are new-write behavior settings. `recordsize` only affects newly written data.
+
+## Repo-Specific Notes
+
+- Arr containers use `PUID=600` and `PGID=100`.
+- qBittorrent containers also use `PUID=600` and `PGID=100`.
+- The arr stack uses the local PostgreSQL service via `/var/run/postgresql`.
+- `jellyseerr` stores config under `${vars.primary_docker}/overseerr` even though the container is Jellyseerr.
+- The hardlink draft in this repo chooses `vars.primary_torr` as the shared `/data` root.
+
+- `systems/palatine-hill/docker/default.nix` imports `torr.nix`, so the downloader stack is part of the host configuration.
+
+## Deployment Checklist (Exact Values)
+
+Use this checklist when configuring the stack so every app matches the current draft.
+
+### Shared Paths
+
+- Shared container path for arr + downloader: `/data`
+- Download root: `/data/torrents`
+- Media roots:
+- Movies: `/data/media/movies`
+- TV: `/data/media/tv`
+- Music: `/data/media/music`
+
+### qBittorrent (Primary Instance)
+
+- Web UI URL for Starr apps: `http://<server>:8082`
+- Web UI port: `8082`
+- Torrent port: `29432` (TCP/UDP)
+- Default save path: `/data/torrents`
+- Category save-path mode: enabled
+- Automatic torrent management: enabled
+
+Category paths:
+
+- `radarr` -> `/data/torrents/movies`
+- `sonarr` -> `/data/torrents/tv`
+- `lidarr` -> `/data/torrents/music`
+
+### Radarr
+
+- URL: `http://radarr:7878` (inside arr network)
+- Root folder: `/data/media/movies`
+- Download client: qBittorrent at `http://<server>:8082`
+- qBittorrent category: `radarr`
+- Completed download handling: enabled
+
+### Sonarr
+
+- URL: `http://sonarr:8989` (inside arr network)
+- Root folder: `/data/media/tv`
+- Download client: qBittorrent at `http://<server>:8082`
+- qBittorrent category: `sonarr`
+- Completed download handling: enabled
+
+### Lidarr
+
+- URL: `http://lidarr:8686` (inside arr network)
+- Root folder: `/data/media/music`
+- Download client: qBittorrent at `http://<server>:8082`
+- qBittorrent category: `lidarr`
+- Completed download handling: enabled
+
+### Prowlarr
+
+- URL: `http://prowlarr:9696` (inside arr network)
+- App sync targets:
+- `http://radarr:7878`
+- `http://sonarr:8989`
+- `http://lidarr:8686`
+
+### Jellyseerr Values
+
+- URL: `http://jellyseerr:5055` (internal) or via your reverse proxy externally
+- Radarr target: `http://radarr:7878`
+- Sonarr target: `http://sonarr:8989`
+- Request defaults:
+- Movies root: `/data/media/movies`
+- Series root: `/data/media/tv`
+
+### Jellyfin Values
+
+- Library roots only:
+- `/data/media/movies`
+- `/data/media/tv`
+- `/data/media/music`
+- Do not add `/data/torrents` as a library.
+
+## Validation Checklist
+
+Use this after setup:
+
+1. qBittorrent can create files in `/data/torrents/movies`, `/data/torrents/tv`, and `/data/torrents/music`.
+2. Radarr, Sonarr, and Lidarr can browse both `/data/torrents/...` and `/data/media/...`.
+3. A test download lands in the expected category folder.
+4. The corresponding Starr app imports the item into `/data/media/...` without copy-delete behavior.
+5. Jellyfin can see the imported file in the final library.
+6. Jellyseerr shows the item as available after import and scan.
+
+If imports fail or hardlinks do not work, check the mount design before changing app logic.

flake.lock

@@ -76,11 +76,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1770437015,
-        "narHash": "sha256-+FHN9EthS+kHxnMoSDZEiGLoxwiIuij6ltK3aTmlLMA=",
+        "lastModified": 1775534587,
+        "narHash": "sha256-OLAoGTTwPVTH13C1e2Vcdff4WigTsk6hO5Y3sEcwl/s=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "65d59f814068d04e532cad2773d281e4951acd95",
+        "rev": "9f1e4b7f5443c50cb4ccc2a376ba1058231e64b4",
         "type": "gitlab"
       },
       "original": {
@@ -93,11 +93,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1764873433,
-        "narHash": "sha256-1XPewtGMi+9wN9Ispoluxunw/RwozuTRVuuQOmxzt+A=",
+        "lastModified": 1775176642,
+        "narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "f7ffd917ac0d253dbd6a3bf3da06888f57c69f92",
+        "rev": "179704030c5286c729b5b0522037d1d51341022c",
         "type": "github"
       },
       "original": {
@@ -125,11 +125,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1769996383,
-        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
         "type": "github"
       },
       "original": {
@@ -146,11 +146,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767609335,
-        "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "250481aafeb741edfe23d29195671c19b36b6dca",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
         "type": "github"
       },
       "original": {
@@ -219,20 +219,18 @@
     "gnome-shell": {
       "flake": false,
       "locked": {
-        "host": "gitlab.gnome.org",
         "lastModified": 1767737596,
         "narHash": "sha256-eFujfIUQDgWnSJBablOuG+32hCai192yRdrNHTv0a+s=",
         "owner": "GNOME",
         "repo": "gnome-shell",
         "rev": "ef02db02bf0ff342734d525b5767814770d85b49",
-        "type": "gitlab"
+        "type": "github"
       },
       "original": {
-        "host": "gitlab.gnome.org",
         "owner": "GNOME",
-        "ref": "gnome-49",
         "repo": "gnome-shell",
-        "type": "gitlab"
+        "rev": "ef02db02bf0ff342734d525b5767814770d85b49",
+        "type": "github"
       }
     },
     "home-manager": {
@@ -242,11 +240,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770491427,
-        "narHash": "sha256-8b+0vixdqGnIIcgsPhjdX7EGPdzcVQqYxF+ujjex654=",
+        "lastModified": 1775556024,
+        "narHash": "sha256-j1u/859OVS54rGlsvFqJdwKPEnFYCI+4pyfTiSfv1Xc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "cbd8a72e5fe6af19d40e2741dc440d9227836860",
+        "rev": "4bdfeff1d9b7473e6e58f73f5809576e8a69e406",
         "type": "github"
       },
       "original": {
@@ -283,11 +281,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768426687,
-        "narHash": "sha256-CopNx3j//gZ2mE0ggEK9dZ474UcbDhpTw+KMor8mSxI=",
+        "lastModified": 1774778246,
+        "narHash": "sha256-OX9Oba3/cHq1jMS1/ItCdxNuRBH3291Lg727nHOzYnc=",
         "owner": "hyprwm",
         "repo": "contrib",
-        "rev": "541628cebe42792ddf5063c4abd6402c2f1bd68f",
+        "rev": "ca3c381df6018e6c400ceac994066427c98fe323",
         "type": "github"
       },
       "original": {
@@ -337,11 +335,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770315571,
-        "narHash": "sha256-hy0gcAgAcxrnSWKGuNO+Ob0x6jQ2xkR6hoaR0qJBHYs=",
+        "lastModified": 1775365369,
+        "narHash": "sha256-DgH5mveLoau20CuTnaU5RXZWgFQWn56onQ4Du2CqYoI=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "2684bb8080a6f2ca5f9d494de5ef875bc1c4ecdb",
+        "rev": "cef5cf82671e749ac87d69aadecbb75967e6f6c3",
         "type": "github"
       },
       "original": {
@@ -417,11 +415,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1769302137,
-        "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
+        "lastModified": 1775490113,
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
         "type": "github"
       },
       "original": {
@@ -440,11 +438,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769643685,
-        "narHash": "sha256-F0Ey/SpMah0BRsz9hWNb89NMS4kvF9Q1Ex2EciWJzzM=",
+        "lastModified": 1775331627,
+        "narHash": "sha256-przIxCbTrNgLzcBlNPGZRfZbiPLzUkLUtNS05Ekcogk=",
         "owner": "NuschtOS",
         "repo": "nixos-modules",
-        "rev": "4a2307f709f3abab9935dc8c455212fdcbe13795",
+        "rev": "b4cc33254b872b286b9fe481e60e3fc2abc78072",
         "type": "github"
       },
       "original": {
@@ -471,11 +469,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1769909678,
-        "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=",
+        "lastModified": 1774748309,
+        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "72716169fe93074c333e8d0173151350670b824c",
+        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
         "type": "github"
       },
       "original": {
@@ -502,11 +500,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1770197578,
-        "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
+        "lastModified": 1775423009,
+        "narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
+        "rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9",
         "type": "github"
       },
       "original": {
@@ -528,11 +526,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767810917,
-        "narHash": "sha256-ZKqhk772+v/bujjhla9VABwcvz+hB2IaRyeLT6CFnT0=",
+        "lastModified": 1775228139,
+        "narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "dead29c804adc928d3a69dfe7f9f12d0eec1f1a4",
+        "rev": "601971b9c89e0304561977f2c28fa25e73aa7132",
         "type": "github"
       },
       "original": {
@@ -552,11 +550,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769939035,
-        "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
+        "lastModified": 1775036584,
+        "narHash": "sha256-zW0lyy7ZNNT/x8JhzFHBsP2IPx7ATZIPai4FJj12BgU=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "a8ca480175326551d6c4121498316261cbb5b260",
+        "rev": "4e0eb042b67d863b1b34b3f64d52ceb9cd926735",
         "type": "github"
       },
       "original": {
@@ -596,11 +594,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770520253,
-        "narHash": "sha256-6rWuHgSENXKnC6HGGAdRolQrnp/8IzscDn7FQEo1uEQ=",
+        "lastModified": 1775531562,
+        "narHash": "sha256-G83GDxQo6lqO5aeTSD5RFLhnh2g6DzJpSvSju2EjjrQ=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "ebb8a141f60bb0ec33836333e0ca7928a072217f",
+        "rev": "d8b1b209203665924c81eabf750492530754f27e",
         "type": "github"
       },
       "original": {
@@ -616,11 +614,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770526836,
-        "narHash": "sha256-xbvX5Ik+0inJcLJtJ/AajAt7xCk6FOCrm5ogpwwvVDg=",
+        "lastModified": 1775365543,
+        "narHash": "sha256-f50qrK0WwZ9z5EdaMGWOTtALgSF7yb7XwuE7LjCuDmw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d6e0e666048a5395d6ea4283143b7c9ac704720d",
+        "rev": "a4ee2de76efb759fe8d4868c33dec9937897916f",
         "type": "github"
       },
       "original": {
@@ -643,18 +641,17 @@
         ],
         "nur": "nur",
         "systems": "systems",
-        "tinted-foot": "tinted-foot",
         "tinted-kitty": "tinted-kitty",
         "tinted-schemes": "tinted-schemes",
         "tinted-tmux": "tinted-tmux",
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1770504996,
-        "narHash": "sha256-CjgGVXmYuEqx9rT4o1EKZVhacp6TuwZRicmaekkSvfE=",
+        "lastModified": 1775429060,
+        "narHash": "sha256-wbFF5cRxQOCzL/wHOKYm21t5AHPH2Lfp0mVPCOAvEoc=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "044ac0cc6d914f1dac22a728013bc3797f77cfab",
+        "rev": "d27951a6539951d87f75cf0a7cda8a3a24016019",
         "type": "github"
       },
       "original": {
@@ -693,23 +690,6 @@
         "type": "github"
       }
     },
-    "tinted-foot": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1726913040,
-        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
-        "owner": "tinted-theming",
-        "repo": "tinted-foot",
-        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "tinted-theming",
-        "repo": "tinted-foot",
-        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
-        "type": "github"
-      }
-    },
     "tinted-kitty": {
       "flake": false,
       "locked": {
@@ -729,11 +709,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1767710407,
-        "narHash": "sha256-+W1EB79Jl0/gm4JqmO0Nuc5C7hRdp4vfsV/VdzI+des=",
+        "lastModified": 1772661346,
+        "narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "2800e2b8ac90f678d7e4acebe4fa253f602e05b2",
+        "rev": "13b5b0c299982bb361039601e2d72587d6846294",
         "type": "github"
       },
       "original": {
@@ -745,11 +725,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1767489635,
-        "narHash": "sha256-e6nnFnWXKBCJjCv4QG4bbcouJ6y3yeT70V9MofL32lU=",
+        "lastModified": 1772934010,
+        "narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "3c32729ccae99be44fe8a125d20be06f8d7d8184",
+        "rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d",
         "type": "github"
       },
       "original": {
@@ -761,11 +741,11 @@
     "tinted-zed": {
       "flake": false,
       "locked": {
-        "lastModified": 1767488740,
-        "narHash": "sha256-wVOj0qyil8m+ouSsVZcNjl5ZR+1GdOOAooAatQXHbuU=",
+        "lastModified": 1772909925,
+        "narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=",
         "owner": "tinted-theming",
         "repo": "base16-zed",
-        "rev": "11abb0b282ad3786a2aae088d3a01c60916f2e40",
+        "rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df",
         "type": "github"
       },
       "original": {
@@ -787,11 +767,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765936672,
-        "narHash": "sha256-wxkeSF0/3FI0HSBKhZ2mlAAmFviNrZzdhjHqTfWP6h0=",
+        "lastModified": 1775531246,
+        "narHash": "sha256-sbVYa4TS2Q1pkSjs8CvHsPGYFM5w4d9od4ltzIGV/bA=",
         "owner": "Toqozz",
         "repo": "wired-notify",
-        "rev": "491197a6a5ef9c65a85c3eb1531786f32ffff5b3",
+        "rev": "4fd4283803f198302af1a6a75b2225568004b343",
         "type": "github"
       },
       "original": {

modules/fwupd.nix

@@ -0,0 +1,5 @@
+{ lib, ... }:
+
+{
+  services.fwupd.enable = lib.mkDefault true;
+}

modules/kubernetes.nix

@@ -0,0 +1,78 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+{
+  options = {
+    services.kubernetes = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether to enable Kubernetes services";
+      };
+
+      version = lib.mkOption {
+        type = lib.types.str;
+        default = "1.28.0";
+        description = "Kubernetes version to use";
+      };
+
+      clusterName = lib.mkOption {
+        type = lib.types.str;
+        default = "palatine-hill-cluster";
+        description = "Name of the Kubernetes cluster";
+      };
+
+      controlPlaneEndpoint = lib.mkOption {
+        type = lib.types.str;
+        default = "localhost:6443";
+        description = "Control plane endpoint";
+      };
+
+      networking = lib.mkOption {
+        type = lib.types.attrs;
+        default = { };
+        description = "Kubernetes networking configuration";
+      };
+    };
+  };
+
+  config = lib.mkIf config.services.kubernetes.enable {
+    environment.systemPackages = with pkgs; [
+      kubectl
+      kubernetes
+    ];
+
+    ## Enable containerd for Kubernetes
+    #virtualisation.containerd.enable = true;
+
+    ## Enable kubelet
+    #services.kubelet = {
+    #  enable = true;
+    #  extraFlags = {
+    #    "pod-infra-container-image" = "registry.k8s.io/pause:3.9";
+    #  };
+    #};
+
+    ## Enable kubeadm for cluster initialization
+    #environment.etc."kubeadm.yaml".text = ''
+    #  apiVersion: kubeadm.k8s.io/v1beta3
+    #  kind: InitConfiguration
+    #  localAPIEndpoint:
+    #    advertiseAddress: 127.0.0.1
+    #    bindPort: 6443
+    #  ---
+    #  apiVersion: kubeadm.k8s.io/v1beta3
+    #  kind: ClusterConfiguration
+    #  clusterName: ${config.services.kubernetes.clusterName}
+    #  controlPlaneEndpoint: ${config.services.kubernetes.controlPlaneEndpoint}
+    #  networking:
+    #    serviceSubnet: 10.96.0.0/12
+    #    podSubnet: 10.244.0.0/16
+    #    dnsDomain: cluster.local
+    #'';
+  };
+}

modules/programs.nix

@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = with pkgs; [
-    git
-    python312
-  ];
-}

systems/artemision/configuration.nix

@@ -1,7 +1,7 @@
 {
-  config,
   lib,
   pkgs,
+  config,
   ...
 }:
 {
@@ -18,6 +18,7 @@
     ./stylix.nix
     ./wifi.nix
     ./zerotier.nix
+    ../palatine-hill/ollama.nix
   ];
 
   time.timeZone = "America/New_York";
@@ -40,6 +41,19 @@
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
   services = {
+    ollama = {
+      package = lib.mkForce pkgs.ollama-rocm;
+      models = lib.mkForce "${config.services.ollama.home}/models";
+      loadModels = lib.mkForce [
+        "deepseek-r1:1.5b"
+        "lennyerik/zeta"
+        "nomic-embed-text:latest"
+        "glm-4.7-flash"
+        "magistral"
+        "devstral-small-2"
+        "starcoder2:7b"
+      ];
+    };
     flatpak.enable = true;
     calibre-web = {
       # temp disable this
@@ -78,7 +92,9 @@
     };
   };
 
-  users.users.alice.extraGroups = [ "calibre-web" ];
+  users.users = {
+    alice.extraGroups = [ "calibre-web" ];
+  };
 
   system.stateVersion = "24.05";
 
@@ -86,6 +102,10 @@
     "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
   };
 
+  #nixpkgs.config = {
+  #  rocmSupport = true;
+  #};
+
   sops = {
     defaultSopsFile = ./secrets.yaml;
     #secrets = {

systems/artemision/programs.nix

@@ -16,6 +16,7 @@
     candy-icons
     chromium
     chromedriver
+    #claude-code
     croc
     deadnix
     direnv
@@ -26,20 +27,16 @@
     fd
     file
     firefox
+
     # gestures replacement
     git
     glances
     gpu-viewer
     grim
-    helvum
     htop
     hwloc
-    ipmiview
     iperf3
     # ipscan
-    javaPackages.compiler.temurin-bin.jdk-25
-    javaPackages.compiler.temurin-bin.jdk-21
-    javaPackages.compiler.temurin-bin.jdk-17
     jp2a
     jq
     kdePackages.kdenlive
@@ -85,8 +82,6 @@
     # signal in tray?
     siji
     simple-mtpfs
-    skaffold
-    slack
     slurp
     smartmontools
     snyk

systems/artemision/stylix.nix

@@ -1,10 +1,4 @@
 { pkgs, ... }:
-# let
-# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
-#   numWallpapers =
-#   $((1 + $RANDOM % 10))
-
-# in
 {
   stylix = {
     enable = true;

systems/palatine-hill/configuration.nix

@@ -14,6 +14,7 @@
     ./haproxy
     ./hardware-changes.nix
     ./hydra.nix
+    ./mattermost.nix
     ./minio.nix
     ./networking.nix
     ./nextcloud.nix
@@ -33,8 +34,7 @@
     loader.grub.device = "/dev/sda";
     useSystemdBoot = true;
     kernelParams = [
-      "i915.force_probe=56a5"
-      "i915.enable_guc=2"
+      "xe.force_probe=56a5"
     ];
     kernel.sysctl = {
       "vm.overcommit_memory" = lib.mkForce 1;

systems/palatine-hill/docker/arr.nix

@@ -5,6 +5,7 @@
 }:
 let
   vars = import ../vars.nix;
+  shared_data_path = "${vars.primary_torr}/data";
   arr_postgres_config =
     container_type:
     let
@@ -62,7 +63,7 @@ in
       ];
       volumes = [
         "${vars.primary_docker}/bazarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
@@ -110,7 +111,7 @@ in
       ];
       volumes = [
         "${vars.primary_docker}/radarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
@@ -134,7 +135,7 @@ in
       ];
       volumes = [
         "${vars.primary_docker}/sonarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
@@ -158,7 +159,7 @@ in
       ];
       volumes = [
         "${vars.primary_docker}/lidarr:/config"
-        "${vars.primary_plex_storage}/data:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
@@ -176,7 +177,7 @@ in
       };
       volumes = [
         "${vars.primary_docker}/unpackerr:/config"
-        "${vars.primary_plex_storage}:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [ "--network=arrnet" ];
@@ -194,7 +195,7 @@ in
       environmentFiles = [ config.sops.secrets."docker/notifiarr".path ];
       volumes = [
         "${vars.primary_docker}/notifiarr:/config"
-        "${vars.primary_plex_storage}:/data"
+        "${shared_data_path}:/data"
         "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [ "--network=arrnet" ];

systems/palatine-hill/docker/default.nix

@@ -1,9 +1,4 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
+{ ... }:
 
 {
   imports = [

systems/palatine-hill/docker/minecraft.nix

@@ -12,6 +12,8 @@ let
     rlcraft = "rlcraft.alicehuston.xyz";
     arcanum-institute = "arcanum.alicehuston.xyz";
     meits = "meits.alicehuston.xyz";
+    cobblemon-overclocked = "mco.alicehuston.xyz";
+    cobblemon-plus = "mcp.alicehuston.xyz";
     # bcg-plus = "bcg.alicehuston.xyz";
     pii = "pii.alicehuston.xyz";
   };
@@ -79,69 +81,49 @@ in
     #  log-driver = "local";
     #  environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
     #};
-    prominence-ii = {
-      image = "itzg/minecraft-server:java25-graalvm";
+    cobblemon-overclocked = {
+      image = "itzg/minecraft-server:java21";
       volumes = [
-        "${minecraft_path}/prominence-ii/modpacks:/modpacks:ro"
-        "${minecraft_path}/prominence-ii/data:/data"
+        "${minecraft_path}/cobblemon-overclocked/modpacks:/modpacks:ro"
+        "${minecraft_path}/cobblemon-overclocked/data:/data"
       ];
-      hostname = "pii";
+      hostname = "cobblemon-overclocked";
       environment = defaultEnv // {
-        VERSION = "1.20.1";
-        CF_SLUG = "prominence-2-hasturian-era";
-        CF_FILENAME_MATCHER = "3.9.14hf";
-        MEMORY = "8G";
+        VERSION = "1.21.1";
+        CF_SLUG = "modified-cobblemon-overclocked";
+        CF_FILENAME_MATCHER = "1.11.2";
         USE_AIKAR_FLAGS = "false";
         USE_MEOWICE_FLAGS = "true";
-        USE_MEOWICE_GRAALVM_FLAGS = "true";
-        DIFFICULTY = "hard";
+        DIFFICULTY = "normal";
         ENABLE_COMMAND_BLOCK = "true";
-        CF_FORCE_INCLUDE_FILES = ''
-          emi
-        '';
+        INIT_MEMORY = "4G";
+        MAX_MEMORY = "16G";
+        SEED = "-7146406535839057559";
       };
       extraOptions = defaultOptions;
       log-driver = "local";
       environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
     };
-    stoneblock-4 = {
-      image = "itzg/minecraft-server:java25-graalvm";
+    cobblemon-plus = {
+      image = "itzg/minecraft-server:java21";
       volumes = [
-        "${minecraft_path}/stoneblock-4/modpacks:/modpacks:ro"
-        "${minecraft_path}/stoneblock-4/data:/data"
+        "${minecraft_path}/cobblemon-plus/modpacks:/modpacks:ro"
+        "${minecraft_path}/cobblemon-plus/data:/data"
       ];
-      hostname = "stoneblock-4";
+      hostname = "cobblemon-plus";
       environment = defaultEnv // {
         VERSION = "1.21.1";
-        CF_SLUG = "ftb-stoneblock-4";
-        CF_FILENAME_MATCHER = "1.6.0";
-        MEMORY = "8G";
+        CF_SLUG = "modified-cobblemon-plus";
+        CF_FILENAME_MATCHER = "1.11.2";
         USE_AIKAR_FLAGS = "false";
         USE_MEOWICE_FLAGS = "true";
-        USE_MEOWICE_GRAALVM_FLAGS = "true";
-        DIFFICULTY = "hard";
-        ENABLE_COMMAND_BLOCK = "true";
-      };
-      extraOptions = defaultOptions;
-      log-driver = "local";
-      environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
-    };
-    submerged-2 = {
-      image = "itzg/minecraft-server:java25-graalvm";
-      volumes = [
-        "${minecraft_path}/submerged-2/modpacks:/modpacks:ro"
-        "${minecraft_path}/submerged-2/data:/data"
-      ];
-      hostname = "submerged-2";
-      environment = defaultEnv // {
-        VERSION = "1.21.1";
-        CF_SLUG = "submerged-2";
-        CF_FILENAME_MATCHER = "B6.1";
-        USE_AIKAR_FLAGS = "false";
-        USE_MEOWICE_FLAGS = "true";
-        USE_MEOWICE_GRAALVM_FLAGS = "true";
-        DIFFICULTY = "hard";
+        DIFFICULTY = "peaceful";
         ENABLE_COMMAND_BLOCK = "true";
+        INIT_MEMORY = "4G";
+        MAX_MEMORY = "16G";
+        # exclude clientside mods that cause crashes when run in a headless environment
+        CF_EXCLUDE_MODS = "world-host";
+        CF_OVERRIDES_EXCLUSIONS = "mods/iris*.jar,mods/sodium*.jar,mods/world-host-*.jar";
       };
       extraOptions = defaultOptions;
       log-driver = "local";

systems/palatine-hill/docker/nextcloud.nix

@@ -58,6 +58,7 @@ in
       volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ];
       extraOptions = [
         "--device=/dev/dri:/dev/dri"
+        "--network=nextcloud_default"
       ];
     };
     collabora-code = {

systems/palatine-hill/docker/torr.nix

@@ -69,6 +69,7 @@ in
       ];
       ports = [
         "8081:8081"
+        "8083:8083"
       ];
       environment = {
         TZ = "America/New_York";

systems/palatine-hill/firewall.nix

@@ -48,6 +48,9 @@
 
       # torr
       29432
+
+      # mattermost
+      8065
     ];
 
     allowedUDPPorts = [

systems/palatine-hill/hydra.nix

@@ -57,6 +57,7 @@ in
       minimumDiskFree = 50;
       minimumDiskFreeEvaluator = 100;
       extraConfig = ''
+        allow_import_from_derivation = true
         <git-input>
           timeout = 3600
         </git-input>

systems/palatine-hill/mattermost.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  ...
+}:
+let
+  vars = import ./vars.nix;
+in
+{
+  services.mattermost = {
+    enable = true;
+    siteUrl = "https://mattermost.nayeonie.com"; # Set this to the URL you will be hosting the site on.
+    database = {
+      peerAuth = true; # This allows Mattermost to connect to the database without a password, which is more secure when both are on the same machine.
+      create = true;
+      driver = "postgres";
+    };
+    dataDir = "${vars.primary_mattermost}/mattermost";
+    host = "0.0.0.0";
+  };
+}

systems/palatine-hill/ollama.nix

@@ -0,0 +1,77 @@
+{
+  pkgs,
+  ...
+}:
+let
+  vars = import ./vars.nix;
+in
+{
+  services = {
+    ollama = {
+      enable = true;
+      package = pkgs.ollama;
+      syncModels = true;
+      loadModels = [
+        "deepseek-r1:1.5b"
+        "deepseek-r1:32b"
+        "deepseek-r1:70b"
+        #"qwen3"
+        #"qwen3.5:latest"
+        "qwen3-coder-next"
+        "lennyerik/zeta"
+        "nomic-embed-text:latest"
+        "lfm2:24b"
+        "glm-4.7-flash"
+        "nemotron-cascade-2:30b"
+        "magistral"
+        "devstral-small-2"
+        "starcoder2:15b"
+      ];
+      models = vars.primary_ollama;
+      environmentVariables = {
+        FLASH_ATTENTION = "1";
+        OLLAMA_KV_CACHE_TYPE = "q4_0";
+        # Ollama memory configuration
+        OLLAMA_MAX_LOADED_MODELS = "3";
+        OLLAMA_MAX_QUEUE = "512";
+        OLLAMA_NUM_PARALLEL = "1";
+
+        # ROCm memory optimization
+        #HIP_VISIBLE_DEVICES = "0";
+        #ROCR_VISIBLE_DEVICES = "0";
+
+        # context length for agents
+        OLLAMA_CONTEXT_LENGTH = "128000";
+      };
+      openFirewall = true;
+      host = "0.0.0.0"; # don't want to make this available via load-balancer yet, so making it available on the local network
+    };
+    open-webui = {
+      enable = true;
+      port = 21212;
+      openFirewall = true;
+      host = "0.0.0.0"; # don't want to make this available via load-balancer yet, so making it available on the local network
+    };
+  };
+  users.users.ollama = {
+    extraGroups = [
+      "render"
+      "video"
+    ];
+    group = "ollama";
+    isSystemUser = true;
+  };
+  users.groups.ollama = { };
+  systemd.services = {
+    ollama.serviceConfig = {
+      Nice = 19;
+      IOSchedulingPriority = 7;
+    };
+    ollama-model-loader.serviceConfig = {
+      Nice = 19;
+      CPUWeight = 50;
+      IOSchedulingClass = "idle";
+      IOSchedulingPriority = 7;
+    };
+  };
+}

systems/palatine-hill/postgresql.nix

@@ -40,6 +40,7 @@ in
       ensureDatabases = [
         "atticd"
         "alice"
+        "mattermost"
       ];
       ensureUsers = [
         {
@@ -171,6 +172,7 @@ in
           "hydra-server"
           "atticd"
           "gitea"
+          "mattermost"
         ];
       };
     };

systems/palatine-hill/secrets.yaml

@@ -32,9 +32,9 @@ docker:
     sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
     lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
     jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
-    gluetun: ENC[AES256_GCM,data:PV6SWwKfpC77fVvF9Pss8WFgLVA569h3PR9wLw6BkcNXKNA301qttV160FR5SeeNrvX1UtF3r4OclJ2ja0EXeiRRUXE/tHhY7aosAZoF7mwea+BcgQagwBqfP0LRMni/cKWP8UKnhyEXYt8aR0JfYCqEf+XcjX+9cljPnb7/OpmcDe0XmNYI2I2fKAmKjjKbbxX1o51P1N5gSWwKb/6FTeEaKI1k0JgCS8HcEnl1pzuMUA1bk18y7PTNhSSJWOBoovnShDYo/8/nJJN8qXFbdlC+NQfRMe9s8rkZPnHVEzLQVHxCgrYEDZCrjLydc0FTFqeb4eOhekCWkjsoK0HEYc28sa65LHhJ5t4U/tB5iIyWGSQAaqjH0wnAniqaCPpxJ1Se7aPiQlKvYYJjM7T8ZK3tQsRJzuD7NRF9/kZuLPgOV3ZtIAO4haI=,iv:UmXk+/QSeSdgtqwNTumWbu2vq8Blehc3wKWMTK1g+g8=,tag:a0v7YLBAfEkG9FBpSoZRGQ==,type:str]
-    gluetun-qbitvpn: ENC[AES256_GCM,data:2K39qItMm27Tso3jyYsju8kZwfeJGLKCLnuMbjnfvHtRuOzeFgBDmGHOPdNo6uw8W5XUEqlPVf2exp60S5xjEwNsoRNlPCtm5848yVtvgODcrU3icZ99GW/3qO5pO9r9VlTPQ15j9XhyYS0HpmBF7EzjLND/ph86MqfG4+v1R685i99+9uRmQwa+Z3ueEQ23DWdZMwyu8F2Vspz4MIMUA1hvJvgVOgGV7aNNKX3bbwu9w3wS+DlRgQk2NzON2SzK0pFRSfTgCQDSPQviZrdsn87k8s64X0XkhyJ4mSxtsyMPE6YYI0zlbL8TX2LO4r+iqGHrEiT8BezAKsCk1fOk+7WceHKbaQ6DBegG/iIq5EkZdIKcEWdLaeWxT1hXiMYeaF7+U+7iW8I7CDw3VT/n574HJFhljDfwwIw9KB3LGgKP7EB7fhzxqjfwl/RQWd4O5sNeTWdXDno/8Kh23hE3gvXaL+HuBOsMfE2qz7sQsRHuwGSjoHD1kD4CO8Ttyi72tZFp4z6//3rII/ZsvLvVjzu4BHi3elorcPIRRQQL0PhgHFufspcm9Plyt9GOSglHglKFNIb4DRyWlu8XPAhXYYjUD7023QmB7/s/Garq6LE6zCd9ctqX4uOPTz1eNL5nC6kfmvf+,iv:niYMaxvUFf3WAC4lfp/+RNZcVB/23bbBW1zTt6ckVpA=,tag:SR0pvk2PqZwDgPFqEuNAjw==,type:str]
-    gluetun-qbitperm: ENC[AES256_GCM,data:+qTTbkuTVANLyUlD8QWedt8+yV0kUcAc7354RxhfV15Vedjxpx5wtw2+kvWXi4KAP2udEbq1hssWBY6SsLQb50QD7S8pcsqh73m0mDmLYLXzDSU+8YXXFjPL8Jgndpz755W7n50rzLmKPSzfZADU6tj0+/kp4+V6Jv5q6fV/01liqfULhwCuqNeB4s52odbos4DjpLS0685jD1sPX3SpIg5oNwlyldXOrvQdZto1voViVRYt7LkSfPCnEuN5PzJ4HwJm5i48KrRSBLKqZ0lwjb4qbVzrN/yerCDv8o8WANL0+/aWMjsdYZgFxtc6Uk9ieRdF6+z60q0j3Y2fGabcTPeyZQx1XJZIDBRApYWEGKDApI5zffGEQs2Ji3AvaSn9IIx9v3F9fIC0J/IZm7mDYB8gecq3SvrvW3SfYAMhV334nRjquPc+1ggHO9QAt3DEBLQkVkwWW5SCYkZQvuI0U8vHsIuyuW9EDLqefT1UkvUVAgZ/8YnlRcXQvEd6mBkYxox5dfkEzRhj78OxLH+3WcvrbOMubJ26s1K8HpnLCVzpRUUXVa1pTL37SaZ0wRVmFAxSkEzuW/yCf+UFmAtTuSKz4D4Cjl2+z+Jp+PwlzptbKlWCCuVC1UdP0DP7k16rZ1SSSYEY,iv:Z4lMTlN4hBGIitRkdbzcQnngnikEf3I0DA/+8V1XsEc=,tag:C8Y19kBsHdXc05xBEiV2tQ==,type:str]
+    gluetun: ENC[AES256_GCM,data:ryhYVOYEZl5zDs+xMgbWI6q/Ei2AiNZJMxT/TcaHzTEocINgbczWk9GKeeZKno71vFXiF9/tPpYavLqvjWNL77doWDB+wiYrtBJ97PkQ70dqWntua9E8eCalYlIZpRbLsl5OA9ZHorIMPjjSB2CRYLCqq30PPi5I2TtRvs/g6LRUN4sZ/E2TTUjz7AEY7228ZEuHt1UkU+dY/jEbx6fwrm/ocP8xKvYUuAR1/Cx/z4N0mqmVl+FX/5dRSkmhpfAxO9ss898XKiJW4rewQIbG5ccYal+reZZr70TaEJQqg5KIfAnbp6dEjAsSXnRiEF801JXM0h+d14ECT4tQmdyvYBdCVnJ/Ibqw9D15cViHmeDbR68spqOCj67FSMKxgCVx4KFrxPOualsULX7RL/UbHq2cwyziSFkH4n2ljFlKohyj39F7EparJbiCOumNfhRWknDDwvXY+BjJhbAe19ccKP6QWrS68uBp0cTXqb0rVN/qlfz6Sj5EYj5M/u0rl6d5xctnKmOzfLjI2m5+E9WfDJaAUcP/Ihs+p2eD7aSQTIj+O7I66ju+UAz66D9ZoU1U3uVQ9gaPI5dOMmYdLKS3b19EVytwW2W13d0WXKIw5Vfb7MvFh9I0iPWq+ntL4jQzMYSwV5Y=,iv:Cy3h5I3vbqKORdqw91SHL4tRMeGHMLsXgQ0USJ2jtzk=,tag:0J/p1sUQfXR4ujjY7VzZuQ==,type:str]
+    gluetun-qbitvpn: ENC[AES256_GCM,data:3IdmuLvWs5YRQZuG9y1GRTMKMbR7OynUUVluezviDOV22EkABvo3Ic/+xZrWi/lzAhQRwRsCGjinlUJf7lBvPLg53HaIplbzSIyd3IPLbKzEVAK32WYB/M5cGNQW+XV8TiKK72HO8+WG588A0bsuvp/wQ86ohpRHVrnlboANLS3diCNXI3VdFIHPGpvM77TqB3/vo2AFLKjxi2es4l6KRam8cEUFAz0eH03tTUYaxy+ewA5IZCQSbMURLFKKdh0EATTG5jIz3jFp372fnk8UBgFPeH8+N9VHNM6rnV6zAsC2Vlj2E1YQRTRqOwSK0NRAAV5NBbr7zumS3VS0rVUpIbZVrW/C2BSAVbzowkHuo5o1B7UFsryb3s2FJJGF2biaDoL+ijM5a0Qi4LfNeaSLNKrzaTin0wYq8rPrQKOUBZL4t6FsRbG7KHmfwM4uYdWqV5h1syjI9WWReuePVb416YvqSH9p8HhNsDTka8IGgYkHcYAXYuuxUc6sgQONBwrsdeN5Dhq1IedhuOW+3qAV+hHl8qmVgiWZ8Ss+nmo016nsikifEp08N7J8t3f86/SFZO+YMBxQ/K9PJLsJzR2jsBcf2aTlq0cuzXDvb4cMtro=,iv:N9zdyKJDsj049j5hZOSnAkS/VTWlC3crTODJKIpYYko=,tag:uYHq3CZj0P/BAv+0Ak5ZEw==,type:str]
+    gluetun-qbitperm: ENC[AES256_GCM,data:kzSrILs78UkzNeAvxoDU3QsLKdapQNyQW9nq0it+7HhhwDQ0MJB1s2Ek8zKErTatpwzG8xiUK0HwX5hFLgNZYc+OE0CH4PUrgX1t6dykuPLD2rKQL7veElNgqhX0/39xNyopyJk2UMVFNSqoV1DCC/ja9MqX9+jBYk++7DeX7v1Gl1ntjzJ+zIscg0nOTN1eQAHtiOWtFU0COC/aA8KS+HLIsMkjrIk9UD4C/DE8AOS07s+gDxPRtl6L7324FRqjEHNyxAobWOOLeG711RZcskF7dlminVJu4aVGbBwIy/zDdHFxRwO6yaLr/AqrTlRVOa2O8Qu2Ydpv8ZNj2F6fHrVNNmVwvMEKYibV6oMVo72uT+DTz/mFaYuTUeuJfkdCy7tnQYhBnpbd5J4mKfVb8uOF9Tx02kL2fTFKyvtET3nrtakQUjv8mEqHn4F8136O2JvUBN5RmC3B3vRdFjYgdfwy8hUT9b0Cmi8w0Zzs+XGMRdvWv2g6b5fmlAn0K+a0KB1fdDLhvbIXhY+sYzR3yOH01K0lW3xVdnl1eMIFjZkUGRTi32HyCYb0SUA1EcXmtA4XmyZ6HHFEXFA5y2guVqU4xLyXXldM+lGB7yGLMcM=,iv:kuueHxYafrEdyBxGUBoU2ks7kdr/rWMnXZmE3Kx/iK4=,tag:bNIfP3H5/Kh3ofuCGGx5Hg==,type:str]
 acme:
     bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
     dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -53,8 +53,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-19T18:52:34Z"
-    mac: ENC[AES256_GCM,data:c/rbSil5+IMpMsgqkGL2ycHOKiP0ml8MUB5PH40C1QimW7WYgjDg9lWpoLvn3fFrFEzHrt1gls23ImYCrrbNPlUEQQm69bV0I9tm6J0MiyFkxVPqrzLZdp6wn2l2ThwuAfLp674ZpltJuWHnHxusbW892QaVlGtQpN0yHSW57H0=,iv:37DbNJYIN3UIPmUinFJ6taO/INI4/wvCda/ARi70NFc=,tag:pQIPXRJWWu3I0zFY+ATSZg==,type:str]
+    lastmodified: "2026-01-17T01:50:50Z"
+    mac: ENC[AES256_GCM,data:8TGSqwEcfmrW1PjuzTVNyDTNs6s3oWbT0tI+rg7u2w5Dcw1EEU+SjJ6VpNY06AZHTjSD6E0O7NzUxybtMpslHUGitOGWwQCk+sbqRJuUseFe7bWFboEVoJpEoYGN5pnn52opMT+NeHGkXumaxjhDjCxfwn1RBHR7TgD4ZHEH6pE=,iv:szBUnn3HL/osWhmTwYmHrUghobWdBR60Lc6uUD/eGMY=,tag:6vgdJeJjL4ZYKc8WjixClg==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-

systems/palatine-hill/vars.nix

@@ -19,4 +19,6 @@ rec {
   primary_torr = "${zfs_primary}/torr";
   primary_plex = "${zfs_primary}/plex";
   primary_plex_storage = "${zfs_primary}/plex_storage";
+  primary_ollama = "${zfs_primary}/ollama";
+  primary_mattermost = "${zfs_primary}/mattermost";
 }

systems/palatine-hill/zfs.nix

@@ -31,6 +31,7 @@
         "ZFS-primary/docker".useTemplate = [ "production" ];
         "ZFS-primary/hydra".useTemplate = [ "nix-prod" ];
         "ZFS-primary/nextcloud".useTemplate = [ "production" ];
+        "ZFS-primary/mattermost".useTemplate = [ "production" ];
         # all docker containers should have a bind mount if they expect lasting zfs snapshots
         "ZFS-primary/vardocker".useTemplate = [ "nix-prod" ];
         "ZFS-primary/minio".useTemplate = [ "nix-prod" ];

systems/selinunte/programs.nix

@@ -29,10 +29,8 @@
     glances
     gpu-viewer
     grim
-    helvum
     htop
     hwloc
-    ipmiview
     iperf3
     # ipscan
     jp2a
@@ -80,8 +78,6 @@
     # signal in tray?
     siji
     simple-mtpfs
-    skaffold
-    slack
     slurp
     smartmontools
     snyk

systems/selinunte/stylix.nix

@@ -1,10 +1,4 @@
 { pkgs, ... }:
-# let
-# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
-#   numWallpapers =
-#   $((1 + $RANDOM % 10))
-
-# in
 {
   stylix = {
     enable = true;

users/alice/home.nix

@@ -66,7 +66,6 @@
       cargo-update
       diesel-cli
       tealdeer
-      helix
       ripunzip
 
       # nix specific packages
@@ -86,7 +85,7 @@
 
       # dependencies for nix-dotfiles/hydra-check-action
       nodejs_20
-      nodePackages.prettier
+      prettier
       treefmt
 
       gocryptfs
@@ -164,8 +163,9 @@
     userDirs = {
       enable = true;
       createDirectories = true;
+      setSessionVariables = true;
       extraConfig = {
-        XDG_SCREENSHOTS_DIR = "${config.xdg.userDirs.pictures}/Screenshots";
+        SCREENSHOTS = "${config.xdg.userDirs.pictures}/Screenshots";
       };
     };
   };

users/alice/home/git.nix

@@ -6,6 +6,7 @@
     lfs.enable = true;
     signing = {
       key = "5EFFB75F7C9B74EAA5C4637547940175096C1330";
+      format = "openpgp";
       signByDefault = true;
     };
     settings = {
@@ -14,6 +15,7 @@
       color.ui = true;
       init.defaultBranch = "main";
       format.signoff = true;
+      format.commitMessage = "signed-off-by";
       pack.windowMemory = "2g";
       pack.packSizeLimit = "1g";
       user.email = "aliceghuston@gmail.com";

users/alice/non-server.nix

@@ -1,11 +1,27 @@
-{ pkgs, outputs, ... }:
-
+{ pkgs, ... }:
+let
+  tex = pkgs.texlive.combine {
+    inherit (pkgs.texlive)
+      scheme-medium
+      preprint
+      titlesec
+      enumitem
+      sourcesanspro
+      xifthen
+      ifmtarg
+      framed
+      paralist
+      fontawesome7
+      ;
+  };
+in
 {
-  programs.emacs = {
+  programs = {
+    emacs = {
       enable = true;
       package = pkgs.emacs30-pgtk;
     };
-  programs.vesktop = {
+    vesktop = {
       enable = true;
       settings = {
         appBadge = false;
@@ -21,7 +37,7 @@
         notifyAboutUpdates = false;
         plugins = {
           AnonymiseFileNames.enabled = true;
-        BetterFolders.enabled = true;
+          BetterFolders.enabled = false;
           BetterGifAltText.enabled = true;
           CallTimer.enabled = true;
           ClearURLs.enabled = true;
@@ -46,6 +62,153 @@
         };
       };
     };
+    zed-editor = {
+      enable = true;
+      mutableUserSettings = false;
+      extensions = [
+        "nix"
+        "toml"
+        "rust"
+        "java"
+        "kotlin"
+        "git firefly"
+        "make"
+        "dockerfile"
+        "sql"
+        "latex"
+        "terraform"
+        "log"
+        "context7-mcp-server"
+        "github-mcp-server"
+      ];
+      userSettings = {
+        context_servers = {
+          nixos = {
+            command = "nix";
+            args = [
+              "run"
+              "github:utensils/mcp-nixos"
+              "--"
+            ];
+          };
+        };
+        language_models = {
+          ollama = {
+            api_url = "http://192.168.76.2:11434";
+            context_window = 128000;
+            # global keep alive doesnt work
+            #keep_alive = "15m";
+            available_models = [
+              {
+                name = "deepseek-r1:1.5b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "deepseek-r1:32b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "deepseek-r1:70b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "qwen3-coder-next";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "lennyerik/zeta";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "nomic-embed-text:latest";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "lfm2:24b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "glm-4.7-flash";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "nemotron-cascade-2:30b";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+              {
+                name = "magistral";
+                max_tokens = 128000;
+                keep_alive = "15m";
+              }
+
+            ];
+          };
+        };
+        colorize_brackets = true;
+        hard_tabs = false;
+        vim_mode = true;
+        minimap = {
+          show = "auto";
+        };
+        buffer_line_height = "comfortable";
+        auto_update = false;
+        autosave = "on_focus_change";
+        agent = {
+          default_model = {
+            provider = "ollama";
+            model = "glm-4.7-flash";
+          };
+          favorite_models = [ ];
+          model_parameters = [ ];
+        };
+        telemetry = {
+          diagnostics = false;
+          metrics = false;
+        };
+        journal = {
+          hour_format = "hour24";
+        };
+        edit_predictions = {
+          provider = "ollama";
+          ollama = {
+            #api_url = "http://192.168.76.2:11434/v1/completions";
+            api_url = "http://192.168.76.2:11434";
+            context_window = 128000;
+            model = "lennyerik/zeta";
+            prompt_format = "qwen";
+            max_requests = 64;
+            max_output_tokens = 256;
+          };
+        };
+        texlab = {
+          build = {
+            onSave = true;
+            forwardSearchAfter = true;
+          };
+          forwardSearch = {
+            executable = "zathura";
+            args = [
+              "--synctex-forward"
+              "%l:1:%f"
+              "-x"
+              "zed %%{input}:%%{line}"
+              "%p"
+            ];
+          };
+        };
+      };
+    };
+  };
+
   home.packages = with pkgs; [
     cmake
     shellcheck
@@ -70,12 +233,14 @@
     nix-init
 
     # markdown
-    nodePackages.markdownlint-cli
+    markdownlint-cli
+
+    # insert essential rust dependencies
 
     # doom emacs dependencies
     yaml-language-server
-    nodePackages.typescript-language-server
-    nodePackages.bash-language-server
+    typescript-language-server
+    bash-language-server
     pyright
     cmake-language-server
     multimarkdown
@@ -91,11 +256,12 @@
     languagetool
 
     # latex
-    texlive.combined.scheme-medium
+    tex
+    poppler-utils
 
     # dependencies for nix-dotfiles/hydra-check-action
     nodejs_20
-    nodePackages.prettier
+    prettier
     treefmt
 
     nextcloud-client
@@ -112,5 +278,12 @@
 
     # arch zed deps
     nixd
+    uv
+
+    pdf4qt
+    masterpdfeditor4
+
+    gitea-mcp-server
+    tea
   ];
 }

users/default.nix

@@ -28,6 +28,8 @@
     "plugdev"
     "uaccess"
     "ydotool"
+    "video"
+    "render"
   ]
   ++ groups;
 }