Merge pull request 'scale down act runners' (#56 ) from feature/scale-act into main

Reviewed-on: #56
scale down act runners
2025-03-25 10:39:08 -04:00 · 2025-03-25 10:25:03 -04:00 · 2025-03-24 22:13:07 -04:00 · 2025-03-24 10:14:38 -04:00 · 2025-03-23 15:26:11 -04:00 · 2025-03-23 14:52:24 -04:00
97 changed files with 4106 additions and 850 deletions
--- a/.gitconfig
+++ b/.gitconfig
@@ -1,6 +1,11 @@
 # run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
 # run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
 # if for whatever reason the below doesn't work, try modifying the mergetool command as below
 #   find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
 #   replace: ./utils/sops-mergetool.sh
 [mergetool "sops-mergetool"]
-        cmd = bash -c "$(git --exec-path)/sops-mergetool.sh \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\""
+	cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
 [merge]
-	tool = nvimdiff3
+	tool = nvimdiff
 [mergetool "nvimdiff"]
 	layout = MERGED
--- a/.github/settings.yml
+++ b/.github/settings.yml
@@ -1,204 +1,173 @@
 # Have borrowed this config from nix-community/infra
 repository:
-  # See https://developer.github.com/v3/repos/#edit for all available settings.
+    # See https://developer.github.com/v3/repos/#edit for all available settings.
-  # The name of the repository. Changing this will rename the repository
+    # The name of the repository. Changing this will rename the repository
-  name: nix-dotfiles
+    name: nix-dotfiles
-
+    # A short description of the repository that will show up on GitHub
-  # A short description of the repository that will show up on GitHub
+    description: RAD-Dev Infra
-  description: RAD-Dev Infra
+    # A URL with more information about the repository
-
+    # homepage: "https://nix-community.org"
  # A URL with more information about the repository
  # homepage: "https://nix-community.org"
  # A comma-separated list of topics to set on the repository
  topics: "nixos"
  # Either `true` to make the repository private, or `false` to make it public.
  private: false
  # Either `true` to enable issues for this repository, `false` to disable them.
  has_issues: true
  # Either `true` to enable projects for this repository, or `false` to disable them.
  # If projects are disabled for the organization, passing `true` will cause an API error.
  has_projects: true
  # Either `true` to enable the wiki for this repository, `false` to disable it.
  has_wiki: false
  # Either `true` to enable downloads for this repository, `false` to disable them.
  has_downloads: false
  # Updates the default branch for this repository.
  default_branch: main
  # Either `true` to allow squash-merging pull requests, or `false` to prevent
  # squash-merging.
  allow_squash_merge: true
  # Either `true` to allow merging pull requests with a merge commit, or `false`
  # to prevent merging pull requests with merge commits.
  allow_merge_commit: false
  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
  # rebase-merging.
  allow_rebase_merge: true
  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
  delete_branch_on_merge: true
  # Either `true` to enable automated security fixes, or `false` to disable
  # automated security fixes.
  enable_automated_security_fixes: true
  # Either `true` to enable vulnerability alerts, or `false` to disable
  # vulnerability alerts.
  enable_vulnerability_alerts: true
  allow_auto_merge: true
    # A comma-separated list of topics to set on the repository
    topics: "nixos"
    # Either `true` to make the repository private, or `false` to make it public.
    private: false
    # Either `true` to enable issues for this repository, `false` to disable them.
    has_issues: true
    # Either `true` to enable projects for this repository, or `false` to disable them.
    # If projects are disabled for the organization, passing `true` will cause an API error.
    has_projects: true
    # Either `true` to enable the wiki for this repository, `false` to disable it.
    has_wiki: false
    # Either `true` to enable downloads for this repository, `false` to disable them.
    has_downloads: false
    # Updates the default branch for this repository.
    default_branch: main
    # Either `true` to allow squash-merging pull requests, or `false` to prevent
    # squash-merging.
    allow_squash_merge: true
    # Either `true` to allow merging pull requests with a merge commit, or `false`
    # to prevent merging pull requests with merge commits.
    allow_merge_commit: false
    # Either `true` to allow rebase-merging pull requests, or `false` to prevent
    # rebase-merging.
    allow_rebase_merge: true
    # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
    delete_branch_on_merge: true
    # Either `true` to enable automated security fixes, or `false` to disable
    # automated security fixes.
    enable_automated_security_fixes: true
    # Either `true` to enable vulnerability alerts, or `false` to disable
    # vulnerability alerts.
    enable_vulnerability_alerts: true
    allow_auto_merge: true
 # Labels: define labels for Issues and Pull Requests
 #
 labels:
-  - name: bug
+    - name: bug
-    color: '#d73a4a'
+      color: '#d73a4a'
-    description: Something isn't working
+      description: Something isn't working
-  - name: CI/CD
+    - name: CI/CD
-    # If including a `#`, make sure to wrap it with quotes!
+      # If including a `#`, make sure to wrap it with quotes!
-    color: '#0e8a16'
+      color: '#0e8a16'
-    description: Related to GH Actions or Hydra
+      description: Related to GH Actions or Hydra
-  - name: documentation
+    - name: documentation
-    color: '#0075ca'
+      color: '#0075ca'
-    description: Improvements or additions to documentation
+      description: Improvements or additions to documentation
-  - name: duplicate
+    - name: duplicate
-    color: '#cfd3d7'
+      color: '#cfd3d7'
-    description: This issue or pull request already exists
+      description: This issue or pull request already exists
-  - name: enhancement
+    - name: enhancement
-    color: '#a2eeef'
+      color: '#a2eeef'
-    description: New feature or request
+      description: New feature or request
-  - name: good first issue
+    - name: good first issue
-    color: '#7057ff'
+      color: '#7057ff'
-    description: Good for newcomers
+      description: Good for newcomers
-  - name: help wanted
+    - name: help wanted
-    color: '#008672'
+      color: '#008672'
-    description: Extra attention is needed
+      description: Extra attention is needed
-  - name: high priority
+    - name: high priority
-    color: '#BF480A'
+      color: '#BF480A'
-    description: A major vurnability was detected
+      description: A major vurnability was detected
-  - name: invalid
+    - name: invalid
-    color: '#e4e669'
+      color: '#e4e669'
-    description: This doesn't seem right
+      description: This doesn't seem right
-  - name: new user
+    - name: new user
-    color: '#C302A1'
+      color: '#C302A1'
-    description: A new user was added to the Flake
+      description: A new user was added to the Flake
-  - name: question
+    - name: question
-    color: '#d876e3'
+      color: '#d876e3'
-    description: Further information is requested
+      description: Further information is requested
-  - name: wontfix
+    - name: wontfix
-    color: '#ffffff'
+      color: '#ffffff'
-    description: This will not be worked on
+      description: This will not be worked on
-  - name: dependencies
+    - name: dependencies
-    color: '#cb4ed5'
+      color: '#cb4ed5'
-    description: Used for PR's related to flake.lock updates
+      description: Used for PR's related to flake.lock updates
-  - name: automated
+    - name: automated
-    color: '#42b528'
+      color: '#42b528'
-    description: PR was automatically generated (through a bot or CI/CD)
+      description: PR was automatically generated (through a bot or CI/CD)
 # Milestones: define milestones for Issues and Pull Requests
 milestones:
-  - title: Go-Live
+    - title: Go-Live
-    description: >-
+      description: >-
-      All requirements for official go-live:
+        All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
-      - Automated testing via Hydra/Actions
+      # The state of the milestone. Either `open` or `closed`
-      - Automated deployments via Hydra/Actions
+      state: open
-      - 90+% testing coverage
+    - title: Jeeves Migration
-      - Functional formatter with custom rules
+      description: >-
-      - palatine-hill is fully stable, enough so that jeeves can be migrated
+        Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
    # The state of the milestone. Either `open` or `closed`
    state: open
  - title: Jeeves Migration
    description: >-
      Test common use-cases for Jeeves
      - Quadro GPU support
      - Multi-GPU support
      - Plex support
      - Docker support
      - ZFS support
 # Collaborators: give specific users access to this repository.
 # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
 collaborators:
-  # - username: numtide-bot
+# - username: numtide-bot
-  # Note: `permission` is only valid on organization-owned repositories.
+# Note: `permission` is only valid on organization-owned repositories.
-  # The permission to grant the collaborator. Can be one of:
+# The permission to grant the collaborator. Can be one of:
-  # * `pull` - can pull, but not push to or administer this repository.
+# * `pull` - can pull, but not push to or administer this repository.
-  # * `push` - can pull and push, but not administer this repository.
+# * `push` - can pull and push, but not administer this repository.
-  # * `admin` - can pull, push and administer this repository.
+# * `admin` - can pull, push and administer this repository.
-  # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-  # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-  # permission: push
+# permission: push
 # See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
 teams:
-  # - name: admin
+# - name: admin
-    # The permission to grant the team. Can be one of:
+# The permission to grant the team. Can be one of:
-    # * `pull` - can pull, but not push to or administer this repository.
+# * `pull` - can pull, but not push to or administer this repository.
-    # * `push` - can pull and push, but not administer this repository.
+# * `push` - can pull and push, but not administer this repository.
-    # * `admin` - can pull, push and administer this repository.
+# * `admin` - can pull, push and administer this repository.
-    # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-    # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-    # permission: admin
+# permission: admin
 branches:
-  # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
+    # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
-  # not available in the api yet
+    # not available in the api yet
-  # `Require merge queue`: true
+    # `Require merge queue`: true
-  # `Merge method`: Rebase and merge
+    # `Merge method`: Rebase and merge
-  # `Maximum pull requests to build`: 1
+    # `Maximum pull requests to build`: 1
-  # `Maximum pull requests to merge`: 1
+    # `Maximum pull requests to merge`: 1
-  # defaults:
+    # defaults:
-  # `Maximum pull requests to build`: 5
+    # `Maximum pull requests to build`: 5
-  # `Minimum pull requests to merge`: 1 or 5 minutes
+    # `Minimum pull requests to merge`: 1 or 5 minutes
-  # `Maximum pull requests to merge`: 5
+    # `Maximum pull requests to merge`: 5
-  # `Only merge non-failing pull requests`: true
+    # `Only merge non-failing pull requests`: true
-  # `Consider check failed after`: 60 minutes
+    # `Consider check failed after`: 60 minutes
    - name: main
      # https://docs.github.com/en/rest/reference/repos#update-branch-protection
      # Branch Protection settings. Set to null to disable
      protection:
        # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
-  - name: main
+        # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
-    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+        required_pull_request_reviews:
-    # Branch Protection settings. Set to null to disable
+            # # The number of approvals required. (1-6)
-    protection:
+            required_approving_review_count: 1
-      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
+            # # Dismiss approved reviews automatically when a new commit is pushed.
-
+            dismiss_stale_reviews: true
-      # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
+            # # Blocks merge until code owners have reviewed.
-      required_pull_request_reviews:
+            require_code_owner_reviews: false
-        # # The number of approvals required. (1-6)
+            # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
-        required_approving_review_count: 1
+            # dismissal_restrictions:
-        # # Dismiss approved reviews automatically when a new commit is pushed.
+            #   users: []
-        dismiss_stale_reviews: true
+            #   teams: []
-        # # Blocks merge until code owners have reviewed.
+            require_last_push_approval: false
-        require_code_owner_reviews: false
+        # Required. Require status checks to pass before merging. Set to null to disable
-        # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+        # required_status_checks:
        # dismissal_restrictions:
        #   users: []
        #   teams: []
        require_last_push_approval: false
      # Required. Require status checks to pass before merging. Set to null to disable
      # required_status_checks:
        # Required. Require branches to be up to date before merging.
        # strict: false
        # Required. The list of status checks to require in order to merge into this branch
        # contexts:
        #   - buildbot/nix-eval
-      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+        # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
-      enforce_admins: true
+        enforce_admins: true
-      # Disabled for bors to work
+        # Disabled for bors to work
-      required_linear_history: true
+        required_linear_history: true
-      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+        # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
-      restrictions:
+        restrictions:
-        apps: []
+            apps: []
-        # TODO: make a buildbot instance
+            # TODO: make a buildbot instance
-        # users: ["nix-infra-bot"]
+            # users: ["nix-infra-bot"]
-        teams: []
+            teams: []
--- a/.github/workflows/flake-health-checks.yml
+++ b/.github/workflows/flake-health-checks.yml
@@ -1,20 +1,47 @@
 name: "Check Nix flake"
 on:
-  push:
+    push:
-    branches: ["main"]
+        branches: ["main"]
-  pull_request:
+    pull_request:
-    branches: ["main"]
+        branches: ["main"]
-  merge_group:
+    merge_group:
 jobs:
-  health-check:
+    health-check:
-    name: "Perform Nix flake checks"
+        name: "Perform Nix flake checks"
-    runs-on: ${{ matrix.os }}
+        runs-on: ${{ matrix.os }}
-    strategy:
+        strategy:
-      matrix:
+            matrix:
-        os: [ubuntu-latest]
+                os: [ubuntu-latest]
-    steps:
+        steps:
-      - uses: DeterminateSystems/nix-installer-action@main
+            - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+            - name: Setup Attic cache
-      - uses: actions/checkout@v4
+              uses: ryanccn/attic-action@v0
-      - run: nix flake check --accept-flake-config
+              with:
                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
                cache: ${{ secrets.ATTIC_CACHE }}
                token: ${{ secrets.ATTIC_TOKEN }}
                skip-push: "true"
            - uses: actions/checkout@v4
            - run: nix flake check --accept-flake-config
            - run: nix ./utils/attic-push.bash
    build-checks:
        name: "Build nix outputs"
        runs-on: ${{ matrix.os }}
        strategy:
            matrix:
                os: [ubuntu-latest]
        steps:
            - uses: DeterminateSystems/nix-installer-action@main
            - name: Setup Attic cache
              uses: ryanccn/attic-action@v0
              with:
                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
                cache: ${{ secrets.ATTIC_CACHE }}
                token: ${{ secrets.ATTIC_TOKEN }}
                skip-push: "true"
            - uses: actions/checkout@v4
            - name: Build all outputs
              run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
            - name: Push to Attic
              run: nix ./utils/attic-push.bash
              continue-on-error: true
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@@ -1,67 +1,112 @@
 name: "Update flakes"
 on:
-  repository_dispatch:
+    repository_dispatch:
-  workflow_dispatch:
+    workflow_dispatch:
-  schedule:
+    schedule:
-    - cron: "00 12 * * *"
+        - cron: "00 12 * * *"
 jobs:
-  createPullRequest:
+    update_lockfile:
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
+        #if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
-    steps:
+        steps:
-      - uses: actions/checkout@v4
+            - name: Checkout repository
-      - name: Login to Docker Hub
+              uses: actions/checkout@v4
-        uses: docker/login-action@v3
+            - name: Install nix
-        with:
+              uses: https://github.com/DeterminateSystems/nix-installer-action@main
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+            - name: Setup Attic cache
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+              uses: ryanccn/attic-action@v0
-      - name: Install Nix
+              with:
-        uses: cachix/install-nix-action@v24
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-        with:
+                cache: ${{ secrets.ATTIC_CACHE }}
-          extra_nix_config: |
+                token: ${{ secrets.ATTIC_TOKEN }}
-            experimental-features = nix-command flakes
+                skip-push: "true"
-          install_url: https://releases.nixos.org/nix/nix-2.19.0/install
+            - name: Get pre-snapshot of evaluations
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+              run: nix ./utils/eval-to-drv.sh pre
-      - name: Calculate pre-drv
+            - name: Update flake.lock
-        run: nix ./utils/eval-to-drv.sh pre
+              id: update
-      - name: Pull latest docker images
+              run: |
-        run: nix ./utils/fetch-docker.sh
+                nix flake update 2> >(tee /dev/stderr) | awk '
-      - name: Update flake.lock (part 1)
+                  /^• Updated input/ {in_update = 1; print; next}
-        run: nix flake update
+                  in_update && !/^warning:/ {print}
-      - name: Calculate post-drv
+                  /^$/ {in_update = 0}
-        run: nix ./utils/eval-to-drv.sh post
+                ' > update.log
      - name: Calculate diff
        run: nix ./utils/diff-evals.sh
      - name: Read diff into environment
        run: |
          delimiter="$(openssl rand -hex 8)"
          {
          echo "POSTDIFF<<${delimiter}"
          cat post-diff
          echo "${delimiter}"
          } >> $GITHUB_ENV
                echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
                cat update.log >> $GITHUB_ENV
                echo "EOF" >> $GITHUB_ENV
-      - name: Restore flake.lock for next step
+                rm update.log
-        run: git restore flake.lock
+            - name: Get post-snapshot of evaluations
-      - name: Update flake.lock
+              run: nix ./utils/eval-to-drv.sh post
-        id: update
+            - name: Calculate diff
-        uses: DeterminateSystems/update-flake-lock@main
+              run: nix ./utils/diff-evals.sh
-        with:
+            - name: Read file contents
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+              id: read_file
-          pr-body: |
+              uses: guibranco/github-file-reader-action-v2@latest
-            Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+              with:
                path: "post-diff"
            - name: Write PR body template
              uses: https://github.com/DamianReeves/write-file-action@v1.3
              with:
                path: pr_body.template
                contents: |
                    - The following Nix Flake inputs were updated:
-            ```
+                    ```
-            {{ env.GIT_COMMIT_MESSAGE }}
+                    ${{ env.UPDATE_LOG }}
-            ```
+                    ```
-            ```
+                    ```
-            {{ env.POSTDIFF }}
+                    ${{ steps.read_file.outputs.contents }}
-            ```
+                    ```
-          pr-labels: |                  # Labels to be set on the PR
+
-            dependencies
+                    Auto-generated by [update.yml][1] with the help of
-            automated
+                    [create-pull-request][2].
                    [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
                    [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
            - name: Generate PR body
              uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
              with:
                files: "pr_body.template"
                output-filename: "pr_body.md"
            - name: Save PR body
              id: pr_body
              uses: juliangruber/read-file-action@v1
              with:
                path: "pr_body.md"
            - name: Remove temporary files
              run: |
                rm pr_body.template
                rm pr_body.md
                rm pre.json
                rm post.json
                rm post-diff
            - name: Create Pull Request
              id: create-pull-request
              # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
              uses: https://nayeonie.com/ahuston-0/create-pull-request@main
              with:
                token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
                body: ${{ steps.pr_body.outputs.content }}
                author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
                title: 'automated: Update `flake.lock`'
                commit-message: |
                    automated: Update `flake.lock`
                    ${{ steps.pr_body.outputs.content }}
                branch: update-flake-lock
                delete-branch: true
                pr-labels: | # Labels to be set on the PR
                    dependencies
                    automated
            - name: Push to Attic
              run: nix ./utils/attic-push.bash
              continue-on-error: true
            - name: Print PR number
              run: |
                echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
                echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 permissions:
-  pull-requests: write
+    pull-requests: write
-  contents: write
+    contents: write
--- a/.github/workflows/lock-health-checks.yml
+++ b/.github/workflows/lock-health-checks.yml
@@ -1,17 +1,16 @@
 name: "Check flake.lock"
 on:
-  push:
+    push:
-    branches: ["main"]
+        branches: ["main"]
-  pull_request:
+    pull_request:
-    branches: ["main"]
+        branches: ["main"]
-  merge_group:
+    merge_group:
 jobs:
-  health-check:
+    health-check:
-    name: "Check health of `flake.lock`"
+        name: "Check health of `flake.lock`"
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-    steps:
+        steps:
-      - uses: actions/checkout@v4
+            - uses: actions/checkout@v4
-      - uses: DeterminateSystems/flake-checker-action@main
+            - uses: DeterminateSystems/flake-checker-action@main
-        with:
+              with:
-          fail-mode: true
+                fail-mode: true
--- a/.github/workflows/nix-fmt.yml
+++ b/.github/workflows/nix-fmt.yml
@@ -1,17 +1,25 @@
 name: "Check Nix formatting"
 on:
-  push:
+    push:
-    branches: ["main"]
+        branches: ["main"]
-  pull_request:
+    pull_request:
-    branches: ["main"]
+        branches: ["main"]
-  merge_group:
+    merge_group:
 jobs:
-  health-check:
+    health-check:
-    name: "Perform Nix format checks"
+        name: "Perform Nix format checks"
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-    steps:
+        steps:
-      - uses: DeterminateSystems/nix-installer-action@main
+            - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+            - name: Setup Attic cache
-      - uses: actions/checkout@v4
+              uses: ryanccn/attic-action@v0
-      - run: nix fmt -- --check .
+              with:
                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
                cache: ${{ secrets.ATTIC_CACHE }}
                token: ${{ secrets.ATTIC_TOKEN }}
                skip-push: "true"
            - uses: actions/checkout@v4
            - run: nix fmt -- --check .
            - name: Push to Attic
              run: nix ./utils/attic-push.bash
              continue-on-error: true
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,46 +1,46 @@
 keys:
-  # The PGP keys in keys/
+    # The PGP keys in keys/
-  - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
+    - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
-
+    # Generate AGE keys from SSH keys with:
-  # Generate AGE keys from SSH keys with:
+    #   ssh-keygen -A
-  #   ssh-keygen -A
+    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
-  #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+    # cspell:disable
-  # cspell:disable
+    - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
-  - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
+    - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
  - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
    #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
-  - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
+    - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
-  # cspell:enable
+    # cspell:enable
 servers: &servers
-  - *palatine-hill
+    - *palatine-hill
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
 # update keys by executing: sops updatekeys secrets.yaml
 # note: add .* before \.yaml if you'd like to use the mergetool config
 creation_rules:
-  - path_regex: users/alice/secrets.*\.yaml$
+    - path_regex: users/alice/secrets.*\.yaml$
-    key_groups:
+      key_groups:
-      - pgp:
+        - pgp:
-          - *admin_alice
+            - *admin_alice
-        age:
+          age:
-          - *palatine-hill
+            - *palatine-hill
-          - *artemision
+            - *artemision
-          - *artemision-home
+            - *artemision-home
-
+    - path_regex: systems/palatine-hill/secrets.*\.yaml$
-  - path_regex: systems/palatine-hill/secrets.*\.yaml$
+      key_groups:
-    key_groups:
+        - pgp:
-      - pgp: 
+            - *admin_alice
-          - *admin_alice
+          age:
-        age:
+            - *palatine-hill
-          - *palatine-hill
+    - path_regex: systems/artemision/secrets.*\.yaml$
-
+      key_groups:
-  - path_regex: systems/artemision/secrets.*\.yaml$
+        - pgp:
-    key_groups:
+            - *admin_alice
-      - pgp:
+          age:
-          - *admin_alice
+            - *artemision
-        age:
+    - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
-          - *artemision
+      key_groups:
-
+        - pgp:
            - *admin_alice
          age:
            - *palatine-hill
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,7 @@
 {
-  "cSpell.enableFiletypes": ["nix"],
+  "cSpell.enableFiletypes": [
    "nix"
  ],
  "cSpell.words": [
    "aarch",
    "abmlevel",
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
 | Branch Name      | Use Case                                                                                                                                                                                                                      |
 |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | main             | protected branch which all machines pull from, do not try to push directly                                                                                                                                                    |
-| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
+| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
-| fixup/\<item\>   | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
+| fixup/\<item>   | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
-| hotfix/\<item\>  | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
+| hotfix/\<item>  | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
-| urgent/\<item\>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
+| urgent/\<item>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
-| exp/\<item\>     | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
+| exp/\<item>     | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
-| merge/\<item\>   | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
+| merge/\<item>   | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
 ### Review Process
@@ -94,11 +94,11 @@ rules.
  PR has been tested on at least one machine
   - Issues which bypass the quorum process must have a second reviewer tagged
   - All critical issues which bypass the approval process must have an RCA issue
-    opened and the RCA logged into the `inc/` folder
+     opened and the RCA logged into the `inc/` folder
   - The second reviewer has 2 weeks to retroactively review and approve the PR
   - If the retro does not happen in the given window, an issue shall be opened
-    to either re-review the PR or to revert and replace the fix with a
+     to either re-review the PR or to revert and replace the fix with a
-    permanent solution
+     permanent solution
 - Critical issues must be tagged to `Nix Flake Features` project, and must have
  a priority of `High` and an estimate tagged. Start and end date are not needed
--- a/docs/sample-setup.sh
+++ b/docs/sample-setup.sh
@@ -1,9 +1,9 @@
 #!/usr/bin/env nix
 #! nix shell nixpkgs#bash nixpkgs#git --command bash
-set -o errexit   # abort on nonzero exitstatus
+set -o errexit  # abort on nonzero exitstatus
-set -o nounset   # abort on unbound variable
+set -o nounset  # abort on unbound variable
-set -o pipefail  # don't hide errors within pipes
+set -o pipefail # don't hide errors within pipes
 PROCEED="N"
@@ -50,60 +50,58 @@ GITBASE="systems"
 FEATUREBRANCH="feature/adding-$MACHINENAME"
 if [ $PROCEED != "Y" ]; then
-    echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
+  echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 if [ $CREATEPARTS = "Y" ]; then
-    # Create partition table
+  # Create partition table
-    sudo parted "/dev/$DRIVE" -- mklabel gpt
+  sudo parted "/dev/$DRIVE" -- mklabel gpt
-    # Create boot part
+  # Create boot part
-    sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
+  sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
-    sudo parted "/dev/$DRIVE" -- set 1 esp on
+  sudo parted "/dev/$DRIVE" -- set 1 esp on
-    sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
+  sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
-    # Create luks part
+  # Create luks part
-    sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
+  sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
-    sudo parted "/dev/$DRIVE" -- set 2 lvm on
+  sudo parted "/dev/$DRIVE" -- set 2 lvm on
    LUKSPART="nixos-pv"
    sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
    sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
-    # Create lvm part
+  LUKSPART="nixos-pv"
-    sudo pvcreate "/dev/mapper/$LUKSPART"
+  sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
-    sudo pvresize "/dev/mapper/$LUKSPART"
+  sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
    sudo pvdisplay
-    # Create volume group
+  # Create lvm part
-    sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
+  sudo pvcreate "/dev/mapper/$LUKSPART"
-    sudo vgchange -a y "$VOLGROUP"
+  sudo pvresize "/dev/mapper/$LUKSPART"
-    sudo vgdisplay
+  sudo pvdisplay
-    # Create swap part on LVM
+  # Create volume group
-    if [ $SWAPSIZE != 0 ]; then
+  sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
-        sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
+  sudo vgchange -a y "$VOLGROUP"
-        sudo mkswap -L NIXSWAP -c "$SWAPPATH"
+  sudo vgdisplay
    fi
-    # Create home part on LVM, leaving plenty of room for snapshots
+  # Create swap part on LVM
-    sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
+  if [ $SWAPSIZE != 0 ]; then
-    sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
+    sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
    sudo mkswap -L NIXSWAP -c "$SWAPPATH"
  fi
-    # Create root part on LVM, keeping in mind most data will be on /home or /nix
+  # Create home part on LVM, leaving plenty of room for snapshots
-    sudo lvcreate -L 5G "$VOLGROUP" -n root
+  sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
-    sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
+  sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
-    # Create nix part on LVM
+  # Create root part on LVM, keeping in mind most data will be on /home or /nix
-    sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
+  sudo lvcreate -L 5G "$VOLGROUP" -n root
-    sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
+  sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
-    sudo lvdisplay
+  # Create nix part on LVM
  sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
  sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  sudo lvdisplay
  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 # Mount partitions
@@ -116,7 +114,7 @@ sudo mount $BOOTPART /mnt/boot
 # Enable swap if SWAPSIZE is non-zero
 if [ $SWAPSIZE != 0 ]; then
-    sudo swapon "/dev/$VOLGROUP/swap"
+  sudo swapon "/dev/$VOLGROUP/swap"
 fi
 # Clone the repo
@@ -135,31 +133,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
 cat "$DOTS/id_ed25519_ghdeploy.pub"
 if [ $SOPS == "Y" ]; then
-    # Create ssh host-keys
+  # Create ssh host-keys
-    sudo ssh-keygen -A
+  sudo ssh-keygen -A
-    sudo mkdir -p /mnt/etc/ssh
+  sudo mkdir -p /mnt/etc/ssh
-    sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
+  sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
-    # Get line where AGE comment is and insert new AGE key two lines down
+  # Get line where AGE comment is and insert new AGE key two lines down
-    AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
+  AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
-    AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
+  AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
-    sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
-    # Add server name
+  # Add server name
-    SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
-    # Add creation rules
+  # Add creation rules
-    CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    # TODO: below was not working when last attempted
+  # TODO: below was not working when last attempted
-    read -r -d '' PATHRULE <<-EOF
+  read -r -d '' PATHRULE <<-EOF
  - path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
    key_groups:
      - pgp: *$OWNERORADMINS
        age:
          - *$MACHINENAME
 EOF
-    sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
 fi
 read -r -p "press enter to continue"
--- a/flake.lock
+++ b/flake.lock
@@ -1,53 +1,69 @@
 {
  "nodes": {
-    "attic": {
+    "base16": {
      "inputs": {
-        "crane": "crane",
+        "fromYaml": "fromYaml"
        "flake-compat": [
          "flake-compat"
        ],
        "flake-parts": [
          "flake-parts"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
-        "lastModified": 1728577371,
+        "lastModified": 1732200724,
-        "narHash": "sha256-f3bKclEV5t1eP1OH7kTGv/tLzlToSRIe0ktkdl1jihw=",
+        "narHash": "sha256-+R1BH5wHhfnycySb7Sy5KbYEaTJZWm1h+LW1OtyhiTs=",
-        "owner": "zhaofengli",
+        "owner": "SenchoPens",
-        "repo": "attic",
+        "repo": "base16.nix",
-        "rev": "e5c8d2d50981a34602358d917e7be011b2c397a8",
+        "rev": "153d52373b0fb2d343592871009a286ec8837aec",
        "type": "github"
      },
      "original": {
-        "owner": "zhaofengli",
+        "owner": "SenchoPens",
-        "repo": "attic",
+        "repo": "base16.nix",
        "type": "github"
      }
    },
-    "crane": {
+    "base16-fish": {
-      "inputs": {
+      "flake": false,
        "nixpkgs": [
          "attic",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1722960479,
+        "lastModified": 1622559957,
-        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
+        "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
-        "owner": "ipetkov",
+        "owner": "tomyun",
-        "repo": "crane",
+        "repo": "base16-fish",
-        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
+        "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
        "type": "github"
      },
      "original": {
-        "owner": "ipetkov",
+        "owner": "tomyun",
-        "repo": "crane",
+        "repo": "base16-fish",
        "type": "github"
      }
    },
    "base16-helix": {
      "flake": false,
      "locked": {
        "lastModified": 1736852337,
        "narHash": "sha256-esD42YdgLlEh7koBrSqcT7p2fsMctPAcGl/+2sYJa2o=",
        "owner": "tinted-theming",
        "repo": "base16-helix",
        "rev": "03860521c40b0b9c04818f2218d9cc9efc21e7a5",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "base16-helix",
        "type": "github"
      }
    },
    "base16-vim": {
      "flake": false,
      "locked": {
        "lastModified": 1732806396,
        "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=",
        "owner": "tinted-theming",
        "repo": "base16-vim",
        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "base16-vim",
        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
        "type": "github"
      }
    },
@@ -62,11 +78,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1728965006,
+        "lastModified": 1742773104,
-        "narHash": "sha256-TXBxJMGC6P+cn5La/lIgVzb9ETutsOI3A3urHihB7FA=",
+        "narHash": "sha256-dAhrL+gEjNN5U/Sosy7IrX0Y0qPA0U7Gp9TBhqEliNU=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "f4947cf2d1a469b23fee54ad948c539f6aa431a7",
+        "rev": "d74460da63a8c08a69a1f143b04f2ab1a6b2f5c2",
        "type": "gitlab"
      },
      "original": {
@@ -76,14 +92,30 @@
        "type": "gitlab"
      }
    },
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
        "lastModified": 1741628778,
        "narHash": "sha256-RsvHGNTmO2e/eVfgYK7g+eYEdwwh7SbZa+gZkT24MEA=",
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
        "rev": "5a81d390bb64afd4e81221749ec4bffcbeb5fa80",
        "type": "github"
      },
      "original": {
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
        "type": "github"
      }
    },
    "flake-compat": {
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1733328505,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "revCount": 57,
+        "revCount": 69,
        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
      },
      "original": {
        "type": "tarball",
@@ -95,11 +127,33 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1727826117,
+        "lastModified": 1741352980,
-        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "stylix",
          "nur",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1733312601,
        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
        "type": "github"
      },
      "original": {
@@ -115,11 +169,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1731533236,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -128,6 +182,69 @@
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": [
          "stylix",
          "systems"
        ]
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "fromYaml": {
      "flake": false,
      "locked": {
        "lastModified": 1731966426,
        "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=",
        "owner": "SenchoPens",
        "repo": "fromYaml",
        "rev": "106af9e2f715e2d828df706c386a685698f3223b",
        "type": "github"
      },
      "original": {
        "owner": "SenchoPens",
        "repo": "fromYaml",
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": [
          "stylix",
          "flake-compat"
        ],
        "gitignore": "gitignore_2",
        "nixpkgs": [
          "stylix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1741379162,
        "narHash": "sha256-srpAbmJapkaqGRE3ytf3bj4XshspVR5964OX5LfjDWc=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "b5a62751225b2f62ff3147d0a334055ebadcd5cc",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
@@ -149,6 +266,45 @@
        "type": "github"
      }
    },
    "gitignore_2": {
      "inputs": {
        "nixpkgs": [
          "stylix",
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "gnome-shell": {
      "flake": false,
      "locked": {
        "lastModified": 1732369855,
        "narHash": "sha256-JhUWbcYPjHO3Xs3x9/Z9RuqXbcp5yhPluGjwsdE2GMg=",
        "owner": "GNOME",
        "repo": "gnome-shell",
        "rev": "dadd58f630eeea41d645ee225a63f719390829dc",
        "type": "github"
      },
      "original": {
        "owner": "GNOME",
        "ref": "47.2",
        "repo": "gnome-shell",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -156,11 +312,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728903686,
+        "lastModified": 1742771635,
-        "narHash": "sha256-ZHFrGNWDDriZ4m8CA/5kDa250SG1LiiLPApv1p/JF0o=",
+        "narHash": "sha256-HQHzQPrg+g22tb3/K/4tgJjPzM+/5jbaujCZd8s2Mls=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e1aec543f5caf643ca0d94b6a633101942fd065f",
+        "rev": "ad0614a1ec9cce3b13169e20ceb7e55dfaf2a818",
        "type": "github"
      },
      "original": {
@@ -176,11 +332,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1725551787,
+        "lastModified": 1742213523,
-        "narHash": "sha256-6LgsZHz8w3g4c9bRUwRAR+WIMwFGGf3P1VZQcKNRf2o=",
+        "narHash": "sha256-I8JVdQRu8eWvY5W8XWYZkdd5pojDHkxeqQV7mMIsbhs=",
        "owner": "hyprwm",
        "repo": "contrib",
-        "rev": "1e531dc49ad36c88b45bf836081a7a2c8927e072",
+        "rev": "bd81329944be53b0ffb99e05864804b95f1d7c65",
        "type": "github"
      },
      "original": {
@@ -196,11 +352,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728790083,
+        "lastModified": 1742701275,
-        "narHash": "sha256-grMdAd4KSU6uPqsfLzA1B/3pb9GtGI9o8qb0qFzEU/Y=",
+        "narHash": "sha256-AulwPVrS9859t+eJ61v24wH/nfBEIDSXYxlRo3fL/SA=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "5c54c33aa04df5dd4b0984b7eb861d1981009b22",
+        "rev": "36dc43cb50d5d20f90a28d53abb33a32b0a2aae6",
        "type": "github"
      },
      "original": {
@@ -211,11 +367,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1728781282,
+        "lastModified": 1736643958,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
        "type": "github"
      },
      "original": {
@@ -232,11 +388,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728867876,
+        "lastModified": 1742568034,
-        "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
+        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
+        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
        "type": "github"
      },
      "original": {
@@ -247,11 +403,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1728729581,
+        "lastModified": 1742806253,
-        "narHash": "sha256-oazkQ/z7r43YkDLLQdMg8oIB3CwWNb+2ZrYOxtLEWTQ=",
+        "narHash": "sha256-zvQ4GsCJT6MTOzPKLmlFyM+lxo0JGQ0cSFaZSACmWfY=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "a8dd1b21995964b115b1e3ec639dd6ce24ab9806",
+        "rev": "ecaa2d911e77c265c2a5bac8b583c40b0f151726",
        "type": "github"
      },
      "original": {
@@ -267,15 +423,14 @@
        ],
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "search": "search"
      },
      "locked": {
-        "lastModified": 1728919967,
+        "lastModified": 1742419596,
-        "narHash": "sha256-zQl8z8iagvrekF4tFK1au7mGH8x0zoGppo6geLPioQk=",
+        "narHash": "sha256-+Bw1HR4oX6vUbCMhwWbW+Nr20F+UesNdUd7b17s3ESE=",
        "owner": "SuperSandro2000",
        "repo": "nixos-modules",
-        "rev": "1aba521c9cd2cd97490846ac83fd73ae84625c8a",
+        "rev": "82491ff311152b87fe7cfbdaf545f727e0750aa9",
        "type": "github"
      },
      "original": {
@@ -286,48 +441,74 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1728492678,
+        "lastModified": 1742800061,
-        "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
+        "narHash": "sha256-oDJGK1UMArK52vcW9S5S2apeec4rbfNELgc50LqiPNs=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
+        "rev": "1750f3c1c89488e2ffdd47cab9d05454dddfb734",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1727825735,
+        "lastModified": 1740877520,
-        "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
-        "type": "tarball",
+        "owner": "nix-community",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "repo": "nixpkgs.lib",
        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
        "type": "github"
      },
      "original": {
-        "type": "tarball",
+        "owner": "nix-community",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1728740863,
+        "lastModified": 1742751704,
-        "narHash": "sha256-u+rxA79a0lyhG+u+oPBRtTDtzz8kvkc9a6SWSt9ekVc=",
+        "narHash": "sha256-rBfc+H1dDBUQ2mgVITMGBPI1PGuCznf9rcWX/XIULyE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a3f9ad65a0bf298ed5847629a57808b97e6e8077",
+        "rev": "f0946fa5f1fb876a9dc2e1850d9d3a4e3f914092",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nur": {
      "inputs": {
        "flake-parts": "flake-parts_2",
        "nixpkgs": [
          "stylix",
          "nixpkgs"
        ],
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
        "lastModified": 1741693509,
        "narHash": "sha256-emkxnsZstiJWmGACimyAYqIKz2Qz5We5h1oBVDyQjLw=",
        "owner": "nix-community",
        "repo": "NUR",
        "rev": "5479646b2574837f1899da78bdf9a48b75a9fb27",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "NUR",
        "type": "github"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": [
@@ -336,17 +517,14 @@
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
-        "lastModified": 1728778939,
+        "lastModified": 1742649964,
-        "narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
+        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
        "type": "github"
      },
      "original": {
@@ -357,7 +535,6 @@
    },
    "root": {
      "inputs": {
        "attic": "attic",
        "firefox-addons": "firefox-addons",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
@@ -373,7 +550,8 @@
        "pre-commit-hooks": "pre-commit-hooks",
        "rust-overlay": "rust-overlay",
        "sops-nix": "sops-nix",
-        "systems": "systems",
+        "stylix": "stylix",
        "systems": "systems_2",
        "wired-notify": "wired-notify"
      }
    },
@@ -384,11 +562,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728959392,
+        "lastModified": 1742783666,
-        "narHash": "sha256-fp4he1QQjE+vasDMspZYeXrwTm9otwEqLwEN6FKZ5v0=",
+        "narHash": "sha256-IwdSl51NL6V0f+mYXZR0UTKaGleOsk9zV3l6kt5SUWw=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "4c6e317300f05b8871f585b826b6f583e7dc4a9b",
+        "rev": "60766d63c227d576510ecfb5edd3a687d56f6bc7",
        "type": "github"
      },
      "original": {
@@ -397,46 +575,18 @@
        "type": "github"
      }
    },
    "search": {
      "inputs": {
        "flake-utils": [
          "nixos-modules",
          "flake-utils"
        ],
        "nixpkgs": [
          "nixos-modules",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1728423244,
        "narHash": "sha256-+YwNsyIFj3dXyLVQd1ry4pCNmtOpbceKUrkNS8wp9Ho=",
        "owner": "nuschtos",
        "repo": "search",
        "rev": "f276cc3b391493ba3a8b30170776860f9520b7fa",
        "type": "github"
      },
      "original": {
        "owner": "nuschtos",
        "repo": "search",
        "type": "github"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
-        "lastModified": 1728345710,
+        "lastModified": 1742700801,
-        "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
+        "narHash": "sha256-ZGlpUDsuBdeZeTNgoMv+aw0ByXT2J3wkYw9kJwkAS4M=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
+        "rev": "67566fe68a8bed2a7b1175fdfb0697ed22ae8852",
        "type": "github"
      },
      "original": {
@@ -445,6 +595,47 @@
        "type": "github"
      }
    },
    "stylix": {
      "inputs": {
        "base16": "base16",
        "base16-fish": "base16-fish",
        "base16-helix": "base16-helix",
        "base16-vim": "base16-vim",
        "firefox-gnome-theme": "firefox-gnome-theme",
        "flake-compat": [
          "flake-compat"
        ],
        "flake-utils": "flake-utils_2",
        "git-hooks": "git-hooks",
        "gnome-shell": "gnome-shell",
        "home-manager": [
          "home-manager"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "nur": "nur",
        "systems": "systems",
        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
        "tinted-schemes": "tinted-schemes",
        "tinted-tmux": "tinted-tmux",
        "tinted-zed": "tinted-zed"
      },
      "locked": {
        "lastModified": 1742753562,
        "narHash": "sha256-EBXgl3sPi5AQUM58XGuuC8HQl/Df+Dbt6pOLInInJ/k=",
        "owner": "danth",
        "repo": "stylix",
        "rev": "d9df91c55643a8b5229a3ae3a496a30f14965457",
        "type": "github"
      },
      "original": {
        "owner": "danth",
        "repo": "stylix",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@@ -460,6 +651,125 @@
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tinted-foot": {
      "flake": false,
      "locked": {
        "lastModified": 1726913040,
        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
        "owner": "tinted-theming",
        "repo": "tinted-foot",
        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "tinted-foot",
        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
        "type": "github"
      }
    },
    "tinted-kitty": {
      "flake": false,
      "locked": {
        "lastModified": 1716423189,
        "narHash": "sha256-2xF3sH7UIwegn+2gKzMpFi3pk5DlIlM18+vj17Uf82U=",
        "owner": "tinted-theming",
        "repo": "tinted-kitty",
        "rev": "eb39e141db14baef052893285df9f266df041ff8",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "tinted-kitty",
        "rev": "eb39e141db14baef052893285df9f266df041ff8",
        "type": "github"
      }
    },
    "tinted-schemes": {
      "flake": false,
      "locked": {
        "lastModified": 1741468895,
        "narHash": "sha256-YKM1RJbL68Yp2vESBqeZQBjTETXo8mCTTzLZyckCfZk=",
        "owner": "tinted-theming",
        "repo": "schemes",
        "rev": "47c8c7726e98069cade5827e5fb2bfee02ce6991",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "schemes",
        "type": "github"
      }
    },
    "tinted-tmux": {
      "flake": false,
      "locked": {
        "lastModified": 1740877430,
        "narHash": "sha256-zWcCXgdC4/owfH/eEXx26y5BLzTrefjtSLFHWVD5KxU=",
        "owner": "tinted-theming",
        "repo": "tinted-tmux",
        "rev": "d48ee86394cbe45b112ba23ab63e33656090edb4",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "tinted-tmux",
        "type": "github"
      }
    },
    "tinted-zed": {
      "flake": false,
      "locked": {
        "lastModified": 1725758778,
        "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=",
        "owner": "tinted-theming",
        "repo": "base16-zed",
        "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "base16-zed",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "stylix",
          "nur",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1733222881,
        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "wired-notify": {
      "inputs": {
        "flake-parts": [
@@ -473,11 +783,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1727849733,
+        "lastModified": 1730615238,
-        "narHash": "sha256-mqxs/nyzOEKiBHa94OtcOLYBXd65P8tO4DUVTHWHn6o=",
+        "narHash": "sha256-u/ZGtyEUvAkFOBgLo2YldOx0GKjE3/esWpWruRD376E=",
        "owner": "Toqozz",
        "repo": "wired-notify",
-        "rev": "a1f6965737754e7424f9468f6befef885a9ee0ad",
+        "rev": "1632418aa15889343028261663e81d8b5595860e",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -5,15 +5,17 @@
    substituters = [
      "https://cache.nixos.org/?priority=1&want-mass-query=true"
      "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
      "https://attic.nayeonie.com/nix-cache"
    ];
    trusted-substituters = [
      "https://cache.nixos.org"
      "https://attic.alicehuston.xyz/cache-nix-dot"
      "https://nix-community.cachix.org"
      "https://attic.nayeonie.com/nix-cache"
    ];
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
    ];
    trusted-users = [ "root" ];
  };
@@ -22,19 +24,21 @@
    flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
    flake-parts.url = "github:hercules-ci/flake-parts";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
    #nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
    systems.url = "github:nix-systems/default";
-    attic = {
+    # attic = {
-      url = "github:zhaofengli/attic";
+    #   url = "github:zhaofengli/attic";
-      inputs = {
+    #   inputs = {
-        nixpkgs.follows = "nixpkgs";
+    #     nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
+    #     nixpkgs-stable.follows = "nixpkgs-stable";
-        flake-compat.follows = "flake-compat";
+    #     flake-compat.follows = "flake-compat";
-        flake-parts.follows = "flake-parts";
+    #     flake-parts.follows = "flake-parts";
-      };
+    #   };
-    };
+    # };
    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@@ -81,7 +85,6 @@
      url = "github:cachix/git-hooks.nix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        nixpkgs-stable.follows = "nixpkgs-stable";
        flake-compat.follows = "flake-compat";
      };
    };
@@ -97,7 +100,15 @@
      url = "github:Mic92/sops-nix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
+      };
    };
    stylix = {
      url = "github:danth/stylix";
      inputs = {
        flake-compat.follows = "flake-compat";
        home-manager.follows = "home-manager";
        nixpkgs.follows = "nixpkgs";
      };
    };
@@ -149,6 +160,10 @@
        qcow = getImages nixosConfigurations "qcow";
      };
      packages.x86_64-linux.lego-latest =
        nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
          { };
      checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
      devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
--- a/lib/container-utils.nix
+++ b/lib/container-utils.nix
@@ -0,0 +1,43 @@
 { lib, ... }:
 {
  # Given a attrset of images and a function which generates an image spec,
  # generates a set of containers (although this could in theory be used for
  # other things... I'd like to see people try)
  #
  # container set must be in the below format
  # { container-name = {image = "image-uri"; scale = n;}; }
  # where image-uri gets passed in to the container-spec function as a custom
  # parameter, and scale is an integer that generates the containers
  #
  # container-spec must be a function which accepts two parameter (the
  # container name and image name) and ideally returns an oci-compliant
  # container.
  #
  # args:
  # containers: an AttrSet which specifies the imageUri and scale of each
  #   container
  # container-spec: a function which produces an oci-compliant container spec
  #
  # type:
  # AttrSet -> (String -> AttrSet -> AttrSet) -> AttrSet
  createTemplatedContainers =
    containers: container-spec:
    builtins.listToAttrs (
      lib.flatten (
        lib.mapAttrsToList (
          name: value:
          (map (
            num:
            let
              container-name = "${name}-${toString num}";
            in
            {
              name = container-name;
              value = container-spec container-name value.image;
            }
          ) (lib.lists.range 1 value.scale))
        ) containers
      )
    );
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -3,6 +3,7 @@
  # create rad-dev namespace for lib
  rad-dev = rec {
    systems = import ./systems.nix { inherit lib; };
    container-utils = import ./container-utils.nix { inherit lib; };
    # any(), but checks if any value in the list is true
    #
@@ -56,5 +57,21 @@
    # type:
    # fileList :: Path -> String -> [Path]
    fileList = dir: map (file: dir + "/${file}") (ls dir);
    # reduce an attribute set to a string
    #
    # example:
    # given attrset {host1 = "palatine-hill"; host2 = "jeeves";}
    # and func (host: hostname: host + " is " + hostname + ", " )
    # mapAttrsToString would return 'host1 is palatine-hill, host2 is jeeves, '
    #
    # args:
    # func: an function to apply to attrSet to turn each entry into one string
    # attrSet: an attribute set to reduce
    #
    # type:
    # mapAttrsToString :: AttrSet -> (String -> Any -> String) -> String
    mapAttrsToString =
      func: attrSet: (lib.foldl' (cur: next: cur + next) "" (lib.mapAttrsToList func attrSet));
  };
 }
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -15,7 +15,7 @@
  programs = {
    zsh.enable = true;
-    fish.enable = true;
+    fish.enable = false;
  };
  users = {
--- a/modules/boot.nix
+++ b/modules/boot.nix
@@ -35,7 +35,6 @@ in
  config.boot = lib.mkIf cfg.default {
    supportedFilesystems = [ cfg.filesystem ];
    tmp.useTmpfs = true;
    kernelPackages = pkgs.linuxPackages_6_10;
    kernelParams =
      [ "nordrand" ]
      ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
--- a/modules/docker.nix
+++ b/modules/docker.nix
@@ -7,8 +7,13 @@
      extraGroups = [ "docker" ];
      uid = 600;
    };
-    groups.docker-service = {
+    groups = {
-      gid = 600;
+      docker-service = {
        gid = 600;
      };
      haproxy = {
        gid = 99;
      };
    };
  };
--- a/modules/plocate.nix
+++ b/modules/plocate.nix
@@ -3,7 +3,7 @@
 {
  services.locate = {
    enable = lib.mkDefault true;
-    localuser = lib.mkDefault null;
+    # localuser = lib.mkDefault null;
    package = lib.mkDefault pkgs.plocate;
  };
 }
--- a/modules/update.nix
+++ b/modules/update.nix
@@ -1,19 +1,19 @@
 { lib, ... }:
 {
  services.autopull = {
-    enable = lib.mkDefault false;
+    enable = lib.mkDefault true;
    repo.dotfiles = {
-      enable = lib.mkDefault false;
+      enable = lib.mkDefault true;
-      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
+      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_giteadeploy";
      path = lib.mkDefault /root/dotfiles;
    };
  };
  system.autoUpgrade = {
-    enable = lib.mkDefault false;
+    enable = lib.mkDefault true;
    flags = [ "--accept-flake-config" ];
    randomizedDelaySec = "1h";
    persistent = true;
-    flake = "github:RAD-Development/nix-dotfiles";
+    flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
  };
 }
--- a/pkgs/lego-latest/default.nix
+++ b/pkgs/lego-latest/default.nix
@@ -0,0 +1,39 @@
 {
  lib,
  fetchFromGitHub,
  buildGoModule,
 }:
 buildGoModule rec {
  pname = "lego";
  version = "4.21.0";
  src = fetchFromGitHub {
    owner = "go-acme";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-3dSvQfkBNh8Bt10nv4xGplv4iY3gWvDu2EDN6UovSdc=";
  };
  vendorHash = "sha256-teA6fnKl4ATePOYL/zuemyiVy9jgsxikqmuQJwwA8wE=";
  doCheck = false;
  subPackages = [ "cmd/lego" ];
  ldflags = [
    "-s"
    "-w"
    "-X main.version=${version}"
  ];
  meta = with lib; {
    description = "Let's Encrypt client and ACME library written in Go";
    license = licenses.mit;
    homepage = "https://go-acme.github.io/lego/";
    maintainers = teams.acme.members;
    mainProgram = "lego";
  };
  #passthru.tests.lego = nixosTests.acme;
 }
--- a/shell.nix
+++ b/shell.nix
@@ -45,6 +45,10 @@ forEachSystem (
        treefmt
        statix
        nixfmt-rfc-style
        jsonfmt
        mdformat
        shfmt
        yamlfmt
      ];
    };
  in
--- a/statix.toml
+++ b/statix.toml
@@ -1,4 +1,4 @@
 disabled = ["empty_pattern"]
-nix_version = '2.23'
+nix_version = '2.25'
 ignore = ['.direnv']
--- a/systems/artemision/ao3_skins/happy_17th.css
+++ b/systems/artemision/ao3_skins/happy_17th.css
@@ -0,0 +1,438 @@
 #footer .group,
 .post fieldset fieldset,
 fieldset fieldset {
  background: none;
 }
 #header {
  background: #000 url('https://media.archiveofourown.org/news/milestones/2024-08-seventeen-years-otw/2024-08-seventeen-years-otw-pattern.jpg');
  background-size: 350px;
 }
 #header .heading a,
 #header .primary .dropdown a:focus,
 #header .heading a:visited,
 #main .pagination .current,
 h2 {
  color: #ffe8b4;
 }
 #header .clear,
 #footer {
  border-color: #191919;
 }
 #header .actions a[href="/menu/fandoms"],
 #header .actions a[href="/menu/browse"],
 #header .actions a[href="/menu/search"],
 #header .actions a[href="/menu/about"] {
  color: #fff;
 }
 #footer ul {
  background: url('https://live.staticflickr.com/7284/9616997915_4194b6c6f7_h.jpg');
  background-size: 350px;
 }
 #footer ul li:nth-child(1) ul,
 #footer ul li:nth-child(2) ul,
 #footer ul li:nth-child(3) ul,
 #footer ul li:nth-child(4) ul {
  background: rgba(0, 0, 0, 0.0);
 }
 #header .primary {
  background: #8a1a10;
 }
 #footer {
  background: #8a1a10;
 }
 input[type="text"],
 textarea,
 select {
  background: #222;
  color: #fff;
 }
 select:focus {
  background: #2a2a2a;
 }
 option {
  background: #555;
  color: #fff;
 }
 #work form fieldset.work.meta dl dd.warning.required fieldset,
 #main form fieldset.work.meta dl dd.warning.required fieldset {
  color: #fff;
 }
 #bookmark-form form {
  background: #2a2a2a;
  color: #fff;
 }
 #error {
  color: #191919;
 }
 fieldset,
 .verbose fieldset {
  border-color: #404040;
  background: #191919;
  border: 1px solid #595959;
 }
 .search [role=tooltip] {
  background: #333;
  border: 1px solid #666;
 }
 #main a:visited {
  color: #ccc;
 }
 #main a.tag:visited:hover {
  color: #111;
 }
 body,
 .group,
 .group .group,
 .region,
 .flash,
 form dl,
 #main .verbose legend,
 .notice,
 ul.notes,
 table,
 th,
 td:hover,
 tr:hover,
 .symbol .question:hover,
 #modal,
 .ui-sortable li,
 .required .autocomplete,
 .autocomplete .notice,
 .system .intro,
 .comment_error,
 .kudos_error,
 div.dynamic,
 .dynamic form,
 #ui-datepicker-div,
 .ui-datepicker table {
  background: #191919;
  color: #eee;
  border-color: #222;
  outline: #111;
  box-shadow: none;
 }
 #header .actions a:hover,
 #header .actions a:focus,
 #header .dropdown:hover a,
 #header .open a,
 #header .menu,
 #small_login,
 .group.listbox,
 fieldset fieldset.listbox,
 .listbox,
 form blockquote.userstuff,
 input:focus,
 textarea:focus,
 li.relationships a,
 .group.listbox .index,
 .dashboard fieldset fieldset.listbox .index,
 #dashboard a:hover,
 th,
 #dashboard .secondary,
 .secondary,
 .thread .even,
 .system .tweet_list li,
 .ui-datepicker tr:hover {
  background: #2A2A2A;
 }
 a,
 a.tag,
 a:link,
 #header a:visited,
 #header .primary .open a,
 #header .primary .dropdown:hover a,
 #header #search input:focus,
 #header #search input:hover,
 .userstuff h2,
 #dashboard a,
 #dashboard span,
 #dashboard .current,
 .group .heading,
 .filters dt a:hover {
  color: #fff;
 }
 #header .dropdown .menu a:hover,
 #header .dropdown .menu a:focus,
 .splash .favorite li:nth-of-type(odd) a,
 .ui-datepicker td:hover,
 #tos_prompt .heading,
 #tos_prompt [disabled] {
  background: #111;
  color: #ffe8b4;
 }
 #outer,
 .javascript,
 .statistics .index li:nth-of-type(even),
 #tos_prompt,
 .announcement input[type="submit"] {
  background: #191919;
 }
 #dashboard ul,
 dl.meta,
 .group.listbox,
 fieldset fieldset.listbox,
 #main li.blurb,
 form blockquote.userstuff,
 div.comment,
 li.comment,
 .toggled form,
 form dl dt,
 form.single fieldset,
 #inner .module .heading,
 .bookmark .status span,
 .splash .news li,
 .filters .group dt.bookmarker {
  border-color: #555;
 }
 .group.listbox,
 fieldset fieldset.listbox,
 #main li.blurb,
 .wrapper,
 #dashboard .secondary,
 .secondary,
 form blockquote.userstuff,
 .thread .comment,
 .toggled form {
  box-shadow: 1px 1px 3px #000;
 }
 #dashboard .current,
 .actions a:active,
 a.current,
 .current a:visited,
 span.unread,
 .replied,
 span.claimed,
 dl.index dd,
 .own,
 .draft,
 .draft .unread,
 .child,
 .unwrangled,
 .unreviewed,
 .ui-sortable li:hover {
  background: #000;
  border-color: #555;
  box-shadow: -1px -1px 3px #000;
 }
 input,
 textarea {
  box-shadow: inset 0 1px 2px #000;
 }
 li.blurb,
 .blurb .blurb,
 .listbox .index,
 fieldset fieldset.listbox,
 .dashboard .listbox .index {
  box-shadow: inset 1px 1px 3px #000;
 }
 #footer a:hover,
 #footer a:focus,
 .autocomplete .dropdown ul li:hover,
 .autocomplete .dropdown li.selected,
 a.tag:hover,
 .listbox .heading a.tag:visited:hover,
 .symbol .question {
  background: #ffedc5;
  border-color: #988352;
  color: #111;
 }
 #header #greeting img,
 #header .user a:hover,
 #header .user a:focus,
 #header fieldset,
 #header form,
 #header p,
 #dashboard a:hover,
 .actions a:hover,
 .actions input:hover,
 .delete a,
 span.delete,
 span.unread,
 .replied,
 span.claimed,
 .draggable,
 .droppable,
 span.requested,
 a.work,
 .blurb h4 a:link,
 .blurb h4 img,
 .splash .module h3,
 .splash .browse li a:before,
 .required,
 .error,
 .comment_error,
 .kudos_error,
 a.cloud7,
 a.cloud8,
 #tos_prompt .heading {
  color: #ffe8b4;
 }
 #greeting .icon,
 #dashboard,
 #dashboard.own,
 .error,
 .comment_error,
 .kudos_error,
 .LV_invalid,
 .LV_invalid_field,
 input.LV_invalid_field:hover,
 input.LV_invalid_field:active,
 textarea.LV_invalid_field:hover,
 textarea.LV_invalid_field:active,
 .qtip-content {
  border-color: #8a1a10;
 }
 .splash .favorite li:nth-of-type(odd) a:hover,
 .splash .favorite li:nth-of-type(odd) a:focus .splash .favorite li:nth-of-type(odd) a:visited:hover,
 .splash .favorite li:nth-of-type(odd) a:visited:focus {
  background: #ffe8b4;
  color: #111;
 }
 a:visited,
 .actions a:visited,
 .action a:link,
 .action a:visited,
 .listbox .heading a:visited,
 span.series .divider {
  color: #999;
 }
 .actions a,
 .actions a:link,
 .action,
 .action:link,
 .actions input,
 input[type="submit"],
 button,
 .current,
 .actions label,
 #header .actions a,
 #outer .current {
  background: #555;
  border-color: #222;
  color: #eee;
  box-shadow: inset 0 -8px 4px #232323, inset 0 8px 7px #555;
  text-shadow: none;
 }
 .actions a:hover,
 .actions input:hover,
 #dashboard a:hover,
 .actions a:focus,
 .actions input:focus,
 #dashboard a:focus,
 .actions .disabled select {
  color: #999;
  border-color: #000;
  box-shadow: inset 2px 2px 2px #000;
 }
 .actions a:active,
 .current,
 a.current,
 .current a:visited {
  color: #fff;
  background: #555;
  border-color: #fff;
  box-shadow: inset 1px 1px 3px #191919;
 }
 .delete a,
 span.delete {
  box-shadow: -1px -1px 2px rgba(255,255,255.25);
 }
 .actions label.disabled {
  background: #222;
  box-shadow: none;
 }
 ul.required-tags,
 .bookmark .status span,
 .blurb .icon {
  opacity: 0.9;
  border: 0;
 }
 #outer .group .heading,
 #header .actions a,
 fieldset.listbox .heading,
 .userstuff .heading {
  text-shadow: none;
  color: #fff;
  background: none;
 }
 #header .actions a,
 fieldset fieldset,
 .mce-container button,
 .filters .expander,
 .actions .disabled select {
  box-shadow: none;
 }
 fieldset fieldset.listbox {
  outline: none;
 }
 form dd.required {
  color: #eee;
 }
 .mce-container input:focus {
  background: #F3EFEC;
 }
 .announcement .userstuff a,
 .announcement .userstuff a:link,
 .announcement .userstuff a:visited:hover {
  color: #111;
 }
 .announcement .userstuff a:visited {
  color: #666;
 }
 .announcement .userstuff a:hover,
 .announcement .userstuff a:focus {
  color: #999;
 }
 .event.announcement .userstuff a,
 .filters .expander {
  color: #eee;
 }
--- a/systems/artemision/configuration.nix
+++ b/systems/artemision/configuration.nix
@@ -6,17 +6,18 @@
 }:
 {
  imports = [
    ./programs.nix
    ./desktop.nix
    ./wifi.nix
    ./zerotier.nix
    ./fonts.nix
    ./polkit.nix
    ./audio.nix
    ./desktop.nix
    ./fingerprint.nix
-    ./steam.nix
+    ./fonts.nix
    ./graphics.nix
    ./libvirt.nix
    ./polkit.nix
    ./programs.nix
    ./steam.nix
    ./stylix.nix
    ./wifi.nix
    ./zerotier.nix
  ];
  time.timeZone = "America/New_York";
@@ -31,7 +32,7 @@
  };
  boot = {
-    kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
+    #kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
    useSystemdBoot = true;
    default = true;
  };
@@ -44,6 +45,7 @@
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  services = {
    flatpak.enable = true;
    calibre-web = {
      enable = true;
      listen = {
@@ -73,17 +75,6 @@
    fprintd.enable = lib.mkForce false;
    openssh.enable = lib.mkForce false;
    spotifyd = {
      enable = true;
      settings = {
        global = {
          username = "snowinginwonderland@gmail.com";
          password_cmd = "cat ${config.sops.secrets."apps/spotify".path}";
          use_mpris = false;
        };
      };
      #systemd.services.spotifyd.serviceConfig = systemd.services.spotifyd.
    };
    rad-dev.yubikey = {
      enable = true;
      enable-desktop-app = true;
@@ -92,19 +83,22 @@
  users.users.alice.extraGroups = [ "calibre-web" ];
  system.autoUpgrade.enable = false;
  system.stateVersion = "24.05";
  programs.adb.enable = true;
  environment.variables = {
    "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
  };
  sops = {
    defaultSopsFile = ./secrets.yaml;
-    secrets = {
+    #secrets = {
-      "apps/spotify" = {
+    #  "apps/spotify" = {
-        group = "audio";
+    #    group = "audio";
-        restartUnits = [ "spotifyd.service" ];
+    #    restartUnits = [ "spotifyd.service" ];
-        mode = "0440";
+    #    mode = "0440";
-      };
+    #  };
-    };
+    #};
  };
 }
--- a/systems/artemision/default.nix
+++ b/systems/artemision/default.nix
@@ -7,6 +7,7 @@
  users = [ "alice" ];
  modules = [
    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
    inputs.stylix.nixosModules.stylix
    {
      environment.systemPackages = [
        inputs.wired-notify.packages.x86_64-linux.default
--- a/systems/artemision/desktop.nix
+++ b/systems/artemision/desktop.nix
@@ -7,7 +7,9 @@
    hyprland = {
      enable = true;
      xwayland.enable = true;
      withUWSM = true;
    };
    hyprlock.enable = true;
    gnupg.agent = {
      enable = true;
      #pinentryPackage = pkgs.pinentry-rofi;
@@ -54,6 +56,13 @@
    };
  };
  powerManagement = {
    enable = true;
    resumeCommands = ''
      ${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
    '';
  };
  environment.systemPackages = with pkgs; [
    libsForQt5.qt5.qtwayland
    qt6.qtwayland
--- a/systems/artemision/fonts.nix
+++ b/systems/artemision/fonts.nix
@@ -3,17 +3,13 @@
  fonts = {
    fontconfig.enable = true;
    enableDefaultPackages = true;
-    packages = with pkgs; [
+    packages = with pkgs.nerd-fonts; [
-      (nerdfonts.override {
+      fira-code
-        fonts = [
+      droid-sans-mono
-          "FiraCode"
+      hack
-          "DroidSansMono"
+      dejavu-sans-mono
-          "Hack"
+      noto
-          "DejaVuSansMono"
+      open-dyslexic
          "Noto"
          "OpenDyslexic"
        ];
      })
    ];
  };
 }
--- a/systems/artemision/hardware.nix
+++ b/systems/artemision/hardware.nix
@@ -86,7 +86,7 @@
    };
  };
-  swapDevices = [ { device = "/dev/disk/by-uuid/7f0dba0f-d04e-4c94-9fba-1d0811673df1"; } ];
+  swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
  boot.initrd.luks.devices = {
    "nixos-pv" = {
--- a/systems/artemision/programs.nix
+++ b/systems/artemision/programs.nix
@@ -3,6 +3,7 @@
  environment.systemPackages = with pkgs; [
    act
    alacritty
    attic-client
    amdgpu_top
    bat
    bitwarden-cli
@@ -12,12 +13,12 @@
    calibre
    # calibre dedrm?
    candy-icons
-    nemo-with-extensions
+    chromium
    chromedriver
    croc
    deadnix
    direnv
-    discord
+    easyeffects
    discord-canary
    eza
    fanficfare
    ferium
@@ -29,25 +30,29 @@
    glances
    gpu-viewer
    grim
    helvum
    htop
    hwloc
    ipmiview
    iperf3
-    ipscan
+    # ipscan
    jp2a
    jq
-    kdenlive
+    kdePackages.kdenlive
    kitty
    kubectl
    kubernetes-helm
    libreoffice-fresh
    libtool
    lsof
    lynis
    masterpdfeditor4
    minikube
    mons
    mpv
    # nbt explorer?
    ncdu
    nemo-with-extensions
    neofetch
    neovim
    nix-init
@@ -57,6 +62,7 @@
    nixpkgs-fmt
    nmap
    obs-studio
    obsidian
    ocrmypdf
    pciutils
    #disabled until wxpython compat with python3.12
@@ -64,12 +70,14 @@
    prismlauncher
    protonmail-bridge
    protontricks
    proxychains
    qrencode
    redshift
    restic
    ripgrep
    rpi-imager
    rofi-wayland
    samba
    signal-desktop
    # signal in tray?
    siji
@@ -89,18 +97,18 @@
    tig
    tokei
    tree
    unzip
    unipicker
    unzip
    uutils-coreutils-noprefix
    ventoy
    vesktop
    vscode
    watchman
    wget
    wl-clipboard
-    xboxdrv
+    yq
    yt-dlp
    zoom-us
    zoxide
    zoom
  ];
 }
--- a/systems/artemision/secrets.yaml
+++ b/systems/artemision/secrets.yaml
@@ -1,17 +1,17 @@
-hello: ENC[AES256_GCM,data:UJlsd5kvnhEv7eJeYwg+NHm9sgUAxYM5DoR0gDPLi9J7P+8FI8WPMkN1wEAHJA==,iv:NFSdZQ1OK4BT+EAGZz122NB7WrVCEzv4wwMxFIE/OKI=,tag:6YT7Vw8tFrw9iEFKxeKRFQ==,type:str]
+hello: ENC[AES256_GCM,data:BTCBuBxHFO8vwXU/bsAZryM5rXUOEi0brlvq6DtqfZbzxGz4LaW89VO75MERHQ==,iv:fwqI3arwtlZQ5DtvpVbh21ThuZP8zcqCHsmuJuCfCsY=,tag:tkkEO8/eEDCakdlT0NvajA==,type:str]
-example_key: ENC[AES256_GCM,data:KMXgMrqe7M101ZMJ2g==,iv:MJ3Iiu/0KIVhPFnqfovysqvPJAv1OsnxE4VIsuexFkE=,tag:X6KIKNGym8/9VglmG3SNRw==,type:str]
+example_key: ENC[AES256_GCM,data:xzsymSb4oD70twtoKQ==,iv:9vBmAKET2VIuDSq7AOyvdYWLGlL6cYHTWxy/Z5bB1+c=,tag:NbV4eA2aaY4cQAKUy3QOpw==,type:str]
-#ENC[AES256_GCM,data:QR3WNE/a1hZIXnTjFjK3kA==,iv:eXoZJ5rQaYqN7LjEp2M13OCMwuQ+80M5AXjV0uNc4C8=,tag:sCvL6pr9zAyWZziffVFMzg==,type:comment]
+#ENC[AES256_GCM,data:zeOCzRd/nFRhbANHxPyyjw==,iv:9MmHl3OyhJHVU+cUFJ4QitHd4SeDe3ctaky+yfvk8Zs=,tag:uPGRJtgQj1vIdLt2+w0krg==,type:comment]
 example_array:
-    - ENC[AES256_GCM,data:g8PulCLrXZYSEdZJELE=,iv:irGwciFn1zXBxFpGAJtD46EQLGUO5oqdCzRgv1204JE=,tag:2MuDdRYMjhtTY++lPuj1FQ==,type:str]
+    - ENC[AES256_GCM,data:Nwn96XJv8xZWRYv8qws=,iv:K30LBMC8e1vUS0XE+4EIYb3xUUyn6232YmhV2vI9Qnc=,tag:HRe3S88zwj/CjG6NTvjdRQ==,type:str]
-    - ENC[AES256_GCM,data:qv7GvmoOX8VSdaiW/90=,iv:6NOWeWqHUV9ciKPmZF4C7ijuIPFr3YZi3Dh7xWnb07k=,tag:VHXdBhWmEpb7uavCPqGZ4w==,type:str]
+    - ENC[AES256_GCM,data:l2nuwoAbwaDFHpEWV1Y=,iv:7/2rTd8agUvx73eftpOgidV4XjDUv/JppLIIsiuycnU=,tag:Ohi4JULWDNXJPWZaeXHEdw==,type:str]
-example_number: ENC[AES256_GCM,data:g8BIEIcwKRLSbw==,iv:Ay4aiukAvXeDhzlpMPn++zR0Tt2lMqCx362uN37S+ac=,tag:NTtNaIu5u8YsIm0M4OgL0A==,type:float]
+example_number: ENC[AES256_GCM,data:toi1e/biUd2Tng==,iv:MPCfhhX9DDaOSzx/L5LTf2VYffin8XvxVyhNDqZLsec=,tag:tE/lml3afP/NjRtpPraoRQ==,type:float]
 example_booleans:
-    - ENC[AES256_GCM,data:94T9mg==,iv:qKGJke4SGhgN09Yebh5MPrRBDNnguJQ+1dl5XQffGZQ=,tag:0Pa3eujmSxDCnAHKHsx6yQ==,type:bool]
+    - ENC[AES256_GCM,data:02CVNA==,iv:L9GmIm9ynm2cWTyd3iYo4fgIeneUyFpEzzzxicM/YNI=,tag:k2EIboiL+c4W1H2OpA2Rqw==,type:bool]
-    - ENC[AES256_GCM,data:gEvfi+Q=,iv:0DrXoZk8OkdUShc7WAKOL8xG26RFZp3M3qYFAb1hDAs=,tag:uemBrdF87nrfLpfnQ8bD8g==,type:bool]
+    - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
 apps:
-    spotify: ENC[AES256_GCM,data:bp1pdOfS+VGWLtepUjg7KFWw8Fk=,iv:twGO3CjzRxAU81C93mX8qIEZ/FYIQRJnMd2HIuvP9q8=,tag:AJgs0QGFH30E8+ZpaB02TQ==,type:str]
+    spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
-wifi-env: ENC[AES256_GCM,data:6+fHf25fx/PuutOXhMZqx2JVVSDTW7fQU8XOCc2vyUpg7HiRpOKFu5PIZoJQexvJoBNNciiQkju17+xuxnQ48dsRgsdS+wfH86Af55MfqDjG1el/htEOER9f9sTpMwGjIKD1zalkMp7oX17UlIqiCQg7HfcZFb8T4eHzu9w48umiC3WpwlKLykF5W600gYbXx1E1FjwgCwxJ1zRmBTXoz6WHvQ==,iv:DmUyn3/Q7jwqHrK7wSCqIRO1jJsOHNbmG6a/l1YdMmQ=,tag:S3CtTdFyn2Lg5nGlHVU66g==,type:str]
+wifi-env: ENC[AES256_GCM,data:G+z+fURk4rT61I5BiFzEJJt35jywPNrGpn1QGNhjvxrqPQ/Sq/hIHmQo+bqe9yJeDgMX3RY4EaiZxFTJyxPfW1czjuMSj3vbTp0WcDmGvUJ7li2pX2pzolgly4qmgoOluGBeRZWVLLOZYFB2+kLRMJNNz/bP5k2Eq6O4+l4sljPM+abn9iz9Eh46rVOVRkmDzCltJrYiuBSiSPhTDRTP2+gUbgbaUJTkVrVLUBHg3QU6az6VPN8DPZxbx4LtdaIb93pI,iv:uUfJK/iPdyLP7LqZJolTGGTxaEzlJI59bUVNcB1etkU=,tag:tvXSXSW1MIhLJceEK1afuw==,type:str]
-#ENC[AES256_GCM,data:pC2Kdy7wNc0=,iv:J7Ggfv6K3dCzL42j5MGd+BjQGseoAoYs4k6+yc3FSiA=,tag:9MriduP9SEIi+c1q4tfzlQ==,type:comment]
+#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
 sops:
    kms: []
    gcp_kms: []
@@ -21,26 +21,26 @@ sops:
        - recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZC9aczBZekVGMVRBYlFV
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbElNRkxyZ2VjaitiTWx2
-            MUpDZFFPRTIzL1hpR25vd2pjZzJnRE12TkhRCjdiV3VxVnJpL2l2OU1rNVE3K2kv
+            eThsY0h3a2NCZDloWG0rU1ZwVnhOY2VJTXlFCnp3UzNDR216L2R4cVdyWjFqbkRr
-            akF1UFNtdDFYdUNIMjVwWitOUDJ1UUEKLS0tIFJkSGU1MC90ZlM0TXJOeWlWTnJT
+            cFJGQjQ4Qk9zblYyckVFY3VNekNuajQKLS0tIEdRWldHMjlpTElxQWFVUlh4L1lz
-            RFVEMjg4bjd4SUF2SjVWZVNDWlpiR1EKmWM9G8/vb1+GX4zGiIj/So4apfi3wzyp
+            d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
-            yGi0T3fen3jzfU38xFZ25Tn0pDTQaSG7PkVKQn9YBJ4pGb9JDPfTjw==
+            D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-20T13:52:31Z"
+    lastmodified: "2024-11-28T18:57:09Z"
-    mac: ENC[AES256_GCM,data:IT/GEdJtQHSjzVRdIBIRq1y0Lby4k6gGVDfeg3/bjdDNWkPCnGOc5Uerz3TJ95M3oKMgFiQW2Sa4m/8QX9qhtVfH7gleMhJbzkz1DGKozoCxqWX71BBfiwcAuLG1fzDwfpT4DcRK1ppfC/9kMZ3g7r9Ug6EceXUKXP3uaUgfNjg=,iv:WpEhLffmICyR7bbe0cnT9fjqyL59gVxumz/lsE3oBfU=,tag:k0GSSZeQC9bJ1TWRwhaGQA==,type:str]
+    mac: ENC[AES256_GCM,data:hKhAo7rDplLm19PlrKHQwxnDVXCMU/xpAxPALLDBa0M3yypy2QVD6c6Atn897tYRKf7oeLaUKqnUYdCcZ9gVgm37LS+GtRhf66zfvcKqhZF8wh3M0zTDPYpQDhex0N4BAJ/dcaYIbxqE9pEUxJOI5jip/hptaCJItTEe7oARcF4=,iv:EUayxLaOPcnWX+S9+RlHrxzJRLlSSLIwqbAq3fFI4yg=,tag:LiBsqIodTWamO+c8FqGBag==,type:str]
    pgp:
-        - created_at: "2024-09-05T06:10:45Z"
+        - created_at: "2024-11-28T18:57:09Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DQWNzDMjrP2ISAQdAVPGTjbrJcO6UTQ9bYOqiVqJMehxGkfNMtgnQQL36mQsw
+            hF4DQWNzDMjrP2ISAQdALiZMzuQViM23hoFebCXYfQUIvCluWqAEeSJyE/LRHG8w
-            CznpGVos/aNWRKmt0nkfjHuI0y71foFWt7BB/acKspE5YUu831wgrRbB8TyN69DK
+            nQnIVPRIbzLzWfCf+48EW6f7zonHmNY7D9F9KohDmCTcJ5/WvXsJKjebuohR62TF
-            1GgBCQIQjanvxCPgcaSWLqw2oXXPzTJ1PRJc2UA4kayYIzvOUP9QBoEruDki0GVi
+            1GYBCQIQq7nEvwSfn+l5AevKIiodA4BLfM326JSx5hJ6XdrE0MzZo1uoMwKKuxig
-            5n+ZiGGtvx7bihZ1WeJiHcOArPr3xrrrPv6nuAxP05HbSRYhaAU79eOTT1p7MtSO
+            mPbDP8Rx51v9f+9DzjBg6kQD5w411HADL8th+wSkpmasP8ozIeiNiIKzzoJc/fD6
-            A0BHgVYuL00FHg==
+            AOsExCUt8FU=
-            =Luz2
+            =wRT+
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1
--- a/systems/artemision/steam.nix
+++ b/systems/artemision/steam.nix
@@ -4,7 +4,10 @@
  environment.systemPackages = [ pkgs.steam-run ];
  hardware.steam-hardware.enable = true;
  programs = {
-    gamescope.enable = true;
+    gamescope = {
      enable = true;
      capSysNice = true;
    };
    steam = {
      enable = true;
      remotePlay.openFirewall = true;
--- a/systems/artemision/stylix.nix
+++ b/systems/artemision/stylix.nix
@@ -0,0 +1,16 @@
 { pkgs, ... }:
 # let
 # randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
 #   numWallpapers =
 #   $((1 + $RANDOM % 10))
 # in
 {
  stylix = {
    enable = true;
    image = "${pkgs.hyprland}/share/hypr/wall2.png";
    #image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
    polarity = "dark";
  };
 }
--- a/systems/artemision/wifi.nix
+++ b/systems/artemision/wifi.nix
@@ -23,6 +23,7 @@ in
      "5HuFios".pskRaw = "ext:PASS_longboat_home";
      "24HuFios".pskRaw = "ext:PASS_longboat_home";
      "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
      "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
      "optimumwifi" = { };
      "CableWiFi" = { };
      "JPMCVisitor" = { };
--- a/systems/palatine-hill/acme.nix
+++ b/systems/palatine-hill/acme.nix
@@ -0,0 +1,43 @@
 {
  config,
  lib,
  pkgs,
  outputs,
  ...
 }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "aliceghuston@gmail.com";
    certs."nayeonie.com" = {
      dnsProvider = "dnsimple";
      environmentFile = config.sops.secrets."acme/dnsimple".path;
      dnsPropagationCheck = false;
      group = "haproxy";
      extraDomainNames = [
        "*.nayeonie.com"
        # "alicehuston.xyz"
        # "*.alicehuston.xyz"
      ];
    };
  };
  systemd.services."acme-nayeonie.com.service".path = lib.mkForce (
    with pkgs;
    [
      coreutils
      diffutils
      openssl
    ]
    ++ [
      outputs.packages.x86_64-linux.lego-latest
    ]
  );
  sops.secrets = {
    "acme/dnsimple" = {
      owner = "root";
    };
  };
 }
--- a/systems/palatine-hill/attic/default.nix
+++ b/systems/palatine-hill/attic/default.nix
@@ -8,34 +8,18 @@
 {
  environment.systemPackages = with pkgs; [
    attic-client
    attic
  ];
  services = {
    postgresql = {
      enable = true;
      ensureDatabases = [ "atticd" ];
      ensureUsers = [
        {
          name = "atticd";
          ensureDBOwnership = true;
        }
      ];
      upgrade = {
        enable = true;
        stopServices = [ "atticd" ];
      };
    };
    atticd = {
      enable = true;
-      credentialsFile = config.sops.secrets."attic/secret-key".path;
+      environmentFile = config.sops.secrets."attic/secret-key".path;
      settings = {
        listen = "[::]:8183";
-        allowed-hosts = [ "attic.alicehuston.xyz" ];
+        allowed-hosts = [ "attic.nayeonie.com" ];
-        api-endpoint = "https://attic.alicehuston.xyz";
+        api-endpoint = "https://attic.nayeonie.com/";
        compression.type = "none"; # let ZFS do the compressing
        database = {
          url = "postgres://atticd?host=/run/postgresql";
@@ -48,7 +32,7 @@
          type = "s3";
          region = "us-east-1";
          bucket = "cache-nix-dot";
-          endpoint = "https://minio.alicehuston.xyz";
+          endpoint = "https://minio.nayeonie.com";
        };
        # Warning: If you change any of the values here, it will be
@@ -78,58 +62,58 @@
  # borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix
  # configured default webstore for this on root user separately
-  systemd = {
+  # systemd = {
-    services = {
+  #   services = {
-      attic-watch-store = {
+  #     attic-watch-store = {
-        wantedBy = [ "multi-user.target" ];
+  #       wantedBy = [ "multi-user.target" ];
-        after = [
+  #       after = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        requires = [
+  #       requires = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        description = "Upload all store content to binary cache";
+  #       description = "Upload all store content to binary cache";
-        serviceConfig = {
+  #       serviceConfig = {
-          User = "root";
+  #         User = "root";
-          Restart = "always";
+  #         Restart = "always";
-          ExecStart = "${pkgs.attic}/bin/attic watch-store cache-nix-dot";
+  #         ExecStart = "${pkgs.attic-client}/bin/attic watch-store cache-nix-dot";
-        };
+  #       };
-      };
+  #     };
-      attic-sync-hydra = {
+  #     attic-sync-hydra = {
-        after = [
+  #       after = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        requires = [
+  #       requires = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        description = "Force resync of hydra derivations with attic";
+  #       description = "Force resync of hydra derivations with attic";
-        serviceConfig = {
+  #       serviceConfig = {
-          Type = "oneshot";
+  #         Type = "oneshot";
-          User = "root";
+  #         User = "root";
-          ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
+  #         ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
-    timers = {
+  #   timers = {
-      attic-sync-hydra = {
+  #     attic-sync-hydra = {
-        wantedBy = [ "timers.target" ];
+  #       wantedBy = [ "timers.target" ];
-        timerConfig = {
+  #       timerConfig = {
-          OnBootSec = 600;
+  #         OnBootSec = 600;
-          OnUnitActiveSec = 86400;
+  #         OnUnitActiveSec = 86400;
-          Unit = "attic-sync-hydra.service";
+  #         Unit = "attic-sync-hydra.service";
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
-  };
+  # };
  sops = {
    secrets = {
--- a/systems/palatine-hill/attic/sync-attic.bash
+++ b/systems/palatine-hill/attic/sync-attic.bash
@@ -2,9 +2,9 @@
 #! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
 sync_directories=(
-    /ZFS/ZFS-primary/hydra
+  /ZFS/ZFS-primary/hydra
 )
 for dir in "${sync_directories[@]}"; do
-    find "$dir"  -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
+  find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
 done
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@@ -6,14 +6,19 @@
 }:
 {
  imports = [
    ./acme.nix
    ./attic
-    ./docker.nix
+    ./docker
    ./gitea.nix
    ./firewall.nix
    ./haproxy
    ./hardware-changes.nix
    ./hydra.nix
    ./minio.nix
    ./networking.nix
    ./nextcloud.nix
    ./samba.nix
    ./postgresql.nix
    ./zfs.nix
  ];
@@ -53,10 +58,14 @@
  };
  environment.systemPackages = with pkgs; [
    chromedriver
    chromium
    docker-compose
    intel-gpu-tools
    jellyfin-ffmpeg
    jq
    yt-dlp
    yq
  ];
  services = {
@@ -64,32 +73,8 @@
    nfs.server.enable = true;
    openssh.ports = [ 666 ];
    smartd.enable = true;
    calibre-server.enable = false;
    postgresql = {
      enable = true;
      enableJIT = true;
      identMap = ''
        # ArbitraryMapName systemUser DBUser
           superuser_map      root      postgres
           superuser_map      alice  postgres
           # Let other names login as themselves
           superuser_map      /^(.*)$   \1
      '';
      # initialScript = config.sops.secrets."postgres/init".path;
      upgrade = {
        enable = true;
        stopServices = [
          "hydra-evaluator"
          "hydra-init"
          "hydra-notify"
          "hydra-queue-runner"
          "hydra-send-stats"
          "hydra-server"
        ];
      };
    };
  };
  nix.gc.options = "--delete-older-than 150d";
--- a/systems/palatine-hill/default.nix
+++ b/systems/palatine-hill/default.nix
@@ -1,5 +1,7 @@
 { inputs, ... }:
 {
  users = [ "alice" ];
-  modules = [ inputs.attic.nixosModules.atticd ];
+  modules = [
    # inputs.attic.nixosModules.atticd
  ];
 }
--- a/systems/palatine-hill/docker.nix
+++ b/systems/palatine-hill/docker.nix
@@ -1,5 +0,0 @@
 { ... }:
 {
  virtualisation.docker.daemon.settings.data-root = "/var/lib/docker2";
 }
--- a/systems/palatine-hill/docker/act-runner.nix
+++ b/systems/palatine-hill/docker/act-runner.nix
@@ -0,0 +1,114 @@
 {
  config,
  ...
 }:
 let
  vars = import ../vars.nix;
  act_path = vars.primary_act;
 in
 {
  virtualisation.oci-containers.containers = {
    act-stable-latest-main = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      ports = [ "8088:8088" ];
      volumes = [
        "${act_path}/stable-latest-main/config.yaml:/config.yaml"
        "${act_path}/stable-latest-main/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
        "/nix:/nix"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-main";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
    act-stable-latest-1 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      volumes = [
        "${act_path}/stable-latest-1/config.yaml:/config.yaml"
        "${act_path}/stable-latest-1/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
        "/nix:/nix"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-1";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
    act-stable-latest-2 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      volumes = [
        "${act_path}/stable-latest-2/config.yaml:/config.yaml"
        "${act_path}/stable-latest-2/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
        "/nix:/nix"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-2";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
  };
  systemd = {
    timers."custom-watchtower@act-runner" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "20m";
        OnUnitActiveSec = "5m";
        Unit = "custom-watchtower@act-runner.service";
      };
    };
    services."custom-watchtower@act-runner" = {
      bindsTo = [ "docker.service" ];
      after = [ "docker.service" ];
      description = "a watchtower-esque script for systemd-based oci-containers";
      serviceConfig = {
        Type = "oneshot";
        User = "root";
        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'act-runner'";
      };
    };
  };
  sops.secrets = {
    "docker/act-runner" = {
      owner = "root";
      restartUnits = [
        "docker-act-stable-latest-main.service"
        "docker-act-stable-latest-1.service"
        "docker-act-stable-latest-2.service"
      ];
    };
  };
 }
--- a/systems/palatine-hill/docker/archiveteam.nix
+++ b/systems/palatine-hill/docker/archiveteam.nix
@@ -0,0 +1,152 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  containers = {
    archiveteam-imgur = {
      image = "imgur-grab";
      scale = 1;
    };
    archiveteam-telegram = {
      image = "telegram-grab";
      scale = 3;
    };
    archiveteam-reddit = {
      image = "reddit-grab";
      scale = 0;
    };
    archiveteam-dpreview = {
      image = "dpreview-grab";
      scale = 0;
    };
    archiveteam-issuu = {
      image = "issuu-grab";
      scale = 0;
    };
    archiveteam-urls = {
      image = "urls-grab";
      scale = 2;
    };
    archiveteam-urlteam = {
      image = "terroroftinytown-client-grab";
      scale = 2;
    };
    archiveteam-mediafire = {
      image = "mediafire-grab";
      scale = 1;
    };
    archiveteam-github = {
      image = "github-grab";
      scale = 1;
    };
    archiveteam-lineblog = {
      image = "lineblog-grab";
      scale = 0;
    };
    archiveteam-banciyuan = {
      image = "banciyuan-grab";
      scale = 0;
    };
    archiveteam-wysp = {
      image = "wysp-grab";
      scale = 0;
    };
    archiveteam-xuite = {
      image = "xuite-grab";
      scale = 0;
    };
    archiveteam-gfycat = {
      image = "gfycat-grab";
      scale = 0;
    };
    archiveteam-skyblog = {
      image = "skyblog-grab";
      scale = 0;
    };
    archiveteam-zowa = {
      image = "zowa-grab";
      scale = 0;
    };
    archiveteam-blogger = {
      image = "blogger-grab";
      scale = 1;
    };
    archiveteam-vbox7 = {
      image = "vbox7-grab";
      scale = 0;
    };
    archiveteam-pastebin = {
      image = "pastebin-grab";
      scale = 1;
    };
    archiveteam-youtube = {
      image = "youtube-grab";
      scale = 0;
    };
    archiveteam-deviantart = {
      image = "deviantart-grab";
      scale = 0;
    };
    archiveteam-postnews = {
      image = "postnews-grab";
      scale = 0;
    };
    archiveteam-askfm = {
      image = "askfm-grab";
      scale = 1;
    };
    archiveteam-mangz = {
      image = "mangaz-grab";
      scale = 1;
    };
    archiveteam-cohost = {
      image = "cohost-grab";
      scale = 1;
    };
  };
  container-spec = container-name: container: {
    image = "atdr.meo.ws/archiveteam/${container}:latest";
    extraOptions = [
      "--stop-signal=SIGINT"
    ];
    labels = {
      "com.centurylinklabs.watchtower.enable" = "true";
      "com.centurylinklabs.watchtower.scope" = "archiveteam";
    };
    volumes = [ "${at_path}/${container-name}:/grab/data" ];
    log-driver = "local";
    cmd = lib.splitString " " "--concurrent 6 AmAnd0";
  };
  inherit (lib.rad-dev.container-utils) createTemplatedContainers;
  vars = import ../vars.nix;
  at_path = vars.primary_archiveteam;
 in
 {
  virtualisation.oci-containers.containers = createTemplatedContainers containers container-spec;
  systemd = {
    timers."custom-watchtower@archiveteam" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "20m";
        OnUnitActiveSec = "5m";
        Unit = "custom-watchtower@archiveteam.service";
      };
    };
    services."custom-watchtower@archiveteam" = {
      bindsTo = [ "docker.service" ];
      after = [ "docker.service" ];
      description = "a watchtower-esque script for systemd-based oci-containers";
      serviceConfig = {
        Type = "oneshot";
        User = "root";
        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'archiveteam'";
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/books.nix
+++ b/systems/palatine-hill/docker/books.nix
@@ -0,0 +1,32 @@
 { ... }:
 let
  vars = import ../vars.nix;
  docker_path = vars.primary_docker;
  calibre_path = vars.primary_calibre;
 in
 {
  virtualisation.oci-containers.containers = {
    automated-ffdl-alice = {
      image = "mrtyton/automated-ffdl:latest";
      user = "600:100";
      extraOptions = [ "--restart=unless-stopped" ];
      environment = {
        PUID = "600";
        PGID = "100";
      };
      volumes = [
        "${docker_path}/auto-fic/config:/config"
        "${calibre_path}/ffdl-alice:/var/lib/calibre-server"
      ];
    };
  };
  services.autopull = {
    enable = true;
    repo.FanFicFare-alice = {
      enable = true;
      path = /ZFS/ZFS-primary/calibre/ffdl-alice/config/FanFicFare;
    };
  };
 }
--- a/systems/palatine-hill/docker/default.nix
+++ b/systems/palatine-hill/docker/default.nix
@@ -0,0 +1,79 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./act-runner.nix
    # temp disable archiveteam for tiktok archiving
    #./archiveteam.nix
    # ./books.nix
    #./firefly.nix
    #./foundry.nix
    ./glances.nix
    # ./haproxy.nix
    ./minecraft.nix
    ./nextcloud.nix
    # ./postgres.nix
    # ./restic.nix
    ./torr.nix
    # ./unifi.nix
  ];
  virtualisation.oci-containers.backend = "docker";
  virtualisation.docker.daemon.settings = {
    data-root = "/var/lib/docker2";
    bip = "169.254.253.254/23";
    fixed-cidr = "169.254.252.0/23";
    default-address-pools = [
      {
        base = "169.254.2.0/23";
        size = 28;
      }
      {
        base = "169.254.4.0/22";
        size = 28;
      }
      {
        base = "169.254.8.0/21";
        size = 28;
      }
      {
        base = "169.254.16.0/20";
        size = 28;
      }
      {
        base = "169.254.32.0/19";
        size = 28;
      }
      {
        base = "169.254.64.0/18";
        size = 28;
      }
      {
        base = "169.254.128.0/18";
        size = 28;
      }
      {
        base = "169.254.192.0/19";
        size = 28;
      }
      {
        base = "169.254.224.0/20";
        size = 28;
      }
      {
        base = "169.254.240.0/21";
        size = 28;
      }
      {
        base = "169.254.248.0/22";
        size = 28;
      }
    ];
    mtu = 9000;
  };
 }
--- a/systems/palatine-hill/docker/firefly.nix
+++ b/systems/palatine-hill/docker/firefly.nix
@@ -0,0 +1,25 @@
 { ... }:
 let
  vars = import ../vars.nix;
  ffiii_path = "${vars.primary_docker}/firefly-iii";
 in
 {
  virtualisation.oci-containers.containers = {
    firefly = {
      image = "fireflyiii/core:latest";
      extraOptions = [
        "--network=firefly-iii_default"
        "--network=postgres-net"
      ];
      environmentFiles = [ "${ffiii_path}/.env" ];
      ports = [ "4188:8080" ];
      volumes = [ "${ffiii_path}/app/upload:/var/www/html/storage/upload" ];
    };
    fidi = {
      image = "fireflyiii/data-importer:latest";
      environmentFiles = [ "${ffiii_path}/.fidi.env" ];
      ports = [ "4187:8080" ];
      dependsOn = [ "firefly" ];
    };
  };
 }
--- a/systems/palatine-hill/docker/foundry.nix
+++ b/systems/palatine-hill/docker/foundry.nix
@@ -0,0 +1,28 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  fvtt_path = "${vars.primary_games}/foundryvtt";
 in
 {
  virtualisation.oci-containers.containers = {
    foundryvtt = {
      image = "felddy/foundryvtt:11";
      hostname = "foundryvtt";
      environment = {
        #CONTAINER_PRESERVE_CONFIG= "true";
        TIMEZONE = "America/New_York";
        FOUNDRY_MINIFY_STATIC_FILES = "true";
      };
      environmentFiles = [ config.sops.secrets."docker/foundry".path ];
      volumes = [ "${fvtt_path}:/data" ];
      extraOptions = [
        "--network=haproxy-net"
      ];
    };
  };
  sops.secrets."docker/foundry" = {
    owner = "docker-service";
    restartUnits = [ "docker-foundryvtt.service" ];
  };
 }
--- a/systems/palatine-hill/docker/glances.nix
+++ b/systems/palatine-hill/docker/glances.nix
@@ -0,0 +1,24 @@
 { ... }:
 let
  vars = import ../vars.nix;
  glances_path = "${vars.primary_docker}/glances";
 in
 {
  virtualisation.oci-containers.containers = {
    glances = {
      image = "nicolargo/glances:latest-full";
      extraOptions = [
        "--pid=host"
        "--network=haproxy-net"
      ];
      volumes = [
        "/var/run/docker.sock:/var/run/docker.sock"
        "${glances_path}/glances.conf:/glances/conf/glances.conf"
      ];
      environment = {
        GLANCES_OPT = "-C /glances/conf/glances.conf -w";
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/haproxy.cfg
+++ b/systems/palatine-hill/docker/haproxy.cfg
@@ -0,0 +1,207 @@
 global
 #  stats socket /var/run/api.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
 # log stdout format raw local0 info
  log stdout format raw local0
  crt-base /etc/ssl/certs/
  maxconn 120000
 defaults
  log global
  mode http
  timeout client 2000m
  timeout connect 200s
  timeout server 2000m
  timeout http-request 2000m
 frontend stats # you can call this whatever you want
  mode http
  bind *:9000       # default port, but you can pick any port
  stats enable      # turns on stats module
  stats refresh 10s # set auto-refresh rate
 #Application Setup
 frontend ContentSwitching
  bind *:80
 # bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
  bind *:443 ssl crt /etc/ssl/certs/origin_ca_ecc_root_new.pem crt /var/lib/acme/nayeonie.com/full.pem strict-sni
  mode  http
  option httplog
  # max-age is mandatory 
  # 16000000 seconds is a bit more than 6 months
  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
  # Front-end acess control list
  http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
  # Front-end acess control list
  acl host_www hdr(host) -i www.alicehuston.xyz
  acl host_www hdr(host) -i alicehuston.xyz
 #  acl host_ldapui hdr(host) -i authui.alicehuston.xyz
  acl host_glances hdr(host) -i monit.alicehuston.xyz
  acl host_glances hdr(host) -i glances.alicehuston.xyz
  # acl host_foundry hdr(host) -i dnd.alicehuston.xyz
 #  acl host_netdata hdr(host) -i netdata.alicehuston.xyz
  #acl host_terraria hdr(host) -i terraria.alicehuston.xyz
  acl host_nextcloud hdr(host) -i nextcloud.alicehuston.xyz
  acl host_nextcloud hdr(host) -i nayeonie.com
  acl host_hydra hdr(host) -i hydra.alicehuston.xyz
  acl host_attic hdr(host) -i attic.alicehuston.xyz
  acl host_minio hdr(host) -i minio.alicehuston.xyz
  acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
  acl host_attic hdr(host) -i attic.nayeonie.com
  acl host_minio hdr(host) -i minio.nayeonie.com
  acl host_minio_console hdr(host) -i minio-console.nayeonie.com
  #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
 #  acl host_collabora hdr(host) -i collabora.alicehuston.xyz
  acl host_prometheus hdr(host) -i prom.alicehuston.xyz
  acl host_gitea hdr(host) -i git.alicehuston.xyz
  acl host_gitea hdr(host) -i nayeonie.com
  # Backend-forwarding
  use_backend www_nodes if host_www
 #  use_backend ldapui_nodes if host_ldapui
  use_backend glances_nodes if host_glances
  use_backend foundry_nodes if host_foundry
 #  use_backend netdata_nodes if host_netdata
 # use_backend terraria_nodes if host_terraria
  use_backend nextcloud_nodes if host_nextcloud
  use_backend hydra_nodes if host_hydra
  use_backend attic_nodes if host_attic
  #use_backend nextcloud_vol_nodes if host_nextcloud_vol
 #  use_backend collabora_nodes if host_collabora
  use_backend prometheus_nodes if host_prometheus
  use_backend minio_nodes if host_minio
  use_backend minio_console_nodes if host_minio_console
  use_backend gitea_nodes if host_gitea
 #frontend ldap
 #  bind *:389
 #  bind *:636 ssl crt /etc/ssl/certs/cloudflare.pem
 #  mode tcp
 #  option tcplog
 #  acl host_ldap hdr(host) -i auth.alicehuston.xyz
 #  use_backend ldap_nodes if host_ldap
 backend nextcloud_nodes
  mode http
  server server nextcloud:80
  acl url_discovery path /.well-known/caldav /.well-known/carddav
  http-request redirect location /remote.php/dav/ code 301 if url_discovery
  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
 #backend nextcloud_nodes
 #  mode http
 #  server nxserver nextcloud:80
 #  acl url_discovery path /.well-known/caldav /.well-known/carddav
 #  http-request redirect location /remote.php/dav/ code 301 if url_discovery
 #  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
 #backend nextcloud_vol_nodes
 #  mode http
 #  server server nextcloud-vol:80
 #  acl url_discovery path /.well-known/caldav /.well-known/carddav
 #  http-request redirect location /remote.php/dav/ code 301 if url_discovery
 #  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
 #  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
 #  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
 #  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
 #  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
 #  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
 #  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
 #backend terraria_nodes
 #  mode http
 #  server server terraria:6526
 #backend collabora_nodes
 #  mode http
 #  server server collabora:9980
 backend www_nodes
  mode http
  server server grafana:3000
 backend minio_nodes
  mode http
  server server 192.168.76.2:8500
 #  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
 #  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
 #  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
 #  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
 #  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
 #  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
 #  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
 backend minio_console_nodes
  mode http
  server server 192.168.76.2:8501
 # backend foundry_nodes
 #   timeout tunnel 50s
 #   mode http
 #   server server foundryvtt:30000
 #backend ldap_nodes
 #  mode tcp
 #  balance roundrobin
 #  option ldap-check
 #  server ldap1 192.168.76.2:1636 ssl ca-file /etc/ssl/certs/origin_ca_rsa_root.pem
 #
 #backend ldapui_nodes
 #  mode http
 #  server server 192.168.76.2:18081
 backend glances_nodes
  mode http
  server server glances:61208
 backend hydra_nodes
  mode http
  server server 192.168.76.2:3000
 backend attic_nodes
  mode http
  server server 192.168.76.2:8183
 backend prometheus_nodes
  mode http
  server server 192.168.76.2:9001
 backend gitea_nodes
  mode http
  server server 192.168.76.2:6443
 #backend netdata_nodes
 #  mode http
 #  server server 192.168.76.2:19999
 # backend dnd_nodes
 #   mode http
 #   server server foundry:30000
 #   acl host_www hdr(host) -i www.tmmworkshop.com
 frontend giteassh
  mode tcp
  bind :2222
  default_backend giteassh_nodes
 backend giteassh_nodes
   mode tcp
   server s1 192.168.76.2:2223
 frontend minecraft
  mode tcp
  bind :25565
  default_backend router_nodes
 backend router_nodes
   mode tcp
   server s1 mc-router:25565
--- a/systems/palatine-hill/docker/haproxy.nix
+++ b/systems/palatine-hill/docker/haproxy.nix
@@ -0,0 +1,33 @@
 { ... }:
 {
  virtualisation.oci-containers.containers = {
    haproxy = {
      image = "haproxy:latest";
      extraOptions = [
        "--restart=always"
        "--network=haproxy-net"
      ];
      volumes = [
        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg:ro"
        "/ZFS/ZFS-primary/docker/haproxy/certs:/etc/ssl/certs:ro"
      ];
      ports = [
        "80:80"
        "443:443"
        "25565:25565"
      ];
      environment = {
        PUID = "600";
        PGID = "600";
      };
      dependsOn = [
        "nextcloud"
        "grafana"
        "foundryvtt"
        "glances"
        "mc-router"
      ];
    };
  };
 }
--- a/systems/palatine-hill/docker/minecraft.nix
+++ b/systems/palatine-hill/docker/minecraft.nix
@@ -0,0 +1,96 @@
 { config, lib, ... }:
 let
  servers = {
    atm6 = "atm6.alicehuston.xyz";
    stoneblock3 = "sb3.alicehuston.xyz";
    RAD2 = "rad.alicehuston.xyz";
    skyfactory = "sf.alicehuston.xyz";
    divinejourney = "dj.alicehuston.xyz";
    rlcraft = "rlcraft.alicehuston.xyz";
    arcanum-institute = "arcanum.alicehuston.xyz";
    bcg-plus = "bcg.alicehuston.xyz";
  };
  defaultServer = "rlcraft";
  defaultEnv = {
    EULA = "true";
    TYPE = "AUTO_CURSEFORGE";
    STOP_SERVER_ANNOUNCE_DELAY = "120";
    STOP_DURATION = "600";
    SYNC_CHUNK_WRITES = "false";
    USE_AIKAR_FLAGS = "true";
    MEMORY = "8GB";
    ALLOW_FLIGHT = "true";
    MAX_TICK_TIME = "-1";
  };
  defaultOptions = [
    "--stop-signal=SIGTERM"
    "--stop-timeout=1800"
    "--network=minecraft-net"
  ];
  vars = import ../vars.nix;
  minecraft_path = "${vars.primary_games}/minecraft";
 in
 {
  virtualisation.oci-containers.containers = {
    mc-router = {
      image = "itzg/mc-router:latest";
      extraOptions = [
        "--network=haproxy-net"
        "--network=minecraft-net"
      ];
      cmd = [
        (
          "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
          + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
        )
      ];
    };
    # rlcraft = {
    #   image = "itzg/minecraft-server:java8";
    #   volumes = [
    #     "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
    #     "${minecraft_path}/rlcraft/data:/data"
    #   ];
    #   hostname = "rlcraft";
    #   environment = defaultEnv // {
    #     VERSION = "1.12.2";
    #     CF_SLUG = "rlcraft";
    #     DIFFICULTY = "hard";
    #     ENABLE_COMMAND_BLOCK = "true";
    #   };
    #   extraOptions = defaultOptions;
    #   log-driver = "local";
    #   environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
    # };
    bcg-plus = {
      image = "itzg/minecraft-server:java17";
      volumes = [
        "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
        "${minecraft_path}/bcg-plus/data:/data"
      ];
      hostname = "bcg-plus";
      environment = defaultEnv // {
        VERSION = "1.17";
        CF_SLUG = "bcg";
        DIFFICULTY = "normal";
        DEBUG = "true";
        # ENABLE_COMMAND_BLOCK = "true";
      };
      extraOptions = defaultOptions;
      log-driver = "local";
      environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/minecraft".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix
+++ b/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix
@@ -1,7 +0,0 @@
 {
  imageName = "nextcloud";
  imageDigest = "sha256:fe7f941cc514fe01e343a515c7b33e6b12707c718157f6e25a67119e9918a061";
  sha256 = "07w9rvmr2qy037ljdmk6w1n2dmwwa31ig7gzfb084wiv18hjfrg4";
  finalImageName = "nextcloud";
  finalImageTag = "apache";
 }
--- a/systems/palatine-hill/docker/nextcloud.nix
+++ b/systems/palatine-hill/docker/nextcloud.nix
@@ -0,0 +1,107 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  nextcloud_path = vars.primary_nextcloud;
  redis_path = vars.primary_redis;
  # nextcloud-image = import ./nextcloud-image { inherit pkgs; };
  nextcloud-base = {
    # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
    image = "nextcloud-nextcloud";
    hostname = "nextcloud";
    volumes = [
      "${nextcloud_path}/nc_data:/var/www/html:z"
      "${nextcloud_path}/nc_php:/usr/local/etc/php"
      "${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting"
      #"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
    ];
    extraOptions = [
      "--network=haproxy-net"
      "--network=postgres-net"
      "--network=nextcloud_default"
    ];
    dependsOn = [ "redis" ];
    environmentFiles = [ config.sops.secrets."docker/nextcloud".path ];
  };
 in
 {
  virtualisation.oci-containers.containers = {
    nextcloud = nextcloud-base // {
      ports = [ "9999:80" ];
    };
    redis = {
      image = "redis:latest";
      user = "600:600";
      volumes = [
        "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
        "${redis_path}:/data"
      ];
      extraOptions = [
        "--network=nextcloud_default"
      ];
      cmd = [
        "redis-server"
        "/usr/local/etc/redis/redis.conf"
      ];
    };
    go-vod = {
      image = "radialapps/go-vod:latest";
      dependsOn = [ "nextcloud" ];
      environment = {
        NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
      };
      volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ];
      extraOptions = [
        "--device=/dev/dri:/dev/dri"
      ];
    };
    collabora-code = {
      image = "collabora/code:latest";
      dependsOn = [ "nextcloud" ];
      environment = {
        aliasgroup1 = "https://collabora.nayenoie.com:443";
        aliasgroup2 = "https://nextcloud.alicehuston.xyz:443";
        aliasgroup3 = "https://.*:443";
        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
      };
      environmentFiles = [
        config.sops.secrets."docker/collabora".path
      ];
      extraOptions = [
        "--network=haproxy-net"
        "--privileged"
      ];
      ports = [ "9980:9980" ];
    };
  };
  users.users.www-data = {
    uid = 33;
    isSystemUser = true;
    group = "www-data";
  };
  users.groups.www-data = {
    gid = 33;
    members = [ "www-data" ];
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/redis" = {
        owner = "docker-service";
        restartUnits = [ "docker-redis.service" ];
      };
      "docker/nextcloud" = {
        owner = "www-data";
        restartUnits = [ "docker-nextcloud.service" ];
      };
      "docker/collabora" = {
        owner = "www-data";
        restartUnits = [ "docker-collabora-code.service" ];
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/postgres.nix
+++ b/systems/palatine-hill/docker/postgres.nix
@@ -0,0 +1,67 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  psql_path = "${vars.primary_db}/postgresql";
 in
 {
  virtualisation.oci-containers.containers = {
    postgres = {
      image = "postgres:16";
      user = "600:600";
      volumes = [
        "${psql_path}/primary_new:/var/lib/postgresql/data"
        "${psql_path}/pg_archives:/opt/pg_archives"
      ];
      log-driver = "local";
      extraOptions = [
        "--network=postgres-net"
        "--health-cmd='pg_isready -U firefly'"
        "--health-interval=1s"
        "--health-timeout=5s"
        "--health-retries=15"
        "--shm-size=1gb"
        "--restart=always"
      ];
      environmentFiles = [ config.sops.secrets."docker/pg".path ];
    };
    postgres-secondary = {
      image = "postgres:16";
      user = "600:600";
      volumes = [
        "${psql_path}/secondary_new:/var/lib/postgresql/data"
        "${psql_path}/pg_archives:/opt/pg_archives"
      ];
      log-driver = "local";
      extraOptions = [
        "--network=postgres-net"
        "--health-cmd='pg_isready -U firefly'"
        "--health-interval=1s"
        "--health-timeout=5s"
        "--health-retries=15"
        "--shm-size=1gb"
        "--restart=always"
      ];
      environmentFiles = [ config.sops.secrets."docker/pg".path ];
    };
    postgres-adminer = {
      image = "adminer/latest";
      user = "600:600";
      ports = [ "4191:8080" ];
      dependsOn = [ "postgres" ];
      extraOptions = [
        "--restart=always"
        "--network=postgres-net"
      ];
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/pg".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/docker/restic.nix
+++ b/systems/palatine-hill/docker/restic.nix
@@ -0,0 +1,38 @@
 { ... }:
 let
  vars = import ../vars.nix;
  restic_path = "${vars.primary_backups}/restic";
 in
 {
  virtualisation.oci-containers.containers = {
    restic = {
      image = "restic/rest-server:latest";
      volumes = [ "${restic_path}:/data" ];
      environment = {
        OPTIONS = "--prometheus --htpasswd-file /data/.htpasswd";
      };
      ports = [ "8010:8000" ];
      extraOptions = [
        "--restart=always"
        "--network=restic_restic"
      ];
    };
    grafana = {
      image = "grafana/grafana:latest";
      extraOptions = [
        "--restart=always"
        "--network=haproxy-net"
      ];
      volumes = [
        "grafanadata:/var/lib/grafana"
        "${restic_path}/dashboards:/dashboards"
        "${restic_path}/grafana.ini:/etc/grafana/grafana.ini"
      ];
      environment = {
        GF_USERS_DEFAULT_THEME = "dark";
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/torr.nix
+++ b/systems/palatine-hill/docker/torr.nix
@@ -0,0 +1,103 @@
 { pkgs, ... }:
 let
  delugeBase = {
    environment = {
      PUID = "600";
      PGID = "100";
      TZ = "America/New_York";
      UMASK = "000";
      DEBUG = "true";
      DELUGE_DAEMON_LOG_LEVEL = "debug";
      DELUGE_WEB_LOG_LEVEL = "debug";
    };
  };
  vars = import ../vars.nix;
  #docker_path = vars.primary_docker;
  torr_path = vars.primary_torr;
  deluge_path = "${torr_path}/deluge";
  delugevpn_path = "${torr_path}/delugevpn";
  genSopsConf = file: {
    "${file}" = {
      format = "binary";
      sopsFile = ./wg/${file};
      path = "${delugevpn_path}/config/wireguard/configs/${file}";
      owner = "docker-service";
      group = "users";
      restartUnits = [ "docker-delugeVPN.service" ];
    };
  };
 in
 {
  virtualisation.oci-containers.containers = {
    deluge = delugeBase // {
      image = "binhex/arch-deluge";
      volumes = [
        "${deluge_path}/config:/config"
        "${deluge_path}/data/:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      ports = [
        "8084:8112"
        "29433:29433"
      ];
    };
    delugeVPN = delugeBase // {
      image = "binhex/arch-delugevpn";
      extraOptions = [
        "--privileged=true"
        "--sysctl"
        "net.ipv4.conf.all.src_valid_mark=1"
      ];
      environment = delugeBase.environment // {
        VPN_ENABLED = "yes";
        VPN_CLIENT = "wireguard";
        VPN_PROV = "custom";
        ENABLE_PRIVOXY = "yes";
        LAN_NETWORK = "192.168.0.0/16";
        NAME_SERVERS = "194.242.2.9";
        # note, delete /config/perms.txt to force a bulk permissions update
      };
      volumes = [
        "${delugevpn_path}/config:/config"
        "${delugevpn_path}/data:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      ports = [
        "8085:8112"
        "8119:8118"
        "39275:39275"
        "39275:39275/udp"
      ];
    };
  };
  systemd.services.docker-delugeVPN = {
    serviceConfig = {
      ExecStartPre = [
        (
          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
          + "-type l -not -name wg0.conf "
          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
        )
      ];
      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
    };
  };
  sops.secrets =
    (genSopsConf "se-mma-wg-001.conf")
    // (genSopsConf "se-mma-wg-002.conf")
    // (genSopsConf "se-mma-wg-003.conf")
    // (genSopsConf "se-mma-wg-004.conf")
    // (genSopsConf "se-mma-wg-005.conf")
    // (genSopsConf "se-mma-wg-101.conf")
    // (genSopsConf "se-mma-wg-102.conf")
    // (genSopsConf "se-mma-wg-103.conf");
 }
--- a/systems/palatine-hill/docker/unifi.nix
+++ b/systems/palatine-hill/docker/unifi.nix
@@ -0,0 +1,61 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  unifi_path = "${vars.primary_docker}/unifi-2.0";
  mongo_path = "${vars.primary_db}/mongo";
 in
 {
  virtualisation.oci-containers.containers = {
    unifi-controller = {
      image = "lscr.io/linuxserver/unifi-network-application:latest";
      volumes = [ "${unifi_path}/config:/config" ];
      log-driver = "local";
      dependsOn = [ "mongodb" ];
      extraOptions = [ "--restart=unless-stopped" ];
      ports = [
        "8443:8443"
        "3478:3478/udp"
        "10001:10001/udp"
        "8080:8080"
        "1900:1900/udp" # optional
        "8843:8843" # optional
        "8880:8880" # optional
        "6789:6789" # optional
        "5514:5514/udp" # optional
      ];
      environment = {
        PUID = "1000";
        PGID = "100";
        TZ = "America/New_York";
        MEM_LIMIT = "1024"; # optional
        MEM_STARTUP = "1024"; # optional
        MONGO_USER = "unifi";
        MONGO_HOST = "mongodb";
        MONGO_PORT = "27017";
        MONGO_DBNAME = "unifi";
      };
      environmentFiles = [ config.sops.secrets."docker/unifi".path ];
    };
    mongodb = {
      image = "docker.io/mongo:7.0";
      environment = {
        PUID = "1000";
        PGID = "100";
        TZ = "America/New_York";
      };
      extraOptions = [ "--restart=unless-stopped" ];
      volumes = [
        "${mongo_path}/unifi:/data/db"
        "${unifi_path}/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro"
      ];
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/unifi".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/docker/watchtower.bash
+++ b/systems/palatine-hill/docker/watchtower.bash
@@ -0,0 +1,26 @@
 #! /usr/bin/env nix
 #! nix shell nixpkgs#docker nixpkgs#bash nixpkgs#gawk --command bash
 outdated_msg="Project code is out of date and needs to be upgraded. To remedy this problem immediately, you may reboot your warrior."
 label="$1"
 label_val="$2"
 if (($# != 2)); then
  echo "usage: $0 label label_value"
 fi
 containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")
 for container in ${containers[@]}; do
  echo "checking ${container}"
  last_msg=$(docker logs -n 1 "${container}")
  if [[ $last_msg =~ $outdated_msg ]]; then
    echo "${container} is outdated, restarting"
    imageTag=$(docker ps --format '{{.Names}}\t{{.Image}}' -f "name=$container" | grep -w "$container" | awk '{print $NF}')
    docker pull "$imageTag"
    systemctl restart "docker-${container}"
  fi
 done
--- a/systems/palatine-hill/docker/wg/se-mma-wg-001.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-001.conf
@@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:PytLIf5ceSyhxNs3p4N89GKxh7zTvTTbzKhw6SqEPrWSgRo+ntOZQgkUWBwFRGmWjFjMoMmkxaHkyrBLo/lYb6MAKuPNCb4Ss2ArSHk1qOl9u39lXYSs4NNaZYx6r5vs9IspYsIzfbkz2mad5ZaeEuDjiGCethaw9SthXNyjOOEIo/zYB/9Qju963kPXCpexu2/nbhwr/ilXzP8zzhzl712CMULV2GwISrKQcnJYyhqwzAuLmmsG50J3It3BZBUwTbyiIRK4ka0wrycqVmVDKyasUX71LYlq9MifttFCjQCN8xE7FmDl8nSBBaub9Vss5IAF+DcIRNRIQ7f6INuo,iv:CbvR5AEtENWTKP7UPqjYl7qNvyZvPZRFawrU8xoYdL4=,tag:9C5KmHeZkt62Ujkg2Wzt3A==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNTh3RHN5bGVDZ29YS0pD\nbXpoL3E1emlJeEJMUWo3SzM2ODQ4c2FndWxNCnZUN3dIaTM3bXpOWDcxSzhROHlM\nQlJTTGl2WEs1NlczUlhhMEcvWWlXaGsKLS0tIENlY3dvNEF4UEllQnR2aDJFbSs2\nVE05RnRDSVphNHcrR3paQ3BFOU8vNkUKOtItYEU8P0Wu6TDzPylTTGhwlAiSgDEq\nJnRYAH6kE+qAnpK2xQyG4n0xbhNiASUVQgNJJyN+5BZi0dDf7k9CQA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:g/ba90H1dGisB71/MWXkJDCQEXphWu0tOv04ScmEjKPm58TRM0W1oUVDPa7QWHrcdozz0LnQndhs4enW+SqRF39YBmL8OziddStVgTWC4chBazAPHBcGCgLApP9RAjNhiyosTIypLqppY08UIGU1Q1qEzcoHendu6hSMX09jG+A=,iv:6UPwNmUbjt+z7Vr7yuQ3fdsmTwBwE5AUQw3IzonqXZ4=,tag:nmloGiYkKXNGcbn8aBmNAQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAtZwfBH7XpTMkoZMd7QojukRfwU1Z7O/ZHcBzW0rYiTgw\nuYKmkKxSPqY9E/zzNpO0C52NwyAUerM851DaOHkZvcNBkMGdFLKvLf53wgPZKlkc\n1GgBCQIQNLHtkosd/X7cb8VScXNk8CVsckRQJWiHFkPtbYcyz9O55hJOdg0TGmbQ\nf4v9yNrVG6OFQTfV8IXbIJ7fANPNDTu/gDE/XB4W8GzgmLReAsaUnxJWd7a2LSFn\nCkiJsF+JY3QsYg==\n=55xj\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-002.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-002.conf
@@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:ULynEBONpLJNPcSGjnFTLkrc4PNDNVqvpQ7LWqsMC0mW6SaDFn1e8MJkK4SSLjx2UCajMOyuvzNYzLd5AxMKBgsH/P1KAAednunOEU0ADKIzsrmEqr/zrX709yXPQY2783Os29jFFpCeQra8z3YR2vfU/PcOtqzoOuipRo0p1yUtehBLN40ogP9aLc+zxkoQxts20sU2EOe7rivU9WsBGQ2m3/Eg8ucH0aNdiN1BF/pIwyXbwMxcXtUCs0jVINJqsgFx2Ntmuz24dgZnTr8Hibz0v3F1LXcFbIIiH8OaCb3S4X2Zd/nCJqxRFz+cmzvcMplQHyE1XOYqP0OTA6s=,iv:skT932uptVD/zmbm/nxtzciD9dlYbJU4HzgHZtuathY=,tag:a/x3/an0q8hhexm4dpsVYA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4T0p1alJDd05KOTBjTVhL\nMVlPZno5YVlWRG0xUWZoUkJyVVZWRitLUTFZCmJmWXdzZHlGdG5GWWI2QWZXRUhY\nVVV1WUxaNWtVcmVtakI2dHpheS9HcTAKLS0tIDFsK0ZIR040dEdQQXV1NUpCQnVB\nOU9YU0NQSkwxMEtPdnRQeUYwc2hiczAKSynE6XsoUXyoLbUuuzqXbIbGoSeZR0S/\npMhZwI2fzh3vuLO0GpREkQRJ0azEvbbFPYdhJAFIBu/eRYd70IySlA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:pk7jtod+BCMqF6Hwgkd2AReDqkLGZvnBsDBJIipi/PNQQnq04BgT3TKDL3aQD4sKREjc0dyubQtvq4pAE3Fs+fOLgfhW6uYgvkreSg7Q7aSx299l2OaIc+pI47Emt0s+QIjFz2hd3KHxBkKr9xg5m3aITVex+96VqPUO5DPusqs=,iv:nsv3uPIz8iwrXAlQ0sd7J7T7jg3Yif4DsJV9g9aAAXY=,tag:xAIvz4KPTlpIuDZZfv3qkw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAGNsLJiDmbwfugWEdArQwUDMm6yL6bHbRhQsniyz6RFYw\nbmOG9HElDZGrQor2N+OmjRJzBnmrC3H00PBuM1dx6L9pHZpf8/CT477ZE66IDxOw\n1GgBCQIQUtKFTM34FXDEV4sTfawGatyVDoqFq+gxtI6iJA+1YgrJkZzV/5yAlINb\nsiiO0h1dvUS7uMZT/EPEBDvprXwDXrk6GHTtxAQTP3XQzO3bz0x6RhMJOEj+7hEB\nrkne981/Q2FiDg==\n=kGYU\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-003.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-003.conf
@@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:1pgCvsAcTSFMhb6OKujAtyEfR+Uu544RecoLxy6hhbj8PupUuosJ+lt5gOMqOzHvjUBMvKM/mqJ+JuahChclwXg+XCgB/7yh0tlwPyftPNoWltEwu/AsP7QUwXomfj/AbwzxfB8oTw4U2Ot4DfObDNvhfA88Sva2OE6mkapoRAAFND4CoglOoJ5F+vjLf0XsRCaHTVXCTwmd6BNb+ZHs+heztlaFRp5Mv8TINOlDl3yhW8V10r8ZhLoF421DVAtVLsuOQ6rbzGOZy9A+HfZJlaEZcgFHLKi40pBKQWw5xFrDp8gml/eMtkkKRZR88v+eXT+QCrg3biVYrdIhJlA=,iv:kIOTAido5Xm1fB5Xz7bsrwNM9dbjMIxvqIcNfXbUU6w=,tag:mrzFeyo4D3Y8lah9DU4kqg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbFdnRDlGNUxhTFd3NHhM\nanZmMksxV2xJdUVRL1NFQlJySjU2ZUJSQkg0CnIxb0FIeWMzMzdNalVNUmhQM1lX\nd0h6RWdPak5QeS9WYksrcHhERmd6Y2MKLS0tIDc5ZEFhK0dycFM2N29wN09BOVNK\nTWJjNThyTUxqNWxsTmw5WmlBV0xlK2sKE3L8/VvO8vmsqUV939JM2qdVUOsHAN3p\nwFfeldy2T6ojCVLWdl3CnZ7DmRumweEsSq1JP1mkZzfxotZloMUH5w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:hmYfiTiGuO3oF/nGMP7vizC7nJtxYp1nFKoYsZR+GogpN3m3pqdKbLfqWLHXCI5o1l2nZjCo8VgUQYGrwePertOtlTF2rUz9fSxl3EsmoPbZOkt/NawjiIN3lARYTyoxwAq4Qtsna0OJTq9Yb+DlnMUTH+zk3/32K8dF2STRB84=,iv:8jYMtSSVOu5OIR4/TsM/upnZvvTh+ObkHcUiZtNLf+M=,tag:ANLwWSNxZxUM731LdQIO0A==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdADhzkz5iF5geZvou70PeWpN718CeGgvbs97VWhxL25gEw\nphKaEn/73p0Qjqnpu5xVQi0GwSOFVt2UFjLf55aEjdBPb/RwVp0kAeDzzaDSR6/m\n1GgBCQIQXglRmyXJWRT4RdsWOFM1SpuFV1F235UJIEn/O0yGiQvuBQF6OVuvqYgV\nYNi2KFUU+99WaQvxUYddGzCHMEC2AAuKSSNBvs2LSGu0Ic/KWjrcn6yeXEPuv8a/\nHsvjhXACkXWN/Q==\n=JWpI\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-004.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-004.conf
@@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:s8ANdI9fL6hX9K3ypZcmxhQv3VWZ0BYCMmEWatNpQv+0t4kLMmDIbtvLVBTjLoFvWcfy31vAEhbhZPOE0iQXUohiwfVu67/nR3gzcVpeERvtYlqb4q4RwDIgFXKZUd7y55CIcJbpFRR6U5/NCG2+PEAD5J4OtNTkjnpleipNqcI7Ccg062jVqiavOeKw+eoLMomJsJYqdeTUb9nwYlYoe87aIhZFmAKe0Z1ps6ClzaHSWsr0RSbaDFgBJxUo1brEETsIkphNktIe2kVY72PaOqiNZavEhgPfIc42Ldr4zyaW9nrau8ZsiGM/1VxrHwEOlqW6QimZO9epv6jQgTm0,iv:lSZ5H1kkokiwr6o/X42ElkLvNnWOJZkuD4Tt+vkX8uc=,tag:G+bcX3QzEIcmkxjBsSGLNw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5R0J6UmFPVWo5ME84Q3Rq\nN0J3MmowemJNa0pwNlVqQjdUR0NOWTh2MEU4CitGbkt4UDhuYlRFTlp3eHNGV1JG\nc0p6ZVlxUURhQ1NLbDhvc3VPazh5MmMKLS0tIERTcW54OTFhYjcxUVliRFFmOExk\nL1JMb0VyTDAzd1h3TXgwQ1V3VzZmdWcKZLwB3/3M5Ph9xvkBUrTZXvE13R83NCaT\nHYCKZoJx/CexdDXpij/H9fMI2BgRP1UBgxyWVg0pAAPrxhNhpiteVA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:PC2Gk57K2IQbGsAjXvN7BDaYO09vg+MKZcrieA6kPFeWVK7Nbic9iQiRsqs8cMOgQ4ZWNFJqyCmSPNKhWAkhmcuc3TNXTCGUl9AsWUyVLU1KL0I48320U+72ce4RY0vtO8FjgPjeFRtuzrHO4eOQhULrX7FhtUYq3/meZjP3PmM=,iv:P3LfN/+LS8wbRFcTvJhCU1LEqayWCUwqtHAmPodUXZE=,tag:DMuEdIKy8hBo/jdvnv7yaQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAAVsYsC/Di95MPmvkveVSZVZLPDuyWGdmgFFjGz1/l0Qw\nklzbhejv4x04f9j8zWG1Nsnvkkgv2wf++514BCGBN/DvlcFrv1xVPcA2RCqxr49t\n1GYBCQIQJvmrC8GUr9qp0yYEcUzXAaYh9hUA+fGPc1L45PmWVwjnY2wRtco4Y/uu\nLI09Esz6GH9vVesL3oO9A1uXArKw9dqph+Q6l3XAbtUp/y2vSU2xZlaQ83hAP3S1\nTryM3Ex9a80=\n=d/cZ\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-005.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-005.conf
@@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:lre1gMfmXwB/FxXrF7VguPFmunswv7Y2+GhIOJYu5ijTpDV0O3mumM5Xmk8dZ//3xPQuqFJBJEpMI8nggAWG3pEd4x5otDimJR0OHb0zoHbDE2YyNWR6pwUk07QkhTYJ0UzLFtReRCSgkQmbR20nfew1Ta9HYEDeqBH9+nFBBqlhJkYXybmjC+sWpyEkhnAUk2cjz74WiE4cFemLj8M1+pZYany9uSeY8MI+zO3PU6XyMEdEx9+H2vmvUR+MMzR01cZlHBPghgVlPtDAerTOOFo7Med/HSKUsFLm84K+DerjZ7tIP34xEY7NjW3epxk53UmUdbY8DJ+pBPVcL8k=,iv:CIHbLf6ARlXs3QQKg6hfO47WfQXYMtzCt/2Qv9Vmmgo=,tag:/uR4nPjpqEJ8zv8/H54xxg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWkhMT1dHNklvK2VXNGtq\nUG9tUS8xM0VoVDZTSTNvZ21teGYrSHRMelJrClU2Q2ovR01OK2E4d2F1aXRmaXRK\nckZ2WFhDYVA4bEVLMUl6WU0xd1p2NlkKLS0tIHZJV3FUYk5oNi9CQXlzSFUxSlVV\nV3Y3Q3RrT3JMVUh0Tmg5V3dtaURpcVEKRZ3dja+pVm2sAdQexiSw/si+CM2esjQM\nq0/9AfMPrULAdHrkvxLfyJRFWQlr2/g02QbeCE8HHYbVWSGaN2pJng==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:lxWz7NnYyAUyY52ewC1Eh9k1xDdJr0I2rEhiGukdKxg0G1gVhrj0UjFEdnkrMALrYbPh3yE1vj/E+xcPJZtrkuCQNTJkxnLlLijhXM39Um3M1KpIMDx5qOHggaT4T+HhdgJBqvkMiBypyP1ph9MPEYvg+mL4au6jd8fRaw2TUII=,iv:IbqBUWb1MrEcVy9rONDYzbB454XVYRi4mdtWo15RZ28=,tag:Cefs9e7CBk2/QsPS1LD3+A==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdARE07oxCX7FzLNlR9Pjmc1hUVGGD2KJdkFlM0cZl9uUEw\n1zW5R66Wy37KlREIRWXz2lnmN2Txpou+fC8zkxPcYXu+s+nWjbJbCRcv233RspPi\n1GgBCQIQWfGy65DBWWjSp2Sr9Ny/Pxvhzy0IF58AW32gTsxYmoeT+9qVuFcne3ut\nOEPyRqyBtnY3BOefXtBWsVBdtasFajhpp7rC2bSmd4sxacBL7DIwSVnTKpGs8Bsh\n8eCj7MwO/uRDFA==\n=frH4\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-101.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-101.conf
@@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:iqmUJoBrXT91fFKdujhbHaLHcQF6J7+zjgaVsOwRkSwnB1OF/2BAf3jwvXjZiAIf7ytdrGjDR8t+Ze1hrncwJ/CuJuWtciX0qN9pky8p3Gpd85c5yZ1kWkC/wfT9VJ70EOe6gHYVnEk8PYqWfb+HaYWolUm4dqnMQcyZ1dkGJAyedvmrZvU/EyWPwwR3bVmVkup5skjExEx0POQSTJjE36Kewm/K4AQ3yBcCmmj7ZgYWQotViYW0iIQt3ZH+oItro+SqWb8/EcNjqQbU/1CkVtFEtIgyOpy1tZ7HFhaQI6xha78KC5nPn+dgckw1rrqbH5tUMEs0GHuAhi3v,iv:83eA9Rioryf5nDtcmput665AAR622yhd1ccbIz2aYQ4=,tag:b+j9T/tuEWORm3G9dDbVuA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Tjl2S2tsVGZPS09HaDFO\neHZ2NlN5OUJuRmlZem1xeGtISVMrU2g3WmtZCndobDRnenlWSUl3L00yQUVJUnYx\nR2pxbGJuTkJqT1Nocm9jK1Yra3QzQ1EKLS0tIGE4SjZIMzN5WEl2dnFWZkIwc2ps\nVENuVUUvK1FsTmQ4UFdDQ2hnL0laRUUKYAvGtZrZ5iHls6kXlkXjRZKLB+VotxBI\nqjsPoW1o/2HJ0IQt1HByaxxw80FFcaY79FMVBkJcdQjYOEHFuQjw+Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:xo7PG3dqcfwMra7b4AKA7tjBmdwGq6hmQdGCiVT+dx5U8u60B7iIhZA1Nlkrwj1tCqUDpBjVp5iGReYJ+fckYriBBRURFtSaNjmrBSUiswaR2FqxGiNKzW83TdLEncTMXlNdTWKxhPy8uRh0Xso/ZFqAWgPd3fvfUAVXgGmnCuw=,iv:zi0v2nJPhVmPeE7pNY5KGhJimYMtWhmHzareuZ39YN8=,tag:/2NKODtUaXJhxkJLqjn6gw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAxkXTiqh3KhrshdFSX+QUvPyxL23iLm0y1nCsQGwCcBMw\nIg4RMlZVlbSUya2IPRc2J2gt7E0Fyp/oYw9Ytsa3u6cR5L41dRS4tZcpHkyJpU9h\n1GYBCQIQqCh2mj3ErvL1BYA+sgvIh8hbzmBH8uWWNpCHCP1StjtduMyLT6rBiWuv\nPvoCvz3WWXufEvn7DEutAs+T92oNMcEHcGWWbsn8U1dIXQ+7Cl2CWDNMlxIoKtVN\nuBcXPqKFZho=\n=M3My\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-102.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-102.conf
@@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:MvHQjTIH2RUsf/Re8piWc+foojfH1GpkDdgTgN5uGkBd+hFABF58ATN02SyrSJilwZiUIcmmd9yei59JKNumhY6daIcVzwpipGp2E/5ziLE0LzJ2+9Ov084TEclMe5vbEnJqtiB3Vu0w/9wKzbiXGWi/doqpNV1YKgore90Z3Mol4bVC/4ZSmm/YvRNZg51HPHtX65uZKuER54KqqkZOj0zPB8YiJHDbvtdoX2u8gEAenOjboHkRXRU9jgjytoP2Pw8W1dikajTXvtcjTzJijHVXZb70b0Yr5QnLOZaT4ovZA2Y4lkllpmQ4m+up5V3AkIk8iSLlFHOSaYNY,iv:0JpG17m9kD7xJ5vEBibuKG+yLL+xiIHlldFQ9TuWZwU=,tag:mPI3NUTmCnAXhcZ1jyAgrg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWklBZUQ3MFo1bUZuY1dy\nVGdUK0FlM1dSNFBYOEhkZUFMd1g0b2ErZXd3Clk2TlQ4aEROUEJFbmpwYXRQK21t\nalJ4Z0k5dlVHQzJzdWNUMnYvTFMvWTQKLS0tIE04TzNIcVlzby9IM0FNMWlOd1Z3\ndTFwa1ZoYjdqUGhUTVVqcmxPVThMV0UKa07ux2wYZCn/9pgejH2o2wAknVLo2YV+\npb49PUwm1wvXaUVOrgGWAEGV1WBkH0FjSUKpTGLZ1V5MJ+wBk1fzRg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:10Z",
 		"mac": "ENC[AES256_GCM,data:X6AY8uht59ISavkd199WKj+Tnvf6YRxLccRJe/TeEwYN6M9TDIkIDEJmiw25LuLWHq96k6kJ5LXg2XapvTddZs6XavANxVoafyB97JYcofsFgrt5ziVJQisLxxjwnOP7twUHtHN60TS+2Om4LKnx2qm4piMJpt1RTFQPquSrNGg=,iv:Zgl/L3ugPEyQTXnHqctDnRORC3fPTx/z/wAHFfo5ZS4=,tag:o3jdq1bHCzfavdNRwKk1Ww==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:10Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAWiLRFVRksLnX7OthQw84hoyjSEnsQyekp7kF/dbFAW4w\n4byTxDKfHHmSUvf9G96wOH/mNWpdAJiWlOQ7tPstVwoeHVBHSgf2vgd8MRTmrRzo\n1GgBCQIQjpgEmL08FuHrEGvT/WUSAIBXKhN56fyHOgT62NzOthiIIp6qxq27UjlX\np+ZUIR/X7qeJSVHJUKssNRnTKm1bbmbK/9ydXZtk/xHdFAD5YLZaz26ZknhaR7J1\ncHEHK6TQRL54lA==\n=DD6O\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-103.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-103.conf
@@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:K1RimM2itH8391EFz2SYMn+tDlTcf9bopuci3hkZPqi0Obr4M1pgQGEbs8xxcCYknE5HLGuW/zbMXL5UvFcGIVlvX0q/eZBerTuUz/VMbkzWiQ5Gqy9BpdXbb1i6vBDnNkDpfxrAu8vadUMifoUVTUconhoOzoR5byOMmUdx84z9W1S/9oztd9fRXhJIkoI23mxbaKr+zK7bX8CS73tVk8+oBFjeUPSt6+IwlmWx1iKVBs5tY/RPQ7kGTe3lIdbe2QIgPS/T7/W4xMoI+i9Z+SrW3eLOUyHNWQg/3gCPbOwvYt3xhj8RaScmW5L1a0SMPDQ/5CatOoiV/vrA,iv:NreCE5+5wyEKowJgtFXw7YPhbixpn+qCK403zzrkkjo=,tag:ptYXTDaKEs17fZichb+lbg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YlBUcWdWVGNwaUlqMjdt\nTWVqUW5LdVlZWC9Uem0zQXI0UldFMDYweDNBClVJSTJHL0c4anFnOSsvcmhBaldD\nSHNUem9aQk8rTTdLUFpML01uMFJjNkUKLS0tIGY4dXFUVm1mVThrWmFyS3BkTlhS\nblA1MmN1Q3MzRERlN3pLMTExSkx1RjAKonRli3BpI6iucyJAbWvERBPR0f6ewrIp\nBIQVkEBod/pdSiahMWfXjFVH0nmU9Ip2CwhZl1pGNOaHhnLtrUWmBg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:10Z",
 		"mac": "ENC[AES256_GCM,data:kDO0Y1wIe/ZWTiXeuAQtCS+fn1gR6L514e8qs7mzt1B6/u5hChy2L3WRR0DQN9V0wjl2bp6muAdfTEDbO7PmAbSE8wKHjCy97tzDgVSrtodUvGZUbm62bA0cx1VzgcKrCYHglSDsxmnYc3atxKlM8uWJ9GM4F4O+wRj/AH1QLYM=,iv:DgTrwKlftGmyuRDbROApudP9xANL7aBTbGgYRYqN5ZA=,tag:ek8rci9l2iDrYxP3b2EBvA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:10Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdA0ZIzTIWsWHwek/Z0bIQvfCa49t6aaM51M4HJFyCRpxQw\nJ7mW22C1kf35WAz5Hmm251B+UuW1wUITdavE3tYH9/yB1yQsTSgKd3Vze/r5Ebvu\n1GgBCQIQQJk9Blm+/vA3//hafY4tDtuCr7N+utLdDFK1lBy9+Qg8UtAiNP4fFffF\n8Eh0tx/Fg5n/2r4p9NGLFn/ZMMe9SnP19VsmGQQjA3RlK8jVmxvSCXLFzM85uZge\nYJDAMSU+8Q3qdg==\n=4Asa\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/firewall.nix
+++ b/systems/palatine-hill/firewall.nix
@@ -0,0 +1,29 @@
 { ... }:
 {
  networking.firewall.allowedTCPPorts = [
    # qbit
    8081
    8082
    8443
    # hydra
    3000
    # minio
    8500
    8501
    # gitea
    2222
    2223
    8088
    # attic
    8183
    # collabora
    9980
  ];
 }
--- a/systems/palatine-hill/gitea.nix
+++ b/systems/palatine-hill/gitea.nix
@@ -0,0 +1,64 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  base_path = "/ZFS/ZFS-primary/gitea";
 in
 {
  services.gitea = {
    enable = true;
    appName = "The Hearth";
    database = {
      type = "postgres";
      passwordFile = config.sops.secrets."gitea/dbpass".path;
      createDatabase = false;
      host = "127.0.0.1";
      name = "giteadb";
      port = 5433;
    };
    settings = {
      server = {
        DOMAIN = "nayeonie.com";
        ROOT_URL = "https://nayeonie.com/";
        HTTP_PORT = 6443;
        SSH_PORT = 2222;
        SSH_LISTEN_PORT = 2223;
        START_SSH_SERVER = true;
      };
      service = {
        DISABLE_REGISTRATION = true;
      };
      log = {
        LEVEL = "Trace";
        ENABLE_SSH_LOG = true;
      };
      "log.console-warn" = {
        LEVEL = "Trace";
        ENABLE_SSH_LOG = true;
      };
      cache = {
        enabled = true;
        dir = "";
        host = "192.168.76.2";
        port = "8088";
      };
    };
    stateDir = base_path;
    lfs.enable = true;
    recommendedDefaults = true;
  };
  systemd.services.gitea = {
    requires = [ "docker.service" ];
    after = [ "docker.service" ];
  };
  networking.firewall.allowedTCPPorts = [ 6443 ];
  sops.secrets = {
    "gitea/dbpass".owner = "gitea";
  };
 }
--- a/systems/palatine-hill/hardware-changes.nix
+++ b/systems/palatine-hill/hardware-changes.nix
@@ -16,25 +16,6 @@
        };
      };
      postResumeCommands = ''
        # let root mount and everything, then manually unlock stuff
        load_zfs_nix() {
          local device="/dev/disk/by-uuid/8bfaa32b-09dd-45c8-831e-05e80be82f9e"
          local mountPoint="/"
          local options="x-initrd.mount,noatime,nodiratime"
          local fsType="ext4"
          echo "manually mounting key location, then unmounting"
          udevadm settle
          mountFS "$device" "$(escapeFstab "$mountPoint")" "$(escapeFstab "$options")" "$fsType"
          zfs load-key -L "file://$targetRoot/crypto/keys/zfs-nix-store-key" "ZFS-primary/nix"
          umount "$targetRoot/"
        }
        load_zfs_nix
      '';
    };
  };
--- a/systems/palatine-hill/loki.nix
+++ b/systems/palatine-hill/loki.nix
@@ -0,0 +1,242 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  vars = import ./vars.nix;
  loki_storage = vars.primary_loki;
 in
 {
  # loki: port 3030 (8030)
  #
  services = {
    loki = {
      enable = true;
      configuration = {
        server.http_listen_port = 3030;
        # auth_enabled = false;
        ingester = {
          lifecycler = {
            address = "127.0.0.1";
            ring = {
              kvstore = {
                store = "inmemory";
              };
              replication_factor = 1;
            };
          };
          chunk_idle_period = "1h";
          max_chunk_age = "1h";
          chunk_target_size = 999999;
          chunk_retain_period = "30s";
          max_transfer_retries = 0;
        };
        schema_config = {
          configs = [
            {
              from = "2023-07-01";
              store = "tsdb";
              object_store = "aws";
              schema = "v13";
              index = {
                prefix = "index_";
                period = "24h";
              };
            }
          ];
        };
        storage_config = {
          tsdb_shipper = {
            active_index_directory = "${loki_storage}/boltdb-shipper-active";
            cache_location = "${loki_storage}/boltdb-shipper-cache";
            cache_ttl = "24h";
            shared_store = "filesystem";
          };
          aws = {
            directory = "${loki_storage}/chunks";
            s3 = "s3://access_key:\${LOKI_S3_KEY}@custom_endpoint/bucket_name";
          };
        };
        limits_config = {
          reject_old_samples = true;
          reject_old_samples_max_age = "168h";
        };
        chunk_store_config = {
          max_look_back_period = "0s";
        };
        table_manager = {
          retention_deletes_enabled = false;
          retention_period = "0s";
        };
        compactor = {
          working_directory = loki_storage;
          shared_store = "filesystem";
          compactor_ring = {
            kvstore = {
              store = "inmemory";
            };
          };
        };
      };
      # user, group, dataDir, extraFlags, (configFile)
    };
    # promtail: port 3031 (8031)
    #
    promtail = {
      enable = true;
      configuration = {
        server = {
          http_listen_port = 3031;
          grpc_listen_port = 0;
        };
        positions = {
          filename = "/tmp/positions.yaml";
        };
        clients = [
          {
            url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
          }
        ];
        scrape_configs = [
          {
            job_name = "journal";
            journal = {
              max_age = "12h";
              labels = {
                job = "systemd-journal";
                host = "pihole";
              };
            };
            relabel_configs = [
              {
                source_labels = [ "__journal__systemd_unit" ];
                target_label = "unit";
              }
            ];
          }
        ];
      };
      # extraFlags
    };
    # grafana: port 3010 (8010)
    #
    grafana = {
      port = 3010;
      # WARNING: this should match nginx setup!
      # prevents "Request origin is not authorized"
      rootUrl = "http://192.168.1.10:8010"; # helps with nginx / ws / live
      protocol = "http";
      addr = "127.0.0.1";
      analytics.reporting.enable = false;
      enable = true;
      provision = {
        enable = true;
        datasources = [
          {
            name = "Prometheus";
            type = "prometheus";
            access = "proxy";
            url = "http://127.0.0.1:${toString config.services.prometheus.port}";
          }
          {
            name = "Loki";
            type = "loki";
            access = "proxy";
            url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
          }
        ];
      };
    };
  };
  /*
    # nginx reverse proxy
    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      # recommendedTlsSettings = true;
      upstreams = {
        "grafana" = {
          servers = {
            "127.0.0.1:${toString config.services.grafana.port}" = {};
          };
        };
        "prometheus" = {
          servers = {
            "127.0.0.1:${toString config.services.prometheus.port}" = {};
          };
        };
        "loki" = {
          servers = {
            "127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}" = {};
          };
        };
        "promtail" = {
          servers = {
            "127.0.0.1:${toString config.services.promtail.configuration.server.http_listen_port}" = {};
          };
        };
      };
      virtualHosts.grafana = {
        locations."/" = {
          proxyPass = "http://grafana";
          proxyWebsockets = true;
        };
        listen = [{
          addr = "192.168.1.10";
          port = 8010;
        }];
      };
      virtualHosts.prometheus = {
        locations."/".proxyPass = "http://prometheus";
        listen = [{
          addr = "192.168.1.10";
          port = 8020;
        }];
      };
      # confirm with http://192.168.1.10:8030/loki/api/v1/status/buildinfo
      #     (or)     /config /metrics /ready
      virtualHosts.loki = {
        locations."/".proxyPass = "http://loki";
        listen = [{
          addr = "192.168.1.10";
          port = 8030;
        }];
      };
      virtualHosts.promtail = {
        locations."/".proxyPass = "http://promtail";
        listen = [{
          addr = "192.168.1.10";
          port = 8031;
        }];
      };
    };
  */
  systemd.services.loki.serviceConfig.environmentFile = config.sops.secrets."minio/loki".path;
  sops.secrets = {
    "minio/loki".owner = "root";
  };
 }
--- a/systems/palatine-hill/nextcloud.nix
+++ b/systems/palatine-hill/nextcloud.nix
@@ -17,12 +17,10 @@
  systemd.services."nextcloud-pre-generate" = {
    requires = [
-      "docker.service"
+      "docker-nextcloud.service"
      "multi-user.target"
    ];
    after = [
-      "docker.service"
+      "docker-nextcloud.service"
      "multi-user.target"
    ];
    description = "incremental pre-generation of previews on nextcloud";
    serviceConfig = {
@@ -31,10 +29,10 @@
      Group = "docker";
      ExecStart = [
        ''
-          ${pkgs.bash}/bin/bash -c '${pkgs.docker}/bin/docker ps --format "{{.Names}}" | ${pkgs.gnugrep}/bin/grep -q "^nextcloud-nextcloud-1$"'
+          ${pkgs.bash}/bin/bash -c '${pkgs.docker}/bin/docker ps --format "{{.Names}}" | ${pkgs.gnugrep}/bin/grep -q "^nextcloud$"'
        ''
        ''
-          ${pkgs.docker}/bin/docker exec --user www-data nextcloud-nextcloud-1 php occ preview:pre-generate
+          ${pkgs.docker}/bin/docker exec --user www-data nextcloud php occ preview:pre-generate
        ''
      ];
    };
--- a/systems/palatine-hill/postgresql.nix
+++ b/systems/palatine-hill/postgresql.nix
@@ -0,0 +1,62 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 #  sudo -u postgres vacuumdb --all --analyze-in-stages
 #  /var/lib/postgresql/16/delete_old_cluster.sh
 let
  vars = import ./vars.nix;
  dataDir = "${vars.primary_db}/postgresql/nix/${config.services.postgresql.package.psqlSchema}";
  backupLocation = "${vars.primary_db}/postgresql/nix_backups";
 in
 {
  services = {
    postgresql = {
      inherit dataDir;
      enable = true;
      enableJIT = true;
      package = pkgs.postgresql_16;
      identMap = ''
        # ArbitraryMapName systemUser DBUser
           superuser_map      root      postgres
           superuser_map      alice  postgres
           # Let other names login as themselves
           superuser_map      /^(.*)$   \1
      '';
      # initialScript = config.sops.secrets."postgres/init".path;
      ensureDatabases = [ "atticd" ];
      ensureUsers = [
        {
          name = "atticd";
          ensureDBOwnership = true;
        }
      ];
      refreshCollation = true;
      vacuumAnalyzeTimer.enable = true;
      upgrade = {
        enable = true;
        stopServices = [
          "hydra-evaluator"
          "hydra-init"
          "hydra-notify"
          "hydra-queue-runner"
          "hydra-send-stats"
          "hydra-server"
          "atticd"
        ];
      };
    };
    postgresqlBackup = {
      enable = true;
      compression = "zstd";
      compressionLevel = 19;
      pgdumpOptions = "--create --clean";
      location = backupLocation;
    };
  };
 }
--- a/systems/palatine-hill/samba.nix
+++ b/systems/palatine-hill/samba.nix
@@ -0,0 +1,37 @@
 { ... }:
 {
  services.samba = {
    enable = true;
    securityType = "user";
    openFirewall = true;
    settings = {
      global = {
        "workgroup" = "WORKGROUP";
        "server string" = "palatine-hill";
        "netbios name" = "palatine-hill";
        "security" = "user";
        #"use sendfile" = "yes";
        #"max protocol" = "smb2";
        # note: localhost is the ipv6 localhost ::1
        "hosts allow" = "192.168.76. 127.0.0.1 localhost";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "bad user";
      };
      zfs-primary-backups = {
        path = "/ZFS/ZFS-primary/backups";
        writeable = "yes";
        browseable = "yes";
      };
    };
  };
  services.samba-wsdd = {
    enable = true;
    openFirewall = true;
  };
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
 }
--- a/systems/palatine-hill/secrets.yaml
+++ b/systems/palatine-hill/secrets.yaml
@@ -1,19 +1,32 @@
 hydra:
-    environment: ENC[AES256_GCM,data:XUS68hCXWGMCoxxfecspEpFF8sxVJJVAm74ZZJM5/TiMAyzG0VTw17XQOgv+pP5aYABnQ3Rt9KFaxacaljrjFJ44O8qdGCQOi+g5+EpztHAI+yyeWkEqcVrcDKeb0jM0qygBUtyez5aLJyFwT7znqfNi3CHMP+cJTNVUAQkfL3RrU/lNzAZpIJ5tVG5PzDqMLDWMQXiDRICNdp9fUXyGee64bQ1NxGJALmYS9o1YT75e0nCBsIBD50+ChQvOTUfTGfxpG5SbnDGmL0JIUGB3MqM=,iv:TRsVfNxLnMuq5Wvu0ZX4JVHoIXQaj3Li3KsBXmoFiK8=,tag:gGTQo66uzdUBqCuUYHSE4A==,type:str]
+    environment: ENC[AES256_GCM,data:G/6DOeRdjjp5PGpsHCHneW2X/OQzSH6gozKmgOlK6/bSdQltv4U00AYNOrUYYlH9Yab7JSYBfQinsqRKyDVEp7LLPdlxBaztJiSZGGAdio+JHWwR7UAhAEXSgOh4qFq0SjdZzQduEOdfSYfksut3dJiAvpj6oo6hxuo8mkW4+UacpBmvpnrzHjJHeYYbb3krIhKG6bBqHLT403rLf5oYjnY16XUuYO7deAH99JkfCJKlKnDf3GLfnX78XoXSdOMUyf57PPq5EKA8mFdtZsbAmis=,iv:s903rYHyocGtVJ594+HtCyULGtuom6aUVDcbXPbH93I=,tag:YFkFAIU7cNHSuYnN+lShgA==,type:str]
 nix-serve:
-    secret-key: ENC[AES256_GCM,data:dXpfTamvU17kkMwp0DZIktkh/iI96wgcQerEC9G0tdm7tL7NQSlS4giocf9uckXK1JNkK9q7urZznx82ZBV3kaZE8oZKgYtkR5xpHgGsbYgQbLx6gowKfBkPusikFl/BqUvUBLznYsYSkJddXJ4=,iv:yeHyAMY2NxQUyzirU9+ggF1O6kRsrM0lEJCY9U0qJN8=,tag:cSm1Obe6WnpHloF/JleVEA==,type:str]
+    secret-key: ENC[AES256_GCM,data:M8MJHHO8Hd/Gm6Nxy7/IPr0s6jHEDBB9LpZq8lIWQirvZPpgNrMrnP2xFJWEuJF/ND9hU09ZHA3efIBej2siRPOWSEu4gE65W/GMtpCcwEXF0hR/ISvBsH0fci/6KGbUCVg1x9AJpjJsqevPN7I=,iv:Weuziu2me+kdB9zk68nvLnyxv0ICwB1qA4z0Q39tT6k=,tag:nhcFfRQOxEandrf6CivahA==,type:str]
 attic:
-    secret-key: ENC[AES256_GCM,data:0pVok0M5Ob08BdFBV57Ijr4MW6msdGuvgq7v5lunJocv/sM0u0Cy7ye67+me21YBy4xGqidAfQo0j4OQkn71Z7ouKJGQ6izqOuTvRerBLmY/V3GMnSrBgtb+gjKhwswf/T/WV/I2lc0GTrdiJi6JJC0VL14kJYWRQIdcadeGEoF+cZyzyHWV32TxyJrNlDGFu1aFhjKiHP50aDFxibIPwz1h9+lN6jEGEwsOa29K3gnL9zOmzaoS/F4wXEZlCXNETj6lvCd6Ywt3erkGmCvA4FTzfs/CdW/QcS2GneGUzoCy4NRcxx9dKQ==,iv:4QiN6tupBkIZbVkKt7MyLMiy5z/y0ExAT9xWVBL+pko=,tag:CT4F8y/rObKlIMCwtJk7AA==,type:str]
+    secret-key: ENC[AES256_GCM,data:/wYnCD7qggeHdsNqkp1rZK839o/1olhJUlT1lrZpv1hTOZDduP2OGhz8kh2PrQR6Mq2Y/ALgHG3cFpJs7G64xDK0qRVGIDlC/9sTQIcF2JL49Free8vADe5ads64EN3vWgfmFoBMPmL0mc4qnDBGnBkDueFN5gy+1szK9tWK23tMl1wEWVsiqBwhuWqQBNRxeaHR2tQXI2Yg3fefq5+laOUjnSe1a8Kx4dJ7rXZuXe+H4uyU7roYFxlLpI8qZig0eUO9WUMX9WP0tKOr5OjsbJzBbdVlVT7lZ9ROYUceoxmcWecLlcyv3Q==,iv:DjH78Getnt3zzK9QLj+HS0cF1wtaBeadxSTrRb1uic0=,tag:KMPtWCq1KT1SSthh3fdsew==,type:str]
-    database-url: ENC[AES256_GCM,data:CrtsSB9KaA+KT9F34eM+z5trjb72wRKKy2LKOWDxBgvVtrNy5jj9c9KPnPCRWue1eABC1FdThKH1,iv:n3n16Qs/s77CxDNHws4lLTJaXx++DpqUrrVDp+Rpj2E=,tag:gkQhzX4gHPRmAQjZKBZF4Q==,type:str]
+    database-url: ENC[AES256_GCM,data:WHdAxNbkRxvNvfUWdPSbgeQXOS7f46OuDKTRuxf3cEyhbU5NAsGlCgfarUBXsHrCH79t7zDGlcRE,iv:trOxDY/ifsibKoX5YPOfKvX/q2ny6SgykiIBusgHxag=,tag:Cx9hhiJIhDLiojJmDdSDtg==,type:str]
-    adm: ENC[AES256_GCM,data:fTXg7sVtyjzm2zPLBSYX0wsAjhPZz/fwOWjk6bYEFNDAz9Esw2VFqG84E53cSj62KxClx8jlakA6RyXH5betcrxoRybrEuvdej76TS4kAP3cgK1OUEbcw0gWsgJPleH2BVAn6/5AhtISmglx0RykyKDtjBoxO1ewwwKesd5brIBD2DhLyaYJLFB42to1HmLe7FgYDaR2Q/W5B6W7RMueFwjA4/Y2ELoFQpwqF2HvcyFO58x8BFhIla6T+MB5l5I2qoYNlN5AayUur5xlALRUGH2PCJEiTrt8hXhYPkSlkiiwORBwwK7w89kO+tsHoDW8u3F/aKBbBnikIkaXnSa694mg0twmTOYL,iv:OBk9nrRA2t/9DvEI/OJTwp8nX4iP+foohueZON9Tlgs=,tag:Y1hVX2wva9QridJ5els9Fg==,type:str]
+    adm: ENC[AES256_GCM,data:mP4xFGK3+YwyiUMwFaG6tY3tWLGY2YTGa4DRuHzW5Za3McmwEFUzlQQ4hGS2bPKOKwM2Pe5HYBwJnFkd6KRwx5civqsBMwFt4dfZ31xDEi9RxpEm9jCnCcvB1CY8cxNARIhceC12X/ZR8ianUpoINYSjOj4BRy4TEEigi5+V4DkAXeG8+x8SWjj/mRMQMcZud4i69Ul7tpzbjUHm0s/Aasvmib13u4ZbGX/AyoOX8pQwkRHoyfMK2OvRbaeQf9fPcQxOSBALYOIXk9mEGxN1FTFHrTvrY5s0w+hC1mAjX4qm4ZM77RneAI0fJaq1hHSZETIpJOCiQfR3bLuyzWKVestOE29V8Pwq,iv:bjK1QkWUc2vs+oUoC5Z0AKR1/tmrhSLvP8BP8gzghOg=,tag:dmSDM+gbsJMDkqgIPWBfGQ==,type:str]
 postgres:
-    init: ENC[AES256_GCM,data:Pq24kdMXLAbePqIHPiJx3xXYEm2UbY598iNDf+z2k1HDhStHAd10CCyJYEgppCw2lkDNY54A3PQ=,iv:RE9DQ9Xw4tDFBD67dk3ggyqYqoGVhZf5kO53WoF3fJ4=,tag:dZwZfgI2H9JTClkyUI1MqQ==,type:str]
+    init: ENC[AES256_GCM,data:trwA30EswHEPa6V2GuHsGgU4NK/j/UQveldwHng0Ilwyqh9aZCgF3axP48MmcciBssux8DZ4O5U=,iv:VC+tpG5yuiBE7pjZ85lYCwHG/bTePxeXQDz2zyLyLYA=,tag:5+jwWTv5T5YWwQpR58QfOA==,type:str]
 gitea:
    dbpass: ENC[AES256_GCM,data:8jECcEJ8JnK7fztTckzLrQ==,iv:yQMp5VrierOKXwiop0NUA7Qbn2eH5iUCVlKppZwKLIQ=,tag:rI9WT7zLIaFxVcTu3ufW4g==,type:str]
 upsmon:
-    password: ENC[AES256_GCM,data:0tZKzQOYaij9jdnDTv61ma8i,iv:GEqlCOOUHTjUzfz+X5lCnqcX9SjAG6bVc8Luv97wnSg=,tag:XLvsucW6sIMHKG2AHmxZEw==,type:str]
+    password: ENC[AES256_GCM,data:52Rxsh7KUq+aYjQORBC+Yq5B,iv:F05g/a5bv7DQ+eLlMqsNeRHLxzl7AyXU1zAlmFevQ6o=,tag:xkGDD3hDF+u5fUbP33OrlA==,type:str]
 minio:
-    credentials: ENC[AES256_GCM,data:78ANAQ2756IISlkUFPxy9lQYRml8C9PvkkiXME4nMjtWwPgybvSM2nrO3yVhTgyOyUZjYYWzJlpwstfIAbuWEgGFhbMixSSNSgsWozojm0hWfPBWZ5x4iX++0ARFdfxIAjiGlM/HGa0YO/2tSA6oW6FqM4RbC1vPnqJc,iv:8Y+SilqKsUH/J6M+l4Wpm2J3nPXeoUhA1+GvhzlqMHE=,tag:5dYBlYPIUjd+U+r/dqJWIA==,type:str]
+    credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str]
    loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str]
 docker:
    minecraft: ENC[AES256_GCM,data:2k/m0ksnE92fACxQuBlOO72b19T7Nbnr58ezRddmKUVvePEgrdSnIsR3sh7PnmzwmG/ez0WTD+NKbtkQmRMDQ25vruA8gCf8Ig==,iv:X2SUidKTNAPZfbyiXFKprUbAhBxJcbF5bz+YTy4nuEA=,tag:AAvLXO888r9XvtnNfQgCpA==,type:str]
    foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str]
    nextcloud: ENC[AES256_GCM,data:dm2Cha+CvFORgdcBvJAzzdOGcJ95vLJYTZcUJnjNp6HOQIIoJrDone1NOAYJh9rdWG/17/ntOmd+TysAj4AsD0dw/PatZmy3I+dcVghkt2XNTc7jD64QjctIHzR+om1joAbKemG1R3St7qDU68TWYxoxIfYZcJvg3ds/lJcYgFRh079UZ/IRlGVR6sWPEXyY+UUrwtk0Fr+y8UtwwWZiLp0akUbIV06huRGiAp/PeWETuPPuacl2++ayIgJFZkJjUl/a52RI1Q0nLG5iyK6QYpY1JSRJTOkiQQ4PB5GRdLCdoM5/ZXTQ6gGcoM5jXFllsTn+yRicNRucuBp7Z2achbk6eITCdjjdXVI7zM4YXpzVLu5fJckLAu07aEIGYCBT7ZXd7TRgfB68POwtwaJGBozg+nuhq8xEH04yi8jFODH6aFplIgJ+bbaP72zw+92lzZa33FEtOwKdtx+YUv0eLLDJs+8Z6Sn6RyN8prwIz1/9LuIMx39g4R7id9W2bV2MXqTU4nN8f0TXWqe+hnb5pDLBaZOBMkwbRka6Vptsi4dbL5Lnexa2DoIHZ2unyxZ+4SkRt9LH39j8fXf2w5JPFCSLstf7+Zu7xzRS0TTCug7k,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str]
    redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
    act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
    collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
 acme:
    bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
    dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
 server-validation:
-    webhook: ENC[AES256_GCM,data:d8drMmXcbWCGwOanYr6jUCz5+d1bgTrPKMl4yxFi49oapqFUFSQo2pA3bP9DA2n0b63ZJp1IDyJGBRGjFUsSC8EkKQsYMIm962o++D4h7/l9GZU2TBcn5VgvSldETgwloMg92i3zEApNCeZTtwFwJuJTwmUsZmg528Kj7SBcDw4H18dW8MMfgzBTkZUh,iv:F/UtYjWNoG1la1xaNevRXP/4lNT2TgYfmukbncHILDA=,tag:fJpdG5di6j8Wm54KLHZEsg==,type:str]
+    webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -23,26 +36,26 @@ sops:
        - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcTQ4SVM3dVN4UWZCSXBs
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcWo4V1QyZS9HbHNwT3Jl
-            dFo1S0ZyOEM3c3ZtYTcvZlVNYStDdXd0NjB3CjY0NWc4UkVGUk1ZdTBBLyt2L0lX
+            ZktNR2gwZ3BiWnYwZHpLUzR2YTlmN0ZUeEhnCkF6ekdkN0U2VGM1RFVhdTM0RW5u
-            M0lRbXFwRzFWSTNndC92SU5kSkowb28KLS0tIFhjMnJzZHRoTmJONDk1RjVsRVZq
+            bWdreGZrU0JwNDY1TnR2S1M3OTdKaWcKLS0tIEVBekE2eU8rcEhpVkhhWmxPc3JN
-            d241ZnZ2MWg3YVNBbkh2S0NqeE5PdFEKWqnQH4kZszkKZTSgur0c5hGMoMx9zBdz
+            cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
-            tSvUbe2+WKX7q6y7XqsD1KjFI+POVDF+YN7H9ja96+JqvKRteXNhCg==
+            LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-07T23:09:33Z"
+    lastmodified: "2025-03-04T04:53:14Z"
-    mac: ENC[AES256_GCM,data:nr1JAEr2FGrYtiUhrQFsBPbiR+toxzYRZVPqq7zYBMeNy70a5jMgw6qm37M8Hmt7omO/KePE+Ol27FI9Aqn8OP3CQZoSWZbul+TTItV5UWC84G3MebaesnIiFQwbpM9hz08VoQ1zxUiUFnUY4bBr6okNSyJeqq/QmkkyqhK4Wlo=,iv:0MR7AiQEX2Cl7FUtRlxaY+R2oqSbanIhwaXAN/UnHH0=,tag:RpQCtsuelu3VQVB9HzJE+g==,type:str]
+    mac: ENC[AES256_GCM,data:MCucwVPGRMA/hGYS7mwSppkZAQ3wjHJnyeSvSI8YOOD0Xq7mvkMSvKctFHl6h4Cx3ubRvVHf5j35/NQxb+/VhhCPAHWDbqq9O2N0aWhAeybCu0IjruKrJhs76KsXJnNZ9REQQnS1/TNquuvj9FCoqDnrQcFs7M0KJ5m3eUU2h2k=,iv:ZJGJ8CTA8K5FnoKtbogleksB8wDcZtknO07M07Dmpsc=,tag:GMUXJD4U8KQgy9rvzEAMuw==,type:str]
    pgp:
-        - created_at: "2024-09-05T06:10:49Z"
+        - created_at: "2024-11-28T18:56:39Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DQWNzDMjrP2ISAQdAA1DGmMjNYHKHtel++ftsHqmQGqrjfL4VJTe62bEMfXcw
+            hF4DQWNzDMjrP2ISAQdAPOYlp/3ZJrcXZbu5+XI+BHNzMbzw7+YhTYOfNgujU1gw
-            EQmF0itX7ns+GogeYeYaqxa0qraWzzGwsEDJOp+VJMmLPtw5999kdO1PikgyGkcV
+            QfJDWAhiMd8cZF5PpX+RdN+Zrk5CCMgZH4hotv9gjf1oxitWuF2hv14k/RlAx8kr
-            1GgBCQIQd5DwJiXbQ7bFPYPGg8xxEBeDsHYtKo0tv9uQi9Is0nYYHbI8+TuFUv2o
+            1GgBCQIQB+LOoKIo7AHeucdV9NsM6H4Akv+Bzy8boarA4BGcyvgRWhS2u8zOQJc5
-            Av5c+/hAX/1D4F8JDTnz7WbEO3X2H7VXNMQKQkYR1Ndds6ueyx1V4kFqQTD5qLG/
+            RKfRonTO51yjlKm0MEspvwrClO+aIuBaNNemuHdk4yhDUnNKVBFyLLOuqXbsFd+G
-            BpnwAmW4i9XVMg==
+            aSTmqvI3a/T5Cw==
-            =2NK4
+            =ph+p
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4
--- a/systems/palatine-hill/vars.nix
+++ b/systems/palatine-hill/vars.nix
@@ -0,0 +1,20 @@
 rec {
  zfs_primary = "/ZFS/ZFS-primary";
  # primary
  primary_act = "${zfs_primary}/act-runner";
  primary_archiveteam = "${zfs_primary}/archiveteam";
  primary_attic = "${zfs_primary}/attic";
  primary_backups = "${zfs_primary}/backups";
  primary_calibre = "${zfs_primary}/calibre";
  primary_db = "${zfs_primary}/db";
  primary_docker = "${zfs_primary}/docker";
  primary_games = "${zfs_primary}/games";
  primary_hydra = "${zfs_primary}/hydra";
  primary_libvirt = "${zfs_primary}/libvirt";
  primary_loki = "${zfs_primary}/loki";
  primary_minio = "${zfs_primary}/minio";
  primary_nextcloud = "${zfs_primary}/nextcloud";
  primary_redis = "${zfs_primary}/redis";
  primary_torr = "${zfs_primary}/torr";
 }
--- a/systems/palatine-hill/zfs.nix
+++ b/systems/palatine-hill/zfs.nix
@@ -80,4 +80,70 @@
      };
    };
  };
  # hack to make sure pool is imported before keys are loaded,
  # and also keys are imported before things get mounted
  # note to self: move zfs encryption over to luks lol
  boot.initrd.postResumeCommands = ''
    ZFS_FORCE="-f"
    for o in $(cat /proc/cmdline); do
      case $o in
        zfs_force|zfs_force=1|zfs_force=y)
          ZFS_FORCE="-f"
          ;;
      esac
    done
    poolReady() {
      pool="$1"
      state="$("zpool" import -d "/dev/disk/by-id/" 2>/dev/null | "awk" "/pool: $pool/ { found = 1 }; /state:/ { if (found == 1) { print \$2; exit } }; END { if (found == 0) { print \"MISSING\" } }")"
      if [[ "$state" = "ONLINE" ]]; then
        return 0
      else
        echo "Pool $pool in state $state, waiting"
        return 1
      fi
    }
    poolImported() {
      pool="$1"
      "zpool" list "$pool" >/dev/null 2>/dev/null
    }
    poolImport() {
      pool="$1"
      "zpool" import -d "/dev/disk/by-id/" -N $ZFS_FORCE "$pool"
    }
    echo -n "importing root ZFS pool \"ZFS-primary\"..."
    # Loop across the import until it succeeds, because the devices needed may not be discovered yet.
    if ! poolImported "ZFS-primary"; then
      for trial in `seq 1 60`; do
        poolReady "ZFS-primary" > /dev/null && msg="$(poolImport "ZFS-primary" 2>&1)" && break
        sleep 1
        echo -n .
      done
      echo
      if [[ -n "$msg" ]]; then
        echo "$msg";
      fi
      poolImported "ZFS-primary" || poolImport "ZFS-primary"  # Try one last time, e.g. to import a degraded pool.
    fi
    # let root mount and everything, then manually unlock stuff
    load_zfs_nix() {
      local device="/dev/disk/by-uuid/8bfaa32b-09dd-45c8-831e-05e80be82f9e"
      local mountPoint="/"
      local options="x-initrd.mount,noatime,nodiratime"
      local fsType="ext4"
      echo "manually mounting key location, then unmounting"
      udevadm settle
      mountFS "$device" "$(escapeFstab "$mountPoint")" "$(escapeFstab "$options")" "$fsType"
      zfs load-key -L "file://$targetRoot/crypto/keys/zfs-nix-store-key" "ZFS-primary/nix"
      umount "$targetRoot/"
    }
    load_zfs_nix
  '';
 }
--- a/treefmt.toml
+++ b/treefmt.toml
@@ -12,3 +12,21 @@ command = "nixfmt"
 #options = []
 # Glob pattern of files to include
 includes = [ "*.nix" ]
 [formatter.jsonfmt]
 command = "jsonfmt"
 excludes = []
 includes = ["*.json"]
 options = ["-w"]
 [formatter.shfmt]
 command = "shfmt"
 excludes = []
 includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
 options = ["-i", "2", "-s", "-w"]
 [formatter.yamlfmt]
 command = "yamlfmt"
 excludes = []
 includes = ["*.yaml", "*.yml"]
 options = ["-formatter","indent=4"]
--- a/users/alice/home.nix
+++ b/users/alice/home.nix
@@ -16,6 +16,7 @@
      ./home/gammastep.nix
      ./home/doom
      ./home/hypr
      ./home/waybar.nix
      ./non-server.nix
    ];
@@ -51,12 +52,15 @@
      nil
      # useful tools
      file
      sqlite
      ncdu
      neofetch
      onefetch
      hyfetch
      smartmontools
      wget
      glances
      obsidian
      onefetch
      # Rust packages
@@ -65,6 +69,7 @@
      diesel-cli
      tealdeer
      helix
      ripunzip
      # nix specific packages
      nix-output-monitor
@@ -105,7 +110,7 @@
    eza = {
      enable = true;
-      icons = true;
+      icons = "auto";
      git = true;
    };
@@ -136,6 +141,7 @@
            "system"
            "nix"
            "shell"
            "poetry"
          ];
        };
      };
@@ -160,11 +166,17 @@
    };
  };
-  sops = {
+  sops = lib.mkIf (!machineConfig.server) {
    age.sshKeyPaths = [ "/home/alice/.ssh/id_ed25519_sops" ];
    defaultSopsFile = ./secrets.yaml;
    secrets."alice/wakatime-api-key".path = "/home/alice/.config/doom/wakatime";
  };
  nix.gc = {
    automatic = true;
    frequency = "weekly";
    options = "--delete-older-than 30d";
  };
  home.stateVersion = "23.11";
 }
--- a/users/alice/home/doom/custom.el
+++ b/users/alice/home/doom/custom.el
@@ -19,3 +19,6 @@
 (setq! lsp-enable-suggest-server-download nil)
 ;; (keychain-refresh-environment)
 (setq! lsp-nix-nil-max-mem 20000)
 (setq! lsp-nix-nil-formatter ["nixfmt"])
--- a/users/alice/home/doom/init.el
+++ b/users/alice/home/doom/init.el
@@ -133,7 +133,7 @@
       ;;fsharp            ; ML stands for Microsoft's Language
       ;;fstar             ; (dependent) types and (monadic) effects and Z3
       ;;gdscript          ; the language you waited for
-       ;;(go +lsp +tree-sitter)         ; the hipster dialect
+       (go +lsp +tree-sitter)         ; the hipster dialect
       ;;(graphql +lsp)    ; Give queries a REST
       ;;(haskell +lsp)    ; a language that's lazier than I am
       ;;hy                ; readability of scheme w/ speed of python
--- a/users/alice/home/git.nix
+++ b/users/alice/home/git.nix
@@ -11,15 +11,15 @@
    userName = "ahuston-0";
    aliases = {
      gone = ''
-        !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
+        !git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
-                        awk '$2 == "[gone]" {print $1}' | # get nuked branches
+                        awk 'NF < 2 {print $1}' | # get nuked branches
                        grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
                        sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-                        xargs -r git branch -D; # nuke the branches
+                        xargs -r git branch -D # nuke the branches
-        # git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
+        # !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
-        #                 awk 'NF < 2 {print $1}' | # get nuked branches
+        #                 awk '$2 == "[gone]" {print $1}' | # get nuked branches
        #                 grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
        #                 sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-        #                 xargs -r git branch -D # nuke the branches
+        #                 xargs -r git branch -D; # nuke the branches #
      '';
    };
    extraConfig = {
@@ -27,6 +27,7 @@
      pull.rebase = true;
      color.ui = true;
      init.defaultBranch = "main";
      format.signoff = true;
    };
  };
 }
--- a/users/alice/home/hypr/default.nix
+++ b/users/alice/home/hypr/default.nix
@@ -8,5 +8,11 @@
 {
  xdg.configFile = {
    "hypr/hyprland.conf".source = ./hyprland.conf;
    "hypr/show-hide.sh".source = ./show-hide.sh;
  };
  imports = [
    ./hyprlock.nix
    ./hypridle.nix
  ];
 }
--- a/users/alice/home/hypr/hypridle.nix
+++ b/users/alice/home/hypr/hypridle.nix
@@ -0,0 +1,47 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  services.hypridle = {
    enable = true;
    settings = {
      general = {
        lock_cmd = "pidof hyprlock || hyprlock --immediate --immediate-render"; # avoid starting multiple hyprlock instances.
        before_sleep_cmd = "loginctl lock-session"; # lock before suspend.
        after_sleep_cmd = "hyprctl dispatch dpms on"; # to avoid having to press a key twice to turn on the display.
      };
      listener = [
        {
          timeout = 150; # 2.5min.
          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore.
        }
        # turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
        {
          timeout = 150; # 2.5min.
          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
        }
        {
          timeout = 300; # 5min
          on-timeout = "loginctl lock-session"; # lock screen when timeout has passed
        }
        {
          timeout = 330; # 5.5min
          on-timeout = "hyprctl dispatch dpms off"; # screen off when timeout has passed
          on-resume = "hyprctl dispatch dpms on"; # screen on when activity is detected after timeout has fired.
        }
        {
          timeout = 1800; # 30min
          on-timeout = "systemctl suspend"; # suspend pc
        }
      ];
    };
  };
 }
--- a/users/alice/home/hypr/hyprland.conf
+++ b/users/alice/home/hypr/hyprland.conf
@@ -20,6 +20,10 @@ monitor=,preferred,auto,auto
 # Execute your favorite apps at launch
 # exec-once = waybar & hyprpaper & firefox
 exec-once = wired &
 exec-once = wired
 exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
 # Source a file (multi-file configs)
 # source = ~/.config/hypr/myColors.conf
@@ -77,10 +81,12 @@ decoration {
        passes = 1
    }
-    drop_shadow = yes
+    shadow {
-    shadow_range = 4
+        enabled = yes
-    shadow_render_power = 3
+        range = 4
-    col.shadow = rgba(1a1a1aee)
+        render_power = 3
        color = rgba(1a1a1aee)
    }
 }
 animations {
@@ -191,7 +197,7 @@ bindm = $mainMod, mouse:273, resizewindow
 # screenshots
 bind = $mainMod, A, exec, grimblast copy area
-bind = $mainMod SHIFT, A, exec, grimblast save area "~/Pictures/Screenshots/screenshot_$(date +%Y-%m-%d-%H%M ).png"
+bind = $mainMod SHIFT, A, exec, grimblast save area "/home/alice/Pictures/Screenshots/screenshot_$(date +%Y-%m-%d-%H%M ).png"
 # zoom issue
 bind = $mainMod, K, exec, pkill zoom; zoom
@@ -201,3 +207,10 @@ bind = $mainMod, escape, exec, hyprctl reload
 # open bwm
 bind = $mainMod, P, exec, bwm
 # lock screen
 bind = $mainMod, L, exec, loginctl lock-session
 # hide active window
 bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
 # show hide window
 bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s
--- a/users/alice/home/hypr/hyprlock.nix
+++ b/users/alice/home/hypr/hyprlock.nix
@@ -0,0 +1,89 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  programs.hyprlock = {
    enable = true;
    settings = {
      general = {
        immediate_render = true;
        # disabling as config doesn't exist
        #no_fade_in = true;
      };
      background = {
        monitor = "";
        # path = /home/me/someImage.png   # supports png, jpg, webp (no animations, though)
        path = lib.mkForce "screenshot";
        # disabling due to stylix
        # color = "rgba(25, 20, 20, 1.0)";
        # all these options are taken from hyprland, see https://wiki.hyprland.org/Configuring/Variables/#blur for explanations
        blur_passes = 3; # 0 disables blurring
        blur_size = 7;
        noise = 1.17e-2;
        contrast = 0.8916;
        brightness = 0.8172;
        vibrancy = 0.1696;
        vibrancy_darkness = 0.0;
      };
      image = {
        monitor = "";
        path = "/home/alice/Pictures/PXL_20240408_192537608-EDIT.jpg";
        size = 350; # lesser side if not 1:1 ratio
        rounding = -1; # negative values mean circle
        border_size = 4;
        border_color = "rgb(221, 221, 221)";
        rotate = 0; # degrees, counter-clockwise
        reload_time = -1; # seconds between reloading, 0 to reload with SIGUSR2
        reload_cmd = ""; # command to get new path. if empty, old path will be used. don't run "follow" commands like tail -F
        position = "0, 100";
        halign = "center";
        valign = "center";
      };
      input-field = {
        monitor = "";
        size = "400, 50";
        outline_thickness = 3;
        dots_size = 0.33; # Scale of input-field height, 0.2 - 0.8
        dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
        dots_center = false;
        dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
        # disabling as config doesn't exist
        # dots_fade_time = 200; # Milliseconds until a dot fully fades in
        dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
        # disabling due to stylix
        # outer_color = "rgb(151515)";
        # inner_color = "rgb(200, 200, 200)";
        # font_color = "rgb(10, 10, 10)";
        font_family = "Noto Sans"; # Font used for placeholder_text, fail_text and dots_text_format.
        fade_on_empty = false;
        fade_timeout = 1000; # Milliseconds before fade_on_empty is triggered.
        placeholder_text = "<i>Input Password...</i>"; # Text rendered in the input box when it's empty.
        hide_input = false;
        rounding = -1; # -1 means complete rounding (circle/oval)
        #check_color = "rgb(204, 136, 34)";
        #fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
        fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
        fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
        # disabling as config doesn't exist
        #fail_transition = 300; # transition time in ms between normal outer_color and fail_color
        capslock_color = -1;
        numlock_color = -1;
        bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)
        invert_numlock = false; # change color if numlock is off
        swap_font_color = false; # see below
        position = "0, -200";
        halign = "center";
        valign = "center";
      };
    };
  };
 }
--- a/users/alice/home/hypr/show-hide.sh
+++ b/users/alice/home/hypr/show-hide.sh
@@ -0,0 +1,25 @@
 #!/usr/bin/env bash
 stack_file="/tmp/hide_window_pid_stack.txt"
 function hide_window() {
  pid=$(hyprctl activewindow -j | jq '.pid')
  hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
  echo "$pid" >>$stack_file
 }
 function show_window() {
  pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
  [ -z "$pid" ] && exit
  current_workspace=$(hyprctl activeworkspace -j | jq '.id')
  hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
 }
 if [ -n "$1" ]; then
  if [ "$1" == "h" ]; then
    hide_window >>/dev/null
  else
    show_window >>/dev/null
  fi
 fi
--- a/users/alice/home/waybar.json
+++ b/users/alice/home/waybar.json
@@ -0,0 +1,40 @@
 [
  {
    "height": 20,
    "layer": "top",
    "position": "top",
    "output": [
      "eDP-2",
      "eDP-1",
      "HDMI-0",
      "DP-0"
    ],
    "hyprland/workspaces": {
      "active-only": true,
      "all-outputs": false,
      "show-special": true,
      "move-to-monitor": true,
      "format": "{icon} {windows}",
      "format-window-separator": " ",
      "format-icons": {
        "1": "󰎤",
        "2": "󰎧",
        "3": "󰎪",
        "default": "",
        "empty": "󱓼",
        "urgent": "󱨇"
      },
      "persistent-workspaces": {
        "1": "HDMI-0"
      },
      "on-scroll-down": "hyprctl dispatch workspace e-1",
      "on-scroll-up": "hyprctl dispatch workspace e+1",
      "window-rewrite": {
        "title<Steam>": ""
      },
      "window-rewrite-default": "",
      "window-rewrite-separator": " ",
      "sort-by": "number"
    }
  }
 ]
--- a/users/alice/home/waybar.nix
+++ b/users/alice/home/waybar.nix
@@ -2,6 +2,6 @@
 lib.mkIf (!machineConfig.server) {
  programs.waybar = {
    enable = true;
-    #settings = builtins.fromJSON (import ./waybar.json);
+    settings = builtins.fromJSON (builtins.readFile ./waybar.json);
  };
 }
--- a/users/alice/home/zsh.nix
+++ b/users/alice/home/zsh.nix
@@ -52,12 +52,16 @@
    shellAliases = {
      "sgc" = "sudo git -C /root/dotfiles";
      ## SSH
-      "ssh-init" = "ssh-add -t 2h  ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails  ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
+      "ssh-init" =
        "ssh-add -t 2h  ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails  ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
      ## Backups
-      "borgmatic-backup-quick" = "sudo borgmatic --log-file-verbosity 2 -v1 --progress --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_checkless.yaml";
+      "borgmatic-backup-quick" =
-      "borgmatic-backup-full" = "sudo borgmatic --log-file-verbosity 2 -v1 --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_full_arch.yaml";
+        "sudo borgmatic --log-file-verbosity 2 -v1 --progress --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_checkless.yaml";
-      "umount-backup" = "sudo borgmatic umount --mount-point /home/alice/backup -c /etc/borgmatic/config_checkless.yaml";
+      "borgmatic-backup-full" =
        "sudo borgmatic --log-file-verbosity 2 -v1 --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_full_arch.yaml";
      "umount-backup" =
        "sudo borgmatic umount --mount-point /home/alice/backup -c /etc/borgmatic/config_checkless.yaml";
      "restic-backup" = "/home/alice/Scripts/restic/backup.sh";
      ## VPN
@@ -89,7 +93,8 @@
      # applications (rofi entries)
      "ARMEclipse" = "nohup /opt/DS-5_CE/bin/eclipse &";
      "Wizard101-old" = "prime-run playonlinux --run Wizard\\ 101";
-      "Wizard101" = "prime-run ~/.wine/drive_c/ProgramData/KingsIsle Entertainment/Wizard101/Wizard101.exe";
+      "Wizard101" =
        "prime-run ~/.wine/drive_c/ProgramData/KingsIsle Entertainment/Wizard101/Wizard101.exe";
      "Pirate101" = "prime-run playonlinux --run Pirate\\ 101";
      "octave" = "prime-run octave --gui";
      "pc-firefox" = "proxychains firefox -P qbit -no-remote -P 127.0.0.1:9050";
--- a/users/alice/non-server.nix
+++ b/users/alice/non-server.nix
@@ -3,7 +3,7 @@
 {
  programs.emacs = {
    enable = true;
-    package = pkgs.emacs29-pgtk;
+    package = pkgs.emacs30-pgtk;
  };
  home.packages = with pkgs; [
    cmake
@@ -49,6 +49,9 @@
    hunspellDicts.en-us
    languagetool
    # latex
    texlive.combined.scheme-medium
    # dependencies for nix-dotfiles/hydra-check-action
    nodejs_20
    nodePackages.prettier
@@ -59,6 +62,8 @@
    bitwarden-menu
    wtype
    zathura
-
+    obsidian
    libreoffice-qt-fresh
    wlr-randr
  ];
 }
--- a/users/alice/secrets.yaml
+++ b/users/alice/secrets.yaml
@@ -4,6 +4,11 @@ alice:
    #ENC[AES256_GCM,data:vUMcowHjlQA0RWflfaQhZKkalO39epYi6N9PPW8=,iv:6DFqHlQR+mi+ZkfMUhlhwvpMwnxXNfQV6+sYgPzSj4I=,tag:Pz1zJayscGckPO8Q2ZVb4g==,type:comment]
    gha-hydra-token: ENC[AES256_GCM,data:rYDYIn7MAF4pSZQj+Nln2z9J+AxvuSzumthL86njpKETutArrw+9iX2hHJt5t513NHH03tMtZOFqM60/pzWg4YXVQOSpQmq8QOelD7qCdfCr4Z2QSeOHqXqwKy21iWtoVbxOXWunVxLzkWMJrpHkpVsiBA75Nv66ftKEjN80QNGik6xQE1iPsCB2JHeqYNIr8gtPkCr7H5Pt4yBBO/1rsyONrbNlwmzVX78eqXxmc43XOiNVjEsk8ekJxJ9mn5S6JcPNehBcnZA0kWAIxvtDIPYKnz4YBIXoilBbjgytXL8nw3PkEX27x5yeg9KfxPxO/4CGoi5wfKsYuEynBdWbHtj6a3H0AvA9KIZzktTRNJFU3ZW8UveSCXY4YHl0NREJ8kbIUgkkE7PWeyzGenGFTPMahTA0rKSa+tWPQ1c00lvo9VS3/7pfeJfZEKS7R2xBaEDZrfffHyB5PLTQOGpWl5y40wTn4HdBlyQwoREvobOaKVZEyWtVvJcUeHDPepgEHGVDzwyTelX8Btb6ZNA0Fur8xvpkLZcLmMhbvCdkjq84ztJ36nQQ5JZthecyqcZTWPyfWtPeoUPVIaxn31oLjwsriDwdQmID6twTjC9PT8nBZD/u0JebOCdeYf8fm9q49SaN2w/ZMdSRWucHUsRXeN9O149vYoOqR28H+8v/tYJdqofJpHKrIBs=,iv:GcEV6f4rqkrpCafeaLNMqqU/vBNE0xHbqokL2gMXHYw=,tag:sCHvUgq1w8npedjIAninrA==,type:str]
    wakatime-api-key: ENC[AES256_GCM,data:ITu5pRySYGCJ6q9IQ35NfpGX2FyIJRYHGDeBiq0btzIrqitxcFox1Vc=,iv:HsXpyFHV7dG5qORk26BtD+kFo4Jdq2c4fozMpoqyDfU=,tag:uaQoXvvYqNfmRXVDVH8AoQ==,type:str]
    attic-nix-cache-creator: ENC[AES256_GCM,data:P0iBdy4IYrxcq7v4wTgwwZvAfVdRFo08pi0zvpY9cP9BDCwbBnp+3qDKWL29rC7OxsaLtmRkvPmbkF3ZX3Yu5OaptwVg2Xi0vNqhk3gu5Fdj8ygPigB0ZtimkfWv1QkctoVoXKXuLv6Xd4XKPCWOOIekWlJsBRcyfyzkyFURkU9tBBkXyEAWItho/J8hJr6r00eA3EN4rTe8Ge+PGpfTfpZVpnoGrC35xPnGLq19+b44DectHDTkMZrZKxiCaVIgKUZDLaFgi6a6PsX+L1HQAIZukXJu3m4BPdvzzby+zgX24pVJOYjAUB2BwO9jUlMS6+7qo0p6k01uLicryfKx/ajdAHcy39tFHX7naA4JriC2/FgI2HlFGp0Lc+g0pfdCYwLs5QBfRaOHyrbFWUDG,iv:OBrgnewqBaug00ygAXs0eFs3LqcHqo1EW96N5I38A0o=,tag:V+Gn47O6AH1RwL9qJLpAkw==,type:str]
    attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
    attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
    attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
    gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -37,8 +42,8 @@ sops:
            ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
            7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-20T23:15:03Z"
+    lastmodified: "2025-03-18T22:08:52Z"
-    mac: ENC[AES256_GCM,data:VnLd4N2l7JTKA7f4eh9EKilW2f8mmEmLc06WbHASOn6N+MIGPHwyLjLbPVECuXiVl95cs0+uWsFOPEbLiS6XTB/gZE1OZMYqk0x7FVkQNxMdWwcVAQnncC6i/cdBTAx+GW1iF6Cf2eLY1wNNiASk/Bz8u3r4UJ4QFXuMovPsfxw=,iv:Cr1bAYrwlK+ClRFDsiUdEIqXDU7onubthDEQDlTM3S4=,tag:EyfcNB0xKrFRjbp517akpg==,type:str]
+    mac: ENC[AES256_GCM,data:3Hr8FyzfZvvtyusqdDOjggDGFlBwyOq2VND+/jtNbY5i5JPK+qTkamn98IKkcHSPooaIVzEAek91fZDo90mYRhCzEwfbLATmFXPHsZHUg+5nD8VzcNUWQDb2/ey4RPhzTMtXfY9v9wdIcTdBKYKSZ61puptSX8nJ2S74ag6B5AY=,iv:J+VxUvwWE496DqTsVXdlpxgkf8zGT9uDvt6RLrmc0n0=,tag:X2Qg3DDzOTBDqo+6eQPHvw==,type:str]
    pgp:
        - created_at: "2024-09-05T06:10:22Z"
          enc: |-
@@ -53,4 +58,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.4
--- a/utils/attic-push.bash
+++ b/utils/attic-push.bash
@@ -0,0 +1,26 @@
 #!/usr/bin/env nix
 #! nix shell nixpkgs#bash nixpkgs#jq nixpkgs#gnused nixpkgs#nixVersions.latest nixpkgs#attic-client --command bash
 #set -x
 #set -v
 set -e
 # retrieve all paths under 2G
 # nix_paths=$(nix path-info --json --all --closure-size \
 #   | jq 'map_values(.closureSize | select(. < 2e9)) | to_entries | sort_by(.value)' \
 #   | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
 # retrieve all paths
 nix_paths=$(nix path-info --json --all --closure-size |
  jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
  jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
 readarray -t nix_path_array < <(echo "$nix_paths")
 batchsize=1000
 for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
  part=("${nix_path_array[@]:i:batchsize}")
  attic push nix-cache "${part[@]}"
 done
--- a/utils/attic-token.bash
+++ b/utils/attic-token.bash
@@ -0,0 +1,36 @@
 #!/usr/bin/env bash
 if (($# != 3)); then
  echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
  exit 1
 fi
 cache="$1"
 cache_pattern="$2"
 token_type="$3"
 case $token_type in
 "cache-creator")
  atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
    --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
    --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
    --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
  ;;
 "admin")
  atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
    --push "$cache_pattern" --configure-cache "$cache_pattern" \
    --configure-cache-retention "$cache_pattern"
  ;;
 "writer")
  atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
    --push "$cache_pattern"
  ;;
 "reader")
  atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
  ;;
 *)
  echo "invalid token type: $token_type"
  echo "available options: cache-creator, admin, writer, reader"
  exit 1
  ;;
 esac
--- a/utils/diff-evals.sh
+++ b/utils/diff-evals.sh
@@ -10,15 +10,4 @@ set -e
 script_path=$(dirname "$(readlink -f $0)")
 parent_path=$(dirname "$script_path")
-readarray -t pre_drv < "$parent_path/pre-drv"
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --compare-drvs --compare-output-to-file "$parent_path"
 readarray -t post_drv < "$parent_path/post-drv"
 post_drv_path="$parent_path/post-diff"
 # cleanup any files with the same name
 rm "$post_drv_path" || true
 touch "$post_drv_path"
 for i in $(seq 0 $(( "${#pre_drv[@]}" -1 ))); do
    echo "Diffing updates to $(echo "${pre_drv[$i]}" | cut -f 2- -d '-')" >> "$post_drv_path"
    nvd diff "${pre_drv[$i]}" "${post_drv[$i]}" >> "$post_drv_path"
 done
--- a/utils/eval-to-drv.sh
+++ b/utils/eval-to-drv.sh
@@ -8,15 +8,12 @@ set -v
 set -e
 if [ "$#" -ne 1 ]; then
-    echo "$0 (pre|post)"
+  echo "$0 (pre|post)"
-    exit 1
+  exit 1
 fi
 script_path=$(dirname "$(readlink -f $0)")
 parent_path=$(dirname "$script_path")
-out_path="$parent_path/$1-drv"
+out_path="$parent_path/$1.json"
-
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --json "$out_path" "$parent_path"
 drv=$(nix flake check --verbose 2> >(grep -P -o "derivation evaluated to (/nix/store/.*\.drv)" | grep -P -o "/nix/store/.*\.drv"))
 echo "$drv" > "$out_path"
--- a/utils/fetch-docker.sh
+++ b/utils/fetch-docker.sh
@@ -14,12 +14,10 @@ parent_path=$(dirname "$script_path")
 # relpath is the relative path to the parent_path where you want the file written
 # format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
 images=(
-    # commented out until palatine-hill docker changes are live
+  "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
    "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
 )
 IFS=","
 while read -r name tag arch os relpath; do
-    nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath"
+  nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
-    git --no-pager diff "$parent_path/$relpath"
+  git --no-pager diff "$parent_path/$relpath"
-done<<< "${images[@]}"
+done <<<"${images[@]}"
--- a/utils/manual-update.sh
+++ b/utils/manual-update.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-set -e 
+set -e
 set -v
 set -x
--- a/utils/sops-mergetool-new.sh
+++ b/utils/sops-mergetool-new.sh
@@ -0,0 +1,67 @@
 #!/usr/bin/env bash
 # Rename CLI parameters to friendlier names
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
 base="$1"
 local_="$2"
 remote="$3"
 merged="$4"
 # Load the mergetool scripts
 TOOL_MODE=merge
 source "$(git --exec-path)/git-mergetool--lib"
 mergetool=$(get_merge_tool)
 setup_tool "${mergetool}"
 # Create file names for decrypted contents
 #   example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
 extension=".${base##*.}"
 base_decrypted="${base/$extension/.decrypted$extension}"
 local_decrypted="${local_/$extension/.decrypted$extension}"
 remote_decrypted="${remote/$extension/.decrypted$extension}"
 merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
 backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
 # If anything goes wrong, then delete our decrypted files
 handle_trap_exit() {
  rm $base_decrypted || true
  rm $local_decrypted || true
  rm $remote_decrypted || true
  rm $merged_decrypted || true
  rm $backup_decrypted || true
 }
 trap handle_trap_exit EXIT
 # Decrypt our file contents
 sops --decrypt --show-master-keys "$base" >"$base_decrypted"
 sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
 sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
 # Create a merge-diff to compare against
 git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
 cp "$merged_decrypted" "$backup_decrypted"
 # Set up variables for the mergetool
 # https://github.com/git/git/blob/v2.8.2/mergetools/meld
 # https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
 LOCAL="$local_decrypted"
 BASE="$base_decrypted"
 REMOTE="$remote_decrypted"
 MERGED="$merged_decrypted"
 BACKUP="$backup_decrypted"
 # Override `check_unchanged` with a custom script
 check_unchanged() {
  # If the contents haven't changed, then fail
  if test "$MERGED" -nt "$BACKUP"; then
    return 0
  else
    exit 1
  fi
 }
 # Run the mergetool
 run_merge_tool "${mergetool}" true
 # Re-encrypt content
 sops --encrypt "$merged_decrypted" >"$merged"
--- a/utils/sops-mergetool.sh
+++ b/utils/sops-mergetool.sh
@@ -1,17 +1,27 @@
 #!/usr/bin/env bash
 # Exit on first error and verify variables have been set/passed via CLI
-set -eu
+#set -eu
 set -v
 set -x
 # Rename our variables to friendlier equivalents
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
-base="$1"; local_="$2"; remote="$3"; merged="$4"
+base="$1"
 local_="$2"
 remote="$3"
 merged="$4"
 echo "$base"
 echo "$local_"
 echo "$remote"
 echo "$merged"
 # Resolve our default mergetool
 # https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
 mergetool="$(git config --get merge.tool)"
 GIT_DIR="$(git --exec-path)"
 if test "$mergetool" = ""; then
-  echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
+  echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
  exit 1
 fi
@@ -25,7 +35,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
 backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
 # If anything goes wrong, then delete our decrypted files
-handle_trap_exit () {
+handle_trap_exit() {
  rm $base_decrypted || true
  rm $local_decrypted || true
  rm $remote_decrypted || true
@@ -35,13 +45,13 @@ handle_trap_exit () {
 trap handle_trap_exit EXIT
 # Decrypt our file contents
-sops --decrypt --show-master-keys "$base" > "$base_decrypted"
+sops --decrypt --show-master-keys "$base" >"$base_decrypted"
-sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
+sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
-sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
+sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
 # Create a merge-diff to compare against
 set +e
-git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
 set -e
 cp "$merged_decrypted" "$backup_decrypted"
@@ -59,7 +69,7 @@ source "$GIT_DIR/git-mergetool--lib"
 source "$GIT_DIR/mergetools/$mergetool"
 # Override `check_unchanged` with a custom script
-check_unchanged () {
+check_unchanged() {
  # If the contents haven't changed, then fail
  if test "$MERGED" -nt "$BACKUP"; then
    return 0
@@ -75,5 +85,4 @@ merge_cmd
 set -eu
 # Re-encrypt content
-sops --encrypt "$merged_decrypted" > "$merged"
+sops --encrypt "$merged_decrypted" >"$merged"