add sqlite for restores

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
add token to cache-merge
2025-03-10 12:33:33 -04:00 · 2025-03-10 09:49:19 -04:00 · 2025-03-10 09:48:44 -04:00 · 2025-03-10 01:23:20 -04:00 · 2025-03-10 01:06:56 -04:00 · 2025-03-10 00:48:57 -04:00
86 changed files with 3884 additions and 459 deletions
--- a/.gitconfig
+++ b/.gitconfig
@ -1,6 +1,11 @@
 # run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
 # run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
 # if for whatever reason the below doesn't work, try modifying the mergetool command as below
 #   find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
 #   replace: ./utils/sops-mergetool.sh
 [mergetool "sops-mergetool"]
-        cmd = bash -c "$(git --exec-path)/sops-mergetool.sh \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\""
+	cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
 [merge]
-	tool = nvimdiff3
+	tool = nvimdiff
 [mergetool "nvimdiff"]
 	layout = MERGED
--- a/.github/workflows/cache-merge.yml
+++ b/.github/workflows/cache-merge.yml
@ -0,0 +1,90 @@
 name: Nix CI
 on:
  push:
    # don't run on tags, run on commits
    # https://github.com/orgs/community/discussions/25615
    tags-ignore:
      - "**"
    branches:
      - main
  merge_group:
  schedule:
    - cron: 0 0 * * *
  workflow_dispatch:
 jobs:
  # Merge similar `individual` caches
  # Purge `individual` caches and old `common` caches
  # Save new `common` caches
  merge-similar-caches:
    name: Merge similar caches
    strategy:
      matrix:
        os: [ubuntu-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout this repo
        uses: actions/checkout@v4
      - name: Install nix
        uses: https://github.com/DeterminateSystems/nix-installer-action@main
      - run: nix profile install nixpkgs#sqlite
      - uses: nix-community/cache-nix-action@v6
        name: create and purge common cache
        with:
          primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
          # if no hit on the primary key, restore individual caches that match `ci.yaml`
          restore-prefixes-all-matches: |
            similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
          # do purge caches
          purge: true
          # purge old versions of the `common` cache and any versions of individual caches
          purge-prefixes: |
            similar-cache-${{ matrix.os }}-common-
          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
          purge-created: 0
          # except the version with the `primary-key`, if it exists
          purge-primary-key: never
          token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
      - uses: nix-community/cache-nix-action@v6
        name: purge some individual caches
        with:
          primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
          # if no hit on the primary key, restore individual caches that match `ci.yaml`
          restore-prefixes-all-matches: |
            similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
          # do purge caches
          purge: true
          # purge old versions of the `common` cache and any versions of individual caches
          purge-prefixes: |
            similar-cache-${{ matrix.os }}-individual-
          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
          purge-created: 259200
          # except the version with the `primary-key`, if it exists
          purge-primary-key: never
          token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
  # Check that the `common` cache is restored correctly
  merge-similar-caches-check:
    name: Check a `common` cache is restored correctly
    needs: merge-similar-caches
    strategy:
      matrix:
        os: [ubuntu-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout this repo
        uses: actions/checkout@v4
      - name: Install nix
        uses: https://github.com/DeterminateSystems/nix-installer-action@main
      - run: nix profile install nixpkgs#sqlite
      - name: Restore Nix store
        uses: nix-community/cache-nix-action@v6
        with:
          primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
--- a/.github/workflows/flake-health-checks.yml
+++ b/.github/workflows/flake-health-checks.yml
@ -15,6 +15,80 @@ jobs:
        os: [ubuntu-latest]
    steps:
      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+
      - uses: actions/checkout@v4
      - run: nix profile install nixpkgs#sqlite
      - name: Restore Nix store
        id: restore
        uses: nix-community/cache-nix-action@v6
        with:
          # save a new cache every time `ci.yaml` changes
          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
          # otherwise, restore a common cache if and only if it matches the current `ci.yaml`
          restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
          cache: ${{ secrets.ATTIC_CACHE }}
          token: ${{ secrets.ATTIC_TOKEN }}
          skip-push: "true"
      - run: nix flake check --accept-flake-config
      - run: nix ./utils/attic-push.bash
  build-checks:
    name: "Build nix outputs"
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest]
    steps:
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: actions/checkout@v4
      - run: nix profile install nixpkgs#sqlite
      - name: Restore Nix store
        id: restore
        uses: nix-community/cache-nix-action@v6
        with:
          # save a new cache every time `ci.yaml` changes
          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
          # otherwise, restore a common cache if and only if it matches the current `ci.yaml`
          restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
          cache: ${{ secrets.ATTIC_CACHE }}
          token: ${{ secrets.ATTIC_TOKEN }}
          skip-push: "true"
      - name: Build all outputs
        run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
      - name: Push to Attic
        run: nix ./utils/attic-push.bash
        continue-on-error: true
      - name: Save Nix store
        if: steps.restore.outputs.hit == 'false'
        uses: nix-community/cache-nix-action@v6
        with:
          # save a new cache every time `ci.yaml` changes
          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
          # do purge caches
          purge: true
          # purge all versions of the individual cache
          purge-prefixes: similar-cache-${{ matrix.os }}-individual-
          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
          purge-created: 0
          # except the version with the `primary-key`, if it exists
          purge-primary-key: never
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@ -5,33 +5,59 @@ on:
  schedule:
    - cron: "00 12 * * *"
 jobs:
-  createPullRequest:
+  update_lockfile:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
    steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
-      - name: Login to Docker Hub
+        uses: actions/checkout@v4
-        uses: docker/login-action@v3
+
      - name: Install nix
        uses: https://github.com/DeterminateSystems/nix-installer-action@main
      - run: nix profile install nixpkgs#sqlite
      - name: Restore Nix store
        id: restore
        uses: nix-community/cache-nix-action@v6
        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          # save a new cache every time `ci.yaml` changes
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
-      - name: Install Nix
+          # otherwise, restore a common cache if and only if it matches the current `ci.yaml`
-        uses: cachix/install-nix-action@v24
+          restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
-          extra_nix_config: |
+          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
-            experimental-features = nix-command flakes
+          cache: ${{ secrets.ATTIC_CACHE }}
-          install_url: https://releases.nixos.org/nix/nix-2.19.0/install
+          token: ${{ secrets.ATTIC_TOKEN }}
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+          skip-push: "true"
-      - name: Calculate pre-drv
+
      - name: Get pre-snapshot of evaluations
        run: nix ./utils/eval-to-drv.sh pre
-      - name: Pull latest docker images
+
-        run: nix ./utils/fetch-docker.sh
+      - name: Update flake.lock
-      - name: Update flake.lock (part 1)
+        id: update
-        run: nix flake update
+        run: |
-      - name: Calculate post-drv
+          nix flake update 2> >(tee /dev/stderr) | awk '
            /^• Updated input/ {in_update = 1; print; next}
            in_update && !/^warning:/ {print}
            /^$/ {in_update = 0}
          ' > update.log
          echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
          cat update.log >> $GITHUB_ENV
          echo "EOF" >> $GITHUB_ENV
          rm update.log
      - name: Get post-snapshot of evaluations
        run: nix ./utils/eval-to-drv.sh post
      - name: Calculate diff
        run: nix ./utils/diff-evals.sh
      - name: Read diff into environment
        run: |
          delimiter="$(openssl rand -hex 8)"
@ -41,27 +67,89 @@ jobs:
          echo "${delimiter}"
          } >> $GITHUB_ENV
-
+      - name: Write PR body template
-      - name: Restore flake.lock for next step
+        uses: https://github.com/DamianReeves/write-file-action@v1.3
        run: git restore flake.lock
      - name: Update flake.lock
        id: update
        uses: DeterminateSystems/update-flake-lock@main
        with:
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+          path: pr_body.template
-          pr-body: |
+          contents: |
-            Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+            - The following Nix Flake inputs were updated:
            ```
-            {{ env.GIT_COMMIT_MESSAGE }}
+            ${{ env.UPDATE_LOG }}
            ```
            ```
            {{ env.POSTDIFF }}
            ```
            Auto-generated by [update.yml][1] with the help of
            [create-pull-request][2].
            [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
            [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
      - name: Generate PR body
        uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
        with:
          files: "pr_body.template"
          output-filename: "pr_body.md"
      - name: Save PR body
        id: pr_body
        uses: juliangruber/read-file-action@v1
        with:
          path: "pr_body.md"
      - name: Remove temporary files
        run: |
          rm pr_body.template
          rm pr_body.md
          rm pre.json
          rm post.json
          rm post-diff
      - name: Create Pull Request
        id: create-pull-request
        # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
        uses: https://nayeonie.com/ahuston-0/create-pull-request@main
        with:
          token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
          body: ${{ steps.pr_body.outputs.content }}
          author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
          title: 'automated: Update `flake.lock`'
          commit-message: |
            automated: Update `flake.lock`
            ${{ steps.pr_body.outputs.content }}
          branch: update-flake-lock
          delete-branch: true
          pr-labels: |                  # Labels to be set on the PR
            dependencies
            automated
      - name: Push to Attic
        run: nix ./utils/attic-push.bash
        continue-on-error: true
      - name: Save Nix store
        uses: nix-community/cache-nix-action@v6
        with:
          # save a new cache every time `ci.yaml` changes
          primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
          # do purge caches
          purge: true
          # purge all versions of the individual cache
          purge-prefixes: similar-cache-${{ matrix.os }}-individual-
          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
          purge-created: 0
          # except the version with the `primary-key`, if it exists
          purge-primary-key: never
      - name: Print PR number
        run: |
          echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 permissions:
  pull-requests: write
  contents: write
--- a/.github/workflows/nix-fmt.yml
+++ b/.github/workflows/nix-fmt.yml
@ -12,6 +12,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Setup Attic cache
        uses: ryanccn/attic-action@v0
        with:
          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
          cache: ${{ secrets.ATTIC_CACHE }}
          token: ${{ secrets.ATTIC_TOKEN }}
          skip-push: "true"
      - uses: actions/checkout@v4
      - run: nix fmt -- --check .
      - name: Push to Attic
        run: nix ./utils/attic-push.bash
        continue-on-error: true
--- a/.sops.yaml
+++ b/.sops.yaml
@ -43,4 +43,9 @@ creation_rules:
          - *admin_alice
        age:
          - *artemision
-
+  - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
    key_groups:
      - pgp:
          - *admin_alice
        age:
          - *palatine-hill
--- a/flake.lock
+++ b/flake.lock
@ -1,53 +1,69 @@
 {
  "nodes": {
-    "attic": {
+    "base16": {
      "inputs": {
-        "crane": "crane",
+        "fromYaml": "fromYaml"
        "flake-compat": [
          "flake-compat"
        ],
        "flake-parts": [
          "flake-parts"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
-        "lastModified": 1728577371,
+        "lastModified": 1732200724,
-        "narHash": "sha256-f3bKclEV5t1eP1OH7kTGv/tLzlToSRIe0ktkdl1jihw=",
+        "narHash": "sha256-+R1BH5wHhfnycySb7Sy5KbYEaTJZWm1h+LW1OtyhiTs=",
-        "owner": "zhaofengli",
+        "owner": "SenchoPens",
-        "repo": "attic",
+        "repo": "base16.nix",
-        "rev": "e5c8d2d50981a34602358d917e7be011b2c397a8",
+        "rev": "153d52373b0fb2d343592871009a286ec8837aec",
        "type": "github"
      },
      "original": {
-        "owner": "zhaofengli",
+        "owner": "SenchoPens",
-        "repo": "attic",
+        "repo": "base16.nix",
        "type": "github"
      }
    },
-    "crane": {
+    "base16-fish": {
-      "inputs": {
+      "flake": false,
        "nixpkgs": [
          "attic",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1722960479,
+        "lastModified": 1622559957,
-        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
+        "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
-        "owner": "ipetkov",
+        "owner": "tomyun",
-        "repo": "crane",
+        "repo": "base16-fish",
-        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
+        "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
        "type": "github"
      },
      "original": {
-        "owner": "ipetkov",
+        "owner": "tomyun",
-        "repo": "crane",
+        "repo": "base16-fish",
        "type": "github"
      }
    },
    "base16-helix": {
      "flake": false,
      "locked": {
        "lastModified": 1736852337,
        "narHash": "sha256-esD42YdgLlEh7koBrSqcT7p2fsMctPAcGl/+2sYJa2o=",
        "owner": "tinted-theming",
        "repo": "base16-helix",
        "rev": "03860521c40b0b9c04818f2218d9cc9efc21e7a5",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "base16-helix",
        "type": "github"
      }
    },
    "base16-vim": {
      "flake": false,
      "locked": {
        "lastModified": 1732806396,
        "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=",
        "owner": "tinted-theming",
        "repo": "base16-vim",
        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "base16-vim",
        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
        "type": "github"
      }
    },
@ -62,11 +78,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1728965006,
+        "lastModified": 1740974607,
-        "narHash": "sha256-TXBxJMGC6P+cn5La/lIgVzb9ETutsOI3A3urHihB7FA=",
+        "narHash": "sha256-YbAnhXYYOjG8OHX7v4BGj/tDQiFgkwe4JsqCjbFYjB0=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "f4947cf2d1a469b23fee54ad948c539f6aa431a7",
+        "rev": "093c063a23aa38f31082a554f03899127750aee3",
        "type": "gitlab"
      },
      "original": {
@ -76,14 +92,30 @@
        "type": "gitlab"
      }
    },
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
        "lastModified": 1739223196,
        "narHash": "sha256-vAxN2f3rvl5q62gQQjZGVSvF93nAsOxntuFz+e/655w=",
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
        "rev": "a89108e6272426f4eddd93ba17d0ea101c34fb21",
        "type": "github"
      },
      "original": {
        "owner": "rafaelmardojai",
        "repo": "firefox-gnome-theme",
        "type": "github"
      }
    },
    "flake-compat": {
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1733328505,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "revCount": 57,
+        "revCount": 69,
        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
      },
      "original": {
        "type": "tarball",
@ -95,11 +127,33 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1727826117,
+        "lastModified": 1740872218,
-        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "stylix",
          "nur",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1733312601,
        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
        "type": "github"
      },
      "original": {
@ -115,11 +169,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1731533236,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@ -128,6 +182,69 @@
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": [
          "stylix",
          "systems"
        ]
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "fromYaml": {
      "flake": false,
      "locked": {
        "lastModified": 1731966426,
        "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=",
        "owner": "SenchoPens",
        "repo": "fromYaml",
        "rev": "106af9e2f715e2d828df706c386a685698f3223b",
        "type": "github"
      },
      "original": {
        "owner": "SenchoPens",
        "repo": "fromYaml",
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": [
          "stylix",
          "flake-compat"
        ],
        "gitignore": "gitignore_2",
        "nixpkgs": [
          "stylix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1737465171,
        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
@ -149,6 +266,45 @@
        "type": "github"
      }
    },
    "gitignore_2": {
      "inputs": {
        "nixpkgs": [
          "stylix",
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "gnome-shell": {
      "flake": false,
      "locked": {
        "lastModified": 1732369855,
        "narHash": "sha256-JhUWbcYPjHO3Xs3x9/Z9RuqXbcp5yhPluGjwsdE2GMg=",
        "owner": "GNOME",
        "repo": "gnome-shell",
        "rev": "dadd58f630eeea41d645ee225a63f719390829dc",
        "type": "github"
      },
      "original": {
        "owner": "GNOME",
        "ref": "47.2",
        "repo": "gnome-shell",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -156,11 +312,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728903686,
+        "lastModified": 1740845322,
-        "narHash": "sha256-ZHFrGNWDDriZ4m8CA/5kDa250SG1LiiLPApv1p/JF0o=",
+        "narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e1aec543f5caf643ca0d94b6a633101942fd065f",
+        "rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
        "type": "github"
      },
      "original": {
@ -176,11 +332,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1725551787,
+        "lastModified": 1740923452,
-        "narHash": "sha256-6LgsZHz8w3g4c9bRUwRAR+WIMwFGGf3P1VZQcKNRf2o=",
+        "narHash": "sha256-iQNkVG0368H3kiwSYSs1N6sU7GhHSmx0b9y+Z+eO1+c=",
        "owner": "hyprwm",
        "repo": "contrib",
-        "rev": "1e531dc49ad36c88b45bf836081a7a2c8927e072",
+        "rev": "6f0d5e16c534aeda47d99b4d20bb2a22bfc60c23",
        "type": "github"
      },
      "original": {
@ -196,11 +352,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728790083,
+        "lastModified": 1740886574,
-        "narHash": "sha256-grMdAd4KSU6uPqsfLzA1B/3pb9GtGI9o8qb0qFzEU/Y=",
+        "narHash": "sha256-jN6kJ41B6jUVDTebIWeebTvrKP6YiLd1/wMej4uq4Sk=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "5c54c33aa04df5dd4b0984b7eb861d1981009b22",
+        "rev": "26a0f969549cf4d56f6e9046b9e0418b3f3b94a5",
        "type": "github"
      },
      "original": {
@ -211,11 +367,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1728781282,
+        "lastModified": 1736643958,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
        "type": "github"
      },
      "original": {
@ -232,11 +388,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728867876,
+        "lastModified": 1740947705,
-        "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
+        "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
+        "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
        "type": "github"
      },
      "original": {
@ -247,11 +403,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1728729581,
+        "lastModified": 1740646007,
-        "narHash": "sha256-oazkQ/z7r43YkDLLQdMg8oIB3CwWNb+2ZrYOxtLEWTQ=",
+        "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "a8dd1b21995964b115b1e3ec639dd6ce24ab9806",
+        "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
        "type": "github"
      },
      "original": {
@ -267,15 +423,14 @@
        ],
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "search": "search"
      },
      "locked": {
-        "lastModified": 1728919967,
+        "lastModified": 1741017582,
-        "narHash": "sha256-zQl8z8iagvrekF4tFK1au7mGH8x0zoGppo6geLPioQk=",
+        "narHash": "sha256-2tscHztx6UxqeQTK0U1kLM74+6mSzROMNYJpKRDLMPM=",
        "owner": "SuperSandro2000",
        "repo": "nixos-modules",
-        "rev": "1aba521c9cd2cd97490846ac83fd73ae84625c8a",
+        "rev": "c7c9219eb6ff26c203d22ba733e9e988499290f0",
        "type": "github"
      },
      "original": {
@ -286,39 +441,39 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1728492678,
+        "lastModified": 1740981371,
-        "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
+        "narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
+        "rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1727825735,
+        "lastModified": 1740872140,
-        "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+        "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1728740863,
+        "lastModified": 1735563628,
-        "narHash": "sha256-u+rxA79a0lyhG+u+oPBRtTDtzz8kvkc9a6SWSt9ekVc=",
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a3f9ad65a0bf298ed5847629a57808b97e6e8077",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
        "type": "github"
      },
      "original": {
@ -328,6 +483,29 @@
        "type": "github"
      }
    },
    "nur": {
      "inputs": {
        "flake-parts": "flake-parts_2",
        "nixpkgs": [
          "stylix",
          "nixpkgs"
        ],
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
        "lastModified": 1740408283,
        "narHash": "sha256-2xECnhgF3MU9YjmvOkrRp8wRFo2OjjewgCtlfckhL5s=",
        "owner": "nix-community",
        "repo": "NUR",
        "rev": "496a4a11162bdffb9a7b258942de138873f019f7",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "NUR",
        "type": "github"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": [
@ -336,17 +514,14 @@
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
-        "lastModified": 1728778939,
+        "lastModified": 1740915799,
-        "narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
+        "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
+        "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
        "type": "github"
      },
      "original": {
@ -357,7 +532,6 @@
    },
    "root": {
      "inputs": {
        "attic": "attic",
        "firefox-addons": "firefox-addons",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
@ -373,7 +547,8 @@
        "pre-commit-hooks": "pre-commit-hooks",
        "rust-overlay": "rust-overlay",
        "sops-nix": "sops-nix",
-        "systems": "systems",
+        "stylix": "stylix",
        "systems": "systems_2",
        "wired-notify": "wired-notify"
      }
    },
@ -384,11 +559,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1728959392,
+        "lastModified": 1740969088,
-        "narHash": "sha256-fp4he1QQjE+vasDMspZYeXrwTm9otwEqLwEN6FKZ5v0=",
+        "narHash": "sha256-BajboqzFnDhxVT0SXTDKVJCKtFP96lZXccBlT/43mao=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "4c6e317300f05b8871f585b826b6f583e7dc4a9b",
+        "rev": "20fdb02098fdda9a25a2939b975abdd7bc03f62d",
        "type": "github"
      },
      "original": {
@ -397,46 +572,18 @@
        "type": "github"
      }
    },
    "search": {
      "inputs": {
        "flake-utils": [
          "nixos-modules",
          "flake-utils"
        ],
        "nixpkgs": [
          "nixos-modules",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1728423244,
        "narHash": "sha256-+YwNsyIFj3dXyLVQd1ry4pCNmtOpbceKUrkNS8wp9Ho=",
        "owner": "nuschtos",
        "repo": "search",
        "rev": "f276cc3b391493ba3a8b30170776860f9520b7fa",
        "type": "github"
      },
      "original": {
        "owner": "nuschtos",
        "repo": "search",
        "type": "github"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
-        "lastModified": 1728345710,
+        "lastModified": 1739262228,
-        "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
+        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
+        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
        "type": "github"
      },
      "original": {
@ -445,6 +592,47 @@
        "type": "github"
      }
    },
    "stylix": {
      "inputs": {
        "base16": "base16",
        "base16-fish": "base16-fish",
        "base16-helix": "base16-helix",
        "base16-vim": "base16-vim",
        "firefox-gnome-theme": "firefox-gnome-theme",
        "flake-compat": [
          "flake-compat"
        ],
        "flake-utils": "flake-utils_2",
        "git-hooks": "git-hooks",
        "gnome-shell": "gnome-shell",
        "home-manager": [
          "home-manager"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "nur": "nur",
        "systems": "systems",
        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
        "tinted-schemes": "tinted-schemes",
        "tinted-tmux": "tinted-tmux",
        "tinted-zed": "tinted-zed"
      },
      "locked": {
        "lastModified": 1740959323,
        "narHash": "sha256-UtSKsLCWwA4wPFm7mgl33qeu8sj0on9Hyt3YhDWWkAM=",
        "owner": "danth",
        "repo": "stylix",
        "rev": "489833b201a84488c6b4371a261fdbcafa6abcb6",
        "type": "github"
      },
      "original": {
        "owner": "danth",
        "repo": "stylix",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@ -460,6 +648,125 @@
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tinted-foot": {
      "flake": false,
      "locked": {
        "lastModified": 1726913040,
        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
        "owner": "tinted-theming",
        "repo": "tinted-foot",
        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "tinted-foot",
        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
        "type": "github"
      }
    },
    "tinted-kitty": {
      "flake": false,
      "locked": {
        "lastModified": 1716423189,
        "narHash": "sha256-2xF3sH7UIwegn+2gKzMpFi3pk5DlIlM18+vj17Uf82U=",
        "owner": "tinted-theming",
        "repo": "tinted-kitty",
        "rev": "eb39e141db14baef052893285df9f266df041ff8",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "tinted-kitty",
        "rev": "eb39e141db14baef052893285df9f266df041ff8",
        "type": "github"
      }
    },
    "tinted-schemes": {
      "flake": false,
      "locked": {
        "lastModified": 1740351358,
        "narHash": "sha256-Hdk850xgAd3DL8KX0AbyU7tC834d3Lej1jOo3duWiOA=",
        "owner": "tinted-theming",
        "repo": "schemes",
        "rev": "a1bc2bd89e693e7e3f5764cfe8114e2ae150e184",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "schemes",
        "type": "github"
      }
    },
    "tinted-tmux": {
      "flake": false,
      "locked": {
        "lastModified": 1740272597,
        "narHash": "sha256-/etfUV3HzAaLW3RSJVwUaW8ULbMn3v6wbTlXSKbcoWQ=",
        "owner": "tinted-theming",
        "repo": "tinted-tmux",
        "rev": "b6c7f46c8718cc484f2db8b485b06e2a98304cd0",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "tinted-tmux",
        "type": "github"
      }
    },
    "tinted-zed": {
      "flake": false,
      "locked": {
        "lastModified": 1725758778,
        "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=",
        "owner": "tinted-theming",
        "repo": "base16-zed",
        "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9",
        "type": "github"
      },
      "original": {
        "owner": "tinted-theming",
        "repo": "base16-zed",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "stylix",
          "nur",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1733222881,
        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "wired-notify": {
      "inputs": {
        "flake-parts": [
@ -473,11 +780,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1727849733,
+        "lastModified": 1730615238,
-        "narHash": "sha256-mqxs/nyzOEKiBHa94OtcOLYBXd65P8tO4DUVTHWHn6o=",
+        "narHash": "sha256-u/ZGtyEUvAkFOBgLo2YldOx0GKjE3/esWpWruRD376E=",
        "owner": "Toqozz",
        "repo": "wired-notify",
-        "rev": "a1f6965737754e7424f9468f6befef885a9ee0ad",
+        "rev": "1632418aa15889343028261663e81d8b5595860e",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -5,15 +5,17 @@
    substituters = [
      "https://cache.nixos.org/?priority=1&want-mass-query=true"
      "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
      "https://attic.nayeonie.com/nix-cache"
    ];
    trusted-substituters = [
      "https://cache.nixos.org"
      "https://attic.alicehuston.xyz/cache-nix-dot"
      "https://nix-community.cachix.org"
      "https://attic.nayeonie.com/nix-cache"
    ];
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
    ];
    trusted-users = [ "root" ];
  };
@ -22,19 +24,20 @@
    flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
    flake-parts.url = "github:hercules-ci/flake-parts";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
    systems.url = "github:nix-systems/default";
-    attic = {
+    # attic = {
-      url = "github:zhaofengli/attic";
+    #   url = "github:zhaofengli/attic";
-      inputs = {
+    #   inputs = {
-        nixpkgs.follows = "nixpkgs";
+    #     nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
+    #     nixpkgs-stable.follows = "nixpkgs-stable";
-        flake-compat.follows = "flake-compat";
+    #     flake-compat.follows = "flake-compat";
-        flake-parts.follows = "flake-parts";
+    #     flake-parts.follows = "flake-parts";
-      };
+    #   };
-    };
+    # };
    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@ -81,7 +84,6 @@
      url = "github:cachix/git-hooks.nix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        nixpkgs-stable.follows = "nixpkgs-stable";
        flake-compat.follows = "flake-compat";
      };
    };
@ -97,7 +99,15 @@
      url = "github:Mic92/sops-nix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
+      };
    };
    stylix = {
      url = "github:danth/stylix";
      inputs = {
        flake-compat.follows = "flake-compat";
        home-manager.follows = "home-manager";
        nixpkgs.follows = "nixpkgs";
      };
    };
@ -149,6 +159,10 @@
        qcow = getImages nixosConfigurations "qcow";
      };
      packages.x86_64-linux.lego-latest =
        nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
          { };
      checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
      devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
--- a/lib/container-utils.nix
+++ b/lib/container-utils.nix
@ -0,0 +1,43 @@
 { lib, ... }:
 {
  # Given a attrset of images and a function which generates an image spec,
  # generates a set of containers (although this could in theory be used for
  # other things... I'd like to see people try)
  #
  # container set must be in the below format
  # { container-name = {image = "image-uri"; scale = n;}; }
  # where image-uri gets passed in to the container-spec function as a custom
  # parameter, and scale is an integer that generates the containers
  #
  # container-spec must be a function which accepts two parameter (the
  # container name and image name) and ideally returns an oci-compliant
  # container.
  #
  # args:
  # containers: an AttrSet which specifies the imageUri and scale of each
  #   container
  # container-spec: a function which produces an oci-compliant container spec
  #
  # type:
  # AttrSet -> (String -> AttrSet -> AttrSet) -> AttrSet
  createTemplatedContainers =
    containers: container-spec:
    builtins.listToAttrs (
      lib.flatten (
        lib.mapAttrsToList (
          name: value:
          (map (
            num:
            let
              container-name = "${name}-${toString num}";
            in
            {
              name = container-name;
              value = container-spec container-name value.image;
            }
          ) (lib.lists.range 1 value.scale))
        ) containers
      )
    );
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@ -3,6 +3,7 @@
  # create rad-dev namespace for lib
  rad-dev = rec {
    systems = import ./systems.nix { inherit lib; };
    container-utils = import ./container-utils.nix { inherit lib; };
    # any(), but checks if any value in the list is true
    #
@ -56,5 +57,21 @@
    # type:
    # fileList :: Path -> String -> [Path]
    fileList = dir: map (file: dir + "/${file}") (ls dir);
    # reduce an attribute set to a string
    #
    # example:
    # given attrset {host1 = "palatine-hill"; host2 = "jeeves";}
    # and func (host: hostname: host + " is " + hostname + ", " )
    # mapAttrsToString would return 'host1 is palatine-hill, host2 is jeeves, '
    #
    # args:
    # func: an function to apply to attrSet to turn each entry into one string
    # attrSet: an attribute set to reduce
    #
    # type:
    # mapAttrsToString :: AttrSet -> (String -> Any -> String) -> String
    mapAttrsToString =
      func: attrSet: (lib.foldl' (cur: next: cur + next) "" (lib.mapAttrsToList func attrSet));
  };
 }
--- a/modules/base.nix
+++ b/modules/base.nix
@ -15,7 +15,7 @@
  programs = {
    zsh.enable = true;
-    fish.enable = true;
+    fish.enable = false;
  };
  users = {
--- a/modules/boot.nix
+++ b/modules/boot.nix
@ -35,7 +35,6 @@ in
  config.boot = lib.mkIf cfg.default {
    supportedFilesystems = [ cfg.filesystem ];
    tmp.useTmpfs = true;
    kernelPackages = pkgs.linuxPackages_6_10;
    kernelParams =
      [ "nordrand" ]
      ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
--- a/modules/docker.nix
+++ b/modules/docker.nix
@ -7,8 +7,13 @@
      extraGroups = [ "docker" ];
      uid = 600;
    };
-    groups.docker-service = {
+    groups = {
-      gid = 600;
+      docker-service = {
        gid = 600;
      };
      haproxy = {
        gid = 99;
      };
    };
  };
--- a/modules/plocate.nix
+++ b/modules/plocate.nix
@ -3,7 +3,7 @@
 {
  services.locate = {
    enable = lib.mkDefault true;
-    localuser = lib.mkDefault null;
+    # localuser = lib.mkDefault null;
    package = lib.mkDefault pkgs.plocate;
  };
 }
--- a/modules/update.nix
+++ b/modules/update.nix
@ -1,10 +1,10 @@
 { lib, ... }:
 {
  services.autopull = {
-    enable = lib.mkDefault false;
+    enable = lib.mkDefault true;
    repo.dotfiles = {
-      enable = lib.mkDefault false;
+      enable = lib.mkDefault true;
-      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
+      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_giteadeploy";
      path = lib.mkDefault /root/dotfiles;
    };
  };
--- a/pkgs/lego-latest/default.nix
+++ b/pkgs/lego-latest/default.nix
@ -0,0 +1,39 @@
 {
  lib,
  fetchFromGitHub,
  buildGoModule,
 }:
 buildGoModule rec {
  pname = "lego";
  version = "4.21.0";
  src = fetchFromGitHub {
    owner = "go-acme";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-3dSvQfkBNh8Bt10nv4xGplv4iY3gWvDu2EDN6UovSdc=";
  };
  vendorHash = "sha256-teA6fnKl4ATePOYL/zuemyiVy9jgsxikqmuQJwwA8wE=";
  doCheck = false;
  subPackages = [ "cmd/lego" ];
  ldflags = [
    "-s"
    "-w"
    "-X main.version=${version}"
  ];
  meta = with lib; {
    description = "Let's Encrypt client and ACME library written in Go";
    license = licenses.mit;
    homepage = "https://go-acme.github.io/lego/";
    maintainers = teams.acme.members;
    mainProgram = "lego";
  };
  #passthru.tests.lego = nixosTests.acme;
 }
--- a/statix.toml
+++ b/statix.toml
@ -1,4 +1,4 @@
 disabled = ["empty_pattern"]
-nix_version = '2.23'
+nix_version = '2.25'
 ignore = ['.direnv']
--- a/systems/artemision/ao3_skins/happy_17th.css
+++ b/systems/artemision/ao3_skins/happy_17th.css
@ -0,0 +1,438 @@
 #footer .group,
 .post fieldset fieldset,
 fieldset fieldset {
  background: none;
 }
 #header {
  background: #000 url('https://media.archiveofourown.org/news/milestones/2024-08-seventeen-years-otw/2024-08-seventeen-years-otw-pattern.jpg');
  background-size: 350px;
 }
 #header .heading a,
 #header .primary .dropdown a:focus,
 #header .heading a:visited,
 #main .pagination .current,
 h2 {
  color: #ffe8b4;
 }
 #header .clear,
 #footer {
  border-color: #191919;
 }
 #header .actions a[href="/menu/fandoms"],
 #header .actions a[href="/menu/browse"],
 #header .actions a[href="/menu/search"],
 #header .actions a[href="/menu/about"] {
  color: #fff;
 }
 #footer ul {
  background: url('https://live.staticflickr.com/7284/9616997915_4194b6c6f7_h.jpg');
  background-size: 350px;
 }
 #footer ul li:nth-child(1) ul,
 #footer ul li:nth-child(2) ul,
 #footer ul li:nth-child(3) ul,
 #footer ul li:nth-child(4) ul {
  background: rgba(0, 0, 0, 0.0);
 }
 #header .primary {
  background: #8a1a10;
 }
 #footer {
  background: #8a1a10;
 }
 input[type="text"],
 textarea,
 select {
  background: #222;
  color: #fff;
 }
 select:focus {
  background: #2a2a2a;
 }
 option {
  background: #555;
  color: #fff;
 }
 #work form fieldset.work.meta dl dd.warning.required fieldset,
 #main form fieldset.work.meta dl dd.warning.required fieldset {
  color: #fff;
 }
 #bookmark-form form {
  background: #2a2a2a;
  color: #fff;
 }
 #error {
  color: #191919;
 }
 fieldset,
 .verbose fieldset {
  border-color: #404040;
  background: #191919;
  border: 1px solid #595959;
 }
 .search [role=tooltip] {
  background: #333;
  border: 1px solid #666;
 }
 #main a:visited {
  color: #ccc;
 }
 #main a.tag:visited:hover {
  color: #111;
 }
 body,
 .group,
 .group .group,
 .region,
 .flash,
 form dl,
 #main .verbose legend,
 .notice,
 ul.notes,
 table,
 th,
 td:hover,
 tr:hover,
 .symbol .question:hover,
 #modal,
 .ui-sortable li,
 .required .autocomplete,
 .autocomplete .notice,
 .system .intro,
 .comment_error,
 .kudos_error,
 div.dynamic,
 .dynamic form,
 #ui-datepicker-div,
 .ui-datepicker table {
  background: #191919;
  color: #eee;
  border-color: #222;
  outline: #111;
  box-shadow: none;
 }
 #header .actions a:hover,
 #header .actions a:focus,
 #header .dropdown:hover a,
 #header .open a,
 #header .menu,
 #small_login,
 .group.listbox,
 fieldset fieldset.listbox,
 .listbox,
 form blockquote.userstuff,
 input:focus,
 textarea:focus,
 li.relationships a,
 .group.listbox .index,
 .dashboard fieldset fieldset.listbox .index,
 #dashboard a:hover,
 th,
 #dashboard .secondary,
 .secondary,
 .thread .even,
 .system .tweet_list li,
 .ui-datepicker tr:hover {
  background: #2A2A2A;
 }
 a,
 a.tag,
 a:link,
 #header a:visited,
 #header .primary .open a,
 #header .primary .dropdown:hover a,
 #header #search input:focus,
 #header #search input:hover,
 .userstuff h2,
 #dashboard a,
 #dashboard span,
 #dashboard .current,
 .group .heading,
 .filters dt a:hover {
  color: #fff;
 }
 #header .dropdown .menu a:hover,
 #header .dropdown .menu a:focus,
 .splash .favorite li:nth-of-type(odd) a,
 .ui-datepicker td:hover,
 #tos_prompt .heading,
 #tos_prompt [disabled] {
  background: #111;
  color: #ffe8b4;
 }
 #outer,
 .javascript,
 .statistics .index li:nth-of-type(even),
 #tos_prompt,
 .announcement input[type="submit"] {
  background: #191919;
 }
 #dashboard ul,
 dl.meta,
 .group.listbox,
 fieldset fieldset.listbox,
 #main li.blurb,
 form blockquote.userstuff,
 div.comment,
 li.comment,
 .toggled form,
 form dl dt,
 form.single fieldset,
 #inner .module .heading,
 .bookmark .status span,
 .splash .news li,
 .filters .group dt.bookmarker {
  border-color: #555;
 }
 .group.listbox,
 fieldset fieldset.listbox,
 #main li.blurb,
 .wrapper,
 #dashboard .secondary,
 .secondary,
 form blockquote.userstuff,
 .thread .comment,
 .toggled form {
  box-shadow: 1px 1px 3px #000;
 }
 #dashboard .current,
 .actions a:active,
 a.current,
 .current a:visited,
 span.unread,
 .replied,
 span.claimed,
 dl.index dd,
 .own,
 .draft,
 .draft .unread,
 .child,
 .unwrangled,
 .unreviewed,
 .ui-sortable li:hover {
  background: #000;
  border-color: #555;
  box-shadow: -1px -1px 3px #000;
 }
 input,
 textarea {
  box-shadow: inset 0 1px 2px #000;
 }
 li.blurb,
 .blurb .blurb,
 .listbox .index,
 fieldset fieldset.listbox,
 .dashboard .listbox .index {
  box-shadow: inset 1px 1px 3px #000;
 }
 #footer a:hover,
 #footer a:focus,
 .autocomplete .dropdown ul li:hover,
 .autocomplete .dropdown li.selected,
 a.tag:hover,
 .listbox .heading a.tag:visited:hover,
 .symbol .question {
  background: #ffedc5;
  border-color: #988352;
  color: #111;
 }
 #header #greeting img,
 #header .user a:hover,
 #header .user a:focus,
 #header fieldset,
 #header form,
 #header p,
 #dashboard a:hover,
 .actions a:hover,
 .actions input:hover,
 .delete a,
 span.delete,
 span.unread,
 .replied,
 span.claimed,
 .draggable,
 .droppable,
 span.requested,
 a.work,
 .blurb h4 a:link,
 .blurb h4 img,
 .splash .module h3,
 .splash .browse li a:before,
 .required,
 .error,
 .comment_error,
 .kudos_error,
 a.cloud7,
 a.cloud8,
 #tos_prompt .heading {
  color: #ffe8b4;
 }
 #greeting .icon,
 #dashboard,
 #dashboard.own,
 .error,
 .comment_error,
 .kudos_error,
 .LV_invalid,
 .LV_invalid_field,
 input.LV_invalid_field:hover,
 input.LV_invalid_field:active,
 textarea.LV_invalid_field:hover,
 textarea.LV_invalid_field:active,
 .qtip-content {
  border-color: #8a1a10;
 }
 .splash .favorite li:nth-of-type(odd) a:hover,
 .splash .favorite li:nth-of-type(odd) a:focus .splash .favorite li:nth-of-type(odd) a:visited:hover,
 .splash .favorite li:nth-of-type(odd) a:visited:focus {
  background: #ffe8b4;
  color: #111;
 }
 a:visited,
 .actions a:visited,
 .action a:link,
 .action a:visited,
 .listbox .heading a:visited,
 span.series .divider {
  color: #999;
 }
 .actions a,
 .actions a:link,
 .action,
 .action:link,
 .actions input,
 input[type="submit"],
 button,
 .current,
 .actions label,
 #header .actions a,
 #outer .current {
  background: #555;
  border-color: #222;
  color: #eee;
  box-shadow: inset 0 -8px 4px #232323, inset 0 8px 7px #555;
  text-shadow: none;
 }
 .actions a:hover,
 .actions input:hover,
 #dashboard a:hover,
 .actions a:focus,
 .actions input:focus,
 #dashboard a:focus,
 .actions .disabled select {
  color: #999;
  border-color: #000;
  box-shadow: inset 2px 2px 2px #000;
 }
 .actions a:active,
 .current,
 a.current,
 .current a:visited {
  color: #fff;
  background: #555;
  border-color: #fff;
  box-shadow: inset 1px 1px 3px #191919;
 }
 .delete a,
 span.delete {
  box-shadow: -1px -1px 2px rgba(255,255,255.25);
 }
 .actions label.disabled {
  background: #222;
  box-shadow: none;
 }
 ul.required-tags,
 .bookmark .status span,
 .blurb .icon {
  opacity: 0.9;
  border: 0;
 }
 #outer .group .heading,
 #header .actions a,
 fieldset.listbox .heading,
 .userstuff .heading {
  text-shadow: none;
  color: #fff;
  background: none;
 }
 #header .actions a,
 fieldset fieldset,
 .mce-container button,
 .filters .expander,
 .actions .disabled select {
  box-shadow: none;
 }
 fieldset fieldset.listbox {
  outline: none;
 }
 form dd.required {
  color: #eee;
 }
 .mce-container input:focus {
  background: #F3EFEC;
 }
 .announcement .userstuff a,
 .announcement .userstuff a:link,
 .announcement .userstuff a:visited:hover {
  color: #111;
 }
 .announcement .userstuff a:visited {
  color: #666;
 }
 .announcement .userstuff a:hover,
 .announcement .userstuff a:focus {
  color: #999;
 }
 .event.announcement .userstuff a,
 .filters .expander {
  color: #eee;
 }
--- a/systems/artemision/configuration.nix
+++ b/systems/artemision/configuration.nix
@ -6,17 +6,18 @@
 }:
 {
  imports = [
    ./programs.nix
    ./desktop.nix
    ./wifi.nix
    ./zerotier.nix
    ./fonts.nix
    ./polkit.nix
    ./audio.nix
    ./desktop.nix
    ./fingerprint.nix
-    ./steam.nix
+    ./fonts.nix
    ./graphics.nix
    ./libvirt.nix
    ./polkit.nix
    ./programs.nix
    ./steam.nix
    ./stylix.nix
    ./wifi.nix
    ./zerotier.nix
  ];
  time.timeZone = "America/New_York";
@ -31,7 +32,7 @@
  };
  boot = {
-    kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
+    kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
    useSystemdBoot = true;
    default = true;
  };
@ -44,6 +45,7 @@
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  services = {
    flatpak.enable = true;
    calibre-web = {
      enable = true;
      listen = {
@ -73,17 +75,6 @@
    fprintd.enable = lib.mkForce false;
    openssh.enable = lib.mkForce false;
    spotifyd = {
      enable = true;
      settings = {
        global = {
          username = "snowinginwonderland@gmail.com";
          password_cmd = "cat ${config.sops.secrets."apps/spotify".path}";
          use_mpris = false;
        };
      };
      #systemd.services.spotifyd.serviceConfig = systemd.services.spotifyd.
    };
    rad-dev.yubikey = {
      enable = true;
      enable-desktop-app = true;
@ -99,12 +90,12 @@
  sops = {
    defaultSopsFile = ./secrets.yaml;
-    secrets = {
+    #secrets = {
-      "apps/spotify" = {
+    #  "apps/spotify" = {
-        group = "audio";
+    #    group = "audio";
-        restartUnits = [ "spotifyd.service" ];
+    #    restartUnits = [ "spotifyd.service" ];
-        mode = "0440";
+    #    mode = "0440";
-      };
+    #  };
-    };
+    #};
  };
 }
--- a/systems/artemision/default.nix
+++ b/systems/artemision/default.nix
@ -7,6 +7,7 @@
  users = [ "alice" ];
  modules = [
    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
    inputs.stylix.nixosModules.stylix
    {
      environment.systemPackages = [
        inputs.wired-notify.packages.x86_64-linux.default
--- a/systems/artemision/desktop.nix
+++ b/systems/artemision/desktop.nix
@ -8,6 +8,7 @@
      enable = true;
      xwayland.enable = true;
    };
    hyprlock.enable = true;
    gnupg.agent = {
      enable = true;
      #pinentryPackage = pkgs.pinentry-rofi;
@ -54,6 +55,13 @@
    };
  };
  powerManagement = {
    enable = true;
    resumeCommands = ''
      ${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
    '';
  };
  environment.systemPackages = with pkgs; [
    libsForQt5.qt5.qtwayland
    qt6.qtwayland
--- a/systems/artemision/fonts.nix
+++ b/systems/artemision/fonts.nix
@ -3,17 +3,13 @@
  fonts = {
    fontconfig.enable = true;
    enableDefaultPackages = true;
-    packages = with pkgs; [
+    packages = with pkgs.nerd-fonts; [
-      (nerdfonts.override {
+      fira-code
-        fonts = [
+      droid-sans-mono
-          "FiraCode"
+      hack
-          "DroidSansMono"
+      dejavu-sans-mono
-          "Hack"
+      noto
-          "DejaVuSansMono"
+      open-dyslexic
          "Noto"
          "OpenDyslexic"
        ];
      })
    ];
  };
 }
--- a/systems/artemision/hardware.nix
+++ b/systems/artemision/hardware.nix
@ -86,7 +86,7 @@
    };
  };
-  swapDevices = [ { device = "/dev/disk/by-uuid/7f0dba0f-d04e-4c94-9fba-1d0811673df1"; } ];
+  swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
  boot.initrd.luks.devices = {
    "nixos-pv" = {
--- a/systems/artemision/programs.nix
+++ b/systems/artemision/programs.nix
@ -3,6 +3,7 @@
  environment.systemPackages = with pkgs; [
    act
    alacritty
    attic-client
    amdgpu_top
    bat
    bitwarden-cli
@ -12,12 +13,14 @@
    calibre
    # calibre dedrm?
    candy-icons
-    nemo-with-extensions
+    chromium
    chromedriver
    croc
    deadnix
    direnv
    discord
    discord-canary
    easyeffects
    eza
    fanficfare
    ferium
@ -29,14 +32,15 @@
    glances
    gpu-viewer
    grim
    helvum
    htop
    hwloc
    ipmiview
    iperf3
-    ipscan
+    # ipscan
    jp2a
    jq
-    kdenlive
+    kdePackages.kdenlive
    kitty
    kubectl
    kubernetes-helm
@ -46,8 +50,10 @@
    masterpdfeditor4
    minikube
    mons
    mpv
    # nbt explorer?
    ncdu
    nemo-with-extensions
    neofetch
    neovim
    nix-init
@ -57,6 +63,7 @@
    nixpkgs-fmt
    nmap
    obs-studio
    obsidian
    ocrmypdf
    pciutils
    #disabled until wxpython compat with python3.12
@ -64,12 +71,14 @@
    prismlauncher
    protonmail-bridge
    protontricks
    proxychains
    qrencode
    redshift
    restic
    ripgrep
    rpi-imager
    rofi-wayland
    samba
    signal-desktop
    # signal in tray?
    siji
@ -89,18 +98,18 @@
    tig
    tokei
    tree
    unzip
    unipicker
    unzip
    uutils-coreutils-noprefix
    ventoy
    vesktop
    vscode
    watchman
    wget
    wl-clipboard
-    xboxdrv
+    yq
    yt-dlp
    zoom-us
    zoxide
    zoom
  ];
 }
--- a/systems/artemision/secrets.yaml
+++ b/systems/artemision/secrets.yaml
@ -1,17 +1,17 @@
-hello: ENC[AES256_GCM,data:UJlsd5kvnhEv7eJeYwg+NHm9sgUAxYM5DoR0gDPLi9J7P+8FI8WPMkN1wEAHJA==,iv:NFSdZQ1OK4BT+EAGZz122NB7WrVCEzv4wwMxFIE/OKI=,tag:6YT7Vw8tFrw9iEFKxeKRFQ==,type:str]
+hello: ENC[AES256_GCM,data:BTCBuBxHFO8vwXU/bsAZryM5rXUOEi0brlvq6DtqfZbzxGz4LaW89VO75MERHQ==,iv:fwqI3arwtlZQ5DtvpVbh21ThuZP8zcqCHsmuJuCfCsY=,tag:tkkEO8/eEDCakdlT0NvajA==,type:str]
-example_key: ENC[AES256_GCM,data:KMXgMrqe7M101ZMJ2g==,iv:MJ3Iiu/0KIVhPFnqfovysqvPJAv1OsnxE4VIsuexFkE=,tag:X6KIKNGym8/9VglmG3SNRw==,type:str]
+example_key: ENC[AES256_GCM,data:xzsymSb4oD70twtoKQ==,iv:9vBmAKET2VIuDSq7AOyvdYWLGlL6cYHTWxy/Z5bB1+c=,tag:NbV4eA2aaY4cQAKUy3QOpw==,type:str]
-#ENC[AES256_GCM,data:QR3WNE/a1hZIXnTjFjK3kA==,iv:eXoZJ5rQaYqN7LjEp2M13OCMwuQ+80M5AXjV0uNc4C8=,tag:sCvL6pr9zAyWZziffVFMzg==,type:comment]
+#ENC[AES256_GCM,data:zeOCzRd/nFRhbANHxPyyjw==,iv:9MmHl3OyhJHVU+cUFJ4QitHd4SeDe3ctaky+yfvk8Zs=,tag:uPGRJtgQj1vIdLt2+w0krg==,type:comment]
 example_array:
-    - ENC[AES256_GCM,data:g8PulCLrXZYSEdZJELE=,iv:irGwciFn1zXBxFpGAJtD46EQLGUO5oqdCzRgv1204JE=,tag:2MuDdRYMjhtTY++lPuj1FQ==,type:str]
+    - ENC[AES256_GCM,data:Nwn96XJv8xZWRYv8qws=,iv:K30LBMC8e1vUS0XE+4EIYb3xUUyn6232YmhV2vI9Qnc=,tag:HRe3S88zwj/CjG6NTvjdRQ==,type:str]
-    - ENC[AES256_GCM,data:qv7GvmoOX8VSdaiW/90=,iv:6NOWeWqHUV9ciKPmZF4C7ijuIPFr3YZi3Dh7xWnb07k=,tag:VHXdBhWmEpb7uavCPqGZ4w==,type:str]
+    - ENC[AES256_GCM,data:l2nuwoAbwaDFHpEWV1Y=,iv:7/2rTd8agUvx73eftpOgidV4XjDUv/JppLIIsiuycnU=,tag:Ohi4JULWDNXJPWZaeXHEdw==,type:str]
-example_number: ENC[AES256_GCM,data:g8BIEIcwKRLSbw==,iv:Ay4aiukAvXeDhzlpMPn++zR0Tt2lMqCx362uN37S+ac=,tag:NTtNaIu5u8YsIm0M4OgL0A==,type:float]
+example_number: ENC[AES256_GCM,data:toi1e/biUd2Tng==,iv:MPCfhhX9DDaOSzx/L5LTf2VYffin8XvxVyhNDqZLsec=,tag:tE/lml3afP/NjRtpPraoRQ==,type:float]
 example_booleans:
-    - ENC[AES256_GCM,data:94T9mg==,iv:qKGJke4SGhgN09Yebh5MPrRBDNnguJQ+1dl5XQffGZQ=,tag:0Pa3eujmSxDCnAHKHsx6yQ==,type:bool]
+    - ENC[AES256_GCM,data:02CVNA==,iv:L9GmIm9ynm2cWTyd3iYo4fgIeneUyFpEzzzxicM/YNI=,tag:k2EIboiL+c4W1H2OpA2Rqw==,type:bool]
-    - ENC[AES256_GCM,data:gEvfi+Q=,iv:0DrXoZk8OkdUShc7WAKOL8xG26RFZp3M3qYFAb1hDAs=,tag:uemBrdF87nrfLpfnQ8bD8g==,type:bool]
+    - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
 apps:
-    spotify: ENC[AES256_GCM,data:bp1pdOfS+VGWLtepUjg7KFWw8Fk=,iv:twGO3CjzRxAU81C93mX8qIEZ/FYIQRJnMd2HIuvP9q8=,tag:AJgs0QGFH30E8+ZpaB02TQ==,type:str]
+    spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
-wifi-env: ENC[AES256_GCM,data:6+fHf25fx/PuutOXhMZqx2JVVSDTW7fQU8XOCc2vyUpg7HiRpOKFu5PIZoJQexvJoBNNciiQkju17+xuxnQ48dsRgsdS+wfH86Af55MfqDjG1el/htEOER9f9sTpMwGjIKD1zalkMp7oX17UlIqiCQg7HfcZFb8T4eHzu9w48umiC3WpwlKLykF5W600gYbXx1E1FjwgCwxJ1zRmBTXoz6WHvQ==,iv:DmUyn3/Q7jwqHrK7wSCqIRO1jJsOHNbmG6a/l1YdMmQ=,tag:S3CtTdFyn2Lg5nGlHVU66g==,type:str]
+wifi-env: ENC[AES256_GCM,data:G+z+fURk4rT61I5BiFzEJJt35jywPNrGpn1QGNhjvxrqPQ/Sq/hIHmQo+bqe9yJeDgMX3RY4EaiZxFTJyxPfW1czjuMSj3vbTp0WcDmGvUJ7li2pX2pzolgly4qmgoOluGBeRZWVLLOZYFB2+kLRMJNNz/bP5k2Eq6O4+l4sljPM+abn9iz9Eh46rVOVRkmDzCltJrYiuBSiSPhTDRTP2+gUbgbaUJTkVrVLUBHg3QU6az6VPN8DPZxbx4LtdaIb93pI,iv:uUfJK/iPdyLP7LqZJolTGGTxaEzlJI59bUVNcB1etkU=,tag:tvXSXSW1MIhLJceEK1afuw==,type:str]
-#ENC[AES256_GCM,data:pC2Kdy7wNc0=,iv:J7Ggfv6K3dCzL42j5MGd+BjQGseoAoYs4k6+yc3FSiA=,tag:9MriduP9SEIi+c1q4tfzlQ==,type:comment]
+#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
 sops:
    kms: []
    gcp_kms: []
@ -21,26 +21,26 @@ sops:
        - recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZC9aczBZekVGMVRBYlFV
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbElNRkxyZ2VjaitiTWx2
-            MUpDZFFPRTIzL1hpR25vd2pjZzJnRE12TkhRCjdiV3VxVnJpL2l2OU1rNVE3K2kv
+            eThsY0h3a2NCZDloWG0rU1ZwVnhOY2VJTXlFCnp3UzNDR216L2R4cVdyWjFqbkRr
-            akF1UFNtdDFYdUNIMjVwWitOUDJ1UUEKLS0tIFJkSGU1MC90ZlM0TXJOeWlWTnJT
+            cFJGQjQ4Qk9zblYyckVFY3VNekNuajQKLS0tIEdRWldHMjlpTElxQWFVUlh4L1lz
-            RFVEMjg4bjd4SUF2SjVWZVNDWlpiR1EKmWM9G8/vb1+GX4zGiIj/So4apfi3wzyp
+            d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
-            yGi0T3fen3jzfU38xFZ25Tn0pDTQaSG7PkVKQn9YBJ4pGb9JDPfTjw==
+            D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-20T13:52:31Z"
+    lastmodified: "2024-11-28T18:57:09Z"
-    mac: ENC[AES256_GCM,data:IT/GEdJtQHSjzVRdIBIRq1y0Lby4k6gGVDfeg3/bjdDNWkPCnGOc5Uerz3TJ95M3oKMgFiQW2Sa4m/8QX9qhtVfH7gleMhJbzkz1DGKozoCxqWX71BBfiwcAuLG1fzDwfpT4DcRK1ppfC/9kMZ3g7r9Ug6EceXUKXP3uaUgfNjg=,iv:WpEhLffmICyR7bbe0cnT9fjqyL59gVxumz/lsE3oBfU=,tag:k0GSSZeQC9bJ1TWRwhaGQA==,type:str]
+    mac: ENC[AES256_GCM,data:hKhAo7rDplLm19PlrKHQwxnDVXCMU/xpAxPALLDBa0M3yypy2QVD6c6Atn897tYRKf7oeLaUKqnUYdCcZ9gVgm37LS+GtRhf66zfvcKqhZF8wh3M0zTDPYpQDhex0N4BAJ/dcaYIbxqE9pEUxJOI5jip/hptaCJItTEe7oARcF4=,iv:EUayxLaOPcnWX+S9+RlHrxzJRLlSSLIwqbAq3fFI4yg=,tag:LiBsqIodTWamO+c8FqGBag==,type:str]
    pgp:
-        - created_at: "2024-09-05T06:10:45Z"
+        - created_at: "2024-11-28T18:57:09Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DQWNzDMjrP2ISAQdAVPGTjbrJcO6UTQ9bYOqiVqJMehxGkfNMtgnQQL36mQsw
+            hF4DQWNzDMjrP2ISAQdALiZMzuQViM23hoFebCXYfQUIvCluWqAEeSJyE/LRHG8w
-            CznpGVos/aNWRKmt0nkfjHuI0y71foFWt7BB/acKspE5YUu831wgrRbB8TyN69DK
+            nQnIVPRIbzLzWfCf+48EW6f7zonHmNY7D9F9KohDmCTcJ5/WvXsJKjebuohR62TF
-            1GgBCQIQjanvxCPgcaSWLqw2oXXPzTJ1PRJc2UA4kayYIzvOUP9QBoEruDki0GVi
+            1GYBCQIQq7nEvwSfn+l5AevKIiodA4BLfM326JSx5hJ6XdrE0MzZo1uoMwKKuxig
-            5n+ZiGGtvx7bihZ1WeJiHcOArPr3xrrrPv6nuAxP05HbSRYhaAU79eOTT1p7MtSO
+            mPbDP8Rx51v9f+9DzjBg6kQD5w411HADL8th+wSkpmasP8ozIeiNiIKzzoJc/fD6
-            A0BHgVYuL00FHg==
+            AOsExCUt8FU=
-            =Luz2
+            =wRT+
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1
--- a/systems/artemision/steam.nix
+++ b/systems/artemision/steam.nix
@ -4,7 +4,10 @@
  environment.systemPackages = [ pkgs.steam-run ];
  hardware.steam-hardware.enable = true;
  programs = {
-    gamescope.enable = true;
+    gamescope = {
      enable = true;
      capSysNice = true;
    };
    steam = {
      enable = true;
      remotePlay.openFirewall = true;
--- a/systems/artemision/stylix.nix
+++ b/systems/artemision/stylix.nix
@ -0,0 +1,16 @@
 { pkgs, ... }:
 # let
 # randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
 #   numWallpapers =
 #   $((1 + $RANDOM % 10))
 # in
 {
  stylix = {
    enable = true;
    image = "${pkgs.hyprland}/share/hypr/wall2.png";
    #image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
    polarity = "dark";
  };
 }
--- a/systems/artemision/wifi.nix
+++ b/systems/artemision/wifi.nix
@ -23,6 +23,7 @@ in
      "5HuFios".pskRaw = "ext:PASS_longboat_home";
      "24HuFios".pskRaw = "ext:PASS_longboat_home";
      "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
      "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
      "optimumwifi" = { };
      "CableWiFi" = { };
      "JPMCVisitor" = { };
--- a/systems/palatine-hill/acme.nix
+++ b/systems/palatine-hill/acme.nix
@ -0,0 +1,43 @@
 {
  config,
  lib,
  pkgs,
  outputs,
  ...
 }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "aliceghuston@gmail.com";
    certs."nayeonie.com" = {
      dnsProvider = "dnsimple";
      environmentFile = config.sops.secrets."acme/dnsimple".path;
      dnsPropagationCheck = false;
      group = "haproxy";
      extraDomainNames = [
        "*.nayeonie.com"
        # "alicehuston.xyz"
        # "*.alicehuston.xyz"
      ];
    };
  };
  systemd.services."acme-nayeonie.com.service".path = lib.mkForce (
    with pkgs;
    [
      coreutils
      diffutils
      openssl
    ]
    ++ [
      outputs.packages.x86_64-linux.lego-latest
    ]
  );
  sops.secrets = {
    "acme/dnsimple" = {
      owner = "root";
    };
  };
 }
--- a/systems/palatine-hill/attic/default.nix
+++ b/systems/palatine-hill/attic/default.nix
@ -8,34 +8,18 @@
 {
  environment.systemPackages = with pkgs; [
    attic-client
    attic
  ];
  services = {
    postgresql = {
      enable = true;
      ensureDatabases = [ "atticd" ];
      ensureUsers = [
        {
          name = "atticd";
          ensureDBOwnership = true;
        }
      ];
      upgrade = {
        enable = true;
        stopServices = [ "atticd" ];
      };
    };
    atticd = {
      enable = true;
-      credentialsFile = config.sops.secrets."attic/secret-key".path;
+      environmentFile = config.sops.secrets."attic/secret-key".path;
      settings = {
        listen = "[::]:8183";
-        allowed-hosts = [ "attic.alicehuston.xyz" ];
+        allowed-hosts = [ "attic.nayeonie.com" ];
-        api-endpoint = "https://attic.alicehuston.xyz";
+        api-endpoint = "https://attic.nayeonie.com/";
        compression.type = "none"; # let ZFS do the compressing
        database = {
          url = "postgres://atticd?host=/run/postgresql";
@ -48,7 +32,7 @@
          type = "s3";
          region = "us-east-1";
          bucket = "cache-nix-dot";
-          endpoint = "https://minio.alicehuston.xyz";
+          endpoint = "https://minio.nayeonie.com";
        };
        # Warning: If you change any of the values here, it will be
@ -78,58 +62,58 @@
  # borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix
  # configured default webstore for this on root user separately
-  systemd = {
+  # systemd = {
-    services = {
+  #   services = {
-      attic-watch-store = {
+  #     attic-watch-store = {
-        wantedBy = [ "multi-user.target" ];
+  #       wantedBy = [ "multi-user.target" ];
-        after = [
+  #       after = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        requires = [
+  #       requires = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        description = "Upload all store content to binary cache";
+  #       description = "Upload all store content to binary cache";
-        serviceConfig = {
+  #       serviceConfig = {
-          User = "root";
+  #         User = "root";
-          Restart = "always";
+  #         Restart = "always";
-          ExecStart = "${pkgs.attic}/bin/attic watch-store cache-nix-dot";
+  #         ExecStart = "${pkgs.attic-client}/bin/attic watch-store cache-nix-dot";
-        };
+  #       };
-      };
+  #     };
-      attic-sync-hydra = {
+  #     attic-sync-hydra = {
-        after = [
+  #       after = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        requires = [
+  #       requires = [
-          "network-online.target"
+  #         "network-online.target"
-          "docker.service"
+  #         "docker.service"
-          "atticd.service"
+  #         "atticd.service"
-        ];
+  #       ];
-        description = "Force resync of hydra derivations with attic";
+  #       description = "Force resync of hydra derivations with attic";
-        serviceConfig = {
+  #       serviceConfig = {
-          Type = "oneshot";
+  #         Type = "oneshot";
-          User = "root";
+  #         User = "root";
-          ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
+  #         ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
-    timers = {
+  #   timers = {
-      attic-sync-hydra = {
+  #     attic-sync-hydra = {
-        wantedBy = [ "timers.target" ];
+  #       wantedBy = [ "timers.target" ];
-        timerConfig = {
+  #       timerConfig = {
-          OnBootSec = 600;
+  #         OnBootSec = 600;
-          OnUnitActiveSec = 86400;
+  #         OnUnitActiveSec = 86400;
-          Unit = "attic-sync-hydra.service";
+  #         Unit = "attic-sync-hydra.service";
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
-  };
+  # };
  sops = {
    secrets = {
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@ -6,14 +6,19 @@
 }:
 {
  imports = [
    ./acme.nix
    ./attic
-    ./docker.nix
+    ./docker
    ./gitea.nix
    ./firewall.nix
    ./haproxy
    ./hardware-changes.nix
    ./hydra.nix
    ./minio.nix
    ./networking.nix
    ./nextcloud.nix
    ./samba.nix
    ./postgresql.nix
    ./zfs.nix
  ];
@ -53,10 +58,14 @@
  };
  environment.systemPackages = with pkgs; [
    chromedriver
    chromium
    docker-compose
    intel-gpu-tools
    jellyfin-ffmpeg
    jq
    yt-dlp
    yq
  ];
  services = {
@ -64,32 +73,8 @@
    nfs.server.enable = true;
    openssh.ports = [ 666 ];
    smartd.enable = true;
    calibre-server.enable = false;
    postgresql = {
      enable = true;
      enableJIT = true;
      identMap = ''
        # ArbitraryMapName systemUser DBUser
           superuser_map      root      postgres
           superuser_map      alice  postgres
           # Let other names login as themselves
           superuser_map      /^(.*)$   \1
      '';
      # initialScript = config.sops.secrets."postgres/init".path;
      upgrade = {
        enable = true;
        stopServices = [
          "hydra-evaluator"
          "hydra-init"
          "hydra-notify"
          "hydra-queue-runner"
          "hydra-send-stats"
          "hydra-server"
        ];
      };
    };
  };
  nix.gc.options = "--delete-older-than 150d";
--- a/systems/palatine-hill/default.nix
+++ b/systems/palatine-hill/default.nix
@ -1,5 +1,7 @@
 { inputs, ... }:
 {
  users = [ "alice" ];
-  modules = [ inputs.attic.nixosModules.atticd ];
+  modules = [
    # inputs.attic.nixosModules.atticd
  ];
 }
--- a/systems/palatine-hill/docker.nix
+++ b/systems/palatine-hill/docker.nix
@ -1,5 +0,0 @@
 { ... }:
 {
  virtualisation.docker.daemon.settings.data-root = "/var/lib/docker2";
 }
--- a/systems/palatine-hill/docker/act-runner.nix
+++ b/systems/palatine-hill/docker/act-runner.nix
@ -0,0 +1,175 @@
 {
  config,
  ...
 }:
 let
  vars = import ../vars.nix;
  act_path = vars.primary_act;
 in
 {
  virtualisation.oci-containers.containers = {
    act-stable-latest-main = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      ports = [ "8088:8088" ];
      volumes = [
        "${act_path}/stable-latest-main/config.yaml:/config.yaml"
        "${act_path}/stable-latest-main/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-main";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
    act-stable-latest-1 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      volumes = [
        "${act_path}/stable-latest-1/config.yaml:/config.yaml"
        "${act_path}/stable-latest-1/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-1";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
    act-stable-latest-2 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      volumes = [
        "${act_path}/stable-latest-2/config.yaml:/config.yaml"
        "${act_path}/stable-latest-2/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-2";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
    act-stable-latest-3 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      volumes = [
        "${act_path}/stable-latest-3/config.yaml:/config.yaml"
        "${act_path}/stable-latest-3/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-3";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
    act-stable-latest-4 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      volumes = [
        "${act_path}/stable-latest-4/config.yaml:/config.yaml"
        "${act_path}/stable-latest-4/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-4";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
    act-stable-latest-5 = {
      image = "gitea/act_runner:latest";
      extraOptions = [
        "--stop-signal=SIGINT"
      ];
      labels = {
        "com.centurylinklabs.watchtower.enable" = "true";
        "com.centurylinklabs.watchtower.scope" = "act-runner";
      };
      volumes = [
        "${act_path}/stable-latest-5/config.yaml:/config.yaml"
        "${act_path}/stable-latest-5/data:/data"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = {
        CONFIG_FILE = "/config.yaml";
        GITEA_RUNNER_NAME = "stable-latest-5";
      };
      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
      log-driver = "local";
    };
  };
  systemd = {
    timers."custom-watchtower@act-runner" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "20m";
        OnUnitActiveSec = "5m";
        Unit = "custom-watchtower@act-runner.service";
      };
    };
    services."custom-watchtower@act-runner" = {
      bindsTo = [ "docker.service" ];
      after = [ "docker.service" ];
      description = "a watchtower-esque script for systemd-based oci-containers";
      serviceConfig = {
        Type = "oneshot";
        User = "root";
        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'act-runner'";
      };
    };
  };
  sops.secrets = {
    "docker/act-runner" = {
      owner = "root";
      restartUnits = [
        "docker-act-stable-latest-1.service"
      ];
    };
  };
 }
--- a/systems/palatine-hill/docker/archiveteam.nix
+++ b/systems/palatine-hill/docker/archiveteam.nix
@ -0,0 +1,152 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  containers = {
    archiveteam-imgur = {
      image = "imgur-grab";
      scale = 1;
    };
    archiveteam-telegram = {
      image = "telegram-grab";
      scale = 3;
    };
    archiveteam-reddit = {
      image = "reddit-grab";
      scale = 0;
    };
    archiveteam-dpreview = {
      image = "dpreview-grab";
      scale = 0;
    };
    archiveteam-issuu = {
      image = "issuu-grab";
      scale = 0;
    };
    archiveteam-urls = {
      image = "urls-grab";
      scale = 2;
    };
    archiveteam-urlteam = {
      image = "terroroftinytown-client-grab";
      scale = 2;
    };
    archiveteam-mediafire = {
      image = "mediafire-grab";
      scale = 1;
    };
    archiveteam-github = {
      image = "github-grab";
      scale = 1;
    };
    archiveteam-lineblog = {
      image = "lineblog-grab";
      scale = 0;
    };
    archiveteam-banciyuan = {
      image = "banciyuan-grab";
      scale = 0;
    };
    archiveteam-wysp = {
      image = "wysp-grab";
      scale = 0;
    };
    archiveteam-xuite = {
      image = "xuite-grab";
      scale = 0;
    };
    archiveteam-gfycat = {
      image = "gfycat-grab";
      scale = 0;
    };
    archiveteam-skyblog = {
      image = "skyblog-grab";
      scale = 0;
    };
    archiveteam-zowa = {
      image = "zowa-grab";
      scale = 0;
    };
    archiveteam-blogger = {
      image = "blogger-grab";
      scale = 1;
    };
    archiveteam-vbox7 = {
      image = "vbox7-grab";
      scale = 0;
    };
    archiveteam-pastebin = {
      image = "pastebin-grab";
      scale = 1;
    };
    archiveteam-youtube = {
      image = "youtube-grab";
      scale = 0;
    };
    archiveteam-deviantart = {
      image = "deviantart-grab";
      scale = 0;
    };
    archiveteam-postnews = {
      image = "postnews-grab";
      scale = 0;
    };
    archiveteam-askfm = {
      image = "askfm-grab";
      scale = 1;
    };
    archiveteam-mangz = {
      image = "mangaz-grab";
      scale = 1;
    };
    archiveteam-cohost = {
      image = "cohost-grab";
      scale = 1;
    };
  };
  container-spec = container-name: container: {
    image = "atdr.meo.ws/archiveteam/${container}:latest";
    extraOptions = [
      "--stop-signal=SIGINT"
    ];
    labels = {
      "com.centurylinklabs.watchtower.enable" = "true";
      "com.centurylinklabs.watchtower.scope" = "archiveteam";
    };
    volumes = [ "${at_path}/${container-name}:/grab/data" ];
    log-driver = "local";
    cmd = lib.splitString " " "--concurrent 6 AmAnd0";
  };
  inherit (lib.rad-dev.container-utils) createTemplatedContainers;
  vars = import ../vars.nix;
  at_path = vars.primary_archiveteam;
 in
 {
  virtualisation.oci-containers.containers = createTemplatedContainers containers container-spec;
  systemd = {
    timers."custom-watchtower@archiveteam" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "20m";
        OnUnitActiveSec = "5m";
        Unit = "custom-watchtower@archiveteam.service";
      };
    };
    services."custom-watchtower@archiveteam" = {
      bindsTo = [ "docker.service" ];
      after = [ "docker.service" ];
      description = "a watchtower-esque script for systemd-based oci-containers";
      serviceConfig = {
        Type = "oneshot";
        User = "root";
        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'archiveteam'";
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/books.nix
+++ b/systems/palatine-hill/docker/books.nix
@ -0,0 +1,32 @@
 { ... }:
 let
  vars = import ../vars.nix;
  docker_path = vars.primary_docker;
  calibre_path = vars.primary_calibre;
 in
 {
  virtualisation.oci-containers.containers = {
    automated-ffdl-alice = {
      image = "mrtyton/automated-ffdl:latest";
      user = "600:100";
      extraOptions = [ "--restart=unless-stopped" ];
      environment = {
        PUID = "600";
        PGID = "100";
      };
      volumes = [
        "${docker_path}/auto-fic/config:/config"
        "${calibre_path}/ffdl-alice:/var/lib/calibre-server"
      ];
    };
  };
  services.autopull = {
    enable = true;
    repo.FanFicFare-alice = {
      enable = true;
      path = /ZFS/ZFS-primary/calibre/ffdl-alice/config/FanFicFare;
    };
  };
 }
--- a/systems/palatine-hill/docker/default.nix
+++ b/systems/palatine-hill/docker/default.nix
@ -0,0 +1,79 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  imports = [
    ./act-runner.nix
    # temp disable archiveteam for tiktok archiving
    #./archiveteam.nix
    # ./books.nix
    #./firefly.nix
    #./foundry.nix
    ./glances.nix
    # ./haproxy.nix
    ./minecraft.nix
    ./nextcloud.nix
    # ./postgres.nix
    # ./restic.nix
    ./torr.nix
    # ./unifi.nix
  ];
  virtualisation.oci-containers.backend = "docker";
  virtualisation.docker.daemon.settings = {
    data-root = "/var/lib/docker2";
    bip = "169.254.253.254/23";
    fixed-cidr = "169.254.252.0/23";
    default-address-pools = [
      {
        base = "169.254.2.0/23";
        size = "28";
      }
      {
        base = "169.254.4.0/22";
        size = "28";
      }
      {
        base = "169.254.8.0/21";
        size = "28";
      }
      {
        base = "169.254.16.0/20";
        size = "28";
      }
      {
        base = "169.254.32.0/19";
        size = "28";
      }
      {
        base = "169.254.64.0/18";
        size = "28";
      }
      {
        base = "169.254.128.0/18";
        size = "28";
      }
      {
        base = "169.254.192.0/19";
        size = "28";
      }
      {
        base = "169.254.224.0/20";
        size = "28";
      }
      {
        base = "169.254.240.0/21";
        size = "28";
      }
      {
        base = "169.254.248.0/22";
        size = "28";
      }
    ];
    mtu = 9000;
  };
 }
--- a/systems/palatine-hill/docker/firefly.nix
+++ b/systems/palatine-hill/docker/firefly.nix
@ -0,0 +1,25 @@
 { ... }:
 let
  vars = import ../vars.nix;
  ffiii_path = "${vars.primary_docker}/firefly-iii";
 in
 {
  virtualisation.oci-containers.containers = {
    firefly = {
      image = "fireflyiii/core:latest";
      extraOptions = [
        "--network=firefly-iii_default"
        "--network=postgres-net"
      ];
      environmentFiles = [ "${ffiii_path}/.env" ];
      ports = [ "4188:8080" ];
      volumes = [ "${ffiii_path}/app/upload:/var/www/html/storage/upload" ];
    };
    fidi = {
      image = "fireflyiii/data-importer:latest";
      environmentFiles = [ "${ffiii_path}/.fidi.env" ];
      ports = [ "4187:8080" ];
      dependsOn = [ "firefly" ];
    };
  };
 }
--- a/systems/palatine-hill/docker/foundry.nix
+++ b/systems/palatine-hill/docker/foundry.nix
@ -0,0 +1,28 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  fvtt_path = "${vars.primary_games}/foundryvtt";
 in
 {
  virtualisation.oci-containers.containers = {
    foundryvtt = {
      image = "felddy/foundryvtt:11";
      hostname = "foundryvtt";
      environment = {
        #CONTAINER_PRESERVE_CONFIG= "true";
        TIMEZONE = "America/New_York";
        FOUNDRY_MINIFY_STATIC_FILES = "true";
      };
      environmentFiles = [ config.sops.secrets."docker/foundry".path ];
      volumes = [ "${fvtt_path}:/data" ];
      extraOptions = [
        "--network=haproxy-net"
      ];
    };
  };
  sops.secrets."docker/foundry" = {
    owner = "docker-service";
    restartUnits = [ "docker-foundryvtt.service" ];
  };
 }
--- a/systems/palatine-hill/docker/glances.nix
+++ b/systems/palatine-hill/docker/glances.nix
@ -0,0 +1,24 @@
 { ... }:
 let
  vars = import ../vars.nix;
  glances_path = "${vars.primary_docker}/glances";
 in
 {
  virtualisation.oci-containers.containers = {
    glances = {
      image = "nicolargo/glances:latest-full";
      extraOptions = [
        "--pid=host"
        "--network=haproxy-net"
      ];
      volumes = [
        "/var/run/docker.sock:/var/run/docker.sock"
        "${glances_path}/glances.conf:/glances/conf/glances.conf"
      ];
      environment = {
        GLANCES_OPT = "-C /glances/conf/glances.conf -w";
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/haproxy.cfg
+++ b/systems/palatine-hill/docker/haproxy.cfg
@ -0,0 +1,207 @@
 global
 #  stats socket /var/run/api.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
 # log stdout format raw local0 info
  log stdout format raw local0
  crt-base /etc/ssl/certs/
  maxconn 120000
 defaults
  log global
  mode http
  timeout client 2000m
  timeout connect 200s
  timeout server 2000m
  timeout http-request 2000m
 frontend stats # you can call this whatever you want
  mode http
  bind *:9000       # default port, but you can pick any port
  stats enable      # turns on stats module
  stats refresh 10s # set auto-refresh rate
 #Application Setup
 frontend ContentSwitching
  bind *:80
 # bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
  bind *:443 ssl crt /etc/ssl/certs/origin_ca_ecc_root_new.pem crt /var/lib/acme/nayeonie.com/full.pem strict-sni
  mode  http
  option httplog
  # max-age is mandatory 
  # 16000000 seconds is a bit more than 6 months
  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
  # Front-end acess control list
  http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
  # Front-end acess control list
  acl host_www hdr(host) -i www.alicehuston.xyz
  acl host_www hdr(host) -i alicehuston.xyz
 #  acl host_ldapui hdr(host) -i authui.alicehuston.xyz
  acl host_glances hdr(host) -i monit.alicehuston.xyz
  acl host_glances hdr(host) -i glances.alicehuston.xyz
  # acl host_foundry hdr(host) -i dnd.alicehuston.xyz
 #  acl host_netdata hdr(host) -i netdata.alicehuston.xyz
  #acl host_terraria hdr(host) -i terraria.alicehuston.xyz
  acl host_nextcloud hdr(host) -i nextcloud.alicehuston.xyz
  acl host_nextcloud hdr(host) -i nayeonie.com
  acl host_hydra hdr(host) -i hydra.alicehuston.xyz
  acl host_attic hdr(host) -i attic.alicehuston.xyz
  acl host_minio hdr(host) -i minio.alicehuston.xyz
  acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
  acl host_attic hdr(host) -i attic.nayeonie.com
  acl host_minio hdr(host) -i minio.nayeonie.com
  acl host_minio_console hdr(host) -i minio-console.nayeonie.com
  #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
 #  acl host_collabora hdr(host) -i collabora.alicehuston.xyz
  acl host_prometheus hdr(host) -i prom.alicehuston.xyz
  acl host_gitea hdr(host) -i git.alicehuston.xyz
  acl host_gitea hdr(host) -i nayeonie.com
  # Backend-forwarding
  use_backend www_nodes if host_www
 #  use_backend ldapui_nodes if host_ldapui
  use_backend glances_nodes if host_glances
  use_backend foundry_nodes if host_foundry
 #  use_backend netdata_nodes if host_netdata
 # use_backend terraria_nodes if host_terraria
  use_backend nextcloud_nodes if host_nextcloud
  use_backend hydra_nodes if host_hydra
  use_backend attic_nodes if host_attic
  #use_backend nextcloud_vol_nodes if host_nextcloud_vol
 #  use_backend collabora_nodes if host_collabora
  use_backend prometheus_nodes if host_prometheus
  use_backend minio_nodes if host_minio
  use_backend minio_console_nodes if host_minio_console
  use_backend gitea_nodes if host_gitea
 #frontend ldap
 #  bind *:389
 #  bind *:636 ssl crt /etc/ssl/certs/cloudflare.pem
 #  mode tcp
 #  option tcplog
 #  acl host_ldap hdr(host) -i auth.alicehuston.xyz
 #  use_backend ldap_nodes if host_ldap
 backend nextcloud_nodes
  mode http
  server server nextcloud:80
  acl url_discovery path /.well-known/caldav /.well-known/carddav
  http-request redirect location /remote.php/dav/ code 301 if url_discovery
  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
 #backend nextcloud_nodes
 #  mode http
 #  server nxserver nextcloud:80
 #  acl url_discovery path /.well-known/caldav /.well-known/carddav
 #  http-request redirect location /remote.php/dav/ code 301 if url_discovery
 #  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
 #backend nextcloud_vol_nodes
 #  mode http
 #  server server nextcloud-vol:80
 #  acl url_discovery path /.well-known/caldav /.well-known/carddav
 #  http-request redirect location /remote.php/dav/ code 301 if url_discovery
 #  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
 #  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
 #  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
 #  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
 #  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
 #  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
 #  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
 #backend terraria_nodes
 #  mode http
 #  server server terraria:6526
 #backend collabora_nodes
 #  mode http
 #  server server collabora:9980
 backend www_nodes
  mode http
  server server grafana:3000
 backend minio_nodes
  mode http
  server server 192.168.76.2:8500
 #  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
 #  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
 #  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
 #  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
 #  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
 #  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
 #  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
 backend minio_console_nodes
  mode http
  server server 192.168.76.2:8501
 # backend foundry_nodes
 #   timeout tunnel 50s
 #   mode http
 #   server server foundryvtt:30000
 #backend ldap_nodes
 #  mode tcp
 #  balance roundrobin
 #  option ldap-check
 #  server ldap1 192.168.76.2:1636 ssl ca-file /etc/ssl/certs/origin_ca_rsa_root.pem
 #
 #backend ldapui_nodes
 #  mode http
 #  server server 192.168.76.2:18081
 backend glances_nodes
  mode http
  server server glances:61208
 backend hydra_nodes
  mode http
  server server 192.168.76.2:3000
 backend attic_nodes
  mode http
  server server 192.168.76.2:8183
 backend prometheus_nodes
  mode http
  server server 192.168.76.2:9001
 backend gitea_nodes
  mode http
  server server 192.168.76.2:6443
 #backend netdata_nodes
 #  mode http
 #  server server 192.168.76.2:19999
 # backend dnd_nodes
 #   mode http
 #   server server foundry:30000
 #   acl host_www hdr(host) -i www.tmmworkshop.com
 frontend giteassh
  mode tcp
  bind :2222
  default_backend giteassh_nodes
 backend giteassh_nodes
   mode tcp
   server s1 192.168.76.2:2223
 frontend minecraft
  mode tcp
  bind :25565
  default_backend router_nodes
 backend router_nodes
   mode tcp
   server s1 mc-router:25565
--- a/systems/palatine-hill/docker/haproxy.nix
+++ b/systems/palatine-hill/docker/haproxy.nix
@ -0,0 +1,33 @@
 { ... }:
 {
  virtualisation.oci-containers.containers = {
    haproxy = {
      image = "haproxy:latest";
      extraOptions = [
        "--restart=always"
        "--network=haproxy-net"
      ];
      volumes = [
        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg:ro"
        "/ZFS/ZFS-primary/docker/haproxy/certs:/etc/ssl/certs:ro"
      ];
      ports = [
        "80:80"
        "443:443"
        "25565:25565"
      ];
      environment = {
        PUID = "600";
        PGID = "600";
      };
      dependsOn = [
        "nextcloud"
        "grafana"
        "foundryvtt"
        "glances"
        "mc-router"
      ];
    };
  };
 }
--- a/systems/palatine-hill/docker/minecraft.nix
+++ b/systems/palatine-hill/docker/minecraft.nix
@ -0,0 +1,96 @@
 { config, lib, ... }:
 let
  servers = {
    atm6 = "atm6.alicehuston.xyz";
    stoneblock3 = "sb3.alicehuston.xyz";
    RAD2 = "rad.alicehuston.xyz";
    skyfactory = "sf.alicehuston.xyz";
    divinejourney = "dj.alicehuston.xyz";
    rlcraft = "rlcraft.alicehuston.xyz";
    arcanum-institute = "arcanum.alicehuston.xyz";
    bcg-plus = "bcg.alicehuston.xyz";
  };
  defaultServer = "rlcraft";
  defaultEnv = {
    EULA = "true";
    TYPE = "AUTO_CURSEFORGE";
    STOP_SERVER_ANNOUNCE_DELAY = "120";
    STOP_DURATION = "600";
    SYNC_CHUNK_WRITES = "false";
    USE_AIKAR_FLAGS = "true";
    MEMORY = "8GB";
    ALLOW_FLIGHT = "true";
    MAX_TICK_TIME = "-1";
  };
  defaultOptions = [
    "--stop-signal=SIGTERM"
    "--stop-timeout=1800"
    "--network=minecraft-net"
  ];
  vars = import ../vars.nix;
  minecraft_path = "${vars.primary_games}/minecraft";
 in
 {
  virtualisation.oci-containers.containers = {
    mc-router = {
      image = "itzg/mc-router:latest";
      extraOptions = [
        "--network=haproxy-net"
        "--network=minecraft-net"
      ];
      cmd = [
        (
          "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
          + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
        )
      ];
    };
    # rlcraft = {
    #   image = "itzg/minecraft-server:java8";
    #   volumes = [
    #     "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
    #     "${minecraft_path}/rlcraft/data:/data"
    #   ];
    #   hostname = "rlcraft";
    #   environment = defaultEnv // {
    #     VERSION = "1.12.2";
    #     CF_SLUG = "rlcraft";
    #     DIFFICULTY = "hard";
    #     ENABLE_COMMAND_BLOCK = "true";
    #   };
    #   extraOptions = defaultOptions;
    #   log-driver = "local";
    #   environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
    # };
    bcg-plus = {
      image = "itzg/minecraft-server:java17";
      volumes = [
        "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
        "${minecraft_path}/bcg-plus/data:/data"
      ];
      hostname = "bcg-plus";
      environment = defaultEnv // {
        VERSION = "1.17";
        CF_SLUG = "bcg";
        DIFFICULTY = "normal";
        DEBUG = "true";
        # ENABLE_COMMAND_BLOCK = "true";
      };
      extraOptions = defaultOptions;
      log-driver = "local";
      environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/minecraft".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix
+++ b/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix
@ -1,7 +0,0 @@
 {
  imageName = "nextcloud";
  imageDigest = "sha256:fe7f941cc514fe01e343a515c7b33e6b12707c718157f6e25a67119e9918a061";
  sha256 = "07w9rvmr2qy037ljdmk6w1n2dmwwa31ig7gzfb084wiv18hjfrg4";
  finalImageName = "nextcloud";
  finalImageTag = "apache";
 }
--- a/systems/palatine-hill/docker/nextcloud.nix
+++ b/systems/palatine-hill/docker/nextcloud.nix
@ -0,0 +1,107 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  nextcloud_path = vars.primary_nextcloud;
  redis_path = vars.primary_redis;
  # nextcloud-image = import ./nextcloud-image { inherit pkgs; };
  nextcloud-base = {
    # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
    image = "nextcloud-nextcloud";
    hostname = "nextcloud";
    volumes = [
      "${nextcloud_path}/nc_data:/var/www/html:z"
      "${nextcloud_path}/nc_php:/usr/local/etc/php"
      "${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting"
      #"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
    ];
    extraOptions = [
      "--network=haproxy-net"
      "--network=postgres-net"
      "--network=nextcloud_default"
    ];
    dependsOn = [ "redis" ];
    environmentFiles = [ config.sops.secrets."docker/nextcloud".path ];
  };
 in
 {
  virtualisation.oci-containers.containers = {
    nextcloud = nextcloud-base // {
      ports = [ "9999:80" ];
    };
    redis = {
      image = "redis:latest";
      user = "600:600";
      volumes = [
        "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
        "${redis_path}:/data"
      ];
      extraOptions = [
        "--network=nextcloud_default"
      ];
      cmd = [
        "redis-server"
        "/usr/local/etc/redis/redis.conf"
      ];
    };
    go-vod = {
      image = "radialapps/go-vod:latest";
      dependsOn = [ "nextcloud" ];
      environment = {
        NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
      };
      volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ];
      extraOptions = [
        "--device=/dev/dri:/dev/dri"
      ];
    };
    collabora-code = {
      image = "collabora/code:latest";
      dependsOn = [ "nextcloud" ];
      environment = {
        aliasgroup1 = "https://collabora.nayenoie.com:443";
        aliasgroup2 = "https://nextcloud.alicehuston.xyz:443";
        aliasgroup3 = "https://.*:443";
        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
      };
      environmentFiles = [
        config.sops.secrets."docker/collabora".path
      ];
      extraOptions = [
        "--network=haproxy-net"
        "--privileged"
      ];
      ports = [ "9980:9980" ];
    };
  };
  users.users.www-data = {
    uid = 33;
    isSystemUser = true;
    group = "www-data";
  };
  users.groups.www-data = {
    gid = 33;
    members = [ "www-data" ];
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/redis" = {
        owner = "docker-service";
        restartUnits = [ "docker-redis.service" ];
      };
      "docker/nextcloud" = {
        owner = "www-data";
        restartUnits = [ "docker-nextcloud.service" ];
      };
      "docker/collabora" = {
        owner = "www-data";
        restartUnits = [ "docker-collabora.service" ];
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/postgres.nix
+++ b/systems/palatine-hill/docker/postgres.nix
@ -0,0 +1,67 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  psql_path = "${vars.primary_db}/postgresql";
 in
 {
  virtualisation.oci-containers.containers = {
    postgres = {
      image = "postgres:16";
      user = "600:600";
      volumes = [
        "${psql_path}/primary_new:/var/lib/postgresql/data"
        "${psql_path}/pg_archives:/opt/pg_archives"
      ];
      log-driver = "local";
      extraOptions = [
        "--network=postgres-net"
        "--health-cmd='pg_isready -U firefly'"
        "--health-interval=1s"
        "--health-timeout=5s"
        "--health-retries=15"
        "--shm-size=1gb"
        "--restart=always"
      ];
      environmentFiles = [ config.sops.secrets."docker/pg".path ];
    };
    postgres-secondary = {
      image = "postgres:16";
      user = "600:600";
      volumes = [
        "${psql_path}/secondary_new:/var/lib/postgresql/data"
        "${psql_path}/pg_archives:/opt/pg_archives"
      ];
      log-driver = "local";
      extraOptions = [
        "--network=postgres-net"
        "--health-cmd='pg_isready -U firefly'"
        "--health-interval=1s"
        "--health-timeout=5s"
        "--health-retries=15"
        "--shm-size=1gb"
        "--restart=always"
      ];
      environmentFiles = [ config.sops.secrets."docker/pg".path ];
    };
    postgres-adminer = {
      image = "adminer/latest";
      user = "600:600";
      ports = [ "4191:8080" ];
      dependsOn = [ "postgres" ];
      extraOptions = [
        "--restart=always"
        "--network=postgres-net"
      ];
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/pg".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/docker/restic.nix
+++ b/systems/palatine-hill/docker/restic.nix
@ -0,0 +1,38 @@
 { ... }:
 let
  vars = import ../vars.nix;
  restic_path = "${vars.primary_backups}/restic";
 in
 {
  virtualisation.oci-containers.containers = {
    restic = {
      image = "restic/rest-server:latest";
      volumes = [ "${restic_path}:/data" ];
      environment = {
        OPTIONS = "--prometheus --htpasswd-file /data/.htpasswd";
      };
      ports = [ "8010:8000" ];
      extraOptions = [
        "--restart=always"
        "--network=restic_restic"
      ];
    };
    grafana = {
      image = "grafana/grafana:latest";
      extraOptions = [
        "--restart=always"
        "--network=haproxy-net"
      ];
      volumes = [
        "grafanadata:/var/lib/grafana"
        "${restic_path}/dashboards:/dashboards"
        "${restic_path}/grafana.ini:/etc/grafana/grafana.ini"
      ];
      environment = {
        GF_USERS_DEFAULT_THEME = "dark";
      };
    };
  };
 }
--- a/systems/palatine-hill/docker/torr.nix
+++ b/systems/palatine-hill/docker/torr.nix
@ -0,0 +1,103 @@
 { pkgs, ... }:
 let
  delugeBase = {
    environment = {
      PUID = "600";
      PGID = "100";
      TZ = "America/New_York";
      UMASK = "000";
      DEBUG = "true";
      DELUGE_DAEMON_LOG_LEVEL = "debug";
      DELUGE_WEB_LOG_LEVEL = "debug";
    };
  };
  vars = import ../vars.nix;
  #docker_path = vars.primary_docker;
  torr_path = vars.primary_torr;
  deluge_path = "${torr_path}/deluge";
  delugevpn_path = "${torr_path}/delugevpn";
  genSopsConf = file: {
    "${file}" = {
      format = "binary";
      sopsFile = ./wg/${file};
      path = "${delugevpn_path}/config/wireguard/configs/${file}";
      owner = "docker-service";
      group = "users";
      restartUnits = [ "docker-delugeVPN.service" ];
    };
  };
 in
 {
  virtualisation.oci-containers.containers = {
    deluge = delugeBase // {
      image = "binhex/arch-deluge";
      volumes = [
        "${deluge_path}/config:/config"
        "${deluge_path}/data/:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      ports = [
        "8084:8112"
        "29433:29433"
      ];
    };
    delugeVPN = delugeBase // {
      image = "binhex/arch-delugevpn";
      extraOptions = [
        "--privileged=true"
        "--sysctl"
        "net.ipv4.conf.all.src_valid_mark=1"
      ];
      environment = delugeBase.environment // {
        VPN_ENABLED = "yes";
        VPN_CLIENT = "wireguard";
        VPN_PROV = "custom";
        ENABLE_PRIVOXY = "yes";
        LAN_NETWORK = "192.168.0.0/16";
        NAME_SERVERS = "194.242.2.9";
        # note, delete /config/perms.txt to force a bulk permissions update
      };
      volumes = [
        "${delugevpn_path}/config:/config"
        "${delugevpn_path}/data:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      ports = [
        "8085:8112"
        "8119:8118"
        "39275:39275"
        "39275:39275/udp"
      ];
    };
  };
  systemd.services.docker-delugeVPN = {
    serviceConfig = {
      ExecStartPre = [
        (
          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
          + "-type l -not -name wg0.conf "
          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
        )
      ];
      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
    };
  };
  sops.secrets =
    (genSopsConf "se-mma-wg-001.conf")
    // (genSopsConf "se-mma-wg-002.conf")
    // (genSopsConf "se-mma-wg-003.conf")
    // (genSopsConf "se-mma-wg-004.conf")
    // (genSopsConf "se-mma-wg-005.conf")
    // (genSopsConf "se-mma-wg-101.conf")
    // (genSopsConf "se-mma-wg-102.conf")
    // (genSopsConf "se-mma-wg-103.conf");
 }
--- a/systems/palatine-hill/docker/unifi.nix
+++ b/systems/palatine-hill/docker/unifi.nix
@ -0,0 +1,61 @@
 { config, ... }:
 let
  vars = import ../vars.nix;
  unifi_path = "${vars.primary_docker}/unifi-2.0";
  mongo_path = "${vars.primary_db}/mongo";
 in
 {
  virtualisation.oci-containers.containers = {
    unifi-controller = {
      image = "lscr.io/linuxserver/unifi-network-application:latest";
      volumes = [ "${unifi_path}/config:/config" ];
      log-driver = "local";
      dependsOn = [ "mongodb" ];
      extraOptions = [ "--restart=unless-stopped" ];
      ports = [
        "8443:8443"
        "3478:3478/udp"
        "10001:10001/udp"
        "8080:8080"
        "1900:1900/udp" # optional
        "8843:8843" # optional
        "8880:8880" # optional
        "6789:6789" # optional
        "5514:5514/udp" # optional
      ];
      environment = {
        PUID = "1000";
        PGID = "100";
        TZ = "America/New_York";
        MEM_LIMIT = "1024"; # optional
        MEM_STARTUP = "1024"; # optional
        MONGO_USER = "unifi";
        MONGO_HOST = "mongodb";
        MONGO_PORT = "27017";
        MONGO_DBNAME = "unifi";
      };
      environmentFiles = [ config.sops.secrets."docker/unifi".path ];
    };
    mongodb = {
      image = "docker.io/mongo:7.0";
      environment = {
        PUID = "1000";
        PGID = "100";
        TZ = "America/New_York";
      };
      extraOptions = [ "--restart=unless-stopped" ];
      volumes = [
        "${mongo_path}/unifi:/data/db"
        "${unifi_path}/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro"
      ];
    };
  };
  sops = {
    defaultSopsFile = ../secrets.yaml;
    secrets = {
      "docker/unifi".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/docker/watchtower.bash
+++ b/systems/palatine-hill/docker/watchtower.bash
@ -0,0 +1,26 @@
 #! /usr/bin/env nix
 #! nix shell nixpkgs#docker nixpkgs#bash nixpkgs#gawk --command bash
 outdated_msg="Project code is out of date and needs to be upgraded. To remedy this problem immediately, you may reboot your warrior."
 label="$1"
 label_val="$2"
 if (( $# != 2 )); then
    echo "usage: $0 label label_value"
 fi
 containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")
 for container in ${containers[@]}; do
  echo "checking ${container}"
  last_msg=$(docker logs -n 1 "${container}")
  if [[ $last_msg =~ $outdated_msg ]]; then
    echo "${container} is outdated, restarting"
    imageTag=$(docker ps --format '{{.Names}}\t{{.Image}}' -f "name=$container" | grep -w "$container" | awk '{print $NF}')
    docker pull "$imageTag"
    systemctl restart "docker-${container}"
  fi
 done
--- a/systems/palatine-hill/docker/wg/se-mma-wg-001.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-001.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:PytLIf5ceSyhxNs3p4N89GKxh7zTvTTbzKhw6SqEPrWSgRo+ntOZQgkUWBwFRGmWjFjMoMmkxaHkyrBLo/lYb6MAKuPNCb4Ss2ArSHk1qOl9u39lXYSs4NNaZYx6r5vs9IspYsIzfbkz2mad5ZaeEuDjiGCethaw9SthXNyjOOEIo/zYB/9Qju963kPXCpexu2/nbhwr/ilXzP8zzhzl712CMULV2GwISrKQcnJYyhqwzAuLmmsG50J3It3BZBUwTbyiIRK4ka0wrycqVmVDKyasUX71LYlq9MifttFCjQCN8xE7FmDl8nSBBaub9Vss5IAF+DcIRNRIQ7f6INuo,iv:CbvR5AEtENWTKP7UPqjYl7qNvyZvPZRFawrU8xoYdL4=,tag:9C5KmHeZkt62Ujkg2Wzt3A==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNTh3RHN5bGVDZ29YS0pD\nbXpoL3E1emlJeEJMUWo3SzM2ODQ4c2FndWxNCnZUN3dIaTM3bXpOWDcxSzhROHlM\nQlJTTGl2WEs1NlczUlhhMEcvWWlXaGsKLS0tIENlY3dvNEF4UEllQnR2aDJFbSs2\nVE05RnRDSVphNHcrR3paQ3BFOU8vNkUKOtItYEU8P0Wu6TDzPylTTGhwlAiSgDEq\nJnRYAH6kE+qAnpK2xQyG4n0xbhNiASUVQgNJJyN+5BZi0dDf7k9CQA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:g/ba90H1dGisB71/MWXkJDCQEXphWu0tOv04ScmEjKPm58TRM0W1oUVDPa7QWHrcdozz0LnQndhs4enW+SqRF39YBmL8OziddStVgTWC4chBazAPHBcGCgLApP9RAjNhiyosTIypLqppY08UIGU1Q1qEzcoHendu6hSMX09jG+A=,iv:6UPwNmUbjt+z7Vr7yuQ3fdsmTwBwE5AUQw3IzonqXZ4=,tag:nmloGiYkKXNGcbn8aBmNAQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAtZwfBH7XpTMkoZMd7QojukRfwU1Z7O/ZHcBzW0rYiTgw\nuYKmkKxSPqY9E/zzNpO0C52NwyAUerM851DaOHkZvcNBkMGdFLKvLf53wgPZKlkc\n1GgBCQIQNLHtkosd/X7cb8VScXNk8CVsckRQJWiHFkPtbYcyz9O55hJOdg0TGmbQ\nf4v9yNrVG6OFQTfV8IXbIJ7fANPNDTu/gDE/XB4W8GzgmLReAsaUnxJWd7a2LSFn\nCkiJsF+JY3QsYg==\n=55xj\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-002.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-002.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:ULynEBONpLJNPcSGjnFTLkrc4PNDNVqvpQ7LWqsMC0mW6SaDFn1e8MJkK4SSLjx2UCajMOyuvzNYzLd5AxMKBgsH/P1KAAednunOEU0ADKIzsrmEqr/zrX709yXPQY2783Os29jFFpCeQra8z3YR2vfU/PcOtqzoOuipRo0p1yUtehBLN40ogP9aLc+zxkoQxts20sU2EOe7rivU9WsBGQ2m3/Eg8ucH0aNdiN1BF/pIwyXbwMxcXtUCs0jVINJqsgFx2Ntmuz24dgZnTr8Hibz0v3F1LXcFbIIiH8OaCb3S4X2Zd/nCJqxRFz+cmzvcMplQHyE1XOYqP0OTA6s=,iv:skT932uptVD/zmbm/nxtzciD9dlYbJU4HzgHZtuathY=,tag:a/x3/an0q8hhexm4dpsVYA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4T0p1alJDd05KOTBjTVhL\nMVlPZno5YVlWRG0xUWZoUkJyVVZWRitLUTFZCmJmWXdzZHlGdG5GWWI2QWZXRUhY\nVVV1WUxaNWtVcmVtakI2dHpheS9HcTAKLS0tIDFsK0ZIR040dEdQQXV1NUpCQnVB\nOU9YU0NQSkwxMEtPdnRQeUYwc2hiczAKSynE6XsoUXyoLbUuuzqXbIbGoSeZR0S/\npMhZwI2fzh3vuLO0GpREkQRJ0azEvbbFPYdhJAFIBu/eRYd70IySlA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:pk7jtod+BCMqF6Hwgkd2AReDqkLGZvnBsDBJIipi/PNQQnq04BgT3TKDL3aQD4sKREjc0dyubQtvq4pAE3Fs+fOLgfhW6uYgvkreSg7Q7aSx299l2OaIc+pI47Emt0s+QIjFz2hd3KHxBkKr9xg5m3aITVex+96VqPUO5DPusqs=,iv:nsv3uPIz8iwrXAlQ0sd7J7T7jg3Yif4DsJV9g9aAAXY=,tag:xAIvz4KPTlpIuDZZfv3qkw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAGNsLJiDmbwfugWEdArQwUDMm6yL6bHbRhQsniyz6RFYw\nbmOG9HElDZGrQor2N+OmjRJzBnmrC3H00PBuM1dx6L9pHZpf8/CT477ZE66IDxOw\n1GgBCQIQUtKFTM34FXDEV4sTfawGatyVDoqFq+gxtI6iJA+1YgrJkZzV/5yAlINb\nsiiO0h1dvUS7uMZT/EPEBDvprXwDXrk6GHTtxAQTP3XQzO3bz0x6RhMJOEj+7hEB\nrkne981/Q2FiDg==\n=kGYU\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-003.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-003.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:1pgCvsAcTSFMhb6OKujAtyEfR+Uu544RecoLxy6hhbj8PupUuosJ+lt5gOMqOzHvjUBMvKM/mqJ+JuahChclwXg+XCgB/7yh0tlwPyftPNoWltEwu/AsP7QUwXomfj/AbwzxfB8oTw4U2Ot4DfObDNvhfA88Sva2OE6mkapoRAAFND4CoglOoJ5F+vjLf0XsRCaHTVXCTwmd6BNb+ZHs+heztlaFRp5Mv8TINOlDl3yhW8V10r8ZhLoF421DVAtVLsuOQ6rbzGOZy9A+HfZJlaEZcgFHLKi40pBKQWw5xFrDp8gml/eMtkkKRZR88v+eXT+QCrg3biVYrdIhJlA=,iv:kIOTAido5Xm1fB5Xz7bsrwNM9dbjMIxvqIcNfXbUU6w=,tag:mrzFeyo4D3Y8lah9DU4kqg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbFdnRDlGNUxhTFd3NHhM\nanZmMksxV2xJdUVRL1NFQlJySjU2ZUJSQkg0CnIxb0FIeWMzMzdNalVNUmhQM1lX\nd0h6RWdPak5QeS9WYksrcHhERmd6Y2MKLS0tIDc5ZEFhK0dycFM2N29wN09BOVNK\nTWJjNThyTUxqNWxsTmw5WmlBV0xlK2sKE3L8/VvO8vmsqUV939JM2qdVUOsHAN3p\nwFfeldy2T6ojCVLWdl3CnZ7DmRumweEsSq1JP1mkZzfxotZloMUH5w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:hmYfiTiGuO3oF/nGMP7vizC7nJtxYp1nFKoYsZR+GogpN3m3pqdKbLfqWLHXCI5o1l2nZjCo8VgUQYGrwePertOtlTF2rUz9fSxl3EsmoPbZOkt/NawjiIN3lARYTyoxwAq4Qtsna0OJTq9Yb+DlnMUTH+zk3/32K8dF2STRB84=,iv:8jYMtSSVOu5OIR4/TsM/upnZvvTh+ObkHcUiZtNLf+M=,tag:ANLwWSNxZxUM731LdQIO0A==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdADhzkz5iF5geZvou70PeWpN718CeGgvbs97VWhxL25gEw\nphKaEn/73p0Qjqnpu5xVQi0GwSOFVt2UFjLf55aEjdBPb/RwVp0kAeDzzaDSR6/m\n1GgBCQIQXglRmyXJWRT4RdsWOFM1SpuFV1F235UJIEn/O0yGiQvuBQF6OVuvqYgV\nYNi2KFUU+99WaQvxUYddGzCHMEC2AAuKSSNBvs2LSGu0Ic/KWjrcn6yeXEPuv8a/\nHsvjhXACkXWN/Q==\n=JWpI\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-004.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-004.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:s8ANdI9fL6hX9K3ypZcmxhQv3VWZ0BYCMmEWatNpQv+0t4kLMmDIbtvLVBTjLoFvWcfy31vAEhbhZPOE0iQXUohiwfVu67/nR3gzcVpeERvtYlqb4q4RwDIgFXKZUd7y55CIcJbpFRR6U5/NCG2+PEAD5J4OtNTkjnpleipNqcI7Ccg062jVqiavOeKw+eoLMomJsJYqdeTUb9nwYlYoe87aIhZFmAKe0Z1ps6ClzaHSWsr0RSbaDFgBJxUo1brEETsIkphNktIe2kVY72PaOqiNZavEhgPfIc42Ldr4zyaW9nrau8ZsiGM/1VxrHwEOlqW6QimZO9epv6jQgTm0,iv:lSZ5H1kkokiwr6o/X42ElkLvNnWOJZkuD4Tt+vkX8uc=,tag:G+bcX3QzEIcmkxjBsSGLNw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5R0J6UmFPVWo5ME84Q3Rq\nN0J3MmowemJNa0pwNlVqQjdUR0NOWTh2MEU4CitGbkt4UDhuYlRFTlp3eHNGV1JG\nc0p6ZVlxUURhQ1NLbDhvc3VPazh5MmMKLS0tIERTcW54OTFhYjcxUVliRFFmOExk\nL1JMb0VyTDAzd1h3TXgwQ1V3VzZmdWcKZLwB3/3M5Ph9xvkBUrTZXvE13R83NCaT\nHYCKZoJx/CexdDXpij/H9fMI2BgRP1UBgxyWVg0pAAPrxhNhpiteVA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:PC2Gk57K2IQbGsAjXvN7BDaYO09vg+MKZcrieA6kPFeWVK7Nbic9iQiRsqs8cMOgQ4ZWNFJqyCmSPNKhWAkhmcuc3TNXTCGUl9AsWUyVLU1KL0I48320U+72ce4RY0vtO8FjgPjeFRtuzrHO4eOQhULrX7FhtUYq3/meZjP3PmM=,iv:P3LfN/+LS8wbRFcTvJhCU1LEqayWCUwqtHAmPodUXZE=,tag:DMuEdIKy8hBo/jdvnv7yaQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAAVsYsC/Di95MPmvkveVSZVZLPDuyWGdmgFFjGz1/l0Qw\nklzbhejv4x04f9j8zWG1Nsnvkkgv2wf++514BCGBN/DvlcFrv1xVPcA2RCqxr49t\n1GYBCQIQJvmrC8GUr9qp0yYEcUzXAaYh9hUA+fGPc1L45PmWVwjnY2wRtco4Y/uu\nLI09Esz6GH9vVesL3oO9A1uXArKw9dqph+Q6l3XAbtUp/y2vSU2xZlaQ83hAP3S1\nTryM3Ex9a80=\n=d/cZ\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-005.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-005.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:lre1gMfmXwB/FxXrF7VguPFmunswv7Y2+GhIOJYu5ijTpDV0O3mumM5Xmk8dZ//3xPQuqFJBJEpMI8nggAWG3pEd4x5otDimJR0OHb0zoHbDE2YyNWR6pwUk07QkhTYJ0UzLFtReRCSgkQmbR20nfew1Ta9HYEDeqBH9+nFBBqlhJkYXybmjC+sWpyEkhnAUk2cjz74WiE4cFemLj8M1+pZYany9uSeY8MI+zO3PU6XyMEdEx9+H2vmvUR+MMzR01cZlHBPghgVlPtDAerTOOFo7Med/HSKUsFLm84K+DerjZ7tIP34xEY7NjW3epxk53UmUdbY8DJ+pBPVcL8k=,iv:CIHbLf6ARlXs3QQKg6hfO47WfQXYMtzCt/2Qv9Vmmgo=,tag:/uR4nPjpqEJ8zv8/H54xxg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWkhMT1dHNklvK2VXNGtq\nUG9tUS8xM0VoVDZTSTNvZ21teGYrSHRMelJrClU2Q2ovR01OK2E4d2F1aXRmaXRK\nckZ2WFhDYVA4bEVLMUl6WU0xd1p2NlkKLS0tIHZJV3FUYk5oNi9CQXlzSFUxSlVV\nV3Y3Q3RrT3JMVUh0Tmg5V3dtaURpcVEKRZ3dja+pVm2sAdQexiSw/si+CM2esjQM\nq0/9AfMPrULAdHrkvxLfyJRFWQlr2/g02QbeCE8HHYbVWSGaN2pJng==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:lxWz7NnYyAUyY52ewC1Eh9k1xDdJr0I2rEhiGukdKxg0G1gVhrj0UjFEdnkrMALrYbPh3yE1vj/E+xcPJZtrkuCQNTJkxnLlLijhXM39Um3M1KpIMDx5qOHggaT4T+HhdgJBqvkMiBypyP1ph9MPEYvg+mL4au6jd8fRaw2TUII=,iv:IbqBUWb1MrEcVy9rONDYzbB454XVYRi4mdtWo15RZ28=,tag:Cefs9e7CBk2/QsPS1LD3+A==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdARE07oxCX7FzLNlR9Pjmc1hUVGGD2KJdkFlM0cZl9uUEw\n1zW5R66Wy37KlREIRWXz2lnmN2Txpou+fC8zkxPcYXu+s+nWjbJbCRcv233RspPi\n1GgBCQIQWfGy65DBWWjSp2Sr9Ny/Pxvhzy0IF58AW32gTsxYmoeT+9qVuFcne3ut\nOEPyRqyBtnY3BOefXtBWsVBdtasFajhpp7rC2bSmd4sxacBL7DIwSVnTKpGs8Bsh\n8eCj7MwO/uRDFA==\n=frH4\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-101.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-101.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:iqmUJoBrXT91fFKdujhbHaLHcQF6J7+zjgaVsOwRkSwnB1OF/2BAf3jwvXjZiAIf7ytdrGjDR8t+Ze1hrncwJ/CuJuWtciX0qN9pky8p3Gpd85c5yZ1kWkC/wfT9VJ70EOe6gHYVnEk8PYqWfb+HaYWolUm4dqnMQcyZ1dkGJAyedvmrZvU/EyWPwwR3bVmVkup5skjExEx0POQSTJjE36Kewm/K4AQ3yBcCmmj7ZgYWQotViYW0iIQt3ZH+oItro+SqWb8/EcNjqQbU/1CkVtFEtIgyOpy1tZ7HFhaQI6xha78KC5nPn+dgckw1rrqbH5tUMEs0GHuAhi3v,iv:83eA9Rioryf5nDtcmput665AAR622yhd1ccbIz2aYQ4=,tag:b+j9T/tuEWORm3G9dDbVuA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Tjl2S2tsVGZPS09HaDFO\neHZ2NlN5OUJuRmlZem1xeGtISVMrU2g3WmtZCndobDRnenlWSUl3L00yQUVJUnYx\nR2pxbGJuTkJqT1Nocm9jK1Yra3QzQ1EKLS0tIGE4SjZIMzN5WEl2dnFWZkIwc2ps\nVENuVUUvK1FsTmQ4UFdDQ2hnL0laRUUKYAvGtZrZ5iHls6kXlkXjRZKLB+VotxBI\nqjsPoW1o/2HJ0IQt1HByaxxw80FFcaY79FMVBkJcdQjYOEHFuQjw+Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:09Z",
 		"mac": "ENC[AES256_GCM,data:xo7PG3dqcfwMra7b4AKA7tjBmdwGq6hmQdGCiVT+dx5U8u60B7iIhZA1Nlkrwj1tCqUDpBjVp5iGReYJ+fckYriBBRURFtSaNjmrBSUiswaR2FqxGiNKzW83TdLEncTMXlNdTWKxhPy8uRh0Xso/ZFqAWgPd3fvfUAVXgGmnCuw=,iv:zi0v2nJPhVmPeE7pNY5KGhJimYMtWhmHzareuZ39YN8=,tag:/2NKODtUaXJhxkJLqjn6gw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:09Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAxkXTiqh3KhrshdFSX+QUvPyxL23iLm0y1nCsQGwCcBMw\nIg4RMlZVlbSUya2IPRc2J2gt7E0Fyp/oYw9Ytsa3u6cR5L41dRS4tZcpHkyJpU9h\n1GYBCQIQqCh2mj3ErvL1BYA+sgvIh8hbzmBH8uWWNpCHCP1StjtduMyLT6rBiWuv\nPvoCvz3WWXufEvn7DEutAs+T92oNMcEHcGWWbsn8U1dIXQ+7Cl2CWDNMlxIoKtVN\nuBcXPqKFZho=\n=M3My\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-102.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-102.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:MvHQjTIH2RUsf/Re8piWc+foojfH1GpkDdgTgN5uGkBd+hFABF58ATN02SyrSJilwZiUIcmmd9yei59JKNumhY6daIcVzwpipGp2E/5ziLE0LzJ2+9Ov084TEclMe5vbEnJqtiB3Vu0w/9wKzbiXGWi/doqpNV1YKgore90Z3Mol4bVC/4ZSmm/YvRNZg51HPHtX65uZKuER54KqqkZOj0zPB8YiJHDbvtdoX2u8gEAenOjboHkRXRU9jgjytoP2Pw8W1dikajTXvtcjTzJijHVXZb70b0Yr5QnLOZaT4ovZA2Y4lkllpmQ4m+up5V3AkIk8iSLlFHOSaYNY,iv:0JpG17m9kD7xJ5vEBibuKG+yLL+xiIHlldFQ9TuWZwU=,tag:mPI3NUTmCnAXhcZ1jyAgrg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWklBZUQ3MFo1bUZuY1dy\nVGdUK0FlM1dSNFBYOEhkZUFMd1g0b2ErZXd3Clk2TlQ4aEROUEJFbmpwYXRQK21t\nalJ4Z0k5dlVHQzJzdWNUMnYvTFMvWTQKLS0tIE04TzNIcVlzby9IM0FNMWlOd1Z3\ndTFwa1ZoYjdqUGhUTVVqcmxPVThMV0UKa07ux2wYZCn/9pgejH2o2wAknVLo2YV+\npb49PUwm1wvXaUVOrgGWAEGV1WBkH0FjSUKpTGLZ1V5MJ+wBk1fzRg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:10Z",
 		"mac": "ENC[AES256_GCM,data:X6AY8uht59ISavkd199WKj+Tnvf6YRxLccRJe/TeEwYN6M9TDIkIDEJmiw25LuLWHq96k6kJ5LXg2XapvTddZs6XavANxVoafyB97JYcofsFgrt5ziVJQisLxxjwnOP7twUHtHN60TS+2Om4LKnx2qm4piMJpt1RTFQPquSrNGg=,iv:Zgl/L3ugPEyQTXnHqctDnRORC3fPTx/z/wAHFfo5ZS4=,tag:o3jdq1bHCzfavdNRwKk1Ww==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:10Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAWiLRFVRksLnX7OthQw84hoyjSEnsQyekp7kF/dbFAW4w\n4byTxDKfHHmSUvf9G96wOH/mNWpdAJiWlOQ7tPstVwoeHVBHSgf2vgd8MRTmrRzo\n1GgBCQIQjpgEmL08FuHrEGvT/WUSAIBXKhN56fyHOgT62NzOthiIIp6qxq27UjlX\np+ZUIR/X7qeJSVHJUKssNRnTKm1bbmbK/9ydXZtk/xHdFAD5YLZaz26ZknhaR7J1\ncHEHK6TQRL54lA==\n=DD6O\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/docker/wg/se-mma-wg-103.conf
+++ b/systems/palatine-hill/docker/wg/se-mma-wg-103.conf
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:K1RimM2itH8391EFz2SYMn+tDlTcf9bopuci3hkZPqi0Obr4M1pgQGEbs8xxcCYknE5HLGuW/zbMXL5UvFcGIVlvX0q/eZBerTuUz/VMbkzWiQ5Gqy9BpdXbb1i6vBDnNkDpfxrAu8vadUMifoUVTUconhoOzoR5byOMmUdx84z9W1S/9oztd9fRXhJIkoI23mxbaKr+zK7bX8CS73tVk8+oBFjeUPSt6+IwlmWx1iKVBs5tY/RPQ7kGTe3lIdbe2QIgPS/T7/W4xMoI+i9Z+SrW3eLOUyHNWQg/3gCPbOwvYt3xhj8RaScmW5L1a0SMPDQ/5CatOoiV/vrA,iv:NreCE5+5wyEKowJgtFXw7YPhbixpn+qCK403zzrkkjo=,tag:ptYXTDaKEs17fZichb+lbg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YlBUcWdWVGNwaUlqMjdt\nTWVqUW5LdVlZWC9Uem0zQXI0UldFMDYweDNBClVJSTJHL0c4anFnOSsvcmhBaldD\nSHNUem9aQk8rTTdLUFpML01uMFJjNkUKLS0tIGY4dXFUVm1mVThrWmFyS3BkTlhS\nblA1MmN1Q3MzRERlN3pLMTExSkx1RjAKonRli3BpI6iucyJAbWvERBPR0f6ewrIp\nBIQVkEBod/pdSiahMWfXjFVH0nmU9Ip2CwhZl1pGNOaHhnLtrUWmBg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-18T06:49:10Z",
 		"mac": "ENC[AES256_GCM,data:kDO0Y1wIe/ZWTiXeuAQtCS+fn1gR6L514e8qs7mzt1B6/u5hChy2L3WRR0DQN9V0wjl2bp6muAdfTEDbO7PmAbSE8wKHjCy97tzDgVSrtodUvGZUbm62bA0cx1VzgcKrCYHglSDsxmnYc3atxKlM8uWJ9GM4F4O+wRj/AH1QLYM=,iv:DgTrwKlftGmyuRDbROApudP9xANL7aBTbGgYRYqN5ZA=,tag:ek8rci9l2iDrYxP3b2EBvA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-18T06:49:10Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdA0ZIzTIWsWHwek/Z0bIQvfCa49t6aaM51M4HJFyCRpxQw\nJ7mW22C1kf35WAz5Hmm251B+UuW1wUITdavE3tYH9/yB1yQsTSgKd3Vze/r5Ebvu\n1GgBCQIQQJk9Blm+/vA3//hafY4tDtuCr7N+utLdDFK1lBy9+Qg8UtAiNP4fFffF\n8Eh0tx/Fg5n/2r4p9NGLFn/ZMMe9SnP19VsmGQQjA3RlK8jVmxvSCXLFzM85uZge\nYJDAMSU+8Q3qdg==\n=4Asa\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/systems/palatine-hill/firewall.nix
+++ b/systems/palatine-hill/firewall.nix
@ -0,0 +1,29 @@
 { ... }:
 {
  networking.firewall.allowedTCPPorts = [
    # qbit
    8081
    8082
    8443
    # hydra
    3000
    # minio
    8500
    8501
    # gitea
    2222
    2223
    8088
    # attic
    8183
    # collabora
    9980
  ];
 }
--- a/systems/palatine-hill/gitea.nix
+++ b/systems/palatine-hill/gitea.nix
@ -0,0 +1,64 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  base_path = "/ZFS/ZFS-primary/gitea";
 in
 {
  services.gitea = {
    enable = true;
    appName = "The Hearth";
    database = {
      type = "postgres";
      passwordFile = config.sops.secrets."gitea/dbpass".path;
      createDatabase = false;
      host = "127.0.0.1";
      name = "giteadb";
      port = 5433;
    };
    settings = {
      server = {
        DOMAIN = "nayeonie.com";
        ROOT_URL = "https://nayeonie.com/";
        HTTP_PORT = 6443;
        SSH_PORT = 2222;
        SSH_LISTEN_PORT = 2223;
        START_SSH_SERVER = true;
      };
      service = {
        DISABLE_REGISTRATION = true;
      };
      log = {
        LEVEL = "Trace";
        ENABLE_SSH_LOG = true;
      };
      "log.console-warn" = {
        LEVEL = "Trace";
        ENABLE_SSH_LOG = true;
      };
      cache = {
        enabled = true;
        dir = "";
        host = "192.168.76.2";
        port = "8088";
      };
    };
    stateDir = base_path;
    lfs.enable = true;
    recommendedDefaults = true;
  };
  systemd.services.gitea = {
    requires = [ "docker.service" ];
    after = [ "docker.service" ];
  };
  networking.firewall.allowedTCPPorts = [ 6443 ];
  sops.secrets = {
    "gitea/dbpass".owner = "gitea";
  };
 }
--- a/systems/palatine-hill/hardware-changes.nix
+++ b/systems/palatine-hill/hardware-changes.nix
@ -16,25 +16,6 @@
        };
      };
      postResumeCommands = ''
        # let root mount and everything, then manually unlock stuff
        load_zfs_nix() {
          local device="/dev/disk/by-uuid/8bfaa32b-09dd-45c8-831e-05e80be82f9e"
          local mountPoint="/"
          local options="x-initrd.mount,noatime,nodiratime"
          local fsType="ext4"
          echo "manually mounting key location, then unmounting"
          udevadm settle
          mountFS "$device" "$(escapeFstab "$mountPoint")" "$(escapeFstab "$options")" "$fsType"
          zfs load-key -L "file://$targetRoot/crypto/keys/zfs-nix-store-key" "ZFS-primary/nix"
          umount "$targetRoot/"
        }
        load_zfs_nix
      '';
    };
  };
--- a/systems/palatine-hill/loki.nix
+++ b/systems/palatine-hill/loki.nix
@ -0,0 +1,242 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  vars = import ./vars.nix;
  loki_storage = vars.primary_loki;
 in
 {
  # loki: port 3030 (8030)
  #
  services = {
    loki = {
      enable = true;
      configuration = {
        server.http_listen_port = 3030;
        # auth_enabled = false;
        ingester = {
          lifecycler = {
            address = "127.0.0.1";
            ring = {
              kvstore = {
                store = "inmemory";
              };
              replication_factor = 1;
            };
          };
          chunk_idle_period = "1h";
          max_chunk_age = "1h";
          chunk_target_size = 999999;
          chunk_retain_period = "30s";
          max_transfer_retries = 0;
        };
        schema_config = {
          configs = [
            {
              from = "2023-07-01";
              store = "tsdb";
              object_store = "aws";
              schema = "v13";
              index = {
                prefix = "index_";
                period = "24h";
              };
            }
          ];
        };
        storage_config = {
          tsdb_shipper = {
            active_index_directory = "${loki_storage}/boltdb-shipper-active";
            cache_location = "${loki_storage}/boltdb-shipper-cache";
            cache_ttl = "24h";
            shared_store = "filesystem";
          };
          aws = {
            directory = "${loki_storage}/chunks";
            s3 = "s3://access_key:\${LOKI_S3_KEY}@custom_endpoint/bucket_name";
          };
        };
        limits_config = {
          reject_old_samples = true;
          reject_old_samples_max_age = "168h";
        };
        chunk_store_config = {
          max_look_back_period = "0s";
        };
        table_manager = {
          retention_deletes_enabled = false;
          retention_period = "0s";
        };
        compactor = {
          working_directory = loki_storage;
          shared_store = "filesystem";
          compactor_ring = {
            kvstore = {
              store = "inmemory";
            };
          };
        };
      };
      # user, group, dataDir, extraFlags, (configFile)
    };
    # promtail: port 3031 (8031)
    #
    promtail = {
      enable = true;
      configuration = {
        server = {
          http_listen_port = 3031;
          grpc_listen_port = 0;
        };
        positions = {
          filename = "/tmp/positions.yaml";
        };
        clients = [
          {
            url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
          }
        ];
        scrape_configs = [
          {
            job_name = "journal";
            journal = {
              max_age = "12h";
              labels = {
                job = "systemd-journal";
                host = "pihole";
              };
            };
            relabel_configs = [
              {
                source_labels = [ "__journal__systemd_unit" ];
                target_label = "unit";
              }
            ];
          }
        ];
      };
      # extraFlags
    };
    # grafana: port 3010 (8010)
    #
    grafana = {
      port = 3010;
      # WARNING: this should match nginx setup!
      # prevents "Request origin is not authorized"
      rootUrl = "http://192.168.1.10:8010"; # helps with nginx / ws / live
      protocol = "http";
      addr = "127.0.0.1";
      analytics.reporting.enable = false;
      enable = true;
      provision = {
        enable = true;
        datasources = [
          {
            name = "Prometheus";
            type = "prometheus";
            access = "proxy";
            url = "http://127.0.0.1:${toString config.services.prometheus.port}";
          }
          {
            name = "Loki";
            type = "loki";
            access = "proxy";
            url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
          }
        ];
      };
    };
  };
  /*
    # nginx reverse proxy
    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      # recommendedTlsSettings = true;
      upstreams = {
        "grafana" = {
          servers = {
            "127.0.0.1:${toString config.services.grafana.port}" = {};
          };
        };
        "prometheus" = {
          servers = {
            "127.0.0.1:${toString config.services.prometheus.port}" = {};
          };
        };
        "loki" = {
          servers = {
            "127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}" = {};
          };
        };
        "promtail" = {
          servers = {
            "127.0.0.1:${toString config.services.promtail.configuration.server.http_listen_port}" = {};
          };
        };
      };
      virtualHosts.grafana = {
        locations."/" = {
          proxyPass = "http://grafana";
          proxyWebsockets = true;
        };
        listen = [{
          addr = "192.168.1.10";
          port = 8010;
        }];
      };
      virtualHosts.prometheus = {
        locations."/".proxyPass = "http://prometheus";
        listen = [{
          addr = "192.168.1.10";
          port = 8020;
        }];
      };
      # confirm with http://192.168.1.10:8030/loki/api/v1/status/buildinfo
      #     (or)     /config /metrics /ready
      virtualHosts.loki = {
        locations."/".proxyPass = "http://loki";
        listen = [{
          addr = "192.168.1.10";
          port = 8030;
        }];
      };
      virtualHosts.promtail = {
        locations."/".proxyPass = "http://promtail";
        listen = [{
          addr = "192.168.1.10";
          port = 8031;
        }];
      };
    };
  */
  systemd.services.loki.serviceConfig.environmentFile = config.sops.secrets."minio/loki".path;
  sops.secrets = {
    "minio/loki".owner = "root";
  };
 }
--- a/systems/palatine-hill/nextcloud.nix
+++ b/systems/palatine-hill/nextcloud.nix
@ -17,12 +17,10 @@
  systemd.services."nextcloud-pre-generate" = {
    requires = [
-      "docker.service"
+      "docker-nextcloud.service"
      "multi-user.target"
    ];
    after = [
-      "docker.service"
+      "docker-nextcloud.service"
      "multi-user.target"
    ];
    description = "incremental pre-generation of previews on nextcloud";
    serviceConfig = {
@ -31,10 +29,10 @@
      Group = "docker";
      ExecStart = [
        ''
-          ${pkgs.bash}/bin/bash -c '${pkgs.docker}/bin/docker ps --format "{{.Names}}" | ${pkgs.gnugrep}/bin/grep -q "^nextcloud-nextcloud-1$"'
+          ${pkgs.bash}/bin/bash -c '${pkgs.docker}/bin/docker ps --format "{{.Names}}" | ${pkgs.gnugrep}/bin/grep -q "^nextcloud$"'
        ''
        ''
-          ${pkgs.docker}/bin/docker exec --user www-data nextcloud-nextcloud-1 php occ preview:pre-generate
+          ${pkgs.docker}/bin/docker exec --user www-data nextcloud php occ preview:pre-generate
        ''
      ];
    };
--- a/systems/palatine-hill/postgresql.nix
+++ b/systems/palatine-hill/postgresql.nix
@ -0,0 +1,62 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 #  sudo -u postgres vacuumdb --all --analyze-in-stages
 #  /var/lib/postgresql/16/delete_old_cluster.sh
 let
  vars = import ./vars.nix;
  dataDir = "${vars.primary_db}/postgresql/nix/${config.services.postgresql.package.psqlSchema}";
  backupLocation = "${vars.primary_db}/postgresql/nix_backups";
 in
 {
  services = {
    postgresql = {
      inherit dataDir;
      enable = true;
      enableJIT = true;
      package = pkgs.postgresql_16;
      identMap = ''
        # ArbitraryMapName systemUser DBUser
           superuser_map      root      postgres
           superuser_map      alice  postgres
           # Let other names login as themselves
           superuser_map      /^(.*)$   \1
      '';
      # initialScript = config.sops.secrets."postgres/init".path;
      ensureDatabases = [ "atticd" ];
      ensureUsers = [
        {
          name = "atticd";
          ensureDBOwnership = true;
        }
      ];
      refreshCollation = true;
      vacuumAnalyzeTimer.enable = true;
      upgrade = {
        enable = true;
        stopServices = [
          "hydra-evaluator"
          "hydra-init"
          "hydra-notify"
          "hydra-queue-runner"
          "hydra-send-stats"
          "hydra-server"
          "atticd"
        ];
      };
    };
    postgresqlBackup = {
      enable = true;
      compression = "zstd";
      compressionLevel = 19;
      pgdumpOptions = "--create --clean";
      location = backupLocation;
    };
  };
 }
--- a/systems/palatine-hill/samba.nix
+++ b/systems/palatine-hill/samba.nix
@ -0,0 +1,37 @@
 { ... }:
 {
  services.samba = {
    enable = true;
    securityType = "user";
    openFirewall = true;
    settings = {
      global = {
        "workgroup" = "WORKGROUP";
        "server string" = "palatine-hill";
        "netbios name" = "palatine-hill";
        "security" = "user";
        #"use sendfile" = "yes";
        #"max protocol" = "smb2";
        # note: localhost is the ipv6 localhost ::1
        "hosts allow" = "192.168.76. 127.0.0.1 localhost";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "bad user";
      };
      zfs-primary-backups = {
        path = "/ZFS/ZFS-primary/backups";
        writeable = "yes";
        browseable = "yes";
      };
    };
  };
  services.samba-wsdd = {
    enable = true;
    openFirewall = true;
  };
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
 }
--- a/systems/palatine-hill/secrets.yaml
+++ b/systems/palatine-hill/secrets.yaml
@ -1,19 +1,32 @@
 hydra:
-    environment: ENC[AES256_GCM,data:XUS68hCXWGMCoxxfecspEpFF8sxVJJVAm74ZZJM5/TiMAyzG0VTw17XQOgv+pP5aYABnQ3Rt9KFaxacaljrjFJ44O8qdGCQOi+g5+EpztHAI+yyeWkEqcVrcDKeb0jM0qygBUtyez5aLJyFwT7znqfNi3CHMP+cJTNVUAQkfL3RrU/lNzAZpIJ5tVG5PzDqMLDWMQXiDRICNdp9fUXyGee64bQ1NxGJALmYS9o1YT75e0nCBsIBD50+ChQvOTUfTGfxpG5SbnDGmL0JIUGB3MqM=,iv:TRsVfNxLnMuq5Wvu0ZX4JVHoIXQaj3Li3KsBXmoFiK8=,tag:gGTQo66uzdUBqCuUYHSE4A==,type:str]
+    environment: ENC[AES256_GCM,data:G/6DOeRdjjp5PGpsHCHneW2X/OQzSH6gozKmgOlK6/bSdQltv4U00AYNOrUYYlH9Yab7JSYBfQinsqRKyDVEp7LLPdlxBaztJiSZGGAdio+JHWwR7UAhAEXSgOh4qFq0SjdZzQduEOdfSYfksut3dJiAvpj6oo6hxuo8mkW4+UacpBmvpnrzHjJHeYYbb3krIhKG6bBqHLT403rLf5oYjnY16XUuYO7deAH99JkfCJKlKnDf3GLfnX78XoXSdOMUyf57PPq5EKA8mFdtZsbAmis=,iv:s903rYHyocGtVJ594+HtCyULGtuom6aUVDcbXPbH93I=,tag:YFkFAIU7cNHSuYnN+lShgA==,type:str]
 nix-serve:
-    secret-key: ENC[AES256_GCM,data:dXpfTamvU17kkMwp0DZIktkh/iI96wgcQerEC9G0tdm7tL7NQSlS4giocf9uckXK1JNkK9q7urZznx82ZBV3kaZE8oZKgYtkR5xpHgGsbYgQbLx6gowKfBkPusikFl/BqUvUBLznYsYSkJddXJ4=,iv:yeHyAMY2NxQUyzirU9+ggF1O6kRsrM0lEJCY9U0qJN8=,tag:cSm1Obe6WnpHloF/JleVEA==,type:str]
+    secret-key: ENC[AES256_GCM,data:M8MJHHO8Hd/Gm6Nxy7/IPr0s6jHEDBB9LpZq8lIWQirvZPpgNrMrnP2xFJWEuJF/ND9hU09ZHA3efIBej2siRPOWSEu4gE65W/GMtpCcwEXF0hR/ISvBsH0fci/6KGbUCVg1x9AJpjJsqevPN7I=,iv:Weuziu2me+kdB9zk68nvLnyxv0ICwB1qA4z0Q39tT6k=,tag:nhcFfRQOxEandrf6CivahA==,type:str]
 attic:
-    secret-key: ENC[AES256_GCM,data:0pVok0M5Ob08BdFBV57Ijr4MW6msdGuvgq7v5lunJocv/sM0u0Cy7ye67+me21YBy4xGqidAfQo0j4OQkn71Z7ouKJGQ6izqOuTvRerBLmY/V3GMnSrBgtb+gjKhwswf/T/WV/I2lc0GTrdiJi6JJC0VL14kJYWRQIdcadeGEoF+cZyzyHWV32TxyJrNlDGFu1aFhjKiHP50aDFxibIPwz1h9+lN6jEGEwsOa29K3gnL9zOmzaoS/F4wXEZlCXNETj6lvCd6Ywt3erkGmCvA4FTzfs/CdW/QcS2GneGUzoCy4NRcxx9dKQ==,iv:4QiN6tupBkIZbVkKt7MyLMiy5z/y0ExAT9xWVBL+pko=,tag:CT4F8y/rObKlIMCwtJk7AA==,type:str]
+    secret-key: ENC[AES256_GCM,data:/wYnCD7qggeHdsNqkp1rZK839o/1olhJUlT1lrZpv1hTOZDduP2OGhz8kh2PrQR6Mq2Y/ALgHG3cFpJs7G64xDK0qRVGIDlC/9sTQIcF2JL49Free8vADe5ads64EN3vWgfmFoBMPmL0mc4qnDBGnBkDueFN5gy+1szK9tWK23tMl1wEWVsiqBwhuWqQBNRxeaHR2tQXI2Yg3fefq5+laOUjnSe1a8Kx4dJ7rXZuXe+H4uyU7roYFxlLpI8qZig0eUO9WUMX9WP0tKOr5OjsbJzBbdVlVT7lZ9ROYUceoxmcWecLlcyv3Q==,iv:DjH78Getnt3zzK9QLj+HS0cF1wtaBeadxSTrRb1uic0=,tag:KMPtWCq1KT1SSthh3fdsew==,type:str]
-    database-url: ENC[AES256_GCM,data:CrtsSB9KaA+KT9F34eM+z5trjb72wRKKy2LKOWDxBgvVtrNy5jj9c9KPnPCRWue1eABC1FdThKH1,iv:n3n16Qs/s77CxDNHws4lLTJaXx++DpqUrrVDp+Rpj2E=,tag:gkQhzX4gHPRmAQjZKBZF4Q==,type:str]
+    database-url: ENC[AES256_GCM,data:WHdAxNbkRxvNvfUWdPSbgeQXOS7f46OuDKTRuxf3cEyhbU5NAsGlCgfarUBXsHrCH79t7zDGlcRE,iv:trOxDY/ifsibKoX5YPOfKvX/q2ny6SgykiIBusgHxag=,tag:Cx9hhiJIhDLiojJmDdSDtg==,type:str]
-    adm: ENC[AES256_GCM,data:fTXg7sVtyjzm2zPLBSYX0wsAjhPZz/fwOWjk6bYEFNDAz9Esw2VFqG84E53cSj62KxClx8jlakA6RyXH5betcrxoRybrEuvdej76TS4kAP3cgK1OUEbcw0gWsgJPleH2BVAn6/5AhtISmglx0RykyKDtjBoxO1ewwwKesd5brIBD2DhLyaYJLFB42to1HmLe7FgYDaR2Q/W5B6W7RMueFwjA4/Y2ELoFQpwqF2HvcyFO58x8BFhIla6T+MB5l5I2qoYNlN5AayUur5xlALRUGH2PCJEiTrt8hXhYPkSlkiiwORBwwK7w89kO+tsHoDW8u3F/aKBbBnikIkaXnSa694mg0twmTOYL,iv:OBk9nrRA2t/9DvEI/OJTwp8nX4iP+foohueZON9Tlgs=,tag:Y1hVX2wva9QridJ5els9Fg==,type:str]
+    adm: ENC[AES256_GCM,data:mP4xFGK3+YwyiUMwFaG6tY3tWLGY2YTGa4DRuHzW5Za3McmwEFUzlQQ4hGS2bPKOKwM2Pe5HYBwJnFkd6KRwx5civqsBMwFt4dfZ31xDEi9RxpEm9jCnCcvB1CY8cxNARIhceC12X/ZR8ianUpoINYSjOj4BRy4TEEigi5+V4DkAXeG8+x8SWjj/mRMQMcZud4i69Ul7tpzbjUHm0s/Aasvmib13u4ZbGX/AyoOX8pQwkRHoyfMK2OvRbaeQf9fPcQxOSBALYOIXk9mEGxN1FTFHrTvrY5s0w+hC1mAjX4qm4ZM77RneAI0fJaq1hHSZETIpJOCiQfR3bLuyzWKVestOE29V8Pwq,iv:bjK1QkWUc2vs+oUoC5Z0AKR1/tmrhSLvP8BP8gzghOg=,tag:dmSDM+gbsJMDkqgIPWBfGQ==,type:str]
 postgres:
-    init: ENC[AES256_GCM,data:Pq24kdMXLAbePqIHPiJx3xXYEm2UbY598iNDf+z2k1HDhStHAd10CCyJYEgppCw2lkDNY54A3PQ=,iv:RE9DQ9Xw4tDFBD67dk3ggyqYqoGVhZf5kO53WoF3fJ4=,tag:dZwZfgI2H9JTClkyUI1MqQ==,type:str]
+    init: ENC[AES256_GCM,data:trwA30EswHEPa6V2GuHsGgU4NK/j/UQveldwHng0Ilwyqh9aZCgF3axP48MmcciBssux8DZ4O5U=,iv:VC+tpG5yuiBE7pjZ85lYCwHG/bTePxeXQDz2zyLyLYA=,tag:5+jwWTv5T5YWwQpR58QfOA==,type:str]
 gitea:
    dbpass: ENC[AES256_GCM,data:8jECcEJ8JnK7fztTckzLrQ==,iv:yQMp5VrierOKXwiop0NUA7Qbn2eH5iUCVlKppZwKLIQ=,tag:rI9WT7zLIaFxVcTu3ufW4g==,type:str]
 upsmon:
-    password: ENC[AES256_GCM,data:0tZKzQOYaij9jdnDTv61ma8i,iv:GEqlCOOUHTjUzfz+X5lCnqcX9SjAG6bVc8Luv97wnSg=,tag:XLvsucW6sIMHKG2AHmxZEw==,type:str]
+    password: ENC[AES256_GCM,data:52Rxsh7KUq+aYjQORBC+Yq5B,iv:F05g/a5bv7DQ+eLlMqsNeRHLxzl7AyXU1zAlmFevQ6o=,tag:xkGDD3hDF+u5fUbP33OrlA==,type:str]
 minio:
-    credentials: ENC[AES256_GCM,data:78ANAQ2756IISlkUFPxy9lQYRml8C9PvkkiXME4nMjtWwPgybvSM2nrO3yVhTgyOyUZjYYWzJlpwstfIAbuWEgGFhbMixSSNSgsWozojm0hWfPBWZ5x4iX++0ARFdfxIAjiGlM/HGa0YO/2tSA6oW6FqM4RbC1vPnqJc,iv:8Y+SilqKsUH/J6M+l4Wpm2J3nPXeoUhA1+GvhzlqMHE=,tag:5dYBlYPIUjd+U+r/dqJWIA==,type:str]
+    credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str]
    loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str]
 docker:
    minecraft: ENC[AES256_GCM,data:2k/m0ksnE92fACxQuBlOO72b19T7Nbnr58ezRddmKUVvePEgrdSnIsR3sh7PnmzwmG/ez0WTD+NKbtkQmRMDQ25vruA8gCf8Ig==,iv:X2SUidKTNAPZfbyiXFKprUbAhBxJcbF5bz+YTy4nuEA=,tag:AAvLXO888r9XvtnNfQgCpA==,type:str]
    foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str]
    nextcloud: ENC[AES256_GCM,data:dm2Cha+CvFORgdcBvJAzzdOGcJ95vLJYTZcUJnjNp6HOQIIoJrDone1NOAYJh9rdWG/17/ntOmd+TysAj4AsD0dw/PatZmy3I+dcVghkt2XNTc7jD64QjctIHzR+om1joAbKemG1R3St7qDU68TWYxoxIfYZcJvg3ds/lJcYgFRh079UZ/IRlGVR6sWPEXyY+UUrwtk0Fr+y8UtwwWZiLp0akUbIV06huRGiAp/PeWETuPPuacl2++ayIgJFZkJjUl/a52RI1Q0nLG5iyK6QYpY1JSRJTOkiQQ4PB5GRdLCdoM5/ZXTQ6gGcoM5jXFllsTn+yRicNRucuBp7Z2achbk6eITCdjjdXVI7zM4YXpzVLu5fJckLAu07aEIGYCBT7ZXd7TRgfB68POwtwaJGBozg+nuhq8xEH04yi8jFODH6aFplIgJ+bbaP72zw+92lzZa33FEtOwKdtx+YUv0eLLDJs+8Z6Sn6RyN8prwIz1/9LuIMx39g4R7id9W2bV2MXqTU4nN8f0TXWqe+hnb5pDLBaZOBMkwbRka6Vptsi4dbL5Lnexa2DoIHZ2unyxZ+4SkRt9LH39j8fXf2w5JPFCSLstf7+Zu7xzRS0TTCug7k,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str]
    redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
    act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
    collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
 acme:
    bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
    dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
 server-validation:
-    webhook: ENC[AES256_GCM,data:d8drMmXcbWCGwOanYr6jUCz5+d1bgTrPKMl4yxFi49oapqFUFSQo2pA3bP9DA2n0b63ZJp1IDyJGBRGjFUsSC8EkKQsYMIm962o++D4h7/l9GZU2TBcn5VgvSldETgwloMg92i3zEApNCeZTtwFwJuJTwmUsZmg528Kj7SBcDw4H18dW8MMfgzBTkZUh,iv:F/UtYjWNoG1la1xaNevRXP/4lNT2TgYfmukbncHILDA=,tag:fJpdG5di6j8Wm54KLHZEsg==,type:str]
+    webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -23,26 +36,26 @@ sops:
        - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcTQ4SVM3dVN4UWZCSXBs
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcWo4V1QyZS9HbHNwT3Jl
-            dFo1S0ZyOEM3c3ZtYTcvZlVNYStDdXd0NjB3CjY0NWc4UkVGUk1ZdTBBLyt2L0lX
+            ZktNR2gwZ3BiWnYwZHpLUzR2YTlmN0ZUeEhnCkF6ekdkN0U2VGM1RFVhdTM0RW5u
-            M0lRbXFwRzFWSTNndC92SU5kSkowb28KLS0tIFhjMnJzZHRoTmJONDk1RjVsRVZq
+            bWdreGZrU0JwNDY1TnR2S1M3OTdKaWcKLS0tIEVBekE2eU8rcEhpVkhhWmxPc3JN
-            d241ZnZ2MWg3YVNBbkh2S0NqeE5PdFEKWqnQH4kZszkKZTSgur0c5hGMoMx9zBdz
+            cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
-            tSvUbe2+WKX7q6y7XqsD1KjFI+POVDF+YN7H9ja96+JqvKRteXNhCg==
+            LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-07T23:09:33Z"
+    lastmodified: "2025-03-04T04:53:14Z"
-    mac: ENC[AES256_GCM,data:nr1JAEr2FGrYtiUhrQFsBPbiR+toxzYRZVPqq7zYBMeNy70a5jMgw6qm37M8Hmt7omO/KePE+Ol27FI9Aqn8OP3CQZoSWZbul+TTItV5UWC84G3MebaesnIiFQwbpM9hz08VoQ1zxUiUFnUY4bBr6okNSyJeqq/QmkkyqhK4Wlo=,iv:0MR7AiQEX2Cl7FUtRlxaY+R2oqSbanIhwaXAN/UnHH0=,tag:RpQCtsuelu3VQVB9HzJE+g==,type:str]
+    mac: ENC[AES256_GCM,data:MCucwVPGRMA/hGYS7mwSppkZAQ3wjHJnyeSvSI8YOOD0Xq7mvkMSvKctFHl6h4Cx3ubRvVHf5j35/NQxb+/VhhCPAHWDbqq9O2N0aWhAeybCu0IjruKrJhs76KsXJnNZ9REQQnS1/TNquuvj9FCoqDnrQcFs7M0KJ5m3eUU2h2k=,iv:ZJGJ8CTA8K5FnoKtbogleksB8wDcZtknO07M07Dmpsc=,tag:GMUXJD4U8KQgy9rvzEAMuw==,type:str]
    pgp:
-        - created_at: "2024-09-05T06:10:49Z"
+        - created_at: "2024-11-28T18:56:39Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DQWNzDMjrP2ISAQdAA1DGmMjNYHKHtel++ftsHqmQGqrjfL4VJTe62bEMfXcw
+            hF4DQWNzDMjrP2ISAQdAPOYlp/3ZJrcXZbu5+XI+BHNzMbzw7+YhTYOfNgujU1gw
-            EQmF0itX7ns+GogeYeYaqxa0qraWzzGwsEDJOp+VJMmLPtw5999kdO1PikgyGkcV
+            QfJDWAhiMd8cZF5PpX+RdN+Zrk5CCMgZH4hotv9gjf1oxitWuF2hv14k/RlAx8kr
-            1GgBCQIQd5DwJiXbQ7bFPYPGg8xxEBeDsHYtKo0tv9uQi9Is0nYYHbI8+TuFUv2o
+            1GgBCQIQB+LOoKIo7AHeucdV9NsM6H4Akv+Bzy8boarA4BGcyvgRWhS2u8zOQJc5
-            Av5c+/hAX/1D4F8JDTnz7WbEO3X2H7VXNMQKQkYR1Ndds6ueyx1V4kFqQTD5qLG/
+            RKfRonTO51yjlKm0MEspvwrClO+aIuBaNNemuHdk4yhDUnNKVBFyLLOuqXbsFd+G
-            BpnwAmW4i9XVMg==
+            aSTmqvI3a/T5Cw==
-            =2NK4
+            =ph+p
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4
--- a/systems/palatine-hill/vars.nix
+++ b/systems/palatine-hill/vars.nix
@ -0,0 +1,20 @@
 rec {
  zfs_primary = "/ZFS/ZFS-primary";
  # primary
  primary_act = "${zfs_primary}/act-runner";
  primary_archiveteam = "${zfs_primary}/archiveteam";
  primary_attic = "${zfs_primary}/attic";
  primary_backups = "${zfs_primary}/backups";
  primary_calibre = "${zfs_primary}/calibre";
  primary_db = "${zfs_primary}/db";
  primary_docker = "${zfs_primary}/docker";
  primary_games = "${zfs_primary}/games";
  primary_hydra = "${zfs_primary}/hydra";
  primary_libvirt = "${zfs_primary}/libvirt";
  primary_loki = "${zfs_primary}/loki";
  primary_minio = "${zfs_primary}/minio";
  primary_nextcloud = "${zfs_primary}/nextcloud";
  primary_redis = "${zfs_primary}/redis";
  primary_torr = "${zfs_primary}/torr";
 }
--- a/systems/palatine-hill/zfs.nix
+++ b/systems/palatine-hill/zfs.nix
@ -80,4 +80,70 @@
      };
    };
  };
  # hack to make sure pool is imported before keys are loaded,
  # and also keys are imported before things get mounted
  # note to self: move zfs encryption over to luks lol
  boot.initrd.postResumeCommands = ''
    ZFS_FORCE="-f"
    for o in $(cat /proc/cmdline); do
      case $o in
        zfs_force|zfs_force=1|zfs_force=y)
          ZFS_FORCE="-f"
          ;;
      esac
    done
    poolReady() {
      pool="$1"
      state="$("zpool" import -d "/dev/disk/by-id/" 2>/dev/null | "awk" "/pool: $pool/ { found = 1 }; /state:/ { if (found == 1) { print \$2; exit } }; END { if (found == 0) { print \"MISSING\" } }")"
      if [[ "$state" = "ONLINE" ]]; then
        return 0
      else
        echo "Pool $pool in state $state, waiting"
        return 1
      fi
    }
    poolImported() {
      pool="$1"
      "zpool" list "$pool" >/dev/null 2>/dev/null
    }
    poolImport() {
      pool="$1"
      "zpool" import -d "/dev/disk/by-id/" -N $ZFS_FORCE "$pool"
    }
    echo -n "importing root ZFS pool \"ZFS-primary\"..."
    # Loop across the import until it succeeds, because the devices needed may not be discovered yet.
    if ! poolImported "ZFS-primary"; then
      for trial in `seq 1 60`; do
        poolReady "ZFS-primary" > /dev/null && msg="$(poolImport "ZFS-primary" 2>&1)" && break
        sleep 1
        echo -n .
      done
      echo
      if [[ -n "$msg" ]]; then
        echo "$msg";
      fi
      poolImported "ZFS-primary" || poolImport "ZFS-primary"  # Try one last time, e.g. to import a degraded pool.
    fi
    # let root mount and everything, then manually unlock stuff
    load_zfs_nix() {
      local device="/dev/disk/by-uuid/8bfaa32b-09dd-45c8-831e-05e80be82f9e"
      local mountPoint="/"
      local options="x-initrd.mount,noatime,nodiratime"
      local fsType="ext4"
      echo "manually mounting key location, then unmounting"
      udevadm settle
      mountFS "$device" "$(escapeFstab "$mountPoint")" "$(escapeFstab "$options")" "$fsType"
      zfs load-key -L "file://$targetRoot/crypto/keys/zfs-nix-store-key" "ZFS-primary/nix"
      umount "$targetRoot/"
    }
    load_zfs_nix
  '';
 }
--- a/users/alice/home.nix
+++ b/users/alice/home.nix
@ -51,12 +51,15 @@
      nil
      # useful tools
      file
      sqlite
      ncdu
      neofetch
      onefetch
      hyfetch
      smartmontools
      wget
      glances
      obsidian
      onefetch
      # Rust packages
@ -65,6 +68,7 @@
      diesel-cli
      tealdeer
      helix
      ripunzip
      # nix specific packages
      nix-output-monitor
@ -105,7 +109,7 @@
    eza = {
      enable = true;
-      icons = true;
+      icons = "auto";
      git = true;
    };
@ -136,6 +140,7 @@
            "system"
            "nix"
            "shell"
            "poetry"
          ];
        };
      };
@ -160,11 +165,17 @@
    };
  };
-  sops = {
+  sops = lib.mkIf (!machineConfig.server) {
    age.sshKeyPaths = [ "/home/alice/.ssh/id_ed25519_sops" ];
    defaultSopsFile = ./secrets.yaml;
    secrets."alice/wakatime-api-key".path = "/home/alice/.config/doom/wakatime";
  };
  nix.gc = {
    automatic = true;
    frequency = "weekly";
    options = "--delete-older-than 30d";
  };
  home.stateVersion = "23.11";
 }
--- a/users/alice/home/doom/custom.el
+++ b/users/alice/home/doom/custom.el
@ -19,3 +19,6 @@
 (setq! lsp-enable-suggest-server-download nil)
 ;; (keychain-refresh-environment)
 (setq! lsp-nix-nil-max-mem 20000)
 (setq! lsp-nix-nil-formatter ["nixfmt"])
--- a/users/alice/home/doom/init.el
+++ b/users/alice/home/doom/init.el
@ -133,7 +133,7 @@
       ;;fsharp            ; ML stands for Microsoft's Language
       ;;fstar             ; (dependent) types and (monadic) effects and Z3
       ;;gdscript          ; the language you waited for
-       ;;(go +lsp +tree-sitter)         ; the hipster dialect
+       (go +lsp +tree-sitter)         ; the hipster dialect
       ;;(graphql +lsp)    ; Give queries a REST
       ;;(haskell +lsp)    ; a language that's lazier than I am
       ;;hy                ; readability of scheme w/ speed of python
--- a/users/alice/home/git.nix
+++ b/users/alice/home/git.nix
@ -11,15 +11,15 @@
    userName = "ahuston-0";
    aliases = {
      gone = ''
-        !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
+        !git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
-                        awk '$2 == "[gone]" {print $1}' | # get nuked branches
+                        awk 'NF < 2 {print $1}' | # get nuked branches
                        grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
                        sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-                        xargs -r git branch -D; # nuke the branches
+                        xargs -r git branch -D # nuke the branches
-        # git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
+        # !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
-        #                 awk 'NF < 2 {print $1}' | # get nuked branches
+        #                 awk '$2 == "[gone]" {print $1}' | # get nuked branches
        #                 grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
        #                 sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-        #                 xargs -r git branch -D # nuke the branches
+        #                 xargs -r git branch -D; # nuke the branches #
      '';
    };
    extraConfig = {
@ -27,6 +27,7 @@
      pull.rebase = true;
      color.ui = true;
      init.defaultBranch = "main";
      format.signoff = true;
    };
  };
 }
--- a/users/alice/home/hypr/default.nix
+++ b/users/alice/home/hypr/default.nix
@ -9,4 +9,9 @@
  xdg.configFile = {
    "hypr/hyprland.conf".source = ./hyprland.conf;
  };
  imports = [
    ./hyprlock.nix
    ./hypridle.nix
  ];
 }
--- a/users/alice/home/hypr/hypridle.nix
+++ b/users/alice/home/hypr/hypridle.nix
@ -0,0 +1,47 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  services.hypridle = {
    enable = true;
    settings = {
      general = {
        lock_cmd = "pidof hyprlock || hyprlock --immediate --immediate-render"; # avoid starting multiple hyprlock instances.
        before_sleep_cmd = "loginctl lock-session"; # lock before suspend.
        after_sleep_cmd = "hyprctl dispatch dpms on"; # to avoid having to press a key twice to turn on the display.
      };
      listener = [
        {
          timeout = 150; # 2.5min.
          on-timeout = "brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
          on-resume = "brightnessctl -r"; # monitor backlight restore.
        }
        # turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
        {
          timeout = 150; # 2.5min.
          on-timeout = "brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
          on-resume = "brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
        }
        {
          timeout = 300; # 5min
          on-timeout = "loginctl lock-session"; # lock screen when timeout has passed
        }
        {
          timeout = 330; # 5.5min
          on-timeout = "hyprctl dispatch dpms off"; # screen off when timeout has passed
          on-resume = "hyprctl dispatch dpms on"; # screen on when activity is detected after timeout has fired.
        }
        {
          timeout = 1800; # 30min
          on-timeout = "systemctl suspend"; # suspend pc
        }
      ];
    };
  };
 }
--- a/users/alice/home/hypr/hyprland.conf
+++ b/users/alice/home/hypr/hyprland.conf
@ -20,6 +20,7 @@ monitor=,preferred,auto,auto
 # Execute your favorite apps at launch
 # exec-once = waybar & hyprpaper & firefox
 exec-once = wired &
 # Source a file (multi-file configs)
 # source = ~/.config/hypr/myColors.conf
@ -77,10 +78,12 @@ decoration {
        passes = 1
    }
-    drop_shadow = yes
+    shadow {
-    shadow_range = 4
+        enabled = yes
-    shadow_render_power = 3
+        range = 4
-    col.shadow = rgba(1a1a1aee)
+        render_power = 3
        color = rgba(1a1a1aee)
    }
 }
 animations {
@ -191,7 +194,7 @@ bindm = $mainMod, mouse:273, resizewindow
 # screenshots
 bind = $mainMod, A, exec, grimblast copy area
-bind = $mainMod SHIFT, A, exec, grimblast save area "~/Pictures/Screenshots/screenshot_$(date +%Y-%m-%d-%H%M ).png"
+bind = $mainMod SHIFT, A, exec, grimblast save area "/home/alice/Pictures/Screenshots/screenshot_$(date +%Y-%m-%d-%H%M ).png"
 # zoom issue
 bind = $mainMod, K, exec, pkill zoom; zoom
@ -201,3 +204,6 @@ bind = $mainMod, escape, exec, hyprctl reload
 # open bwm
 bind = $mainMod, P, exec, bwm
 # lock screen
 bind = $mainMod, L, exec, loginctl lock-session
--- a/users/alice/home/hypr/hyprlock.nix
+++ b/users/alice/home/hypr/hyprlock.nix
@ -0,0 +1,86 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  programs.hyprlock = {
    enable = true;
    settings = {
      general = {
        immediate_render = true;
        no_fade_in = true;
      };
      background = {
        monitor = "";
        # path = /home/me/someImage.png   # supports png, jpg, webp (no animations, though)
        path = lib.mkForce "screenshot";
        # disabling due to stylix
        # color = "rgba(25, 20, 20, 1.0)";
        # all these options are taken from hyprland, see https://wiki.hyprland.org/Configuring/Variables/#blur for explanations
        blur_passes = 3; # 0 disables blurring
        blur_size = 7;
        noise = 1.17e-2;
        contrast = 0.8916;
        brightness = 0.8172;
        vibrancy = 0.1696;
        vibrancy_darkness = 0.0;
      };
      image = {
        monitor = "";
        path = "/home/alice/Pictures/PXL_20240408_192537608-EDIT.jpg";
        size = 350; # lesser side if not 1:1 ratio
        rounding = -1; # negative values mean circle
        border_size = 4;
        border_color = "rgb(221, 221, 221)";
        rotate = 0; # degrees, counter-clockwise
        reload_time = -1; # seconds between reloading, 0 to reload with SIGUSR2
        reload_cmd = ""; # command to get new path. if empty, old path will be used. don't run "follow" commands like tail -F
        position = "0, 100";
        halign = "center";
        valign = "center";
      };
      input-field = {
        monitor = "";
        size = "400, 50";
        outline_thickness = 3;
        dots_size = 0.33; # Scale of input-field height, 0.2 - 0.8
        dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
        dots_center = false;
        dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
        dots_fade_time = 200; # Milliseconds until a dot fully fades in
        dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
        # disabling due to stylix
        # outer_color = "rgb(151515)";
        # inner_color = "rgb(200, 200, 200)";
        # font_color = "rgb(10, 10, 10)";
        font_family = "Noto Sans"; # Font used for placeholder_text, fail_text and dots_text_format.
        fade_on_empty = false;
        fade_timeout = 1000; # Milliseconds before fade_on_empty is triggered.
        placeholder_text = "<i>Input Password...</i>"; # Text rendered in the input box when it's empty.
        hide_input = false;
        rounding = -1; # -1 means complete rounding (circle/oval)
        #check_color = "rgb(204, 136, 34)";
        #fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
        fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
        fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
        fail_transition = 300; # transition time in ms between normal outer_color and fail_color
        capslock_color = -1;
        numlock_color = -1;
        bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)
        invert_numlock = false; # change color if numlock is off
        swap_font_color = false; # see below
        position = "0, -200";
        halign = "center";
        valign = "center";
      };
    };
  };
 }
--- a/users/alice/home/zsh.nix
+++ b/users/alice/home/zsh.nix
@ -52,12 +52,16 @@
    shellAliases = {
      "sgc" = "sudo git -C /root/dotfiles";
      ## SSH
-      "ssh-init" = "ssh-add -t 2h  ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails  ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
+      "ssh-init" =
        "ssh-add -t 2h  ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails  ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
      ## Backups
-      "borgmatic-backup-quick" = "sudo borgmatic --log-file-verbosity 2 -v1 --progress --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_checkless.yaml";
+      "borgmatic-backup-quick" =
-      "borgmatic-backup-full" = "sudo borgmatic --log-file-verbosity 2 -v1 --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_full_arch.yaml";
+        "sudo borgmatic --log-file-verbosity 2 -v1 --progress --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_checkless.yaml";
-      "umount-backup" = "sudo borgmatic umount --mount-point /home/alice/backup -c /etc/borgmatic/config_checkless.yaml";
+      "borgmatic-backup-full" =
        "sudo borgmatic --log-file-verbosity 2 -v1 --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_full_arch.yaml";
      "umount-backup" =
        "sudo borgmatic umount --mount-point /home/alice/backup -c /etc/borgmatic/config_checkless.yaml";
      "restic-backup" = "/home/alice/Scripts/restic/backup.sh";
      ## VPN
@ -89,7 +93,8 @@
      # applications (rofi entries)
      "ARMEclipse" = "nohup /opt/DS-5_CE/bin/eclipse &";
      "Wizard101-old" = "prime-run playonlinux --run Wizard\\ 101";
-      "Wizard101" = "prime-run ~/.wine/drive_c/ProgramData/KingsIsle Entertainment/Wizard101/Wizard101.exe";
+      "Wizard101" =
        "prime-run ~/.wine/drive_c/ProgramData/KingsIsle Entertainment/Wizard101/Wizard101.exe";
      "Pirate101" = "prime-run playonlinux --run Pirate\\ 101";
      "octave" = "prime-run octave --gui";
      "pc-firefox" = "proxychains firefox -P qbit -no-remote -P 127.0.0.1:9050";
--- a/users/alice/non-server.nix
+++ b/users/alice/non-server.nix
@ -3,7 +3,7 @@
 {
  programs.emacs = {
    enable = true;
-    package = pkgs.emacs29-pgtk;
+    package = pkgs.emacs30-pgtk;
  };
  home.packages = with pkgs; [
    cmake
@ -49,6 +49,9 @@
    hunspellDicts.en-us
    languagetool
    # latex
    texlive.combined.scheme-medium
    # dependencies for nix-dotfiles/hydra-check-action
    nodejs_20
    nodePackages.prettier
@ -59,6 +62,7 @@
    bitwarden-menu
    wtype
    zathura
-
+    obsidian
    libreoffice-qt-fresh
  ];
 }
--- a/users/alice/secrets.yaml
+++ b/users/alice/secrets.yaml
@ -4,6 +4,10 @@ alice:
    #ENC[AES256_GCM,data:vUMcowHjlQA0RWflfaQhZKkalO39epYi6N9PPW8=,iv:6DFqHlQR+mi+ZkfMUhlhwvpMwnxXNfQV6+sYgPzSj4I=,tag:Pz1zJayscGckPO8Q2ZVb4g==,type:comment]
    gha-hydra-token: ENC[AES256_GCM,data:rYDYIn7MAF4pSZQj+Nln2z9J+AxvuSzumthL86njpKETutArrw+9iX2hHJt5t513NHH03tMtZOFqM60/pzWg4YXVQOSpQmq8QOelD7qCdfCr4Z2QSeOHqXqwKy21iWtoVbxOXWunVxLzkWMJrpHkpVsiBA75Nv66ftKEjN80QNGik6xQE1iPsCB2JHeqYNIr8gtPkCr7H5Pt4yBBO/1rsyONrbNlwmzVX78eqXxmc43XOiNVjEsk8ekJxJ9mn5S6JcPNehBcnZA0kWAIxvtDIPYKnz4YBIXoilBbjgytXL8nw3PkEX27x5yeg9KfxPxO/4CGoi5wfKsYuEynBdWbHtj6a3H0AvA9KIZzktTRNJFU3ZW8UveSCXY4YHl0NREJ8kbIUgkkE7PWeyzGenGFTPMahTA0rKSa+tWPQ1c00lvo9VS3/7pfeJfZEKS7R2xBaEDZrfffHyB5PLTQOGpWl5y40wTn4HdBlyQwoREvobOaKVZEyWtVvJcUeHDPepgEHGVDzwyTelX8Btb6ZNA0Fur8xvpkLZcLmMhbvCdkjq84ztJ36nQQ5JZthecyqcZTWPyfWtPeoUPVIaxn31oLjwsriDwdQmID6twTjC9PT8nBZD/u0JebOCdeYf8fm9q49SaN2w/ZMdSRWucHUsRXeN9O149vYoOqR28H+8v/tYJdqofJpHKrIBs=,iv:GcEV6f4rqkrpCafeaLNMqqU/vBNE0xHbqokL2gMXHYw=,tag:sCHvUgq1w8npedjIAninrA==,type:str]
    wakatime-api-key: ENC[AES256_GCM,data:ITu5pRySYGCJ6q9IQ35NfpGX2FyIJRYHGDeBiq0btzIrqitxcFox1Vc=,iv:HsXpyFHV7dG5qORk26BtD+kFo4Jdq2c4fozMpoqyDfU=,tag:uaQoXvvYqNfmRXVDVH8AoQ==,type:str]
    attic-nix-cache-creator: ENC[AES256_GCM,data:P0iBdy4IYrxcq7v4wTgwwZvAfVdRFo08pi0zvpY9cP9BDCwbBnp+3qDKWL29rC7OxsaLtmRkvPmbkF3ZX3Yu5OaptwVg2Xi0vNqhk3gu5Fdj8ygPigB0ZtimkfWv1QkctoVoXKXuLv6Xd4XKPCWOOIekWlJsBRcyfyzkyFURkU9tBBkXyEAWItho/J8hJr6r00eA3EN4rTe8Ge+PGpfTfpZVpnoGrC35xPnGLq19+b44DectHDTkMZrZKxiCaVIgKUZDLaFgi6a6PsX+L1HQAIZukXJu3m4BPdvzzby+zgX24pVJOYjAUB2BwO9jUlMS6+7qo0p6k01uLicryfKx/ajdAHcy39tFHX7naA4JriC2/FgI2HlFGp0Lc+g0pfdCYwLs5QBfRaOHyrbFWUDG,iv:OBrgnewqBaug00ygAXs0eFs3LqcHqo1EW96N5I38A0o=,tag:V+Gn47O6AH1RwL9qJLpAkw==,type:str]
    attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
    attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
    attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -37,8 +41,8 @@ sops:
            ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
            7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-20T23:15:03Z"
+    lastmodified: "2025-01-26T04:17:36Z"
-    mac: ENC[AES256_GCM,data:VnLd4N2l7JTKA7f4eh9EKilW2f8mmEmLc06WbHASOn6N+MIGPHwyLjLbPVECuXiVl95cs0+uWsFOPEbLiS6XTB/gZE1OZMYqk0x7FVkQNxMdWwcVAQnncC6i/cdBTAx+GW1iF6Cf2eLY1wNNiASk/Bz8u3r4UJ4QFXuMovPsfxw=,iv:Cr1bAYrwlK+ClRFDsiUdEIqXDU7onubthDEQDlTM3S4=,tag:EyfcNB0xKrFRjbp517akpg==,type:str]
+    mac: ENC[AES256_GCM,data:BJ5d3iqdIBwqtnYOYfmsFqnJDXz67uzJ4UKWrjVUEgr4Nc95tE8mEyV40poZk/wAJGJMSDdRhsPmZI4H1xztkjkTsUCUJ2rR+SZ6gP1VhSEXu7bSvv63+bnajZQi9kZrfN0EZN8TLzzVHVvSVHcNEfbq9STWkZq6zCk9E2cUfhk=,iv:MQ/lQkNi/S3bfz1PegcVfwy06RsxdQwZIU6sdOjkhgU=,tag:l5tK1SUwjTolliPkbfNDHg==,type:str]
    pgp:
        - created_at: "2024-09-05T06:10:22Z"
          enc: |-
@ -53,4 +57,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.3
--- a/utils/attic-push.bash
+++ b/utils/attic-push.bash
@ -0,0 +1,28 @@
 #!/usr/bin/env nix
 #! nix shell nixpkgs#bash nixpkgs#jq nixpkgs#gnused nixpkgs#nixVersions.latest nixpkgs#attic-client --command bash
 #set -x
 #set -v
 set -e
 # retrieve all paths under 2G
 # nix_paths=$(nix path-info --json --all --closure-size \
 #   | jq 'map_values(.closureSize | select(. < 2e9)) | to_entries | sort_by(.value)' \
 #   | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
 # retrieve all paths
 nix_paths=$(nix path-info --json --all --closure-size \
  | jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' \
  | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
 readarray -t nix_path_array < <(echo "$nix_paths")
 batchsize=1000
 for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
 do
    part=( "${nix_path_array[@]:i:batchsize}" )
    attic push nix-cache "${part[@]}"
 done
--- a/utils/attic-token.bash
+++ b/utils/attic-token.bash
@ -0,0 +1,36 @@
 #!/usr/bin/env bash
 if (( $# != 3 )); then
   echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
   exit 1
 fi
 cache="$1"
 cache_pattern="$2"
 token_type="$3"
 case $token_type in
    "cache-creator")
        atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
            --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
            --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
            --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
        ;;
    "admin")
        atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
            --push "$cache_pattern" --configure-cache "$cache_pattern" \
            --configure-cache-retention "$cache_pattern"
        ;;
    "writer")
        atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
            --push "$cache_pattern"
        ;;
    "reader")
        atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
        ;;
    *)
        echo "invalid token type: $token_type"
        echo "available options: cache-creator, admin, writer, reader"
        exit 1
        ;;
 esac
--- a/utils/diff-evals.sh
+++ b/utils/diff-evals.sh
@ -10,15 +10,4 @@ set -e
 script_path=$(dirname "$(readlink -f $0)")
 parent_path=$(dirname "$script_path")
-readarray -t pre_drv < "$parent_path/pre-drv"
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --compare-drvs --compare-output-to-file "$parent_path"
 readarray -t post_drv < "$parent_path/post-drv"
 post_drv_path="$parent_path/post-diff"
 # cleanup any files with the same name
 rm "$post_drv_path" || true
 touch "$post_drv_path"
 for i in $(seq 0 $(( "${#pre_drv[@]}" -1 ))); do
    echo "Diffing updates to $(echo "${pre_drv[$i]}" | cut -f 2- -d '-')" >> "$post_drv_path"
    nvd diff "${pre_drv[$i]}" "${post_drv[$i]}" >> "$post_drv_path"
 done
--- a/utils/eval-to-drv.sh
+++ b/utils/eval-to-drv.sh
@ -14,9 +14,6 @@ fi
 script_path=$(dirname "$(readlink -f $0)")
 parent_path=$(dirname "$script_path")
-out_path="$parent_path/$1-drv"
+out_path="$parent_path/$1.json"
-
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --json "$out_path" "$parent_path"
 drv=$(nix flake check --verbose 2> >(grep -P -o "derivation evaluated to (/nix/store/.*\.drv)" | grep -P -o "/nix/store/.*\.drv"))
 echo "$drv" > "$out_path"
--- a/utils/fetch-docker.sh
+++ b/utils/fetch-docker.sh
@ -14,9 +14,7 @@ parent_path=$(dirname "$script_path")
 # relpath is the relative path to the parent_path where you want the file written
 # format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
 images=(
    # commented out until palatine-hill docker changes are live
    "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
 )
 IFS=","
 while read -r name tag arch os relpath; do
--- a/utils/sops-mergetool-new.sh
+++ b/utils/sops-mergetool-new.sh
@ -0,0 +1,65 @@
 #!/usr/bin/env bash
 # Rename CLI parameters to friendlier names
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
 base="$1"; local_="$2"; remote="$3"; merged="$4"
 # Load the mergetool scripts
 TOOL_MODE=merge
 source "$(git --exec-path)/git-mergetool--lib"
 mergetool=$(get_merge_tool)
 setup_tool "${mergetool}"
 # Create file names for decrypted contents
 #   example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
 extension=".${base##*.}"
 base_decrypted="${base/$extension/.decrypted$extension}"
 local_decrypted="${local_/$extension/.decrypted$extension}"
 remote_decrypted="${remote/$extension/.decrypted$extension}"
 merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
 backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
 # If anything goes wrong, then delete our decrypted files
 handle_trap_exit () {
  rm $base_decrypted || true
  rm $local_decrypted || true
  rm $remote_decrypted || true
  rm $merged_decrypted || true
  rm $backup_decrypted || true
 }
 trap handle_trap_exit EXIT
 # Decrypt our file contents
 sops --decrypt --show-master-keys "$base" > "$base_decrypted"
 sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
 sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
 # Create a merge-diff to compare against
 git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
 cp "$merged_decrypted" "$backup_decrypted"
 # Set up variables for the mergetool
 # https://github.com/git/git/blob/v2.8.2/mergetools/meld
 # https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
 LOCAL="$local_decrypted"
 BASE="$base_decrypted"
 REMOTE="$remote_decrypted"
 MERGED="$merged_decrypted"
 BACKUP="$backup_decrypted"
 # Override `check_unchanged` with a custom script
 check_unchanged () {
  # If the contents haven't changed, then fail
  if test "$MERGED" -nt "$BACKUP"; then
    return 0
  else
    exit 1
  fi
 }
 # Run the mergetool
 run_merge_tool "${mergetool}" true
 # Re-encrypt content
 sops --encrypt "$merged_decrypted" > "$merged"
--- a/utils/sops-mergetool.sh
+++ b/utils/sops-mergetool.sh
@ -1,11 +1,18 @@
 #!/usr/bin/env bash
 # Exit on first error and verify variables have been set/passed via CLI
-set -eu
+#set -eu
 set -v
 set -x
 # Rename our variables to friendlier equivalents
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
 base="$1"; local_="$2"; remote="$3"; merged="$4"
 echo "$base"
 echo "$local_"
 echo "$remote"
 echo "$merged"
 # Resolve our default mergetool
 # https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
 mergetool="$(git config --get merge.tool)"