added word to cspell

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

.gitconfig

@@ -1,6 +1,11 @@
 # run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
 # run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
+# if for whatever reason the below doesn't work, try modifying the mergetool command as below
+#   find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
+#   replace: ./utils/sops-mergetool.sh
 [mergetool "sops-mergetool"]
-        cmd = bash -c "$(git --exec-path)/sops-mergetool.sh \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\""
+	cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
 [merge]
-	tool = nvimdiff3
+	tool = nvimdiff
+[mergetool "nvimdiff"]
+	layout = MERGED

.github/settings.yml

@@ -1,204 +1,173 @@
 # Have borrowed this config from nix-community/infra
 repository:
-  # See https://developer.github.com/v3/repos/#edit for all available settings.
+    # See https://developer.github.com/v3/repos/#edit for all available settings.
 
-  # The name of the repository. Changing this will rename the repository
-  name: nix-dotfiles
-
-  # A short description of the repository that will show up on GitHub
-  description: RAD-Dev Infra
-
-  # A URL with more information about the repository
-  # homepage: "https://nix-community.org"
-
-  # A comma-separated list of topics to set on the repository
-  topics: "nixos"
-
-  # Either `true` to make the repository private, or `false` to make it public.
-  private: false
-
-  # Either `true` to enable issues for this repository, `false` to disable them.
-  has_issues: true
-
-  # Either `true` to enable projects for this repository, or `false` to disable them.
-  # If projects are disabled for the organization, passing `true` will cause an API error.
-  has_projects: true
-
-  # Either `true` to enable the wiki for this repository, `false` to disable it.
-  has_wiki: false
-
-  # Either `true` to enable downloads for this repository, `false` to disable them.
-  has_downloads: false
-
-  # Updates the default branch for this repository.
-  default_branch: main
-
-  # Either `true` to allow squash-merging pull requests, or `false` to prevent
-  # squash-merging.
-  allow_squash_merge: true
-
-  # Either `true` to allow merging pull requests with a merge commit, or `false`
-  # to prevent merging pull requests with merge commits.
-  allow_merge_commit: false
-
-  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
-  # rebase-merging.
-  allow_rebase_merge: true
-
-  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
-  delete_branch_on_merge: true
-
-  # Either `true` to enable automated security fixes, or `false` to disable
-  # automated security fixes.
-  enable_automated_security_fixes: true
-
-  # Either `true` to enable vulnerability alerts, or `false` to disable
-  # vulnerability alerts.
-  enable_vulnerability_alerts: true
-
-  allow_auto_merge: true
+    # The name of the repository. Changing this will rename the repository
+    name: nix-dotfiles
+    # A short description of the repository that will show up on GitHub
+    description: RAD-Dev Infra
+    # A URL with more information about the repository
+    # homepage: "https://nix-community.org"
 
+    # A comma-separated list of topics to set on the repository
+    topics: "nixos"
+    # Either `true` to make the repository private, or `false` to make it public.
+    private: false
+    # Either `true` to enable issues for this repository, `false` to disable them.
+    has_issues: true
+    # Either `true` to enable projects for this repository, or `false` to disable them.
+    # If projects are disabled for the organization, passing `true` will cause an API error.
+    has_projects: true
+    # Either `true` to enable the wiki for this repository, `false` to disable it.
+    has_wiki: false
+    # Either `true` to enable downloads for this repository, `false` to disable them.
+    has_downloads: false
+    # Updates the default branch for this repository.
+    default_branch: main
+    # Either `true` to allow squash-merging pull requests, or `false` to prevent
+    # squash-merging.
+    allow_squash_merge: true
+    # Either `true` to allow merging pull requests with a merge commit, or `false`
+    # to prevent merging pull requests with merge commits.
+    allow_merge_commit: false
+    # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+    # rebase-merging.
+    allow_rebase_merge: true
+    # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+    delete_branch_on_merge: true
+    # Either `true` to enable automated security fixes, or `false` to disable
+    # automated security fixes.
+    enable_automated_security_fixes: true
+    # Either `true` to enable vulnerability alerts, or `false` to disable
+    # vulnerability alerts.
+    enable_vulnerability_alerts: true
+    allow_auto_merge: true
 # Labels: define labels for Issues and Pull Requests
 #
 labels:
-  - name: bug
-    color: '#d73a4a'
-    description: Something isn't working
-  - name: CI/CD
-    # If including a `#`, make sure to wrap it with quotes!
-    color: '#0e8a16'
-    description: Related to GH Actions or Hydra
-  - name: documentation
-    color: '#0075ca'
-    description: Improvements or additions to documentation
-  - name: duplicate
-    color: '#cfd3d7'
-    description: This issue or pull request already exists
-  - name: enhancement
-    color: '#a2eeef'
-    description: New feature or request
-  - name: good first issue
-    color: '#7057ff'
-    description: Good for newcomers
-  - name: help wanted
-    color: '#008672'
-    description: Extra attention is needed
-  - name: high priority
-    color: '#BF480A'
-    description: A major vurnability was detected
-  - name: invalid
-    color: '#e4e669'
-    description: This doesn't seem right
-  - name: new user
-    color: '#C302A1'
-    description: A new user was added to the Flake
-  - name: question
-    color: '#d876e3'
-    description: Further information is requested
-  - name: wontfix
-    color: '#ffffff'
-    description: This will not be worked on
-  - name: dependencies
-    color: '#cb4ed5'
-    description: Used for PR's related to flake.lock updates
-  - name: automated
-    color: '#42b528'
-    description: PR was automatically generated (through a bot or CI/CD)
-
+    - name: bug
+      color: '#d73a4a'
+      description: Something isn't working
+    - name: CI/CD
+      # If including a `#`, make sure to wrap it with quotes!
+      color: '#0e8a16'
+      description: Related to GH Actions or Hydra
+    - name: documentation
+      color: '#0075ca'
+      description: Improvements or additions to documentation
+    - name: duplicate
+      color: '#cfd3d7'
+      description: This issue or pull request already exists
+    - name: enhancement
+      color: '#a2eeef'
+      description: New feature or request
+    - name: good first issue
+      color: '#7057ff'
+      description: Good for newcomers
+    - name: help wanted
+      color: '#008672'
+      description: Extra attention is needed
+    - name: high priority
+      color: '#BF480A'
+      description: A major vurnability was detected
+    - name: invalid
+      color: '#e4e669'
+      description: This doesn't seem right
+    - name: new user
+      color: '#C302A1'
+      description: A new user was added to the Flake
+    - name: question
+      color: '#d876e3'
+      description: Further information is requested
+    - name: wontfix
+      color: '#ffffff'
+      description: This will not be worked on
+    - name: dependencies
+      color: '#cb4ed5'
+      description: Used for PR's related to flake.lock updates
+    - name: automated
+      color: '#42b528'
+      description: PR was automatically generated (through a bot or CI/CD)
 # Milestones: define milestones for Issues and Pull Requests
 milestones:
-  - title: Go-Live
-    description: >-
-      All requirements for official go-live:
-      - Automated testing via Hydra/Actions
-      - Automated deployments via Hydra/Actions
-      - 90+% testing coverage
-      - Functional formatter with custom rules
-      - palatine-hill is fully stable, enough so that jeeves can be migrated
-    # The state of the milestone. Either `open` or `closed`
-    state: open
-  - title: Jeeves Migration
-    description: >-
-      Test common use-cases for Jeeves
-      - Quadro GPU support
-      - Multi-GPU support
-      - Plex support
-      - Docker support
-      - ZFS support
-
-
+    - title: Go-Live
+      description: >-
+        All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
+      # The state of the milestone. Either `open` or `closed`
+      state: open
+    - title: Jeeves Migration
+      description: >-
+        Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
 # Collaborators: give specific users access to this repository.
 # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
 collaborators:
-  # - username: numtide-bot
-  # Note: `permission` is only valid on organization-owned repositories.
-  # The permission to grant the collaborator. Can be one of:
-  # * `pull` - can pull, but not push to or administer this repository.
-  # * `push` - can pull and push, but not administer this repository.
-  # * `admin` - can pull, push and administer this repository.
-  # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-  # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-  # permission: push
+# - username: numtide-bot
+# Note: `permission` is only valid on organization-owned repositories.
+# The permission to grant the collaborator. Can be one of:
+# * `pull` - can pull, but not push to or administer this repository.
+# * `push` - can pull and push, but not administer this repository.
+# * `admin` - can pull, push and administer this repository.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# permission: push
 
 # See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
 teams:
-  # - name: admin
-    # The permission to grant the team. Can be one of:
-    # * `pull` - can pull, but not push to or administer this repository.
-    # * `push` - can pull and push, but not administer this repository.
-    # * `admin` - can pull, push and administer this repository.
-    # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
-    # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
-    # permission: admin
-
+# - name: admin
+# The permission to grant the team. Can be one of:
+# * `pull` - can pull, but not push to or administer this repository.
+# * `push` - can pull and push, but not administer this repository.
+# * `admin` - can pull, push and administer this repository.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# permission: admin
 branches:
-  # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
+    # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
 
-  # not available in the api yet
-  # `Require merge queue`: true
-  # `Merge method`: Rebase and merge
-  # `Maximum pull requests to build`: 1
-  # `Maximum pull requests to merge`: 1
-  # defaults:
-  # `Maximum pull requests to build`: 5
-  # `Minimum pull requests to merge`: 1 or 5 minutes
-  # `Maximum pull requests to merge`: 5
-  # `Only merge non-failing pull requests`: true
-  # `Consider check failed after`: 60 minutes
+    # not available in the api yet
+    # `Require merge queue`: true
+    # `Merge method`: Rebase and merge
+    # `Maximum pull requests to build`: 1
+    # `Maximum pull requests to merge`: 1
+    # defaults:
+    # `Maximum pull requests to build`: 5
+    # `Minimum pull requests to merge`: 1 or 5 minutes
+    # `Maximum pull requests to merge`: 5
+    # `Only merge non-failing pull requests`: true
+    # `Consider check failed after`: 60 minutes
+    - name: main
+      # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+      # Branch Protection settings. Set to null to disable
+      protection:
+        # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
 
-  - name: main
-    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
-    # Branch Protection settings. Set to null to disable
-    protection:
-      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
-
-      # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
-      required_pull_request_reviews:
-        # # The number of approvals required. (1-6)
-        required_approving_review_count: 1
-        # # Dismiss approved reviews automatically when a new commit is pushed.
-        dismiss_stale_reviews: true
-        # # Blocks merge until code owners have reviewed.
-        require_code_owner_reviews: false
-        # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
-        # dismissal_restrictions:
-        #   users: []
-        #   teams: []
-        require_last_push_approval: false
-      # Required. Require status checks to pass before merging. Set to null to disable
-      # required_status_checks:
+        # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
+        required_pull_request_reviews:
+            # # The number of approvals required. (1-6)
+            required_approving_review_count: 1
+            # # Dismiss approved reviews automatically when a new commit is pushed.
+            dismiss_stale_reviews: true
+            # # Blocks merge until code owners have reviewed.
+            require_code_owner_reviews: false
+            # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+            # dismissal_restrictions:
+            #   users: []
+            #   teams: []
+            require_last_push_approval: false
+        # Required. Require status checks to pass before merging. Set to null to disable
+        # required_status_checks:
         # Required. Require branches to be up to date before merging.
         # strict: false
         # Required. The list of status checks to require in order to merge into this branch
         # contexts:
         #   - buildbot/nix-eval
-      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
-      enforce_admins: true
-      # Disabled for bors to work
-      required_linear_history: true
-      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
-      restrictions:
-        apps: []
-        # TODO: make a buildbot instance
-        # users: ["nix-infra-bot"]
-        teams: []
+        # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+        enforce_admins: true
+        # Disabled for bors to work
+        required_linear_history: true
+        # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+        restrictions:
+            apps: []
+            # TODO: make a buildbot instance
+            # users: ["nix-infra-bot"]
+            teams: []

.github/workflows/flake-health-checks.yml

@@ -1,20 +1,47 @@
 name: "Check Nix flake"
 on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-  merge_group:
-
+    push:
+        branches: ["main"]
+    pull_request:
+        branches: ["main"]
+    merge_group:
 jobs:
-  health-check:
-    name: "Perform Nix flake checks"
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest]
-    steps:
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: actions/checkout@v4
-      - run: nix flake check --accept-flake-config
+    health-check:
+        name: "Perform Nix flake checks"
+        runs-on: ${{ matrix.os }}
+        strategy:
+            matrix:
+                os: [ubuntu-latest]
+        steps:
+            - uses: DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - uses: actions/checkout@v4
+            - run: nix flake check --accept-flake-config
+            - run: nix ./utils/attic-push.bash
+    build-checks:
+        name: "Build nix outputs"
+        runs-on: ${{ matrix.os }}
+        strategy:
+            matrix:
+                os: [ubuntu-latest]
+        steps:
+            - uses: DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - uses: actions/checkout@v4
+            - name: Build all outputs
+              run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
+            - name: Push to Attic
+              run: nix ./utils/attic-push.bash
+              continue-on-error: true

.github/workflows/flake-update.yml

@@ -1,67 +1,112 @@
 name: "Update flakes"
 on:
-  repository_dispatch:
-  workflow_dispatch:
-  schedule:
-    - cron: "00 12 * * *"
+    repository_dispatch:
+    workflow_dispatch:
+    schedule:
+        - cron: "00 12 * * *"
 jobs:
-  createPullRequest:
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
-    steps:
-      - uses: actions/checkout@v4
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Install Nix
-        uses: cachix/install-nix-action@v24
-        with:
-          extra_nix_config: |
-            experimental-features = nix-command flakes
-          install_url: https://releases.nixos.org/nix/nix-2.19.0/install
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - name: Calculate pre-drv
-        run: nix ./utils/eval-to-drv.sh pre
-      - name: Pull latest docker images
-        run: nix ./utils/fetch-docker.sh
-      - name: Update flake.lock (part 1)
-        run: nix flake update
-      - name: Calculate post-drv
-        run: nix ./utils/eval-to-drv.sh post
-      - name: Calculate diff
-        run: nix ./utils/diff-evals.sh
-      - name: Read diff into environment
-        run: |
-          delimiter="$(openssl rand -hex 8)"
-          {
-          echo "POSTDIFF<<${delimiter}"
-          cat post-diff
-          echo "${delimiter}"
-          } >> $GITHUB_ENV
+    update_lockfile:
+        runs-on: ubuntu-latest
+        #if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+            - name: Install nix
+              uses: https://github.com/DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - name: Get pre-snapshot of evaluations
+              run: nix ./utils/eval-to-drv.sh pre
+            - name: Update flake.lock
+              id: update
+              run: |
+                nix flake update 2> >(tee /dev/stderr) | awk '
+                  /^• Updated input/ {in_update = 1; print; next}
+                  in_update && !/^warning:/ {print}
+                  /^$/ {in_update = 0}
+                ' > update.log
 
+                echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
+                cat update.log >> $GITHUB_ENV
+                echo "EOF" >> $GITHUB_ENV
 
-      - name: Restore flake.lock for next step
-        run: git restore flake.lock
-      - name: Update flake.lock
-        id: update
-        uses: DeterminateSystems/update-flake-lock@main
-        with:
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
-          pr-body: |
-            Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+                rm update.log
+            - name: Get post-snapshot of evaluations
+              run: nix ./utils/eval-to-drv.sh post
+            - name: Calculate diff
+              run: nix ./utils/diff-evals.sh
+            - name: Read file contents
+              id: read_file
+              uses: guibranco/github-file-reader-action-v2@latest
+              with:
+                path: "post-diff"
+            - name: Write PR body template
+              uses: https://github.com/DamianReeves/write-file-action@v1.3
+              with:
+                path: pr_body.template
+                contents: |
+                    - The following Nix Flake inputs were updated:
 
-            ```
-            {{ env.GIT_COMMIT_MESSAGE }}
-            ```
+                    ```
+                    ${{ env.UPDATE_LOG }}
+                    ```
 
-            ```
-            {{ env.POSTDIFF }}
-            ```
-          pr-labels: |                  # Labels to be set on the PR
-            dependencies
-            automated
+                    ```
+                    ${{ steps.read_file.outputs.contents }}
+                    ```
+
+                    Auto-generated by [update.yml][1] with the help of
+                    [create-pull-request][2].
+
+                    [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
+                    [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
+            - name: Generate PR body
+              uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
+              with:
+                files: "pr_body.template"
+                output-filename: "pr_body.md"
+            - name: Save PR body
+              id: pr_body
+              uses: juliangruber/read-file-action@v1
+              with:
+                path: "pr_body.md"
+            - name: Remove temporary files
+              run: |
+                rm pr_body.template
+                rm pr_body.md
+                rm pre.json
+                rm post.json
+                rm post-diff
+            - name: Create Pull Request
+              id: create-pull-request
+              # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
+              uses: https://nayeonie.com/ahuston-0/create-pull-request@main
+              with:
+                token: ${{ secrets.GH_TOKEN_FOR_UPDATES  }}
+                body: ${{ steps.pr_body.outputs.content }}
+                author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
+                title: 'automated: Update `flake.lock`'
+                commit-message: |
+                    automated: Update `flake.lock`
+
+                    ${{ steps.pr_body.outputs.content }}
+                branch: update-flake-lock
+                delete-branch: true
+                pr-labels: | # Labels to be set on the PR
+                    dependencies
+                    automated
+            - name: Push to Attic
+              run: nix ./utils/attic-push.bash
+              continue-on-error: true
+            - name: Print PR number
+              run: |
+                echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
+                echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 permissions:
-  pull-requests: write
-  contents: write
+    pull-requests: write
+    contents: write

.github/workflows/lock-health-checks.yml

@@ -1,17 +1,16 @@
 name: "Check flake.lock"
 on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-  merge_group:
-
+    push:
+        branches: ["main"]
+    pull_request:
+        branches: ["main"]
+    merge_group:
 jobs:
-  health-check:
-    name: "Check health of `flake.lock`"
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/flake-checker-action@main
-        with:
-          fail-mode: true
+    health-check:
+        name: "Check health of `flake.lock`"
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v4
+            - uses: DeterminateSystems/flake-checker-action@main
+              with:
+                fail-mode: true

.github/workflows/nix-fmt.yml

@@ -1,17 +1,25 @@
 name: "Check Nix formatting"
 on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-  merge_group:
-
+    push:
+        branches: ["main"]
+    pull_request:
+        branches: ["main"]
+    merge_group:
 jobs:
-  health-check:
-    name: "Perform Nix format checks"
-    runs-on: ubuntu-latest
-    steps:
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: actions/checkout@v4
-      - run: nix fmt -- --check .
+    health-check:
+        name: "Perform Nix format checks"
+        runs-on: ubuntu-latest
+        steps:
+            - uses: DeterminateSystems/nix-installer-action@main
+            - name: Setup Attic cache
+              uses: ryanccn/attic-action@v0
+              with:
+                endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+                cache: ${{ secrets.ATTIC_CACHE }}
+                token: ${{ secrets.ATTIC_TOKEN }}
+                skip-push: "true"
+            - uses: actions/checkout@v4
+            - run: nix fmt -- --check .
+            - name: Push to Attic
+              run: nix ./utils/attic-push.bash
+              continue-on-error: true

.sops.yaml

@@ -1,46 +1,46 @@
 keys:
-  # The PGP keys in keys/
-  - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
-
-  # Generate AGE keys from SSH keys with:
-  #   ssh-keygen -A
-  #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
-  # cspell:disable
-  - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
-  - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
+    # The PGP keys in keys/
+    - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
+    # Generate AGE keys from SSH keys with:
+    #   ssh-keygen -A
+    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+    # cspell:disable
+    - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
+    - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
     #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
-  - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
-  # cspell:enable
-
+    - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
+    # cspell:enable
 servers: &servers
-  - *palatine-hill
-
+    - *palatine-hill
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
 # update keys by executing: sops updatekeys secrets.yaml
 # note: add .* before \.yaml if you'd like to use the mergetool config
 creation_rules:
-  - path_regex: users/alice/secrets.*\.yaml$
-    key_groups:
-      - pgp:
-          - *admin_alice
-        age:
-          - *palatine-hill
-          - *artemision
-          - *artemision-home
-
-  - path_regex: systems/palatine-hill/secrets.*\.yaml$
-    key_groups:
-      - pgp: 
-          - *admin_alice
-        age:
-          - *palatine-hill
-
-  - path_regex: systems/artemision/secrets.*\.yaml$
-    key_groups:
-      - pgp:
-          - *admin_alice
-        age:
-          - *artemision
-
+    - path_regex: users/alice/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *palatine-hill
+            - *artemision
+            - *artemision-home
+    - path_regex: systems/palatine-hill/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *palatine-hill
+    - path_regex: systems/artemision/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *artemision
+    - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *palatine-hill

.vscode/settings.json

@@ -1,5 +1,7 @@
 {
-  "cSpell.enableFiletypes": ["nix"],
+  "cSpell.enableFiletypes": [
+    "nix"
+  ],
   "cSpell.words": [
     "aarch",
     "abmlevel",
@@ -39,6 +41,7 @@
     "codezombiech",
     "compactmode",
     "Compat",
+    "concat",
     "concatLists",
     "contentblocking",
     "cookiebanners",
@@ -151,6 +154,7 @@
     "networkd",
     "networkmanager",
     "newtabpage",
+    "nixfmt",
     "nixos",
     "nixpkgs",
     "nmap",
@@ -212,6 +216,8 @@
     "rofi",
     "rpool",
     "rspace",
+    "rsyslog",
+    "rsyslogd",
     "rtkit",
     "safebrowsing",
     "Sandro",
@@ -253,6 +259,7 @@
     "topstories",
     "Toqozz",
     "torrenting",
+    "treefmt",
     "twimg",
     "uaccess",
     "ublock",

docs/CONTRIBUTING.md

@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
 | Branch Name      | Use Case                                                                                                                                                                                                                      |
 |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | main             | protected branch which all machines pull from, do not try to push directly                                                                                                                                                    |
-| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
-| fixup/\<item\>   | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
-| hotfix/\<item\>  | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
-| urgent/\<item\>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
-| exp/\<item\>     | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
-| merge/\<item\>   | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
+| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
+| fixup/\<item>   | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
+| hotfix/\<item>  | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
+| urgent/\<item>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
+| exp/\<item>     | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
+| merge/\<item>   | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |
 
 ### Review Process
 
@@ -94,11 +94,11 @@ rules.
   PR has been tested on at least one machine
    - Issues which bypass the quorum process must have a second reviewer tagged
    - All critical issues which bypass the approval process must have an RCA issue
-    opened and the RCA logged into the `inc/` folder
+     opened and the RCA logged into the `inc/` folder
    - The second reviewer has 2 weeks to retroactively review and approve the PR
    - If the retro does not happen in the given window, an issue shall be opened
-    to either re-review the PR or to revert and replace the fix with a
-    permanent solution
+     to either re-review the PR or to revert and replace the fix with a
+     permanent solution
 - Critical issues must be tagged to `Nix Flake Features` project, and must have
   a priority of `High` and an estimate tagged. Start and end date are not needed
 

docs/sample-setup.sh

@@ -1,9 +1,9 @@
 #!/usr/bin/env nix
 #! nix shell nixpkgs#bash nixpkgs#git --command bash
 
-set -o errexit   # abort on nonzero exitstatus
-set -o nounset   # abort on unbound variable
-set -o pipefail  # don't hide errors within pipes
+set -o errexit  # abort on nonzero exitstatus
+set -o nounset  # abort on unbound variable
+set -o pipefail # don't hide errors within pipes
 
 PROCEED="N"
 
@@ -50,60 +50,58 @@ GITBASE="systems"
 FEATUREBRANCH="feature/adding-$MACHINENAME"
 
 if [ $PROCEED != "Y" ]; then
-    echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
+  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 
-
-
 if [ $CREATEPARTS = "Y" ]; then
-    # Create partition table
-    sudo parted "/dev/$DRIVE" -- mklabel gpt
+  # Create partition table
+  sudo parted "/dev/$DRIVE" -- mklabel gpt
 
-    # Create boot part
-    sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
-    sudo parted "/dev/$DRIVE" -- set 1 esp on
-    sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
+  # Create boot part
+  sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
+  sudo parted "/dev/$DRIVE" -- set 1 esp on
+  sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
 
-    # Create luks part
-    sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
-    sudo parted "/dev/$DRIVE" -- set 2 lvm on
-    
-    LUKSPART="nixos-pv"
-    sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
-    sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
+  # Create luks part
+  sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
+  sudo parted "/dev/$DRIVE" -- set 2 lvm on
 
-    # Create lvm part
-    sudo pvcreate "/dev/mapper/$LUKSPART"
-    sudo pvresize "/dev/mapper/$LUKSPART"
-    sudo pvdisplay
+  LUKSPART="nixos-pv"
+  sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
+  sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
 
-    # Create volume group
-    sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
-    sudo vgchange -a y "$VOLGROUP"
-    sudo vgdisplay
+  # Create lvm part
+  sudo pvcreate "/dev/mapper/$LUKSPART"
+  sudo pvresize "/dev/mapper/$LUKSPART"
+  sudo pvdisplay
 
-    # Create swap part on LVM
-    if [ $SWAPSIZE != 0 ]; then
-        sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
-        sudo mkswap -L NIXSWAP -c "$SWAPPATH"
-    fi
+  # Create volume group
+  sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
+  sudo vgchange -a y "$VOLGROUP"
+  sudo vgdisplay
 
-    # Create home part on LVM, leaving plenty of room for snapshots
-    sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
-    sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
+  # Create swap part on LVM
+  if [ $SWAPSIZE != 0 ]; then
+    sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
+    sudo mkswap -L NIXSWAP -c "$SWAPPATH"
+  fi
 
-    # Create root part on LVM, keeping in mind most data will be on /home or /nix
-    sudo lvcreate -L 5G "$VOLGROUP" -n root
-    sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
+  # Create home part on LVM, leaving plenty of room for snapshots
+  sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
+  sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
 
-    # Create nix part on LVM
-    sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
-    sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
+  # Create root part on LVM, keeping in mind most data will be on /home or /nix
+  sudo lvcreate -L 5G "$VOLGROUP" -n root
+  sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
 
-    sudo lvdisplay
+  # Create nix part on LVM
+  sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
+  sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
 
-    lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
+  sudo lvdisplay
+
+  lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
 fi
 
 # Mount partitions
@@ -116,7 +114,7 @@ sudo mount $BOOTPART /mnt/boot
 
 # Enable swap if SWAPSIZE is non-zero
 if [ $SWAPSIZE != 0 ]; then
-    sudo swapon "/dev/$VOLGROUP/swap"
+  sudo swapon "/dev/$VOLGROUP/swap"
 fi
 
 # Clone the repo
@@ -135,31 +133,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
 cat "$DOTS/id_ed25519_ghdeploy.pub"
 
 if [ $SOPS == "Y" ]; then
-    # Create ssh host-keys
-    sudo ssh-keygen -A
-    sudo mkdir -p /mnt/etc/ssh
-    sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
+  # Create ssh host-keys
+  sudo ssh-keygen -A
+  sudo mkdir -p /mnt/etc/ssh
+  sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
 
-    # Get line where AGE comment is and insert new AGE key two lines down
-    AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
-    AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
-    sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
+  # Get line where AGE comment is and insert new AGE key two lines down
+  AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
+  AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
+  sudo sed -i "${AGELINE}i\\  - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
 
-    # Add server name
-    SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
+  # Add server name
+  SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  sudo sed -i "${SERVERLINE}i\\  - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
 
-    # Add creation rules
-    CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
-    # TODO: below was not working when last attempted
-    read -r -d '' PATHRULE <<-EOF
+  # Add creation rules
+  CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
+  # TODO: below was not working when last attempted
+  read -r -d '' PATHRULE <<-EOF
   - path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
     key_groups:
       - pgp: *$OWNERORADMINS
         age:
           - *$MACHINENAME
 EOF
-    sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
+  sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
 fi
 
 read -r -p "press enter to continue"

flake.lock

@@ -1,53 +1,69 @@
 {
   "nodes": {
-    "attic": {
+    "base16": {
       "inputs": {
-        "crane": "crane",
-        "flake-compat": [
-          "flake-compat"
-        ],
-        "flake-parts": [
-          "flake-parts"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixpkgs-stable"
-        ]
+        "fromYaml": "fromYaml"
       },
       "locked": {
-        "lastModified": 1728577371,
-        "narHash": "sha256-f3bKclEV5t1eP1OH7kTGv/tLzlToSRIe0ktkdl1jihw=",
-        "owner": "zhaofengli",
-        "repo": "attic",
-        "rev": "e5c8d2d50981a34602358d917e7be011b2c397a8",
+        "lastModified": 1732200724,
+        "narHash": "sha256-+R1BH5wHhfnycySb7Sy5KbYEaTJZWm1h+LW1OtyhiTs=",
+        "owner": "SenchoPens",
+        "repo": "base16.nix",
+        "rev": "153d52373b0fb2d343592871009a286ec8837aec",
         "type": "github"
       },
       "original": {
-        "owner": "zhaofengli",
-        "repo": "attic",
+        "owner": "SenchoPens",
+        "repo": "base16.nix",
         "type": "github"
       }
     },
-    "crane": {
-      "inputs": {
-        "nixpkgs": [
-          "attic",
-          "nixpkgs"
-        ]
-      },
+    "base16-fish": {
+      "flake": false,
       "locked": {
-        "lastModified": 1722960479,
-        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
-        "owner": "ipetkov",
-        "repo": "crane",
-        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
+        "lastModified": 1622559957,
+        "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
+        "owner": "tomyun",
+        "repo": "base16-fish",
+        "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
         "type": "github"
       },
       "original": {
-        "owner": "ipetkov",
-        "repo": "crane",
+        "owner": "tomyun",
+        "repo": "base16-fish",
+        "type": "github"
+      }
+    },
+    "base16-helix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1736852337,
+        "narHash": "sha256-esD42YdgLlEh7koBrSqcT7p2fsMctPAcGl/+2sYJa2o=",
+        "owner": "tinted-theming",
+        "repo": "base16-helix",
+        "rev": "03860521c40b0b9c04818f2218d9cc9efc21e7a5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-helix",
+        "type": "github"
+      }
+    },
+    "base16-vim": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1732806396,
+        "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=",
+        "owner": "tinted-theming",
+        "repo": "base16-vim",
+        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-vim",
+        "rev": "577fe8125d74ff456cf942c733a85d769afe58b7",
         "type": "github"
       }
     },
@@ -62,11 +78,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1728965006,
-        "narHash": "sha256-TXBxJMGC6P+cn5La/lIgVzb9ETutsOI3A3urHihB7FA=",
+        "lastModified": 1742449434,
+        "narHash": "sha256-UVz7NhPzbEWey6mMJU3Jwjqfbp0xH0iKZDuoRjhZEN0=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "f4947cf2d1a469b23fee54ad948c539f6aa431a7",
+        "rev": "1b0b14b56353040142e0ef5b0ab37743bbbf4ab4",
         "type": "gitlab"
       },
       "original": {
@@ -76,14 +92,30 @@
         "type": "gitlab"
       }
     },
+    "firefox-gnome-theme": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1741628778,
+        "narHash": "sha256-RsvHGNTmO2e/eVfgYK7g+eYEdwwh7SbZa+gZkT24MEA=",
+        "owner": "rafaelmardojai",
+        "repo": "firefox-gnome-theme",
+        "rev": "5a81d390bb64afd4e81221749ec4bffcbeb5fa80",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rafaelmardojai",
+        "repo": "firefox-gnome-theme",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "revCount": 57,
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "revCount": 69,
         "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -95,11 +127,33 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1727826117,
-        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "lastModified": 1741352980,
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "stylix",
+          "nur",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -115,11 +169,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -128,6 +182,69 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": [
+          "stylix",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "fromYaml": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731966426,
+        "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=",
+        "owner": "SenchoPens",
+        "repo": "fromYaml",
+        "rev": "106af9e2f715e2d828df706c386a685698f3223b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "SenchoPens",
+        "repo": "fromYaml",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": [
+          "stylix",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "stylix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1741379162,
+        "narHash": "sha256-srpAbmJapkaqGRE3ytf3bj4XshspVR5964OX5LfjDWc=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "b5a62751225b2f62ff3147d0a334055ebadcd5cc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
@@ -149,6 +266,45 @@
         "type": "github"
       }
     },
+    "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "stylix",
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "gnome-shell": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1732369855,
+        "narHash": "sha256-JhUWbcYPjHO3Xs3x9/Z9RuqXbcp5yhPluGjwsdE2GMg=",
+        "owner": "GNOME",
+        "repo": "gnome-shell",
+        "rev": "dadd58f630eeea41d645ee225a63f719390829dc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "GNOME",
+        "ref": "47.2",
+        "repo": "gnome-shell",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -156,11 +312,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1728903686,
-        "narHash": "sha256-ZHFrGNWDDriZ4m8CA/5kDa250SG1LiiLPApv1p/JF0o=",
+        "lastModified": 1742447757,
+        "narHash": "sha256-Q0KXcHQmum8L6IzGhhkVhjFMKY6BvYa/rhmLP26Ws8o=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e1aec543f5caf643ca0d94b6a633101942fd065f",
+        "rev": "94605dcadefeaff6b35c8931c9f38e4f4dc7ad0a",
         "type": "github"
       },
       "original": {
@@ -176,11 +332,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1725551787,
-        "narHash": "sha256-6LgsZHz8w3g4c9bRUwRAR+WIMwFGGf3P1VZQcKNRf2o=",
+        "lastModified": 1742213523,
+        "narHash": "sha256-I8JVdQRu8eWvY5W8XWYZkdd5pojDHkxeqQV7mMIsbhs=",
         "owner": "hyprwm",
         "repo": "contrib",
-        "rev": "1e531dc49ad36c88b45bf836081a7a2c8927e072",
+        "rev": "bd81329944be53b0ffb99e05864804b95f1d7c65",
         "type": "github"
       },
       "original": {
@@ -196,11 +352,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1728790083,
-        "narHash": "sha256-grMdAd4KSU6uPqsfLzA1B/3pb9GtGI9o8qb0qFzEU/Y=",
+        "lastModified": 1742174123,
+        "narHash": "sha256-pDNzMoR6m1ZSJToZQ6XDTLVSdzIzmFl1b8Pc3f7iV6Y=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "5c54c33aa04df5dd4b0984b7eb861d1981009b22",
+        "rev": "2cfb4e1ca32f59dd2811d7a6dd5d4d1225f0955c",
         "type": "github"
       },
       "original": {
@@ -211,11 +367,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1728781282,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
         "type": "github"
       },
       "original": {
@@ -232,11 +388,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1728867876,
-        "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
+        "lastModified": 1742217219,
+        "narHash": "sha256-pLRjj0jTL1TloB0ptEwVF51IJJX8a17dSxg+gqiWb30=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
+        "rev": "83900d5154d840dfae1e0367c5290f59b9dccf03",
         "type": "github"
       },
       "original": {
@@ -247,11 +403,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1728729581,
-        "narHash": "sha256-oazkQ/z7r43YkDLLQdMg8oIB3CwWNb+2ZrYOxtLEWTQ=",
+        "lastModified": 1742376361,
+        "narHash": "sha256-VFMgJkp/COvkt5dnkZB4D2szVdmF6DGm5ZdVvTUy61c=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "a8dd1b21995964b115b1e3ec639dd6ce24ab9806",
+        "rev": "daaae13dff0ecc692509a1332ff9003d9952d7a9",
         "type": "github"
       },
       "original": {
@@ -267,15 +423,14 @@
         ],
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "search": "search"
+        ]
       },
       "locked": {
-        "lastModified": 1728919967,
-        "narHash": "sha256-zQl8z8iagvrekF4tFK1au7mGH8x0zoGppo6geLPioQk=",
+        "lastModified": 1742419596,
+        "narHash": "sha256-+Bw1HR4oX6vUbCMhwWbW+Nr20F+UesNdUd7b17s3ESE=",
         "owner": "SuperSandro2000",
         "repo": "nixos-modules",
-        "rev": "1aba521c9cd2cd97490846ac83fd73ae84625c8a",
+        "rev": "82491ff311152b87fe7cfbdaf545f727e0750aa9",
         "type": "github"
       },
       "original": {
@@ -286,48 +441,74 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1728492678,
-        "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
+        "lastModified": 1742450798,
+        "narHash": "sha256-lfOAAaX68Ed7R6Iy2nbFAkGj6B8kHBp3nqZhgZjxR5c=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
+        "rev": "b64ec1944ea40d9f3920f938e17ed39a9978c6c7",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-unstable",
+        "ref": "nixos-unstable-small",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1727825735,
-        "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "lastModified": 1740877520,
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1728740863,
-        "narHash": "sha256-u+rxA79a0lyhG+u+oPBRtTDtzz8kvkc9a6SWSt9ekVc=",
+        "lastModified": 1742268799,
+        "narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a3f9ad65a0bf298ed5847629a57808b97e6e8077",
+        "rev": "da044451c6a70518db5b730fe277b70f494188f1",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
+    "nur": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "stylix",
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1741693509,
+        "narHash": "sha256-emkxnsZstiJWmGACimyAYqIKz2Qz5We5h1oBVDyQjLw=",
+        "owner": "nix-community",
+        "repo": "NUR",
+        "rev": "5479646b2574837f1899da78bdf9a48b75a9fb27",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "NUR",
+        "type": "github"
+      }
+    },
     "pre-commit-hooks": {
       "inputs": {
         "flake-compat": [
@@ -336,17 +517,14 @@
         "gitignore": "gitignore",
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixpkgs-stable"
         ]
       },
       "locked": {
-        "lastModified": 1728778939,
-        "narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
+        "lastModified": 1742300892,
+        "narHash": "sha256-QmF0proyjXI9YyZO9GZmc7/uEu5KVwCtcdLsKSoxPAI=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
+        "rev": "ea26a82dda75bee6783baca6894040c8e6599728",
         "type": "github"
       },
       "original": {
@@ -357,7 +535,6 @@
     },
     "root": {
       "inputs": {
-        "attic": "attic",
         "firefox-addons": "firefox-addons",
         "flake-compat": "flake-compat",
         "flake-parts": "flake-parts",
@@ -373,7 +550,8 @@
         "pre-commit-hooks": "pre-commit-hooks",
         "rust-overlay": "rust-overlay",
         "sops-nix": "sops-nix",
-        "systems": "systems",
+        "stylix": "stylix",
+        "systems": "systems_2",
         "wired-notify": "wired-notify"
       }
     },
@@ -384,11 +562,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1728959392,
-        "narHash": "sha256-fp4he1QQjE+vasDMspZYeXrwTm9otwEqLwEN6FKZ5v0=",
+        "lastModified": 1742437918,
+        "narHash": "sha256-Vflb6KJVDikFcM9E231mRN88uk4+jo7BWtaaQMifthI=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "4c6e317300f05b8871f585b826b6f583e7dc4a9b",
+        "rev": "f03085549609e49c7bcbbee86a1949057d087199",
         "type": "github"
       },
       "original": {
@@ -397,46 +575,18 @@
         "type": "github"
       }
     },
-    "search": {
-      "inputs": {
-        "flake-utils": [
-          "nixos-modules",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixos-modules",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1728423244,
-        "narHash": "sha256-+YwNsyIFj3dXyLVQd1ry4pCNmtOpbceKUrkNS8wp9Ho=",
-        "owner": "nuschtos",
-        "repo": "search",
-        "rev": "f276cc3b391493ba3a8b30170776860f9520b7fa",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nuschtos",
-        "repo": "search",
-        "type": "github"
-      }
-    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixpkgs-stable"
         ]
       },
       "locked": {
-        "lastModified": 1728345710,
-        "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
+        "lastModified": 1742406979,
+        "narHash": "sha256-r0aq70/3bmfjTP+JZs4+XV5SgmCtk1BLU4CQPWGtA7o=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
+        "rev": "1770be8ad89e41f1ed5a60ce628dd10877cb3609",
         "type": "github"
       },
       "original": {
@@ -445,6 +595,47 @@
         "type": "github"
       }
     },
+    "stylix": {
+      "inputs": {
+        "base16": "base16",
+        "base16-fish": "base16-fish",
+        "base16-helix": "base16-helix",
+        "base16-vim": "base16-vim",
+        "firefox-gnome-theme": "firefox-gnome-theme",
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "flake-utils": "flake-utils_2",
+        "git-hooks": "git-hooks",
+        "gnome-shell": "gnome-shell",
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nur": "nur",
+        "systems": "systems",
+        "tinted-foot": "tinted-foot",
+        "tinted-kitty": "tinted-kitty",
+        "tinted-schemes": "tinted-schemes",
+        "tinted-tmux": "tinted-tmux",
+        "tinted-zed": "tinted-zed"
+      },
+      "locked": {
+        "lastModified": 1742422444,
+        "narHash": "sha256-Djg5uMhIDPdFOZ7kTrqNlHaAqcx/4rp7BofZLsUHkLY=",
+        "owner": "danth",
+        "repo": "stylix",
+        "rev": "f122d70925ca44e5ee4216661769437ab36a6a3f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "danth",
+        "repo": "stylix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -460,6 +651,125 @@
         "type": "github"
       }
     },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "tinted-foot": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1726913040,
+        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
+        "owner": "tinted-theming",
+        "repo": "tinted-foot",
+        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-foot",
+        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
+        "type": "github"
+      }
+    },
+    "tinted-kitty": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1716423189,
+        "narHash": "sha256-2xF3sH7UIwegn+2gKzMpFi3pk5DlIlM18+vj17Uf82U=",
+        "owner": "tinted-theming",
+        "repo": "tinted-kitty",
+        "rev": "eb39e141db14baef052893285df9f266df041ff8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-kitty",
+        "rev": "eb39e141db14baef052893285df9f266df041ff8",
+        "type": "github"
+      }
+    },
+    "tinted-schemes": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1741468895,
+        "narHash": "sha256-YKM1RJbL68Yp2vESBqeZQBjTETXo8mCTTzLZyckCfZk=",
+        "owner": "tinted-theming",
+        "repo": "schemes",
+        "rev": "47c8c7726e98069cade5827e5fb2bfee02ce6991",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "schemes",
+        "type": "github"
+      }
+    },
+    "tinted-tmux": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1740877430,
+        "narHash": "sha256-zWcCXgdC4/owfH/eEXx26y5BLzTrefjtSLFHWVD5KxU=",
+        "owner": "tinted-theming",
+        "repo": "tinted-tmux",
+        "rev": "d48ee86394cbe45b112ba23ab63e33656090edb4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "tinted-tmux",
+        "type": "github"
+      }
+    },
+    "tinted-zed": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1725758778,
+        "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=",
+        "owner": "tinted-theming",
+        "repo": "base16-zed",
+        "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tinted-theming",
+        "repo": "base16-zed",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "stylix",
+          "nur",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733222881,
+        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
     "wired-notify": {
       "inputs": {
         "flake-parts": [
@@ -473,11 +783,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1727849733,
-        "narHash": "sha256-mqxs/nyzOEKiBHa94OtcOLYBXd65P8tO4DUVTHWHn6o=",
+        "lastModified": 1730615238,
+        "narHash": "sha256-u/ZGtyEUvAkFOBgLo2YldOx0GKjE3/esWpWruRD376E=",
         "owner": "Toqozz",
         "repo": "wired-notify",
-        "rev": "a1f6965737754e7424f9468f6befef885a9ee0ad",
+        "rev": "1632418aa15889343028261663e81d8b5595860e",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,15 +5,17 @@
     substituters = [
       "https://cache.nixos.org/?priority=1&want-mass-query=true"
       "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
+      "https://attic.nayeonie.com/nix-cache"
     ];
     trusted-substituters = [
       "https://cache.nixos.org"
-      "https://attic.alicehuston.xyz/cache-nix-dot"
       "https://nix-community.cachix.org"
+      "https://attic.nayeonie.com/nix-cache"
     ];
     trusted-public-keys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
     ];
     trusted-users = [ "root" ];
   };
@@ -22,19 +24,21 @@
     flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
     flake-parts.url = "github:hercules-ci/flake-parts";
     nixos-hardware.url = "github:NixOS/nixos-hardware";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+    #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
+    #nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
     systems.url = "github:nix-systems/default";
 
-    attic = {
-      url = "github:zhaofengli/attic";
-      inputs = {
-        nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
-        flake-compat.follows = "flake-compat";
-        flake-parts.follows = "flake-parts";
-      };
-    };
+    # attic = {
+    #   url = "github:zhaofengli/attic";
+    #   inputs = {
+    #     nixpkgs.follows = "nixpkgs";
+    #     nixpkgs-stable.follows = "nixpkgs-stable";
+    #     flake-compat.follows = "flake-compat";
+    #     flake-parts.follows = "flake-parts";
+    #   };
+    # };
 
     firefox-addons = {
       url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@@ -81,7 +85,6 @@
       url = "github:cachix/git-hooks.nix";
       inputs = {
         nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
         flake-compat.follows = "flake-compat";
       };
     };
@@ -97,7 +100,15 @@
       url = "github:Mic92/sops-nix";
       inputs = {
         nixpkgs.follows = "nixpkgs";
-        nixpkgs-stable.follows = "nixpkgs-stable";
+      };
+    };
+
+    stylix = {
+      url = "github:danth/stylix";
+      inputs = {
+        flake-compat.follows = "flake-compat";
+        home-manager.follows = "home-manager";
+        nixpkgs.follows = "nixpkgs";
       };
     };
 
@@ -149,6 +160,10 @@
         qcow = getImages nixosConfigurations "qcow";
       };
 
+      packages.x86_64-linux.lego-latest =
+        nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
+          { };
+
       checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
       devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
 

lib/container-utils.nix

@@ -0,0 +1,43 @@
+{ lib, ... }:
+
+{
+  # Given a attrset of images and a function which generates an image spec,
+  # generates a set of containers (although this could in theory be used for
+  # other things... I'd like to see people try)
+  #
+  # container set must be in the below format
+  # { container-name = {image = "image-uri"; scale = n;}; }
+  # where image-uri gets passed in to the container-spec function as a custom
+  # parameter, and scale is an integer that generates the containers
+  #
+  # container-spec must be a function which accepts two parameter (the
+  # container name and image name) and ideally returns an oci-compliant
+  # container.
+  #
+  # args:
+  # containers: an AttrSet which specifies the imageUri and scale of each
+  #   container
+  # container-spec: a function which produces an oci-compliant container spec
+  #
+  # type:
+  # AttrSet -> (String -> AttrSet -> AttrSet) -> AttrSet
+  createTemplatedContainers =
+    containers: container-spec:
+    builtins.listToAttrs (
+      lib.flatten (
+        lib.mapAttrsToList (
+          name: value:
+          (map (
+            num:
+            let
+              container-name = "${name}-${toString num}";
+            in
+            {
+              name = container-name;
+              value = container-spec container-name value.image;
+            }
+          ) (lib.lists.range 1 value.scale))
+        ) containers
+      )
+    );
+}

lib/default.nix

@@ -3,6 +3,7 @@
   # create rad-dev namespace for lib
   rad-dev = rec {
     systems = import ./systems.nix { inherit lib; };
+    container-utils = import ./container-utils.nix { inherit lib; };
 
     # any(), but checks if any value in the list is true
     #
@@ -56,5 +57,21 @@
     # type:
     # fileList :: Path -> String -> [Path]
     fileList = dir: map (file: dir + "/${file}") (ls dir);
+
+    # reduce an attribute set to a string
+    #
+    # example:
+    # given attrset {host1 = "palatine-hill"; host2 = "jeeves";}
+    # and func (host: hostname: host + " is " + hostname + ", " )
+    # mapAttrsToString would return 'host1 is palatine-hill, host2 is jeeves, '
+    #
+    # args:
+    # func: an function to apply to attrSet to turn each entry into one string
+    # attrSet: an attribute set to reduce
+    #
+    # type:
+    # mapAttrsToString :: AttrSet -> (String -> Any -> String) -> String
+    mapAttrsToString =
+      func: attrSet: (lib.foldl' (cur: next: cur + next) "" (lib.mapAttrsToList func attrSet));
   };
 }

modules/base.nix

@@ -15,7 +15,7 @@
 
   programs = {
     zsh.enable = true;
-    fish.enable = true;
+    fish.enable = false;
   };
 
   users = {

modules/boot.nix

@@ -35,7 +35,6 @@ in
   config.boot = lib.mkIf cfg.default {
     supportedFilesystems = [ cfg.filesystem ];
     tmp.useTmpfs = true;
-    kernelPackages = pkgs.linuxPackages_6_10;
     kernelParams =
       [ "nordrand" ]
       ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"

modules/docker.nix

@@ -7,8 +7,13 @@
       extraGroups = [ "docker" ];
       uid = 600;
     };
-    groups.docker-service = {
-      gid = 600;
+    groups = {
+      docker-service = {
+        gid = 600;
+      };
+      haproxy = {
+        gid = 99;
+      };
     };
   };
 

modules/plocate.nix

@@ -3,7 +3,7 @@
 {
   services.locate = {
     enable = lib.mkDefault true;
-    localuser = lib.mkDefault null;
+    # localuser = lib.mkDefault null;
     package = lib.mkDefault pkgs.plocate;
   };
 }

modules/update.nix

@@ -1,19 +1,19 @@
 { lib, ... }:
 {
   services.autopull = {
-    enable = lib.mkDefault false;
+    enable = lib.mkDefault true;
     repo.dotfiles = {
-      enable = lib.mkDefault false;
-      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
+      enable = lib.mkDefault true;
+      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_giteadeploy";
       path = lib.mkDefault /root/dotfiles;
     };
   };
 
   system.autoUpgrade = {
-    enable = lib.mkDefault false;
+    enable = lib.mkDefault true;
     flags = [ "--accept-flake-config" ];
     randomizedDelaySec = "1h";
     persistent = true;
-    flake = "github:RAD-Development/nix-dotfiles";
+    flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
   };
 }

pkgs/lego-latest/default.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  fetchFromGitHub,
+  buildGoModule,
+}:
+
+buildGoModule rec {
+  pname = "lego";
+  version = "4.21.0";
+
+  src = fetchFromGitHub {
+    owner = "go-acme";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-3dSvQfkBNh8Bt10nv4xGplv4iY3gWvDu2EDN6UovSdc=";
+  };
+
+  vendorHash = "sha256-teA6fnKl4ATePOYL/zuemyiVy9jgsxikqmuQJwwA8wE=";
+
+  doCheck = false;
+
+  subPackages = [ "cmd/lego" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X main.version=${version}"
+  ];
+
+  meta = with lib; {
+    description = "Let's Encrypt client and ACME library written in Go";
+    license = licenses.mit;
+    homepage = "https://go-acme.github.io/lego/";
+    maintainers = teams.acme.members;
+    mainProgram = "lego";
+  };
+
+  #passthru.tests.lego = nixosTests.acme;
+}

shell.nix

@@ -45,6 +45,10 @@ forEachSystem (
         treefmt
         statix
         nixfmt-rfc-style
+        jsonfmt
+        mdformat
+        shfmt
+        yamlfmt
       ];
     };
   in

statix.toml

@@ -1,4 +1,4 @@
 disabled = ["empty_pattern"]
-nix_version = '2.23'
+nix_version = '2.25'
 ignore = ['.direnv']
 

systems/artemision/ao3_skins/happy_17th.css

@@ -0,0 +1,438 @@
+#footer .group,
+.post fieldset fieldset,
+fieldset fieldset {
+  background: none;
+}
+
+#header {
+  background: #000 url('https://media.archiveofourown.org/news/milestones/2024-08-seventeen-years-otw/2024-08-seventeen-years-otw-pattern.jpg');
+  background-size: 350px;
+}
+
+#header .heading a,
+#header .primary .dropdown a:focus,
+#header .heading a:visited,
+#main .pagination .current,
+h2 {
+  color: #ffe8b4;
+}
+
+#header .clear,
+#footer {
+  border-color: #191919;
+}
+
+#header .actions a[href="/menu/fandoms"],
+#header .actions a[href="/menu/browse"],
+#header .actions a[href="/menu/search"],
+#header .actions a[href="/menu/about"] {
+  color: #fff;
+}
+
+#footer ul {
+  background: url('https://live.staticflickr.com/7284/9616997915_4194b6c6f7_h.jpg');
+  background-size: 350px;
+}
+
+#footer ul li:nth-child(1) ul,
+#footer ul li:nth-child(2) ul,
+#footer ul li:nth-child(3) ul,
+#footer ul li:nth-child(4) ul {
+  background: rgba(0, 0, 0, 0.0);
+}
+
+#header .primary {
+  background: #8a1a10;
+}
+
+#footer {
+  background: #8a1a10;
+}
+
+input[type="text"],
+textarea,
+select {
+  background: #222;
+  color: #fff;
+}
+
+select:focus {
+  background: #2a2a2a;
+}
+
+option {
+  background: #555;
+  color: #fff;
+}
+
+#work form fieldset.work.meta dl dd.warning.required fieldset,
+#main form fieldset.work.meta dl dd.warning.required fieldset {
+  color: #fff;
+}
+
+#bookmark-form form {
+  background: #2a2a2a;
+  color: #fff;
+}
+
+#error {
+  color: #191919;
+}
+
+fieldset,
+.verbose fieldset {
+  border-color: #404040;
+  background: #191919;
+  border: 1px solid #595959;
+}
+
+.search [role=tooltip] {
+  background: #333;
+  border: 1px solid #666;
+}
+
+#main a:visited {
+  color: #ccc;
+}
+
+#main a.tag:visited:hover {
+  color: #111;
+}
+
+body,
+.group,
+.group .group,
+.region,
+.flash,
+form dl,
+#main .verbose legend,
+.notice,
+ul.notes,
+table,
+th,
+td:hover,
+tr:hover,
+.symbol .question:hover,
+#modal,
+.ui-sortable li,
+.required .autocomplete,
+.autocomplete .notice,
+.system .intro,
+.comment_error,
+.kudos_error,
+div.dynamic,
+.dynamic form,
+#ui-datepicker-div,
+.ui-datepicker table {
+  background: #191919;
+  color: #eee;
+  border-color: #222;
+  outline: #111;
+  box-shadow: none;
+}
+
+#header .actions a:hover,
+#header .actions a:focus,
+#header .dropdown:hover a,
+#header .open a,
+#header .menu,
+#small_login,
+.group.listbox,
+fieldset fieldset.listbox,
+.listbox,
+form blockquote.userstuff,
+input:focus,
+textarea:focus,
+li.relationships a,
+.group.listbox .index,
+.dashboard fieldset fieldset.listbox .index,
+#dashboard a:hover,
+th,
+#dashboard .secondary,
+.secondary,
+.thread .even,
+.system .tweet_list li,
+.ui-datepicker tr:hover {
+  background: #2A2A2A;
+}
+
+a,
+a.tag,
+a:link,
+#header a:visited,
+#header .primary .open a,
+#header .primary .dropdown:hover a,
+#header #search input:focus,
+#header #search input:hover,
+.userstuff h2,
+#dashboard a,
+#dashboard span,
+#dashboard .current,
+.group .heading,
+.filters dt a:hover {
+  color: #fff;
+}
+
+#header .dropdown .menu a:hover,
+#header .dropdown .menu a:focus,
+.splash .favorite li:nth-of-type(odd) a,
+.ui-datepicker td:hover,
+#tos_prompt .heading,
+#tos_prompt [disabled] {
+  background: #111;
+  color: #ffe8b4;
+}
+
+#outer,
+.javascript,
+.statistics .index li:nth-of-type(even),
+#tos_prompt,
+.announcement input[type="submit"] {
+  background: #191919;
+}
+
+#dashboard ul,
+dl.meta,
+.group.listbox,
+fieldset fieldset.listbox,
+#main li.blurb,
+form blockquote.userstuff,
+div.comment,
+li.comment,
+.toggled form,
+form dl dt,
+form.single fieldset,
+#inner .module .heading,
+.bookmark .status span,
+.splash .news li,
+.filters .group dt.bookmarker {
+  border-color: #555;
+}
+
+.group.listbox,
+fieldset fieldset.listbox,
+#main li.blurb,
+.wrapper,
+#dashboard .secondary,
+.secondary,
+form blockquote.userstuff,
+.thread .comment,
+.toggled form {
+  box-shadow: 1px 1px 3px #000;
+}
+
+#dashboard .current,
+.actions a:active,
+a.current,
+.current a:visited,
+span.unread,
+.replied,
+span.claimed,
+dl.index dd,
+.own,
+.draft,
+.draft .unread,
+.child,
+.unwrangled,
+.unreviewed,
+.ui-sortable li:hover {
+  background: #000;
+  border-color: #555;
+  box-shadow: -1px -1px 3px #000;
+}
+
+input,
+textarea {
+  box-shadow: inset 0 1px 2px #000;
+}
+
+li.blurb,
+.blurb .blurb,
+.listbox .index,
+fieldset fieldset.listbox,
+.dashboard .listbox .index {
+  box-shadow: inset 1px 1px 3px #000;
+}
+
+#footer a:hover,
+#footer a:focus,
+.autocomplete .dropdown ul li:hover,
+.autocomplete .dropdown li.selected,
+a.tag:hover,
+.listbox .heading a.tag:visited:hover,
+.symbol .question {
+  background: #ffedc5;
+  border-color: #988352;
+  color: #111;
+}
+
+#header #greeting img,
+#header .user a:hover,
+#header .user a:focus,
+#header fieldset,
+#header form,
+#header p,
+#dashboard a:hover,
+.actions a:hover,
+.actions input:hover,
+.delete a,
+span.delete,
+span.unread,
+.replied,
+span.claimed,
+.draggable,
+.droppable,
+span.requested,
+a.work,
+.blurb h4 a:link,
+.blurb h4 img,
+.splash .module h3,
+.splash .browse li a:before,
+.required,
+.error,
+.comment_error,
+.kudos_error,
+a.cloud7,
+a.cloud8,
+#tos_prompt .heading {
+  color: #ffe8b4;
+}
+
+#greeting .icon,
+#dashboard,
+#dashboard.own,
+.error,
+.comment_error,
+.kudos_error,
+.LV_invalid,
+.LV_invalid_field,
+input.LV_invalid_field:hover,
+input.LV_invalid_field:active,
+textarea.LV_invalid_field:hover,
+textarea.LV_invalid_field:active,
+.qtip-content {
+  border-color: #8a1a10;
+}
+
+.splash .favorite li:nth-of-type(odd) a:hover,
+.splash .favorite li:nth-of-type(odd) a:focus .splash .favorite li:nth-of-type(odd) a:visited:hover,
+.splash .favorite li:nth-of-type(odd) a:visited:focus {
+  background: #ffe8b4;
+  color: #111;
+}
+
+a:visited,
+.actions a:visited,
+.action a:link,
+.action a:visited,
+.listbox .heading a:visited,
+span.series .divider {
+  color: #999;
+}
+
+.actions a,
+.actions a:link,
+.action,
+.action:link,
+.actions input,
+input[type="submit"],
+button,
+.current,
+.actions label,
+#header .actions a,
+#outer .current {
+  background: #555;
+  border-color: #222;
+  color: #eee;
+  box-shadow: inset 0 -8px 4px #232323, inset 0 8px 7px #555;
+  text-shadow: none;
+}
+
+.actions a:hover,
+.actions input:hover,
+#dashboard a:hover,
+.actions a:focus,
+.actions input:focus,
+#dashboard a:focus,
+.actions .disabled select {
+  color: #999;
+  border-color: #000;
+  box-shadow: inset 2px 2px 2px #000;
+}
+
+.actions a:active,
+.current,
+a.current,
+.current a:visited {
+  color: #fff;
+  background: #555;
+  border-color: #fff;
+  box-shadow: inset 1px 1px 3px #191919;
+}
+
+.delete a,
+span.delete {
+  box-shadow: -1px -1px 2px rgba(255,255,255.25);
+}
+
+.actions label.disabled {
+  background: #222;
+  box-shadow: none;
+}
+
+ul.required-tags,
+.bookmark .status span,
+.blurb .icon {
+  opacity: 0.9;
+  border: 0;
+}
+
+#outer .group .heading,
+#header .actions a,
+fieldset.listbox .heading,
+.userstuff .heading {
+  text-shadow: none;
+  color: #fff;
+  background: none;
+}
+
+#header .actions a,
+fieldset fieldset,
+.mce-container button,
+.filters .expander,
+.actions .disabled select {
+  box-shadow: none;
+}
+
+fieldset fieldset.listbox {
+  outline: none;
+}
+
+form dd.required {
+  color: #eee;
+}
+
+.mce-container input:focus {
+  background: #F3EFEC;
+}
+
+.announcement .userstuff a,
+.announcement .userstuff a:link,
+.announcement .userstuff a:visited:hover {
+  color: #111;
+}
+
+.announcement .userstuff a:visited {
+  color: #666;
+}
+
+.announcement .userstuff a:hover,
+.announcement .userstuff a:focus {
+  color: #999;
+}
+
+.event.announcement .userstuff a,
+.filters .expander {
+  color: #eee;
+}
+

systems/artemision/configuration.nix

@@ -6,17 +6,18 @@
 }:
 {
   imports = [
-    ./programs.nix
-    ./desktop.nix
-    ./wifi.nix
-    ./zerotier.nix
-    ./fonts.nix
-    ./polkit.nix
     ./audio.nix
+    ./desktop.nix
     ./fingerprint.nix
-    ./steam.nix
+    ./fonts.nix
     ./graphics.nix
     ./libvirt.nix
+    ./polkit.nix
+    ./programs.nix
+    ./steam.nix
+    ./stylix.nix
+    ./wifi.nix
+    ./zerotier.nix
   ];
 
   time.timeZone = "America/New_York";
@@ -31,7 +32,7 @@
   };
 
   boot = {
-    kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
+    #kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
     useSystemdBoot = true;
     default = true;
   };
@@ -44,6 +45,7 @@
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
   services = {
+    flatpak.enable = true;
     calibre-web = {
       enable = true;
       listen = {
@@ -73,17 +75,6 @@
     fprintd.enable = lib.mkForce false;
     openssh.enable = lib.mkForce false;
 
-    spotifyd = {
-      enable = true;
-      settings = {
-        global = {
-          username = "snowinginwonderland@gmail.com";
-          password_cmd = "cat ${config.sops.secrets."apps/spotify".path}";
-          use_mpris = false;
-        };
-      };
-      #systemd.services.spotifyd.serviceConfig = systemd.services.spotifyd.
-    };
     rad-dev.yubikey = {
       enable = true;
       enable-desktop-app = true;
@@ -92,19 +83,22 @@
 
   users.users.alice.extraGroups = [ "calibre-web" ];
 
-  system.autoUpgrade.enable = false;
   system.stateVersion = "24.05";
 
   programs.adb.enable = true;
 
+  environment.variables = {
+    "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
+  };
+
   sops = {
     defaultSopsFile = ./secrets.yaml;
-    secrets = {
-      "apps/spotify" = {
-        group = "audio";
-        restartUnits = [ "spotifyd.service" ];
-        mode = "0440";
-      };
-    };
+    #secrets = {
+    #  "apps/spotify" = {
+    #    group = "audio";
+    #    restartUnits = [ "spotifyd.service" ];
+    #    mode = "0440";
+    #  };
+    #};
   };
 }

systems/artemision/default.nix

@@ -7,6 +7,7 @@
   users = [ "alice" ];
   modules = [
     inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+    inputs.stylix.nixosModules.stylix
     {
       environment.systemPackages = [
         inputs.wired-notify.packages.x86_64-linux.default

systems/artemision/desktop.nix

@@ -7,7 +7,9 @@
     hyprland = {
       enable = true;
       xwayland.enable = true;
+      withUWSM = true;
     };
+    hyprlock.enable = true;
     gnupg.agent = {
       enable = true;
       #pinentryPackage = pkgs.pinentry-rofi;
@@ -54,6 +56,13 @@
     };
   };
 
+  powerManagement = {
+    enable = true;
+    resumeCommands = ''
+      ${pkgs.hyprlock}/bin/hyprlock -c /home/alice/.config/hypr/hyprlock.conf
+    '';
+  };
+
   environment.systemPackages = with pkgs; [
     libsForQt5.qt5.qtwayland
     qt6.qtwayland

systems/artemision/fonts.nix

@@ -3,17 +3,13 @@
   fonts = {
     fontconfig.enable = true;
     enableDefaultPackages = true;
-    packages = with pkgs; [
-      (nerdfonts.override {
-        fonts = [
-          "FiraCode"
-          "DroidSansMono"
-          "Hack"
-          "DejaVuSansMono"
-          "Noto"
-          "OpenDyslexic"
-        ];
-      })
+    packages = with pkgs.nerd-fonts; [
+      fira-code
+      droid-sans-mono
+      hack
+      dejavu-sans-mono
+      noto
+      open-dyslexic
     ];
   };
 }

systems/artemision/hardware.nix

@@ -86,7 +86,7 @@
     };
   };
 
-  swapDevices = [ { device = "/dev/disk/by-uuid/7f0dba0f-d04e-4c94-9fba-1d0811673df1"; } ];
+  swapDevices = [ { device = "/dev/disk/by-uuid/3ec276b5-9088-45b0-9cb4-60812f2d1a73"; } ];
 
   boot.initrd.luks.devices = {
     "nixos-pv" = {

systems/artemision/programs.nix

@@ -3,6 +3,7 @@
   environment.systemPackages = with pkgs; [
     act
     alacritty
+    attic-client
     amdgpu_top
     bat
     bitwarden-cli
@@ -12,12 +13,12 @@
     calibre
     # calibre dedrm?
     candy-icons
-    nemo-with-extensions
+    chromium
+    chromedriver
     croc
     deadnix
     direnv
-    discord
-    discord-canary
+    easyeffects
     eza
     fanficfare
     ferium
@@ -29,25 +30,29 @@
     glances
     gpu-viewer
     grim
+    helvum
     htop
     hwloc
     ipmiview
     iperf3
-    ipscan
+    # ipscan
     jp2a
     jq
-    kdenlive
+    kdePackages.kdenlive
     kitty
     kubectl
     kubernetes-helm
+    libreoffice-fresh
     libtool
     lsof
     lynis
     masterpdfeditor4
     minikube
     mons
+    mpv
     # nbt explorer?
     ncdu
+    nemo-with-extensions
     neofetch
     neovim
     nix-init
@@ -57,6 +62,7 @@
     nixpkgs-fmt
     nmap
     obs-studio
+    obsidian
     ocrmypdf
     pciutils
     #disabled until wxpython compat with python3.12
@@ -64,12 +70,14 @@
     prismlauncher
     protonmail-bridge
     protontricks
+    proxychains
     qrencode
     redshift
     restic
     ripgrep
     rpi-imager
     rofi-wayland
+    samba
     signal-desktop
     # signal in tray?
     siji
@@ -89,18 +97,18 @@
     tig
     tokei
     tree
-    unzip
     unipicker
+    unzip
     uutils-coreutils-noprefix
     ventoy
+    vesktop
     vscode
     watchman
     wget
     wl-clipboard
-    xboxdrv
+    yq
     yt-dlp
     zoom-us
     zoxide
-    zoom
   ];
 }

systems/artemision/secrets.yaml

@@ -1,17 +1,17 @@
-hello: ENC[AES256_GCM,data:UJlsd5kvnhEv7eJeYwg+NHm9sgUAxYM5DoR0gDPLi9J7P+8FI8WPMkN1wEAHJA==,iv:NFSdZQ1OK4BT+EAGZz122NB7WrVCEzv4wwMxFIE/OKI=,tag:6YT7Vw8tFrw9iEFKxeKRFQ==,type:str]
-example_key: ENC[AES256_GCM,data:KMXgMrqe7M101ZMJ2g==,iv:MJ3Iiu/0KIVhPFnqfovysqvPJAv1OsnxE4VIsuexFkE=,tag:X6KIKNGym8/9VglmG3SNRw==,type:str]
-#ENC[AES256_GCM,data:QR3WNE/a1hZIXnTjFjK3kA==,iv:eXoZJ5rQaYqN7LjEp2M13OCMwuQ+80M5AXjV0uNc4C8=,tag:sCvL6pr9zAyWZziffVFMzg==,type:comment]
+hello: ENC[AES256_GCM,data:BTCBuBxHFO8vwXU/bsAZryM5rXUOEi0brlvq6DtqfZbzxGz4LaW89VO75MERHQ==,iv:fwqI3arwtlZQ5DtvpVbh21ThuZP8zcqCHsmuJuCfCsY=,tag:tkkEO8/eEDCakdlT0NvajA==,type:str]
+example_key: ENC[AES256_GCM,data:xzsymSb4oD70twtoKQ==,iv:9vBmAKET2VIuDSq7AOyvdYWLGlL6cYHTWxy/Z5bB1+c=,tag:NbV4eA2aaY4cQAKUy3QOpw==,type:str]
+#ENC[AES256_GCM,data:zeOCzRd/nFRhbANHxPyyjw==,iv:9MmHl3OyhJHVU+cUFJ4QitHd4SeDe3ctaky+yfvk8Zs=,tag:uPGRJtgQj1vIdLt2+w0krg==,type:comment]
 example_array:
-    - ENC[AES256_GCM,data:g8PulCLrXZYSEdZJELE=,iv:irGwciFn1zXBxFpGAJtD46EQLGUO5oqdCzRgv1204JE=,tag:2MuDdRYMjhtTY++lPuj1FQ==,type:str]
-    - ENC[AES256_GCM,data:qv7GvmoOX8VSdaiW/90=,iv:6NOWeWqHUV9ciKPmZF4C7ijuIPFr3YZi3Dh7xWnb07k=,tag:VHXdBhWmEpb7uavCPqGZ4w==,type:str]
-example_number: ENC[AES256_GCM,data:g8BIEIcwKRLSbw==,iv:Ay4aiukAvXeDhzlpMPn++zR0Tt2lMqCx362uN37S+ac=,tag:NTtNaIu5u8YsIm0M4OgL0A==,type:float]
+    - ENC[AES256_GCM,data:Nwn96XJv8xZWRYv8qws=,iv:K30LBMC8e1vUS0XE+4EIYb3xUUyn6232YmhV2vI9Qnc=,tag:HRe3S88zwj/CjG6NTvjdRQ==,type:str]
+    - ENC[AES256_GCM,data:l2nuwoAbwaDFHpEWV1Y=,iv:7/2rTd8agUvx73eftpOgidV4XjDUv/JppLIIsiuycnU=,tag:Ohi4JULWDNXJPWZaeXHEdw==,type:str]
+example_number: ENC[AES256_GCM,data:toi1e/biUd2Tng==,iv:MPCfhhX9DDaOSzx/L5LTf2VYffin8XvxVyhNDqZLsec=,tag:tE/lml3afP/NjRtpPraoRQ==,type:float]
 example_booleans:
-    - ENC[AES256_GCM,data:94T9mg==,iv:qKGJke4SGhgN09Yebh5MPrRBDNnguJQ+1dl5XQffGZQ=,tag:0Pa3eujmSxDCnAHKHsx6yQ==,type:bool]
-    - ENC[AES256_GCM,data:gEvfi+Q=,iv:0DrXoZk8OkdUShc7WAKOL8xG26RFZp3M3qYFAb1hDAs=,tag:uemBrdF87nrfLpfnQ8bD8g==,type:bool]
+    - ENC[AES256_GCM,data:02CVNA==,iv:L9GmIm9ynm2cWTyd3iYo4fgIeneUyFpEzzzxicM/YNI=,tag:k2EIboiL+c4W1H2OpA2Rqw==,type:bool]
+    - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
 apps:
-    spotify: ENC[AES256_GCM,data:bp1pdOfS+VGWLtepUjg7KFWw8Fk=,iv:twGO3CjzRxAU81C93mX8qIEZ/FYIQRJnMd2HIuvP9q8=,tag:AJgs0QGFH30E8+ZpaB02TQ==,type:str]
-wifi-env: ENC[AES256_GCM,data:6+fHf25fx/PuutOXhMZqx2JVVSDTW7fQU8XOCc2vyUpg7HiRpOKFu5PIZoJQexvJoBNNciiQkju17+xuxnQ48dsRgsdS+wfH86Af55MfqDjG1el/htEOER9f9sTpMwGjIKD1zalkMp7oX17UlIqiCQg7HfcZFb8T4eHzu9w48umiC3WpwlKLykF5W600gYbXx1E1FjwgCwxJ1zRmBTXoz6WHvQ==,iv:DmUyn3/Q7jwqHrK7wSCqIRO1jJsOHNbmG6a/l1YdMmQ=,tag:S3CtTdFyn2Lg5nGlHVU66g==,type:str]
-#ENC[AES256_GCM,data:pC2Kdy7wNc0=,iv:J7Ggfv6K3dCzL42j5MGd+BjQGseoAoYs4k6+yc3FSiA=,tag:9MriduP9SEIi+c1q4tfzlQ==,type:comment]
+    spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
+wifi-env: ENC[AES256_GCM,data:G+z+fURk4rT61I5BiFzEJJt35jywPNrGpn1QGNhjvxrqPQ/Sq/hIHmQo+bqe9yJeDgMX3RY4EaiZxFTJyxPfW1czjuMSj3vbTp0WcDmGvUJ7li2pX2pzolgly4qmgoOluGBeRZWVLLOZYFB2+kLRMJNNz/bP5k2Eq6O4+l4sljPM+abn9iz9Eh46rVOVRkmDzCltJrYiuBSiSPhTDRTP2+gUbgbaUJTkVrVLUBHg3QU6az6VPN8DPZxbx4LtdaIb93pI,iv:uUfJK/iPdyLP7LqZJolTGGTxaEzlJI59bUVNcB1etkU=,tag:tvXSXSW1MIhLJceEK1afuw==,type:str]
+#ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
 sops:
     kms: []
     gcp_kms: []
@@ -21,26 +21,26 @@ sops:
         - recipient: age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZC9aczBZekVGMVRBYlFV
-            MUpDZFFPRTIzL1hpR25vd2pjZzJnRE12TkhRCjdiV3VxVnJpL2l2OU1rNVE3K2kv
-            akF1UFNtdDFYdUNIMjVwWitOUDJ1UUEKLS0tIFJkSGU1MC90ZlM0TXJOeWlWTnJT
-            RFVEMjg4bjd4SUF2SjVWZVNDWlpiR1EKmWM9G8/vb1+GX4zGiIj/So4apfi3wzyp
-            yGi0T3fen3jzfU38xFZ25Tn0pDTQaSG7PkVKQn9YBJ4pGb9JDPfTjw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbElNRkxyZ2VjaitiTWx2
+            eThsY0h3a2NCZDloWG0rU1ZwVnhOY2VJTXlFCnp3UzNDR216L2R4cVdyWjFqbkRr
+            cFJGQjQ4Qk9zblYyckVFY3VNekNuajQKLS0tIEdRWldHMjlpTElxQWFVUlh4L1lz
+            d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
+            D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-20T13:52:31Z"
-    mac: ENC[AES256_GCM,data:IT/GEdJtQHSjzVRdIBIRq1y0Lby4k6gGVDfeg3/bjdDNWkPCnGOc5Uerz3TJ95M3oKMgFiQW2Sa4m/8QX9qhtVfH7gleMhJbzkz1DGKozoCxqWX71BBfiwcAuLG1fzDwfpT4DcRK1ppfC/9kMZ3g7r9Ug6EceXUKXP3uaUgfNjg=,iv:WpEhLffmICyR7bbe0cnT9fjqyL59gVxumz/lsE3oBfU=,tag:k0GSSZeQC9bJ1TWRwhaGQA==,type:str]
+    lastmodified: "2024-11-28T18:57:09Z"
+    mac: ENC[AES256_GCM,data:hKhAo7rDplLm19PlrKHQwxnDVXCMU/xpAxPALLDBa0M3yypy2QVD6c6Atn897tYRKf7oeLaUKqnUYdCcZ9gVgm37LS+GtRhf66zfvcKqhZF8wh3M0zTDPYpQDhex0N4BAJ/dcaYIbxqE9pEUxJOI5jip/hptaCJItTEe7oARcF4=,iv:EUayxLaOPcnWX+S9+RlHrxzJRLlSSLIwqbAq3fFI4yg=,tag:LiBsqIodTWamO+c8FqGBag==,type:str]
     pgp:
-        - created_at: "2024-09-05T06:10:45Z"
+        - created_at: "2024-11-28T18:57:09Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DQWNzDMjrP2ISAQdAVPGTjbrJcO6UTQ9bYOqiVqJMehxGkfNMtgnQQL36mQsw
-            CznpGVos/aNWRKmt0nkfjHuI0y71foFWt7BB/acKspE5YUu831wgrRbB8TyN69DK
-            1GgBCQIQjanvxCPgcaSWLqw2oXXPzTJ1PRJc2UA4kayYIzvOUP9QBoEruDki0GVi
-            5n+ZiGGtvx7bihZ1WeJiHcOArPr3xrrrPv6nuAxP05HbSRYhaAU79eOTT1p7MtSO
-            A0BHgVYuL00FHg==
-            =Luz2
+            hF4DQWNzDMjrP2ISAQdALiZMzuQViM23hoFebCXYfQUIvCluWqAEeSJyE/LRHG8w
+            nQnIVPRIbzLzWfCf+48EW6f7zonHmNY7D9F9KohDmCTcJ5/WvXsJKjebuohR62TF
+            1GYBCQIQq7nEvwSfn+l5AevKIiodA4BLfM326JSx5hJ6XdrE0MzZo1uoMwKKuxig
+            mPbDP8Rx51v9f+9DzjBg6kQD5w411HADL8th+wSkpmasP8ozIeiNiIKzzoJc/fD6
+            AOsExCUt8FU=
+            =wRT+
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

systems/artemision/steam.nix

@@ -4,7 +4,10 @@
   environment.systemPackages = [ pkgs.steam-run ];
   hardware.steam-hardware.enable = true;
   programs = {
-    gamescope.enable = true;
+    gamescope = {
+      enable = true;
+      capSysNice = true;
+    };
     steam = {
       enable = true;
       remotePlay.openFirewall = true;

systems/artemision/stylix.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+# let
+# randWallpaper = pkgs.runCommand "stylix-wallpaper" { } ''
+#   numWallpapers =
+#   $((1 + $RANDOM % 10))
+
+# in
+{
+  stylix = {
+    enable = true;
+    image = "${pkgs.hyprland}/share/hypr/wall2.png";
+
+    #image = "/home/alice/Pictures/Screenshots/screenshot_2024-12-04-2030.png";
+    polarity = "dark";
+  };
+}

systems/artemision/wifi.nix

@@ -23,6 +23,7 @@ in
       "5HuFios".pskRaw = "ext:PASS_longboat_home";
       "24HuFios".pskRaw = "ext:PASS_longboat_home";
       "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
+      "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
       "optimumwifi" = { };
       "CableWiFi" = { };
       "JPMCVisitor" = { };

systems/palatine-hill/acme.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  outputs,
+  ...
+}:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "aliceghuston@gmail.com";
+    certs."nayeonie.com" = {
+      dnsProvider = "dnsimple";
+      environmentFile = config.sops.secrets."acme/dnsimple".path;
+      dnsPropagationCheck = false;
+      group = "haproxy";
+      extraDomainNames = [
+        "*.nayeonie.com"
+        # "alicehuston.xyz"
+        # "*.alicehuston.xyz"
+      ];
+    };
+  };
+
+  systemd.services."acme-nayeonie.com.service".path = lib.mkForce (
+    with pkgs;
+    [
+      coreutils
+      diffutils
+      openssl
+    ]
+    ++ [
+      outputs.packages.x86_64-linux.lego-latest
+    ]
+  );
+
+  sops.secrets = {
+    "acme/dnsimple" = {
+      owner = "root";
+    };
+  };
+}

systems/palatine-hill/attic/default.nix

@@ -8,34 +8,18 @@
 {
   environment.systemPackages = with pkgs; [
     attic-client
-    attic
   ];
 
   services = {
-    postgresql = {
-      enable = true;
-      ensureDatabases = [ "atticd" ];
-      ensureUsers = [
-        {
-          name = "atticd";
-          ensureDBOwnership = true;
-        }
-      ];
-      upgrade = {
-        enable = true;
-        stopServices = [ "atticd" ];
-      };
-    };
-
     atticd = {
       enable = true;
 
-      credentialsFile = config.sops.secrets."attic/secret-key".path;
+      environmentFile = config.sops.secrets."attic/secret-key".path;
 
       settings = {
         listen = "[::]:8183";
-        allowed-hosts = [ "attic.alicehuston.xyz" ];
-        api-endpoint = "https://attic.alicehuston.xyz";
+        allowed-hosts = [ "attic.nayeonie.com" ];
+        api-endpoint = "https://attic.nayeonie.com/";
         compression.type = "none"; # let ZFS do the compressing
         database = {
           url = "postgres://atticd?host=/run/postgresql";
@@ -48,7 +32,7 @@
           type = "s3";
           region = "us-east-1";
           bucket = "cache-nix-dot";
-          endpoint = "https://minio.alicehuston.xyz";
+          endpoint = "https://minio.nayeonie.com";
         };
 
         # Warning: If you change any of the values here, it will be
@@ -78,58 +62,58 @@
 
   # borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix
   # configured default webstore for this on root user separately
-  systemd = {
-    services = {
-      attic-watch-store = {
-        wantedBy = [ "multi-user.target" ];
-        after = [
-          "network-online.target"
-          "docker.service"
-          "atticd.service"
-        ];
-        requires = [
-          "network-online.target"
-          "docker.service"
-          "atticd.service"
-        ];
-        description = "Upload all store content to binary cache";
-        serviceConfig = {
-          User = "root";
-          Restart = "always";
-          ExecStart = "${pkgs.attic}/bin/attic watch-store cache-nix-dot";
-        };
-      };
-      attic-sync-hydra = {
-        after = [
-          "network-online.target"
-          "docker.service"
-          "atticd.service"
-        ];
-        requires = [
-          "network-online.target"
-          "docker.service"
-          "atticd.service"
-        ];
-        description = "Force resync of hydra derivations with attic";
-        serviceConfig = {
-          Type = "oneshot";
-          User = "root";
-          ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
-        };
-      };
-    };
+  # systemd = {
+  #   services = {
+  #     attic-watch-store = {
+  #       wantedBy = [ "multi-user.target" ];
+  #       after = [
+  #         "network-online.target"
+  #         "docker.service"
+  #         "atticd.service"
+  #       ];
+  #       requires = [
+  #         "network-online.target"
+  #         "docker.service"
+  #         "atticd.service"
+  #       ];
+  #       description = "Upload all store content to binary cache";
+  #       serviceConfig = {
+  #         User = "root";
+  #         Restart = "always";
+  #         ExecStart = "${pkgs.attic-client}/bin/attic watch-store cache-nix-dot";
+  #       };
+  #     };
+  #     attic-sync-hydra = {
+  #       after = [
+  #         "network-online.target"
+  #         "docker.service"
+  #         "atticd.service"
+  #       ];
+  #       requires = [
+  #         "network-online.target"
+  #         "docker.service"
+  #         "atticd.service"
+  #       ];
+  #       description = "Force resync of hydra derivations with attic";
+  #       serviceConfig = {
+  #         Type = "oneshot";
+  #         User = "root";
+  #         ExecStart = "${config.nix.package}/bin/nix ${./sync-attic.bash}";
+  #       };
+  #     };
+  #   };
 
-    timers = {
-      attic-sync-hydra = {
-        wantedBy = [ "timers.target" ];
-        timerConfig = {
-          OnBootSec = 600;
-          OnUnitActiveSec = 86400;
-          Unit = "attic-sync-hydra.service";
-        };
-      };
-    };
-  };
+  #   timers = {
+  #     attic-sync-hydra = {
+  #       wantedBy = [ "timers.target" ];
+  #       timerConfig = {
+  #         OnBootSec = 600;
+  #         OnUnitActiveSec = 86400;
+  #         Unit = "attic-sync-hydra.service";
+  #       };
+  #     };
+  #   };
+  # };
 
   sops = {
     secrets = {

systems/palatine-hill/attic/sync-attic.bash

@@ -2,9 +2,9 @@
 #! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
 
 sync_directories=(
-    /ZFS/ZFS-primary/hydra
+  /ZFS/ZFS-primary/hydra
 )
 
 for dir in "${sync_directories[@]}"; do
-    find "$dir"  -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
+  find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
 done

systems/palatine-hill/configuration.nix

@@ -6,14 +6,19 @@
 }:
 {
   imports = [
+    ./acme.nix
     ./attic
-    ./docker.nix
+    ./docker
+    ./gitea.nix
+    ./firewall.nix
     ./haproxy
     ./hardware-changes.nix
     ./hydra.nix
     ./minio.nix
     ./networking.nix
     ./nextcloud.nix
+    ./samba.nix
+    ./postgresql.nix
     ./zfs.nix
   ];
 
@@ -53,10 +58,14 @@
   };
 
   environment.systemPackages = with pkgs; [
+    chromedriver
+    chromium
     docker-compose
     intel-gpu-tools
     jellyfin-ffmpeg
     jq
+    yt-dlp
+    yq
   ];
 
   services = {
@@ -64,32 +73,8 @@
     nfs.server.enable = true;
     openssh.ports = [ 666 ];
     smartd.enable = true;
+    calibre-server.enable = false;
 
-    postgresql = {
-      enable = true;
-      enableJIT = true;
-      identMap = ''
-        # ArbitraryMapName systemUser DBUser
-           superuser_map      root      postgres
-           superuser_map      alice  postgres
-           # Let other names login as themselves
-           superuser_map      /^(.*)$   \1
-      '';
-
-      # initialScript = config.sops.secrets."postgres/init".path;
-
-      upgrade = {
-        enable = true;
-        stopServices = [
-          "hydra-evaluator"
-          "hydra-init"
-          "hydra-notify"
-          "hydra-queue-runner"
-          "hydra-send-stats"
-          "hydra-server"
-        ];
-      };
-    };
   };
 
   nix.gc.options = "--delete-older-than 150d";

systems/palatine-hill/default.nix

@@ -1,5 +1,7 @@
 { inputs, ... }:
 {
   users = [ "alice" ];
-  modules = [ inputs.attic.nixosModules.atticd ];
+  modules = [
+    # inputs.attic.nixosModules.atticd
+  ];
 }

systems/palatine-hill/docker.nix

@@ -1,5 +0,0 @@
-{ ... }:
-
-{
-  virtualisation.docker.daemon.settings.data-root = "/var/lib/docker2";
-}

systems/palatine-hill/docker/act-runner.nix

@@ -0,0 +1,181 @@
+{
+  config,
+  ...
+}:
+
+let
+  vars = import ../vars.nix;
+  act_path = vars.primary_act;
+in
+{
+  virtualisation.oci-containers.containers = {
+    act-stable-latest-main = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      ports = [ "8088:8088" ];
+      volumes = [
+        "${act_path}/stable-latest-main/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-main/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-main";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+
+    act-stable-latest-1 = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      volumes = [
+        "${act_path}/stable-latest-1/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-1/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-1";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+
+    act-stable-latest-2 = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      volumes = [
+        "${act_path}/stable-latest-2/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-2/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-2";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+
+    act-stable-latest-3 = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      volumes = [
+        "${act_path}/stable-latest-3/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-3/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-3";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+
+    act-stable-latest-4 = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      volumes = [
+        "${act_path}/stable-latest-4/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-4/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-4";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+
+    act-stable-latest-5 = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      volumes = [
+        "${act_path}/stable-latest-5/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-5/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/nix:/nix"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-5";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+  };
+
+  systemd = {
+    timers."custom-watchtower@act-runner" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "20m";
+        OnUnitActiveSec = "5m";
+        Unit = "custom-watchtower@act-runner.service";
+      };
+    };
+    services."custom-watchtower@act-runner" = {
+      bindsTo = [ "docker.service" ];
+      after = [ "docker.service" ];
+      description = "a watchtower-esque script for systemd-based oci-containers";
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'act-runner'";
+      };
+    };
+  };
+
+  sops.secrets = {
+    "docker/act-runner" = {
+      owner = "root";
+      restartUnits = [
+        "docker-act-stable-latest-1.service"
+      ];
+    };
+  };
+}

systems/palatine-hill/docker/archiveteam.nix

@@ -0,0 +1,152 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  containers = {
+    archiveteam-imgur = {
+      image = "imgur-grab";
+      scale = 1;
+    };
+    archiveteam-telegram = {
+      image = "telegram-grab";
+      scale = 3;
+    };
+    archiveteam-reddit = {
+      image = "reddit-grab";
+      scale = 0;
+    };
+    archiveteam-dpreview = {
+      image = "dpreview-grab";
+      scale = 0;
+    };
+    archiveteam-issuu = {
+      image = "issuu-grab";
+      scale = 0;
+    };
+    archiveteam-urls = {
+      image = "urls-grab";
+      scale = 2;
+    };
+    archiveteam-urlteam = {
+      image = "terroroftinytown-client-grab";
+      scale = 2;
+    };
+    archiveteam-mediafire = {
+      image = "mediafire-grab";
+      scale = 1;
+    };
+    archiveteam-github = {
+      image = "github-grab";
+      scale = 1;
+    };
+    archiveteam-lineblog = {
+      image = "lineblog-grab";
+      scale = 0;
+    };
+    archiveteam-banciyuan = {
+      image = "banciyuan-grab";
+      scale = 0;
+    };
+    archiveteam-wysp = {
+      image = "wysp-grab";
+      scale = 0;
+    };
+    archiveteam-xuite = {
+      image = "xuite-grab";
+      scale = 0;
+    };
+    archiveteam-gfycat = {
+      image = "gfycat-grab";
+      scale = 0;
+    };
+    archiveteam-skyblog = {
+      image = "skyblog-grab";
+      scale = 0;
+    };
+    archiveteam-zowa = {
+      image = "zowa-grab";
+      scale = 0;
+    };
+    archiveteam-blogger = {
+      image = "blogger-grab";
+      scale = 1;
+    };
+    archiveteam-vbox7 = {
+      image = "vbox7-grab";
+      scale = 0;
+    };
+    archiveteam-pastebin = {
+      image = "pastebin-grab";
+      scale = 1;
+    };
+    archiveteam-youtube = {
+      image = "youtube-grab";
+      scale = 0;
+    };
+    archiveteam-deviantart = {
+      image = "deviantart-grab";
+      scale = 0;
+    };
+    archiveteam-postnews = {
+      image = "postnews-grab";
+      scale = 0;
+    };
+    archiveteam-askfm = {
+      image = "askfm-grab";
+      scale = 1;
+    };
+    archiveteam-mangz = {
+      image = "mangaz-grab";
+      scale = 1;
+    };
+    archiveteam-cohost = {
+      image = "cohost-grab";
+      scale = 1;
+    };
+  };
+  container-spec = container-name: container: {
+    image = "atdr.meo.ws/archiveteam/${container}:latest";
+    extraOptions = [
+      "--stop-signal=SIGINT"
+    ];
+    labels = {
+      "com.centurylinklabs.watchtower.enable" = "true";
+      "com.centurylinklabs.watchtower.scope" = "archiveteam";
+    };
+    volumes = [ "${at_path}/${container-name}:/grab/data" ];
+    log-driver = "local";
+    cmd = lib.splitString " " "--concurrent 6 AmAnd0";
+
+  };
+  inherit (lib.rad-dev.container-utils) createTemplatedContainers;
+
+  vars = import ../vars.nix;
+  at_path = vars.primary_archiveteam;
+in
+{
+  virtualisation.oci-containers.containers = createTemplatedContainers containers container-spec;
+  systemd = {
+    timers."custom-watchtower@archiveteam" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "20m";
+        OnUnitActiveSec = "5m";
+        Unit = "custom-watchtower@archiveteam.service";
+      };
+    };
+    services."custom-watchtower@archiveteam" = {
+      bindsTo = [ "docker.service" ];
+      after = [ "docker.service" ];
+      description = "a watchtower-esque script for systemd-based oci-containers";
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} 'com.centurylinklabs.watchtower.scope' 'archiveteam'";
+      };
+    };
+  };
+}

systems/palatine-hill/docker/books.nix

@@ -0,0 +1,32 @@
+{ ... }:
+
+let
+  vars = import ../vars.nix;
+  docker_path = vars.primary_docker;
+  calibre_path = vars.primary_calibre;
+in
+{
+  virtualisation.oci-containers.containers = {
+    automated-ffdl-alice = {
+      image = "mrtyton/automated-ffdl:latest";
+      user = "600:100";
+      extraOptions = [ "--restart=unless-stopped" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+      };
+      volumes = [
+        "${docker_path}/auto-fic/config:/config"
+        "${calibre_path}/ffdl-alice:/var/lib/calibre-server"
+      ];
+    };
+  };
+
+  services.autopull = {
+    enable = true;
+    repo.FanFicFare-alice = {
+      enable = true;
+      path = /ZFS/ZFS-primary/calibre/ffdl-alice/config/FanFicFare;
+    };
+  };
+}

systems/palatine-hill/docker/default.nix

@@ -0,0 +1,79 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ./act-runner.nix
+    # temp disable archiveteam for tiktok archiving
+    #./archiveteam.nix
+    # ./books.nix
+    #./firefly.nix
+    #./foundry.nix
+    ./glances.nix
+    # ./haproxy.nix
+    ./minecraft.nix
+    ./nextcloud.nix
+    # ./postgres.nix
+    # ./restic.nix
+    ./torr.nix
+    # ./unifi.nix
+  ];
+
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.docker.daemon.settings = {
+    data-root = "/var/lib/docker2";
+    bip = "169.254.253.254/23";
+    fixed-cidr = "169.254.252.0/23";
+    default-address-pools = [
+      {
+        base = "169.254.2.0/23";
+        size = 28;
+      }
+      {
+        base = "169.254.4.0/22";
+        size = 28;
+      }
+      {
+        base = "169.254.8.0/21";
+        size = 28;
+      }
+      {
+        base = "169.254.16.0/20";
+        size = 28;
+      }
+      {
+        base = "169.254.32.0/19";
+        size = 28;
+      }
+      {
+        base = "169.254.64.0/18";
+        size = 28;
+      }
+      {
+        base = "169.254.128.0/18";
+        size = 28;
+      }
+      {
+        base = "169.254.192.0/19";
+        size = 28;
+      }
+      {
+        base = "169.254.224.0/20";
+        size = 28;
+      }
+      {
+        base = "169.254.240.0/21";
+        size = 28;
+      }
+      {
+        base = "169.254.248.0/22";
+        size = 28;
+      }
+    ];
+    mtu = 9000;
+  };
+}

systems/palatine-hill/docker/firefly.nix

@@ -0,0 +1,25 @@
+{ ... }:
+let
+  vars = import ../vars.nix;
+  ffiii_path = "${vars.primary_docker}/firefly-iii";
+in
+{
+  virtualisation.oci-containers.containers = {
+    firefly = {
+      image = "fireflyiii/core:latest";
+      extraOptions = [
+        "--network=firefly-iii_default"
+        "--network=postgres-net"
+      ];
+      environmentFiles = [ "${ffiii_path}/.env" ];
+      ports = [ "4188:8080" ];
+      volumes = [ "${ffiii_path}/app/upload:/var/www/html/storage/upload" ];
+    };
+    fidi = {
+      image = "fireflyiii/data-importer:latest";
+      environmentFiles = [ "${ffiii_path}/.fidi.env" ];
+      ports = [ "4187:8080" ];
+      dependsOn = [ "firefly" ];
+    };
+  };
+}

systems/palatine-hill/docker/foundry.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+let
+  vars = import ../vars.nix;
+  fvtt_path = "${vars.primary_games}/foundryvtt";
+in
+{
+  virtualisation.oci-containers.containers = {
+    foundryvtt = {
+      image = "felddy/foundryvtt:11";
+      hostname = "foundryvtt";
+      environment = {
+        #CONTAINER_PRESERVE_CONFIG= "true";
+        TIMEZONE = "America/New_York";
+        FOUNDRY_MINIFY_STATIC_FILES = "true";
+      };
+      environmentFiles = [ config.sops.secrets."docker/foundry".path ];
+      volumes = [ "${fvtt_path}:/data" ];
+      extraOptions = [
+        "--network=haproxy-net"
+      ];
+    };
+  };
+
+  sops.secrets."docker/foundry" = {
+    owner = "docker-service";
+    restartUnits = [ "docker-foundryvtt.service" ];
+  };
+}

systems/palatine-hill/docker/glances.nix

@@ -0,0 +1,24 @@
+{ ... }:
+
+let
+  vars = import ../vars.nix;
+  glances_path = "${vars.primary_docker}/glances";
+in
+{
+  virtualisation.oci-containers.containers = {
+    glances = {
+      image = "nicolargo/glances:latest-full";
+      extraOptions = [
+        "--pid=host"
+        "--network=haproxy-net"
+      ];
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "${glances_path}/glances.conf:/glances/conf/glances.conf"
+      ];
+      environment = {
+        GLANCES_OPT = "-C /glances/conf/glances.conf -w";
+      };
+    };
+  };
+}

systems/palatine-hill/docker/haproxy.cfg

@@ -0,0 +1,207 @@
+global
+#  stats socket /var/run/api.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
+ # log stdout format raw local0 info
+  log stdout format raw local0
+  crt-base /etc/ssl/certs/
+  maxconn 120000
+
+defaults
+  log global
+  mode http
+  timeout client 2000m
+  timeout connect 200s
+  timeout server 2000m
+  timeout http-request 2000m
+
+frontend stats # you can call this whatever you want
+  mode http
+  bind *:9000       # default port, but you can pick any port
+  stats enable      # turns on stats module
+  stats refresh 10s # set auto-refresh rate
+
+#Application Setup
+frontend ContentSwitching
+  bind *:80
+ # bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
+  bind *:443 ssl crt /etc/ssl/certs/origin_ca_ecc_root_new.pem crt /var/lib/acme/nayeonie.com/full.pem strict-sni
+  mode  http
+  option httplog
+
+  # max-age is mandatory 
+  # 16000000 seconds is a bit more than 6 months
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+
+  # Front-end acess control list
+  http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
+
+  # Front-end acess control list
+  acl host_www hdr(host) -i www.alicehuston.xyz
+  acl host_www hdr(host) -i alicehuston.xyz
+#  acl host_ldapui hdr(host) -i authui.alicehuston.xyz
+  acl host_glances hdr(host) -i monit.alicehuston.xyz
+  acl host_glances hdr(host) -i glances.alicehuston.xyz
+  # acl host_foundry hdr(host) -i dnd.alicehuston.xyz
+#  acl host_netdata hdr(host) -i netdata.alicehuston.xyz
+  #acl host_terraria hdr(host) -i terraria.alicehuston.xyz
+  acl host_nextcloud hdr(host) -i nextcloud.alicehuston.xyz
+  acl host_nextcloud hdr(host) -i nayeonie.com
+  acl host_hydra hdr(host) -i hydra.alicehuston.xyz
+  acl host_attic hdr(host) -i attic.alicehuston.xyz
+  acl host_minio hdr(host) -i minio.alicehuston.xyz
+  acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
+  acl host_attic hdr(host) -i attic.nayeonie.com
+  acl host_minio hdr(host) -i minio.nayeonie.com
+  acl host_minio_console hdr(host) -i minio-console.nayeonie.com
+  #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
+#  acl host_collabora hdr(host) -i collabora.alicehuston.xyz
+  acl host_prometheus hdr(host) -i prom.alicehuston.xyz
+  acl host_gitea hdr(host) -i git.alicehuston.xyz
+  acl host_gitea hdr(host) -i nayeonie.com
+  # Backend-forwarding
+  use_backend www_nodes if host_www
+#  use_backend ldapui_nodes if host_ldapui
+  use_backend glances_nodes if host_glances
+  use_backend foundry_nodes if host_foundry
+#  use_backend netdata_nodes if host_netdata
+ # use_backend terraria_nodes if host_terraria
+  use_backend nextcloud_nodes if host_nextcloud
+  use_backend hydra_nodes if host_hydra
+  use_backend attic_nodes if host_attic
+  #use_backend nextcloud_vol_nodes if host_nextcloud_vol
+#  use_backend collabora_nodes if host_collabora
+  use_backend prometheus_nodes if host_prometheus
+  use_backend minio_nodes if host_minio
+  use_backend minio_console_nodes if host_minio_console
+  use_backend gitea_nodes if host_gitea
+
+#frontend ldap
+#  bind *:389
+#  bind *:636 ssl crt /etc/ssl/certs/cloudflare.pem
+#  mode tcp
+#  option tcplog
+#  acl host_ldap hdr(host) -i auth.alicehuston.xyz
+#  use_backend ldap_nodes if host_ldap
+
+backend nextcloud_nodes
+  mode http
+  server server nextcloud:80
+  acl url_discovery path /.well-known/caldav /.well-known/carddav
+  http-request redirect location /remote.php/dav/ code 301 if url_discovery
+  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
+  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
+  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
+  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
+  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
+  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
+  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
+
+#backend nextcloud_nodes
+#  mode http
+#  server nxserver nextcloud:80
+#  acl url_discovery path /.well-known/caldav /.well-known/carddav
+#  http-request redirect location /remote.php/dav/ code 301 if url_discovery
+#  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+
+#backend nextcloud_vol_nodes
+#  mode http
+#  server server nextcloud-vol:80
+#  acl url_discovery path /.well-known/caldav /.well-known/carddav
+#  http-request redirect location /remote.php/dav/ code 301 if url_discovery
+#  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
+#  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
+#  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
+#  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
+#  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
+#  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
+#  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
+
+#backend terraria_nodes
+#  mode http
+#  server server terraria:6526
+
+#backend collabora_nodes
+#  mode http
+#  server server collabora:9980
+
+backend www_nodes
+  mode http
+  server server grafana:3000
+
+backend minio_nodes
+  mode http
+  server server 192.168.76.2:8500
+#  acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
+#  http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
+#  acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
+#  http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
+#  acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
+#  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
+#  http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
+
+backend minio_console_nodes
+  mode http
+  server server 192.168.76.2:8501
+
+# backend foundry_nodes
+#   timeout tunnel 50s
+#   mode http
+#   server server foundryvtt:30000
+
+#backend ldap_nodes
+#  mode tcp
+#  balance roundrobin
+#  option ldap-check
+#  server ldap1 192.168.76.2:1636 ssl ca-file /etc/ssl/certs/origin_ca_rsa_root.pem
+#
+#backend ldapui_nodes
+#  mode http
+#  server server 192.168.76.2:18081
+
+backend glances_nodes
+  mode http
+  server server glances:61208
+
+backend hydra_nodes
+  mode http
+  server server 192.168.76.2:3000
+
+backend attic_nodes
+  mode http
+  server server 192.168.76.2:8183
+
+backend prometheus_nodes
+  mode http
+  server server 192.168.76.2:9001
+
+backend gitea_nodes
+  mode http
+  server server 192.168.76.2:6443
+
+#backend netdata_nodes
+#  mode http
+#  server server 192.168.76.2:19999
+
+# backend dnd_nodes
+#   mode http
+#   server server foundry:30000
+#   acl host_www hdr(host) -i www.tmmworkshop.com
+
+frontend giteassh
+  mode tcp
+  bind :2222
+  default_backend giteassh_nodes
+
+backend giteassh_nodes
+   mode tcp
+   server s1 192.168.76.2:2223
+
+frontend minecraft
+  mode tcp
+  bind :25565
+  default_backend router_nodes
+  
+
+backend router_nodes
+   mode tcp
+   server s1 mc-router:25565
+  

systems/palatine-hill/docker/haproxy.nix

@@ -0,0 +1,33 @@
+{ ... }:
+
+{
+  virtualisation.oci-containers.containers = {
+    haproxy = {
+      image = "haproxy:latest";
+      extraOptions = [
+        "--restart=always"
+        "--network=haproxy-net"
+      ];
+      volumes = [
+        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg:ro"
+        "/ZFS/ZFS-primary/docker/haproxy/certs:/etc/ssl/certs:ro"
+      ];
+      ports = [
+        "80:80"
+        "443:443"
+        "25565:25565"
+      ];
+      environment = {
+        PUID = "600";
+        PGID = "600";
+      };
+      dependsOn = [
+        "nextcloud"
+        "grafana"
+        "foundryvtt"
+        "glances"
+        "mc-router"
+      ];
+    };
+  };
+}

systems/palatine-hill/docker/minecraft.nix

@@ -0,0 +1,96 @@
+{ config, lib, ... }:
+
+let
+  servers = {
+    atm6 = "atm6.alicehuston.xyz";
+    stoneblock3 = "sb3.alicehuston.xyz";
+    RAD2 = "rad.alicehuston.xyz";
+    skyfactory = "sf.alicehuston.xyz";
+    divinejourney = "dj.alicehuston.xyz";
+    rlcraft = "rlcraft.alicehuston.xyz";
+    arcanum-institute = "arcanum.alicehuston.xyz";
+    bcg-plus = "bcg.alicehuston.xyz";
+  };
+
+  defaultServer = "rlcraft";
+
+  defaultEnv = {
+    EULA = "true";
+    TYPE = "AUTO_CURSEFORGE";
+    STOP_SERVER_ANNOUNCE_DELAY = "120";
+    STOP_DURATION = "600";
+    SYNC_CHUNK_WRITES = "false";
+    USE_AIKAR_FLAGS = "true";
+    MEMORY = "8GB";
+    ALLOW_FLIGHT = "true";
+    MAX_TICK_TIME = "-1";
+  };
+
+  defaultOptions = [
+    "--stop-signal=SIGTERM"
+    "--stop-timeout=1800"
+    "--network=minecraft-net"
+  ];
+
+  vars = import ../vars.nix;
+  minecraft_path = "${vars.primary_games}/minecraft";
+in
+{
+  virtualisation.oci-containers.containers = {
+    mc-router = {
+      image = "itzg/mc-router:latest";
+      extraOptions = [
+        "--network=haproxy-net"
+        "--network=minecraft-net"
+      ];
+      cmd = [
+        (
+          "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
+          + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
+        )
+      ];
+    };
+    # rlcraft = {
+    #   image = "itzg/minecraft-server:java8";
+    #   volumes = [
+    #     "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
+    #     "${minecraft_path}/rlcraft/data:/data"
+    #   ];
+    #   hostname = "rlcraft";
+    #   environment = defaultEnv // {
+    #     VERSION = "1.12.2";
+    #     CF_SLUG = "rlcraft";
+    #     DIFFICULTY = "hard";
+    #     ENABLE_COMMAND_BLOCK = "true";
+    #   };
+    #   extraOptions = defaultOptions;
+    #   log-driver = "local";
+    #   environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
+    # };
+    bcg-plus = {
+      image = "itzg/minecraft-server:java17";
+      volumes = [
+        "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
+        "${minecraft_path}/bcg-plus/data:/data"
+      ];
+      hostname = "bcg-plus";
+      environment = defaultEnv // {
+        VERSION = "1.17";
+        CF_SLUG = "bcg";
+        DIFFICULTY = "normal";
+        DEBUG = "true";
+        # ENABLE_COMMAND_BLOCK = "true";
+      };
+      extraOptions = defaultOptions;
+      log-driver = "local";
+      environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      "docker/minecraft".owner = "docker-service";
+    };
+  };
+}

systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix

@@ -1,7 +0,0 @@
-{
-  imageName = "nextcloud";
-  imageDigest = "sha256:fe7f941cc514fe01e343a515c7b33e6b12707c718157f6e25a67119e9918a061";
-  sha256 = "07w9rvmr2qy037ljdmk6w1n2dmwwa31ig7gzfb084wiv18hjfrg4";
-  finalImageName = "nextcloud";
-  finalImageTag = "apache";
-}

systems/palatine-hill/docker/nextcloud.nix

@@ -0,0 +1,107 @@
+{ config, ... }:
+
+let
+  vars = import ../vars.nix;
+  nextcloud_path = vars.primary_nextcloud;
+  redis_path = vars.primary_redis;
+
+  # nextcloud-image = import ./nextcloud-image { inherit pkgs; };
+  nextcloud-base = {
+    # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
+    image = "nextcloud-nextcloud";
+    hostname = "nextcloud";
+    volumes = [
+      "${nextcloud_path}/nc_data:/var/www/html:z"
+      "${nextcloud_path}/nc_php:/usr/local/etc/php"
+      "${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting"
+      #"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
+    ];
+    extraOptions = [
+      "--network=haproxy-net"
+      "--network=postgres-net"
+      "--network=nextcloud_default"
+    ];
+    dependsOn = [ "redis" ];
+    environmentFiles = [ config.sops.secrets."docker/nextcloud".path ];
+  };
+in
+{
+  virtualisation.oci-containers.containers = {
+    nextcloud = nextcloud-base // {
+      ports = [ "9999:80" ];
+    };
+    redis = {
+      image = "redis:latest";
+      user = "600:600";
+      volumes = [
+        "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
+        "${redis_path}:/data"
+      ];
+      extraOptions = [
+        "--network=nextcloud_default"
+      ];
+      cmd = [
+        "redis-server"
+        "/usr/local/etc/redis/redis.conf"
+      ];
+    };
+    go-vod = {
+      image = "radialapps/go-vod:latest";
+      dependsOn = [ "nextcloud" ];
+      environment = {
+        NEXTCLOUD_HOST = "https://nextcloud.alicehuston.xyz";
+      };
+      volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ];
+      extraOptions = [
+        "--device=/dev/dri:/dev/dri"
+      ];
+    };
+    collabora-code = {
+      image = "collabora/code:latest";
+      dependsOn = [ "nextcloud" ];
+      environment = {
+        aliasgroup1 = "https://collabora.nayenoie.com:443";
+        aliasgroup2 = "https://nextcloud.alicehuston.xyz:443";
+        aliasgroup3 = "https://.*:443";
+        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
+      };
+      environmentFiles = [
+        config.sops.secrets."docker/collabora".path
+      ];
+      extraOptions = [
+        "--network=haproxy-net"
+        "--privileged"
+      ];
+      ports = [ "9980:9980" ];
+    };
+  };
+
+  users.users.www-data = {
+    uid = 33;
+    isSystemUser = true;
+    group = "www-data";
+  };
+
+  users.groups.www-data = {
+    gid = 33;
+    members = [ "www-data" ];
+  };
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      "docker/redis" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-redis.service" ];
+      };
+      "docker/nextcloud" = {
+        owner = "www-data";
+        restartUnits = [ "docker-nextcloud.service" ];
+      };
+      "docker/collabora" = {
+        owner = "www-data";
+        restartUnits = [ "docker-collabora-code.service" ];
+      };
+    };
+  };
+}

systems/palatine-hill/docker/postgres.nix

@@ -0,0 +1,67 @@
+{ config, ... }:
+
+let
+  vars = import ../vars.nix;
+  psql_path = "${vars.primary_db}/postgresql";
+in
+{
+  virtualisation.oci-containers.containers = {
+    postgres = {
+      image = "postgres:16";
+      user = "600:600";
+      volumes = [
+        "${psql_path}/primary_new:/var/lib/postgresql/data"
+        "${psql_path}/pg_archives:/opt/pg_archives"
+      ];
+      log-driver = "local";
+      extraOptions = [
+        "--network=postgres-net"
+        "--health-cmd='pg_isready -U firefly'"
+        "--health-interval=1s"
+        "--health-timeout=5s"
+        "--health-retries=15"
+        "--shm-size=1gb"
+        "--restart=always"
+      ];
+      environmentFiles = [ config.sops.secrets."docker/pg".path ];
+    };
+
+    postgres-secondary = {
+      image = "postgres:16";
+      user = "600:600";
+      volumes = [
+        "${psql_path}/secondary_new:/var/lib/postgresql/data"
+        "${psql_path}/pg_archives:/opt/pg_archives"
+      ];
+      log-driver = "local";
+      extraOptions = [
+        "--network=postgres-net"
+        "--health-cmd='pg_isready -U firefly'"
+        "--health-interval=1s"
+        "--health-timeout=5s"
+        "--health-retries=15"
+        "--shm-size=1gb"
+        "--restart=always"
+      ];
+      environmentFiles = [ config.sops.secrets."docker/pg".path ];
+    };
+
+    postgres-adminer = {
+      image = "adminer/latest";
+      user = "600:600";
+      ports = [ "4191:8080" ];
+      dependsOn = [ "postgres" ];
+      extraOptions = [
+        "--restart=always"
+        "--network=postgres-net"
+      ];
+    };
+  };
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      "docker/pg".owner = "docker-service";
+    };
+  };
+
+}

systems/palatine-hill/docker/restic.nix

@@ -0,0 +1,38 @@
+{ ... }:
+
+let
+  vars = import ../vars.nix;
+  restic_path = "${vars.primary_backups}/restic";
+in
+{
+  virtualisation.oci-containers.containers = {
+    restic = {
+      image = "restic/rest-server:latest";
+      volumes = [ "${restic_path}:/data" ];
+      environment = {
+        OPTIONS = "--prometheus --htpasswd-file /data/.htpasswd";
+      };
+      ports = [ "8010:8000" ];
+      extraOptions = [
+        "--restart=always"
+        "--network=restic_restic"
+      ];
+    };
+
+    grafana = {
+      image = "grafana/grafana:latest";
+      extraOptions = [
+        "--restart=always"
+        "--network=haproxy-net"
+      ];
+      volumes = [
+        "grafanadata:/var/lib/grafana"
+        "${restic_path}/dashboards:/dashboards"
+        "${restic_path}/grafana.ini:/etc/grafana/grafana.ini"
+      ];
+      environment = {
+        GF_USERS_DEFAULT_THEME = "dark";
+      };
+    };
+  };
+}

systems/palatine-hill/docker/torr.nix

@@ -0,0 +1,103 @@
+{ pkgs, ... }:
+
+let
+  delugeBase = {
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+      UMASK = "000";
+      DEBUG = "true";
+      DELUGE_DAEMON_LOG_LEVEL = "debug";
+      DELUGE_WEB_LOG_LEVEL = "debug";
+    };
+  };
+
+  vars = import ../vars.nix;
+  #docker_path = vars.primary_docker;
+  torr_path = vars.primary_torr;
+  deluge_path = "${torr_path}/deluge";
+  delugevpn_path = "${torr_path}/delugevpn";
+
+  genSopsConf = file: {
+    "${file}" = {
+      format = "binary";
+      sopsFile = ./wg/${file};
+      path = "${delugevpn_path}/config/wireguard/configs/${file}";
+      owner = "docker-service";
+      group = "users";
+      restartUnits = [ "docker-delugeVPN.service" ];
+    };
+  };
+in
+{
+  virtualisation.oci-containers.containers = {
+    deluge = delugeBase // {
+      image = "binhex/arch-deluge";
+      volumes = [
+        "${deluge_path}/config:/config"
+        "${deluge_path}/data/:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      ports = [
+        "8084:8112"
+        "29433:29433"
+      ];
+    };
+    delugeVPN = delugeBase // {
+      image = "binhex/arch-delugevpn";
+      extraOptions = [
+        "--privileged=true"
+        "--sysctl"
+        "net.ipv4.conf.all.src_valid_mark=1"
+      ];
+      environment = delugeBase.environment // {
+        VPN_ENABLED = "yes";
+        VPN_CLIENT = "wireguard";
+        VPN_PROV = "custom";
+        ENABLE_PRIVOXY = "yes";
+        LAN_NETWORK = "192.168.0.0/16";
+        NAME_SERVERS = "194.242.2.9";
+        # note, delete /config/perms.txt to force a bulk permissions update
+
+      };
+      volumes = [
+        "${delugevpn_path}/config:/config"
+        "${delugevpn_path}/data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      ports = [
+        "8085:8112"
+        "8119:8118"
+        "39275:39275"
+        "39275:39275/udp"
+      ];
+    };
+  };
+
+  systemd.services.docker-delugeVPN = {
+    serviceConfig = {
+      ExecStartPre = [
+        (
+          "${pkgs.bash}/bin/bash -c \"${pkgs.findutils}/bin/find ${delugevpn_path}/config/wireguard/configs "
+          + "-type l -not -name wg0.conf "
+          + "| ${pkgs.coreutils}/bin/shuf -n 1 "
+          + "| ${pkgs.findutils}/bin/xargs -I {} cp -L {} ${delugevpn_path}/config/wireguard/wg0.conf &&"
+          + "${pkgs.coreutils}/bin/chown docker-service:users ${delugevpn_path}/config/wireguard/wg0.conf &&"
+          + "${pkgs.coreutils}/bin/chmod 440 ${delugevpn_path}/config/wireguard/wg0.conf\""
+        )
+      ];
+      ExecStopPost = [ "${pkgs.coreutils}/bin/rm ${delugevpn_path}/config/wireguard/wg0.conf" ];
+    };
+  };
+
+  sops.secrets =
+    (genSopsConf "se-mma-wg-001.conf")
+    // (genSopsConf "se-mma-wg-002.conf")
+    // (genSopsConf "se-mma-wg-003.conf")
+    // (genSopsConf "se-mma-wg-004.conf")
+    // (genSopsConf "se-mma-wg-005.conf")
+    // (genSopsConf "se-mma-wg-101.conf")
+    // (genSopsConf "se-mma-wg-102.conf")
+    // (genSopsConf "se-mma-wg-103.conf");
+}

systems/palatine-hill/docker/unifi.nix

@@ -0,0 +1,61 @@
+{ config, ... }:
+let
+  vars = import ../vars.nix;
+  unifi_path = "${vars.primary_docker}/unifi-2.0";
+  mongo_path = "${vars.primary_db}/mongo";
+in
+{
+  virtualisation.oci-containers.containers = {
+    unifi-controller = {
+      image = "lscr.io/linuxserver/unifi-network-application:latest";
+      volumes = [ "${unifi_path}/config:/config" ];
+      log-driver = "local";
+      dependsOn = [ "mongodb" ];
+      extraOptions = [ "--restart=unless-stopped" ];
+      ports = [
+        "8443:8443"
+        "3478:3478/udp"
+        "10001:10001/udp"
+        "8080:8080"
+        "1900:1900/udp" # optional
+        "8843:8843" # optional
+        "8880:8880" # optional
+        "6789:6789" # optional
+        "5514:5514/udp" # optional
+      ];
+      environment = {
+        PUID = "1000";
+        PGID = "100";
+        TZ = "America/New_York";
+        MEM_LIMIT = "1024"; # optional
+        MEM_STARTUP = "1024"; # optional
+        MONGO_USER = "unifi";
+        MONGO_HOST = "mongodb";
+        MONGO_PORT = "27017";
+        MONGO_DBNAME = "unifi";
+      };
+      environmentFiles = [ config.sops.secrets."docker/unifi".path ];
+    };
+
+    mongodb = {
+      image = "docker.io/mongo:7.0";
+      environment = {
+        PUID = "1000";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      extraOptions = [ "--restart=unless-stopped" ];
+      volumes = [
+        "${mongo_path}/unifi:/data/db"
+        "${unifi_path}/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro"
+      ];
+    };
+  };
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      "docker/unifi".owner = "docker-service";
+    };
+  };
+
+}

systems/palatine-hill/docker/watchtower.bash

@@ -0,0 +1,26 @@
+#! /usr/bin/env nix
+#! nix shell nixpkgs#docker nixpkgs#bash nixpkgs#gawk --command bash
+
+outdated_msg="Project code is out of date and needs to be upgraded. To remedy this problem immediately, you may reboot your warrior."
+
+label="$1"
+label_val="$2"
+
+if (($# != 2)); then
+  echo "usage: $0 label label_value"
+fi
+
+containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")
+
+for container in ${containers[@]}; do
+  echo "checking ${container}"
+
+  last_msg=$(docker logs -n 1 "${container}")
+
+  if [[ $last_msg =~ $outdated_msg ]]; then
+    echo "${container} is outdated, restarting"
+    imageTag=$(docker ps --format '{{.Names}}\t{{.Image}}' -f "name=$container" | grep -w "$container" | awk '{print $NF}')
+    docker pull "$imageTag"
+    systemctl restart "docker-${container}"
+  fi
+done

systems/palatine-hill/docker/wg/se-mma-wg-001.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:PytLIf5ceSyhxNs3p4N89GKxh7zTvTTbzKhw6SqEPrWSgRo+ntOZQgkUWBwFRGmWjFjMoMmkxaHkyrBLo/lYb6MAKuPNCb4Ss2ArSHk1qOl9u39lXYSs4NNaZYx6r5vs9IspYsIzfbkz2mad5ZaeEuDjiGCethaw9SthXNyjOOEIo/zYB/9Qju963kPXCpexu2/nbhwr/ilXzP8zzhzl712CMULV2GwISrKQcnJYyhqwzAuLmmsG50J3It3BZBUwTbyiIRK4ka0wrycqVmVDKyasUX71LYlq9MifttFCjQCN8xE7FmDl8nSBBaub9Vss5IAF+DcIRNRIQ7f6INuo,iv:CbvR5AEtENWTKP7UPqjYl7qNvyZvPZRFawrU8xoYdL4=,tag:9C5KmHeZkt62Ujkg2Wzt3A==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNTh3RHN5bGVDZ29YS0pD\nbXpoL3E1emlJeEJMUWo3SzM2ODQ4c2FndWxNCnZUN3dIaTM3bXpOWDcxSzhROHlM\nQlJTTGl2WEs1NlczUlhhMEcvWWlXaGsKLS0tIENlY3dvNEF4UEllQnR2aDJFbSs2\nVE05RnRDSVphNHcrR3paQ3BFOU8vNkUKOtItYEU8P0Wu6TDzPylTTGhwlAiSgDEq\nJnRYAH6kE+qAnpK2xQyG4n0xbhNiASUVQgNJJyN+5BZi0dDf7k9CQA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:09Z",
+		"mac": "ENC[AES256_GCM,data:g/ba90H1dGisB71/MWXkJDCQEXphWu0tOv04ScmEjKPm58TRM0W1oUVDPa7QWHrcdozz0LnQndhs4enW+SqRF39YBmL8OziddStVgTWC4chBazAPHBcGCgLApP9RAjNhiyosTIypLqppY08UIGU1Q1qEzcoHendu6hSMX09jG+A=,iv:6UPwNmUbjt+z7Vr7yuQ3fdsmTwBwE5AUQw3IzonqXZ4=,tag:nmloGiYkKXNGcbn8aBmNAQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:09Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAtZwfBH7XpTMkoZMd7QojukRfwU1Z7O/ZHcBzW0rYiTgw\nuYKmkKxSPqY9E/zzNpO0C52NwyAUerM851DaOHkZvcNBkMGdFLKvLf53wgPZKlkc\n1GgBCQIQNLHtkosd/X7cb8VScXNk8CVsckRQJWiHFkPtbYcyz9O55hJOdg0TGmbQ\nf4v9yNrVG6OFQTfV8IXbIJ7fANPNDTu/gDE/XB4W8GzgmLReAsaUnxJWd7a2LSFn\nCkiJsF+JY3QsYg==\n=55xj\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

systems/palatine-hill/docker/wg/se-mma-wg-002.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:ULynEBONpLJNPcSGjnFTLkrc4PNDNVqvpQ7LWqsMC0mW6SaDFn1e8MJkK4SSLjx2UCajMOyuvzNYzLd5AxMKBgsH/P1KAAednunOEU0ADKIzsrmEqr/zrX709yXPQY2783Os29jFFpCeQra8z3YR2vfU/PcOtqzoOuipRo0p1yUtehBLN40ogP9aLc+zxkoQxts20sU2EOe7rivU9WsBGQ2m3/Eg8ucH0aNdiN1BF/pIwyXbwMxcXtUCs0jVINJqsgFx2Ntmuz24dgZnTr8Hibz0v3F1LXcFbIIiH8OaCb3S4X2Zd/nCJqxRFz+cmzvcMplQHyE1XOYqP0OTA6s=,iv:skT932uptVD/zmbm/nxtzciD9dlYbJU4HzgHZtuathY=,tag:a/x3/an0q8hhexm4dpsVYA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4T0p1alJDd05KOTBjTVhL\nMVlPZno5YVlWRG0xUWZoUkJyVVZWRitLUTFZCmJmWXdzZHlGdG5GWWI2QWZXRUhY\nVVV1WUxaNWtVcmVtakI2dHpheS9HcTAKLS0tIDFsK0ZIR040dEdQQXV1NUpCQnVB\nOU9YU0NQSkwxMEtPdnRQeUYwc2hiczAKSynE6XsoUXyoLbUuuzqXbIbGoSeZR0S/\npMhZwI2fzh3vuLO0GpREkQRJ0azEvbbFPYdhJAFIBu/eRYd70IySlA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:09Z",
+		"mac": "ENC[AES256_GCM,data:pk7jtod+BCMqF6Hwgkd2AReDqkLGZvnBsDBJIipi/PNQQnq04BgT3TKDL3aQD4sKREjc0dyubQtvq4pAE3Fs+fOLgfhW6uYgvkreSg7Q7aSx299l2OaIc+pI47Emt0s+QIjFz2hd3KHxBkKr9xg5m3aITVex+96VqPUO5DPusqs=,iv:nsv3uPIz8iwrXAlQ0sd7J7T7jg3Yif4DsJV9g9aAAXY=,tag:xAIvz4KPTlpIuDZZfv3qkw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:09Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAGNsLJiDmbwfugWEdArQwUDMm6yL6bHbRhQsniyz6RFYw\nbmOG9HElDZGrQor2N+OmjRJzBnmrC3H00PBuM1dx6L9pHZpf8/CT477ZE66IDxOw\n1GgBCQIQUtKFTM34FXDEV4sTfawGatyVDoqFq+gxtI6iJA+1YgrJkZzV/5yAlINb\nsiiO0h1dvUS7uMZT/EPEBDvprXwDXrk6GHTtxAQTP3XQzO3bz0x6RhMJOEj+7hEB\nrkne981/Q2FiDg==\n=kGYU\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

systems/palatine-hill/docker/wg/se-mma-wg-003.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:1pgCvsAcTSFMhb6OKujAtyEfR+Uu544RecoLxy6hhbj8PupUuosJ+lt5gOMqOzHvjUBMvKM/mqJ+JuahChclwXg+XCgB/7yh0tlwPyftPNoWltEwu/AsP7QUwXomfj/AbwzxfB8oTw4U2Ot4DfObDNvhfA88Sva2OE6mkapoRAAFND4CoglOoJ5F+vjLf0XsRCaHTVXCTwmd6BNb+ZHs+heztlaFRp5Mv8TINOlDl3yhW8V10r8ZhLoF421DVAtVLsuOQ6rbzGOZy9A+HfZJlaEZcgFHLKi40pBKQWw5xFrDp8gml/eMtkkKRZR88v+eXT+QCrg3biVYrdIhJlA=,iv:kIOTAido5Xm1fB5Xz7bsrwNM9dbjMIxvqIcNfXbUU6w=,tag:mrzFeyo4D3Y8lah9DU4kqg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbFdnRDlGNUxhTFd3NHhM\nanZmMksxV2xJdUVRL1NFQlJySjU2ZUJSQkg0CnIxb0FIeWMzMzdNalVNUmhQM1lX\nd0h6RWdPak5QeS9WYksrcHhERmd6Y2MKLS0tIDc5ZEFhK0dycFM2N29wN09BOVNK\nTWJjNThyTUxqNWxsTmw5WmlBV0xlK2sKE3L8/VvO8vmsqUV939JM2qdVUOsHAN3p\nwFfeldy2T6ojCVLWdl3CnZ7DmRumweEsSq1JP1mkZzfxotZloMUH5w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:09Z",
+		"mac": "ENC[AES256_GCM,data:hmYfiTiGuO3oF/nGMP7vizC7nJtxYp1nFKoYsZR+GogpN3m3pqdKbLfqWLHXCI5o1l2nZjCo8VgUQYGrwePertOtlTF2rUz9fSxl3EsmoPbZOkt/NawjiIN3lARYTyoxwAq4Qtsna0OJTq9Yb+DlnMUTH+zk3/32K8dF2STRB84=,iv:8jYMtSSVOu5OIR4/TsM/upnZvvTh+ObkHcUiZtNLf+M=,tag:ANLwWSNxZxUM731LdQIO0A==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:09Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdADhzkz5iF5geZvou70PeWpN718CeGgvbs97VWhxL25gEw\nphKaEn/73p0Qjqnpu5xVQi0GwSOFVt2UFjLf55aEjdBPb/RwVp0kAeDzzaDSR6/m\n1GgBCQIQXglRmyXJWRT4RdsWOFM1SpuFV1F235UJIEn/O0yGiQvuBQF6OVuvqYgV\nYNi2KFUU+99WaQvxUYddGzCHMEC2AAuKSSNBvs2LSGu0Ic/KWjrcn6yeXEPuv8a/\nHsvjhXACkXWN/Q==\n=JWpI\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

systems/palatine-hill/docker/wg/se-mma-wg-004.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:s8ANdI9fL6hX9K3ypZcmxhQv3VWZ0BYCMmEWatNpQv+0t4kLMmDIbtvLVBTjLoFvWcfy31vAEhbhZPOE0iQXUohiwfVu67/nR3gzcVpeERvtYlqb4q4RwDIgFXKZUd7y55CIcJbpFRR6U5/NCG2+PEAD5J4OtNTkjnpleipNqcI7Ccg062jVqiavOeKw+eoLMomJsJYqdeTUb9nwYlYoe87aIhZFmAKe0Z1ps6ClzaHSWsr0RSbaDFgBJxUo1brEETsIkphNktIe2kVY72PaOqiNZavEhgPfIc42Ldr4zyaW9nrau8ZsiGM/1VxrHwEOlqW6QimZO9epv6jQgTm0,iv:lSZ5H1kkokiwr6o/X42ElkLvNnWOJZkuD4Tt+vkX8uc=,tag:G+bcX3QzEIcmkxjBsSGLNw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5R0J6UmFPVWo5ME84Q3Rq\nN0J3MmowemJNa0pwNlVqQjdUR0NOWTh2MEU4CitGbkt4UDhuYlRFTlp3eHNGV1JG\nc0p6ZVlxUURhQ1NLbDhvc3VPazh5MmMKLS0tIERTcW54OTFhYjcxUVliRFFmOExk\nL1JMb0VyTDAzd1h3TXgwQ1V3VzZmdWcKZLwB3/3M5Ph9xvkBUrTZXvE13R83NCaT\nHYCKZoJx/CexdDXpij/H9fMI2BgRP1UBgxyWVg0pAAPrxhNhpiteVA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:09Z",
+		"mac": "ENC[AES256_GCM,data:PC2Gk57K2IQbGsAjXvN7BDaYO09vg+MKZcrieA6kPFeWVK7Nbic9iQiRsqs8cMOgQ4ZWNFJqyCmSPNKhWAkhmcuc3TNXTCGUl9AsWUyVLU1KL0I48320U+72ce4RY0vtO8FjgPjeFRtuzrHO4eOQhULrX7FhtUYq3/meZjP3PmM=,iv:P3LfN/+LS8wbRFcTvJhCU1LEqayWCUwqtHAmPodUXZE=,tag:DMuEdIKy8hBo/jdvnv7yaQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:09Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAAVsYsC/Di95MPmvkveVSZVZLPDuyWGdmgFFjGz1/l0Qw\nklzbhejv4x04f9j8zWG1Nsnvkkgv2wf++514BCGBN/DvlcFrv1xVPcA2RCqxr49t\n1GYBCQIQJvmrC8GUr9qp0yYEcUzXAaYh9hUA+fGPc1L45PmWVwjnY2wRtco4Y/uu\nLI09Esz6GH9vVesL3oO9A1uXArKw9dqph+Q6l3XAbtUp/y2vSU2xZlaQ83hAP3S1\nTryM3Ex9a80=\n=d/cZ\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

systems/palatine-hill/docker/wg/se-mma-wg-005.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:lre1gMfmXwB/FxXrF7VguPFmunswv7Y2+GhIOJYu5ijTpDV0O3mumM5Xmk8dZ//3xPQuqFJBJEpMI8nggAWG3pEd4x5otDimJR0OHb0zoHbDE2YyNWR6pwUk07QkhTYJ0UzLFtReRCSgkQmbR20nfew1Ta9HYEDeqBH9+nFBBqlhJkYXybmjC+sWpyEkhnAUk2cjz74WiE4cFemLj8M1+pZYany9uSeY8MI+zO3PU6XyMEdEx9+H2vmvUR+MMzR01cZlHBPghgVlPtDAerTOOFo7Med/HSKUsFLm84K+DerjZ7tIP34xEY7NjW3epxk53UmUdbY8DJ+pBPVcL8k=,iv:CIHbLf6ARlXs3QQKg6hfO47WfQXYMtzCt/2Qv9Vmmgo=,tag:/uR4nPjpqEJ8zv8/H54xxg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWkhMT1dHNklvK2VXNGtq\nUG9tUS8xM0VoVDZTSTNvZ21teGYrSHRMelJrClU2Q2ovR01OK2E4d2F1aXRmaXRK\nckZ2WFhDYVA4bEVLMUl6WU0xd1p2NlkKLS0tIHZJV3FUYk5oNi9CQXlzSFUxSlVV\nV3Y3Q3RrT3JMVUh0Tmg5V3dtaURpcVEKRZ3dja+pVm2sAdQexiSw/si+CM2esjQM\nq0/9AfMPrULAdHrkvxLfyJRFWQlr2/g02QbeCE8HHYbVWSGaN2pJng==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:09Z",
+		"mac": "ENC[AES256_GCM,data:lxWz7NnYyAUyY52ewC1Eh9k1xDdJr0I2rEhiGukdKxg0G1gVhrj0UjFEdnkrMALrYbPh3yE1vj/E+xcPJZtrkuCQNTJkxnLlLijhXM39Um3M1KpIMDx5qOHggaT4T+HhdgJBqvkMiBypyP1ph9MPEYvg+mL4au6jd8fRaw2TUII=,iv:IbqBUWb1MrEcVy9rONDYzbB454XVYRi4mdtWo15RZ28=,tag:Cefs9e7CBk2/QsPS1LD3+A==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:09Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdARE07oxCX7FzLNlR9Pjmc1hUVGGD2KJdkFlM0cZl9uUEw\n1zW5R66Wy37KlREIRWXz2lnmN2Txpou+fC8zkxPcYXu+s+nWjbJbCRcv233RspPi\n1GgBCQIQWfGy65DBWWjSp2Sr9Ny/Pxvhzy0IF58AW32gTsxYmoeT+9qVuFcne3ut\nOEPyRqyBtnY3BOefXtBWsVBdtasFajhpp7rC2bSmd4sxacBL7DIwSVnTKpGs8Bsh\n8eCj7MwO/uRDFA==\n=frH4\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

systems/palatine-hill/docker/wg/se-mma-wg-101.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:iqmUJoBrXT91fFKdujhbHaLHcQF6J7+zjgaVsOwRkSwnB1OF/2BAf3jwvXjZiAIf7ytdrGjDR8t+Ze1hrncwJ/CuJuWtciX0qN9pky8p3Gpd85c5yZ1kWkC/wfT9VJ70EOe6gHYVnEk8PYqWfb+HaYWolUm4dqnMQcyZ1dkGJAyedvmrZvU/EyWPwwR3bVmVkup5skjExEx0POQSTJjE36Kewm/K4AQ3yBcCmmj7ZgYWQotViYW0iIQt3ZH+oItro+SqWb8/EcNjqQbU/1CkVtFEtIgyOpy1tZ7HFhaQI6xha78KC5nPn+dgckw1rrqbH5tUMEs0GHuAhi3v,iv:83eA9Rioryf5nDtcmput665AAR622yhd1ccbIz2aYQ4=,tag:b+j9T/tuEWORm3G9dDbVuA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Tjl2S2tsVGZPS09HaDFO\neHZ2NlN5OUJuRmlZem1xeGtISVMrU2g3WmtZCndobDRnenlWSUl3L00yQUVJUnYx\nR2pxbGJuTkJqT1Nocm9jK1Yra3QzQ1EKLS0tIGE4SjZIMzN5WEl2dnFWZkIwc2ps\nVENuVUUvK1FsTmQ4UFdDQ2hnL0laRUUKYAvGtZrZ5iHls6kXlkXjRZKLB+VotxBI\nqjsPoW1o/2HJ0IQt1HByaxxw80FFcaY79FMVBkJcdQjYOEHFuQjw+Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:09Z",
+		"mac": "ENC[AES256_GCM,data:xo7PG3dqcfwMra7b4AKA7tjBmdwGq6hmQdGCiVT+dx5U8u60B7iIhZA1Nlkrwj1tCqUDpBjVp5iGReYJ+fckYriBBRURFtSaNjmrBSUiswaR2FqxGiNKzW83TdLEncTMXlNdTWKxhPy8uRh0Xso/ZFqAWgPd3fvfUAVXgGmnCuw=,iv:zi0v2nJPhVmPeE7pNY5KGhJimYMtWhmHzareuZ39YN8=,tag:/2NKODtUaXJhxkJLqjn6gw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:09Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAxkXTiqh3KhrshdFSX+QUvPyxL23iLm0y1nCsQGwCcBMw\nIg4RMlZVlbSUya2IPRc2J2gt7E0Fyp/oYw9Ytsa3u6cR5L41dRS4tZcpHkyJpU9h\n1GYBCQIQqCh2mj3ErvL1BYA+sgvIh8hbzmBH8uWWNpCHCP1StjtduMyLT6rBiWuv\nPvoCvz3WWXufEvn7DEutAs+T92oNMcEHcGWWbsn8U1dIXQ+7Cl2CWDNMlxIoKtVN\nuBcXPqKFZho=\n=M3My\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

systems/palatine-hill/docker/wg/se-mma-wg-102.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:MvHQjTIH2RUsf/Re8piWc+foojfH1GpkDdgTgN5uGkBd+hFABF58ATN02SyrSJilwZiUIcmmd9yei59JKNumhY6daIcVzwpipGp2E/5ziLE0LzJ2+9Ov084TEclMe5vbEnJqtiB3Vu0w/9wKzbiXGWi/doqpNV1YKgore90Z3Mol4bVC/4ZSmm/YvRNZg51HPHtX65uZKuER54KqqkZOj0zPB8YiJHDbvtdoX2u8gEAenOjboHkRXRU9jgjytoP2Pw8W1dikajTXvtcjTzJijHVXZb70b0Yr5QnLOZaT4ovZA2Y4lkllpmQ4m+up5V3AkIk8iSLlFHOSaYNY,iv:0JpG17m9kD7xJ5vEBibuKG+yLL+xiIHlldFQ9TuWZwU=,tag:mPI3NUTmCnAXhcZ1jyAgrg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWklBZUQ3MFo1bUZuY1dy\nVGdUK0FlM1dSNFBYOEhkZUFMd1g0b2ErZXd3Clk2TlQ4aEROUEJFbmpwYXRQK21t\nalJ4Z0k5dlVHQzJzdWNUMnYvTFMvWTQKLS0tIE04TzNIcVlzby9IM0FNMWlOd1Z3\ndTFwa1ZoYjdqUGhUTVVqcmxPVThMV0UKa07ux2wYZCn/9pgejH2o2wAknVLo2YV+\npb49PUwm1wvXaUVOrgGWAEGV1WBkH0FjSUKpTGLZ1V5MJ+wBk1fzRg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:10Z",
+		"mac": "ENC[AES256_GCM,data:X6AY8uht59ISavkd199WKj+Tnvf6YRxLccRJe/TeEwYN6M9TDIkIDEJmiw25LuLWHq96k6kJ5LXg2XapvTddZs6XavANxVoafyB97JYcofsFgrt5ziVJQisLxxjwnOP7twUHtHN60TS+2Om4LKnx2qm4piMJpt1RTFQPquSrNGg=,iv:Zgl/L3ugPEyQTXnHqctDnRORC3fPTx/z/wAHFfo5ZS4=,tag:o3jdq1bHCzfavdNRwKk1Ww==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:10Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAWiLRFVRksLnX7OthQw84hoyjSEnsQyekp7kF/dbFAW4w\n4byTxDKfHHmSUvf9G96wOH/mNWpdAJiWlOQ7tPstVwoeHVBHSgf2vgd8MRTmrRzo\n1GgBCQIQjpgEmL08FuHrEGvT/WUSAIBXKhN56fyHOgT62NzOthiIIp6qxq27UjlX\np+ZUIR/X7qeJSVHJUKssNRnTKm1bbmbK/9ydXZtk/xHdFAD5YLZaz26ZknhaR7J1\ncHEHK6TQRL54lA==\n=DD6O\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

systems/palatine-hill/docker/wg/se-mma-wg-103.conf

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:K1RimM2itH8391EFz2SYMn+tDlTcf9bopuci3hkZPqi0Obr4M1pgQGEbs8xxcCYknE5HLGuW/zbMXL5UvFcGIVlvX0q/eZBerTuUz/VMbkzWiQ5Gqy9BpdXbb1i6vBDnNkDpfxrAu8vadUMifoUVTUconhoOzoR5byOMmUdx84z9W1S/9oztd9fRXhJIkoI23mxbaKr+zK7bX8CS73tVk8+oBFjeUPSt6+IwlmWx1iKVBs5tY/RPQ7kGTe3lIdbe2QIgPS/T7/W4xMoI+i9Z+SrW3eLOUyHNWQg/3gCPbOwvYt3xhj8RaScmW5L1a0SMPDQ/5CatOoiV/vrA,iv:NreCE5+5wyEKowJgtFXw7YPhbixpn+qCK403zzrkkjo=,tag:ptYXTDaKEs17fZichb+lbg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YlBUcWdWVGNwaUlqMjdt\nTWVqUW5LdVlZWC9Uem0zQXI0UldFMDYweDNBClVJSTJHL0c4anFnOSsvcmhBaldD\nSHNUem9aQk8rTTdLUFpML01uMFJjNkUKLS0tIGY4dXFUVm1mVThrWmFyS3BkTlhS\nblA1MmN1Q3MzRERlN3pLMTExSkx1RjAKonRli3BpI6iucyJAbWvERBPR0f6ewrIp\nBIQVkEBod/pdSiahMWfXjFVH0nmU9Ip2CwhZl1pGNOaHhnLtrUWmBg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-18T06:49:10Z",
+		"mac": "ENC[AES256_GCM,data:kDO0Y1wIe/ZWTiXeuAQtCS+fn1gR6L514e8qs7mzt1B6/u5hChy2L3WRR0DQN9V0wjl2bp6muAdfTEDbO7PmAbSE8wKHjCy97tzDgVSrtodUvGZUbm62bA0cx1VzgcKrCYHglSDsxmnYc3atxKlM8uWJ9GM4F4O+wRj/AH1QLYM=,iv:DgTrwKlftGmyuRDbROApudP9xANL7aBTbGgYRYqN5ZA=,tag:ek8rci9l2iDrYxP3b2EBvA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-11-18T06:49:10Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdA0ZIzTIWsWHwek/Z0bIQvfCa49t6aaM51M4HJFyCRpxQw\nJ7mW22C1kf35WAz5Hmm251B+UuW1wUITdavE3tYH9/yB1yQsTSgKd3Vze/r5Ebvu\n1GgBCQIQQJk9Blm+/vA3//hafY4tDtuCr7N+utLdDFK1lBy9+Qg8UtAiNP4fFffF\n8Eh0tx/Fg5n/2r4p9NGLFn/ZMMe9SnP19VsmGQQjA3RlK8jVmxvSCXLFzM85uZge\nYJDAMSU+8Q3qdg==\n=4Asa\n-----END PGP MESSAGE-----",
+				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

systems/palatine-hill/firewall.nix

@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [
+    # qbit
+    8081
+    8082
+    8443
+
+    # hydra
+    3000
+
+    # minio
+    8500
+    8501
+
+    # gitea
+    2222
+    2223
+    8088
+
+    # attic
+    8183
+
+    # collabora
+    9980
+  ];
+
+}

systems/palatine-hill/gitea.nix

@@ -0,0 +1,64 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  base_path = "/ZFS/ZFS-primary/gitea";
+in
+{
+  services.gitea = {
+    enable = true;
+    appName = "The Hearth";
+    database = {
+      type = "postgres";
+      passwordFile = config.sops.secrets."gitea/dbpass".path;
+      createDatabase = false;
+      host = "127.0.0.1";
+      name = "giteadb";
+      port = 5433;
+    };
+    settings = {
+      server = {
+        DOMAIN = "nayeonie.com";
+        ROOT_URL = "https://nayeonie.com/";
+        HTTP_PORT = 6443;
+        SSH_PORT = 2222;
+        SSH_LISTEN_PORT = 2223;
+        START_SSH_SERVER = true;
+      };
+      service = {
+        DISABLE_REGISTRATION = true;
+      };
+      log = {
+        LEVEL = "Trace";
+        ENABLE_SSH_LOG = true;
+      };
+      "log.console-warn" = {
+        LEVEL = "Trace";
+        ENABLE_SSH_LOG = true;
+      };
+      cache = {
+        enabled = true;
+        dir = "";
+        host = "192.168.76.2";
+        port = "8088";
+      };
+    };
+    stateDir = base_path;
+    lfs.enable = true;
+    recommendedDefaults = true;
+  };
+
+  systemd.services.gitea = {
+    requires = [ "docker.service" ];
+    after = [ "docker.service" ];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 6443 ];
+
+  sops.secrets = {
+    "gitea/dbpass".owner = "gitea";
+  };
+}

systems/palatine-hill/loki.nix

@@ -0,0 +1,242 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  vars = import ./vars.nix;
+  loki_storage = vars.primary_loki;
+in
+{
+  # loki: port 3030 (8030)
+  #
+  services = {
+    loki = {
+      enable = true;
+      configuration = {
+        server.http_listen_port = 3030;
+        # auth_enabled = false;
+
+        ingester = {
+          lifecycler = {
+            address = "127.0.0.1";
+            ring = {
+              kvstore = {
+                store = "inmemory";
+              };
+              replication_factor = 1;
+            };
+          };
+          chunk_idle_period = "1h";
+          max_chunk_age = "1h";
+          chunk_target_size = 999999;
+          chunk_retain_period = "30s";
+          max_transfer_retries = 0;
+        };
+
+        schema_config = {
+          configs = [
+            {
+              from = "2023-07-01";
+              store = "tsdb";
+              object_store = "aws";
+              schema = "v13";
+              index = {
+                prefix = "index_";
+                period = "24h";
+              };
+            }
+          ];
+        };
+
+        storage_config = {
+          tsdb_shipper = {
+            active_index_directory = "${loki_storage}/boltdb-shipper-active";
+            cache_location = "${loki_storage}/boltdb-shipper-cache";
+            cache_ttl = "24h";
+            shared_store = "filesystem";
+          };
+
+          aws = {
+            directory = "${loki_storage}/chunks";
+            s3 = "s3://access_key:\${LOKI_S3_KEY}@custom_endpoint/bucket_name";
+          };
+        };
+
+        limits_config = {
+          reject_old_samples = true;
+          reject_old_samples_max_age = "168h";
+        };
+
+        chunk_store_config = {
+          max_look_back_period = "0s";
+        };
+
+        table_manager = {
+          retention_deletes_enabled = false;
+          retention_period = "0s";
+        };
+
+        compactor = {
+          working_directory = loki_storage;
+          shared_store = "filesystem";
+          compactor_ring = {
+            kvstore = {
+              store = "inmemory";
+            };
+          };
+        };
+      };
+      # user, group, dataDir, extraFlags, (configFile)
+    };
+
+    # promtail: port 3031 (8031)
+    #
+    promtail = {
+      enable = true;
+      configuration = {
+        server = {
+          http_listen_port = 3031;
+          grpc_listen_port = 0;
+        };
+        positions = {
+          filename = "/tmp/positions.yaml";
+        };
+        clients = [
+          {
+            url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
+          }
+        ];
+        scrape_configs = [
+          {
+            job_name = "journal";
+            journal = {
+              max_age = "12h";
+              labels = {
+                job = "systemd-journal";
+                host = "pihole";
+              };
+            };
+            relabel_configs = [
+              {
+                source_labels = [ "__journal__systemd_unit" ];
+                target_label = "unit";
+              }
+            ];
+          }
+        ];
+      };
+      # extraFlags
+    };
+
+    # grafana: port 3010 (8010)
+    #
+    grafana = {
+      port = 3010;
+      # WARNING: this should match nginx setup!
+      # prevents "Request origin is not authorized"
+      rootUrl = "http://192.168.1.10:8010"; # helps with nginx / ws / live
+
+      protocol = "http";
+      addr = "127.0.0.1";
+      analytics.reporting.enable = false;
+      enable = true;
+
+      provision = {
+        enable = true;
+        datasources = [
+          {
+            name = "Prometheus";
+            type = "prometheus";
+            access = "proxy";
+            url = "http://127.0.0.1:${toString config.services.prometheus.port}";
+          }
+          {
+            name = "Loki";
+            type = "loki";
+            access = "proxy";
+            url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
+          }
+        ];
+      };
+    };
+  };
+
+  /*
+    # nginx reverse proxy
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      # recommendedTlsSettings = true;
+
+      upstreams = {
+        "grafana" = {
+          servers = {
+            "127.0.0.1:${toString config.services.grafana.port}" = {};
+          };
+        };
+        "prometheus" = {
+          servers = {
+            "127.0.0.1:${toString config.services.prometheus.port}" = {};
+          };
+        };
+        "loki" = {
+          servers = {
+            "127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}" = {};
+          };
+        };
+        "promtail" = {
+          servers = {
+            "127.0.0.1:${toString config.services.promtail.configuration.server.http_listen_port}" = {};
+          };
+        };
+      };
+
+      virtualHosts.grafana = {
+        locations."/" = {
+          proxyPass = "http://grafana";
+          proxyWebsockets = true;
+        };
+        listen = [{
+          addr = "192.168.1.10";
+          port = 8010;
+        }];
+      };
+
+      virtualHosts.prometheus = {
+        locations."/".proxyPass = "http://prometheus";
+        listen = [{
+          addr = "192.168.1.10";
+          port = 8020;
+        }];
+      };
+
+      # confirm with http://192.168.1.10:8030/loki/api/v1/status/buildinfo
+      #     (or)     /config /metrics /ready
+      virtualHosts.loki = {
+        locations."/".proxyPass = "http://loki";
+        listen = [{
+          addr = "192.168.1.10";
+          port = 8030;
+        }];
+      };
+
+      virtualHosts.promtail = {
+        locations."/".proxyPass = "http://promtail";
+        listen = [{
+          addr = "192.168.1.10";
+          port = 8031;
+        }];
+      };
+    };
+  */
+
+  systemd.services.loki.serviceConfig.environmentFile = config.sops.secrets."minio/loki".path;
+  sops.secrets = {
+    "minio/loki".owner = "root";
+  };
+}

systems/palatine-hill/nextcloud.nix

@@ -17,12 +17,10 @@
 
   systemd.services."nextcloud-pre-generate" = {
     requires = [
-      "docker.service"
-      "multi-user.target"
+      "docker-nextcloud.service"
     ];
     after = [
-      "docker.service"
-      "multi-user.target"
+      "docker-nextcloud.service"
     ];
     description = "incremental pre-generation of previews on nextcloud";
     serviceConfig = {
@@ -31,10 +29,10 @@
       Group = "docker";
       ExecStart = [
         ''
-          ${pkgs.bash}/bin/bash -c '${pkgs.docker}/bin/docker ps --format "{{.Names}}" | ${pkgs.gnugrep}/bin/grep -q "^nextcloud-nextcloud-1$"'
+          ${pkgs.bash}/bin/bash -c '${pkgs.docker}/bin/docker ps --format "{{.Names}}" | ${pkgs.gnugrep}/bin/grep -q "^nextcloud$"'
         ''
         ''
-          ${pkgs.docker}/bin/docker exec --user www-data nextcloud-nextcloud-1 php occ preview:pre-generate
+          ${pkgs.docker}/bin/docker exec --user www-data nextcloud php occ preview:pre-generate
         ''
       ];
     };

systems/palatine-hill/postgresql.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+#  sudo -u postgres vacuumdb --all --analyze-in-stages
+#  /var/lib/postgresql/16/delete_old_cluster.sh
+let
+  vars = import ./vars.nix;
+  dataDir = "${vars.primary_db}/postgresql/nix/${config.services.postgresql.package.psqlSchema}";
+  backupLocation = "${vars.primary_db}/postgresql/nix_backups";
+in
+{
+  services = {
+    postgresql = {
+      inherit dataDir;
+      enable = true;
+      enableJIT = true;
+      package = pkgs.postgresql_16;
+      identMap = ''
+        # ArbitraryMapName systemUser DBUser
+           superuser_map      root      postgres
+           superuser_map      alice  postgres
+           # Let other names login as themselves
+           superuser_map      /^(.*)$   \1
+      '';
+
+      # initialScript = config.sops.secrets."postgres/init".path;
+      ensureDatabases = [ "atticd" ];
+      ensureUsers = [
+        {
+          name = "atticd";
+          ensureDBOwnership = true;
+        }
+      ];
+
+      refreshCollation = true;
+      vacuumAnalyzeTimer.enable = true;
+      upgrade = {
+        enable = true;
+        stopServices = [
+          "hydra-evaluator"
+          "hydra-init"
+          "hydra-notify"
+          "hydra-queue-runner"
+          "hydra-send-stats"
+          "hydra-server"
+          "atticd"
+        ];
+      };
+    };
+    postgresqlBackup = {
+      enable = true;
+      compression = "zstd";
+      compressionLevel = 19;
+      pgdumpOptions = "--create --clean";
+      location = backupLocation;
+    };
+  };
+}

systems/palatine-hill/samba.nix

@@ -0,0 +1,37 @@
+{ ... }:
+{
+  services.samba = {
+    enable = true;
+    securityType = "user";
+    openFirewall = true;
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "server string" = "palatine-hill";
+        "netbios name" = "palatine-hill";
+        "security" = "user";
+        #"use sendfile" = "yes";
+        #"max protocol" = "smb2";
+        # note: localhost is the ipv6 localhost ::1
+        "hosts allow" = "192.168.76. 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+      };
+      zfs-primary-backups = {
+        path = "/ZFS/ZFS-primary/backups";
+
+        writeable = "yes";
+        browseable = "yes";
+      };
+    };
+  };
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+}

systems/palatine-hill/secrets.yaml

@@ -1,19 +1,32 @@
 hydra:
-    environment: ENC[AES256_GCM,data:XUS68hCXWGMCoxxfecspEpFF8sxVJJVAm74ZZJM5/TiMAyzG0VTw17XQOgv+pP5aYABnQ3Rt9KFaxacaljrjFJ44O8qdGCQOi+g5+EpztHAI+yyeWkEqcVrcDKeb0jM0qygBUtyez5aLJyFwT7znqfNi3CHMP+cJTNVUAQkfL3RrU/lNzAZpIJ5tVG5PzDqMLDWMQXiDRICNdp9fUXyGee64bQ1NxGJALmYS9o1YT75e0nCBsIBD50+ChQvOTUfTGfxpG5SbnDGmL0JIUGB3MqM=,iv:TRsVfNxLnMuq5Wvu0ZX4JVHoIXQaj3Li3KsBXmoFiK8=,tag:gGTQo66uzdUBqCuUYHSE4A==,type:str]
+    environment: ENC[AES256_GCM,data:G/6DOeRdjjp5PGpsHCHneW2X/OQzSH6gozKmgOlK6/bSdQltv4U00AYNOrUYYlH9Yab7JSYBfQinsqRKyDVEp7LLPdlxBaztJiSZGGAdio+JHWwR7UAhAEXSgOh4qFq0SjdZzQduEOdfSYfksut3dJiAvpj6oo6hxuo8mkW4+UacpBmvpnrzHjJHeYYbb3krIhKG6bBqHLT403rLf5oYjnY16XUuYO7deAH99JkfCJKlKnDf3GLfnX78XoXSdOMUyf57PPq5EKA8mFdtZsbAmis=,iv:s903rYHyocGtVJ594+HtCyULGtuom6aUVDcbXPbH93I=,tag:YFkFAIU7cNHSuYnN+lShgA==,type:str]
 nix-serve:
-    secret-key: ENC[AES256_GCM,data:dXpfTamvU17kkMwp0DZIktkh/iI96wgcQerEC9G0tdm7tL7NQSlS4giocf9uckXK1JNkK9q7urZznx82ZBV3kaZE8oZKgYtkR5xpHgGsbYgQbLx6gowKfBkPusikFl/BqUvUBLznYsYSkJddXJ4=,iv:yeHyAMY2NxQUyzirU9+ggF1O6kRsrM0lEJCY9U0qJN8=,tag:cSm1Obe6WnpHloF/JleVEA==,type:str]
+    secret-key: ENC[AES256_GCM,data:M8MJHHO8Hd/Gm6Nxy7/IPr0s6jHEDBB9LpZq8lIWQirvZPpgNrMrnP2xFJWEuJF/ND9hU09ZHA3efIBej2siRPOWSEu4gE65W/GMtpCcwEXF0hR/ISvBsH0fci/6KGbUCVg1x9AJpjJsqevPN7I=,iv:Weuziu2me+kdB9zk68nvLnyxv0ICwB1qA4z0Q39tT6k=,tag:nhcFfRQOxEandrf6CivahA==,type:str]
 attic:
-    secret-key: ENC[AES256_GCM,data:0pVok0M5Ob08BdFBV57Ijr4MW6msdGuvgq7v5lunJocv/sM0u0Cy7ye67+me21YBy4xGqidAfQo0j4OQkn71Z7ouKJGQ6izqOuTvRerBLmY/V3GMnSrBgtb+gjKhwswf/T/WV/I2lc0GTrdiJi6JJC0VL14kJYWRQIdcadeGEoF+cZyzyHWV32TxyJrNlDGFu1aFhjKiHP50aDFxibIPwz1h9+lN6jEGEwsOa29K3gnL9zOmzaoS/F4wXEZlCXNETj6lvCd6Ywt3erkGmCvA4FTzfs/CdW/QcS2GneGUzoCy4NRcxx9dKQ==,iv:4QiN6tupBkIZbVkKt7MyLMiy5z/y0ExAT9xWVBL+pko=,tag:CT4F8y/rObKlIMCwtJk7AA==,type:str]
-    database-url: ENC[AES256_GCM,data:CrtsSB9KaA+KT9F34eM+z5trjb72wRKKy2LKOWDxBgvVtrNy5jj9c9KPnPCRWue1eABC1FdThKH1,iv:n3n16Qs/s77CxDNHws4lLTJaXx++DpqUrrVDp+Rpj2E=,tag:gkQhzX4gHPRmAQjZKBZF4Q==,type:str]
-    adm: ENC[AES256_GCM,data:fTXg7sVtyjzm2zPLBSYX0wsAjhPZz/fwOWjk6bYEFNDAz9Esw2VFqG84E53cSj62KxClx8jlakA6RyXH5betcrxoRybrEuvdej76TS4kAP3cgK1OUEbcw0gWsgJPleH2BVAn6/5AhtISmglx0RykyKDtjBoxO1ewwwKesd5brIBD2DhLyaYJLFB42to1HmLe7FgYDaR2Q/W5B6W7RMueFwjA4/Y2ELoFQpwqF2HvcyFO58x8BFhIla6T+MB5l5I2qoYNlN5AayUur5xlALRUGH2PCJEiTrt8hXhYPkSlkiiwORBwwK7w89kO+tsHoDW8u3F/aKBbBnikIkaXnSa694mg0twmTOYL,iv:OBk9nrRA2t/9DvEI/OJTwp8nX4iP+foohueZON9Tlgs=,tag:Y1hVX2wva9QridJ5els9Fg==,type:str]
+    secret-key: ENC[AES256_GCM,data:/wYnCD7qggeHdsNqkp1rZK839o/1olhJUlT1lrZpv1hTOZDduP2OGhz8kh2PrQR6Mq2Y/ALgHG3cFpJs7G64xDK0qRVGIDlC/9sTQIcF2JL49Free8vADe5ads64EN3vWgfmFoBMPmL0mc4qnDBGnBkDueFN5gy+1szK9tWK23tMl1wEWVsiqBwhuWqQBNRxeaHR2tQXI2Yg3fefq5+laOUjnSe1a8Kx4dJ7rXZuXe+H4uyU7roYFxlLpI8qZig0eUO9WUMX9WP0tKOr5OjsbJzBbdVlVT7lZ9ROYUceoxmcWecLlcyv3Q==,iv:DjH78Getnt3zzK9QLj+HS0cF1wtaBeadxSTrRb1uic0=,tag:KMPtWCq1KT1SSthh3fdsew==,type:str]
+    database-url: ENC[AES256_GCM,data:WHdAxNbkRxvNvfUWdPSbgeQXOS7f46OuDKTRuxf3cEyhbU5NAsGlCgfarUBXsHrCH79t7zDGlcRE,iv:trOxDY/ifsibKoX5YPOfKvX/q2ny6SgykiIBusgHxag=,tag:Cx9hhiJIhDLiojJmDdSDtg==,type:str]
+    adm: ENC[AES256_GCM,data:mP4xFGK3+YwyiUMwFaG6tY3tWLGY2YTGa4DRuHzW5Za3McmwEFUzlQQ4hGS2bPKOKwM2Pe5HYBwJnFkd6KRwx5civqsBMwFt4dfZ31xDEi9RxpEm9jCnCcvB1CY8cxNARIhceC12X/ZR8ianUpoINYSjOj4BRy4TEEigi5+V4DkAXeG8+x8SWjj/mRMQMcZud4i69Ul7tpzbjUHm0s/Aasvmib13u4ZbGX/AyoOX8pQwkRHoyfMK2OvRbaeQf9fPcQxOSBALYOIXk9mEGxN1FTFHrTvrY5s0w+hC1mAjX4qm4ZM77RneAI0fJaq1hHSZETIpJOCiQfR3bLuyzWKVestOE29V8Pwq,iv:bjK1QkWUc2vs+oUoC5Z0AKR1/tmrhSLvP8BP8gzghOg=,tag:dmSDM+gbsJMDkqgIPWBfGQ==,type:str]
 postgres:
-    init: ENC[AES256_GCM,data:Pq24kdMXLAbePqIHPiJx3xXYEm2UbY598iNDf+z2k1HDhStHAd10CCyJYEgppCw2lkDNY54A3PQ=,iv:RE9DQ9Xw4tDFBD67dk3ggyqYqoGVhZf5kO53WoF3fJ4=,tag:dZwZfgI2H9JTClkyUI1MqQ==,type:str]
+    init: ENC[AES256_GCM,data:trwA30EswHEPa6V2GuHsGgU4NK/j/UQveldwHng0Ilwyqh9aZCgF3axP48MmcciBssux8DZ4O5U=,iv:VC+tpG5yuiBE7pjZ85lYCwHG/bTePxeXQDz2zyLyLYA=,tag:5+jwWTv5T5YWwQpR58QfOA==,type:str]
+gitea:
+    dbpass: ENC[AES256_GCM,data:8jECcEJ8JnK7fztTckzLrQ==,iv:yQMp5VrierOKXwiop0NUA7Qbn2eH5iUCVlKppZwKLIQ=,tag:rI9WT7zLIaFxVcTu3ufW4g==,type:str]
 upsmon:
-    password: ENC[AES256_GCM,data:0tZKzQOYaij9jdnDTv61ma8i,iv:GEqlCOOUHTjUzfz+X5lCnqcX9SjAG6bVc8Luv97wnSg=,tag:XLvsucW6sIMHKG2AHmxZEw==,type:str]
+    password: ENC[AES256_GCM,data:52Rxsh7KUq+aYjQORBC+Yq5B,iv:F05g/a5bv7DQ+eLlMqsNeRHLxzl7AyXU1zAlmFevQ6o=,tag:xkGDD3hDF+u5fUbP33OrlA==,type:str]
 minio:
-    credentials: ENC[AES256_GCM,data:78ANAQ2756IISlkUFPxy9lQYRml8C9PvkkiXME4nMjtWwPgybvSM2nrO3yVhTgyOyUZjYYWzJlpwstfIAbuWEgGFhbMixSSNSgsWozojm0hWfPBWZ5x4iX++0ARFdfxIAjiGlM/HGa0YO/2tSA6oW6FqM4RbC1vPnqJc,iv:8Y+SilqKsUH/J6M+l4Wpm2J3nPXeoUhA1+GvhzlqMHE=,tag:5dYBlYPIUjd+U+r/dqJWIA==,type:str]
+    credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str]
+    loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str]
+docker:
+    minecraft: ENC[AES256_GCM,data:2k/m0ksnE92fACxQuBlOO72b19T7Nbnr58ezRddmKUVvePEgrdSnIsR3sh7PnmzwmG/ez0WTD+NKbtkQmRMDQ25vruA8gCf8Ig==,iv:X2SUidKTNAPZfbyiXFKprUbAhBxJcbF5bz+YTy4nuEA=,tag:AAvLXO888r9XvtnNfQgCpA==,type:str]
+    foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str]
+    nextcloud: ENC[AES256_GCM,data:dm2Cha+CvFORgdcBvJAzzdOGcJ95vLJYTZcUJnjNp6HOQIIoJrDone1NOAYJh9rdWG/17/ntOmd+TysAj4AsD0dw/PatZmy3I+dcVghkt2XNTc7jD64QjctIHzR+om1joAbKemG1R3St7qDU68TWYxoxIfYZcJvg3ds/lJcYgFRh079UZ/IRlGVR6sWPEXyY+UUrwtk0Fr+y8UtwwWZiLp0akUbIV06huRGiAp/PeWETuPPuacl2++ayIgJFZkJjUl/a52RI1Q0nLG5iyK6QYpY1JSRJTOkiQQ4PB5GRdLCdoM5/ZXTQ6gGcoM5jXFllsTn+yRicNRucuBp7Z2achbk6eITCdjjdXVI7zM4YXpzVLu5fJckLAu07aEIGYCBT7ZXd7TRgfB68POwtwaJGBozg+nuhq8xEH04yi8jFODH6aFplIgJ+bbaP72zw+92lzZa33FEtOwKdtx+YUv0eLLDJs+8Z6Sn6RyN8prwIz1/9LuIMx39g4R7id9W2bV2MXqTU4nN8f0TXWqe+hnb5pDLBaZOBMkwbRka6Vptsi4dbL5Lnexa2DoIHZ2unyxZ+4SkRt9LH39j8fXf2w5JPFCSLstf7+Zu7xzRS0TTCug7k,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str]
+    redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
+    act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
+    collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
+acme:
+    bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
+    dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
 server-validation:
-    webhook: ENC[AES256_GCM,data:d8drMmXcbWCGwOanYr6jUCz5+d1bgTrPKMl4yxFi49oapqFUFSQo2pA3bP9DA2n0b63ZJp1IDyJGBRGjFUsSC8EkKQsYMIm962o++D4h7/l9GZU2TBcn5VgvSldETgwloMg92i3zEApNCeZTtwFwJuJTwmUsZmg528Kj7SBcDw4H18dW8MMfgzBTkZUh,iv:F/UtYjWNoG1la1xaNevRXP/4lNT2TgYfmukbncHILDA=,tag:fJpdG5di6j8Wm54KLHZEsg==,type:str]
+    webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,26 +36,26 @@ sops:
         - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcTQ4SVM3dVN4UWZCSXBs
-            dFo1S0ZyOEM3c3ZtYTcvZlVNYStDdXd0NjB3CjY0NWc4UkVGUk1ZdTBBLyt2L0lX
-            M0lRbXFwRzFWSTNndC92SU5kSkowb28KLS0tIFhjMnJzZHRoTmJONDk1RjVsRVZq
-            d241ZnZ2MWg3YVNBbkh2S0NqeE5PdFEKWqnQH4kZszkKZTSgur0c5hGMoMx9zBdz
-            tSvUbe2+WKX7q6y7XqsD1KjFI+POVDF+YN7H9ja96+JqvKRteXNhCg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcWo4V1QyZS9HbHNwT3Jl
+            ZktNR2gwZ3BiWnYwZHpLUzR2YTlmN0ZUeEhnCkF6ekdkN0U2VGM1RFVhdTM0RW5u
+            bWdreGZrU0JwNDY1TnR2S1M3OTdKaWcKLS0tIEVBekE2eU8rcEhpVkhhWmxPc3JN
+            cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
+            LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-07T23:09:33Z"
-    mac: ENC[AES256_GCM,data:nr1JAEr2FGrYtiUhrQFsBPbiR+toxzYRZVPqq7zYBMeNy70a5jMgw6qm37M8Hmt7omO/KePE+Ol27FI9Aqn8OP3CQZoSWZbul+TTItV5UWC84G3MebaesnIiFQwbpM9hz08VoQ1zxUiUFnUY4bBr6okNSyJeqq/QmkkyqhK4Wlo=,iv:0MR7AiQEX2Cl7FUtRlxaY+R2oqSbanIhwaXAN/UnHH0=,tag:RpQCtsuelu3VQVB9HzJE+g==,type:str]
+    lastmodified: "2025-03-04T04:53:14Z"
+    mac: ENC[AES256_GCM,data:MCucwVPGRMA/hGYS7mwSppkZAQ3wjHJnyeSvSI8YOOD0Xq7mvkMSvKctFHl6h4Cx3ubRvVHf5j35/NQxb+/VhhCPAHWDbqq9O2N0aWhAeybCu0IjruKrJhs76KsXJnNZ9REQQnS1/TNquuvj9FCoqDnrQcFs7M0KJ5m3eUU2h2k=,iv:ZJGJ8CTA8K5FnoKtbogleksB8wDcZtknO07M07Dmpsc=,tag:GMUXJD4U8KQgy9rvzEAMuw==,type:str]
     pgp:
-        - created_at: "2024-09-05T06:10:49Z"
+        - created_at: "2024-11-28T18:56:39Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DQWNzDMjrP2ISAQdAA1DGmMjNYHKHtel++ftsHqmQGqrjfL4VJTe62bEMfXcw
-            EQmF0itX7ns+GogeYeYaqxa0qraWzzGwsEDJOp+VJMmLPtw5999kdO1PikgyGkcV
-            1GgBCQIQd5DwJiXbQ7bFPYPGg8xxEBeDsHYtKo0tv9uQi9Is0nYYHbI8+TuFUv2o
-            Av5c+/hAX/1D4F8JDTnz7WbEO3X2H7VXNMQKQkYR1Ndds6ueyx1V4kFqQTD5qLG/
-            BpnwAmW4i9XVMg==
-            =2NK4
+            hF4DQWNzDMjrP2ISAQdAPOYlp/3ZJrcXZbu5+XI+BHNzMbzw7+YhTYOfNgujU1gw
+            QfJDWAhiMd8cZF5PpX+RdN+Zrk5CCMgZH4hotv9gjf1oxitWuF2hv14k/RlAx8kr
+            1GgBCQIQB+LOoKIo7AHeucdV9NsM6H4Akv+Bzy8boarA4BGcyvgRWhS2u8zOQJc5
+            RKfRonTO51yjlKm0MEspvwrClO+aIuBaNNemuHdk4yhDUnNKVBFyLLOuqXbsFd+G
+            aSTmqvI3a/T5Cw==
+            =ph+p
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4

systems/palatine-hill/vars.nix

@@ -0,0 +1,20 @@
+rec {
+  zfs_primary = "/ZFS/ZFS-primary";
+
+  # primary
+  primary_act = "${zfs_primary}/act-runner";
+  primary_archiveteam = "${zfs_primary}/archiveteam";
+  primary_attic = "${zfs_primary}/attic";
+  primary_backups = "${zfs_primary}/backups";
+  primary_calibre = "${zfs_primary}/calibre";
+  primary_db = "${zfs_primary}/db";
+  primary_docker = "${zfs_primary}/docker";
+  primary_games = "${zfs_primary}/games";
+  primary_hydra = "${zfs_primary}/hydra";
+  primary_libvirt = "${zfs_primary}/libvirt";
+  primary_loki = "${zfs_primary}/loki";
+  primary_minio = "${zfs_primary}/minio";
+  primary_nextcloud = "${zfs_primary}/nextcloud";
+  primary_redis = "${zfs_primary}/redis";
+  primary_torr = "${zfs_primary}/torr";
+}

treefmt.toml

@@ -12,3 +12,21 @@ command = "nixfmt"
 #options = []
 # Glob pattern of files to include
 includes = [ "*.nix" ]
+
+[formatter.jsonfmt]
+command = "jsonfmt"
+excludes = []
+includes = ["*.json"]
+options = ["-w"]
+
+[formatter.shfmt]
+command = "shfmt"
+excludes = []
+includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
+options = ["-i", "2", "-s", "-w"]
+
+[formatter.yamlfmt]
+command = "yamlfmt"
+excludes = []
+includes = ["*.yaml", "*.yml"]
+options = ["-formatter","indent=4"]

users/alice/home.nix

@@ -16,6 +16,7 @@
       ./home/gammastep.nix
       ./home/doom
       ./home/hypr
+      ./home/waybar.nix
       ./non-server.nix
     ];
 
@@ -51,12 +52,15 @@
       nil
 
       # useful tools
+      file
+      sqlite
       ncdu
       neofetch
+      onefetch
+      hyfetch
       smartmontools
       wget
       glances
-      obsidian
       onefetch
 
       # Rust packages
@@ -65,6 +69,7 @@
       diesel-cli
       tealdeer
       helix
+      ripunzip
 
       # nix specific packages
       nix-output-monitor
@@ -105,7 +110,7 @@
 
     eza = {
       enable = true;
-      icons = true;
+      icons = "auto";
       git = true;
     };
 
@@ -136,6 +141,7 @@
             "system"
             "nix"
             "shell"
+            "poetry"
           ];
         };
       };
@@ -160,11 +166,17 @@
     };
   };
 
-  sops = {
+  sops = lib.mkIf (!machineConfig.server) {
     age.sshKeyPaths = [ "/home/alice/.ssh/id_ed25519_sops" ];
     defaultSopsFile = ./secrets.yaml;
     secrets."alice/wakatime-api-key".path = "/home/alice/.config/doom/wakatime";
   };
 
+  nix.gc = {
+    automatic = true;
+    frequency = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
   home.stateVersion = "23.11";
 }

users/alice/home/doom/custom.el

@@ -19,3 +19,6 @@
 (setq! lsp-enable-suggest-server-download nil)
 
 ;; (keychain-refresh-environment)
+
+(setq! lsp-nix-nil-max-mem 20000)
+(setq! lsp-nix-nil-formatter ["nixfmt"])

users/alice/home/doom/init.el

@@ -133,7 +133,7 @@
        ;;fsharp            ; ML stands for Microsoft's Language
        ;;fstar             ; (dependent) types and (monadic) effects and Z3
        ;;gdscript          ; the language you waited for
-       ;;(go +lsp +tree-sitter)         ; the hipster dialect
+       (go +lsp +tree-sitter)         ; the hipster dialect
        ;;(graphql +lsp)    ; Give queries a REST
        ;;(haskell +lsp)    ; a language that's lazier than I am
        ;;hy                ; readability of scheme w/ speed of python

users/alice/home/git.nix

@@ -11,15 +11,15 @@
     userName = "ahuston-0";
     aliases = {
       gone = ''
-        !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
-                        awk '$2 == "[gone]" {print $1}' | # get nuked branches
+        !git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
+                        awk 'NF < 2 {print $1}' | # get nuked branches
+                        grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
                         sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-                        xargs -r git branch -D; # nuke the branches
-        # git for-each-ref --format '%(refname:short) %(upstream)' | # dump all older branches
-        #                 awk 'NF < 2 {print $1}' | # get nuked branches
-        #                 grep -Pv "(^origin/|^origin$|stash)" | # filter out remotes & stash
+                        xargs -r git branch -D # nuke the branches
+        # !git fetch -p && git for-each-ref --format '%(refname:short) %(upstream:track)' | # dump all branches
+        #                 awk '$2 == "[gone]" {print $1}' | # get nuked branches
         #                 sed 's/\\x27/\\x5C\\x27/' | # remove single quotes, for xargs reasons
-        #                 xargs -r git branch -D # nuke the branches
+        #                 xargs -r git branch -D; # nuke the branches #
       '';
     };
     extraConfig = {
@@ -27,6 +27,7 @@
       pull.rebase = true;
       color.ui = true;
       init.defaultBranch = "main";
+      format.signoff = true;
     };
   };
 }

users/alice/home/hypr/default.nix

@@ -8,5 +8,11 @@
 {
   xdg.configFile = {
     "hypr/hyprland.conf".source = ./hyprland.conf;
+    "hypr/show-hide.sh".source = ./show-hide.sh;
   };
+
+  imports = [
+    ./hyprlock.nix
+    ./hypridle.nix
+  ];
 }

users/alice/home/hypr/hypridle.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  services.hypridle = {
+    enable = true;
+    settings = {
+      general = {
+        lock_cmd = "pidof hyprlock || hyprlock --immediate --immediate-render"; # avoid starting multiple hyprlock instances.
+        before_sleep_cmd = "loginctl lock-session"; # lock before suspend.
+        after_sleep_cmd = "hyprctl dispatch dpms on"; # to avoid having to press a key twice to turn on the display.
+      };
+
+      listener = [
+        {
+          timeout = 150; # 2.5min.
+          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
+          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore.
+        }
+        # turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
+        {
+          timeout = 150; # 2.5min.
+          on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
+          on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
+        }
+        {
+          timeout = 300; # 5min
+          on-timeout = "loginctl lock-session"; # lock screen when timeout has passed
+
+        }
+        {
+          timeout = 330; # 5.5min
+          on-timeout = "hyprctl dispatch dpms off"; # screen off when timeout has passed
+          on-resume = "hyprctl dispatch dpms on"; # screen on when activity is detected after timeout has fired.
+        }
+        {
+          timeout = 1800; # 30min
+          on-timeout = "systemctl suspend"; # suspend pc
+        }
+      ];
+    };
+  };
+}

users/alice/home/hypr/hyprland.conf

@@ -20,6 +20,10 @@ monitor=,preferred,auto,auto
 
 # Execute your favorite apps at launch
 # exec-once = waybar & hyprpaper & firefox
+exec-once = wired &
+
+exec-once = wired
+exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
 
 # Source a file (multi-file configs)
 # source = ~/.config/hypr/myColors.conf
@@ -77,10 +81,12 @@ decoration {
         passes = 1
     }
 
-    drop_shadow = yes
-    shadow_range = 4
-    shadow_render_power = 3
-    col.shadow = rgba(1a1a1aee)
+    shadow {
+        enabled = yes
+        range = 4
+        render_power = 3
+        color = rgba(1a1a1aee)
+    }
 }
 
 animations {
@@ -191,7 +197,7 @@ bindm = $mainMod, mouse:273, resizewindow
 
 # screenshots
 bind = $mainMod, A, exec, grimblast copy area
-bind = $mainMod SHIFT, A, exec, grimblast save area "~/Pictures/Screenshots/screenshot_$(date +%Y-%m-%d-%H%M ).png"
+bind = $mainMod SHIFT, A, exec, grimblast save area "/home/alice/Pictures/Screenshots/screenshot_$(date +%Y-%m-%d-%H%M ).png"
 
 # zoom issue
 bind = $mainMod, K, exec, pkill zoom; zoom
@@ -201,3 +207,10 @@ bind = $mainMod, escape, exec, hyprctl reload
 
 # open bwm
 bind = $mainMod, P, exec, bwm
+
+# lock screen
+bind = $mainMod, L, exec, loginctl lock-session
+# hide active window
+bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
+# show hide window
+bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s

users/alice/home/hypr/hyprlock.nix

@@ -0,0 +1,89 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  programs.hyprlock = {
+    enable = true;
+    settings = {
+      general = {
+        immediate_render = true;
+        # disabling as config doesn't exist
+        #no_fade_in = true;
+      };
+      background = {
+        monitor = "";
+        # path = /home/me/someImage.png   # supports png, jpg, webp (no animations, though)
+        path = lib.mkForce "screenshot";
+        # disabling due to stylix
+        # color = "rgba(25, 20, 20, 1.0)";
+
+        # all these options are taken from hyprland, see https://wiki.hyprland.org/Configuring/Variables/#blur for explanations
+        blur_passes = 3; # 0 disables blurring
+        blur_size = 7;
+        noise = 1.17e-2;
+        contrast = 0.8916;
+        brightness = 0.8172;
+        vibrancy = 0.1696;
+        vibrancy_darkness = 0.0;
+      };
+
+      image = {
+        monitor = "";
+        path = "/home/alice/Pictures/PXL_20240408_192537608-EDIT.jpg";
+        size = 350; # lesser side if not 1:1 ratio
+        rounding = -1; # negative values mean circle
+        border_size = 4;
+        border_color = "rgb(221, 221, 221)";
+        rotate = 0; # degrees, counter-clockwise
+        reload_time = -1; # seconds between reloading, 0 to reload with SIGUSR2
+        reload_cmd = ""; # command to get new path. if empty, old path will be used. don't run "follow" commands like tail -F
+
+        position = "0, 100";
+        halign = "center";
+        valign = "center";
+      };
+
+      input-field = {
+        monitor = "";
+        size = "400, 50";
+        outline_thickness = 3;
+        dots_size = 0.33; # Scale of input-field height, 0.2 - 0.8
+        dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
+        dots_center = false;
+        dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
+        # disabling as config doesn't exist
+        # dots_fade_time = 200; # Milliseconds until a dot fully fades in
+        dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
+        # disabling due to stylix
+        # outer_color = "rgb(151515)";
+        # inner_color = "rgb(200, 200, 200)";
+        # font_color = "rgb(10, 10, 10)";
+        font_family = "Noto Sans"; # Font used for placeholder_text, fail_text and dots_text_format.
+        fade_on_empty = false;
+        fade_timeout = 1000; # Milliseconds before fade_on_empty is triggered.
+        placeholder_text = "<i>Input Password...</i>"; # Text rendered in the input box when it's empty.
+        hide_input = false;
+        rounding = -1; # -1 means complete rounding (circle/oval)
+        #check_color = "rgb(204, 136, 34)";
+        #fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
+        fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
+        fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
+        # disabling as config doesn't exist
+        #fail_transition = 300; # transition time in ms between normal outer_color and fail_color
+        capslock_color = -1;
+        numlock_color = -1;
+        bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)
+        invert_numlock = false; # change color if numlock is off
+        swap_font_color = false; # see below
+
+        position = "0, -200";
+        halign = "center";
+        valign = "center";
+      };
+    };
+  };
+}

users/alice/home/hypr/show-hide.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+stack_file="/tmp/hide_window_pid_stack.txt"
+
+function hide_window() {
+  pid=$(hyprctl activewindow -j | jq '.pid')
+  hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
+  echo "$pid" >>$stack_file
+}
+
+function show_window() {
+  pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
+  [ -z "$pid" ] && exit
+
+  current_workspace=$(hyprctl activeworkspace -j | jq '.id')
+  hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
+}
+
+if [ -n "$1" ]; then
+  if [ "$1" == "h" ]; then
+    hide_window >>/dev/null
+  else
+    show_window >>/dev/null
+  fi
+fi

users/alice/home/waybar.json

@@ -0,0 +1,40 @@
+[
+  {
+    "height": 20,
+    "layer": "top",
+    "position": "top",
+    "output": [
+      "eDP-2",
+      "eDP-1",
+      "HDMI-0",
+      "DP-0"
+    ],
+    "hyprland/workspaces": {
+      "active-only": true,
+      "all-outputs": false,
+      "show-special": true,
+      "move-to-monitor": true,
+      "format": "{icon} {windows}",
+      "format-window-separator": " ",
+      "format-icons": {
+        "1": "󰎤",
+        "2": "󰎧",
+        "3": "󰎪",
+        "default": "",
+        "empty": "󱓼",
+        "urgent": "󱨇"
+      },
+      "persistent-workspaces": {
+        "1": "HDMI-0"
+      },
+      "on-scroll-down": "hyprctl dispatch workspace e-1",
+      "on-scroll-up": "hyprctl dispatch workspace e+1",
+      "window-rewrite": {
+        "title<Steam>": ""
+      },
+      "window-rewrite-default": "",
+      "window-rewrite-separator": " ",
+      "sort-by": "number"
+    }
+  }
+]

users/alice/home/waybar.nix

@@ -2,6 +2,6 @@
 lib.mkIf (!machineConfig.server) {
   programs.waybar = {
     enable = true;
-    #settings = builtins.fromJSON (import ./waybar.json);
+    settings = builtins.fromJSON (builtins.readFile ./waybar.json);
   };
 }

users/alice/home/zsh.nix

@@ -52,12 +52,16 @@
     shellAliases = {
       "sgc" = "sudo git -C /root/dotfiles";
       ## SSH
-      "ssh-init" = "ssh-add -t 2h  ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails  ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
+      "ssh-init" =
+        "ssh-add -t 2h  ~/.ssh/id_rsa_tails ~/.ssh/id_ed25519_tails  ~/.ssh/id_rsa_palatine ~/.ssh/id_ed25519_palatine ~/.ssh/id_ed25519_rota ~/.ssh/id_ed25519_gh";
 
       ## Backups
-      "borgmatic-backup-quick" = "sudo borgmatic --log-file-verbosity 2 -v1 --progress --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_checkless.yaml";
-      "borgmatic-backup-full" = "sudo borgmatic --log-file-verbosity 2 -v1 --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_full_arch.yaml";
-      "umount-backup" = "sudo borgmatic umount --mount-point /home/alice/backup -c /etc/borgmatic/config_checkless.yaml";
+      "borgmatic-backup-quick" =
+        "sudo borgmatic --log-file-verbosity 2 -v1 --progress --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_checkless.yaml";
+      "borgmatic-backup-full" =
+        "sudo borgmatic --log-file-verbosity 2 -v1 --log-file=/var/log/borgmatic.log -c /etc/borgmatic/config_full_arch.yaml";
+      "umount-backup" =
+        "sudo borgmatic umount --mount-point /home/alice/backup -c /etc/borgmatic/config_checkless.yaml";
       "restic-backup" = "/home/alice/Scripts/restic/backup.sh";
 
       ## VPN
@@ -89,7 +93,8 @@
       # applications (rofi entries)
       "ARMEclipse" = "nohup /opt/DS-5_CE/bin/eclipse &";
       "Wizard101-old" = "prime-run playonlinux --run Wizard\\ 101";
-      "Wizard101" = "prime-run ~/.wine/drive_c/ProgramData/KingsIsle Entertainment/Wizard101/Wizard101.exe";
+      "Wizard101" =
+        "prime-run ~/.wine/drive_c/ProgramData/KingsIsle Entertainment/Wizard101/Wizard101.exe";
       "Pirate101" = "prime-run playonlinux --run Pirate\\ 101";
       "octave" = "prime-run octave --gui";
       "pc-firefox" = "proxychains firefox -P qbit -no-remote -P 127.0.0.1:9050";

users/alice/non-server.nix

@@ -3,7 +3,7 @@
 {
   programs.emacs = {
     enable = true;
-    package = pkgs.emacs29-pgtk;
+    package = pkgs.emacs30-pgtk;
   };
   home.packages = with pkgs; [
     cmake
@@ -49,6 +49,9 @@
     hunspellDicts.en-us
     languagetool
 
+    # latex
+    texlive.combined.scheme-medium
+
     # dependencies for nix-dotfiles/hydra-check-action
     nodejs_20
     nodePackages.prettier
@@ -59,6 +62,8 @@
     bitwarden-menu
     wtype
     zathura
-
+    obsidian
+    libreoffice-qt-fresh
+    wlr-randr
   ];
 }

users/alice/secrets.yaml

@@ -4,6 +4,11 @@ alice:
     #ENC[AES256_GCM,data:vUMcowHjlQA0RWflfaQhZKkalO39epYi6N9PPW8=,iv:6DFqHlQR+mi+ZkfMUhlhwvpMwnxXNfQV6+sYgPzSj4I=,tag:Pz1zJayscGckPO8Q2ZVb4g==,type:comment]
     gha-hydra-token: ENC[AES256_GCM,data:rYDYIn7MAF4pSZQj+Nln2z9J+AxvuSzumthL86njpKETutArrw+9iX2hHJt5t513NHH03tMtZOFqM60/pzWg4YXVQOSpQmq8QOelD7qCdfCr4Z2QSeOHqXqwKy21iWtoVbxOXWunVxLzkWMJrpHkpVsiBA75Nv66ftKEjN80QNGik6xQE1iPsCB2JHeqYNIr8gtPkCr7H5Pt4yBBO/1rsyONrbNlwmzVX78eqXxmc43XOiNVjEsk8ekJxJ9mn5S6JcPNehBcnZA0kWAIxvtDIPYKnz4YBIXoilBbjgytXL8nw3PkEX27x5yeg9KfxPxO/4CGoi5wfKsYuEynBdWbHtj6a3H0AvA9KIZzktTRNJFU3ZW8UveSCXY4YHl0NREJ8kbIUgkkE7PWeyzGenGFTPMahTA0rKSa+tWPQ1c00lvo9VS3/7pfeJfZEKS7R2xBaEDZrfffHyB5PLTQOGpWl5y40wTn4HdBlyQwoREvobOaKVZEyWtVvJcUeHDPepgEHGVDzwyTelX8Btb6ZNA0Fur8xvpkLZcLmMhbvCdkjq84ztJ36nQQ5JZthecyqcZTWPyfWtPeoUPVIaxn31oLjwsriDwdQmID6twTjC9PT8nBZD/u0JebOCdeYf8fm9q49SaN2w/ZMdSRWucHUsRXeN9O149vYoOqR28H+8v/tYJdqofJpHKrIBs=,iv:GcEV6f4rqkrpCafeaLNMqqU/vBNE0xHbqokL2gMXHYw=,tag:sCHvUgq1w8npedjIAninrA==,type:str]
     wakatime-api-key: ENC[AES256_GCM,data:ITu5pRySYGCJ6q9IQ35NfpGX2FyIJRYHGDeBiq0btzIrqitxcFox1Vc=,iv:HsXpyFHV7dG5qORk26BtD+kFo4Jdq2c4fozMpoqyDfU=,tag:uaQoXvvYqNfmRXVDVH8AoQ==,type:str]
+    attic-nix-cache-creator: ENC[AES256_GCM,data:P0iBdy4IYrxcq7v4wTgwwZvAfVdRFo08pi0zvpY9cP9BDCwbBnp+3qDKWL29rC7OxsaLtmRkvPmbkF3ZX3Yu5OaptwVg2Xi0vNqhk3gu5Fdj8ygPigB0ZtimkfWv1QkctoVoXKXuLv6Xd4XKPCWOOIekWlJsBRcyfyzkyFURkU9tBBkXyEAWItho/J8hJr6r00eA3EN4rTe8Ge+PGpfTfpZVpnoGrC35xPnGLq19+b44DectHDTkMZrZKxiCaVIgKUZDLaFgi6a6PsX+L1HQAIZukXJu3m4BPdvzzby+zgX24pVJOYjAUB2BwO9jUlMS6+7qo0p6k01uLicryfKx/ajdAHcy39tFHX7naA4JriC2/FgI2HlFGp0Lc+g0pfdCYwLs5QBfRaOHyrbFWUDG,iv:OBrgnewqBaug00ygAXs0eFs3LqcHqo1EW96N5I38A0o=,tag:V+Gn47O6AH1RwL9qJLpAkw==,type:str]
+    attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
+    attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
+    attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
+    gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -37,8 +42,8 @@ sops:
             ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
             7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-20T23:15:03Z"
-    mac: ENC[AES256_GCM,data:VnLd4N2l7JTKA7f4eh9EKilW2f8mmEmLc06WbHASOn6N+MIGPHwyLjLbPVECuXiVl95cs0+uWsFOPEbLiS6XTB/gZE1OZMYqk0x7FVkQNxMdWwcVAQnncC6i/cdBTAx+GW1iF6Cf2eLY1wNNiASk/Bz8u3r4UJ4QFXuMovPsfxw=,iv:Cr1bAYrwlK+ClRFDsiUdEIqXDU7onubthDEQDlTM3S4=,tag:EyfcNB0xKrFRjbp517akpg==,type:str]
+    lastmodified: "2025-03-18T22:08:52Z"
+    mac: ENC[AES256_GCM,data:3Hr8FyzfZvvtyusqdDOjggDGFlBwyOq2VND+/jtNbY5i5JPK+qTkamn98IKkcHSPooaIVzEAek91fZDo90mYRhCzEwfbLATmFXPHsZHUg+5nD8VzcNUWQDb2/ey4RPhzTMtXfY9v9wdIcTdBKYKSZ61puptSX8nJ2S74ag6B5AY=,iv:J+VxUvwWE496DqTsVXdlpxgkf8zGT9uDvt6RLrmc0n0=,tag:X2Qg3DDzOTBDqo+6eQPHvw==,type:str]
     pgp:
         - created_at: "2024-09-05T06:10:22Z"
           enc: |-
@@ -53,4 +58,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.4

utils/attic-push.bash

@@ -0,0 +1,26 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#jq nixpkgs#gnused nixpkgs#nixVersions.latest nixpkgs#attic-client --command bash
+
+#set -x
+#set -v
+set -e
+
+# retrieve all paths under 2G
+# nix_paths=$(nix path-info --json --all --closure-size \
+#   | jq 'map_values(.closureSize | select(. < 2e9)) | to_entries | sort_by(.value)' \
+#   | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
+
+# retrieve all paths
+nix_paths=$(nix path-info --json --all --closure-size |
+  jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
+  jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
+
+readarray -t nix_path_array < <(echo "$nix_paths")
+
+batchsize=1000
+
+for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
+  part=("${nix_path_array[@]:i:batchsize}")
+
+  attic push nix-cache "${part[@]}"
+done

utils/attic-token.bash

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+if (($# != 3)); then
+  echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
+  exit 1
+fi
+
+cache="$1"
+cache_pattern="$2"
+token_type="$3"
+
+case $token_type in
+"cache-creator")
+  atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
+    --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
+    --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
+    --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
+  ;;
+"admin")
+  atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
+    --push "$cache_pattern" --configure-cache "$cache_pattern" \
+    --configure-cache-retention "$cache_pattern"
+  ;;
+"writer")
+  atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
+    --push "$cache_pattern"
+  ;;
+"reader")
+  atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
+  ;;
+*)
+  echo "invalid token type: $token_type"
+  echo "available options: cache-creator, admin, writer, reader"
+  exit 1
+  ;;
+esac

utils/diff-evals.sh

@@ -10,15 +10,4 @@ set -e
 script_path=$(dirname "$(readlink -f $0)")
 parent_path=$(dirname "$script_path")
 
-readarray -t pre_drv < "$parent_path/pre-drv"
-readarray -t post_drv < "$parent_path/post-drv"
-
-post_drv_path="$parent_path/post-diff"
-# cleanup any files with the same name
-rm "$post_drv_path" || true
-touch "$post_drv_path"
-
-for i in $(seq 0 $(( "${#pre_drv[@]}" -1 ))); do
-    echo "Diffing updates to $(echo "${pre_drv[$i]}" | cut -f 2- -d '-')" >> "$post_drv_path"
-    nvd diff "${pre_drv[$i]}" "${post_drv[$i]}" >> "$post_drv_path"
-done
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --compare-drvs --compare-output-to-file "$parent_path"

utils/eval-to-drv.sh

@@ -8,15 +8,12 @@ set -v
 set -e
 
 if [ "$#" -ne 1 ]; then
-    echo "$0 (pre|post)"
-    exit 1
+  echo "$0 (pre|post)"
+  exit 1
 fi
 
 script_path=$(dirname "$(readlink -f $0)")
 parent_path=$(dirname "$script_path")
-out_path="$parent_path/$1-drv"
+out_path="$parent_path/$1.json"
 
-
-drv=$(nix flake check --verbose 2> >(grep -P -o "derivation evaluated to (/nix/store/.*\.drv)" | grep -P -o "/nix/store/.*\.drv"))
-
-echo "$drv" > "$out_path"
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --json "$out_path" "$parent_path"

utils/fetch-docker.sh

@@ -14,12 +14,10 @@ parent_path=$(dirname "$script_path")
 # relpath is the relative path to the parent_path where you want the file written
 # format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
 images=(
-    # commented out until palatine-hill docker changes are live
-    "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
-
+  "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
 )
 IFS=","
 while read -r name tag arch os relpath; do
-    nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath"
-    git --no-pager diff "$parent_path/$relpath"
-done<<< "${images[@]}"
+  nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
+  git --no-pager diff "$parent_path/$relpath"
+done <<<"${images[@]}"

utils/manual-update.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e 
+set -e
 set -v
 set -x
 

utils/sops-mergetool-new.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+# Rename CLI parameters to friendlier names
+# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
+base="$1"
+local_="$2"
+remote="$3"
+merged="$4"
+
+# Load the mergetool scripts
+TOOL_MODE=merge
+source "$(git --exec-path)/git-mergetool--lib"
+mergetool=$(get_merge_tool)
+setup_tool "${mergetool}"
+
+# Create file names for decrypted contents
+#   example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
+extension=".${base##*.}"
+base_decrypted="${base/$extension/.decrypted$extension}"
+local_decrypted="${local_/$extension/.decrypted$extension}"
+remote_decrypted="${remote/$extension/.decrypted$extension}"
+merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
+backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
+
+# If anything goes wrong, then delete our decrypted files
+handle_trap_exit() {
+  rm $base_decrypted || true
+  rm $local_decrypted || true
+  rm $remote_decrypted || true
+  rm $merged_decrypted || true
+  rm $backup_decrypted || true
+}
+trap handle_trap_exit EXIT
+
+# Decrypt our file contents
+sops --decrypt --show-master-keys "$base" >"$base_decrypted"
+sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
+sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
+
+# Create a merge-diff to compare against
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
+cp "$merged_decrypted" "$backup_decrypted"
+
+# Set up variables for the mergetool
+# https://github.com/git/git/blob/v2.8.2/mergetools/meld
+# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
+LOCAL="$local_decrypted"
+BASE="$base_decrypted"
+REMOTE="$remote_decrypted"
+MERGED="$merged_decrypted"
+BACKUP="$backup_decrypted"
+
+# Override `check_unchanged` with a custom script
+check_unchanged() {
+  # If the contents haven't changed, then fail
+  if test "$MERGED" -nt "$BACKUP"; then
+    return 0
+  else
+    exit 1
+  fi
+}
+
+# Run the mergetool
+run_merge_tool "${mergetool}" true
+
+# Re-encrypt content
+sops --encrypt "$merged_decrypted" >"$merged"

utils/sops-mergetool.sh

@@ -1,17 +1,27 @@
 #!/usr/bin/env bash
 # Exit on first error and verify variables have been set/passed via CLI
-set -eu
+#set -eu
+set -v
+set -x
 
 # Rename our variables to friendlier equivalents
 # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
-base="$1"; local_="$2"; remote="$3"; merged="$4"
+base="$1"
+local_="$2"
+remote="$3"
+merged="$4"
+
+echo "$base"
+echo "$local_"
+echo "$remote"
+echo "$merged"
 
 # Resolve our default mergetool
 # https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
 mergetool="$(git config --get merge.tool)"
 GIT_DIR="$(git --exec-path)"
 if test "$mergetool" = ""; then
-  echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
+  echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
   exit 1
 fi
 
@@ -25,7 +35,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
 backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
 
 # If anything goes wrong, then delete our decrypted files
-handle_trap_exit () {
+handle_trap_exit() {
   rm $base_decrypted || true
   rm $local_decrypted || true
   rm $remote_decrypted || true
@@ -35,13 +45,13 @@ handle_trap_exit () {
 trap handle_trap_exit EXIT
 
 # Decrypt our file contents
-sops --decrypt --show-master-keys "$base" > "$base_decrypted"
-sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
-sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
+sops --decrypt --show-master-keys "$base" >"$base_decrypted"
+sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
+sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
 
 # Create a merge-diff to compare against
 set +e
-git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
 set -e
 cp "$merged_decrypted" "$backup_decrypted"
 
@@ -59,7 +69,7 @@ source "$GIT_DIR/git-mergetool--lib"
 source "$GIT_DIR/mergetools/$mergetool"
 
 # Override `check_unchanged` with a custom script
-check_unchanged () {
+check_unchanged() {
   # If the contents haven't changed, then fail
   if test "$MERGED" -nt "$BACKUP"; then
     return 0
@@ -75,5 +85,4 @@ merge_cmd
 set -eu
 
 # Re-encrypt content
-sops --encrypt "$merged_decrypted" > "$merged"
-
+sops --encrypt "$merged_decrypted" >"$merged"